
The DOJ Bulk Data Rule and Ad Tech: What Every Advertiser Needs to Know

 

The Department of Justice’s Bulk Data Rule has fundamentally changed the landscape for advertising technology and digital marketing. For the first time, the sale, transfer, or even indirect exposure of bulk U.S. personal data—including advertising identifiers and IP addresses—to certain foreign entities is not just a privacy issue, but a matter of national security, with severe penalties for violations.

Why Ad Tech Is Squarely in the Crosshairs

Modern advertising relies on the rapid, large-scale exchange of user data—such as device IDs, cookies, pixels, and IP addresses—to target, measure, and optimize campaigns. The DOJ’s new rule, effective April 8, 2025, targets exactly these types of data flows, especially when they involve parties in China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, or Venezuela.

Key Takeaway: Even anonymized, hashed, or encrypted ad identifiers and IP addresses are covered. If your ad tech stack or partners touch these countries, your data practices are now a national security concern.

The Red, Yellow, Green System for Ad Tech

The DOJ classifies data transactions into three categories, each with clear implications for advertising and ad tech companies:

| Category | What It Means for Ad Tech | Example Scenario |
| --- | --- | --- |
| 🚫 Red (Prohibited) | No bulk data sales, licensing, or similar transactions to entities in the six “countries of concern.” | A U.S. app publisher sends 100,000 U.S. users’ ad IDs and IPs to an ad exchange based in China: prohibited. |
| 🟨 Yellow (Restricted) | Vendor agreements, employment agreements, or certain investment agreements with parties owned or controlled by these countries are allowed only if CISA-grade security, annual audits, and reporting are in place. | A U.S. DSP uses a cloud storage vendor 51% owned by a Russian entity to process bulk ad data: allowed only with strict security and annual audits. |
| 🟢 Green (Permitted) | Domestic processing and exports below bulk thresholds; routine HR/payroll; or foreign partners not linked to the six countries. | A U.S. SSP sends 50,000 ad IDs to a French DSP: permitted if under threshold. |

What Counts as “Bulk” Data in Ad Tech?

The thresholds are surprisingly low for the ad industry:

  • 100,000 advertising IDs or IP addresses in 12 months (covered personal identifiers)
  • 1,000 precise geolocation records in 12 months
  • 1,000 biometric records in 12 months

Given the scale of programmatic advertising, these numbers can be reached in hours or days.

Key Point: If you’re sending personal ad data, cookie pools, or device or identity graphs to any foreign partner, you must track volumes closely and know your counterparties’ ownership structure.

Real-World Ad Tech Scenarios

Prohibited (Red) Example

A U.S. company operates a mobile app for U.S. users. As part of selling ad space, it provides IP addresses and advertising IDs for more than 100,000 U.S. users to an ad exchange based in a country of concern. This is a prohibited transaction—even if the data is hashed or anonymized—because it involves bulk covered personal identifiers.

Restricted (Yellow) Example

A U.S. ad tech firm contracts with a vendor that is a foreign person, but who is not a person from a country of concern (a covered person), to process more than 100,000 U.S. ad IDs. The foreign person then employs an individual who is a covered person and grants them access to bulk SPD without the U.S. firm’s knowledge or direction. If there is no covered data transaction between the U.S. firm and the covered person, and there is no indication that the parties engaged in these transactions with the purpose of evading the regulations (such as the U.S. firm having knowingly directed the foreign person’s employment agreement with the covered person or the parties knowingly structuring a prohibited transaction into these multiple transactions with the purpose of evading the prohibition), then neither the vendor agreement nor the employment agreement would be a restricted transaction. The deal is only permitted, however, if the firm implements CISA security controls and the diligence, contractual, and recordkeeping requirements discussed below. Without these, the transaction is prohibited.

Permitted (Green) Example

A U.S. DSP sends 80,000 ad IDs to a UK-based SSP in a year. This is below the threshold and not subject to the DOJ rule (though state privacy laws still apply).

Compliance: What Ad Tech Companies Must Do

The DOJ rule imposes extensive documentation and operational requirements, including:

  • 10-year recordkeeping: Keep full and accurate records of all relevant transactions, audits, and compliance policies for at least a decade.
  • Annual executive certifications: Each year, an executive must certify both a compliance policy and a security-controls policy.
  • Due diligence: Maintain detailed data-flow maps, document all counterparties’ ownership, and have an officer certify completeness annually.
  • Reporting: File annual reports for cloud vendors with ≥25% country-of-concern ownership; report rejected deals or breaches within 14 days.
  • Annual third-party audits: Required for restricted (Yellow) transactions.

Key Action: These requirements go far beyond typical privacy impact assessments. Advertisers and ad tech companies must build new compliance infrastructure and train sales, ad-ops, and legal teams accordingly.

Three Questions for Every Ad Tech Deal

  1. Who’s on the other end?
    Is the counterparty headquartered in, owned by, or staffed from a country of concern?
  2. How much data?
    Will your transfer cross a bulk threshold within 12 months?
  3. What’s the nature of the deal?
    Is it a data sale or license, vendor agreement or investment agreement?

If the answers to #1 and #3 are yes and #2 is above threshold, the deal is likely prohibited or restricted.

Immediate Steps for Ad Tech Compliance

  • Map all data flows and volumes—know exactly where your data goes and how much data is sent.
  • Screen every partner—vet ownership and control for all vendors, cloud providers, and buyers.
  • Color-code contracts—Red: exit; Yellow: add Bulk-Data Addendum & schedule audits; Green: monitor.
  • Implement CISA-grade security—including encryption, key management, MFA, zero-trust IAM, detailed logging.
  • Prepare for reporting—set up processes for 14-day breach/rejection notices and annual filings.
  • Train your team—ensure everyone from ad-ops to legal understands the new rules.

Deadline: All legacy contracts for restricted transactions must be revised by October 6, 2025. Annual reporting for 2025 activity begins March 1, 2026.

Penalties and Enforcement

Violations can result in civil fines far exceeding those under state privacy laws, and executives face personal criminal liability for willful violations. The DOJ can subpoena records before or after a transaction, so documentation and proactive compliance are critical.

The Bottom Line for Ad Tech

The DOJ Bulk Data Rule is a paradigm shift for advertising and ad tech. It bans bulk-data sales to six adversary states and imposes requirements for CISA-grade security, audits, and reporting on many offshore deals once record counts hit set thresholds. Ad tech companies must act now: map, screen, contract, secure, and audit before October 6, 2025, or risk severe penalties.

Next Step: Activate a “Bulk-Data SWAT Team,” finalize your data flow map, and send a Bulk-Data Addendum to every offshore counterparty.
