[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
H.R. 5777, THE ``BEST PRACTICES ACT,'' AND H.R. ___, A DISCUSSION DRAFT
TO REQUIRE NOTICE TO AND CONSENT OF AN INDIVIDUAL PRIOR TO THE
COLLECTION AND DISCLOSURE OF CERTAIN PERSONAL INFORMATION RELATING TO
THAT INDIVIDUAL
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMERCE, TRADE,
AND CONSUMER PROTECTION
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
SECOND SESSION
__________
JULY 22, 2010
__________
Serial No. 111-147
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
U.S. GOVERNMENT PRINTING OFFICE
78-124 WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.
COMMITTEE ON ENERGY AND COMMERCE
HENRY A. WAXMAN, California, Chairman
JOHN D. DINGELL, Michigan JOE BARTON, Texas
Chairman Emeritus Ranking Member
EDWARD J. MARKEY, Massachusetts RALPH M. HALL, Texas
RICK BOUCHER, Virginia FRED UPTON, Michigan
FRANK PALLONE, Jr., New Jersey CLIFF STEARNS, Florida
BART GORDON, Tennessee NATHAN DEAL, Georgia
BOBBY L. RUSH, Illinois ED WHITFIELD, Kentucky
ANNA G. ESHOO, California JOHN SHIMKUS, Illinois
BART STUPAK, Michigan JOHN B. SHADEGG, Arizona
ELIOT L. ENGEL, New York ROY BLUNT, Missouri
GENE GREEN, Texas STEVE BUYER, Indiana
DIANA DeGETTE, Colorado GEORGE RADANOVICH, California
Vice Chairman JOSEPH R. PITTS, Pennsylvania
LOIS CAPPS, California MARY BONO MACK, California
MICHAEL F. DOYLE, Pennsylvania GREG WALDEN, Oregon
JANE HARMAN, California LEE TERRY, Nebraska
TOM ALLEN, Maine MIKE ROGERS, Michigan
JANICE D. SCHAKOWSKY, Illinois SUE WILKINS MYRICK, North Carolina
CHARLES A. GONZALEZ, Texas JOHN SULLIVAN, Oklahoma
JAY INSLEE, Washington TIM MURPHY, Pennsylvania
TAMMY BALDWIN, Wisconsin MICHAEL C. BURGESS, Texas
MIKE ROSS, Arkansas MARSHA BLACKBURN, Tennessee
ANTHONY D. WEINER, New York PHIL GINGREY, Georgia
JIM MATHESON, Utah STEVE SCALISE, Louisiana
G.K. BUTTERFIELD, North Carolina
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin
Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
CHRISTOPHER S. MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
BETTY SUTTON, Ohio
BRUCE L. BRALEY, Iowa
PETER WELCH, Vermont
Subcommittee on Commerce, Trade, and Consumer Protection
BOBBY L. RUSH, Illinois
Chairman
JANICE D. SCHAKOWSKY, Illinois CLIFF STEARNS, Florida
Vice Chair Ranking Member
JOHN SARBANES, Maryland RALPH M. HALL, Texas
BETTY SUTTON, Ohio ED WHITFIELD, Kentucky
FRANK PALLONE, Jr., New Jersey GEORGE RADANOVICH, California
BART GORDON, Tennessee JOSEPH R. PITTS, Pennsylvania
BART STUPAK, Michigan MARY BONO MACK, California
GENE GREEN, Texas LEE TERRY, Nebraska
CHARLES A. GONZALEZ, Texas MIKE ROGERS, Michigan
ANTHONY D. WEINER, New York SUE WILKINS MYRICK, North Carolina
JIM MATHESON, Utah MICHAEL C. BURGESS, Texas
G.K. BUTTERFIELD, North Carolina
JOHN BARROW, Georgia
DORIS O. MATSUI, California
KATHY CASTOR, Florida
ZACHARY T. SPACE, Ohio
BRUCE L. BRALEY, Iowa
DIANA DeGETTE, Colorado
JOHN D. DINGELL, Michigan (ex
officio)
C O N T E N T S
----------
Hon. Bobby L. Rush, a Representative in Congress from the State
of Illinois, opening statement
Hon. Ed Whitfield, a Representative in Congress from the
Commonwealth of Kentucky, opening statement
    Prepared statement
Hon. Kathy Castor, a Representative in Congress from the State of
Florida, opening statement
Hon. Steve Scalise, a Representative in Congress from the State
of Louisiana, opening statement
Hon. Gene Green, a Representative in Congress from the State of
Texas, opening statement
Hon. Robert E. Latta, a Representative in Congress from the State
of Ohio, opening statement
Hon. Cliff Stearns, a Representative in Congress from the State
of Florida, opening statement
Hon. Joe Barton, a Representative in Congress from the State of
Texas, prepared statement
Witnesses
David Vladeck, Director, Bureau of Consumer Protection, Federal
Trade Commission
    Prepared statement
Leslie Harris, President and Chief Executive Officer, Center for
Democracy and Technology
    Prepared statement
David Hoffman, Global Privacy Officer, Intel Corporation
    Prepared statement
Ed Mierzwinski, Consumer Program Director, U.S. Public Interest
Research Group
    Prepared statement
Ira Rubinstein, Adjunct Professor of Law, New York University
School of Law
    Prepared statement
Jason Goldman, Counsel, Technology and E-Commerce, U.S. Chamber
of Commerce
    Prepared statement
Mike Zaneis, Vice President, Public Policy, Interactive
Advertising Bureau
    Prepared statement
Submitted Material
H.R. 5777
Discussion draft
H.R. 5777, THE ``BEST PRACTICES ACT,'' AND H.R. --------, A DISCUSSION
DRAFT TO REQUIRE NOTICE TO AND CONSENT OF AN INDIVIDUAL PRIOR TO THE
COLLECTION AND DISCLOSURE OF CERTAIN PERSONAL INFORMATION RELATING TO
THAT INDIVIDUAL
----------
THURSDAY, JULY 22, 2010
House of Representatives,
Subcommittee on Commerce, Trade,
and Consumer Protection,
Committee on Energy and Commerce,
Washington, DC.
The Subcommittee met, pursuant to call, at 2:33 p.m., in
Room 2322 of the Rayburn House Office Building, Hon. Bobby L.
Rush [Chairman of the Subcommittee] presiding.
Members present: Representatives Rush, Stupak, Green,
Barrow, Castor, Space, Boucher, Whitfield, Stearns, Gingrey,
Scalise, and Latta.
Staff present: Michelle Ash, Chief Counsel; Timothy
Robinson, Counsel; Marc Groman, Counsel; Will Wallace, Special
Assistant; Brian McCullough, Senior Professional Staff; Shannon
Weinberg, Counsel; Will Carty, Senior Professional Staff and
Counselor; Robert Frisby, FTC Detailee; and Sam Costello,
Legislative Analyst.
OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF ILLINOIS
Mr. Rush. Good afternoon. Today we are pleased to welcome
seven witnesses representing the Federal Trade Commission, the
consumers, industry, especially businesses with an Internet
presence and whose main line of business is to create and sell
advertising. And I would like to thank them for taking the time
out of their busy schedules to share in their perspectives on
consumer privacy as well as to outline their view as
appropriate offline and online business privacy protection and
personal information use practices.
Have you ever been in the midst of a group of people and
heard someone say ``What is said in this room stays in this
room?'' As someone in that room you know just from that
statement that what may be said could be juicy enough,
sensitive enough, or valuable enough to tempt one of the other
persons in that room to violate that compact by leaking that
information to people who are not in the room during the
discussion. And the very utterance of these words evidences a
conscious intent by the participants to set the needed
environmental conditions that will encourage those in the room
to interact freely with one another to share data, share
information without them fearing that that very information
will harm them economically, emotionally, or otherwise at some
point in the future.
As an avid user of the Internet and as a person interested
in technology and communications, and all things visual, I know
there is no free lunch when I go onto the Internet and Web site
and to read or view content, especially when I am not paying
for that content. That Internet Web site and advertisers on the
right, and overhead, and operating costs of that Web site know
that my information whether it can be used to identify who I
am, or whether it gets merged in with other users' information
has substantial value and can be monetized when it is provided
to others.
Before the House was scheduled to adjourn for its August
recess, I for one felt that it was imperative on Monday of this
week to introduce privacy legislation in the form of H.R. 5777,
the Best Practices Act. I also felt it was important that we
quickly hold a hearing in this Subcommittee on the assorted
pros and cons of my bill as well as other issues outlined in
the discussion draft released by Chairman Boucher and Ranking
Member Stearns of the CIT Subcommittee.
The Best Practices Act speaks to a host of issues affecting
consumer privacy, including consumers' expectations as to how
their personal information should be handled, shared, and
disclosed to third parties. This legislation also addresses
other important issues including what defaults should be set in
connection with those expectations to provide regulatory
certainty to industry and to investors. What safeguards should
be crafted to anticipate foreseeable abuses and violations of
consumer privacy expectations? What sets of remedies will make
consumers whole in the event of privacy breach, and how to
calibrate penalties and other possible legal causes of action
without chilling industry incentives to innovate and grow their
businesses.
This legislation also addresses to what extent, if any,
should the privacy framework set forth in my bill preempt state
privacy laws and regulations. In holding this hearing I would
like to get a better handle on how extensively personal
information gets shared without an individual's understanding
and without their consent. I also want to shine a spotlight on
some of the actual harms that befall individual users through
no fault of their own.
With that said I yield back the balance of my time.
[H.R. 5777 and the discussion draft follow:]
And now I recognize the Ranking Member of the Subcommittee,
Mr. Whitfield, for 5 minutes for the purposes of an opening
statement.
OPENING STATEMENT OF HON. ED WHITFIELD, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF KENTUCKY
Mr. Whitfield. Well, Chairman Rush, thank you very much and
we certainly appreciate our panel of expert witnesses here
today. As you know we are having this hearing to explore
privacy legislation. I want to commend Chairman Rush for
introducing his bill and want to thank him and his staff for
giving us an opportunity to review that legislation. And all of
us recognize that some steps need to be taken in this area, and
we are hopeful that after today's hearing a lot of these issues
will be clarified even more for us because as I said in the
beginning we look forward to your testimony on this important
issue.
It seems to me the threshold question is whether Congress
can require meaningful protections without forcing businesses
online and offline to abandon or severely curtail legitimate
business practices that benefit consumers. We know that it is
easy to misuse information, and we also know there are benefits
from sharing information, so that balancing act is very
important. The problem I believe for most consumers is the lack
of understanding about how their information is collected, and
once used how--and once they provide it how that is being used,
and the impact that it has on them.
This is a preparatory hearing and we always have a lot of
concerns about legislation, particularly when it is in the area
of privacy. One of the areas that I have some concern about is
that the first party, third party distinction created by this
bill could also give certain players in the Internet ecosystem
a competitive advantage over others, and I think we need a
level playing field. I think it would be very difficult also
for Congress to be involved of every nuance of privacy, and I
think we need to be very careful about the latitude that we
give the FTC in this area.
One of the areas that is vitally important obviously in
policing any legislation is the enforcement mechanism. I am
always concerned about private rights of action because I know
in some instances it has really created a cottage industry for
trial lawyers seeking to manufacture privacy concerns. But I
also know that sometimes those appear to be--these private
rights of actions seem to be a good way to go.
I do support the ability of State Attorneys General to
enforce the Federal Statute. I don't think this bill goes far
enough in terms of preempting state laws, creating the
possibility that despite the bill's intent, covered entities
would be subject to actions under multiple potentially
conflicting laws or legal theories for conduct sanctioned by
this bill.
Whatever Congress ultimately enacts consumers will not care
really about the corporate structure or the regulatory regime
that governs the entity collecting their information. They only
want to be sure that their information is treated the same by
all entities and that they have reasonable protection. And I
feel quite confident that when we enact privacy legislation
that we will have a balanced bill that everyone will be
satisfied with. Maybe I shouldn't say everyone, but most people
will be satisfied with, and of course, that is our objective.
Now I yield back the balance of my time.
[The prepared statement of Mr. Whitfield follows:]
Mr. Rush. We will be seeking everyone on this bill. We will
now have Ms. Castor for 2 minutes.
OPENING STATEMENT OF HON. KATHY CASTOR, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
Ms. Castor. Thank you, Chairman Rush, very much, and thank
you to the witnesses for being here today. I am looking forward
to your discussion of consumer privacy in the Internet age, and
such an exciting age of technological innovation. And I hope
your comments will be directed to the two draft discussion
bills that are on the table. We need your expert advice on how
we balance the important competing interests of personal
privacy and business innovation.
We do need to have rules in place that give consumers the
option to share their information or keep it private. Both
bills before us require that companies explain to consumers
what information is being collected and gives them the ability
to opt out of certain data collection practices. And I think
this is what consumers are looking for. They want a simple
explanation followed by a choice. But there are literally
thousands--millions of new businesses that have been created as
a result of the ability to share information, and I think that
this is absolutely vital that we protect that interest as well.
Nearly all Internet businesses rely on some form of information
gathering. So we want to ensure that these businesses continue
to grow, and flourish, but in a way that protects--that
promotes transparency for the consumer.
So thank you for being here and thank you, Mr. Chairman. I
yield back.
Mr. Rush. Mr. Scalise, you are recognized for 2 minutes.
OPENING STATEMENT OF HON. STEVE SCALISE, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF LOUISIANA
Mr. Scalise. Thank you, Mr. Chairman. I want to thank you
and Ranking Member Whitfield for having this hearing on the
bills before us today, both focusing on consumer privacy. I am
pleased that we are once again examining this issue and that
legislation has been brought forward with the goal of
protecting consumers and their personal information. I look
forward to hearing from our panelists and discussing the merits
of these bills. As we take them into consideration and debate
the best steps moving forward, I hope we proceed wisely and
carefully.
As I have stated at previous hearings, I hope we focus on
how to protect consumers and their personal information, and
look at steps the industry will take on their own to do that.
We need to make sure that these bills do not focus on ways
government can get involved in more areas of people's lives
where it does not belong. For this reason, I hope these bills
take self-regulation into account and include provisions that
allow companies to continue with steps that they have already
taken to protect personal information. If self-regulation is
not sufficient, and if any additional privacy provisions or
regulatory requirements are needed, they should be targeted,
consistent, and not discriminate against any one business or
industry. Congress should not pick winners and losers.
I also hope that these bills do not harm the ability to
maintain or invest in their businesses. We must strike a
balance that protects personal information without limiting a
company's ability to do business in an honest and ethical way.
Again, I will look forward to hearing from our panelists on
whether they feel these bills strike that important balance.
Mr. Chairman, I also want to close by addressing the rumors
that FCC Chairman Genachowski may add broadband classification
to the commission's September 16 agenda. First of all, I do not
believe that the FCC should reclassify broadband services or
impose burdensome regulations on the Internet. And more
importantly, the FCC should definitely not rush any process
that gives Congress little time to react after returning from
recess.
Over 8,000 pages of comments have been submitted to the FCC
on this proposal, and the comment period is open until August
12. For reclassification to be on the September 16 agenda, the
other commissioners would have to receive the chairman's proposal
by August 26, giving the commissioners 2 weeks to review the
thousands of comments. Clearly we need to make sure that they
have that ability to review those comments from the public. So
I hope those rumors are in fact just rumors. Otherwise it would
seem that the FCC intends on ignoring those 8,000 pages of
comments as well as the bipartisan staff discussions that are
ongoing on this issue. We must continue to pursue targeted
legislation that serves the American people, not a hastened
process that serves a political agenda.
Thank you, and I yield back.
Mr. Rush. The chair recognizes now the gentleman from
Georgia, Mr. Barrow, for 2 minutes.
Mr. Barrow. Thank you, Chairman, I will waive time.
Mr. Rush. Mr. Green, you are recognized for 2 minutes.
OPENING STATEMENT OF HON. GENE GREEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Green. Thank you, Mr. Chairman. Thank you Chairman
Rush, and Ranking Member Whitfield. I want to thank you for
raising the issue of consumer privacy and for holding this
hearing today, and also Chairmen Rush and Boucher, as well as
Ranking Member Stearns for introducing the bills which we
examine today.
As technology continues to evolve, the privacy implications
for consumers require frequent reexamination by Congress. In
2003 we passed the CAN-SPAM Act that countered the alarming
rise of unsolicited spam email messages that interfered with
the use of Internet and email by end users. Today technology has
continued its progress and as a result, we are once again
confronted with challenges for protecting consumers and
ensuring that private data is not shared without consent.
The ability to easily aggregate and share information over
the Internet has provided tremendous benefits to our society
and our economy, and the collection of consumer information can
provide tremendous benefits to small and upstart businesses by
allowing them to target customers that have tendencies to
purchase individualized products or services. One problem,
however, is that these are not the only ones using the data,
and the ability and entire entities that sell this information
to collect such a wide variety of information on individuals is
extremely troubling because it allows bad actors to target
vulnerable individuals based on very specific and granular data
that has been collected across a number of online and offline
platforms. We have laws that regulate how this information can
be used by financial institutions in relating to medical record
privacy, but outside these defined areas the information is
largely unregulated and has the potential for being
tremendously harmful to consumers.
I am pleased that our committee is confronting these
challenges head on. It is important that we examine methods
that introduce transparency into the system and give the
consumers the ability to have control over the large scale
data. Collection is currently occurring at most times without
their knowledge. And I look forward to hearing the testimony
from witnesses.
Mr. Chairman, I yield back.
Mr. Rush. Mr. Latta is recognized for 2 minutes.
OPENING STATEMENT OF HON. ROBERT E. LATTA, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OHIO
Mr. Latta. Thank you, Mr. Chairman, Ranking Member
Whitfield. I appreciate you holding today's hearing on the
important issue of protecting an individual's privacy.
Meaningful legislation to protect consumers' data is
important, as there have been recently high profile incidences
involving the compromising of consumer data that has increased
privacy and concerns. There are many benefits that the Internet
provides consumers and it is important that consumers are
protected. However, as with many of the public policy issues
that this Subcommittee considers, there needs to be a balance
between protecting consumers and overburdening companies with
regulations.
The collection of consumer information is a great benefit
to companies that process transactions as well as to market
their products. In addition, many of these companies' products
are based on information that the consumers submit to then
obtain information specific to them. This personal information
must be protected whether it regards personal health,
employment, or any other information.
While it is important for companies to disclose their
privacy practices, companies should not have to disclose the
proprietary practices or information for collecting this
information. In moving forward on either of these pieces of
legislation, we need to ensure that by expanding the
authority of a government agency that there are no unintended
consequences on ecommerce. I have heard concerns, especially
from small businesses, about this legislation having a chilling
effect on ecommerce and curbing innovation. These small
businesses are concerned that increased regulations will have
negative effect on their businesses and have increased costs
for them, and those that are self-employed ultimately which
would then have to be borne by the consumers.
I will look forward to working--continue to work on--with
the Subcommittee on this important issue relating to protecting
consumers' privacy. In this time of rapidly advancing
technology, we must protect personal information. I am hoping
that this balance can be achieved for all the parties involved,
and with that, Mr. Chairman, I yield back. Thank you.
Mr. Rush. The Chair recognizes Mr. Stearns for 5 minutes.
OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
Mr. Stearns. Thank you, Mr. Chairman, and like other
members, I am very glad we are having the hearing on H.R. 5777,
Best Practices Act, as well as the proposal drafted by Mr.
Boucher, the Chairman of the Communication, Technology, and the
Internet Subcommittee, the CTI Subcommittee. I was a sponsor,
principal sponsor with Mr. Boucher on his bill, and so I am
happy to join with him in soliciting comments as he did over
the some 70 days. And as many of you perhaps know that I have
had a lot of experience working on this privacy issue. It is
complex, involves a broad range of interests. During my time as
Chairman of this Subcommittee I introduced several privacy
bills, so I understand the importance of transparency when it
comes to collection, use and sharing of consumer information.
Now it is my capacity as the CTI Subcommittee, I have been
focusing on privacy issues and the Internet, which it becomes
so ubiquitous in our everyday lives, that we have started to
presume, just presume a certain level of privacy that may not
actually exist, so that is why I think we should be looking at
this privacy situation.
We must recognize that online advertising supports much of
the commercial content, applications, and services that are
available on the Internet today without charge and my
colleagues, we do not want to disrupt this well-established and
successful business model.
Now this bill Best Practices seeks to enhance transparency
over the commercial use of personal information that provides
consumers with choices about the collection, use, and
disclosure of this information. I support providing consumers
with choices and transparency, but we must also keep in mind
that only the consumer knows how he or she feels about the
information that is being collected, the parties doing the
collecting and the purpose for which the information is
ultimately collected. Congress cannot and
should not make that decision for them.
Now I do have some concern with this Best Practices Act as
currently drafted, including the overly expansive definition of
covered information. The private right of action with uncapped
punitive damages and the safe harbor provision which is too
prescriptive and relies too heavily on the Federal Trade
Commission. In order to have an effective safe harbor and
privacy legislation we must craft a provision that creates the
right incentives for businesses to subscribe to the very best
practices with respect to the use of personal information of
those consumer's standards that have been developed over time
and are capable of being modified rapidly to address any new
significant consumer privacy concern about businesses' use of
consumer's data.
I would like to work with my colleagues to develop a better
self-regulatory structure that will protect consumers while
creating the proper incentives for businesses to adopt and
maintain the best privacy and protection standards. I obviously
appreciate having these hearings. I regret though, Mr.
Chairman, we are having a hearing only four days after the bill
was publicly released. This is an important and complicated
topic, and members, and staff, and our witnesses need more time
to adequately analyze the provisions in this legislation. It is
a credit to Mr. Boucher. He released this privacy discussion
draft on May 4, and he allowed ample time for comments. And if
I recollect correctly, there were 70 different organizations,
companies, universities, colleges, and concerned citizens that
have taken the time to send their comments on this discussion
draft.
So we have a--plenty of information to consider for his
bill. So there is clearly a lot of interest out in privacy--out
in the industry for privacy legislation. I feel that more time
allowed for more robust discussion is necessary, so I hope we
have that in the future. But again I appreciate your work, and
the leadership on this issue, and also Mr. Boucher's hard work
as I look forward to working with members of both Subcommittees
as we try to find the good, equal balance of protecting
consumers and allowing innovation to flourish.
I will just conclude and sort of mention which Mr. Scalise
mentioned a little bit about the FCC and their haste to move
the--from Title I to Title II, the Internet jurisdiction, and I
would say--one thing that I would add to his comment is when we
get back in September it will only be a couple of days perhaps
until the FCC acts, and that is really not enough time for us
to even consider what they are doing, so again, I urge as Mr.
Scalise did that the FCC hold off. Thank you, Mr. Chairman.
Mr. Rush. The Chair thanks all the members for their
opening statements, the Chair really wants to reassure every
member of this Subcommittee that the time to--necessary for
deliberation will be forthcoming and that in no way do we expect
to rush--pardon the pun--to rush towards judgment. However, we
do feel as though we need to start this process in a robust way
and a robust manner, and that is what was the intention of the
Chairman. You know, discussion has got to end sometime and now
is the time for the discussion to be ended and the work to
begin.
So with that said, I want to welcome our witnesses now and
I am so honored that these individuals have taken the time out
from their busy schedule to come and share with this
subcommittee their valuable information, insight, and their
expertise on this most important matter that affects us, the
American people. I want to introduce them now. From my left is
Mr. David Vladeck----
Mr. Vladeck. Vladeck.
Mr. Rush. Vladeck. He is the Director of the Bureau of
Consumer Protection for the Federal Trade Commission. Seated
next to Mr. Vladeck is Leslie--Ms. Leslie Harris. She is the
President and CEO of the Center for Democracy and Technology.
Next to Ms. Harris is Mr. David Hoffman. He is the Global
Privacy Officer for the Intel Corporation. Seated next to Mr.
Hoffman is Mr. Ed Mierzwinski. He is the Consumer Program
Director for the U.S. Public Interest Research Group. And next
to Mr. Mierzwinski is Mr. Ira Rubinstein. He is the adjunct
Professor of Law in the New York School of Law. And next to Mr.
Rubinstein is Mr. Jason Goldman. He is in Counsel, Technology,
and E-commerce for the U.S. Chamber of Commerce. And then we
have seated next to Mr. Goldman is Mr. Mike Zaneis, and Mr.
Zaneis is the Vice-President of the Public Policy Interactive
Advertising Bureau. Again, thank you all so very much for being
present here at this hearing, and it is the practice of this
subcommittee to swear in the witnesses, and I ask each of you
if you would stand and raise your right hand. There is a big
panel of witnesses we got here.
[Witnesses sworn.]
Mr. Rush. Please let the record reflect that the witnesses
have all answered in the affirmative and now we will begin with
testimony from our witnesses. We will begin with Mr. Vladeck.
Mr. Vladeck, you are recognized for 5 minutes.
TESTIMONY OF DAVID VLADECK, DIRECTOR, BUREAU OF CONSUMER
PROTECTION, FEDERAL TRADE COMMISSION; LESLIE HARRIS, PRESIDENT
AND CHIEF EXECUTIVE OFFICER, CENTER FOR DEMOCRACY AND
TECHNOLOGY; DAVID HOFFMAN, GLOBAL PRIVACY OFFICER, INTEL
CORPORATION; ED MIERZWINSKI, CONSUMER PROGRAM DIRECTOR, U.S.
PUBLIC INTEREST RESEARCH GROUP; IRA RUBINSTEIN, ADJUNCT
PROFESSOR OF LAW, NEW YORK UNIVERSITY SCHOOL OF LAW; JASON
GOLDMAN, COUNSEL, TECHNOLOGY AND E-COMMERCE, U.S. CHAMBER OF
COMMERCE; AND MIKE ZANEIS, VICE PRESIDENT, PUBLIC POLICY,
INTERACTIVE ADVERTISING BUREAU
TESTIMONY OF DAVID VLADECK
Mr. Vladeck. Thank you very much, Chairman Rush, Member
Whitfield, members of the Committee, I really appreciate the
opportunity to be here today.
The Federal Trade Commission has a long track record of
protecting consumer privacy. The Commission began examining
online privacy in the mid-1990's. Initially the Commission's
work was built on the so-called Fair Information Practice
principles of notice, choice, access, and security. The
Commission's efforts were widely credited with raising public
awareness about privacy, prompting companies to post privacy
policies online for the first time and improving companies'
accountability for privacy practices.
In the early 2000's the FTC shifted its focus and targeted
harmful uses of information, uses presenting risks to physical
security, economic injury, or causing unwarranted intrusions.
This approach was designed to protect privacy without imposing
costly notice and choice requirements for all uses of
information. The Commission's privacy agenda included
aggressive enforcement on data security, children's privacy,
spam, spyware, and unwanted telephone calls, telemarketing
robocalls.
Last year the Commission announced that it was going to
again re-evaluate its approach to privacy. We recognize that
the traditional models governing consumer privacy have
limitations. The Fair Information Practices model placed a
heavy burden on consumers to read and understand complicated
and lengthy privacy policies, and then make choices about the
collection and use of their data. The harm-based model
generally did not address concerns about having one's personal
information exposed where there is no direct intangible
consequence. Often, harms to consumers were addressed after
they occurred.
Late last year the Commission began its re-evaluation of
privacy by holding three round tables which highlighted a
number of important themes. First and most urgently consumers
do not understand the extent to which companies are collecting
and using their personal data. This is a remark that I think
many of the members echoed in their opening remarks. Second,
existing privacy policies don't work as a means of
communicating privacy practices to consumers, and certainly
will not work well on small screen mobile devices like smart
phones. Third, consumers do care about privacy and they care
about privacy as a value in and of itself beyond any tangible
economic harm that may be associated with it. And finally, as
others have pointed out, the free flow of information does help
make tremendous benefits possible, so we need to be cautious
about restricting information exchanges and uses.
Recognizing many of these same issues, Chairman Rush and
Chairman Boucher each have proposed legislation to advance the
goal of improving privacy protection in today's commercial
marketplace. We share this goal and we applaud Chairman Rush
and Chairman Boucher for their leadership.
Although the Commission has not taken a position on the
legislation, both proposals include a number of key policy
objectives that the Commission supports.
First, both include requirements for data security for
customer information, a requirement the Commission has long
endorsed. Second, the Commission supports the proposals' data
accuracy requirements, especially where the data will be used
for decisions about a consumer's eligibility for benefits or
services. Third, both proposals give the FTC limited rule
making authority in the privacy area. We believe that the
content, timing, and scope of privacy disclosures required by
the legislation will benefit from broad stakeholder input and
consumer testing which can be accomplished as part of an APA
rulemaking proceeding. Finally, both proposals include
innovations to simplify consumers' ability to exercise
meaningful privacy choice.
If Congress enacts legislation in this area we urge it to
consider some additional issues. Most importantly we think it
would be useful to require short disclosures at the point of
information collection and/or use and to give the FTC
rulemaking authority so we can provide guidance on this
requirement.
Let me share an example of why we think short and concise
notices at the right moment are important. A few months ago it
was reported that approximately 7,500 consumers had ``sold
their souls'' to an online computer game retailer. To drive
home the point the consumers don't read lengthy disclosures,
the company provided a provision in its privacy policy that by
placing an order with the company the consumer granted the
company ``the nontransferable option to claim for now and
forever more your immortal soul''. The company even went on to
provide an opt-out provision for this particular soul selling
clause, but not surprisingly very few consumers opted out. Now
I don't believe that these consumers really meant to transfer
their rights of their immortal soul to an online gaming
company, and we think this illustration drives home the need
for short and concise notices the consumers will read and
understand at the time of data collection and use.
Another issue we would urge Congress to look at is whether
the sharing of individuals' data among companies affiliated
through common ownership should necessarily be exempt from
consent requirements, especially where a company may share data
with dozens or even hundreds of affiliate companies.
Finally we also have concerns that the safe harbor programs
contained in the proposed legislation could lead to multiple
consent mechanisms that may differ in important ways which
could add to consumer confusion when consumers need more
simplicity.
The Commission looks forward to working with Congress to
resolve these issues and any others that may arise in order to
accomplish our shared objective of improving consumer privacy,
while at the same time promoting innovation and beneficial
flows of information on the Internet. Thank you very much.
[The prepared statement of Mr. Vladeck follows:]
Mr. Rush. The Chair now recognizes Ms. Harris for 5
minutes.
TESTIMONY OF LESLIE HARRIS
Ms. Harris. Chairman Rush, Ranking Member Whitfield,
members of the Subcommittee, on behalf of CDT I thank you for
the opportunity to testify today. Chairman Rush, you, Chairman
Boucher, Representative Stearns have shown great leadership in
putting the issue of consumer privacy legislation back on the
Congressional agenda.
At a time when more and more personal information is
collected, analyzed and sold, an astonishing 88 percent of
Americans are concerned about their online privacy. A consumer
privacy law is long overdue. Drafting a privacy law that can
stand the test of time requires a careful balancing of
interest. The law must provide consumers rights, it must
provide meaningful obligations for companies, and at the same
time it has to be flexible and high level enough to respond to
the rapid changes in technology and changing business models.
It needs to give companies certainty while at the same time
encouraging privacy, innovation, and accountable practices, and
of course, it needs strong enforcement. CDT believes the bills
before the Subcommittee today include the essential building
blocks for a privacy law that meets this test. Chairman
Boucher's draft, the critical first steps to that end, we
believe the Best Practices Act builds on that draft to
significantly advance the discussion.
Let me just mention a few key points. Fair Information
Practices, commonly known as FIPs, must be the foundation of
any consumer privacy law. The Boucher draft provides the basic
obligations in notice, and choice, and security, but as Mr.
Vladeck said, that places most of the burden on the consumer to
figure out notices. Best Practices goes further to a full set
of substantive Fair Information Practices that place
obligations on companies for things like specifying purposes,
limiting data collection to those purposes, minimizing how long
one retains data, paying attention to data quality, and
integrity. And we think that in this complex environment all of
those obligations are critical.
With respect to cope--scope, excuse me, CDT does support
the application of a single baseline set of rules to the online
and offline environment. We do support a robust definition of
covered information and heightened protection for sensitive
information, and we strongly support the special rules for
covered entities, right now mainly ISPs, that collect all or
substantially all of an individual's data stream. We are
pleased with the innovative provision on accountability in Best
Practices, which requires companies to conduct PIAs, Privacy
Impact Assessments, and periodic reviews of privacy practices.
American companies including my colleagues from Intel, HP, and
Microsoft have been the global leaders in developing an
accountable privacy culture within companies and we think this
provision will broaden the culture of responsibility for all
covered entities.
We also strongly support the inclusion of a safe harbor
provision. Safe harbors, when they are backed up by rigorous
internal compliance and some FTC supervision, can take account
of differences between industries and create certainty for
companies. It can encourage privacy innovation and reward the
adoption of accountable practices.
Finally, strong enforcement must back up privacy rules, and
we endorse the dual enforcement regime at the FTC and with the
State Attorneys General. And we also applaud the inclusion of a
strong private right of action in the Best Practices bill.
Mr. Chairman, thank you for the opportunity to testify and
holding this important hearing. We intend to submit a lengthy
side by side of the bills and our recommendations for moving
forward, and we look forward to working with you to enact
historic privacy legislation that consumers are strongly
demanding and that we believe businesses need to compete in the
global economy.
[The prepared statement of Ms. Harris follows:]
Mr. Rush. The Chair recognizes Mr. Hoffman for 5 minutes.
TESTIMONY OF DAVID HOFFMAN
Mr. Hoffman. Mr. Chairman, Ranking Member Whitfield, and
members of the Subcommittee, I am David Hoffman, Director of
Security Policy and Global Privacy Officer at Intel
Corporation, and I appreciate the opportunity to testify before
you today.
Intel supports the Best Practices Act of 2010 and we
believe that innovation requires a policy environment in which
individuals feel confident that their privacy interests are
protected. We thank Chairman Boucher and Ranking Member Stearns
for putting forward such a thoughtful and important draft from
which to work. Their bill and the Best Practices Act include
many of the important concepts for a comprehensive U.S. privacy
law and we strongly support Congress's efforts to legislate in
this area. I congratulate you on the work you have done to
protect consumer privacy and to promote continued technology
innovation.
It is Intel's mission to deliver the platform in technology
advancements that have become essential to the way we work and
live. We see computing moving in a direction where an
individual's applications and data will move as that person
moves through his or her day. To manage these applications and
data, the individual will use a wide assortment of digital
devices including servers, laptop computers, smart phones,
tablets, televisions, and handheld PCs. Thus it is necessary
that individuals have trust in being able to create, process,
and share all types of data, including data that may be quite
sensitive such as health and financial information. The
provisions in the bills we are discussing today can help
provide a policy environment which creates that trust.
I would like to highlight five specific aspects of the two
bills. First, we are pleased that both bills are technology
neutral and give flexibility to the FTC to adapt the bill's
principles to changes in the technology. Maintaining technology
neutrality in the legal framework provides protection for
individuals in a rapidly evolving society as the creation of
legislation and regulatory requirements will invariably trail
innovation of new technology. We specifically like the Best
Practices Act's guidance given to the FTC to create
regulations for certain key provisions of the bill.
Second, we support federal legislation based upon the Fair
Information Practices as articulated in the 1980 OECD Privacy
Guidelines. We are pleased that the Boucher/Stearns discussion
draft is based upon the framework of the Fair Information
Practices. Further, we are supportive of Chairman Rush's bill
which goes further and includes provisions applying all of the
Fair Information Practices such as individual access to data,
data minimization, and purpose specification.
Third, we are pleased that the Best Practices Act includes
a provision requiring covered entities to engage in the
accountability processes in the deployment of technologies and
services. In addition we would advocate that a specific privacy
by design requirement also be included in the accountability
section. A privacy by design model focuses on ensuring that
privacy is included as a foundational component of the product
and service development process. Such a provision should not
require compliance with detailed standards or mandatory third
party product reviews, but should instead focus on including
privacy into a business's product and service development
processes.
Fourth, Intel commends both bills for contemplating that
certain operational uses of data are implicitly consented to by
individuals and should not require explicit notice and consent.
Specifically Intel supports the Best Practices Act's drafting of
such a use-based model.
Fifth and finally, Intel is strongly supportive of Title IV
of the Best Practices Act which establishes a safe harbor for
participation and self-regulatory choice programs. Intel has
long been a supporter of privacy trust mark programs and
believes they provide a way to work with organizations on their
accountability processes. We believe that in many instances
trust marks and other similar mechanisms can substantially
increase the reach and the effectiveness of government
enforcement. This co-regulation is a better solution than a
private right of action which is likely to result in baseless
claims, causing organizations to spend resources on litigation
when those resources could be better directed toward the
organization's privacy compliance program. However, if a
private right of action is included, then the choice program
should continue to provide a safe harbor from liability.
Intel again thanks Chairman Rush and the Subcommittee for
your excellent work to protect consumer privacy, and to promote
and continue privacy innovation. We are supportive of the Best
Practices Act, we look forward to continuing our engagement to
improve the overall protection of privacy.
[The prepared statement of Mr. Hoffman follows:]
Mr. Rush. Mr. Mierzwinski, you are recognized for 5
minutes.
TESTIMONY OF ED MIERZWINSKI
Mr. Mierzwinski. Thank you very much. Thank you very much
Chairman Rush and Ranking Member--I was trying to work my
timer--this one is not working, but I will try to stick to 5
minutes. Ranking Member Whitfield, members of the Committee, I
am Ed Mierzwinski. I am Consumer Program Director for the
Public Interest Research Group, U.S. PIRG. My testimony as
submitted includes co-signed by the Consumer Federation of
America and the Center for Digital Democracy. Since then four
other organizations and I will provide this for the record:
Consumer Action, the Consumer Watchdog, Privacy Rights
Clearinghouse, and the World Privacy Forum have also endorsed
the testimony.
I want to start out with one point that is really the main
point that I want to make, and that is that the current digital
marketing system does not meet consumers' expectations of
privacy. A recent study by two leading universities, the
University of Pennsylvania and the University of California at
Berkeley, found that most consumers believe that the government
already protects their privacy. It does not. Instead we have a
digital marketing system that I call or could call the Hoover
model, and I am not talking about J. Edgar. I am talking about
the vacuum cleaner. The vacuum cleaner model of collecting
every bit of information, every web track that a consumer ever
makes and keeping it forever is the way that companies like in
their virtually unregulated digital ecosystem. And we have a
system right now where the Federal Trade Commission has been
hobbled for 30 or 40 years by limits on its ability to improve
the rules that--and that and enforce the rules by the Magnuson-Moss
rulemaking that was imposed on it that this Committee
tried to fix in the Wall Street Reform Act, but unfortunately
the Wall Street Reform Act did not finally give the Federal
Trade Commission fully capable of making authority or full
aiding and abetting liability, or the full ability to impose
civil penalties, and we would hope that that would be on the
committee's agenda to continue to try to achieve those goals.
But--so our organizations share long-standing concerns for
consumer privacy and look forward to working with the Committee
on these matters. And the Committee has had a long-standing
history of bipartisan basis working on consumer privacy, so we
are very encouraged by the work that was done first by Chairman
Boucher and Ranking Member Stearns, and then by you, Chairman
Rush, in putting together your thoughtful proposals.
However, our concern is that the proposals tend to graft
Fair Information Practices on top of the digital ecosystem that
it just won't work as well as a full Fair Information Practices
based provision might work. So we are suggesting that the
committee start over and among the key elements of a revised
bill would be a framework focused on overall data minimization.
Anyone who knows the online and offline data collection
industry will tell you that the focus is on data maximization,
as I said, the Hoover model. ``Every move you make'' as the
lyrics of the Police song go could be the data collection
industry's theme song as we are all being watched, compiled,
analyzed, and then acted upon. While tools involving opt-in and
safe harbors for example provide greater control by a consumer,
they do not constrain the dramatic and far reaching growth of
online and offline data collection for personalized and
innovative targeting. A vast automated and powerful data
collection complex has emerged capable of generating and
continually revising a profile, a consumer x-ray of our habits,
interests, worries, financial status, and everything else about
us. It is now being collected not just on the Internet, but
also whenever we use a cell phone, or play an online game, or
use any other variety of electronic gimmickry that we might be
carrying around with us.
Some of the specific concerns that we have, again we think
the bills are thoughtful for a start, but we would urge you to
consider a few other things. First of all notice and choice are
not enough. And I totally agree with the other witnesses that
these bills go further than the industry preferred FIPs light
of notice and choice. But we need to have a greater reliance on
limiting the amount of information that is collected, used, and
shared, increasing the knowledge of consumers, limiting data
retention, and maximizing data minimization.
The second, self-regulation has not worked. The Federal
Trade Commission under various Administrations has failed in
self-regulation, as has the industry. And there are several
reports that I cite in my testimony that go through the details
of how first the individual references service group self-
regulatory body that supposedly regulated information brokers
didn't work in the 1990's, then we have the network advertising
initiative didn't work, and there is an IAB provision that was
started last year that we don't think has worked. So we think
we need greater oversight, greater statutory protections, and
we need a broader private right of action. Although the Rush
bill has a narrow private right of action, we don't think
enrich trial lawyers. We think private rights of action deter
lawlessness and they encourage companies to comply with the
law. And second, we believe that state laws should always be
allowed to be stronger than federal law. If you have got a good
enough federal law the states will move on and do other things.
But if Congress doesn't solve the job we need the States as
quick responders to new problems.
With that I will just conclude my comments and tell you
that I am very pleased for our organization's want to continue
to work with you to refine and enhance this legislation. Thank
you.
[The prepared statement of Mr. Mierzwinski follows:]
Mr. Rush. Thank you. Mr. Rubinstein, you are recognized for
5 minutes.
TESTIMONY OF IRA RUBINSTEIN
Mr. Rubinstein. Mr. Chairman, Ranking Member Whitfield, and
members of the Subcommittee, thank you for the opportunity to
testify today. My name is Ira Rubinstein and I am an adjunct
professor at NYU School of Law. This afternoon I will focus my
comments specifically on a key question in Congressional
efforts to regulate privacy. What is the relationship between
privacy legislation and industry self-regulation and the role
and effectiveness of safe harbor provisions in promoting self-
regulation?
A safe harbor is a familiar legislative device intended to
shield or reward firms if they engage in desirable behavior as
defined by statute. In the privacy arena the most familiar
example is the Children's Online Privacy Protection Act. Over
the past decade COPPA safe harbor programs have met with
success mainly in terms of complementing FTC's own enforcement
efforts. But the program has two main shortcomings, weak
incentives, and a low rate of participation. Only about 100
firms have joined. In my written testimony I propose several
ways in which Congress might improve upon the COPPA safe harbor
by adopting a more co-regulatory approach in which industry
enjoys greater scope in shaping self-regulatory guidelines
while government sets default requirements and retains general
oversight authority to improve--approve and enforce such
guidelines.
A co-regulatory approach relies on both sticks and carrots
as incentives. Sticks for non-participating firms might include
a private right of action, broader opt-in requirements,
external and independent audits of regulatory compliance and
much stricter requirements for online behavioral advertising.
Carrots, on the other hand, might include not only exemptions
from private actions for safe harbor participants, but also
cost saving such as compliance reviews based on self-
assessments rather than external audits, government recognition
of better performing firms, and regulatory flexibility in the
form of tailored requirements addressed to specific sectors or
business models.
In proposing this new approach to privacy safe harbors it
bears emphasizing that safe harbor benefits should be limited
to firms demonstrating superior performance and would not be
available to other firms that merely satisfy the default
statutory requirements. In other words, the safe harbor would
only benefit firms that meet high performance standards based
on, for example, sound data governance practices such as
appointing a chief privacy officer who is accountable for
setting privacy protection policy and standards; advanced
privacy methodologies such as use of development guidelines for
building privacy protection into products or services, also
called privacy by design as Mr. Hoffman mentioned; and other
Best Practices such as privacy training for relevant staff and
online guidance on privacy and security for other employees and
for consumers.
In closing I want to emphasize that this new approach to
privacy safe harbor should not be confused with existing self-
regulatory schemes in which industry alone develops and then
oversees the privacy code of conduct. Rather, in a privacy safe
harbor as envisioned here, the government sets default
requirements and relevant standards and practices emerge from a
multi-stakeholder process in which both advocacy groups and
members of the public have an opportunity to participate. This
requires that interested parties engage in difficult and
perhaps protracted negotiations and keep talking with each
other until they forge a rough consensus.
One way to ensure public participation is negotiated rule
making, a statutorily defined process by which agencies
formally negotiate rules with regulated industries and other
stakeholders as an alternative to conventional rule making. An
alternative approach would be to modify the safe harbor
approval process by requiring that program sponsors engage in a
public consultation and report on these consultations in their
applications.
I will conclude by offering three recommendations which I
am happy to elaborate upon during this hearing. First, Congress
needs to enact comprehensive privacy legislation incorporating
robust Fair Information Practices. Second, this legislation
should include a safe harbor program based on a co-regulatory
approach as described above. Finally, this safe harbor program
should include strong performance standards based on data
governance, advanced privacy methodologies, and other Best
Practices, and it should also require public consultation as
part of the safe harbor approval process.
The two bills being considered today represent important
first steps in developing this new approach to safe harbors,
but should be expanded as discussed above. I want to thank you
again for this opportunity to testify. I will be pleased to
answer your questions and would be happy to provide any further
assistance.
[The prepared statement of Mr. Rubinstein follows:]
Mr. Rush. Mr. Zaneis, you are recognized for 5 minutes.
Mr. Zaneis. I am happy----
Mr. Rush. I am sorry----
Mr. Zaneis. That is all right, we don't want to skip over
Jason.
Mr. Rush. Mr. Goldman, I am sorry. Mr. Goldman----
Mr. Goldman. Thank you very much.
Mr. Rush. You are recognized for 5 minutes.
STATEMENT OF JASON GOLDMAN
Mr. Goldman. Good afternoon, Chairman Rush, Ranking Member
Whitfield, and members of the Subcommittee. I am Jason Goldman,
Telecommunications, and E-commerce Counsel at the U.S. Chamber
of Commerce. The U.S. Chamber of Commerce is the world's
largest business federation representing the interest of more
than three million businesses and organizations of every size,
sector, and region. On behalf of the Chamber and its members, I
thank the Subcommittee for its work on consumer protection and
for the opportunity to testify here today.
Privacy is a key issue for the Chamber. The Chamber
supports policies that foster business opportunities while
respecting consumers' privacy. The collection of personal
information is necessary to provide consumer, social, and
business benefits. Given the diversity of private sector
businesses should have latitude within acceptable guidelines in
defining what they need--what kind of information they need to
collect and use.
Recently the debate over privacy has been brought to the
forefront by the growth of the Internet. The Internet has
revolutionized the way business is conducted in all sectors of
the global economy including financial services, retail,
wholesale distribution, and manufacturing. Today the vast
majority of companies, small and large, are online and use the
Internet to communicate with consumers and with the vendors,
and all the different other entities. In particular,
ad-supported content has been key to the success of broadband.
Frequently online content is provided free of charge to
consumers and revenues are instead generated through
advertising. This ad-supported business model has been a key to
the success of many Internet adventures and has helped to make
the Internet an engine of growth in the U.S. economy.
I will now turn to the bills that are the topic of this
hearing. The Chamber received the text of the Best Practices
Act just a few days ago, so my comments today are based on our
initial read of the bill and may change as we further analyze
the bill and vet the bill through our membership. The Chamber's
analysis of Boucher/Stearns discussion draft was submitted to
their Subcommittee in June and is attached to our testimony.
The Chamber very much appreciates the work that went into
drafting the Best Practices Act. Despite the inclusion of some
of the provisions that we support, we still have strong
concerns with the bill as currently drafted. The Chamber--I will go
through some of the provisions that we support and also some of
the ones that we have modifications to. The Chamber is pleased
that the bill directs the FTC to promulgate rules under this
act in a technology-neutral manner. Government should not pick
winners and losers. The Chamber applauds the inclusion of
language that preempts State laws governing the collection and
use of data. However, the Chamber believes the language could
have been even stronger to help businesses avoid having to
comply with 50 different State laws. The Chamber agrees with
the intent of Section 502 which states that the bill should
have no effect on activities covered by other federal privacy
laws. However, the opening clause of this section states
``except as provided expressly in the Act.'' This could be
interpreted by the FTC or by the courts as permitting the
creation of multiple layers of regulation.
The Chamber appreciates the bill attempts to maximize
regulatory flexibility. However, at the same time the Chamber
is concerned that the sheer number of rulemakings will create
needless regulatory uncertainty. The Chamber also believes that
the safe harbor provision as drafted is a good start but
improvements could be made. We are gratified by the recognition
that industry self-regulation in this area has and will
continue to protect consumers, however the safe harbor in our
opinion is too narrow and should follow FTC and industry
principles. And also the Chamber has serious concerns about
private right of action as well as an explicit grant of
authority to State Attorneys General to enforce the
legislation.
When combined with the FTC's own enforcement authority we
are concerned that these official mechanisms will serve to
impose duplicative and potentially inconsistent findings of
liability as well as excessive damage awards. In addition the
explicit grant of authority for the award of punitive damages
and attorney's fees will serve to increase the likelihood that
elements of the plaintiff's class action trial bar will use
this legislation as a way to increase class action litigation
with little benefit being given to the general public.
The Chamber also has some concerns covered in more detail
in our testimony with the opt-in requirements of third party
sharing and opt-out requirements for information collection, as
these provisions could upset established business practices for
many of our members.
Finally the Chamber has concerns with access and dispute
resolution and the definition of covered information which I
will be happy to discuss further during our Q and A. Thank you
again, and I am happy to answer your questions following Mr.
Zaneis.
[The prepared statement of Mr. Goldman follows:]
Mr. Rush. Mr. Zaneis, please 5 minutes now.
STATEMENT OF MIKE ZANEIS
Mr. Zaneis. Thank you. I used to work for the U.S. Chamber
of Commerce, but I don't think they would appreciate me
delivering their testimony here today. Thank you, Chairman
Rush, Ranking Member Whitfield, members of the Subcommittee for
holding this hearing for the opportunity to testify about these
important legislative proposals. My name is Mike Zaneis, and I
do work for the Interactive Advertising Bureau as Vice
President of Public Policy.
The IAB represents some 460 companies involved in online
advertising. Our companies run the gamut from the largest
portals and search engines to branded publishers. It includes
ad networks all the way down to the smallest Mom and Pop shop
publisher online. The common theme for all of these folks is
that they depend upon online advertising. It is a good industry
and we are--continue to grow even in these tough economic
times. In the first quarter of this year online advertising
revenue in the U.S. grew to $6 billion. And that represents a
7.5 percent increase over the first quarter of 2009. More
importantly, our industry is a major component of the national
economy. We add more than $300 billion to the U.S. economy and
provide more than 3.1 million jobs total.
But we know it is not all about economic numbers here
today. We know in our industry that the number one asset that
any company has is the consumer relationship in building trust
through protecting their privacy and meeting their privacy
expectations. That is why our industry has a long successful
history of strong self-regulation. It began over a decade ago
with input from the Federal Trade Commission when industries
stood up the Network Advertising Initiative. And this was a
program to oversee third party ad networks and how they have
collected and used data for consumers and provided choice.
But we knew over time as our industry grew and innovated
then so too did our self-regulatory programs. They needed to
innovate, and grow, and expand. That is why over 2 years ago
IAB joined with the Association of National Advertisers, the
American Association of Advertising Agencies, the Direct
Marketing Association and in conjunction with the Council of
Better Business Bureaus, one of the most respected, reputable
self-regulatory monitoring and compliance programs in the
world, to create for the first time a broad comprehensive set
of online privacy practices for advertising purposes.
Here, too, we took away lessons from the Federal Trade
Commission. They issued their staff report about online
behavioral advertising privacy principles in February of '09.
We incorporated many of those principles in our draft--excuse
me--in our final principles that were issued in July of last
year, including transparency, consumer notice, and something
that we haven't talked about which is consumer education, which
is really a key component here.
All of this leads me to the bills and the legislative
proposals that are on the table today. And Mr. Chairman, I want
to thank you for your recognition in H.R. 5777 about the
importance of industry self-regulation. We think that that is
the right approach in that it has a long history of success, it
can be more flexible and dynamic, and there is a commitment by
industry and government agencies to make sure that it works.
And we stand ready to work with you to make sure that any
legislation that moves forward reflects upon and bolsters the
success that not only the FTC has pushed out there and
achieved, but in industry and our cross-industry
self-regulatory group. We are beginning to see fundamental change
online already in this marketplace about how consumers receive
information about how data is collected and used, and pushing
choice out ubiquitously.
That leads me to my second point that we are very gratified
to see your recognition in the bill that a one size fits all
consumer notice jammed down in a privacy policy often is
written in legalese may not serve consumers all that well. In
fact, in our industry we are seeing a tremendous amount of
innovation in better ways to serve notice to consumers and we
hope to preserve that type of flexibility with any legislation
that moves.
But--and there is always a but--we do have a number of
reservations about H.R. 5777 and Congressman Boucher's
proposal. And they share a couple of components that I would
like to just identify here. The first is the concept that first
party data usage requires an opt-out. Here we simply have to
agree with the Federal Trade Commission's finding in their
staff report. When consumers go to an online Web site they
understand there is going to be a certain amount of data
exchanged by that first party site and to serve them content
and services and yes, advertising. And so, we think that they
should be first party--clearly first party usage should be
exempted out of this choice mechanism. Not notice--we should
always do better around giving consumers notice about how the
data is collected and used.
The second issue I would like to raise with you is the
third party data sharing provision. The Internet is nothing but
a series of third party relationships. Virtually every Web site
requires these third party data sharing whether it is to
customize content, to run your analytics on the back side to
make sure you know who is coming to your site and who--and
getting paid, or whether it is for relevant advertising. And so
here again we agree with the FTC's principle in their staff
report that you should have an opt-out requirement empowering
consumers to exercise their choice when they have legitimate
concerns around privacy. You need to give them good notice, you
need to empower them, and you need to educate them which is
something that the IAB is committed to.
So I will just sort of leave you with this last thought and
I look forward to your questions. I think it is impossible to
take information out of the information age, because if you do
that is what you are going to get is less relevant advertising,
and less relevant advertising by definition is spam. I don't
think anybody wants that. That is not good for consumers, and
it is not good for business. Thank you.
[The prepared statement of Mr. Zaneis follows:]
Mr. Rush. The Chair wants to thank all of the witnesses for
your outstanding testimony today. A vote now occurs on the
floor of the House of Representatives. There are two votes--
should be probably about 30 minutes or more--around 30 minutes,
so it is the Chair's intention to recess the Subcommittee and
to reconvene immediately after the last vote takes place. So it
will be about half an hour. So I apologize for the interruption
of this hearing, but we will be back as soon as we can. The
Subcommittee now stands in recess.
[Recess.]
Mr. Rush. The Committee will reconvene, return to order.
The Chairman recognizes himself for 5 minutes for the purposes
of questioning the witnesses.
Mr. Hoffman, I was interested in your testimony, and in
your testimony you highlighted the importance of providing FTC
rulemaking authorities to flesh out certain requirements in the
Best Practices Act and to adapt the bill's provisions to
changes in technology. Other stakeholders have raised concerns
that providing FTC with this type of rulemaking authority in
the bill will create enormous regulatory uncertainty that is
bad for commerce.
What are your thoughts on this? If FTC does not provide a
rulemaking authority, will the bill quickly become outdated?
Are you concerned about regulatory uncertainty and would you
answer those questions for me, please?
Mr. Hoffman. We think the Best Practices Act does an
excellent job of not just providing rulemaking authority to the
FTC, but guiding that rulemaking authority by certain criteria
that should have to shape the regulations that would emanate
from the FTC. Our perspective when we look at privacy
legislation is to allow privacy to continue to actually aid
innovation instead of impede innovation.
Individual pieces of legislation need to be technologically
neutral to allow for the enforcement agencies to apply those
principles to the individual new business models when they come
up and to provide guidance in that way. The FTC has been an
absolute leader in doing that for the past decade.
Mr. Vladeck mentioned the various methods that they have
used to do that with the different enforcement actions that
they have taken, plus the round tables that they have held, and
how they have communicated with industry and academics. We
think that the Best Practices Act balances those different
interests very well.
Mr. Rush. Ms. Harris, is the importance to FTC rulemaking
the--in this act just for consumers and is it just for business
also?
Ms. Harris. We think so. You are always--when you are
writing a bill like this you can be highly specific, and the
bill will lock in today's business practices, it will not have
the flexibility that you need for business practices that we
haven't seen, and it will not allow the law to basically live
in a way that will address business practices we haven't seen.
Giving the FTC very specific rulemaking authority here first of
all allows them to take into account the different kinds of
business models and technologies that we are dealing with, but
it also, I think, allows over time for modifications depending
on changed circumstances. So yes, we think FTC rulemaking is
essential here.
Mr. Rush. In past legislation the third party or
unaffiliated party has been defined based on the corporate
structure of an entity, such as common ownership or corporate
control. And during this hearing and in other sidebar
conversations we have heard concerns that consumers may not
understand which entities are subsidiaries, affiliates, parent
corporations, or otherwise under common control with another
company. On the other hand, corporate structuring is known and
we do not know--we don't want to draw an arbitrary line.
Ms. Harris and Mr. Mierzwinski, do you believe that
consumers may have difficulty understanding when entities are
related by common ownership or control? Should privacy matter?
Should privacy legislation take into account the best
reasonable expectations of the consumer as this act does? And
is this a workable definition? Lastly I--you can answer these
three questions in the manner that you would choose to. Lastly,
what are the benefits of an approach based on common ownership
or control and does it provide companies with more clarity?
Those are a series of questions. I hope you can kind of
summarize the questions in your answers.
Ms. Harris. I am going to let Ed go first.
Mr. Mierzwinski. Oh, thank you, Chairman Rush, and I think
I want to commend you on your provision recognizing the
artificial distinction of this corporate common control.
Consumers don't have any idea that their bank owns some
hundreds or thousands of other affiliated entities. And the
Internet has a number of networked companies that are the same
way. So going to an activities based definition rather than a
corporate ownership definition, we support that, and I think it
is much closer to consumer expectations that except for the
company you are doing business with, pretty much everyone else
is a third party.
Ms. Harris. So I generally agree. I do think that your bill
probably gets it as close to right as you can because it is a
complicated issue. I am glad that there is some room for FTC
rulemaking on that provision. The key question here is would a
consumer under reasonable circumstances believe that they are
dealing with an entity that is under common control. And I
really think that that is probably--has to do with common
branding. I think most of us know that GAP and Banana Republic
and Old Navy and a whole set of companies are sort of one. But
given a sort of large multi-national that owns many, many, many
different lines of business, we have to keep that very narrow
in the interest of the consumer and I think you've done that.
Mr. Rush. The Chairman's time is concluded. Now the
Chairman acknowledges Mr. Whitfield for 5 minutes.
Mr. Whitfield. I thank all of you for your testimony and
trying to balance protecting privacy versus generating revenue
for advertising to keep the Internet the vibrant marketplace
that it is--searching browsing history of a particular person,
and can some of you, maybe Ms. Harris or Mr. Mierzwinski,
identify for me the privacy concerns with the anonymous
monitoring of web browsing history, and should that require the
same level of consent as using information like Social Security
number, bank account numbers and so forth, and just give me
your perspective on the differences therein.
Ms. Harris. Mr. Whitfield, the way that they are able to
collect discrete pieces of browsing history is usually to tie
them together with an IP address. In that instance companies
can pull them together into profiles, and they can be put
together with information to identify the consumer. So in the
technological environment that we are in now, the ability to
bring discrete pieces of information together into an
identifiable profile is simply much easier. I think that there
is a conversation to be had wherein where you draw the line
and--but I think that that is something that has changed
dramatically from, you know, the first time that privacy
legislation was introduced in Congress.
Mr. Mierzwinski. Mr. Whitfield, I would agree and I would
say that from my perspective one of the strongest pieces of
both bills is that IP addresses insensitive information. We are
concerned that de-identified or supposedly anonymous
information can be repackaged back together. There are numerous
examples of that happening, and I would also point out that a
recent complaint by U.S. PIRG, the Center for U.S. Democracy,
and other groups talks about just how easy it is and how the
technology has changed in the last few years that consumers are
being sold on a real time basis now. They are not compiling
dossiers that take even half an hour to compile. The ads are
being served instantly. They are being brokered to the highest
bidder. It is very sophisticated, and little bits of
information can add up very quickly.
Mr. Whitfield. Mr. Zaneis, would you like to comment on
this?
Mr. Zaneis. Yes, thank you very much, appreciate the
opportunity. I think Congress has to be careful not to try to
legislate the possible, or the theoretical, and to understand
the business model. And here I actually disagree slightly with
Leslie. It is not the vast or predominant business model to tie
click stream data back to personally identifiable information--
certainly not in the online advertising space. In fact many of
the ad networks specifically--advertising networks deliver some
90 percent of all ads online. They are generally third party by
nature. Their business model generally is not to try to tie it
back to what we would traditionally think of as personally
identifiable information. Certainly there is a lot that is
possible through technology, but I don't think we can legislate
the possible. We ought to be looking at actual business models,
and I think that when we look at H.R. 5777 it actually gets
closer under their definition of covered information to what we
ought to be focusing on, which is things that are actually
personally identifiable, not sort of anonymous in nature.
Mr. Whitfield. And Mr. Rubinstein, since you are an
academic here, do you have any comments on this? We always
value academics' thoughts.
Mr. Rubinstein. Thank you, Mr. Whitfield. I would think I
would just add that it is important not to think of anonymous
data as just a binary category, that it is--data is either
anonymous or it is not anonymous. And the emphasis might be on
specific context, so how much data is being assembled and what
is the quantity of data? Is it being publicly shared or
privately shared? What is the specific context? Rather than try
to get at this through definitions that have just a black and
white aspect to them.
Mr. Hoffman. I would just like to add one point on that--to
that. I think the current draft of the Best Practices Act
actually recognizes that reality that Professor Rubinstein is
commenting on. As an employee of a technology company there are
a number of unique identifiers in hardware and software that
are used on most computing platforms. What is happening in
reality--Mr. Zaneis' point is a very good one. We need to look
at the realities. It is some of those unique identifiers that
are used and apt to correlate to a lot of this data that could
be described sometimes as personally identifiable information.
Others might say no, it is only identifying a particular device
or a particular device at a point in time. That is why I
actually think the definition of preference profile which is
saying that it is a list of preferences associated with an
individual or with an individual's computer or other device,
but then tying that to allow exception for participation in a
choice program is an excellent way to navigate the issues that
even if something is not completely identifiable to a
particular individual it still could have the great potential
to impact an individual.
Mr. Whitfield. Thank you. I see my time has already
expired.
Mr. Rush. The Chair now recognizes Mr. Space.
Mr. Space. I won't need fifteen, Mr. Chairman. In fact, I
won't even need five, but thank you. I really don't have any
questions having come in after the votes and after the
testimony, but I do want to express my appreciation to
Chairman, and to the Ranking Member for the deliberate process
that we have undertaken in examining, reviewing, and modifying
issues relating to privacy when it comes to access to the
Internet and broadband generally. I think that having all the
stakeholders present and participating in this discussion is
very, very important and we see that today. We have seen it in
the past, and we will see it in the future whether it is
academia, industry, government officials, consumer advocacy
groups--all of those stakeholders deserve a place at the table
and our Chairman and the Ranking Member have offered them that.
So I want to thank the witnesses today, thank you, Mr.
Chairman, and the Ranking Member for again such a deliberate and
thorough analysis of an issue that is becoming increasingly
important as we see the role of broadband integrated into
virtually all aspects of our lives. And I yield back my time.
Mr. Rush. The Chair thanks the gentleman for his kind
remarks. And the Chair will now entertain a second round of
questions, and with that in mind, the Chair recognizes himself
for 5 minutes.
This question is addressed to Mr. Vladeck and Mr. Zaneis.
Section 303 of the Act says some entities using covered
information or sensitive information for any purpose for as
long they are in--business or in law enforcement need. Is our
rebuttal presumption--is it too vague? What would be wrong with
setting a date certain restrictions say in six months or a
year?
Mr. Vladeck. Mike, do you want to go first?
Mr. Zaneis. No, you go ahead.
Mr. Vladeck. The Commission has not taken a position on any
of these issues and we would like the opportunity to comment
later on once we have had a fuller opportunity to look at this.
Just generally, you know, we believe that certain kinds of
information ought to be subject to heightened protection. And
so that is, you know, the Commission has made that clear in
other context.
Mr. Zaneis. We are going to figure this out. Luckily I
represent the advertising industry so I know how to get my
message heard even when people don't want to hear it. I think
Section 303--I think one size fits all doesn't always make
sense in the online space. What you see here is a diversity of
opinions, but what we see in the industry is a diversity of
business models. And sometimes they may need to keep
information for different purposes, and what is a legitimate
business purpose I think differs, so you know, I want to take
that back to my members and see if it is something that they
are going to be supportive of or if there is some refinements
we need to make. But as we have seen around things like
consumer notice and other areas, a one size fits all isn't
always the best approach, but we are willing to look at that
and work with the Committee and you, Mr. Chairman, on that.
Mr. Rush. Mr. Rubinstein, would you chime in on this with
your opinion, please?
Mr. Rubinstein. I would generally agree that having
different time periods for different types of data or different
purposes is a good idea rather than a single limit. I think the
one thing that Congress should worry about, though, is
companies that would retain data simply because they might have
some use of it in the future. So where it is that non-specific
and it is just a future business possibility, I don't think
that is a sufficient reason for some unlimited period of
retention.
Mr. Rush. Mr. Rubinstein and Mr. Mierzwinski suggested in
their testimony that this safe harbor in H.R. 5777 in several
ways. I am going to ask both gentlemen what specific
recommendations do you have for structuring the safe harbor
provisions?
Mr. Mierzwinski. Thank you, Mr. Rush. I think the bill as
currently structured captures the key point that I emphasized
about having a mix of carrots and sticks, and that the Private
Right of Action serves as a very significant stick or incentive
for businesses to join. I think the one thing that I would call
attention to, though, is whether the safe harbor choice program
has a strong enough emphasis on high performance standards. And
that is why I emphasized data governance practices such as
appointing a chief privacy officer or having privacy by design
methodologies so that there are other standards that a choice
participant lives up to which in effect entitles them to the
exemptions that they enjoy under the choice program. And I
think the question then is how to best balance that mix of
exemptions on the one hand that serve as incentives to join
while ensuring that only companies engaged in a very high level
of privacy protection are then entitled. Finally I would point
to the desirability of having some form of public consultation as
part of this process and one way to do that might be for a
choice program as part of their application for approval to
indicate what type of public consultation they have engaged in.
Have they met with advocacy groups, have they met with the
public, if so how have they addressed concerns that those
groups have raised. If they haven't addressed them, why not. So
that all is transparent and available to the FTC in making its
evaluation of the choice program.
Mr. Mierzwinski. Mr. Chairman, I would add to that that I
think our concern is that many self-regulatory programs whether
under the Securities and Exchange Commission, whether under the
FTC, or other agencies, they work best when they have a robust
legal standard, robust statutory framework underneath. And
relying on the companies themselves and rule making only by the
FTC is usually not good enough. And we would urge you to
consider strengthening the Federal Trade Commission's
monitoring of the choice program and the accountability
mechanisms in there. And to do that of course, we would also
support strengthening the Federal Trade Commission in general
if they need additional resources to do those kind of things.
Mr. Rush. My time is up. The Chairman recognizes the
Ranking Member.
Mr. Whitfield. Thank you. Is there anyone on the panel
other than Mr. Goldman that believes there should not be
private right of action? OK.
Mr. Hoffman. Intel does not support a private right of
action. We think that it--in the context of privacy in the
great percentage of situations the individual actually does not
even potentially know that they have been harmed, and they
don't know who actually has caused the harm until after. We
think that the best use of resources is to focus on mechanisms
like the choice program in a way that was just articulated. It
really--to devote those resources to organizations putting into
place robust accountability mechanisms into their compliance
programs that way we will avoid the breaches before they even
happen.
Mr. Zaneis. And I won't take up much of your time. I
couldn't agree more. I would just say then I think what we
might want to focus on legislatively is strengthening the
Federal Trade Commission and their enforcement, and more
resources, more cops on the beat I think would be a good thing
in this area.
Mr. Whitfield. I am certainly not an expert in this area.
In fact, I am far from it, but I have read that the OECD's
privacy protection rules, guidelines for privacy protection are
some of the most stringent in the world. Is that your
understanding as well--most of you? Do you understand that to
be true?
Mr. Mierzwinski. I would just say it is--the understanding
in privacy that they are the most robust implementation of the
Fair Information Practices that were actually first developed
by a U.S. Regulatory Committee, but how they are implemented in
law is different in different places. And I would say the only
U.S. law that comes close to implementing them in a very strong
way is something called the Fair Credit Reporting Act which
regulates credit bureaus. Other laws rely on a much weaker
version of the FIPs.
Mr. Whitfield. Well, we--if we were to adopt the OECD
principles basically would you support that or----
Mr. Mierzwinski. Oh absolutely, and I want to say that both
bills adopt parts of it. And in fact the Best Practices bill
adopts quite a bit of the Fair Information Practices. We think
we can go further with purpose, specificity, data minimization,
data retention, and again accountability that is giving more
rights to the data subjects.
Ms. Harris. Mr. Whitfield, I just--I want to agree that a
strong set of Fair Information Practices and certainly the OECD
is sort of the foundational in the United States. The
Department of Homeland Security issued a set a few years ago
that I think are you know perhaps captures some of the more
modern concerns just a little bit that basically the bill
really needs to include them all. That we have spent a long
time focusing on you know opt-in, opt-out consent from the
consumer, and when that is all you have in a bill, then you are
pretty much telling the consumer that they have got to figure
it out. They have to read privacy policies, they have got to
understand it, and that the companies don't have any
substantive obligations. When you include data minimization, et
cetera, then you are putting real limits and the companies have
to decide how to handle those.
Mr. Whitfield. Mr. Mierzwinski--oh I am sorry, go ahead.
Mr. Zaneis. Sorry, I just--I want to be sure that the
Chairman and you, Ranking Member Whitfield understand that
there is a lot of Fair Information Practices in--certainly in
H.R. 5777. I--you are talking about notice, and choice, and
data security, and accuracy. These are Fair Information
Practice principles. That does not mean you need all of them in
a bill about things like marketing databases. In our written
testimony we go into the access and correction provisions and
the reality there is what we are talking about in some of these
marketing databases are strings, user agent strings which are
nothing more than computers talking to computers telling you
what for instance operating system a computer--a person is
using to go to a site. This is used to render the content
readable to the consumer. I ask you what is the, you know, what
is the purpose in allowing correction to that type of database?
It is gobbledygook to the consumer, and I worry about allowing
people to get into those databases when there is no real harm.
We are not talking about Fair Credit Reporting Act. There you
are talking about adverse actions against consumers, things
centered around employment eligibility, access to credit,
getting a home mortgage. That is not what we are talking about
here.
Mr. Whitfield. May I ask one other question?
Mr. Rush. Ms. Harris wanted to respond.
Mr. Whitfield. Oh, I am sorry.
Ms. Harris. I want to strongly disagree with that. Access
is one of the key Fair Information principles. The likelihood
that a consumer is going to demand access to a string of code I
think you know if that is the concern my guess is we can figure
out how to handle it in this Committee. But we are building
larger and larger databases with all kinds of information and
to me that is one of the fundamental rights that consumers have
and that it needs to be part of this bill.
Mr. Whitfield. In Mr. Rush's bill in the definitions under
covered entity it simply says engaged in interstate commerce
whatever, whatever, whatever, and since I was in the railroad
industry I know that when we talk about federal preemption it
is from the business standpoint. We always loved federal
preemption because we had some certainty in whatever state we
operated in and so forth. And I know that a number of you would
be opposed to federal preemption in this arena. Are any of you
opposed to--OK----
Mr. Mierzwinski. We are very strongly opposed and the Best
Practices bill is a much narrower form of preemption, but we
prefer that federal law be a floor.
Mr. Whitfield. What about you, Mr. Rubinstein? Do you have
a comment on that?
Mr. Rubinstein. I would favor a narrow form of preemption.
I think that it does allow businesses to operate with more
certainty, and it is extremely difficult, and costly, and not
very effective to have to design compliance programs that vary
depending on which state you operate in. So I think some form
of preemption is a necessary aspect of this bill.
Mr. Whitfield. Did you want to make comment, Ms. Harris?
Ms. Harris. Yes, Mr. Whitfield, it is CDT's position is
that first the bill has to be good enough at the federal level
to consider preemption. So you know in saying whether we
support it or don't support it you know this is a messy
process. But assuming that the bill provides the right degree
of protection then a narrow preemption that really covers just
those covered entities and just those practices is something
that we are comfortable with. But you know there is a threshold
of what the bill is implying, and we do think that Mr. Rush's
bill gets that right.
Mr. Whitfield. Yes, well I was assuming that if Mr. Rush
pushed the bill through it would be all right.
Mr. Rush. I want to get in on one of the questions, and
this question is addressed to Mr. Goldman and Ms. Harris. In
your testimony earlier you say that user ID's and implications
alone should not be defined as covered information. And given
the fact that there are software passwords, guessing tools out
in the marketplace, what kind of concerns can we have? And I am
kind of pointing to a recent development among myself and--with
myself and some other members of Congress. There is a certain
company that has something they call street maps and I am
really alarmed by these street maps. My residence has shown up
on these street maps, and there are other members of Congress
whose residence has shown up on these street maps and we are
concerned about the notability (ph) especially for us
protecting--protecting assets to the webs and Internet. What
kind of harm could be visited by consumers with some of these
different programs and would you respond to that Ms. Harris and
Mr. Goldman about these certain issues?
Mr. Goldman. I think as in our testimony I think we talked
about how if the information is not directly linked back to the
individual, so if it is just a password or some other kind of
information that is not, you know, connected to your other kind
of personal information, that should not be part of the PII.
And so I think that is where we are at. You know, you could--
theoretically you could have a lot of information out there.
There is a lot of information out there. You might, for
example, if you belong to a social network, you know, a social
networking site you might put your name up there, you might
create a username. You know, but it might not be linked back
to your own name, your own personal--I guess whether financial
or health information. So I think you know, as long as that
is--the question is what is going to harm us in result from all
that I think. And as we go into--our testimony also talks about
we are hesitant about adopting sort of new standards and new
definitions of covered information. I think you know to the
extent that we can standardize definitions across, you know
across bill, across state bills, and federal bills that would
be a good thing. So if you look at personal information as
defined in some of the state bills, some of the state data
breach and privacy bills I think, you know we have not taken--I
think there will be some support for that. But I have not
talked to our members about that at all yet.
Mr. Rush. Ms. Harris, you have a response?
Ms. Harris. If the question is about, you know, whether we
should be covering passwords and unique identifiers that
protect this kind of information then I think in the right
circumstances we should and I think that your bill does do
that.
Mr. Rush. Does any other witness want to respond? Mr.
Hoffman?
Mr. Hoffman. Yes, I think it is a very good question. I
think we find ourselves in a situation where there are a number
of different kinds of data that while they do not point to a
very specific individual, they might point to a device or a
location or something that could end up impacting that
individual. This is a very difficult balance to sort out. I
actually think the Best Practices Act comes very close to
getting this as right as you possibly can. We are saying if you
have got those kinds of identifiers whether it is a password, a
user alias, an IP address, or something that it will be covered
if it falls under two different categories. One would be if it
relates to a specific individual or then if whether it is
created to maintain a preference profile. That may not cover
every way that this information could potentially impact an
individual at some time, but I think that would give business
enough certainty to understand what is being covered and would
cover the great bulk of the situations where people are
concerned right now.
Mr. Zaneis. I think the definition and some--we are in some
ways putting the cart before the horse. The choice options that
we identify really also matter because when you put a blanket
opt-in for third party data usage which is the Internet--we did
a survey earlier this year that demonstrated that over 80
percent of all online advertising campaigns used behavioral
targeting or techniques. So when you are talking about opt-in
for third party data usage, you are talking about the vast
majority of the economic engine of the Internet. So it really
matters what choice mechanism you give because the stakes
really get high. Now in our self-regulatory system that we put
out we actually followed very closely the FTC's own definition
which was extremely broad and included, you know, sort of all
data used for behavioral advertising--online behavioral
advertising. But because we had an opt-out requirement instead
of an opt-in, it was something that our industry at least--I
can speak for us, we could live with that. We could live with
the broader definition if we got the choice mechanism right. So
I think they all kind of, you know--this is a holistic bill and
the different provisions really have to work together. You have
had great staff work to put this together and we just need to
be cognizant of that, and we stand ready to work through those
issues with you.
Mr. Rush. Do you have any additional questions?
Mr. Whitfield. I will just make one other comment. We are
in a little bit of a debate about adopting a fully opt-in
system in the--we have heard some people say whether it would
significantly impact e-commerce in a negative way, how many of
you feel that it would? An opt-in system would dramatically
impact e-commerce? OK, good. So almost everybody up there,
except I guess you Mr. Mierzwinski and----
Ms. Harris. There is some ambiguity here. Go ahead.
Mr. Vladeck. I think that we have been struggling with this
question for a long time, and I am not speaking for the
Commission now. I am speaking for staff. I think there is too
much fray given to the question of the label of opt-in or
opt-out. The concepts are not self-defining and skilled marketers,
and there are lots of them out there, can easily make either
method of expressing choice either easy or difficult. We have
both given what is called affirmative consent because we have
clicked the button and we both, you know, all of us have easily
given in to either method. In our view the question merely
doesn't boil down to this label. It is a legal label. It is not
really a practical label. We believe that the goal ought to be
to ensure the consumers are well informed, and are given easy,
and clear tools with which to exercise choice. Clarity and ease
of use ought to be the key metrics, not easily manipulable
legal terms like opt-in, and opt-out. And that is what we think
the real problem is.
Mr. Whitfield. Thank you, thank you.
Ms. Harris. I have nothing to add to that.
Mr. Whitfield. We should have asked him a question earlier.
Mr. Vladeck. I am fine.
Mr. Rush. Well, the Chair--that concludes our questioning.
And I merely want to reiterate to the witnesses how
appreciative we are for you taking your time to come and share
with us your expertise and your insights into this process and
into both of the drafts, Mr. Boucher's draft bill and to H.R.
5777. And the Chair wants to assure everyone who is present,
including our witnesses, that there will be ample opportunity
for more input before we mark up this bill. I am cognizant of
the fact that this bill was introduced four days ago and we are
having a hearing, but I am also determined that we need to move
forward, you know. I am not sure, there won't be--there will be
a lot of deliberation, but it won't be unnecessary delay in
terms of getting this bill to the floor as it be, and hopefully
to the floor. And we want to--what was some--I want to give you
assurances that your time is not just being wasted here. It is
really--your investment in this process will result in a better
bill but it will be a bill that hopefully will become law. And
I want to thank you so very much for being here this afternoon.
And with that said this Subcommittee is now adjourned.
[Whereupon, at 4:42 p.m., the Subcommittee was adjourned.]