[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]








                    EXPLORING THE OFFLINE AND ONLINE
                     COLLECTION AND USE OF CONSUMER
                              INFORMATION

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                    SUBCOMMITTEE ON COMMERCE, TRADE,
                        AND CONSUMER PROTECTION

                                AND THE

      SUBCOMMITTEE ON COMMUNICATIONS, TECHNOLOGY, AND THE INTERNET

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                           NOVEMBER 19, 2009

                               __________

                           Serial No. 111-83











      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov
                                _____

                  U.S. GOVERNMENT PRINTING OFFICE

74-854                    WASHINGTON : 2012







                    COMMITTEE ON ENERGY AND COMMERCE

                 HENRY A. WAXMAN, California, Chairman

JOHN D. DINGELL, Michigan            JOE BARTON, Texas
  Chairman Emeritus                    Ranking Member
EDWARD J. MARKEY, Massachusetts      RALPH M. HALL, Texas
RICK BOUCHER, Virginia               FRED UPTON, Michigan
FRANK PALLONE, Jr., New Jersey       CLIFF STEARNS, Florida
BART GORDON, Tennessee               NATHAN DEAL, Georgia
BOBBY L. RUSH, Illinois              ED WHITFIELD, Kentucky
ANNA G. ESHOO, California            JOHN SHIMKUS, Illinois
BART STUPAK, Michigan                JOHN B. SHADEGG, Arizona
ELIOT L. ENGEL, New York             ROY BLUNT, Missouri
GENE GREEN, Texas                    STEVE BUYER, Indiana
DIANA DeGETTE, Colorado              GEORGE RADANOVICH, California
  Vice Chairman                      JOSEPH R. PITTS, Pennsylvania
LOIS CAPPS, California               MARY BONO MACK, California
MICHAEL F. DOYLE, Pennsylvania       GREG WALDEN, Oregon
JANE HARMAN, California              LEE TERRY, Nebraska
TOM ALLEN, Maine                     MIKE ROGERS, Michigan
JANICE D. SCHAKOWSKY, Illinois       SUE WILKINS MYRICK, North Carolina
HILDA L. SOLIS, California           JOHN SULLIVAN, Oklahoma
CHARLES A. GONZALEZ, Texas           TIM MURPHY, Pennsylvania
JAY INSLEE, Washington               MICHAEL C. BURGESS, Texas
TAMMY BALDWIN, Wisconsin             MARSHA BLACKBURN, Tennessee
MIKE ROSS, Arkansas                  PHIL GINGREY, Georgia
ANTHONY D. WEINER, New York          STEVE SCALISE, Louisiana
JIM MATHESON, Utah                   PARKER GRIFFITH, Alabama
G.K. BUTTERFIELD, North Carolina     ROBERT E. LATTA, Ohio
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin 
Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
CHRISTOPHER S. MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
BETTY SUTTON, Ohio
BRUCE L. BRALEY, Iowa
PETER WELCH, Vermont

        Subcommittee on Commerce, Trade, and Consumer Protection

                        BOBBY L. RUSH, Illinois
                                  Chairman
JANICE D. SCHAKOWSKY, Illinois       CLIFF STEARNS, Florida
    Vice Chair                            Ranking Member
JOHN SARBANES, Maryland              RALPH M. HALL, Texas
BETTY SUTTON, Ohio                   ED WHITFIELD, Kentucky
FRANK PALLONE, Jr., New Jersey       GEORGE RADANOVICH, California
BART GORDON, Tennessee               JOSEPH R. PITTS, Pennsylvania
BART STUPAK, Michigan                MARY BONO MACK, California
GENE GREEN, Texas                    LEE TERRY, Nebraska
CHARLES A. GONZALEZ, Texas           MIKE ROGERS, Michigan
ANTHONY D. WEINER, New York          SUE WILKINS MYRICK, North Carolina
JIM MATHESON, Utah                   MICHAEL C. BURGESS, Texas
G.K. BUTTERFIELD, North Carolina
JOHN BARROW, Georgia
DORIS O. MATSUI, California
KATHY CASTOR, Florida
ZACHARY T. SPACE, Ohio
BRUCE L. BRALEY, Iowa
DIANA DeGETTE, Colorado
JOHN D. DINGELL, Michigan (ex 
    officio)
                                 ------                                

      Subcommittee on Communications, Technology, and the Internet

                         RICK BOUCHER, Virginia
                                 Chairman
EDWARD J. MARKEY, Massachusetts      FRED UPTON, Michigan
BART GORDON, Tennessee                 Ranking Member
BOBBY L. RUSH, Illinois              CLIFF STEARNS, Florida
ANNA G. ESHOO, California            NATHAN DEAL, Georgia
BART STUPAK, Michigan                BARBARA CUBIN, Wyoming
DIANA DeGETTE, Colorado              JOHN SHIMKUS, Illinois
MICHAEL F. DOYLE, Pennsylvania       GEORGE RADANOVICH, California
JAY INSLEE, Washington               MARY BONO MACK, California
ANTHONY D. WEINER, New York          GREG WALDEN, Oregon
G.K. BUTTERFIELD, North Carolina     LEE TERRY, Nebraska
CHARLIE MELANCON, Louisiana          MIKE FERGUSON, New Jersey
BARON P. HILL, Indiana
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin 
    Islands
KATHY CASTOR, Florida
CHRISTOPHER S. MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
PETER WELCH, Vermont
JOHN D. DINGELL, Michigan (ex 
    officio)





                             C O N T E N T S

                              ----------                              
Hon. Bobby L. Rush, a Representative in Congress from the State 
  of Illinois, opening statement
Hon. George Radanovich, a Representative in Congress from the 
  State of California, opening statement
    Prepared statement
Hon. Edward J. Markey, a Representative in Congress from the 
  Commonwealth of Massachusetts, opening statement
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement
    Prepared statement
Hon. Gene Green, a Representative in Congress from the State of 
  Texas, opening statement
Hon. Michael F. Doyle, a Representative in Congress from the 
  Commonwealth of Pennsylvania, opening statement
Hon. Steve Scalise, a Representative in Congress from the State 
  of Louisiana, opening statement
Hon. Doris O. Matsui, a Representative in Congress from the State 
  of California, opening statement
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement
Hon. Zachary T. Space, a Representative in Congress from the 
  State of Ohio, opening statement
Hon. Christopher S. Murphy, a Representative in Congress from the 
  State of Connecticut, opening statement
Hon. John Barrow, a Representative in Congress from the State of 
  Georgia, opening statement
Hon. Joe Barton, a Representative in Congress from the State of 
  Texas, prepared statement

                               Witnesses

Chris Hoofnagle, Director, Information Privacy Programs, UC 
  Berkeley School of Law
    Prepared statement
    Answers to submitted questions
George V. Pappachen, Chief Privacy Officer, Kantar/WPP
    Prepared statement
    Answers to submitted questions
Jennifer T. Barrett, Global Privacy and Public Policy Executive, 
  ACXIOM
    Prepared statement
    Answers to submitted questions
Zoe Strickland, Vice President, Chief Privacy Officer, Wal-Mart 
  Stores, Inc.
    Prepared statement
    Answers to submitted questions
Michelle Bougie, Senior Internet Marketing Manager, 
  LearningResources.com and EducationalInsights.com
    Prepared statement
    Answers to submitted questions
Pam Dixon, Executive Director, World Privacy Forum
    Prepared statement
    Answers to submitted questions

                           Submitted material

Statement of the American Civil Liberties Union

 
    EXPLORING THE OFFLINE AND ONLINE COLLECTION AND USE OF CONSUMER 
                              INFORMATION

                              ----------                              


                      THURSDAY, NOVEMBER 19, 2009

                  House of Representatives,
     Subcommittee on Commerce, Trade, and Consumer 
                                        Protection,
                                             joint with the
Subcommittee on Communications, Technology, and the 
                                          Internet,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The Subcommittees met, pursuant to call, at 12:23 p.m., in 
Room 2123 of the Rayburn House Office Building, Hon. Bobby Rush 
[Chairman of the Subcommittee on Commerce, Trade, and Consumer 
Protection] presiding.
    Members present from Subcommittee on Commerce, Trade, and 
Consumer Protection: Representatives Rush, Schakowsky, 
Sarbanes, Green, Barrow, Matsui, Space, Radanovich, and 
Scalise.
    Members present from Subcommittee on Communications, 
Technology, and the Internet: Representatives Boucher, Markey, 
Doyle, Inslee, Murphy, McNerney, Stearns, Shimkus, and 
Blackburn.
    Staff Present: Michelle Ash, Chief Counsel; Marc Groman, 
FTC Detailee; Timothy Robinson, Counsel; Amy Levine, Counsel; 
Greg Guice, FCC Detailee; Sarah Fisher, Special Assistant; 
Will Cusey, Special Assistant; Theresa Cederoth, Intern; Pat 
Delgado, Rep. Waxman's Chief of Staff; Brian McCullough, Senior 
Professional Staff; Shannon Weinberg, Counsel; Will Carty, 
Professional Staff; Amy Bender, FCC Detailee; and Sam Skywalker 
Costello, Legislative Analyst.

 OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF ILLINOIS

    Mr. Rush. The joint committee will come to order.
    This is a joint subcommittee hearing on Commerce, Trade, 
and Consumer Protection, and the Commerce, Technology, and 
Internet Subcommittee.
    The subject matter for this hearing is entitled ``Exploring 
the Offline and Online Collection and Use of Consumer 
Information.'' I am privileged to chair the Subcommittee on 
Commerce, Trade, and Consumer Protection, and my friend and 
colleague, Mr. Boucher, who is the chairman of the 
Communications, Technology, and Internet Subcommittee of the 
Committee on Energy and Commerce.
    It is my honor to chair the first part of this hearing, and 
this hearing will be chaired subsequently by Chairman Boucher. 
The chair recognizes himself now for 5 minutes, for the 
privileges and the purposes of an opening statement.
    The collection and use of personal information of customers 
and consumers are threads from the same knitting needle, sewn 
into the fabric of American commerce and competition near the 
start of the Twentieth Century. Accordingly, these tools and 
methods predate their more powerful, precise, and predictive 
counterpart in the online realm by more than 100 years.
    But just because we have something that has been around for 
a long time does not mean we understand as much about it as we 
should. That is why I am delighted about today's hearing. It is 
the fourth in a series of hearings our two subcommittees have 
held on the subject of privacy.
    At our hearings and in our meetings, consumers and their 
advocates, industry, and leading commentators have shared with 
us extensively why this all matters, how entrepreneurs and 
businesses go about protecting consumer privacy, and why 
collecting personal information about individual consumers 
improves the chances their businesses will have to succeed. 
While preparing for these hearings, we have been surprised at 
how little is really known about how businesses go about 
ensuring that individual privacy is protected.
    Consumers are telling us they want to know more about how 
their information is being protected. As their representatives 
and as consumers ourselves, we hear them loud and clear. They 
should be and are concerned, even to the point of anger, when 
they learn that they have been placed on consumer lists 
identifying themselves as affluent Jews or Blacks, as pro-
choice or pro-life, as donors, as members of a same-sex couple 
relationship, or as being addicted to gambling, addicted to 
sex, or addicted to tobacco.
    Indeed, on my way back home to Chicago to celebrate the 
Thanksgiving holidays, I could take public transportation to 
the airport, and by using a SmartCard and a frequent flyer 
card, records of my whereabouts, and when and to where I was 
commuting and flying are created. To buy my holiday turkey, I 
may use my grocery rewards card, which would swipe into a 
system of databases what is in my cart, when and where I 
shopped, how much I paid, among the other data points that were 
being collected. And these are just several examples of the 
type of consumer lists and data points that are generated and 
populated into databases, 24 hours a day, 365 days of every 
year.
    But how much do we know about the businesses that make 
it a business of obtaining and selling or sharing ``offline'' 
information and customer lists with affiliated and unaffiliated 
businesses? How much do we know about their marketing practices 
and product development strategies to persuade buyers and 
individuals who will pay considerable amounts of money for that 
information? How much do we really know about what these buyers 
and individuals do with that information, including reselling 
the information downstream to other buyers and bidders for that 
information?
    I am interested in hearing everyone's perspectives about 
the current legal and regulatory structure that exists to 
protect this information. Should the source of this 
information, whether it is taken ``offline'' from a warranty 
registration card, or ``online,'' from a social or health 
networking site be treated differently, when it reveals 
fundamentally the same personal information about individual 
consumers? And by treating the information differently, with a 
heightened duty on businesses to protect ``online sources,'' 
for example, are we setting perverse incentives and conditions 
for regulatory arbitrage and avoidance?
    Let me be clear. My end goal is to work with members of 
this subcommittee and members of this committee to introduce 
privacy legislation, which protects consumers from privacy-
related harms, yet doesn't stifle responsible entrepreneurs and 
businesspeople from developing models and instituting 
successful business and marketing plans that are, indeed, 
respectful of consumer privacy.
    Keeping privacy protections that belong in the back office 
from tumbling into the crawl spaces under the office will be a 
big part of our challenge. In whatever bill we draft, we must 
work to ensure that the accelerating convergence of 
``offline'' and ``online'' collection and does not outpace the 
demands of consumers for dignity and for discipline and for our 
decency, in our dawning digital economy and markets.
    I yield back the balance of my time.
    [The prepared statement of Mr. Rush follows:]

*************** COMMITTEE INSERT ***************

    Mr. Rush. I recognize the ranking member of this 
subcommittee, Mr. Radanovich, for 5 minutes for the purposes of 
opening statements.

 OPENING STATEMENT OF HON. GEORGE RADANOVICH, A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Radanovich. Thank you, Chairman Rush, and I want to 
thank you for holding this second hearing on the topic of 
privacy.
    And we understand, or have heard rumors of legislation 
coming in the next few weeks, and I look forward to that, and 
working with you on legislation to improve rights of privacy.
    As I have stated before, I believe an individual's 
information is their own personal property. We, as consumers, 
should know what information is gathered about us, where and 
how it is stored and protected, and who has access to that 
stored information. And most importantly, for the context of 
this hearing, with whom and for what purposes is that 
information shared?
    But the fact of the matter is that information collection, 
aggregation, and sharing predates the Internet by decades, and 
yet, most of us don't know the details of who has the 
information, what information they have about us, and where 
they obtained it. The most critical point of concern for me is 
not necessarily the aggregation of this data offline, but when 
that comparatively limited offline data is combined with more 
comprehensive data collected online. I believe that that is the 
most important development, because it will continue to grow in 
significance, as e-commerce and mobile commerce expand.
    The flipside of my concern for privacy and the right to 
control my information is the recognition that this information 
sharing is good for business, and I certainly do feel that I 
have, or do not feel that I have been harmed because a retail 
catalog appeared on my mail. Maybe the tenth one in one day, 
yes, I have been harmed, but. However, we all know that 
collected information can, in certain contexts, be used by 
criminals that have, if that information is not respected and 
protected.
    In general, I believe the free market can and should be 
allowed to solve these types of issues, as consumers become 
aware and demand certain protections, practices, and control 
options, industry will respond in order to maintain those vital 
relationships.
    Thankfully, the best actors do take privacy seriously, and 
they do provide options for consumers to block the sharing of 
their information for marketing purposes. The problem for 
Congress is similar to what we face on many issues, and that is 
how to address the bad actors without overburdening the good by 
depressing or even eliminating productive and beneficial 
commercial activity. That is the balance for which we should 
strive, and the approach that I will continue to support.
    I look forward to hearing from our witnesses today, 
particularly our small business representative. I would like to 
know exactly what information you collect, with whom you share 
it, and how you and your partners use that information. I would 
also like to hear all of your thoughts about how this can be 
addressed through industry self-regulation, and what, if any, 
steps Congress may need to consider to ensure personal 
information and the use of that information are adequately 
protected and treated properly.
    Finally, I would like to know your thoughts on how the 
varying approaches to potential regulation of sharing we have 
previously discussed in this committee, such as first party, 
third party approach, or a primary personal approach would 
impact the world of small business. We have seen, in other 
contexts, the consequences of acting too quickly without full 
investigation of potential consequences. In this area that is 
so important to so many people, I want to make sure that any 
policy decisions are based upon the fullest information 
available, and will be fair to all businesses, regardless of 
their size and corporate structure.
    We all want to protect privacy and prevent harm, but 
Congress should not seek to solve the issue by choosing winners 
and losers.
    Thank you very much, Mr. Chairman, and I thank you, 
witnesses, for your time and your input today, and yield back 
the balance of my time.
    [The prepared statement of Mr. Radanovich follows:]

*************** COMMITTEE INSERT ***************

    Mr. Rush. The chair thanks the gentleman, the vice chair, 
or the ranking member, rather.
    The chair now recognizes the gentleman from Massachusetts, 
Mr. Markey, for 5 minutes, for the purposes of opening 
statement.

OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN 
        CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS

    Mr. Markey. Thank you, Mr. Chairman, very much, and thank 
you so much for holding this critically important hearing.
    Shakespeare, in Othello, said: ``Who steals my purse steals 
trash. 'tis something, nothing; 'Twas mine, 'tis his, and has 
been slave to thousands; but he that filches from me my good 
name robs me of that which not enriches him but makes me poor 
indeed.''
    Now, as we were growing up, our doctors, our bankers, the 
nurses, they were privacy keepers. We knew that our medical 
record was locked up in that closet with the nurse, with the 
key to open it up to go in and get the records, and it wasn't 
going to be shared with the neighborhood. The same thing is 
true for all of our records.
    But we have moved from an era now of privacy keepers to one 
of privacy peepers, and data mining reapers, who want to turn 
our information into products. And what is the product? The 
product is our records, our privacy, our families' history. And 
as online and wireless merge, it becomes all the more possible 
to take this world, and to compromise the privacy of Americans.
    And so, this really goes to the heart of who we are. We 
wouldn't let the government do this. We wouldn't let the 
government gather all this information, or make it a product. 
So, we have to protect against businesses that think that we 
are all products, that our families are all products. The 
members of our families are all products, because this 
information is invaluable as a product to other people.
    But to us, it goes right to the essence of our families and 
who we are, and what privacy we should have a right to expect. 
And so, as we are moving forward, we have to create the rules. 
The new technologies themselves have no personality at all. 
They are just technologies. They only get their personality as 
we, we animate them with the values that we want them to serve.
    And so, for my part, I think that the old values served us 
very well, and the new technologies should be animated with 
those old values. That is the key to this discussion. It is not 
oh, Congress can't keep up with new technology. Oh, we can keep 
up with it. We know what is going on. The question is, do we 
have the insight and the courage to add those old values, so 
that families aren't compromised by businesses that want to 
make a product out of people's business.
    When we were doing the health IT bill in February, adding 
that $20 billion, I authored the language that ensured that the 
information that was now going to be transmitted was 
indecipherable to unauthorized users. Because yes, we want to 
get the benefit of new health IT information, because that can 
help patients, but we don't want that information to now be 
compromised, as it is taken out of the file and put online. We 
want the benefits to flow to the patients, but not for the 
information to be turned into a product, a profile, that can 
then have everyone in town or everyone across the country 
knowing who had anorexia, prostate cancer, breast cancer, in 
your family.
    If you want to tell someone about it, you should be able to 
do it, but if you don't want to tell anyone about it, that 
should be your right, too. And there is many people who don't 
mind people finding out, but there is many others who aren't 
going to tell anyone else in their family that they have a 
secret. That should be their right. That shouldn't be a 
decision made by a business, that is now just widely 
disseminated because there might be more products that they can 
help you with, to gain access to. They should ask you if you 
want to have access to it, then that information can be sent 
out there.
    So, this brave new world is really no different than the 
discussion that our grandparents and our parents had to have 
about the privacy they expected, and I think that the same 
values exist, the technologies should work for families, and 
they should have the right to say no. They should have the 
knowledge and information that is being gathered about them. 
They should have the notice that the information is going to be 
used for other purposes, other than that which was originally 
intended, and they should have the right to say no. No, well, I 
want the benefit of the technology, but I don't want it turned 
into a product. I don't want my children's, my mother and 
father's information now as some kind of product that is out 
there.
    So, thank you, Mr. Chairman. We could not have a more 
important subject. I yield back the balance of my time.
    [The prepared statement of Mr. Markey follows:]

*************** COMMITTEE INSERT ***************

    Mr. Rush. The chair thanks the chairman of the Subcommittee 
on Energy. Now, the chair recognizes the ranking member of the 
Subcommittee on Energy, Mr. Stearns, for 5 minutes, for the 
purposes of opening statement.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Thank you, Mr. Chairman, and let me commend 
you also, you and Mr. Boucher, for having this hearing. I thank 
the witnesses for coming. We look forward to your testimony.
    We have had, I think, back in June, we had a big discussion 
on behavioral advertising, and how to broadly examine how 
companies are using consumer Internet behavior to tailor online 
advertising, to simply identify the ways this kind of targeted 
advertising affects the consumer. How does he or she benefit 
from this, and I think most of the feelings were that the 
consumer does benefit from this.
    So, in a sense, this committee is here to hear more about 
the subject, but also, with an understanding to do no harm. 
Only the consumer knows how he or she feels about the 
information being collected, parties that are doing the 
collecting, and of course, the purpose for which the 
information is being collected for.
    The question becomes just how much influence and how much 
regulation should Congress be involved with. I don't think 
Congress cannot and should not make the decision for the 
consumer. The consumer should make that decision for 
themselves.
    We, as members of this committee, certainly can play a 
proactive role in ensuring that consumers have this adequate 
information, and full range of tools at their disposal, in 
order to simply make this informed choice, whether it is opt-in 
or opt-out.
    Companies that collect information about consumers in both 
an offline and online manner obviously had to be good stewards 
of the information, and should seek to protect that information 
where it is appropriate. Additionally, all companies, whether 
they be data brokers, major retail companies, or even small 
businesses, should operate in a transparent manner and fair 
manner, when it comes to the information they collect about 
consumers, or consumers, or how that information is 
subsequently being used.
    The real transparency, I guess, is a question of how robust 
a disclosure and notice to the consumer is required in their 
privacy policy. They obviously should be presented in a clear, 
conspicuous manner, so that the consumer knows, should be 
indicating what is being collected, the ways the information is 
being used, and third, the ways the consumer can prevent the 
collection of the information if they don't want to do it.
    This is a very significant challenge. We haven't had many 
hearings on privacy, and understanding the constitutional 
issues, as well as understanding the role of the Federal Trade 
Commission. When I was chairing the Commerce, Trade, and 
Consumer Protection Committee, I realized that there is, people 
would have different outlooks on the opt-in and opt-out 
provision.
    And I come to believe that for the most part, that if we 
get into too much of the weeds here, that we are going to 
impede the Internet, and make it more difficult for people to 
collect information, when it is probably not necessary.
    In fact, at one time, the Federal Trade Commission and I 
talked about a Good Housekeeping Seal, that would be provided 
by private companies, that in a sense, would be a seal of 
approval, so that people, when they went on a Web site, would 
realize this already complies with a Good Housekeeping Seal 
that has been approved by the Federal Trade Commission, so that 
they would have the confidence right there, without going 
through the rigmarole of looking at an opt-in and opt-out 
provision, and reading the detailed fine print in a privacy 
policy.
    The small businesses of this country create all of the 
jobs, and there is a lot of Internet companies that are 
starting up, and obviously, we wouldn't want to impede their 
ability to function. So, this Internet is such a powerful means 
of communication, putting in a significant privacy policy is 
very important, and has the great effect of either helping, 
enhancing, or deterring, shall we say, the purchase of 
products, the use of it.
    So, I think this is a very important hearing, to hear from 
the people that are most involved, and I look forward to 
hearing from them, and hearing some of the pitfalls of sort of 
what we have as a draft bill that Mr. Boucher and Mr. Rush and 
I, and Mr.--others have put together, and so, we are looking 
forward to, perhaps, after this hearing, to get this draft bill 
out, so that we can hear from you folks, to see what you think 
of it. And then, we can move forward.
    And with that, Mr. Chairman, I yield back.
    I yield back the balance of my time.
    [The prepared statement of Mr. Markey follows:]

*************** COMMITTEE INSERT ***************

    Mr. Rush. And the chair recognizes Mr. Green for 2 minutes, 
for the purposes of opening statement.

   OPENING STATEMENT OF HON. GENE GREEN, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Green. Thank you, Mr. Chairman, both you and Chairman 
Boucher, thank you for holding this hearing, to continue our 
examination of consumer data collection and use, and the 
security and privacy implications it has.
    The issue in discussion, of online versus offline data 
collection, is an important one, because the distinction has 
blurred so much over the past decade. The ability to easily 
aggregate and share information over the Internet has proved 
tremendous benefits to our society and our economy, and the 
collection of consumer information can provide tremendous 
benefits to small and upstart businesses, by allowing them to 
target customers that have tendencies to purchase 
individualized products or services.
    One problem I hear is these aren't the only uses for this 
data, and the ability of entities that sell this information to 
collect such a wide variety of information on individuals is 
extremely troubling, because it allows bad actors to target 
vulnerable individuals, based on very specific and granular 
data, that has been collected across a line of online and 
offline platforms.
    Another problem is that this information creates a personal 
record that few, if any, consumers know what is exactly contained in 
it. Consumers have no ability to edit that profile, like they 
would their credit report, but the records maintained on the 
databases are unregulated, and often maintained more and 
wider-ranging information than in a credit report, if the information 
is not used for products or services that fall under the Fair 
Credit Reporting Act.
    Information about transactions, behaviors, and online, 
offline, and that occur offline, are also becoming more 
prevalent in these records that can be purchased from companies 
that sell this marketing information. Nearly every chain store 
has some sort of discount or club card to collect information 
of consumer trends. Records are kept and sold of individuals 
who enter various sweepstakes through the mail. Social 
networking sites provide, possibly, the greatest threat, 
because they contain day to day activity of tens of millions of 
frequent users.
    The aggregate of all of this data can provide a 
tremendously detailed picture of a person's daily life, 
interests, habits, and behavior, which that person may never 
know exists. We have laws that regulate how this information 
can be used by financial institutions and relating to medical 
privacy, but outside of these defined areas, this information 
is largely unregulated, and has the potential to tremendously 
harm consumers.
    And I want to thank the chair of both subcommittees for the 
hearing today, and continue looking into this issue, and I look 
forward to our witnesses' testimony.
    I yield back the balance of my time.
    [The prepared statement of Mr. Green follows:]
    *************** COMMITTEE INSERT ***************
    Mr. Rush. The chair thanks the gentleman. The chair now 
recognizes the gentleman from Illinois, Mr. Shimkus, for 2 
minutes.
    Mr. Shimkus. Thank you, Mr. Chairman. I will be brief.
    We have free over-the-air radio. We have free over-the-air 
TV. We have free email. We live in a great country, and one of 
the reasons why we have free email is the ability for people to 
put advertising banners on that.
    And I am talking about Gmail and Hotmail, and we need to be 
very, very careful that this great benefit, that millions of 
Americans take advantage of, does not get hindered, disrupted, 
or destroyed by aggressive legislation in this area, and I 
yield back my time.
    I yield back the balance of my time.
    [The prepared statement of Mr. Shimkus follows:]
    *************** COMMITTEE INSERT ***************
    Mr. Rush. The chair thanks the gentleman for his brevity. 
The chair now recognizes the gentleman from Pennsylvania, Mr. 
Doyle, for 2 minutes.

OPENING STATEMENT OF HON. MICHAEL F. DOYLE, A REPRESENTATIVE IN 
         CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA

    Mr. Doyle. Thank you, Mr. Chairman, for holding this 
hearing today. Trading and selling of personal information 
began as long ago as 1899. Two brothers created the Retail 
Credit Company to track the creditworthiness of Atlanta grocery 
and retail customers. Some people know that company now as 
Equifax.
    Since then, the cost of storing and manipulating 
information has fallen sharply, and now, organizations capture 
increasing amounts of data about individual behavior. Consumers 
hunger for personalization. Products, services, Web sites that 
cater to them, that causes them to reveal information about 
themselves.
    Ordering off a catalog reveals other information. Using 
their credit card yields more, and thinking you have to send in 
that warranty card can reveal almost your entire life to other 
parties.
    But that information probably delivers better products, 
more targeted services, and a more enjoyable Internet 
experience. As Alessandro Acquisti of Carnegie Mellon writes: 
``Is there a combination of economic incentives and 
technological solutions to privacy issues that is acceptable 
for the individual and beneficial to society? In other words, 
is there a sweet spot that satisfies the interests of all 
parties?''
    And then, what are the rules of the road that we need to 
put in place to make sure that consumers' privacy is protected 
and that commerce flourishes? That is what I hope to learn more 
about in today's hearing.
    I want to credit the work dozens of dedicated faculty and 
students, working on consumers' data privacy at Carnegie Mellon 
University, located in the heart of my district, have done. 
CMU, the Data Privacy Lab, and CyLab, have all greatly 
contributed to the academic literature, commercial 
consciousness, public awareness, and my understanding of this 
issue.
    Thank you, Mr. Chairman, and I yield back.
    I yield back the balance of my time.
    [The prepared statement of Mr. Doyle follows:]
    *************** COMMITTEE INSERT ***************
    Mr. Rush. The chair thanks the gentleman. The chair now 
recognizes the gentleman from Louisiana, Mr. Scalise, for 2 
minutes.

 OPENING STATEMENT OF HON. STEVE SCALISE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF LOUISIANA

    Mr. Scalise. Thank you, Chairman Rush and Boucher. I want 
to thank you and Ranking Members Radanovich and Stearns for 
having this hearing on the collection and use of personal 
information.
    I am pleased that both subcommittees are examining this 
issue. I know that Congress and this committee have held 
hearings on privacy in the past, but as we all know, consumers' 
personal information is being collected more and more every 
day, often without their knowledge, through both online and 
offline modes of commerce. Whether they are participating in a 
survey, using Facebook, or even ordering a product over the 
phone.
    Given the importance of information in today's economy, and 
given how often consumers give out their personal information, 
there is a genuine cause for concern. Therefore, we must 
continue to examine ways to ensure consumers don't have their 
personal information compromised or misused.
    As one pointed out in our last joint hearing, many Internet 
companies are offering the ability to opt-in or opt-out of the 
company's policies to use or share personal information they 
collect. But those policies often do not address the collection 
of the data. The collection and use of personal information can 
help companies better serve customers, market products to 
certain consumers, and verify consumers' identity.
    But the potential for danger does exist. Personal 
information could easily be compromised, and there are bad 
actors that use consumers' personal information in ways that 
take advantage of the consumer, and in some cases, in ways that 
are illegal.
    Consequently, there are issues that we must address. As we 
take those into consideration, and debate the best steps moving 
forward, I hope we proceed carefully when drafting legislation 
in this area. As I stated at the previous hearing on behavioral 
advertising, I hope the focus of today's hearing is how we can 
protect consumers and their personal information, and what 
steps the industry will take on their own to do that.
    I hope today's hearing does not focus on ways government 
can get more involved in areas of people's lives where it does 
not belong. For this reason, I believe that if self-regulation 
is not sufficient, and if any privacy regulatory requirements 
are needed, they should be targeted, consistent, and not be 
greater for one business or industry than they are for another. 
Congress should not pick winners and losers.
    I look forward to hearing the comments of our panelists 
today, particularly on the collection of data through offline 
methods, and how companies are using this data. I also hope to 
hear about current security measures that companies have in 
place, and any they may be planning to implement in the future, 
to ensure the protection of personal information.
    It is important that these committees understand their 
positions and activities, as well as all of the implications of 
collecting and using personal information.
    Thank you, and I yield back.
    I yield back the balance of my time.
    [The prepared statement of Mr. Scalise follows:]
    *************** COMMITTEE INSERT ***************
    Mr. Rush. The chair thanks the gentleman. The chair now 
recognizes the gentlelady from California, Mrs. Matsui, for 2 
minutes.

OPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Matsui. Thank you, Mr. Chairman, and I thank you and 
Chairman Boucher for calling today's joint hearing. And I 
applaud your leadership in addressing this important issue. I 
would like to also thank our panelists for being with us this 
afternoon.
    Today, we will be examining the collection and commercial 
use of consumer information across the offline, online, and 
mobile marketplaces. Without their knowledge or approval, 
consumers' personal information is being collected when they 
conduct daily activities, such as using the Internet, shopping 
at the grocery store, or even ordering takeout from their local 
favorite restaurants, and that is just to name a few.
    In today's economy, information is everywhere, and it is to 
everyone. Unfortunately, it is essentially impossible to 
protect one's personal information these days, and it is 
understandable that most Americans simply do not trust that 
their personal information is properly protected.
    Privacy policies and disclosures should be clear and 
transparent, so consumers can choose what information, if any, 
they want others to know, instead of inappropriate collection 
and misuse of that information. Consumers should also 
understand the scope of the information that is being 
collected, what it is being used for, the length of time it is 
being retained, and its security. The more information that 
consumers have, the better.
    Moving forward, we must assure that Americans feel secure 
that their personal information will not be misused the next 
time they surf the Internet, shop at a grocery store, or eat 
carryout from a restaurant. Meaningful privacy safeguards 
should be in place, while making certain that we do not stifle 
innovation.
    Thank you, again, Mr. Chairman, for holding this important 
hearing, and I yield back the balance of my time.
    I yield back the balance of my time.
    [The prepared statement of Ms. Matsui follows:]
    *************** COMMITTEE INSERT ***************
    Mr. Rush. The chair thanks the gentlelady. The gentlelady 
from Tennessee is recognized for 2 minutes.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Mrs. Blackburn. Thank you, Mr. Chairman, and welcome to our 
witnesses. We are glad you are here, and I am pleased that we 
are having this hearing today.
    Nearly everything that we do on the Internet is monitored, 
and one of the things that we need to do is make certain that 
there is an understanding of what a level of privacy is, and 
what those expectations are, and make certain that we put some 
good rules of the road in place.
    At the same time, we don't want to stifle the engines of 
Internet commerce and e-commerce, that have been an absolutely 
wonderful economic driver, especially for many small 
businesses. And in areas like mine, all the area from Memphis 
to Nashville, where we have so many small businesses that do 
depend on those e-commerce formats to make certain that they 
are profitable.
    Now, my constituents in Tennessee have raised with me the 
issue that there does seem to be an alarming trend, in which 
ads from some well-known brands are consistently appearing on 
sites that traffic illegal content, such as pirated movies and 
music, and these sites are often located outside the U.S., and 
may be linked to broader criminal enterprises, that clearly 
have no regard for the privacy of others. They are very 
concerned about this, and they want to make certain that that 
is an issue that is addressed, as we move forward in this 
debate.
    They are also concerned about rules, as we look at privacy, 
something that, about Congress getting in the business of 
dictating what data is acceptable or unacceptable, and 
distorting how that travels up and down the pipe.
    So, we need to be responsible, looking for responsible 
solutions that are going to both protect consumers and empower 
consumers to have control over their data, and allow businesses 
to continue with their e-commerce format.
    So, welcome, look forward to hearing your comments.
    I yield back the balance of my time.
    [The prepared statement of Mrs. Blackburn follows:]
    *************** COMMITTEE INSERT ***************
    Mr. Boucher [presiding]. Thank you very much, Ms. 
Blackburn. The gentleman from Maryland, Mr. Sarbanes, is 
recognized for 5 minutes.
    Mr. Sarbanes. I waive. I waive my opening.
    I yield back the balance of my time.
    [The prepared statement of Mr. Sarbanes follows:]
    *************** COMMITTEE INSERT ***************
    Mr. Boucher. I am sorry. Mr. Sarbanes, did you waive a 
statement? OK. The gentleman will have time added to his 
question period.
    The gentleman from California, Mr. McNerney, is recognized 
for 2 minutes.
    Mr. McNerney. Well, thank you. I commend Chairman Rush and 
Chairman Boucher for convening this fascinating and important 
hearing.
    As technology develops, the opportunity for abuse, I 
believe, is going to grow exponentially, and consequently, 
policy does need to keep pace, to ensure that consumers are 
protected.
    A couple of things that I would like to learn this morning, 
this afternoon. First of all, I would like to get an idea of 
the scope of the potential problems. How is this data going to 
be able to be used to affect our lives? And secondly, I would 
like to understand what makes sense, in terms of how data 
access and data use can and should be restricted. And I want to 
thank you all. You represent organizations that collect data 
and use data, so you are on the frontlines.
    And with that I will yield back.
    I yield back the balance of my time.
    [The prepared statement of Mr. McNerney follows:]
    *************** COMMITTEE INSERT ***************
    Mr. Boucher. Thank you very much. The gentleman from Ohio, 
Mr. Space, is recognized for two minutes.

OPENING STATEMENT OF HON. ZACHARY T. SPACE, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF OHIO

    Mr. Space. Thank you, Chairman Boucher. I would like to 
thank Chairman Rush and Ranking Members Radanovich and Stearns 
for convening our subcommittees today to discuss online and 
offline collection and use of consumer information.
    I was struck, in reviewing our witnesses' testimony, that 
there seems to be limitless sources for information on 
consumers, publicly available data, data volunteered by 
customers, and data collected from customer-facing businesses. 
Taken individually, each of these datasets provides a partial 
picture of a consumer. However, when these datasets are 
combined, retailers and data brokers can cobble together a 
fairly complete customer profile.
    And I find this fascinating. I certainly understand the 
benefits that such datasets can provide to businesses, 
especially small businesses, as highlighted by, and I hope I 
don't get this wrong, Ms. Bougie. With a name like Space, I can 
feel your pain. And to the extent that customer profiling can 
embrace or enhance commerce, I believe such data gathering is 
an important tool.
    However, as outlined by our witnesses, there are also some 
concerning possibilities about and regarding abuse of this 
information. It seems like common sense that there should be 
some protections built in to shield mentally ill citizens, for 
example, from repeated, unsolicited, targeted marketing.
    The bottom line is that consumer datasets, compiled from 
information gathered online and offline, and the handling of 
such data, remain largely unregulated. This strikes me as being 
the Wild West of e-commerce. So that we have some critical 
interests to consider, and I welcome the continued discussion 
on this issue.
    I look forward to working on this matter with my 
colleagues, and I yield back. Thank you, Mr. Chairman.
    I yield back the balance of my time.
    [The prepared statement of Mr. Space follows:]
    *************** COMMITTEE INSERT ***************
    Mr. Boucher. Thank you very much, Mr. Space. The gentleman 
from Connecticut, Mr. Murphy, is recognized for 2 minutes.

      OPENING STATEMENT OF HON. CHRISTOPHER S. MURPHY, A 
    REPRESENTATIVE IN CONGRESS FROM THE STATE OF CONNECTICUT

    Mr. Murphy. Thank you, Mr. Chairman. Thank you for the 
hearing, to our chairmen and our ranking members.
    Certainly, I think as we spend more time online, this issue 
of what data is being collected about each of us is 
increasingly critical. And I think we can all agree that most 
consumers would prefer to have a clear understanding of what 
information is being collected, and how it is being used.
    But to some degree, I also believe that these consumers, if 
they think that the data collection is unobtrusive and 
inoffensive, and if it is being used, I think this point is 
important, if it is being used to give them information or 
opportunities that are relevant to them, that are catered to 
their interests, I think a lot of folks will take lesser 
offense to that type of data collection. Certainly, this is all 
predicated on a system that consumers can trust and verify.
    Beyond this, I am interested today, and I hope the 
witnesses might elaborate on this, how the information that we 
are talking about today is being used to direct consumers to or 
advertise on sites that might engage in the pirating of legal 
content. Because we know there are a vast number of sites 
available to users whose business model is developed on 
providing pirated content to individuals, sometimes for a 
price, and sometimes, because they are supported by ad revenue 
for free.
    In combating piracy, it seems that we should look at how 
information derived from consumers is then being used to place 
advertisements, or direct individuals to places where we know 
illegal activity is occurring.
    I hope to explore this issue in greater detail. I look 
forward to testimony and to listening to the questions. I thank 
the chairman and yield back.
    I yield back the balance of my time.
    [The prepared statement of Mr. Murphy follows:]
    *************** COMMITTEE INSERT ***************
    Mr. Boucher. Thank you very much, Mr. Murphy. The gentleman 
from Georgia, Mr. Barrow, is recognized for 2 minutes.

  OPENING STATEMENT OF HON. JOHN BARROW, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF GEORGIA

    Mr. Barrow. I thank the chair. I want to welcome all of the 
witnesses today.
    I especially want to welcome Professor Chris Hoofnagle, 
whom I remember from many, many, many years ago, when I had the 
privilege of representing him as a county commissioner. It was 
obvious to me he was going places, then. I just wished I could 
stick around for the ride.
    Mr. Chairman, I am pleased our subcommittees are meeting 
today to discuss the issue of online and offline data 
collection, and the commercial use of consumer information for 
the purpose of delivering targeted advertising.
    I have no doubt that sharing consumer information offers 
benefits to all of us. The benefits pretty much sell 
themselves, at least, somebody can sell them. It is the costs 
that I am worried about.
    As information brokerage continues to expand, it becomes 
more important than ever that we draw the line between enhanced 
data collection methods on the one hand, and unwarranted breach 
of personal privacy on the other.
    In September, this committee was able to mark up H.R. 1319, 
the Informed Peer-to-Peer User Act, which I co-sponsored with 
Congresswoman Bono Mack. That bill tackles the privacy and 
security risks that come with peer-to-peer file sharing 
programs. I see the work that we are doing here today as a 
continuation of that effort, to protect personal privacy 
without discouraging market and technological innovation.
    I want to thank Chairmen Rush and Boucher for their 
leadership in addressing this issue. With that, I yield back 
the balance of my time.
    I yield back the balance of my time.
    [The prepared statement of Mr. Barrow follows:]
    *************** COMMITTEE INSERT ***************
    Mr. Boucher. Thank you very much, Mr. Barrow.
    Members having had an opportunity, now, to make opening 
statements, we turn to our panel of witnesses, and I would like 
to welcome each of you here this afternoon, and thank you for 
taking the time to share your view on this subject of great 
interest to all of us here.
    Just a brief word of introduction about each of our 
witnesses. Mr. Chris, excuse me, Hoofnagle is the Director of 
Information Privacy Programs at the University of California 
Berkeley School of Law. Mr. George Pappachen is the Chief 
Privacy Officer at Kantar/WPP. Jennifer Barrett is the Global 
Privacy and Public Policy Executive at Acxiom. Zoe Strickland 
is the Vice President and Chief Privacy Officer for Wal-Mart 
Stores, Incorporated. Michelle Bougie is the Senior Internet 
Marketing Manager for LearningResources.com, and 
EducationalInsights.com. Pat Dixon is the Executive Director of 
the World Privacy Forum.
    Without objection, each of your prepared written statements 
will be made a part of our record of proceedings today, and we 
would welcome your oral summaries.
    And in the interests of time, because we are not sure when 
we are going to have recorded votes that may command our 
presence on the floor for an extended period, we would ask that 
you try to keep your oral summaries to approximately 5 minutes.
    So, Professor Hoofnagle, with that admonition, I will be 
happy to begin with you.
    Mr. Hoofnagle. Chairmen----
    Mr. Boucher. Pull that microphone fairly close, and be sure 
to turn it on.

 STATEMENTS OF CHRIS HOOFNAGLE, DIRECTOR, INFORMATION PRIVACY 
PROGRAMS, UC BERKELEY SCHOOL OF LAW; GEORGE V. PAPPACHEN, CHIEF 
   PRIVACY OFFICER, KANTAR/WPP; JENNIFER T. BARRETT, GLOBAL 
 PRIVACY AND PUBLIC POLICY EXECUTIVE, ACXIOM; ZOE STRICKLAND, 
 VICE PRESIDENT, CHIEF PRIVACY OFFICER, WAL-MART STORES, INC.; 
      MICHELLE BOUGIE, SENIOR INTERNET MARKETING MANAGER, 
  LEARNINGRESOURCES.COM AND EDUCATIONALINSIGHTS.COM; AND PAM 
         DIXON, EXECUTIVE DIRECTOR, WORLD PRIVACY FORUM

                  STATEMENT OF CHRIS HOOFNAGLE

    Mr. Hoofnagle. Thank you. Chairman Boucher and Ranking 
Members Radanovich and Stearns, and honorable members of the 
committee, thank you for holding this hearing today on an often 
overlooked issue in consumer protection.
    While we have debated online privacy issues for the past 
decade, little attention has been focused upon how businesses 
collect, use, and disseminate information collected in offline 
contexts, for instance, at stores, at the point of sale, 
through surveys, sweepstakes, catalog sales, and the like.
    I first approached this issue from a civil liberties 
perspective. About six years ago, I started highlighting the 
relationships between offline marketing companies and the 
government. As Mr. Markey noted in his opening statement, he 
said that Americans would never allow the government to collect 
so much information about them. However, I found that many 
government agencies had simply outsourced their information 
collection activities on citizens by hiring marketing 
companies. Offline marketing companies had data on almost every 
American adult, and they had created techniques to analyze the 
data that could be adapted to law enforcement and intelligence 
needs.
    More recently, my work has focused upon consumer protection 
in the offline marketplace. For some time, I tried to call 
attention to the sale of personal information about consumers 
among companies. I would find data cards, which are offers to 
sell personal information databases and put them online. These 
lists included databases that described consumers in pejorative 
ways, and I would key up my first exhibit.
    This is a list of so-called impulsive consumers. It is 
difficult to read on the screen, but it is included as Appendix 
2 in my testimony. The data marketplace has greatly outpaced 
legislative and regulatory interventions to protect consumer 
privacy.
    For instance, in California, legislators acted quickly to 
block phone companies from creating a wireless 411 database. 
This would be a service to look up cell phone numbers. However, 
in focusing upon phone companies, California legislators missed 
the mark. Several data companies with no consumer relations 
whatsoever now market cell phone databases and other databases 
that list unlisted and private phone numbers.
    Appendix 2 of my testimony gives an example of one that is 
collected through the phone numbers that are given when you 
order pizza, and this is my second exhibit. This is an 
information service that claims to get unlisted and cellular 
telephone numbers by collecting them from pizza delivery 
companies.
    This brings me to a central point of my testimony today. 
American privacy law allows most offline businesses to sell 
customer data without giving the consumer notice or an 
opportunity to object. My public opinion research at UC 
Berkeley has focused upon whether consumers understand this. 
The findings are clear. Americans falsely believe that they 
enjoy a right of confidentiality with most businesses. This 
explains why they do not ask for privacy policies at the 
register, or opt out to information collection. They 
incorrectly assume that privacy law prohibits the use of their 
personal information. Americans don't understand that the burden 
is upon them to object.
    The lack of a legal framework that governs information 
collection and use offline leads to practices that Americans 
would object to, if they knew about them. I detail two in my 
written testimony. First, data companies use confidentiality 
agreements to keep information sharing secret. This means that 
if an advertiser wants to buy personal information about a 
group of people, the seller of the data binds the advertiser to 
confidentiality.
    Database companies prohibit their clients from telling 
customers how data were acquired, what data were acquired, and 
what categories the consumer has been placed in. This means 
that if you go to a business and ask how did you get my 
information, the advertiser is contractually required to say we 
cannot tell you. This is part of a larger strategy that leaves 
consumers in the dark about information selling practices.
    Second, in the offline context, and increasingly, in the 
online world, companies are using enhancement. This is the 
practice of buying additional data about existing consumers. 
So, for instance, have you ever been at a store, and have the 
cashier ask you what your phone number is?
    If you share your phone number, that gives that retailer 
the ability to reverse lookup your name and home address. Some 
of these problems could be solved with what I call data 
provenance, the ability to determine from where data was 
collected, and the rules and context governing its collection.
    Since I have just ten seconds left, I would like to thank 
the committee again for holding this hearing, and I look 
forward to your questions.
    [The prepared statement of Mr. Hoofnagle follows:]
    *************** INSERT 1 ***************
    Mr. Boucher. Thank you very much, Mr. Hoofnagle. Mr. 
Pappachen.

                STATEMENT OF GEORGE V. PAPPACHEN

    Mr. Pappachen. Chairman Boucher, Chairman Rush, Ranking 
Members Stearns and Radanovich, and members of the 
subcommittee, thank you for this opportunity to discuss an 
issue that is of critical importance to the businesses that I 
represent.
    My name is George Pappachen, and I am the Chief Privacy 
Officer of Kantar, a division of WPP. As I have been doing in 
external venues and industry forums on issues of privacy and 
public policy, I am delighted to represent the interests of 
both Kantar and WPP here today.
    Utilizing information to become as relevant as possible to 
consumers, and to transform the marketplace of products and 
services to be responsive to consumer needs, attitudes, and 
behaviors is at the heart of our business model. As you can 
appreciate, catering to consumer preferences on a continuous 
basis is simply not possible without the ability to collect or 
have access to reliable data and actionable insights.
    The dialog taking place today is important, not only for 
the purpose of awareness and understanding of industry 
practices, but also, to grant perspective on our shared respect 
for consumers. Getting it right with regard to our interaction 
with consumers is an essential element of business success for 
us. Our brands, and the client brands that we represent, have 
spent decades building trust with consumers and within the 
marketplace. Our involvement is really a continuation of that 
capital investment.
    Kantar is one of the world's largest insight, information, 
and consultancy networks. Covering 80 countries and across the 
whole spectrum of research and consultancy disciplines, we 
offer clients insights at each and every point of the consumer 
or customer cycle.
    Our services are employed by a majority of Fortune 500 
companies, domestic and foreign governmental entities at all 
levels, and almost every kind of brand that seeks to 
communicate to or have a relationship with consumers. We 
conduct market research, media measurement, which essentially 
means, for example, how many, knowing, measuring how many 
people watch TV, versus watch mobile TV, versus watch TV 
online. And we house consulting and specialty services that run 
the spectrum from brand value to retail, to healthcare, to 
government service management.
    WPP is the world's leading communications services group. 
Through its operating companies, the group provides a 
comprehensive range of advertising and marketing services.
    Kantar is a research and consultancy arm of WPP, and houses 
renowned brands, such as Millward Brown, TNS, Added Value, and 
Dynamic Logic. Other segments of WPP are creative agencies, 
such as Ogilvy and JWT, who create advertising, media agencies 
or other segments, like GroupM, which buy and sell advertising, 
and our public relations and public affairs firms, many of whom 
have a strong presence right here in D.C.
    Helping clients manage communications has certainly become 
more challenging in the recent past, due to audiences being 
more fragmented across the range of media platforms and 
devices. And challenging also, because of media convergence, 
the idea that although people are using different devices to 
access content, or to communicate, these platforms can be 
interlinked or overlapped, because of unifying digital 
language.
    Simply put, whereas consumers were confined to a limited 
number of channels broadcast over a handful of distinct 
platforms, such as TV, new media has allowed a proliferation of 
channel choices. Staying ahead of these market shifts, so that 
we continue to deliver best-in-class services to our clients, 
who trust us with their investment and advertising and 
marketing, is a matter of high priority for us.
    Consistent with that is our commitment to provide consumers 
with brand experiences that are relevant and responsible. As 
noted earlier, Kantar provides market research services, and 
they use a variety of methods to accomplish this objective. 
Market research is the voice of the consumer, the user, the 
citizen, or the donor. As you can surmise, market research 
fuels a variety of commercial and governmental services.
    Researchers use various methods of data collection. 
Certainly, there are parts of the world where data collection 
is primarily done offline, via telephone interviews, mall 
intercept surveys, paper diaries, et cetera. However, in the 
U.S. in particular, much of our research is now conducted 
online, online panels, sometimes dedicated to single sectors 
such as healthcare, web intercept surveys, where consumers are 
invited in real time, online, to give opinions, online 
communities, and various other methods are routinely employed.
    Some methods utilize cookies or tracking technologies to 
discern ad exposure, understand site visitation and other 
metrics. Passive tracking technology has positively impacted 
market research, in that it allows shorter surveys, and for 
respondents to not have to observe total recall on all media 
matters.
    It is often said that interactive platforms permit greater 
customization for the user, and better measurement for the 
content of service providers. I would agree with that, from an 
aspirational and inherent capability perspective. While the 
promise of customization and improved measurement is real, 
and progress is encouraging, I believe the medium is still 
maturing, and still only on its way to fulfill on potential.
    Earlier this year, the Federal Trade Commission released 
its staff report on online behavioral advertising, and this 
summer, a coalition of industry trade associations, which 
included the Interactive Advertising Bureau, 4A's and several 
others, and various businesses, they put forward a self-
regulatory framework, to address the issues raised by 
Congressional and regulatory concerns.
    Our companies, like 24/7 Real Media and GroupM, have taken 
an active role in the coalition work, but we haven't stopped 
there. We took up the challenge to produce market models, to 
work out the implementation needs of the proposed self-
regulatory scheme. We established a cross-WPP leadership team 
to develop and test tools, actual tools, which provide enhanced 
notice and greater transparency about online tracking.
    We have sought to collaborate with technology firms and 
others, who would introduce real solutions for implementing the 
full elements of the self-regulatory framework.
    While behavioral advertising is one way to build a more 
customized user experience, there are still many other 
innovations the web enables in this area. Some of them employ 
designs that don't necessarily require tracking behavior or 
activity across multiple sites, whereas others do.
    It is really the vibrancy of the Internet that allows the 
variety of the models that we see today. It is terrific.
    Mr. Boucher. Mr. Pappachen, if you could wrap up. You are 
well over a minute beyond your time now.
    Mr. Pappachen. Traditional and relevant standards, such as 
personally identifiable information and sensitive data 
classifications have certainly helped chart the regulatory 
framework of the online media, and I think have a role to play 
going forward.
    I am of the firm belief that proactive privacy is possible 
in all areas I have discussed, and that it can be accomplished 
within a self-regulatory framework.
    Building trust with consumers is a primary tenet of any 
successful business, and we are committed to contributing to a 
successful formula. I am encouraged by the steps that Members 
of Congress, and particularly those in these two subcommittees 
have taken to explore the topic of consumer data collection and 
use.
    I thank the subcommittee for allowing me this time to put 
forth our position, and I would look forward to staying engaged 
and active in the ongoing conversation.
    [The prepared statement of Mr. Pappachen follows:]
    Mr. Boucher. Thank you, Mr. Pappachen.
    We have two recorded votes pending on the floor of the 
House. We are going to hear from Ms. Barrett, and then, the 
subcommittee will briefly recess, while we respond to those 
votes.
    We will pick up when they are concluded.
    Ms. Barrett.
    Ms. Barrett. Thank you, Chairman Boucher, Ranking Member 
Radanovich.
    Mr. Boucher. And could you pull the microphone very close, 
please? Thank you.

                STATEMENT OF JENNIFER T. BARRETT

    Ms. Barrett. Members of the subcommittee. Thank you for the 
opportunity to share Acxiom's perspective.
    First, let me say we are in strong support of appropriate 
use of consumer information. Protecting privacy has been a 
priority for us for decades. Use of consumer information to 
defraud, discriminate, embarrass, or harass consumers is 
inappropriate, and should be illegal, as it already is in many 
situations.
    However, consumer data make a significant contribution to 
our Nation's economy, growth, and stability. For 40 years, 
Acxiom has been a market leader in responsibly providing 
innovative marketing services and data solutions to help our 
clients deliver better products and services, smarter, faster, 
and with less risk.
    Marketing services are 70 percent of our revenues, and data 
solutions are the remaining 30. Our marketing services are 
specialized computer services that help businesses, nonprofits, 
and political organizations manage and use their customer 
information. Although e-commerce has greatly increased the 
availability of products for consumers, it has also introduced 
new risks that make a trusted relationship more important, and 
more difficult.
    We help clients accurately identify a particular individual 
and integrate their information across multiple lines of 
business and varied points of contact. Our email and mobile 
message delivery services help our clients respect consumer 
preferences while complying with various laws like CAN-SPAM.
    Our data solutions, on the other hand, provide marketing 
intelligence and support for identity and risk management 
decisions. We deliver actionable information not readily 
available to our clients, to help fill an important gap between 
knowing what their customers bought and knowing what they like, 
how they spend their time, and how they feel about certain 
issues.
    Untargeted interactive communications are the junk mail of 
the digital age, yet this advertising has funded much of what 
consumers enjoy most about this interactive experience. 
Consequently, the real winner in the appropriate use of 
consumer information is the consumer. In the offline world, 
Acxiom operates in a fully personally identifiable realm, but 
in the online world, until the consumer chooses to identify 
themselves to a Web site or an interactive device, in Acxiom's 
solutions, the consumer remains anonymous.
    We obtain the data we bring to market from several hundred 
carefully chosen sources. It falls into three general 
categories. Public records and publicly available data provide 
names, contact information, and some demographic information, 
that come from public directories and other state and local 
registries. Responses to surveys and questionnaires provide 
additional demographic, lifestyle, and interest data. Finally, 
Acxiom acquires some data directly from consumer-facing 
organizations.
    For marketing purposes, consumers are given notice and 
choice about their data being shared with parties like Acxiom. 
We use only very general summary data, that would indicate 
certain lifestyles or interests.
    For our identity and risk solutions, the focus is on 
identifying data, which in some instances, actually comes from 
heavily regulated industries. It is important to note that 
Acxiom does not collect online browsing or search activities on 
consumers.
    We have a culture of respecting consumer privacy. Our own 
guidelines are more restrictive than laws or industry 
standards. We offer an opt-out from any or all of our marketing 
solutions, and access and correction in our identity and risk 
solutions.
    Before I close, I want to clear up two common 
misconceptions. First, Acxiom does not have one big database 
that contains detailed information about everybody. Instead, we 
have many databases designed to meet very specific needs of our 
clients. Second, no marketing information we provide to clients 
can be used for decisions of credit, insurance underwriting, or 
employment.
    The environment in which data is collected and our clients 
communicate with their customers has changed a lot in our 40 
years. Online is no longer separate and distinct from the 
offline, mobile, or interactive TV world. Also, privacy is a 
very contextual issue, and varies by application, while 
different individuals feel very differently about it.
    The committee's greatest challenge is to identify where 
practices should be regulated by laws, versus what should be 
covered by interim self-regulation or best practice. 
Complicating your task is anticipating what changes technology 
might alter, either in the benefits or the risks.
    Similar analysis is taking place across the world, but at 
present, no one can claim to have developed a truly workable 
approach. While the committee considers additional regulation, 
we should be clear about the extent of harm, or market failure 
it believes has occurred, and look for the least restrictive 
alternative. Informational hearings help inform all parties 
where policymakers' concerns lie, and where industry needs more 
proactive initiatives. However, if privacy laws overreach, 
everyone suffers, including our economy.
    Mr. Chairman, we thank you for the opportunity to be here 
today, and are available to answer any other questions.
    [The prepared statement of Ms. Barrett follows:]
    Mr. Boucher. Thank you very much, Ms. Barrett. We are going 
to stand in recess for what will approximately be a half-hour. 
It may be a bit shorter than that, depending on how quickly the 
vote goes.
    So, stay close, don't venture far, and as soon as we 
return, we will pick up our hearing.
    [Whereupon, at 1:23 p.m., the subcommittee recessed, to 
reconvene at 1:58 p.m.]
    Mr. Boucher. The committee will reconvene, and thank you 
for your patience during our absence.
    We continue, with testimony from our expert panel this 
afternoon, and we are pleased to hear from Ms. Strickland.

                  STATEMENT OF ZOE STRICKLAND

    Ms. Strickland. Good afternoon. Thank you, Chairman Rush. 
And thank you for inviting Wal-Mart to participate in today's 
hearing on online and offline privacy.
    My name is Zoe Strickland, and I am Wal-Mart's Chief 
Privacy Officer. For us, good privacy is good business. As the 
largest retailer and private employer in the U.S., with 
approximately 140 million customers shopping in our U.S. stores 
every week, Wal-Mart considers an array of privacy issues on a 
daily basis.
    Unlike companies that interact with customers or other 
businesses primarily online, Wal-Mart approaches privacy from a 
very broad perspective. Wal-Mart operations cover almost every 
conceivable privacy topic, channel, and geographical region.
    Given the depth and breadth of Wal-Mart's understanding of 
consumer privacy issues, we appreciate the committee including 
Wal-Mart in today's discussion, and would encourage you to 
engage other similarly situated companies. It is imperative 
that as privacy rules are developed, legislators take the time 
to fully understand the impact to consumers that have both 
online and offline relationships with companies.
    Wal-Mart supports a principle-based approach to privacy, 
rather than a focus on one particular technology or activity. 
As an example of a principle-based approach, this summer, we 
updated our customer privacy policy for Wal-Mart operations. 
The updated policy is based on the Fair Information Practice 
Principles, as well as industry standards and global 
guidelines.
    Our goal was to make it transparent, meet best practices, 
and to be integrated across all business units. To further 
increase transparency, we included a summary notice that links 
through to the detailed policy. The new privacy policy provides 
customers more control over their data. Some examples are 
creating a preference center that allows customers to tell us 
directly their preferences regarding direct marketing and data 
sharing for marketing purposes, establishing a stricter 
standard for data uses customers typically consider more 
sensitive, Wal-Mart uses opt-in for telemarketing and data 
sharing, providing additional or enhanced opt-out mechanisms, 
such as for email ratings and online behavioral advertising, 
giving customers greater access to their own information, and 
finally, providing more options to submit questions and 
concerns.
    This initiative gave us further insight into how to focus 
on underlying privacy principles, and then, to operationalize 
them. With regard to online behavioral advertising, Wal-Mart 
provides clear notices and opt-outs, consistent with the FTC 
self-regulatory principles, as well as industry best practices.
    Equally important, in our view, we integrated our approach 
into our larger view of privacy in both the online and offline 
worlds. When and how is it appropriate to give notice? When and 
how should consumer choice be offered?
    We do believe notice and choice are still central privacy 
protections, even if further protections are warranted. We 
think our experiences with the use of electronic product code 
technology, EPC, is a useful example that demonstrates how a 
broader, principle-based approach is appropriate and needed.
    At the simplest level, EPC is a next generation barcode. 
Currently, EPC is primarily used to track certain cases and 
pallets in the supply chain. When EPC may be offered on 
individual products on the sales floor, future, potential 
customer benefits are real and direct. Examples include 
receipt-less returns, product authenticity, traceability, and 
food and product safety.
    Even though EPC tags in retail contain no personal data, we 
are building in privacy protections. As a cornerstone of EPC 
development, Wal-Mart is designing its use to enable choice. 
EPC tags will be easily removable from the product or its 
packaging, such as by placing it on the price tag. If EPC tags 
used by the retail industry are ever embedded, we will offer a 
mechanism to disable the tag. We believe that choice is 
absolutely the right model for this technology.
    Some, perhaps most consumers will appreciate its benefits. 
Some will not, but ultimately, consumers should be able to 
choose which they prefer.
    A challenge, of course, is how to provide appropriate 
notice. This covers both how consumers know this technology is 
in operation, and also know what this technology actually 
means. A variety of methods and channels are possible, 
including notices on products themselves, notices on or in 
facilities, and Web site information. You could see how a 
debate that focuses solely on notices provided on Web sites, 
like pop-ups, would miss the boat for this technology.
    In conclusion, Wal-Mart interacts with consumers 
frequently, and in every conceivable way. A uniform, or at 
least consistent privacy framework, that includes standards 
such as consumer choice is effective for both consumers and 
businesses.
    A privacy regime based on a set of core principles will be 
sufficiently flexible to be applied in multiple contexts. 
Consumers deserve to know what to expect with regard to how 
their information is being collected and used, where they may 
obtain further details if they desire, and how they can make 
appropriate choices regarding the use of their data or 
technology.
    Thank you again for the opportunity to testify today. We 
look forward to continuing to work with you, and I am glad to 
answer any questions.
    [The prepared statement of Ms. Strickland follows:]
    Mr. Boucher. Thank you very much, Ms. Strickland. Ms. 
Bougie.

                  STATEMENT OF MICHELLE BOUGIE

    Ms. Bougie. Thank you, Mr. Chairman and members of the 
subcommittees. My name is Michelle Bougie, and I am the Senior 
Internet Marketing Manager of Learning Resources, Incorporated, 
of Vernon Hills, Illinois, a small business manufacturer and 
distributor of classroom materials and educational toys.
    We sell both business to business and business to consumer, 
maintaining an extensive Web site and e-commerce store, as well 
as undertaking an active direct mail program for schools, 
teachers, and consumers.
    In our business, the protection of consumer information is 
paramount. We have long maintained a detailed privacy policy, 
which is posted prominently on our Web site. Our commitment to 
the protection of consumer privacy is voluntary, but it is also 
required in the marketplace. Self-regulation by industry and 
market standards works effectively, and I urge you to be 
cautious in regulating the use of consumer data to avoid 
unintended consequences, that might put small businesses at a 
permanent market disadvantage, by preventing us from using 
technology to grow and expand.
    In the last 12 years, I have worked with literally dozens 
of companies in various capacities relating to the use of 
consumer data. In my experience, industry voluntary privacy 
standards have been universally adopted and are a regular 
element of any commercial transaction, online or offline. 
Privacy is a routine and fundamental part of good business 
practices involving the sharing and use of consumer data today.
    Industry voluntary privacy standards were developed to meet 
consumer expectations, and to match best practices from 
traditional direct mail. Companies who do not participate in 
self-regulatory practices, such as protecting consumers' 
financial information, or fail to follow opt-out instructions, 
are blacklisted by consumers.
    As we all come to understand, the consumer is now more 
powerful online. Consumers use the power of social media to 
warn others about Web sites that offend or use bad practices. 
Consumers will, likewise, use the same tools to promote 
businesses that use best practices.
    It is important to recognize the collection and use of 
consumer data is essential to improving the consumer experience 
online. Cookies and other tracking means were developed to make 
it possible to make targeted product and service offers that 
match consumer needs. This sophisticated information gathering 
process has created a $300 billion industry and 1.2 million 
jobs. We must be careful not to endanger this major source of 
jobs and enhanced consumer choice.
    Consumers can control the collection of consumer data in 
many important ways. Many companies like ours offer the right 
to opt out for consumers, and choose to not participate in our 
marketing activities.
    Opt-out options are far superior to opt-in options, both 
from the standpoint of businesses and consumers. Businesses 
prefer opt-outs, because they believe that few consumers will 
ever opt-in, as fear alone discourages most people from opting 
in. Consumers have already experienced an online world filled 
with opt-ins. The early days of the Internet featured 
cautious approaches by Web sites with many opt-in choices. 
Consumers were prompted to accept Web site terms before 
entering, a practice that turned off many consumers at the 
early online experience, moved at a glacial pace, slowing the 
online purchase process for customers, and lowering revenues 
for businesses.
    Consumers have ways to control the collection of data. 
Internet browser software can notify consumers of cookies, 
ActiveX controls, or other means of data collection. In order 
to maximize the speed and pleasure of their online experiences, 
many consumers turn off these warnings.
    Again, consumers and businesses are making these privacy 
options and choices without the need for federal regulation. We 
believe that regulation of consumer data may sharply curtail 
our ability to grow, both online and offline. Small businesses 
don't generate enough leads to keep customer lists fresh and 
growing. We must have access to market data to find new 
customers.
    Likewise, consumers need us to promote our products and 
services, because without this marketing, small businesses are 
just too hard to find.
    If our ability to collect and use this data is curtailed, 
we are vulnerable to large businesses gaining an effective 
monopoly on consumer identities and preferences. Large 
businesses, with high web traffic, or many storefronts, have 
the means to generate and use consumer data for prospecting, to 
remain dominant. Small businesses will lose this game every 
time.
    I urge you to be cautious and to carefully avoid unintended 
consequences. The Internet is a huge job creator, and one of 
the great drivers of today's complex and rapidly evolving 
economy.
    A one size fits all solution is very dangerous in an 
economy of this complexity. We believe the new legislation 
should take a crawl, walk, run approach, focusing on the most 
sensitive data, such as financial information or healthcare 
data, and relying on opt-out mandates for routine commerce. By 
taking such a prudent approach, Congress can ensure that small 
businesses do not find themselves in a permanent federally 
mandated market disadvantage.
    Thank you for considering my views on this subject. I am 
happy to answer any questions.
    [The prepared statement of Ms. Bougie follows:]
    Mr. Boucher. Thank you very much, Ms. Bougie.
    Ms. Bougie. Thank you.
    Mr. Boucher. Ms. Dixon.

                     STATEMENT OF PAM DIXON

    Ms. Dixon. Thank you. I would like to thank the chairmen 
for inviting me here today. I am Pam Dixon. I am Executive 
Director of the World Privacy Forum.
    We are a nonprofit, public interest research group, based 
in California. We focus on in-depth research of privacy issues.
    The online and offline collection of information from 
consumers matters, because it impacts our lives, whether we 
know it or not. In the past, consumers have been told, you 
better watch out, because you have got to act a certain way, 
because something might go in your permanent record. We heard 
this in school, when we were young. But today, because of the 
large commercial databases, and those activities related to 
those commercial databases, we have a new kind of permanent 
record. I call this the modern permanent record.
    This is a permanent record compiled from rich online and 
offline resources, and it can be used to deny or offer 
benefits, services, and goods and information to consumers.
    What I would like to do is talk about how these commercial 
databases can be used to create a very detailed picture of a 
consumer, and what that picture can do to a consumer's life. 
And to do that, I would like to walk you through how the modern 
permanent record is created and used.
    So, first, one source for the modern permanent record is 
marketing lists and databases. These are typically sourced from 
highly identifiable data. We are not talking about pseudonymous 
data residing on a hard drive somewhere. We are really talking 
about data where someone knows your name.
    If you can look at the monitor, you will see a list of 20 
million consumers. This is an ailments list, and it is a data 
card that is being sold on consumers. It lists detailed 
demographic information, and it also lists the various diseases 
that they have. This list is an unregulated list. It is outside 
of HIPAA, because these people gave their information up in 
some way or another, sometimes with more knowledge than 
another.
    In the next list, you will see it is a list of mental 
health sufferers. This is a list of 3 million consumers who 
landed on a telemarketing list, or a list like this, and it 
talks about 2 million with anger, antisocial diseases, ADD, 
ADHD, autism, bipolar, and so forth. And the company says these 
people, marketing to them is, they are extremely receptive to 
any campaign, because they suffer from various mental problems.
    And the real impact of these kinds of lists, that are so 
unregulated, is being seen already today. It is not 
theoretical. So, for example, one 91-year-old elderly vet was 
profiled in the New York Times. He landed on one such list, and 
what happened is he filled out a sweepstakes form, and he 
landed on a telemarketing list. It was sold, and as a result of 
bad actors purchasing the list, he was bilked of his life 
savings. And this gentleman, once he was on the list, he had no 
effective rights to remove himself from the list, or mitigate 
those issues.
    Another way that the modern permanent record is created is 
through what I call non-Fair Credit Reporting Act databases, or 
noncredit databases. These are databases that have rich scores 
of information in them. However, they may, even if they have 
identical information to what could be contained in a database 
subject to the FCRA, they are not subject to the FCRA, because 
they are used for different purposes.
    An example of this is the Badcustomers database, and we 
have a screenshot of that Web site. That Web site says: ``Are 
your purchasing transactions being denied? Find out if you have 
been blacklisted before it is too late.'' This database has 6 
million consumers on it right now, and it has only been in 
existence for about a month. And the way consumers land on this 
database is that they dispute charges to their credit account.
    Now, if that sounds familiar, it is because identity theft 
victims must dispute charges on their credit cards to move 
forward with their lives. So, these are the kinds of databases 
where yes, you disputed a charge, but what does that actually 
mean? Was it because you were a victim of fraud, or because you 
were a bad actor? This is a very difficult thing.
    The third way that the modern permanent record is compiled 
and created is through a newer type of database, behavioral and 
transactional databases. These are the databases that put the 
3-D into the consumer. They provide the real detailed picture 
of the consumer, and put flesh on the bones of the consumers.
    An example of this is eye gaze tracking cameras in retail 
stores. These cameras are not visible to consumers. What they 
do is they track, basically, the number of consumers that have 
walked by certain points in the store. They also identify what 
the consumer is looking at, and for how long. But what has 
happened, at least in the past year, is that this type of 
technology has been also combined with facial recognition 
technology. So, what happens is that the consumer walking down 
the store, who is being captured by the eye gaze tracking 
camera is also recognized and then marketed to.
    Now, that is a practice that is in use today. Everything 
that I have told you is in use today, and it is not 
theoretical. So, the question this committee has to face is, is 
it worth the risk involved to consumers, when you have these 
large, aggregated pictures of consumers that can define their 
lives. Is it worth that risk to leave them unregulated?
    And I would argue that the modern permanent record, unless 
there are substantive rules of the road that govern how the 
modern permanent record is used, that will really be creating a 
situation where there is going to be car accidents and pileups.
    As consumers become more aware of the threat of how a 
modern permanent record can potentially be used in their lives, 
I think we really enter a situation where it can chill 
commerce, and really chill people's lives and inhibit them.
    A good example of this can be found through Cox 
Communications. They offer a digital telephone service. That 
digital telephone service is then subject to detailed analysis, 
and what it does is it analyzes the phone numbers that you 
call and who calls you. Well, there is nothing 
wrong with that, but what if you have a family member who is a 
deadbeat? What if you have a friend who is a deadbeat? What 
inference is drawn on you based on those phone calls?
    So, what does that do to your permanent record, your modern 
permanent record, and that is really the question that we need 
to look at, and we need to answer, in terms of policy creation.
    Thank you for your time, and I look forward to any of your 
questions.
    [The prepared statement of Ms. Dixon follows:]
    Mr. Boucher. Well, thank you very much, Ms. Dixon, and the 
committee's thanks to all of our witnesses for your informative 
testimony today.
    I am going to ask a brief question, and I would appreciate 
a brief answer. And I will ask each of you just to respond to 
this in perhaps 15 seconds or less.
    Assuming that we adopt a set of new privacy protections, 
should we apply those both with regard to online and offline 
transactions? Ms. Dixon.
    Ms. Dixon. Yes, I believe you should, because the offline 
collection of data is highly identifiable, and it can include 
biometric information, name, health information, and other 
information that is entirely unregulated.
    Mr. Boucher. Thank you. Ms. Bougie.
    Ms. Bougie. I would say it can't be a one size fits all. 
Online information is different in many cases than offline, and 
so, I would recommend that we just be very cautious, because in 
the case of the small business, it would really restrict our 
ability ultimately to prospect with web searches and things 
like that.
    Mr. Boucher. So, you are not saying apply it online only, 
you are just saying be careful about how you apply it to both.
    Ms. Bougie. Be very careful, because again, the unintended 
consequences of what----
    Mr. Boucher. I understand.
    Ms. Bougie. --would happen.
    Mr. Boucher. All right. Thank you. Ms. Strickland.
    Ms. Strickland. Yes. Wal-Mart does favor a principle-based 
approach that doesn't focus on one particular technology, and I 
think it is very hard to draw a line that clearly separates 
online from offline.
    A lot of services now are both online and offline, so I 
think a broader view is needed.
    Mr. Boucher. OK. Ms. Barrett.
    Ms. Barrett. Yes, Chairman. I think the----
    Mr. Boucher. Microphone, please.
    Ms. Barrett. Can you hear me now?
    Mr. Boucher. Yes.
    Ms. Barrett. OK. Yes, we think it should be not limited to 
online, but a broader perspective, but I would echo my 
colleagues' remarks about some of the nuances regarding what is 
practical to do in an online world, and what is not practical, 
or might need to be dealt with differently in an offline world.
    Mr. Boucher. All right. Thank you. Mr. Pappachen.
    Mr. Pappachen. I would agree with the tenor of the comments 
so far, that convergence, as we have seen, would dictate that 
we have a broader application. The nuances of the 
application should be carefully observed, but a broader 
application is correct.
    Mr. Boucher. OK. Mr. Hoofnagle.
    Mr. Hoofnagle. I think the answer is, it depends. Offline 
data collection is a little different, and----
    Mr. Boucher. Microphone closer, please.
    Mr. Hoofnagle. My answer would be, it depends. It depends 
on the substantive protections built into the bill, and whether 
they are appropriate in the offline context.
    Mr. Boucher. All right. Mr. Hoofnagle, let me pose my 
second question to you.
    You have performed, and we are aware of your study, that as 
I understand it, finds that two-thirds of the American public 
does not favor the receipt by them of tailored advertising. And 
given the benefits of tailored advertising that many on our 
panel have stressed here today, what do you think we might be 
able to do, that could change that number, and persuade more 
people that not only is it not harmful, but perhaps even 
beneficial to the receipt of that advertising to receive it?
    Mr. Hoofnagle. That is a great question, Mr. Chairman.
    Mr. Boucher. And pull the microphone closer, please.
    Mr. Hoofnagle. We were surprised by the answer that so many 
Americans say that they principally reject tailored advertising, 
and troubled by that result, because it is clear that tailored 
advertising does have advantages for consumers and for 
businesses.
    But we think also that consumers might have a lot of 
anxiety around information collection. They might not want 
information collection in one context to follow them into 
another. So, for instance, the targeted ads that you get at 
home when you are using the Internet for personal purposes 
might, consumers might not want that to bleed over to how they 
use the computer in the workspace.
    I think that if there is greater transparency and rules 
around data collection, it might change that number, and more 
people might----
    Mr. Boucher. So, let me just cite an example. Let us 
suppose that we adopt a law that says that any entity that 
collects information from a customer, whether that collection be 
online or offline, provide to the customer a thorough 
description of what information is collected, a thorough 
description of how that information is used, and then provide 
an ability, through a series of opt-in and opt-out 
arrangements, depending on what the information is, and how it 
is used, for that customer to be able to control the use, or 
perhaps control the collection of the information itself.
    If we provide that set of consumer guarantees, what do you 
think that might do to persuade more people that having 
information collected for the purpose of tailored advertising 
is, perhaps, advantageous to them, or at a minimum, have them 
be willing to acquiesce in it?
    Mr. Hoofnagle. That is an interesting approach. I would 
point out that our survey shows that people already assume that 
there are opt-in standards in place. Americans assume that they 
have a right of confidentiality in the marketplace.
    Mr. Boucher. So, they are making that assumption, even when 
two-thirds of them say they don't want the tailored 
advertising.
    Mr. Hoofnagle. That is right, and they are----
    Mr. Boucher. And if they knew the truth, that they really 
didn't have even the measure of control they think they do, 
that two-thirds number might even be higher is what you are 
saying.
    Mr. Hoofnagle. I think that consumers have a lot of anxiety 
in this area, and that might be one of the reasons why they are 
expressing that level of objection.
    My collaborator and I, Joseph Turow at the University of 
Pennsylvania, argued that notice and opt-out might not be the 
most optimal approach, because consumers do not read privacy 
notices. They already assume that protections are in place. 
Opt-out, too, can be problematic. We argued that policymakers----
    Mr. Boucher. You mean opt-in can be problematic?
    Mr. Hoofnagle. Opt-in can be manipulated as well, and in 
fact, we explicitly said that the right answer is not just to 
go to opt-in. We discussed the idea of there being mandatory 
retention ceilings, so that information would have to be 
deleted after a certain amount of time.
    Mr. Boucher. After a certain period of time.
    Mr. Hoofnagle. And that would allow targeted advertising, 
but it wouldn't allow kind of a permanent profile.
    Mr. Boucher. Let us suppose, just for the sake of this 
question, that we do those things, and that we have retention 
limits, full disclosure, a set of opt-in and opt-out 
opportunities to control what happens, do you think that 
instills a greater amount of confidence in the American public 
that the online experience is secure, and to the extent that 
they are engaging in offline transactions, that they have more 
control over their privacy?
    Mr. Hoofnagle. I think it would. It would----
    Mr. Boucher. Do you think it might enhance commerce, if we 
did such a thing?
    Mr. Hoofnagle. Yes, sir. I think it would be----
    Mr. Boucher. All right. My time has expired.
    Mr. Hoofnagle. OK.
    Mr. Boucher. Thank you for your answers. Those are very 
helpful. Mr. Radanovich.
    Mr. Radanovich. Thank you, Mr. Boucher. And appreciate the 
panel of witnesses. Earlier, in my opening testimony, I talked 
about, there was one point that, you know, people, about the 
delivery of a catalog to your doorstep, and I expounded on a 
little bit extemporaneously, because I remember in the past, 
where the holidays would come around, or an event would happen 
in my family, and all of a sudden, you don't have one magazine 
or a catalog, you have got 10 or 15. Incredibly frustrating.
    And what was more frustrating was the hassle it was to get 
these people to shut it down, if that is, because I didn't want 
them, and it just didn't--and I know that my following question 
will not speak to the issue of the collecting of private data, 
but it does speak to the issue of a person's ability to control 
what happens in their home.
    And so, I want to ask each member of the panel. You know, I 
don't want to interrupt free commerce and trade, and as long as 
the boundaries are proper, I think it is good. But I am all 
for, in a number of ways, making sure that a family's home, to 
be politically correct, is its castle, and that the people in 
their homes have as much ability to control what drops on their 
doorstep, what pops up on their video, you know, their computer 
screen and such.
    Can you, is there anybody that can explain to me ways that 
the industry could look to provide people with, really, a lot 
of ease in their households, to be able to shut this stuff down 
if they want to? I mean, I have got to think, if I was the 
father of a new child, I may or may not appreciate the fact 
that I got a hundred catalogs in there, on how to buy a baby 
crib, and want to shut it down. But if I shut it down, I might 
think oh, gosh, maybe I do want that information. I would like 
to see that control in the home.
    Has anybody given any thought to how you can shut that 
down, or ways to make it easier to do that? And I will just 
open it up to the panel.
    Ms. Barrett, if you would.
    Ms. Barrett. Yes. I would point to the new self-regulatory 
guidelines that the Direct Marketing Association put into place 
last year, where you can go to their Web site, and you can opt 
out from all marketing communications, or you can pick certain 
companies that you can, even if you have a customer 
relationship with that company, and say I don't want to receive 
marketing communications from you.
    I think this is a big step in the right direction, and one 
that is probably not as well known as it ought to be.
    Mr. Radanovich. And it is not as well known as it ought to 
be, if I heard that right.
    Ms. Barrett. Correct.
    Mr. Radanovich. Correct. Yes. Ms. Dixon.
    Ms. Dixon. Thank you very much. The self-regulatory 
approach has merit. The problem is, is that it is just the good 
companies that are following the rules that typically join the 
self-regulatory efforts. And they are always the ones who, you 
know, you call and they stop sending the catalogs.
    It is the bad actors, and that is why I think that a 
broader approach could be very useful in really curtailing 
this.
    Mr. Radanovich. A more regulatory approach.
    Ms. Dixon. That is correct.
    Mr. Radanovich. Yes.
    Ms. Dixon. And I think that one of the things to look at is 
looking at some data rights that are not identical to the Fair 
Credit Reporting Act, because it would be extraordinarily 
complex to do, but look at that, and saying what can we learn 
from that statute and apply to this area? Is there a way that 
consumers could have a regular, you know, standardized way of 
finding out what lists they are on, and seeing that 
information, making sure it is accurate, seeing that it is not 
retained for the duration of their lives, and so on and so 
forth.
    I think that that approach would require a lot of 
discussion and very serious thought, but has merit.
    Mr. Radanovich. OK. Thank you. Ms. Bougie, I wanted to ask 
you a couple of questions. In your testimony, you mentioned the 
one size fits all approach to this whole thing. Do you have any 
suggestions on what appropriate regulation might be, then, if 
it is not one size fits all?
    Ms. Bougie. Well, our concern for the one size fits all 
approach is that the business concerns of small business are, 
excuse me, sorry.
    Mr. Radanovich. There you go.
    Ms. Bougie. Our concern with the one size fits all approach 
is that business concerns of a small business are vastly 
different from those of a large corporation. So, this narrow 
view would restrict us, with very few options.
    The online options help, because it helps level the playing 
field. And if regulations restrict online behavior as an 
advertising option, or the ability to prospect or gain email 
addresses, we will be left basically, our list will slowly, 
slowly go away.
    Mr. Radanovich. Right.
    Ms. Bougie. But I believe by allowing voluntary privacy 
standards with marketing data to continue, and we focus on the 
regulations of financial and medical, that it is going to be 
more advantageous for small business, and allow technology to 
prosper as it should.
    Mr. Radanovich. OK. Ms. Strickland.
    Ms. Strickland. Thank you very much. I also would like to 
echo her remarks about the one size fits all, and I think that 
is true, not just for small companies and large companies, but 
this debate we are having about online and offline as well. So, 
as we think about what appropriate notice is, that will be 
different on a Web site than, as you might imagine, in a store. 
You are not going to have the ability to have the depth and 
level of information in a store notice, necessarily.
    So, as we think about how do we do a principle-based 
approach, how do we make it flexible enough that it will work 
in a variety of contexts, a variety of technology, and a 
variety of companies.
    Mr. Radanovich. All right. Thank you.
    Mr. Pappachen. I would just add that, two things. One 
thing, consumer expectation with regard to medium should play a 
role when you are looking at the issue of notice and/or 
consent. The second thing is, I think businesses, who are in 
business because they are effective at communicating certain 
messages to consumers towards the ends that they want, should 
be involved in the process, towards the ends that we are 
looking at here.
    Mr. Radanovich. All right. Thank you very much. Thank you. 
Thank you, Mr. Chair.
    Mr. Boucher. Thank you, George. Mike?
    Mr. Doyle. [Presiding] Ms. Barrett, I understand your 
company, Acxiom, has roughly 1,500 pieces of data on every 
American. So, I am a male, I live in Pittsburgh, I am 56 years 
old. That is three data points, three pieces of information 
about me. That means there is roughly 1,497 data points left.
    So, just between you and me, what else do you know about 
me?
    Ms. Barrett. Good question, and I appreciate your asking 
it. When we talk about 1,500 potential data points, what we are 
referring to is the different possibilities of information we 
might have about an individual.
    And to give you an example, we have over 600 different 
lifestyle and interest categories. No one has all 600 
variables. I happen to like to bicycle and cook and read, so 
that is 3 out of 600 for me.
    Mr. Doyle. So, that is all part of the 1,500.
    Ms. Barrett. So, that is all part of the 1,500.
    Mr. Doyle. OK.
    Ms. Barrett. So, I would say an average person may have 20 
or 30 or 40.
    Mr. Doyle. Let me ask you some more questions, and they are 
just simple yes or no answers. So, could you send me a 
statement with everything you know about me?
    Ms. Barrett. We offer access to the data. We have two kinds 
of data. We have data that we use for marketing, and data we 
use for identity management and risk decisions. And the answer 
to your question is yes, for the data in the risk decision 
category, and we will send you a summary of the data in the 
marketing category.
    Mr. Doyle. So, could I log onto your Web site and see what 
others know about me, and what you sell to other people about 
me?
    Ms. Barrett. No, we do not.
    Mr. Doyle. No, that is fine. No is fine. Can I log onto 
your Web site, or can you send me a letter telling me who you 
sold my information to?
    Ms. Barrett. I am sorry, who sold?
    Mr. Doyle. Who you sold my information to? Could you tell 
me who you sold my information to?
    Ms. Barrett. We do track all of the sales that we make.
    Mr. Doyle. But could you give me that information? If I 
wanted to know who you sold my information to.
    Ms. Barrett. We do not provide that information to 
consumers.
    Mr. Doyle. Thank you. Can I choose to delete certain 
information that you have about me if something is old or out 
of date, or doesn't apply to me anymore?
    Ms. Barrett. Yes.
    Mr. Doyle. And how would that process work? How would I go 
in there and do that?
    Ms. Barrett. You would contact us, and ask if it is the 
marketing data, you would ask for the data to be deleted, and 
actually, we will remove the entire record, if you wish. On the 
risk side of the house, you can do it element by element, and 
pick and choose the elements that you wish to have corrected.
    Mr. Doyle. Very good. So, I can be completely removed from 
your database if I want, every trace about me gone, if I just 
call you and say I want everything you have about me erased. I 
can do that?
    Ms. Barrett. You can do that for our marketing products. We 
do not allow you to erase or remove all the data from our risk 
products. Those are the ones, and identity management products. 
Those are the products that catch the bad guys, and we don't 
let the bad guys opt out of that data.
    Mr. Doyle. So, tell me, I am curious. Where do you get all 
the information you have about me? Where does it all come from? 
Where do you get it from?
    Ms. Barrett. It comes from three primary sources. The first 
is public records and publicly available information. The 
second is surveys that consumers fill out, and volunteer 
information about their interests and life.
    Mr. Doyle. Like warranty cards?
    Ms. Barrett. Warranty cards is just one small part. And the 
third category is information from companies that have a 
relationship with you, and have given you notice and choice 
about the fact that your data may be shared with another party, 
a third party like Acxiom.
    Mr. Doyle. So, do you sell medical or other sensitive 
information that is attached to personally identifiable 
information? Do you sell that?
    Ms. Barrett. We do not sell what we call sensitive 
information in any of our marketing products. Medical data, 
unless it is self-reported by the consumer, we would have no, 
personal health information is regulated by HIPAA in any of our 
marketing products.
    Mr. Doyle. What is the minimum information you need to 
identify someone? How many data points do you need to identify 
someone?
    Ms. Barrett. A name and address would be the baseline.
    Mr. Doyle. So, with two data points, you can pretty much 
identify anyone?
    Ms. Barrett. Well, we can, it depends on what we are using 
that information for. If we are using it for marketing, that 
may be sufficient to say we don't want to market to this person 
or we do.
    If we are actually using data for an identity application, 
we would need more data points----
    Mr. Doyle. I see.
    Ms. Barrett. --to verify that you are who you really claim 
to be.
    Mr. Doyle. Tell me, do you audit the companies that buy the 
information from you? I mean, do you make sure they lock it up 
properly, that they use it for what they say they want to use 
it for?
    Ms. Barrett. For any company that buys any kind of 
sensitive data from us, we do both an onsite inspection, and an 
audit of their practices, to make sure that they are going to 
treat that information responsibly. For data, for companies 
that buy non-sensitive information from us, we go through a 
credentialing process, which makes us comfortable that that 
company is a legitimate entity, and that they will respect the 
terms of our contract, and keep the information confidential.
    Mr. Doyle. And our committee has had several hearings about 
data security and online security. Have you had any security 
breaches?
    Ms. Barrett. We had an incident back in 2003, where one of 
our external servers was hacked. And we used it to transport 
information back and forth between our clients. But 
fortunately, we had had a policy on that server that any 
sensitive information needed to be encrypted, and so, no 
consumers were put at risk as a result of that incident.
    Mr. Doyle. How would you inform a consumer whose 
information had been compromised? What would your procedure be?
    Ms. Barrett. Well, it would----
    Mr. Doyle. Or do you do it?
    Ms. Barrett. Well, it would depend on whose data the 
information was. If it was Acxiom's data, because we have both 
our own data products that we sell in the marketplace, and we 
also provide computer services for clients, who are hosting and 
housing their data on our computers. If it was Acxiom's data, 
we would be responsible for the notification. If it was 
client's data, we would work with that client, to make sure the 
consumers were notified.
    Mr. Doyle. Thank you. Just one final question, for Mr. 
Dixon and, I am sorry, Ms. Dixon and Mr. Hoofnagle. It is clear 
that vast amounts of personal information about individual 
consumers are collected, aggregated, analyzed, and sold for a 
variety of commercial purposes.
    In response, some people say so what. If a person likes to 
ski, but is mistakenly identified in the database as an angler, 
and received offers or coupons for fishing equipment, what is 
the harm? Ms. Barrett recommended, in her written testimony, 
that before we engage in additional regulation, we should 
articulate the extent of the harm.
    So, I want to ask Ms. Dixon and Mr. Hoofnagle, can you 
please answer that question? Where is the harm to the 
consumers? And also, I want to give you a chance to maybe just 
react to my line of questioning to Ms. Barrett, and whether you 
have any thoughts on that. If you think this is what Americans 
expect, and what kind of rules of the road do you think we 
should put in place?
    Mr. Stearns. That is a lot of questions.
    Mr. Doyle. I know, and I am going to get to you, Cliff, and 
be mighty generous with your time. Go ahead.
    Ms. Dixon. Thank you for your question.
    A couple of thoughts. First, I want to talk about the harm, 
and then, I would like to respond to the line of questioning.
    Mr. Doyle. Yes.
    Ms. Dixon. Your question. The one thing is that is quite 
clear is that the companies, when they discuss these issues, 
you will hear companies talk about the benefits of having this 
information available. And there is no question that there are 
benefits. I don't think anyone is arguing about the benefits. 
We know there are benefits.
    The problem is, is that there are, indeed, also harms. So, 
for example, it is the shadow side of all of this. The same 
information, we saw it on badcustomers.com database, the same 
information that is used to target advertising is also used to 
deny transactions of consumers who have done, disputed charges.
    So, you have the same information being used for completely 
different purposes. Once the information is compiled, you 
really lose the ability to determine how that information will 
be used, and in all the contexts that it will be used, unless 
it is covered under the Fair Credit Reporting Act. But what we 
have been talking about here today are all non-FCRA uses of the 
data, and also, all non-HIPAA uses of the data. So, it is 
really outside of regulation.
    The second thing would be inaccuracies, outdated 
information, and again, incorrect inferences. I think that when 
you have these very clear pictures of consumers, you really do 
get locked into a bit of a pictorial box. Here is what consumer 
X or Y looks like. Here is how we are going to treat this 
consumer.
    We are familiar with the situation where people were not 
allowed to vote because they landed in certain databases. Some 
of this information was incorrect. So, we are talking about 
substantive rights that can be impacted here. So, it is the 
picture of the consumer. Is this the right picture? If it is 
not, how do we correct that?
    Mr. Doyle. I am so far over my time. I am just going to ask 
Mr., for a quick response, and then we will get to the next 
witness.
    Mr. Hoofnagle. I will be quick. I would turn the harm 
question around, and say, and ask retailers questions like why 
are they trying to re-identify consumers without telling them 
about it?
    So, I detailed in my testimony the example of one company 
that will ask for your zip code at the register. If you give 
your zip code, they will combine it with your name from a 
credit card swipe, and then, they will go out and get your home 
address. Why not just ask the consumer can we have your home 
address? The fact that so much of this data collection occurs 
in secrecy, I think is, speaks to the harm issue.
    Mr. Doyle. Thank you very much. My time has long since 
expired, and I am going to yield now to my good friend from 
Florida, Mr. Stearns.
    Mr. Stearns. I thank you, Mr. Chairman. I just compliment 
you on your rapid fire questions. You got a lot of questions in 
there, and I am impressed.
    I went to Drudge and I deleted all my cookies, and so, I 
came back the next day to go on Drudge, and it wouldn't go 
forward until it allowed me to put these cookies back on. I had 
to put on 17 cookies.
    I went to the Gmail to do my Gmail, and I deleted all the 
cookies. Same thing happened there. So, that is an awful lot of 
cookies that I don't know what is going on, and this is for 
George Pappachen.
    In your testimony, you mentioned the use of passive 
tracking technology, including cookies, in current studies. I 
guess your holding company is WPP, is that it? Yes. Use these 
passive tracking technologies. What do these tracking 
technologies do? I am a consumer. You are tracking my cookies. 
So, what are you looking for, and is the information you get 
useful, and what is it?
    Mr. Pappachen. Right.
    Mr. Stearns. Just pull the mike up a little closer.
    Mr. Pappachen. Sure. Passive tracking technologies can be 
utilized in different ways. A couple of the ones that I cited 
in my written testimony is, one, ad exposure, the fact that you 
were exposed to a certain ad.
    Mr. Stearns. Can you tell that from a cookie, that I was 
exposed to an ad?
    Mr. Pappachen. Yes, you can tell which ad you----
    Mr. Stearns. So, when I get an ad on Drudge for a car or 
for a book, that is based upon my previous search engines on 
Drudge or Google, and so, you get from those cookies, you read 
those cookies and say, OK, Stearns went to Amazon.com, he went 
to these sites and these sites. You find that all out.
    Mr. Pappachen. Right. Well, it wouldn't be as far as going 
to search, or there might be some categories where you might 
not have availability to track or know what the consumer 
engagement was, but there are, on a larger scale, there is the 
practice of tracking exposure to advertising, so that you are 
not burdened with excessive advertising of the same kind, or----
    Mr. Stearns. And you sell this to the advertisers to tell 
them, this is how effective you were or not?
    Mr. Pappachen. Right. So the idea is to understand how they 
performed, whether we are being relevant or not, similar to how 
we would do it with TV, or in another forum.
    Mr. Stearns. As a customer, do you make the customers aware 
of this? In other words, let us say you are doing this on me, 
how would I find out that you are doing it, and what you are 
doing?
    Mr. Pappachen. Sure. One thing we have been actively 
encouraging and working on is proactive privacy. The Privacy 
Icon project that we were involved in is about allowing for an 
enhanced notice to consumers. That then gives them disclosure.
    Mr. Stearns. But you are not now doing it.
    Mr. Pappachen. It is a self-regulatory initiative that is 
underway. We are definitely doing the best standards or best 
practices of informing about our practices within privacy 
policies and wherever else we can, but we are encouraging that 
the industry absorb an enhanced notice under a self-regulatory 
framework, that allows for disclosure that may be more relevant 
to them, that we were being told is important for consumers.
    So, we are trying to respond in a way that allows for 
consumers to have transparency, but then allows for business to 
have, work in the way that it traditionally has, to be 
effective in their communications.
    Mr. Stearns. You know, we tried to pass a spyware bill here 
in the Energy and Commerce. We just couldn't get the Senate to 
agree. And within that spyware, there was a study that Mr. 
Dingell put in to look at cookies and the impact.
    Do you think the privacy bill should have anything 
applicable to cookies that come into the computer?
    Mr. Pappachen. I think that, regulating technology is a 
tricky thing, as we have often heard.
    Mr. Stearns. That is what I mean, yes.
    Mr. Pappachen. I don't think technology is necessarily the 
enemy. I think we can talk about the uses of it. I think we can 
talk about how we disclose how we are using it. We can talk 
about how we give over the levers of control about how we can 
use it.
    Mr. Stearns. You said, you discussed a technology developed 
in 2007, one of your subsidiaries, Safecount, that allows users 
to see not only what tracking cookies are on their computer, 
but what data they are collecting, but also, where the tracking 
cookies came from. So is that in practice, that Safecount, is 
that being used?
    Mr. Pappachen. That is right. Consumers can have insight 
into what cookies there are on their browser, from Safecount, 
and also, which ad it was spawned from.
    Mr. Stearns. Has this Safecount program been given to other 
companies, besides WPP?
    Mr. Pappachen. It certainly could be. It is a, what I said 
in my written statement is that we have seen other, larger 
actors now going in that direction. It was in support of the 
idea that self-regulation can work.
    We have seen other actors going towards providing access to 
the interests and profiles that they build online, and letting 
consumers have some control over whether those interests are 
built, and what those interest groups, they would want to 
belong to or not.
    Mr. Stearns. Do you think we should prevent spyware?
    Mr. Pappachen. I am sorry, sir. I didn't get the last part.
    Mr. Stearns. Do you think we should prevent spyware, in 
Congress?
    Mr. Pappachen. I think spyware by, again, it would matter 
what we define as spyware, but spyware, if it means something 
that consumers did not transparently get notice of and consent 
to, and it engages in activity that that would not want, yes, I 
think it should be prohibited.
    Mr. Stearns. OK. Ms. Barrett, Mr. Doyle talked to you 
about, he asked a series of questions, and he said will you 
tell me this information, and you said, we will not tell you 
information about risk product? Is that correct?
    Ms. Barrett. We will tell you. We will show you exactly 
what we have in our risk and identity management products, yes.
    Mr. Stearns. But he said, can I get all of it, and you said 
no, I thought.
    Ms. Barrett. For the marketing products?
    Mr. Stearns. Yes.
    Ms. Barrett. We offer a summary of the information, not the 
details.
    Mr. Stearns. And some of the information you won't provide, 
and why would that be? Because it is proprietary information 
that you have developed, that you have a proprietary interest 
in, is that, perhaps, why?
    Ms. Barrett. No, it is the fact that the information is not 
commonly requested at an individual level, and so, we have not 
put the systems in place to go retrieve it, and look at it on 
one person. Marketing applications look at the data in 
thousands or tens of thousands or millions of records at a 
time.
    Mr. Stearns. He had also asked a question about regulating 
online collection and use of data, should be clear about the 
extent of the harm we are seeking to address. Do you believe 
that harm exists in online data collection, or is it a risk of 
harm?
    Ms. Barrett. I think that there is the potential for harm 
in almost any data collection. I think it speaks to how do we 
use information, and where can we define risk under, in certain 
uses, and then, how can we develop guidelines that either 
prevent or mitigate against that risk, relative to that use?
    And for example, I might point out some of the self-
regulatory guidelines that have been put in place. For 
instance, for marketing, by the Direct Marketing Association 
and the Internet Advertising Bureau, and the Network 
Advertisers Initiative. Those are three different groups that 
have defined different kinds of guidelines, relative to 
different marketing activities.
    Mr. Stearns. This is the last question, Mr. Chairman. This 
is the more tough, you know, here we are trying to legislate a 
privacy bill. What harm should this privacy bill address, then? 
I mean, can you say that concisely?
    Ms. Barrett. Well, I think that is the challenge, is 
defining exactly what are the harms that----
    Mr. Stearns. Yes.
    Ms. Barrett. --consumers are at risk of.
    Mr. Stearns. Yes.
    Ms. Barrett. My panelist down here, Ms. Dixon, mentioned 
some of the things, in terms of denying consumers substantive 
benefits, and I think that might be an area to explore. It is 
certainly not an area that we see in the marketing arena, but 
information that is used outside of simply trying to reach you 
with a relevant communication well might present some harms to 
the consumers. And those should be explored.
    Mr. Stearns. Thank you, Mr. Chairman.
    Mr. Doyle. Thank you, Mr. Stearns. The chair now recognizes 
Mr. Inslee.
    Mr. Inslee. Thank you, Mr. Hoofnagle. I was looking at a 
document attached, I think to your testimony from the Vente 
Company, which shows lists of, is this your information?
    Mr. Hoofnagle. It is.
    Mr. Inslee. Yes. So, it shows this company, it appears that 
they sell lists of people who have certain conditions. So, 
cancer prostate, it shows they have 125,400 names of people who 
have cancer of the prostate.
    Is that, do I read this right? This company will tell you 
who has cancer of the prostate?
    Mr. Hoofnagle. I think you are referring to two different 
portions of my appendix here. One is the ailments, diseases, 
and illness sufferers mailing list, which is sold by a company 
that is a member of the Direct Marketing Association.
    The Vente list is the addiction responders list, and it 
advertises who is struggling with an addiction to gambling, 
sex, or food. Who just can't say no to drugs, alcohol, or 
tobacco. Millions of America, and Vente has them.
    Mr. Inslee. So, Vente has the names of people who have had 
an alcohol problem, then, and they sell those names, is that 
right?
    Mr. Hoofnagle. That is what their advertising claims.
    Mr. Inslee. And typically, where do they get the 
information that a person has had an alcohol problem?
    Mr. Hoofnagle. The sources are likely to be self-reported. 
So, for instance, if a consumer fills out a survey, and checks 
a box saying that I have struggled with alcoholism, that is 
information that could be bundled and resold, in this type of 
context. It would not come, for instance, from a healthcare 
provider. So, this would be, it could be a product loyalty 
card, that is associated with purchases, or self-reported data.
    Mr. Inslee. So, let me ask you about the other document. 
Let us talk about cancer of the prostate. This other document 
suggests that there is a database of people suffering from a 
wide variety of ailments, diseases, illnesses, and medical 
conditions. Included are cancer of the prostate, there is 
125,400 names, as I understand that.
    Does this group sell names of people with that condition?
    Mr. Hoofnagle. This information is personally identifiable. 
So, it is name and address, and then, if you look along the 
right hand side at the first page, there are what are known as 
selects, which means that for extra money, you can buy their 
age, ethnicity, sex, whether they are a homeowner, et cetera.
    Mr. Inslee. And where, typically, would this company have 
received the information, the personally identifiable 
information of the people who have cancer of the prostate?
    Mr. Hoofnagle. With respect to this list, its provenance is 
claimed to be a lifestyle questionnaire. So, an example would 
be, you are walking through the mall and someone stops you and 
says, will you fill out this survey, and we will give you a 
gift card, or we will give you something free. If you fill out 
that survey, it could end up in a database like this, and there 
is no right to notice. They don't have to give you notice that 
they are selling the data. They don't have to give you access, 
et cetera.
    Mr. Inslee. So, they don't have to tell you that it could 
be used by someone who has got a grudge against you, and wants 
to publicly divulge that information to embarrass you, then.
    Mr. Hoofnagle. That is really unlikely in this context.
    Mr. Inslee. Because?
    Mr. Hoofnagle. This information is sold in bulk. If you 
look at the terms, it says $150/m, which means that it is 1,000 
names for $150. You could not say to these companies, I would 
like to know whether Chris Hoofnagle is in the cancer list.
    Mr. Inslee. Why not? Why couldn't somebody say give me 
$10,000 and tell me all you got on Mike Doyle? Could they 
legally do that?
    Mr. Doyle. It wouldn't be worth that much money.
    Mr. Hoofnagle. These companies are not set up to, at least 
this type of company, is not architected to sell information 
about a specific individual.
    Now, with respect to the pizza delivery exhibit that I 
provided, where Merlin Data is selling identifiable information 
about people's homes, their unlisted phone numbers, their cell 
phone numbers, et cetera, that is very different. That is when 
you say, this is a situation where you say I want information 
about a specific individual. Do you have it?
    Mr. Inslee. Thank you. I believe, Ms. Barrett, you were 
Acxiom. Do I have, yes, I am sorry. So, you show a document, I 
am looking at the health buying activity, and they show various 
codes I am looking. Code 6437 is for health, female wellness. 
Code 6436 is health, diet/weight loss. What would be the 
information to generate people's inclusion in those codes? 
Where would you generate that information?
    Ms. Barrett. It would come from self-reported or survey 
information, where the consumer has indicated that they have an 
interest in information about that topic. And for the surveys 
that we use, we require that there be a notice that the 
information will be used for marketing purposes to other 
parties, and give the consumer the chance to opt out of that, 
or to come directly to us, and say I don't want you to use 
that information.
    Mr. Inslee. So, if a person visited a Web site selling a 
weight loss product, could their visit to the Web site, to 
their opening that page, end up being coded on this in some 
fashion?
    Ms. Barrett. I don't believe so.
    Mr. Inslee. And what leads to a little question about that 
in your mind?
    Ms. Barrett. Well, I am not, I would have to go back and 
look at all the individual sources that contribute to that.
    Mr. Inslee. So, is there any legal, let me ask the panel in 
general. Is there any legal prohibition at the moment, if a 
person visits a weight loss Web site, that provides weight loss 
services or products. Let us say a person just visits the Web 
site, opens the page. Is there any legal prohibition of that 
owner of that page disseminating to a data information service 
the fact that this computer, this identified computer, has 
visited that site, and then that data collector, being able to 
collect, if they have some connection to an individual, 
connecting that to the data. Is there any legal prohibition on 
that happening right now?
    Ms. Barrett. There is no legal prohibition, but industry 
code of conduct, as well as the Direct Marketing Association 
Code, calls for the disclosure of that practice to the 
consumer, and at least in a privacy policy, if not more boldly 
on the page, and then, the chance for the consumer to opt out 
of that disclosure to another party.
    Mr. Inslee. Ms. Dixon, did you----
    Ms. Dixon. Thank you. It is a good question. There is no 
legal requirement for that to happen. And one of the more 
troubling issues with Web sites is that they are very 
compelling. You can take, for example, Facebook surveys, where 
especially children, teens, and young adults will just go in, 
and they are very inured to giving out certain information, 
such as about anorexia and other, you know, topics they talk 
about online now.
    They will give the information out, and these notices can 
be quite small, and they don't see them. And then, their 
information gets sold. So, it is not just that you visited a 
weight loss Web site. It is that you visited the site, then you 
filled out your name and, perhaps, gave them your email, and 
then, that can be further associated downstream, and used in 
collaboration and linked with other data.
    But in some cases, the information is so identifiable, it 
doesn't even need to be linked. When you look at these really 
scary lists of ailments, you have prostate cancer, the mental 
health lists, these people are known by name, because they have 
freely given their name.
    And one of the really difficult questions, I think, that 
this committee faces is that the opt-in opt-out model is very 
challenging, because it is so challenging to educate consumers 
about well, what does giving your name on such a Web site 
actually mean to you? Are you opting in? Do you really know 
what you are opting into? Because, for example, the mental 
health lists. Those people gave that information up in some 
way, typically, through some kind of Web site or survey or a 
sweepstakes. And did they really, truly know and comprehend the 
full consequences of their actions? It is a tough question.
    Mr. Inslee. Thank you very much.
    Mr. Doyle. Thank you, Mr. Inslee. The chair recognizes Mr. 
Rush.
    Mr. Rush. Thank you, Mr. Chairman. I just have some 
questions. I know that the time is quickly passing by, and I 
just have some questions for the panel. Now I, something that I 
will just ask Professor Hoofnagle about this, some questions.
    Professor Hoofnagle, we don't need to look at any further 
than Acxiom's data products catalog or the Nextmark Web site 
referenced in your testimony, to see that companies are 
collecting and selling personal information about individuals, 
that many Americans consider sensitive, such as their race, 
ethnicity, religious affiliation, and political affiliation, 
not to mention information on a wide range of sensitive health 
topics and medical conditions, including addictions, sexual 
dysfunction, viral disorders, body odor, obesity, infertility, 
and menopause. This list can go on and on and on. A lot of 
sensitive information. Are any topics off limits for commercial 
use, or is the general rule that if information exists, collect 
and sell it?
    The next question is, if we can agree that some categories 
of data should be off limits, or require heightened levels of 
consumer consent, how do we define that category of sensitive 
data?
    Mr. Hoofnagle. Mr. Chairman, those are two very good 
questions. If I could address the second one first. I have 
tried to move away from the opt-in opt-out question, because 
framing rights in that way can easily be manipulated. It is 
easy to trick people into opting in, and conversely, it is easy 
to make it so people will not opt out.
    So, I have suggested several other interventions. One is 
having the data disappear after a certain amount of time. So, 
if you have an upward data retention limit is one way of doing 
it. But there are other tools from the advertising world that 
can be used.
    One example is advertiser liability. So, for instance, in 
the telemarketing, spam, and junk fax laws, advertisers can be 
liable if they hire spammers who, excuse me, advertisers can be 
liable if they send out, if they hire someone to send out email 
that violates the CAN-SPAM law.
    In this context, you could create liability for people who 
buy certain lists and abuse them. An example out of Iowa is 
worth noting. There was a list brokerage company there that 
was selling a list known as ``elderly impulsive,'' and they 
were using it to take advantage of senior citizens who had 
problems remembering, and as a result, were able to architect a 
scam around that.
    The data seller, I think, should offer some due diligence, 
especially when there are, using sensitive personal 
information. And that can be in reviewing the advertising that 
is ultimately disseminating, or in being responsible if the 
advertiser ultimately uses the information to take advantage of 
people.
    You know, with respect to your first question, the general 
legal standard in the U.S. is that offline data collection is 
not regulated by a specific federal privacy law, except in 
certain areas. Your video rental records, for instance, are 
protected. Your cable records are protected. But between, in 
all the gaps left by the sectoral laws, there is data 
collection even on sensitive personal information.
    Mr. Rush. Thank you. I yield back.
    Mr. Doyle. Thank you. Well, seeing no more members here, we 
want to thank all of our witnesses for their testimony today, 
and this hearing is adjourned.
    [Whereupon, at 3:00 p.m., the Subcommittees were 
adjourned.]
    [Material submitted for inclusion in the record follows:]

                                 
