skip to main content

S. 1951: Designing Accounting Safeguards To Help Broaden Oversight and Regulations on Data

The text of the bill below is as of Jun 25, 2019 (Introduced).


II

116th CONGRESS

1st Session

S. 1951

IN THE SENATE OF THE UNITED STATES

June 25, 2019

(for himself and Mr. Hawley) introduced the following bill; which was read twice and referred to the Committee on Banking, Housing, and Urban Affairs

A BILL

To require the Securities and Exchange Commission to promulgate regulations relating to the disclosure of certain commercial data, and for other purposes.

1.

Short title

This Act may be cited as the Designing Accounting Safeguards To Help Broaden Oversight and Regulations on Data.

2.

Definitions

In this Act:

(1)

Commercial data operator

The term commercial data operator means an entity acting in its capacity as a consumer online services provider or data broker that—

(A)

generates a material amount of revenue from the use, collection, processing, sale, or sharing of the user data; and

(B)

has more than 100,000,000 unique monthly visitors or users in the United States for a majority of months during the previous 1-year period.

(2)

Commission

The term Commission means the Securities and Exchange Commission.

(3)

Issuer

The term issuer has the meaning given the term in section 3(a) of the Securities and Exchange Act of 1934 (15 U.S.C. 78c(a)).

(4)

User

The term user means an individual consumer who uses an online service designed for consumer use by a commercial data operator.

(5)

User data

The term user data means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with an individual user, whether directly submitted to the commercial data operator by the user or derived from the observed activity of the user by the commercial data operator.

3.

Commercial data operators

(a)

Requirements

(1)

In general

A commercial data operator shall—

(A)

on a routine basis, and not less frequently than once every 90 days—

(i)

provide each user of the commercial data operator with an assessment of the economic value that the commercial data operator places on the data of that user; and

(ii)

in a clear and conspicuous manner, in accordance with paragraph (3), identify to each user of the commercial data operator—

(I)

the types of data collected from users of the commercial data operator, whether by the commercial data operator or another person pursuant to an agreement with the commercial data operator; and

(II)

the ways that the data of a user of the commercial data operator is used if the use is not directly or exclusively related to the online service that the commercial data operator provides to the user; and

(B)

except as provided in paragraph (2), provide a user of the commercial data operator with the ability to delete all data, in the aggregate and for an individual field, that the commercial data operator possesses, or maintains control or access to with respect to the user, through—

(i)

a single setting; or

(ii)

another clear and conspicuous mechanism by which the user may make such a deletion.

(2)

Deletion exceptions

(A)

In general

A commercial data operator shall comply with a user directive to delete, in whole or in part, the data of the user except—

(i)

in cases where there is a legal obligation of the commercial data operator to maintain the data;

(ii)

for the establishment, exercise, or defense of legal claims; or

(iii)

if the data is necessary to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or assist in the prosecution of those responsible for such activity.

(B)

Retention

A commercial data operator may not retain any more user data than is necessary to carry out an activity described in clauses (i) through (iii) of subparagraph (A).

(3)

Availability

A commercial data operator shall ensure that all disclosures required under subsection (a) are available to a user of the commercial data operator—

(A)

on and after the date on which the commercial data operator makes the identification; and

(B)

through any normal mechanism by which a user may interact with the online service provided by the commercial data operator.

(4)

Unfair and deceptive acts or practices

(A)

Unfair or deceptive acts or practices

A violation of this subsection shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(B)

Powers of Federal Trade Commission

(i)

In general

The Federal Trade Commission shall enforce this subsection in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this subsection.

(ii)

Privileges and immunities

Any person who violates this subsection shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

(b)

Regulations

Not later than 1 year after the date of enactment of this Act, the Federal Trade Commission shall promulgate regulations carrying out subsection (a).

4.

SEC disclosures

(a)

In general

Section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) is amended by adding at the end the following:

(s)

Disclosure relating to aggregate value of user data held by commercial data operators

(1)

Definitions

In this subsection:

(A)

Commercial data operator

The term commercial data operator means an entity acting in its capacity as a consumer online services provider or data broker that—

(i)

generates a material amount of revenue directly from the use, collection, processing, sale, or sharing of the user data; and

(ii)

has more than 100,000,000 unique monthly visitors or users in the United States for a majority of months during the previous 1-year period;

(B)

User

The term user means an individual consumer who uses an online service designed for consumer use by a commercial data operator.

(C)

User data

The term user data means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with an individual user, whether directly submitted to the commercial data operator by the user or derived from the observed activity of the user by the commercial data operator.

(2)

Disclosure

Each issuer that is, or is a consolidated subsidiary of, a commercial data operator and is required to file an annual or quarterly report under subsection (a) shall disclose in that report the aggregate value, if material, of—

(A)

user data that the commercial data operator holds;

(B)

contracts with third parties for the collection of user data through the online service provided by the commercial data operator; and

(C)

any other item that the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.

(3)

Valuation methodology

(A)

In general

The Commission, in consultation with appropriate standards settings organizations, shall develop a method or methods for calculating the value of user data required to be disclosed under paragraph (2).

(B)

Considerations

In developing the method under subparagraph (A), the Commission shall promote comparability in calculating the value of data across commercial data operators that utilize user data in a similar manner while taking into account the potential need to develop distinct methods for calculating the value of data for different uses, sectors, and business models.

.

(b)

Qualitative disclosure

Not later than 1 year after the date of enactment of this subsection, the Commission shall amend section 229.306 of title 17, Code of Federal Regulations, to require a commercial data operator that is an issuer subject to section 13 or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)) to provide quantitative and qualitative disclosures about the value of user data held, including—

(1)

technical and legal measures in place to protect user data held by the commercial data operator;

(2)

an assessment of financial and legal risks associated with storing the type and quantity of user data held by the commercial data operator;

(3)

each source of user data held by the commercial data operator, whether by sale, a direct consumer relationship, an indirect consumer relationship, or other means;

(4)

each discrete revenue generating operation of the commercial data operator and any subsidiary or affiliate that relies on user data;

(5)

the entry into any contract valued at more than $10,000,000 with a third party for the collection, licensing, or sharing by the third party pursuant to an agreement with the commercial data operator;

(6)

the amount of revenue derived from obtaining, collecting, processing, selling, using or sharing user data during the reporting period;

(7)

how changes in the measurement of aggregate fair value of user data affect the reported performance and cash flows of the issuer; and

(8)

any acquisition of user data in the preceding reporting period valued at more than $100,000,000.

(c)

Report

(1)

In general

Not later than 3 years after the date of enactment of this Act, the Commission shall submit to the Committee on Banking, Housing, and Urban Affairs of the Senate and the Committee on Financial Services of the House of Representatives a report on—

(A)

the nature, timing, and extent of the disclosure practices of commercial data operators;

(B)

an assessment of the valuation methodologies and practices employed by commercial data operators in developing and submitting disclosures to the public;

(C)

an evaluation of the methods of delivery and presentation of the disclosures required by this Act, and the amendments made by this Act; and

(D)

recommendations for the improvement of the methods described in paragraph (3), including developing standards to enhance comparability and utility for investors.

(2)

Rulemaking

Not later than 180 days after the date on which the report required under paragraph (1) is submitted, the Commission shall promulgate a proposed regulation implementing the recommendations described in paragraph (1)(D).