Javascript is not enabled.

Javascript must be enabled to use this site. Please enable Javascript in your browser and try again.

Skip to content
Content starts here
CLOSE ×
Search
Leaving AARP.org Website

You are now leaving AARP.org and going to a website that is not operated by AARP. A different privacy policy and terms of service will apply.

Executive Order Seeks to Protect Americans’ Privacy

The aim is to keep sensitive personal data from foreign adversaries


spinner image a keyboard with a hand over it with different colors
Getty Images

Many companies profit off individuals’ personal data, as do scammers looking to exploit the information.

Six “countries of concern” also view sensitive personal information as a strategic resource, according to the U.S. intelligence community and the Biden administration.

These countries — China, Cuba, Iran, North Korea, Russia and Venezuela — are buying potentially revealing personal details from data brokers and are looking to leverage the information for blackmail, espionage and malicious activities online, according to a senior Department of Justice official who briefed reporters Tuesday. Once the data is in their hands, the foreign adversaries can manipulate it using artificial intelligence (AI) and other advanced technologies to coerce or target academics, politicians, political groups and others in the United States.

On Wednesday, President Biden issued an executive order that aims to protect Americans’ most sensitive personal data. He authorized the attorney general to prevent the large-scale transfer of such information and create safeguards to help ensure Americans’ privacy.

6 types of personal data covered

The data in need of protection spans seven broad categories, six related to individuals’ privacy:

1. Biometric identifiers, unique physical characteristics such as DNA, fingerprints and iris scans. 

2. Genomic data, which is information hidden in a person’s genes, including inherited diseases

3. Personal financial data, including account balances, assets, liabilities and transactions that someone might have conducted on a website. 

4. Personal health data, such as a patient’s allergies, blood type, immunization status and other medical history.

5. Precise geolocation data gathered from a device such as a connected car, fitness tracker or smartphone that identifies the latitude and longitude of someone within about 1,750 feet. 

6. Additional types of personal identifiable information that describe an individual, including name, address, email address, Social Security number and telephone number. 

The seventh category is sensitive government-related data.

In the United States, buying and reselling data through data brokers is legal, and data brokers are mostly unregulated on the federal level. Federal law doesn’t require data brokers to give consumers access to the information collected about them. 

And no one federal agency has the legal authority to regulate consumer privacy, although many do have regulations relating to a specific sector. The Federal Trade Commission requires all companies to maintain reasonable privacy and security of personal information.

Privacy legislation still needed, White House says

Wednesday’s executive action “is carefully crafted to prevent countries of concern from buying up the most sensitive data of Americans through the front door,” a senior administration official said. It’s not a substitute for comprehensive privacy legislation.

Under the order, which will be subjected to multiple rounds of public comments and what could be a lengthy rule-making process, the Department of Justice will be authorized “to regulate certain narrow categories of cross-border transactions that pose an unacceptable risk.”

As part of the process, government officials say they are consulting with human rights groups, labor unions, privacy advocates, tech companies and others to carve out important exemptions to mitigate any unintended economic consequences. For instance, certain financial transactions or routine business operations within multinational companies, such as payroll, may be exempt.

Wednesday’s action is Biden’s 133rd executive order since being sworn into office in January 2021. In May 2021, the president addressed cybersecurity threats to government agencies and infrastructure in another executive order, and in March 2023 he prohibited the U.S. government from using commercial spyware unless it helps protect computer systems and intelligence against security risks.

Because executive orders are not laws created by Congress, a future president can revoke them.

Unlock Access to AARP Members Edition

Join AARP to Continue

Already a Member?