[Senate Hearing 107-1150]
[From the U.S. Government Publishing Office]



                                                       S. Hrg. 107-1150
 
                  S. 2201, ONLINE PERSONAL PRIVACY ACT

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                      ONE HUNDRED SEVENTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 25, 2002

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation




                    U.S. GOVERNMENT PRINTING OFFICE
91-368                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                      ONE HUNDRED SEVENTH CONGRESS

                             SECOND SESSION

              ERNEST F. HOLLINGS, South Carolina, Chairman
DANIEL K. INOUYE, Hawaii             JOHN McCAIN, Arizona
JOHN D. ROCKEFELLER IV, West         TED STEVENS, Alaska
    Virginia                         CONRAD BURNS, Montana
JOHN F. KERRY, Massachusetts         TRENT LOTT, Mississippi
JOHN B. BREAUX, Louisiana            KAY BAILEY HUTCHISON, Texas
BYRON L. DORGAN, North Dakota        OLYMPIA J. SNOWE, Maine
RON WYDEN, Oregon                    SAM BROWNBACK, Kansas
MAX CLELAND, Georgia                 GORDON SMITH, Oregon
BARBARA BOXER, California            PETER G. FITZGERALD, Illinois
JOHN EDWARDS, North Carolina         JOHN ENSIGN, Nevada
JEAN CARNAHAN, Missouri              GEORGE ALLEN, Virginia
BILL NELSON, Florida
               Kevin D. Kayes, Democratic Staff Director
                  Moses Boyd, Democratic Chief Counsel
      Jeanne Bumpus, Republican Staff Director and General Counsel


                            C O N T E N T S

                              ----------                              
Hearing held on April 25, 2002
Statement of Senator Allen
Statement of Senator Burns
Statement of Senator Cleland
Statement of Senator Hollings
    Prepared statement
Statement of Senator McCain
Statement of Senator Stevens
Statement of Senator Wyden

                               Witnesses

Dugan, John C., Partner, Covington & Burling, on behalf of The 
  Financial Services Coordinating Council
    Prepared statement
Lawler, Barbara, Chief Privacy Officer, Hewlett-Packard Company
    Prepared statement
Misener, Paul, Vice President of Global Public Policy, Amazon.com
    Prepared statement
Rotenberg, Marc, Executive Director, Electronic Privacy 
  Information Center
    Prepared statement
Torres, Frank, Legislative Counsel, Consumers Union
    Prepared statement

                                Appendix

Jaffee, Daniel L., Association of National Advertisers, Inc., 
  letter dated April 25, 2002 to Hon. Ernest F. Hollings
Kerry, Hon. John F., U.S. Senator from Massachusetts, prepared 
  statement


                  S. 2201, ONLINE PERSONAL PRIVACY ACT

                              ----------                              


                       THURSDAY, APRIL 25, 2002,

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:15 a.m. in 
room SR-253, Russell Senate Office Building, Hon. Ernest F. 
Hollings, Chairman of the Committee, presiding.

         OPENING STATEMENT OF HON. ERNEST F. HOLLINGS,
                U.S. SENATOR FROM SOUTH CAROLINA

    The Chairman. The Committee will come to order. What we 
have, of course, is our online privacy bill before the 
Committee, and we have an actual bipartisan bill. The 
interesting thing is that--and I will put my full statement in 
the record, but we have got 14 different laws and regulations 
offering different levels of notice, choice, access and 
everything else, we have got the Cable Act, the Junk Fax Act, 
the telemarketing privacy, the video privacy--I comment on that 
because you would think, in trying to propose privacy for the 
Internet, that we are doing something real radical--not at all.
    In fact, you look at the European practice, we have got 
some 135 blue chip American corporations that have joined in 
their particular opt-in online privacy provisions, which in a 
way in a couple of regards are even a little more stringent 
than ours, but be that as it may, the bipartisan bill sets a 
uniform Federal standard for the protection of online personal 
information, and the five core principles are consent, notice, 
access, security, enforcement.
    I want to particularly, of the nine cosponsors, thank 
Senators Inouye, Rockefeller, Breaux and Cleland, who started 
with us--this has been a sort of a 2-1/2 year exercise, and 
Senators Kerry, Stevens, and Burns now, who worked with us the 
past 7 months to craft a bill that takes care of the concerns, 
not just of the consumers but, of course, the industry itself.
    We do not want to do anything to stultify--in fact, it is 
this Senator's view that in providing privacy provisions we are 
actually establishing trust and confidence in the Internet and 
therefore encouraging and propagating better and increased use. 
It has a provision for strong preemption. That is the certainty 
needed to resolve conflicting State standards. It has an opt-in 
protection for the sensitive personal information such as 
financial, health, ethnicity, religious preference, sexual 
orientation. It has opt-out protection for nonsensitive 
personal information like marketplace purchases. It has 
reasonable access, reasonable security and a sensible 
enforcement by the FTC and the State Attorneys General, of 
course with the private right of action.
    When we look at the Federal Trade Commission they have had 
some 5 years of studies, hearings, meetings with the industry 
off and on, and the last Federal Trade Commission recommended, 
in futility, that we legislate, because they could not get an 
agreed approach, but you can see how the Federal Trade were 
treated. Eli Lilly exposed 700 Prozac patients and got just a 
slap on the wrist, so we have it in there as a private right of 
action with jurisdiction in the Federal court and a showing of 
actual harm.
    My full statement is in the record. Let me yield. Senator 
McCain.
    [The prepared statement of The Chairman follows:]

Prepared Statement of Hon. Ernest F. Hollings, U.S. Senator from South 
                                Carolina

    Today the Commerce Committee will examine S. 2201, the Online 
Personal Privacy Act of 2002--a bipartisan bill that is sponsored by 10 
Senators on this Committee. We plan to report a bill in May, and that 
makes today's hearing exceedingly timely. It's past time for action on 
this issue; today will mark the 6th hearing on internet privacy in the 
last two Congresses. American consumers deserve better privacy 
protection on the Internet. We intend to give it to them.
    I am pleased to be joined in my efforts by nine cosponsors on this 
Committee. We have those who were with me from the beginning--Senators 
Inouye, Rockefeller, Breaux, and Cleland. And we have additional 
support, from Senators Kerry, Nelson, Carnahan, Stevens and Burns. I 
particularly want to commend Senators Kerry, Stevens, and Burns, who 
have worked with me over the past seven months to craft the sensible, 
balanced approach that we introduced last week.
    Let me articulate the principles that allowed us to achieve strong 
bipartisan support for our legislation--

   Strong preemption (to give business the certainty it needs 
        in the face of conflicting state standards)

   Opt-in protection for sensitive personal information (like 
        your financial and health information, your ethnicity, 
        religious preferences, or sexual orientation)

   Opt-out protection for non-sensitive personal information 
        (like your name and address, and marketplace purchases)

   Reasonable access

   Reasonable security

   Sensible enforcement by the FTC and the state AGs, with the 
        limited exception of violations involving sensitive 
        information, which permit a right of action in federal court, 
        premised on a showing of actual harm.

    Why do we need legislation? Businesses keep confounding consumers 
with unclear privacy policies that state, ``your privacy is important 
to us,'' but subsequently outline exceptions crafted to allow almost 
any use of personal information. Other Web sites don't post privacy 
policies, safe in the knowledge that they face no legal jeopardy under 
current law for selling your information.
    Some have argued that Americans' concerns about privacy no longer 
exist after September 11th. But poll after poll consistently 
demonstrates the American people want companies they patronize to seek 
their permission prior to using their personal information for 
commercial profit. As recently as February, a Harris survey found that 
63% of Americans want internet privacy legislation.
    At the same time, advances in technology have provided the tools to 
seamlessly compile and enhance highly detailed personal profiles and 
histories of Internet users. Cookies and web bugs, and who knows what 
other technologies, all enable the surreptitious collection of 
individuals' personal information, including every click of their 
computer mouse, online.
    Moreover, severe privacy breaches continue without consequence. 
Last year, Eli Lilly disclosed a list of hundreds of customers 
suffering from depression, bulimia, and obsessive compulsive disorder. 
Eli Lilly's response? An apology, and a promise it won't happen again. 
But an apology and a promise is not enough for those patients whose 
medical history was divulged publicly.
    Sensible privacy legislation like S. 2201 will stop this, promote 
consumer confidence, and bolster online commerce. A recent Forrester 
study reports that online businesses lost $15 billion due to consumer 
privacy concerns. Those numbers are significant in light of the 
economic downturn and its exaggerated impact on the high tech internet 
sector. Good privacy means good business and the internet economy could 
use a dose of that right now.
    The shame is that it has taken us this long to get here. It has 
been nearly two years since the FTC recommendation for Internet privacy 
legislation, which was reached after five years of diligent study. This 
recommendation was particularly credible in light of the FTC's record 
of extensive analysis and its two prior recommendations to allow self-
regulation a chance to work.
    We will hear from our opponents today that it is unfair to regulate 
online only. But this argument is nothing more than a straw man 
designed to kill internet privacy legislation. Does anyone remember a 
similar argument when we passed the children's privacy legislation? 
Were children's web sites complaining that we were regulating them 
differently from Toys-R-Us? Of course not. The internet industry 
supported that legislation. This Committee stands ready to pass similar 
legislation for all users. Let's start there and then we'll see about 
the entire marketplace.
    Others will complain that our bill is premature--that we need to 
give the Gramm-Leach-Bliley financial privacy rules a chance to work, 
before we alter them for the Internet. Well--we've seen those rules, 
and they don't work.
    Americans have been receiving billions of notices in the mail 
telling them they can opt-out of the sharing of their personal 
financial information by financial institutions. These notices make a 
mockery of the claim that notice and opt-out provides sufficient 
protection for sensitive information. In many cases, the notices are 
internally inconsistent and outright deceptive.
    We need to bring transparency and consistency to privacy protection 
on the internet by building on the many existing statutes that protect 
privacy for telephone customers, cable subscribers, video renters, 
credit card customers, and children on the internet. All Internet users 
deserve similar protection.
    Some forward thinking companies know this. Microsoft, Intel, 
Hewlett-Packard, Expedia, and Earthlink provide opt-in right now. 185 
U.S. companies, including Microsoft, Intel, Hewlett-Packard, and one 
of the largest data collection companies, Acxiom, have signed on to the 
EU Safe Harbor, which requires notice, opt-in for sensitive 
information, access and security. Why should European citizens be 
granted more protection than Americans?
    Finally, I want to note that the following high tech trade 
associations have called for privacy legislation that preempts state 
law, requires notice and an opportunity to opt-out (and sometimes, even 
opt-in): the Information Technology Industries Association; the 
American Electronics Association; the Computer Systems Policy Project; 
and the Computer Technology Industry Association. Many of the members 
of these associations actually provide better privacy protection 
themselves, voluntarily.
    Despite the good intentions of these companies, unless we take 
action to establish common-sense protections that will deter bad 
actors, consumer fears will continue to stifle use of the internet as a 
trusted commercial medium.
    I look forward to our witness testimony, and the remarks of my 
distinguished former chairman, Senator McCain.

                 STATEMENT OF HON. JOHN McCAIN,
                   U.S. SENATOR FROM ARIZONA

    Senator McCain. Thank you, Mr. Chairman, and I want to 
thank you for holding this hearing today on the topic of online 
privacy and your recently introduced bill. I want to thank you 
for your continued work on this important subject. It is clear 
that privacy continues to concern many Americans who use the 
Internet. In a recent Harris interactive poll a majority of the 
respondents once again voiced their concerns over the use of 
their personal information online.
    In past hearings, this Committee has closely examined 
several issues with respect to online privacy legislation. We 
considered whether each of the four fair information 
principles, notice, choice, access, and security, should be 
mandated for online companies and, if so, how. We also 
addressed the questions of enforcement and preemption of State 
law. The Chairman's bill includes each of these elements and 
offers a solution that seeks compromise on some of the 
differences we have explored in prior hearings.
    Differences remain, however, particularly with respect to 
the private rights of action that this legislation creates, as 
well as the bill's coverage of access and security. There are, 
on an even broader level, very significant practical challenges 
we need to consider with respect to how or if this legislation 
can be implemented.
    One challenge we face is the treatment of personally 
identifiable information that is collected from both online and 
offline sources, and then merged together in a single consumer 
data file. Many companies and institutions today operate in 
both the online and offline world. We see examples of this 
everywhere. The retail chain, Toys-R-Us, allows customers to 
shop for the same toys online at Amazon that they can buy in 
their stores and shopping centers. Many local banks have web 
sites that allow account holders to check balances, transfer 
funds between accounts, and write checks to pay their bills 
online.
    These businesses must collect and use personal information 
in both settings in order to provide their goods and services, 
and sometimes that information must be combined into one 
customer file. What happens to that combined information if we 
attempt to legislate for the online world without considering 
its collection or use in the offline one? Would the same types 
of notices be applied, even ones designed with the Internet in 
mind?
    As these two worlds merge, we must face the practical 
reality that restrictions intended for the online world may 
have unintended but significant impact on accepted business 
practices in the offline world.
    The second challenge is that Congress passed over 30 
Federal laws that already protect the privacy of individuals. 
We have to be certain to carefully consider the effect of this 
bill on these existing laws, particularly if its enactment 
would create ambiguous or conflicting requirements for business 
and greater confusion for consumers.
    I would also like to introduce two items into the record 
today that I believe are essential to our consideration of this 
legislation. The first are the letters of the Chairman and 
commissioners of the Federal Trade Commission that I received 
yesterday afternoon, a second is the 2001 survey of online 
privacy practices released by the Progress and Freedom 
Foundation in March, which duplicated the methodology used by 
the FTC in its 2000 report.
    The FTC has spent a considerable amount of time and 
resources addressing the issue of online privacy. After S. 2201 
was introduced, I wrote a letter to each of the commissioners 
asking whether they believed legislation was needed and, if so, 
what it should contain. I also asked for their comments on the 
principal features of the legislation. Despite the short amount 
of time they had to spend, each commissioner did, and I thank 
them for their efforts. In summary, two of the five 
commissioners believe that legislation is needed at this time 
and are supportive of the bill. The other three commissioners, 
including the Chairman, expressed strong reservations about the 
workability of the provisions of S. 2201, and the need for 
legislation in light of existing privacy law, increased FTC 
enforcement, and industry efforts to improve protections.
    I want to thank the witnesses for being with us today, and 
I will be interested in hearing their views on the legislation. 
Thank you, Mr. Chairman.
    The Chairman. Thank you. Senator Burns.

                STATEMENT OF HON. CONRAD BURNS,
                   U.S. SENATOR FROM MONTANA

    Senator Burns. Thank you, Mr. Chairman. Thanks for holding 
this hearing today as we wrestle with this problem of privacy 
in the Internet world. As more and more of our daily activities 
move online, it is no surprise that privacy is the number one 
concern among Internet users. I should add that privacy or, 
rather, the lack of it, is also the top reason why nonusers 
have not yet ventured into the Internet.
    The reasons for these well-justified concerns are clear. 
Americans have no safety net on privacy online. In fact, ever 
more sophisticated technologies are being developed to collect 
nearly limitless information on individuals without their 
knowledge. Privacy is not just an individual rights concern, 
however. Online privacy is central to the future of the 
economic well-being of the Internet. The rate of growth of e-
commerce is clearly being slowed by consumers' rising and 
legitimate fears about privacy intrusion. Several studies 
pointed out that the privacy reason preventing more people from 
making purchases online is the lack of privacy.
    While the Internet has exhibited massive growth, currently 
less than one percent of all consumer retail spending is done 
online. In short, e-commerce still has a huge upside potential, 
but that potential will never be fulfilled without the basic 
assurances of consumer privacy. To address these concerns, 
early in the 106th Congress, Senator Wyden and I introduced an 
Online Privacy Protection Act which was based on our shared 
view that while self-regulation should be encouraged, we need 
to also provide a strong enforcement mechanism to punish the 
bad actors.
    I remain convinced that the comprehensive private 
legislation is necessary to protect consumers, which is why I 
am the original cosponsor of the bill the Committee is 
considering today, the Online Personal Privacy Act. The fact 
that the bipartisan bill was introduced last week with 10 
cosponsors on the Committee shows a tremendous support for 
online privacy that exists on this Committee. The current bill 
is much improved from the previous versions, and, while it is 
not perfect by any means, I view it as a reasonable compromise 
between the opt-out approach, which I favored previously, and 
the opt-in approach which the Chairman's original bill 
incorporated.
    I believe one of the strongest sections of the bill the 
Committee is considering today is its clear-cut preemption 
language. In response to the rising call for consumer privacy 
protection, the Internet risks being subject to a crazy quilt 
of conflicting regulations on a State-by-State basis. Already, 
for instance, the State of Minnesota has passed a comprehensive 
online privacy bill out of its legislature, and California is 
moving along a similar track. An online privacy law is already 
on the books in Vermont, which requires an opt-in by consumers 
before individuals' financial or medical information can be 
shared with third parties.
    While the impulse behind these efforts is understandable, 
companies need regulatory certainty in order to do business 
efficiently. Clearly, strong Federal preemption is needed and 
is provided in S. 2201.
    The robust security requirement is also a very positive 
aspect of the current bill. The bill simply requires web sites 
to maintain a reasonable procedure necessary to protect 
security, confidentiality, and integrity of personally 
identifiable information. In today's era of hacker intrusion 
and identity theft, I view this section as absolutely essential 
to protect consumers.
    I would like to touch on the idea offered by many who 
oppose privacy legislation that simply posting a privacy policy 
is the same as actually ensuring privacy for consumers. While I 
view the increasing trend toward posting privacy policies as a 
positive development, the fact remains that many of these 
policies are frustrating exercises in legalese. It becomes 
obvious from weeding through the examples of these policies 
that most were designed with the goal of protecting the 
companies, rather than informing and empowering the consumers.
    A perfect example of the potential consequences of the 
legalistic approach toward privacy policies occurred earlier 
this month, when millions of consumers downloaded a file-
swapping program called Kazaa. Only later did consumers realize 
that they had agreed to install software that could help turn 
their computers into nodes on a network controlled by a third 
company called Brilliant Entertainment, while the company's 
privacy policy ran over 4,000 words, which explains why most 
consumers simply clicked on the ``I agree'' button.
    The concern surrounding these types of abuse led to the 
requirement in previous bills, on Senator Wyden's and my bill 
before, and S. 2201, that privacy policies must be clear, and 
they must be conspicuous.
    I look forward to working with the Chairman and my 
colleagues on the Committee on this critical issue. I also look 
forward to the testimony today, and I appreciate it, and thank 
the witnesses for coming today, and I thank the Chairman.
    The Chairman. Thank you. Senator Allen.

                STATEMENT OF HON. GEORGE ALLEN,
                   U.S. SENATOR FROM VIRGINIA

    Senator Allen. Thank you, Mr. Chairman, for holding this 
hearing. I have read and look forward to working with our 
witnesses, and thank you all for being here.
    I think we all can agree that individual people have a 
significant interest in personal information and an interest in 
determining how that information is used. Now, throughout this 
debate, Mr. Chairman, and for those who are in the Committee 
room here, I have been guided by two principles.
    First, I think we ought to empower individual consumers to 
make sure that they have the information necessary to make a 
reasonable decision and choice on their own. Second, I think we 
need to encourage to the greatest extent possible market-driven 
regulation. Many of those market forces already exist.
    Now, I want to associate myself, Mr. Chairman, with the 
sentiments expressed by Senator McCain, and I will not repeat 
many of the points he made, but I do want to touch on them. In 
this regard, I have concerns that this Committee may be 
proceeding with legislation prematurely that is unnecessarily 
burdensome and discriminatory to the online world. I do not 
think we should discriminate in the treatment of personally 
identifiable information with regard to the medium through 
which the information is collected. Why should a consumer's 
privacy concern regarding information-sharing only accommodate 
or apply to those consumers who have access to the Internet?
    Second, and further, there are at least 23 current Federal 
laws addressing information-sharing and privacy rights. I 
understand that consumers have specific and legitimate concerns 
about his or her health and financial information privacy. In 
addition, whether online or offline, the Gramm-Leach-Bliley Act 
of 1999, and the Health Insurance Portability and 
Accountability Act of 1996 already address many of those 
specific concerns. I would encourage enforcement of our 
existing laws before we attempt to craft new laws.
    Third, the Progress and Freedom Foundation released a 
report on online privacy, a report on the information practices 
and policies of commercial web sites. Some of the more 
interesting findings were that commercial web sites are 
collecting less personally identifiable information than they 
were 2 years ago. They also pointed out that fewer web sites 
are using third party cookies to track web surfing behavior.
    Of the most popular web sites, showing the reaction of the 
private sector, the sites that receive the most traffic, the 
use of third party cookies fell from 78 percent to 48 percent, 
and also the privacy notices--and Senator Burns noted this--are 
more prevalent and more prominent and more complete.
    Ninety-nine percent of the 85 busiest web sites have 
privacy policies that are more comprehensive, in other words, 
stating how they handle the consumer information, and more 
accessible from the site's front page.
    Now, the one rational jurisdictional reason for this 
legislation and one that I, too, support, and I think is the 
most important part, has to do with the jurisdiction, the 
Federal jurisdiction in this, in that it does deal with 
interstate commerce. The reason the Senate should consider any 
privacy legislation is to establish a uniform national 
standard. To have a patchwork of liabilities and rules governed 
by the States would make it extremely difficult for any 
business to comply with 50 potentially conflicting privacy laws 
and regulations, thus arguably affecting interstate commerce.
    I do want to get into some of the details of how much--and 
we do need to have a strong preemption. Some States, Mr. 
Chairman, and others are considering enacting privacy laws 
under the Gramm-Leach-Bliley Act and the Health Insurance 
Portability and Accountability Act, and how will these privacy 
laws be preempted under this legislation, and if we enact a new 
law I think we ought to make certain that the strongest, most 
effective preemption language is included.
    I would finally say that the treatment in here of 
affiliated companies as third parties can be seriously 
troublesome to diversified companies with diversified corporate 
structures. Many companies consist of dozens of different 
corporate structures, all of which may share a common customer 
data base. If a user's consent is required to share personally 
sensitive, personally identifiable information, even amongst 
controlled and affiliated subsidiaries, then many larger 
companies are going to be automatically potentially out of 
compliance, and just by the very nature of how data management 
infrastructures are built.
    So I look forward to working to the extent we can, and I 
hope we can in a bipartisan fashion with our Committee Members 
in an approach that informs and empowers individual choice, but 
also trusts the private sector to continue its good work in the 
market, and I believe that that approach means that we ought to 
move very cautiously.
    I would finally state, Mr. Chairman, let us not create any 
more government-imposed restrictions that create more problems 
than they solve.
    Thank you, Mr. Chairman.
    The Chairman. Thank you. Senator Wyden.

                  STATEMENT OF HON. RON WYDEN,
                    U.S. SENATOR FROM OREGON

    Senator Wyden. Thank you, Mr. Chairman. I want to start, 
Mr. Chairman, by commending you, because I think a lot of 
progress has been made in the last year on this issue. As all 
of us will recall a year ago, this Committee was to a great 
extent deadlocked over some arcane matters, particularly this 
opt-out and opt-in issue. You have produced a hybrid kind of 
approach that I think makes a lot of sense, and I am planning 
to work very closely with you in the days ahead so that we can 
report this legislation.
    There is an important challenge today, because I do not 
think this country can afford an EXXON VALDEZ of privacy. We 
have already seen some very serious problems. It was not very 
long ago when the Eli Lilly Company unintentionally 
disseminated the e-mail addresses of more than 600 people 
taking Prozac, and I would just say, particularly to people in 
industry, if there is an EXXON VALDEZ of privacy, it will not 
be possible to get the kind of preemption protection that is 
envisaged in this legislation.
    If there are those kinds of calamitous events, every State 
in this country is going to go off and essentially do their own 
thing, and at that point the horse will be out of the barn, and 
it will not be possible to get preemption protection, as many 
in industry are seeking.
    Now, there are a number of concerns that I have at this 
point. I do want to make sure that with respect to the notice 
provision that there is a short, understandable notice 
provision, something that consumers can become familiar with in 
the years ahead.
    I also think it is important to explore ideas for safe 
harbor provisions so that the many companies in this country 
that are acting responsibly will have a clear path of certainty 
and safety under the legislation that Congress may pass, but 
there is no question in my mind important progress has been 
made in the last year, and I look forward to working with you, 
Mr. Chairman and Senator McCain and others to report this 
legislation.
    The Chairman. Thank you. Senator Stevens.

                 STATEMENT OF HON. TED STEVENS,
                    U.S. SENATOR FROM ALASKA

    Senator Stevens. Thanks very much, Mr. Chairman. I do not 
have a written statement, but I would say that I agree with 
Senator McCain about the offline concept, and I think we 
probably should be willing, those of us who sponsor this 
legislation, to listen to some of those concerns.
    Also, I have some concerns that I have expressed to you 
about the right of private action, and I think there ought to 
be some limitation on that. We ought to rely on the agencies 
first and then rely on private action only when it is necessary 
to raise the issues in the courts.
    And Senator McCain, I do not know if you know it, some of 
the commissioners sent us copies of the letters they wrote back 
to you, others did not. If you would share all of them with us, 
I think it would be good for the record to know what the 
commissioners are thinking about this. I do think, as Senator 
Allen said, we have a job to do now, and it is time that we got 
this done, and I think we should not be afraid of broadening 
this legislation.
    Thank you very much.
    The Chairman. Very good. Senator Cleland.
    Senator McCain. Mr. Chairman, I would ask the letters be 
included in the record.
    The Chairman. Those letters will be included.
    [The information referred to follows:]

                                   Federal Trade Commission
                                     Washington, DC, April 24, 2002
Hon. John McCain,
Ranking Member,
Committee on Commerce, Science, and Transportation,
Washington, DC.

Dear Senator McCain:

    Thank you for your letter of April 19, 2002, requesting my views on 
S. 2201, the Online Personal Privacy Act.
    Personal privacy issues are a key priority at the Commission. 
Because a variety of practices can have negative consequences, consumer 
concerns about privacy are strong and justified. Avoiding these 
consequences requires a strong law enforcement presence, and we have 
increased by 50 percent FTC resources targeted to addressing privacy 
problems. Our agenda includes:

   A proposed rulemaking to establish a national, do not call 
        registry;

   Greater efforts to enforce both online and offline privacy 
        promises;

   Beefed up enforcement against deceptive spam;

   A new emphasis on assuring information security;

   Putting a stop to pretexting;

   Increased enforcement of the Children's Online Privacy 
        Protection Act; and

   New initiatives to both help victims of I.D. theft and 
        assist criminal prosecution of this crime.

    The concerns about privacy that motivate our enforcement agenda 
have led others, including many members of Congress, to propose new 
laws, such as S. 2201, the Online Personal Privacy Act. There are 
potential benefits from general privacy legislation. If such 
legislation could establish a clear set of workable rules about how 
personal information is used, then it might increase consumer 
confidence in the Internet. Moreover, federal legislation could help 
ensure consistent regulation of privacy practices across the 50 states. 
Although we should consider carefully alternative methods to protect 
consumer privacy and to reduce the potential for misuse of consumers' 
information, enactment of this type of general legislation is currently 
unwarranted. \1\
---------------------------------------------------------------------------
    \1\ There may be areas in which new legislation is appropriate to 
address a specific privacy issue. This letter addresses my concerns 
about broad, general legislation governing online privacy issues.
---------------------------------------------------------------------------
    Five points underscore my concern about general, online privacy 
legislation:
1. Drafting workable legislative and regulatory standards is 
        extraordinarily difficult.
    The recently-enacted Gramm-Leach-Bliley Act (``GLB''), which 
applies only to financial institutions, required the multiple mailings 
of over a billion privacy notices to consumers with little current 
evidence of benefit. \2\ Our experience with GLB privacy notices should 
give one great pause about whether we know enough to implement 
effectively broad-based legislation, even if it was limited to notices.
---------------------------------------------------------------------------
    \2\ I am unaware of any evidence that the passage of GLB increased 
consumer confidence in the privacy of their financial information. In 
contrast to GLB's notice requirements, certain GLB provisions targeting 
specific practices have directly aided consumer privacy. For example, 
the law prohibits financial institutions from selling lists of account 
numbers for marketing purposes, and makes it illegal for third parties 
to use false statements (``pretexting'') to obtain customer information 
from financial institutions in most instances.
---------------------------------------------------------------------------
    Unlike GLB, the proposed legislation deals with a wide variety of 
very different businesses, ranging from the websites of local retailers 
whose sales cross state lines to the largest Internet service providers 
in the world. Thus, implementation of its notice requirement will 
likely be even more complicated.
    Moreover, the legislation adds requirements for access not found in 
GLB. The recommendations of the FTC's Advisory Committee on Online 
Access and Security make clear that no consensus exists about how to 
implement this principle on a broad scale. \3\ Perhaps reflecting these 
same concerns, S. 2201 grants the FTC broad rulemaking authority. The 
only legislative guidance is the requirement that the procedures be 
reasonable. The statute is silent, for example, on how to balance the 
benefits of convenient customer access to their information with the 
inherent risks to security that greater access would create. The FTC 
has no answer to this conundrum. We do not know how to draft a workable 
rule to assure that consumers' privacy is not put at risk through 
unauthorized access.
---------------------------------------------------------------------------
    \3\ The Committee's Final Report is available at 
www.ftc.gov/acoas/papers/finalreport.htm.
---------------------------------------------------------------------------
    The inherent complexity of general privacy legislation raises many 
difficulties even with provisions that are conceptually attractive in 
the abstract. For example, the proposed legislation imposes different 
requirements on businesses based on whether they collect ``sensitive'' 
or ``nonsensitive'' personal information. Although this may be a 
conceptually sound approach, we have no practical experience in 
implementing it, and attempting to draw such distinctions appears 
fraught with difficulty, both in drafting regulations and assuring 
business compliance. Under the statute, for example, the fact that I am 
a Republican is considered sensitive, but a list of books I buy and 
websites I visit are not.
    Similarly, the broad state preemption provision would provide 
highly desirable national uniformity. Questions about the scope of 
preemption would inevitably arise, however. How would the preemption 
provision affect, for example, state laws on the confidentiality of 
attorney/client communications for attorneys using websites to increase 
their efficiency in dealing with their clients? Moreover, what are the 
implications for state common law invasion of privacy torts when the 
invasion of privacy occurs online?
    Another problem is that, except for provisions reconciling the 
provisions of this bill with the provisions of the Children's Online 
Privacy Protection Act and certain provisions of the Federal 
Communications Act, there are no provisions reconciling the proposed 
legislation with other important Federal privacy legislation. For 
example, it is unclear how S. 2201's requirement of notice and ``opt-
in'' choice for disclosure of financial information collected online 
would be reconciled with GLB's notice and ``opt-out'' requirements for 
the same information. Nor is it clear whether a credit reporting 
agency's use of a website to facilitate communications with its 
customers would subject it to a separate set of notice, access, and 
security requirements, beyond those already in the Fair Credit 
Reporting Act.
    I want to emphasize that I note these examples, not to criticize 
the drafting of the proposed legislation, but to illustrate the 
inherent complexity of what it is trying to accomplish.
2. The legislation would have a disparate impact on the online 
        industry.
    Second, I am concerned about limiting general privacy legislation 
to online practices. Whatever the potential of the Internet, most 
observers recognize that information collection today is also 
widespread offline. Legislation subjecting one set of competitors to 
different rules, simply based on the medium used to collect the 
information, appears discriminatory. Indeed the sources of information 
that lead to our number one privacy complaint--ID Theft--are frequently 
offline. Of course, applying the legislation offline would increase the 
complexity of implementation, again underscoring the difficulties 
inherent in general privacy legislation.
3. We have insufficient information about costs and benefits.
    Third, although we know consumers value their privacy, we know 
little about the cost of online privacy legislation to consumers or the 
online industry. Again, the experience under GLB indicates that the 
costs of notice alone can be substantial. Under S. 2201, these costs 
may be increased by the greater number of businesses that must comply, 
by uncertainty over which set of consent procedures apply, and by the 
difficulty of implementing access and security provisions.
4. Rapid evolution of online industry and privacy programs is 
        continuing.
    Fourth, the online industry is continuing to evolve rapidly. Recent 
surveys show continued progress in providing privacy protection to 
consumers. \4\ Almost all (93 percent) of the most popular websites 
provide consumers with notice and choice regarding sharing of 
information with third parties. Some of the practices of most concern 
to consumers, such as the use of third party cookies, have declined 
sharply. Moreover fewer businesses are collecting information beyond 
email addresses. These changes demonstrate and reflect the more 
important form of choice: the decision consumers make in the 
marketplace regarding which businesses they will patronize. Those 
choices will drive businesses to adopt the privacy practices that 
consumers desire.
---------------------------------------------------------------------------
    \4\ The Progress and Freedom Foundation recently released the 
results of its 2001 Privacy Survey, available at 
www.pff.org/pr/pr032702privacyonline.htm.
---------------------------------------------------------------------------
    Perhaps most important for the future of online privacy protection, 
23 percent of the most popular sites have already implemented the 
Platform for Privacy Preferences (P3P). This technology promises to 
alter the landscape for privacy disclosures substantially. Microsoft 
has incorporated one implementation of P3P in its web browser; AT&T is 
testing another, broader implementation of this technology. By the time 
the Act's disclosure regulations might reasonably take effect, \5\ the 
technological possibilities for widespread disclosure may differ 
substantially. Although S. 2201 anticipates this development by 
requiring the National Institute of Standards to promote the 
development of P3P technology, legislation enacted now cannot take 
advantage of such nascent technology. Moreover, it may inadvertently 
reduce the incentives for businesses and consumers to adopt this 
technology if disclosures are required using other approaches.
---------------------------------------------------------------------------
    \5\ Again, GLB is instructive. It was almost two years between the 
enactment of the statute and the effective date of the privacy rules 
promulgated thereunder.
---------------------------------------------------------------------------
5. Diversion of resources from ongoing law enforcement and compliance 
        activities.
    Finally, there is a great deal the FTC and others can do under 
existing laws to protect consumer privacy. Indeed, since 1996, five new 
laws have had a substantial impact on privacy-related issues. \6\ We 
should gain experience in implementing and enforcing these new laws 
before passing general legislation. Implementation of yet another new 
law will require both industry and government to focus their efforts on 
a myriad of new implementation and compliance issues, thus displacing 
resources that might otherwise improve existing privacy protection 
programs and enforce existing laws. Simply shifting more resources to 
privacy related matters will not, at least in the short term, correct 
this problem. The newly-assigned staff would need to develop the 
background necessary to deal with these often complex issues. The same 
is likely true for business compliance with a new law. Without more 
experience, we should opt for the certain benefits of implementing our 
aggressive agenda to protect consumer privacy, rather than the very 
significant effort of implementing new general legislation.
---------------------------------------------------------------------------
    \6\ Fair Credit Reporting Act, 15 U.S.C. Sec. 1681 (amended 9/30/
96); Health Insurance Portability and Accountability Act, 42 U.S.C. 
Sec. 1320 (enacted 8/21/98); Children's Online Privacy Protection Act, 
15 U.S.C. Sec. 6501 (enacted 10/21/98); ID Theft Assumption & 
Deterrence Act, 18 U.S.C. Sec. 1028 (enacted 10/30/98); GLB, 15 U.S.C. 
Sec. 6801 (enacted 11/12/99). Moreover, since 1996, the FTC has been 
applying its own statute to protect privacy.
---------------------------------------------------------------------------
Conclusion
    We share the desire to provide American consumers better privacy 
protection and to ensure that American businesses face consistent state 
and Federal standards when handling consumer information. Nonetheless, 
we believe that enactment of this general online privacy legislation is 
premature at this time. We can better protect privacy by continuing 
aggressive enforcement of our current laws.
        Sincerely,
                                           Timothy J. Muris
                                                           Chairman
                                 ______
                                 
                                   Federal Trade Commission
                                     Washington, DC, April 24, 2002
Hon. John McCain,
Ranking Member,
Committee on Commerce, Science, and Transportation,
Washington, DC.
              Re: S. 2201 (The Online Personal Privacy Act)

Dear Senator McCain:

    I am pleased to provide my views on S. 2201, the Online Personal 
Privacy Act, which was introduced by Chairman Hollings on April 18, 
2002. Although I share the view of the sponsors of this legislation 
that privacy is important to American consumers, there has been no 
market failure that would justify the passage of legislation regulating 
privacy practices concerning most types of information. Even if such a 
market failure exists, I am not persuaded that the benefits of such 
legislation, including the proposed Online Personal Privacy Act, exceed 
its costs.
    Indeed, the best means of protecting consumer privacy without 
unduly burdening the New Economy is through a combination of industry 
self-regulation and aggressive enforcement of existing laws that are 
relevant to privacy by the FTC and other appropriate regulatory 
agencies. This approach is flexible enough to respond rapidly to 
technological change and to the tremendous insight we are gaining from 
the ongoing dialogue among government, industry, and consumers on 
privacy issues.
    You have asked for my assessment of whether legislation is needed. 
I believe legislation should be reserved for problems that the market 
cannot fix on its own. To my knowledge, there is no evidence of a 
market failure with respect to online privacy practices, nor are there 
signs of impending market failure that would warrant burdensome 
legislation. As a result of a continuing and energetic dialogue among 
industry, government and consumer representatives, industry is stepping 
up to the plate and leading the way toward enhancing consumer privacy 
online. Flexible and efficient privacy tools are increasingly 
addressing consumer concerns. Indeed, the evidence indicates that the 
market is responding to consumers' concerns and demands about privacy.
    A recent Progress and Freedom Foundation study \1\ tells us that 
there has been a significant decline in the amount of personal 
information that websites are collecting from visitors. \2\ At the same 
time, there has been an increase in the voluntary adoption of privacy 
practices. The study indicates that privacy policies have become more 
common and more consumer-friendly over the past year. In addition, the 
percentage of the most popular sites offering consumers a choice 
whether their information can be shared with third parties increased 
from 77% in 2000 to 93% in 2001. The privacy-enabling technology, 
Platform for Privacy Preferences (P3P), is being deployed rapidly, and 
industry has generally become more responsive to the privacy concerns 
of consumers.
---------------------------------------------------------------------------
    \1\ Adkinson, William F. Jr., Jeffrey A. Eisenach, Thomas M. 
Lenard, Privacy Online: A Report on the Information Practices and 
Policies of Commercial Web Sites. Washington, D.C.: Progress & Freedom 
Foundation (2002). Available at: 
http://www.pff.org/publications/privacyonlinefinalael.pdf.
    \2\ Among the most popular 100 sites, the proportion collecting 
personal information fell from 96% in 2000 to 84% in 2001. Similar to 
this finding, the proportion of those firms employing ``cookies'' fell 
from 78% to 48% in the past year.
---------------------------------------------------------------------------
    These trends clearly demonstrate that the online marketplace is 
dynamic, and that firms are working hard to find the ``right'' pattern 
for information management practices. In addition, the survey results 
show that the most frequently visited websites (and much of the 
Internet as a whole) have clearly recognized that information 
management policies and privacy practices are necessary parts of 
everyday business on the Internet. Consumers expect privacy protection 
and firms realize that it is to their competitive advantage to respond 
to customer expectations. To the extent that consumers have demanded 
privacy, these results show that the market has provided it.
    Contrary to arguments by proponents of legislation that consumers' 
privacy concerns are retarding the growth of electronic commerce, 
electronic commerce is growing rapidly without new privacy legislation. 
Online transactions have roughly doubled each year between 1997 and 
1999, and annual consumer purchases have risen from roughly $5 billion 
in 1998 to $32 billion in 2001. Recent data on online holiday shopping 
are even more dramatic, rising from roughly $1 billion in 1997 to 
nearly $14 billion in 2001--a 1300% increase. E-commerce thus is 
growing rapidly in the absence of new privacy regulation. \3\
---------------------------------------------------------------------------
    \3\ It is interesting to compare the growth of electronic commerce 
to the growth in the use of debit cards. Between 1988 and 1996, debit 
transactions slowly rose from virtually nothing to less than $50 
billion annually. As consumers' experience with these cards increased, 
however, debit card spending jumped to $300 billion in 2000. This 
massive growth in debit card transactions was not caused by federal 
regulatory action, but resulted from consumers' positive experiences 
with the cards.
---------------------------------------------------------------------------
    For many years now, it has been my understanding that Congress 
seeks to weigh the costs and benefits of new legislation, with the goal 
of avoiding doing more harm than good. To my knowledge, there is no 
evidence concerning the costs associated with the proposed legislation, 
nor an assessment of whether those costs are outweighed by the ill-
defined economic benefits that might follow. I do not believe 
legislation should be adopted without careful consideration of the 
problems it may create.
    Perhaps the most glaring cost associated with the bill, and with 
any online-specific privacy legislation, is that it discriminates in 
favor of offline commerce. It is important to remember that electronic 
commerce currently constitutes a very small portion of all commercial 
activity. It is difficult to understand drawing a distinction between 
offline and online privacy. I would suggest that it is likely that 
consumers share similar concerns in both situations. I believe it is 
essential to consider the costs and benefits of regulating both online 
and offline privacy before any legislation is enacted.
    To evaluate other costs associated with the notice and choice 
requirements of the Online Personal Privacy Act, the Commission's 
experience with the Gramm-Leach-Bliley Act (GLB Act) is instructive. 
The GLB Act requires that financial institutions issue privacy notices 
to their customers and, in certain circumstances, provide them with the 
opportunity to opt out of disclosures of nonpublic personal information 
to nonaffiliated third parties. To comply with the GLB Act last year, 
firms incurred great expense in disseminating privacy notices, yet very 
few consumers opted out. Among the difficulties encountered in 
complying with the GLB Act was the challenge of communicating complex 
information to consumers. Industry would face these same challenges in 
communicating notice and choice in the online context, and a 
requirement to provide ``robust'' notice to consumers does little to 
solve these problems. It also would be difficult for static regulation 
to keep pace with technology. For example, regulation mandating notice 
provided on a website may be inapplicable to Web-enabled handheld 
devices, such as cell phones.
    A requirement to provide ``reasonable access and security'' is 
difficult to define. In its May 2000 report, the Commission's Advisory 
Committee on Online Access and Security was unable to reach consensus 
as to the amount and type of access that should be provided to 
consumers. \4\ Given the complexity of this issue, I do not believe 
that it is a suitable topic for broad-based legislation or regulation. 
More important, the Commission already has the ability to address 
security breaches through the enforcement of existing statutes. \5\
---------------------------------------------------------------------------
    \4\ In 1999, the Commission established an Advisory Committee on 
Online Access and Security to provide advice and recommendations to the 
Commission regarding implementation of reasonable access and adequate 
security by domestic commercial websites. The Committee's final report 
to the Commission on May 15, 2000, described options for implementing 
reasonable access to, and adequate security for, personal information 
collected online and the advantages and disadvantages of each option.
    \5\ See In the Matter of Eli Lilly and Co., FTC File No. 012 3214 
(consent agreement accepted, Jan. 17, 2002) (alleging that Eli Lilly 
unintentionally disclosed personal information collected from consumers 
by not taking appropriate steps to protect the confidentiality and 
security of that information).
---------------------------------------------------------------------------
    In addition, I am not aware of reliable information about the 
likely costs associated with providing access and, in particular, the 
costs of maintaining a clickstream database that could be easily 
accessible to consumers and easily altered. \6\ I therefore question 
whether the $3.00 fee allowed by S. 2201 for consumers to obtain access 
to their information would be sufficient to cover the expense. Although 
some firms--obviously the larger ones--might be able to absorb the 
costs associated with this access mandate, other firms might be unable 
to provide the service for a minimal fee and would be unable to 
continue business with their current model. This possibility seems 
terribly unfair to small business and harmful to competition in 
electronic commerce.
---------------------------------------------------------------------------
    \6\ Under the proposed legislation, clickstream data, as collected 
by third-party cookies, are considered to be personally identifiable 
information to which consumers should have access.
---------------------------------------------------------------------------
    Finally, in an attempt to empower consumers, this legislation gives 
them a private right of action. While this measure is aimed at 
increasing compliance with the law, I fear that a private right of 
action may result in unintended consequences. More specifically, 
increased private litigation over information management policies may 
chill further innovation on the part of businesses that may fear that 
any change in their information management practices will be met with 
lawsuits.
    In summary, the electronic marketplace is still evolving. Industry 
and government have been working diligently to address consumers' 
privacy concerns. Businesses have made admirable progress over the past 
several years and have no intention of standing down. Industry leaders 
are directly involved in seeking solutions to meet consumer demands and 
concerns. From a business standpoint, it just makes good sense. Now is 
not the time for the federal government to legislate and effectively 
halt progress on these self-regulatory efforts. New, complicated, and 
ambiguous laws will force innovation and investment to take a back seat 
to compliance and bureaucratic process. At the end of the day, we will 
have made far less progress in finding solutions to privacy concerns 
than we would have if we had simply relied on government and private 
sector cooperation and market forces.
    Thank you for the opportunity to offer my views on these issues. I 
look forward to working with you in the future.
        Sincerely,
                                             Orson Swindle,
                                                       Commissioner
                                 ______
                                 
                                   Federal Trade Commission
                                     Washington, DC, April 24, 2002
Hon. John McCain,
Ranking Member,
Committee on Commerce, Science, and Transportation,
Washington, DC.
              Re: S. 2201 (The Online Personal Privacy Act)

Dear Senator McCain:

    In anticipation of the Senate Commerce Committee's April 25, 2002 
hearing on S. 2201, the Online Personal Privacy Act (``OPPA''), you 
have asked each Commissioner of the Federal Trade Commission to comment 
on whether legislation is needed and, if so, what such legislation 
should contain. As you know, the FTC has long been involved with the 
issue of consumer privacy and I have also personally devoted a great 
deal of time and thought to this matter. Accordingly, I appreciate the 
opportunity to offer my views about privacy legislation and comment on 
the principal features of the OPPA.
    In the past, a particular area of focus for me has been the 
question of whether federal legislation is necessary. In the 
Commission's May 2000 Congressional Report, ``Privacy Online: Fair 
Information Practices in the Electronic Marketplace,'' a majority of 
the FTC recommended that Congress enact online privacy legislation. In 
my accompanying statement and written testimony, I expressed my support 
for thoughtful and balanced online privacy legislation that is coupled 
with meaningful self-regulation and enforcement of existing laws. \1\
---------------------------------------------------------------------------
    \1\ This position represented a change from my prior opinion which 
did not support legislation but, instead, called for industry self-
regulatory measures. Compare Statement of Commissioner Mozelle W. 
Thompson Before Senate Comm. On Commerce, Science and Transp. (May 25, 
2000), with Statement of Commissioner Mozelle W. Thompson Before Senate 
Comm. On Commerce, Science and Transp. (July 13, 1999).
---------------------------------------------------------------------------
    I also stated that such privacy legislation should incorporate the 
well-established fair information practice principles of notice, 
choice, access and security and should provide for federal preemption 
of inconsistent state laws. Further, legislation should be organic and 
sufficiently flexible to take into account the type and sensitivity of 
the data at issue.
    My conclusion has not changed and, as discussed below, I believe 
that today's market conditions make an even more compelling case for 
legislation. Moreover, I support the OPPA because it contains the above 
described elements and represents a thoughtful, balanced and well-
reasoned approach to the privacy issue.
On-line Privacy Legislation Is Needed
    Consumer confidence is one of the most important features of 
American economic strength and, as demonstrated by recent declines in 
dot-com industries, emerging markets and young industries are 
particularly vulnerable to consumer uncertainty. It is not surprising 
then, that those industries involved in the developing electronic 
marketplace, or ``e-commerce,'' have begun to direct greater attention 
and more resources to strategies that address consumer confidence. 
Members of this industry are asking what is needed to allow e-commerce 
to reach its potential and fully develop into a stable and robust 
market? One answer is data privacy.
    Studies continue to indicate that consumers' foremost concern with 
respect to e-commerce is the privacy of their personal data. Indeed, 
last year Forrester Research estimated that consumers' online privacy 
concerns cost $15 billion of potential e-commerce revenue. Also, 73% of 
online consumers who refused to purchase online did so because of 
privacy concerns. Moreover, one need only compare the stock prices of 
those companies engaged in online profiling, before and after settling 
complaints about their business practices, to find a clear example of 
the value to consumers of certainty and confidence in a new market.
    To date, the FTC has provided a strong privacy foundation by way of 
the agency's law enforcement regime combined with our efforts in 
promoting industry self-regulation. Although consumers and businesses 
involved in e-commerce have benefitted from these efforts, they are no 
longer sufficient because there are still online companies that fail to 
protect consumer information. Without a legislative backdrop, too much 
of the risk of e-commerce is shifted to the consumer at a time when 
consumer confidence is critical. Law enforcement measures are by their 
nature retroactive, focusing on events that have already occurred. Once 
a consumer has lost his or her privacy--be it through identity theft, 
the creation of an unauthorized profile based upon the consumer's 
online activities or by some other means--it is generally impossible to 
make that consumer whole again.
    This condition is made more serious because the Internet allows 
instantaneous, inexpensive and unlimited transmission of data while 
computer databases permit storage and unprecedented manipulation. 
Moreover, it is difficult for the consumer to even know that his or her 
privacy has been violated until, in some cases, years after the fact. 
\2\ Consequently, without legislation, e-commerce will remain an 
uncertain marketplace in which only those consumers on the fringe will 
participate.
---------------------------------------------------------------------------
    \2\ These features, coupled with technology that allows websites to 
surreptitiously collect consumer information, distinguish the online 
consumer environment from the offline world.
---------------------------------------------------------------------------
    The absence of legislation also forces the Commission into the 
unusual position of going after the good actors that have strong 
privacy policies, while the bad remain largely unreachable by agencies 
like the FTC, thus leaving these businesses free to violate consumer 
trust. Without the type of legislative backdrop that the Commission 
called for in 2000, and which OPPA provides, I am afraid there will 
continue to be many free riders and companies with inadequate 
information practices.

Necessary Elements For Effective Privacy Legislation
    I believe that the OPPA addresses many of the most delicate 
problems associated with a legislative privacy framework. First, it 
contains the fair information principles and allows for flexibility and 
change. The OPPA avoids a ``one size fits all'' approach to the notice 
requirements and provides a reasonableness test for access. The OPPA is 
also more reflective of a ``real world'' consumer environment because 
it employs a sliding scale that affords more protection to more 
sensitive information.
    Second, by preempting state law, the OPPA will prevent the 
possibility of multiple standards that could ``Balkanize'' e-commerce 
and prove overly burdensome to business and too confusing for 
consumers. Finally, in granting the FTC rulemaking authority, the OPPA 
will permit strong enforcement, with special sensitivity to industry 
and consumer needs, while also providing a means for state 
participation.
    Thank you again for providing me with this opportunity to discuss 
privacy legislation and the OPPA. I also hope that you will continue to 
consider the FTC a resource as your work progresses on this important 
issue.
        Sincerely yours,
                                       Mozelle W. Thompson,
                                                       Commissioner
                                 ______
                                 
                                   Federal Trade Commission
                                     Washington, DC, April 24, 2002
Hon. John McCain,
Ranking Member,
Committee on Commerce, Science, and Transportation,
Washington, DC.

Dear Senator McCain:

    Thank you for your letter of April 19, 2002 asking me to comment on 
Chairman Hollings' Senate Bill 2201, ``The Online Personal Privacy 
Act.'' Your letter asked two questions: First, whether I believe 
legislation is needed, and if so, what it should contain. Second, you 
asked for my comments on the principal features of S. 2201.

I. Is legislation needed?
    Yes, legislation is needed to protect consumers' privacy. Absent 
federal standards to be followed by all persons and entities that 
collect private information, it is unlikely that consumers will be 
adequately protected from identity theft, commercial harassment, and 
hucksterism. In addition, dissatisfaction with and mistrust of online 
business practices by the American people will continue to grow; an 
uneven patchwork of state laws will proliferate; and consumer 
confidence in e-commerce will be undermined.
    Industry has not been able or willing to effectively self-regulate. 
While some responsible companies have stepped up to the plate, the 
financial incentives work against a universal commitment by e-business 
to provide effective privacy protection for consumers. Business 
interests will undoubtedly point to a recent Progress and Freedom 
Foundation survey as evidence that federal legislation is not necessary 
because websites are collecting less personally identifiable 
information and privacy notices are prevalent, more prominent, and more 
complete. These arguments completely miss the mark. First, the survey 
reveals that nearly all sites surveyed continue to collect personally 
identifiable information. \1\ Second, the mere posting of a privacy 
policy does not ensure effective consumer protection and often is only 
pretty packaging of empty content.
---------------------------------------------------------------------------
    \1\ The survey indicated that 90 percent of the random sample, and 
96 percent of the most popular sites, collect personally identifiable 
information compared with 97 percent and 99 percent in 2000. This is 
hardly a statistically significant decline. In fact, an April 11, 2002, 
New York Times article (attached) chronicled how some of the Internet's 
most frequently visited sites are expanding their collection and 
commercial use of personally identifiable information.
---------------------------------------------------------------------------
    Just any legislation is not enough. In my view, strong privacy 
legislation should:

   preempt inconsistent or weaker state law;

   incorporate effective notice and choice, adequate access, 
        reasonable security, and strong enforcement remedies;

   be free from exceptions created for special interests or 
        industries;

   require affirmative consumer consent before sensitive 
        personally identifiable information is collected through any 
        means either online or offline; and

   avoid tactics that unduly delay the effective date of the 
        Act.

II. Senate Bill 2201
    Senate Bill 2201 provides long-awaited, strong protection measures 
for consumers in the online world. My only concern with this proposed 
legislation is its limited reach. In my view, federal legislation is 
necessary to protect the privacy of personally identifiable consumer 
information in the offline as well as online commercial realms. These 
marketplaces are often intertwined and indistinguishable. In fact, I 
believe that the wired world facilitates the effective, constant 
aggregation of endless varieties of real-time ``surfer'' information 
and combines it with commercial information gathered through 
traditional ``offline'' means. I would strongly support the expansion 
of this Bill's consumer protections to the ``offline'' collection of 
personally identifiable consumer information.
    That said, Senate Bill 2201 is a balanced, comprehensive approach 
to protecting consumer privacy online. By incorporating the concepts of 
notice, choice, access, security, and enforcement, it creates a level 
playing field for both consumers and industry. However, I offer the 
following comments:

Preemption
    I believe that federal legislation should preempt inconsistent and 
weaker state privacy laws which do not effectively protect consumers 
and tend to frustrate the development of e-commerce. On the other hand, 
I generally support the power of states to enact legislation that 
offers their citizens stronger consumer protections than federal law 
where the federal law merely establishes a ``floor'' of minimum 
protection standards. However, if passage of a federal law ``with 
teeth,'' is feasible, I believe that both consumers and industry would 
value the uniformity and predictability that federal preemption offers.
Title I--Online Privacy Protection
Section 101
    I applaud Title I's coverage of personally identifiable information 
that is collected, used or disclosed. Previous bills focused only on 
the ``collection'' of information, yet many privacy breaches occur when 
information is used or disclosed without the consumer's knowledge or 
consent after collection.

Notice and Consent
    I strongly support the inclusion of Section 102(b) which requires a 
consumer's affirmative consent (``opt-in'') before, or at the time 
that, certain sensitive information is collected. An opt-in consent 
requirement guarantees consumer notice and meaningful choice, and 
compels the collector to clarify its practices in order to entice the 
consumer to agree to them. It effectively equalizes the bargaining 
position of consumers and e-merchants in the market for personal 
information.
    While I prefer an opt-in standard for the collection of all 
personally identifiable information, the Bill's requirement of robust 
notice and opt-out consent for nonsensitive personally identifiable 
information improves on the level of notice and choice currently 
provided by many websites. Also, I support the permanence of consent 
provision found in Section 102(e), which essentially provides that a 
consumer's privacy preferences stay with the user despite corporate 
changes.
    Section 103's requirement that changes in privacy policies or the 
existence of privacy breaches be communicated to consumers is 
particularly commendable. Many websites place the privacy protection 
burden on consumers to keep track of changes in a website's privacy 
policy. Section 103 appropriately places that responsibility on the 
internet service provider, online service provider, or operator of a 
commercial website. Likewise, the Bill's provision requiring user 
notification of material changes in the privacy policy allows consumers 
to utilize updated, relevant information when deciding how or whether 
to protect their own personal information. Section 103 illustrates the 
balanced approach of this Bill to the extent it acknowledges that there 
may be situations where delayed consumer notification is appropriate.
    The exceptions contained in Section 104 seem reasonable and again 
reflect the Bill's inherent respect for the need to balance the vital 
privacy interests of consumers with the economic and financial 
interests of e-business.

Access
    The access provision of Section 105 appropriately enables consumers 
to suggest corrections or deletions of personally identifiable 
information that the provider or operator has collected or combined 
with personally identifiable information gathered from other sources. 
The reasonableness test incorporated in this section strikes an 
appropriate balance among the competing interests of consumer privacy, 
the relative sensitivity of different types of personal information, 
and the burdens and costs imposed on the website operator.

Security
    The security provision in Section 106 is consistent with the 
approach taken by the Commission in its Gramm-Leach-Bliley Act Security 
Rulemaking. Rather than dictate a one-size-fits-all solution, it is up 
to the website to establish and maintain reasonable procedures 
necessary to protect the security, confidentiality, and integrity of 
the data it maintains.

Title II--Enforcement
    I am impressed with the range of remedies included under this 
Title, including the authority to impose civil penalties and establish 
redress funds for consumers for violations of Title I. In addition, 
this Title allows private rights of action as well as state actions.

Title III--Application to Congress and Federal Agencies
    To my knowledge, the federal agencies do not trade in private 
consumer information for commercial purposes. Therefore, I see no 
justification for Section 302. However, I do believe that federal 
agencies should provide notice to consumers about their information 
collection practices consistent with applicable federal law.

Title IV--Miscellaneous
    Section 402 provides that the effective date of the Act will be the 
day after the date the Commission publishes a final rule under Section 
403. While I am pleased that there is no ``grace period'' for 
compliance with this Title, I am disappointed that data collectors will 
be free from liability for data they collected without consumer consent 
before the Act's effective date. I also hope that Congress will resist 
obvious delaying tactics, such as proposals for additional studies.

Technical concerns
    Section 403 may need technical modifications to achieve the Bill's 
goals. Our staff would be pleased to assist you in these efforts. 
Specifically, Section 403 should reflect that the rulemaking 
contemplated by the Act is to be conducted pursuant to the Administrative 
Procedures Act rather than through a Magnuson Moss Rulemaking.
    I appreciate the opportunity to express my views, and I hope they 
are helpful.
        Sincerely,
                                         Sheila F. Anthony,
                                                       Commissioner
                                 ______
                                 
                                   Federal Trade Commission
                                     Washington, DC, April 24, 2002
Hon. John McCain,
Ranking Member,
Committee on Commerce, Science, and Transportation,
Washington, DC.

Dear Senator McCain:

    You have asked that members of the Federal Trade Commission provide 
their individual views on a privacy bill, ``The Online Personal Privacy 
Act,'' S. 2201, and I am pleased to respond.
    It is important to express a key reservation up front. This 
statement of my individual views is constrained by my understanding of 
the context of your request. Like any other citizen, I have personal 
views on fundamental issues in the privacy debate (e.g., the question 
of whether it is appropriate to speak of a ``right to privacy'' in the 
context of private consensual transactions as opposed to intrusions by 
government; the balance between any privacy rights of one party and the 
First Amendment rights of another; and the question of whether it is 
realistic to expect that most barriers to disclosure will prove 
effective in the long term). However, there is no reason why you or any 
other lawmaker should be particularly interested in my opinions about 
these value-laden issues, so I understand that you are asking for my 
views in the context of the responsibilities and capabilities of the 
Federal Trade Commission. In other words, this response is constrained 
by an appreciation of the limitations of our institutional expertise. 
\1\
---------------------------------------------------------------------------
    \1\ My previous statements on privacy issues are enclosed with this 
letter.
---------------------------------------------------------------------------
    To be blunt, I do not believe it is my place to advise Congress on 
the bottom line issue of whether it is or is not a good idea to 
legislate on privacy issues. (To the extent I presumed to do so in the 
past, I have changed my mind.) The Federal Trade Commission, in my 
view, functions best as a facilitator, which attempts through law 
enforcement and education \2\ to ensure that consumers are not 
misinformed about the goods and services that they buy and that sellers 
are not disabled by illegal private constraints. But, in the absence of 
Congressional direction to the contrary, we are neutral about the terms 
of sale that are freely determined. We have strong institutional 
confidence in the ability of adequately informed consumers to make 
their own choices about what they want (including, presumably, varying 
levels of privacy protection) without interference from government. We 
are good at specifying what is adequate disclosure of the terms of sale 
but we are not good at devising rules for what the terms of sale should 
be.
---------------------------------------------------------------------------
    \2\ The Commission also provides a forum for the exchange of views 
among outside individuals and groups.
---------------------------------------------------------------------------
    With this awareness of our limitations, I join with those 
colleagues who express serious reservations about the ``Online Personal 
Privacy Act,'' S. 2201. I generally concur in their conclusions, but 
write separately to emphasize my particular perspective. I simply do 
not believe that S. 2201 can be enforced in a coherent way. The 
following is a summary list of the reasons:

         1. I do not believe it is workable or reasonable to treat 
        privacy differently in the online world than in the offline 
        world to the extent that the information collected is the same, 
        regardless of the site of collection or the means of 
        dissemination. It is obvious that different modes of disclosure 
        might be required, but it is illogical to regulate one medium 
        and not the other.

         2. Congress may, in its judgment, determine that it is 
        appropriate to mandate some form of ``notice'' to consumers 
        about what will happen to their personal information. For one 
        thing, mandated notice would eliminate the present awkward 
        situation whereby a company that volunteers information about 
        its privacy policy \3\ risks prosecution if the information is 
        inaccurate, but one that volunteers nothing risks nothing. \4\ 
        Recent experience with mandated notice, however, suggests that 
        it is not enough for Congress simply to require that it be 
        done. \5\ Businesses have to be given more precise guidance 
        about the forms of notice that will be useful to consumers. 
        This is something that the Federal Trade Commission, as an 
        institution, knows something about. It might be appropriate to 
        direct the Commission or some other appropriate body to survey 
        the quality of notices that are either voluntarily provided or 
        mandated today, and then recommend a template for notice that 
        would be meaningful. This project would inform the policy 
        debate and ultimately, perhaps, provide the framework for 
        legislation.
---------------------------------------------------------------------------
    \3\ And, apparently, an overwhelming majority do, according to the 
most recent evidence. William F. Adkinson, Jr., Jeffrey A. Eisenach and 
Thomas Lenard, Progress & Freedom Foundation, ``Privacy Online: A 
Report on the Information Practices and Policies of Commercial 
Websites'' www.pff.org/pr/pr032702privacyonline.htm.
    \4\ The vendor may, of course, incur marketplace risk.
    \5\ Gramm-Leach-Bliley Act, 15 U.S.C. Sec. Sec. 6801-6810; and 
Interagency Public Workshop: Get Noticed: Effective Financial Privacy 
Notices (December 4, 2001) 
http://www.ftc.gov/bcp/workshops/glb/index.html.

         3. The issue of ``choice'' or ``consent'' is much more complex 
        than the bill seems to recognize. At first glance, it seems 
        obvious that the whole purpose of notice is to enable consumers 
        to make informed choices. It is necessary, however, to think 
        about the consequences of choice. If there is no cost or 
        reduced benefit associated with the choice to opt-out (or 
        failure to opt-in), then the added expense of accommodating 
        these choices will be borne by consumers less tender of their 
        privacy. (No one suggests that people who do not want to use 
        their supermarket charge cards because of the information 
        disclosed should be entitled to the discount anyway.) On the 
        other hand, if privacy-conscious consumers are disadvantaged 
        too much, their only practical ``choice'' is to seek another 
        provider, and mandated ``opt-outs'' or ``opt-ins'' become 
        essentially meaningless. There would have to be some regulatory 
        regime to determine what is a reasonable in-between position in 
        these circumstances, and I have no idea how this could be done 
        across-the-board.

         4. Under the bill, further refinements of ``access'' and 
        ``security'' would presumably need to be spelled out in 
        rulemaking proceedings. \6\ As I have said before, ``[i]t is 
        not appropriate to defer all the tough issues for future rule-
        making.'' \7\ I personally believe, for example, that there is 
        a vast disparity between the costs and benefits of an access 
        regime in most situations, and I further believe that the costs 
        of merely developing and enforcing across-the-board rules would 
        also vastly exceed the benefits. Congress may want to consider 
        whether any tailored expansion of present rights is necessary, 
        \8\ but a blanket mandate of ``access'' rights is unlikely to 
        result in significant benefits overall.
---------------------------------------------------------------------------
    \6\ S. 2201, Section 403.
    \7\ Federal Trade Commission, ``Online Profiling: A Report to 
Congress'' (Part 2) (Statement of Commissioner Thomas B. Leary, 
Concurring in Part and Dissenting in Part)(July 2000) 
http://www.ftc.gov/os/2000/07/onlineprofiling.htm#LEARY.
    \8\ The Fair Credit Reporting Act, 15 U.S.C. Sec. Sec. 1681 et 
seq., and the Children's Online Privacy Protection Act of 1998, 15 
U.S.C. Sec. Sec. 6501 et seq., are among the federal laws that grant 
access rights.

    These are major objections, but the following issues are also 
significant:

         5. S. 2201 distinguishes ``sensitive'' from ``non-sensitive'' 
        personal information. \9\ These categories seem arbitrary. For 
        example, as Chairman Muris points out in his letter to you of 
        this date, some might feel that information about the books 
        they read is a lot more sensitive than their political 
        affiliation. Moreover, information that is merely ``inferred'' 
        from data \10\ may be just as sensitive as information 
        ``about'' \11\ certain aspects of an individual. \12\
---------------------------------------------------------------------------
    \9\ S. 2201, Sections 102 and 401.
    \10\ S. 2201, Section 401.
    \11\ S. 2201, Section 401.
    \12\ See, In the Matter of Eli Lilly and Co., FTC File No. 012-3214 
(January 18, 2002) http://www.ftc.gov/opa/2002/01/elililly.htm. This 
case involved the improper disclosure of the identity of people who had 
regularly obtained information about a certain psychotropic medication, 
but did not disclose whether they actually took the medication.

         6. The distinction between ``clear and conspicuous'' notice 
        and ``robust'' notice \13\ seems unworkable as a legal mandate. 
        Articulation of the latter undercuts the significance of the 
        former. If some form of notice is ever mandated by Congress, it 
        should be both.
---------------------------------------------------------------------------
    \13\ S. 2201, Sections 102 and 401.

         7. The bill is silent about the extent to which privacy 
        protections travel with consumers' personal information. In 
        general, Gramm-Leach-Bliley's privacy provisions require 
        downstream recipients of covered data only to use the 
        information in a fashion that is consistent with the consumers' 
        stated privacy preferences or only for uses that are exempted 
        from the notice and choice requirements (such as credit 
        reporting). In this sense, the protections flow with the 
        information. I seriously question whether this concept can be 
        applied across the economy, but without it, the privacy 
        protections of the bill may be nullified.

         8. As Chairman Muris notes, some of the provisions of S. 2201 
        attempt to reconcile the legislation's privacy protections with 
        other federal statutes that allow limited but beneficial 
        information sharing. However, as currently drafted, S. 2201 
        might limit a variety of legitimate and beneficial information 
        sharing which covered entities engage in and which Congress 
        would like to continue. It is not clear, for example, whether 
        information about transactions completed online could be 
        communicated to credit bureaus. Without appropriate exclusions, 
        any proposed privacy rules could have a serious anti-consumer 
        impact.

         9. This bill would add to the emerging patchwork of federal 
        privacy regulations that apply to personal information \14\ and 
        may ultimately result in ambiguous, conflicting, or impractical 
        requirements for businesses, and greater confusion for 
        consumers as well. For example, S. 2201 provides that 
        ``sensitive'' and ``non-sensitive'' information would be 
        subjected to different levels of protection. Dissemination of 
        ``sensitive'' information would be subject to consumer notice, 
        opt-in choice, access and security. ``Non-sensitive'' 
        information would be protected by ``robust'' notice, opt-out 
        choice, access and security. The specifics of these 
        requirements would all be defined in a future rulemaking. At 
        the same time, ``non-public'' personal information collected by 
        financial institutions (whether online or offline) would be 
        subjected to Gramm-Leach-Bliley's distinct notice, choice and 
        security standards.
---------------------------------------------------------------------------
    \14\ Among the many federal privacy laws are: Gramm-Leach-Bliley 
Act, 15 U.S.C. Sec. Sec. 6801-6810 (covers financial institutions, non-
public personally identifiable information and requires notice of 
information practices and an opt-out for sharing information with third 
parties); Children's Online Privacy Protection Act of 1998, 15 U.S.C. 
Sec. Sec. 6501 et seq. (covers Web site operators, prohibits 
collection, use and disclosure of children's online information without 
verifiable parental consent and provides for parental access rights and 
imposes security requirements); Fair Credit Reporting Act, 15 U.S.C. 
Sec. Sec. 1681 et seq. (covers credit bureaus and providers and users 
of credit data and grants consumers access rights and opt-out rights 
for certain uses of credit data); and Health Insurance Portability and 
Accountability Act of 1996, Pub. L. No. 104-191, 262(a), 110 Stat. 1936 
(1996) (codified as amended in scattered sections of 18, 26, 29 and 42 
U.S.C.A.); 42 U.S.C.A. Sec. Sec. 1320d to 1320d-8 (West Supp. 
1998)(covers a variety of health-related entities and health 
information and contains requirements that include notice, varying 
degrees of choice, access, and security).

    Businesses that seek to comply with both of these regulations would 
be required to differentiate between online and offline information as 
well as any possible differences between the notice, choice, and 
security requirements in the two regulatory schemes. Additionally, our 
experience to date with Gramm-Leach-Bliley suggests that consumers may 
need less rather than more complex privacy disclosures in order to 
understand and execute their rights. It is unrealistic, at this point, 
to assume that consumers will comprehend the various categories of 
information as well as the protections that are attached to each 
category of information.

         10. The bill provides that ``penalties'' would be imposed for 
        a violation of the statute, and that ``redress'' would be 
        distributed to consumers in an amount not to exceed $200 (for 
        breaches involving non-sensitive personal information). This 
        confuses two separate concepts. Penalties are calculated 
        without regard to consumer injury or ill-gotten gains, and are 
        paid to the Treasury. Redress is intended to make consumers 
        whole.

         11. Wholly apart from the burden issues identified above, the 
        bill does not seem to recognize the potential conflict between 
        access and security. Broad access rights will lead to the 
        centralization of data which could result in very significant 
        security breaches. This is a highly technical subject, on which 
        there is no consensus among experts. \15\
---------------------------------------------------------------------------
    \15\ Final Report of Federal Trade Commission Advisory Committee on 
Online Access and Security, published as Appendix D of Privacy Online: 
Fair Information Practices in the Electronic Marketplace: A Federal 
Trade Commission Report to Congress (May 2000) 
http://www.ftc.gov/acoas/papers/finalreport.htm.

    I appreciate the opportunity to provide these comments and would be 
pleased to respond to any further questions.
        Sincerely,
                                           Thomas B. Leary,
                                                       Commissioner

    The Chairman. Senator Cleland.

                 STATEMENT OF HON. MAX CLELAND,
                   U.S. SENATOR FROM GEORGIA

    Senator Cleland. Thank you very much, Mr. Chairman.
    The difference between the world we see today and the world 
we saw last year is quite stark. Given September 11, the 
support for our men and women fighting in uniform, fighting 
terrorism abroad, for law enforcement efforts to uncover 
terrorist activity at home have justifiably received support, 
and I fully support these efforts as well, but on the domestic 
front, protecting people's privacy at home still remains for me 
an important issue as well.
    I am constantly reminded of this fact from stories of 
people who provide incorrect information to online businesses 
because of the fear that this information may be improperly 
used and from consumers choosing to bypass the many services 
the Internet provides for commercial purposes because they are 
concerned their online buying habits may be shared with others.
    The Senate has acted in a manner which I believe is 
balanced in its approach to online privacy. S. 2201, the 
bipartisan privacy legislation of which I am a proud cosponsor, 
incorporates many of the concerns of the high tech industry and 
balances those with a need of protections that have been 
advocated by civil liberties groups.
    Under the bill, sensitive information such as financial and 
health records, ethnic information, religious affiliation and 
social security numbers must be protected unless a person 
provides affirmative consent that this information can be 
shared. Other nonsensitive information can be shared between 
companies unless the consumer opts out of this sharing. That is 
straightforward protection in its most basic form, and, like 
the Fair Credit Reporting Act, which has worked well for 
consumers, information will be accessible and correctable. This 
approach is reasonable, as evidenced by the bipartisan support 
it has received.
    I believe that one of Yahoo's former vice presidents for 
direct marketing correctly frames the issue when he describes 
Yahoo's recent change in its privacy policy that would require 
opting out of receiving solicitations. Quote, they would be 
better off sending offers to a million people who said they 
want to receive a coupon each day, than to send them to 10 
million people and worry about whether you have offended them 
by finally going too far. This is basic marketing knowledge, 
and I see no reason why it should not apply to the Internet as 
well.
    We have a good privacy protection bill for consumers, and I 
appreciate the opportunity to work with the Chairman on 
perfecting this legislation. Thank you, Mr. Chairman.
    The Chairman. Thank you. We welcome the distinguished 
panel. Each of the statements of the distinguished witnesses 
are included in their entireties in the record. The Senators 
have had a chance to review those statements, and we would ask, 
in order that we leave some good time for questioning, that 
each of the witnesses summarize within, let us say, the 7-
minute rule. Let me start over on your right and go right 
across and start with Mr. Torres and end with Mr. Dugan.
    Mr. Torres.

        STATEMENT OF FRANK TORRES, LEGISLATIVE COUNSEL,
                        CONSUMERS UNION

    Mr. Torres. Good morning, Mr. Chairman, Members of the 
Committee. Consumers Union appreciates the opportunity to 
discuss our support for S. 2201. S. 2201 is a sound privacy law 
that will increase consumer trust and confidence in the online 
marketplace. We commend you and other members who have 
sponsored this landmark bill. You and your staffs have worked 
hard to balance the consumer's interest with those of the tech 
world, bending over backward in some cases to address their 
concerns. Here are some of the reasons we believe this bill is 
good.
    First, S. 2201 will provide both consumers and businesses 
with clear expectations of how online information will be 
treated, when it can be shared, and let consumers control the 
use of their personal data. Up till now, privacy has been 
addressed sector by sector. We often hear complaints from 
businesses that one sector is being treated differently from 
another. S. 2201 responds to those concerns. Consumers Union 
believes that basing the protection trigger on the type of 
information collected, rather than any specific industry, is 
the right way to address online privacy.
    Second, S. 2201 advances the privacy debate by recognizing 
the distinction between sensitive and nonsensitive data. More 
sensitive personal data like financial and medical information 
warrant the strongest possible protections. A business should 
first obtain a consumer's consent before protecting or sharing 
that information outside the scope of the reason for which that 
data was given.
    Where data is less sensitive, a less rigorous approach may 
be appropriate. However, this only works if the notice is good. 
The robust notice contemplated in S. 2201 will provide an up-
front mechanism for consumers to get privacy notices and 
exercise their opt-out.
    Third, S. 2201 offers a substantial improvement over the 
Gramm-Leach-Bliley Act by providing that sensitive financial 
information cannot be shared without the express consent of 
consumers, again for reasons outside the scope for which it was 
given.
    On the issue of preemption, Consumers Union believes that 
the strength of S. 2201 must be weighed against State privacy 
efforts. S. 2201 could set a strong national standard. However, 
should the bill be scaled back, we would revisit our position 
on the preemption issue and the bill as a whole.
    Businesses that choose to collect and share sensitive 
personal information should be held accountable for their 
handling of that data. This gets to the question of the private 
right of action. If wrongful disclosure of sensitive data after 
a consumer has said no leads to identity theft, for example, 
shouldn't the consumer be compensated for his or her loss?
    S. 2201 exercises an abundance of caution on this issue, 
given the concerns of the industry. It applies only to 
sensitive data. The consumer must prove actual damages. The 
amount of damages is limited even for multiple breaches, and 
actions cannot be brought if the disclosure was caused by 
systems failure or an event beyond the control of the business.
    In fact, there are a number of privacy laws that are both 
opt-in and also allow consumers to go after the wrong-doers. We 
have not heard, as I am sure we would have, of any explosions 
of lawsuits in these areas. We know from privacy surveys that 
consumers are concerned about privacy. They are more concerned 
about online than offline privacy. They want Congress to act, 
and they favor an opt-in approach overall. This bill splits 
between an opt-in and an opt-out approach. Consumers are 
concerned about privacy because banks have shared sensitive 
information with felons, or have used sensitive information 
fraudulently.
    We are here because of Double Click, Toy Smart, and Yahoo 
and their practices. Maybe some think it is OK for banks to 
share customer data with felons, or that companies should be 
allowed to lie to consumers. We, however, believe that such 
behavior is unacceptable. The reaction of some to S. 2201 and 
other privacy bills reminds me of the story of Goldilocks. This 
bill is too hot, or this one is too cold.
    Unlike Goldilocks, however, some will never find the 
privacy law that is just right. They are going to oppose any 
privacy legislation that Congress offers. S. 2201 gives 
consumers control over their own information, and it places the 
burden where it should be, on businesses who want information 
to convince consumers to share it. Isn't that how the 
marketplace should be working?
    Thank you, and I would be happy to answer any questions.
    [The prepared statement of Mr. Torres follows:]

  Prepared Statement of Frank Torres, Legislative Counsel, Consumers 
                                 Union

    Consumers Union \1\ appreciates the opportunity to present this 
testimony on the Online Personal Privacy Act, S. 2201. This hearing 
provides a forum to discuss why American consumers need meaningful and 
comprehensive online privacy protections, how S. 2201 accomplishes 
those goals, and Consumers Union's support for the bill.
---------------------------------------------------------------------------
    \1\ Consumers Union is a nonprofit membership organization 
chartered in 1936 under the laws of the State of New York to provide 
consumers with information, education and counsel about goods, 
services, health, and personal finance; and to initiate and cooperate 
with individual and group efforts to maintain and enhance the quality 
of life for consumers. Consumers Union's income is solely derived from 
the sale of Consumer Reports, its other publications and from 
noncommercial contributions, grants and fees. In addition to reports on 
Consumers Union's own product testing, Consumer Reports, with 
approximately 4.5 million paid circulation, regularly carries articles 
on health, product safety, marketplace economics and legislative, 
judicial and regulatory actions which affect consumer welfare. 
Consumers Union's publications carry no advertising and receive no 
commercial support.
---------------------------------------------------------------------------
Introduction
    Consumers Union has long been an advocate for strong privacy 
protections. Along with other consumer and privacy advocates we pushed 
for amendments to the Gramm-Leach-Bliley Act to try to provide 
consumers control over how their personal financial information is 
collected and whether it could be shared. We fought for strong medical 
privacy regulations and continue to push for privacy related to health 
like genetic information. Consumers Union is also part of a broad 
privacy coalition that has supported online privacy protections.
    Stronger laws are needed to give consumers control over their 
personal information. Legislative efforts such as S. 2201 will help 
ensure that consumers are told about how and why information is 
collected and used, provided access to that data, and given the ability 
to choose who gets access to their most intimate personal data.
    S. 2201 represents a balanced and reasonable approach to online 
privacy. The bill reflects where there could be some agreement on the 
substantive privacy protections of notice, access and consent.
    Consumers Union believes that basing the protection trigger on the 
type of information collected, rather than on any specific industry 
sector is a right way to ensure consumer data is safeguarded. This is a 
logical way to consider the privacy issue. Consumers should not have to 
keep track of all the business entities that may be collecting 
information about them, especially in light of the growing number of 
cross-industry mergers and the passage of the Gramm-Leach-Bliley Act. 
S. 2201 provides clear guidance for businesses as well. If you collect 
and use consumer data covered by the bill, you know what you have to 
do.

Background
    The right to be left alone appears to have been trumped by the 
pressure exerted by businesses to protect and expand their ability to 
gather personally identifiable information from consumers. No part of 
life is left untouched by data collection activities. Financial and 
medical records, what you buy, where you shop, your genetic code, are 
all exposed in a privacy free-for-all. Complete strangers can, for a 
price, have access to your most intimate secrets. Often, consumers have 
no choice in whether or not information is collected and no choice in 
how it is used.
    Do consumers care about their privacy? You bet they do.

   According to a survey commissioned by STAR, a subsidiary of 
        Powell Tate, conducted by SWR Worldwide, many consumers report 
        they have informed their primary financial institution of their 
        desire to opt out (31 percent) of information sharing. And 40 
        percent plan to opt out in the next 12 months. This opt out 
        rate is significantly higher than that reported by financial 
        institutions.

   The survey, conducted after September 11, also found that 
        more than half of the respondents (57 percent) expressed 
        concern that their primary financial institution may be sharing 
        personal or financial information with its affiliates or third 
        parties. The majority (59 percent) also reported that their 
        level of concern is about the same as it was a year ago.

   A recent report by KPMG, entitled A New Covenant With 
        Stakeholders: Managing Privacy as a Competitive Advantage, 
        cites a survey of U.S. voters by the Public Opinion Strategies 
        firm last year indicating that strengthening privacy laws to 
        assure that computerized medical, financial or personal records 
        are kept private is the highest-rated issue of concern to 
        voters nationwide.

   KPMG also noted that increasingly, individuals want to 
        choose who does and does not have access to their medical, 
        financial, purchasing, and other personal information. And, if 
        access is needed, individuals would like to be able to specify 
        for what purposes and to what extent access will be granted. 
        They also want specific assurances that the information they 
        consider private is, in fact, kept private by the organizations 
        with which they do business.

   Forrester Research found that 72 percent of consumers 
        participating in a survey last year considered it a violation 
        of privacy for businesses to collect and then supply personal 
        data to other companies. 94 percent of Internet users want 
        privacy violators to be disciplined. 70 percent said that 
        Congress should pass legislation protecting privacy on the 
        Internet. In December, Forrester found 69 percent of Americans 
        worried about their financial privacy.

   Other surveys have estimated that concerns about privacy and 
        lack of trust cost U.S. companies $12.4 billion in 2000 because 
        consumers were reluctant to share their personal information 
        over the Internet.

   A 2001 study by the Markle Foundation found that by more 
        than a 3 to 1 margin (63-19 percent) the public says it is more 
        concerned about companies collecting personal information 
        online than offline.

   Nearly two-thirds of the public, 64 percent, say that the 
        government should develop rules to protect people when they are 
        on the Internet, even if it requires some regulation of the 
        Internet.

   The study also found that the public is looking not only for 
        protection by others, but they want an ability to control their 
        own online experience, and the uses that others might make of 
        what they do online. By a strong 58-37 percent margin, the 
        public prefers an opt-in regime.

   Finally, the survey concluded that the public perceives that 
        the Internet, although useful, is not yet a medium that enables 
        them to hold others accountable when they go online.

    All these surveys lead to the same conclusion: the majority of 
consumers are concerned about the threats to their privacy while 
online. An Ernst and Young report Privacy Promises Are Not Enough, 
noted that ``at the core of this trust issue is the fact that consumers 
do not trust businesses to protect their privacy or follow their stated 
privacy policies.''
    Increasingly, consumers want to choose who does and does not have 
access to their medical, financial and other personal information. 
Consumers want to be able to specify for what purposes and to what 
extent access to their information will be granted. Consumers want 
assurances that the information they consider sensitive will be kept 
private by the businesses they use. Often, consumers have no choice in 
whether or not information is collected and no choice in how it is 
used. Today, any information provided by a consumer for one reason, 
such as getting a loan at a bank, can be used for any other purposes 
with virtually no restrictions.

Comments on S. 2201
    There are a number of elements of privacy protection that have 
become clearer over the course of our involvement in the privacy debate 
which are reflected in S. 2201:

   A distinction can be made between sensitive and non-
        sensitive information. S. 2201 advances the privacy debate by 
        recognizing the distinction between sensitive and non-sensitive 
        data. We have commented that more sensitive personal data, like 
        financial and medical information, warrant the strongest 
        possible protections. For this type of data we favor an 
        approach that requires a business to obtain the consumer's 
        consent prior to sharing that data.

         For other data collected, a lesser standard may be 
        appropriate. We support this approach only if clear notice is 
        given to the consumer prior to the collection of the data and 
        that the consumer is given the opportunity up front to choose 
        not to have his or her information shared with others. We 
        encourage providing specific and uniform mechanisms for 
        exercising an opt-out.

         For telephone marketing several states are implementing ``do-
        not-call'' lists. Even the Direct Marketing Association 
        maintains such a list. A one-stop universal opt-out would be a 
        useful tool for consumers. We anticipate that the Federal Trade 
        Commission will move forward soon on a final rule for a 
        national do-not-call list. Perhaps a similar mechanism for the 
        online world should be encouraged.

   Consumers need a stronger law to protect their personal 
        financial information. S. 2201 offers a substantial improvement 
        over the privacy provision of the Gramm-Leach-Bliley Act by 
        providing that sensitive financial information cannot be shared 
        with affiliates or third parties without the express consent of 
        the consumers. S. 2201 would allow financial institutions to 
        share less sensitive data with their affiliates under the opt-
        out standard.

         The Gramm-Leach-Bliley Act falls far short of providing 
        meaningful privacy protections in the financial setting. 
        Loopholes in the law and in this draft rule allow personal 
        financial information to be shared among affiliated companies 
        without the consumer's consent. In many instances, personal 
        information can also be shared between financial institutions 
        and unaffiliated third parties, including marketers, without 
        the consumer's consent.

         Consumers across the country are receiving privacy notices 
        from their financial institutions. Unfortunately these opt 
        outs, in reality, will do little or nothing to prevent the 
        sharing of personal information with others. Other loopholes 
        allow institutions to avoid having to disclose all of their 
        information sharing practices to consumers. In addition, the 
        GLB does not allow consumers access to the information about 
        them that an institution collects. While states were given the 
        ability to enact stronger protections, those efforts have met 
        fierce resistance by the financial services industry.

         Reports and surveys conducted by the Privacy Rights 
        Clearinghouse show how poorly written and difficult to 
        understand the financial privacy notices are. Despite those 
        obstacles, a recent survey indicates that consumers are 
        choosing to opt-out.

   Consumers' health information should not be shared without 
        their express consent. S. 2201 protects personal health 
        information across the board--under the bill health information 
        cannot be shared without the prior consent of the consumer. 
        There appears to be widespread agreement on this principle.

         Consumers should not be put in the position of privacy 
        intrusions when they go online to seek medical advice or 
        information about prescription drugs, for example. Those 
        seeking medical treatment are most vulnerable and should be 
        allowed to focus on their treatment or the treatment of their 
        loved ones, rather than on trying to maintain their privacy. It 
        is unfair that those citizens must be concerned that 
        information about their medical condition could be provided to 
        others who have no legitimate need to see that information.

   S. 2201 requires notice and consent prior to the sharing of 
        personal information with others. Online entities that collect 
        personal information should be responsible for providing notice 
        to consumers if they intend to share personal data with others 
        and allow consumers to opt-out of such data collection and 
        sharing with third parties.

   S. 2201 will allow consumers to opt-out of sharing their 
        less sensitive data. This requirement should be easy to 
        implement, in most cases consumer choice can be provided at the 
        point where the information is collected. The opt-out for less 
        sensitive information is distinguishable from the stricter 
        regime that would apply to more sensitive financial and medical 
        data. An opt-out may be adequate for such information provided 
        that the notice and choice is given up-front, prior to the 
        collection, and is clear and in plain English. Consumers Union 
        believes that the ``robust'' notice called for in S. 2201 will 
        provide consumers with the type of notice to get the job done 
        and avoid the pitfalls of the financial privacy notices.

         This is a reasonable step. Consider the position of the former 
        Vice President of Yahoo!, Seth Godin, who has written about 
        ``permission marketing.'' He says that about 38 percent of the 
        people that are given a chance to tell his company their 
        interests to get information about things that match their 
        profile do, in fact, opt-in. He goes on to call opt-out a sham.

   Businesses should be responsible for safeguarding the 
        sensitive data of Internet users if they choose to collect and 
        use that data. Businesses that collect and share sensitive 
        personal information should be held accountable if that 
        information is shared after a consumer has said no to such 
        sharing of information. For example, if disclosure of sensitive 
        financial data without the consumer's consent is the cause of 
        that consumer's identity being stolen, shouldn't the businesses 
        that sold the information be held accountable and be 
        responsible for that consumer's loss?

    The approach in S. 2201 is reasonable on this issue. It provides a 
private right of action only related to the misuse of sensitive 
personal data. Even then, the standard is high--a consumer can only 
recover upon a showing of actual harm. Actions cannot be brought if a 
systems failure or an event beyond the control of the business caused 
the disclosure.
    We have not seen evidence of an onerous litigation burden despite a 
number of prior privacy statutes that allow such action. Most of these 
laws have been on the books for years:

     Section 616 of the Fair Credit Reporting Act--up to $1,000 
        for knowing or willful noncompliance plus punitive damages and 
        actual damages for negligent noncompliance;

     47 U.S.C. Section 551 Cable Communications Policy Act--
        $1,000 or actual damages plus punitive damages;

     Section 2520 of the Electronic Communication Privacy Act--
        between $500 and $10,000 and actual damages;

     18 U.S.C. Section 2710 Video Privacy Protection Act--
        $2,500 in actual damages plus punitive damages;

     47 U.S.C. Section 227 Telephone Consumer Protection Act--
        up to $500 for each violation.

   The strength of S. 2201 must be balanced against any 
        preemption of state law. In response to consumer concerns about 
        privacy several states are poised to act on these issues. We 
        consider the work of the states vital. Consumers Union believes 
        that it is critical to seek the input from the states, 
        including state attorneys general and legislators, before 
        deciding to preempt state privacy efforts. As long as the 
        underlying privacy standards remain strong, S. 2201 will set a 
        strong national privacy standard. Should S. 2201 be weakened 
        Consumers Union would reconsider its continued support for the 
        bill and urge that states be allowed to pass tougher privacy 
        laws. Let us be clear, should the other provisions in the bill 
        change, we would reconsider our position on preemption. 
        Preempting state law is predicated on getting the strongest 
        possible consumer protection in the underlying legislation.

The Online Marketplace
    The ability to collect, share and use data in all sorts of ways 
boggles the mind. Consumers, in many cases, aren't even aware that data 
is being collected, much less how profiles about them are created. The 
information collection overload is particularly troublesome when it 
becomes the basis for decisions made about an individual--like how much 
a product or service will cost.
    Cross industry mergers and consolidations have given financial 
institutions unprecedented access to consumers' personal data. 
Technology has made it possible and profitable to mine that data. No 
law prevents businesses from using data to choose between desirable 
borrowers and less profitable consumers the institutions may want to 
avoid. Special software helps guide sales staff through scripted 
pitches that draw on a customer's profile to persuade the account 
holder to buy extra, and in some cases junk products.
    Some web-based businesses already seem to be willing to move beyond 
the privacy wasteland where GLB left consumers. There no longer appears 
to be a question, for some, of whether consumers should get notice, 
access, and control over their information. The challenge is how to 
effectively put these principles into practice.
    A May 2000 Consumer Reports survey of web sites, Consumer Reports 
Privacy Special Report, Big Browser is Watching You, shows that 
consumers' privacy is not being protected online. The report also shows 
that privacy notices at several popular sites are inadequate and vague. 
This data, as do other recent web surveys, shows the state of consumer 
privacy online continues to be hit or miss.
    Privacy policies are not a substitute for privacy protections, 
especially when some companies don't even follow what is in their 
policies. Just because a company has a privacy policy does not mean 
that they follow Fair Information Practices. And consumers are 
skeptical about self-regulation.
    The marketplace is changing daily. The Wall Street Journal reports 
that Time Warner has the names, addresses and information on the 
reading and listening habits of 65 million households. USA Today says 
Time Warner has access to information about its 13 million cable 
subscribers and from its other businesses, like Time and People 
magazine. With so much information, how will the competitiveness of the 
marketplace be impacted by this merger? Will companies who seek to 
operate under a higher privacy standard be at a competitive 
disadvantage and unable to compete against a larger entity that is able 
to make unrestricted use of the personal information it obtains?

Do Consumers Benefit from Data Sharing?
    Financial institutions promised that in exchange for a virtually 
unfettered ability to collect and share consumers' personal 
information, that consumers would get better quality products and 
services and lower prices. This is why, they claimed, consumers 
shouldn't have strong privacy protections like the ability to stop the 
sharing of their information among affiliates, or access to that 
information to make sure it's accurate. Let's look at reality.
    Bank fees for many consumers continue to rise. Information about 
financial health may actually be used to the consumer's detriment if it 
is perceived that the consumer will not be as profitable as other 
customers. Both Freddie Mac and Fannie Mae say between 30 and 50% of 
consumers who get subprime loans, actually qualify for more 
conventional products, despite all the information that is available to 
lenders today. Credit card issuers continue to issue credit cards to 
imposters, thus perpetuating identity theft, even when it seems like a 
simple verification of the victim's last known address should be a 
warning. Instead of offering affordable loans, banks are partnering 
with payday lenders. And when do some lenders choose not to share 
information? When sharing that information will benefit the consumer--
like good credit histories that would likely mean less costly loans.

    Chase Manhattan Bank, one of the largest financial institutions in 
the United States, settled charges brought by the New York attorney 
general for sharing sensitive financial information with outside 
marketers in violation of its own privacy policy. In Minnesota, U.S. 
Bancorp ended its sales of information about its customers' checking 
and credit card information to outside marketing firms. Both of these 
were of questionable benefit for the bank's customers. Other 
institutions sold data to felons or got caught charging consumers for 
products that were never ordered.

    Maybe the right approach is to let institutions that want a 
consumer's information to be put in a position to convince that 
consumer that some benefit will be derived from a willingness to give 
that information up to the institution. Such an approach may increase 
trust in financial institutions and let consumers have control and 
choice over their own personal information. The same technology that 
enables vast amounts of data to be collected can be used to give 
consumers access to that data. It is a simple thing to tell consumers 
what is collected and how it is used.

Conclusion
    Consumers face aggressive intrusions on their private lives. Often 
a consumer is forced to provide personal information to obtain products 
or services. Many times information that has been provided for one 
purpose is then used for another reason, unbeknownst to the consumer. 
Financial institutions, Internet companies, health providers and 
marketers have been caught crossing that line. Meanwhile, identity 
theft is at an all-time high.
    Sound and comprehensive privacy laws will help increase consumer 
trust and confidence in the marketplace and also serve to level the 
playing field. These laws do not have to ban the collection and use of 
personal data, merely give the consumer control over their own 
information.
    Consumers should have the right to be fully and meaningfully 
informed about an institution's practices. Consumers should be able to 
choose to say ``no'' to the sharing or use of their information for 
purposes other than for what the information was originally provided. 
Consumers should have access to the information collected about them 
and be given a reasonable opportunity to correct it if it is wrong. In 
addition to full notice, access, and control, a strong enforcement 
provision is needed to ensure that privacy protections are provided.
    S. 2201 provides the privacy protections consumers deserve.

    The Chairman. Very good. Ms. Lawler.

           STATEMENT OF BARBARA LAWLER, CHIEF PRIVACY
                OFFICER, HEWLETT-PACKARD COMPANY

    Ms. Lawler. Good morning, Mr. Chairman, Members of the 
Committee. I thank you for the invitation to appear today to 
discuss the need for stronger Federal protections for consumer 
privacy and comment specifically on S. 2201.
    My name is Barbara Lawler, and as the privacy manager for 
HP I have global responsibility for HP's privacy policy 
management, implementation, compliance, education, and 
communication, both for offline and online approaches. We want 
to commend you, Mr. Chairman, and the Ranking Minority Member, 
Senator McCain, and the other Members of the Committee for your 
commitment to finding solutions to address consumer concerns 
about protecting their privacy.
    3 years ago, when HP first advocated the need for a Federal 
initiative on privacy, we were virtually alone as a corporation 
in advocating this position. We think times have changed, and 
that many more companies and associations will support 
reasonable baseline Federal legislation for protecting 
consumers' privacy. It is time to develop national privacy 
standards.
    Let me start by briefly giving you an overall picture of 
how we manage privacy at HP. We apply a universal global 
privacy policy built on the fair information practices 
mentioned today by the Committee, notice, choice, accuracy and 
access, security, and oversight. In any language the core 
commitments are the same, with minimal localization required to 
reflect local country laws. Some key provisions in our policy 
include no selling of customer data, no sharing of our customer 
data outside HP without that customer's permission, customer 
access to core contact data, and a customer feedback mechanism. 
We insist, through contractual obligations, that suppliers must 
abide by our policies.
    On January 29 of 2001, HP became the first high tech 
company to self-certify with the U.S. Department of Commerce a 
safe harbor. This demonstrates our continued leadership to 
strong privacy practices in the U.S., and because HP manages to 
a global privacy policy, citizens in the U.S. enjoy the same 
benefits as those in the EU and elsewhere from HP's privacy 
policy.
    I would now like to turn to the language of S. 2201. First 
of all, let me say that we are pleased to see that the bill 
bases its notice and consent requirements on clear and 
conspicuous disclosure. HP has always felt that informed choice 
depends upon consumers having available the information they 
need to make informed choices about with whom they wish to 
share their personal information.
    We are pleased that section 102 recognizes the importance 
of requiring this basic consumer protection. We are also 
pleased that there is a place in this legislation for privacy-
enhancing technologies like P3P that enhance the notice and 
choice capabilities for consumers.
    We are also pleased that the legislation does not take an 
either-or stance with regard to the opt-in, opt-out debate. We 
believe that the continued free flow of nonsensitive personal 
data with the resulting economic benefits for both consumers 
and businesses may be best served by an opt-out requirement, 
allowing room for competitive differentiation. For personal 
information that is sensitive, an opt-in requirement will give 
consumers greater confidence in participating in online 
transactions. HP believes a very constructive discussion can be 
held as to where the demarcation should be made between opt-in 
and opt-out.
    We also agree on the importance of giving consumers 
reasonable data access to evaluate the accuracy of information 
collected. An observation that we would make is that from our 
experience, data access can be a very complex process. Many 
companies have multiple data bases that collect data from a 
number of sources and mediums, and they may not be 
interoperable.
    An integral problem related to this is that of 
authentication. Confirming that somebody is indeed who they say 
they are when they request data access could lead into security 
and identity theft issues. Creating a potential security breach 
or identity theft problem while trying to address data access 
is a very real concern.
    As to enforcement, we are pleased that the legislation 
recognizes the importance of the role of the FTC, and we also 
agree that there is a role for the State Attorneys General in 
the enforcement of this legislation, and we concur with the 
balance achieved in the bill between the rights of States to 
protect their citizens and the right of the FTC, as the expert 
agency, to interpret its rules.
    One suggestion we would like to make is to find a role for 
self-regulatory privacy seal programs that have standards equal 
to or above those required under this legislation. The more 
eyes and ears available to resolve privacy disputes will 
benefit consumers, allowing the FTC to certify reputable seal 
programs to take a first crack at resolving disputes.
    Moving to ramp up and comment on the areas where we do have 
concerns, we must state our strong opposition to the concept of 
the private right of action for a privacy violation. We agree 
with the legislation that there is a need for strong, bright 
lines as to what businesses must do to protect consumer 
privacy. As we have said, we welcome a healthy debate on opt-in 
and opt-out, and FTC and State AG enforcement. We would urge 
the Committee to consider adding language that would allow 
reputable seal programs to help in protecting consumer privacy. 
All these initiatives add clarity and certainty to the job of 
businesses protecting consumer privacy.
    We are concerned that a private right of action will create 
less certainty and clarity in the marketplace as each court 
will supply its own definition of what constitutes actual harm 
or reasonable access or reasonable security. Calibrating actual 
monetary loss from privacy evaluations could become an art 
rather than a science, as in each case each court, each 
plaintiff lawyer having their own view.
    In other issues addressed in the bill, we believe that 
there must be a recognition that the offline world and the 
online world should be subject to the same privacy rules. We 
would be pleased to work with the Committee on addressing that 
need for convergence, recognizing the differences in offline 
and online implementation.
    I want to thank you, Mr. Chairman, for the opportunity to 
testify on S. 2201. HP looks forward to working with the 
Committee in developing and passing practicable consumer 
privacy protection this Congress. I would be pleased to answer 
any questions you may have.
    [The prepared statement of Ms. Lawler follows:]

     Prepared Statement of Barbara Lawler, Chief Privacy Officer, 
                        Hewlett-Packard Company

    Mr. Chairman, Members of the Committee, I thank you for the 
invitation to appear today to discuss the need for stronger federal 
protections for consumer privacy, and comment specifically on S. 2201.
    My name is Barbara Lawler, and as the HP Privacy Manager, I have 
global responsibility for Hewlett-Packard's privacy policy management, 
implementation, compliance, education and communication, in both the 
online and offline worlds.
    By way of background, HP is a leading provider of computing and 
imaging solutions and services. As a company we are focused on making 
technology and its benefits accessible to individuals and businesses 
through networked appliances, beneficial e-services and an ``always 
on'' Internet infrastructure.
    As a high-tech company that sells to the consumer market, we are 
deeply committed to strong privacy practices. HP believes that self-
regulation with credible third-party enforcement--such as the Better 
Business Bureau privacy seal program--is the single most important step 
that businesses can take to ensure that consumers' privacy will be 
respected and protected online. We have also felt for some time, that 
there must be a `floor' of uniform consumer privacy protections which 
all companies must adhere to. HP has testified on a number of occasions 
before Congress about our support for strong, practicable, federal 
privacy protections. We at HP have had much experience in developing 
and managing consumer-friendly privacy policies and practices, so we 
welcome the opportunity to share our experiences with the Committee 
about what we think works--and what may not work--in crafting privacy 
standards.
    We want to commend you, Mr. Chairman, the ranking minority Member 
(Senator McCain), and the other Members of the Committee for your 
commitment to finding solutions to address consumer concerns about 
protecting their privacy. Three years ago, when HP first advocated the 
need for a federal initiative on privacy, we were virtually alone as a 
corporation in advocating that position. We think times have changed, 
and that many more companies and associations will support reasonable, 
baseline federal legislation for protecting consumers' privacy. It is 
time--past time--to develop national privacy standards. We welcome your 
leadership in working through the difficult issues that must be 
resolved if we are to see privacy legislation enacted this year, and we 
welcome your bill, Mr. Chairman, as a starting point for those 
discussions.
    Let me start by giving you an overall picture of how we manage 
privacy at Hewlett-Packard. HP applies a universal, global privacy 
policy built on the fair information practices: notice, choice, 
accuracy & access, security and oversight. Whether in English, French 
or Japanese, the core commitments are the same, with minimal 
localization required to reflect local country laws. Key elements of 
our policy include no selling of customer data, no sharing of customer 
data outside HP without customer permission, customer access to core 
contact data and a customer feedback mechanism. We insist through 
contractual obligations that suppliers must abide by our policy. Our 
consumer business requires opt-in for email contact and our B2B 
business is moving to opt-in as well.
    The HP policy can be viewed in its online form at the lower left-
hand corner of every hp.com web page: http://www.welcome.hp.com/
country/us/eng/privacy.htm
    The guiding principles for managing data privacy at HP are:

   customers control their own personal data

   give customers choices that enhance trust and therefore 
        enhance the business

   put the customer in the lead to determine how HP may use 
        information about them; and

   have the highest integrity in practices, responses and 
        partners

    HP people apply the privacy policy to marketing, support, e-
services and product generation using a set of HP-developed tools 
called the ``Privacy Rulebook'' and the ``Web Site Data and Privacy 
Practices Self-Assessment Tool''.
    A sample of current HP global privacy initiatives include:

   company-wide training on implementing privacy standards

   new application development and business rules for company-
        wide multiple customer database consolidation

   Platform for Privacy Preferences (P3P) implementation for 
        our most active web sites

   Supplier contract compliance assessments

    I want to underscore some important distinctions around the `opt-
in' discussion and add some clarity. It's HP policy to never sell or 
share our customer data without their express permission. HP has many 
business relationships with other companies. Companies that act as 
service providers or suppliers to HP are contractually required through 
a Confidential Non-Disclosure Agreement and Personal Data Protection 
Agreement to abide by HP's privacy policy.
    HP's strategic partnerships and co-marketing partners comprise a 
different class of business relationships. It is these relationships to 
which the HP opt-in policy requirement described above applies.
    Applying the opt-in standard for marketing contact within HP is an 
order of magnitude more difficult, but we're committed because it's the 
right thing to do for our customers. Implementing opt-in for marketing 
contact requires us to evaluate all customer databases and customer 
privacy choice data elements, re-engineer the data structures, systems 
and associated processes, change the privacy question format itself, 
develop implementation guides and tools, and communicate the new 
standard HP-wide. Some of the challenges we face are in the areas of 
managing a program-specific customer privacy choice with a `top-down' HP 
request and resolving a large volume of data where the privacy choice 
is unknown.
    On January 29th, 2001, HP became the first high-tech company to 
certify with the U.S. Department of Commerce for Safe Harbor. This 
demonstrates our continued leadership to strong privacy practices in 
the U.S. The Safe Harbor framework offers consistency and continuity 
for business operations conducted between HP sites located in the 
United States and the European Union; this is critical for a global 
enterprise. And because HP manages a global privacy policy, citizens in 
the U.S. enjoy the same benefits as those in the EU and elsewhere.
    Finally, I would like to put the privacy issue into the larger 
perspective of consumer confidence in the global electronic 
marketplace. While consumers are concerned about their privacy online, 
they are also concerned about whether their credit cards are safe 
online, and whether if they order a blue vase from a website in Paris 
or Tokyo, they will get what they order in the quality and condition 
they expected. In order for online businesses to truly earn the trust 
of consumers, we need to expand ongoing efforts to make sure that the 
global electronic marketplace is a clean, well-lighted venue for both 
consumers and businesses. For example, consumers need to have 
confidence that when they do business across national borders, there 
will be a redress system in place should anything go wrong with the 
transaction.
    HP is working with 70+ businesses from around the world through the 
Global Business Dialogue for electronic commerce to develop a consensus 
on worldwide standards on consumer redress systems, that is of 
Alternative Dispute Resolution (ADR). In this effort, we are working 
with consumer groups and the FTC and the European Commission so that 
consumers and businesses will be able to quickly, fairly and 
efficiently resolve complaints related to online transactions.
I would now like to turn to the language of S. 2201.
    First of all, we are pleased that the bill bases its ``Notice and 
Consent'' requirements upon ``clear and conspicuous'' disclosure. HP 
has always felt that informed choice depends upon consumers having 
available the material information they need to make an informed choice 
with whom they wish to share their personal information. ``Clear and 
conspicuous'' is a term of art used by the FTC to provide robust 
notification, and we are pleased that Section 102 recognizes the 
importance of requiring this basic consumer protection. We are also 
pleased that there is a place in the legislation for privacy enhancing 
technologies such as P3P, which enhance notice and support capabilities 
for consumers.
    We are also pleased that the legislation does not take an `either-
or' stance on the opt-in, opt-out debate. We think the continued free 
flow of non-sensitive data, with the resulting economic benefits for 
both consumers and businesses, will be best served by an opt-out 
requirement and allowing room for competitive differentiation. For 
personally identifiable information that is of a sensitive nature (as 
defined by S. 2201), an opt-in requirement will most likely give 
consumers greater confidence in participating in online transactions. 
HP believes a very constructive discussion can be held as to where the 
demarcation should be made between opt-in and opt-out.
    We agree that as a general rule, the consent or denial of a 
consumer for permission to collect or disclose personally identifiable 
information should remain in effect until the consumer decides to 
change their preference.
    We also agree on the importance of giving consumers reasonable data 
access to evaluate the accuracy of information collected. An 
observation we would make is that from our experience, data access can 
be a complex process. Many companies have multiple databases that 
collect data from a number of sources and mediums, and which may not be 
interoperable. Merging these data files is a prolonged, expensive 
process, though a process that is underway throughout industry.
    A commensurate problem is that of authentication. Ensuring that 
someone is indeed who they say they are when they request access may 
bleed into security and identity theft issues. Creating a security 
breach or an identity theft problem while trying to address the access 
issue is a real concern.
    Having said that, we would like to work with the Committee to find 
practicable, secure and cost-effective, solutions to the problems of 
access.
    As to enforcement, we are pleased that the legislation recognizes 
the importance of the role of the FTC. Utilizing clear statutory 
parameters, we welcome an FTC rulemaking that will allow an opportunity 
to develop implementation rules and to help define with greater 
specificity the terms of the legislation. We also agree that there is a 
role for the state Attorneys General in the enforcement of this 
legislation, and we concur with the balance achieved in the bill, 
between the rights of states to protect their citizens, and the right 
of the FTC--as the expert agency--to interpret its rule.
    One suggestion we would make, is to find a role for self-regulatory 
privacy seal programs that have standards equal or above those required 
under this legislation. As we have stated, we belong to the BBB privacy 
program, which we believe is quite strict, and which requires that any 
consumer complaint must be addressed through a dispute resolution 
process. The more eyes and ears available to resolve privacy disputes 
will benefit consumers, and allowing the FTC to certify reputable seal 
programs to take a first crack at resolving disputes would be 
beneficial.
    Turning to areas of the bill where we have concerns, we must state 
our strong opposition to the concept of a private right of action for a 
privacy violation. We agree with the legislation that there need to be 
strong, bright lines as to what businesses must do to protect their 
customers' privacy. As we have said, we welcome a healthy debate on 
opt-in and opt-out; we welcome FTC and state Attorneys General 
enforcement, and we would urge the Committee to consider adding 
language that will allow reputable seal programs to help in protecting 
consumer privacy. All of these initiatives add clarity and certainty to 
the job of protecting consumer privacy. We are concerned that a private 
right of action will create less certainty and clarity in the 
marketplace, as each court will supply its own definition as to what 
constitutes ``actual harm'' or ``reasonable access'' or ``reasonable 
security''. Calibrating ``actual monetary loss'' from privacy 
violations will therefore be an art rather than a science, as on each 
case, each court, and each plaintiff lawyer having their own view of 
the matter.
    Consumers deserve adequate protections, and this bill--as we have 
described--fills a void in privacy protections. At the same time, 
businesses need certainty as to the rules of the road, so that they can 
meet the obligations required to address privacy issues. A private 
right of action in this dynamic environment places this need for 
clarity and certainty on its head; legislation with a private right of 
action will offer consumers and businesses less certainty at a time 
when we need more clarity as to what should be the national, uniform 
privacy compact.
    On other issues addressed in the bill, we believe that there must 
be a recognition that the offline world and online world should be 
subject to the same privacy rules. We would be pleased to work with the 
Committee in addressing that need for convergence recognizing the 
differences in offline and online implementation.
    We also believe that ``Whistleblower'' law should be uniform across 
industries and therefore not considered for inclusion in this bill. 
Industry should not be piecemealed by variations in employment law 
relating to whistleblowers. And again,--for the reasons stated above--
we are concerned about a private right of action included in the 
Whistleblower section.
    Thank you Mr. Chairman for the opportunity to testify on S. 2201. 
HP looks forward to working with the Committee in developing--and 
passing--practicable consumer privacy protection, this Congress. I 
would be pleased to answer any questions that you may have.

    The Chairman. Thank you very much. Mr. Rotenberg.

       STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, 
             ELECTRONIC PRIVACY INFORMATION CENTER

    Mr. Rotenberg. Thank you very much, Mr. Chairman, Members 
of the Committee. My name is Marc Rotenberg. I am executive 
director of the Electronic Privacy Information Center, and I 
would like to thank you for the opportunity to be here this 
morning. We have worked with a wide range of privacy and 
consumer organizations over the years since your original bill 
was introduced to seek support for important privacy 
legislation in the Congress.
    I think it is clear that across the country public support 
for privacy protection is still very high, even with the 
progress which industry has made over the last several years, 
and there has been progress, there is still a fundamental lack 
of trust and confidence in the online marketplace.
    Legislation does not solve the problem of privacy 
protection, but I think it will take a big step forward in 
establishing the type of trust, confidence, stability, and 
continuity that allow businesses and consumers to participate 
in this new electronic environment with confidence that the 
personal information will be protected. The types of problems 
which the marketplace simply cannot solve are clear today. You 
can enter into a relationship with an online business, read a 
privacy policy, provide your personal information, and the 
company then decides to change its privacy policy. What do you 
do at that point?
    You can go online, provide information to a business which 
perhaps is not so well-run. Eventually, they seek the 
protection of bankruptcy law, and they take their customer data 
base and they put it online to the highest bidder.
    You can go to a commercial web site, look at a 20-page 
privacy policy and decide you have got better things to do with 
your life, click ``I agree,'' and take your risks.
    What the legislation does is to try to deal with those 
types of problems that arise specifically in the online 
environment and make it difficult for consumers to have the 
type of confidence and assurance that they need when they type 
in the names of their children, their credit card numbers, 
where they live, their spouse's names, and so forth.
    Now, as you may know, this version of the bill does not go 
as far as many privacy and consumer groups would like to go. We 
believe as a general matter that opt-in is a better approach, 
because it gives consumers better control. We think preemption 
raises serious concerns about the ability of States to protect 
the interest of their own citizens, and there are other areas 
as well where we think further changes might be necessary, but 
nonetheless I think this is an important step forward.
    Now, in my testimony I draw attention to a few areas that I 
hope the Committee will consider as you look at the legislation 
a little bit more closely, and I am going to highlight them now 
very briefly. I am concerned about the law enforcement 
exception, which is actually a new issue in the drafting of 
this bill, simply because it is so broad.
    The way privacy laws typically work is to create a 
presumption against disclosure and then to allow exceptions in 
such circumstances as a warrant or a court order to allow 
criminal investigations to go forward, but that exception has 
to be narrowly crafted to ensure that any person who shows up 
in a business with a piece of paper saying they work for a 
Government agency is not able to get every record in the 
possession of that business, and I think it would be in the 
interest of both businesses and consumers to try to narrow that 
exception.
    I also think if it were possible to expand the access 
provision so that people would know a bit more about the 
information about them that is held by the companies, that 
would be beneficial. As the bill is currently drafted, 
consumers will largely know only the information that they 
provide to the company, which is, frankly, fairly self-evident.
    Let me say a couple of words, if I may, about the 
enforcement provision, because I have read a number of comments 
in the news stories from folks speaking for industry about this 
provision that it makes me wonder if they are reading the same 
bill that I was reading. The bill creates a private right of 
action, without question, but this is a private right of action 
that I cannot imagine any good attorney wanting to take a case 
based upon, and the reasons are very simple.
    First of all, it requires a showing of actual harm, which 
is extremely difficult to do in privacy cases, and the reason 
that Federal statutes typically set out a liquidated damages 
amount of $2,500, or $1,000 or whatever an appropriate amount 
may be, is because it is hard to show harm when personal 
information is disclosed.
    But the second thing that this bill does is to take out any 
compensation, any award of attorney's fees or for actual costs 
incurred that a court would routinely award. In other words, 
even if you prevail, even if you are able to show actual harm 
under the private right of action set out in this bill, you are 
only going to be compensated for the amount of your harm and 
any costs associated with your litigation will not be 
recoverable.
    Now, I think this is just too high a burden for people who 
are trying to seek redress where their rights have been lost, 
and I think you have two solutions. One, you can put back in 
the type of compensation that you would routinely receive in 
Federal litigation, which includes reasonable attorney's fees, 
or you can say, if you want to bring a privacy case, go to 
small claims court, and this is the approach that was taken in 
the Telephone Consumer Protection Act, and I think that 
approach could work as well, but this current approach, 
contrary to what you may read in the newspapers, is not going 
to open a floodgate of litigation. At best, you may see a 
trickle of cases from a few people who have a lot of money and 
want to pursue a privacy claim.
    On the distinction between personally identifiable 
information and sensitive personally identifiable information, 
I think the privacy community would generally prefer the 
broader or the higher standard, which would be treat all 
information as being sensitive, but I do think the bill strikes 
a reasonable balance, and I think it strikes a common-sense 
balance that how we view medical information and financial 
information is not the same as how we view the lettuce we buy 
or the paper towels we buy in the grocery store, and maybe it 
is appropriate to make that distinction which the bill makes 
here.
    The one suggestion I would make in terms of where you might 
draw that line is to consider that issues related to political 
belief and intellectual freedom really should fall under the 
category of sensitive personal information. As the bill is 
currently drafted, you put religious belief as sensitive, 
personal information, and you put political party affiliation 
under that category, but a person's political beliefs which may 
be reflected in their purchases online I think also should be 
entitled to similar protection.
    The approach to technologies for protecting personal policy 
is very good, and I think that could be expanded to consider a 
wide range of solutions that industry may develop and that 
consumers would favor.
    So in conclusion, Mr. Chairman and Members of the 
Committee, I think this is very important legislation. I think 
it is timely legislation. I think there are an awful lot of 
people in the United States that would feel more comfortable 
going online, using the Internet, making transactions and 
buying stuff, if they knew that there was some privacy 
protection in place to help safeguard them.
    [The prepared statement of Mr. Rotenberg follows:]

 Prepared Statement of Marc Rotenberg, Executive Director, Electronic 
                       Privacy Information Center

    Mr. Chairman, Members of the Senate Commerce Committee, thank you 
for the opportunity to testify today on S. 2201, the Online Personal 
Privacy Act. My name is Marc Rotenberg. I am the Executive Director of 
the Electronic Privacy Information Center in Washington, DC. EPIC is a 
public interest research and advocacy organization that focuses on 
emerging civil liberties issues. I am also the chairman of Privacy 
International, a human rights organization based in London.
    It is clear that the protection of privacy remains one of the top 
concerns in the United States today. Even with the dramatic events of 
the past year, Americans continue to make clear in opinion polls, news 
articles, and everyday conversation that one of the great challenges in 
our era of hi-tech convenience is to avoid the loss of personal 
privacy.
    Today we get sports scores online, read news stories, send messages 
to friends and colleagues, participate in discussions, buy books and 
CDs, shop for home loans, make travel plans, and purchase gifts for our 
relatives. All of this is made possible because of a new computer 
network technology that has linked together the inexpensive desktop 
computers that we have in our homes. The benefits of the Internet are 
clear, but so too are the risks.
    In many respects, this ongoing support for the right of privacy is 
not surprising. Privacy protection has a long history in the United 
States. Many countries have simply not afforded their citizens the 
right to use telephones without eavesdropping, to hold credit reporting 
firms accountable for inaccurate disclosures that impact a consumer's 
ability to participate in the marketplace, to find a job, to obtain 
health insurance, or to buy a home.
    New privacy laws have frequently been developed in response to the 
challenges of new technology. Congress enacted privacy laws for the 
telephone network, computer databases, cable television, videotape 
rentals, automated health records, electronic mail, and polygraphs. In 
each case, it was never the intent to prohibit the technology or to 
prevent the growth of effective business models. Instead, the purpose 
was to establish public trust and confidence in the use of new 
technologies that had the ability to gather a great amount of personal 
information and, if used improperly, to undermine the right of privacy.
    With the Internet, a piecemeal approach has been taken. A law was 
passed to protect the privacy interests of minor children. The FTC 
exercised its section 5 authority for a limited number of privacy 
cases. Some US firms endorsed the Safe Harbor Arrangement, providing at 
least for their European customers, baseline privacy protection. Many 
companies also attempted to address public concerns about online 
privacy through the development of privacy policies, the hiring of 
privacy officials, and support for third-party accreditation services. 
Some progress has been made. But serious problems remain.

   Companies post privacy policies, enter into relationships 
        with consumers, collect personal information, and then decide 
        to change their policies.

   Companies create assurances of protection, run into 
        financial troubles, seek protection under bankruptcy law, and 
        then sell their customers' data to the highest bidder.

   Companies post privacy policies that require the help of 
        both an English major and a commercial lawyer to understand, 
        and even then the policies are misleading and contradictory.

   Companies acquire information from customers for one purpose 
        and then turn around and sell it for another without the 
        customer's knowledge and consent.

   And companies avoid the adoption of genuine Privacy 
        Enhancing Technologies that could minimize privacy risk and 
        promote the development of electronic commerce because there is 
        no financial consequence to do otherwise.

    In each of these examples, there is no market-based solution. And 
all of this takes place in an environment where the data-collection 
practices are far more extensive than in the physical world. In theory 
consumers could bring suit for breach of contract, but privacy harms 
are difficult to measure, class action lawsuits have not had much 
success, and even the FTC has struggled to find a way to apply 
traditional consumer protection law to the new challenges of online 
privacy.
    The Online Personal Privacy Act seeks to establish trust and 
confidence in the disclosure of personal information in the online 
environment. This is central to the growth of electronic commerce and 
the online marketplace. The Act follows the approach of virtually every 
modern privacy law in the United States. The Act sets out ``Fair 
Information Practices'' for the collection and use of personal 
information provided by users of the Internet to those who operate 
commercial web sites or provide Internet services or online services.
    As a general matter, the Online Privacy Protection Act contains the 
basic elements of an effective privacy law. There are provisions for 
access and for enforcement. There are security obligations and notice 
requirements. There are opportunities for enforcement. In many respects 
the Act also tracks the better practices followed by companies today as 
well as the Safe Harbor Arrangement that US firms have increasingly 
followed in their online commercial relations with customers in Europe 
and other countries.

Law Enforcement Exception
    As with many privacy laws, the Act creates a presumption against 
the disclosure of personal information and then sets out limited 
circumstances when the information may properly be disclosed. For a 
privacy law to be effective, it is critical that these exceptions be 
carefully drafted and as narrow as possible. In my opinion, the 
exception for disclosure to law enforcement agencies (sec. 103(e)) is 
too broad. In fact, I could not find another privacy law that would 
make it so easy for so many public officials to get access to personal 
information that would be otherwise protected in law.
    The problem is the list of entities--``law enforcement, 
investigatory, national security, regulatory agency, or Department of 
United States''--coupled with the phrase ``in response to a request or 
demand made under authority granted to that agency or department.'' 
That formulation essentially defeats the Fourth Amendment purpose of 
ensuring that the judiciary plays a role where a lawful search is 
authorized. I urge you to stay with the standard in other privacy laws 
that grants authority to a ``law enforcement agency'' acting on a 
federal or state warrant, a court order, or a properly executed 
administrative order. This provides the government with a wide range of 
opportunity to obtain information in the course of a criminal 
investigation in a manner that ensures judicial oversight and minimizes 
the risk of abuse.

Access Provision
    The access provision (sec. 105) follows a principle widely 
recognized in US privacy law, and that is the ability of a person to see 
the records held by others. Consumers receive access to credit reports, 
to medical records, and to cable billing information. Under the Privacy 
Act they are also able to obtain records of information about them held 
by federal agencies. But the provision in the Online Personal Privacy 
Act is narrower than it should be. Consumers generally know what 
information they have provided to companies. What they do not know is 
what information the company is providing about them to others. The 
access provisions should allow consumers to be aware of disclosures to 
third parties.
    Also, the bill rightly ensures that copies of this information will 
be available at a reasonable fee and that the fee is waived in those 
cases where the consumer may not be able to pay or where there is 
fraud. A provision should also be included to provide free access in 
those cases where the provider or operator receives payment or 
consideration from a third party for the disclosure of the user's 
information. This is a principle of fairness and equity that will make 
companies more respectful of the privacy interests of their customers.

Enforcement
    Mr. Chairman, the section on enforcement raises several difficult 
problems. It rightly seeks to provide several ways to ensure actual 
implementation of the practices set out in Title I, but it is not clear 
whether these provisions individually, or taken together, provide an 
adequate means of protection.
    It is likely that the primary means of enforcement will be through 
the Federal Trade Commission since any violation of the Act will be 
considered a violation of Section 5 of the FTC Act. However, the FTC 
Act does not provide any actual relief to affected parties. The FTC 
will have the authority to enter into a consent decree to prevent the 
company from engaging in similar acts in the future.
    The State Attorneys General retain significant authority to pursue 
actors that violate Title I but the FTC retains the ability to prevent 
these matters from going forward. Considering that the bill also 
preempts the authority of states to enact stronger measures to 
safeguard the interests of their citizens, this provision represents a 
significant transfer of authority from the states to Washington, DC.
    Structurally, the Act places a great deal of faith on the ability 
of the FTC to pursue privacy violations. I believe that this can be 
made to work but it will require extensive public oversight. The 
critical role of the FTC becomes even clearer when you consider the 
private right of action created by section 203. Some of the industry 
lobbyists have claimed that this bill will open a floodgate of 
litigation. But a fair reading of the Act reveals that it will be 
remarkable if there is more than a trickle of cases.
    Section 203 is drafted in such a way as to pile high all the 
hurdles of litigation without any of the benefits. Litigants will be 
required to establish ``actual harm'' which is difficult in privacy 
cases, and the reason that federal law typically provides for 
liquidated damages. They will be required to go into federal district 
court when violations have occurred but there will be no payment for a 
lawyer or costs incurred and very limited opportunity for damages if 
they prevail. It is hard to imagine who but the most affluent would be 
able to pursue such a case.
    The private right of action provision in this bill is far narrower 
than any other privacy law with which I am familiar. Typically, a 
federal privacy law allows a person to recover actual damages not less 
than a set amount of at least $2,500, punitive damages, reasonable 
attorney fees and litigation costs, and such other relief as a court 
may determine. And even with these incentives, privacy cases are 
infrequent and damages, when they are awarded, are nominal. It takes an 
extremely determined plaintiff to pursue these cases.
    At the very least, the Committee should either allow individual 
consumers to go into small claims court to seek relief for violations 
of the Act, as they are able to do currently under the Telephone 
Consumer Protection Act, or if they must go into federal court, the Act 
should provide for reasonable attorneys fees, costs, and such other 
relief as a court may provide. Even with this change, proving actual 
harm in a privacy case will remain very difficult.

Application to Congress and Federal Agencies
    Mr. Chairman, I am pleased to see that Title III of the Act extends 
baseline privacy standards to federal agencies and to the United States 
Congress. This sends a clear message that Internet privacy protection 
should apply to both the public and private sector. Title III should 
also make clear that nothing in this Act will alter the obligations 
set out in the Privacy Act of 1974, which applies to all federal 
agencies that collect personal information on US citizens whether or 
not they are providers or operators under the definitions of the Act.
    But here again I must point out that, unless the law enforcement 
access provision in Section 103 is narrowed, any federal agency could 
defeat the purpose of this Online Personal Privacy Act simply by 
granting itself the authority to routinely engage in actions that would 
otherwise violate the provisions set out in Title I. It simply does not 
make sense to pass a privacy law that seeks to impose privacy 
obligations on a federal agency and then leaves the agency with the 
authority, if it so chooses, to remove the obligations.

Definition of Sensitive Personally Identifiable Information
    The Act makes an important distinction between Personally 
Identifiable Information (PII) and Sensitive Personally Identifiable 
Information (SPII). The first is generally subject to the opt-out 
approach, while the second would require opt-in. While many privacy 
experts, including me, have favored the opt-in rule for all transfers 
of personal information, I believe the approach set out in the bill can 
be made to work. It reflects a general recognition that there is a 
distinction between medical and financial information on the one hand 
and the type of paper towel or lettuce we buy on the other. It also 
follows an approach that is increasingly found in Europe and other 
regions of the world to make clear that a stronger privacy standard 
should apply to more sensitive personal information. The definition of 
Sensitive Personally Identifiable Information set out in the Act 
reflects both a commonsense understanding and the practice that is 
currently evolving.
    The one additional subject area that I hope you will consider 
adding to the category of Sensitive Personally Identifiable Information 
is for matters of intellectual freedom and political belief. The United 
States in particular has a long tradition of seeking to safeguard the 
records of the books that people borrow in libraries, the video tapes 
they rent, and the cable programs they watch. In a recent case, a state 
Supreme Court made clear the high level of privacy associated with 
records of bookstore customers.
    With the Internet in particular, there is a significant risk that a 
very detailed picture of a person's political beliefs could be easily 
compiled and distributed with little regard for the right of privacy. I 
believe that if this were done by government actors it would implicate 
deeply held First Amendment values and should not be permitted.

Privacy Enhancing Technologies
    Efforts to develop tools that will enhance online privacy and could 
diminish the need for further legislation should certainly be 
encouraged. The bill proposes P3P as one possible approach. I believe a 
better research program would focus on genuine Privacy Enhancing 
Techniques that enable online transactions and commerce, and minimize 
the risk of privacy loss. Such approaches include techniques for 
``authentication without identification,'' which means simply that 
consumers could engage in verifiable transactions with online merchants 
without disclosing their actual identities much as they do today in the 
physical world with cash and credit cards. Other research topics might 
include techniques for enabling online access that do not create 
additional security risks, developing methods for consumers to more 
readily track the subsequent disclosure of their personal information, 
and ensuring by technical measures that individuals will maintain 
greater control over the personal information they provide to others.
    It is clear that a wide range of approaches will be necessary to 
safeguard online privacy. Technology has a critical role to play. But 
the privacy technologies must be designed with the central goal of 
protecting privacy.

Conclusion
    In conclusion, Mr. Chairman and Members of the Committee, the 
Online Personal Privacy Act is an important step forward in the 
advancement of privacy law in the United States. It responds to 
overwhelming public support for stronger privacy protection on the 
Internet. It seeks to ensure that the right of privacy will carry 
forward as new commercial opportunities are developed and new 
technologies emerge. I hope the Committee will take the steps necessary 
to strengthen the provisions in the bill so as to ensure that the 
intent of the sponsors is realized in practice.
    Thank you again for the opportunity to appear before the Committee 
today. I would be pleased to answer your questions.

    The Chairman. Thank you very much. Mr. Misener.

          STATEMENT OF PAUL MISENER, VICE PRESIDENT OF
                GLOBAL PUBLIC POLICY, AMAZON.COM

    Mr. Misener. Good morning, Chairman Hollings, Senator 
McCain, Members of the Committee. My name is Paul Misener. I am 
Amazon.com's vice president for global public policy. Thank you 
for inviting me to testify today on S. 2201. We greatly 
appreciate the time and energy you and your staff have 
committed to consumer information privacy issues, as well as 
your continuing willingness to hear Amazon.com's perspectives.
    Mr. Chairman, Amazon.com is the Internet's No. 1 retailer, 
with well over 35 million customers. We have as much experience 
and as much at stake as any entity on these issues. Although 
Amazon.com has serious concerns about several aspects of this 
bill, we look forward on behalf of our customers and company to 
working with you and your Committee to address all of these 
issues.
    Mr. Chairman, Amazon.com is pro-privacy. The privacy of 
personal information is important to our customers and, thus, 
is important to us. Therefore, Mr. Chairman, we share your goal 
of providing consumers the personal privacy protections they 
want, and we already provide, with one understandable 
exception, the substantive protections that a reasonable 
interpretation of your bill would require.
    Indeed, at Amazon.com we manifest our commitment to privacy 
by providing our customers notice, choice, including opt-in 
choice where appropriate, access and security. So why do we do 
so? Well, the reason is simple. Privacy is important to our 
customers, and therefore important to Amazon.com. We simply are 
responding to market forces.
    Amazon.com believes S. 2201's most serious shortcoming is 
that, as drafted, it would not apply equally to online and 
offline activity. In our view, it makes little sense to treat 
consumer information collected online differently from the same 
consumer information collected through offline media such as 
point-of-sale purchase tracking, warranty registration cards, 
and magazine subscriptions.
    Offline privacy practices differ from online practices in 
only three relevant respects, and in two of these respects 
consumers get more privacy protection online than offline. In 
any case, these differences are not addressed in this bill. 
Rather, virtually identical practices would be treated 
differently.
    Moreover, online transactions account for only a tiny 
percentage, as Senator Burns pointed out, just 1 percent of all 
consumer transactions, and people on the unfortunate side of 
the digital divide, generally those with less money and 
education, would receive no protections from an online-only 
law.
    This is not to suggest that an online-only approach never 
was credible. To the contrary, based on what little was known 
publicly about both online and offline privacy practices as 
recently as 2 years ago, one easily could have concluded at the 
time that online privacy issues deserved discriminatory 
treatment, especially in order to avoid a potential privacy 
disaster, but now we know there is little justification for 
discriminating against online.
    Mr. Chairman, Amazon.com gratefully acknowledges that S. 
2201 contains two important provisions that would be good for 
our customers, company, and industry. First, it would confirm 
our belief that the privacy promises a company makes to 
consumers must still apply to the private information consumers 
provide to that company even after ownership of the company or 
information changes.
    Second, it intends to preempt inconsistent or additional 
State laws. It would be difficult or impossible for nation-wide 
entities to comply with as many as 50 conflicting laws, and it 
would be unfair, if not also unconstitutional, to permit the 
citizens of one State to make the privacy decisions for 
citizens of another.
    Mr. Chairman, we also have identified the following areas 
of serious concern in S. 2201. Amazon.com will focus its 
cooperative, constructive efforts on these issues as well as on 
the online-offline parity point, in an effort to provide you 
and your Committee as much information as possible.
    We are very concerned that section 203, on private rights 
of action, would give overly aggressive litigants a new tool to 
extract rents from, quote, good-guy companies with relatively 
deep pockets. It is clear from the recent privacy sweeps that 
the most popular and, thus, the most successful web sites 
already are providing outstanding privacy protections. 
Unfortunately, however, it will be these, quote, good guys that 
litigants attack, because these are the entities capable of 
paying big judgments. Indeed, under the current bill it would 
be far more lucrative to bring a class action suit to catch a 
good guy on a technicality than catch a bad guy in an egregious 
act.
    And the threat is astounding. A company could be hit with a 
judgment of $5,000 per user per violation with a showing of but 
minimal actual harm and no showing of malfeasance. Because 
class actions are not precluded, there probably would be a 
class action alleged for every potential violation, and for a 
company like ours, with 35 million customers, the implications 
are staggering.
    And worse for consumers, allowing such private rights of 
action would cause the good guys to make their privacy notices 
much more legalistic and much less readable just so that they 
would fare better in a lawsuit. We believe a regulatory body 
such as FTC, on the other hand, could balance the competing 
interests of legal precision against simplicity.
    Another key concern for us are the access and deletion 
requirements in section 105. This section seems to require data 
deletion on demand, which would be extraordinarily expensive 
and would dramatically hinder our efforts to thwart fraud and 
consumer identity theft. Indeed, this provision would likely 
end up making consumer identity theft easier by making criminal 
activity much harder to trace.
    Further, the quote, reasonable security requirements of 
section 106 are cause for great concern, especially among 
Amazon.com's engineers. Companies have every possible 
motivation, including extant tort law, to maintain effective 
security against hackers. Nonetheless, if there is a security 
breach, it may be very difficult for a company to argue that, 
quote, reasonable precautions were taken. With little precedent 
for guidance, the fact of a breach would make any failed 
security precautions look unreasonable. In other words, without 
clarifying language, the security reasonableness standard 
likely would function as a strict liability standard.
    Last, we are very concerned about the vague and sometimes 
incorrect definitions listed in section 401. What, for example, 
is ``robust notice'' on a web-enabled cell phone or other 
small-screen device such as a remote terminal on the kitchen 
wall, or on the automobile dashboard?
    Mr. Chairman, in conclusion, Amazon.com is pro-privacy in 
response to consumer demand and competition. We already provide 
our customers notice, choice, access, and security. You have 
called for these same features in S. 2201, and although we have 
many concerns with this bill, we appreciate that you recognize, 
as we do, the importance of consumer privacy.
    Our foremost concern with S. 2201 is that it would apply 
only to some companies and only to 1 percent of consumer 
transactions. Amazon.com respectfully requests that any privacy 
legislation that moves forward out of this Committee apply to 
all transactions, not merely those conducted online. Although 
Amazon.com welcomes two key components of this bill, we also 
have serious concerns with several other specific provisions. 
We look forward to working with you and your Committee to 
address these issues.
    Thank you again for inviting me to testify. I welcome your 
questions.
    [The prepared statement of Mr. Misener follows:]

   Prepared Statement of Paul Misener, Vice President, Global Public 
                           Policy, Amazon.com

    Chairman Hollings, Senator McCain, and Members of the Committee, my 
name is Paul Misener. I am Amazon.com's Vice President for Global 
Public Policy. Thank you for inviting me to testify today on S. 2201, 
The Online Personal Privacy Act.
    Although, as I will describe throughout this testimony, Amazon.com 
has serious concerns about several aspects of this bill, we greatly 
appreciate the time and energy you and your staff have committed to 
consumer information privacy issues, as well as your continuing 
willingness to hear Amazon.com's perspectives.
    Amazon.com also gratefully acknowledges that S. 2201 contains two 
important provisions that we could support. First, this bill would 
confirm our belief that the privacy promises a company makes to 
consumers must still apply to the private information consumers provide 
to that company, even after ownership of the company or information 
changes. Second, S. 2201 intends to preempt inconsistent or additional 
state laws. It would be difficult or impossible for nationwide websites 
to comply with as many as fifty conflicting laws, and it would be 
unfair (if not also unconstitutional) to permit the citizens of one 
state to make the privacy decisions for the citizens of another. Both 
of these provisions in S. 2201 are welcome and would be good for our 
customers, company, and industry.
    As for our concerns, Mr. Chairman, Amazon.com is the Internet's 
number one retailer and, therefore, has as much experience (and as much 
at stake) as any other entity on these issues. On behalf of our 
customers and company, we look forward to working with you and your 
Committee to address the concerns we raise in this testimony. I hope 
that you will welcome our perspectives in the constructive and 
cooperative spirit in which they are offered.

Privacy at Amazon.com
    Mr. Chairman, Amazon.com is pro-privacy. The privacy of personal 
information is important to our customers and, thus, is important to 
us. Indeed, as Amazon.com strives to be Earth's most customer-centric 
company, we must provide our customers the very best shopping 
experience, which is a combination of convenience, personalization, 
privacy, selection, savings, and other features.
    Therefore, Mr. Chairman, Amazon.com shares your goal of providing 
consumers the personal privacy protections they want, and we already 
provide most of the substantive protections that a reasonable 
interpretation of your bill would require. At Amazon.com, we manifest 
our commitment to privacy by providing our customers notice, choice, 
access, and security. Before I describe these four facets of privacy 
protection at Amazon.com, please allow me to explain how we use 
customer information.

Personalization at Amazon.com
    In general, Amazon.com uses personally identifiable customer 
information to personalize the shopping experience at our store. Rather 
than present an identical storefront to all visitors, our longstanding 
objective is to provide a unique store to every one of our customers, 
now totaling well over 35 million people. In this way, our customers 
may readily find items they seek, and discover other items of interest. 
If, for example, you buy a Stephen King novel from us, we likely will 
recommend other thrillers the next time you visit the site.
    Amazon.com now inserts, among the now-familiar ``tabs'' atop our 
Web pages, a special tab with the customer's name on it. When I visited 
Amazon.com's site last week, for example, the tabs included Books, 
Electronics, DVDs, and ``Paul's Store.'' By clicking on the ``Paul's 
Store'' tab, Amazon.com introduced me to six smaller stores, including 
one named, ``Your Kitchen and Housewares Store,'' which featured a 
Calphalon Commercial Nonstick Collector's Edition 10-Inch International 
Griddle/Crepe Pan, which I promptly bought.
    It was no coincidence, of course, that Amazon.com recommended this 
crepe pan to me, and that I liked it: using so-called ``collaborative 
filtering'' techniques, which compare my past purchases (many of which 
are cookware items) to anonymous statistics on thousands of other 
Amazon.com purchases, Amazon.com computers automatically--and 
correctly--predicted that I would want that crepe pan.
    Similar personalization is provided in the traditional Amazon.com 
recommendations on the home page, in purchase follow-up 
recommendations, in the ``New for You'' feature, and in some varieties 
of email communications. Customers can improve the quality of these 
recommendations in several ways, including by deleting individual 
Amazon.com purchases from consideration, and by rating the products 
they buy at Amazon.com or elsewhere. For example, last year I bought my 
niece a few CDs from the singer Britney Spears but, because I do not 
want similar music recommended to me, I have deleted these CDs from the 
list of items Amazon.com uses to produce my recommendations. In 
addition, on Amazon.com's site, I can rate a CD that I might have 
purchased at Wal-Mart, in order to improve the quality of Amazon.com's 
music recommendations to me.
    Obviously, Amazon.com's personalization features directly benefit 
our customers. And, just as obviously, these features require the 
collection and use of personally identifiable customer information. The 
question, then, is how do we protect the privacy of this information?

Privacy Practices at Amazon.com
    As I indicated earlier, Amazon.com manifests its privacy commitment 
by providing notice, choice, access, and security.
    Notice. Amazon.com was one of the first online retailers to post a 
clear and conspicuous privacy notice. And in the summer of 2000, we 
proudly unveiled our updated and enhanced privacy policy by taking the 
unusual step of sending email notices to all of our customers, then 
totaling over 20 million people.
    Choice. We also provide our customers meaningful privacy choices. 
In some instances, we provide opt-out choice, and in other instances, 
we provide opt-in choice. For example, Amazon.com will share a 
customer's information with a wireless service provider only after that 
customer makes an opt-in choice. We simply are not in the business of 
selling customer information and, thus, beyond the very narrow 
circumstances enumerated in our privacy notice, there is no information 
disclosure without consent.
    Access. We are an industry leader in providing our customers access 
to the information we have about them. They may easily view and correct 
as appropriate their contact information, payment methods, and purchase 
history. And, with a feature called ``The Page You Made,'' customers 
even can see part of the ``click-stream'' record of products they view 
while browsing Amazon.com's online store.
    Security. Finally, Amazon.com vigilantly protects the security of 
our customers' information. Not only have we spent tens of millions of 
dollars on security infrastructure, we continually work with law 
enforcement agencies and industry to share security techniques and 
develop best practices.
    It is very important to note that, other than an obligation to live 
up to pledges made in our privacy notice, there is no legal requirement 
for Amazon.com to provide our customers the privacy protections that we 
do.

Market Forces at Work
    So why do we provide notice, choice, access, and security? The 
reason is simple: privacy is important to our customers, and thus it is 
important to Amazon.com. We simply are responding to market forces.
    Indeed, if we don't make our customers comfortable shopping online, 
they will shop at established brick and mortar retailers, who are our 
biggest competition. Moreover, online--where it is virtually effortless 
for consumers to choose among thousands of competitors--the market 
provides all the discipline necessary. Our customers will shop at other 
online stores if we fail to provide the privacy protections they 
demand.
    These market realities lead Amazon.com to eschew the term 
``industry self-regulation.'' We believe this concept--which often is 
touted as a substitute for legislation and government regulation--
suggests that companies must act altruistically in order to provide 
consumers the protections they deserve. But this suggestion simply is 
not true. Companies must provide the privacy protections consumers 
demand or be forced out of business. Nowhere is this more true than 
among website-based retailers: a consumer can easily choose among 
hundreds of retailers without leaving her home. Contrast that with 
brick and mortar retail, which presents consumers with only a very 
small number of store choices within a reasonable driving distance.
    Moreover, as Amazon.com has consistently stated, and last year 
testified before this Committee, these market realities also lead us to 
conclude that there is no inherent need for privacy legislation, at 
least for typical website-based business-to-consumer commerce. The 
Federal Trade Commission's annual privacy sweeps (this year conducted 
by the Progress and Freedom Foundation at the behest of the Commission) 
confirm that those companies with high levels of privacy protections 
are the ones that succeed in this robust market. There simply is no 
market failure for legislators to address; indeed, as just noted, the 
``online'' retail market is inherently more competitive than that of 
traditional ``offline'' retail. Put another way, if there is a market 
failure, it is with offline, not online consumer transactions.
    Notwithstanding these points on the inherent need for legislation, 
Mr. Chairman, Amazon.com wants to work cooperatively and constructively 
with you and your Committee on this issue. For S. 2201, we have one 
general concern, and several specific concerns, which I will describe 
momentarily. Let me again say, however, that we greatly appreciate the 
work you and your staff have put into this bill.

Fairness Among Transactions and Consumers
    Before addressing specific provisions of S. 2201, please allow me 
to comment on what Amazon.com believes to be the bill's most serious 
shortcoming: As drafted, S. 2201 would require companies to provide 
various privacy protections, but only for a tiny fraction of consumer 
transactions. And, S. 2201 would not require companies to provide any 
protections for tens of millions of American consumers with relatively 
low incomes and limited educational backgrounds.
    As I previously have testified before this Committee, Amazon.com 
believes that privacy legislation must apply equally to online and 
offline activities, including the activities of our offline retail 
competitors. It makes little sense to treat consumer information 
collected online differently from the same (or often far more 
sensitive) consumer information collected through other media, such as 
offline credit card transactions, mail-in warranty registration cards, 
point-of-sale purchase tracking, and magazine subscriptions.
    Offline Privacy Practices. For example, the offline consumer 
information collection practices of brick and mortar retailers are 
described on the website (http://www.epic.org/privacy/profiling/) of 
the Electronic Privacy Information Center (EPIC):

         ``Many supermarkets are offering membership cards that grant 
        discounts to consumers. What often goes unmentioned is that 
        these club cards enable the store to create detailed profiles 
        of individuals' consumption habits. These profiles are linked 
        to individually-identifiable information, often with the 
        requirement at enrollment that the consumer show state-issued 
        identification. Since many supermarkets sell more than just 
        food (alcohol, cigarettes, pharmaceuticals, etc.), the 
        companies can collect volumes of information about individuals' 
        habits.''

         ``The danger in this profiling is increased by the fact that 
        supermarkets are not limited by law in sharing the information 
        they collect. A supermarket can sell the information to a 
        health insurance company or to other aggregators in order to 
        make a more complete profile on an individual.''

         ``The risks of profiling based on consumption are often 
        derided by supermarket profilers. They may say that `no one 
        cares if you like asparagus more than broccoli.' But, that's 
        not the issue. Individuals have different definitions of 
        sensitive information. And the profilers aren't interested in 
        whether you're buying one vegetable over another. They are more 
        likely to want to know whether an individual is buying baby 
        diapers or adult diapers.''

    My wife and I know about these offline privacy practices firsthand. 
Our son is nearly five months old. Last month, after buying many 
packages of baby diapers from Giant Food, where we have a ``loyalty 
card,'' we received a Giant Food ``baby brochure,'' which essentially 
is an advertising packet. Clearly, this baby brochure solicitation from 
Giant came merely as a result of purchasing baby products from Giant 
stores: Giant's computers compiled information about our buying habits 
and decided to start sending us baby literature.
    To be clear, I don't mind receiving such solicitations nor, I 
believe, do most Americans. It makes more sense for me to receive baby 
product ads than the brochures I often receive on lawn care services in 
spite of the fact that I live in a townhouse. I just mind that S. 2201 
would ignore such offline practices, yet regulate the exact same 
personalization services provided by online entities such as 
Amazon.com.
    Warranty registration cards, as EPIC also points out on its 
website, are yet another way offline entities collect, enter into 
electronic databases, and sell personally identifiable information that 
often is entirely unrelated to the subject of the warranty. Several 
weeks ago, my wife and I needed to buy a new clothes washer and dryer. 
The warranty registration cards for these large and potentially 
dangerous appliances had labels telling us to complete and return the 
cards in the interest of safety. But, for some reason, they also needed 
to know our household income and our reading habits! Consumers are 
essentially asked to either provide private information or be unsafe. 
Similarly, an earlier purchase of a small, but potentially dangerous, 
space heater included a warranty registration card (again emphasizing 
the safety aspects of registration) that asked for my household income, 
where my family took our last vacation, whether we read the Bible, and 
whether anyone in the household has prostate problems. Because the 
private information sought from consumers is clearly unrelated to the 
product subject to the warranty, and probably unrelated to other 
products sold by the manufacturers of my washer/dryer and space heater, 
it is obvious that, under the guise of safety, highly private consumer 
information is being collected and sold.
    Obviously, these offline privacy practices are no less deserving--
and often far more deserving--of Congress' attention than online 
practices. Amazon.com firmly believes that, in fairness to consumers 
(if not also companies), online and offline privacy practices must be 
treated equally.
    The former and current chairs of the Federal Trade Commission have 
supported this view. In testimony before this Committee nearly two 
years ago, on May 25, 2000, then-Chairman Robert Pitofsky, in a 
colloquy with Senator Kerry, testified that,

         ``[I] have increasingly come to the view that the theory of 
        distinguishing online from offline is really rather weak. I was 
        recently influenced by one of our advisory panel people who 
        said, ``What is the point of treating warranty information from 
        when a consumer files a warranty card, that is just going to be 
        read into an electronic format by some clerk--Why would you 
        treat that information differently from another?'' I found that 
        a very powerful argument. I am also influenced by the fact that 
        we hear through mergers, joint ventures, and otherwise, that 
        online and offline companies are merging their databases. And 
        that's another reason we should think about both.''

    Current FTC Chairman Timothy Muris, in testimony before the Senate 
Appropriations Committee on March 19, 2002, said that,

         ``Consumers are deeply concerned about the privacy of their 
        personal information, both online and offline. Although privacy 
        concerns have been heightened by the rapid development of the 
        Internet, they are by no means limited to the cyberworld. 
        Consumers can be harmed as much by the thief who steals credit 
        card information from a mailbox or dumpster as by the one who 
        steals that information from a Web site.''

    And, last October, in a speech to the Privacy 2001 Conference, 
Chairman Muris specifically addressed the scope of privacy legislation, 
saying,

         ``I am concerned about limiting legislation to online 
        practices. Whatever the potential of the Internet, most 
        observers recognize that information collection today is more 
        widespread offline than online. Legislation limited to online 
        practices perhaps seemed attractive when Internet commerce was 
        expanding almost limitlessly. Today, however, it is 
        increasingly difficult to see why one avenue of commerce should 
        be subject to different rules than another, simply based on the 
        medium in which it is delivered.''

    Mr. Chairman, parity is necessary in fairness to online companies. 
It simply would not be equitable to saddle online retailers with 
requirements that our brick and mortar (or mail or telephone order) 
competitors do not face, nor would it be fair to mislead consumers by 
telling them their privacy would be substantially protected by an 
online-only bill when, in fact, only a tiny fraction of their 
transactions would be addressed.
    Online-Offline Differences. Some people contend, however, that 
online activities deserve discriminatory treatment under the law 
because of some inherent differences between online and offline 
business-to-consumer relations. As described above, there are many 
obvious similarities. I acknowledge, however, that there are three 
relevant differences between online and offline. Although one of these 
differences could lead to online consumers having relatively less 
privacy, the other two differences actually give online consumers more 
privacy protection than offline consumers.
    The one difference that potentially gives online consumers less 
privacy protection is the availability of so-called ``click-stream'' 
information, by which a website operator can observe, for example, what 
individual visitors see while visiting a website. In the retail 
context, this means web-based retailers can tell what a customer looks 
at, not just what he buys.
    Amazon.com has turned this technical capability into customer-
friendly features by which we better personalize our customers' 
shopping experience. We do this in two principal ways: First, we 
automatically display items that take into account a customer's recent 
shopping. If a customer has been looking at cameras, for example, the 
site may automatically display for her a camera tripod. Second, in our 
``The Page You Made'' feature, we display, on the side of the screen, 
links back to some of the items the customer has looked at. Thus, 
instead of scrolling back through the site (the online equivalent of 
walking back to the other side of the store), we provide a simple way 
for a customer to get back to the items she earlier examined. Again, 
these features rely on the use of ``click-stream'' information.
    But even this ability to see what is shopped but not bought is not 
entirely unique to online entities. Professor Clarke L. Caywood, in his 
top-selling marketing and PR textbook, The Handbook of Strategic Public 
Relations & Integrated Communications (McGraw-Hill, 1997), describes 
the same practice in the brick and mortar world:

         ``Marketers at Wal-Mart, a large discount retail chain, for 
        example, spend several days each week in their own stores (and 
        those of the competition) watching consumers shop, questioning 
        them about their purchases, and asking them for feedback. At 
        the end of each week, they return to their headquarters office 
        and, in conjunction with their colleagues who have also spent 
        time in stores in other locales, they discuss what's on the 
        consumer's mind, what trends they need to watch, and what 
        problems they need to correct. Armed with that information, 
        they can tailor all manner of programs to the immediate needs 
        of customers in a very specific local area.''

    Importantly, even if Congress considers the ``click-stream'' 
difference between online and offline to be crucial enough to warrant 
discriminatory treatment under the law, no federal bill introduced to 
date, not even S. 2201, is based upon this particular difference. 
Rather, S. 2201 and previous online-only bills would apply 
discriminatory legal treatment to activities that, for all practical 
purposes, are identical online and offline.
    And, if differences between online and offline activities are the 
key, online transactions, in two important respects, actually protect 
consumer privacy better than offline transactions. One respect is 
physical characteristics. Those Wal-Mart employees said to follow 
consumers around stores--and, indeed, any employee of a brick and 
mortar store, watching from the floor or hidden cameras overhead--can 
see physical personal characteristics unknown to online retailers. Wal-
Mart knows your sex and race; if you are pregnant; how well you dress; 
and if you have acne.
    They also know where you are. Indeed, when one of Amazon.com's 
customers visits our store, we cannot know their location. They may be 
at home, at the office, with their laptop computer at the airport, on 
the beach with their wireless PDA, or at an ``Internet Cafe'' in Paris. 
We simply don't know. But, when I use my Mobil credit card, Exxon-Mobil 
knows exactly where I am, and can track my movements. My physical 
location at any given time is, I would think, highly sensitive 
information. And, yet, by my reading of Mobil's privacy policy, Exxon-
Mobil would not even allow me to opt-out of Mobil using that 
information internally or sharing it with Mobil's ``joint marketing 
partners.'' S. 2201 would do nothing to change such offline situations, 
but would require online retailers to obtain (as Amazon.com already 
does) opt-in approval before transferring sensitive information. Again, 
if there's a privacy problem somewhere, it's offline.
    And, for those who point out that offline consumers can always wear 
dark sunglasses or pay cash in order to remain anonymous, I note that 
online consumers have many, much easier ways to remain anonymous. They 
may easily set their web browser to block cookies or may use 
anonymizing software tools provided by companies such as Zero-Knowledge 
Systems. Amazon.com's privacy notice describes how to block cookies and 
provides links to Zero-Knowledge and other anonymizer companies.
    Amazon.com Compliance with a Privacy Bill. At last summer's House 
Commerce Committee hearing on privacy, one Committee member kindly 
noted that the companies represented, including Amazon.com, are ``the 
good guys.'' The implication was that the ``bad guys'' should be the 
target of privacy legislation, and that we ``good guys'' need not fear 
a reasonable law.
    In one sense, this Representative was exactly right. Amazon.com 
does not fear the direct effects of reasonable privacy legislation 
because, unlike the vast majority of our competition in the brick and 
mortar world, we already provide notice, meaningful choice, access, and 
security. Indeed, if truly reasonably interpreted, almost all of the 
substantive requirements of S. 2201 likely would have little direct 
effect on Amazon.com and its customers. (The most notable exception 
would be the bill's extraordinarily burdensome access/deletion 
requirement.) We already are providing the privacy protections at the 
heart of this bill, including excellent access by customers to their 
own private information, simply because that is what our customers 
want.
    Offline Compliance with a Privacy Bill. However, in addition to a 
grave fear of being unfairly exposed to a spate of highly unreasonable 
lawsuits (which I will discuss in a moment), we fear any law that 
implicitly allows our offline competitors free rein to continue to be 
privacy ``bad guys,'' unbeknownst to consumers. Indeed, although we are 
confident that, if consumers really knew what was happening to their 
private information in the offline world, instead of being misled to 
believe that their privacy is more at risk online, they actually would 
flock to do business with online ``good guys'' like Amazon.com. But, 
with the considerable media hype and misinformation surrounding online 
privacy issues, and the relative dearth of revelations about offline 
consumer information privacy practices, we believe it would be very 
unfair to let our competitors surreptitiously collect, use, or transfer 
consumers' private information.
    Consumers Online and Offline. But most importantly, it would be 
fundamentally misleading to American consumers to enact a law that 
applies only to online entities because, for the foreseeable future, 
the putative protections of such a law would apply to just a tiny 
fraction of consumer transactions. Last year, online sales accounted 
for only one percent of all retail trade in the United States. 
Obviously, any law that addresses only online transactions could not 
benefit consumers much at all compared to one that equally addresses 
online and offline activities. Moreover, a law that addresses only 
online activities would have the perverse effect of failing to provide 
any benefits to those on the less fortunate side of the digital divide. 
Indeed, consumers who, because of economic situation, education, or 
other factors, are not online would receive no benefits from an online-
only law.
    Prior Online-Only Approaches. This is not to suggest that an 
online-only approach never was credible. To the contrary, based on what 
little was known publicly about both online and offline privacy 
practices as recently as two years ago, one reasonably could have 
concluded at the time that online privacy issues deserve discriminatory 
treatment, especially in order to avoid a potential ``privacy 
disaster.''
    No disaster has occurred, and we believe that facts gathered by 
this Committee and other bodies reveal that an online privacy disaster 
is no more likely than an offline privacy disaster. In addition, 
consumers now better understand that computers are used to record both 
online and offline transactions. The huge, searchable, and transferable 
computer databases kept by offline companies are just as much at risk 
as the information collections of online entities. In any case, the 
bills introduced to date would do little or nothing to forestall 
privacy disasters, either online or offline.
    Moreover, as elaborated throughout this testimony, discussions over 
the past few years have shown that there are few meaningful differences 
between online and offline privacy practices, and that some of these 
differences actually serve to protect consumer privacy better online. 
And, finally, as documented in the annual online privacy sweeps 
conducted by the FTC, et al., starting in 1998, it is clear that online 
entities have made extraordinary strides to enhance their privacy 
practices over the past four years. Offline privacy practices certainly 
have not improved at anywhere near this pace, if at all, over the same 
period.
    In sum, Mr. Chairman, although currently-available facts 
demonstrate that online practices do not deserve discriminatory 
treatment, there were good reasons why many people believed only a few 
years ago that such discrimination was warranted.
    Privacy Bill Benefits to Industry. Even if this law would do little 
or nothing to benefit the vast majority of consumer transactions, it 
has been suggested, such as in S. 2201's Findings, that an online 
privacy bill would be good for online companies because the consumer 
trust it would spawn would lead to additional sales. This belief 
implies that the online industry, which has not sought a bill, either 
does not know what is best for itself or has a hidden agenda. Speaking 
for Amazon.com, I can say unequivocally that our agenda since our 
founding in the mid-1990s, has been to provide our customers the very 
best shopping experience. We believe, with good reason, that if S. 2201 
were enacted, it would dramatically interfere with our ability to serve 
our customers. Indeed, S. 2201 has been reviewed by key personnel 
throughout our company and has provoked expressions of grave concern, 
particularly in the engineering department. These ``can-do'' engineers 
and programmers, who have built up our computer system all the way from 
our CEO's garage to the Fortune 500 in just seven years, seriously 
question whether we possibly could comply with the technical 
requirements of this bill. And, even if somehow they could make our 
systems comply, our engineers fear that many of the bill's provisions 
would seriously jeopardize our systems' security and anti-fraud 
efforts.
    Questionable Industry Support for an Online-only Bill. It is often 
said that, even if not a majority, at least some in ``industry'' 
support an online-only legislative approach. The relevant question is, 
which industry? The principal proponents of an online-only law do very 
little business online with consumers. One of the companies, a hardware 
manufacturer, does but a fraction of its business online, while its 
biggest competitor does 100% of its business online. It is not 
difficult to imagine why the first company might support a burdensome 
online-only approach. Moreover, this same hardware manufacturer sells 
business hardware and services to Internet-based companies and, 
potentially at least, would benefit from a law that would require 
substantial technical investments by online companies. Lastly, the 
other major technology firm that supports online-only legislation 
actually manufactures computer components and makes only a tiny 
percentage of its sales to consumers, whether online or offline. It is 
difficult to believe this company knows much more about serving web-
based customers than Amazon.com knows about semiconductor dumping 
practices.
    Relative Expediency of an Online-only Bill. Finally, it also has 
been said that ``online'' and ``Internet'' transactions are being 
singled out because it would be too difficult to craft a law that 
protects the other 99% of consumer transactions. Although it is hard to 
believe that expediency is the reason for the ``online-only'' focus, it 
is important to note that other bills have been (or soon will be) 
introduced in Congress that address both online and offline 
transactions. And, certainly this Committee has jurisdiction over all 
channels of commerce. Moreover, passing an online-only law at this 
point likely would delay passage of an offline bill for many years and, 
thus, actually would hurt the chances of providing privacy protections 
for consumers offline. In any case, it certainly would not be 99 times 
more difficult to craft a law that protects 99 times as many consumer 
transactions.
    Conclusion. For all the foregoing reasons, we firmly believe that 
any privacy legislation that moves forward out of this Committee should 
apply to all consumer transactions, not merely the one percent 
conducted online.

Key Positive Provisions in S. 2201
    Mr. Chairman, as noted earlier, we believe that there are at least 
two key provisions in S. 2201 that we could support. We appreciate the 
fact that you included these in your bill. They are the following:

   Continuing Promise (Section 102(e)(1)(b)): This explicit 
        confirmation that ``the promise runs with the information'' is 
        good. Although we believe existing common law and Section 5 of 
        the FTC Act already would prevent successor entities from 
        treating information less restrictively than was promised at 
        the time the information was collected, we appreciate and 
        support the enactment of this clarifying language, particularly 
        because it removes potential ambiguity in bankruptcy 
        proceedings.

   Preemption (Preamble Section 4): As noted above, this is a 
        necessary and good provision to ensure equal consumer privacy 
        protections nationwide and to allow nationwide entities to 
        comply (it would be virtually impossible for a nationwide 
        website to comply with conflicting rules from multiple 
        jurisdictions). Even though state laws most likely would fail a 
        constitutional challenge, the expense and uncertainty of 
        litigation could be avoided with this sort of Congressionally 
        adopted ceiling. Given the agreement on the need to preempt 
        inconsistent state laws, we merely need to ensure that this 
        language is adequately clear. (Reviewing courts look for clear 
        congressional intent; ambiguous language favors non-
        preemption.)

Specific Areas of Concern about S. 2201
    Mr. Chairman, we also have identified the following areas of 
serious concern in S. 2201. Amazon.com will focus its cooperative and 
constructive efforts on these issues, as well as on the online-offline 
parity point, in an effort to provide you and your Committee as much 
information as soon as possible. Our principal concerns are as follows:

    Private Rights of Action (Section 203):

   As noted above, we fear giving overly aggressive litigants a 
        new tool to extract rents from ``good guy'' companies with 
        relatively deep pockets. It is clear from the FTC/PFF sweeps 
        that the most popular and, thus, the most successful, websites 
        already are providing outstanding privacy protections. 
        Unfortunately, however, it will be these ``good guys'' that 
        litigants attack, because these are the entities capable of 
        paying big judgments. Indeed, under the current bill, it would 
        be far more lucrative to bring a class action suit to catch a 
        ``good guy'' on a technicality than catch a ``bad guy'' in an 
        egregious act.

   A company could be hit with a judgment of $5,000 per user 
        per violation (with up to a $100,000 kicker for repeated 
        violations) with a showing of but minimal actual harm and 
        showing no malfeasance. Because class actions are not 
        precluded, there probably will be a class action alleged for 
        every potential violation. And, if the alleged violation is a 
        part of a company doing business, there will be gigantic cases.

   Allowing such private rights of action will cause the ``good 
        guys'' to make their privacy notices much more legalistic--and 
        much less readable to consumers--just so that they would fare 
        better in a lawsuit. Unreadably long privacy statements and 
        fine-print legalese would become the norm. A regulatory body 
        such as the Federal Trade Commission, on the other hand, could 
        balance the competing interests of legal precision and 
        simplicity.

   In addition, the uniformity necessary to run nationwide 
        websites would be destroyed by a host of litigants suing 
        companies all across the country. A single authority, such as 
        the FTC, could provide the nationwide approach that private 
        litigation cannot.

    State Actions (Section 204):

   In a highly unusual, if not entirely unprecedented, grant of 
        power, this section would allow state attorneys general to 
        bring class actions on behalf of all their residents, unfairly 
        exposing online entities to politically motivated lawsuits.

    Access and Deletion (Section 105):

   Several of the terms in this section, such as ``reasonable 
        access,'' ``reasonable opportunity,'' and ``suggest,'' are 
        ambiguously defined and it is unclear how the ambiguity will be 
        resolved. Is this a matter for the Courts or perhaps a broad 
        FTC rulemaking?

   This section seems to require data deletion, which would 
        dramatically hinder our efforts to limit fraud and thwart 
        consumer identity theft. Indeed, this provision likely would 
        end up making consumer identity theft easier, by making 
        criminal activity much harder to trace. Further, just imagine 
        asking a bank, or credit card company, or brick and mortar 
        store, to simply ``forget'' a transaction conducted with them 
        last month, or last year!

   Our information technology department tells us that the 
        access/deletion requirements would require extraordinarily costly 
        technical measures. They also fear that, even if it would be 
        possible to meet these requirements, our security and anti-
        fraud measures would be compromised.

   Finally, there are very narrow exceptions to law enforcement 
        disclosure. One situation not addressed is where a website 
        operator discovers fraud and wants federal help investigating 
        it. Could we be liable if we report fraud to law enforcement or 
        to the victim of the fraud? And what if the victim files a 
        civil suit? Does the fraudster really have a right to contest 
        that motion?

    ``Reasonable'' Security (Section 106):

   Companies have every possible motivation, including tort 
        law, to maintain effective security against hackers. There is 
        no need for a new statute to require it.

   After a security breach, it may be very difficult to argue 
        that ``reasonable'' precautions were taken. With little 
        precedent for guidance, the fact of a breach would make any 
        failed security precautions look unreasonable. In other words, 
        without clarifying language, a security ``reasonableness'' 
        standard likely would function as a strict liability standard. 
        On the other hand, to the extent that security practices of 
        other entities become well known, it also would be a concern if 
        ``reasonable'' were defined as ``what everybody else is 
        doing.'' This interpretation could make it risky for companies 
        to take innovative approaches to security.

   Any detailed, public investigation of whether a company took 
        reasonable precautions might reveal too much to hackers about 
        what a company does and does not do.

    Information Collection (Section 101(a)):

   Even if S. 2201 were not modified to apply to offline 
        entities, this provision could unfairly be read to impose 
        requirements on online entities' use of offline information 
        that is, and would remain, available to offline entities 
        without restriction. Online entities should face no more 
        restrictions on offline information than do offline entities.

    Notice and Consent (Section 102):

   ``Clear and conspicuous,'' ``affirmative consent,'' and 
        ``robust'' all are ambiguous terms, despite the definitions 
        offered in Section 401, particularly with regard to the various 
        technical means for delivering this information. For example, 
        robust notice on a web-enabled telephone--with a very small 
        display--might be very different from robust notice on a wide-
        screen monitor.

   We are concerned about the general prescriptions on ``use'' 
        disclosures. How detailed must these disclosures be? If the 
        requirement is for super-detailed specifications, then 
        companies will have to anticipate too many small variations on 
        the general theme of how information is used, instead of 
        focusing on the most important general points. Importantly, if 
        too much information is required, consumers will not be 
        presented readable disclosures. Finally, as for ``methods of 
        using,'' we are concerned that this might require the 
        revelation of potentially sensitive technical information not 
        relevant to consumers, but very relevant and useful to hackers.

   For sensitive information, are ``opt-in'' (in the title) and 
        ``affirmative consent'' (in the text) the same thing? There is 
        considerable ambiguity in both of these terms. Would the 
        ``initial robust notice'' requirement force website operators, 
        every time they collect a little more PII, to go back and give 
        robust notice? Yet if the visitor just returns, and the 
        operator doesn't collect PII, then no robust notice is 
        required. And, under the construct of this bill, every web page 
        visit, which produces click-stream information, creates PII 
        when it's combined with a user's identity. We fear that 
        repetitive opt-out requirements would be burdensome and 
        annoying to consumers.

    Definitions (Section 401):

   This section, in addition to containing many ambiguities, 
        incorrectly defines the term ``cookie.'' Further, the 
        definition of ``robust notice'' is not clear. What is ``actual 
        notice''? Is it subjective? Also, the definition itself 
        contains a ``use'' (``to use or disclose that information for 
        marketing or other purposes''). Does this mean you have to give 
        Robust Notice, before the collection of PII, but Robust Notice 
        is the same as actual notice that you intend to use for 
        marketing or ``other'' purposes. Is a website's link to a 
        privacy notice ``robust'' in this way? And what about ``robust 
        notice'' on a wireless or other small screen device such as the 
        remote terminal on the kitchen wall or the automobile 
        dashboard?

    We have identified these principal concerns with S. 2201, and plan 
to continue our analysis and dedicate our attention to providing the 
Committee information on each of these points.

Conclusion
    In conclusion, Mr. Chairman, Amazon.com is pro-privacy in response 
to consumer demand and competition. We already provide our customers 
notice, choice (including opt-in choice where appropriate), access, and 
security. You have called for these same features in S. 2201 and, 
although we have many concerns with this bill, we appreciate that you 
recognize, as we do, the importance of consumer privacy.
    Our foremost concern with S. 2201 is that it would apply only to 
some companies and only to one percent of consumer retail transactions. 
For the many reasons articulated in this testimony, Amazon.com 
respectfully requests that any privacy legislation approved by this 
Committee apply to all consumer transactions, not merely those 
conducted online.
    In addition, Amazon.com has serious concerns with several specific 
provisions in the bill. Primary of these are the provisions for nearly 
unfettered class action litigation; access/deletion obligations that 
would jeopardize our security and anti-fraud efforts; and technically 
infeasible security requirements. We look forward to working with you 
and your Committee to address all of these issues.
    Thank you again for inviting me to testify; I look forward to your 
questions.

    The Chairman. Thank you, sir. Mr. Dugan.

              STATEMENT OF JOHN C. DUGAN, PARTNER,
   COVINGTON & BURLING, ON BEHALF OF THE FINANCIAL SERVICES 
                      COORDINATING COUNCIL

    Mr. Dugan. Thank you, Mr. Chairman, Senator Hollings, 
Senator McCain. I am testifying today on behalf of the 
Financial Services Coordinating Council, whose members include 
the American Bankers Association, the American Council of Life 
Insurers, the American Insurance Association, and the 
Securities Industry Association. These organizations represent 
thousands of large and small banks, insurance companies, and 
securities firms that, taken together, provide financial 
services to virtually every household in America.
    The FSCC is keenly aware of the need to maintain the 
privacy of personal information. With the enactment of the 
Gramm-Leach-Bliley Act in 1999, thousands of financial 
institutions across the country have expended enormous amounts 
of time, energy, and resources to provide financial institution 
customers with comprehensive privacy protections.
    These mandatory protections include notice of the 
institution's information that must be clear, conspicuous, and 
provided annually, opt-out choice regarding the institution's 
sharing of information with nonaffiliated third parties, 
security in the form of mandatory policies, systems, and 
controls to ensure that personal information remains 
confidential, and enforcement of privacy protections via the 
full panoply of enforcement powers of the agencies that already 
regulate financial institutions, the Federal bank regulators, 
the Securities and Exchange Commission, State insurance 
authorities, and the Federal Trade Commission.
    All of these mandatory privacy protections apply equally to 
financial institution consumers in both the offline and online 
context. The proposed requirements of S. 2201 would apply to 
financial institutions on top of this already extensive privacy 
regime.
    As a result, the FSCC strongly opposes S. 2201 for the 
following five reasons.
    First, as I said, financial institutions are subject already 
to the comprehensive privacy regulation that Congress carefully 
debated and enacted just less than 3 years ago. It would be 
both unnecessary and costly to subject them to the new and 
conflicting restrictions included in S. 2201, which would 
translate into two types of notices to consumers, two types of 
consent provisions, redundant security requirements, and two 
distinct types of enforcement regimes. The FSCC believes that 
financial institutions should be subject to a single privacy 
regime that applies equally in all contexts, as is the case 
now.
    Second, we believe the bill will thwart the development of 
e-commerce by, for example, imposing dual and conflicting 
privacy standards for companies that collect information both 
offline and online, as Senator McCain indicated before, often 
from the same customer. S. 2201 would severely impair a 
company's ability to operate under this clicks and bricks 
business model. Such a company would be forced to maintain two 
separate information systems, an offline system subject to any 
applicable offline privacy regulations, and an online system 
subject to both those privacy requirements and the requirements 
contained in S. 2201.
    In many cases, as I said, the two systems would apply to 
personal information collected from the same individual, and 
such a two-tiered system would be extremely costly and 
burdensome to manage, and it could cause some companies, 
especially smaller ones, to avoid online operations altogether.
    Third, S. 2201 would have a disproportionate impact on 
financial institutions, even though financial institutions are 
already subject to extensive privacy regulation. This is so 
because the bill regulates so-called sensitive information such 
as account balance and insurance policy information, much more 
stringently than nonsensitive information. Sensitive 
information is subject to the opt-in and class action 
enforcement, while nonsensitive information is subject only to 
the opt-out and no private right of action.
    For most types of businesses, the increased restrictions 
and sensitive information present relatively few additional 
problems, because sensitive information does not constitute the 
core of their business. That is not the case with financial 
institutions. There, such information frequently is the 
business of banks, insurance companies, and securities firms.
    For example, an online clothing retailer might want to 
provide special discount coupons to its best customers, who 
might be those individuals who purchase more than a certain 
amount of clothing each year. The retailer's discount offer 
would be subject to the bill's opt-out requirement, and a 
violation of the requirement would not be subject to a private 
right of action or class action enforcement.
    In contrast, a bank might want to give its biggest 
depositors a discount on unrelated financial services such as 
an insurance product, or a loan, or an insurance company might 
want to reward a large life insurance policyholder with a 
discount on his or her car insurance. In these cases, the 
discount offers would be subject to the bill's opt-in 
requirement, and any related violations of the statute would be 
subject to class action enforcement.
    Thus, financial institutions, which are subject to much 
more comprehensive privacy regulation than other online 
businesses, are subject to the bill's most onerous restrictions 
with respect to their core businesses, while less-regulated 
online providers are not. The FSCC believes this is unfair and 
unnecessary.
    Fourth, the FSCC believes that a number of the bill's 
provisions are simply far too restrictive, including both the 
opt-in and the access provision. In addition, the bill includes 
far too few exceptions to both its opt-in and opt-out 
requirements to recognize legitimate business-sharing and use 
practices that are necessary for companies to stay in business 
and provide customer service, such as sharing information with 
credit bureaus, securitizing mortgages, and a variety of other 
practices which I have included in more detail in my written 
statement.
    Moreover, the bill's opt-in and opt-out apply to any 
unrelated use of information, which would act as a new and 
unprecedented barrier to businesses communicating and marketing 
products to their own consumers. We think this restriction is 
just too broad.
    Finally, as others have testified, the FSCC believes that 
the bill's regulatory approach is unnecessary in view of the 
increasingly effective self-regulatory efforts of the online 
industry, including through new technologies.
    For all of these reasons, the FSCC opposes S. 2201. I would 
be happy to answer any questions you may have.
    [The prepared statement of Mr. Dugan follows:]

 Prepared Statement of John C. Dugan, Partner, Covington & Burling, on 
         behalf of the Financial Services Coordinating Council

    My name is John Dugan, and I am a partner with the law firm of 
Covington & Burling. I am testifying today on behalf of the Financial 
Services Coordinating Council (``FSCC''), whose members include the 
American Bankers Association, American Council of Life Insurers, 
American Insurance Association, and Securities Industry Association. 
These organizations represent thousands of large and small banks, 
insurance companies, and securities firms that, taken together, provide 
financial services to virtually every household in America.
    The FSCC appreciates the opportunity to testify before this 
Committee on S. 2201, the Online Personal Privacy Act. We are keenly 
aware of the need to maintain the privacy of personal information. With 
the enactment of the Gramm-Leach-Bliley Act in 1999 (the ``GLB Act''), 
thousands of financial institutions across the country have expended 
enormous amounts of time, energy, and resources to provide financial 
institution customers with comprehensive privacy protections. Coupled 
with the protections mandated by the Fair Credit Reporting Act, these 
consumers now must be provided--

   Notice of the institution's practices regarding information 
        collection, disclosure, and use, which must be clear, 
        conspicuous, and updated each year;

   Opt-Out Choice regarding the institution's sharing of 
        information with nonaffiliated third parties, and in certain 
        instances, with affiliates;

   Security in the form of mandatory policies, procedures, 
        systems and controls to ensure that personal information 
        remains confidential; and

   Enforcement of privacy protections via the full panoply of 
        enforcement powers of the agencies that regulate financial 
        institutions, i.e., the federal bank regulators, the Securities 
        and Exchange Commission, state insurance authorities, and the 
        Federal Trade Commission.

    In addition to these protections, customers of financial 
institutions that handle personal health information receive the 
extensive privacy protections of federal and state medical privacy 
laws. All of these mandatory privacy protections apply equally to 
financial institution consumers in both the offline and online 
contexts. Taken together, they form perhaps the most comprehensive set 
of mandatory privacy protections in the country. The proposed 
requirements of S. 2201 would apply to financial institutions on top of 
this extensive privacy regime.
    The FSCC strongly opposes S. 2201 for the following reasons. 
First, financial institutions are subject already to the comprehensive 
privacy regulation described above, which Congress carefully debated 
and enacted less than three years ago; it would be both unnecessary and 
costly to subject them to the new and conflicting restrictions included 
in S. 2201. Second, the bill will thwart the development of e-commerce 
by, for example, imposing dual and conflicting privacy standards for 
companies that collect information both online and offline, often from 
the same customer. Third, parts of the bill apply much more 
restrictively to financial institutions, because of the nature of their 
business, than they do to other types of companies--even though 
financial institutions are already subject to extensive privacy 
regulation. Fourth, a number of the bill's provisions are simply far 
too restrictive. Finally, the FSCC believes that the bill's heavy 
regulatory approach is unnecessary in view of the increasingly 
effective self-regulatory efforts of the online industry, including 
through new technologies.

I. Financial Institutions and their Customers Don't Need Yet Another 
        Set of Privacy Rules
    S. 2201 seems to be aimed primarily at online businesses and 
advertisers that are not now subject to mandatory privacy regulation. 
But the bill sweeps in any business that deals with any consumer via 
the Internet, which means that privacy-regulated businesses like 
financial institutions are included as well. Because of the financial 
institution privacy protections described above, which are already in 
place and apply in the online context, the FSCC believes that the 
bill's application to financial institutions is unnecessary.
    Just over two years ago, Congress carefully considered the costs 
and benefits of the privacy-related restrictions that ought to apply to 
financial institutions and their consumers, which resulted in Title V 
of the GLB Act. Financial regulators subsequently implemented detailed 
privacy regulations for the first time, and financial institutions have 
spent many millions of dollars to build systems to comply and protect 
customer information. Financial institution customers now enjoy the 
benefit of those protections, which ought to be given a chance to work.
    Moreover, S. 2201 would subject financial institutions to a whole 
new layer of privacy regulations that would apply at the same time as 
those imposed by the GLB Act and other financial privacy laws. That 
would mean two types of notices to customers, two types of consent 
provisions, redundant security requirements, and two distinct types of 
enforcement regimes. This is far too burdensome and costly. It could 
also confuse customers, which in turn would result in conflicting 
instructions by consumers to their financial institutions (e.g., opt-
out in one context, opt-in in another). Financial institutions should 
be subject to a single privacy regime that applies equally in all 
contexts.

II. S. 2201 Will Thwart the Development of Electronic Commerce
    The Internet is bringing enormous social and economic benefits to 
its users and to nations around the world. It is empowering individuals 
to seek, receive, and share information and ideas. It is changing how 
we educate, shop, spend our time, and transact business. And, perhaps 
most importantly, it is equalizing access to information, giving 
everyone with a computer and an Internet connection an opportunity both 
to acquire and use information more effectively.
    Throughout its short history, the Internet has been a virtually 
regulation-free environment. In the United States, regulations 
affecting the privacy of information online have been limited to only 
those necessary to protect our most vulnerable online population--
children. Because of this philosophy of regulatory restraint, 
electronic commerce has thrived. According to a recent U.S. Department 
of Commerce survey, more than half of Americans are using the Internet 
and among these Internet users, 39 percent of them are making online 
purchases.
    While the European Union has adopted comprehensive privacy 
regulations, the United States has avoided such an approach. On 
numerous occasions, government officials have appropriately voiced 
concern over problems inherent with applying old legislative paradigms 
to the constantly changing Internet. These concerns appropriately 
recognize (1) that market-driven solutions to online problems provide 
the most effective means to ensure the continued growth of the 
Internet, and (2) that any governmental regulation should target 
discrete concerns and be carefully tailored to reach no broader than 
necessary in order to solve the problem at hand. The Children's Online 
Privacy Protection Act (``COPPA'') and the Electronic Signatures in 
Globalization Act (``ESIGN'') reflect this balanced approach. Both laws 
are narrowly tailored to target specific online concerns and provide a 
workable legal framework within which these concerns can be resolved.
    S. 2201 is a marked departure from this philosophy of restraint and 
targeted governmental action. The bill treats information collected 
online differently than information collected by other means and 
thereby subjects the vast majority of U.S. companies to two 
substantially different privacy regimes in the offline and online 
environments. In practice, this approach will retard the use of online 
channels, or, at the very least, require a company to adhere to the 
bill's substantive requirements with respect to all of its information 
collection activities.
    Today, companies like financial institutions frequently operate 
according to a ``clicks and bricks'' business model under which 
customer relationships begin offline and migrate online. Specifically, 
a company collects personal information about a consumer offline when 
it begins a relationship with a consumer and then again online when the 
consumer, on his own or through the prompting of the company, uses the 
company's services over the Internet. In many cases, the information 
collected online is exactly the same as that collected offline (i.e., 
name, address, account number), but in other cases the information may 
be different. As a result, it is fairly typical that a company has one 
database that includes both personal information initially collected 
non-electronically (and subsequently entered into a computer) and 
similar or different information collected over the Internet.
    S. 2201 would severely impair a company's ability to operate under 
this ``clicks and bricks'' business model. Such a company would be 
forced to maintain two separate information systems--an offline system 
subject to any applicable offline privacy regulations (such as the GLB 
Act or healthcare privacy rules) and an online system subject to both 
those privacy requirements and the requirements contained in S. 2201. 
In many cases the two systems would apply to personal information 
collected from the same individual. Such a two-tiered system would be 
extremely costly and burdensome to manage. And it could cause some 
companies, especially smaller ones, to avoid online operations 
altogether.

III. S. 2201 Will Have a Disproportionate Impact on Financial 
        Institutions
    S. 2201 creates two categories of personally identifiable 
information--``sensitive'' and ``non-sensitive''--and regulates 
sensitive information much more stringently than non-sensitive 
information. The bill requires online operators to obtain opt-in 
consent before they collect, disclose, or otherwise use sensitive 
information, and would use a private right of action and class actions 
to address violations of such requirements. In contrast, with respect 
to non-sensitive information, the bill requires only opt-out consent 
and establishes no express private right of action for individuals.
    For most types of businesses, the increased restrictions on 
``sensitive'' information present relatively few additional problems, 
because ``sensitive information'' does not constitute the core of their 
business. That is not the case with financial institutions. S. 2201 
defines ``sensitive personally identifiable information'' to include 
``sensitive financial information,'' and that term includes the amount 
of income earned or losses suffered by an individual; balance 
``information'' regarding any financial services account; any insurance 
policy information; and outstanding credit card, debt, or loan 
obligations. Although such information may be incidental to the 
operations of many online companies, it frequently is the business of 
banks, insurance companies, and securities firms.
    For example, an online clothing retailer might want to provide 
special discount coupons to its best customers, who might be those 
individuals who purchased more than a certain amount of clothing each 
year. The retailer's discount offer would be subject to the bill's opt-
out requirement, and a violation of the requirement would not be 
subject to a private right of action or class action enforcement. In 
contrast, a bank might want to give its biggest depositors a discount 
on unrelated financial services such as an insurance product or a loan. 
Or an insurance company might want to reward a large term-life 
insurance policyholder with a discount on his or her car insurance. In 
these cases, the discount offers would be subject to the bill's opt-in 
requirement, and any related violations of the statute would be subject 
to (and a target for) class action enforcement.
    Thus, financial institutions, which are subject to much more 
comprehensive privacy regulation than other online businesses, are 
perversely subject to the bill's most onerous restrictions with respect 
to their core businesses, while less regulated online providers are 
not. As discussed below, it would be extremely costly and unfair to 
target financial institutions with some of the bill's most restrictive 
provisions, i.e., the opt-in and private right of action, which also 
have particularly negative effects on financial institutions that 
handle health information.

A. S. 2201's ``opt-in'' requirement will effectively prohibit core 
        financial institution practices that benefit consumers.
    Financial institutions are well aware of the unique position of 
responsibility they have regarding an individual's personal 
information, including health information. The member companies of the 
trade groups belonging to the FSCC are strongly committed to the 
principle that individuals have a legitimate interest in the proper 
collection and handling of their personal information and that these 
companies have an obligation to assure individuals of the 
confidentiality of that information.
    However, the FSCC strongly opposes S. 2201's opt-in requirement, 
especially when it is coupled with the bill's unrelated use 
requirement. That is, unlike the GLB Act, which applies only to 
disclosures of personal information by a financial institution to third 
parties, S. 2201 also restricts virtually any use of personal 
information by the institution itself, even if the information were not 
disclosed to others and were used to benefit the customer. This would 
constitute a new and unnecessary roadblock between all companies and 
their customers.
    The combination of the opt-in and unrelated use restrictions would 
require financial institutions to contact customers and obtain their 
prior permission to engage in core business activities involving 
personal information--which in practice would constitute a de facto 
prohibition on responsible information sharing that benefits consumers. 
Not even Europe's Privacy Directive, which on paper is one of the most 
stringent privacy regimes, goes this far. Instead, the EU Directive 
permits entities to follow an opt-out approach with respect to the use 
and disclosure of financial information.
    The FSCC believes that there is a fundamental flaw with the way 
opt-in requirements work. Such provisions deprive consumers of benefits 
from information sharing, such as discounts on other types of financial 
products. In essence, an opt-in creates a ``default rule'' that stops 
the free flow of information (which is especially critical to Internet 
transactions). This in turn makes the provision of financial services 
more expensive and reduces the products and services that can be 
offered. Further, consumers rarely exercise opt-in consent of any 
kind--even those consumers who would want to receive the benefits of 
information sharing if they knew about them. In contrast, a meaningful 
opt-out gives privacy-sensitive consumers as much choice as an opt-in, 
but without setting the default rule to deny benefits to consumers who 
are less privacy-sensitive.

B. S. 2201's narrow exceptions to the bill's opt-in (and opt-out) will 
        prevent critical information sharing by financial institutions.
    Privacy regimes that impose customer consent restrictions on 
financial institutions nearly always include a range of specific 
exceptions. These exceptions cover circumstances in which consent is 
either implied, unnecessary, or would impede a legitimate public policy 
goal. For example, the Gramm-Leach-Bliley Act and its implementing 
regulations at both the federal and state level recognize well over 30 
such exceptions, which are critically important to financial 
institutions doing business with their customers. Such ``doing 
business'' exceptions, which have never been controversial, permit 
disclosures that are necessary, for example, to prevent fraud, create 
credit histories, underwrite insurance, engage in risk management 
practices, securitize loans, outsource functions to agents, obtain 
legal advice, etc.
    In contrast, S. 2201 includes only four exceptions to the bill's 
opt-in and opt-out requirements. Section 104's exceptions apply to 
certain information collection, use, and disclosure practices that are 
necessary to (1) protect the security or integrity of the website; (2) 
conduct a transaction, deliver a product, or complete an arrangement 
for which personal information has been provided; (3) provide other 
products or services that are ``integrally related'' to the 
transaction, service, product, or arrangement for which the consumer 
provided the information; and (4) to comply with law enforcement or a 
judicial process.
    These provisions, although vague, were clearly crafted to reach 
services provided in the context of completing online retail sales. Yet 
financial institutions necessarily do much more with online information 
than engage in marketing or the other extremely narrow range of 
activities covered by the bill's exceptions. The combination of the 
opt-in and unrelated use provisions could potentially shut down core 
business use and sharing practices, including sharing information with 
credit bureaus, securitizing mortgages, running normal credit card 
operations, and engaging in a range of activities related to insurance 
underwriting. It is unlikely that these activities would qualify as 
``necessary to conduct'' or ``integrally related'' to the transaction, 
service, or product obtained by the consumer. This would have the 
unintended, negative consequence of disadvantaging, rather than 
helping, consumers.

C. The private-right-of-action provision will invite abusive class 
        action litigation against financial institutions.
    Under the bill's private right of action, any showing of actual 
harm involving sensitive information, however small, will provide a 
plaintiff with a guaranteed recovery of at least $5,000 per violation. 
Such a provision is clearly intended to attract class action litigation 
as an enforcement mechanism. Because financial institutions' core 
business involves information that the bill deems ``sensitive,'' the 
bill would make them the new target of choice for the plaintiffs' bar.
    This is both unfair and unnecessary. Unlike most online businesses, 
financial institutions are already heavily regulated, and their 
regulators have broad powers to punish violations of law--which they do 
not hesitate to exercise. That is why, in the privacy context, Congress 
chose not to authorize a private right of action or class actions as a 
means to enforce the GLB Act's privacy provisions. Instead, enforcement 
is accomplished through the full panoply of enforcement powers of the 
relevant financial regulator, e.g., federal banking agencies for banks; 
the SEC for securities firms; state insurance authorities for insurance 
companies; and the FTC for non-traditional ``financial institutions.'' 
This enforcement regime works. The FSCC therefore strongly opposes the 
creation of a new class action mechanism that, while having little 
impact on most online businesses, would create a huge and unnecessary 
new source of litigation cost for financial institutions.

D. The bill will have a disproportionate impact on financial 
        institutions that handle health information.
    S. 2201 includes individually identifiable health information 
within the definition of sensitive information that is subject to the 
bill's stricter opt-in requirements. This ignores the complex and 
detailed issues surrounding the protection of health information. 
Financial institutions, particularly insurance companies, must be able 
to disclose or otherwise use personally identifiable health information 
to perform essential, legitimate insurance business functions, such as 
underwriting and claims evaluations. In addition, insurers must be able 
to disclose and use personally identifiable health information to 
perform important business functions that are not necessarily directly 
related to a particular insurance contract but that are essential to 
the administration or servicing of insurance policies generally, such 
as, for example, developing and maintaining computer systems. An 
opt-in that would jeopardize these uses and disclosures of personally 
identifiable health information would also jeopardize insurers' ability 
to serve and fulfill their contractual obligations to existing and 
prospective customers.
    Insurers also must regularly disclose personal health and financial 
information to: (1) state insurance departments as a result of their 
general regulatory oversight of insurers, which includes regular market 
conduct and financial examinations of insurers; (2) self-regulatory 
organizations, such as the Insurance Marketplace Standards Association 
(IMSA), which imposes and monitors adherence to requirements with 
respect to member insurers' conduct in the marketplace; and (3) state 
insurance guaranty funds, which seek to satisfy policyholder claims in 
the event of impairment or insolvency of an insurer or to facilitate 
rehabilitations or liquidations that typically require broad access to 
policyholder information. In addition, insurers need to (and, in fact, 
in some states are required to) disclose personal information in order 
to protect against or to prevent actual or potential fraud. Such 
disclosures are made not only to law enforcement agencies, but also to 
state insurance departments, the Medical Information Bureau (MIB), or 
outside attorneys or investigators, who work for the insurer. To the 
extent that S. 2201's opt-in would limit these disclosures, it would 
undermine the public policy reason for making them--to protect 
consumers.
    Existing federal and state privacy regimes, including the final 
Standards for Privacy of Individually Identifiable Health Information 
(Privacy Rule) promulgated by the Department of Health and Human 
Services as required by the Health Insurance Portability and 
Accountability Act (HIPAA) (P.L. 104-191), provide fundamental 
protections to the privacy of health information. Unlike S. 2201, the 
HIPAA Privacy Rule includes a variety of carefully considered 
exceptions to its authorization requirement in order to strike a proper 
balance between the legitimate expectations of consumers concerning the 
treatment of their information and the ability of insurers and others 
to use personal health information responsibly. Also, many state laws 
and regulations, particularly those adopted recently to implement the 
privacy requirements of the GLB Act, contain sections specifically 
addressing the confidentiality of health information and specifically 
providing exceptions to their opt-in requirements applicable to 
disclosures of health information.
    In short, the issue of health information privacy is difficult and 
complex. It is, at best, unclear how the health provisions of S. 2201 
compare and/or integrate with existing laws and what impact this 
legislation will have on financial institutions. At worst, the 
combination of the opt-in and class action enforcement could have 
extremely negative consequences.

IV. Other Concerns with S. 2201
    There are a number of other fundamental problems with the 
provisions of S. 2201 that are not unique to financial institutions.
    ``Use'' Restrictions. The problem with the bill's blanket 
restriction on unrelated ``uses'' of information is not limited to 
sensitive information covered by the opt-in. It also applies to 
nonsensitive information covered by the opt-out. (A business may not 
disclose or ``otherwise use'' information collected online without 
notice and opt-out.) Among other things, this will impair a business 
from engaging in generally accepted marketing activities with its own 
customers, and a charity from soliciting contributors for additional 
contributions. Thus, the FSCC believes the use restriction is both 
unnecessary and overly broad.
    Access. S. 2201 will impose access requirements that will be 
extremely costly and that will reduce security on the Internet. S. 2201 
subjects access requests to a vague reasonableness test and fails to 
exclude information, such as trade secrets or internal operating 
procedures, to which consumers should never have access. In addition, 
S. 2201 fails to recognize that information may not be maintained in 
centralized databases searchable by customer name. (And privacy 
advocates have long advocated that businesses should not be encouraged 
to establish such centralized databases because of increased 
possibilities for obtaining and using too much information about an 
individual too easily.) Even where databases are highly centralized, 
the costs of complying with this requirement will far exceed the 
nominal charges permitted under the bill. S. 2201 also fails to define 
what it means to ``delete'' a record in an electronic environment. For 
example, must all back-up tapes be retrieved from storage and searched 
for relevant records when a ``delete'' request is received? What about 
requests to delete personal information when there is a legal 
obligation or important business reason to retain such information? The 
bill does not provide guidance on these important questions.
    Financial institutions already provide their customers--often in 
real time--with access to the personal information of greatest concern 
to them, i.e., their account balances and transaction statements. In 
addition, the Fair Credit Reporting Act provides consumers with 
extensive access and correction rights regarding financial institution 
information that is used to make very significant decisions about them, 
i.e., to grant or deny credit or insurance. For these reasons, there is 
no need to impose an additional and vague access requirement that can 
be used for ``fishing expeditions'' to search for violations of the 
Act--especially when violations can be easily translated into class 
action litigation.
    Security. S. 2201 contains security requirements that duplicate 
those already established for financial institutions in the GLB Act. 
Specifically, the GLB Act and its implementing regulations require that 
each financial institution protect the security and confidentiality of 
customers' nonpublic personal information and implement a comprehensive 
security program. The differences between the security provisions of S. 
2201 and the GLB Act will lead to unnecessary increased costs to ensure 
that security procedures meet multiple sets of requirements.

V. S. 2201 Is Unnecessary Because Private Sector Efforts Are Working
    Finally, apart from the fact that financial institutions are 
already subject to comprehensive privacy regulation, the FSCC believes 
that the private sector has taken and continues to take significant 
steps to address online privacy concerns. These efforts are 
particularly well suited for solving privacy-related problems on the 
Internet. This is so because private sector initiatives generally can 
respond more quickly than legislative solutions to changing 
technologies and evolving online business and social practices. In 
addition, private-sector mechanisms, because they are consumer driven 
by nature, are more likely to permit users to choose among various 
solutions based on their individual privacy preferences and thereby 
avoid the problem of over- and under-breadth that is unavoidable in 
government regulation, which typically must be one dimensional in 
nature.
    Recent surveys indicate that the private sector's efforts at self-
regulation are working. For example, the Privacy Online report released 
earlier this year by the Progress and Freedom Foundation shows that 
nearly all of the most popular websites (99%) and the vast majority of 
randomly sampled websites (80%, up from 64% in 2000) post some form of 
privacy notice if they collect personally identifiable information. Of 
those websites collecting personally identifiable information, 71% of 
randomly sampled sites and 89% of the most popular sites offer 
consumers some form of choice with respect to disclosing that 
information internally, and almost all (93% up from 77% last year) of 
the most popular sites and the majority of randomly sampled sites (65%) 
offer consumers choice over disclosures to third parties. Finally, the 
survey showed that websites are increasingly likely to tell consumers 
that they are taking adequate security measures to protect collected 
information.
    In addition, website operators continue to seek certification under 
seal programs such as TRUSTe and BBBOnLine. By the end of 2001, TRUSTe 
had certified more than 2000 websites in a variety of industries (up 
from roughly 500 websites in 1999) and BBBOnLine has certified more 
than 760 sites, up from 450 two years ago. The FTC has recognized that 
such seal programs are an effective method for delivering privacy 
protections to consumers. In particular, the FTC has endorsed seal 
programs as a means of complying with the provisions of COPPA--the FTC 
has created a safe harbor so that websites that comply with, for 
example, TRUSTe's children's privacy seal, will be deemed to be in 
compliance with COPPA as well.
    In addition to these efforts, technology provides compelling 
solutions to many online privacy concerns. For example, P3P, a privacy-
enhancing technology that enables users to specify a level of privacy 
protection based on a website's practices for tracking data, is 
continuing to gain acceptance and prominence as an effective method of 
protecting consumers' online privacy. Among the most popular websites, 
23% have implemented P3P, and Internet Explorer 6 includes the P3P 
function.
    In sum, like the Federal Trade Commission, the FSCC believes that 
the significant and evolving steps taken by the private sector to 
address online privacy concerns make additional governmental 
regulation unnecessary at this time, including S. 2201.

    The Chairman. Very good. Mr. Dugan, we appreciate the 
position of the bankers and the insurance industry and the 
securities group, but all you have to do is go get a loan from 
the bank and you will see how many requirements that are 
required, and all the information that is necessary to get that 
loan.
    There is no question--getting right to the point, the 
Federal Trade Commission for 5 years did as we in this 
Committee asked. We asked them to bring the industry in, 
correlate it, have hearings, they had numerous hearings time 
and again, and I mention this because one of the witnesses 
would quote just part of what Mr. Pitofsky found, that the 
Federal Trade Commission after 5 years, 2 years ago--so that 
means we have been on it seven years--they recommended 
congressional action to protect the consumer privacy online.
    Otherwise, all the fear and bother about the online-offline 
comparisons, witness after witness has pointed out the 
differences. It culminated into the Children's Online Privacy 
Protection under Senator Bryan some 4 years ago, and it has 
worked wonderfully well. We have not had all of the Chicken 
Little, the sky is going to fall if you do not regulate the 
offline with the online.
    Otherwise, with respect to the right of action, I will have 
to agree with Mr. Rotenberg that there is a virus in this 
Congress, because we are all opposed to politicians and we do 
not like lawyers, and anything that refers to our right of 
action, you would think that we had never had any enforcement, 
and of course when we refer to the different--like the National 
Highway Transportation Safety Board, we got into Firestone 
case, and we found out that in a 5-year period 99 million 
recalls, they were all voluntary on account of the private 
right of action. Not a one in 5 years of the 99 million did the 
particular governmental Federal commission direct that there be 
a recall, so we have had hard experience at this Committee 
level with respect to it.
    And the diversity, Ms. Lawler, that you find that might 
cause trouble of one jury finding one finding and a different 
jury in a different section of the country finding differently 
would be sort of confusing. It was not until the forefathers, 
they put that in in the Seventh Amendment, the Bill of Rights, 
the trial by jury, for the very reason that we wanted to 
respect that diversity.
    Senator McCain.
    Senator McCain. Thank you, Mr. Chairman. I would like to 
ask first of all, from all the members of the panel, two 
questions. How should we treat information collected online and 
offline that is merged together into one consumer data file, 
and should all identical types of information, whether 
collected online or offline, be subject to the same privacy 
restrictions? We will begin with you, Mr. Torres.
    Mr. Torres. Senator, we would love to see a comprehensive 
privacy bill passed by this Congress and signed by the 
President into law. Unfortunately, the way that privacy has 
been treated in this country has been sector by sector. We have 
looked at video records, we have looked at cable television 
viewing habits, we have the FCRA, which protects some of the 
financial information. Telephone records are also covered.
    Gramm-Leach-Bliley, while we do not necessarily agree with 
the position taken by the industry council about the 
effectiveness of the law, nonetheless that is the law on the 
books, so the way we have done information in the past, it has 
been sector by sector, so it is not surprising that we should 
treat, or that the concept is out there in this bill that we 
should treat the online sector as kind of--that we should not 
treat it at all, because we are concerned about implications in 
the offline world, and I have got three responses to that, 
really.
    We should treat it differently. It is different. It is a 
different medium. The way they collect information is 
different.
    Senator McCain. My question is, if it is merged together 
into one consumer data file.
    Mr. Torres. If it is merged together in one consumer data 
file, it should go to the stronger protections, perhaps, 
because it is the companies that choose the way they collect 
their information in either the online or the offline setting. 
It is the companies that choose to merge that data together. We 
should not fault the consumer for what the company does and say 
we cannot control this company because they choose to make this 
complicated. I do not have a choice, if I think the IRS laws 
are too complicated, because I have got a lot of complex 
financial transactions, to say, whoa, this is too complicated, 
I should not have to comply with this. It is, I choose to merge 
this information together.
    I have got full faith and confidence in this industry, that 
can find zillions of ways to slice and dice this information, 
to use it without telling the consumers what they are doing 
with it, to try to sell consumers junk products, based upon the 
information they collect from consumers, and now they cannot 
figure out how to provide the consumers notice and opt-out, and 
I mean, the companies are not prohibited from using this 
information to serve the client, for what the customer gave 
them the information to do.
    What they are not allowed to do without giving the consumer 
some level of control is to go out and sell this information.
    Senator McCain. Mr. Torres, my time is limited, and we have 
four other respondents. As much as I appreciate your knowledge 
and your passion, I thank you.
    Ms. Lawler. Let me comment about merging online and offline 
data sources by way of HP's actual practices, which are that 
that is the fact today for us, and particularly when we look at 
the different types of sources, Mr. Misener from Amazon.com 
mentioned a few. One he did not mention that is actually the 
single largest source of our customer data is our call center 
business, and that would be support call centers, or pre-sales 
call centers, where someone calls because they have a problem 
they need fixed or help with, with regard to one of their HP 
products.
    So when we talk about merging data into a single data base, 
I would actually qualify that and say, with many large, global 
companies like HP, we are not talking about merged data in a 
data base. We are talking about several, and our efforts have 
actually focused on reducing the hundreds into the several into 
the few. It will be never less than a few, given the vast and 
broad nature of our customers.
    Our perspective is, we treat them the same, when you look 
at the statements made by the FTC last fall, that the 
presumption is that the offline policies and practices are the 
same as those stated in our online privacy statement.
    Senator McCain. So then they should be subject to the same 
privacy restrictions, in your view?
    Ms. Lawler. We would be comfortable with that.
    Senator McCain. Mr. Rotenberg.
    Mr. Rotenberg. Senator, I think the obligations for 
companies operating on the Internet should apply when they 
marry that data with the offline data that is in their 
possession on the same customers. I think it is very 
important--you know, if we learned nothing else from the last 5 
years, it is clear that the privacy risks associated with the 
online world are different from those in the physical world.
    Senator McCain. Would you agree also, with the changing 
technology, that the challenges change as well?
    Mr. Rotenberg. Certainly, Senator, I agree the technology 
will evolve and the law will evolve. The good thing about this 
bill is that it follows the general principles that have been 
used in the past to protect privacy and fair information 
practices, and those principles which really relate to the 
collection and use of customer information stay pretty much the 
same even as the technology changes.
    But if I may, sir, make one other point, companies 
operating on the Internet have the benefit of an enormous 
opportunity that those in the physical world do not. They can 
track their customers moving from one web page to another. They 
can plant cookies. They can use e-mails. Some of this is very 
effective, and some of it has helped build companies like 
Amazon that today has 35 million customers, but I certainly 
think that privacy obligations carry along with those new, 
innovative business practices.
    Senator McCain. Thank you. Mr. Misener, you do not need me 
to repeat the question, do you?
    Mr. Misener. No, I do not, thank you, sir.
    Senator McCain, the same information ought to be treated 
the same. The consumer's perspective on this is fairly obvious. 
Why should they care if their privacy is violated through one 
medium as opposed to another? It ought to be treated equally. 
It seems to me there is no reason, no principled reason to 
treat them any differently, or to treat the information any 
differently.
    We have heard from a couple of the other witnesses that 
there are true differences between the online Internet medium 
and other channels of commerce. I would submit to you that 
there are, and if there are differences that warrant 
legislation specified or specifically tailored to those 
differences, that is something we ought to talk about. 
Unfortunately, the way these bills have gone, including S. 
2201, is that they treat the same kind of practices 
differently. They do not hone in on the differences.
    I would submit to you, Senator McCain, that in the offline 
world retailers know the race and the sex and the personal 
appearances of their customers. We do not. In the offline 
world, retailers know where the customers are. They can track 
them around the country. We cannot. We have no idea where they 
are physically. Those are two very serious privacy differences 
that actually favor the online world.
    If we want to talk about differences, we ought to legislate 
about----
    Senator McCain. Favor the offline world?
    Mr. Misener. Well, that privacy is better in the online 
world, and so if there are true differences here, let us talk 
about the differences and hone in on those, but where the 
collection methods and the use and the treatment of the 
information and the information itself are identical, they 
ought to be treated identically under the law.
    Senator McCain. Mr. Dugan.
    Mr. Dugan. Senator, I agree, we cannot see how you can 
treat the information differently. If you operate in two 
channels at once for the same customer you could not have two 
separate checking accounts for one person, for example. We 
think they should be treated the same. They are treated the 
same under the Gramm-Leach-Bliley privacy scheme that applies 
to financial institutions in both the offline and the online 
context, and we think that is appropriate.
    Senator McCain. But they are not under this legislation?
    Mr. Dugan. That is correct.
    Senator McCain. Thank you very much, Mr. Chairman.
    The Chairman. Thank you. Senator Burns.
    Senator Burns. I would like to ask the panel one question 
along the same lines as Senator McCain asked. Why is it we hear 
the clamor for privacy online when much or more is collected 
offline?
    Mr. Rotenberg. Senator, if I could try to answer this, I 
think it really is because the data collection practices are 
different. If you go into a store--you know, it is interesting, 
you go into a store and you purchase a product, you can pay by 
cash, and pay by credit card. There is a very good chance the 
store has no idea who you are unless you choose to sign up for 
a catalogue or have something shipped to your home, and the 
thought that walking down an aisle, or picking up a book, or 
looking at a product that you might be interested in could 
somehow be recorded is really the exception rather than the 
rule.
    The online world is very different. We know this. I mean, 
we know this because of the way the cookies operate, because of 
the http protocols. It is just much easier to follow people 
online, so when the list of Prozac people is published, that is 
the kind of problem that could only happen on the Internet.
    Ms. Lawler. Senator Burns, what I would like to add to 
that, I think it gets down to the fundamental trust 
relationship that consumers have with the organizations they do 
business with, and when you have that personal interaction, or 
you can choose that personal interaction when you walk into a 
store, or walk onto the concrete in an auto dealer, that is 
very different than when you cannot see with whom you are 
dealing. It is a nameless, faceless entity, so I think the 
perceived and real standards become higher in individuals' 
minds when they are dealing with a company that may or may not 
have a brick-and-mortar presence as well.
    Mr. Misener. If you do not mind, Senator, I would just like 
to add to that that I think part of it--and you have asked why 
is there more attention being paid to it. I think part of it is 
frankly just a carryover from what the novelty of the Internet 
is that really began five, six, seven years ago, when people were 
sitting before a computer and it is a mysterious thing. It is a 
computer, as opposed to the friendly store, or the friendly 
cards they fill out, the subscriptions I get.
    My wife and I just bought a washer and dryer, and the 
warranty registration card has labeling all over it saying, for 
your safety, fill out this and return this for your safety, and 
these are dangerous devices, and so they want to know for my 
safety what my household income is and whether or not we read 
the Bible. It is not scary when you fill out the little card in 
pencil and mail it in, right?
    But the reality is, when that card gets filled out and sent 
in, it gets entered into a huge computer data base which is 
shared, and the information is sold wherever, and in this 
instance it is far more safe to share your information with 
Amazon.com.
    Mr. Dugan. Senator, my only comment is, from a financial 
institution's perspective, they do not see much difference. 
Customers are obviously concerned about privacy, but they see 
it the same way whether it is online or offline.
    Senator Burns. I would imagine--yes, sir, Mr. Torres.
    Mr. Torres. I was just going to say, I think consumers, 
when they go online, may venture into different areas that they 
would not necessarily go to in the offline world. I mean, I 
have looked up an awful lot of, because of a family situation, 
an awful lot of medical information online. The thought that 
that is being tracked is rather frightening, whereas I might 
not necessarily go to a bookstore or to the library and look 
that up, but it is available to me, and so just where you can 
go online is quite different.
    Senator Burns. As for the second area of concern, in a 
meeting with various interest parties around about the bill the 
Committee is concerned with today, I heard a lot of alarm about 
the private right of action language. Could you comment on the 
private right of action section contained in S. 2201? Is it 
overly broad in scope, or is it too limited? Does anybody want 
to take a shot at that?
    Mr. Dugan. Sure, I will take a shot. We believe it is far 
too broad, and because financial institutions deal in sensitive 
information, it is really aimed at financial institutions, even 
though we already are subject to privacy protections and 
enforcement.
    Our regulators, for example, bank regulators can impose 
penalties of $1 million a day for violations of privacy 
violations of the Gramm-Leach-Bliley Act. We think that is 
sufficient. It is a system that works. There is no reason to 
apply a private right of action in that circumstance, and the 
provision in this bill does, as I think someone was saying 
before, you have to show some actual harm, it is true, but if 
you show any bit of actual harm, then it is a minimum $5,000 
per customer per violation, and if you have millions of 
customers, as many companies do, that is an invitation to class 
action litigation.
    Senator Burns. Let me put a footnote on this, and whether 
it is too broad or too narrow. Give me your idea on safe 
harbor.
    Mr. Rotenberg. Mr. Chairman, first of all--I am sorry, 
Senator Burns, as the Chairman explained, you need some kind of 
private right of action because otherwise all your chips 
basically sit on the FTC. I mean, that is the way the bill is 
structured, and if the FTC does not choose to take action, 
people who may have been actually aggrieved will have no place 
to turn, and so that is where this provision comes from.
    As I explained in my opening statement, I think it is too 
narrow. I think it places all the burdens of litigation without 
any of the benefits, and I cannot imagine any lawyer, unless 
kind of a bighearted person wants to do it on a pro bono basis, 
litigating on the basis of this provision, and so I gave two 
suggestions.
    One is to treat it as other privacy statutes do, which is 
to give people the opportunity to recover for cause. You can 
even cap, by the way--I mean, I understand the industry 
concern. You do not need to have sort of big, open-ended 
damages. You could have a cap on damages, or go into small 
claims court.
    On safe harbor, I think it can be made to work, but 
enforcement is key, because you have to understand that is 
another hurdle, another sort of black hole where, you know, we 
can lose track of what is actually happening and whether there 
is enforcement of the good provisions in the bill.
    Mr. Torres. Senator, we would be very skeptical of a safe 
harbor unless it was properly structured in such a way that it 
was not such a harsh hurdle to overcome, and also have some 
kind of teeth to it so that the standards were at least 
equivalent.
    And to the private right of action, it is just--I mean, the 
thought that--we cannot even get--let me put it this way. I 
work on a lot of different financial and banking issues. We 
cannot get the bank regulators to go after predatory lenders. 
The thought that they would go after a bank to seek a $1 
million penalty for a privacy violation, I just do not see that 
happening.
    I mean, we talk a lot about accountability and 
responsibility. You know, we are about to pass a bankruptcy 
bill that is going to sock it to consumers, and hold them 
accountable and responsible. Why can't we ask for that same 
type of standard of industry? If they are so concerned about 
privacy, they are so concerned about doing the right thing, and 
they say that they are, why don't they stand up and say, OK, 
and the private right of action here, the hurdles are high. If 
anything, it is narrow, but perhaps it does strike the right 
balance, because to use it, it has got to be a real bad thing 
for a consumer to use it, so in a way it is self-limiting, and 
may be the right approach.
    Mr. Misener. Just very quickly, Senator, there are two 
competing consumer interests here. Consumer interest one is 
enforcement. They want to ensure that if there is a law on the 
books that it is enforceable. If it has no teeth, then it is 
not useful.
    On the other hand, consumers also want clear, readable 
notice given to them. We have these two competing things. One 
is, companies will try to protect themselves against lawsuits 
by making the privacy policy extraordinarily long, detailed, 
legalistic, unreadable. On the other hand, they want to provide 
their consumers and their customers something that is useful to 
them, something that actually they will read and understand. 
These kinds of things are competing interests that an agency 
like the FTC could take into account.
    Yes, it may not have been entirely, precisely, legally 
correct, but it was trying to communicate to consumers what 
they were really doing. A class action attorney will have no 
such balancing desire. He will focus in on the legal precision 
only, and not care whether or not it was readable.
    Senator Burns. Ms. Lawler.
    Ms. Lawler. Thank you. With regard to the safe harbor, we 
think there is an excellent place for that in the overall 
enforcement scheme, and I would comment in particular on our 
involvement in the BBB online privacy seal program, which also 
meets the first line of enforcement requirement for the safe 
harbor self-certification. We think that takes a good place in 
that regard.
    With regard to the private right of action, some of my 
concerns would be a little bit on the opposite side of the 
class action suits, and based on observations we have made very 
recently in the industry and with some of our colleagues, that 
you have similar to what is happening with many of the State 
anti-spam laws, which are the spambulance chasers, where 
individuals----
    Senator Burns. Do not get started on spam.
    [Laughter.]
    Ms. Lawler. In any event, what we see is not attorneys 
getting involved looking for large, deep pockets, but 
individuals perhaps turning their own interpretation of the law 
on its side in an effort merely to gain some additional income.
    Senator Burns. Thank you.
    The Chairman. Senator Wyden.
    Senator Wyden. Thank you, and I thank all of our panel. As 
you know, millions of the privacy notices that get mailed out 
today, particularly the ones in Gramm-Leach-Bliley just end up 
in the trash can. They literally show up at the house and into 
the trash they go, and these notices are particularly 
important, because this is something that empowers consumers, 
and they get a sense of what it is the companies are collecting 
about them, and for the life of me I cannot figure out why it 
is not possible to come up with a short, understandable notice 
and format, so as to give consumers these basic protections.
    I would be curious what would be wrong, in the judgment of 
this panel, with using something along the lines of what is 
done for nutritional labeling. This is an effort, it is a 
requirement, it is done the same way on all food products, 
consumers grow familiar with it, they know to look for it, it 
is truly a useful tool, and I have got to think that there is 
enough ingenuity at this table to come up, working on a 
bipartisan basis with the Chairman and Senator McCain, to come 
up with something like this that would be helpful to the 
public. Maybe we could just start with Mr. Dugan, and I have 
got a few questions for this panel.
    Mr. Dugan. Senator, you raise a good point. In the Gramm-
Leach-Bliley Act, financial institutions have been frustrated 
by the fact that in many cases, although they have gone to 
tremendous time and expense to prepare the notices, as required 
by the law and the regulations, that they have been perceived 
as too complicated and too legalistic, and the problem is 
exactly what Paul was talking about earlier, that in order to 
comply with the detailed requirements of the privacy 
regulations, in order to avoid legal liability, there is a real 
fear that if you get simpler you can expose yourself.
    Nevertheless, in the wake of what happened with the first 
round of Gramm-Leach-Bliley notices, I think there was a lot of 
education that occurred both with respect to companies and with 
respect to agencies. It is why the FTC had a big interagency 
privacy short notice conference in December. It has prompted an 
effort by the industry to come up and look at precisely the 
kinds of short notices that you are talking about, but I have 
to tell you--and I think that is going to make progress. I 
think we are going to produce something over time, but I have 
to tell you that is something that takes some care to do right 
and do in a way that does not expose you to liability.
    It took a long time to come up with a food labeling notice 
that was acceptable to the parties involved and to the 
Government. I think it is very much a worthwhile endeavor and 
very much a good point, and it is something we do need to work 
on in the privacy context.
    Senator Wyden. Are the rest of you comfortable with looking 
at the nutritional labeling concept just as a model? Obviously, 
food is different than technology, but this sector has so much 
expertise it ought to be possible to do something, other than 
in effect put all of this mail in the trash can, and that is 
what is happening today.
    Mr. Misener. Senator, we would certainly be happy to look 
into that sort of thing. We want to be able to communicate as 
clearly as possible to our customers. I will say that the clear 
effect of having a private right of action in a bill like this 
would be to move it the other direction. It would become less 
clear, much more complicated, much more legalistic, much 
longer.
    Ms. Lawler. Let me just add that HP would enjoy very much 
being a part of this discussion. We actually have some best 
practices that we could bring to the table that we are 
currently providing in many of our online places for data 
collection. There is definitely a balance between providing the 
right level of specificity so that you do not open yourselves 
up unnecessarily to legal exposure, but I think the overriding 
principle is definitely clear, simple, informed notice for 
consumers, and I think along with that, though, is the 
importance of real, sincere, earnest consumer education on 
those standards in the labeling that I think are the fair 
information practices we are talking about.
    Senator Wyden. Let me turn now to you, Mr. Misener, with 
respect to industry's position on why it is important to have a 
law. You all are the No. 1 retailer in this field. I mean, it 
seems to me that if there is an EXXON VALDEZ of privacy, as I 
have come to describe it, this just shatters consumer 
confidence. This makes people stay away from the kinds of 
initiatives your company is built on.
    I do not see how all of these voluntary efforts--and I 
think they are good, and P3P, for example, is very good, I 
do not see how they are going to control the bad apples, and I 
think that is why it is important to have one sensible Federal 
initiative in this area, and why we spent a lot of time, as you 
know, working with you, Senator Burns and I and Chairman 
Hollings, to try to get it done right, but aren't the stakes 
enormous if nothing is done here, and some of those bad apples 
shatter consumer confidence?
    Mr. Misener. Thank you, Senator, and you have been 
consistent in this position for many years, and we certainly 
appreciate that. If we thought that it would be in the best 
interest of our customers and company to have a bill like this 
adopted, we would be here lobbying for it.
    Senator Wyden. But just talk about the concept. Understand, 
I am not a sponsor of a bill right now. I am interested in 
working with the Chairman and people like yourself to get 
something done that addresses this, so just talk conceptually 
about what happens if the bad apples----
    Mr. Misener. Conceptually, the bill would do nothing to 
prevent the next EXXON VALDEZ of privacy, would do nothing to 
get at the bad actors. It would do everything to expose the 
good guys to litigation.
    The little guys who are potentially the bad actors who are 
not doing well in the market because they are bad actors will 
not be the targets of litigation. They do not have any pockets. 
The litigators will go after the big names. They will go after 
my company and other household names. We see no additional 
benefit to our customers, either existing or future customers, 
in having that ability.
    Just to sort of pile on, on top of it, Senator, we have 
really eschewed the term self-regulation. You will never hear 
me use that because it implies some sort of altruism on behalf 
of consumers, that companies are going to regulate themselves 
out of the goodness of their hearts. The reality is, is that 
companies will lose business. They will lose their existing 
customers, they will not gain new customers if they do not have 
the privacy protections that consumers want, and so this is a 
market-regulating thing. Just as much as the prices of our 
products are market regulators, so are the levels of privacy 
protections we provide.
    Senator Wyden. Well, again, I am open with respect to the 
details here, and that is why I have not signed on to the 
legislation, but I will tell you, with respect to the key 
concepts here like preemption, if there are these horrendous 
incidents where people's medical records, for example, get out, 
preemption has gone. Industry will not get something that they 
feel very strongly about. You will have 50 States off to the 
races, and the whole matter of preemption will be gone, and so 
we hope you will work with us so we can get it done right, and 
that is one of the reasons why I am not a sponsor of the 
legislation today, and I am anxious to work with all of you on 
it.
    A question for you, if I could, Mr. Torres, on the safe 
harbor, because again, this goes right to the heart of how we 
are going to bring together folks in the consumer movement who 
I have worked with for many years, and people in industry. I 
think with so many e-commerce companies hurting right now, 
really struggling, it is understandable why they are nervous 
about possible exposure under a new privacy statute.
    How far are you all willing to go to provide this safe 
harbor kind of concept so that there is a clear path to 
certainty and safety for companies that we end up rewarding the 
self-regulatory efforts that are responsible? How far are you 
all willing to go in terms of meeting industry halfway on the 
safe harbor idea?
    Mr. Torres. Well, Senator, considering how far we have come 
on this legislation, to go a little bit farther and talk about 
how to structure a safe harbor, we would certainly be open to 
that as a way of recognizing the efforts of some of the better 
companies out there who have responded to consumer privacy 
concerns.
    Senator Wyden. One last question, maybe for either of the 
industry representatives, and Mr. Rotenberg, maybe we could get 
you into this one.
    With respect to access, this, too, is going to be an 
important issue if we are going to get a meaningful piece of 
legislation. Access is what makes consumers feel secure. They 
know that they can get to this critical information. Where is 
the common ground between industry and consumers with respect 
to access rights?
    Why don't, Mr. Rotenberg, you and Mr. Misener take this one 
on?
    Mr. Rotenberg. Thank you, Senator. Actually, having been a 
customer of Amazon, I can say that in many ways Amazon has been 
a leader in trying to provide their customers with a very 
extensive display of the personal information that the company 
has acquired, and it is an important way to establish trust and 
confidence for the company to disclose to its customers the 
information that it has on them.
    It is really--without access, we are left only with the 
notices, which are largely like disclaimers. The problems, I 
think, arise in other circumstances with companies that have 
not developed this practice that basically say, as this bill 
seems to suggest, we will give you the information about you 
that you have already provided to us, and that is not enough, I 
think, for most consumers to understand what types of profiles 
are being built, what kind of data is being linked, what other 
information is informing the company in its decisionmaking with 
the consumers, and so it is really over in that category of 
information that I think there is also an interest of access.
    Mr. Misener. Thank you, Senator. Certainly, access is very 
important. As Mr. Rotenberg points out, Amazon.com has really 
attempted to provide it as best as possible. I think perhaps 
the bigger question here is, given that only 1 percent of 
consumer transactions are consummated online, what about the 
other 99 percent, no access at all? Is that the result here?
    I would think a question to some consumer groups might be, 
why fight so hard for this 1 percent and leave aside the other 
99?
    Senator Wyden. My time has expired. I would only say to 
this panel I think you all, and the cross-section of people 
that the Chairman has at this table, you all may have the clout 
to kill Federal legislation this year. I think that that would 
be a big mistake. I think it would be a big mistake because a 
lot of consumers in this country would get hurt, and I think it 
would be a huge mistake for industry.
    As you know, I am the principal sponsor of the Internet tax 
freedom bill to promote commerce online. You have these privacy 
problems, and you undo a lot of what we have achieved with the 
Internet tax freedom bill, so what I have told the Chairman is, 
I am going to work very closely with him, because I think it is 
time to get moving, folks.
    I think it is time to get a bill passed, and there are 
areas such as the one I have talked about with respect to the 
notice provision where, instead of putting all the stuff in the 
trash cans of America the way we are doing today, under the 
various requirements of today, we can do something that is 
constructive by looking at models like nutritional labeling, 
and so I hope you will work with all of us. I am going to work 
with the Chairman and Senator McCain, because I think it is 
time to get going and pass a law, and I thank you, Mr. 
Chairman.
    The Chairman. Thank you, Senator. I enjoyed your 
observation, because let us assume the bill is killed and 
nothing happens, do not worry about it, the States are going to 
legislate.
    This crowd--I sort of resent polls, and pollster 
politicians. For 25 years I never did see one, and now I have 
got to look at them now, because the people do not pay 
attention until the very end of the campaign, and so that is 
where you have got to put your money and your TV, but the 
bankers are not going to get by, and the insurance companies, 
and the securities. They are going to legislate for you.
    And so the reason we are moving now is because the 
politicians all up here, as much as they dislike private rights 
of action and whoopee, let's get all the lawyers and everything 
else like that, they even see now that this is the No. 1 issue 
on every poll that every one of these Senators are taking, and 
that is why we are able to finally move, after 7 years.
    I can tell you--and I do not mind putting in a bill for the 
offline the same as the online. I can tell you, 7 years, that 
will wait 70 years. That is not going anywhere. I can tell you 
myself. I used to represent a 123 chain supermarket, and I can 
see that notice sticking up in the doorway as you come in about 
how they are going to use the information about what you are 
buying and sell it around. That poor store would close in the 
next week. They would lose all their business. People would be 
scared.
    Everybody is interested in privacy offline, online, 
offline, online, we all know that, but it has gotten to be such 
a problem and can be managed and will be managed either by the 
States or the Federal Government, and we here at the Federal 
level cannot let the perfect be the enemy of the good. I mean, 
if we wait around, and continue to wait around, we will never 
get anything done.
    So you folks have brought into focus some real concerns 
about this particular bill. These have been very valuable 
presentations here today. The Committee is indebted to you, and 
we will proceed from this point on. We thank you very, very 
much.
    The Committee will be in recess, subject to the call of the 
chair.
    [Whereupon, at 11:55 a.m., the Committee adjourned.]

                            A P P E N D I X

      Prepared Statement of Hon. John F. Kerry, U.S. Senator from 
                             Massachusetts

    Mr. Chairman, thank you for holding this hearing. This is a 
continuation of a process that began in the previous Congress to 
develop Internet privacy legislation. We are now very near to a bill 
that empowers consumers to have confidence in the security of the 
Internet and will allow the Web to continue to grow as an engine of 
commerce.
    I think we are getting very close to achieving that balance. The 
Chairman has introduced a bill that I am proud to co-sponsor. It is 
strongly pro-consumer. Its basic premise is that if consumers give 
their private information out over the Internet, it should be used only 
for the reason it was given, unless the consumer decides otherwise.
    For the first time, we have legislation that creates two separate 
tracks for personal information--non-sensitive and sensitive. As I have 
said before, I believe that consumers have different expectations for 
privacy with respect to their shopping habits or hobbies than they do 
their medical information or financial information about their religion 
or sexual orientation.
    And, accordingly, the bill allows operators to collect nonsensitive 
information unless a user decides he or she does not want to permit 
such an action. Sensitive information is assumed to be private, unless 
a user allows the operator or service provider to collect that 
information.
    One of the most important elements of the bill is that it requires 
operators to provide ``clear and conspicuous'' notice about the 
collection of personal information. Many well-known websites already do 
this, much to their credit. However, many online service providers do 
not have clear, easy-to-understand privacy policies. I believe that 
requiring this robust notice is a ``must'' for any privacy legislation. 
This bill meets that requirement.
    Another critical requirement of privacy legislation met by this 
bill is that it ensures that web site operators and service providers 
must meet only one standard of privacy. The bill preempts state laws, 
so that operators are not faced with the cumbersome responsibility of 
having 51 different privacy notices and 51 different ways for a user to 
opt-in or opt-out, depending on their residency.
    Finally, let me add that technology has an important role to play 
in this debate. Obviously, if I believed technology held all the 
answers to guaranteeing Internet privacy, I would not be supporting the 
Chairman's bill. However, it can help Internet users feel comfortable 
browsing, shopping and doing research--be it academic or consumer 
research. The Platform for Privacy Preferences, which I understand 
Microsoft has recently made available to its consumers, holds great 
promise in helping consumers determine what sites they can trust and 
which they are not comfortable with.
    Mr. Chairman, today's hearing represents another step in the long 
march to enacting sound Internet privacy policy. As we go forward on 
this bill there will undoubtedly be some changes and some further 
improvements. I stand ready to work with both you and the witnesses, as 
well as other interested parties to help in that process.
                                 ______
                                 
                  Association of National Advertisers, Inc.
                                                     April 25, 2002
Hon. Ernest F. Hollings,
Chairman,
Commerce, Science, and Transportation Committee,
Washington, DC.

Dear Mr. Chairman:

    On behalf of the Association of National Advertisers (ANA), I am 
writing to submit these comments and questions about S. 2201, the 
``Online Personal Privacy Act.'' I would like to request that these 
comments be included in the official hearing record.
    ANA is the advertising industry's oldest trade association and the 
only group dedicated exclusively to enhancing the ability and 
protecting the rights of companies to market their products and 
services on a national and regional basis. Our members are a cross-
section of American industry, consisting of manufacturers, retailers 
and service providers. Representing more than 8,000 separate 
advertising entities, our member companies market a wide array of 
products and services to consumers and other businesses. Many of our 
members are actively engaged in e-commerce.
    Privacy protection is a critical issue for both consumers and 
marketers. The future of the Internet and the future of target 
marketing, which provides the economic foundation for economic 
efficiency and support for the marketplace of ideas, all depend on our 
finding a solution to the legitimate privacy concerns of consumers. 
Marketers understand that the full potential of the Internet will never 
be reached unless consumers feel secure in the online environment.
    S. 2201 contains some positive features, such as federal preemption 
of state laws. It is a more sophisticated proposal than earlier 
legislation, recognizing that all information collected online is not 
created equal. However, we have several significant concerns about the 
bill:

         (1) ANA strongly opposes the access and security provisions of 
        the bill and the private right of action for consumers. These 
        provisions would expose commercial websites to tremendous 
        potential liability and class action lawsuits, and in our view, 
        are unreasonable.

         (2) S. 2201 would attempt to regulate the entire universe of 
        online commercial activity and conflict with numerous privacy 
        laws already on the books.

         (3) The bill would impose massive new costs and major new 
        burdens on every business that operates online.

         (4) Mandating the use of a sweeping opt-in approach for all 
        sensitive information raises serious First Amendment concerns.

         (5) The bill would result in a barrage of notice disclosures 
        that would be counterproductive for consumers and businesses.

    ANA does not believe that broad new federal privacy legislation is 
necessary. No government or combination of governments has the 
resources to police all of cyberspace effectively. We believe that 
consumers can be best protected through a combination of existing 
privacy laws and regulations, privacy enhancing technology, effective 
self-regulation and the backstop of the FTC's current powers to stop 
false, deceptive or unfair acts or practices.

The Business Community has Responded to Consumer Concerns
    ANA believes that the findings in the bill do not adequately 
recognize the efforts that the business community has made to protect 
privacy, or the legal enforceability of those steps.
    Almost every major commercial website has adopted and posted 
privacy policies to tell consumers how they collect and use 
information. The private sector has developed three major seal programs 
(BBBOnline, TRUSTe and CPA Webtrust) to assure consumers that websites 
are in fact carrying out their online privacy policies. New 
technologies from ``cookie cutters'' to P3P, the Platform for Privacy 
Preferences, are providing consumers with the tools they need to 
protect their privacy. While more remains to be done, we believe the 
online community has made substantial progress.
    The most recent ``privacy sweep'' shows continued industry 
progress. That survey of the most popular websites was released in 
March by the Progress and Freedom Foundation (PFF) and is available at 
their website at www.pff.org.
    The survey was conducted by Ernst & Young, based on the methodology 
of the most recent FTC survey. The key findings of the survey are: (1) 
websites are collecting less information; (2) privacy notices are more 
prevalent, more prominent and more complete; and (3) consumers have 
more opportunities to choose how personally identifiable information is 
used. Virtually all of the most popular websites surveyed had privacy 
notices, while 90% of the random sample of websites posted privacy 
notices. Self-regulation already has gone a long way and continues to 
be strengthened every day.

FTC Already has Legal Authority to Enforce Privacy Promises
    Last October, FTC Chairman Timothy Muris announced a major new 
privacy agenda for the Commission, including greatly increased 
resources, more consumer outreach and education and new enforcement 
initiatives. At that time, the Chairman stated that the Commission did 
not need new legislation to protect consumer privacy. We share the 
Chairman's conclusion that a more vigorous federal cop on the beat, 
combined with the various efforts of the private sector, can provide 
consumers with the best protection of their privacy in our new economy.
    Once a company posts a privacy policy, the FTC has jurisdiction to 
go after the website if it does not live up to the privacy promises 
made. The FTC has brought a number of enforcement cases based on this 
authority. Thus, the statement in the findings of S. 2201 that current 
law provides only ``minimal'' protections is inaccurate.

The Scope of the Proposed Legislation is Very Broad
    As you know, the United States has historically taken a sectoral 
approach to privacy regulation, adopting specific rules to apply to a 
specific industry and specific perceived problems. As a result, there 
are more than ten separate federal regulatory privacy regimes, 
including the Children's Online Privacy Protection Act, the Cable 
Communications Policy Act, the Telephone Consumer Protection Act, the 
Video Privacy Protection Act, the Gramm-Leach-Bliley (GLB) Act, the 
Fair Credit Reporting Act, and the Health Insurance Portability and 
Accountability Act, to name just a few.
    S. 2201 would seem to regulate the entire universe of online 
commercial activity. How would the bill relate to all of the other 
privacy laws already on the books, such as GLB and the health privacy 
rules? Would companies in those industries be subject to yet another 
inconsistent privacy regime?
    The answer appears to be yes. Under GLB, financial service firms 
are not required to get consumer consent through opt-in before sharing 
information with affiliates and subsidiaries. GLB adopts an opt-out 
approach for this information and this was one of the most contentious 
issues in the GLB debate. Yet S. 2201 would require an opt-in approach 
for any collection, use or transfer of sensitive financial information, 
whether to affiliates or any other group.
    One fundamental question that Congress must address is what is the 
harm that the legislation is seeking to address. Consumers have a 
legitimate concern about how health or financial information about them 
might be used by someone else. Thus we have the GLB and health privacy 
laws and regulations to address those specific concerns and potential 
harms.
    S. 2201 would regulate every part of the online economy, including 
information about how many shirts someone orders from a retailer and 
what color, size and price they were. What is the potential harm that 
can come to a consumer from the use or transfer of that type of general 
commercial information? Does that potential harm justify a sweeping new 
privacy regime that imposes costs and burdens on every business in 
America that uses the Internet?
    ANA believes it is critical to determine how S. 2201 would be 
harmonized with all the existing federal privacy laws. A major 
diversified business could easily find itself subject to multiple and 
conflicting requirements and definitions. Conflicting definitions and 
standards on when a consumer may opt-out of the transfer of information 
to another entity would be very confusing to consumers and could have a 
chilling effect on their willingness to permit information to be shared 
in the marketplace. As discussed below, there is substantial economic 
evidence that such a result could impose multibillion dollars of costs 
on various industry sectors.

ANA Supports Uniform, Federal Enforcement of Privacy Laws
    If broad privacy legislation is passed by the Congress, then 
federal preemption should be a key part of the package. The Internet is 
the first truly global medium and we must be very careful not to allow 
Internet privacy regulation to become Balkanized through multiple, 
inconsistent state laws. Therefore, we support language that clearly 
preempts state law or regulations on the collection, use or disclosure 
of personally identifiable information obtained through the Internet.
    However, the preemption provision in S. 2201 may not actually go 
far enough. Many of the other federal privacy laws, such as GLB, 
allowed states to go beyond federal law and adopt their own state laws. 
It is not clear that the preemption provision in S. 2201 would have any 
impact on any of these state laws already on the books.

Access and Security Provisions are Unreasonable
    ANA is also concerned about the provisions of the bill that would 
require that consumers receive access to all information held about 
them by a company. This could be a very costly process for a major 
global marketer with multiple divisions and subsidiaries. If a packaged 
goods company has 40 different websites for each of their branded 
products, are they treated as separate entities for purposes of the 
access requirement? If not, the access provision may require the 
corporate parent to pull together the disparate information held by 
various subsidiaries to create a dossier on a consumer. This, in turn, 
raises new security concerns about the ability of hackers or other 
unauthorized persons to gain access to this newly created profile.
    These issues are very challenging and complex. Several years ago, 
the FTC created an Advisory Committee on Online Access and Security 
(ACOAS). After months of serious consideration, neither the FTC nor the 
advisory committee were able to establish clear standards on how to 
implement these policies.
    Everyone agrees on the concepts of access and security, but these 
issues are the true Gordian Knot of privacy. Providing consumers with 
broad access to information, without adequate protections, poses 
potential severe security risks. Overly stringent security precautions 
can make access very difficult.
    How is the access to be provided? Online or offline? How was the $3 
fee for providing a consumer access determined? It seems very low in 
regard to potential collection costs for companies with multiple 
subsidiaries or disparate databases. Does the committee have any 
economic evidence of what the actual costs might be for companies to 
provide access? Without this type of data, it would be dangerous to 
impose this type of maximum fee. Furthermore, even if the fee could be 
justified today, can the Congress really assess what would be 
reasonable fees into the future? A more flexible approach should be 
developed.
    Not all information is created equal. A consumer may have a greater 
interest in access to sensitive information that a website has 
collected. Is giving a consumer access to all general marketing 
information collected about him so important as to justify the cost and 
burden to companies to provide this access? Are these costs justified 
in light of potential increased security risks?

Private Right of Action is Unreasonable
    We strongly oppose the provisions of the bill that would provide 
consumers with a private right of action to sue websites that somehow 
violate the privacy regime.
    By creating a damage award of at least $5,000 per plaintiff, the 
bill would put popular websites at risk for large class action 
lawsuits. Companies would be forced to spend substantial amounts even 
to defend frivolous claims.
    Under section 203 of the bill, upon a showing of actual harm, a 
consumer is allowed to recover the GREATER of the actual monetary loss 
from the violation, or $5,000. Assume you had a group of 1,000 
consumers who allege that a website has failed to provide reasonable 
access to sensitive data and a court determined that the actual 
monetary loss from the violation was $3 per consumer. Under S. 2201, 
the total award for this case would not be $3,000 (1,000 consumers X $3 
per consumer), but rather would be $5 million (1,000 consumers X $5,000 
per consumer). This would essentially be a punitive damages model that 
would strongly encourage litigation even if any actual harm were 
minimal.
    This potential risk could be devastating for many online companies, 
which often begin as start-up firms or small family businesses. The 
risk would be very significant even for major multinational firms.

The Opt-In Requirement is Unworkable
    Mandating the use of an opt-in approach for the collection and use 
of all sensitive PII would add tremendous costs and raises serious 
First Amendment concerns.
    ANA is a member of the Privacy Leadership Initiative (PLI). PLI has 
carried out a number of economic studies to determine the value of 
information transfer in our economy and the potential costs of an opt-
in regulatory regime. In the financial arena, a number of studies 
demonstrate multi-billion dollar annual savings from accurate credit 
reporting and the avoidance of fraud due to the collection of data and 
data access. In the apparel sales area alone, it was demonstrated that 
if catalog sellers were unable to use routine data that they collect 
from customers and obtain third party data, they would have to raise 
their prices by more than $1.4 billion annually. These studies are 
available at the PLI website, www.understandingprivacy.org.
    The PLI studies show that gaining affirmative consent under an opt-
in system from consumers is a very difficult and expensive process. For 
example, US West recently conducted an affirmative consent trial using 
both call centers and direct mail. Outbound telemarketing calls 
obtained an opt-in rate of 29% of residential subscribers at a cost of 
$20.66 per positive response. Direct mail was much less successful, 
obtaining a positive response rate between 5% and 11% and costing 
between $29.32 and $34.32 per positive response. US West concluded that 
opt-in was not a viable approach because it was too difficult, too time 
intensive and too costly.
    Therefore, the cost implications of this legislation could be very 
substantial.
    An opt-in requirement, however, implicates issues that go far 
beyond cost and economic efficiency. Some courts and legal scholars 
believe that it raises serious First Amendment issues. In 1999 in U.S. 
West v. Federal Communications Commission, 182 F.3d 1224, the 10th 
Circuit Court of Appeals held that the government must carry out a 
careful calculation of costs and benefits associated with burdens on 
speech imposed by an opt-in rule. In that case, the court struck down 
an FCC rule that contained an opt-in requirement, concluding that the 
rule violated the First Amendment.
    These First Amendment considerations must be carefully analyzed 
before a broad opt-in approach is adopted, or the government will not 
meet the requirements laid out by the Supreme Court for the protection 
of commercial speech.

Balkanization of Information
    S. 2201 treats information collected online differently than 
information collected by other means, such as by telephone, direct mail 
or fax. Since many businesses provide services to their customers both 
online and offline, this will mean that information will have to be 
identified and handled based on how it was received. This requirement 
will create major incentives to balkanize information about consumers, 
which will result in significant increased costs with little added 
benefit for the consumer.
    Merging offline data with online data appears to trigger the 
massive regulatory regime of this legislation. This could create 
incentives for inefficient information practices, as companies seek to 
avoid the massive liability they could face under the private right of 
action provisions of the legislation.
    S. 2201 would create numerous classes of information that are 
subject to special and differential treatment. This is in addition to 
the different classes of information established by the privacy 
provisions of GLB and the Fair Credit Reporting Act. This ever-
increasing Balkanization of information databases is both costly and 
inefficient.

Barrage of Notice Disclosures
    S. 2201 requires special notice disclosures that differ from the 
notice requirements of GLB and other federal privacy laws. It may not 
be possible to satisfy all of these various notice requirements in a 
single notice. Further, any resulting notices are likely to be complex 
and confusing to consumers.
    Notice requirements are tied to ``material'' changes in a company's 
current practices, rather than to the information provided in a prior 
notice. Thus, even if a company disclosed a prospective practice in its 
privacy notice, the company would still need to provide a new notice 
when it actually changes its policies. This will lead to a barrage of 
notices as new notices are provided in response to relatively minor 
changes in information practices.
    Section 102(d) of the bill states that a website must provide 
``robust notice'' at its ``first collection of non-sensitive personally 
identifiable information from that user.'' However, the section then 
goes on to provide that ``a subsequent collection of additional or 
materially different non-sensitive personally identifiable information 
from that user shall be treated as a first collection.'' It thus seems 
that ``robust notice'' must be provided at every point where 
``additional'' non-sensitive PII is collected. This would lead to 
massive and repetitive disclosure regimes proliferated across the 
Internet and every business sector, regardless of cost effectiveness.

Sweeping Government Regulation Does Not Guarantee Privacy Protection
    The adoption of sweeping government regulation is no guarantee that 
consumer privacy will actually be better protected. Europe offers a 
good example. Although their privacy laws are generally considered more 
restrictive and comprehensive than those in this country, a January 
2001 study by Consumers International indicated that European sites 
appear often to be actually less effective in protecting personal 
privacy than American websites. For example, the study found that 
despite all the rules, 60 percent of European sites lack a privacy 
policy; only 9 percent of the European sites ask the consumer for 
permission to sell information about them. Indeed, the study found that 
U.S.-based sites tended to set higher standards for privacy policies. 
Consumers International, Privacy@net: An International Comparative 
Study of Consumer Privacy on the Internet, (January 2001).
    In fact, Professor Fred Cate of the University of Indiana School of 
Law has argued that the more restrictive European privacy laws also 
have failed to quell consumer fears. Despite wide differences in our 
legal and regulatory approach, polls on consumer privacy concerns show 
nearly identical results in the U.S. and Europe. For example, Professor 
Cate cites a Lou Harris & Associates poll in 1999 that found that U.S. 
and German consumers surveyed demonstrated virtually identical fears 
about privacy on the Internet. See: IBM Multi-National Consumer Privacy 
Survey (1999). Therefore, any claims that broad privacy legislation 
mirroring the European model will drastically diminish public anxiety 
about privacy and generate dramatic increases in online commercial 
activity do not seem to be founded on solid research. Nor can they 
provide the justification for such comprehensive and restrictive 
legislation as S. 2201.

Conclusion
    Privacy gives rise to very complex issues and no one, in industry 
or government, has all of the answers. We believe the business 
community is actively working to address the legitimate privacy 
concerns of consumers.
    The online business community has faced tremendous economic 
challenges in the last year, as companies continue to try to develop 
profitable business models. Most of the survivors began as small 
businesses and start-up firms.
    S. 2201 is well intended and there are several improvements over 
earlier proposals. However, ANA believes this bill would impose 
tremendous new costs and unreasonable burdens on companies of all 
sizes, and therefore should be rejected.
    We appreciate your sincere concerns about consumer privacy and look 
forward to continuing to work with you and your staff on these critical 
issues.
        Sincerely,
                                           Daniel L. Jaffe,
                                           Executive Vice President

                                  
