119 S196 RS: Mitigating Automated Internet Networks for Event Ticketing Act U.S. Senate 2025-09-02 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

Short title

This Act may be cited as the

Mitigating Automated Internet Networks for Event Ticketing Act

or the

MAIN Event Ticketing Act

Strengthening the BOTS Act

(a)

In general

Section 2 of the Better Online Ticket Sales Act of 2016 (15 U.S.C. 45c) is amended—(1)in subsection (a)(1)—(A)in subparagraph (A), by striking ; or and inserting a semicolon;(B)in subparagraph (B), by striking the period at the end and inserting ; or; and(C)by adding at the end the following new subparagraph:

(C)to use or cause to be used an application that performs automated tasks to purchase event tickets from an Internet website or online service in circumvention of posted online ticket purchasing order rules of the Internet website or online service, including a software application that circumvents an access control system, security measure, or other technological control or measure.

;

(2)by redesignating subsections (b) and (c) as subsections (c) and (d), respectively;(3)by inserting after subsection (a) the following new subsection:

(b)

Requiring online ticket issuers To put in place site policies and establish safeguards To protect site security

(1)

Requirement to enforce site policies

Each ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall ensure that such website or service has in place an access control system, security measure, or other technological control or measure to enforce posted event ticket purchasing limits.(2)

Requirement to establish site security safeguards

(A)

In general

Each ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall establish, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, integrity, or availability of the website or service. (B)

Considerations

In establishing the safeguards described in subparagraph (A), each ticket issuer described in such paragraph shall consider—(i)the administrative, technical, and physical safeguards that are appropriate to the size and complexity of the ticket issuer; (ii)the nature and scope of the activities of the ticket issuer;(iii)the sensitivity of any customer information at issue; and(iv)the range of security risks and vulnerabilities that are reasonably foreseeable or known to the ticket issuer.(C)

Third parties and service providers

(i)

In general

Where applicable, a ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall implement and maintain procedures to require that any third party or service provider that performs services with respect to the sale of event tickets or has access to data regarding event ticket purchasing on the website or service maintains reasonable administrative, technical, and physical safeguards to protect the security and integrity of the website or service and that data. (ii)

Oversight procedure requirements

The procedures implemented and maintained by a ticket issuer in accordance with clause (i) shall include the following:(I)Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue.(II)Requiring service providers by contract to implement and maintain adequate safeguards.(III)Periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. (D)

Updates

A ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall regularly evaluate and make adjustments to the safeguards described in subparagraph (A) in light of any material changes in technology, internal or external threats to system security, confidentiality, integrity, and availability, and the changing business arrangements or operations of the ticket issuer. (3)

Requirement to report incidents of circumvention; consumer complaints

(A)

In general

A ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets shall report to the Commission any incidents of circumvention of which the ticket issuer has actual knowledge.(B)

Consumer complaint website

Not later than 180 days after the date of enactment of the Mitigating Automated Internet Networks for Event Ticketing Act, the Commission shall create a publicly available website (or modify an existing publicly available website of the Commission) to allow individuals to report violations of this subsection to the Commission. (C)

Reporting timeline and process

(i)

Timeline

A ticket issuer shall report known incidents of circumvention within a reasonable period of time after the incident of circumvention is discovered by the ticket issuer, and in no case later than 30 days after an incident of circumvention is discovered by the ticket issuer.(ii)

Automated submission

The Commission may establish a reporting mechanism to provide for the automatic submission of reports required under this subsection.(iii)

Coordination with state attorneys general

The Commission shall—(I)share reports received from ticket issuers under subparagraph (A) with State attorneys general as appropriate; and(II)share consumer complaints submitted through the website established under subparagraph (B) with State attorneys general as appropriate.(4)

Duty to address causes of circumvention

A ticket issuer that owns or operates an Internet website or online service that facilitates or executes the sale of event tickets must take reasonable steps to improve its access control systems, security measures, and other technological controls or measures to address any incidents of circumvention of which the ticket issuer has actual knowledge.(5)

FTC guidance

Not later than 1 year after the date of enactment of the Mitigating Automated Internet Networks for Event Ticketing Act, the Commission shall publish guidance for ticket issuers on compliance with the requirements of this subsection.

;

(4)in subsection (c), as redesignated by paragraph (1) of this subsection—(A)by striking subsection (a) each place it appears and inserting subsection (a) or (b);(B)in paragraph (2)—(i)in subparagraph (A), by striking The Commission and inserting Except as provided in paragraph (3), the Commission; and(ii)in subparagraph (B), by striking Any person and inserting Subject to paragraph (3), any person; and(C)by adding at the end the following new paragraphs:

(3)

Civil action

(A)

In general

If the Commission has reason to believe that any person has committed a violation of subsection (a) or (b), the Commission may bring a civil action in an appropriate district court of the United States to—(i)recover a civil penalty under paragraph (4); and(ii)seek other appropriate relief, including injunctive relief and other equitable relief.(B)

Litigation authority

Except as otherwise provided in section 16(a)(3) of the Federal Trade Commission Act (15 U.S.C. 56(a)(3)), the Commission shall have exclusive authority to commence or defend, and supervise the litigation of, any civil action authorized under this paragraph and any appeal of such action in its own name by any of its attorneys designated by it for such purpose, unless the Commission authorizes the Attorney General to do so. The Commission shall inform the Attorney General of the exercise of such authority and such exercise shall not preclude the Attorney General from intervening on behalf of the United States in such action and any appeal of such action as may be otherwise provided by law.(C)

Rule of construction

Any civil penalty or relief sought through a civil action under this paragraph shall be in addition to other penalties and relief as may be prescribed by law. (4)

Civil penalties

(A)

In general

Any person who violates subsection (a) or (b) shall be liable for—(i)a civil penalty of not less than $10,000 for each day during which the violation occurs or continues to occur; and(ii)an additional civil penalty of not less than $1,000 per violation.(B)

Enhanced civil penalty for intentional violations

In addition to the civil penalties under subparagraph (A), a person that intentionally violates subsection (a) or (b) shall be liable for a civil penalty of not less than $10,000 per violation.

;

(5)in subsection (d), as redesignated by paragraph (1) of this subsection, by striking subsection (a) each place it appears and inserting subsection (a) or (b); and(6)by adding at the end the following new subsections:

(e)

Law enforcement coordination

(1)

In general

The Federal Bureau of Investigation, the Department of Justice, and other relevant State or local law enforcement officials shall coordinate as appropriate with the Commission to share information about known instances of cyberattacks on security measures, access control systems, or other technological controls or measures on an Internet website or online service that are used by ticket issuers to enforce posted event ticket purchasing limits or to maintain the integrity of posted online ticket purchasing order rules. Such coordination may include providing information about ongoing investigations but may exclude classified information or information that could compromise a law enforcement or national security effort, as appropriate.(2)

Cyberattack defined

In this paragraph, the term cyberattack means an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of— (A)disrupting, disabling, destroying, or maliciously controlling a computing environment or computing infrastructure; or(B)destroying the integrity of data or stealing controlled information.(f)

Congressional report

Not later than 1 year after the date of enactment of this paragraph, the Commission shall report to Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives on the status of enforcement actions taken pursuant to this Act, as well as any identified limitations to the Commission’s ability to pursue incidents of circumvention described in subsection (a)(1)(A).

(b)

Additional definition

Section 3 of the Better Online Ticket Sales Act of 2016 (15 U.S.C. 45c note) is amended by adding at the end the following new paragraph:

(4)

Circumvention

The term circumvention means the act of avoiding, bypassing, removing, deactivating, or otherwise impairing an access control system, security measure, safeguard, or other technological control or measure described in section 2(b)(1).

Short title

This Act may be cited as the

Mitigating Automated Internet Networks for Event Ticketing Act

or the

MAIN Event Ticketing Act

Strengthening the BOTS Act

(a)

In general

Section 2 of the Better Online Ticket Sales Act of 2016 (15 U.S.C. 45c) is amended—(1)in subsection (a)(1)—(A)in subparagraph (A)—(i)by inserting online before ticket issuer; and(ii)by striking ; or and inserting a semicolon;(B)in subparagraph (B), by striking the period at the end and inserting ; or; and(C)by adding at the end the following new subparagraph:

(C)to use or cause to be used an application, including a software application, that performs automated tasks to purchase event tickets from an Internet website or online service used by an online ticket issuer through the circumvention of an access control system, security measure, or other technological control or measure used by such Internet website or online service to enforce posted online ticket purchasing order rules of the Internet website or online service.

;

(2)by redesignating subsections (b) and (c) as subsections (c) and (d), respectively;(3)by inserting after subsection (a) the following new subsection:

(b)

Requiring online ticket issuers to enforce site policies

(1)

Requirement to enforce and update site policies

Each online ticket issuer shall—(A)establish, implement, and maintain an access control system, security measure, or other technological control or measure to enforce posted event ticket purchasing limits and to maintain the integrity of posted online ticket purchasing order rules; and(B)regularly evaluate and make adjustments, as necessary, to such an access control system, security measure, or other technological control or measure in light of any material changes in technology, internal or external threats to system security, and the changing business arrangements or operations of the ticket issuer.(2)

Requirement to report incidents of circumvention; consumer complaints

(A)

In general

Each online ticket issuer shall report to the Commission any incidents of circumvention of which the ticket issuer has actual knowledge not later than 30 days after the incident of circumvention is discovered by the online ticket issuer. (B)

Electronic submission

The Commission may establish a reporting mechanism to provide for the electronic submission of reports required by subparagraph (A).(C)

Coordination with State attorneys general

The Commission shall share with State attorneys general, as appropriate—(i)any report received from online ticket issuers under subparagraph (A); and(ii)consumer complaints related to any violation of this subsection that are submitted through the Commission’s website.(3)

Requirement to address known causes of circumvention

Each online ticket issuer shall take reasonable steps to improve its access control systems, security measures, and other technological controls or measures to address any known or reasonably foreseeable risks connected to incidents of circumvention.(4)

Commission guidance

Not later than 1 year after the date of enactment of the Mitigating Automated Internet Networks for Event Ticketing Act, the Commission shall publish guidance for online ticket issuers regarding compliance with the requirements of this subsection.

;

(4)in subsection (c), as redesignated by paragraph (2) of this subsection—(A)by striking subsection (a) each place it appears and inserting subsection (a) or (b); and(B)by adding at the end the following new paragraph:

(3)

Limitation on Commission guidance

(A)

In general

No guidance issued by the Commission with respect to this Act shall confer any rights on any person, State, or locality, nor shall operate to bind the Commission or any person to the approach recommended in such guidance. (B)

Specific allegations

In any enforcement action brought pursuant to this Act, the Commission—(i)shall allege a specific violation of a provision of this Act; and(ii)may not base an enforcement action on, or execute a consent order based on, practices that are alleged to be inconsistent with any such guidance, unless the practices allegedly violate this Act.

;

(5)in subsection (d), as redesignated by paragraph (2) of this subsection, by striking subsection (a) each place it appears and inserting subsection (a) or (b); and(6)by adding at the end the following new subsections:

(e)

Law enforcement coordination

(1)

In general

The Federal Bureau of Investigation, the Attorney General, and other relevant State or local law enforcement officials shall coordinate as appropriate with the Commission to share information about any known instance of a cyberattack on a security measure, access control system, or other technological control or measure on an Internet website or online service that is used by an online ticket issuer to enforce posted event ticket purchasing limits or to maintain the integrity of posted online ticket purchasing order rules. Such coordination may include providing information about ongoing investigations, but may exclude classified information or information that could compromise a law enforcement or national security effort, as appropriate.(2)

Cyberattack defined

In this paragraph, the term cyberattack means an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of—(A)disrupting, disabling, destroying, or maliciously controlling a computing environment or computing infrastructure; or(B)destroying the integrity of data or stealing controlled information.(f)

Congressional report

Not later than 1 year after the date of enactment of this paragraph, the Commission shall report to Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives on the status of any enforcement action taken pursuant to this Act, as well as any identified limitations to the Commission’s ability to pursue incidents of circumvention described in subsection (a)(1)(A).

(b)

Additional definitions

Section 3 of the Better Online Ticket Sales Act of 2016 (15 U.S.C. 45c note) is amended by adding at the end the following new paragraphs:

(4)

Circumvention

Online ticket issuer

The term online ticket issuer means a ticket issuer that owns or operates an Internet website or online service that, in the regular course of trade or business of the issuer, facilitates or executes the sale of event tickets to the general public.

September 2, 2025

Reported with an amendment