For years, the general structure of data security and privacy regulation in the United States has been relatively stable. Every U.S. state now has some form of data breach law or regulation, and more states are enacting comprehensive data privacy regimes modeled after the European Union’s General Data Protection Regulation (GDPR) every year. However, the new state-level requirements largely have been harmonious with those of other states, and change has been more a matter of imposing an individual-rights-based framework rather than introducing any significant changes in the types of data or entities subject to regulation.
On the federal side, data privacy regulation primarily has been sector-specific (health care, financial services, government contractors) or targeted at certain categories of data, such as children’s personal information. Entities have had years to adapt to regulation and enforcement of these provisions and to learn how regulators prioritize, investigate and bring enforcement actions. Consequently, companies and their counsel have years of experience and a body of enforcement actions to help them navigate compliance and predict the outcomes of violations.
The common theme among data security and privacy laws has been to protect people’s data from private actors and to give them more control over how their data is collected, used and disclosed. These laws and regulations have followed a notice and consent model, requiring companies to provide notice or obtain consent when they collect or use someone’s data. Many of these regulations exempt certain industries and do not apply to data that is anonymized, de-identified or aggregated.
The familiar landscape, however, is beginning to shift, and at a rapid clip. The Department of Justice (DOJ) recently launched its new data security program (DSP). The DSP is a novel data privacy regulation, with a new purpose, new scope of regulated data and a new regulator.
On the DSP home page, the DOJ describes the DSP as “establish[ing] what are effectively export controls” to prevent foreign adversaries, and those subject to their control, jurisdiction, ownership and direction, from accessing bulk US sensitive personal data and government-related data. Although the DSP regulations became effective on April 8, 2025, the DOJ provided a 90-day enforcement grace period which expired July 8, 2025. While the DOJ gave entities and individuals until Oct. 6, 2025 to comply with certain obligations, all requirements under DSP are now enforceable.
Unlike the existing regime of regulations intended to protect individual privacy rights, the DSP, according to the final rule implementing Executive Order 14117, aims to protect the national security of the United States. The DSP prohibits or restricts certain covered data transactions with countries of concern or covered persons. The DOJ has designated China (including Hong Kong and Macau), North Korea, Cuba, Iran, Russia and Venezuela as countries of concern. It defines a covered data transaction as any transaction that gives a country of concern or covered person access to any government-related data or bulk US sensitive personal data and that involves: (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement. The thresholds for the definition of bulk vary depending on the type of data collected, but can be as low as 1,000 US persons for biometric identifiers and precise geolocation information.
Certain covered transactions, including data brokerage transfers to a country of concern or covered person, are prohibited unless an exception applies. Prohibited transactions also include transfers of “human ‘omic data” to a country of concern or covered person, including human genomic (DNA sequencing), proteomic (protein functionality), epigenomic (modifications to DNA that affect gene activity without changing the sequence) and transcriptomic (gene expression level) data. Other covered transactions are restricted, including those involving a vendor agreement, employment agreement or investment agreement with a country of concern or covered person. US persons can engage in these restricted transactions, but they must comply with new security, audit and recordkeeping requirements. They must also implement policies and procedures to conduct due diligence before entering into the restricted transaction.
The DSP’s expansive definitions encompass data, transactions and entities beyond those covered by current regulatory schemes. Under the DSP, the term data brokerage means the sale of data, licensing of access to data, or similar commercial transactions (excluding employment, investment and vendor agreements) where the recipient of a transfer of data did not collect or process the data directly from the individual. In its April 11, 2025 Data Security Program: Compliance Guide, the DOJ stated that “some activities that may not be thought of as data brokerage may nonetheless constitute data brokerage under the DSP, such as a US company maintaining a website or mobile application that contains ads with tracking pixels or software development kits that were knowingly installed.”
Further, the term sensitive personal data broadly covers personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof. And unlike most existing data privacy regulations, the DSP’s definition of covered personal identifiers includes combinations of listed identifiers typically considered transactional or otherwise non-sensitive, such as media access control (MAC) addresses, internet protocol (IP) addresses, and cookie data. Moreover, sensitive personal data also includes data that is anonymized, pseudonymized, de-identified, or encrypted. According to the DOJ’s Data Security Program: Frequently Asked Questions, posted Sept. 24, 2025, “[e]ven anonymized data, when aggregated, can still be used by countries of concern and covered persons to identify individuals and to conduct malicious activities that implicate the risk to national security [the DSP is] intended to address.”
While many entities are focused on DSP compliance for covered data transactions directly with countries of concern or covered persons, the DSP also contains prohibitions on covered transactions involving data brokerage with any foreign person, regardless of whether that person is a covered person. Entities may not engage in data brokerage transactions with any foreign person unless they implement contractual measures to ensure the foreign person refrains from engaging in a subsequent transaction involving the data with a country of concern or covered person, a feature akin to prohibitions on evading sanctions or export controls by routing transactions through a third country.
An entity engaging in a restricted transaction will be required to (1) implement security requirements promulgated by the Cybersecurity and Infrastructure Security Agency (CISA), (2) develop and maintain a data compliance program and (3) maintain full and accurate records of each transaction for at least 10 years. The data compliance program must demonstrate a due diligence review of transactions, including risk-based procedures, vendor management and validation, written policies that are certified annually, and written security requirements. Thus, businesses engaging in restricted transactions will need to update contracts, set up compliance programs, audit data flows and understand how to avoid transactions that are prohibited under the rule.
Although the DSP may seem daunting, at its core it requires understanding and appreciating the nature of stored data and the extent to which it is transferred to and entrusted with third parties. Many entities may already be well positioned if they have taken steps to comply with existing data security and privacy laws.
The DOJ’s National Security Division (NSD) is tasked with enforcing the DSP’s requirements through its Foreign Investment Review Section (FIRS). Interaction with and oversight by NSD and FIRS will be new to businesses not engaged in sectors or markets implicated by previously existing national security authorities, and understanding NSD and its operations will be instructive to businesses as they seek to navigate the DSP’s requirements successfully. DSP compliance presents new challenges as businesses seek to determine the priorities, processes and penalties of a regulator new to the data privacy space.
Although NSD is new to its role as a data privacy regulator, it has a long-standing history of spearheading efforts to mitigate the national security risks posed by foreign commerce, including supply-chain security, foreign investment, and other programs to protect the nation from malign actions by foreign adversaries. To assist in the navigation of these new data security requirements, entities can refer to NSD’s comprehensive compliance guide and answers to more than 100 frequently asked questions. Additionally, the DSP creates a mechanism for NSD to issue advisory opinions regarding the application of the DSP to specific transactions.
Failure to comply with the requirements of the DSP can lead to civil penalties of the greater of $377,700 or twice the amount of the transaction involved. Willful violations can result in criminal penalties including up to $1 million and 20 years of imprisonment. To encourage compliance, the Financial Crimes Enforcement Network (FinCEN) established a whistleblower program with financial incentives for individuals reporting DSP violations.
It’s a new day for data privacy and security regulation. As the DOJ ramps up investigations and enforcement, businesses should prioritize knowing their data, knowing their transactions, and understanding the DSP’s requirements and how they might be enforced.
Reprinted with permission from the Nov. 21, 2025 edition of “New Jersey Law Journal” © 2025 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-256-2472 or reprints@alm.com.
