[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2713 Introduced in House (IH)]
<DOC>
119th CONGRESS
1st Session
H. R. 2713
To improve online ticket sales and protect consumers, and for other
purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
April 8, 2025
Mrs. Harshbarger (for herself and Mr. Carter of Louisiana) introduced
the following bill; which was referred to the Committee on Energy and
Commerce
_______________________________________________________________________
A BILL
To improve online ticket sales and protect consumers, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Mitigating Automated Internet
Networks for Event Ticketing Act'' or the ``MAIN Event Ticketing Act''.
SEC. 2. STRENGTHENING THE BOTS ACT.
(a) In General.--Section 2 of the Better Online Ticket Sales Act of
2016 (15 U.S.C. 45c) is amended--
(1) in subsection (a)(1)--
(A) in subparagraph (A), by striking ``; or'' and
inserting a semicolon;
(B) in subparagraph (B), by striking the period at
the end and inserting ``; or''; and
(C) by adding at the end the following new
subparagraph:
``(C) to use or cause to be used an application
that performs automated tasks to purchase event tickets
from an internet website or online service in
circumvention of posted online ticket purchasing order
rules of the internet website or online service,
including a software application that circumvents an
access control system, security measure, or other
technological control or measure.'';
(2) by redesignating subsections (b) and (c) as subsections
(c) and (d), respectively;
(3) by inserting after subsection (a) the following new
subsection:
``(b) Requiring Online Ticket Issuers To Put in Place Site Policies
and Establish Safeguards To Protect Site Security.--
``(1) Requirement to enforce site policies.--Each ticket
issuer that owns or operates an internet website or online
service that facilitates or executes the sale of event tickets
shall ensure that such website or service has in place an
access control system, security measure, or other technological
control or measure to enforce posted event ticket purchasing
limits.
``(2) Requirement to establish site security safeguards.--
``(A) In general.--Each ticket issuer that owns or
operates an internet website or online service that
facilitates or executes the sale of event tickets shall
establish, implement, and maintain reasonable
administrative, technical, and physical safeguards to
protect the security, confidentiality, integrity, or
availability of the website or service.
``(B) Considerations.--In establishing the
safeguards described in subparagraph (A), each ticket
issuer described in such paragraph shall consider--
``(i) the administrative, technical, and
physical safeguards that are appropriate to the
size and complexity of the ticket issuer;
``(ii) the nature and scope of the
activities of the ticket issuer;
``(iii) the sensitivity of any customer
information at issue; and
``(iv) the range of security risks and
vulnerabilities that are reasonably foreseeable
or known to the ticket issuer.
``(C) Third parties and service providers.--
``(i) In general.--Where applicable, a
ticket issuer that owns or operates an internet
website or online service that facilitates or
executes the sale of event tickets shall
implement and maintain procedures to require
that any third party or service provider that
performs services with respect to the sale of
event tickets or has access to data regarding
event ticket purchasing on the website or
service maintains reasonable administrative,
technical, and physical safeguards to protect
the security and integrity of the website or
service and that data.
``(ii) Oversight procedure requirements.--
The procedures implemented and maintained by a
ticket issuer in accordance with clause (i)
shall include the following:
``(I) Taking reasonable steps to
select and retain service providers
that are capable of maintaining
appropriate safeguards for the customer
information at issue.
``(II) Requiring service providers
by contract to implement and maintain
adequate safeguards.
``(III) Periodically assessing
service providers based on the risk
they present and the continued adequacy
of their safeguards.
``(D) Updates.--A ticket issuer that owns or
operates an internet website or online service that
facilitates or executes the sale of event tickets shall
regularly evaluate and make adjustments to the
safeguards described in subparagraph (A) in light of
any material changes in technology, internal or
external threats to system security, confidentiality,
integrity, and availability, and the changing business
arrangements or operations of the ticket issuer.
``(3) Requirement to report incidents of circumvention;
consumer complaints.--
``(A) In general.--A ticket issuer that owns or
operates an internet website or online service that
facilitates or executes the sale of event tickets shall
report to the Commission any incidents of circumvention
of which the ticket issuer has actual knowledge.
``(B) Consumer complaint website.--Not later than
180 days after the date of enactment of the Mitigating
Automated Internet Networks for Event Ticketing Act,
the Commission shall create a publicly available
website (or modify an existing publicly available
website of the Commission) to allow individuals to
report violations of this subsection to the Commission.
``(C) Reporting timeline and process.--
``(i) Timeline.--A ticket issuer shall
report known incidents of circumvention within
a reasonable period of time after the incident
of circumvention is discovered by the ticket
issuer, and in no case later than 30 days after
an incident of circumvention is discovered by
the ticket issuer.
``(ii) Automated submission.--The
Commission may establish a reporting mechanism
to provide for the automatic submission of
reports required under this subsection.
``(iii) Coordination with state attorneys
general.--The Commission shall--
``(I) share reports received from
ticket issuers under subparagraph (A)
with State attorneys general as
appropriate; and
``(II) share consumer complaints
submitted through the website
established under subparagraph (B) with
State attorneys general as appropriate.
``(4) Duty to address causes of circumvention.--A ticket
issuer that owns or operates an internet website or online
service that facilitates or executes the sale of event tickets
must take reasonable steps to improve its access control
systems, security measures, and other technological controls or
measures to address any incidents of circumvention of which the
ticket issuer has actual knowledge.
``(5) FTC guidance.--Not later than 1 year after the date
of enactment of the Mitigating Automated Internet Networks for
Event Ticketing Act, the Commission shall publish guidance for
ticket issuers on compliance with the requirements of this
subsection.'';
(4) in subsection (c), as redesignated by paragraph (1) of
this subsection--
(A) by striking ``subsection (a)'' each place it
appears and inserting ``subsection (a) or (b)'';
(B) in paragraph (2)--
(i) in subparagraph (A), by striking ``The
Commission'' and inserting ``Except as provided
in paragraph (3), the Commission''; and
(ii) in subparagraph (B), by striking ``Any
person'' and inserting ``Subject to paragraph
(3), any person''; and
(C) by adding at the end the following new
paragraphs:
``(3) Civil action.--
``(A) In general.--If the Commission has reason to
believe that any person has committed a violation of
subsection (a) or (b), the Commission may bring a civil
action in an appropriate district court of the United
States to--
``(i) recover a civil penalty under
paragraph (4); and
``(ii) seek other appropriate relief,
including injunctive relief and other equitable
relief.
``(B) Litigation authority.--Except as otherwise
provided in section 16(a)(3) of the Federal Trade
Commission Act (15 U.S.C. 56(a)(3)), the Commission
shall have exclusive authority to commence or defend,
and supervise the litigation of, any civil action
authorized under this paragraph and any appeal of such
action in its own name by any of its attorneys
designated by it for such purpose, unless the
Commission authorizes the Attorney General to do so.
The Commission shall inform the Attorney General of the
exercise of such authority and such exercise shall not
preclude the Attorney General from intervening on
behalf of the United States in such action and any
appeal of such action as may be otherwise provided by
law.
``(C) Rule of construction.--Any civil penalty or
relief sought through a civil action under this
paragraph shall be in addition to other penalties and
relief as may be prescribed by law.
``(4) Civil penalties.--
``(A) In general.--Any person who violates
subsection (a) or (b) shall be liable for--
``(i) a civil penalty of not less than
$10,000 for each day during which the violation
occurs or continues to occur; and
``(ii) an additional civil penalty of not
less than $1,000 per violation.
``(B) Enhanced civil penalty for intentional
violations.--In addition to the civil penalties under
subparagraph (A), a person that intentionally violates
subsection (a) or (b) shall be liable for a civil
penalty of not less than $10,000 per violation.'';
(5) in subsection (d), as redesignated by paragraph (1) of
this subsection, by striking ``subsection (a)'' each place it
appears and inserting ``subsection (a) or (b)''; and
(6) by adding at the end the following new subsections:
``(e) Law Enforcement Coordination.--
``(1) In general.--The Federal Bureau of Investigation, the
Department of Justice, and other relevant State or local law
enforcement officials shall coordinate as appropriate with the
Commission to share information about known instances of
cyberattacks on security measures, access control systems, or
other technological controls or measures on an internet website
or online service that are used by ticket issuers to enforce
posted event ticket purchasing limits or to maintain the
integrity of posted online ticket purchasing order rules. Such
coordination may include providing information about ongoing
investigations but may exclude classified information or
information that could compromise a law enforcement or national
security effort, as appropriate.
``(2) Cyberattack defined.--In this paragraph, the term
`cyberattack' means an attack, via cyberspace, targeting an
enterprise's use of cyberspace for the purpose of--
``(A) disrupting, disabling, destroying, or
maliciously controlling a computing environment or
computing infrastructure; or
``(B) destroying the integrity of data or stealing
controlled information.
``(f) Congressional Report.--Not later than 1 year after the date
of enactment of this paragraph, the Commission shall report to
Committee on Commerce, Science, and Transportation of the Senate and
the Committee on Energy and Commerce of the House of Representatives on
the status of enforcement actions taken pursuant to this Act, as well
as any identified limitations to the Commission's ability to pursue
incidents of circumvention described in subsection (a)(1)(A).''.
(b) Additional Definition.--Section 3 of the Better Online Ticket
Sales Act of 2016 (15 U.S.C. 45c note) is amended by adding at the end
the following new paragraph:
``(4) Circumvention.--The term `circumvention' means the
act of avoiding, bypassing, removing, deactivating, or
otherwise impairing an access control system, security measure,
safeguard, or other technological control or measure described
in section 2(b)(1).''.
<all>