[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2290 Introduced in Senate (IS)]
117th CONGRESS
1st Session
S. 2290
To provide for requirements for data brokers with respect to the
acquisition, use, and protection of brokered personal information and
to require that data brokers annually register with the Federal Trade
Commission.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 24, 2021
Mr. Peters (for himself, Ms. Lummis, and Mrs. Capito) introduced the
following bill; which was read twice and referred to the Committee on
Commerce, Science, and Transportation
_______________________________________________________________________
A BILL
To provide for requirements for data brokers with respect to the
acquisition, use, and protection of brokered personal information and
to require that data brokers annually register with the Federal Trade
Commission.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Broker List Act of 2021''.
SEC. 2. REQUIREMENTS FOR DATA BROKERS.
(a) Requirements With Respect to the Acquisition and Use of
Brokered Personal Information.--A data broker shall not--
(1) acquire brokered personal information through
fraudulent means;
(2) acquire or use brokered personal information for the
purpose of--
(A) stalking or harassing another person;
(B) committing fraud, including identity theft,
financial fraud, or e-mail fraud; or
(C) engaging in unlawful discrimination, including
unlawful discrimination in decisions regarding
employment, housing, and credit eligibility; or
(3) sell or transfer brokered personal information to a
third party if the data broker knows or reasonably should know
that the third party intends to engage in any conduct
prohibited by this Act.
(b) Duty To Protect Brokered Personal Information.--
(1) In general.--A data broker shall develop, implement,
and maintain a comprehensive information security program in
order to protect from security breaches or other inadvertent or
improper disclosure the brokered personal information acquired
by the data broker.
(2) Notification of change of ownership.--If a data broker
is purchased or otherwise acquired by another entity, such
other entity shall provide notification of such purchase or
acquisition to any consumer with respect to which--
(A) the data broker collected, processed, analyzed,
stored or used brokered personal information; and
(B) such other entity plans to continue to collect,
process, analyze, store or use such information.
(3) Program requirements.--The comprehensive information
security program required under paragraph (1) shall--
(A) be written in one or more readily accessible
parts; and
(B) contain administrative, technical, and physical
safeguards that are appropriate to--
(i) the size, scope, and type of business
of the data broker;
(ii) the amount of resources available to
the data broker;
(iii) the amount of stored data of the data
broker;
(iv) the nature and sensitivity of the
brokered personal information stored by the
data broker; and
(v) the need for security and
confidentiality of brokered personal
information.
(c) Annual Registration.--
(1) In general.--Annually, on or before January 31, a data
broker shall--
(A) register with the Commission; and
(B) provide the following information with such
registration:
(i) The name and primary physical, e-mail,
and internet addresses of the data broker.
(ii) If the data broker permits a consumer
to opt out of the data broker's collection of
brokered personal information, opt out of its
databases, or opt out of certain sales of
data--
(I) the method for requesting an
opt-out;
(II) if the opt-out applies to only
certain activities or sales, which
ones; and
(III) whether the data broker
permits a consumer to authorize a third
party to perform the opt-out on the
consumer's behalf.
(iii) A statement specifying the data
collection, databases, or sales activities from
which a consumer may not opt out, and why an
opportunity to opt out is not available.
(iv) A statement specifying the types of
information being collected, as determined by
the Commission, to the extent practicable.
(v) A statement as to whether the data
broker implements a purchaser credentialing
process and, if so, a description of that
process.
(vi) The number of security breaches that
the data broker experienced during the previous
year, and if known, the total number of
consumers whose personal information was
accessed, downloaded, viewed, or otherwise
affected in a breach.
(vii) Where the data broker has actual
knowledge that it possesses the brokered
personal information of minors, a separate
statement detailing the data collection
practices, databases, sales activities, and
opt-out policies that are applicable to the
brokered personal information of minors.
(viii) Any additional information or
explanation concerning its data collection
practices.
(2) Exception.--The requirements under paragraph (1) shall
not apply to a data broker that is already required to comply
with such requirements with respect to another Federal agency.
(3) Public availability.--The Commission shall make the
information described in paragraph (1) available on the
internet website of the Commission, except as necessary to
protect the integrity of ongoing investigations or to protect
the privacy of consumers, or if it is in the interest of public
safety or welfare.
SEC. 3. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.
(a) Unfair or Deceptive Acts or Practices.--A violation of section
2 shall be treated as a violation of a rule defining an unfair or a
deceptive act or practice under section 18(a)(1)(B) of the Federal
Trade Commission Act (15 U.S.C. 57a(a)(1)(B)). The Commission shall
begin enforcement of such violations by not later than 1 year after the
date of the enactment of this Act.
(b) Powers of Commission.--
(1) In general.--The Commission shall enforce this Act in
the same manner, by the same means, and with the same
jurisdiction, powers, and duties as though all applicable terms
and provisions of the Federal Trade Commission Act (15 U.S.C.
41 et seq.) were incorporated into and made a part of this Act.
(2) Privileges and immunities.--Any data broker who
violates section 2 shall be subject to the penalties and
entitled to the privileges and immunities provided in the
Federal Trade Commission Act (15 U.S.C. 41 et seq.).
(3) Civil penalty.--A data broker that fails to register as
required under section 2(c) shall be liable for a civil penalty
in an amount determined by the Commission through the
rulemaking authority under subsection (c).
(4) Authority preserved.--Nothing in this Act shall be
construed to limit the authority of the Federal Trade
Commission under any other provision of law.
(c) Rulemaking Authority for the Commission.--The Commission shall
have authority under section 553 of title 5, United States Code, to
promulgate regulations the Commission determines to be necessary to
carry out the provisions of this Act.
SEC. 4. FTC ANNUAL REVIEW AND REPORT.
(a) Annual Review.--The Commission shall conduct an annual review
of the implementation of the provisions of this Act. Such study shall
include an analysis of--
(1) compliance by data brokers with the requirements under
section 2;
(2) enforcement actions taken by the Commission with
respect to violations of such requirements; and
(3) other areas determined appropriate by the Commission.
(b) Annual Report.--Not later than 1 year after the date of the
enactment of this Act, and annually thereafter, the Commission shall
submit to Congress a report on the review conducted under subsection
(a), together with recommendations for such legislation and
administrative action as the Commission determines appropriate.
SEC. 5. DEFINITIONS.
In this section:
(1) Brokered personal information.--The term ``brokered
personal information'' means any personal information that is
categorized or organized for sale, license, or trade, or is
otherwise disclosed for compensation, to a third party.
(2) Business.--
(A) In general.--The term ``business'' means a
commercial entity, including a sole proprietorship,
partnership, corporation, association, limited
liability company, or other group, however organized
and whether or not organized to operate at a profit,
including a financial institution organized, chartered,
or holding a license or authorization certificate under
the laws of a State, the United States, or any other
country, or the parent, affiliate, or subsidiary of a
financial institution.
(B) Exclusion.--The term ``business'' does not
include a State, a State agency, any political
subdivision of a State, or a vendor acting solely on
behalf of, and at the direction of, a State.
(3) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(4) Consumer.--The term ``consumer'' means an individual
residing in the United States acting in a personal, family, or
household capacity.
(5) Data broker.--
(A) In general.--The term ``data broker'' means a
business that knowingly collects or obtains the
personal information of a consumer with whom the
business does not have a direct relationship and then
sells, licenses, trades, provides for consideration, or
is otherwise compensated for disclosing that
information to a third party.
(B) Direct relationship.--For purposes of
subparagraph (A), a direct relationship with a business
exists if the consumer--
(i) is a current customer;
(ii) obtained a good or service from the
business within the prior 18 months; or
(iii) made an inquiry about the products or
services of the business within the prior 90
days.
(C) Exclusion.--The following activities conducted
by a business, and the collection and sale or licensing
of brokered personal information incidental to
conducting these activities, do not qualify the
business as a data broker:
(i) Providing 411 directory assistance or
directory information services, including name,
address, and telephone number, on behalf of or
as a function of a telecommunications carrier.
(ii) Providing a consumer's publicly
available information if the information is
being used by the recipient as it relates to
that consumer's business or profession.
(iii) Providing publicly available
information via real-time or near-real-time
alert services for health or safety purposes.
(iv) Providing or using information in a
manner that is regulated under another Federal
or State law, including the Fair Credit
Reporting Act, the Gramm-Leach-Bliley Act, or
the Health Insurance Portability and
Accountability Act.
(v) Providing data to a third party at the
direction of the consumer and with the
consumer's affirmative express consent.
(vi) Providing or using information for
assessing, verifying, or authenticating a
person's identity, or for investigating or
preventing actual or potential fraud.
(D) Exclusion from sale.--For purposes of this
paragraph, the term ``sells'' does not include a one-
time or occasional sale of assets of a business as part
of a transfer of control of those assets that is not
part of the ordinary conduct of the business.
(6) Data broker security breach.--
(A) In general.--The term ``data broker security
breach'' means an unauthorized acquisition or a
reasonable belief of an unauthorized acquisition of
more than one element of brokered personal information
maintained by a data broker when the brokered personal
information is not encrypted, redacted, or protected by
another method that renders the information unreadable
or unusable by an unauthorized person or entity.
(B) Exclusion.--The term ``data broker security
breach'' does not include good faith but unauthorized
acquisition of brokered personal information by an
employee or agent of the data broker for a legitimate
purpose of the data broker, provided that the brokered
personal information is not used for a purpose
unrelated to the data broker's business or subject to
further unauthorized disclosure.
(C) Application.--In determining whether brokered
personal information has been acquired or is reasonably
believed to have been acquired without valid
authorization, a data broker may consider the following
factors, among others:
(i) Indications that the brokered personal
information is in the physical possession and
control of a person or entity without valid
authorization, such as a lost or stolen
computer or other device containing brokered
personal information.
(ii) Indications that the brokered personal
information has been downloaded or copied.
(iii) Indications that the brokered
personal information was used by an
unauthorized person or entity, such as
fraudulent accounts opened or instances of
identity theft reported.
(iv) That the brokered personal information
has been made public.
(7) Personal information.--The term ``personal
information'' means information which is related to any
identified or identifiable person.
(8) State.--The term ``State'' means any State of the
United States, the District of Columbia, the Commonwealth of
Puerto Rico, Guam, American Samoa, the Commonwealth of Northern
Mariana Islands, and the United States Virgin Islands.