On April 11, 2025, the U.S. Department of Justice (DOJ) issued guidance implementing the Data Security Program, commonly referred to as the Bulk Data Transfer Rule (28 C.F.R. Part 202). The Rule was promulgated under Executive Order 14117 to restrict bulk transfers of U.S. sensitive personal data and government-related data to “countries of concern,” including China (and its special administrative regions Hong Kong and Macau), Russia, Iran, North Korea, Cuba and Venezuela.
The Rule, effective April 8, 2025, creates new obligations for U.S. persons and entities engaging in “covered data transactions” that involve access to U.S. sensitive personal data by a country of concern or “covered person.” The DOJ’s accompanying guidance clarifies that even anonymized or pseudonymized datasets can fall within the scope of the Rule if the data could be re-identified or linked to individuals.
Although the Rule itself does not create a private right of action, it has already begun shaping the contours of litigation risk. Two federal class actions filed in September 2025 and three state attorney general lawsuits illustrate how plaintiffs and regulators may attempt to leverage the Rule to frame privacy, consumer protection and even national security-related claims.
The DOJ Rule and Its Scope
The DOJ describes the Rule as part of a broader national security initiative aimed at preventing adversarial governments from obtaining large-scale datasets that could be used to model, surveil, or exploit U.S. persons. Below are the key terms of the Rule:
Covered Persons
The Rule restricts transactions between U.S. companies and “covered persons,” meaning individuals or entities under the jurisdiction or control of a country of concern.
- Individual covered persons include residents of these countries and employees of covered entities, regardless of residence.
- Corporate covered persons include entities incorporated, headquartered, or located in a country of concern, or entities 50% or more owned by such entities.
- DOJ may designate additional covered persons but has not yet done so.
Covered Data
The Rule covers two categories of data:
- U.S. person sensitive personal data, including personal identifiers (such as IP addresses and advertising identifiers), personal health and financial data, human ‘omic data, human biospecimens, biometric identifiers and precise geolocation data.
- U.S. government-related data, including precise geolocation data for military or intelligence sites and sensitive data linked to government personnel.
Bulk Thresholds
Data meets the “bulk” threshold when it involves:
- 100 U.S. persons (human genomic data)
- 1,000 U.S. persons/devices (epigenomic, proteomic, transcriptomic, biometric, or geolocation data)
- 10,000 U.S. persons (health or financial data)
If multiple data types are combined, the lowest threshold applies.
These thresholds are low, meaning many datasets may qualify as “bulk.” The Rule applies even to anonymized, pseudonymized, deidentified, or encrypted data. DOJ explained that aggregated data could still be used by foreign adversaries to identify individuals or model sensitive behavior.
Covered Data Transactions
Any transaction involving bulk data between a U.S. company and a covered person qualifies. There are two main types:
Prohibited transactions: Include “data brokerage” transactions with covered persons (defined broadly as any sale, licensing, or similar transfer of U.S. person data to an entity that did not originally collect it). This includes first-party data sales. Also prohibited are transactions that make bulk human ‘omic data or biospecimens accessible to covered persons. Such transactions require a DOJ license unless exempt.
Restricted transactions: Include vendor, employment, or investment agreements with covered persons (e.g., engaging a Hong Kong vendor, hiring a Chinese contractor, or entering a joint venture with a Chinese company). These are permitted only if the U.S. company:
- Implements Cybersecurity and Infrastructure Security Agency (CISA) cybersecurity controls,
- Keeps records for each restricted transaction,
- Maintains a written Data Compliance Program, and
- Conducts annual audits with executive certification.
Exceptions
The Rule contains 10 exemptions based on transaction type. Key ones include:
- Financial services transactions ordinarily incident to providing financial services.
- Telecommunications services in any format.
- FDA-regulated drug, biologic and medical device authorizations and related clinical investigations.
- Personal communications, informational materials, travel, official U.S. government business, or compliance with federal law.
By October 6, 2025, U.S. persons engaging in restricted data transactions must implement the following Data Security Program (DSP) compliance measures:
- Compliance Program: Adopt a written, risk-based program that verifies data flows (including the types and volumes of bulk U.S. sensitive or government-related data), identifies transaction parties and ownership, confirms end uses and transfer methods and verifies vendor identities. The program must be certified annually.
- Auditing: Conduct an annual audit of the compliance program and related systems by a qualified, independent auditor who is not a covered person or from a country of concern. A report of findings must be delivered to a senior officer within 60 days of the audit’s completion.
- Due Diligence: Understand and document data flows, business relationships and transactions subject to the DSP.
- Recordkeeping: Maintain detailed, auditable records of restricted transactions for at least 10 years.
- Reporting: Report any rejected prohibited data brokerage transaction within 14 days. U.S. persons owned 25% or more by a country of concern or covered person and engaged in restricted cloud-computing transactions must file annual reports. The DOJ’s National Security Division may also request additional sworn reports as needed.
Emerging Litigation Under the ECPA
After the DOJ guidance was issued, plaintiffs filed two federal Electronic Communications Privacy Act (ECPA) class actions alleging that digital advertising intermediaries unlawfully intercepted and transmitted users’ data in violation of the Bulk Data Transfer Rule. The cases, John Baker v. Index Exchange (No. 1:25-cv-10517) and Marissa Porcuna v. Xandr, Inc. (No. 4:25-cv-07385), both filed on September 2, 2025, represent the first known attempts to use the Rule to support civil claims under existing federal privacy law.
Under the ECPA, it is generally unlawful to intentionally intercept or procure the interception of any wire, oral, or electronic communication. However, most ECPA lawsuits fail early, often at the motion to dismiss stage, because of what is known as the “party exception.” Under the party exception, a party to a communication can legally intercept communications, meaning that a company capturing or monitoring its own website interactions is typically not considered a third-party “wiretapper.”
The exception, however, does not apply if the interception is done knowingly and intentionally for the purpose of committing a criminal or tortious act. In the above cases, the plaintiffs argue that the party exception does not apply because the alleged data transfers were carried out with the intent to violate the DOJ’s Bulk Data Transfer Rule, essentially reframing what would normally be lawful data collection as an unlawful act tied to national security concerns.
Key Allegations in the Complaints
In Porcuna v. Xandr, Inc., the complaint alleges that Xandr’s advertising infrastructure collected and transmitted users’ communications, including web page context and health-related data, through automated ad systems that relayed information to foreign-based ad platforms. The complaint details how tools such as JavaScript trackers, Prebid.js adapters and cookie-syncing endpoints allegedly enabled Xandr to capture and share identifiers (such as cookies, device IDs and IP addresses) and contextual information about users’ browsing activities.
Similarly, in Baker v. Index Exchange, plaintiffs allege that the company placed users into detailed behavioral “segments” based on inferred traits ranging from geographic location and interests to potentially sensitive attributes like religion or mental health. The complaint asserts that Index Exchange engaged in “cookie syncing” with certain partners to match internal user IDs with identifiers from other advertising platforms, facilitating persistent cross-site tracking.
These lawsuits illustrate how plaintiffs are beginning to invoke national security regulations to strengthen traditional privacy claims, even though the DOJ’s Bulk Data Transfer Rule provides no private right of action.
At the same time, state attorneys general have intensified enforcement against Chinese-owned apps. For example, Texas Attorney General Ken Paxton has brought actions against companies including Alibaba and CapCut for alleged violations of Texans’ privacy rights, while Kentucky, Nebraska and Arkansas have each filed separate lawsuits against Temu, claiming the app operates as spyware to collect sensitive personal data.
Compliance Considerations for Businesses
The convergence of ECPA claims and state AG enforcement with the DOJ’s Bulk Data Transfer Rule highlights how data transfer risk is evolving from a privacy issue into a national security and compliance challenge.
Adtech ecosystems, which rely on cross-platform data exchanges and real-time bidding, may face particular scrutiny. Behavioral identifiers, IP addresses and segment data that previously fell into regulatory gray areas are now expressly identified as potential “covered personal identifiers.” Companies engaged in cookie syncing or bid-stream data sharing should evaluate whether any of their partners could be classified as covered persons or entities in countries of concern.
Organizations handling data that could be considered “sensitive personal data” or “government-related data” under the Rule should evaluate their current practices in light of these developments.
The following actions may help mitigate legal and regulatory risk:
- Map data flows and assess exposure.
- Review vendor agreements and diligence processes.
- Implement CISA-aligned security standards.
- Evaluate anonymization and aggregation claims.
- Monitor litigation trends. The ECPA cases suggest that plaintiffs may continue to test how federal privacy laws can be extended to cover violations of national security regulations. Companies should track court interpretations to gauge how the “party exception” may evolve.
- Prepare for October 2025 compliance deadlines. The DOJ has confirmed that due diligence, audit and reporting obligations took effect October 6, 2025. Organizations engaging in vendor, employment, or investment transactions that could qualify as restricted should establish governance processes now.
With the October 2025 compliance deadline now passed, the DOJ’s Bulk Data Transfer Rule has entered full enforcement. Early lawsuits and state actions show how national security regulations are increasingly shaping privacy risk. Companies should confirm that their data governance, vendor oversight and reporting processes meet the Rule’s ongoing requirements. Compliance with the Rule provides companies with an effective shield against these new litigation threats.