U.S. companies are running out of time to comply with a sweeping new Department of Justice (DOJ) rule that limits sharing sensitive personal data with certain foreign countries—including China, Russia, and Iran. With a hard compliance deadline of July 8, 2025, businesses must act quickly to avoid steep civil or criminal penalties.

The rule, which is part of a broader DOJ national security initiative, took effect on April 8, 2025. However, the agency is offering a short “good faith” grace period for companies actively working to meet the new requirements. After July 8, enforcement actions can carry fines of up to $1 million and potential prison sentences of up to 20 years.

What the Rule Covers

The DOJ’s data security rule prohibits or restricts U.S. companies from sharing bulk sensitive personal datawith individuals or entities from designated “foreign adversary” nations. Affected data types include:

• Human genomic and biometric data
• Precise geolocation
• Health information
• Financial data and identifiers like account names and passwords
• Logs from fitness apps or wearables
• Government-related location data or data linked to U.S. government employees

What Companies Need to Do Now

To comply, businesses can take the following actions:

1. Audit Data
   Identify whether the company stores or transmits regulated data and whether the volumes meet “bulk” thresholds defined by the rule.
2. Review Contracts and Data-Sharing Agreements
   Amend or terminate any transactions or contracts that give covered foreign persons access to sensitive data, including data licensing, brokerage, or research partnerships.
3. Evaluate Foreign Partnerships
   Agreements with non-adversary foreign entities must now include language stating that data will not be passed on to restricted parties.
4. Assess Vendor and Investment Exposure
   Transactions that grant foreign employees, investors, or vendors access to regulated data require strong security controls and may require renegotiation.
5. Build a Compliance Program
   Companies should implement written policies, employee training, and auditing systems and report violations to the DOJ.

With less than two months remaining, companies are urged to determine the next steps for compliance, conduct a comprehensive risk assessment, and review the DOJ’s newly released compliance guide. The DOJ encourages informal inquiries before the deadline but will not review requests for advisory opinions or licenses before July 8.

Companies that handle sensitive personal data must treat the new rule as a top compliance priority or risk serious consequences for the business.