Statute Pri9905s9 May 2026

Q1. Does PRI‑9905‑S9 apply to anonymous data?
A: If the data is truly anonymized—meaning re‑identification is impossible using reasonable means—then the statute does not apply. However, many “anonymous” data sets can be re‑identified; the NPSB recommends treating any data that could be linked to an individual as PII until proven otherwise.

Q2. What about cross‑border data flows?
A: The statute applies to any outbound transmission, regardless of destination. If the receiving jurisdiction imposes stricter privacy standards (e.g., GDPR), you must comply with the stricter regime.

Q3. Can a company rely on a third‑party vendor’s compliance certificate?
A: No. The data controller (your organization) remains ultimately responsible. You must verify that the vendor’s processes meet the NPSB standards and obtain a copy of their certificate for your records.

Q4. Are there any exemptions for small businesses?
A: The law includes a “threshold exemption” for entities that process fewer than 5,000 PII records per year and whose annual revenue is under $10 million. However, many small firms still opt to certify voluntarily to gain competitive advantage.

Q5. How does this interact with the upcoming Data‑Transparency Act (DTA) of 2026?
A: The DTA focuses on consumer‑facing transparency and data‑access rights, while PRI‑9905‑S9 tackles how data can be shared safely. In practice, compliance programs should address both statutes simultaneously.


In short, PRI‑9905‑S9 mandates that any organization (public or private) that transmits data containing PII must first apply an approved privacy‑preserving technique—such as differential privacy, homomorphic encryption, or secure multi‑party computation—before the data leaves its original repository.


For a contract to satisfy the Statute of Frauds, the writing must generally contain the following elements:

Posted on April 13, 2026 • by Legal Insights Blog

Quick Take: Statute PRI‑9905‑S9 is a relatively new, niche piece of legislation that governs privacy‑preserving data sharing in the United States. It was enacted in late 2025 as part of the broader “Public‑Resource Innovation” (PRI) package and is already reshaping how tech firms, research institutions, and government agencies handle personally identifiable information (PII). Below, we break down what the statute means, who it affects, and what you should be doing right now to stay compliant.


| Penalty | Description |
|--------------|-----------------|
| Civil Penalties | Up to $10,000 per violation (per dataset) plus a potential treble damages clause if the breach is willful. |
| Criminal Liability | Only in cases of reckless disregard or intentional circumvention—up to $250,000 and 5 years imprisonment (rare). |
| Federal Contract Suspension | Non‑compliant contractors may be barred from future federal contracts for up to 3 years. |
| State Enforcement | States can impose additional penalties under their own privacy statutes. |

In practice, the FTC has signaled that enforcement will prioritize systemic non‑compliance (e.g., large SaaS platforms that repeatedly share raw data without privacy safeguards) rather than isolated mistakes.