II
113th CONGRESS
2d Session
S. 2025
IN THE SENATE OF THE UNITED STATES
February 12, 2014
Mr. Rockefeller (for himself and Mr. Markey) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
A BILL
To require data brokers to establish procedures to ensure the accuracy of collected personal information, and for other purposes.
Short title
This Act may be cited as the
Data Broker Accountability and Transparency Act
.
Definitions
In this Act:
Commission
The term Commission means the Federal Trade Commission.
Data broker
The term data broker means a commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell the information or provide third party access to the information.
Non-public information
The term non-public information means information about an individual that is of a private nature, not available to the general public, and not obtained from a public record.
Public record information
The term public record information means information about an individual that has been obtained originally from records of a Federal, State, or local government entity that are available for public inspection.
Prohibition on obtaining or solicitation to obtain personal information by false pretenses
In general
It shall be unlawful for a data broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by making a false, fictitious, or fraudulent statement or representation to any person, including by providing any document to any person, that the data broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or contains a false, fictitious, or fraudulent statement or representation.
Solicitation
It shall be unlawful for a data broker to request a person to obtain personal information, or any other information, relating to any other person if the data broker knows or should know that the person to whom the request is made will obtain or attempt to obtain that information in the manner described in subsection (a).
Personal information
Accuracy
A data broker shall establish reasonable procedures to ensure the maximum possible accuracy of the personal information it collects, assembles, or maintains, and any other information it collects, assembles, or maintains that specifically identifies an individual, unless the information only identifies an individual's name or address.
Exception; fraud databases
Notwithstanding subsection (a), a data broker may collect or maintain information that may be inaccurate with respect to a particular individual if that information is being collected or maintained solely for the purpose of—
indicating whether there may be a discrepancy or irregularity in the personal information that is associated with an individual;
helping to identify, or to authenticate the identity of, an individual; or
helping to protect against or investigate fraud or other unlawful conduct.
Consumer access
A data broker shall provide an individual a means to review any personal information or other information that specifically identifies that individual, that the data broker collects, assembles, or maintains on that individual, unless an exception applies under section 5.
Review requirements
The means for review under subsection (c) shall be provided—
at an individual's request;
after verifying the identity of the individual;
at least 1 time per year; and
at no cost to the individual.
Notice
A data broker shall maintain an Internet Web site and place a clear and conspicuous notice on that Internet Web site instructing an individual—
how to review the information described under subsection (c); and
how to express a preference with respect to the use of personal information for marketing purposes under subsection (g).
Disputed information
An individual whose personal information is maintained by a data broker may dispute the accuracy of any information described under subsection (c) by requesting, in writing, that the data broker correct the information. A data broker, after verifying the identity of the individual making the request, and unless there are reasonable grounds to believe the request is frivolous or irrelevant, shall—
with regard to public record information—
inform the individual of the source of the information and, if reasonably available, where to direct the individual's request for correction; or
if the individual provides proof that the public record has been corrected or that the data broker was reporting the information incorrectly, correct the inaccuracy in the data broker's records; and
with regard to non-public information—
note the information that is disputed, including the individual's written request;
if the information can be independently verified, use the reasonable procedures established under subsection (a) to independently verify the information; and
if the data broker was reporting the information incorrectly, correct the inaccuracy in the data broker's records.
Certain marketing information
A data broker that maintains any information described under subsection (a) and that uses, shares, or sells that information for marketing purposes shall provide each individual whose information it maintains with a reasonable means of expressing a preference not to have that individual's information used for those purposes. If an individual expresses such a preference, the data broker may not use, share, or sell that individual's information for marketing purposes.
Persons regulated by the Fair Credit Reporting Act
A data broker shall be deemed in compliance with this section with respect to information that is subject to the Fair Credit Reporting Act ( 15 U.S.C. 1681 et seq.) if the data broker is in compliance with sections 609, 610, and 611 of that Act ( 15 U.S.C. 1681g , 1681h, 1681i).
Regulations
Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to implement and enforce the requirements of this Act, including—
a requirement that a data broker establish measures that facilitate the auditing or retracing of any internal or external access to, or transmission of, any data containing personal information collected, assembled, or maintained by the data broker;
the establishment of a centralized Internet Web site for the benefit of consumers that lists the data brokers subject to section 4 and provides additional information to consumers about their rights under this Act;
if the Commission considers a data broker outside the scope of the purposes of this Act, the exclusion of that data broker from the applicability of this Act, such as, if the Commission considers it appropriate for exclusion, a data broker who processes information collected by or on behalf of and received from or on behalf of a nonaffiliated third party concerning an individual who is a customer or an employee of that third party to enable that third party, directly or through parties acting on its behalf, to provide benefits for its employees or directly transact business with its customers;
any exceptions, that the Commission considers necessary, to the auditing and retracing requirements under paragraph (1) to further or protect law enforcement or national security activities; and
any exceptions, that the Commission considers necessary, to an individual's right to review the information described under section 4(c), such as for child protection, law enforcement, fraud prevention, or other legitimate government purposes.
Enforcement
In general
A violation of a regulation prescribed under this Act shall be treated as a violation of a rule defining an unfair or a deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act ( 15 U.S.C. 57a(a)(1)(B) ).
Powers of Commission
The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act ( 15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any data broker who violates a regulation prescribed under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act ( 15 U.S.C. 41 et seq.).
Enforcement by State attorneys general
Civil action
Except as provided under paragraph (3)(B), in any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by a data broker who violates a regulation prescribed under this Act, the attorney general, official, or agency of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction—
to enjoin further violation of this Act by the defendant;
to compel compliance with this Act;
to obtain damages, restitution, or other compensation on behalf of such residents, or to obtain such further and other relief as the court may deem appropriate; or
to obtain civil penalties in the amount determined under paragraph (2).
Civil penalties
Calculation
For purposes of imposing a civil penalty under paragraph (1)(D), the amount determined under this paragraph is the amount calculated by multiplying the number of separate violations of a rule by an amount not greater than $16,000.
Adjustment for inflation
Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after 1 year after the date of enactment of this Act, and each year thereafter, the amount specified in subparagraph (A) shall be increased by the percentage increase in the Consumer Price Index published on that date from the Consumer Price Index published the previous year.
Intervention by the Commission
Notice
A State shall provide prior written notice of any civil action under paragraph (1) to the Commission and provide the Commission with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action.
Intervention by the Commission
The Commission shall have the right—
to intervene in the civil action under paragraph (1);
upon so intervening, to be heard on all matters arising in that civil action; and
to file petitions for appeal of a decision in that civil action.
Limitation on State action while Federal action is pending
If the Commission has instituted a civil action for violation of this Act, no State attorney general, or official or agency of a State, may bring an action under this subsection during the pendency of that action against any defendant named in the complaint of the Commission for any violation of this Act alleged in the complaint.
Construction
For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State—
to conduct investigations;
to administer oaths or affirmations; or
to compel the attendance of witnesses or the production of documentary and other evidence.
Effect on other laws
Preservation of Commission authority
Nothing in this Act may be construed in any way to limit or affect the Commission's authority under any other provision of law.
Preservation of other Federal law
Nothing in this Act may be construed in any way to supersede, restrict, or limit the application of the Fair Credit Reporting Act ( 15 U.S.C. 1681 et seq.) or any other Federal law.
