[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 196 Reported in Senate (RS)]
<DOC>
Calendar No. 144
119th CONGRESS
1st Session
S. 196
[Report No. 119-57]
To improve online ticket sales and protect consumers, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
January 22, 2025
Mrs. Blackburn (for herself and Mr. Lujan) introduced the following
bill; which was read twice and referred to the Committee on Commerce,
Science, and Transportation
September 2, 2025
Reported by Mr. Cruz, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To improve online ticket sales and protect consumers, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Mitigating Automated
Internet Networks for Event Ticketing Act'' or the ``MAIN Event
Ticketing Act''.</DELETED>
<DELETED>SEC. 2. STRENGTHENING THE BOTS ACT.</DELETED>
<DELETED> (a) In General.--Section 2 of the Better Online Ticket
Sales Act of 2016 (15 U.S.C. 45c) is amended--</DELETED>
<DELETED> (1) in subsection (a)(1)--</DELETED>
<DELETED> (A) in subparagraph (A), by striking ``;
or'' and inserting a semicolon;</DELETED>
<DELETED> (B) in subparagraph (B), by striking the
period at the end and inserting ``; or''; and</DELETED>
<DELETED> (C) by adding at the end the following new
subparagraph:</DELETED>
<DELETED> ``(C) to use or cause to be used an
application that performs automated tasks to purchase
event tickets from an Internet website or online
service in circumvention of posted online ticket
purchasing order rules of the Internet website or
online service, including a software application that
circumvents an access control system, security measure,
or other technological control or measure.'';</DELETED>
<DELETED> (2) by redesignating subsections (b) and (c) as
subsections (c) and (d), respectively;</DELETED>
<DELETED> (3) by inserting after subsection (a) the
following new subsection:</DELETED>
<DELETED> ``(b) Requiring Online Ticket Issuers To Put in Place Site
Policies and Establish Safeguards To Protect Site Security.--</DELETED>
<DELETED> ``(1) Requirement to enforce site policies.--Each
ticket issuer that owns or operates an Internet website or
online service that facilitates or executes the sale of event
tickets shall ensure that such website or service has in place
an access control system, security measure, or other
technological control or measure to enforce posted event ticket
purchasing limits.</DELETED>
<DELETED> ``(2) Requirement to establish site security
safeguards.--</DELETED>
<DELETED> ``(A) In general.--Each ticket issuer that
owns or operates an Internet website or online service
that facilitates or executes the sale of event tickets
shall establish, implement, and maintain reasonable
administrative, technical, and physical safeguards to
protect the security, confidentiality, integrity, or
availability of the website or service.</DELETED>
<DELETED> ``(B) Considerations.--In establishing the
safeguards described in subparagraph (A), each ticket
issuer described in such paragraph shall consider--
</DELETED>
<DELETED> ``(i) the administrative,
technical, and physical safeguards that are
appropriate to the size and complexity of the
ticket issuer;</DELETED>
<DELETED> ``(ii) the nature and scope of the
activities of the ticket issuer;</DELETED>
<DELETED> ``(iii) the sensitivity of any
customer information at issue; and</DELETED>
<DELETED> ``(iv) the range of security risks
and vulnerabilities that are reasonably
foreseeable or known to the ticket
issuer.</DELETED>
<DELETED> ``(C) Third parties and service
providers.--</DELETED>
<DELETED> ``(i) In general.--Where
applicable, a ticket issuer that owns or
operates an Internet website or online service
that facilitates or executes the sale of event
tickets shall implement and maintain procedures
to require that any third party or service
provider that performs services with respect to
the sale of event tickets or has access to data
regarding event ticket purchasing on the
website or service maintains reasonable
administrative, technical, and physical
safeguards to protect the security and
integrity of the website or service and that
data.</DELETED>
<DELETED> ``(ii) Oversight procedure
requirements.--The procedures implemented and
maintained by a ticket issuer in accordance
with clause (i) shall include the
following:</DELETED>
<DELETED> ``(I) Taking reasonable
steps to select and retain service
providers that are capable of
maintaining appropriate safeguards for
the customer information at
issue.</DELETED>
<DELETED> ``(II) Requiring service
providers by contract to implement and
maintain adequate safeguards.</DELETED>
<DELETED> ``(III) Periodically
assessing service providers based on
the risk they present and the continued
adequacy of their safeguards.</DELETED>
<DELETED> ``(D) Updates.--A ticket issuer that owns
or operates an Internet website or online service that
facilitates or executes the sale of event tickets shall
regularly evaluate and make adjustments to the
safeguards described in subparagraph (A) in light of
any material changes in technology, internal or
external threats to system security, confidentiality,
integrity, and availability, and the changing business
arrangements or operations of the ticket
issuer.</DELETED>
<DELETED> ``(3) Requirement to report incidents of
circumvention; consumer complaints.--</DELETED>
<DELETED> ``(A) In general.--A ticket issuer that
owns or operates an Internet website or online service
that facilitates or executes the sale of event tickets
shall report to the Commission any incidents of
circumvention of which the ticket issuer has actual
knowledge.</DELETED>
<DELETED> ``(B) Consumer complaint website.--Not
later than 180 days after the date of enactment of the
Mitigating Automated Internet Networks for Event
Ticketing Act, the Commission shall create a publicly
available website (or modify an existing publicly
available website of the Commission) to allow
individuals to report violations of this subsection to
the Commission.</DELETED>
<DELETED> ``(C) Reporting timeline and process.--
</DELETED>
<DELETED> ``(i) Timeline.--A ticket issuer
shall report known incidents of circumvention
within a reasonable period of time after the
incident of circumvention is discovered by the
ticket issuer, and in no case later than 30
days after an incident of circumvention is
discovered by the ticket issuer.</DELETED>
<DELETED> ``(ii) Automated submission.--The
Commission may establish a reporting mechanism
to provide for the automatic submission of
reports required under this
subsection.</DELETED>
<DELETED> ``(iii) Coordination with state
attorneys general.--The Commission shall--
</DELETED>
<DELETED> ``(I) share reports
received from ticket issuers under
subparagraph (A) with State attorneys
general as appropriate; and</DELETED>
<DELETED> ``(II) share consumer
complaints submitted through the
website established under subparagraph
(B) with State attorneys general as
appropriate.</DELETED>
<DELETED> ``(4) Duty to address causes of circumvention.--A
ticket issuer that owns or operates an Internet website or
online service that facilitates or executes the sale of event
tickets must take reasonable steps to improve its access
control systems, security measures, and other technological
controls or measures to address any incidents of circumvention
of which the ticket issuer has actual knowledge.</DELETED>
<DELETED> ``(5) FTC guidance.--Not later than 1 year after
the date of enactment of the Mitigating Automated Internet
Networks for Event Ticketing Act, the Commission shall publish
guidance for ticket issuers on compliance with the requirements
of this subsection.'';</DELETED>
<DELETED> (4) in subsection (c), as redesignated by
paragraph (1) of this subsection--</DELETED>
<DELETED> (A) by striking ``subsection (a)'' each
place it appears and inserting ``subsection (a) or
(b)'';</DELETED>
<DELETED> (B) in paragraph (2)--</DELETED>
<DELETED> (i) in subparagraph (A), by
striking ``The Commission'' and inserting
``Except as provided in paragraph (3), the
Commission''; and</DELETED>
<DELETED> (ii) in subparagraph (B), by
striking ``Any person'' and inserting ``Subject
to paragraph (3), any person''; and</DELETED>
<DELETED> (C) by adding at the end the following new
paragraphs:</DELETED>
<DELETED> ``(3) Civil action.--</DELETED>
<DELETED> ``(A) In general.--If the Commission has
reason to believe that any person has committed a
violation of subsection (a) or (b), the Commission may
bring a civil action in an appropriate district court
of the United States to--</DELETED>
<DELETED> ``(i) recover a civil penalty
under paragraph (4); and</DELETED>
<DELETED> ``(ii) seek other appropriate
relief, including injunctive relief and other
equitable relief.</DELETED>
<DELETED> ``(B) Litigation authority.--Except as
otherwise provided in section 16(a)(3) of the Federal
Trade Commission Act (15 U.S.C. 56(a)(3)), the
Commission shall have exclusive authority to commence
or defend, and supervise the litigation of, any civil
action authorized under this paragraph and any appeal
of such action in its own name by any of its attorneys
designated by it for such purpose, unless the
Commission authorizes the Attorney General to do so.
The Commission shall inform the Attorney General of the
exercise of such authority and such exercise shall not
preclude the Attorney General from intervening on
behalf of the United States in such action and any
appeal of such action as may be otherwise provided by
law.</DELETED>
<DELETED> ``(C) Rule of construction.--Any civil
penalty or relief sought through a civil action under
this paragraph shall be in addition to other penalties
and relief as may be prescribed by law.</DELETED>
<DELETED> ``(4) Civil penalties.--</DELETED>
<DELETED> ``(A) In general.--Any person who violates
subsection (a) or (b) shall be liable for--</DELETED>
<DELETED> ``(i) a civil penalty of not less
than $10,000 for each day during which the
violation occurs or continues to occur;
and</DELETED>
<DELETED> ``(ii) an additional civil penalty
of not less than $1,000 per
violation.</DELETED>
<DELETED> ``(B) Enhanced civil penalty for
intentional violations.--In addition to the civil
penalties under subparagraph (A), a person that
intentionally violates subsection (a) or (b) shall be
liable for a civil penalty of not less than $10,000 per
violation.'';</DELETED>
<DELETED> (5) in subsection (d), as redesignated by
paragraph (1) of this subsection, by striking ``subsection
(a)'' each place it appears and inserting ``subsection (a) or
(b)''; and</DELETED>
<DELETED> (6) by adding at the end the following new
subsections:</DELETED>
<DELETED> ``(e) Law Enforcement Coordination.--</DELETED>
<DELETED> ``(1) In general.--The Federal Bureau of
Investigation, the Department of Justice, and other relevant
State or local law enforcement officials shall coordinate as
appropriate with the Commission to share information about
known instances of cyberattacks on security measures, access
control systems, or other technological controls or measures on
an Internet website or online service that are used by ticket
issuers to enforce posted event ticket purchasing limits or to
maintain the integrity of posted online ticket purchasing order
rules. Such coordination may include providing information
about ongoing investigations but may exclude classified
information or information that could compromise a law
enforcement or national security effort, as
appropriate.</DELETED>
<DELETED> ``(2) Cyberattack defined.--In this paragraph, the
term `cyberattack' means an attack, via cyberspace, targeting
an enterprise's use of cyberspace for the purpose of--
</DELETED>
<DELETED> ``(A) disrupting, disabling, destroying,
or maliciously controlling a computing environment or
computing infrastructure; or</DELETED>
<DELETED> ``(B) destroying the integrity of data or
stealing controlled information.</DELETED>
<DELETED> ``(f) Congressional Report.--Not later than 1 year after
the date of enactment of this paragraph, the Commission shall report to
Committee on Commerce, Science, and Transportation of the Senate and
the Committee on Energy and Commerce of the House of Representatives on
the status of enforcement actions taken pursuant to this Act, as well
as any identified limitations to the Commission's ability to pursue
incidents of circumvention described in subsection
(a)(1)(A).''.</DELETED>
<DELETED> (b) Additional Definition.--Section 3 of the Better Online
Ticket Sales Act of 2016 (15 U.S.C. 45c note) is amended by adding at
the end the following new paragraph:</DELETED>
<DELETED> ``(4) Circumvention.--The term `circumvention'
means the act of avoiding, bypassing, removing, deactivating,
or otherwise impairing an access control system, security
measure, safeguard, or other technological control or measure
described in section 2(b)(1).''.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Mitigating Automated Internet
Networks for Event Ticketing Act'' or the ``MAIN Event Ticketing Act''.
SEC. 2. STRENGTHENING THE BOTS ACT.
(a) In General.--Section 2 of the Better Online Ticket Sales Act of
2016 (15 U.S.C. 45c) is amended--
(1) in subsection (a)(1)--
(A) in subparagraph (A)--
(i) by inserting ``online'' before ``ticket
issuer''; and
(ii) by striking ``; or'' and inserting a
semicolon;
(B) in subparagraph (B), by striking the period at
the end and inserting ``; or''; and
(C) by adding at the end the following new
subparagraph:
``(C) to use o