[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2290 Introduced in Senate (IS)]

117th CONGRESS
  1st Session
                                S. 2290

   To provide for requirements for data brokers with respect to the 
 acquisition, use, and protection of brokered personal information and 
 to require that data brokers annually register with the Federal Trade 
                              Commission.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 24, 2021

 Mr. Peters (for himself, Ms. Lummis, and Mrs. Capito) introduced the 
 following bill; which was read twice and referred to the Committee on 
                 Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
   To provide for requirements for data brokers with respect to the 
 acquisition, use, and protection of brokered personal information and 
 to require that data brokers annually register with the Federal Trade 
                              Commission.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Data Broker List Act of 2021''.

SEC. 2. REQUIREMENTS FOR DATA BROKERS.

    (a) Requirements With Respect to the Acquisition and Use of 
Brokered Personal Information.--A data broker shall not--
            (1) acquire brokered personal information through 
        fraudulent means;
            (2) acquire or use brokered personal information for the 
        purpose of--
                    (A) stalking or harassing another person;
                    (B) committing fraud, including identity theft, 
                financial fraud, or e-mail fraud; or
                    (C) engaging in unlawful discrimination, including 
                unlawful discrimination in decisions regarding 
                employment, housing, and credit eligibility; or
            (3) sell or transfer brokered personal information to a 
        third party if the data broker knows or reasonably should know 
        that the third party intends to engage in any conduct 
        prohibited by this Act.
    (b) Duty To Protect Brokered Personal Information.--
            (1) In general.--A data broker shall develop, implement, 
        and maintain a comprehensive information security program in 
        order to protect from security breaches or other inadvertent or 
        improper disclosure the brokered personal information acquired 
        by the data broker.
            (2) Notification of change of ownership.--If a data broker 
        is purchased or otherwise acquired by another entity, such 
        other entity shall provide notification of such purchase or 
        acquisition to any consumer with respect to which--
                    (A) the data broker collected, processed, analyzed, 
                stored or used brokered personal information; and
                    (B) such other entity plans to continue to collect, 
                process, analyze, store or use such information.
            (3) Program requirements.--The comprehensive information 
        security program required under paragraph (1) shall--
                    (A) be written in one or more readily accessible 
                parts; and
                    (B) contain administrative, technical, and physical 
                safeguards that are appropriate to--
                            (i) the size, scope, and type of business 
                        of the data broker;
                            (ii) the amount of resources available to 
                        the data broker;
                            (iii) the amount of stored data of the data 
                        broker;
                            (iv) the nature and sensitivity of the 
                        brokered personal information stored by the 
                        data broker; and
                            (v) the need for security and 
                        confidentiality of brokered personal 
                        information.
    (c) Annual Registration.--
            (1) In general.--Annually, on or before January 31, a data 
        broker shall--
                    (A) register with the Commission; and
                    (B) provide the following information with such 
                registration:
                            (i) The name and primary physical, e-mail, 
                        and internet addresses of the data broker.
                            (ii) If the data broker permits a consumer 
                        to opt out of the data broker's collection of 
                        brokered personal information, opt out of its 
                        databases, or opt out of certain sales of 
                        data--
                                    (I) the method for requesting an 
                                opt-out;
                                    (II) if the opt-out applies to only 
                                certain activities or sales, which 
                                ones; and
                                    (III) whether the data broker 
                                permits a consumer to authorize a third 
                                party to perform the opt-out on the 
                                consumer's behalf.
                            (iii) A statement specifying the data 
                        collection, databases, or sales activities from 
                        which a consumer may not opt out, and why an 
                        opportunity to opt out is not available.
                            (iv) A statement specifying the types of 
                        information being collected, as determined by 
                        the Commission, to the extent practicable.
                            (v) A statement as to whether the data 
                        broker implements a purchaser credentialing 
                        process and, if so, a description of that 
                        process.
                            (vi) The number of security breaches that 
                        the data broker experienced during the previous 
                        year, and if known, the total number of 
                        consumers whose personal information was 
                        accessed, downloaded, viewed, or otherwise 
                        affected in a breach.
                            (vii) Where the data broker has actual 
                        knowledge that it possesses the brokered 
                        personal information of minors, a separate 
                        statement detailing the data collection 
                        practices, databases, sales activities, and 
                        opt-out policies that are applicable to the 
                        brokered personal information of minors.
                            (viii) Any additional information or 
                        explanation concerning its data collection 
                        practices.
            (2) Exception.--The requirements under paragraph (1) shall 
        not apply to a data broker that is already required to comply 
        with such requirements with respect to another Federal agency.
            (3) Public availability.--The Commission shall make the 
        information described in paragraph (1) available on the 
        internet website of the Commission, except as necessary to 
        protect the integrity of ongoing investigations or to protect 
        the privacy of consumers, or if it is in the interest of public 
        safety or welfare.

SEC. 3. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.

    (a) Unfair or Deceptive Acts or Practices.--A violation of section 
2 shall be treated as a violation of a rule defining an unfair or a 
deceptive act or practice under section 18(a)(1)(B) of the Federal 
Trade Commission Act (15 U.S.C. 57a(a)(1)(B)). The Commission shall 
begin enforcement of such violations by not later than 1 year after the 
date of the enactment of this Act.
    (b) Powers of Commission.--
            (1) In general.--The Commission shall enforce this Act in 
        the same manner, by the same means, and with the same 
        jurisdiction, powers, and duties as though all applicable terms 
        and provisions of the Federal Trade Commission Act (15 U.S.C. 
        41 et seq.) were incorporated into and made a part of this Act.
            (2) Privileges and immunities.--Any data broker who 
        violates section 2 shall be subject to the penalties and 
        entitled to the privileges and immunities provided in the 
        Federal Trade Commission Act (15 U.S.C. 41 et seq.).
            (3) Civil penalty.--A data broker that fails to register as 
        required under section 2(c) shall be liable for a civil penalty 
        in an amount determined by the Commission through the 
        rulemaking authority under subsection (c).
            (4) Authority preserved.--Nothing in this Act shall be 
        construed to limit the authority of the Federal Trade 
        Commission under any other provision of law.
    (c) Rulemaking Authority for the Commission.--The Commission shall 
have authority under section 553 of title 5, United States Code, to 
promulgate regulations the Commission determines to be necessary to 
carry out the provisions of this Act.

SEC. 4. FTC ANNUAL REVIEW AND REPORT.

    (a) Annual Review.--The Commission shall conduct an annual review 
of the implementation of the provisions of this Act. Such study shall 
include an analysis of--
            (1) compliance by data brokers with the requirements under 
        section 2;
            (2) enforcement actions taken by the Commission with 
        respect to violations of such requirements; and
            (3) other areas determined appropriate by the Commission.
    (b) Annual Report.--Not later than 1 year after the date of the 
enactment of this Act, and annually thereafter the Commission shall 
submit to Congress a report on the review conducted under subsection 
(a), together with recommendations for such legislation and 
administrative action as the Commission determines appropriate.

SEC. 5. DEFINITIONS.

    In this section:
            (1) Brokered personal information.--The term ``brokered 
        personal information'' means any personal information that is 
        categorized or organized for sale, license, or trade, or is 
        otherwise disclosed for compensation, to a third party.
            (2) Business.--
                    (A) In general.--The term ``business'' means a 
                commercial entity, including a sole proprietorship, 
                partnership, corporation, association, limited 
                liability company, or other group, however organized 
                and whether or not organized to operate at a profit, 
                including a financial institution organized, chartered, 
                or holding a license or authorization certificate under 
                the laws of a State, the United States, or any other 
                country, or the parent, affiliate, or subsidiary of a 
                financial institution.
                    (B) Exclusion.--The term ``business'' does not 
                include a State, a State agency, any political 
                subdivision of a State, or a vendor acting solely on 
                behalf of, and at the direction of, a State.
            (3) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (4) Consumer.--The term ``consumer'' means an individual 
        residing in the United States acting in a personal, family, or 
        household capacity.
            (5) Data broker.--
                    (A) In general.--The term ``data broker'' means a 
                business that knowingly collects or obtains the 
                personal information of a consumer with whom the 
                business does not have a direct relationship and then 
                sells, licenses, trades, provides for consideration, or 
                is otherwise compensated for disclosing that 
                information to a third party.
                    (B) Direct relationship.--For purposes of 
                subparagraph (A), a direct relationship with a business 
                exists if the consumer--
                            (i) is a current customer;
                            (ii) obtained a good or service from the 
                        business within the prior 18 months; or
                            (iii) made an inquiry about the products or 
                        services of the business within the prior 90 
                        days.
                    (C) Exclusion.--The following activities conducted 
                by a business, and the collection and sale or licensing 
                of brokered personal information incidental to 
                conducting these activities, do not qualify the 
                business as a data broker:
                            (i) Providing 411 directory assistance or 
                        directory information services, including name, 
                        address, and telephone number, on behalf of or 
                        as a function of a telecommunications carrier.
                            (ii) Providing a consumer's publicly 
                        available information if the information is 
                        being used by the recipient as it relates to 
                        that consumer's business or profession.
                            (iii) Providing publicly available 
                        information via real-time or near-real-time 
                        alert services for health or safety purposes.
                            (iv) Providing or using information in a 
                        manner that is regulated under another Federal 
                        or State law, including the Fair Credit 
                        Reporting Act, the Gramm-Leach-Bliley Act, or 
                        the Health Insurance Portability and 
                        Accountability Act.
                            (v) Providing data to a third party at the 
                        direction of the consumer and with the 
                        consumer's affirmative express consent.
                            (vi) Providing or using information for 
                        assessing, verifying, or authenticating a 
                        person's identity, or for investigating or 
                        preventing actual or potential fraud.
                    (D) Exclusion from sale.--For purposes of this 
                paragraph, the term ``sells'' does not include a one-
                time or occasional sale of assets of a business as part 
                of a transfer of control of those assets that is not 
                part of the ordinary conduct of the business.
            (6) Data broker security breach.--
                    (A) In general.--The term ``data broker security 
                breach'' means an unauthorized acquisition or a 
                reasonable belief of an unauthorized acquisition of 
                more than one element of brokered personal information 
                maintained by a data broker when the brokered personal 
                information is not encrypted, redacted, or protected by 
                another method that renders the information unreadable 
                or unusable by an unauthorized person or entity.
                    (B) Exclusion.--The term ``data broker security 
                breach'' does not include good faith but unauthorized 
                acquisition of brokered personal information by an 
                employee or agent of the data broker for a legitimate 
                purpose of the data broker, provided that the brokered 
                personal information is not used for a purpose 
                unrelated to the data broker's business or subject to 
                further unauthorized disclosure.
                    (C) Application.--In determining whether brokered 
                personal information has been acquired or is reasonably 
                believed to have been acquired without valid 
                authorization, a data broker may consider the following 
                factors, among others:
                            (i) Indications that the brokered personal 
                        information is in the physical possession and 
                        control of a person or entity without valid 
                        authorization, such as a lost or stolen 
                        computer or other device containing brokered 
                        personal information.
                            (ii) Indications that the brokered personal 
                        information has been downloaded or copied.
                            (iii) Indications that the brokered 
                        personal information was used by an 
                        unauthorized person or entity, such as 
                        fraudulent accounts opened or instances of 
                        identity theft reported.
                            (iv) That the brokered personal information 
                        has been made public.
            (7) Personal information.--The term ``personal 
        information'' means information which is related to any 
        identified or identifiable person.
            (8) State.--The term ``State'' means any State of the 
        United States, the District of Columbia, the Commonwealth of 
        Puerto Rico, Guam, American Samoa, the Commonwealth of Northern 
        Mariana Islands, and the United States Virgin Islands.