[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 2121 Introduced in Senate (IS)]
<DOC>
118th CONGRESS
1st Session
S. 2121
To establish a centralized system to allow individuals to request the
simultaneous deletion of their personal information across all data
brokers, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 22, 2023
Mr. Cassidy (for himself and Mr. Ossoff) introduced the following bill;
which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To establish a centralized system to allow individuals to request the
simultaneous deletion of their personal information across all data
brokers, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Elimination and Limiting
Extensive Tracking and Exchange Act'' or the ``DELETE Act''.
SEC. 2. DATA DELETION REQUIREMENTS.
(a) Data Broker Annual Registration.--
(1) In general.--
(A) Regulations.--Not later than 1 year after the
date of enactment of this section, the Commission shall
promulgate regulations to require any data broker to--
(i) not later than 18 months after the date
of enactment of this section, and annually
thereafter, register with the Commission; and
(ii) subject to subparagraph (B), provide
the following information with such
registration:
(I) The name and primary physical,
email, and uniform resource locator
(URL) addresses of the data broker.
(II) If the data broker permits an
individual to opt out of the data
broker's collection or use of personal
information, certain sales of such
information, or its databases--
(aa) the method for
requesting an opt-out;
(bb) any limitations on the
type of data collection, uses,
or sales for which an
individual may opt-out; and
(cc) whether the data
broker permits an individual to
authorize a third party to
perform the opt-out on the
individual's behalf.
(III) A response to a standardized
form (as issued by the Commission)
specifying the types of information the
data broker collects or obtains and the
sources from which the data broker
obtains data.
(IV) A statement as to whether the
data broker implements a credentialing
process and, if so, a description of
that process.
(V) Any additional information or
explanation the data broker chooses to
provide concerning its data collection
practices.
(VI) Any other information
determined appropriate by the
Commission.
(B) Construction.--Nothing in this paragraph shall
be construed as requiring a data broker to disclose any
information that is a trade secret or confidential
information described in section 552(b)(4) of title 5,
United States Code.
(2) Public availability.--
(A) In general.--The Commission shall make the
information described in paragraph (1)(A) publicly
available in a downloadable and machine-readable
format, except in the event that the Commission--
(i) determines that the risk of making such
information available is not in the interest of
public safety or welfare; and
(ii) provides a justification for such
determination.
(B) Disclaimer.--The Commission shall include on
the website of the Commission a disclaimer that--
(i) the Commission cannot confirm the
accuracy of the responses provided by the data
brokers in the registration described in
paragraph (1)(A); and
(ii) individuals may contact such data
brokers at their own risk.
(b) Centralized Data Deletion System.--
(1) Establishment.--
(A) In general.--Not later than 1 year after the
date of enactment of this section, the Commission shall
promulgate regulations to establish a centralized
system that--
(i) implements and maintains reasonable
security procedures and practices (including
administrative, physical, and technical
safeguards) appropriate to the nature of the
information and the purposes for which the
personal information will be used, to protect
individuals' personal information from
unauthorized use, disclosure, access,
destruction, or modification;
(ii) allows an individual, through a single
submission, to request that every data broker
who is registered under subsection (a) and who
maintains any persistent identifiers (as
described in subparagraph (B)(iii))--
(I) delete any personal information
related to such individual held by such
data broker or affiliated legal entity
of the data broker; and
(II) unless otherwise specified by
the individual, discontinue any present
or future collection of personal
information related to such individual;
and
(iii) allows a registered data broker,
prior to the collection of any personal
information that is tied to a persistent
identifier for which a registry exists, to
submit a query to the centralized system to
confirm that the persistent identifier is not
subject to a deletion request described in
clause (ii).
(B) Requirements.--The centralized system
established in subparagraph (A) shall meet the
following requirements:
(i) The centralized system shall allow an
individual to request the deletion of all
personal information related to such individual
and the discontinuation of any collection of
such personal information related to such
individual through a single deletion request.
(ii) The centralized system shall provide a
standardized form to allow an individual to
make such request.
(iii) Such standardized form shall include
the individual's email, phone number, physical
address, and any other persistent identifier
determined by the Commission to aid in the
deletion request.
(iv) The centralized system shall
automatically salt and hash all submitted
information and allow the Commission to
maintain independent hashed registries of each
type of information obtained through such form.
(v) The centralized system shall only
permit data brokers who are registered with the
Commission to submit hashed queries to the
independent hashed registries described in
clause (iv).
(vi) With respect to the independent hashed
registries described in clause (iv), the salt
shall be different for each such registry and
shall be made available to all registered data
brokers for the purposes of submitting hashed
queries, as described in clause (v).
(vii) The centralized system shall allow an
individual to make such request using an
internet website operated by the Commission.
(viii) The centralized system shall not
charge the individual to make such request.
(C) Transition.--
(i) In general.--Not later than 8 months
after the effective date of the regulations
promulgated under subparagraph (A), each data
broker shall--
(I) not less than once every 31
days, access the hashed registries
maintained by the Commission as
described in subparagraph (B)(iv); and
(II) process any deletion request
associated with a match between such
hashed registries and the records of
the data broker.
(ii) FTC guidance.--Not later than 6 months
after the effective date of the regulations
promulgated under subparagraph (A), the
Commission shall publish guidance on the
process and standards to which a data broker
must adhere in carrying out clause (i).
(2) Deletion.--
(A) Information deletion.--
(i) In general.--Subject to clause (ii),
not later than 31 days after accessing the
hashed registries described in paragraph
(1)(B)(iv), a data broker and any associated
legal entity shall delete all personal
information in its possession related to the
individual making the request and discontinue
the collection of personal information related
to such individual. Immediately following the
deletion, the data broker shall send an
affirmative representation to the Commission
with the number of records deleted pursuant to
each match with a value in the hashed
registries.
(ii) Exclusions.--In carrying out clause
(i), a data broker may retain, where required,
the following information:
(I) Any personal information that
is processed or maintained solely as
part of human subjects research
conducted in compliance with any legal
requirements for the protection of
human subjects.
(II) Any personal information
necessary to comply with a warrant,
subpoena, court order, rule, or other
applicable law.
(III) Any information necessary for
an activity described in subsection
(f)(3)(B), provided that the retained
information is used solely for any such
activity.
(iii) Use of information.--Any personal
information excluded under clause (ii) may only
be used for the purpose described in the
applicable subclause of clause (ii), and may
not be used for any other purpose, including
marketing purposes.
(B) Annual report.--Each data broker registered
under subsection (a) shall submit to the Commission, on
an annual basis, a report on the completion rate with
respect to the completion of deletion requests under
subparagraph (A).
(C) Audit.--
(i) In general.--Not later than 3 years
after the date of enactment of this section,
and every 3 years thereafter, each data broker
registered under subsection (a) shall undergo
an independent third party audit to determine
compliance with this subsection.
(ii) Audit report.--Not later than 6 months
after the completion of any audit under clause
(i), each such data broker shall submit to the
Commission any report produced as a result of
the audit, along with any related materials.
(iii) Maintain records.--Each such data
broker shall maintain the materials described
in clause (ii) for a period of not less than 6
years.
(3) Annual fee.--
(A) In general.--Subject to subparagraph (B), each
data broker registered under subsection (a) and who
maintains any persistent identifiers (as described in
paragraph (1)(B)(iii)) shall pay to the Commission, on
an annual basis, a subscription fee determined by the
Commission to access the database.
(B) Limit.--The amount of the subscription fee
under subparagraph (A) may not exceed 1 percent of the
expected annual cost of operating the centralized
system and hashed registries described in paragraph
(1), as determined by the Commission.
(C) Availability.--Any amounts collected by the
Commission pursuant to this paragraph shall be
available without further appropriation to the
Commission for the exclusive purpose of enforcing and
administering this Act, including the implementation
and maintenance of such centralized system and hashed
registries and the promotion of public awareness of the
centralized system.
(c) Enforcement by the Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
subsection (a) or (b) or a regulation promulgated under this
Act shall be treated as a violation of a rule defining an
unfair or deceptive act or practice under section 18(a)(1)(B)
of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(2) Powers of the commission.--
(A) In general.--The Commission shall enforce this
section in the same manner, by the same means, and with
the same jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Any person who
violates subsection (a) or (b) or a regulation
promulgated under this Act shall be subject to the
penalties and entitled to the privileges and immunities
provided in the Federal Trade Commission Act (15 U.S.C.
41 et seq.).
(C) Authority preserved.--Nothing in this section
shall be construed to limit the authority of the
Commission under any other provision of law.
(D) Rulemaking.--The Commission shall promulgate in
accordance with section 553 of title 5, United States
Code, such rules as may be necessary to carry out this
section.
(d) Study and Report.--
(1) Study.--The Commission shall conduct a study on the
implementation and enforcement of this section. Such study
shall include--
(A) an analysis of the effectiveness of the
centralized system established in subsection (b)(1)(A);
(B) the number deletion requests submitted annually
using such centralized system;
(C) an analysis of the progress of coordinating the
operation and enforcement of such requests with similar
systems established and maintained by the various
States; and
(D) any other area determined appropriate by the
Commission.
(2) Report.--Not later than 3 years after the date of
enactment of this section, and annually thereafter for each of
the next 4 years, the Commission shall submit to the Committee
on Commerce, Science, and Transportation of the Senate and the
Committee on Energy and Commerce of the House of
Representatives a report containing--
(A) the results of the study conducted under
paragraph (1);
(B) a summary of any enforcement actions taken
pursuant to this Act; and
(C) recommendations for such legislation and
administrative action as the Commission determines
appropriate.
(e) Preemption.--
(1) In general.--The provisions of this Act shall preempt
any State privacy law only to the extent that such State law is
inconsistent with the provisions of this Act.
(2) Greater protection under state law.--For purposes of
paragraph (1), a State privacy law is not inconsistent with the
provisions of this Act if the protection such law affords any
person is greater than the protection provided under this Act,
as determined by the Commission.
(f) Definitions.--In this section:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Credentialing process.--The term ``credentialing
process'' means the practice of taking reasonable steps to
confirm--
(A) the identity of the entity with whom the data
broker has a direct relationship;
(B) that any data disclosed to the entity by such
data broker will be used for the described purpose of
such disclosure; and
(C) that such data will not be used for unlawful
purposes.
(3) Data broker.--
(A) In general.--The term ``data broker'' means an
entity that knowingly collects or obtains the personal
information of an individual with whom the entity does
not have a direct relationship and then--
(i) uses the personal information to
perform a service for a third party; or
(ii) sells, licenses, trades, provides for
consideration, or is otherwise compensated for
disclosing personal information to a third
party.
(B) Exclusion.--The term ``data broker'' does not
include an entity who solely uses, sells, licenses,
trades, provides for consideration, or is otherwise
compensated for disclosing personal information for one
or more of the following activities:
(i) Providing 411 directory assistance or
directory information services, including name,
address, and telephone number, on behalf of or
as a function of a telecommunications carrier.
(ii) Providing an individual's publicly
available information if the information is
being used by the recipient as it relates to
that individual's business or profession.
(iii) Providing personal information to a
third party at the express direction of the
individual for a clearly disclosed single-use
purpose.
(iv) Providing or using personal
information for assessing, verifying, or
authenticating an individual's identity, or for
investigating or preventing actual or potential
fraud.
(v) Gathering, preparing, collecting,
photographing, recording, writing, editing,
reporting, or publishing news or information
that concerns local, national, or international
events or other matters of public interest (as
determined by the Commission) for dissemination
to the public.
(vi) Acting as a consumer reporting agency
(as defined in section 603(f) of the Fair
Credit Reporting Act (15 U.S.C. 1681a(f))).
(C) Exclusion from sale.--
(i) In general.--For purposes of this
paragraph, the term ``sells'' does not include
a one-time or occasional sale of assets of an
entity as part of a transfer of control of
those assets that is not part of the ordinary
conduct of the entity.
(ii) Notice required.--To meet the
exclusion criteria described in clause (i), an
entity must provide notice to the Commission,
in the manner determined appropriate by the
Commission, of any such one-time or occasional
sale of assets.
(4) Delete.--The term ``delete'' means to remove or destroy
information such that the information is not maintained in
human- or machine-readable form and cannot be retrieved or
utilized in such form in the normal course of business.
(5) Direct relationship.--
(A) In general.--The term ``direct relationship''
means a relationship between an individual and an
entity where the individual--
(i) is a current customer;
(ii) has obtained a good or service from
the entity within the prior 18 months; or
(iii) has made an inquiry about the
products or services of the entity within the
prior 90 days.
(B) Exclusion.--The term ``direct relationship''
does not include a relationship--
(i) between an individual and a data broker
where the individual's only connection to the
data broker is based on the individual's
request--
(I) for the data broker to delete
the personal information of the
individual; or
(II) to opt-out of the data
broker's collection or use of personal
information, certain sales of such
information, or its databases; or
(ii) required under any State or Federal
law related to the use of personal information.
(6) Hash.--The term ``hash'' means to input data to a
cryptographic, one-way, collision resistant function that maps
a bit string of arbitrary length to a fixed-length bit string
to produce a cryptographically secure value.
(7) Hashed.--The term ``hashed'' means the type of value
produced by hashing data.
(8) Human subjects research.--The term ``human subjects
research'' means research that--
(A) an investigator (whether professional or
student) conducts on a living individual; and
(B) either--
(i) obtains information or biospecimens
through intervention or interaction with the
individual, and uses, studies, or analyzes the
information or biospecimens; or
(ii) obtains, uses, studies, analyzes, or
generates personal information or identifiable
biospecimens.
(9) Personal information.--
(A) In general.--The term ``personal information''
means any information held by a data broker, regardless
of how the information is collected, inferred, created,
or obtained, that is linked or reasonably linkable by
the data broker to a particular individual or consumer
device, including the following information:
(i) Financial information, including any
bank account number, credit card number, debit
card number, or insurance policy number.
(ii) A name, alias, home or other physical
address, online identifier, Internet Protocol
address, email address, phone number, account
name, State identification card number,
driver's license number, passport number, or an
identifying number on a government-issued
identification.
(iii) Geolocation information.
(iv) Biometric information.
(v) The contents of, attachments to, or
parties to information, including with respect
to email, text messages, picture messages,
voicemails, audio conversations, or video
conversations.
(vi) Web browsing history, including any
search query.
(vii) Genetic sequencing information.
(viii) A device identifier, online
identifier, persistent identifier, or digital
fingerprinting information.
(ix) Any inference drawn from any of the
information described in this paragraph that is
used to create a profile about an individual
that reflects such individual's preferences,
characteristics, psychological trends,
predispositions, behavior, attitudes,
intelligence, abilities, or aptitudes.
(x) Any other information determined
appropriate by the Commission.
(B) Linked or reasonably linkable.--For purposes of
subparagraph (A), information is ``linked or reasonably
linkable'' to a particular individual or consumer
device if the information can be used on its own or in
combination with other information held by or readily
accessible to a data broker to identify a particular
individual or consumer device.
(10) Process.--The term ``process'' means to perform or
direct the performance of an operation on personal information,
including the collection, transmission, use, disclosure,
analysis, prediction, or modification of such personal
information, whether or not by automated means.
(11) Salt.--The term ``salt'' means to add a random string
of data to the input of a hash function.
(12) Uniform resource locator; url.--The term ``uniform
resource locator'' or ``URL'' means a short string containing
an address that refers to an object on the web.
<all>