Odia Kagan of Fox Rothschild explains:
The U.S. Department of Justice’s Sensitive Data Bulk Transfer Rule is in effect. That includes, as of Oct. 6, 2025, the requirements on due diligence and compliance.
What does this mean?
If you engage (or may engage) in transfers of sensitive data (and sensitive is more than you think it is and can include demographic data and cookie data) that hit the bulk thresholds, you need to develop and implement a compliance program (either as a stand-alone program or as part of your general governance / compliance program). This includes:
Due Diligence
You need risk-based procedures for verifying data flows involved in any restricted transaction, including procedures to verify and log in an auditable manner:
- Types and volumes of sensitive data.
- Identification of the parties, including ownership, citizenship and primary residence.
- End use of data.
- Method of transfer.
- Verify the identities of vendors, where relevant.
- A written policy that describes the data compliance program that is annually certified by an officer, executive or other employee responsible for compliance.
- A written policy that describes the implementation of the security requirements set forth in the rule that is annually certified by an officer, executive or other employee responsible for compliance.
Read more about what the rule requires at Privacy Compliance & Data Security.