Bulk Data Transfer Rule Highlights Heightened Compliance Risks for Location Data

The Department of Justice’s (DOJ) new Bulk Transfer Rule (the “Bulk Transfer Rule”), which is intended to prevent countries of concern[1] or covered persons (as defined in §202.211) from receiving personal information on U.S. citizens due to national security concerns, places precise geolocation data and other location-enabled data assets (i.e., data that can be tied to a location) at the epicenter of U.S. national-security scrutiny. National security concerns associated with personal information have grown with mounting evidence that countries are trying to exploit the vast amounts of digital information being collected on U.S. citizens. While the rule restricts transfers of several types of personal information[2] to countries of concern and covered persons, companies will struggle most with understanding whether its onerous requirements apply to the vast amounts of precise geolocation data and other types of location-enabled data they are collecting, processing, storing, and in some cases trying to monetize through artificial intelligence (AI). The scope and nature of location data make determining if and how such data could be accessed by countries of concern or covered persons a significant challenge. However, failure to comply can result in harsh penalties, including substantial civil penalties (the greater of $377,700 or twice the value of the applicable transaction) and potential criminal liability.

The challenge for location-enabled data arises from several factors:

Defining Location Information is Hard

First, location information is very difficult to define. For example, under the Bulk Transfer Rule, precise geolocation data is defined as “any information, historical or real-time, that identifies the location of an individual or device within 1,000 meters.” This differs significantly from the definition under the California Consumer Privacy Act (CCPA), which defines it as data “that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet” (i.e., approximately 550 meters). Meanwhile, the definition under the Virginia Consumer Data Protection Act (VCDPA) is “information derived from technology, including but not limited to Global Positioning System (GPS) level latitude and longitude coordinates or other mechanisms, that identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet.” Determining the accuracy of any location dataset is difficult, but determining what data within a larger dataset places a consumer within 550 meters of a location will be impossible for all but the most technically savvy companies.

Equally important for compliance purposes is the definition of “device,” as an individual’s precise geolocation information is often determined through an associated device. Yet this has proven to be as difficult to define from a legal standpoint. As noted above, the CCPA applies to data that is “derived from a device that is used or intended to be used to locate a consumer” within a geographic area, while the VCDPA more broadly applies to “information derived from technology.” Unfortunately, the Bulk Transfer Rule uses an even broader definition: a device is defined as “any device with the capacity to store or transmit data that is linked or linkable to a U.S. person.”

These differences may appear to be semantics. But applying the Bulk Transfer Rule to an organization’s various data holdings requires a deep understanding of how different technologies collect location information. In today’s world, that is becoming increasingly difficult, as “smart” technology often means location-enabled, and the list of technologies that collect a person’s location (e.g., GPS, Wi-Fi, cell towers, RFID, and sensors in automobiles and on drones, aircraft and satellites) is long and growing. The number of devices that can collect an individual’s location and can store or transmit data is also growing. These include smartphones and tablets, laptops and desktop computers, wearable technology (e.g., smartwatches and fitness trackers), connected vehicles and in-vehicle navigation systems, Internet of Things (IoT) devices (e.g., smart home assistants, connected appliances, and sensors), key fobs, cameras, home security/surveillance equipment, license plate readers and red-light cameras. Many companies are using and storing information collected from some subset of these devices in their operations. Parsing through the complex Bulk Transfer Rule to understand how it applies to a particular dataset, device or use case will be challenging for many companies, as technologies (and devices) collect location information in different ways, with differing degrees of accuracy and precision and for different uses. Simply finding this data within an organization will be a challenge for some companies, as databases and workflows were not created with regulatory oversight in mind.

The Bulk Transfer Rule does not apply just to precise geolocation data. It also applies to “covered personal identifiers,” which include ZIP codes, residential streets or postal addresses linked or linkable to another personal identifier, such as an IP address or cookie data; a full or truncated government identification or account number (such as a Social Security number, driver's license or passport number); a full financial account number or personal identification number associated with a financial institution; a device-based or hardware-based identifier; an advertising identifier (such as Google Advertising ID, Apple ID for Advertisers, or other mobile advertising ID); or account-authentication data (such as account username, account password, or an answer to security questions). For purposes of the Bulk Transfer Rule, “linkable” includes situations in which personal identifiers (whether involved in a single covered data transaction or in multiple covered data transactions between the same or related parties) are reasonably capable of being associated with the same person.

Location Information is a Business Enabler

A second, equally challenging factor is the versatility and power of location information. Location information is used in some form by companies in every industrial sector and by every government agency. Businesses are using location information daily for advertising and marketing, to track inventory, assets and employees, routing, and security. As a result, much of this is stored in various databases across an organization and, in the aggregate, can be linked to an individual using AI and other tools. For example, geocoding APIs can convert an address into a lat/long coordinate or a place ID (and reverse geocoding technology can change a lat/long coordinate into an address).

The Title of the Bulk Transfer Rule is Misleading

A third challenge is how the Bulk Transfer Rule is written. For example, companies may assume that the Bulk Transfer Rule does not apply to them because they do not sell their location data assets to third parties. However, the definition of what constitutes a transfer is quite broad and includes transactions that would not normally be considered a transfer. Under the rule, certain (i) data brokerage arrangements, (ii) vendor agreements, (iii) employment agreements and (iv) investment agreements are either prohibited or restricted transactions.

Data brokerage agreements with countries of concern or covered persons involving data subject to the Bulk Transfer Rule are prohibited. A data brokerage agreement includes the sale or licensing of access to data where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. Access is broadly defined to include the ability to obtain, read, copy, edit, or view data in any form, including through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment, or software. Given the difficulty in identifying a company’s location-enabled data and how the Bulk Transfer Rule applies to it, a company may not know if access has been granted to countries of concern or covered persons. For example, licensing of a chatbot that has been trained on bulk sensitive data of U.S. persons could be a data brokerage arrangement if the licensee could use the chatbot to access the training data. Quite remarkably, the sale or licensing of a ZIP code, residential street or postal address could be subject to the Bulk Transfer Rule if the recipient acknowledges it plans to link the data to other personal identifiers or sensitive information.

In addition, a company that enters into a data brokerage transaction with any foreign person (i.e., not just a country of concern or covered person) that provides the foreign person access to government-related data or U.S. sensitive personal data must contractually require that the foreign person refrain from engaging in any subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person. It must also report any known or suspected violation of the contractual requirements.

Restricted transactions include vendor agreements, employment agreements and investment agreements with countries of concern or covered persons. A vendor agreement is defined as providing goods or services for payment. As a result, the Bulk Transfer Rule would, for example, restrict using a cloud-computing service from a covered country to store certain personal data. The Bulk Transfer Rule could also apply to employment of an individual who is a covered person with access to covered personal identifiers and to certain investors. Companies involved in transactions must comply with certain requirements, including developing a data compliance program, training, record-keeping requirements and third-party audits.

The term “bulk” in the context of the Bulk Transfer Rule is similarly misleading, particularly with location information. Bulk is defined as a collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, where such data meets or exceeds a certain applicable threshold. While the bulk threshold for covered personal identifiers is data collected about or maintained on more than 100,000 U.S. persons, the threshold for precise geolocation data is data from only 1,000 U.S. devices. For “government-related data” the threshold is even smaller: the bulk threshold is any precise location data within an area listed on the Government-Related Location Data List or any sensitive personal data that is marketed as linked or linkable to current or recent former employees or contractors, or former senior officials (e.g., addresses of active-duty military officers living in Howard County, Maryland).

Many companies will also struggle with the Government-Related Location Data List, a list of lat/longs for geofenced areas for which the government has determined that any disclosure of personal location information is a national security risk. Initially, 736 areas are listed, although that number could change. Some companies will not have the expertise to determine whether any precise location information in their records was collected within these broad geographic areas with the degree of precision required for a rule with such draconian penalties.

Practical Next Steps

The Bulk Transfer Rule applies to knowingly directing or engaging in prohibited or restricted transactions. As the term knowingly is broadly defined to include both actual knowledge as well as reasonable knowledge, it will be essential for all companies that have business relationships with companies and individuals outside the U.S. to understand which of their data assets are location-enabled. All location-enabled data should be cross-checked against the Government-Related Location Data List and flagged (or stored separately) if found to have been collected within those areas to protect against inadvertent disclosure or transfer.

Companies should also determine whether any of these data assets are being transferred to countries of concern or covered persons in ways that might constitute a covered transaction. Depending upon the company, this might include due diligence on vendors and customers, identifying whether employees from countries of concern have access to such information, and understanding investor profiles. Contracts involving location-enabled data should be updated to include prohibitions on downstream distribution to countries of concern or covered persons. Sales, product, and IT staff should be trained in the new requirements and the applicability to their operations.

The Bulk Transfer Rule is the next step in the evolution of regulating the flow of personal information for national security concerns, beginning with the 2020 Final Rule by the Committee on Foreign Investment in the United States (CFIUS) imposing new requirements for foreign investors who may have control over sensitive personal data of U.S. citizens. Such restrictions on the flows of personal information are likely to increase at both the federal and state levels due to increased national security and privacy concerns exacerbated by the power of AI to make connections and analyze individuals. Given this trend, the power of location data, and the associated complexities, even companies that do not focus on data-driven products and services will benefit from identifying location-enabled data assets today, so they can develop appropriate processes, policies, and procedures to protect themselves tomorrow.

If you have questions about this Client Alert or are interested in additional details or guidance, please reach out to Kevin D. Pomfret or your regular PierFerd contact for assistance.


This publication and/or any linked publications herein do not constitute legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, the author(s) and PierFerd assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, this publication may constitute Attorney Advertising. © 2025 Pierson Ferdinand LLP.

[1] China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

[2] Biometric identifiers, human omic data, personal health data, personal financial data.
