b"<html>\n<title> - EXPLORING THE OFFLINE AND ONLINE COLLECTION AND USE OF CONSUMER INFORMATION</title>\n<body><pre>[House Hearing, 111 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n\n\n                    EXPLORING THE OFFLINE AND ONLINE\n                     COLLECTION AND USE OF CONSUMER\n                              INFORMATION\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               BEFORE THE\n\n                    SUBCOMMITTEE ON COMMERCE, TRADE,\n                        AND CONSUMER PROTECTION\n\n                                AND THE\n\n      SUBCOMMITTEE ON COMMUNICATIONS, TECHNOLOGY, AND THE INTERNET\n\n                                 OF THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                           NOVEMBER 19, 2009\n\n                               __________\n\n                           Serial No. 111-83\n\n\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n\n\n      Printed for the use of the Committee on Energy and Commerce\n\n                        energycommerce.house.gov\n                                _____\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n\n74-854                    WASHINGTON : 2012\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n\n\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                 HENRY A. WAXMAN, California, Chairman\n\nJOHN D. DINGELL, Michigan            JOE BARTON, Texas\n  Chairman Emeritus                    Ranking Member\nEDWARD J. MARKEY, Massachusetts      RALPH M. HALL, Texas\nRICK BOUCHER, Virginia               FRED UPTON, Michigan\nFRANK PALLONE, Jr., New Jersey       CLIFF STEARNS, Florida\nBART GORDON, Tennessee               NATHAN DEAL, Georgia\nBOBBY L. RUSH, Illinois              ED WHITFIELD, Kentucky\nANNA G. ESHOO, California            JOHN SHIMKUS, Illinois\nBART STUPAK, Michigan                JOHN B. SHADEGG, Arizona\nELIOT L. ENGEL, New York             ROY BLUNT, Missouri\nGENE GREEN, Texas                    STEVE BUYER, Indiana\nDIANA DeGETTE, Colorado              GEORGE RADANOVICH, California\n  Vice Chairman                      JOSEPH R. PITTS, Pennsylvania\nLOIS CAPPS, California               MARY BONO MACK, California\nMICHAEL F. DOYLE, Pennsylvania       GREG WALDEN, Oregon\nJANE HARMAN, California              LEE TERRY, Nebraska\nTOM ALLEN, Maine                     MIKE ROGERS, Michigan\nJANICE D. SCHAKOWSKY, Illinois       SUE WILKINS MYRICK, North Carolina\nHILDA L. SOLIS, California           JOHN SULLIVAN, Oklahoma\nCHARLES A. GONZALEZ, Texas           TIM MURPHY, Pennsylvania\nJAY INSLEE, Washington               MICHAEL C. BURGESS, Texas\nTAMMY BALDWIN, Wisconsin             MARSHA BLACKBURN, Tennessee\nMIKE ROSS, Arkansas                  PHIL GINGREY, Georgia\nANTHONY D. WEINER, New York          STEVE SCALISE, Louisiana\nJIM MATHESON, Utah                   PARKER GRIFFITH, Alabama\nG.K. BUTTERFIELD, North Carolina     ROBERT E. LATTA, Ohio\nCHARLIE MELANCON, Louisiana\nJOHN BARROW, Georgia\nBARON P. HILL, Indiana\nDORIS O. MATSUI, California\nDONNA M. CHRISTENSEN, Virgin \nIslands\nKATHY CASTOR, Florida\nJOHN P. SARBANES, Maryland\nCHRISTOPHER S. MURPHY, Connecticut\nZACHARY T. SPACE, Ohio\nJERRY McNERNEY, California\nBETTY SUTTON, Ohio\nBRUCE L. BRALEY, Iowa\nPETER WELCH, Vermont\n\n                                  (ii)\n        Subcommittee on Commerce, Trade, and Consumer Protection\n\n                        BOBBY L. RUSH, Illinois\n                                  Chairman\nJANICE D. SCHAKOWSKY, Illinois       CLIFF STEARNS, Florida\n    Vice Chair                            Ranking Member\nJOHN SARBANES, Maryland              RALPH M. HALL, Texas\nBETTY SUTTON, Ohio                   ED WHITFIELD, Kentucky\nFRANK PALLONE, Jr., New Jersey       GEORGE RADANOVICH, California\nBART GORDON, Tennessee               JOSEPH R. PITTS, Pennsylvania\nBART STUPAK, Michigan                MARY BONO MACK, California\nGENE GREEN, Texas                    LEE TERRY, Nebraska\nCHARLES A. GONZALEZ, Texas           MIKE ROGERS, Michigan\nANTHONY D. WEINER, New York          SUE WILKINS MYRICK, North Carolina\nJIM MATHESON, Utah                   MICHAEL C. BURGESS, Texas\nG.K. BUTTERFIELD, North Carolina\nJOHN BARROW, Georgia\nDORIS O. MATSUI, California\nKATHY CASTOR, Florida\nZACHARY T. SPACE, Ohio\nBRUCE L. BRALEY, Iowa\nDIANA DeGETTE, Colorado\nJOHN D. DINGELL, Michigan (ex \n    officio)\n                                 ------                                \n\n      Subcommittee on Communications, Technology, and the Internet\n\n                         RICK BOUCHER, Virginia\n                                 Chairman\nEDWARD J. MARKEY, Massachusetts      FRED UPTON, Michigan\nBART GORDON, Tennessee                 Ranking Member\nBOBBY L. RUSH, Illinois              CLIFF STEARNS, Florida\nANNA G. ESHOO, California            NATHAN DEAL, Georgia\nBART STUPAK, Michigan                BARBARA CUBIN, Wyoming\nDIANA DeGETTE, Colorado              JOHN SHIMKUS, Illinois\nMICHAEL F. DOYLE, Pennsylvania       GEORGE RADANOVICH, California\nJAY INSLEE, Washington               MARY BONO MACK, California\nANTHONY D. WEINER, New York          GREG WALDEN, Oregon\nG.K. BUTTERFIELD, North Carolina     LEE TERRY, Nebraska\nCHARLIE MELANCON, Louisiana          MIKE FERGUSON, New Jersey\nBARON P. HILL, Indiana\nDORIS O. MATSUI, California\nDONNA M. CHRISTENSEN, Virgin \n    Islands\nKATHY CASTOR, Florida\nCHRISTOPHER S. MURPHY, Connecticut\nZACHARY T. SPACE, Ohio\nJERRY McNERNEY, California\nPETER WELCH, Vermont\nJOHN D. DINGELL, Michigan (ex \n    officio)\n\n\n\n\n\n                             C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHon. Bobby L. Rush, a Representative in Congress from the State \n  of Illinois, opening statement.................................\nHon. George Radanovich, a Representative in Congress from the \n  State of California, opening statement.........................\n    Prepared statement...........................................\n.................................................................\nHon. Edward J. Markey, a Representative in Congress from the \n  Commonwealth of Massachusetts, opening statement...............\nHon. Cliff Stearns, a Representative in Congress from the State \n  of Florida, opening statement..................................\n    Prepared statement...........................................\nHon. Gene Green, a Representative in Congress from the State of \n  Texas, opening statement.......................................\nHon. Michael F. Doyle, a Representative in Congress from the \n  Commonwealth of Pennsylvania, opening statement................\nHon. Steve Scalise, a Representative in Congress from the State \n  of Louisiana, opening statement................................\nHon. Doris O. Matsui, a Representative in Congress from the State \n  of California, opening statement...............................\nHon. Marsha Blackburn, a Representative in Congress from the \n  State of Tennessee, opening statement..........................\nHon. Zachary T. Space, a Representative in Congress from the \n  State of Ohio, opening statement...............................\nHon. Christopher S. Murphy, a Representative in Congress from the \n  State of Connecticut, opening statement........................\nHon. John Barrow, a Representative in Congress from the State of \n  Georgia, opening statement.....................................\nHon. Joe Barton, a Representative in Congress from the State of \n  Texas, prepared statement......................................\n\n                               Witnesses\n\nChris Hoofnagle, Director, Information Privacy Programs, UC \n  Berkeley School of Law.........................................\n    Prepared statement...........................................\n    Answers to submitted questions...............................\nGeorge V. Pappachen, Chief Privacy Officer, Kantar/WPP...........\n    Prepared statement...........................................\n    Answers to submitted questions...............................\nJennifer T. Barrett, Global Privacy and Public Policy Executive, \n  ACXIOM.........................................................\n    Prepared statement...........................................\n    Answers to submitted questions...............................\nZoe Strickland, Vice President, Chief Privacy Officer, Wal-Mart \n  Stores, Inc....................................................\n    Prepared statement...........................................\n    Answers to submitted questions...............................\nMichelle Bougie, Senior Internet Marketing Manager, \n  LearningResources.com and EducationalInsights.com..............\n    Prepared statement...........................................\n    Answers to submitted questions...............................\nPam Dixon, Executive Director, World Privacy Forum...............\n    Prepared statement...........................................\n    Answers to submitted questions...............................\n\n                           Submitted material\n\nStatement of the American Civil Liberties Union..................\n\n \n    EXPLORING THE OFFLINE AND ONLINE COLLECTION AND USE OF CONSUMER \n                              INFORMATION\n\n                              ----------                              \n\n\n                      THURSDAY, NOVEMBER 19, 2009\n\n                  House of Representatives,\n     Subcommittee on Commerce, Trade, and Consumer \n                                        Protection,\n                                             joint with the\nSubcommittee on Communications, Technology, and the \n                                          Internet,\n                          Committee on Energy and Commerce,\n                                                    Washington, DC.\n    The Subcommittees met, pursuant to call, at 12:23 p.m., in \nRoom 2123 of the Rayburn House Office Building, Hon. Bobby Rush \n[Chairman of the Subcommittee on Commerce, Trade, and Consumer \nProtection] presiding.\n    Members present from Subcommittee on Commerce, Trade, and \nConsumer Protection: Representatives Rush, Schakowsky, \nSarbanes, Green, Barrow, Matsui, Space, Radanovich, and \nScalise.\n    Members present from Subcommittee on Communications, \nTechnology, and the Internet: Representatives Boucher, Markey, \nDoyle, Inslee, Murphy, McNerney, Stearns, Shimkus, and \nBlackburn.\n    Staff Present: Michelle Ash, Chief Counsel; Marc Groman, \nFTC Detailee; Timothy Robinson, Counsel; Amy Levine, Counsel; \nGreg Guice, FCC Detailee; Sarah Fisher, Special Assistant; \n.Will Cusey, Special Assistant; Theresa Cederoth, Intern; Pat \nDelgado, Rep. Waxman's Chief of Staff; Brian McCullough, Senior \nProfessional Staff; Shannon Weinberg, Counsel; Will Carty, \nProfessional Staff; Amy Bender, FCC Detailee; and Sam Skywalker \nCostello, Legislative Analyst.\n\n OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF ILLINOIS\n\n    Mr. Rush. The joint committee will come to order.\n    This is a joint subcommittee hearing on Commerce, Trade, \nand Consumer Protection, and the Commerce, Technology, and \nInternet Subcommittee.\n    The subject matter for this hearing is entitled ``Exploring \nthe Offline and Online Collection and Use of Consumer \nInformation.'' I am privileged to chair the Subcommittee on \nCommerce, Trade, and Consumer Protection, and my friend and \ncolleague, Mr. Boucher, who is the chairman of the \nCommunications, Technology, and Internet Subcommittee of the \nCommittee on Energy and Commerce.\n    It is my honor to chair the first part of this hearing, and \nthis hearing will be chaired subsequently by Chairman Boucher. \nThe chair recognizes himself now for 5 minutes, for the \nprivileges and the purposes of an opening statement.\n    The collection and use of personal information of customers \nand consumers are threads from the same knitting needle, sewn \ninto the fabric of American commerce and competition near the \nstart of the Twentieth Century. Accordingly, these tools and \nmethods predate their more powerful, precise, and predictive \ncounterpart in the online realm by more than 100 years.\n    But just because we have something that has been around for \na long time does not mean we understand as much about it as we \nshould. That is why I am delighted about today's hearing. It is \nthe fourth in a series of hearings our two subcommittees have \nheld on the subject of privacy.\n    At our hearings and in our meetings, consumers and their \nadvocates, industry, and leading commentators have shared with \nus extensively why this all matters, how entrepreneurs and \nbusinesses go about protecting consumer privacy, and why \ncollecting personal information about individual consumers \nimproves the chances their businesses will have to succeed. \nWhile preparing for these hearings, we have been surprised at \nhow little is really known about how businesses go about \nensuring that individual privacy is protected.\n    Consumers are telling us they want to know more about how \ntheir information is being protected. As their representatives \nand our consumers ourselves, we hear them loud and clear. They \nshould be and are concerned, even to the point of anger, when \nthey learn that they have been placed on consumer lists \nidentifying themselves as affluent Jews or Blacks, as pro-\nchoice or pro-life, as donors, as members of a same-sex couple \nrelationship, or as being addicted to gambling, addicted or \nsex, or addicted to tobacco.\n    Indeed, on my way back home to Chicago to celebrate the \nThanksgiving holidays, I could take public transportation to \nthe airport, and by using a SmartCard and a frequent flyer \ncard, records of my whereabouts, and when and to where I was \ncommuting and flying are created. To buy my holiday turkey, I \nmay use my grocery rewards card, which would swipe into a \nsystem of databases what is in my cart, when and where I \nshopped, how much I paid, among the other data points that were \nbeing collected. And these are just several examples of the \ntype of consumer lists and data points that are generated and \npopulated into databases, 24 hours a day, 365 days of every \nyear.\n    But how much do we know about the businesses that that make \nit a business of obtaining and selling or sharing ``offline'' \ninformation and customer lists with affiliated and unaffiliated \nbusinesses. How much do we know about their marketing practices \nand product development strategies to persuade buyers and \nindividuals who will pay considerable amounts of money for that \ninformation? How much do we really know about what these buys \nand individuals do with that information, including reselling \nthe information downstream to other buyers and bidders for that \ninformation?\n    I am interested in hearing everyone's perspectives about \nthe current legal and regulatory structure that exists to \nprotect this information. Should the source of this \ninformation, whether it is taken ``offline'' from a warranty \nregistration card, or ``online,'' from a social or health \nnetworking site be treated differently, when it reveals \nfundamentally the same personal information about individual \nconsumers? And by treating the information differently, with a \nheightened duty on businesses to protect ``online sources,'' \nfor example, are we setting perverse incentives and conditions \nfor regulatory arbitrage and avoidance?\n    Let me be clear. My end goal is to work with members of \nthis subcommittee and members of this committee to introduce \nprivacy legislation, which protects consumers from privacy-\nrelated harms, yet doesn't stifle responsible entrepreneurs and \nbusinesspeople from developing models and instituting \nsuccessful business and marketing plans that are, indeed, \nrespectful of consumer privacy.\n    Keeping privacy protections that belong in the back office \nfrom tumbling into the crawl spaces under the office will be a \nbig part of our challenge. In whatever bill we draft, we must \nto work to ensure that the accelerating convergence of \n``offline'' and ``online'' collection and does not outpace the \ndemands of consumers for dignity and for discipline and for our \ndecency, in our dawning digital economy and markets.\n    I yield back the balance of my time.\n    [The prepared statement of Mr. Rush \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Rush. I recognize the ranking member of this \nsubcommittee, Mr. Radanovich, for 5 minutes for the purposes of \nopening statements.\n\n OPENING STATEMENT OF HON. GEORGE RADANOVICH, A REPRESENTATIVE \n            IN CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Mr. Radanovich. Thank you, Chairman Rush, and I want to \nthank you for holding this second hearing on the topic of \nprivacy.\n    And we understand, or have heard rumors of legislation \ncoming in the next few weeks, and I look forward to that, and \nworking with you on legislation to improve rights of privacy.\n    As I have stated before, I believe an individual's \ninformation is their own personal property. We, as consumers, \nshould know what information is gathered about us, where and \nhow it is stored and protected, and who has access to that \nstored information. And most importantly, for the context of \nthis hearing, with whom and for what purposes is that \ninformation shared?\n    But the fact of the matter is that information collection, \naggregation, and sharing predates the Internet by decades, and \nyet, most of us don't know the details of who has the \ninformation, what information they have about us, and where \nthey obtained it. The most critical point of concern for me is \nnot necessarily the aggregation of this data offline, but when \nthat comparatively limited offline data is combined with more \ncomprehensive data collected online. I believe that that is the \nmost important development, because it will continue to grow in \nsignificance, as e-commerce and mobile commerce expand.\n    The flipside of my concern for privacy and the right to \ncontrol my information is the recognition that this information \nsharing is good for business, and I certainly do feel that I \nhave, or do not feel that I have been harmed because a retail \ncatalog appeared on my mail. Maybe the tenth one in one day, \nyes, I have been harmed, but. However, we all know that \ncollected information can, in certain contexts, be used by \ncriminals that have, if that information is not respected and \nprotected.\n    In general, I believe the free market can and should be \nallowed to solve these types of issues, as consumers become \naware and demand certain protections, practices, and control \noptions, industry will respond in order to maintain those vital \nrelationships.\n    Thankfully, the best actors do take privacy seriously, and \nthey do provide options for consumers to block the sharing of \ntheir information for marketing purposes. The problem for \nCongress is similar to what we face on many issues, and that is \nhow to address the bad actors without overburdening the good by \ndepressing or even eliminating productive and beneficial \ncommercial activity. That is the balance for which we should \nstrive, and the approach that I will continue to support.\n    I look forward to hearing from our witnesses today, \nparticularly our small business representative. I would like to \nknow exactly what information you collect, with whom you share \nit, and how you and your partners use that information. I would \nalso like to hear all of your thoughts about how this can be \naddressed through industry self-regulation, and what, if any \nsteps Congress may need to consider to ensure personal \ninformation and the use of that information are adequately \nprotected and treated properly.\n    Finally, I would like to know your thoughts on how the \nvarying approaches to potential regulation of sharing we have \npreviously discussed in this committee, such as first party, \nthird party approach, or a primary personal approach would \nimpact the world of small business. We have seen, in other \ncontexts, the consequences of acting too quickly without full \ninvestigation of potential consequences. In this area that is \nso important to so many people, I want to make sure that any \npolicy decisions are based upon the fullest information \navailable, and will be fair to all businesses, regardless of \ntheir size and corporate structure.\n    We all want to protect privacy and prevent harm, but \nCongress should not seek to solve the issue by choosing winners \nand losers.\n    Thank you very much, Mr. Chairman, and I thank you, \nwitnesses, for your time and your input today, and yield back \nthe balance of my time.\n    [The prepared statement of Mr. Radanovich \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Rush. The chair thanks the gentleman, the vice chair, \nor the ranking member, rather.\n    The chair now recognizes the gentleman from Massachusetts, \nMr. Markey, for 5 minutes, for the purposes of opening \nstatement.\n\nOPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN \n        CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS\n\n    Mr. Markey. Thank you, Mr. Chairman, very much, and thank \nyou so much for holding this critically important hearing.\n    Shakespeare, in Othello, said: ``Who steals my purse steals \ntrash. 'tis something, nothing; 'Twas mine, 'tis his, and has \nbeen slave to thousands; but he that filches from me my good \nname robs me of that which not enriches him but makes me poor \nindeed.''\n    Now, as we were growing up, our doctors, our bankers, the \nnurses, they were privacy keepers. We knew that our medical \nrecord was locked up in that closet with the nurse, with the \nkey to open it up to go in and get the records, and it wasn't \ngoing to be shared with the neighborhood. The same thing is \ntrue for all of our records.\n    But we have moved from an era now of privacy keepers to one \nof privacy peepers, and data mining reapers, who want to turn \nour information into products. And what is the product? The \nproduct is our records, our privacy, our families' history. And \nas online and wireless merge, it becomes all the more possible \nto take this world, and to compromise the privacy of Americans.\n    And so, this really goes to the heart of who we are. We \nwouldn't let the government do this. We wouldn't let the \ngovernment gather all this information, or make it a product. \nSo, we have to protect against businesses that think that we \nare all products, that our families are all products. The \nmembers of our families are all products, because this \ninformation is invaluable as a product to other people.\n    But to us, it goes right to the essence of our families and \nwho we are, and what privacy we should have a right to expect. \nAnd so, as we are moving forward, we have to create the rules. \nThe new technologies themselves have no personality at all. \nThey are just technologies. They only get their personality as \nwe, we animate them with the values that we want them to serve.\n    And so, for my part, I think that the old values served us \nvery well, and the new technologies should be animated with \nthose old values. That is the key to this discussion. It is not \noh, Congress can't keep up with new technology. Oh, we can keep \nup with it. We know what is going on. The question is, do we \nhave the insight and the courage to add those old values, so \nthat families aren't compromised by businesses that want to \nmake a product out of people's business.\n    When we were doing the health IT bill in February, adding \nthat $20 billion, I authored the language that ensured that the \ninformation that was now going to be transmitted was \nindecipherable to unauthorized users. Because yes, we want to \nget the benefit of new health IT information, because that can \nhelp patients, but we don't want that information to now be \ncompromised, as it is taken out of the file and put online. We \nwant the benefits to flow to the patients, but not for the \ninformation to be turned into a product, a profile, that can \nthen have everyone in town or everyone across the country \nknowing who had anorexia, prostate cancer, breast cancer, in \nyour family.\n    If you want to tell someone about it, you should be able to \ndo it, but if you don't want to tell anyone about it, that \nshould be your right, too. And there is many people who don't \nmind people finding out, but there is many others who aren't \ngoing to tell anyone else in their family that they have a \nsecret. That should be their right. That shouldn't be a \ndecision made by a business, that is now just widely \ndisseminated because there might be more products that they can \nhelp you with, to gain access to. They should ask you if you \nwant to have access to it, then that information can be sent \nout there.\n    So, this brave new world is really no different than the \ndiscussion that our grandparents and our parents had to have \nabout the privacy they expected, and I think that the same \nvalues exist, the technologies should work for families, and \nthey should have the right to say no. They should have the \nknowledge and information that is being gathered about them. \nThey should have the notice that the information is going to be \nused for other purposes, other than that which was originally \nintended, and they should have the right to say no. No, well, I \nwant the benefit of the technology, but I don't want it turned \ninto a product. I don't want my children's, my mother and \nfather's information now as some kind of product that is out \nthere.\n    So, thank you, Mr. Chairman. We could not have a more \nimportant subject. I yield back the balance of my time.\n    I yield back the balance of my time.\n    [The prepared statement of Mr. Markey \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Rush. The chair thanks the chairman of the Subcommittee \non Energy. Now, the chair recognizes the ranking member of the \nSubcommittee on Energy, Mr. Stearns, for 5 minutes, for the \npurposes of opening statement.\n\n OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF FLORIDA\n\n    Mr. Stearns. Thank you, Mr. Chairman, and let me commend \nyou also, you and Mr. Boucher, for having this hearing. I thank \nthe witnesses for coming. We look forward to your testimony.\n    We have had, I think, back in June, we had a big discussion \non behavioral advertising, and how to broadly examine how \ncompanies are using consumer Internet behavior to tailor online \nadvertising, to simply identify the ways this kind of targeted \nadvertising affects the consumer. How does he or she benefit \nfrom this, and I think most of the feelings were that the \nconsumer does benefit from this.\n    So, in a sense, this committee is here to hear more about \nthe subject, but also, with an understanding to do no harm. \nOnly the consumer knows how he or she feels about the \ninformation being collected, parties that are doing the \ncollecting, and of course, the purpose for which the \ninformation is being collected for.\n    The question becomes just how much influence and how much \nregulation should Congress be involved with. I don't think \nCongress cannot and should not make the decision for the \nconsumer. The consumer should make that decision for \nthemselves.\n    We, as members of this committee, certainly can play a \nproactive role in ensuring that consumers have this adequate \ninformation, and full range of tools at their disposal, in \norder to simply make this informed choice, whether it is opt-in \nor opt-out.\n    Companies that collect information about consumers in both \nan offline and online manner obviously had to be good stewards \nof the information, and should seek to protect that information \nwhere it is appropriate. Additionally, all companies, whether \nthey be data brokers, major retail companies, or even small \nbusinesses, should operate in a transparent manner and fair \nmanner, when it comes to the information they collect about \nconsumers, or consumers, or how that information is \nsubsequently being used.\n    The real transparency, I guess, is a question of how robust \na disclosure and notice to the consumer is required in their \nprivacy policy. They obviously should be presented in a clear, \nconspicuous manner, so that the consumer knows, should be \nindicating what is being collected, the ways the information is \nbeing used, and third, the ways the consumer can prevent the \ncollection of the information if they don't want to do it.\n    This is a very significant challenge. We haven't had many \nhearings on privacy, and understanding the constitutional \nissues, as well as understanding the role of the Federal Trade \nCommission. When I was chairing the Commerce, Trade, and \nConsumer Protection Committee, I realized that there is, people \nwould have different outlooks on the opt-in and opt-out \nprovision.\n    And I come to believe that for the most part, that if we \nget into too much of the weeds here, that we are going to \nimpede the Internet, and make it more difficult for people to \ncollect information, when it is probably not necessary.\n    In fact, at one time, the Federal Trade Commission and I \ntalked about a Good Housekeeping Seal, that would be provided \nby private companies, that in a sense, would be a seal of \napproval, so that people, when they went on a Web site, would \nrealize this already complies with a Good Housekeeping Seal \nthat has been approved by the Federal Trade Commission, so that \nthey would have the confidence right there, without going \nthrough the rigmarole of looking at an opt-in and opt-out \nprovision, and reading the detailed fine print in a privacy \npolicy.\n    The small businesses of this country create all of the \njobs, and there is a lot of Internet companies that are \nstarting up, and obviously, we wouldn't want to impede their \nability to function. So, this Internet is such a powerful means \nof communication, putting in a significant privacy policy is \nvery important, and has the great effect of either helping, \nenhancing, or deterring, shall we say, the purchase of \nproducts, the use of it.\n    So, I think this is a very important hearing, to hear from \nthe people that are most involved, and I look forward to \nhearing from them, and hearing some of the pitfalls of sort of \nwhat we have as a draft bill that Mr. Boucher and Mr. Rush and \nI, and Mr.--others have put together, and so, we are looking \nforward to, perhaps, after this hearing, to get this draft bill \nout, so that we can hear from you folks, to see what you think \nof it. And then, we can move forward.\n    And with that, Mr. Chairman, I yield back.\n    I yield back the balance of my time.\n    [The prepared statement of Mr. Markey \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Rush. And the chair recognizes Mr. Green for 2 minutes, \nfor the purposes of opening statement.\n\n   OPENING STATEMENT OF HON. GENE GREEN, A REPRESENTATIVE IN \n                CONGRESS FROM THE STATE OF TEXAS\n\n    Mr. Green. Thank you, Mr. Chairman, both you and Chairman \nBoucher, thank you for holding this hearing, to continue our \nexamination of consumer data collection and use, and the \nsecurity and privacy implications it has.\n    The issue in discussion, of online versus offline data \ncollection, is an important one, because the distinction has \nblurred so much over the past decade. The ability to easily \naggregate and share information over the Internet has proved \ntremendous benefits to our society and our economy, and the \ncollection of consumer information can provide tremendous \nbenefits to small and upstart businesses, by allowing them to \ntarget customers that have tendencies to purchase \nindividualized products or services.\n    One problem I hear is these aren't the only uses for this \ndata, and the ability of entities that sell this information to \ncollect such a wide variety of information on individuals is \nextremely troubling, because it allows bad actors to target \nvulnerable individuals, based on very specific and granular \ndata, that has been collected across a line of online and \noffline platforms.\n    Another problem is that this information creates a personal \nrecord that few, if any consumers what is exactly contained in \nit. Consumers have no ability to edit that profile, like they \nwould their credit report, but the records maintained on the \ndatabases are unregulated, and often maintained more and wider-\nranging information than in a credit report, if the information \nis not used for products or services that fall under the Fair \nCredit Reporting Act.\n    Information about transactions, behaviors, and online, \noffline, and that occur offline, are also becoming more \nprevalent in these records that can be purchased from companies \nthat sell this marketing information. Nearly every chain store \nhas some sort of discount or club card to collect information \nof consumer trends. Records are kept and sold of individuals \nwho enter various sweepstakes through the mail. Social \nnetworking sites provide, possibly, the greatest threat, \nbecause they contain day to day activity of tens of millions of \nfrequent users.\n    The aggregate of all of this data can provide a \ntremendously detailed picture of a person's daily life, \ninterests, habits, and behavior, which that person may never \nknow exists. We have laws that regulate how this information \ncan be used by financial institutions and relating to medical \nprivacy, but outside of these defined areas, this information \nis largely unregulated, and has the potential to tremendously \nharm consumers.\n    And I want to thank the chair of both subcommittees for the \nhearing today, and continue looking into this issue, and I look \nforward to our witnesses' testimony.\n    I yield back the balance of my time.\n    [The prepared statement of Mr. Green \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Rush. The chair thanks the gentleman. The chair now \nrecognizes the gentleman from Illinois, Mr. Shimkus, for 2 \nminutes.\n    Mr. Shimkus. Thank you, Mr. Chairman. I will be brief.\n    We have free over-the-air radio. We have free over-the-air \nTV. We have free email. We live in a great country, and one of \nthe reasons why we have free email is the ability for people to \nput advertising banners on that.\n    And I am talking about Gmail and Hotmail, and we need to be \nvery, very careful that this great benefit, that millions of \nAmericans take advantage of, does not get hindered, disrupted, \nor destroyed by aggressive legislation in this area, and I \nyield back my time.\n    I yield back the balance of my time.\n    [The prepared statement of Mr. Shimkus \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Rush. The chair thanks the gentleman for his brevity. \nThe chair now recognizes the gentleman from Pennsylvania, Mr. \nDoyle, for 2 minutes.\n\nOPENING STATEMENT OF HON. MICHAEL F. DOYLE, A REPRESENTATIVE IN \n         CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA\n\n    Mr. Doyle. Thank you, Mr. Chairman, for holding this \nhearing today. Trading and selling of personal information \nbegan as long ago as 1899. Two brothers created the Retail \nCredit Company to track the creditworthiness of Atlanta grocery \nand retail customers. Some people know that company now as \nEquifax.\n    Since then, the cost of storing and manipulating \ninformation has fallen sharply, and now, organizations capture \nincreasing amounts of data about individual behavior. Consumers \nhunger for personalization. Products, services, Web sites that \ncater to them, that causes them to reveal information about \nthemselves.\n    Ordering off a catalog reveals other information. Using \ntheir credit card yields more, and thinking you have to send in \nthat warranty card can reveal almost your entire life to other \nparties.\n    But that information probably delivers better products, \nmore targeted services, and a more enjoyable Internet \nexperience. As Alessandro Acquisti of Carnegie Mellon writes: \n``Is there a combination of economic incentives and \ntechnological solutions to privacy issues that is acceptable \nfor the individual and beneficial to society? In other words, \nis there a sweet spot that satisfies the interests of all \nparties?''\n    And then, what are the rules of the road that we need to \nput in place to make sure that consumers' privacy is protected \nand that commerce flourishes? That is what I hope to learn more \nabout in today's hearing.\n    I want to credit the work dozens of dedicated faculty and \nstudents, working on consumers' data privacy at Carnegie Mellon \nUniversity, located in the heart of my district, have done. \nCMU, the Data Privacy Lab, and CyLab, have all greatly \ncontributed to the academic literature, commercial \nconsciousness, public awareness, and my understanding of this \nissue.\n    Thank you, Mr. Chairman, and I yield back.\n    I yield back the balance of my time.\n    [The prepared statement of Mr. Doyle \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Rush. The chair thanks the gentleman. The chair now \nrecognizes the gentleman from Louisiana, Mr. Scalise, for 2 \nminutes.\n\n OPENING STATEMENT OF HON. STEVE SCALISE, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF LOUISIANA\n\n    Mr. Scalise. Thank you, Chairman Rush and Boucher. I want \nto thank you and Ranking Members Radanovich and Stearns for \nhaving this hearing on the collection and use of personal \ninformation.\n    I am pleased that both subcommittees are examining this \nissue. I know that Congress and this committee have held \nhearings on privacy in the past, but as we all know, consumers' \npersonal information is being collected more and more every \nday, often without their knowledge, through both online and \noffline modes of commerce. Whether they are participating in a \nsurvey, using Facebook, or even ordering a product over the \nphone.\n    Given the importance of information in today's economy, and \ngiven how often consumers give out their personal information, \nthere is a genuine cause for concern. Therefore, we must \ncontinue to examine ways to ensure consumers don't have their \npersonal information compromised or misused.\n    As one pointed out in our last joint hearing, many Internet \ncompanies are offering the ability to opt-in or opt-out of the \ncompany's policies to use or share personal information they \ncollect. But those policies often do not address the collection \nof the data. The collection and use of personal information can \nhelp companies better serve customers, market products to \ncertain consumers, and verify consumers' identity.\n    But the potential for danger does exist. Personal \ninformation could easily be compromised, and there are bad \nactors that use consumers' personal information in ways that \ntake advantage of the consumer, and in some cases, in ways that \nare illegal.\n    Consequently, there are issues that we must address. As we \ntake those into consideration, and debate the best steps moving \nforward, I hope we proceed carefully when drafting legislation \nin this area. As I stated at the previous hearing on behavioral \nadvertising, I hope the focus of today's hearing is how we can \nprotect consumers and their personal information, and what \nsteps the industry will take on their own to do that.\n    I hope today's hearing does not focus on ways government \ncan get more involved in areas of people's lives where it does \nnot belong. For this reason, I believe that if self-regulation \nis not sufficient, and if any privacy regulatory requirements \nare needed, they should be targeted, consistent, and not be \ngreater for one business or industry than they are for another. \nCongress should not pick winners and losers.\n    I look forward to hearing the comments of our panelists \ntoday, particularly on the collection of data through offline \nmethods, and how companies are using this data. I also hope to \nhear about current security measures that companies have in \nplace, and any they may be planning to implement in the future, \nto ensure the protection of personal information.\n    It is important that these committees understand their \npositions and activities, as well as all of the implications of \ncollecting and using personal information.\n    Thank you, and I yield back.\n    I yield back the balance of my time.\n    [The prepared statement of Mr. Scalise \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Rush. The chair thanks the gentleman. The chair now \nrecognizes the gentlelady from California, Mrs. Matsui, for 2 \nminutes.\n\nOPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Ms. Matsui. Thank you, Mr. Chairman, and I thank you and \nChairman Boucher for calling today's joint hearing. And I \napplaud your leadership in addressing this important issue. I \nwould like to also thank our panelists for being with us this \nafternoon.\n    Today, we will be examining the collection and commercial \nuse of consumer information across the offline, online, and \nmobile marketplaces. Without their knowledge or approval, \nconsumers' personal information is being collected when they \nconduct daily activities, such as using the Internet, shopping \nat the grocery store, or even ordering takeout from their local \nfavorite restaurants, and that is just to name a few.\n    In today's economy, information is everywhere, and it is to \neveryone. Unfortunately, it is essentially impossible to \nprotect one's personal information these days, and it is \nunderstandable that most Americans simply do not trust that \ntheir personal information is properly protected.\n    Privacy policies and disclosures should be clear and \ntransparent, so consumers can choose what information, if any, \nthey want others to know, instead of inappropriate collection \nand misuse of that information. Consumers should also \nunderstand the scope of the information that is being \ncollected, what it is being used for, the length of time it is \nbeing retained, and its security. The more information that \nconsumers have, the better.\n    Moving forward, we must assure that Americans feel secure \nthat their personal information will not be misused the next \ntime they surf the Internet, shop at a grocery store, or eat \ncarryout from a restaurant. Meaningful privacy safeguards \nshould be in place, while making certain that we do not stifle \ninnovation.\n    Thank you, again, Mr. Chairman, for holding this important \nhearing, and I yield back the balance of my time.\n    I yield back the balance of my time.\n    [The prepared statement of Ms. Matsui \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Rush. The chair thanks the gentlelady. The gentlelady \nfrom Tennessee is recognized for 2 minutes.\n\nOPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF TENNESSEE\n\n    Mrs. Blackburn. Thank you, Mr. Chairman, and welcome to our \nwitnesses. We are glad you are here, and I am pleased that we \nare having this hearing today.\n    Nearly everything that we do on the Internet is monitored, \nand one of the things that we need to do is make certain that \nthere is an understanding of what a level of privacy is, and \nwhat those expectations are, and make certain that we put some \ngood rules of the road in place.\n    At the same time, we don't want to stifle the engines of \nInternet commerce and e-commerce, that have been an absolutely \nwonderful economic driver, especially for many small \nbusinesses. And in areas like mine, all the area from Memphis \nto Nashville, where we have so many small businesses that do \ndepend on those e-commerce formats to make certain that they \nare profitable.\n    Now, my constituents in Tennessee have raised with me the \nissue that there does seem to be an alarming trend, in which \nads from some well-known brands are consistently appearing on \nsites that traffic illegal content, such as pirated movies and \nmusic, and these sites are often located outside the U.S., and \nmay be linked to broader criminal enterprises, that clearly \nhave no regard for the privacy of others. They are very \nconcerned about this, and they want to make certain that that \nis an issue that is addressed, as we move forward in this \ndebate.\n    They are also concerned about rules, as we look at privacy, \nsomething that, about Congress getting in the business of \ndictating what data is acceptable or unacceptable, and \ndistorting how that travels up and down the pipe.\n    So, we need to be responsible, looking for responsible \nsolutions that are going to both protect consumers and empower \nconsumers to have control over their data, and allow businesses \nto continue with their e-commerce format.\n    So, welcome, look forward to hearing your comments.\n    I yield back the balance of my time.\n    [The prepared statement of Mrs. Blackburn \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Boucher [presiding]. Thank you very much, Ms. \nBlackburn. The gentleman from Maryland, Mr. Sarbanes, is \nrecognized for 5 minutes.\n    Mr. Sarbanes. I waive. I waive my opening.\n    I yield back the balance of my time.\n    [The prepared statement of Mr. Sarbanes \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Boucher. I am sorry. Mr. Sarbanes, did you waive a \nstatement? OK. The gentleman will have time added to his \nquestion period.\n    The gentleman from California, Mr. McNerney, is recognized \nfor 2 minutes.\n    Mr. McNerney. Well, thank you. I commend Chairman Rush and \nChairman Boucher for convening this fascinating and important \nhearing.\n    As technology develops, the opportunity for abuse, I \nbelieve, is going to grow exponentially, and consequently, \npolicy does need to keep pace, to ensure that consumers are \nprotected.\n    A couple of things that I would like to learn this morning, \nthis afternoon. First of all, I would like to get an idea of \nthe scope of the potential problems. How is this data going to \nbe able to be used to affect our lives? And secondly, I would \nlike to understand what makes sense, in terms of how data \naccess and data use can and should be restricted. And I want to \nthank you all. You represent organizations that collect data \nand use data, so you are on the frontlines.\n    And with that I will yield back.\n    I yield back the balance of my time.\n    [The prepared statement of Mr. McNerney \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Boucher. Thank you very much. The gentleman from Ohio, \nMr. Space, is recognized for two minutes.\n\nOPENING STATEMENT OF HON. ZACHARY T. SPACE, A REPRESENTATIVE IN \n                CONGRESS FROM THE STATE OF OHIO\n\n    Mr. Space. Thank you, Chairman Boucher. I would like to \nthank Chairman Rush and Ranking Members Radanovich and Stearns \nfor convening our subcommittees today to discuss online and \noffline collection and use of consumer information.\n    I was struck, in reviewing our witnesses' testimony, that \nthere seems to be limitless sources for information on \nconsumers, publicly available data, data volunteered by \ncustomers, and data collected from customer-facing businesses. \nTaken individually, each of these datasets provides a partial \npicture of a consumer. However, when these datasets are \ncombined, retailers and data brokers can cobble together a \nfairly complete customer profile.\n    And I find this fascinating. I certainly understand the \nbenefits that such datasets can provide to businesses, \nespecially small businesses, as highlighted by, and I hope I \ndon't get this wrong, Ms. Bougie. With a name like Space, I can \nfeel your pain. And to the extent that customer profiling can \nembrace or enhance commerce, I believe such data gathering is \nan important tool.\n    However, as outlined by our witnesses, there are also some \nconcerning possibilities about and regarding abuse of this \ninformation. It seems like common sense that there should be \nsome protections built in to shield mentally ill citizens, for \nexample, from repeated, unsolicited, targeted marketing.\n    The bottom line is that consumer datasets, compiled from \ninformation gathered online and offline, and the handling of \nsuch data, remain largely unregulated. This strikes me as being \nthe Wild West of e-commerce. So that we have some critical \ninterests to consider, and I welcome the continued discussion \non this issue.\n    I look forward to working on this matter with my \ncolleagues, and I yield back. Thank you, Mr. Chairman.\n    I yield back the balance of my time.\n    [The prepared statement of Mr. Space \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Boucher. Thank you very much, Mr. Space. The gentleman \nfrom Connecticut, Mr. Murphy, is recognized for 2 minutes.\n\n      OPENING STATEMENT OF HON. CHRISTOPHER S. MURPHY, A \n    REPRESENTATIVE IN CONGRESS FROM THE STATE OF CONNECTICUT\n\n    Mr. Murphy. Thank you, Mr. Chairman. Thank you for the \nhearing, to our chairmen and our ranking members.\n    Certainly, I think as we spend more time online, this issue \nof what data is being collected about each of us is \nincreasingly critical. And I think we can all agree that most \nconsumers would prefer to have a clear understanding of what \ninformation is being collected, and how it is being used.\n    But to some degree, I also believe that these consumers, if \nthey think that the data collection is unobtrusive and \ninoffensive, and if it is being used, I think this point is \nimportant, if it is being used to give them information or \nopportunities that are relevant to them, that are catered to \ntheir interests, I think a lot of folks will take lesser \noffense to that type of data collection. Certainly, this is all \npredicated on a system that consumers can trust and verify.\n    Beyond this, I am interested today, and I hope the \nwitnesses might elaborate on this, how the information that we \nare talking about today is being used to direct consumers to or \nadvertise on sites that might engage in the pirating of legal \ncontent. Because we know there are a vast number of sites \navailable to users whose business model is developed on \nproviding pirated content to individuals, sometimes for a \nprice, and sometimes, because they are supported by ad revenue \nfor free.\n    In combating piracy, it seems that we should look at how \ninformation derived from consumers is then being used to place \nadvertisements, or direct individuals to places where we know \nillegal activity is occurring.\n    I hope to explore this issue in greater detail. I look \nforward to testimony and to listening to the questions. I thank \nthe chairman and yield back.\n    I yield back the balance of my time.\n    [The prepared statement of Mr. Murphy \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Boucher. Thank you very much, Mr. Murphy. The gentleman \nfrom Georgia, Mr. Barrow, is recognized for 2 minutes.\n\n  OPENING STATEMENT OF HON. JOHN BARROW, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF GEORGIA\n\n    Mr. Barrow. I thank the chair. I want to welcome all of the \nwitnesses today.\n    I especially want to welcome Professor Chris Hoofnagle, \nwhom I remember from many, many, many years ago, when I had the \nprivilege of representing him as a county commissioner. It was \nobvious to me he was going places, then. I just wished I could \nstick around for the ride.\n    Mr. Chairman, I am pleased our subcommittees are meeting \ntoday to discuss the issue of online and offline data \ncollection, and the commercial use of consumer information for \nthe purpose of delivering targeted advertising.\n    I have no doubt that sharing consumer information offers \nbenefits to all of us. The benefits pretty much sell \nthemselves, at least, somebody can sell them. It is the costs \nthat I am worried about.\n    As information brokerage continues to expand, it becomes \nmore important than ever that we draw the line between enhanced \ndata collection methods on the one hand, and unwarranted breach \nof personal privacy on the other.\n    In September, this committee was able to mark up H.R. 1319, \nthe Informed Peer-to-Peer User Act, which I co-sponsored with \nCongresswoman Bono Mack. That bill tackles the privacy and \nsecurity risks that come with peer-to-peer file sharing \nprograms. I see the work that we are doing here today as a \ncontinuation of that effort, to protect personal privacy \nwithout discouraging market and technological innovation.\n    I want to thank Chairmen Rush and Boucher for their \nleadership in addressing this issue. With that, I yield back \nthe balance of my time.\n    I yield back the balance of my time.\n    [The prepared statement of Mr. Barrow \nfollows:]*************** COMMITTEE INSERT ***************\n    Mr. Boucher. Thank you very much, Mr. Barrow.\n    Members having had an opportunity, now, to make opening \nstatements, we turn to our panel of witnesses, and I would like \nto welcome each of you here this afternoon, and thank you for \ntaking the time to share your view on this subject of great \ninterest to all of us here.\n    Just a brief word of introduction about each of our \nwitnesses. Mr. Chris, excuse me, Hoofnagle is the Director of \nInformation Privacy Programs at the University of California \nBerkeley School of Law. Mr. George Pappachen is the Chief \nPrivacy Officer at Kantar/WPP. Jennifer Barrett is the Global \nPrivacy and Public Policy Executive at Acxiom. Zoe Strickland \nis the Vice President and Chief Privacy Officer for Wal-Mart \nStores, Incorporated. Michelle Bougie is the Senior Internet \nMarketing Manager for LearningResources.com, and \nEducationalInsights.com. Pat Dixon is the Executive Director of \nthe World Privacy Forum.\n    Without objection, each of your prepared written statements \nwill be made a part of our record of proceedings today, and we \nwould welcome your oral summaries.\n    And in the interests of time, because we are not sure when \nwe are going to have recorded votes that may command our \npresence on the floor for an extended period, we would ask that \nyou try to keep your oral summaries to approximately 5 minutes.\n    So, Professor Hoofnagle, with that admonition, I will be \nhappy to begin with you.\n    Mr. Professor. Chairmen----\n    Mr. Boucher. Pull that microphone fairly close, and be sure \nto turn it on.\n\n STATEMENTS OF CHRIS HOOFNAGLE, DIRECTOR, INFORMATION PRIVACY \nPROGRAMS, UC BERKELEY SCHOOL OF LAW; GEORGE V. PAPPACHEN, CHIEF \n   PRIVACY OFFICER, KANTAR/WWP; JENNIFER T. BARRETT, GLOBAL \n PRIVACY AND PUBLIC POLICY EXECUTIVE, ACXIOM; ZOE STRICKLAND, \n VICE PRESIDENT, CHIEF PRIVACY OFFICER, WAL-MART STORES, INC.; \n      MICHELLE BOUGIE, SENIOR INTERNET MARKETING MANAGER, \n  LEARNINGRESOURCES.COM AND EDUCATIONALINSIGHTS.COM; AND PAM \n         DIXON, EXECUTIVE DIRECTOR, WORLD PRIVACY FORUM\n\n                  STATEMENT OF CHRIS HOOFNAGLE\n\n    Mr. Hoofnagle. Thank you. Chairman Boucher and Ranking \nMembers Radanovich and Stearns, and honorable members of the \ncommittee, thank you for holding this hearing today on an often \noverlooked issue in consumer protection.\n    While we have debated online privacy issues for the past \ndecade, little attention has been focused upon how businesses \ncollect, use, and disseminate information collected in offline \ncontexts, for instance, at stores, at the point of sale, \nthrough surveys, sweepstakes, catalog sales, and the like.\n    I first approached this issue from a civil liberties \nperspective. About six years ago, I started highlighting the \nrelationships between offline marketing companies and the \ngovernment. As Mr. Markey noted in his opening statement, he \nsaid that Americans would never allow the government to collect \nso much information about them. However, I found that many \ngovernment agencies had simply outsourced their information \ncollection activities on citizens by hiring marketing \ncompanies. Offline marketing companies had data on almost every \nAmerican adult, and they had created techniques to analyze the \ndata that could be adopted to law enforcement and intelligence \nneeds.\n    More recently, my work has focused upon consumer protection \nin the offline marketplace. For some time, I tried to call \nattention to the sale of personal information about consumers \namong companies. I would find data cards, which are offers to \nsell personal information databases and put them online. These \nlists included databases that described consumers in pejorative \nways, and I would key up my first exhibit.\n    This is a list of so-called impulsive consumers. It is \ndifficult to read on the screen, but it is included as Appendix \n2 in my testimony. The data marketplace has greatly outpaced \nlegislative and regulatory interventions to protect consumer \nprivacy.\n    For instance, in California, legislators acted quickly to \nblock phone companies from creating a wireless 411 database. \nThis would be a service to look up cell phone numbers. However, \nin focusing upon phone companies, California legislators missed \nthe mark. Several data companies with no consumer relations \nwhatsoever now market cell phone databases and other databases \nthat list unlisted and private phone numbers.\n    Appendix 2 of my testimony gives an example of one that is \ncollected through the phone numbers that are given when you \norder pizza, and this is my second exhibit. This is an \ninformation service that claims to get unlisted and cellular \ntelephone numbers by collecting them from pizza delivery \ncompanies.\n    This brings me to a central point of my testimony today. \nAmerican privacy law allows most offline businesses to sell \ncustomer data without giving the consumer notice or an \nopportunity to object. My public opinion research at UC \nBerkeley has focused upon whether consumers understand this. \nThe findings are clear. Americans falsely believe that they \nenjoy a right of confidentiality with most businesses. This \nexplains why they do not ask for privacy policies at the \nregister, or opt out to information collection. They \nincorrectly assume that privacy law prohibits the use of their \npersonal information. American don't understand that the burden \nis upon them to object.\n    The lack of a legal framework that governs information \ncollection and use offline leads to practices that Americans \nwould object to, if they knew about them. I detail two in my \nwritten testimony. First, data companies use confidentiality \nagreements to keep information sharing secret. This means that \nif an advertiser wants to buy personal information about a \ngroup of people, the seller of the data binds the advertiser to \nconfidentiality.\n    Database companies prohibit their clients from telling \ncustomers how data were acquired, what data were acquired, and \nwhat categories the consumer has been placed in. This means \nthat if you go to a business and ask how did you get my \ninformation, the advertiser is contractually required to say we \ncannot tell you. This is part of a larger strategy that leaves \nconsumers in the dark about information selling practices.\n    Second, in the offline context, and increasingly, in the \nonline world, companies are using enhancement. This is the \npractice of buying additional data about existing consumers. \nSo, for instance, have you ever been at a store, and have the \ncashier ask you what your phone number is?\n    If you share your phone number, that gives that retailer \nthe ability to reverse lookup your name and home address. Some \nof these problems could be solved with what I call data \nprovenance, the ability to determine from where data was \ncollected, and the rules and context governing its collection.\n    Since I have just ten seconds left, I would like to thank \nthe committee again for holding this hearing, and I look \nforward to your questions.\n    [The prepared statement of Mr. Hoofnagle \nfollows:]*************** INSERT 1 ***************\n    Mr. Boucher. Thank you very much, Mr. Hoofnagle. Mr. \nPappachen.\n\n                STATEMENT OF GEORGE V. PAPPACHEN\n\n    Mr. Pappachen. Chairman Boucher, Chairman Rush, Ranking \nMembers Stearns and Radanovich, and members of the \nsubcommittee, thank you for this opportunity to discuss an \nissue that is of critical importance to the businesses that I \nrepresent.\n    My name is George Pappachen, and I am the Chief Privacy \nOfficer of Kantar, a division of WPP. As I have been doing in \nexternal venues and industry forums on issues of privacy and \npublic policy, I am delighted to represent the interests of \nboth Kantar and WPP here today.\n    Utilizing information to become as relevant as possible to \nconsumers, and to transform the marketplace of products and \nservices to be responsive to consumer needs, attitudes, and \nbehaviors is at the heart of our business model. As you can \nappreciate, catering to consumer preferences on a continuous \nbasis is simply not possible without the ability to collect or \nhave access to reliable data and actionable insights.\n    The dialog taking place today is important, not only for \nthe purpose of awareness and understanding of industry \npractices, but also, to grant perspective on our shared respect \nfor consumers. Getting it right with regard to our interaction \nwith consumers is an essential element of business success for \nus. Our brands, and the client brands that we represent, have \nspent decades building trust with consumers and within the \nmarketplace. Our involvement is really a continuation of that \ncapital investment.\n    Kantar is one of the world's largest insight, information, \nand consultancy networks. Covering 80 countries and across the \nwhole spectrum of research and consultancy disciplines, we \noffer clients insights at each and every point of the consumer \nor customer cycle.\n    Our services are employed by a majority of Fortune 500 \ncompanies, domestic and foreign governmental entities at all \nlevels, and almost every kind of brand that seeks to \ncommunicate to or have a relationship with consumers. We \nconduct market research, media measurement, which essentially \nmeans, for example, how many, knowing, measuring how many \npeople watch TV, versus watch mobile TV, versus watch TV \nonline. And we house consulting and specialty services that run \nthe spectrum from brand value to retail, to healthcare, to \ngovernment service management.\n    WWP is the world's leading communications services group. \nThrough its operating companies, the group provides a \ncomprehensive range of advertising and marketing services.\n    Kantar is a research and consultancy arm of WPP, and houses \nrenowned brands, such as Millward Brown, TNS, Added Value, and \nDynamic Logic. Other segments of WPP are creative agencies, \nsuch as Ogilvy and JWT, who create advertising, media agencies \nor other segments, like GroupM, which buy and sell advertising, \nand our public relations and public affairs firms, many of whom \nhave a strong presence right here in D.C.\n    Helping clients manage communications has certainly become \nmore challenging in the recent past, due to audiences being \nmore fragmented across the range of media platforms and \ndevices. And challenging also, because of media convergence, \nthe idea that although people are using different devices to \naccess content, or to communicate, these platforms can be \ninterlinked or overlapped, because of unifying digital \nlanguage.\n    Simply put, whereas consumers were confined to a limited \nnumber of channels broadcast over a handful of distinct \nplatforms, such as TV, new media has allowed a proliferation of \nchannel choices. Staying ahead of these market shifts, so that \nwe continue to deliver best-in-class services to our clients, \nwho trust us with their investment and advertising and \nmarketing, is a matter of high priority for us.\n    Consistent with that is our commitment to provide consumers \nwith brand experiences that are relevant and responsible. As \nnoted earlier, Kantar provides market research services, and \nthey use a variety of methods to accomplish this objective. \nMarket research is the voice of the consumer, the user, the \ncitizen, or the donor. As you can surmise, market research \nfuels a variety of commercial and governmental services.\n    Researchers use various methods of data collection. \nCertainly, there are parts of the world where data collection \nis primarily done offline, via telephone interviews, mall \nintercept surveys, paper diaries, et cetera. However, in the \nU.S. in particular, much of our research is now conducted \nonline, online panels, sometimes dedicated to single sectors \nsuch as healthcare, web intercept surveys, where consumers are \ninvited in real time, online, to give opinions, online \ncommunities, and various other methods are routinely employed.\n    Some methods utilize cookies or tracking technologies to \ndiscern ad exposure, understand site visitation and other \nmetrics. Passive tracking technology has positively impacted \nmarket research, in that it allows shorter surveys, and for \nrespondents to not have to observe total recall on all media \nmatters.\n    It is often said that interactive platforms permit greater \ncustomization for the user, and better measurement for the \ncontent of service providers. I would agree with that, from an \naspirational and inherent capability perspective. While the \npromise of customization and improvement measurement is real, \nand progress is encouraging, I believe the medium is still \nmaturing, and still only on its way to fulfill on potential.\n    Earlier this year, the Federal Trade Commission released \nits staff report on online behavioral advertising, and this \nsummer, a coalition of industry trade associations, which \nincluded the Interactive Advertising Bureau, 4A's and several \nothers, and various businesses, they put forward a self-\nregulatory framework, to address the issues raised by \nCongressional and regulatory concerns.\n    Our companies, like 24/7 Real Media and GroupM, have taken \nan active role in the coalition work, but we haven't stopped \nthere. We took up the challenge to produce market models, to \nwork out the implementation needs of the proposed self-\nregulatory scheme. We established a cross-WPP leadership team \nto develop and test tools, actual tools, which provide enhanced \nnotice and greater transparency about online tracking.\n    We have sought to collaborate with technology firms and \nothers, who would introduce real solutions for implementing the \nfull elements of the self-regulatory framework.\n    While behavioral advertising is one way to build a more \ncustomized user experience, there are still many other \ninnovations the web enables in this area. Some of them employ \ndesigns that don't necessarily require tracking behavior or \nactivity across multiple sites, whereas others do.\n    It is really the vibrancy of the Internet that allows the \nvariety of the models that we see today. It is terrific.\n    Mr. Boucher. Mr. Pappachen, if you could wrap up. You are \nwell over a minute beyond your time now.\n    Mr. Pappachen. Traditional and relevant standards, such as \npersonally identifiable information and sensitive data \nclassifications have certainly helped chart the regulatory \nframework of the online media, and I think has a role to play \ngoing forward.\n    I am of the firm belief that proactive privacy is possible \nin all areas I have discussed, and that it can be accomplished \nwithin a self-regulatory framework.\n    Building trust with consumers is a primary tenet of any \nsuccessful business, and we are committed to contributing to a \nsuccessful formula. I am encouraged by the steps that Members \nof Congress, and particularly those in these two subcommittees \nhave taken to explore the topic of consumer data collection and \nuse.\n    I thank the subcommittee for allowing me this time to put \nforth our position, and I would look forward to staying engaged \nand active in the ongoing conversation.\n    [The prepared statement of Mr. Pappachen \nfollows:]*************** INSERT 2 ***************\n    Mr. Boucher. Thank you, Mr. Pappachen.\n    We have two recorded votes pending on the floor of the \nHouse. We are going to hear from Ms. Barrett, and then, the \nsubcommittee will briefly recess, while we respond to those \nvotes.\n    We will pick up when they are concluded.\n    Ms. Barrett.\n    Ms. Barrett. Thank you, Chairman Boucher, Ranking Member \nRadanovich.\n    Mr. Boucher. And could you pull the microphone very close, \nplease? Thank you.\n\n                STATEMENT OF JENNIFER T. BARRETT\n\n    Ms. Barrett. Members of the subcommittee. Thank you the \nopportunity to share Acxiom's perspective.\n    First, let me say we are in strong support of appropriate \nuse of consumer information. Protecting privacy has been a \npriority for us for decades. Use of consumer information to \ndefraud, discriminate, embarrass, or harass consumers is \ninappropriate, and should be illegal, as it already is in many \nsituations.\n    However, consumer data make a significant contribution to \nour Nation's economy, growth, and stability. For 40 years, \nAcxiom has been a market leader in responsibly providing \ninnovative marketing services and data solutions to help our \nclients deliver better products and services, smarter, faster, \nand with less risk.\n    Marketing services are 70 percent of our revenues, and data \nsolutions are the remaining 30. Our marketing services are \nspecialized computer services that help businesses, nonprofits, \nand political organizations manage and use their customer \ninformation. Although e-commerce has greatly increased the \navailability of products for consumers, it has also introduced \nnew risks that make a trusted relationship more important, and \nmore difficult.\n    We help clients accurately identify a particular individual \nand integrate their information across multiple lines of \nbusiness and varied points of contact. Our email and mobile \nmessage delivery services help our clients respect consumer \npreferences while complying with various laws like CAN-SPAM.\n    Our data solutions, on the other hand, provide marketing \nintelligence and support for identity and risk management \ndecisions. We deliver actionable information not readily \navailable to our clients, to help fill an important gap between \nknowing what their customers bought and knowing what they like, \nhow they spend their time, and how they feel about certain \nissues.\n    Untargeted interactive communications are the junk mail of \nthe digital age, yet this advertising has funded much of what \nconsumers enjoy most about this interactive experience. \nConsequently, the real winner in the appropriate use of \nconsumer information is the consumer. In the offline world, \nAcxiom operates in a fully personally identifiable realm, but \nin the online world, until the consumer chooses to identify \nthemselves to a Web site or an interactive device, Acxiom's \nsolutions, in Acxiom's solutions, the consumer remains \nanonymous.\n    We obtain the data we bring to market from several hundred \ncarefully chosen sources. It falls into three general \ncategories. Public records and publicly available data provides \nnames, contact information, and some demographic information, \nthat come from public directories and other state and local \nregistries. Responses to surveys and questionnaires provide \nadditional demographic, lifestyle, and interest data. Finally, \nAcxiom acquires some data directly from consumer-facing \norganizations.\n    For marketing purposes, consumers are given notice and \nchoice about their data being shared with parties like Acxiom. \nWe use only very general summary data, that would indicate \ncertain lifestyles or interests.\n    For our identity and risk solutions, the focus is on \nidentifying data, which in some instances, actually comes from \nheavily regulated industries. It is important to note that \nAcxiom does not collect online browsing or search activities on \nconsumers.\n    We have a culture of respecting consumer privacy. Our own \nguidelines are more restrictive than laws or industry \nstandards. We offer an opt-out from any or all of our marketing \nsolutions, and access and correction in our identity and risk \nsolutions.\n    Before I close, I want to clear up two common \nmisconceptions. First, Acxiom does not have one big database \nthat contains detailed information about everybody. Instead, we \nhave many databases designed to meet very specific needs or our \nclients. Second, no marketing information we provide to clients \ncan be used for decisions of credit, insurance underwriting, or \nemployment.\n    The environment in which data is collected and our clients \ncommunicate with their customers has changed a lot in our 40 \nyears. Online is no longer separate and distinct from the \noffline, mobile, or interactive TV world. Also, privacy is a \nvery contextual issue, and varies by application, while \ndifferent individuals feel very differently about it.\n    The committee's greatest challenge is to identify where \npractices should be regulated by laws, versus what should be \ncovered by interim self-regulation or best practice. \nComplicating your task is anticipating what changes technology \nmight alter, either in the benefits or the risks.\n    Similar analysis is taking place across the world, but at \npresent, no one can claim to have developed a truly workable \napproach. While the committee considers additional regulation, \nwe should be clear about the extent of harm, or market failure \nit believes has occurred, and look for the least restrictive \nalternative. Informational hearings help inform all parties \nwhere policymakers' concerns lie, and where industry needs more \nproactive initiatives. However, if privacy laws overreach, \neveryone suffers, including our economy.\n    Mr. Chairman, we thank you for the opportunity to be here \ntoday, and are available to answer any other questions.\n    [The prepared statement of Ms. Barrett \nfollows:]*************** INSERT 3 ***************\n    Mr. Boucher. Thank you very much, Ms. Barrett. We are going \nto stand in recess for what will approximately be a half-hour. \nIt may be a bit shorter than that, depending on how quickly the \nvote goes.\n    So, stay close, don't venture far, and as soon as we \nreturn, we will pick up our hearing.\n    [Whereupon, at 1:23 p.m., the subcommittee recessed, to \nreconvene at 1:58 p.m.]\n    Mr. Boucher. The committee will reconvene, and thank you \nfor your patience during our absence.\n    We continue, with testimony from our expert panel this \nafternoon, and we are pleased to hear from Ms. Strickland.\n\n                  STATEMENT OF ZOE STRICKLAND\n\n    Ms. Strickland. Good afternoon. Thank you, Chairman Rush. \nAnd thank you for inviting Wal-Mart to participate in today's \nhearing on online and offline privacy.\n    My name is Zoe Strickland, and I am Wal-Mart's Chief \nPrivacy Officer. For us, good privacy is good business. As the \nlargest retailer and private employer in the U.S., with \napproximately 140 million customers shopping in our U.S. stores \nevery week, Wal-Mart considers an array of privacy issues on a \ndaily basis.\n    Unlike companies that interact with customers or other \nbusinesses primarily online, Wal-Mart approaches privacy from a \nvery broad perspective. Wal-Mart operations cover almost every \nconceivable privacy topic, channel, and geographical region.\n    Given the depth and breadth of Wal-Mart's understanding of \nconsumer privacy issues, we appreciate the committee including \nWal-Mart in today's discussion, and would encourage you to \nengage other similarly situated companies. It is imperative \nthat as privacy rules are developed, legislators take the time \nto fully understand the impact to consumers that have both \nonline and offline relationships with companies.\n    Wal-Mart supports a principle-based approach to privacy, \nrather than a focus on one particular technology or activity. \nAs an example of a principle-based approach, this summer, we \nupdated our customer privacy policy for Wal-Mart operations. \nThe updated policy is based on the Fair Information Practice \nPrinciples, as well as industry standards and global \nguidelines.\n    Our goal was to make it transparent, meet best practices, \nand to be integrated across all business units. To further \nincrease transparency, we included a summary notice that links \nthrough to the detailed policy. The new privacy policy provides \ncustomers more control over their data. Some examples are \ncreating a preference center that allows customers to tell us \ndirectly their preferences regarding direct marketing and data \nsharing for marketing purposes, establishing a stricter \nstandard for data uses customers typically consider more \nsensitive, Wal-Mart uses opt-in for telemarketing and data \nsharing, providing additional or enhanced opt-out mechanisms, \nsuch as for email ratings and online behavioral advertising, \ngiving customers greater access to their own information, and \nfinally, providing more options to submit questions and \nconcerns.\n    This initiative gave us further insight into how to focus \non underlying privacy principles, and then, to operationalize \nthem. With regard to online behavioral advertising, Wal-Mart \nprovides clear notices and opt-outs, consistent with the FTC \nself-regulatory principles, as well as industry best practices.\n    Equally important, in our view, we integrated our approach \ninto our larger view of privacy in both the online and offline \nworlds. When and how is it appropriate to give notice? When and \nhow should consumer choice be offered?\n    We do believe notice and choice are still central privacy \nprotections, even if further protections are warranted. We \nthink our experiences with the use of electronic product code \ntechnology, EPC, is a useful example that demonstrates how a \nbroader, principle-based approach is appropriate and needed.\n    At the simplest level, EPC is a next generation barcode. \nCurrently, EPC is primarily used to track certain cases and \npallets in the supply chain. When EPC may be offered on \nindividual products on the sales floor, future, potential \ncustomer benefits are real and direct. Examples include \nreceipt-less returns, product authenticity, traceability, and \nfood and product safety.\n    Even though EPC tags in retail contain no personal data, we \nare building in privacy protections. As a cornerstone of EPC \ndevelopment, Wal-Mart is designing its use to enable choice. \nEPC tags will be easily removable from the product or its \npackaging, such as by placing it on the price tag. If EPC tags \nused by the retail industry are ever embedded, we will offer a \nmechanism to disable the tag. We believe that choice is \nabsolutely the right model for this technology.\n    Some, perhaps most consumers will appreciate its benefits. \nSome will not, but ultimately, consumers should be able to \nchoose which they prefer.\n    A challenge, of course, is how to provide appropriate \nnotice. This covers both how consumers know this technology is \nin operation, and also know what this technology actually \nmeans. A variety of methods and channels are possible, \nincluding notices on products themselves, notices on or in \nfacilities, and Web site information. You could see how a \ndebate that focuses solely on notices provided on Web sites, \nlike pop-ups, would miss the boat for this technology.\n    In conclusion, Wal-Mart interacts with consumers \nfrequently, and in every conceivable way. A uniform, or at \nleast consistent privacy framework, that includes standards \nsuch as consumer choice is effective for both consumers and \nbusinesses.\n    A privacy regime based on a set of core principles will be \nsufficiently flexible to be applied in multiple contexts. \nConsumers deserve to know what to expect with regard to how \ntheir information is being collected and used, where they may \nobtain further details if they desire, and how they can make \nappropriate choices regarding the use of their data or \ntechnology.\n    Thank you again for the opportunity to testify today. We \nlook forward to continuing to work with you, and I am glad to \nanswer any questions.\n    [The prepared statement of Ms. Strickland \nfollows:]*************** INSERT 4 ***************\n    Mr. Boucher. Thank you very much, Ms. Strickland. Ms. \nBougie.\n\n                  STATEMENT OF MICHELLE BOUGIE\n\n    Ms. Bougie. Thank you, Mr. Chairman and members of the \nsubcommittees. My name is Michelle Bougie, and I am the Senior \nInternet Marketing Manager of Learning Resources, Incorporated, \nof Vernon Hills, Illinois, a small business manufacturer and \ndistributor of classroom materials and educational toys.\n    We sell both business to business and business to consumer, \nmaintaining an extensive Web site and e-commerce store, as well \nas undertaking an active direct mail program for schools, \nteachers, and consumers.\n    In our business, the protection of consumer information is \nparamount. We have long maintained a detailed privacy policy, \nwhich is posted prominently on our Web site. Our commitment to \nthe protection of consumer privacy is voluntary, but it is also \nrequired in the marketplace. Self-regulation by industry and \nmarket standards works effectively, and I urge you to be \ncautious in regulating the use of consumer data to avoid \nunintended consequences, that might put small businesses at a \npermanent market disadvantage, by preventing us from using \ntechnology to grow and expand.\n    In the last 12 years, I have worked with literally dozens \nof companies in various capacities relating to the use of \nconsumer data. In my experience, industry voluntary privacy \nstandards have been universally adopted and are a regular \nelement of any commercial transaction, online or offline. \nPrivacy is a routine and fundamental part of good business \npractices involving the sharing and use of consumer data today.\n    Industry voluntary privacy standards were developed to meet \nconsumer expectations, and to match best practices from \ntraditional direct mail. Companies who do not participate in \nself-regulatory practices, such as protecting consumers' \nfinancial information, or fail to follow opt-out instructions, \nare blacklisted by consumers.\n    As we all come to understand, the consumer is now more \npowerful online. Consumers use the power of social media to \nwarn others about Web sites that offend or use bad practices. \nConsumers will, likewise, use the same tools to promote \nbusinesses that use best practices.\n    It is important to recognize the collection and use of \nconsumer data is essential to improving the consumer experience \nonline. Cookies and other tracking means were developed to make \nit possible to make targeted product and service offers that \nmatch consumer needs. This sophisticated information gathering \nprocess has created a $300 billion industry and 1.2 million \njobs. We must be careful not to endanger this major source of \njobs and enhanced consumer choice.\n    Consumers can control the collection of consumer data in \nmany important ways. Many companies like ours offer the right \nto opt out for consumers, and choose to not participate in our \nmarketing activities.\n    Opt-out options are far superior to opt-in options, both \nfrom the standpoint of businesses and consumers. Businesses \nprefer opt-outs, because they believe that few consumers will \never opt-in, as fear alone discourages most people from opting \nin. Consumers have already experienced an online world filled \nwith opt-ins. In the early days of the Internet, featured \ncautious approaches by Web sites with many opt-in choices. \nConsumers were prompted to accept Web site terms before \nentering, a practice that turned off many consumers at the \nearly online experience, moved at a glacial pace, slowing the \nonline purchase process for customers, and lowering revenues \nfor businesses.\n    Consumers have ways to control the collection of data. \nInternet browser software can notify consumers of cookies, \nActiveX controls, or other means of data collection. In order \nto maximize the speed and pleasure of their online experiences, \nmany consumers turn off these warnings.\n    Again, consumers and businesses are making these privacy \noptions and choices without the need for federal regulation. We \nbelieve that regulation of consumer data may sharply curtail \nour ability to grow, both online and offline. Small businesses \ndon't generate enough leads to keep customer lists fresh and \ngrowing. We must have access to market data to find new \ncustomers.\n    Likewise, consumers need us to promote our products and \nservices, because without this marketing, small businesses are \njust too hard to find.\n    In our ability to collect and use this data is curtailed, \nwe are vulnerable to large businesses gaining an effective \nmonopoly on consumer identities and preferences. Large \nbusinesses, with high web traffic, or many storefronts, have \nthe means to generate and use consumer data for prospecting, to \nremain dominant. Small businesses will lose this game every \ntime.\n    I urge you to be cautious and to carefully avoid unintended \nconsequences. The Internet is a huge job creator, and one of \nthe great drivers of today's complex and rapidly evolving \neconomy.\n    A one size fits all solution is very dangerous in an \neconomy of this complexity. We believe the new legislation \nshould take a crawl, walk, run approach, focusing on the most \nsensitive data, such as financial information or healthcare \ndata, and relying on opt-out mandates for routine commerce. By \ntaking such a prudent approach, Congress can ensure that small \nbusinesses do not find themselves in a permanent federally \nmandated market disadvantage.\n    Thank you for considering my views on this subject. I am \nhappy to answer any questions.\n    [The prepared statement of Ms. Bougie \nfollows:]*************** INSERT 5 ***************\n    Mr. Boucher. Thank you very much, Ms. Bougie.\n    Ms. Bougie. Thank you.\n    Mr. Boucher. Ms. Dixon.\n\n                     STATEMENT OF PAM DIXON\n\n    Ms. Dixon. Thank you. I would like to thank the chairmen \nfor inviting me here today. I am Pam Dixon. I am Executive \nDirector of the World Privacy Forum.\n    We are a nonprofit, public interest research group, based \nin California. We focus on in-depth research of privacy issues.\n    The online and offline collection of information from \nconsumers matters, because it impacts our lives, whether we \nknow it or not. In the past, consumers have been told, you \nbetter watch out, because you have got to act a certain way, \nbecause something might go in your permanent record. We heard \nthis in school, when we were young. But today, because of the \nlarge commercial databases, and those activities related to \nthose commercial databases, we have a new kind of permanent \nrecord. I call this the modern permanent record.\n    This is a permanent record compiled from rich online and \noffline resources, and it can be used to deny or offer \nbenefits, services, and goods and information to consumers.\n    What I would like to do is talk about how these commercial \ndatabases can be used to create a very detailed picture of a \nconsumer, and what that picture can do to a consumer's life. \nAnd to do that, I would like to walk you through how the modern \npermanent record is created and used.\n    So, first, one source for the modern permanent record is \nmarketing lists and databases. These are typically sourced from \nhighly identifiable data. We are not talking about pseudonymous \ndata residing on a hard drive somewhere. We are really talking \nabout data where someone knows your name.\n    If you can look at the monitor, you will see a list of 20 \nmillion consumers. This is an ailments list, and it is a data \ncard that is being sold on consumers. It lists detailed \ndemographic information, and it also lists the various diseases \nthat they have. This list is an unregulated list. It is outside \nof HIPAA, because these people gave their information up in \nsome way or another, sometimes with more knowledge than \nanother.\n    In the next list, you will see it is a list of mental \nhealth sufferers. This is a list of 3 million consumers who \nlanded on a telemarketing list, or a list like this, and it \ntalks about 2 million with anger, antisocial diseases, ADD, \nADHD, autism, bipolar, and so forth. And the company says these \npeople, marketing to them is, they are extremely receptive to \nany campaign, because they suffer from various mental problems.\n    And the real impact of these kinds of lists, that are so \nunregulated, is being seen already today. It is not \ntheoretical. So, for example, one 91-year-old elderly vet was \nprofiled in the New York Times. He landed on one such list, and \nwhat happened is his, he filled out a sweepstakes form, and he \nlanded on a telemarketing list. It was sold, and as a result of \nbad actors purchasing the list, he was bilked of his life \nsavings. And this gentleman, once he was on the list, he had no \neffective rights to remove himself from the list, or mitigate \nthose issues.\n    Another way that the modern permanent record is created is \nthrough what I call non-Fair Credit Reporting Act databases, or \nnoncredit databases. These are databases that have rich scores \nof information in them. However, they may, even if they have \nidentical information to what could be contained in a database \nsubject to the FCRA, they are not subject to the FCRA, because \nthey are used for different purposes.\n    An example of this is the Badcustomers database, and we \nhave a screenshot of that Web site. That Web site says: ``Are \nyour purchasing transactions being denied? Find out if you have \nbeen blacklisted before it is too late.'' This database has 6 \nmillion consumers on it right now, and it has only been in \nexistence for about a month. And the way consumers land on this \ndatabase is that they dispute charges to their credit account.\n    Now, if that sounds familiar, it is because identity theft \nvictims must dispute charges on their credit cards to move \nforward with their lives. So, these are the kinds of databases \nwhere yes, you disputed a charge, but what does that actually \nmean? Was it because you were a victim of fraud, or because you \nwere a bad actor? This is a very difficult thing.\n    The third way that the modern permanent record is compiled \nand created is through a newer type of database, behavioral and \ntransactional databases. These are the databases that put the \n3-D into the consumer. They provide the real detailed picture \nof the consumer, and put flesh on the bones of the consumers.\n    An example of this is eye gaze tracking cameras in retail \nstores. These cameras are not visible to consumers. What they \ndo is they track, basically, the number of consumers that have \nwalked by certain points in the store. They also identify what \nthe consumer is looking at, and for how long. But what has \nhappened, at least in the past year, is that this type of \ntechnology has been also combined with facial recognition \ntechnology. So, what happens is that the consumer walking down \nthe store, who is being captured by the eye gaze tracking \ncamera is also recognized and then marketed to.\n    Now, that is a practice that is in use today. Everything \nthat I have told you is in use today, and it is not \ntheoretical. So, the question this committee has to face is, is \nit worth the risk involved to consumers, when you have these \nlarge, aggregated pictures of consumers that can define their \nlives. Is it worth that risk to leave them unregulated?\n    And I would argue that the modern permanent record, unless \nthere are substantive rules of the road that govern how the \nmodern permanent record is used, that will really creating a \nsituation where there is going to be car accidents and pileups.\n    As consumers become more aware of the threat of how a \nmodern permanent record can potentially be used in their lives, \nI think we really enter a situation where it can chill \ncommerce, and really chill people's lives and inhibit them.\n    A good example of this can be found through Cox \nCommunications. They offer a digital telephone service. That \ndigital telephone service is then subject to detailed analysis, \nand what it does is it analyzes the numbers of, the phone \nnumbers that you call and who calls you. Well, there is nothing \nwrong with that, but what if you have a family member who is a \ndeadbeat? What if you have a friend who is a deadbeat? What \ninference is drawn on you based on those phone calls?\n    So, what does that do to your permanent record, your modern \npermanent record, and that is really the question that we need \nto look at, and we need to answer, in terms of policy creation.\n    Thank you for your time, and I look forward to any of your \nquestions.\n    [The prepared statement of Ms. Dixon \nfollows:]*************** INSERT 6 ***************\n    Mr. Boucher. Well, thank you very much, Ms. Dixon, and the \ncommittee's thanks to all of our witnesses for your informative \ntestimony today.\n    I am going to ask a brief question, and I would appreciate \na brief answer. And I will ask each of you just to respond to \nthis in perhaps 15 seconds or less.\n    Assuming that we adopt a set of new privacy protections, \nshould we apply those both with regard to online and offline \ntransactions? Ms. Dixon.\n    Ms. Dixon. Yes, I believe you should, because the offline \ncollection of data is highly identifiable, and it can include \nbiometric information, name, health information, and other \ninformation that is entirely unregulated.\n    Mr. Boucher. Thank you. Ms. Bougie.\n    Ms. Bougie. I would say it can't be a one size fits all. \nOnline information is different in many cases than offline, and \nso, I would recommend that we just be very cautious, because in \nthe case of the small business, it would really restrict our \nability ultimately to prospect with web searches and things \nlike that.\n    Mr. Boucher. So, you are not saying apply it online only, \nyou are just saying be careful about how you apply it to both.\n    Ms. Bougie. Be very careful, because again, the unintended \nconsequences of what----\n    Mr. Boucher. I understand.\n    Ms. Bougie. --would happen.\n    Mr. Boucher. All right. Thank you. Ms. Strickland.\n    Ms. Strickland. Yes. Wal-Mart does favor a principle-based \napproach that doesn't focus on one particular technology, and I \nthink it is very hard to draw a line that clearly separates \nonline from offline.\n    A lot of services now are both online and offline, so I \nthink a broader view is needed.\n    Mr. Boucher. OK. Ms. Barrett.\n    Ms. Barrett. Yes, Chairman. I think the----\n    Mr. Boucher. Microphone, please.\n    Ms. Barrett. Can you hear me now?\n    Mr. Boucher. Yes.\n    Ms. Barrett. OK. Yes, we think it should be not limited to \nonline, but a broader perspective, but I would echo my \ncolleagues' remarks about some of the nuances regarding what is \npractical to do in an online world, and what is not practical, \nor might need to be dealt with differently in an offline world.\n    Mr. Boucher. All right. Thank you. Mr. Pappachen.\n    Mr. Pappachen. I would agree with the tenor of the comments \nso far, that convergence, as we have seen, would dictate that \nwe have a more broader application. The nuances of the \napplication should be carefully observed, but a broader \napplication is correct.\n    Mr. Boucher. OK. Mr. Hoofnagle.\n    Mr. Hoofnagle. I think the answer is, it depends. Offline \ndata collection is a little different, and----\n    Mr. Boucher. Microphone closer, please.\n    Mr. Hoofnagle. My answer would be, it depends. It depends \non the substantive protections built into the bill, and whether \nthey are appropriate in the offline context.\n    Mr. Boucher. All right. Mr. Hoofnagle, let me pose my \nsecond question to you.\n    You have performed, and we are aware of your study, that as \nI understand it, finds that two-thirds of the American public \ndoes not favor the receipt by them of tailored advertising. And \ngiven the benefits of tailored advertising that many on our \npanel have stressed here today, what do you think we might be \nable to do, that could change that number, and persuade more \npeople that not only is it not harmful, but perhaps even \nbeneficial to the receipt of that advertising to receive it?\n    Mr. Hoofnagle. That is a great question, Mr. Chairman.\n    Mr. Boucher. And pull the microphone closer, please.\n    Mr. Hoofnagle. We were surprised by the answer that so many \nAmericans say that they principally reject tailored advertised, \nand troubled by that result, because it is clear that tailored \nadvertising does have advantages for consumers and for \nbusinesses.\n    But we think also that consumers might have a lot of \nanxiety around information collection. They might not want \ninformation collection in one context to follow them into \nanother. So, for instance, the targeted ads that you get at \nhome when you are using the Internet for personal purposes \nmight, consumers might not want that to bleed over to how they \nuse the computer in the workspace.\n    I think that if there is greater transparency and rules \naround data collection, it might change that number, and more \npeople might----\n    Mr. Boucher. So, let me just cite an example. Let us \nsuppose that we adopt a law that says that any entity that \ncollect information from a customer, whether that collection be \nonline or offline, provide to the customer a thorough \ndescription of what information is collected, a thorough \ndescription of how that information is used, and then provide \nan ability, through a series of opt-in and opt-out \narrangements, depending on what the information is, and how it \nis used, for that customer to be able to control the use, or \nperhaps control the collection of the information itself.\n    If we provide that set of consumer guarantees, what do you \nthink that might do to persuade more people that having \ninformation collected for the purpose of tailored advertising \nis, perhaps, advantageous to them, or at a minimum, have them \nbe willing to acquiesce in it?\n    Mr. Hoofnagle. That is an interesting approach. I would \npoint out that our survey shows that people already assume that \nthere are opt-in standards in place. Americans assume that they \nhave a right of confidentiality in the marketplace.\n    Mr. Boucher. So, they are making that assumption, even when \ntwo-thirds of them say they don't want the tailored \nadvertising.\n    Mr. Hoofnagle. That is right, and they are----\n    Mr. Boucher. And if they knew the truth, that they really \ndidn't have even the measure of control they think they do, \nthat two-thirds number might even be higher is what you are \nsaying.\n    Mr. Hoofnagle. I think that consumers have a lot of anxiety \nin this area, and that might be one of the reasons why they are \nexpressing that level of objection.\n    My collaborator and I, Joseph Turow at the University of \nPennsylvania, argued that notice and opt-out might not be the \nmost optimal approach, because consumers do not read privacy \nnotices. They already assume that protections are in place. \nOpt-out, too, can be problematic. We argued that policymakers--\n--\n    Mr. Boucher. You mean opt-in can be problematic?\n    Mr. Hoofnagle. Opt-in can be manipulated as well, and in \nfact, we explicitly said that the right answer is not just to \ngo to opt-in. We discussed the idea of there being mandatory \nretention ceilings, so that information would have to be \ndeleted after a certain amount of time.\n    Mr. Boucher. After a certain period of time.\n    Mr. Hoofnagle. And that would allow targeted advertising, \nbut it wouldn't allow kind of a permanent profile.\n    Mr. Boucher. Let us suppose, just for the sake of this \nquestion, that we do those things, and that we have retention \nlimits, full disclosure, a set of opt-in and opt-out \nopportunities to control what happens, do you think that \ninstills a greater amount of confidence in the American public \nthat the online experience is secure, and to the extent that \nthey are engaging in offline transactions, that they have more \ncontrol over their privacy?\n    Mr. Hoofnagle. I think it would. It would----\n    Mr. Boucher. Do you think it might enhance commerce, if we \ndid such a thing?\n    Mr. Hoofnagle. Yes, sir. I think it would be----\n    Mr. Boucher. All right. My time has expired.\n    Mr. Hoofnagle. OK.\n    Mr. Boucher. Thank you for your answers. Those are very \nhelpful. Mr. Radanovich.\n    Mr. Radanovich. Thank you, Mr. Boucher. And appreciate the \npanel of witnesses. Earlier, in my opening testimony, I talked \nabout, there was one point that, you know, people, about the \ndelivery of a catalog to your doorstep, and I expounded on a \nlittle bit extemporaneously, because I remember in the past, \nwhere the holidays would come around, or an event would happen \nin my family, and all of a sudden, you don't have one magazine \nor a catalog, you have got 10 or 15. Incredibly frustrating.\n    And what was more frustrating was the hassle it was to get \nthese people to shut it down, if that is, because I didn't want \nthem, and it just didn't--and I know that my following question \nwill not speak to the issue of the collecting of private data, \nbut it does speak to the issue of a person's ability to control \nwhat happens in their home.\n    And so, I want to ask each member of the panel. You know, I \ndon't want to interrupt free commerce and trade, and as long as \nthe boundaries are proper, I think it is good. But I am all \nfor, in a number of ways, making sure that a family's home, to \nbe politically correct, is its castle, and that the people in \ntheir homes have as much ability to control what drops on their \ndoorstep, what pops up on their video, you know, their computer \nscreen and such.\n    Can you, is there anybody that can explain to me ways that \nthe industry could look to provide people with, really, a lot \nof ease in their households, to be able to shut this stuff down \nif they want to? I mean, I have got to think, if I was the \nfather of a new child, I may or may not appreciate the fact \nthat I got a hundred catalogs in there, on how to buy a baby \ncrib, and want to shut it down. But if I shut it down, I might \nthink oh, gosh, maybe I do want that information. I would like \nto see that control in the home.\n    Has anybody given any thought to how you can shut that \ndown, or ways to make it easier to do that? And I will just \nopen it up to the panel.\n    Ms. Barrett, if you would.\n    Ms. Barrett. Yes. I would point to the new self-regulatory \nguidelines that the Direct Marketing Association put into place \nlast year, where you can go to their Web site, and you can opt \nout from all marketing communications, or you can pick certain \ncompanies that you can, even if you have a customer \nrelationship with that company, and say I don't want to receive \nmarketing communications from you.\n    I think this is a big step in the right direction, and one \nthat is probably not as well known as it ought to be.\n    Mr. Radanovich. And it is not as well known as it ought to \nbe, if I heard that right.\n    Ms. Barrett. Correct.\n    Mr. Radanovich. Correct. Yes. Ms. Dixon.\n    Ms. Dixon. Thank you very much. The self-regulatory \napproach has merit. The problem is, is that it is just the good \ncompanies that are following the rules that typically join the \nself-regulatory efforts. And they are always the ones who, you \nknow, you call and they stop sending the catalogs.\n    It is the bad actors, and that is why I think that a \nbroader approach could be very useful in really curtailing \nthis.\n    Mr. Radanovich. A more regulatory approach.\n    Ms. Dixon. That is correct.\n    Mr. Radanovich. Yes.\n    Ms. Dixon. And I think that one of the things to look at is \nlooking at some data rights that are not identical to the Fair \nCredit Reporting Act, because it would be extraordinarily \ncomplex to do, but look at that, and saying what can we learn \nfrom that statute and apply to this area? Is there a way that \nconsumers could have a regular, you know, standardized way of \nfinding out what lists they are on, and seeing that \ninformation, making sure it is accurate, seeing that it is not \nretained for the duration of their lives, and so on and so \nforth.\n    I think that that approach would require a lot of \ndiscussion and very serious thought, but has merit.\n    Mr. Radanovich. OK. Thank you. Ms. Bougie, I wanted to ask \nyou a couple of questions. In your testimony, you mentioned the \none size fits all approach to this whole thing. Do you have any \nsuggestions on what appropriate regulation might be, then, if \nit is not one size fits all?\n    Ms. Bougie. Well, our concern for the one size fits all \napproach is that the business concerns of small business are, \nexcuse me, sorry.\n    Mr. Radanovich. There you go.\n    Ms. Bougie. Our concern with the one size fits all approach \nis that business concerns of a small business are vastly \ndifferent from those of a large corporation. So, this narrow \nview would restrict us, with very few options.\n    The online options help, because it helps level the playing \nfield. And if regulations restrict online behavior as an \nadvertising option, or the ability to prospect or gain email \naddresses, we will be left basically, our list will slowly, \nslowly go away.\n    Mr. Radanovich. Right.\n    Ms. Bougie. But I believe by allowing voluntary privacy \nstandards with marketing data to continue, and we focus on the \nregulations of financial and medical, that it is going to be \nmore advantageous for small business, and allow technology to \nprosper as it should.\n    Mr. Radanovich. OK. Ms. Strickland.\n    Ms. Strickland. Thank you very much. I also would like to \necho her remarks about the one size fits all, and I think that \nis true, not just for small companies and large companies, but \nthis debate we are having about online and offline as well. So, \nas we think about what appropriate notice is, that will be \ndifferent on a Web site than, as you might imagine, in a store. \nYou are not going to have the ability to have the depth and \nlevel of information in a store notice, necessarily.\n    So, as we think about how do we do a principle-based \napproach, how do we make it flexible enough that it will work \nin a variety of contexts, a variety of technology, and a \nvariety of companies.\n    Mr. Radanovich. All right. Thank you.\n    Mr. Pappachen. I would just add that, two things. One \nthing, consumer expectation with regard to medium should play a \nrole when you are looking at the issue of notice and/or \nconsent. The second thing is, I think businesses, who are in \nbusiness because they are effective at communicating certain \nmessages to consumers towards the ends that they want, should \nbe involved in the process, towards the ends that we are \nlooking at here.\n    Mr. Radanovich. All right. Thank you very much. Thank you. \nThank you, Mr. Chair.\n    Mr. Boucher. Thank you, George. Mike?\n    Mr. Doyle. [Presiding] Ms. Barrett, I understand your \ncompany, Acxiom, has roughly 1,500 pieces of data on every \nAmerican. So, I am a male, I live in Pittsburgh, I am 56 years \nold. That is three data points, three pieces of information \nabout me. That means there is roughly 1,497 data points left.\n    So, just between you and me, what else do you know about \nme?\n    Ms. Barrett. Good question, and I appreciate your asking \nit. When we talk about 1,500 potential data points, what we are \nreferring to is the different possibilities of information we \nmight have about an individual.\n    And to give you an example, we have over 600 different \nlifestyle and interest categories. No one has all 600 \nvariables. I happen to like to bicycle and cook and read, so \nthat is 3 out of 600 for me.\n    Mr. Doyle. So, that is all part of the 1,500.\n    Ms. Barrett. So, that is all part of the 1,500.\n    Mr. Doyle. OK.\n    Ms. Barrett. So, I would say an average person may have 20 \nor 30 or 40.\n    Mr. Doyle. Let me ask you some more questions, and they are \njust simple yes or no answers. So, could you send me a \nstatement with everything you know about me?\n    Ms. Barrett. We offer access to the data. We have two kinds \nof data. We have data that we use for marketing, and data we \nuse for identity management and risk decisions. And the answer \nto your question is yes, for the data in the risk decision \ncategory, and we will send you a summary of the data in the \nmarketing category.\n    Mr. Doyle. So, could I log onto your Web site and see what \nothers know about me, and what you sell to other people about \nme?\n    Ms. Barrett. No, we do not.\n    Mr. Doyle. No, that is fine. No is fine. Can I log onto \nyour Web site, or can you send me a letter telling me who you \nsold my information to?\n    Ms. Barrett. I am sorry, who sold?\n    Mr. Doyle. Who you sold my information to? Could you tell \nme who you sold my information to?\n    Ms. Barrett. We do track all of the sales that we make.\n    Mr. Doyle. But could you give me that information? If I \nwanted to know who you sold my information to.\n    Ms. Barrett. We do not provide that information to \nconsumers.\n    Mr. Doyle. Thank you. Can I choose to delete certain \ninformation that you have about me if something is old or out \nof date, or doesn't apply to me anymore?\n    Ms. Barrett. Yes.\n    Mr. Doyle. And how would that process work? How would I go \nin there and do that?\n    Ms. Barrett. You would contact us, and ask if it is the \nmarketing data, you would ask for the data to be deleted, and \nactually, we will remove the entire record, if you wish. On the \nrisk side of the house, you can do it element by element, and \npick and choose the elements that you wish to have corrected.\n    Mr. Doyle. Very good. So, I can be completely removed from \nyour database if I want, every trace about me gone, if I just \ncall you and say I want everything you have about me erased. I \ncan do that?\n    Ms. Barrett. You can do that for our marketing products. We \ndo not allow you to erase or remove all the data from our risk \nproducts. Those are the ones, and identity management products. \nThose are the products that catch the bad guys, and we don't \nlet the bad guys opt out of that data.\n    Mr. Doyle. So, tell me, I am curious. Where do you get all \nthe information you have about me? Where does it all come from? \nWhere do you get it from?\n    Ms. Barrett. It comes from three primary sources. The first \nis public records and publicly available information. The \nsecond is surveys that consumers fill out, and volunteer \ninformation about their interests and life.\n    Mr. Doyle. Like warranty cards?\n    Ms. Barrett. Warranty cards is just one small part. And the \nthird category is information from companies that have a \nrelationship with you, and have given you notice and choice \nabout the fact that your data may be shared with another party, \na third party like Acxiom.\n    Mr. Doyle. So, do you sell medical or other sensitive \ninformation that is attached to personally identifiable \ninformation? Do you sell that?\n    Ms. Barrett. We do not sell what we call sensitive \ninformation in any of our marketing products. Medical data, \nunless it is self-reported by the consumer, we would have no, \npersonal health information is regulated by HIPAA in any of our \nmarketing products.\n    Mr. Doyle. What is the minimum information you need to \nidentify someone? How many data points do you need to identify \nsomeone?\n    Ms. Barrett. A name and address would be the baseline.\n    Mr. Doyle. So, with two data points, you can pretty much \nidentify anyone?\n    Ms. Barrett. Well, we can, it depends on what we are using \nthat information for. If we are using it for marketing, that \nmay be sufficient to say we don't want to market to this person \nor we do.\n    If we are actually using data for an identity application, \nwe would need more data points----\n    Mr. Doyle. I see.\n    Ms. Barrett. --to verify that you are who you really claim \nto be.\n    Mr. Doyle. Tell me, do you audit the companies that buy the \ninformation from you? I mean, do you make sure they lock it up \nproperly, that they use it for what they say they want to use \nit for?\n    Ms. Barrett. For any company that buys any kind of \nsensitive data from us, we do both an onsite inspection, and an \naudit of their practices, to make sure that they are going to \ntreat that information responsibly. For data, for companies \nthat buy non-sensitive information from us, we go through a \ncredentialing process, which makes us comfortable that that \ncompany is a legitimate entity, and that they will respect the \nterms of our contract, and keep the information confidential.\n    Mr. Doyle. And our committee has had several hearings about \ndata security and online security. Have you had any security \nbreaches?\n    Ms. Barrett. We had an incident back in 2003, where one of \nour external servers was hacked. And we used it to transport \ninformation back and forth between our clients. But \nfortunately, we had had a policy on that server that any \nsensitive information needed to be encrypted, and so, no \nconsumers were put at risk as a result of that incident.\n    Mr. Doyle. How would you inform a consumer whose \ninformation had been compromised? What would your procedure be?\n    Ms. Barrett. Well, it would----\n    Mr. Doyle. Or do you do it?\n    Ms. Barrett. Well, it would depend on whose data the \ninformation was. If it was Acxiom's data, because we have both \nour own data products that we sell in the marketplace, and we \nalso provide computer services for clients, who are hosting and \nhousing their data on our computers. If it was Acxiom's data, \nwe would be responsible for the notification. If it was \nclient's data, we would work with that client, to make sure the \nconsumers were notified.\n    Mr. Doyle. Thank you. Just one final question, for Mr. \nDixon and, I am sorry, Ms. Dixon and Mr. Hoofnagle. It is clear \nthat vast amounts of personal information about individual \nconsumers are collected, aggregated, analyzed, and sold for a \nvariety of commercial purposes.\n    In response, some people say so what. If a person likes to \nski, but is mistakenly identified in the database as an angler, \nand received offers or coupons for fishing equipment, what is \nthe harm? Ms. Barrett recommended, in her written testimony, \nthat before we engage in additional regulation, we should \narticulate the extent of the harm.\n    So, I want to ask Ms. Dixon and Mr. Hoofnagle, can you \nplease answer that question? Where is the harm to the \nconsumers? And also, I want to give you a chance to maybe just \nreact to my line of questioning to Ms. Barrett, and whether you \nhave any thoughts on that. If you think this is what Americans \nexpect, and what kind of rules of the road do you think we \nshould put in place?\n    Mr. Stearns. That is a lot of questions.\n    Mr. Doyle. I know, and I am going to get to you, Cliff, and \nbe mighty generous with your time. Go ahead.\n    Ms. Dixon. Thank you for your question.\n    A couple of thoughts. First, I want to talk about the harm, \nand then, I would like to respond to the line of questioning.\n    Mr. Doyle. Yes.\n    Ms. Dixon. Your question. The one thing is that is quite \nclear is that the companies, when they discuss these issues, \nyou will hear companies talk about the benefits of having this \ninformation available. And there is no question that there are \nbenefits. I don't think anyone is arguing about the benefits. \nWe know there are benefits.\n    The problem is, is that there are, indeed, also harms. So, \nfor example, it is the shadow side of all of this. The same \ninformation, we saw it on badcustomers.com database, the same \ninformation that is used to target advertising is also used to \ndeny transactions of consumers who have done, disputed charges.\n    So, you have the same information being used for completely \ndifferent purposes. Once the information is compiled, you \nreally lose the ability to determine how that information will \nbe used, and in all the contexts that it will be used, unless \nit is covered under the Fair Credit Reporting Act. But what we \nhave been talking about here today are all non-FCRA uses of the \ndata, and also, all non-HIPAA uses of the data. So, it is \nreally outside of regulation.\n    The second thing would be inaccuracies, outdated \ninformation, and again, incorrect inferences. I think that when \nyou have these very clear pictures of consumers, you really do \nget locked into a bit of a pictorial box. Here is what consumer \nX or Y looks like. Here is how we are going to treat this \nconsumer.\n    We are familiar with the situation where people were not \nallowed to vote because they landed in certain databases. Some \nof this information was incorrect. So, we are talking about \nsubstantive rights that can be impacted here. So, it is the \npicture of the consumer. Is this the right picture? If it is \nnot, how do we correct that?\n    Mr. Doyle. I am so far over my time. I am just going to ask \nMr., for a quick response, and then we will get to the next \nwitness.\n    Mr. Hoofnagle. I will be quick. I would turn the harm \nquestion around, and say, and ask retailers questions like why \nare they trying to re-identify consumers without telling them \nabout it?\n    So, I detailed in my testimony the example of one company \nthat will ask for your zip code at the register. If you give \nyour zip code, they will combine it with your name from a \ncredit card swipe, and then, they will go out and get your home \naddress. Why not just ask the consumer can we have your home \naddress? The fact that so much of this data collection occurs \nin secrecy, I think is, speaks to the harm issue.\n    Mr. Doyle. Thank you very much. My time has long since \nexpired, and I am going to yield now to my good friend from \nFlorida, Mr. Stearns.\n    Mr. Stearns. I thank you, Mr. Chairman. I just compliment \nyou on your rapid fire questions. You got a lot of questions in \nthere, and I am impressed.\n    I went to Drudge and I deleted all my cookies, and so, I \ncame back the next day to go on Drudge, and it wouldn't go \nforward until it allowed me to put these cookies back on. I had \nto put on 17 cookies.\n    I went to the Gmail to do my Gmail, and I deleted all the \ncookies. Same thing happened there. So, that is an awful lot of \ncookies that I don't know what is going on, and this is for \nGeorge Pappachen.\n    In your testimony, you mentioned the use of passive \ntracking technology, including cookies, in current studies. I \nguess your holding company is WPP, is that it? Yes. Use these \npassive tracking technologies. What do these tracking \ntechnologies do? I am a consumer. You are tracking my cookies. \nSo, what are you looking for, and is the information you get \nuseful, and what is it?\n    Mr. Pappachen. Right.\n    Mr. Stearns. Just pull the mike up a little closer.\n    Mr. Pappachen. Sure. Passive tracking technologies can be \nutilized in different ways. A couple of the ones that I cited \nin my written testimony is, one, ad exposure, the fact that you \nwere exposed to a certain ad.\n    Mr. Stearns. Can you tell that from a cookie, that I was \nexposed to an ad?\n    Mr. Pappachen. Yes, you can tell which ad you----\n    Mr. Stearns. So, when I get an ad on Drudge for a car or \nfor a book, that is based upon my previous search engines on \nDrudge or Google, and so, you get from those cookies, you read \nthose cookies and say, oK, Stearns went to Amazon.com, he went \nto these sites and these sites. You find that all out.\n    Mr. Pappachen. Right. Well, it wouldn't be as far as going \nto search, or there might be some categories where you might \nnot have availability to track or know what the consumer \nengagement was, but there are, on a larger scale, there is the \npractice of tracking exposure to advertising, so that you are \nnot burdened with excessive advertising of the same kind, or--\n--\n    Mr. Stearns. And you sell this to the advertisers to tell \nthem, this is how effective you were or not?\n    Mr. Pappachen. Right. So the idea is to understand how they \nperformed, whether we are being relevant or not, similar to how \nwe would do it with TV, or in another forum.\n    Mr. Stearns. As a customer, do you make the customers aware \nof this? In other words, let us say you are doing this on me, \nhow would I find out that you are doing it, and what you are \ndoing?\n    Mr. Pappachen. Sure. One thing we have been actively \nencouraging and working on is proactive privacy. The Privacy \nIcon project that we were involved in is about allowing for an \nenhanced notice to consumers. That then gives them disclosure.\n    Mr. Stearns. But you are not now doing it.\n    Mr. Pappachen. It is a self-regulatory initiative that is \nunderway. We are definitely doing the best standards or best \npractices of informing about our practices within privacy \npolicies and wherever else we can, but we are encouraging that \nthe industry absorb an enhanced notice under a self-regulatory \nframework, that allows for disclosure that may be more relevant \nto them, that we were being told is important for consumers.\n    So, we are trying to respond in a way that allows for \nconsumers to have transparency, but then allows for business to \nhave, work in the way that it traditionally has, to be \neffective in their communications.\n    Mr. Stearns. You know, we tried to pass a spyware bill here \nin the Energy and Commerce. We just couldn't get the Senate to \nagree. And within that spyware, there was a study that Mr. \nDingell put in to look at cookies and the impact.\n    Do you think the privacy bill should have anything \napplicable to cookies that come into the computer?\n    Mr. Pappachen. I think that, regulating technology is a \ntricky thing, as we have often heard.\n    Mr. Stearns. That is what I mean, yes.\n    Mr. Pappachen. I don't think technology is necessarily the \nenemy. I think we can talk about the uses of it. I think we can \ntalk about how we disclose how we are using it. We can talk \nabout how we give over the levers of control about how we can \nuse it.\n    Mr. Stearns. You said, you discussed a technology developed \nin 2007, one of your subsidiaries, Safecount, that allows users \nto see not only what tracking cookies are on their computer, \nbut what data they are collecting, but also, where the tracking \ncookies came from. So is that in practice, that Safecount, is \nthat being used?\n    Mr. Pappachen. That is right. Consumers can have insight \ninto what cookies there are on their browser, from Safecount, \nand also, which ad it was spawned from.\n    Mr. Stearns. Has this Safecount program been given to other \ncompanies, besides WPP?\n    Mr. Pappachen. It certainly could be. It is a, what I said \nin my written statement is that we have seen other, larger \nactors now going in that direction. It was in support of the \nidea that self-regulation can work.\n    We have seen other actors going towards providing access to \nthe interests and profiles that they build online, and letting \nconsumers have some control over whether those interests are \nbuilt, and what those interest groups, they would want to \nbelong to or not.\n    Mr. Stearns. Do you think we should prevent spyware?\n    Mr. Pappachen. I am sorry, sir. I didn't get the last part.\n    Mr. Stearns. Do you think we should prevent spyware, in \nCongress?\n    Mr. Pappachen. I think spyware by, again, it would matter \nwhat we define as spyware, but spyware, if it means something \nthat consumers did not transparently get notice of and consent \nto, and it engages in activity that that would not want, yes, I \nthink it should be prohibited.\n    Mr. Stearns. OK. Ms. Barrett, Mr. Doyle talked to you \nabout, he asked a series of questions, and he said will you \ntell me this information, and you said, we will not tell you \ninformation about risk product? Is that correct?\n    Ms. Barrett. We will tell you. We will show you exactly \nwhat we have in our risk and identity management products, yes.\n    Mr. Stearns. But he said, can I get all of it, and you said \nno, I thought.\n    Ms. Barrett. For the marketing products?\n    Mr. Stearns. Yes.\n    Ms. Barrett. We offer a summary of the information, not the \ndetails.\n    Mr. Stearns. And some of the information you won't provide, \nand why would that be? Because it is proprietary information \nthat you have developed, that you have a proprietary interest \nin, is that, perhaps, why?\n    Ms. Barrett. No, it is the fact that the information is not \ncommonly requested at an individual level, and so, we have not \nput the systems in place to go retrieve it, and look at it on \none person. Marketing applications look at the data in \nthousands or tens of thousands or millions of records at a \ntime.\n    Mr. Stearns. He had also asked a question about regulating \nonline collection and use of data, should be clear about the \nextent of the harm we are seeking to address. Do you believe \nthat harm exists in online data collection, or is it a risk of \nharm?\n    Ms. Barrett. I think that there is the potential for harm \nin almost any data collection. I think it speaks to how do we \nuse information, and where can we define risk under, in certain \nuses, and then, how can we develop guidelines that either \nprevent or mitigate against that risk, relative to that use?\n    And for example, I might point out some of the self-\nregulatory guidelines that have been put in place. For \ninstance, for marketing, by the Direct Marketing Association \nand the Internet Advertising Bureau, and the Network \nAdvertisers Initiative. Those are three different groups that \nhave defined different kinds of guidelines, relative to \ndifferent marketing activities.\n    Mr. Stearns. This is the last question, Mr. Chairman. This \nis the more tough, you know, here we are trying to legislate a \nprivacy bill. What harm should this privacy bill address, then? \nI mean, can you say that concisely?\n    Ms. Barrett. Well, I think that is the challenge, is \ndefining exactly what are the harms that----\n    Mr. Stearns. Yes.\n    Ms. Barrett. --consumers are at risk of.\n    Mr. Stearns. Yes.\n    Ms. Barrett. My panelist down here, Ms. Dixon, mentioned \nsome of the things, in terms of denying consumers substantive \nbenefits, and I think that might be an area to explore. It is \ncertainly not an area that we see in the marketing arena, but \ninformation that is used outside of simply trying to reach you \nwith a relevant communication well might present some harms to \nthe consumers. And those should be explored.\n    Mr. Stearns. Thank you, Mr. Chairman.\n    Mr. Doyle. Thank you, Mr. Stearns. The chair now recognizes \nMr. Inslee.\n    Mr. Inslee. Thank you, Mr. Hoofnagle. I was looking at a \ndocument attached, I think to your testimony from the Vente \nCompany, which shows lists of, is this your information?\n    Mr. Hoofnagle. It is.\n    Mr. Inslee. Yes. So, it shows this company, it appears that \nthey sell lists of people who have certain conditions. So, \ncancer prostate, it shows they have 125,400 names of people who \nhave cancer of the prostate.\n    Is that, do I read this right? This company will tell you \nwho has cancer of the prostate?\n    Mr. Hoofnagle. I think you are referring to two different \nportions of my appendix here. One is the ailments, diseases, \nand illness sufferers mailing list, which is sold by a company \nthat is a member of the Direct Marketing Association.\n    The Vente list is the addiction responders list, and it \nadvertises who is struggling with an addiction to gambling, \nsex, or food. Who just can't say no to drugs, alcohol, or \ntobacco. Millions of America, and Vente has them.\n    Mr. Inslee. So, Vente has the names of people who have had \nan alcohol problem, then, and they sell those names, is that \nright?\n    Mr. Hoofnagle. That is what their advertising claims.\n    Mr. Inslee. And typically, where do they get the \ninformation that a person has had an alcohol problem?\n    Mr. Hoofnagle. The sources are likely to be self-reported. \nSo, for instance, if a consumer fills out a survey, and checks \na box saying that I have struggled with alcoholism, that is \ninformation that could be bundled and resold, in this type of \ncontext. It would not come, for instance, from a healthcare \nprovider. So, this would be, it could be a product loyalty \ncard, that is associated with purchases, or self-reported data.\n    Mr. Inslee. So, let me ask you about the other document. \nLet us talk about cancer of the prostate. This other document \nsuggests that there is a database of people suffering from a \nwide variety of ailments, diseases, illnesses, and medical \nconditions. Included are cancer of the prostate, there is \n125,400 names, as I understand that.\n    Does this group sell names of people with that condition?\n    Mr. Hoofnagle. This information is personally identifiable. \nSo, it is name and address, and then, if you look along the \nright hand side at the first page, there are what are known as \nselects, which means that for extra money, you can buy their \nage, ethnicity, sex, whether they are a homeowner, et cetera.\n    Mr. Inslee. And where, typically, would this company have \nreceived the information, the personally identifiable \ninformation of the people who have cancer of the prostate?\n    Mr. Hoofnagle. With respect to this list, its provenance is \nclaimed to be a lifestyle questionnaire. So, an example would \nbe, you are walking through the mall and someone stops you and \nsays, will you fill out this survey, and we will give you a \ngift card, or we will give you something free. If you fill out \nthat survey, it could end up in a database like this, and there \nis no right to notice. They don't have to give you notice that \nthey are selling the data. They don't have to give you access, \net cetera.\n    Mr. Inslee. So, they don't have to tell you that it could \nbe used by someone who has got a grudge against you, and wants \nto publicly divulge that information to embarrass you, then.\n    Mr. Hoofnagle. That is really unlikely in this context?\n    Mr. Inslee. Because?\n    Mr. Hoofnagle. This information is sold in bulk. If you \nlook at the terms, it says $150/m, which means that it is 1,000 \nnames for $150. You could not say to these companies, I would \nlike to know whether Chris Hoofnagle is in the cancer list.\n    Mr. Inslee. Why not? Why couldn't somebody say give me \n$10,000 and tell me all you got on Mike Doyle? Could they \nlegally do that?\n    Mr. Doyle. It wouldn't be worth that much money.\n    Mr. Hoofnagle. These companies are not set up to, at least \nthis type of company, is not architected to sell information \nabout a specific individual.\n    Now, with respect to the pizza delivery exhibit that I \nprovided, where Merlin Data is selling identifiable information \nabout people's homes, their unlisted phone numbers, their cell \nphone numbers, et cetera, that is very different. That is when \nyou say, this is a situation where you say I want information \nabout a specific individual. Do you have it?\n    Mr. Inslee. Thank you. I believe, Ms. Barrett, you were \nAcxiom. Do I have, yes, I am sorry. So, you show a document, I \nam looking at the health buying activity, and they show various \ncodes I am looking. Code 6437 is for health, female wellness. \nCode 6436 is health, diet/weight loss. What would be the \ninformation to generate people's inclusion in those codes? \nWhere would you generate that information?\n    Ms. Barrett. It would come from self-reported or survey \ninformation, where the consumer has indicated that they have an \ninterest in information about that topic. And for the surveys \nthat we use, we require that there be a notice that the \ninformation will be used for marketing purposes to other \nparties, and give the consumer the chance to opt out of that, \nor to come to directly to us, and say I don't want you to use \nthat information.\n    Mr. Inslee. So, if a person visited a Web site selling a \nweight loss product, could their visit to the Web site, to \ntheir opening that page, end up being coded on this in some \nfashion?\n    Ms. Barrett. I don't believe so.\n    Mr. Inslee. And what leads to a little question about that \nin your mind?\n    Ms. Barrett. Well, I am not, I would have to go back and \nlook at all the individual sources that contribute to that.\n    Mr. Inslee. So, is there any legal, let me ask the panel in \ngeneral. Is there any legal prohibition at the moment, if a \nperson visits a weight loss Web site, that provides weight loss \nservices or products. Let us say a person just visits the Web \nsite, opens the page. Is there any legal prohibition of that \nowner of that page disseminating to a data information service \nthe fact that this computer, this identified computer, has \nvisited that site, and then that data collector, being able to \ncollect, if they have some connection to an individual, \nconnecting that to the data. Is there any legal prohibition on \nthat happening right now?\n    Ms. Barrett. There is no legal prohibition, but industry \ncode or conduct, as well as the Direct Marketing Association \nCode, calls for the disclosure of that practice to the \nconsumer, and at least in a privacy policy, if not more boldly \non the page, and then, the chance for the consumer to opt out \nof that disclosure to another party.\n    Mr. Inslee. Ms. Dixon, did you----\n    Ms. Dixon. Thank you. It is a good question. There is no \nlegal requirement for that to happen. And one of the more \ntroubling issues with Web sites is that they are very \ncompelling. You can take, for example, Facebook surveys, where \nespecially children, teens, and young adults will just go in, \nand they are very inured to giving out certain information, \nsuch as about anorexia and other, you know, topics they talk \nabout online now.\n    They will give the information out, and these notices can \nbe quite small, and they don't see them. And then, their \ninformation gets sold. So, it is not just that you visited a \nweight loss Web site. It is that you visited the site, then you \nfilled out your name and, perhaps, gave them your email, and \nthen, that can be further associated downstream, and used in \ncollaboration and linked with other data.\n    But in some cases, the information is so identifiable, it \ndoesn't even need to be linked. When you look at these really \nscary lists of ailments, you have prostate cancer, the mental \nhealth lists, these people are known by name, because they have \nfreely given their name.\n    And one of the really difficult questions, I think, that \nthis committee faces is that the opt-in opt-out model is very \nchallenging, because it is so challenging to educate consumers \nabout well, what does giving your name on such a Web site \nactually mean to you? Are you opting in? Do you really know \nwhat you are opting into? Because, for example, the mental \nhealth lists. Those people gave that information up in some \nway, typically, through some kind of Web site or survey or a \nsweepstakes. And did they really, truly know and comprehend the \nfull consequences of their actions? It is a tough question.\n    Mr. Inslee. Thank you very much.\n    Mr. Doyle. Thank you, Mr. Inslee. The chair recognizes Mr. \nRush.\n    Mr. Rush. Thank you, Mr. Chairman. I just have some \nquestions. I know that the time is quickly passing by, and I \njust have some questions for the panel. Now I, something that I \nwill just ask Professor Hoofnagle about this, some questions.\n    Professor Hoofnagle, we don't need to look at any further \nthan Acxiom's data products catalog or the Nextmark Web site \nreferenced in your testimony, to see that companies are \ncollecting and selling personal information about individuals, \nthat many Americans consider sensitive, such as their race, \nethnicity, religious affiliation, and political affiliation, \nnot to mention information on a wide range of sensitive health \ntopics and medical conditions, including addictions, sexual \ndysfunction, viral disorders, body odor, obesity, infertility, \nand menopause. This list can go on and on and on. A lot of \nsensitive information. Are any topics off limits for commercial \nuse, or is the general rule that if information exists, collect \nand sell it?\n    The next question is, if we can agree that some categories \nof data should be off limits, or require heightened levels of \nconsumer consent, how do we define that category of sensitive \ndata?\n    Mr. Hoofnagle. Mr. Chairman, those are two very good \nquestions. If I could address the second one first. I have \ntried to move away from the opt-in opt-out question, because \nframing rights in that way can easily be manipulated. It is \neasy to trick people into opting in, and conversely, it is easy \nto make it so people will not opt out.\n    So, I have suggested several other interventions. One is \nhaving the data disappear after a certain amount of time. So, \nif you have an upward data retention limit is one way of doing \nit. But there are other tools from the advertising world that \ncan be used.\n    One example is advertiser liability. So, for instance, in \nthe telemarketing, spam, and junk fax laws, advertisers can be \nliable if they hire spammers who, excuse me, advertisers can be \nliable if they send out, if they hire someone to send out email \nthat violates the CAN-SPAM law.\n    In this context, you could create liability for people who \nbuy certain lists and abuse them. An example out of Iowa is \nworth nothing. There was a list brokerage company there that \nwas selling a list known as ``elderly impulsive,'' and they \nwere using it to take advantage of senior citizens who had \nproblems remembering, and as a result, were able to architect a \nscam around that.\n    The data seller, I think, should offer some due diligence, \nespecially when there are, using sensitive personal \ninformation. And that can be in reviewing the advertising that \nis ultimately disseminating, or in being responsible if the \nadvertiser ultimately uses the information to take advantage of \npeople.\n    You know, with respect to your first question, the general \nlegal standard in the U.S. is that offline data collection is \nnot regulated by a specific federal privacy law, except in \ncertain areas. Your video rental records, for instance, are \nprotected. Your cable records are protected. But between, in \nall the gaps left by the sectoral laws, there is data \ncollection even on sensitive personal information.\n    Mr. Rush. Thank you. I yield back.\n    Mr. Doyle. Thank you. Well, seeing no more members here, we \nwant to thank all of our witnesses for their testimony today, \nand this hearing is adjourned.\n    [Whereupon, at 3:00 p.m., the Subcommittees were \nadjourned.]\n    [Material submitted for inclusion in the record follows:]\n\n                                 <all>\n\x1a\n</pre></body></html>\n"