Protecting Investors’ Personally Identifiable Information Act
This bill, the Protecting Investors’ Personally Identifiable Information Act, would curb the Securities and Exchange Commission’s ability to require publicly traded market participants to provide personally identifiable information (PII) as part of Consolidated Audit Trail (CAT) reporting. It defines PII narrowly (e.g., names, addresses, birth dates, Social Security numbers, phone numbers, emails, IP addresses, and other linked data) and prohibits the SEC from demanding such information for CAT-related orders or reportable events, except under a specific investigative/enforcement exception. When PII can be requested, it must be provided within 24 hours (with a possible extension) and, once the investigation or matter concludes, the information must be destroyed within one day. The overall aim is to strengthen privacy protections for investors while limiting data collection in CAT submissions.
Key Points
- Definition of PII: Information that can identify an individual, including name, address, DOB, SSN, phone, email, and IP address, and any data that can be linked to identify someone.
- Prohibition on SEC demands for PII: The SEC may not require exchanges, associations, or their members to provide PII to meet CAT reporting requirements, absent the bill’s exceptions.
- Investigation/enforcement exception: PII may be requested only if the SEC makes a formal request and the information is related to an investigation or an enforcement action concerning a violation of federal securities laws or related regulations.
- Timeframe for providing PII: If requested, exchanges/associations must provide the PII within 24 hours, unless the Commission approves a reasonable extension.
- Destruction of PII: Once the investigation or matter concludes, the SEC must destroy the provided PII no later than the next day.