The U.S. Department of Justice’s Sensitive Data Bulk Transfer Rule is in effect. That includes, as of Oct. 6, 2025, the requirements on due diligence and compliance.
What does this mean?
If you engage (or may engage) in transfers of sensitive data that hit the bulk thresholds (and "sensitive" covers more than you might think, including demographic data and cookie data), you need to develop and implement a compliance program, either stand-alone or as part of your general governance / compliance program. This includes:
Due Diligence
You need risk-based procedures for verifying the data flows involved in any restricted transaction, including procedures to verify and log, in an auditable manner:
- The types and volumes of sensitive data.
- The identity of the parties to the transaction, including ownership, citizenship and primary residence.
- The end use of the data.
- The method of transfer.
Where a restricted transaction involves a vendor, you also need risk-based procedures for verifying the vendor's identity. The program must also be documented in:
- A written policy that describes the data compliance program, certified annually by an officer, executive or other employee responsible for compliance.
- A written policy that describes how the security requirements set forth in the rule are implemented, also certified annually by an officer, executive or other employee responsible for compliance.
Audit
You need to have your compliance audited by an independent auditor. The auditor examines the transfers of sensitive data and the compliance program and submits a written report that describes:
- The transfers.
- The methodology of the audit.
- The effectiveness of the compliance program.
- Any vulnerabilities or deficiencies.
- Any instances where the security requirements failed or were not effective in mitigating risk of access by covered persons.
- Any improvements or changes that are recommended.
You need to retain the audit report for at least 10 years.