IN THE SENATE OF THE UNITED STATES
September 14, 2017
Mr. Markey (for himself, Mr. Blumenthal, Mr. Whitehouse, Mr. Franken, and Mr. Sanders) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
To require data brokers to establish procedures to ensure the accuracy of collected personal information, and for other purposes.
This Act may be cited as the Data Broker Accountability and Transparency Act of 2017.
In this Act:
The term Commission means the Federal Trade Commission.
Covered data broker
The term covered data broker includes all data brokers except those data brokers excepted under subparagraph (B).
The Commission may except a data broker if the Commission considers, by rule, a data broker outside the scope of this Act, such as a data broker who processes information collected by or on behalf of and received from or on behalf of a nonaffiliated third party concerning an individual who is a customer or an employee of that third party to enable that third party, directly or through parties acting on its behalf, to provide benefits for its employees or directly transact business with its customers.
The term data broker means a commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell the information or provide third-party access to the information.
The term non-public information means information about an individual that is—
of a private nature;
not available to the general public; and
not obtained from a public record.
Public record information
The term public record information means information about an individual that has been obtained originally from records of a Federal, State, or local government entity that are available for public inspection.
Prohibition on obtaining or solicitation to obtain personal information by false pretenses
A covered data broker may not obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by making a false, fictitious, or fraudulent statement or representation to any person, including by providing any document to any person, that the covered data broker knows or should know—
to be forged, counterfeit, lost, stolen, or fraudulently obtained; or
contains a false, fictitious, or fraudulent statement or representation.
A covered data broker may not request a person to obtain personal information, or any other information, relating to any other person if the covered data broker knows or should know that the person to whom the request is made will obtain or attempt to obtain that information in the manner described in subsection (a).
Requirements concerning accuracy of and access to personal information
Except as provided in paragraph (2), a covered data broker shall establish procedures to ensure, to the maximum extent practicable, the accuracy of—
the personal information it collects, assembles, or maintains; and
any other information it collects, assembles, or maintains that specifically identifies an individual, unless the information only identifies an individual's name or address.
A covered data broker may collect or maintain information that may be inaccurate with respect to a particular individual if that information is being collected or maintained solely for the purpose of—
indicating whether there may be a discrepancy or irregularity in the personal information that is associated with an individual;
helping to identify, or to authenticate the identity of, an individual; or
helping to protect against or investigate fraud or other unlawful conduct.
Subject to paragraph (4), a covered data broker shall provide an individual a means to review any personal information or other information that specifically identifies that individual, that the covered data broker collects, assembles, or maintains on that individual.
The means for review under paragraph (1) shall be provided—
at an individual's request;
after verifying the identity of the individual;
at least 1 time per year;
at no cost to the individual; and
in a format that can be readily understood by a consumer, as determined by the Commission.
Period of review
A covered data broker shall provide an individual the means required under paragraph (1) within such period after receiving a request from such individual as the Commission shall determine, by rule, is appropriate.
The Commission may, by rule, establish such exceptions to paragraph (1) as the Commission considers appropriate, such as for child protection, law enforcement, fraud prevention, or other government purposes.
Limitation on use of verifying information
If a covered data broker collects information from an individual to verify the identity of the individual under paragraph (2)(B) that the data broker did not have before such collection, the data broker may not use such information for any purpose other than for purposes of verifying the identity of the individual under such paragraph.
An individual whose personal information is maintained by a covered data broker may dispute the accuracy of any information described under subsection (b)(1) by requesting, in writing, that the covered data broker correct the information.
A covered data broker, after verifying the identity of an individual making a request under paragraph (1) to correct information, and unless there are reasonable grounds to believe the request is frivolous or irrelevant, shall—
with regard to public record information—
inform the individual of the source of the information and, if reasonably available, where to direct the individual's request for correction; or
if the individual provides proof that the public record has been corrected or that the covered data broker was reporting the information incorrectly, correct the inaccuracy in the covered data broker's records; and
with regard to non-public information—
note the information that is disputed, including the individual's written request;
if the information can be independently verified, use the procedures established under subsection (a) to independently verify the information; and
if the covered data broker was reporting the information incorrectly, correct the inaccuracy in the covered data broker's records.
Period of correction
In a case in which a covered data broker is subject to a requirement under paragraph (2) due to a request made by an individual under paragraph (1), such covered data broker shall take such action as may be required to satisfy such requirement within such period as the Commission shall determine, by rule, is appropriate.
A covered data broker shall maintain an Internet website and place a clear and conspicuous notice on that Internet website instructing an individual how—
to review information under subsection (b)(1); and
to express a preference under subsection (e)(2).
A covered data broker shall ensure that the notice the covered data broker places under paragraph (1) conforms to such model form as the Commission shall promulgate for purposes of this subsection.
Certain marketing information
A covered data broker may not use, share, or sell any information for marketing purposes that is subject to an expressed preference under paragraph (2).
Expression of preferences
A covered data broker that maintains any information described under subsection (a) and that uses, shares, or sells that information for marketing purposes shall provide each individual whose information the covered data broker maintains with a reasonable means of expressing a preference not to have that individual's information used for those purposes.
Subject to paragraph (2), each covered data broker shall establish measures that facilitate the auditing or retracing of any internal or external access to, or transmission of, any data containing personal information collected, assembled, or maintained by the covered data broker.
The Commission may establish, by rule, such exceptions to paragraph (1) as the Commission considers appropriate to further or protect law enforcement or national security activities.
Each covered data broker shall develop and implement a comprehensive consumer privacy and data security program to protect against harm that may be caused by—
loss of personal information collected, assembled, or maintained by the covered data broker; or
unauthorized access, destruction, use, modification, or disclosure of such personal information.
Whenever a covered data broker determines that personal information of an individual that is collected, assembled, or maintained by the covered data broker has been lost or the subject of an unauthorized access, destruction, use, modification, or disclosure, the covered data broker shall notify such individual of such loss, access, destruction, use, modification, or disclosure.
Persons regulated by the Fair Credit Reporting Act
A covered data broker shall be considered to be in compliance with subsections (a) through (f) of this section with respect to information that is subject to the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) if the covered data broker is in compliance with sections 609, 610, and 611 of that Act (15 U.S.C. 1681g, 1681h, 1681i).
Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to carry out this Act.
The regulations promulgated under subsection (a) shall include the following:
Such exceptions the Commission considers appropriate to promulgate under section 2(2)(B).
The period of review required under section 4(b)(3).
Such exceptions as the Commission considers appropriate to promulgate under section 4(b)(4).
The period of correction required under section 4(c)(3).
The model form required by section 4(d)(2).
Requirements for auditing under paragraph (1) of section 4(f) and such exceptions under paragraph (2) of such section as the Commission considers appropriate.
Establishment of a centralized Internet website for the benefit of consumers that—
lists the covered data brokers that are subject to a requirement of section 4; and
provides information to consumers about their rights under this Act.
Such other regulations as the Commission considers appropriate to carry out this Act.
Enforcement by Federal Trade Commission
Unfair or deceptive acts or practices
A violation of section 3 or 4 or a regulation promulgated under this Act shall be treated as a violation of a rule defining an unfair or a deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
Powers of Commission
The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
Privileges and immunities
Any person who violates a regulation prescribed under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
Enforcement by States
Except as provided under paragraph (5), in any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any person subject to a provision of section 3 or 4 or a regulation promulgated under this Act in a practice that violates such provision or regulation, the attorney general of the State may, as parens patriae, bring a civil action on behalf of the residents of the State in an appropriate district court of the United States—
to enjoin further violation of such provision or regulation by such person;
to compel compliance with such provision or regulation;
to obtain damages, restitution, or other compensation on behalf of such residents;
to obtain such other relief as the court considers appropriate; or
to obtain civil penalties in the amount determined under paragraph (2).
For purposes of imposing a civil penalty under paragraph (1)(E), the amount determined under this paragraph is the amount calculated by multiplying the number of separate violations of a rule by an amount not greater than $16,000.
Adjustment for inflation
Beginning on the date that the Consumer Price Index is first published by the Bureau of Labor Statistics that is after 1 year after the date of enactment of this Act, and each year thereafter, the amount specified in subparagraph (A) shall be increased by the percentage increase in the Consumer Price Index published on that date from the Consumer Price Index published the previous year.
Rights of Federal Trade Commission
Notice to Federal Trade Commission
Except as provided in clause (iii), the attorney general of a State shall notify the Commission in writing that the attorney general intends to bring a civil action under paragraph (1) before initiating the civil action.
The notification required by clause (i) with respect to a civil action shall include a copy of the complaint to be filed to initiate the civil action.
If it is not feasible for the attorney general of a State to provide the notification required by clause (i) before initiating a civil action under paragraph (1), the attorney general shall notify the Commission immediately upon instituting the civil action.
Intervention by Federal Trade Commission
The Commission may—
intervene in any civil action brought by the attorney general of a State under paragraph (1); and
be heard on all matters arising in the civil action; and
file petitions for appeal of a decision in the civil action.
Nothing in this subsection may be construed to prevent the attorney general of a State from exercising the powers conferred on the attorney general by the laws of the State to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.
Preemptive action by Federal Trade Commission
If the Commission institutes a civil action or an administrative action with respect to a violation of a provision of section 3 or 4 or a regulation promulgated under this Act, the attorney general of a State may not, during the pendency of such action, bring a civil action under paragraph (1) against any defendant named in the complaint of the Commission for the violation with respect to which the Commission instituted such action.
Actions by other State officials
In addition to civil actions brought by attorneys general under paragraph (1), any other officer of a State who is authorized by the State to do so may bring a civil action under paragraph (1), subject to the same requirements and limitations that apply under this subsection to civil actions brought by attorneys general.
Nothing in this subsection may be construed to prohibit an authorized official of a State from initiating or continuing any proceeding in a court of the State for a violation of any civil or criminal law of the State.
Effect on other laws
Preservation of Commission authority
Nothing in this Act may be construed in any way to limit or affect the Commission's authority under any other provision of law.
Preservation of other Federal law
Nothing in this Act may be construed in any way to supersede, restrict, or limit the application of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) or any other Federal law.