[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3627 Introduced in Senate (IS)]
<DOC>
117th CONGRESS
2d Session
S. 3627
To establish a centralized system to allow individuals to request the
simultaneous deletion of their personal information across all data
brokers, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
February 10, 2022
Mr. Cassidy (for himself and Mr. Ossoff) introduced the following bill;
which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To establish a centralized system to allow individuals to request the
simultaneous deletion of their personal information across all data
brokers, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Elimination and Limiting
Extensive Tracking and Exchange Act'' or the ``DELETE Act''.
SEC. 2. DATA DELETION REQUIREMENTS.
(a) Data Broker Annual Registration.--
(1) In general.--Not later than 1 year after the date of
enactment of this section, the Commission shall promulgate
regulations to require any data broker to--
(A) not later than 18 months after the date of
enactment of this section, and annually thereafter,
register with the Commission; and
(B) provide the following information with such
registration:
(i) The name and primary physical, email,
and uniform resource locator (URL) addresses of
the data broker.
(ii) If the data broker permits an
individual to opt out of the data broker's
collection or use of personal information,
certain sales of such information, or its
databases--
(I) the method for requesting an
opt-out;
(II) any limitations on the type of
data collection, uses, or sales for
which an individual may opt out; and
(III) whether the data broker
permits an individual to authorize a
third party to perform the opt-out on
the individual's behalf.
(iii) A response to a standardized form (as
issued by the Commission) specifying the types
of information the data broker collects or
obtains and the sources from which the data
broker obtains data.
(iv) A statement as to whether the data
broker implements a credentialing process and,
if so, a description of that process.
(v) Any additional information or
explanation the data broker chooses to provide
concerning its data collection practices.
(vi) Any other information determined
appropriate by the Commission.
(2) Public availability.--
(A) In general.--The Commission shall make the
information described in paragraph (1) publicly
available in a downloadable and machine-readable
format, except in the event that the Commission--
(i) determines that the risk of making such
information available is not in the interest of
public safety or welfare; and
(ii) provides a justification for such
determination.
(B) Disclaimer.--The Commission shall include on
the website of the Commission a disclaimer that--
(i) the Commission cannot confirm the
accuracy of the responses provided by the data
brokers in the registration described in
paragraph (1); and
(ii) individuals may contact such data
brokers at their own risk.
(b) Centralized Data Deletion System.--
(1) Establishment.--
(A) In general.--Not later than 1 year after the
date of enactment of this section, the Commission shall
promulgate regulations to establish a centralized
system that--
(i) implements and maintains reasonable
security procedures and practices (including
administrative, physical, and technical
safeguards) appropriate to the nature of the
information and the purposes for which the
personal information will be used, to protect
individuals' personal information from
unauthorized use, disclosure, access,
destruction, or modification; and
(ii) allows an individual, through a single
submission, to request that every data broker
who is registered under subsection (a) and who
maintains any persistent identifiers (as
described in subparagraph (B)(iii)) delete any
personal information related to such individual
held by such data broker or affiliated legal
entity of the data broker.
(B) Requirements.--The centralized system
established in subparagraph (A) shall meet the
following requirements:
(i) Subject to the regulations promulgated
in accordance with paragraph (2)(B)(ii), the
centralized system shall allow an individual to
request the deletion of all personal
information related to such individual through
a single deletion request.
(ii) The centralized system shall provide a
standardized form to allow an individual to
make such request.
(iii) Such standardized form shall include
the individual's email, phone number, physical
address, and any other persistent identifier
determined by the Commission to aid in the
deletion request.
(iv) The centralized system shall
automatically hash all submitted information
and allow the Commission to maintain
independent hashed registries of each type of
information obtained through such form.
(v) The centralized system shall only
permit data brokers who are registered with the
Commission to submit hashed queries to the
independent hashed registries described in
clause (iv).
(vi) The centralized system shall allow an
individual to make such request using an
internet website operated by the Commission.
(vii) The centralized system shall not
charge the individual to make such request.
(viii) The centralized system shall
automatically delete any individual data field
stored in the system once such data field has
been stored in the centralized system for 2
years. The Commission shall inform the
individual of this automatic deletion period
when the individual makes a deletion request.
Beginning 4 years after the date of enactment
of this Act, the Commission may promulgate
rules to adjust such retention period or enable
automatic renewal of requests if it determines
that such adjustment or automatic renewal would
better protect individual privacy or the public
interest.
(C) Transition.--
(i) In general.--Not later than 8 months
after the effective date of the regulations
promulgated under subparagraph (A), each data
broker shall--
(I) not less than once every 31
days, access the hashed registries
maintained by the Commission as
described in subparagraph (B)(iv); and
(II) process any deletion request
associated with a match between such
hashed registries and the records of
the data broker.
(ii) FTC guidance.--Not later than 6 months
after the effective date of the regulations
promulgated under subparagraph (A), the
Commission shall publish guidance on the
process and standards to which a data broker
must adhere in carrying out clause (i).
(2) Deletion.--
(A) Information deletion.--
(i) In general.--Subject to clause (ii),
not later than 31 days after accessing the
hashed registries described in paragraph
(1)(B)(iv), a data broker and any associated
legal entity shall delete all personal
information in its possession related to the
individual making the request. Immediately
following the deletion, the data broker shall
send an affirmative representation to the
Commission with the number of records deleted
pursuant to each match with a value in the
hashed registries.
(ii) Exclusions.--In carrying out clause
(i), a data broker may retain, where required,
the following information:
(I) Any personal information that
is processed or maintained solely as
part of human subjects research
conducted in compliance with any legal
requirements for the protection of
human subjects.
(II) Any personal information
necessary to comply with a warrant,
subpoena, court order, rule, or other
applicable law.
(III) Any personal information
related to the suppression list
described in subparagraph (B)(ii).
(IV) Any information necessary for
an activity described in subsection
(e)(3)(B), provided that the retained
information is used solely for any such
activity.
(iii) Use of information.--Any personal
information excluded under clause (ii) may only
be used for the purpose described in the
applicable subclause of clause (ii), and may
not be used for any other purpose, including
marketing purposes.
(B) Do not track list; suppression list.--
(i) Do not track list.--Not later than 18
months after the date of enactment of this
section, the Commission shall promulgate
regulations to prohibit any data broker
registered under subsection (a) from collecting
or retaining personal information on any
individual who has submitted a deletion request
through the centralized system established in
paragraph (1)(A), unless such data collection
is requested by the individual.
(ii) Suppression list.--Not later than 18
months after the date of enactment of this
section, the Commission shall promulgate
regulations to ensure that--
(I) any individual who submits a
deletion request through the
centralized system established in
paragraph (1) shall be included on the
Do Not Track list described in clause
(i); and
(II) each data broker registered
under subsection (a)--
(aa) may not collect or
retain more personal
information than is necessary
to identify an individual who
is included on the Do Not Track
list; and
(bb) in the case that
unnecessary personal
information is collected or
retained, shall immediately
delete any personal information
not required to comply with the
regulations promulgated under
this subparagraph.
(C) Annual report.--Each data broker registered
under subsection (a) shall submit to the Commission, on
an annual basis, a report on--
(i) the completion rate with respect to the
completion of deletion requests under
subparagraph (A); and
(ii) the effectiveness of the suppression
list under subparagraph (B)(ii), including--
(I) the number of times the data
broker collected personal information
related to an individual included on
the suppression list;
(II) the number of times the data
broker collected data resulting in a
match with the hashed registries
maintained by the Commission as
described in paragraph (1)(B)(iv); and
(III) whether the regulations
promulgated under subparagraph (B) and
the structure or format of the hashed
registries promote efficient comparison
of the suppression list with
information collected or retained by
the data broker.
(D) Audit.--
(i) In general.--Not later than 3 years
after the date of enactment of this section,
and every 3 years thereafter, each data broker
registered under subsection (a) shall undergo
an independent third party audit to determine
compliance with this subsection.
(ii) Audit report.--Not later than 6 months
after the completion of any audit under clause
(i), each such data broker shall submit to the
Commission any report produced as a result of
the audit, along with any related materials.
(iii) Maintain records.--Each such data
broker shall maintain the materials described
in clause (ii) for a period of not less than 6
years.
(3) Annual fee.--
(A) In general.--Subject to subparagraph (B), each
data broker registered under subsection (a) and who
maintains any persistent identifiers (as described in
paragraph (1)(B)(iii)) shall pay to the Commission, on
an annual basis, a subscription fee determined by the
Commission to access the database.
(B) Limit.--The amount of the subscription fee
under subparagraph (A) may not exceed 1 percent of the
expected annual cost of operating the centralized
system and hashed registries described in paragraph
(1), as determined by the Commission.
(C) Availability.--Any amounts collected by the
Commission pursuant to this paragraph shall be
available without further appropriation to the
Commission for the purpose of enforcing and
administering this Act, including the implementation
and maintenance of such centralized system and hashed
registries and the promotion of public awareness of the
centralized system.
(c) Enforcement by the Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
subsection (a) or (b) or a regulation promulgated under this
Act shall be treated as a violation of a rule defining an
unfair or deceptive act or practice under section 18(a)(1)(B)
of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(2) Powers of the commission.--
(A) In general.--The Commission shall enforce this
section in the same manner, by the same means, and with
the same jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Any person who
violates subsection (a) or (b) or a regulation
promulgated under this Act shall be subject to the
penalties and entitled to the privileges and immunities
provided in the Federal Trade Commission Act (15 U.S.C.
41 et seq.).
(C) Authority preserved.--Nothing in this section
shall be construed to limit the authority of the
Commission under any other provision of law.
(D) Rulemaking.--The Commission shall promulgate in
accordance with section 553 of title 5, United States
Code, such rules as may be necessary to carry out this
section.
(d) Study and Report.--
(1) Study.--The Commission shall conduct a study on the
implementation and enforcement of this section. Such study
shall include--
(A) an analysis of the effectiveness of the
centralized system established in subsection (b)(1)(A);
(B) the number deletion requests submitted annually
using such centralized system;
(C) an analysis of the progress of coordinating the
operation and enforcement of such requests with similar
systems established and maintained by the various
States; and
(D) any other area determined appropriate by the
Commission.
(2) Report.--Not later than 3 years after the date of
enactment of this section, and annually thereafter for each of
the next 4 years, the Commission shall submit to the Committee
on Commerce, Science, and Transportation of the Senate and the
Committee on Energy and Commerce of the House of
Representatives a report containing--
(A) the results of the study conducted under
paragraph (1);
(B) a summary of any enforcement actions taken
pursuant to this Act; and
(C) recommendations for such legislation and
administrative action as the Commission determines
appropriate.
(e) Definitions.--In this section:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Credentialing process.--The term ``credentialing
process'' means the practice of taking reasonable steps to
confirm--
(A) the identity of the entity with whom the data
broker has a direct relationship;
(B) that any data disclosed to the entity by such
data broker will be used for the described purpose of
such disclosure; and
(C) that such data will not be used for unlawful
purposes.
(3) Data broker.--
(A) In general.--The term ``data broker'' means an
entity that knowingly collects or obtains the personal
information of an individual with whom the entity does
not have a direct relationship and then--
(i) uses the personal information to
perform a service for a third party; or
(ii) sells, licenses, trades, provides for
consideration, or is otherwise compensated for
disclosing personal information to a third
party.
(B) Exclusion.--The term ``data broker'' does not
include an entity who solely uses, sells, licenses,
trades, provides for consideration, or is otherwise
compensated for disclosing personal information for one
or more of the following activities:
(i) Providing 411 directory assistance or
directory information services, including name,
address, and telephone number, on behalf of or
as a function of a telecommunications carrier.
(ii) Providing an individual's publicly
available information if the information is
being used by the recipient as it relates to
that individual's business or profession.
(iii) Providing or using personal
information in a manner that is regulated under
another Federal or State law, including the
Fair Credit Reporting Act, the Gramm-Leach-
Bliley Act, or the Health Insurance Portability
and Accountability Act.
(iv) Providing personal information to a
third party at the express direction of the
individual for a clearly disclosed single-use
purpose.
(v) Providing or using personal information
for assessing, verifying, or authenticating an
individual's identity, or for investigating or
preventing actual or potential fraud.
(vi) Gathering, preparing, collecting,
photographing, recording, writing, editing,
reporting, or publishing news or information
that concerns local, national, or international
events or other matters of public interest for
dissemination to the public.
(C) Exclusion from sale.--
(i) In general.--For purposes of this
paragraph, the term ``sells'' does not include
a one-time or occasional sale of assets of an
entity as part of a transfer of control of
those assets that is not part of the ordinary
conduct of the entity.
(ii) Notice required.--To meet the
exclusion criteria described in clause (i), an
entity must provide notice to the Commission,
in the manner determined appropriate by the
Commission, of any such one-time or occasional
sale of assets.
(4) Delete.--The term ``delete'' means to remove or destroy
information such that the information is not maintained in
human- or machine-readable form and cannot be retrieved or
utilized in such form in the normal course of business.
(5) Direct relationship.--
(A) In general.--The term ``direct relationship''
means a relationship between an individual and an
entity where the individual--
(i) is a current customer;
(ii) has obtained a good or service from
the entity within the prior 18 months; or
(iii) has made an inquiry about the
products or services of the entity within the
prior 90 days.
(B) Exclusion.--The term ``direct relationship''
does not include a relationship between an individual
and a data broker where the individual's only
connection to the data broker is based on the
individual's request--
(i) for the data broker to delete the
personal information of the individual; or
(ii) to opt out of the data broker's
collection or use of personal information,
certain sales of such information, or its
databases.
(6) Hash.--The term ``hash'' means to input data to a
cryptographic, one-way, collision resistant function that maps
a bit string of arbitrary length to a fixed-length bit string
to produce a cryptographically secure value.
(7) Hashed.--The term ``hashed'' means the type of value
produced by hashing data.
(8) Human subjects research.--The term ``human subjects
research'' means research that--
(A) an investigator (whether professional or
student) conducts on a living individual; and
(B) either--
(i) obtains information or biospecimens
through intervention or interaction with the
individual, and uses, studies, or analyzes the
information or biospecimens; or
(ii) obtains, uses, studies, analyzes, or
generates personal information or identifiable
biospecimens.
(9) Personal information.--
(A) In general.--The term ``personal information''
means any information held by a data broker, regardless
of how the information is collected, inferred, created,
or obtained, that is linked or reasonably linkable by
the data broker to a particular individual or consumer
device, including the following information:
(i) Financial information, including any
bank account number, credit card number, debit
card number, or insurance policy number.
(ii) A name, alias, home or other physical
address, online identifier, Internet Protocol
address, email address, account name, State
identification card number, driver's license
number, passport number, or an identifying
number on a government-issued identification.
(iii) Geolocation information.
(iv) Biometric information.
(v) The contents of, attachments to, or
parties to information, including with respect
to email, text messages, picture messages,
voicemails, audio conversations, or video
conversations.
(vi) Web browsing history, including any
search query.
(vii) Genetic sequencing information.
(viii) A device identifier, online
identifier, persistent identifier, or digital
fingerprinting information.
(ix) Any inference drawn from any of the
information described in this paragraph that is
used to create a profile about an individual
that reflects such individual's preferences,
characteristics, psychological trends,
predispositions, behavior, attitudes,
intelligence, abilities, or aptitudes.
(x) Any other information determined
appropriate by the Commission.
(B) Linked or reasonably linkable.--For purposes of
subparagraph (A), information is ``linked or reasonably
linkable'' to a particular individual or consumer
device if the information can be used on its own or in
combination with other information held by or readily
accessible to a data broker to identify a particular
individual or consumer device.
(10) Process.--The term ``process'' means to perform or
direct the performance of an operation on personal information,
including the collection, transmission, use, disclosure,
analysis, prediction, or modification of such personal
information, whether or not by automated means.
(11) Uniform resource locator; url.--The term ``uniform
resource locator'' or ``URL'' means a short string containing
an address that refers to an object on the web.
<all>