The FTC Just Put 13 Data Brokers on Notice. That Is Not a Privacy Victory. It Is a Body Count.

The courthouse air always smells like marble and denial. The denial is strategic: suits acting like the economy is weather, not a machine with levers, owners, and victims. I am on stale coffee number three, watching the privacy beat do its favorite routine: chase the getaway car after the vault is already empty.

The siren this time is a February 9, 2026 Federal Trade Commission press release. The FTC says it sent letters to 13 data brokers warning them to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA). The law bars data brokers from selling, releasing, disclosing, or providing access to personally identifiable sensitive data about Americans to foreign adversaries, including China, Russia, Iran, and North Korea, or entities they control. The FTC also flagged something especially grotesque: it said it identified instances where some recipients offered products involving whether a person is a member of the U.S. Armed Forces, which can fall under the statute’s protected categories.

Good. Now stop applauding and look at the mechanism.

What the FTC actually did

On the record: the FTC’s Bureau of Consumer Protection sent warning letters to 13 data brokers about PADFAA compliance. PADFAA covers sensitive categories including health, financial, genetic, biometric, geolocation, sexual behavior information, login credentials, and government-issued identifiers. The agency also put a dollar sign on the threat: potential civil penalties of up to $53,088 per violation. Bloomberg Law separately reported the same enforcement move: data brokers are on the FTC’s radar over possible unlawful disclosures to foreign adversaries.

Translation: Washington just admitted the market is a leak by design

Translation: a data broker is a company that turns your life into a spreadsheet and sells rows of it. PADFAA is not a vibes-based “best practices” memo. It is an embargo: you cannot sell Americans’ sensitive data to certain foreign adversaries. No opt-out checkbox. No legal-smoke privacy policy.

So the story is not just that some companies might be breaking a rule. The story is that the default setting is a private surveillance supply chain, and the emergency response is a letter.

Here is the mechanism: compliance theater around a legal business model

Here is the mechanism: PADFAA is narrow by design. It targets transfers to foreign adversaries while leaving untouched the domestic sale of the same sensitive data to basically anyone else with money and a clean enough corporate shell. That is how you get the ritual: warnings, “reviews,” binders, revenue.

Even the penalty line reveals the incentive math. If punishment is rare enough and margins are fat enough, penalties turn into a cost of doing business. A fee to keep the faucet running.

Follow the money: who benefits from treating privacy like a “choice”

Follow the money: brokers profit, but so do downstream buyers who get plausible deniability. It is always cleaner to buy “segments” than admit you are buying people. And the losers are not abstract: servicemembers and their families, patients, protesters, union organizers, immigrants, anyone whose location and routine can be weaponized. The FTC’s armed forces note is the tell. You do not build a product around military status unless you think it sells.

The quiet part

The quiet part: PADFAA draws a border around who is allowed to buy certain data. It does not draw a border around whether that data should be for sale at all. That is border policy for data, not a privacy policy for people.

The letter is not nothing. But if the government has to warn data brokers not to sell soldiers’ data to foreign adversaries, the scandal is not the warning. The scandal is the sale.

Accountability is not a press release. It is enforcement, audits, state AGs, inspectors general, courts with discovery, and privacy statutes that treat sensitive data like a hazard, not a revenue stream.