Data deletion requirements

(a)

Data broker annual registration

(1)

In general

Not later than 1 year after the date of enactment of this section, the Commission shall promulgate regulations to require any data broker to— (A)not later than 18 months after the date of enactment of this section, and annually thereafter, register with the Commission; and (B)provide the following information with such registration: (i)The name and primary physical, email, and uniform resource locator (URL) addresses of the data broker. (ii)If the data broker permits an individual to opt out of the data broker’s collection or use of personal information, certain sales of such information, or its databases— (I)the method for requesting an opt-out; (II)any limitations on the type of data collection, uses, or sales for which an individual may opt out; and (III)whether the data broker permits an individual to authorize a third party to perform the opt-out on the individual’s behalf. (iii)A response to a standardized form (as issued by the Commission) specifying the types of information the data broker collects or obtains and the sources from which the data broker obtains data. (iv)A statement as to whether the data broker implements a credentialing process and, if so, a description of that process. (v)Any additional information or explanation the data broker chooses to provide concerning its data collection practices. (vi)Any other information determined appropriate by the Commission. (2)

Public availability

(A)

In general

The Commission shall make the information described in paragraph (1) publicly available in a downloadable and machine-readable format, except in the event that the Commission— (i)determines that the risk of making such information available is not in the interest of public safety or welfare; and (ii)provides a justification for such determination. (B)

Disclaimer

The Commission shall include on the website of the Commission a disclaimer that— (i)the Commission cannot confirm the accuracy of the responses provided by the data brokers in the registration described in paragraph (1); and (ii)individuals may contact such data brokers at their own risk. (b)

Centralized data deletion system

(1)

Establishment

(A)

In general

Not later than 1 year after the date of enactment of this section, the Commission shall promulgate regulations to establish a centralized system that— (i)implements and maintains reasonable security procedures and practices (including administrative, physical, and technical safeguards) appropriate to the nature of the information and the purposes for which the personal information will be used, to protect individuals’ personal information from unauthorized use, disclosure, access, destruction, or modification; and (ii)allows an individual, through a single submission, to request that every data broker who is registered under subsection (a) and who maintains any persistent identifiers (as described in subparagraph (B)(iii)) delete any personal information related to such individual held by such data broker or affiliated legal entity of the data broker. (B)

Requirements

The centralized system established in subparagraph (A) shall meet the following requirements: (i)Subject to the regulations promulgated in accordance with paragraph (2)(B)(ii), the centralized system shall allow an individual to request the deletion of all personal information related to such individual through a single deletion request. (ii)The centralized system shall provide a standardized form to allow an individual to make such request. (iii)Such standardized form shall include the individual's email, phone number, physical address, and any other persistent identifier determined by the Commission to aid in the deletion request. (iv)The centralized system shall automatically hash all submitted information and allow the Commission to maintain independent hashed registries of each type of information obtained through such form. (v)The centralized system shall only permit data brokers who are registered with the Commission to submit hashed queries to the independent hashed registries described in clause (iv). (vi)The centralized system shall allow an individual to make such request using an internet website operated by the Commission. (vii)The centralized system shall not charge the individual to make such request. (viii)The centralized system shall automatically delete any individual data field stored in the system once such data field has been stored in the centralized system for 2 years. The Commission shall inform the individual of this automatic deletion period when the individual makes a deletion request. Beginning 4 years after the date of enactment of this Act, the Commission may promulgate rules to adjust such retention period or enable automatic renewal of requests if it determines that such adjustment or automatic renewal would better protect individual privacy or the public interest. (C)

Transition

(i)

In general

Not later than 8 months after the effective date of the regulations promulgated under subparagraph (A), each data broker shall— (I)not less than once every 31 days, access the hashed registries maintained by the Commission as described in subparagraph (B)(iv); and (II)process any deletion request associated with a match between such hashed registries and the records of the data broker. (ii)

FTC guidance

Not later than 6 months after the effective date of the regulations promulgated under subparagraph (A), the Commission shall publish guidance on the process and standards to which a data broker must adhere in carrying out clause (i). (2)

Deletion

(A)

Information deletion

(i)

In general

Subject to clause (ii), not later than 31 days after accessing the hashed registries described in paragraph (1)(B)(iv), a data broker and any associated legal entity shall delete all personal information in its possession related to the individual making the request. Immediately following the deletion, the data broker shall send an affirmative representation to the Commission with the number of records deleted pursuant to each match with a value in the hashed registries. (ii)

Exclusions

In carrying out clause (i), a data broker may retain, where required, the following information: (I)Any personal information that is processed or maintained solely as part of human subjects research conducted in compliance with any legal requirements for the protection of human subjects. (II)Any personal information necessary to comply with a warrant, subpoena, court order, rule, or other applicable law. (III)Any personal information related to the suppression list described in subparagraph (B)(ii). (IV)Any information necessary for an activity described in subsection (e)(3)(B), provided that the retained information is used solely for any such activity. (iii)

Use of information

Any personal information excluded under clause (ii) may only be used for the purpose described in the applicable subclause of clause (ii), and may not be used for any other purpose, including marketing purposes. (B)

Do Not Track list; suppression list

(i)

Do Not Track list

Not later than 18 months after the date of enactment of this section, the Commission shall promulgate regulations to prohibit any data broker registered under subsection (a) from collecting or retaining personal information on any individual who has submitted a deletion request through the centralized system established in paragraph (1)(A), unless such data collection is requested by the individual. (ii)

Suppression list

Not later than 18 months after the date of enactment of this section, the Commission shall promulgate regulations to ensure that— (I)any individual who submits a deletion request through the centralized system established in paragraph (1) shall be included on the Do Not Track list described in clause (i); and (II)each data broker registered under subsection (a)— (aa)may not collect or retain more personal information than is necessary to identify an individual who is included on the Do Not Track list; and (bb)in the case that unnecessary personal information is collected or retained, shall immediately delete any personal information not required to comply with the regulations promulgated under this subparagraph. (C)

Annual report

Each data broker registered under subsection (a) shall submit to the Commission, on an annual basis, a report on— (i)the completion rate with respect to the completion of deletion requests under subparagraph (A); and (ii)the effectiveness of the suppression list under subparagraph (B)(ii), including— (I)the number of times the data broker collected personal information related to an individual included on the suppression list; (II)the number of times the data broker collected data resulting in a match with the hashed registries maintained by the Commission as described in paragraph (1)(B)(iv); and (III)whether the regulations promulgated under subparagraph (B) and the structure or format of the hashed registries promote efficient comparison of the suppression list with information collected or retained by the data broker. (D)

Audit

(i)

In general

Not later than 3 years after the date of enactment of this section, and every 3 years thereafter, each data broker registered under subsection (a) shall undergo an independent third party audit to determine compliance with this subsection. (ii)

Audit report

Not later than 6 months after the completion of any audit under clause (i), each such data broker shall submit to the Commission any report produced as a result of the audit, along with any related materials. (iii)

Maintain records

Each such data broker shall maintain the materials described in clause (ii) for a period of not less than 6 years. (3)

Annual fee

(A)

In general

Subject to subparagraph (B), each data broker registered under subsection (a) and who maintains any persistent identifiers (as described in paragraph (1)(B)(iii)) shall pay to the Commission, on an annual basis, a subscription fee determined by the Commission to access the database. (B)

Limit

The amount of the subscription fee under subparagraph (A) may not exceed 1 percent of the expected annual cost of operating the centralized system and hashed registries described in paragraph (1), as determined by the Commission. (C)

Availability

Any amounts collected by the Commission pursuant to this paragraph shall be available without further appropriation to the Commission for the purpose of enforcing and administering this Act, including the implementation and maintenance of such centralized system and hashed registries and the promotion of public awareness of the centralized system. (c)

Enforcement by the Commission

(1)

Unfair or deceptive acts or practices

A violation of subsection (a) or (b) or a regulation promulgated under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)). (2)

Powers of the Commission

(A)

In general

The Commission shall enforce this section in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. (B)

Privileges and immunities

Any person who violates subsection (a) or (b) or a regulation promulgated under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.). (C)

Authority preserved

Nothing in this section shall be construed to limit the authority of the Commission under any other provision of law. (D)

Rulemaking

The Commission shall promulgate in accordance with section 553 of title 5, United States Code, such rules as may be necessary to carry out this section. (d)

Study and report

(1)

Study

The Commission shall conduct a study on the implementation and enforcement of this section. Such study shall include— (A)an analysis of the effectiveness of the centralized system established in subsection (b)(1)(A); (B)the number deletion requests submitted annually using such centralized system; (C)an analysis of the progress of coordinating the operation and enforcement of such requests with similar systems established and maintained by the various States; and (D)any other area determined appropriate by the Commission. (2)

Report

Not later than 3 years after the date of enactment of this section, and annually thereafter for each of the next 4 years, the Commission shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report containing— (A)the results of the study conducted under paragraph (1); (B)a summary of any enforcement actions taken pursuant to this Act; and (C)recommendations for such legislation and administrative action as the Commission determines appropriate. (e)

Definitions

In this section: (1)

Commission

The term Commission means the Federal Trade Commission. (2)

Credentialing process

The term credentialing process means the practice of taking reasonable steps to confirm— (A)the identity of the entity with whom the data broker has a direct relationship; (B)that any data disclosed to the entity by such data broker will be used for the described purpose of such disclosure; and (C)that such data will not be used for unlawful purposes. (3)

Data broker

(A)

In general

The term data broker means an entity that knowingly collects or obtains the personal information of an individual with whom the entity does not have a direct relationship and then— (i)uses the personal information to perform a service for a third party; or (ii)sells, licenses, trades, provides for consideration, or is otherwise compensated for disclosing personal information to a third party. (B)

Exclusion

The term data broker does not include an entity who solely uses, sells, licenses, trades, provides for consideration, or is otherwise compensated for disclosing personal information for one or more of the following activities: (i)Providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier. (ii)Providing an individual's publicly available information if the information is being used by the recipient as it relates to that individual's business or profession. (iii)Providing or using personal information in a manner that is regulated under another Federal or State law, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, or the Health Insurance Portability and Accountability Act. (iv)Providing personal information to a third party at the express direction of the individual for a clearly disclosed single-use purpose. (v)Providing or using personal information for assessing, verifying, or authenticating an individual's identity, or for investigating or preventing actual or potential fraud. (vi)Gathering, preparing, collecting, photographing, recording, writing, editing, reporting, or publishing news or information that concerns local, national, or international events or other matters of public interest for dissemination to the public. (C)

Exclusion from sale

(i)

In general

For purposes of this paragraph, the term sells does not include a one-time or occasional sale of assets of an entity as part of a transfer of control of those assets that is not part of the ordinary conduct of the entity. (ii)

Notice required

To meet the exclusion criteria described in clause (i), an entity must provide notice to the Commission, in the manner determined appropriate by the Commission, of any such one-time or occasional sale of assets. (4)

Delete

The term delete means to remove or destroy information such that the information is not maintained in human- or machine-readable form and cannot be retrieved or utilized in such form in the normal course of business. (5)

Direct relationship

(A)

In general

The term direct relationship means a relationship between an individual and an entity where the individual— (i)is a current customer; (ii)has obtained a good or service from the entity within the prior 18 months; or (iii)has made an inquiry about the products or services of the entity within the prior 90 days. (B)

Exclusion

The term direct relationship does not include a relationship between an individual and a data broker where the individual's only connection to the data broker is based on the individual's request— (i)for the data broker to delete the personal information of the individual; or (ii)to opt out of the data broker’s collection or use of personal information, certain sales of such information, or its databases. (6)

Hash

The term hash means to input data to a cryptographic, one-way, collision resistant function that maps a bit string of arbitrary length to a fixed-length bit string to produce a cryptographically secure value. (7)

Hashed

The term hashed means the type of value produced by hashing data. (8)

Human subjects research

The term human subjects research means research that— (A)an investigator (whether professional or student) conducts on a living individual; and (B)either— (i)obtains information or biospecimens through intervention or interaction with the individual, and uses, studies, or analyzes the information or biospecimens; or (ii)obtains, uses, studies, analyzes, or generates personal information or identifiable biospecimens. (9)

Personal information

(A)

In general

The term personal information means any information held by a data broker, regardless of how the information is collected, inferred, created, or obtained, that is linked or reasonably linkable by the data broker to a particular individual or consumer device, including the following information: (i)Financial information, including any bank account number, credit card number, debit card number, or insurance policy number. (ii)A name, alias, home or other physical address, online identifier, Internet Protocol address, email address, account name, State identification card number, driver's license number, passport number, or an identifying number on a government-issued identification. (iii)Geolocation information. (iv)Biometric information. (v)The contents of, attachments to, or parties to information, including with respect to email, text messages, picture messages, voicemails, audio conversations, or video conversations. (vi)Web browsing history, including any search query. (vii)Genetic sequencing information. (viii)A device identifier, online identifier, persistent identifier, or digital fingerprinting information. (ix)Any inference drawn from any of the information described in this paragraph that is used to create a profile about an individual that reflects such individual's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes. (x)Any other information determined appropriate by the Commission. (B)

Linked or reasonably linkable

For purposes of subparagraph (A), information is linked or reasonably linkable to a particular individual or consumer device if the information can be used on its own or in combination with other information held by or readily accessible to a data broker to identify a particular individual or consumer device. (10)

Process

The term process means to perform or direct the performance of an operation on personal information, including the collection, transmission, use, disclosure, analysis, prediction, or modification of such personal information, whether or not by automated means. (11)

Uniform resource locator; URL

The term uniform resource locator or URL means a short string containing an address that refers to an object on the web.