[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 1287 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
1st Session
S. 1287
To establish a centralized system to allow individuals to request the
simultaneous deletion of their personal information across all data
brokers, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
April 3, 2025
Mr. Cassidy (for himself, Mr. Ossoff, and Mr. Lujan) introduced the
following bill; which was read twice and referred to the Committee on
Commerce, Science, and Transportation
_______________________________________________________________________
A BILL
To establish a centralized system to allow individuals to request the
simultaneous deletion of their personal information across all data
brokers, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Data Elimination and Limiting
Extensive Tracking and Exchange Act'' or the ``DELETE Act''.
SEC. 2. DATA DELETION REQUIREMENTS.
(a) Data Broker Annual Registration.--
(1) In general.--
(A) Regulations.--Not later than 1 year after the
date of enactment of this section, the Commission shall
promulgate regulations to require any data broker to--
(i) not later than 18 months after the date
of enactment of this section, and annually
thereafter, register with the Commission; and
(ii) subject to subparagraph (B), provide
the following information with such
registration:
(I) The name and primary physical,
email, and uniform resource locator
(URL) addresses of the data broker.
(II) If the data broker permits an
individual to opt out of the data
broker's collection or use of personal
information, certain sales of such
information, or its databases--
(aa) the method for
requesting an opt-out;
(bb) any limitations on the
type of data collection, uses,
or sales for which an
individual may opt-out; and
(cc) whether the data
broker permits an individual to
authorize a third party to
perform the opt-out on the
individual's behalf.
(III) A response to a standardized
form (as issued by the Commission)
specifying the types of information the
data broker collects or obtains and the
sources from which the data broker
obtains data.
(IV) A statement as to whether the
data broker implements a credentialing
process and, if so, a description of
that process.
(V) Any additional information or
explanation the data broker chooses to
provide concerning its data collection
practices.
(VI) Any other information
determined appropriate by the
Commission.
(B) Construction.--Nothing in this paragraph shall
be construed as requiring a data broker to disclose any
information that is a trade secret or confidential
information described in section 552(b)(4) of title 5,
United States Code.
(2) Public availability.--
(A) In general.--The Commission shall make the
information described in paragraph (1)(A) publicly
available in a downloadable and machine-readable
format, except in the event that the Commission--
(i) determines that the risk of making such
information available is not in the interest of
public safety or welfare; and
(ii) provides a justification for such
determination.
(B) Disclaimer.--The Commission shall include on
the website of the Commission a disclaimer that--
(i) the Commission cannot confirm the
accuracy of the responses provided by the data
brokers in the registration described in
paragraph (1)(A); and
(ii) individuals may contact such data
brokers at their own risk.
(b) Centralized Data Deletion System.--
(1) Establishment.--
(A) In general.--Not later than 1 year after the
date of enactment of this section, the Commission shall
promulgate regulations to establish a centralized
system that--
(i) implements and maintains reasonable
security procedures and practices (including
administrative, physical, and technical
safeguards) appropriate to the nature of the
information and the purposes for which the
personal information will be used, to protect
individuals' personal information from
unauthorized use, disclosure, access,
destruction, or modification;
(ii) allows an individual, through a single
submission, to request that every data broker
who is registered under subsection (a) and who
maintains any persistent identifiers (as
described in subparagraph (B)(iii))--
(I) delete any personal information
related to such individual held by such
data broker or affiliated legal entity
of the data broker; and
(II) unless otherwise specified by
the individual, discontinue any present
or future collection of personal
information related to such individual;
and
(iii) allows a registered data broker,
prior to the collection of any personal
information that is tied to a persistent
identifier for which a registry exists, to
submit a query to the centralized system to
confirm that the persistent identifier is not
subject to a deletion request described in
clause (ii).
(B) Requirements.--The centralized system
established in subparagraph (A) shall meet the
following requirements:
(i) The centralized system shall allow an
individual to request the deletion of all
personal information related to such individual
and the discontinuation of any collection of
such personal information related to such
individual through a single deletion request.
(ii) The centralized system shall provide a
standardized form to allow an individual to
make such request.
(iii) Such standardized form shall include
the individual's email, phone number, physical
address, and any other persistent identifier
determined by the Commission to aid in the
deletion request.
(iv) The centralized system shall
automatically salt and hash all submitted
information and allow the Commission to
maintain independent hashed registries of each
type of information obtained through such form.
(v) The centralized system shall only
permit data brokers who are registered with the
Commission to submit hashed queries to the
independent hashed registries described in
clause (iv).
(vi) With respect to the independent hashed
registries described in clause (iv), the salt
shall be different for each such registry and
shall be made available to all registered data
brokers for the purposes of submitting hashed
queries, as described in clause (v).
(vii) The centralized system shall allow an
individual to make such request using an
internet website operated by the Commission.
(viii) The centralized system shall not
charge the individual to make such request.
(C) Transition.--
(i) In general.--Not later than 8 months
after the effective date of the regulations
promulgated under subparagraph (A), each data
broker shall--
(I) not less than once every 31
days, access the hashed registries
maintained by the Commission as
described in subparagraph (B)(iv); and
(II) process any deletion request
associated with a match between such
hashed registries and the records of
the data broker.
(ii) FTC guidance.--Not later than 6 months
after the effective date of the regulations
promulgated under subparagraph (A), the
Commission shall publish guidance on the
process and standards to which a data broker
must adhere in carrying out clause (i).
(2) Deletion.--
(A) Information deletion.--
(i) In general.--Subject to clause (ii),
not later than 31 days after accessing the
hashed registries described in paragraph
(1)(B)(iv), a data broker and any associated
legal entity shall delete all personal
information in its possession related to the
individual making the request and discontinue
the collection of personal information related
to such individual. Immediately following the
deletion, the data broker shall send an
affirmative representation to the Commission
with the number of records deleted pursuant to
each match with a value in the hashed
registries.
(ii) Exclusions.--In carrying out clause
(i), a data broker may retain, where required,
the following information:
(I) Any personal information that
is processed or maintained solely as
part of human subjects research
conducted in compliance with any legal
requirements for the protection of
human subjects.
(II) Any personal information
necessary to comply with a warrant,
subpoena, court order, rule, or other
applicable law.
(III) Any information necessary for
an activity described in subsection
(f)(3)(B), provided that the retained
information is used solely for any such
activity.
(iii) Use of information.--Any personal
information excluded under clause (ii) may only
be used for the purpose described in the
applicable subclause of clause (ii), and may
not be used for any other purpose, including
marketing purposes.
(B) Annual report.--Each data broker registered
under subsection (a) shall submit to the Commission, on
an annual basis, a report on the completion rate with
respect to the completion of deletion requests under
subparagraph (A).
(C) Audit.--
(i) In general.--Not later than 3 years
after the date of enactment of this section,
and every 3 years thereafter, each data broker
registered under subsection (a) shall undergo
an independent third party audit to determine
compliance with this subsection.
(ii) Audit report.--Not later than 6 months
after the completion of any audit under clause
(i), each such data broker shall submit to the
Commission any report produced as a result of
the audit, along with any related materials.
(iii) Maintain records.--Each such data
broker shall maintain the materials described
in clause (ii) for a period of not less than 6
years.
(3) Annual fee.--
(A) In general.--Subject to subparagraph (B), each
data broker registered under subsection (a) and who
maintains any persistent identifiers (as described in
paragraph (1)(B)(iii)) shall pay to the Commission, on
an annual basis, a subscription fee determined by the
Commission to access the database.
(B) Limit.--The amount of the subscription fee
under subparagraph (A) may not exceed 1 percent of the
expected annual cost of operating the centralized
system and hashed registries described in paragraph
(1), as determined by the Commission.
(C) Availability.--Any amounts collected by the
Commission pursuant to this paragraph shall be
available without further appropriation to the
Commission for the exclusive purpose of enforcing and
administering this Act, including the implementation
and maintenance of such centralized system and hashed
registries and the promotion of public awareness of the
centralized system.
(c) Enforcement by the Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
subsection (a) or (b) or a regulation promulgated under this
Act shall be treated as a violation of a rule defining an
unfair or deceptive act or practice under section 18(a)(1)(B)
of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(2) Powers of the commission.--
(A) In general.--The Commission shall enforce this
section in the same manner, by the same means, and with
the same jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Any person who
violates subsection (a) or (b) or a regulation
promulgated under this Act shall be subject to the
penalties and entitled to the privileges and immunities
provided in the Federal Trade Commission Act (15 U.S.C.
41 et seq.).
(C) Authority preserved.--Nothing in this section
shall be construed to limit the authority of the
Commission under any other provision of law.
(D) Rulemaking.--The Commission shall promulgate in
accordance with section 553 of title 5, United States
Code, such rules as may be necessary to carry out this
section.
(d) Study and Report.--
(1) Study.--The Commission shall conduct a study on the
implementation and enforcement of this section. Such study
shall include--
(A) an analysis of the effectiveness of the
centralized system established in subsection (b)(1)(A);
(B) the number deletion requests submitted annually
using such centralized system;
(C) an analysis of the progress of coordinating the
operation and enforcement of such requests with similar
systems established and maintained by the various
States; and
(D) any other area determined appropriate by the
Commission.
(2) Report.--Not later than 3 years after the date of
enactment of this section, and annually thereafter for each of
the next 4 years, the Commission shall submit to the Committee
on Commerce, Science, and Transportation of the Senate and the
Committee on Energy and Commerce of the House of