The bill prohibits data brokers from selling or providing military servicemember lists to any covered nation or to a person controlled by a covered nation. It also requires contractual safeguards with downstream recipients to prevent further transfer to covered nations and prohibits conspiracies or evasion of these prohibitions.
The measure creates FTC enforcement provisions, including penalties under the FTC Act, and authorizes state attorneys general to pursue actions for residents harmed by violations. A rulemaking process is mandated, with a final rule due within one year, and a Comptroller General report due within one year to assess enforcement, resources, and potential expansion of protections.
At a Glance
What It Does
It bars data brokers from selling, reselling, or otherwise providing military servicemember lists to covered nations or entities controlled by them. It also requires downstream recipients to agree not to transfer such data and prohibits evasion or conspiracies.
Who It Affects
Data brokers and their customers, plus military servicemembers and their families who are protected by the data restrictions. Federal and state enforcers gain clear authorities to pursue violations.
Why It Matters
It establishes a security-focused privacy guardrail around sensitive military data, clarifies enforcement mechanisms, and signals a unified federal-state approach to protect servicemembers from foreign data access.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The Act begins by defining who is protected and who must enforce the rules. A “data broker” is a firm that collects and sells or otherwise makes available personal information of individuals with whom it does not have a direct relationship.
A “military servicemember list” is any roster or compilation of personal information about current or former servicemembers that is not public-record information. A “covered nation” is defined by standards in federal law, and a person or entity “controlled by a covered nation” includes foreign entities domiciled or organized abroad, or any entity where a foreign owner holds at least 20 percent or where foreign direction or control exists.
Section 3 makes it unlawful for data brokers to provide a military servicemember list to a covered nation or to a person controlled by a covered nation. It also requires that if a broker sells or provides such a list to any other party, the contract must include a clause prohibiting the recipient from selling or providing the list to a covered nation or its controlled entities.
The section also bars attempts to induce or facilitate violations and prohibits transactions aimed at evading these prohibitions.Section 4 places enforcement in the Federal Trade Commission, treating violations as unfair or deceptive acts under the FTC Act, and it mirrors FTC enforcement procedures and penalties. It preserves the Commission’s authority and adds nonprofit organizations to the enforcement reach.
It also permits independent litigation in federal courts to enjoin violations, obtain damages, and restore harmed consumers. In addition, states’ attorneys general may sue on behalf of their residents, with notice and potential Commission intervention, and venue rules are specified.
The section does not bar other legal remedies under federal or state law.Section 5 requires the Comptroller General to deliver a report within one year assessing enforcement effectiveness, resource needs, and the potential expansion of protections to additional categories of individuals or information, along with recommendations for additional legislation or administrative actions.
The Five Things You Need to Know
The bill prohibits data brokers from selling or providing military servicemember lists to any covered nation or to a person controlled by a covered nation.
A data broker’s downstream recipients must be contractually barred from selling or providing such lists to covered nations or controlled entities.
The Commission (FTC) enforces the rule as an unfair or deceptive act or practice with a mandatory final rule within one year.
States may bring actions on behalf of residents, with consent considerations and potential Commission intervention.
A Comptroller General report due within one year analyzes enforcement, resources, and potential expansions.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
This Act may be cited as the Protecting Military Servicemembers Data from Foreign Adversaries Act of 2025. It lays the groundwork for the prohibitions and enforcement framework that follow in later sections.
Definitions
Key terms are defined to set the scope: the Commission means the Federal Trade Commission; ‘controlled by a covered nation’ includes entities with substantial foreign ownership or control; a ‘covered nation’ aligns with existing statutory definitions; a ‘data broker’ refers to entities that knowingly collect and sell personal information; and a ‘military servicemember list’ covers non-public personal data about servicemembers compiled for dissemination.
Prohibiting providing servicemember lists
This section makes it unlawful for data brokers to sell or provide a military servicemember list to a covered nation or to any person controlled by a covered nation. It also requires contracts with downstream buyers to prohibit further sale or distribution to covered nations or their controlled entities, and it bars conspiracies and transactions intended to evade these prohibitions.
Enforcement
The FTC enforces section 3 as an unfair or deceptive act or practice and uses its existing powers and procedures. The Act also allows nonprofit organizations to be subject to enforcement and provides for independent federal litigation to enjoin, compel compliance, and obtain damages. States’ attorneys general may file suits on behalf of residents, with certain notice provisions and an option for Commission participation; venue and service rules are laid out, and the Act preserves other legal authorities.
Report
Within one year of enactment, the Comptroller General must report to Congress on enforcement, potential resource needs, and whether expanding protections to more categories of individuals or data would further national security interests, plus recommendations for future actions.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Servicemembers and their families, who gain privacy protections and reduced risk of targeted use of personal data by foreign actors.
- Data-broker compliance teams and firms that implement clear governance to avoid penalties and enforcement actions.
- The Federal Trade Commission, which gains enforcement authority and a clear regulatory mandate.
- State attorneys general, who can pursue cases on behalf of residents under a parens patriae framework.
- National security policymakers and defense officials who benefit from reduced data leakage risk and clearer national-security safeguards.
Who Bears the Cost
- Data brokers that currently sell servicemember data will incur compliance costs to meet new restrictions (contracts, governance, audits).
- Small and mid-sized data brokers may face disproportionate costs relative to their scale and resources.
- Recipients of servicemember data in legitimate but restricted use cases may need to alter business models or discontinue certain data-enhanced offerings.
- State and federal enforcement agencies will bear costs associated with investigations, litigation, and rulemaking.
- Covered nations or entities controlled by them lose access to a data stream that may have been relied upon for certain analytical or security-related purposes.
Key Issues
The Core Tension
The central dilemma is whether a strict prohibition on distributing servicemember lists to covered nations can be achieved without unduly constraining legitimate, privacy-respecting data uses and eroding the ability of businesses to manage risk and comply with other laws.
The bill’s scope rests on definitional choices that determine reach—particularly what constitutes a ‘covered nation’ and what qualifies as ‘controlled by a covered nation.’ The 20% ownership or control threshold could still permit access through more complex ownership structures, creating potential loopholes. The reliance on a federal rulemaking process with a one-year deadline for the final rule places weight on administrative capacity and the capacity to harmonize FTC regulations with existing privacy and data-protection regimes.
While the act permits nonprofit enforcement and allows state action, questions remain about cross-border data flows, coordination with other statutes, and how to handle evolving data broker business models.
Another tension lies in balancing robust privacy protections with legitimate data-driven uses, risk assessment, and compliance activities that rely on servicemember data for security and safety purposes. The act provides remedies and remedies-focused enforcement, but it does not spell out all practical implementation details, such as third-party audit standards or the handling of legacy data holdings not clearly categorized under new definitions.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.