Customs Broker Confidentiality: Client Record Rules in the Digital Age

What Confidentiality Rules Apply to Customs Broker Client Records?

Under 19 C.F.R. 111.24, records pertaining to broker clients are confidential. Brokers must not disclose their contents or any connected information to anyone other than the clients themselves, their surety on a particular entry, and specified CBP officials, except under court subpoena or with written client authorization.

Do Confidentiality Rules Apply When Brokers Use Third-Party Digital Platforms?

Yes. When brokers communicate with importers through platform-embedded chat systems or share client data through third-party technology infrastructure, the confidentiality obligation remains in full force. CBP flagged this risk specifically in HQ H350722 (January 2026). The platform operator is a "person" who may not receive broker client information without written client consent.

---

Digital platforms, cloud-based TMS systems, and shared communication tools have created new challenges for the customs broker confidentiality rule that most brokers have followed for decades without much thought. The rule is straightforward in a traditional setting: don't share client records with third parties. But when a broker's entry software runs on a third-party's servers, when broker-importer communications flow through a platform's chat function, and when client documents are stored in shared cloud environments, the question of who has access to confidential information becomes more complex.

CBP's January 2026 ruling in HQ H350722 brought this issue into sharp focus by identifying specific confidentiality risks with online customs platforms.

Last updated: March 2026

The Rule: 19 C.F.R. 111.24

The regulation is concise. Records "pertaining to the business of the clients serviced by the broker are to be considered confidential, and the broker must not disclose their contents or any information connected with the records to any persons other than those clients," plus their surety on a particular entry and specified CBP officials, "except on subpoena by a court of competent jurisdiction."

CBP revised this regulation in 2022 as part of the broker modernization, but the substance remained unchanged. CBP's "longstanding position on this matter is that absent written client consent, a broker may not share client information" (85 Fed. Reg. 34836, June 5, 2020).

What Counts as "Records"?

The term "records" is defined broadly in 19 C.F.R. 111.1 to include "documents, data and information referred to in" Part 111 of CBP Regulations, plus "any other records required to be maintained by a broker under Part 163." This encompasses entry data, shipping documents, classification workpapers, duty calculations, correspondence with CBP about client entries, and any other information a broker is required to maintain.

In HQ 116025 (September 29, 2003), CBP addressed whether a licensed brokerage subsidiary of UPS could share customer background and revenue information with non-broker affiliates. CBP found that even basic client information (customer name, contact details, account identifiers, and aggregated revenue data) could fall within the confidentiality restriction if connected to records pertaining to client customs business. The "identity of a client is information that appears on entry documents, and thus does relate to the transaction of customs business."

The One-Way Street: Confidentiality Binds Brokers, Not Importers

A critical principle established in HQ H272715 (February 7, 2017) and applied in H350722: the confidentiality rule constrains brokers, not importers. If an importer chooses to share its own entry data, shipping documents, or customs information with a platform, freight forwarder, or any other party, no violation of 19 C.F.R. 111.24 occurs. The regulation governs "whether a violation of 19 C.F.R. 111.24 may occur depends on the flow of client information because 19 C.F.R. 111.24 does not apply to circumstances in which information is disclosed by an entity other than a customs broker."

In the H350722 context: importers uploading documents to the platform did not violate 111.24. But if brokers disclosed client information to the platform operator through the embedded chat function, that would violate 111.24 unless the importer had provided written authorization.

Written Authorization: The Consent Mechanism

CBP has recognized written client consent as a permissible basis for sharing confidential information. In HQ H318461 (August 25, 2022), a broker (World Customs Brokerage) proposed including a consent provision in its POA with importers. The POA language authorized the broker to share records with the importer's freight forwarder, invoice through the freight forwarder, and disclose import transaction records to the freight forwarder. CBP analyzed whether this consent was adequate and provided guidance on its requirements.

The key elements of effective written authorization:

• The importer must be clearly informed that their records will be shared with a third party
• The authorization should identify the type of information being shared (or broadly authorize sharing)
• The authorization can be included in the POA or in a separate consent document
• The importer must execute the authorization voluntarily

Digital Platform Risks: What H350722 Flagged

H350722 identified a specific confidentiality scenario: an online platform with an embedded chat function that brokers and importers use to communicate about entries. Because the chat operates on the platform's infrastructure, the platform operator could access the communications. If a broker shares client-specific entry information through the chat (shipment details, classification decisions, duty calculations), the broker may be disclosing confidential records to the platform operator.

CBP did not find that a violation had occurred (the ruling analyzed the platform's structure, not specific communications). But it flagged the risk clearly enough for brokers using similar platforms to take action.

Practical Guidance for Brokers Using Digital Platforms

Review platform architecture. Understand whether the platform operator has access to data and communications that flow through the platform. If the platform operator can view broker-client messages or access entry data stored on the platform, confidentiality is implicated.

Obtain written client consent. Include a confidentiality consent provision in your POA or engagement agreement. Model it on the language approved in H318461, clearly stating that records may be shared with or through the platform provider.

Separate importer-uploaded data from broker-shared data. Data uploaded directly by the importer to the platform is not subject to 111.24 restrictions. Data shared by the broker (classification workpapers, duty calculations, CBP correspondence) is restricted. Structuring the platform so that the broker's work product is shared directly with the client, not through the platform, can reduce risk.

Consider encrypted communication channels. If broker-client communications must flow through a third-party platform, end-to-end encryption prevents the platform operator from accessing message content, eliminating the confidentiality concern.

Review affiliate data sharing. For brokerages that are part of larger corporate groups, HQ 116025 established that sharing client information with non-broker affiliates (even sister companies under common ownership) requires client consent. Parent and subsidiary corporations are separate legal persons for confidentiality purposes.

Frequently Asked Questions

Can a broker share client data with a cloud-based software provider?

Using cloud software to store and process client records raises 111.24 considerations. The software provider may have access to client data stored on its servers. Best practice: obtain written client consent for cloud storage and processing, and ensure the software provider's terms of service include appropriate data protection commitments.

Does the confidentiality rule apply to former clients?

The regulation refers to "clients serviced by the broker" and covers records the broker is required to maintain under Parts 111 and 163. Brokers must maintain records for five years after the date of entry (19 C.F.R. 163.4). The confidentiality obligation extends to records during the retention period, even for former clients.

Can a broker discuss a client's entry with CBP?

Yes. The regulation explicitly permits disclosure to "the Field Director, Office of International Trade, Regulatory Audit, the special agent in charge, the port director, or other duly accredited officers or agents of the United States." Communications with CBP about client entries are not restricted.

What if the client is a subsidiary of a larger company?

Each corporate entity is a separate "person" for confidentiality purposes. A broker may not share the records of one subsidiary with its parent company or sister subsidiaries without the client subsidiary's written consent, even if the broker also services the parent or other subsidiaries (HQ 116025, 2003).

How does GingerControl handle broker client data?

GingerControl operates as a pre-classification research tool. Importers and brokers use the platform independently for classification research, tariff simulation, and policy tracking. GingerControl does not receive, store, or process broker client entry data. The Classifier accepts product descriptions (input by the user) and produces research output. The research function is separate from the broker-client entry relationship, so broker confidentiality obligations are not implicated by the use of GingerControl's research tools.

---

GingerControl is a pre-classification research tool. It follows the same reasoning process a licensed customs broker uses, including GRI analysis, Section/Chapter Note review, and CROSS ruling research, but the final classification decision benefits from professional judgment.

Need help structuring compliant data practices for your brokerage or import operation? GingerControl offers trade compliance consulting. Talk to our team

---

References

[REF 1] 19 C.F.R. 111.24: Confidentiality of broker client records Source: eCFR

[REF 2] HQ H350722 (Jan. 16, 2026): Platform chat confidentiality risk Source: CROSS

[REF 3] HQ H272715 (Feb. 7, 2017): Confidentiality binds brokers, not importers Source: CROSS

[REF 4] HQ H318461 (Aug. 25, 2022): Written consent via POA Source: CROSS

[REF 5] HQ 116025 (Sept. 29, 2003): Affiliate data sharing restrictions Source: CROSS

[REF 6] 85 Fed. Reg. 34836 (June 5, 2020): CBP position on written client consent Source: Federal Register

[REF 7] 87 Fed. Reg. 63267 (Oct. 18, 2022): Broker modernization, confidentiality unchanged Source: Federal Register

[REF 8] 19 C.F.R. 111.1: Definition of "records" Source: eCFR