S.2577 - Data Broker Accountability and Transparency Act of 2019116th Congress (2019-2020) |
|Sponsor:||Sen. Markey, Edward J. [D-MA] (Introduced 09/26/2019)|
|Committees:||Senate - Commerce, Science, and Transportation|
|Latest Action:||Senate - 09/26/2019 Read twice and referred to the Committee on Commerce, Science, and Transportation. (All Actions)|
This bill has the status Introduced
Here are the steps for Status of Legislation:
- Passed Senate
- Passed House
- To President
- Became Law
Text: S.2577 — 116th Congress (2019-2020)All Information (Except Text)
There is one version of the bill.
Text available as:
Introduced in Senate (09/26/2019)
To require data brokers to establish procedures to ensure the accuracy of collected personal information, and for other purposes.
Mr. Markey (for himself, Mr. Blumenthal, and Ms. Smith) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
To require data brokers to establish procedures to ensure the accuracy of collected personal information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
This Act may be cited as the “Data Broker Accountability and Transparency Act of 2019”.
In this Act:
(1) COMMISSION.—The term “Commission” means the Federal Trade Commission.
(A) IN GENERAL.—The term “covered data broker” includes all data brokers except those data brokers excepted under subparagraph (B).
(B) EXCEPTIONS.—The Commission may except a data broker if the Commission considers, by rule, a data broker outside the scope of this Act, such as a data broker who processes information collected by or on behalf of and received from or on behalf of a nonaffiliated third party concerning an individual who is a customer or an employee of that third party to enable that third party, directly or through parties acting on its behalf, to provide benefits for its employees or directly transact business with its customers.
(3) DATA BROKER.—The term “data broker” means a commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell the information or provide third party access to the information.
(A) IN GENERAL.—The term “personal information” means information that directly or indirectly identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, a particular individual.
(i) an identifier such as a real name, alias, signature, date of birth, gender identity, sexual orientation, marital status, physical characteristic or description, postal address, telephone number, unique personal identifier, military identification number, online identifier, Internet Protocol address, email address, account name, mother’s maiden name, social security number, driver’s license number, passport number, or other similar identifier;
(ii) information such as employment, employment history, bank account number, credit card number, debit card number, insurance policy number, or any other financial information, medical information, mental health information, or health insurance information;
(iii) commercial information, including a record of personal property, income, assets, leases, rentals, products or services purchased, obtained, or considered, or other purchasing or consuming history;
(iv) biometric information, including a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry;
(v) internet or other electronic network activity information, including browsing history, search history, content, including text, photographs, audio or video recordings, or other user generated-content, non-public communications, and information regarding an individual’s interaction with an internet website, mobile application, or advertisement;
(vi) historical or real-time geolocation data;
(vii) audio, electronic, visual, thermal, olfactory, or similar information;
(viii) education records, as defined in section 99.3 of title 34, Code of Federal Regulations, or any successor regulation;
(ix) political information or information on criminal convictions or arrests;
(x) any required security code, access code, password, or username necessary to permit access to the account of an individual;
(xi) characteristics of protected classes under Federal law, including race, color, national origin, religion, sex, age, or disability; or
(xii) an inference drawn from any of the information described in this subparagraph to create a profile about an individual reflecting the individual’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.
(i) IN GENERAL.—The term “personal information” does not include publicly available information.
(ii) PUBLICLY AVAILABLE INFORMATION.—For purposes of clause (i), the term “publicly available information” means information that is lawfully made available from Federal, State, or local government records.
(5) PUBLIC RECORD INFORMATION.—The term “public record information” means information about an individual that has been obtained originally from records of a Federal, State, or local government entity that are available for public inspection.
(a) In general.—A covered data broker may not obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by making a false, fictitious, or fraudulent statement or representation to any person, including by providing any document to any person, that the covered data broker knows or should know—
(1) to be forged, counterfeit, lost, stolen, or fraudulently obtained; or
(2) contains a false, fictitious, or fraudulent statement or representation.
(b) Solicitation.—A covered data broker may not request a person to obtain personal information, or any other information, relating to any other person if the covered data broker knows or should know that the person to whom the request is made will obtain or attempt to obtain that information in the manner described in subsection (a).
(A) the personal information the broker collects, assembles, or maintains; and
(B) any other information the broker collects, assembles, or maintains that specifically identifies an individual, unless the information only identifies the name or address of an individual.
(2) EXCEPTION.—A covered data broker may collect or maintain information that may be inaccurate with respect to a particular individual if that information is being collected or maintained solely for the purpose of—
(A) indicating whether there may be a discrepancy or irregularity in the personal information that is associated with an individual;
(B) helping to identify, or to authenticate the identity of, an individual; or
(C) helping to protect against or investigate fraud or other unlawful conduct.
(1) IN GENERAL.—Subject to paragraph (4), a covered data broker shall provide an individual a means to review any personal information or other information that specifically identifies that individual, that the covered data broker collects, assembles, or maintains on that individual.
(i) the personal information being retained;
(ii) each date on which the covered entity collected the personal information;
(iii) the third parties to which the covered entity has disclosed or will disclose the personal information; and
(iv) if possible, how long the personal information will be retained or stored, or if not possible, the criteria used for determining how long the personal information will be retained or stored.
(i) at the request of an individual;
(ii) after verifying the identity of the individual;
(iii) not less than 1 time per year;
(iv) at no cost to the individual; and
(v) in a format that can be readily understood by a consumer, as determined by the Commission.
(3) PERIOD OF REVIEW.—A covered data broker shall provide an individual the means required under paragraph (1) within such period after receiving a request from the individual as the Commission shall determine, by rule, is appropriate.
(4) EXCEPTIONS.—The Commission may, by rule, establish any exceptions to paragraph (1) that the Commission considers appropriate, such as for child protection, law enforcement, fraud prevention, or other government purposes.
(5) LIMITATION ON USE OF VERIFYING INFORMATION.—If a covered data broker collects information from an individual to verify the identity of the individual under paragraph (2)(B) that the data broker did not have before that collection, the data broker may not use the information for any purpose other than for purposes of verifying the identity of the individual under that paragraph.
(1) IN GENERAL.—An individual whose personal information is maintained by a covered data broker may dispute the accuracy of any information described under subsection (b)(1) by requesting, in writing, that the covered data broker correct the information.
(2) CORRECTION REQUIREMENTS.—A covered data broker, after verifying the identity of an individual making a request under paragraph (1) to correct information, and unless there are reasonable grounds to believe the request is frivolous or irrelevant, shall—
(i) inform the individual of the source of the information and, if reasonably available, where to direct the request for correction; or
(ii) if the individual provides proof that the public record has been corrected or that the covered data broker was reporting the information incorrectly, correct the inaccuracy in the records of the covered data broker; and
(i) note the information that is disputed, including the written request of the individual;
(ii) if the information can be independently verified, use the procedures established under subsection (a) to independently verify the information; and
(iii) if the covered data broker was reporting the information incorrectly, correct the inaccuracy in the records of the covered data broker.
(3) PERIOD OF CORRECTION.—If a covered data broker is subject to a requirement under paragraph (2) due to a request made by an individual under paragraph (1), the covered data broker shall take any action that may be required to satisfy the requirement within a period determined appropriate by the Commission, by rule.
(A) to review information under subsection (b)(1); and
(B) to express a preference under subsection (e)(2).
(2) FORM.—A covered data broker shall ensure that the notice the covered data broker places under paragraph (1) conforms to a model form that the Commission shall promulgate for purposes of this subsection.
(1) IN GENERAL.—A covered data broker may not use, share, or sell any information for marketing purposes that is subject to an expressed preference under paragraph (2).
(2) EXPRESSION OF PREFERENCES.—A covered data broker that maintains any information described under subsection (a) and that uses, shares, or sells that information for marketing purposes shall provide each individual whose information the covered data broker maintains with a reasonable means of expressing a preference not to have that individual's information used for those purposes.
(1) IN GENERAL.—Subject to paragraph (2), a covered data broker shall establish measures that facilitate the auditing or retracing of any internal or external access to, or transmission of, any data containing personal information collected, assembled, or maintained by the covered data broker.
(2) EXCEPTIONS.—The Commission may establish, by rule, any exceptions to paragraph (1) that the Commission considers appropriate to further or protect law enforcement or national security activities.
(A) loss of personal information collected, assembled, or maintained by the covered data broker; or
(B) unauthorized access, destruction, use, modification, or disclosure of personal information described in subparagraph (A).
(2) NOTICE.—If a covered data broker determines that personal information of an individual that is collected, assembled, or maintained by the covered data broker has been lost or the subject of unauthorized access, destruction, use, modification, or disclosure, the covered data broker shall notify the individual of the loss, access, destruction, use, modification, or disclosure.
(h) Persons regulated by the Fair Credit Reporting Act.—A covered data broker shall be considered to be in compliance with subsections (a) through (f) of this section with respect to information that is subject to the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) if the covered data broker is in compliance with sections 609, 610, and 611 of that Act (15 U.S.C. 1681g, 1681h, 1681i).
(1) selling, leasing, trading, or otherwise profiting from an individual’s biometric information;
(A) the dissemination is required by State or Federal law or municipal ordinance; or
(B) the dissemination is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction;
(3) processing personal information for the purpose of advertising, marketing, soliciting, offering, selling, leasing, licensing, renting, or otherwise commercially contracting for employment, finance, healthcare, credit, insurance, housing, or education opportunities, in a manner that discriminates against or otherwise makes the opportunity unavailable on the basis of a person's or class of persons’ actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, biometric information, lawful source of income, or disability; or
(4) processing personal information in a manner that segregates, discriminates in, or otherwise makes unavailable the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation on the basis of a person's or class of persons’ actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, or disability.
(1) any entity considered a place of public accommodation under section 201(b) of the Civil Rights Act of 1964 (42 U.S.C. 2000a(b)) or section 301 of the Americans with Disabilities Act of 1990 (42 U.S.C. 12181); and
(2) any entity that offers goods or services through the internet to the general public.
(a) In general.—Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to carry out this Act.
(1) Any exceptions the Commission considers appropriate to promulgate under section 2(2)(B).
(2) The period of review required under section 4(b)(3).
(3) Any exceptions the Commission considers appropriate to promulgate under section 4(b)(4).
(4) The period of correction required under section 4(c)(3).
(5) The model form required by section 4(d)(2).
(6) Requirements for auditing under paragraph (1) of section 4(f) and any exceptions under paragraph (2) of that section that the Commission considers appropriate.
(A) lists the covered data brokers that are subject to a requirement of section 4; and
(B) provides information to consumers about their rights under this Act.
(8) Any other regulations that the Commission considers appropriate to carry out this Act.
(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—A violation of section 3, 4, or 5 or a regulation promulgated under this Act shall be treated as a violation of a rule defining an unfair or a deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(A) IN GENERAL.—The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
(B) PRIVILEGES AND IMMUNITIES.—Any person who violates a regulation prescribed under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
(1) CIVIL ACTION.—Except as provided under paragraph (5), in any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person subject to a provision of section 3, 4, or 5 or a regulation promulgated under this Act in a practice that violates that provision or regulation, the attorney general of the State may, as parens patriae, bring a civil action on behalf of the residents of the State in an appropriate district court of the United States—
(A) to enjoin further violation of that provision or regulation by the person;
(B) to compel compliance with that provision or regulation;
(C) to obtain damages, restitution, or other compensation on behalf of the residents;
(D) to obtain any other relief that the court considers appropriate; or
(E) to obtain civil penalties in the amount determined under paragraph (2).
(A) CALCULATION.—For purposes of imposing a civil penalty under paragraph (1)(E), the amount determined under this paragraph is the amount calculated by multiplying the number of separate violations of a rule by an amount not greater than $16,000.
(B) ADJUSTMENT FOR INFLATION.—Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after 1 year after the date of enactment of this Act, and each year thereafter, the amount specified in subparagraph (A) shall be increased by the percentage increase in the Consumer Price Index published on that date from the Consumer Price Index published the previous year.
(i) IN GENERAL.—Except as provided in clause (iii), the attorney general of a State shall notify the Commission in writing that the attorney general intends to bring a civil action under paragraph (1) before initiating the civil action.
(ii) CONTENTS.—The notification required by clause (i) with respect to a civil action shall include a copy of the complaint to be filed to initiate the civil action.
(iii) EXCEPTION.—If it is not feasible for the attorney general of a State to provide the notification required by clause (i) before initiating a civil action under paragraph (1), the attorney general shall notify the Commission immediately upon instituting the civil action.
(i) intervene in any civil action brought by the attorney general of a State under paragraph (1); and
(I) be heard on all matters arising in the civil action; and
(II) file petitions for appeal of a decision in the civil action.
(4) INVESTIGATORY POWERS.—Nothing in this subsection may be construed to prevent the attorney general of a State from exercising the powers conferred on the attorney general by the laws of the State to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.
(5) PREEMPTIVE ACTION BY FEDERAL TRADE COMMISSION.—If the Commission institutes a civil action or an administrative action with respect to a violation of a provision of section 3, 4, or 5 or a regulation promulgated under this Act, the attorney general of a State may not, during the pendency of the action, bring a civil action under paragraph (1) against any defendant named in the complaint of the Commission for the violation with respect to which the Commission instituted the action.
(A) IN GENERAL.—In addition to civil actions brought by attorneys general under paragraph (1), any other officer of a State who is authorized by the State to do so may bring a civil action under paragraph (1), subject to the same requirements and limitations that apply under this subsection to civil actions brought by attorneys general.
(B) SAVINGS PROVISION.—Nothing in this subsection may be construed to prohibit an authorized official of a State from initiating or continuing any proceeding in a court of the State for a violation of any civil or criminal law of the State.
(a) Preservation of Commission authority.—Nothing in this Act may be construed in any way to limit or affect the authority of the Commission under any other provision of law.
(b) Preservation of other Federal law.—Nothing in this Act may be construed in any way to supersede, restrict, or limit the application of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) or any other Federal law.