[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 2577 Introduced in Senate (IS)]

116th CONGRESS
  1st Session
                                S. 2577

To require data brokers to establish procedures to ensure the accuracy 
       of collected personal information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 26, 2019

Mr. Markey (for himself, Mr. Blumenthal, and Ms. Smith) introduced the 
 following bill; which was read twice and referred to the Committee on 
                 Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
To require data brokers to establish procedures to ensure the accuracy 
       of collected personal information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Data Broker Accountability and 
Transparency Act of 2019''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (2) Covered data broker.--
                    (A) In general.--The term ``covered data broker'' 
                includes all data brokers except those data brokers 
                excepted under subparagraph (B).
                    (B) Exceptions.--The Commission may except a data 
                broker if the Commission considers, by rule, a data 
                broker outside the scope of this Act, such as a data 
                broker who processes information collected by or on 
                behalf of and received from or on behalf of a 
                nonaffiliated third party concerning an individual who 
                is a customer or an employee of that third party to 
                enable that third party, directly or through parties 
                acting on its behalf, to provide benefits for its 
                employees or directly transact business with its 
                customers.
            (3) Data broker.--The term ``data broker'' means a 
        commercial entity that collects, assembles, or maintains 
        personal information concerning an individual who is not a 
        customer or an employee of that entity in order to sell the 
        information or provide third party access to the information.
            (4) Personal information.--
                    (A) In general.--The term ``personal information'' 
                means information that directly or indirectly 
                identifies, relates to, describes, is capable of being 
                associated with, or could reasonably be linked to, a 
                particular individual.
                    (B) Examples.--The term ``personal information'' 
                includes--
                            (i) an identifier such as a real name, 
                        alias, signature, date of birth, gender 
                        identity, sexual orientation, marital status, 
                        physical characteristic or description, postal 
                        address, telephone number, unique personal 
                        identifier, military identification number, 
                        online identifier, Internet Protocol address, 
                        email address, account name, mother's maiden 
                        name, social security number, driver's license 
                        number, passport number, or other similar 
                        identifier;
                            (ii) information such as employment, 
                        employment history, bank account number, credit 
                        card number, debit card number, insurance 
                        policy number, or any other financial 
                        information, medical information, mental health 
                        information, or health insurance information;
                            (iii) commercial information, including a 
                        record of personal property, income, assets, 
                        leases, rentals, products or services 
                        purchased, obtained, or considered, or other 
                        purchasing or consuming history;
                            (iv) biometric information, including a 
                        retina or iris scan, fingerprint, voiceprint, 
                        or scan of hand or face geometry;
                            (v) internet or other electronic network 
                        activity information, including browsing 
                        history, search history, content, including 
                        text, photographs, audio or video recordings, 
                        or other user generated-content, non-public 
                        communications, and information regarding an 
                        individual's interaction with an internet 
                        website, mobile application, or advertisement;
                            (vi) historical or real-time geolocation 
                        data;
                            (vii) audio, electronic, visual, thermal, 
                        olfactory, or similar information;
                            (viii) education records, as defined in 
                        section 99.3 of title 34, Code of Federal 
                        Regulations, or any successor regulation;
                            (ix) political information or information 
                        on criminal convictions or arrests;
                            (x) any required security code, access 
                        code, password, or username necessary to permit 
                        access to the account of an individual;
                            (xi) characteristics of protected classes 
                        under Federal law, including race, color, 
                        national origin, religion, sex, age, or 
                        disability; or
                            (xii) an inference drawn from any of the 
                        information described in this subparagraph to 
                        create a profile about an individual reflecting 
                        the individual's preferences, characteristics, 
                        psychological trends, preferences, 
                        predispositions, behavior, attitudes, 
                        intelligence, abilities, or aptitudes.
                    (C) Exclusions.--
                            (i) In general.--The term ``personal 
                        information'' does not include publicly 
                        available information.
                            (ii) Publicly available information.--For 
                        purposes of clause (i), the term ``publicly 
                        available information'' means information that 
                        is lawfully made available from Federal, State, 
                        or local government records.
            (5) Public record information.--The term ``public record 
        information'' means information about an individual that has 
        been obtained originally from records of a Federal, State, or 
        local government entity that are available for public 
        inspection.

SEC. 3. PROHIBITION ON OBTAINING OR SOLICITATION TO OBTAIN PERSONAL 
              INFORMATION BY FALSE PRETENSES.

    (a) In General.--A covered data broker may not obtain or attempt to 
obtain, or cause to be disclosed or attempt to cause to be disclosed to 
any person, personal information or any other information relating to 
any person by making a false, fictitious, or fraudulent statement or 
representation to any person, including by providing any document to 
any person, that the covered data broker knows or should know--
            (1) to be forged, counterfeit, lost, stolen, or 
        fraudulently obtained; or
            (2) contains a false, fictitious, or fraudulent statement 
        or representation.
    (b) Solicitation.--A covered data broker may not request a person 
to obtain personal information, or any other information, relating to 
any other person if the covered data broker knows or should know that 
the person to whom the request is made will obtain or attempt to obtain 
that information in the manner described in subsection (a).

SEC. 4. REQUIREMENTS CONCERNING ACCURACY OF AND ACCESS TO PERSONAL 
              INFORMATION.

    (a) Accuracy.--
            (1) In general.--Except as provided in paragraph (2), a 
        covered data broker shall establish procedures to ensure, to 
        the maximum extent practicable, the accuracy of--
                    (A) the personal information the broker collects, 
                assembles, or maintains; and
                    (B) any other information the broker collects, 
                assembles, or maintains that specifically identifies an 
                individual, unless the information only identifies the 
                name or address of an individual.
            (2) Exception.--A covered data broker may collect or 
        maintain information that may be inaccurate with respect to a 
        particular individual if that information is being collected or 
        maintained solely for the purpose of--
                    (A) indicating whether there may be a discrepancy 
                or irregularity in the personal information that is 
                associated with an individual;
                    (B) helping to identify, or to authenticate the 
                identity of, an individual; or
                    (C) helping to protect against or investigate fraud 
                or other unlawful conduct.
    (b) Consumer Access.--
            (1) In general.--Subject to paragraph (4), a covered data 
        broker shall provide an individual a means to review any 
        personal information or other information that specifically 
        identifies that individual, that the covered data broker 
        collects, assembles, or maintains on that individual.
            (2) Review requirements.--
                    (A) Elements.--As part of the review described in 
                paragraph (1), a covered data broker shall provide a 
                description of--
                            (i) the personal information being 
                        retained;
                            (ii) each date on which the covered entity 
                        collected the personal information;
                            (iii) the third parties to which the 
                        covered entity has disclosed or will disclose 
                        the personal information; and
                            (iv) if possible, how long the personal 
                        information will be retained or stored, or if 
                        not possible, the criteria used for determining 
                        how long the personal information will be 
                        retained or stored.
                    (B) Additional requirements.--A covered data broker 
                shall provide the means for review under paragraph 
                (1)--
                            (i) at the request of an individual;
                            (ii) after verifying the identity of the 
                        individual;
                            (iii) not less than 1 time per year;
                            (iv) at no cost to the individual; and
                            (v) in a format that can be readily 
                        understood by a consumer, as determined by the 
                        Commission.
            (3) Period of review.--A covered data broker shall provide 
        an individual the means required under paragraph (1) within 
        such period after receiving a request from the individual as 
        the Commission shall determine, by rule, is appropriate.
            (4) Exceptions.--The Commission may, by rule, establish any 
        exceptions to paragraph (1) that the Commission considers 
        appropriate, such as for child protection, law enforcement, 
        fraud prevention, or other government purposes.
            (5) Limitation on use of verifying information.--If a 
        covered data broker collects information from an individual to 
        verify the identity of the individual under paragraph (2)(B) 
        that the data broker did not have before that collection, the 
        data broker may not use the information for any purpose other 
        than for purposes of verifying the identity of the individual 
        under that paragraph.
    (c) Disputed Information.--
            (1) In general.--An individual whose personal information 
        is maintained by a covered data broker may dispute the accuracy 
        of any information described under subsection (b)(1) by 
        requesting, in writing, that the covered data broker correct 
        the information.
            (2) Correction requirements.--A covered data broker, after 
        verifying the identity of an individual making a request under 
        paragraph (1) to correct information, and unless there are 
        reasonable grounds to believe the request is frivolous or 
        irrelevant, shall--
                    (A) with regard to publicly available information--
                            (i) inform the individual of the source of 
                        the information and, if reasonably available, 
                        where to direct the request for correction; or
                            (ii) if the individual provides proof that 
                        the public record has been corrected or that 
                        the covered data broker was reporting the 
                        information incorrectly, correct the inaccuracy 
                        in the records of the covered data broker; and
                    (B) with regard to personal information--
                            (i) note the information that is disputed, 
                        including the written request of the 
                        individual;
                            (ii) if the information can be 
                        independently verified, use the procedures 
                        established under subsection (a) to 
                        independently verify the information; and
                            (iii) if the covered data broker was 
                        reporting the information incorrectly, correct 
                        the inaccuracy in the records of the covered 
                        data broker.
            (3) Period of correction.--If a covered data broker is 
        subject to a requirement under paragraph (2) due to a request 
        made by an individual under paragraph (1), the covered data 
        broker shall take any action that may be required to satisfy 
        the requirement within a period determined appropriate by the 
        Commission, by rule.
    (d) Notice.--
            (1) In general.--A covered data broker shall maintain an 
        internet website and place a clear and conspicuous notice on 
        that internet website instructing an individual how--
                    (A) to review information under subsection (b)(1); 
                and
                    (B) to express a preference under subsection 
                (e)(2).
            (2) Form.--A covered data broker shall ensure that the 
        notice the covered data broker places under paragraph (1) 
        conforms to a model form that the Commission shall promulgate 
        for purposes of this subsection.
    (e) Certain Marketing Information.--
            (1) In general.--A covered data broker may not use, share, 
        or sell any information for marketing purposes that is subject 
        to an expressed preference under paragraph (2).
            (2) Expression of preferences.--A covered data broker that 
        maintains any information described under subsection (a) and 
        that uses, shares, or sells that information for marketing 
        purposes shall provide each individual whose information the 
        covered data broker maintains with a reasonable means of 
        expressing a preference not to have that individual's 
        information used for those purposes.
    (f) Auditing.--
            (1) In general.--Subject to paragraph (2), a covered data 
        broker shall establish measures that facilitate the auditing or 
        retracing of any internal or external access to, or 
        transmission of, any data containing personal information 
        collected, assembled, or maintained by the covered data broker.
            (2) Exceptions.--The Commission may establish, by rule, any 
        exceptions to paragraph (1) that the Commission considers 
        appropriate to further or protect law enforcement or national 
        security activities.
    (g) Security.--
            (1) In general.--A covered data broker shall develop and 
        implement a comprehensive consumer privacy and data security 
        program to protect against harm that may be caused by--
                    (A) loss of personal information collected, 
                assembled, or maintained by the covered data broker; or
                    (B) unauthorized access, destruction, use, 
                modification, or disclosure of personal information 
                described in subparagraph (A).
            (2) Notice.--If a covered data broker determines that 
        personal information of an individual that is collected, 
        assembled, or maintained by the covered data broker has been 
        lost or the subject of unauthorized access, destruction, use, 
        modification, or disclosure, the covered data broker shall 
        notify the individual of the loss, access, destruction, use, 
        modification, or disclosure.
    (h) Persons Regulated by the Fair Credit Reporting Act.--A covered 
data broker shall be considered to be in compliance with subsections 
(a) through (f) of this section with respect to information that is 
subject to the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) if 
the covered data broker is in compliance with sections 609, 610, and 
611 of that Act (15 U.S.C. 1681g, 1681h, 1681i).

SEC. 5. USE LIMITATIONS.

    (a) In General.--A covered data broker shall not use personal 
information for unreasonable purposes, including--
            (1) selling, leasing, trading, or otherwise profiting from 
        an individual's biometric information;
            (2) sharing, resharing, or otherwise disseminating an 
        individual's biometric information without first obtaining 
        specific consent from the individual, unless--
                    (A) the dissemination is required by State or 
                Federal law or municipal ordinance; or
                    (B) the dissemination is required pursuant to a 
                valid warrant or subpoena issued by a court of 
                competent jurisdiction;
            (3) processing personal information for the purpose of 
        advertising, marketing, soliciting, offering, selling, leasing, 
        licensing, renting, or otherwise commercially contracting for 
        employment, finance, healthcare, credit, insurance, housing, or 
        education opportunities, in a manner that discriminates against 
        or otherwise makes the opportunity unavailable on the basis of 
        a person's or class of persons' actual or perceived race, 
        color, ethnicity, religion, national origin, sex, gender, 
        gender identity, sexual orientation, familial status, biometric 
        information, lawful source of income, or disability; or
            (4) processing personal information in a manner that 
        segregates, discriminates in, or otherwise makes unavailable 
        the goods, services, facilities, privileges, advantages, or 
        accommodations of any place of public accommodation on the 
        basis of a person's or class of persons' actual or perceived 
        race, color, ethnicity, religion, national origin, sex, gender, 
        gender identity, sexual orientation, or disability.
    (b) Definition of Place of Public Accommodation.--For purposes of 
subsection (a), the term ``place of public accommodation'' means--
            (1) any entity considered a place of public accommodation 
        under section 201(b) of the Civil Rights Act of 1964 (42 U.S.C. 
        2000a(b)) or section 301 of the Americans with Disabilities Act 
        of 1990 (42 U.S.C. 12181); and
            (2) any entity that offers goods or services through the 
        internet to the general public.

SEC. 6. REGULATIONS.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Commission shall promulgate regulations under section 
553 of title 5, United States Code, to carry out this Act.
    (b) Elements.--The regulations promulgated under subsection (a) 
shall include the following:
            (1) Any exceptions the Commission considers appropriate to 
        promulgate under section 2(2)(B).
            (2) The period of review required under section 4(b)(3).
            (3) Any exceptions the Commission considers appropriate to 
        promulgate under section 4(b)(4).
            (4) The period of correction required under section 
        4(c)(3).
            (5) The model form required by section 4(d)(2).
            (6) Requirements for auditing under paragraph (1) of 
        section 4(f) and any exceptions under paragraph (2) of that 
        section that the Commission considers appropriate.
            (7) Establishment of a centralized internet website for the 
        benefit of consumers that--
                    (A) lists the covered data brokers that are subject 
                to a requirement of section 4; and
                    (B) provides information to consumers about their 
                rights under this Act.
            (8) Any other regulations that the Commission considers 
        appropriate to carry out this Act.

SEC. 7. ENFORCEMENT.

    (a) Enforcement by Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        section 3, 4, or 5 or a regulation promulgated under this Act 
        shall be treated as a violation of a rule defining an unfair or 
        a deceptive act or practice under section 18(a)(1)(B) of the 
        Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
            (2) Powers of commission.--
                    (A) In general.--The Commission shall enforce this 
                Act in the same manner, by the same means, and with the 
                same jurisdiction, powers, and duties as though all 
                applicable terms and provisions of the Federal Trade 
                Commission Act (15 U.S.C. 41 et seq.) were incorporated 
                into and made a part of this Act.
                    (B) Privileges and immunities.--Any person who 
                violates a regulation prescribed under this Act shall 
                be subject to the penalties and entitled to the 
                privileges and immunities provided in the Federal Trade 
                Commission Act (15 U.S.C. 41 et seq.).
    (b) Enforcement by States.--
            (1) Civil action.--Except as provided under paragraph (5), 
        in any case in which the attorney general of a State has reason 
        to believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the engagement 
        of any person subject to a provision of section 3, 4, or 5 or a 
        regulation promulgated under this Act in a practice that 
        violates that provision or regulation, the attorney general of 
        the State may, as parens patriae, bring a civil action on 
        behalf of the residents of the State in an appropriate district 
        court of the United States--
                    (A) to enjoin further violation of that provision 
                or regulation by the person;
                    (B) to compel compliance with that provision or 
                regulation;
                    (C) to obtain damages, restitution, or other 
                compensation on behalf of the residents;
                    (D) to obtain any other relief that the court 
                considers appropriate; or
                    (E) to obtain civil penalties in the amount 
                determined under paragraph (2).
            (2) Civil penalties.--
                    (A) Calculation.--For purposes of imposing a civil 
                penalty under paragraph (1)(E), the amount determined 
                under this paragraph is the amount calculated by 
                multiplying the number of separate violations of a rule 
                by an amount not greater than $16,000.
                    (B) Adjustment for inflation.--Beginning on the 
                date that the Consumer Price Index is first published 
                by the Bureau of Labor Statistics that is after 1 year 
                after the date of enactment of this Act, and each year 
                thereafter, the amount specified in subparagraph (A) 
                shall be increased by the percentage increase in the 
                Consumer Price Index published on that date from the 
                Consumer Price Index published the previous year.
            (3) Rights of federal trade commission.--
                    (A) Notice to federal trade commission.--
                            (i) In general.--Except as provided in 
                        clause (iii), the attorney general of a State 
                        shall notify the Commission in writing that the 
                        attorney general intends to bring a civil 
                        action under paragraph (1) before initiating 
                        the civil action.
                            (ii) Contents.--The notification required 
                        by clause (i) with respect to a civil action 
                        shall include a copy of the complaint to be 
                        filed to initiate the civil action.
                            (iii) Exception.--If it is not feasible for 
                        the attorney general of a State to provide the 
                        notification required by clause (i) before 
                        initiating a civil action under paragraph (1), 
                        the attorney general shall notify the 
                        Commission immediately upon instituting the 
                        civil action.
                    (B) Intervention by federal trade commission.--The 
                Commission may--
                            (i) intervene in any civil action brought 
                        by the attorney general of a State under 
                        paragraph (1); and
                            (ii) upon intervening--
                                    (I) be heard on all matters arising 
                                in the civil action; and
                                    (II) file petitions for appeal of a 
                                decision in the civil action.
            (4) Investigatory powers.--Nothing in this subsection may 
        be construed to prevent the attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of the State to conduct investigations, to administer 
        oaths or affirmations, or to compel the attendance of witnesses 
        or the production of documentary or other evidence.
            (5) Preemptive action by federal trade commission.--If the 
        Commission institutes a civil action or an administrative 
        action with respect to a violation of a provision of section 3, 
        4, or 5 or a regulation promulgated under this Act, the 
        attorney general of a State may not, during the pendency of the 
        action, bring a civil action under paragraph (1) against any 
        defendant named in the complaint of the Commission for the 
        violation with respect to which the Commission instituted the 
        action.
            (6) Actions by other state officials.--
                    (A) In general.--In addition to civil actions 
                brought by attorneys general under paragraph (1), any 
                other officer of a State who is authorized by the State 
                to do so may bring a civil action under paragraph (1), 
                subject to the same requirements and limitations that 
                apply under this subsection to civil actions brought by 
                attorneys general.
                    (B) Savings provision.--Nothing in this subsection 
                may be construed to prohibit an authorized official of 
                a State from initiating or continuing any proceeding in 
                a court of the State for a violation of any civil or 
                criminal law of the State.

SEC. 8. EFFECT ON OTHER LAWS.

    (a) Preservation of Commission Authority.--Nothing in this Act may 
be construed in any way to limit or affect the authority of the 
Commission under any other provision of law.
    (b) Preservation of Other Federal Law.--Nothing in this Act may be 
construed in any way to supersede, restrict, or limit the application 
of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) or any other 
Federal law.