Navigating DOJ Rules for Data Brokerage and Vendor Agreements

As of July 8, 2025, full compliance with the DOJ’s Data Security Program (DSP) – implementing former President Biden’s Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern – is expected. To assist organizations in navigating the DSP, this article synthesizes insights shared by Latham & Watkins partners Jennifer Archie and Michael Rubin during a firm program regarding the broad scope of the DSP and its key provisions, particular the broad definition of “data brokerage” that can sweep in significantly more behavior than might be expected. It also provides a checklist for identifying DSP compliance issues around vendor agreements. See our two-part series “DOJ Guidance on Bulk Sensitive Data Rules”: “Enforcement Grace Period and Prohibited Transactions” (May 21, 2025), and “Compliance Program, Recordkeeping and Reporting” (Jun. 4, 2025).

To read the full article

Continue reading your article with an ACR subscription.