[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 1815 Introduced in Senate (IS)]

115th CONGRESS
  1st Session
                                S. 1815

To require data brokers to establish procedures to ensure the accuracy 
       of collected personal information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 14, 2017

 Mr. Markey (for himself, Mr. Blumenthal, Mr. Whitehouse, Mr. Franken, 
 and Mr. Sanders) introduced the following bill; which was read twice 
 and referred to the Committee on Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
To require data brokers to establish procedures to ensure the accuracy 
       of collected personal information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Data Broker Accountability and 
Transparency Act of 2017''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (2) Covered data broker.--
                    (A) In general.--The term ``covered data broker'' 
                includes all data brokers except those data brokers 
                excepted under subparagraph (B).
                    (B) Exceptions.--The Commission may except a data 
                broker if the Commission considers, by rule, a data 
                broker outside the scope of this Act, such as a data 
                broker who processes information collected by or on 
                behalf of and received from or on behalf of a 
                nonaffiliated third party concerning an individual who 
                is a customer or an employee of that third party to 
                enable that third party, directly or through parties 
                acting on its behalf, to provide benefits for its 
                employees or directly transact business with its 
                customers.
            (3) Data broker.--The term ``data broker'' means a 
        commercial entity that collects, assembles, or maintains 
        personal information concerning an individual who is not a 
        customer or an employee of that entity in order to sell the 
        information or provide third-party access to the information.
            (4) Non-public information.--The term ``non-public 
        information'' means information about an individual that is--
                    (A) of a private nature;
                    (B) not available to the general public; and
                    (C) not obtained from a public record.
            (5) Public record information.--The term ``public record 
        information'' means information about an individual that has 
        been obtained originally from records of a Federal, State, or 
        local government entity that are available for public 
        inspection.

SEC. 3. PROHIBITION ON OBTAINING OR SOLICITATION TO OBTAIN PERSONAL 
              INFORMATION BY FALSE PRETENSES.

    (a) In General.--A covered data broker may not obtain or attempt to 
obtain, or cause to be disclosed or attempt to cause to be disclosed to 
any person, personal information or any other information relating to 
any person by making a false, fictitious, or fraudulent statement or 
representation to any person, including by providing any document to 
any person, that the covered data broker knows or should know--
            (1) to be forged, counterfeit, lost, stolen, or 
        fraudulently obtained; or
            (2) contains a false, fictitious, or fraudulent statement 
        or representation.
    (b) Solicitation.--A covered data broker may not request a person 
to obtain personal information, or any other information, relating to 
any other person if the covered data broker knows or should know that 
the person to whom the request is made will obtain or attempt to obtain 
that information in the manner described in subsection (a).

SEC. 4. REQUIREMENTS CONCERNING ACCURACY OF AND ACCESS TO PERSONAL 
              INFORMATION.

    (a) Accuracy.--
            (1) In general.--Except as provided in paragraph (2), a 
        covered data broker shall establish procedures to ensure, to 
        the maximum extent practicable, the accuracy of--
                    (A) the personal information it collects, 
                assembles, or maintains; and
                    (B) any other information it collects, assembles, 
                or maintains that specifically identifies an 
                individual, unless the information only identifies an 
                individual's name or address.
            (2) Exception.--A covered data broker may collect or 
        maintain information that may be inaccurate with respect to a 
        particular individual if that information is being collected or 
        maintained solely for the purpose of--
                    (A) indicating whether there may be a discrepancy 
                or irregularity in the personal information that is 
                associated with an individual;
                    (B) helping to identify, or to authenticate the 
                identity of, an individual; or
                    (C) helping to protect against or investigate fraud 
                or other unlawful conduct.
    (b) Consumer Access.--
            (1) In general.--Subject to paragraph (4), a covered data 
        broker shall provide an individual a means to review any 
        personal information or other information that specifically 
        identifies that individual, that the covered data broker 
        collects, assembles, or maintains on that individual.
            (2) Review requirements.--The means for review under 
        paragraph (1) shall be provided--
                    (A) at an individual's request;
                    (B) after verifying the identity of the individual;
                    (C) at least 1 time per year;
                    (D) at no cost to the individual; and
                    (E) in a format that can be readily understood by a 
                consumer, as determined by the Commission.
            (3) Period of review.--A covered data broker shall provide 
        an individual the means required under paragraph (1) within 
        such period after receiving a request from such individual as 
        the Commission shall determine, by rule, is appropriate.
            (4) Exceptions.--The Commission may, by rule, establish 
        such exceptions to paragraph (1) as the Commission considers 
        appropriate, such as for child protection, law enforcement, 
        fraud prevention, or other government purposes.
            (5) Limitation on use of verifying information.--If a 
        covered data broker collects information from an individual to 
        verify the identity of the individual under paragraph (2)(B) 
        that the data broker did not have before such collection, the 
        data broker may not use such information for any purpose other 
        than for purposes of verifying the identity of the individual 
        under such paragraph.
    (c) Disputed Information.--
            (1) In general.--An individual whose personal information 
        is maintained by a covered data broker may dispute the accuracy 
        of any information described under subsection (b)(1) by 
        requesting, in writing, that the covered data broker correct 
        the information.
            (2) Correction requirements.--A covered data broker, after 
        verifying the identity of an individual making a request under 
        paragraph (1) to correct information, and unless there are 
        reasonable grounds to believe the request is frivolous or 
        irrelevant, shall--
                    (A) with regard to public record information--
                            (i) inform the individual of the source of 
                        the information and, if reasonably available, 
                        where to direct the individual's request for 
                        correction; or
                            (ii) if the individual provides proof that 
                        the public record has been corrected or that 
                        the covered data broker was reporting the 
                        information incorrectly, correct the inaccuracy 
                        in the covered data broker's records; and
                    (B) with regard to non-public information--
                            (i) note the information that is disputed, 
                        including the individual's written request;
                            (ii) if the information can be 
                        independently verified, use the procedures 
                        established under subsection (a) to 
                        independently verify the information; and
                            (iii) if the covered data broker was 
                        reporting the information incorrectly, correct 
                        the inaccuracy in the covered data broker's 
                        records.
            (3) Period of correction.--In a case in which a covered 
        data broker is subject to a requirement under paragraph (2) due 
        to a request made by an individual under paragraph (1), such 
        covered data broker shall take such action as may be required 
        to satisfy such requirement within such period as the 
        Commission shall determine, by rule, is appropriate.
    (d) Notice.--
            (1) In general.--A covered data broker shall maintain an 
        Internet website and place a clear and conspicuous notice on 
        that Internet website instructing an individual how--
                    (A) to review information under subsection (b)(1); 
                and
                    (B) to express a preference under subsection 
                (e)(2).
            (2) Form.--A covered data broker shall ensure that the 
        notice the covered data broker places under paragraph (1) 
        conforms to such model form as the Commission shall promulgate 
        for purposes of this subsection.
    (e) Certain Marketing Information.--
            (1) In general.--A covered data broker may not use, share, 
        or sell any information for marketing purposes that is subject 
        to an expressed preference under paragraph (2).
            (2) Expression of preferences.--A covered data broker that 
        maintains any information described under subsection (a) and 
        that uses, shares, or sells that information for marketing 
        purposes shall provide each individual whose information the 
        covered data broker maintains with a reasonable means of 
        expressing a preference not to have that individual's 
        information used for those purposes.
    (f) Auditing.--
            (1) In general.--Subject to paragraph (2), each covered 
        data broker shall establish measures that facilitate the 
        auditing or retracing of any internal or external access to, or 
        transmission of, any data containing personal information 
        collected, assembled, or maintained by the covered data broker.
            (2) Exceptions.--The Commission may establish, by rule, 
        such exceptions to paragraph (1) as the Commission considers 
        appropriate to further or protect law enforcement or national 
        security activities.
    (g) Security.--
            (1) In general.--Each covered data broker shall develop and 
        implement a comprehensive consumer privacy and data security 
        program to protect against harm that may be caused by--
                    (A) loss of personal information collected, 
                assembled, or maintained by the covered data broker; or
                    (B) unauthorized access, destruction, use, 
                modification, or disclosure of such personal 
                information.
            (2) Notice.--Whenever a covered data broker determines that 
        personal information of an individual that is collected, 
        assembled, or maintained by the covered data broker has been 
        lost or the subject of an unauthorized access, destruction, 
        use, modification, or disclosure, the covered data broker shall 
        notify such individual of such loss, access, destruction, use, 
        modification, or disclosure.
    (h) Persons Regulated by the Fair Credit Reporting Act.--A covered 
data broker shall be considered to be in compliance with subsections 
(a) through (f) of this section with respect to information that is 
subject to the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) if 
the covered data broker is in compliance with sections 609, 610, and 
611 of that Act (15 U.S.C. 1681g, 1681h, 1681i).

SEC. 5. REGULATIONS.

    (a) In General.--Not later than 1 year after the date of the 
enactment of this Act, the Commission shall promulgate regulations 
under section 553 of title 5, United States Code, to carry out this 
Act.
    (b) Elements.--The regulations promulgated under subsection (a) 
shall include the following:
            (1) Such exceptions the Commission considers appropriate to 
        promulgate under section 2(2)(B).
            (2) The period of review required under section 4(b)(3).
            (3) Such exceptions as the Commission considers appropriate 
        to promulgate under section 4(b)(4).
            (4) The period of correction required under section 
        4(c)(3).
            (5) The model form required by section 4(d)(2).
            (6) Requirements for auditing under paragraph (1) of 
        section 4(f) and such exceptions under paragraph (2) of such 
        section as the Commission considers appropriate.
            (7) Establishment of a centralized Internet website for the 
        benefit of consumers that--
                    (A) lists the covered data brokers that are subject 
                to a requirement of section 4; and
                    (B) provides information to consumers about their 
                rights under this Act.
            (8) Such other regulations as the Commission considers 
        appropriate to carry out this Act.

SEC. 6. ENFORCEMENT.

    (a) Enforcement by Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        section 3 or 4 or a regulation promulgated under this Act shall 
        be treated as a violation of a rule defining an unfair or a 
        deceptive act or practice under section 18(a)(1)(B) of the 
        Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
            (2) Powers of commission.--
                    (A) In general.--The Commission shall enforce this 
                Act in the same manner, by the same means, and with the 
                same jurisdiction, powers, and duties as though all 
                applicable terms and provisions of the Federal Trade 
                Commission Act (15 U.S.C. 41 et seq.) were incorporated 
                into and made a part of this Act.
                    (B) Privileges and immunities.--Any person who 
                violates a regulation prescribed under this Act shall 
                be subject to the penalties and entitled to the 
                privileges and immunities provided in the Federal Trade 
                Commission Act (15 U.S.C. 41 et seq.).
    (b) Enforcement by States.--
            (1) Civil action.--Except as provided under paragraph (5), 
        in any case in which the attorney general of a State has reason 
        to believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by any person 
        subject to a provision of section 3 or 4 or a regulation 
        promulgated under this Act in a practice that violates such 
        provision or regulation, the attorney general of the State may, 
        as parens patriae, bring a civil action on behalf of the 
        residents of the State in an appropriate district court of the 
        United States--
                    (A) to enjoin further violation of such provision 
                or regulation by such person;
                    (B) to compel compliance with such provision or 
                regulation;
                    (C) to obtain damages, restitution, or other 
                compensation on behalf of such residents;
                    (D) to obtain such other relief as the court 
                considers appropriate; or
                    (E) to obtain civil penalties in the amount 
                determined under paragraph (2).
            (2) Civil penalties.--
                    (A) Calculation.--For purposes of imposing a civil 
                penalty under paragraph (1)(E), the amount determined 
                under this paragraph is the amount calculated by 
                multiplying the number of separate violations of a rule 
                by an amount not greater than $16,000.
                    (B) Adjustment for inflation.--Beginning on the 
                date that the Consumer Price Index is first published 
                by the Bureau of Labor Statistics that is after 1 year 
                after the date of enactment of this Act, and each year 
                thereafter, the amount specified in subparagraph (A) 
                shall be increased by the percentage increase in the 
                Consumer Price Index published on that date from the 
                Consumer Price Index published the previous year.
            (3) Rights of federal trade commission.--
                    (A) Notice to federal trade commission.--
                            (i) In general.--Except as provided in 
                        clause (iii), the attorney general of a State 
                        shall notify the Commission in writing that the 
                        attorney general intends to bring a civil 
                        action under paragraph (1) before initiating 
                        the civil action.
                            (ii) Contents.--The notification required 
                        by clause (i) with respect to a civil action 
                        shall include a copy of the complaint to be 
                        filed to initiate the civil action.
                            (iii) Exception.--If it is not feasible for 
                        the attorney general of a State to provide the 
                        notification required by clause (i) before 
                        initiating a civil action under paragraph (1), 
                        the attorney general shall notify the 
                        Commission immediately upon instituting the 
                        civil action.
                    (B) Intervention by federal trade commission.--The 
                Commission may--
                            (i) intervene in any civil action brought 
                        by the attorney general of a State under 
                        paragraph (1); and
                            (ii) upon intervening--
                                    (I) be heard on all matters arising 
                                in the civil action; and
                                    (II) file petitions for appeal of a 
                                decision in the civil action.
            (4) Investigatory powers.--Nothing in this subsection may 
        be construed to prevent the attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of the State to conduct investigations, to administer 
        oaths or affirmations, or to compel the attendance of witnesses 
        or the production of documentary or other evidence.
            (5) Preemptive action by federal trade commission.--If the 
        Commission institutes a civil action or an administrative 
        action with respect to a violation of a provision of section 3 
        or 4 or a regulation promulgated under this Act, the attorney 
        general of a State may not, during the pendency of such action, 
        bring a civil action under paragraph (1) against any defendant 
        named in the complaint of the Commission for the violation with 
        respect to which the Commission instituted such action.
            (6) Actions by other state officials.--
                    (A) In general.--In addition to civil actions 
                brought by attorneys general under paragraph (1), any 
                other officer of a State who is authorized by the State 
                to do so may bring a civil action under paragraph (1), 
                subject to the same requirements and limitations that 
                apply under this subsection to civil actions brought by 
                attorneys general.
                    (B) Savings provision.--Nothing in this subsection 
                may be construed to prohibit an authorized official of 
                a State from initiating or continuing any proceeding in 
                a court of the State for a violation of any civil or 
                criminal law of the State.

SEC. 7. EFFECT ON OTHER LAWS.

    (a) Preservation of Commission Authority.--Nothing in this Act may 
be construed in any way to limit or affect the Commission's authority 
under any other provision of law.
    (b) Preservation of Other Federal Law.--Nothing in this Act may be 
construed in any way to supersede, restrict, or limit the application 
of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) or any other 
Federal law.