On Feb. 5, 2026, Florida Attorney General James Uthmeier announced the launch of the Consumer Harm from International Nefarious Actors (CHINA) Prevention Unit, an enforcement unit targeting companies with ties to foreign adversaries, amid what the announcement characterizes as increasing concerns that data practices may pose a threat to U.S. national security.
In its press release, the Office of the Attorney General explains that the CHINA Prevention Unit will focus on proactively auditing companies’ data practices and mandating disclosure of foreign ties. As part of this strategy, the AG says it will leverage state consumer protection laws like the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) to target businesses that fail to adequately disclose how consumer data is collected, stored, accessed, or transferred in connection with foreign adversaries.
In this early stage, the Prevention Unit’s primary focus appears to be on the healthcare sector. However, the Prevention Unit has already issued subpoenas to international retail companies signaling that other industries may face similar scrutiny.
Florida’s Initiative Closely Echoes Federal Policy and Initiatives in Other States
The CHINA Prevention Unit reflects a strategic repurposing of existing consumer protection frameworks, closely mirroring a broader federal enforcement trend, including the DOJ’s data security program, launched in April 2025, and the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA).
The data security program establishes what the DOJ has termed “export controls” on the transfer of sensitive data to countries of concern, including China, Cuba, Russia, North Korea, Venezuela and Iran.
PADFAA accomplishes similar goals through the Federal Trade Commission (FTC), giving it authority to prosecute companies (or anyone in engaged in the collection and sale of data) that transfer personally identifiable sensitive data to foreign adversaries under Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices.
Using its authority under PADFAA, the FTC recently sent warning letters to 13 data brokers earlier this month, detailing pertinent provisions of PADFAA and outlining compliance requirements, though the identities of recipients were not disclosed.
Several states have announced similar initiatives. Texas recently established a hostile foreign adversaries unit in its Department of Public Safety, focusing on foreign influence activity and cybersecurity protection in the state, which builds on its data privacy team in the Consumer Protection Division of the Office of the Attorney General established in 2024. The Texas Attorney General has also filed several privacy enforcement actions in the last few years. Similarly, in November 2025, the California Privacy Protection Agency created a Data Broker Enforcement Strike Force within its Enforcement Division to investigate privacy violations by the data broker industry, focusing on compliance with the California Consumer Privacy Act (CCPA) and the Delete Act. In September 2025, California also announced a joint investigative privacy sweep with Colorado and Connecticut to assess for noncompliance with the Global Privacy Control, a browser setting that helps monitor and honor opt-out requests.
Florida’s approach in some respects mirrors these federal and state efforts to address what it characterizes as national security-related data exposure and privacy risks to its consumers.
Litigation Risk: Federal Theories as a Blueprint for State-Level Class Actions
If recent federal litigation is any indication, enforcement activity tied to foreign data access will not remain confined to regulators. Plaintiffs lawyers are already leveraging the DOJ’s data security program as a foundation for litigation.
Several class actions were filed late last year in California alleging that companies’ website tracking practices were violating the DOJ’s “Bulk Data Transfer Rule” by transmitting Americans’ sensitive personal data to entities operating under Chinese jurisdiction. Some of these actions have been filed against digital advertising platforms (Xandr, Inc., and Index Exchange, Inc., were named in two cases), and other cases have been filed against international electronics and retail companies.
Although the DOJ rule itself does not create a private right of action, plaintiffs are leveraging the alleged violations of DOJ regulations to support claims under various federal and state legal theories, including: the Electronic Communications Privacy Act (ECPA); the California Invasion of Privacy Act (CIPA); California’s Comprehensive Computer Data Access and Fraud Act; and California’s Unfair Competition Law.
The same dynamic could readily emerge in Florida under the CHINA Prevention Unit’s enforcement regime. If the Prevention Unit issues subpoenas, files public complaints, or makes findings regarding undisclosed foreign data routing, those allegations could serve as a roadmap for follow-on class actions. Once a state investigation becomes public, it may provide detailed factual allegations about foreign ties, ownership structures, and data flow—all of which could be repackaged into civil pleadings.
Even absent a predicate enforcement action, heightened federal and state scrutiny of data transfers may motivate plaintiffs’ firms to file complaints.
Against this backdrop, businesses should not view the CHINA Prevention Unit as solely a regulatory compliance issue, but also as potential catalyst for parallel civil litigation.
Practical Steps for Businesses Operating in Florida
Florida’s CHINA Prevention Unit signals that international data exposure is now a state enforcement priority with potential regulatory and litigation consequences. Businesses operating in Florida should take proactive steps to assess and mitigate risk, including:
Mapping Data Collection
Companies should begin by identifying the categories of sensitive data they collect, where that data is stored, how it is transmitted, and who can access it. This includes reviewing: data flows—including across affiliates and partners, who may have foreign ties in countries of concern; technologies in use on websites and mobile applications; and third-party and vendor agreements to understand the representations made regarding the use and protection of collected data. A clear, documented understanding of where data is stored, routed, and accessible is critical if regulators issue subpoenas or demand audits.
Reassessing Privacy Disclosures
Companies should undertake a careful review of their privacy policies and public-facing disclosures to confirm that they accurately and specifically describe international data transfers, affiliate access, and third-party tracking arrangements. Generalized references to international operations or affiliates may be insufficient if sensitive data is stored in, routed through, or accessible from countries of concern.
Evaluating Foreign Relationships
AG Uthmeier has made clear that foreign ownership and corporate structure are central to the CHINA Prevention Unit’s enforcement focus. Thus, companies with foreign investors, parent entities, or manufacturing relationships in China, Cuba, Russia, North Korea, Venezuela, or Iran should carefully evaluate how those relationships intersect with access to consumer data. This assessment should extend beyond formal ownership to include vendor agreements, technology licensing structures, and arrangements with data brokers and ad networks. If any of a company’s foreign affiliates or partners can access, control, or influence sensitive data—directly or indirectly—risk exposure increases.
Reviewing Federal Guidance
Businesses already evaluating their obligations under the DOJ’s Data Security Program or the FTC’s PADFAA enforcement should ensure that their federal compliance posture aligns with state-level risk in Florida. The DOJ issued a comprehensive compliance guide for entities to ensure their conduct comports with federal policy. This guide could serve as a model for Florida businesses pending Florida-specific guidance, given the closely analogous structure of the federal and Florida regimes.
Monitoring Litigation Trends
Finally, businesses should pay attention to evolving litigation trends and legal developments in this area. A number of pending class actions seek to expand the scope of decades-old statutes to cover modern website and mobile application technologies. Tracking key developments in these cases will help companies understand potential consequences and how they may impact legal risk around consumer-facing technologies. And to the extent that companies are operating in this area, they should be mindful that a subpoena or investigative letter from the CHINA Prevention Unit could attract private plaintiffs. It is therefore imperative to establish clear response protocols for investigative demands and ensure that internal reviews are conducted with appropriate privilege protections.
Conclusion
Florida’s CHINA Prevention Unit has opened a new enforcement front in the data privacy landscape. Businesses that proactively evaluate foreign data exposure and strengthen transparency today will be far better positioned to manage both regulatory scrutiny and follow-on litigation tomorrow.
Ian M. Ross is a co-leader of Sidley Austin’s consumer class actions practice, and experienced trial lawyer who represents clients in business disputes, commercial and securities litigation, nationwide class actions, and government investigations.
Julia M. Steiner is an associate with the firm. She focuses her practice on commercial litigation.
Mar 3
Deal Summary
