Covered Data Transaction
A covered data transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves:
(1) Data brokerage;
(2) A vendor agreement;
(3) An employment agreement; or
(4) An investment agreement.

Government-Related Data
(1) Any precise geolocation data, regardless of volume, for any location enumerated on the “Government-Related Location Data List” in the Bulk Data Regs.
(2) Any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and Intelligence Community.

Sensitive Personal Data
The term sensitive personal data means covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof.

Covered Personal Identifiers
The term covered personal identifiers means any listed identifier: (1) In combination with any other listed identifier; or (2) In combination with other data that is disclosed by a transacting party pursuant to the transaction such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data. (b) Exclusion. The term covered personal identifiers excludes: (1) Demographic or contact data that is linked only to other demographic or contact data (such as first and last name, birthplace, ZIP code, residential street or postal address, phone number, and email address and similar public account identifiers); and (2) A network-based identifier, account-authentication data, or call-detail data that is linked only to other network-based identifier, account-authentication data, or call detail data as necessary for the provision of telecommunications, networking, or similar service.

Listed Identifier
The term listed identifier means any piece of data in any of the following data fields: (a) Full or truncated government identification or account number (such as a Social Security number, driver’s license or State identification number, passport number, or Alien Registration Number); (b) Full financial account numbers or personal identification numbers associated with a financial institution or financial-services company; (c) Device-based or hardware-based identifier (such as International Mobile Equipment Identity (“IMEI”), Media Access Control (“MAC”) address, or Subscriber Identity Module (“SIM”) card number); (d) Demographic or contact data (such as first and last name, birth date, birthplace, ZIP code, residential street or postal address, phone number, email address, or similar public account identifiers); (e) Advertising identifier (such as Google Advertising ID, Apple ID for Advertisers, or other mobile advertising ID (“MAID”)); (f) Account-authentication data (such as account username, account password, or an answer to security questions); (g) Network-based identifier (such as Internet Protocol (“IP”) address or cookie data); or (h) Call-detail data (such as Customer Proprietary Network Information (“CPNI”)).

Personal Financial Data
The term personal financial data means data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a “consumer report” (as defined in 15 U.S.C. 1681a(d)).

Personal Health Data
The term personal health data means health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual. This term includes basic physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms, and allergies); social, psychological, behavioral, and medical diagnostic, intervention, and treatment history; test results; logs of exercise habits; immunization data; data on reproductive and sexual health; and data on the use or purchase of prescribed medications.

Human ‘Omic Data
The term human ‘omic data means human genomic data, human epigenomic data, human proteomic data, and human transcriptomic data, but excludes pathogen-specific data embedded in human ‘omic data sets.

Bulk
The term bulk means any amount of sensitive personal data that meets or exceeds the following thresholds at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person: (a) Human ‘omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons; (b) Biometric identifiers collected about or maintained on more than 1,000 U.S. persons; (c) Precise geolocation data collected about or maintained on more than 1,000 U.S. devices; (d) Personal health data collected about or maintained on more than 10,000 U.S. persons; (e) Personal financial data collected about or maintained on more than 10,000 U.S. persons; (f) Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons; or (g) Combined data, meaning any collection or set of data that contains more than one of the categories in paragraphs (a) through (g) of this section, or that contains any listed identifier linked to categories in paragraphs (a) through (e) of this section, where any individual data type meets the threshold number of persons or devices collected or maintained in the aggregate for the lowest number of U.S. persons or U.S. devices in that category of data.

Exclusions
The term sensitive personal data, and each of the categories of sensitive personal data, excludes: (1) Public or nonpublic data that does not relate to an individual, including such data that meets the definition of a “trade secret” (as defined in 18 U.S.C. 1839(3)) or “proprietary information” (as defined in 50 U.S.C. 1708(d)(7)); (2) Data that is, at the time of the transaction, lawfully available to the public from a Federal, State, or local government record (such as court records) or in widely distributed media (such as sources that are generally available to the public through unrestricted and open-access repositories); (3) Personal communications; and (4) Information or informational materials and ordinarily associated metadata or metadata reasonably necessary to enable the transmission or dissemination of such information or informational materials.

(7) Sensitive data. — The term “sensitive data” includes the following:
• (A) A government-issued identifier, such as a Social Security number, passport number, or driver’s license number.
• (B) Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual.
• (C) A financial account number, debit card number, credit card number, or information that describes or reveals the income level or bank account balances of an individual.
• (D) Biometric information.
• (E) Genetic information.
• (F) Precise geolocation information.
• (G) An individual’s private communications such as voicemails, emails, texts, direct messages, mail, voice communications, and video communications, or information identifying the parties to such communications or pertaining to the transmission of such communications, including telephone numbers called, telephone numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call.
• (H) Account or device log-in credentials, or security or access codes for an account or device.
• (I) Information identifying the sexual behavior of an individual.
• (J) Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual’s device or is accessible from that device and is backed up in a separate location.
• (K) A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.
• (L) Information revealing the video content requested or selected by an individual.
• (M) Information about an individual under the age of 17.
• (O) Information identifying an individual’s online activities over time and across websites or online services.
• (P) Information that reveals the status of an individual as a member of the Armed Forces.
(Q) Any other data that a data broker sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available to a foreign adversary country, or entity that is controlled by a foreign adversary, for the purpose of identifying the types of data listed in subparagraphs (A) through (P).

Countries of concern = China (incl. Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.

“Person” means an individual or entity.

“Foreign person” means any person that is not a U.S. person.

“U.S. person” means any United States citizen, national, or lawful permanent resident; any individual admitted to the United States as a refugee under 8 U.S.C. 1157 or granted asylum under 8 U.S.C. 1158; any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person in the United States.

The term “controlled by a foreign adversary” means, with respect to an individual or entity, that such individual or entity is– (A) a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country; (B) an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly own at least a 20 percent stake; or (C) a person subject to the direction or control of a foreign person or entity described in subparagraph (A) or (B).

(8) Service provider.–The term “service provider” means an entity that– (A) collects, processes, or transfers data on behalf of, and at the direction of– (i) an individual or entity that is not a foreign adversary country or controlled by a foreign adversary; or (ii) a Federal, State, Tribal, territorial, or local government entity; and (B) receives data from or on behalf of an individual or entity described in subparagraph (A)(i) or a Federal, State, Tribal, territorial, or local government entity.

Current maximum civil penalties are not to exceed the greater of $368,136 or an amount that is twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed.

Potential criminal fines and imprisonment are available for willful violations of the regulations. In particular, a maximum of $1,000,000 fine and imprisonment of not more than 20 years, or both, are available in the event of willful violations.

The Federal Trade Commission is provided with enforcement authority under PADFA. Remedies for violation of Section 18(a)(1)(B) of the FTC Act include civil penalties of up to $50,120 per violation and various forms of equitable relief (e.g., disgorgement, injunctions, etc.).