[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3627 Introduced in Senate (IS)]

117th CONGRESS
  2d Session
                                S. 3627

 To establish a centralized system to allow individuals to request the 
  simultaneous deletion of their personal information across all data 
                    brokers, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           February 10, 2022

Mr. Cassidy (for himself and Mr. Ossoff) introduced the following bill; 
    which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
 To establish a centralized system to allow individuals to request the 
  simultaneous deletion of their personal information across all data 
                    brokers, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Data Elimination and Limiting 
Extensive Tracking and Exchange Act'' or the ``DELETE Act''.

SEC. 2. DATA DELETION REQUIREMENTS.

    (a) Data Broker Annual Registration.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this section, the Commission shall promulgate 
        regulations to require any data broker to--
                    (A) not later than 18 months after the date of 
                enactment of this section, and annually thereafter, 
                register with the Commission; and
                    (B) provide the following information with such 
                registration:
                            (i) The name and primary physical, email, 
                        and uniform resource locator (URL) addresses of 
                        the data broker.
                            (ii) If the data broker permits an 
                        individual to opt out of the data broker's 
                        collection or use of personal information, 
                        certain sales of such information, or its 
                        databases--
                                    (I) the method for requesting an 
                                opt-out;
                                    (II) any limitations on the type of 
                                data collection, uses, or sales for 
                                which an individual may opt out; and
                                    (III) whether the data broker 
                                permits an individual to authorize a 
                                third party to perform the opt-out on 
                                the individual's behalf.
                            (iii) A response to a standardized form (as 
                        issued by the Commission) specifying the types 
                        of information the data broker collects or 
                        obtains and the sources from which the data 
                        broker obtains data.
                            (iv) A statement as to whether the data 
                        broker implements a credentialing process and, 
                        if so, a description of that process.
                            (v) Any additional information or 
                        explanation the data broker chooses to provide 
                        concerning its data collection practices.
                            (vi) Any other information determined 
                        appropriate by the Commission.
            (2) Public availability.--
                    (A) In general.--The Commission shall make the 
                information described in paragraph (1) publicly 
                available in a downloadable and machine-readable 
                format, except in the event that the Commission--
                            (i) determines that the risk of making such 
                        information available is not in the interest of 
                        public safety or welfare; and
                            (ii) provides a justification for such 
                        determination.
                    (B) Disclaimer.--The Commission shall include on 
                the website of the Commission a disclaimer that--
                            (i) the Commission cannot confirm the 
                        accuracy of the responses provided by the data 
                        brokers in the registration described in 
                        paragraph (1); and
                            (ii) individuals may contact such data 
                        brokers at their own risk.
    (b) Centralized Data Deletion System.--
            (1) Establishment.--
                    (A) In general.--Not later than 1 year after the 
                date of enactment of this section, the Commission shall 
                promulgate regulations to establish a centralized 
                system that--
                            (i) implements and maintains reasonable 
                        security procedures and practices (including 
                        administrative, physical, and technical 
                        safeguards) appropriate to the nature of the 
                        information and the purposes for which the 
                        personal information will be used, to protect 
                        individuals' personal information from 
                        unauthorized use, disclosure, access, 
                        destruction, or modification; and
                            (ii) allows an individual, through a single 
                        submission, to request that every data broker 
                        who is registered under subsection (a) and who 
                        maintains any persistent identifiers (as 
                        described in subparagraph (B)(iii)) delete any 
                        personal information related to such individual 
                        held by such data broker or affiliated legal 
                        entity of the data broker.
                    (B) Requirements.--The centralized system 
                established in subparagraph (A) shall meet the 
                following requirements:
                            (i) Subject to the regulations promulgated 
                        in accordance with paragraph (2)(B)(ii), the 
                        centralized system shall allow an individual to 
                        request the deletion of all personal 
                        information related to such individual through 
                        a single deletion request.
                            (ii) The centralized system shall provide a 
                        standardized form to allow an individual to 
                        make such request.
                            (iii) Such standardized form shall include 
                        the individual's email, phone number, physical 
                        address, and any other persistent identifier 
                        determined by the Commission to aid in the 
                        deletion request.
                            (iv) The centralized system shall 
                        automatically hash all submitted information 
                        and allow the Commission to maintain 
                        independent hashed registries of each type of 
                        information obtained through such form.
                            (v) The centralized system shall only 
                        permit data brokers who are registered with the 
                        Commission to submit hashed queries to the 
                        independent hashed registries described in 
                        clause (iv).
                            (vi) The centralized system shall allow an 
                        individual to make such request using an 
                        internet website operated by the Commission.
                            (vii) The centralized system shall not 
                        charge the individual to make such request.
                            (viii) The centralized system shall 
                        automatically delete any individual data field 
                        stored in the system once such data field has 
                        been stored in the centralized system for 2 
                        years. The Commission shall inform the 
                        individual of this automatic deletion period 
                        when the individual makes a deletion request. 
                        Beginning 4 years after the date of enactment 
                        of this Act, the Commission may promulgate 
                        rules to adjust such retention period or enable 
                        automatic renewal of requests if it determines 
                        that such adjustment or automatic renewal would 
                        better protect individual privacy or the public 
                        interest.
                    (C) Transition.--
                            (i) In general.--Not later than 8 months 
                        after the effective date of the regulations 
                        promulgated under subparagraph (A), each data 
                        broker shall--
                                    (I) not less than once every 31 
                                days, access the hashed registries 
                                maintained by the Commission as 
                                described in subparagraph (B)(iv); and
                                    (II) process any deletion request 
                                associated with a match between such 
                                hashed registries and the records of 
                                the data broker.
                            (ii) FTC guidance.--Not later than 6 months 
                        after the effective date of the regulations 
                        promulgated under subparagraph (A), the 
                        Commission shall publish guidance on the 
                        process and standards to which a data broker 
                        must adhere in carrying out clause (i).
            (2) Deletion.--
                    (A) Information deletion.--
                            (i) In general.--Subject to clause (ii), 
                        not later than 31 days after accessing the 
                        hashed registries described in paragraph 
                        (1)(B)(iv), a data broker and any associated 
                        legal entity shall delete all personal 
                        information in its possession related to the 
                        individual making the request. Immediately 
                        following the deletion, the data broker shall 
                        send an affirmative representation to the 
                        Commission with the number of records deleted 
                        pursuant to each match with a value in the 
                        hashed registries.
                            (ii) Exclusions.--In carrying out clause 
                        (i), a data broker may retain, where required, 
                        the following information:
                                    (I) Any personal information that 
                                is processed or maintained solely as 
                                part of human subjects research 
                                conducted in compliance with any legal 
                                requirements for the protection of 
                                human subjects.
                                    (II) Any personal information 
                                necessary to comply with a warrant, 
                                subpoena, court order, rule, or other 
                                applicable law.
                                    (III) Any personal information 
                                related to the suppression list 
                                described in subparagraph (B)(ii).
                                    (IV) Any information necessary for 
                                an activity described in subsection 
                                (e)(3)(B), provided that the retained 
                                information is used solely for any such 
                                activity.
                            (iii) Use of information.--Any personal 
                        information excluded under clause (ii) may only 
                        be used for the purpose described in the 
                        applicable subclause of clause (ii), and may 
                        not be used for any other purpose, including 
                        marketing purposes.
                    (B) Do not track list; suppression list.--
                            (i) Do not track list.--Not later than 18 
                        months after the date of enactment of this 
                        section, the Commission shall promulgate 
                        regulations to prohibit any data broker 
                        registered under subsection (a) from collecting 
                        or retaining personal information on any 
                        individual who has submitted a deletion request 
                        through the centralized system established in 
                        paragraph (1)(A), unless such data collection 
                        is requested by the individual.
                            (ii) Suppression list.--Not later than 18 
                        months after the date of enactment of this 
                        section, the Commission shall promulgate 
                        regulations to ensure that--
                                    (I) any individual who submits a 
                                deletion request through the 
                                centralized system established in 
                                paragraph (1) shall be included on the 
                                Do Not Track list described in clause 
                                (i); and
                                    (II) each data broker registered 
                                under subsection (a)--
                                            (aa) may not collect or 
                                        retain more personal 
                                        information than is necessary 
                                        to identify an individual who 
                                        is included on the Do Not Track 
                                        list; and
                                            (bb) in the case that 
                                        unnecessary personal 
                                        information is collected or 
                                        retained, shall immediately 
                                        delete any personal information 
                                        not required to comply with the 
                                        regulations promulgated under 
                                        this subparagraph.
                    (C) Annual report.--Each data broker registered 
                under subsection (a) shall submit to the Commission, on 
                an annual basis, a report on--
                            (i) the completion rate with respect to the 
                        completion of deletion requests under 
                        subparagraph (A); and
                            (ii) the effectiveness of the suppression 
                        list under subparagraph (B)(ii), including--
                                    (I) the number of times the data 
                                broker collected personal information 
                                related to an individual included on 
                                the suppression list;
                                    (II) the number of times the data 
                                broker collected data resulting in a 
                                match with the hashed registries 
                                maintained by the Commission as 
                                described in paragraph (1)(B)(iv); and
                                    (III) whether the regulations 
                                promulgated under subparagraph (B) and 
                                the structure or format of the hashed 
                                registries promote efficient comparison 
                                of the suppression list with 
                                information collected or retained by 
                                the data broker.
                    (D) Audit.--
                            (i) In general.--Not later than 3 years 
                        after the date of enactment of this section, 
                        and every 3 years thereafter, each data broker 
                        registered under subsection (a) shall undergo 
                        an independent third party audit to determine 
                        compliance with this subsection.
                            (ii) Audit report.--Not later than 6 months 
                        after the completion of any audit under clause 
                        (i), each such data broker shall submit to the 
                        Commission any report produced as a result of 
                        the audit, along with any related materials.
                            (iii) Maintain records.--Each such data 
                        broker shall maintain the materials described 
                        in clause (ii) for a period of not less than 6 
                        years.
            (3) Annual fee.--
                    (A) In general.--Subject to subparagraph (B), each 
                data broker registered under subsection (a) and who 
                maintains any persistent identifiers (as described in 
                paragraph (1)(B)(iii)) shall pay to the Commission, on 
                an annual basis, a subscription fee determined by the 
                Commission to access the database.
                    (B) Limit.--The amount of the subscription fee 
                under subparagraph (A) may not exceed 1 percent of the 
                expected annual cost of operating the centralized 
                system and hashed registries described in paragraph 
                (1), as determined by the Commission.
                    (C) Availability.--Any amounts collected by the 
                Commission pursuant to this paragraph shall be 
                available without further appropriation to the 
                Commission for the purpose of enforcing and 
                administering this Act, including the implementation 
                and maintenance of such centralized system and hashed 
                registries and the promotion of public awareness of the 
                centralized system.
    (c) Enforcement by the Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        subsection (a) or (b) or a regulation promulgated under this 
        Act shall be treated as a violation of a rule defining an 
        unfair or deceptive act or practice under section 18(a)(1)(B) 
        of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
            (2) Powers of the commission.--
                    (A) In general.--The Commission shall enforce this 
                section in the same manner, by the same means, and with 
                the same jurisdiction, powers, and duties as though all 
                applicable terms and provisions of the Federal Trade 
                Commission Act (15 U.S.C. 41 et seq.) were incorporated 
                into and made a part of this Act.
                    (B) Privileges and immunities.--Any person who 
                violates subsection (a) or (b) or a regulation 
                promulgated under this Act shall be subject to the 
                penalties and entitled to the privileges and immunities 
                provided in the Federal Trade Commission Act (15 U.S.C. 
                41 et seq.).
                    (C) Authority preserved.--Nothing in this section 
                shall be construed to limit the authority of the 
                Commission under any other provision of law.
                    (D) Rulemaking.--The Commission shall promulgate in 
                accordance with section 553 of title 5, United States 
                Code, such rules as may be necessary to carry out this 
                section.
    (d) Study and Report.--
            (1) Study.--The Commission shall conduct a study on the 
        implementation and enforcement of this section. Such study 
        shall include--
                    (A) an analysis of the effectiveness of the 
                centralized system established in subsection (b)(1)(A);
                    (B) the number of deletion requests submitted 
                annually using such centralized system;
                    (C) an analysis of the progress of coordinating the 
                operation and enforcement of such requests with similar 
                systems established and maintained by the various 
                States; and
                    (D) any other area determined appropriate by the 
                Commission.
            (2) Report.--Not later than 3 years after the date of 
        enactment of this section, and annually thereafter for each of 
        the next 4 years, the Commission shall submit to the Committee 
        on Commerce, Science, and Transportation of the Senate and the 
        Committee on Energy and Commerce of the House of 
        Representatives a report containing--
                    (A) the results of the study conducted under 
                paragraph (1);
                    (B) a summary of any enforcement actions taken 
                pursuant to this Act; and
                    (C) recommendations for such legislation and 
                administrative action as the Commission determines 
                appropriate.
    (e) Definitions.--In this section:
            (1) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (2) Credentialing process.--The term ``credentialing 
        process'' means the practice of taking reasonable steps to 
        confirm--
                    (A) the identity of the entity with whom the data 
                broker has a direct relationship;
                    (B) that any data disclosed to the entity by such 
                data broker will be used for the described purpose of 
                such disclosure; and
                    (C) that such data will not be used for unlawful 
                purposes.
            (3) Data broker.--
                    (A) In general.--The term ``data broker'' means an 
                entity that knowingly collects or obtains the personal 
                information of an individual with whom the entity does 
                not have a direct relationship and then--
                            (i) uses the personal information to 
                        perform a service for a third party; or
                            (ii) sells, licenses, trades, provides for 
                        consideration, or is otherwise compensated for 
                        disclosing personal information to a third 
                        party.
                    (B) Exclusion.--The term ``data broker'' does not 
                include an entity who solely uses, sells, licenses, 
                trades, provides for consideration, or is otherwise 
                compensated for disclosing personal information for one 
                or more of the following activities:
                            (i) Providing 411 directory assistance or 
                        directory information services, including name, 
                        address, and telephone number, on behalf of or 
                        as a function of a telecommunications carrier.
                            (ii) Providing an individual's publicly 
                        available information if the information is 
                        being used by the recipient as it relates to 
                        that individual's business or profession.
                            (iii) Providing or using personal 
                        information in a manner that is regulated under 
                        another Federal or State law, including the 
                        Fair Credit Reporting Act, the Gramm-Leach-
                        Bliley Act, or the Health Insurance Portability 
                        and Accountability Act.
                            (iv) Providing personal information to a 
                        third party at the express direction of the 
                        individual for a clearly disclosed single-use 
                        purpose.
                            (v) Providing or using personal information 
                        for assessing, verifying, or authenticating an 
                        individual's identity, or for investigating or 
                        preventing actual or potential fraud.
                            (vi) Gathering, preparing, collecting, 
                        photographing, recording, writing, editing, 
                        reporting, or publishing news or information 
                        that concerns local, national, or international 
                        events or other matters of public interest for 
                        dissemination to the public.
                    (C) Exclusion from sale.--
                            (i) In general.--For purposes of this 
                        paragraph, the term ``sells'' does not include 
                        a one-time or occasional sale of assets of an 
                        entity as part of a transfer of control of 
                        those assets that is not part of the ordinary 
                        conduct of the entity.
                            (ii) Notice required.--To meet the 
                        exclusion criteria described in clause (i), an 
                        entity must provide notice to the Commission, 
                        in the manner determined appropriate by the 
                        Commission, of any such one-time or occasional 
                        sale of assets.
            (4) Delete.--The term ``delete'' means to remove or destroy 
        information such that the information is not maintained in 
        human- or machine-readable form and cannot be retrieved or 
        utilized in such form in the normal course of business.
            (5) Direct relationship.--
                    (A) In general.--The term ``direct relationship'' 
                means a relationship between an individual and an 
                entity where the individual--
                            (i) is a current customer;
                            (ii) has obtained a good or service from 
                        the entity within the prior 18 months; or
                            (iii) has made an inquiry about the 
                        products or services of the entity within the 
                        prior 90 days.
                    (B) Exclusion.--The term ``direct relationship'' 
                does not include a relationship between an individual 
                and a data broker where the individual's only 
                connection to the data broker is based on the 
                individual's request--
                            (i) for the data broker to delete the 
                        personal information of the individual; or
                            (ii) to opt out of the data broker's 
                        collection or use of personal information, 
                        certain sales of such information, or its 
                        databases.
            (6) Hash.--The term ``hash'' means to input data to a 
        cryptographic, one-way, collision resistant function that maps 
        a bit string of arbitrary length to a fixed-length bit string 
        to produce a cryptographically secure value.
            (7) Hashed.--The term ``hashed'' means the type of value 
        produced by hashing data.
            (8) Human subjects research.--The term ``human subjects 
        research'' means research that--
                    (A) an investigator (whether professional or 
                student) conducts on a living individual; and
                    (B) either--
                            (i) obtains information or biospecimens 
                        through intervention or interaction with the 
                        individual, and uses, studies, or analyzes the 
                        information or biospecimens; or
                            (ii) obtains, uses, studies, analyzes, or 
                        generates personal information or identifiable 
                        biospecimens.
            (9) Personal information.--
                    (A) In general.--The term ``personal information'' 
                means any information held by a data broker, regardless 
                of how the information is collected, inferred, created, 
                or obtained, that is linked or reasonably linkable by 
                the data broker to a particular individual or consumer 
                device, including the following information:
                            (i) Financial information, including any 
                        bank account number, credit card number, debit 
                        card number, or insurance policy number.
                            (ii) A name, alias, home or other physical 
                        address, online identifier, Internet Protocol 
                        address, email address, account name, State 
                        identification card number, driver's license 
                        number, passport number, or an identifying 
                        number on a government-issued identification.
                            (iii) Geolocation information.
                            (iv) Biometric information.
                            (v) The contents of, attachments to, or 
                        parties to information, including with respect 
                        to email, text messages, picture messages, 
                        voicemails, audio conversations, or video 
                        conversations.
                            (vi) Web browsing history, including any 
                        search query.
                            (vii) Genetic sequencing information.
                            (viii) A device identifier, online 
                        identifier, persistent identifier, or digital 
                        fingerprinting information.
                            (ix) Any inference drawn from any of the 
                        information described in this paragraph that is 
                        used to create a profile about an individual 
                        that reflects such individual's preferences, 
                        characteristics, psychological trends, 
                        predispositions, behavior, attitudes, 
                        intelligence, abilities, or aptitudes.
                            (x) Any other information determined 
                        appropriate by the Commission.
                    (B) Linked or reasonably linkable.--For purposes of 
                subparagraph (A), information is ``linked or reasonably 
                linkable'' to a particular individual or consumer 
                device if the information can be used on its own or in 
                combination with other information held by or readily 
                accessible to a data broker to identify a particular 
                individual or consumer device.
            (10) Process.--The term ``process'' means to perform or 
        direct the performance of an operation on personal information, 
        including the collection, transmission, use, disclosure, 
        analysis, prediction, or modification of such personal 
        information, whether or not by automated means.
            (11) Uniform resource locator; url.--The term ``uniform 
        resource locator'' or ``URL'' means a short string containing 
        an address that refers to an object on the web.