As the U.S. doubles down on protecting sensitive personal and government-related data from falling into the hands of the wrong people, a new privacy regulation is on the horizon. The Department of Justice’s Sensitive Data Rule officially takes effect July 8, 2025, and this current “grace period” gives you the chance to prepare. This week we are digging into what this rule means, who it affects, and what your organization should be doing right now to prepare.
The DOJ’s Sensitive Data Rule limits how, and with whom, U.S. organizations can share or sell bulk sensitive or government-related data, especially where there is a risk of it ending up in the hands of foreign adversaries. The rule defines two categories of data-sharing or data-selling transactions:
- Prohibited Transactions: No selling or brokering large datasets to entities linked to restricted countries (even if the data is de-identified).
- Restricted Transactions: Data sharing may be allowed only if strict CISA-level cybersecurity controls are in place, such as encryption, access limitation, completed audits, and more.
The rule does not apply only to data brokers: if you collect, store, transfer, or even enable access to large amounts of sensitive or government-related data, you are likely in scope.
Some examples of organizations/groups that would be in scope:
- Health apps and wearable health devices
- Fintech platforms
- Ad tech companies
- Cloud providers and SaaS platforms
- Any business with remote workers or offshore vendors
If you are covered by this new rule, now is the time to prepare. Here are some suggestions for getting ready before it takes effect:
- Know what data you collect, where it moves, and who can access it.
- Identify any data sharing with entities that may fall under the “countries of concern” list.
- Update contracts and policies for vendors and partners, specifically around data use and sharing.
- Ensure that you align with baseline security requirements, including encryption, role-based access, and monitoring.
- Educate your staff on these new rules.
- Maintain these changes and be prepared for audits/evaluations.
It is important to understand that this rule isn’t just about compliance; it aims to protect U.S. citizens from data misuse, identity theft, and national security threats. It also signals a broader trend: data sovereignty is becoming a global priority. Organizations that take this seriously now won’t just avoid financial or reputational penalties; they will also be better positioned for what’s next in data privacy.