[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 1951 Introduced in Senate (IS)]

116th CONGRESS
  1st Session
                                S. 1951

    To require the Securities and Exchange Commission to promulgate 
regulations relating to the disclosure of certain commercial data, and 
                          for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 25, 2019

Mr. Warner (for himself and Mr. Hawley) introduced the following bill; 
which was read twice and referred to the Committee on Banking, Housing, 
                           and Urban Affairs

_______________________________________________________________________

                                 A BILL


 
    To require the Securities and Exchange Commission to promulgate 
regulations relating to the disclosure of certain commercial data, and 
                          for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Designing Accounting Safeguards To 
Help Broaden Oversight and Regulations on Data''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Commercial data operator.--The term ``commercial data 
        operator'' means an entity acting in its capacity as a consumer 
        online services provider or data broker that--
                    (A) generates a material amount of revenue from the 
                use, collection, processing, sale, or sharing of the 
                user data; and
                    (B) has more than 100,000,000 unique monthly 
                visitors or users in the United States for a majority 
                of months during the previous 1-year period.
            (2) Commission.--The term ``Commission'' means the 
        Securities and Exchange Commission.
            (3) Issuer.--The term ``issuer'' has the meaning given the 
        term in section 3(a) of the Securities and Exchange Act of 1934 
        (15 U.S.C. 78c(a)).
            (4) User.--The term ``user'' means an individual consumer 
        who uses an online service designed for consumer use by a 
        commercial data operator.
            (5) User data.--The term ``user data'' means any 
        information that identifies, relates to, describes, is capable 
        of being associated with, or could reasonably be linked with an 
        individual user, whether directly submitted to the commercial 
        data operator by the user or derived from the observed activity 
        of the user by the commercial data operator.

SEC. 3. COMMERCIAL DATA OPERATORS.

    (a) Requirements.--
            (1) In general.--A commercial data operator shall--
                    (A) on a routine basis, and not less frequently 
                than once every 90 days--
                            (i) provide each user of the commercial 
                        data operator with an assessment of the 
                        economic value that the commercial data 
                        operator places on the data of that user; and
                            (ii) in a clear and conspicuous manner, in 
                        accordance with paragraph (3), identify to each 
                        user of the commercial data operator--
                                    (I) the types of data collected 
                                from users of the commercial data 
                                operator, whether by the commercial 
                                data operator or another person 
                                pursuant to an agreement with the 
                                commercial data operator; and
                                    (II) the ways that the data of a 
                                user of the commercial data operator is 
                                used if the use is not directly or 
                                exclusively related to the online 
                                service that the commercial data 
                                operator provides to the user; and
                    (B) except as provided in paragraph (2), provide a 
                user of the commercial data operator with the ability 
                to delete all data, in the aggregate and for an 
                individual field, that the commercial data operator 
                possesses, or maintains control or access to with 
                respect to the user, through--
                            (i) a single setting; or
                            (ii) another clear and conspicuous 
                        mechanism by which the user may make such a 
                        deletion.
            (2) Deletion exceptions.--
                    (A) In general.--A commercial data operator shall 
                comply with a user directive to delete, in whole or in 
                part, the data of the user except--
                            (i) in cases where there is a legal 
                        obligation of the commercial data operator to 
                        maintain the data;
                            (ii) for the establishment, exercise, or 
                        defense of legal claims; or
                            (iii) if the data is necessary to detect 
                        security incidents, protect against malicious, 
                        deceptive, fraudulent, or illegal activity, or 
                        assist in the prosecution of those responsible 
                        for such activity.
                    (B) Retention.--A commercial data operator may not 
                retain any more user data than is necessary to carry 
                out an activity described in clauses (i) through (iii) 
                of subparagraph (A).
            (3) Availability.--A commercial data operator shall ensure 
        that all disclosures required under subsection (a) are 
        available to a user of the commercial data operator--
                    (A) on and after the date on which the commercial 
                data operator makes the identification; and
                    (B) through any normal mechanism by which a user 
                may interact with the online service provided by the 
                commercial data operator.
            (4) Unfair and deceptive acts or practices.--
                    (A) Unfair or deceptive acts or practices.--A 
                violation of this subsection shall be treated as a 
                violation of a rule defining an unfair or deceptive act 
                or practice prescribed under section 18(a)(1)(B) of the 
                Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
                    (B) Powers of federal trade commission.--
                            (i) In general.--The Federal Trade 
                        Commission shall enforce this subsection in the 
                        same manner, by the same means, and with the 
                        same jurisdiction, powers, and duties as though 
                        all applicable terms and provisions of the 
                        Federal Trade Commission Act (15 U.S.C. 41 et 
                        seq.) were incorporated into and made a part of 
                        this subsection.
                            (ii) Privileges and immunities.--Any person 
                        who violates this subsection shall be subject 
                        to the penalties and entitled to the privileges 
                        and immunities provided in the Federal Trade 
                        Commission Act (15 U.S.C. 41 et seq.).
    (b) Regulations.--Not later than 1 year after the date of enactment 
of this Act, the Federal Trade Commission shall promulgate regulations 
carrying out subsection (a).

SEC. 4. SEC DISCLOSURES.

    (a) In General.--Section 13 of the Securities Exchange Act of 1934 
(15 U.S.C. 78m) is amended by adding at the end the following:
    ``(s) Disclosure Relating to Aggregate Value of User Data Held by 
Commercial Data Operators.--
            ``(1) Definitions.--In this subsection:
                    ``(A) Commercial data operator.--The term 
                `commercial data operator' means an entity acting in 
                its capacity as a consumer online services provider or 
                data broker that--
                            ``(i) generates a material amount of 
                        revenue directly from the use, collection, 
                        processing, sale, or sharing of the user data; 
                        and
                            ``(ii) has more than 100,000,000 unique 
                        monthly visitors or users in the United States 
                        for a majority of months during the previous 
                        1-year period;
                    ``(B) User.--The term `user' means an individual 
                consumer who uses an online service designed for 
                consumer use by a commercial data operator.
                    ``(C) User data.--The term `user data' means any 
                information that identifies, relates to, describes, is 
                capable of being associated with, or could reasonably 
                be linked with an individual user, whether directly 
                submitted to the commercial data operator by the user 
                or derived from the observed activity of the user by 
                the commercial data operator.
            ``(2) Disclosure.--Each issuer that is, or is a 
        consolidated subsidiary of, a commercial data operator and is 
        required to file an annual or quarterly report under subsection 
        (a) shall disclose in that report the aggregate value, if 
        material, of--
                    ``(A) user data that the commercial data operator 
                holds;
                    ``(B) contracts with third parties for the 
                collection of user data through the online service 
                provided by the commercial data operator; and
                    ``(C) any other item that the Commission 
                determines, by rule, is necessary or useful for the 
                protection of investors and in the public interest.
            ``(3) Valuation methodology.--
                    ``(A) In general.--The Commission, in consultation 
                with appropriate standards settings organizations, 
                shall develop a method or methods for calculating the 
                value of user data required to be disclosed under 
                paragraph (2).
                    ``(B) Considerations.--In developing the method 
                under subparagraph (A), the Commission shall promote 
                comparability in calculating the value of data across 
                commercial data operators that utilize user data in a 
                similar manner while taking into account the potential 
                need to develop distinct methods for calculating the 
                value of data for different uses, sectors, and business 
                models.''.
    (b) Qualitative Disclosure.--Not later than 1 year after the date 
of enactment of this subsection, the Commission shall amend section 
229.306 of title 17, Code of Federal Regulations, to require a 
commercial data operator that is an issuer subject to section 13 or 
15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)) to 
provide quantitative and qualitative disclosures about the value of 
user data held, including--
            (1) technical and legal measures in place to protect user 
        data held by the commercial data operator;
            (2) an assessment of financial and legal risks associated 
        with storing the type and quantity of user data held by the 
        commercial data operator;
            (3) each source of user data held by the commercial data 
        operator, whether by sale, a direct consumer relationship, an 
        indirect consumer relationship, or other means;
            (4) each discrete revenue generating operation of the 
        commercial data operator and any subsidiary or affiliate that 
        relies on user data;
            (5) the entry into any contract valued at more than 
        $10,000,000 with a third party for the collection, licensing, 
        or sharing by the third party pursuant to an agreement with the 
        commercial data operator;
            (6) the amount of revenue derived from obtaining, 
        collecting, processing, selling, using or sharing user data 
        during the reporting period;
            (7) how changes in the measurement of aggregate fair value 
        of user data affect the reported performance and cash flows of 
        the issuer; and
            (8) any acquisition of user data in the preceding reporting 
        period valued at more than $100,000,000.
    (c) Report.--
            (1) In general.--Not later than 3 years after the date of 
        enactment of this Act, the Commission shall submit to the 
        Committee on Banking, Housing, and Urban Affairs of the Senate 
        and the Committee on Financial Services of the House of 
        Representatives a report on--
                    (A) the nature, timing, and extent of the 
                disclosure practices of commercial data operators;
                    (B) an assessment of the valuation methodologies 
                and practices employed by commercial data operators in 
                developing and submitting disclosures to the public;
                    (C) an evaluation of the methods of delivery and 
                presentation of the disclosures required by this Act, 
                and the amendments made by this Act; and
                    (D) recommendations for the improvement of the 
                methods described in paragraph (3), including 
                developing standards to enhance comparability and 
                utility for investors.
            (2) Rulemaking.--Not later than 180 days after the date on 
        which the report required under paragraph (1) is submitted, the 
        Commission shall promulgate a proposed regulation implementing 
        the recommendations described in paragraph (1)(D).