[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 2121 Introduced in Senate (IS)]

118th CONGRESS
  1st Session
                                S. 2121

 To establish a centralized system to allow individuals to request the 
  simultaneous deletion of their personal information across all data 
                    brokers, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 22, 2023

Mr. Cassidy (for himself and Mr. Ossoff) introduced the following bill; 
    which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
 To establish a centralized system to allow individuals to request the 
  simultaneous deletion of their personal information across all data 
                    brokers, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Data Elimination and Limiting 
Extensive Tracking and Exchange Act'' or the ``DELETE Act''.

SEC. 2. DATA DELETION REQUIREMENTS.

    (a) Data Broker Annual Registration.--
            (1) In general.--
                    (A) Regulations.--Not later than 1 year after the 
                date of enactment of this section, the Commission shall 
                promulgate regulations to require any data broker to--
                            (i) not later than 18 months after the date 
                        of enactment of this section, and annually 
                        thereafter, register with the Commission; and
                            (ii) subject to subparagraph (B), provide 
                        the following information with such 
                        registration:
                                    (I) The name and primary physical, 
                                email, and uniform resource locator 
                                (URL) addresses of the data broker.
                                    (II) If the data broker permits an 
                                individual to opt out of the data 
                                broker's collection or use of personal 
                                information, certain sales of such 
                                information, or its databases--
                                            (aa) the method for 
                                        requesting an opt-out;
                                            (bb) any limitations on the 
                                        type of data collection, uses, 
                                        or sales for which an 
                                        individual may opt-out; and
                                            (cc) whether the data 
                                        broker permits an individual to 
                                        authorize a third party to 
                                        perform the opt-out on the 
                                        individual's behalf.
                                    (III) A response to a standardized 
                                form (as issued by the Commission) 
                                specifying the types of information the 
                                data broker collects or obtains and the 
                                sources from which the data broker 
                                obtains data.
                                    (IV) A statement as to whether the 
                                data broker implements a credentialing 
                                process and, if so, a description of 
                                that process.
                                    (V) Any additional information or 
                                explanation the data broker chooses to 
                                provide concerning its data collection 
                                practices.
                                    (VI) Any other information 
                                determined appropriate by the 
                                Commission.
                    (B) Construction.--Nothing in this paragraph shall 
                be construed as requiring a data broker to disclose any 
                information that is a trade secret or confidential 
                information described in section 552(b)(4) of title 5, 
                United States Code.
            (2) Public availability.--
                    (A) In general.--The Commission shall make the 
                information described in paragraph (1)(A) publicly 
                available in a downloadable and machine-readable 
                format, except in the event that the Commission--
                            (i) determines that the risk of making such 
                        information available is not in the interest of 
                        public safety or welfare; and
                            (ii) provides a justification for such 
                        determination.
                    (B) Disclaimer.--The Commission shall include on 
                the website of the Commission a disclaimer that--
                            (i) the Commission cannot confirm the 
                        accuracy of the responses provided by the data 
                        brokers in the registration described in 
                        paragraph (1)(A); and
                            (ii) individuals may contact such data 
                        brokers at their own risk.
    (b) Centralized Data Deletion System.--
            (1) Establishment.--
                    (A) In general.--Not later than 1 year after the 
                date of enactment of this section, the Commission shall 
                promulgate regulations to establish a centralized 
                system that--
                            (i) implements and maintains reasonable 
                        security procedures and practices (including 
                        administrative, physical, and technical 
                        safeguards) appropriate to the nature of the 
                        information and the purposes for which the 
                        personal information will be used, to protect 
                        individuals' personal information from 
                        unauthorized use, disclosure, access, 
                        destruction, or modification;
                            (ii) allows an individual, through a single 
                        submission, to request that every data broker 
                        who is registered under subsection (a) and who 
                        maintains any persistent identifiers (as 
                        described in subparagraph (B)(iii))--
                                    (I) delete any personal information 
                                related to such individual held by such 
                                data broker or affiliated legal entity 
                                of the data broker; and
                                    (II) unless otherwise specified by 
                                the individual, discontinue any present 
                                or future collection of personal 
                                information related to such individual; 
                                and
                            (iii) allows a registered data broker, 
                        prior to the collection of any personal 
                        information that is tied to a persistent 
                        identifier for which a registry exists, to 
                        submit a query to the centralized system to 
                        confirm that the persistent identifier is not 
                        subject to a deletion request described in 
                        clause (ii).
                    (B) Requirements.--The centralized system 
                established in subparagraph (A) shall meet the 
                following requirements:
                            (i) The centralized system shall allow an 
                        individual to request the deletion of all 
                        personal information related to such individual 
                        and the discontinuation of any collection of 
                        such personal information related to such 
                        individual through a single deletion request.
                            (ii) The centralized system shall provide a 
                        standardized form to allow an individual to 
                        make such request.
                            (iii) Such standardized form shall include 
                        the individual's email, phone number, physical 
                        address, and any other persistent identifier 
                        determined by the Commission to aid in the 
                        deletion request.
                            (iv) The centralized system shall 
                        automatically salt and hash all submitted 
                        information and allow the Commission to 
                        maintain independent hashed registries of each 
                        type of information obtained through such form.
                            (v) The centralized system shall only 
                        permit data brokers who are registered with the 
                        Commission to submit hashed queries to the 
                        independent hashed registries described in 
                        clause (iv).
                            (vi) With respect to the independent hashed 
                        registries described in clause (iv), the salt 
                        shall be different for each such registry and 
                        shall be made available to all registered data 
                        brokers for the purposes of submitting hashed 
                        queries, as described in clause (v).
                            (vii) The centralized system shall allow an 
                        individual to make such request using an 
                        internet website operated by the Commission.
                            (viii) The centralized system shall not 
                        charge the individual to make such request.
                    (C) Transition.--
                            (i) In general.--Not later than 8 months 
                        after the effective date of the regulations 
                        promulgated under subparagraph (A), each data 
                        broker shall--
                                    (I) not less than once every 31 
                                days, access the hashed registries 
                                maintained by the Commission as 
                                described in subparagraph (B)(iv); and
                                    (II) process any deletion request 
                                associated with a match between such 
                                hashed registries and the records of 
                                the data broker.
                            (ii) FTC guidance.--Not later than 6 months 
                        after the effective date of the regulations 
                        promulgated under subparagraph (A), the 
                        Commission shall publish guidance on the 
                        process and standards to which a data broker 
                        must adhere in carrying out clause (i).
            (2) Deletion.--
                    (A) Information deletion.--
                            (i) In general.--Subject to clause (ii), 
                        not later than 31 days after accessing the 
                        hashed registries described in paragraph 
                        (1)(B)(iv), a data broker and any associated 
                        legal entity shall delete all personal 
                        information in its possession related to the 
                        individual making the request and discontinue 
                        the collection of personal information related 
                        to such individual. Immediately following the 
                        deletion, the data broker shall send an 
                        affirmative representation to the Commission 
                        with the number of records deleted pursuant to 
                        each match with a value in the hashed 
                        registries.
                            (ii) Exclusions.--In carrying out clause 
                        (i), a data broker may retain, where required, 
                        the following information:
                                    (I) Any personal information that 
                                is processed or maintained solely as 
                                part of human subjects research 
                                conducted in compliance with any legal 
                                requirements for the protection of 
                                human subjects.
                                    (II) Any personal information 
                                necessary to comply with a warrant, 
                                subpoena, court order, rule, or other 
                                applicable law.
                                    (III) Any information necessary for 
                                an activity described in subsection 
                                (f)(3)(B), provided that the retained 
                                information is used solely for any such 
                                activity.
                            (iii) Use of information.--Any personal 
                        information excluded under clause (ii) may only 
                        be used for the purpose described in the 
                        applicable subclause of clause (ii), and may 
                        not be used for any other purpose, including 
                        marketing purposes.
                    (B) Annual report.--Each data broker registered 
                under subsection (a) shall submit to the Commission, on 
                an annual basis, a report on the completion rate with 
                respect to the completion of deletion requests under 
                subparagraph (A).
                    (C) Audit.--
                            (i) In general.--Not later than 3 years 
                        after the date of enactment of this section, 
                        and every 3 years thereafter, each data broker 
                        registered under subsection (a) shall undergo 
                        an independent third party audit to determine 
                        compliance with this subsection.
                            (ii) Audit report.--Not later than 6 months 
                        after the completion of any audit under clause 
                        (i), each such data broker shall submit to the 
                        Commission any report produced as a result of 
                        the audit, along with any related materials.
                            (iii) Maintain records.--Each such data 
                        broker shall maintain the materials described 
                        in clause (ii) for a period of not less than 6 
                        years.
            (3) Annual fee.--
                    (A) In general.--Subject to subparagraph (B), each 
                data broker registered under subsection (a) and who 
                maintains any persistent identifiers (as described in 
                paragraph (1)(B)(iii)) shall pay to the Commission, on 
                an annual basis, a subscription fee determined by the 
                Commission to access the database.
                    (B) Limit.--The amount of the subscription fee 
                under subparagraph (A) may not exceed 1 percent of the 
                expected annual cost of operating the centralized 
                system and hashed registries described in paragraph 
                (1), as determined by the Commission.
                    (C) Availability.--Any amounts collected by the 
                Commission pursuant to this paragraph shall be 
                available without further appropriation to the 
                Commission for the exclusive purpose of enforcing and 
                administering this Act, including the implementation 
                and maintenance of such centralized system and hashed 
                registries and the promotion of public awareness of the 
                centralized system.
    (c) Enforcement by the Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        subsection (a) or (b) or a regulation promulgated under this 
        Act shall be treated as a violation of a rule defining an 
        unfair or deceptive act or practice under section 18(a)(1)(B) 
        of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
            (2) Powers of the commission.--
                    (A) In general.--The Commission shall enforce this 
                section in the same manner, by the same means, and with 
                the same jurisdiction, powers, and duties as though all 
                applicable terms and provisions of the Federal Trade 
                Commission Act (15 U.S.C. 41 et seq.) were incorporated 
                into and made a part of this Act.
                    (B) Privileges and immunities.--Any person who 
                violates subsection (a) or (b) or a regulation 
                promulgated under this Act shall be subject to the 
                penalties and entitled to the privileges and immunities 
                provided in the Federal Trade Commission Act (15 U.S.C. 
                41 et seq.).
                    (C) Authority preserved.--Nothing in this section 
                shall be construed to limit the authority of the 
                Commission under any other provision of law.
                    (D) Rulemaking.--The Commission shall promulgate in 
                accordance with section 553 of title 5, United States 
                Code, such rules as may be necessary to carry out this 
                section.
    (d) Study and Report.--
            (1) Study.--The Commission shall conduct a study on the 
        implementation and enforcement of this section. Such study 
        shall include--
                    (A) an analysis of the effectiveness of the 
                centralized system established in subsection (b)(1)(A);
                    (B) the number of deletion requests submitted 
                annually using such centralized system;
                    (C) an analysis of the progress of coordinating the 
                operation and enforcement of such requests with similar 
                systems established and maintained by the various 
                States; and
                    (D) any other area determined appropriate by the 
                Commission.
            (2) Report.--Not later than 3 years after the date of 
        enactment of this section, and annually thereafter for each of 
        the next 4 years, the Commission shall submit to the Committee 
        on Commerce, Science, and Transportation of the Senate and the 
        Committee on Energy and Commerce of the House of 
        Representatives a report containing--
                    (A) the results of the study conducted under 
                paragraph (1);
                    (B) a summary of any enforcement actions taken 
                pursuant to this Act; and
                    (C) recommendations for such legislation and 
                administrative action as the Commission determines 
                appropriate.
    (e) Preemption.--
            (1) In general.--The provisions of this Act shall preempt 
        any State privacy law only to the extent that such State law is 
        inconsistent with the provisions of this Act.
            (2) Greater protection under state law.--For purposes of 
        paragraph (1), a State privacy law is not inconsistent with the 
        provisions of this Act if the protection such law affords any 
        person is greater than the protection provided under this Act, 
        as determined by the Commission.
    (f) Definitions.--In this section:
            (1) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (2) Credentialing process.--The term ``credentialing 
        process'' means the practice of taking reasonable steps to 
        confirm--
                    (A) the identity of the entity with whom the data 
                broker has a direct relationship;
                    (B) that any data disclosed to the entity by such 
                data broker will be used for the described purpose of 
                such disclosure; and
                    (C) that such data will not be used for unlawful 
                purposes.
            (3) Data broker.--
                    (A) In general.--The term ``data broker'' means an 
                entity that knowingly collects or obtains the personal 
                information of an individual with whom the entity does 
                not have a direct relationship and then--
                            (i) uses the personal information to 
                        perform a service for a third party; or
                            (ii) sells, licenses, trades, provides for 
                        consideration, or is otherwise compensated for 
                        disclosing personal information to a third 
                        party.
                    (B) Exclusion.--The term ``data broker'' does not 
                include an entity who solely uses, sells, licenses, 
                trades, provides for consideration, or is otherwise 
                compensated for disclosing personal information for one 
                or more of the following activities:
                            (i) Providing 411 directory assistance or 
                        directory information services, including name, 
                        address, and telephone number, on behalf of or 
                        as a function of a telecommunications carrier.
                            (ii) Providing an individual's publicly 
                        available information if the information is 
                        being used by the recipient as it relates to 
                        that individual's business or profession.
                            (iii) Providing personal information to a 
                        third party at the express direction of the 
                        individual for a clearly disclosed single-use 
                        purpose.
                            (iv) Providing or using personal 
                        information for assessing, verifying, or 
                        authenticating an individual's identity, or for 
                        investigating or preventing actual or potential 
                        fraud.
                            (v) Gathering, preparing, collecting, 
                        photographing, recording, writing, editing, 
                        reporting, or publishing news or information 
                        that concerns local, national, or international 
                        events or other matters of public interest (as 
                        determined by the Commission) for dissemination 
                        to the public.
                            (vi) Acting as a consumer reporting agency 
                        (as defined in section 603(f) of the Fair 
                        Credit Reporting Act (15 U.S.C. 1681a(f))).
                    (C) Exclusion from sale.--
                            (i) In general.--For purposes of this 
                        paragraph, the term ``sells'' does not include 
                        a one-time or occasional sale of assets of an 
                        entity as part of a transfer of control of 
                        those assets that is not part of the ordinary 
                        conduct of the entity.
                            (ii) Notice required.--To meet the 
                        exclusion criteria described in clause (i), an 
                        entity must provide notice to the Commission, 
                        in the manner determined appropriate by the 
                        Commission, of any such one-time or occasional 
                        sale of assets.
            (4) Delete.--The term ``delete'' means to remove or destroy 
        information such that the information is not maintained in 
        human- or machine-readable form and cannot be retrieved or 
        utilized in such form in the normal course of business.
            (5) Direct relationship.--
                    (A) In general.--The term ``direct relationship'' 
                means a relationship between an individual and an 
                entity where the individual--
                            (i) is a current customer;
                            (ii) has obtained a good or service from 
                        the entity within the prior 18 months; or
                            (iii) has made an inquiry about the 
                        products or services of the entity within the 
                        prior 90 days.
                    (B) Exclusion.--The term ``direct relationship'' 
                does not include a relationship--
                            (i) between an individual and a data broker 
                        where the individual's only connection to the 
                        data broker is based on the individual's 
                        request--
                                    (I) for the data broker to delete 
                                the personal information of the 
                                individual; or
                                    (II) to opt-out of the data 
                                broker's collection or use of personal 
                                information, certain sales of such 
                                information, or its databases; or
                            (ii) required under any State or Federal 
                        law related to the use of personal information.
            (6) Hash.--The term ``hash'' means to input data to a 
        cryptographic, one-way, collision resistant function that maps 
        a bit string of arbitrary length to a fixed-length bit string 
        to produce a cryptographically secure value.
            (7) Hashed.--The term ``hashed'' means the type of value 
        produced by hashing data.
            (8) Human subjects research.--The term ``human subjects 
        research'' means research that--
                    (A) an investigator (whether professional or 
                student) conducts on a living individual; and
                    (B) either--
                            (i) obtains information or biospecimens 
                        through intervention or interaction with the 
                        individual, and uses, studies, or analyzes the 
                        information or biospecimens; or
                            (ii) obtains, uses, studies, analyzes, or 
                        generates personal information or identifiable 
                        biospecimens.
            (9) Personal information.--
                    (A) In general.--The term ``personal information'' 
                means any information held by a data broker, regardless 
                of how the information is collected, inferred, created, 
                or obtained, that is linked or reasonably linkable by 
                the data broker to a particular individual or consumer 
                device, including the following information:
                            (i) Financial information, including any 
                        bank account number, credit card number, debit 
                        card number, or insurance policy number.
                            (ii) A name, alias, home or other physical 
                        address, online identifier, Internet Protocol 
                        address, email address, phone number, account 
                        name, State identification card number, 
                        driver's license number, passport number, or an 
                        identifying number on a government-issued 
                        identification.
                            (iii) Geolocation information.
                            (iv) Biometric information.
                            (v) The contents of, attachments to, or 
                        parties to information, including with respect 
                        to email, text messages, picture messages, 
                        voicemails, audio conversations, or video 
                        conversations.
                            (vi) Web browsing history, including any 
                        search query.
                            (vii) Genetic sequencing information.
                            (viii) A device identifier, online 
                        identifier, persistent identifier, or digital 
                        fingerprinting information.
                            (ix) Any inference drawn from any of the 
                        information described in this paragraph that is 
                        used to create a profile about an individual 
                        that reflects such individual's preferences, 
                        characteristics, psychological trends, 
                        predispositions, behavior, attitudes, 
                        intelligence, abilities, or aptitudes.
                            (x) Any other information determined 
                        appropriate by the Commission.
                    (B) Linked or reasonably linkable.--For purposes of 
                subparagraph (A), information is ``linked or reasonably 
                linkable'' to a particular individual or consumer 
                device if the information can be used on its own or in 
                combination with other information held by or readily 
                accessible to a data broker to identify a particular 
                individual or consumer device.
            (10) Process.--The term ``process'' means to perform or 
        direct the performance of an operation on personal information, 
        including the collection, transmission, use, disclosure, 
        analysis, prediction, or modification of such personal 
        information, whether or not by automated means.
            (11) Salt.--The term ``salt'' means to add a random string 
        of data to the input of a hash function.
            (12) Uniform resource locator; url.--The term ``uniform 
        resource locator'' or ``URL'' means a short string containing 
        an address that refers to an object on the web.
                                 <all>
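
Added example, not part of the bill text: a Python sketch of the salted-hash registry flow set out in SEC. 2(b)(1)(A)(iii), (b)(1)(B)(iii)-(vi), (b)(1)(C)(i) and (b)(2)(A)(i), showing a single deletion submission, per-registry salts, registered-broker-only hashed queries, and the per-match deletion count. The bill names no hash function, salt length or normalization rules, so SHA-256, 16-byte salts, the canonicalization shown, and every class, function and sample value here are assumptions constructed for illustration.

```python
import hashlib
import re
import secrets

# One independent registry per identifier type named in (b)(1)(B)(iii).
REGISTRY_TYPES = ("email", "phone", "address")


def normalize(kind, value):
    """Canonicalize so both sides hash identical bytes (rules are assumptions)."""
    value = value.strip()
    if kind == "email":
        return value.lower()
    if kind == "phone":
        digits = re.sub(r"\D", "", value)
        # Assumed US numbering: drop a leading country code "1".
        return digits[1:] if len(digits) == 11 and digits[0] == "1" else digits
    if kind == "address":
        return re.sub(r"\s+", " ", value).upper()
    raise ValueError(f"unknown registry type: {kind}")


def salted_hash(salt, kind, value):
    """Hash salt || normalized value; SHA-256 is an assumed choice."""
    return hashlib.sha256(salt + normalize(kind, value).encode("utf-8")).hexdigest()


class CentralizedSystem:
    """Hypothetical model of the Commission-side system."""

    def __init__(self):
        # (B)(vi): the salt is different for each registry.
        self.salts = {k: secrets.token_bytes(16) for k in REGISTRY_TYPES}
        # (B)(iv): independent hashed registries; no plaintext is kept.
        self.registries = {k: set() for k in REGISTRY_TYPES}
        self.registered_brokers = set()

    def register_broker(self, broker_id):
        self.registered_brokers.add(broker_id)

    def submit_deletion_request(self, form):
        """(B)(i)-(iv): one submission, every field salted and hashed on receipt."""
        for kind, value in form.items():
            self.registries[kind].add(salted_hash(self.salts[kind], kind, value))

    def _require_registered(self, broker_id):
        if broker_id not in self.registered_brokers:
            raise PermissionError("only registered data brokers may query")

    def get_salts(self, broker_id):
        """(B)(vi): salts are made available to registered brokers."""
        self._require_registered(broker_id)
        return dict(self.salts)

    def query(self, broker_id, kind, hashed_value):
        """(B)(v) and (A)(iii): hashed query, also usable before collection."""
        self._require_registered(broker_id)
        return hashed_value in self.registries[kind]


def process_deletions(system, broker_id, records):
    """Broker side of (C)(i) and (2)(A)(i): match, delete, count per matched hash."""
    salts = system.get_salts(broker_id)
    kept, deleted_per_match = [], {}
    for rec in records:
        hits = []
        for kind in REGISTRY_TYPES:
            if rec.get(kind):
                h = salted_hash(salts[kind], kind, rec[kind])
                if system.query(broker_id, kind, h):
                    hits.append(h)
        if hits:
            # The record is dropped; tally it against each matching registry value.
            for h in hits:
                deleted_per_match[h] = deleted_per_match.get(h, 0) + 1
        else:
            kept.append(rec)
    return kept, deleted_per_match


def demo():
    """Run the flow on constructed sample data."""
    system = CentralizedSystem()
    system.register_broker("broker-A")
    system.submit_deletion_request({
        "email": " Jane.Doe@Example.com ",
        "phone": "+1 (555) 010-0199",
        "address": "12  Elm St, Springfield",
    })
    records = [
        {"id": 1, "email": "jane.doe@example.com", "phone": "555-010-0142"},
        {"id": 2, "phone": "5550100199"},
        {"id": 3, "email": "sam@example.org"},
    ]
    kept, deleted = process_deletions(system, "broker-A", records)
    return system, kept, deleted


if __name__ == "__main__":
    _, kept, deleted = demo()
    print("kept ids:", [r["id"] for r in kept])
    print("records deleted per matched hash:", deleted)
```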