[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 196 Reported in Senate (RS)]
<DOC>
Calendar No. 144
119th CONGRESS
1st Session
S. 196
[Report No. 119-57]
To improve online ticket sales and protect consumers, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
January 22, 2025
Mrs. Blackburn (for herself and Mr. Lujan) introduced the following
bill; which was read twice and referred to the Committee on Commerce,
Science, and Transportation
September 2, 2025
Reported by Mr. Cruz, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To improve online ticket sales and protect consumers, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Mitigating Automated
Internet Networks for Event Ticketing Act'' or the ``MAIN Event
Ticketing Act''.</DELETED>
<DELETED>SEC. 2. STRENGTHENING THE BOTS ACT.</DELETED>
<DELETED> (a) In General.--Section 2 of the Better Online Ticket
Sales Act of 2016 (15 U.S.C. 45c) is amended--</DELETED>
<DELETED> (1) in subsection (a)(1)--</DELETED>
<DELETED> (A) in subparagraph (A), by striking ``;
or'' and inserting a semicolon;</DELETED>
<DELETED> (B) in subparagraph (B), by striking the
period at the end and inserting ``; or''; and</DELETED>
<DELETED> (C) by adding at the end the following new
subparagraph:</DELETED>
<DELETED> ``(C) to use or cause to be used an
application that performs automated tasks to purchase
event tickets from an Internet website or online
service in circumvention of posted online ticket
purchasing order rules of the Internet website or
online service, including a software application that
circumvents an access control system, security measure,
or other technological control or measure.'';</DELETED>
<DELETED> (2) by redesignating subsections (b) and (c) as
subsections (c) and (d), respectively;</DELETED>
<DELETED> (3) by inserting after subsection (a) the
following new subsection:</DELETED>
<DELETED> ``(b) Requiring Online Ticket Issuers To Put in Place Site
Policies and Establish Safeguards To Protect Site Security.--</DELETED>
<DELETED> ``(1) Requirement to enforce site policies.--Each
ticket issuer that owns or operates an Internet website or
online service that facilitates or executes the sale of event
tickets shall ensure that such website or service has in place
an access control system, security measure, or other
technological control or measure to enforce posted event ticket
purchasing limits.</DELETED>
<DELETED> ``(2) Requirement to establish site security
safeguards.--</DELETED>
<DELETED> ``(A) In general.--Each ticket issuer that
owns or operates an Internet website or online service
that facilitates or executes the sale of event tickets
shall establish, implement, and maintain reasonable
administrative, technical, and physical safeguards to
protect the security, confidentiality, integrity, or
availability of the website or service.</DELETED>
<DELETED> ``(B) Considerations.--In establishing the
safeguards described in subparagraph (A), each ticket
issuer described in such paragraph shall consider--
</DELETED>
<DELETED> ``(i) the administrative,
technical, and physical safeguards that are
appropriate to the size and complexity of the
ticket issuer;</DELETED>
<DELETED> ``(ii) the nature and scope of the
activities of the ticket issuer;</DELETED>
<DELETED> ``(iii) the sensitivity of any
customer information at issue; and</DELETED>
<DELETED> ``(iv) the range of security risks
and vulnerabilities that are reasonably
foreseeable or known to the ticket
issuer.</DELETED>
<DELETED> ``(C) Third parties and service
providers.--</DELETED>
<DELETED> ``(i) In general.--Where
applicable, a ticket issuer that owns or
operates an Internet website or online service
that facilitates or executes the sale of event
tickets shall implement and maintain procedures
to require that any third party or service
provider that performs services with respect to
the sale of event tickets or has access to data
regarding event ticket purchasing on the
website or service maintains reasonable
administrative, technical, and physical
safeguards to protect the security and
integrity of the website or service and that
data.</DELETED>
<DELETED> ``(ii) Oversight procedure
requirements.--The procedures implemented and
maintained by a ticket issuer in accordance
with clause (i) shall include the
following:</DELETED>
<DELETED> ``(I) Taking reasonable
steps to select and retain service
providers that are capable of
maintaining appropriate safeguards for
the customer information at
issue.</DELETED>
<DELETED> ``(II) Requiring service
providers by contract to implement and
maintain adequate safeguards.</DELETED>
<DELETED> ``(III) Periodically
assessing service providers based on
the risk they present and the continued
adequacy of their safeguards.</DELETED>
<DELETED> ``(D) Updates.--A ticket issuer that owns
or operates an Internet website or online service that
facilitates or executes the sale of event tickets shall
regularly evaluate and make adjustments to the
safeguards described in subparagraph (A) in light of
any material changes in technology, internal or
external threats to system security, confidentiality,
integrity, and availability, and the changing business
arrangements or operations of the ticket
issuer.</DELETED>
<DELETED> ``(3) Requirement to report incidents of
circumvention; consumer complaints.--</DELETED>
<DELETED> ``(A) In general.--A ticket issuer that
owns or operates an Internet website or online service
that facilitates or executes the sale of event tickets
shall report to the Commission any incidents of
circumvention of which the ticket issuer has actual
knowledge.</DELETED>
<DELETED> ``(B) Consumer complaint website.--Not
later than 180 days after the date of enactment of the
Mitigating Automated Internet Networks for Event
Ticketing Act, the Commission shall create a publicly
available website (or modify an existing publicly
available website of the Commission) to allow
individuals to report violations of this subsection to
the Commission.</DELETED>
<DELETED> ``(C) Reporting timeline and process.--
</DELETED>
<DELETED> ``(i) Timeline.--A ticket issuer
shall report known incidents of circumvention
within a reasonable period of time after the
incident of circumvention is discovered by the
ticket issuer, and in no case later than 30
days after an incident of circumvention is
discovered by the ticket issuer.</DELETED>
<DELETED> ``(ii) Automated submission.--The
Commission may establish a reporting mechanism
to provide for the automatic submission of
reports required under this
subsection.</DELETED>
<DELETED> ``(iii) Coordination with state
attorneys general.--The Commission shall--
</DELETED>
<DELETED> ``(I) share reports
received from ticket issuers under
subparagraph (A) with State attorneys
general as appropriate; and</DELETED>
<DELETED> ``(II) share consumer
complaints submitted through the
website established under subparagraph
(B) with State attorneys general as
appropriate.</DELETED>
<DELETED> ``(4) Duty to address causes of circumvention.--A
ticket issuer that owns or operates an Internet website or
online service that facilitates or executes the sale of event
tickets must take reasonable steps to improve its access
control systems, security measures, and other technological
controls or measures to address any incidents of circumvention
of which the ticket issuer has actual knowledge.</DELETED>
<DELETED> ``(5) FTC guidance.--Not later than 1 year after
the date of enactment of the Mitigating Automated Internet
Networks for Event Ticketing Act, the Commission shall publish
guidance for ticket issuers on compliance with the requirements
of this subsection.'';</DELETED>
<DELETED> (4) in subsection (c), as redesignated by
paragraph (1) of this subsection--</DELETED>
<DELETED> (A) by striking ``subsection (a)'' each
place it appears and inserting ``subsection (a) or
(b)'';</DELETED>
<DELETED> (B) in paragraph (2)--</DELETED>
<DELETED> (i) in subparagraph (A), by
striking ``The Commission'' and inserting
``Except as provided in paragraph (3), the
Commission''; and</DELETED>
<DELETED> (ii) in subparagraph (B), by
striking ``Any person'' and inserting ``Subject
to paragraph (3), any person''; and</DELETED>
<DELETED> (C) by adding at the end the following new
paragraphs:</DELETED>
<DELETED> ``(3) Civil action.--</DELETED>
<DELETED> ``(A) In general.--If the Commission has
reason to believe that any person has committed a
violation of subsection (a) or (b), the Commission may
bring a civil action in an appropriate district court
of the United States to--</DELETED>
<DELETED> ``(i) recover a civil penalty
under paragraph (4); and</DELETED>
<DELETED> ``(ii) seek other appropriate
relief, including injunctive relief and other
equitable relief.</DELETED>
<DELETED> ``(B) Litigation authority.--Except as
otherwise provided in section 16(a)(3) of the Federal
Trade Commission Act (15 U.S.C. 56(a)(3)), the
Commission shall have exclusive authority to commence
or defend, and supervise the litigation of, any civil
action authorized under this paragraph and any appeal
of such action in its own name by any of its attorneys
designated by it for such purpose, unless the
Commission authorizes the Attorney General to do so.
The Commission shall inform the Attorney General of the
exercise of such authority and such exercise shall not
preclude the Attorney General from intervening on
behalf of the United States in such action and any
appeal of such action as may be otherwise provided by
law.</DELETED>
<DELETED> ``(C) Rule of construction.--Any civil
penalty or relief sought through a civil action under
this paragraph shall be in addition to other penalties
and relief as may be prescribed by law.</DELETED>
<DELETED> ``(4) Civil penalties.--</DELETED>
<DELETED> ``(A) In general.--Any person who violates
subsection (a) or (b) shall be liable for--</DELETED>
<DELETED> ``(i) a civil penalty of not less
than $10,000 for each day during which the
violation occurs or continues to occur;
and</DELETED>
<DELETED> ``(ii) an additional civil penalty
of not less than $1,000 per
violation.</DELETED>
<DELETED> ``(B) Enhanced civil penalty for
intentional violations.--In addition to the civil
penalties under subparagraph (A), a person that
intentionally violates subsection (a) or (b) shall be
liable for a civil penalty of not less than $10,000 per
violation.'';</DELETED>
<DELETED> (5) in subsection (d), as redesignated by
paragraph (1) of this subsection, by striking ``subsection
(a)'' each place it appears and inserting ``subsection (a) or
(b)''; and</DELETED>
<DELETED> (6) by adding at the end the following new
subsections:</DELETED>
<DELETED> ``(e) Law Enforcement Coordination.--</DELETED>
<DELETED> ``(1) In general.--The Federal Bureau of
Investigation, the Department of Justice, and other relevant
State or local law enforcement officials shall coordinate as
appropriate with the Commission to share information about
known instances of cyberattacks on security measures, access
control systems, or other technological controls or measures on
an Internet website or online service that are used by ticket
issuers to enforce posted event ticket purchasing limits or to
maintain the integrity of posted online ticket purchasing order
rules. Such coordination may include providing information
about ongoing investigations but may exclude classified
information or information that could compromise a law
enforcement or national security effort, as
appropriate.</DELETED>
<DELETED> ``(2) Cyberattack defined.--In this paragraph, the
term `cyberattack' means an attack, via cyberspace, targeting
an enterprise's use of cyberspace for the purpose of--
</DELETED>
<DELETED> ``(A) disrupting, disabling, destroying,
or maliciously controlling a computing environment or
computing infrastructure; or</DELETED>
<DELETED> ``(B) destroying the integrity of data or
stealing controlled information.</DELETED>
<DELETED> ``(f) Congressional Report.--Not later than 1 year after
the date of enactment of this paragraph, the Commission shall report to
Committee on Commerce, Science, and Transportation of the Senate and
the Committee on Energy and Commerce of the House of Representatives on
the status of enforcement actions taken pursuant to this Act, as well
as any identified limitations to the Commission's ability to pursue
incidents of circumvention described in subsection
(a)(1)(A).''.</DELETED>
<DELETED> (b) Additional Definition.--Section 3 of the Better Online
Ticket Sales Act of 2016 (15 U.S.C. 45c note) is amended by adding at
the end the following new paragraph:</DELETED>
<DELETED> ``(4) Circumvention.--The term `circumvention'
means the act of avoiding, bypassing, removing, deactivating,
or otherwise impairing an access control system, security
measure, safeguard, or other technological control or measure
described in section 2(b)(1).''.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Mitigating Automated Internet
Networks for Event Ticketing Act'' or the ``MAIN Event Ticketing Act''.
SEC. 2. STRENGTHENING THE BOTS ACT.
(a) In General.--Section 2 of the Better Online Ticket Sales Act of
2016 (15 U.S.C. 45c) is amended--
(1) in subsection (a)(1)--
(A) in subparagraph (A)--
(i) by inserting ``online'' before ``ticket
issuer''; and
(ii) by striking ``; or'' and inserting a
semicolon;
(B) in subparagraph (B), by striking the period at
the end and inserting ``; or''; and
(C) by adding at the end the following new
subparagraph:
``(C) to use or cause to be used an application,
including a software application, that performs
automated tasks to purchase event tickets from an
Internet website or online service used by an online
ticket issuer through the circumvention of an access
control system, security measure, or other
technological control or measure used by such Internet
website or online service to enforce posted online
ticket purchasing order rules of the Internet website
or online service.'';
(2) by redesignating subsections (b) and (c) as subsections
(c) and (d), respectively;
(3) by inserting after subsection (a) the following new
subsection:
``(b) Requiring Online Ticket Issuers to Enforce Site Policies.--
``(1) Requirement to enforce and update site policies.--
Each online ticket issuer shall--
``(A) establish, implement, and maintain an access
control system, security measure, or other
technological control or measure to enforce posted
event ticket purchasing limits and to maintain the
integrity of posted online ticket purchasing order
rules; and
``(B) regularly evaluate and make adjustments, as
necessary, to such an access control system, security
measure, or other technological control or measure in
light of any material changes in technology, internal
or external threats to system security, and the
changing business arrangements or operations of the
ticket issuer.
``(2) Requirement to report incidents of circumvention;
consumer complaints.--
``(A) In general.--Each online ticket issuer shall
report to the Commission any incidents of circumvention
of which the ticket issuer has actual knowledge not
later than 30 days after the incident of circumvention
is discovered by the online ticket issuer.
``(B) Electronic submission.--The Commission may
establish a reporting mechanism to provide for the
electronic submission of reports required by
subparagraph (A).
``(C) Coordination with state attorneys general.--
The Commission shall share with State attorneys
general, as appropriate--
``(i) any report received from online
ticket issuers under subparagraph (A); and
``(ii) consumer complaints related to any
violation of this subsection that are submitted
through the Commission's website.
``(3) Requirement to address known causes of
circumvention.--Each online ticket issuer shall take reasonable
steps to improve its access control systems, security measures,
and other technological controls or measures to address any
known or reasonably foreseeable risks connected to incidents of
circumvention.
``(4) Commission guidance.--Not later than 1 year after the
date of enactment of the Mitigating Automated Internet Networks
for Event Ticketing Act, the Commission shall publish guidance
for online ticket issuers regarding compliance with the
requirements of this subsection.'';
(4) in subsection (c), as redesignated by paragraph (2) of
this subsection--
(A) by striking ``subsection (a)'' each place it
appears and inserting ``subsection (a) or (b)''; and
(B) by adding at the end the following new
paragraph:
``(3) Limitation on commission guidance.--
``(A) In general.--No guidance issued by the
Commission with respect to this Act shall confer any
rights on any person, State, or locality, nor shall
operate to bind the Commission or any person to the
approach recommended in such guidance.
``(B) Specific allegations.--In any enforcement
action brought pursuant to this Act, the Commission--
``(i) shall allege a specific violation of
a provision of this Act; and
``(ii) may not base an enforcement action
on, or execute a consent order based on,
practices that are alleged to be inconsistent
with any such guidance, unless the practices
allegedly violate this Act.'';
(5) in subsection (d), as redesignated by paragraph (2) of
this subsection, by striking ``subsection (a)'' each place it
appears and inserting ``subsection (a) or (b)''; and
(6) by adding at the end the following new subsections:
``(e) Law Enforcement Coordination.--
``(1) In general.--The Federal Bureau of Investigation, the
Attorney General, and other relevant State or local law
enforcement officials shall coordinate as appropriate with the
Commission to share information about any known instance of a
cyberattack on a security measure, access control system, or
other technological control or measure on an Internet website
or online service that is used by an online ticket issuer to
enforce posted event ticket purchasing limits or to maintain
the integrity of posted online ticket purchasing order rules.
Such coordination may include providing information about
ongoing investigations, but may exclude classified information
or information that could compromise a law enforcement or
national security effort, as appropriate.
``(2) Cyberattack defined.--In this paragraph, the term
`cyberattack' means an attack, via cyberspace, targeting an
enterprise's use of cyberspace for the purpose of--
``(A) disrupting, disabling, destroying, or
maliciously controlling a computing environment or
computing infrastructure; or
``(B) destroying the integrity of data or stealing
controlled information.
``(f) Congressional Report.--Not later than 1 year after the date
of enactment of this paragraph, the Commission shall report to
Committee on Commerce, Science, and Transportation of the Senate and
the Committee on Energy and Commerce of the House of Representatives on
the status of any enforcement action taken pursuant to this Act, as
well as any identified limitations to the Commission's ability to
pursue incidents of circumvention described in subsection (a)(1)(A).''.
(b) Additional Definitions.--Section 3 of the Better Online Ticket
Sales Act of 2016 (15 U.S.C. 45c note) is amended by adding at the end
the following new paragraphs:
``(4) Circumvention.--The term `circumvention' means the
act of avoiding, bypassing, removing, deactivating, or
otherwise impairing an access control system, security measure,
safeguard, or other technological control or measure described
in section 2.
``(5) Online ticket issuer.--The term `online ticket
issuer' means a ticket issuer that owns or operates an Internet
website or online service that, in the regular course of trade
or business of the issuer, facilitates or executes the sale of
event tickets to the general public.''.
Calendar No. 144
119th CONGRESS
1st Session
S. 196
[Report No. 119-57]
_______________________________________________________________________
A BILL
To improve online ticket sales and protect consumers, and for other
purposes.
_______________________________________________________________________
September 2, 2025
Reported with an amendment