Washington, D.C.

White House Left Off Spy Shield As DC Data Rules Spring Leaks

Published on May 21, 2026

Some of the most protected real estate in America may be wide open in the world of commercial location data. Three congressional Democrats warned Thursday that a new Justice Department rule meant to stop foreign adversaries from buying Americans’ cellphone location data is leaving major Washington power hubs out in the cold - including the White House, the U.S. Capitol and the CIA’s Langley campus.

In a letter to administration officials, Sens. Ron Wyden and Martin Heinrich and Rep. Sara Jacobs argue that those omissions undercut the rule’s national security purpose. They want the department to plug the gaps and swap the current patchwork of coordinates for a wider protection zone that covers the entire Washington, D.C., region.

As reported by the Associated Press, the lawmakers write that "[t]he sale of Americans' location data by data brokers poses a serious threat to U.S. national security" and urge the Department of Justice to both broaden the geographic protections and expand the list of countries barred from acquiring the data. Wyden's staff, working with the Congressional Research Service, compared the rule's published GPS coordinates with known federal facilities and flagged which sites made the cut and which did not. Their conclusion: the department needs to rethink both the map and the roster of foreign buyers covered by the rule.

What the DOJ rule covers

The Justice Department finalized the regulation to implement Executive Order 14117 and set an effective date of April 8, 2025. The rule defines what counts as "government-related" precise geolocation data and bars U.S. persons from selling location data tied to areas that appear on a Government-Related Location Data List. It also broadly restricts bulk sales of U.S. location data to designated countries of concern.

The mechanics, along with the specific geofenced coordinates, are spelled out in the department’s final rule in the Federal Register, which lays out how companies are supposed to identify covered locations and what kinds of transfers are off limits.

Where the rule falls short

Wyden, Heinrich and Jacobs say that technical, coordinate-by-coordinate mapping has produced some glaring blind spots. Their letter notes that the public list of locations - which they describe as 736 geofenced areas - appears to skip several obvious federal sites, including the White House, Congress and CIA headquarters in Langley.

Leaving those off the list, they warn, could let foreign intelligence services buy up smaller datasets and sidestep thresholds that are supposed to block adversaries from scooping up large volumes of highly sensitive information. A Justice Department spokesperson declined to comment on the lawmakers' letter, and the Office of the Director of National Intelligence did not respond to requests for comment, according to reporting on the letter.

Why lawmakers say that matters

The department itself has framed the geofenced list as a national security tool. Its public materials say commercial geolocation datasets can be mined to infer activities at government facilities and to enable intelligence collection against U.S. targets.

The rule’s preamble and related documents point to past episodes in which app data or aggregated location information exposed sensitive operations. That risk is the stated rationale for the new prohibitions and compliance obligations. It also underpins the audit, reporting and recordkeeping requirements imposed on companies that engage in covered transactions.

What lawmakers want fixed

In their letter, Wyden, Heinrich and Jacobs ask the department to enlarge the list of countries of concern and to swap out the current coordinate list for a Washington-region protection zone that would wrap the entire capital area in a single set of guardrails. They argue that a regional approach would be harder for adversaries to game than a series of pinpointed geofences.

The lawmakers also seek more transparency about how the Government-Related Location Data List was created and a review of the policy thresholds that decide when a sale is prohibited. Without changes, they warn, foreign buyers could “stitch together” multiple small purchases to get around device-count thresholds that are meant to keep bulk data off the market.

What happens next

The rule already comes with compliance deadlines and procedural rules. U.S. persons engaged in restricted transactions must develop data compliance programs and auditing practices on the schedule set in the regulation, meaning data brokers and app vendors should already be sorting out which locations and transfers are covered.

If the department revises the location list or changes which countries are considered of concern, companies could face fresh obligations or need to revise earlier compliance reports. The lawmakers’ letter signals they intend to keep pressing the administration for answers and may pursue additional oversight if officials do not act.

For residents, federal workers and anyone walking around D.C. with location-tracking apps in their pocket, the standoff is not just an inside-the-Beltway paperwork fight. It is a live debate over how tightly the government draws the lines around places and movements it deems too sensitive to sell. Wyden, Heinrich and Jacobs are asking for quick clarification so both national security officials and commercial data players know exactly where those lines are.