The government refuses to secure your data
By Malcolm Lee Kitchen III | MK3 Law Group
(c) 2026 – All rights reserved.
The Only Transparent Window Into a Closed Industry
California’s mandatory data broker registry is the clearest public signal available that some brokers are actively selling or sharing American personal data to actors outside the United States. It is not comprehensive. It is not perfectly accurate. But it is the only structured, company-by-company disclosure requirement in the country that forces brokers to answer a direct question about foreign transfers.
The 2026 California Data Broker Registry, covering activity from calendar year 2025, contains 33 registered brokers that self-reported sharing or selling consumer data to a “foreign actor” in the past year. That number is the starting point for understanding the scale of documented foreign-linked data brokerage. It is not the ceiling.
To read those disclosures accurately, you need to understand what California means by “foreign actor.” The definition is narrower than most people assume. It covers the government of a foreign adversary country, or any entity organized under the laws of, or with its principal place of business in, a foreign adversary country. “Foreign adversary country” is tied to the definition of “covered nation” under 10 U.S.C. section 4872. In practice, that means China, Iran, North Korea, and Russia. Not the broader category of all foreign nations. Not companies that happen to operate internationally. A specific, legally defined set of adversary jurisdictions.
That matters for scope. The California disclosure does not concern ordinary international data transfers in the outsourcing sense. It is a disclosure about transfers or sales to actors anchored in a defined set of adversary jurisdictions. When a broker checks “yes” to that question, they are acknowledging contact with entities connected to countries the United States treats as national security threats.
The 33 Brokers: Who They Are and What Data Is at Stake
The full roster of brokers that answered “yes” to the foreign actor question in the 2026 registry spans a wide range of company types, sizes, and data profiles. Some are large, well-known commercial data firms. Others are smaller operations with narrower product lines. Several have headquarters outside the United States.
Among the 33, the data type breakdown is specific and significant. Thirty-two out of 33 disclosed collecting personal information combined with device identifiers. That category covers classic identifiers alongside advertising and device IDs. Five out of 33 disclosed collecting precise geolocation data. One disclosed collecting reproductive health care data. One disclosed collecting government-issued identifiers commonly used to verify identity.
These are not marginal data types. Precise geolocation tied to a real identity can expose where a person lives, works, worships, receives medical care, or meets with others. Government-issued identifiers are the foundation of identity verification across financial systems, border crossings, and security clearances. Reproductive health data is explicitly protected under California law because its exposure creates direct personal risk, particularly for people in states where that information can be used against them. When any of these categories flows to an adversary-connected entity, the risk is not theoretical.
The complete list of companies that self-reported “foreign actor = yes” in the 2026 registry includes the following:
- AggKnowledge Inc. (Brooklyn, New York): disclosed personal info and device IDs. The company disputed the foreign actor classification after the registry was published.
- Asset International, Inc. (Rockville, Maryland): disclosed personal info and device IDs, plus gender identity data. Also reported sharing data with federal government entities.
- Bachmanity, Inc. (Carmel, Indiana): disclosed personal info and device IDs. Disputed the foreign actor classification.
- Cision (Chicago, Illinois): disclosed personal info and device IDs. Reported sharing with federal and state government entities.
- Clarivate (Ann Arbor, Michigan): disclosed personal info and device IDs. Reported sharing with federal and state government entities.
- Clay Labs, Inc. (New York, New York): disclosed personal info and device IDs, plus account login credentials and security codes. Reported sharing with generative AI developers. Disputed the foreign actor classification.
- Command Precision Inc. (Boston, Massachusetts): disclosed personal info and device IDs. Disputed the foreign actor classification.
- CoStar Realty Information, Inc. (Arlington, Virginia): disclosed personal info and device IDs, plus precise geolocation. Reported sharing with federal and state government entities.
- Crimson Hexagon (New York, New York): disclosed personal info and device IDs. Reported sharing with federal and state government entities, law enforcement outside of subpoena or court order, and generative AI developers.
- DR Decision Resources, LLC (Ann Arbor, Michigan): disclosed personal info and device IDs. Reported sharing with federal and state government entities.
- Effyis, Inc. (Provo, Utah): disclosed usernames as its primary data category rather than the standard statutory fields.
- Epsilon Data Management, LLC (Irving, Texas): disclosed personal info and device IDs, plus reproductive health care data. Reported sharing with federal and state government entities. This is the only broker in the 33 to disclose reproductive health data alongside a foreign actor transfer.
- Healthcare Inc (Miami, Florida): disclosed personal info and device IDs, precise geolocation, and gender identity data.
- HubSpot, Inc. (Cambridge, Massachusetts): disclosed personal info and device IDs. Reported sharing with generative AI developers.
- Hunter Web Services, Inc (Wilmington, Delaware): disclosed personal info and device IDs.
- Institutional Shareholder Services Inc. (Rockville, Maryland): disclosed personal info and device IDs, plus sexual orientation data. Reported sharing with federal and state government entities and law enforcement outside subpoena or court order. This is the only broker in the 33 to disclose sexual orientation data alongside a foreign actor transfer.
- Irys, Inc (Reston, Virginia): disclosed personal info and device IDs, plus precise geolocation. Disputed the foreign actor classification.
- L.S Mobile Apps Holdings LTD (Tel Aviv, Israel): disclosed personal info and device IDs. This company is headquartered in Israel, making it one of several non-US-headquartered entities in the registry.
- LightBox Parent, L.P. (Irvine, California): disclosed personal info and device IDs. Reported sharing with federal and state government entities.
- Lightcast, LLC (Moscow, Idaho): disclosed personal info and device IDs. Reported sharing with federal and state government entities.
- MaxMind, Inc. (Waltham, Massachusetts): disclosed personal info and device IDs. Reported sharing with federal and state government entities.
- Media.net Advertising FZ, LLC (Dubai, United Arab Emirates): disclosed personal info and device IDs, plus precise geolocation. Disputed the foreign actor classification. Media.net is headquartered in the UAE, not the United States.
- Meltwater News US, Inc. (San Francisco, California): disclosed personal info and device IDs, plus gender identity data. Reported sharing with federal and state government entities, law enforcement, and generative AI developers.
- Moody’s Corporation (New York, New York): disclosed personal info and device IDs. Reported sharing with federal and state government entities.
- Orgio, Inc. (New York, New York): disclosed personal info and device IDs, plus gender identity data.
- PitchBook Data Inc (Seattle, Washington): disclosed personal info and device IDs, plus gender identity data.
- Preqin Ltd (London, United Kingdom): disclosed personal info and device IDs. Preqin is a UK-headquartered financial data firm.
- Semcasting, Inc. (New York, New York): disclosed personal info and device IDs, plus precise geolocation.
- Similarweb Ltd. (Givatayim, Israel): disclosed personal info and device IDs, government-issued identity verification identifiers, citizenship and immigration status, and gender identity data. Similarweb is headquartered in Israel and carries the most data categories of any broker in the 33.
- Snovio Inc (Prague, Czech Republic): disclosed personal info and device IDs. Snovio lists a Czech Republic address in the registry.
- Veeva Systems Inc. (Pleasanton, California): disclosed personal info and device IDs, plus gender identity data. Reported sharing with federal and state government entities.
- Warmly, Inc. (San Francisco, California): disclosed personal info and device IDs. Disputed the foreign actor classification.
- WINR Data (Amsterdam, Netherlands): disclosed personal info and device IDs, plus gender identity data. Reported sharing with federal and state government entities and law enforcement. WINR Data is headquartered in the Netherlands.
The Dispute Problem
Seven of the 33 brokers contacted a third-party watchdog after the registry was published and stated that their “foreign actor = yes” designation was inaccurate. They claimed they did not actually sell or share data to foreign actors within the statute’s meaning.
That dispute does not erase the public record. The registry disclosures stand unless formally corrected through California’s process. But the existence of acknowledged data quality problems in a mandatory self-reporting system is worth stating directly. Self-reported registries depend on filers understanding the legal definitions, completing forms accurately, and having internal compliance systems capable of tracking what their data actually does after it leaves their systems. The dispute rate among this specific subset suggests that at least some “yes” answers may reflect misunderstanding of the statutory definition rather than confirmed transfers to adversary-linked entities. It also raises the inverse concern: some brokers that answered “no” may not have the internal visibility to know whether their data reached a covered foreign actor through a downstream intermediary.
The disputed entries are marked in the list above. They are not removed from the record. They are flagged as priority verification targets for investigators and journalists working these questions.
The Case Study That Shows How Supply Chains Obscure Origin
The California registry shows which brokers disclosed foreign actor transfers. It does not show the mechanics of how those transfers happen. A 2024 investigative report fills part of that gap.
Reporters investigated a Florida-based data broker that offered a large sample of precise location data associated with US military and intelligence personnel operating in Germany. The location data was granular enough to track movement patterns tied to sensitive national security assignments abroad. The broker marketed the sample publicly.
In follow-up reporting, the same broker claimed that the upstream source of its location data was a Lithuanian advertising technology firm. The Lithuanian firm denied any relationship with the US broker. The exact contractual arrangement remained unresolved in public reporting.
The case demonstrates something important about how cross-border data access operates in practice. The final company in a data transaction can be US-based and still be channeling data that originated from or passed through foreign ad-tech infrastructure. Software development kits embedded in mobile apps, advertising exchanges that aggregate signals across publishers, and intermediary analytics layers all create pathways for data to cross borders without any single broker necessarily knowing the full chain of custody. A US broker selling location data may genuinely not know that the underlying signals were collected by a Lithuanian SDK before being aggregated and sold downstream.
That opacity cuts both ways. It means that a broker’s “no” answer on the foreign actor question may reflect honest ignorance rather than clean conduct. It also means that the 33 confirmed disclosures are likely a significant undercount of actual foreign-linked exposure across the industry.
The Federal Regulatory Response
The US government has moved toward treating cross-border transfers of bulk sensitive personal data as a national security issue rather than a purely commercial privacy matter. Two major federal instruments now apply.
The Protecting Americans’ Data from Foreign Adversaries Act, known as PADFAA, is in force and prohibits data brokers from making personally identifiable sensitive data available to foreign adversary countries or entities controlled by those countries. The covered countries are China, Iran, North Korea, and Russia. The Federal Trade Commission is responsible for enforcement and publicly confirmed in February 2026 that it sent compliance warning letters to 13 data brokers. Those letters do not name foreign counterparties, but they identify the categories of sensitive data at issue, including military status data, and signal that the FTC is actively reviewing broker conduct under this statute. Violations can be treated as unfair or deceptive acts under Section 5 of the FTC Act, which carries civil penalty exposure.
The Department of Justice issued a final rule implementing Executive Order 14117. The rule became effective on April 8, 2025, with some compliance provisions extended to October 6, 2025. The DOJ rule goes further than PADFAA in two meaningful ways. First, it covers a broader list of countries. In addition to China, Iran, North Korea, and Russia, the DOJ rule includes Cuba and Venezuela as “countries of concern,” creating categorical prohibitions and restrictions on covered data transactions with entities in all six countries. Second, the DOJ rule introduces an onward transfer concept analogous to export control reexport restrictions. Even when a US person or entity transacts with a non-covered foreign counterparty, the US party must contractually prohibit that counterparty from further brokering the same data to a country of concern or covered person, and must report known or suspected violations. That provision creates compliance obligations that extend downstream into the supply chain rather than stopping at the immediate transaction.
The combination of PADFAA and the DOJ rule represents a meaningful escalation in the legal treatment of sensitive data transfers. Neither framework requires that a foreign government actually weaponize the data to trigger a violation. The transfer itself, under covered conditions, is the prohibited act.
The Policy Timeline
The regulatory response to foreign-linked data brokerage did not appear suddenly. It developed over several years as specific incidents surfaced and enforcement agencies began to connect commercial data markets to national security exposure.
- In August 2022, the FTC sued Kochava over the sale of geolocation data tied to sensitive locations, including places of worship, reproductive health clinics, and government facilities. That case established the agency’s position that commercial location data carries real-world harm potential.
- Executive Order 14117 was issued in February 2024, directing the DOJ to develop rules restricting bulk sensitive personal data transactions with countries of concern. The DOJ published its final rule in January 2025, with an effective date of April 8, 2025.
- In November 2024, the investigative report about the Florida broker and US military personnel in Germany was published. The follow-up reporting disputing the Lithuanian sourcing claim appeared in February 2025.
- In December 2024, the FTC announced actions against Gravy Analytics, its subsidiary Venntel, and Mobilewalla for selling sensitive location data. Those actions reinforced the agency’s position on location data specifically.
- California’s Data Rights and Opt-Out Platform, or DROP, went live for consumers in January 2026. The platform is designed to allow consumers to submit opt-out requests to all registered brokers through a single interface, with processing obligations starting August 1, 2026.
- The FTC sent PADFAA warning letters to 13 data brokers in February 2026. The 2026 registry compilation highlighting the 33 “foreign actor = yes” disclosures was published in March 2026.
What a Broader Definition of “Foreign Actor” Would Reveal
California’s definition covers adversary-linked entities specifically. If you apply a broader definition, one that includes any entity not located in the United States, plus US entities that operate internationally, the universe of foreign actor transactions becomes very large, very quickly.
Most major advertising platforms, cloud infrastructure providers, and analytics services operate across borders. Data that enters those systems may be processed, stored, or accessed from multiple jurisdictions. Under a broad definition, a significant portion of all commercial data brokerage would qualify as involving a “foreign actor” by virtue of international business operations alone.
That is analytically useful for mapping exposure but practically difficult to enforce, because it does not distinguish between a multinational analytics firm processing data in European data centers under standard contractual terms and a company knowingly selling sensitive records to an entity with ties to a foreign intelligence service.
The practical approach is the one reflected in current US law: define a set of high-risk jurisdictions, impose categorical restrictions on transfers to those jurisdictions, require onward transfer controls for borderline cases, and build out enforcement and reporting mechanisms to generate evidence over time. The California registry is one piece of that infrastructure. PADFAA and the DOJ rule are others.
What the Public Record Cannot Tell You
The 33 brokers in the California registry are the documented starting point. They are not the full picture.
A complete list of all US data brokers selling or transferring American personal data to foreign actors under any broad definition cannot be reconstructed from public sources today. Buyer identities and downstream transfer terms are almost universally treated as confidential commercial information. Supply chains in ad tech are layered, fast-moving, and deliberately opaque. Brokers frequently do not know who their data reaches after the immediate transaction.
The most productive paths to expand beyond the California registry involve several lines of inquiry. Longitudinal comparison of California registry data across prior years, from 2020 through 2026, can identify brokers that newly disclosed foreign actor transfers, which are natural targets for deeper investigation into contract terms and downstream buyers. Federal enforcement documents produced under the DOJ rule after April 2025 may surface compliance artifacts, audit records, and reported violations that name specific foreign counterparties. FTC actions under PADFAA may generate consent decrees and investigation records that fill in buyer-side detail. Location data ecosystem mapping, following the model of the Datastream investigation, can trace upstream sourcing through SDK attribution, ad exchange records, and partner disclosures.
The California registry gives you the first usable roster. Federal rules define the legal guardrails. Investigations expose the mechanics in between. The missing element, specific buyer identities by country and organization at scale, will typically require compelled disclosure through litigation, formal regulatory process, whistleblower reporting, or structured procurement records.
What the Evidence Establishes
Thirty-three registered data brokers self-reported selling or sharing consumer data to foreign adversary-linked entities in 2025. The data types involved include precise geolocation, government-issued identifiers, reproductive health records, and sexual orientation data. At least one documented supply chain connected US military location data to a foreign ad-tech firm, with disputed sourcing claims that were never resolved publicly. Federal regulators have responded with two overlapping legal frameworks that treat outbound transfers of sensitive personal data to adversary jurisdictions as a category of national security risk rather than an ordinary commercial privacy concern.
What the public record does not show is the full scope of the problem. Self-reporting has known accuracy limitations. Supply chain opacity is structural, not accidental. Buyer identities are not publicly disclosed. The 33 documented cases are the floor of what is actually occurring, not the ceiling.
The regulatory infrastructure now exists to generate more evidence. Whether it does depends on enforcement, audits, and the willingness of federal agencies to make findings public rather than resolve them quietly through warning letters and informal compliance conversations.
For republication or citation, please credit this article with link attribution to marginofthelaw.com/.
