[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]

                            THAT INDIVIDUAL



                               BEFORE THE

                        AND CONSUMER PROTECTION

                                 OF THE

                        HOUSE OF REPRESENTATIVES


                             SECOND SESSION


                             JULY 22, 2010


                           Serial No. 111-147

      Printed for the use of the Committee on Energy and Commerce


78-124                    WASHINGTON : 2013
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected]


                 HENRY A. WAXMAN, California, Chairman
JOHN D. DINGELL, Michigan            JOE BARTON, Texas
  Chairman Emeritus                    Ranking Member
EDWARD J. MARKEY, Massachusetts      RALPH M. HALL, Texas
RICK BOUCHER, Virginia               FRED UPTON, Michigan
FRANK PALLONE, Jr., New Jersey       CLIFF STEARNS, Florida
BART GORDON, Tennessee               NATHAN DEAL, Georgia
BOBBY L. RUSH, Illinois              ED WHITFIELD, Kentucky
ANNA G. ESHOO, California            JOHN SHIMKUS, Illinois
BART STUPAK, Michigan                JOHN B. SHADEGG, Arizona
ELIOT L. ENGEL, New York             ROY BLUNT, Missouri
GENE GREEN, Texas                    STEVE BUYER, Indiana
DIANA DeGETTE, Colorado              GEORGE RADANOVICH, California
  Vice Chairman                      JOSEPH R. PITTS, Pennsylvania
LOIS CAPPS, California               MARY BONO MACK, California
MICHAEL F. DOYLE, Pennsylvania       GREG WALDEN, Oregon
JANE HARMAN, California              LEE TERRY, Nebraska
TOM ALLEN, Maine                     MIKE ROGERS, Michigan
CHARLES A. GONZALEZ, Texas           JOHN SULLIVAN, Oklahoma
JAY INSLEE, Washington               TIM MURPHY, Pennsylvania
TAMMY BALDWIN, Wisconsin             MICHAEL C. BURGESS, Texas
MIKE ROSS, Arkansas                  MARSHA BLACKBURN, Tennessee
ANTHONY D. WEINER, New York          PHIL GINGREY, Georgia
JIM MATHESON, Utah                   STEVE SCALISE, Louisiana
G.K. BUTTERFIELD, North Carolina
BARON P. HILL, Indiana
DORIS O. MATSUI, California
JERRY McNERNEY, California
        Subcommittee on Commerce, Trade, and Consumer Protection

                        BOBBY L. RUSH, Illinois
    Vice Chair                            Ranking Member
JOHN SARBANES, Maryland              RALPH M. HALL, Texas
BETTY SUTTON, Ohio                   ED WHITFIELD, Kentucky
FRANK PALLONE, Jr., New Jersey       GEORGE RADANOVICH, California
BART GORDON, Tennessee               JOSEPH R. PITTS, Pennsylvania
BART STUPAK, Michigan                MARY BONO MACK, California
GENE GREEN, Texas                    LEE TERRY, Nebraska
CHARLES A. GONZALEZ, Texas           MIKE ROGERS, Michigan
ANTHONY D. WEINER, New York          SUE WILKINS MYRICK, North Carolina
JIM MATHESON, Utah                   MICHAEL C. BURGESS, Texas
G.K. BUTTERFIELD, North Carolina
DORIS O. MATSUI, California
JOHN D. DINGELL, Michigan (ex 
                             C O N T E N T S

Hon. Bobby L. Rush, a Representative in Congress from the State 
  of Illinois, opening statement
Hon. Ed Whitfield, a Representative in Congress from the 
  Commonwealth of Kentucky, opening statement
    Prepared statement
Hon. Kathy Castor, a Representative in Congress from the State of 
  Florida, opening statement
Hon. Steve Scalise, a Representative in Congress from the State 
  of Louisiana, opening statement
Hon. Gene Green, a Representative in Congress from the State of 
  Texas, opening statement
Hon. Robert E. Latta, a Representative in Congress from the State 
  of Ohio, opening statement
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement
Hon. Joe Barton, a Representative in Congress from the State of 
  Texas, prepared statement


David Vladeck, Director, Bureau of Consumer Protection, Federal 
  Trade Commission
    Prepared statement
Leslie Harris, President and Chief Executive Officer, Center for 
  Democracy and Technology
    Prepared statement
David Hoffman, Global Privacy Officer, Intel Corporation
    Prepared statement
Ed Mierzwinski, Consumer Program Director, U.S. Public Interest 
  Research Group
    Prepared statement
Ira Rubinstein, Adjunct Professor of Law, New York University 
  School of Law
    Prepared statement
Jason Goldman, Counsel, Technology and E-Commerce, U.S. Chamber 
  of Commerce
    Prepared statement
Mike Zaneis, Vice President, Public Policy, Interactive 
  Advertising Bureau
    Prepared statement

                           Submitted Material

H.R. 5777
Discussion draft

                            THAT INDIVIDUAL


                        THURSDAY, JULY 22, 2010

                  House of Representatives,
           Subcommittee on Commerce, Trade,
                           and Consumer Protection,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The Subcommittee met, pursuant to call, at 2:33 p.m., in 
Room 2322 of the Rayburn House Office Building, Hon. Bobby L. 
Rush [Chairman of the Subcommittee] presiding.
    Members present: Representatives Rush, Stupak, Green, 
Barrow, Castor, Space, Boucher, Whitfield, Stearns, Gingrey, 
Scalise, and Latta.
    Staff present: Michelle Ash, Chief Counsel; Timothy 
Robinson, Counsel; Marc Groman, Counsel; Will Wallace, Special 
Assistant; Brian McCullough, Senior Professional Staff; Shannon 
Weinberg, Counsel; Will Carty, Senior Professional Staff and 
Counselor; Robert Frisby, FTC Detailee; and Sam Costello, 
Legislative Analyst.


    Mr. Rush. Good afternoon. Today we are pleased to welcome 
seven witnesses representing the Federal Trade Commission, the 
consumers, industry, especially businesses with an Internet 
presence and whose mainline of business is to create and sell 
advertising. And I would like to thank them for taking the time 
out of their busy schedules to share in their perspectives on 
consumer privacy as well as to outline their view as 
appropriate offline and online business privacy protection and 
personal information use practices.
    Have you ever been in the midst of a group of people and 
heard someone say "What is said in this room stays in this 
room?" As someone in that room you know just from that 
statement that what may be said could be juicy enough, 
sensitive enough, or valuable enough to tempt one of the other 
persons in that room to violate that compact by leaking that 
information to people who are not in the room during the 
discussion. And the very utterance of these words evidences a 
conscious intent by the participants to set the needed 
environmental conditions that will encourage those in the room 
to interact freely with one another to share data, share 
information without them fearing that that very information 
will harm them economically, emotionally, or otherwise at some 
point in the future.
    As an avid user of the Internet and as a person interested 
in technology and communications, and all things visual, I know 
there is no free lunch when I go onto the Internet and Web site 
and to read or view content, especially when I am not paying 
for that content. That Internet Web site and advertisers on the 
right, and overhead, and operating costs of that Web site know 
that my information whether it can be used to identify who I 
am, or whether it gets merged in with other users' information 
has substantial value and can be monetized when it is provided 
to others.
    Before the House was scheduled to adjourn for its August 
recess, I for one felt that it was imperative on Monday of this 
week to introduce privacy legislation in the form of H.R. 5777, 
the Best Practices Act. I also felt it was important that we 
quickly hold a hearing in this Subcommittee on the assorted 
pros and cons of my bill as well as other issues outlined in 
the discussion draft released by Chairman Boucher and Ranking 
Member Stearns of the CTI Subcommittee.
    The Best Practices Act speaks to a host of issues affecting 
consumer privacy, including consumers' expectations as to how 
their personal information should be handled, shared, and 
disclosed to third parties. This legislation also addresses 
other important issues including what defaults should be set in 
connection with those expectations to provide regulatory 
certainty to industry and to investors. What safeguards should 
be crafted to anticipate foreseeable abuses and violations of 
consumer privacy expectations? What sets of remedies will make 
consumers whole in the event of privacy breach, and how to 
calibrate penalties and other possible legal causes of action 
without chilling industry incentives to innovate and grow their 
    This legislation also addresses to what extent, if any, 
should the privacy framework set forth in my bill preempt state 
privacy laws and regulations. In holding this hearing I would 
like to get a better handle on how extensively personal 
information gets shared without an individual's understanding 
and without their consent. I also want to shine a spotlight on 
some of the actual harms that befall individual users through 
no fault of their own.
    With that said I yield back the balance of my time.
    [H.R. 5777 and the discussion draft follow:]

    And now I recognize the Ranking Member of the Subcommittee, 
Mr. Whitfield, for 5 minutes for the purposes of an opening 


    Mr. Whitfield. Well, Chairman Rush, thank you very much and 
we certainly appreciate our panel of expert witnesses here 
today. As you know we are having this hearing to explore 
privacy legislation. I want to commend Chairman Rush for 
introducing his bill and want to thank him and his staff for 
giving us an opportunity to review that legislation. And all of 
us recognize that some steps need to be taken in this area, and 
we are hopeful that after today's hearing a lot of these issues 
will be clarified even more for us because as I said in the 
beginning we look forward to your testimony on this important 
    It seems to me the threshold question is whether Congress 
can require meaningful protections without forcing businesses 
online and offline to abandon or severely curtail legitimate 
business practices that benefit consumers. We know that it is 
easy to misuse information, and we also know there are benefits 
from sharing information, so that balancing act is very 
important. The problem I believe for most consumers is the lack 
of understanding about how their information is collected, and 
once used how--and once they provide it how that is being used, 
and the impact that it has on them.
    This is a preparatory hearing and we always have a lot of 
concerns about legislation, particularly when it is in the area 
of privacy. One of the areas that I have some concern about is 
that the first party, third party distinction created by this 
bill could also give certain players in the Internet ecosystem 
a competitive advantage over others, and I think we need a 
level playing field. I think it would be very difficult also 
for Congress to be involved in every nuance of privacy, and I 
think we need to be very careful about the latitude that we 
give the FTC in this area.
    One of the areas that is vitally important obviously in 
policing any legislation is the enforcement mechanism. I am 
always concerned about private rights of action because I know 
in some instances it has really created a cottage industry for 
trial lawyers seeking to manufacture privacy concerns. But I 
also know that sometimes those appear to be--these private 
rights of actions seem to be a good way to go.
    I do support the ability of State Attorneys General to 
enforce the Federal Statute. I don't think this bill goes far 
enough in terms of preempting state laws, creating the 
possibility that despite the bill's intent, covered entities 
would be subject to actions under multiple potentially 
conflicting laws or legal theories for conduct sanctioned by 
this bill.
    Whatever Congress ultimately enacts consumers will not care 
really about the corporate structure or the regulatory regime 
that governs the entity collecting their information. They only 
want to be sure that their information is treated the same by 
all entities and that they have reasonable protection. And I 
feel quite confident that when we enact privacy legislation 
that we will have a balanced bill that everyone will be 
satisfied with. Maybe I shouldn't say everyone, but most people 
will be satisfied with, and of course, that is our objective.
    Now I yield back the balance of my time.
    [The prepared statement of Mr. Whitfield follows:]

    Mr. Rush. We will be seeking everyone on this bill. We will 
now have Ms. Castor for 2 minutes.


    Ms. Castor. Thank you, Chairman Rush, very much, and thank 
you to the witnesses for being here today. I am looking forward 
to your discussion of consumer privacy in the Internet age, and 
such an exciting age of technological innovation. And I hope 
your comments will be directed to the two draft discussion 
bills that are on the table. We need your expert advice on how 
we balance the important competing interests of personal 
privacy and business innovation.
    We do need to have rules in place that give consumers the 
option to share their information or keep it private. Both 
bills before us require that companies explain to consumers 
what information is being collected and gives them the ability 
to opt out of certain data collection practices. And I think 
this is what consumers are looking for. They want a simple 
explanation followed by a choice. But there are literally 
thousands--millions of new businesses that have been created as 
a result of the ability to share information, and I think that 
this is absolutely vital that we protect that interest as well. 
Nearly all Internet businesses rely on some form of information 
gathering. So we want to ensure that these businesses continue 
to grow, and flourish, but in a way that protects--that 
promotes transparency for the consumer.
    So thank you for being here and thank you, Mr. Chairman. I 
yield back.
    Mr. Rush. Mr. Scalise, you are recognized for 2 minutes.


    Mr. Scalise. Thank you, Mr. Chairman. I want to thank you 
and Ranking Member Whitfield for having this hearing on the 
bills before us today, both focusing on consumer privacy. I am 
pleased that we are once again examining this issue and that 
legislation has been brought forward with the goal of 
protecting consumers and their personal information. I look 
forward to hearing from our panelists and discussing the merits 
of these bills. As we take them into consideration and debate 
the best steps moving forward, I hope we proceed wisely and 
    As I have stated at previous hearings, I hope we focus on 
how to protect consumers and their personal information, and 
look at steps the industry will take on their own to do that. 
We need to make sure that these bills do not focus on ways 
government can get involved in more areas of people's lives 
where it does not belong. For this reason, I hope these bills 
take self-regulation into account and include provisions that 
allow companies to continue with steps that they have already 
taken to protect personal information. If self-regulation is 
not sufficient, and if any additional privacy provisions or 
regulatory requirements are needed, they should be targeted, 
consistent, and not discriminate against any one business or 
industry. Congress should not pick winners and losers.
    I also hope that these bills do not harm the ability to 
maintain or invest in their businesses. We must strike a 
balance that protects personal information without limiting a 
company's ability to do business in an honest and ethical way. 
Again, I will look forward to hearing from our panelists on 
whether they feel these bills strike that important balance.
    Mr. Chairman, I also want to close by addressing the rumors 
that FCC Chairman Genachowski may add broadband classification 
to the commission's September 16 agenda. First of all, I do not 
believe that the FCC should reclassify broadband services or 
impose burdensome regulations on the Internet. And more 
importantly, the FCC should definitely not rush any process 
that gives Congress little time to react after returning from 
    Over 8,000 pages of comments have been submitted to the FCC 
on this proposal, and the comment period is open until August 
12. For reclassification to be on the September 16 agenda, the 
other commissioners would have to receive the chairman's proposal 
by August 26, giving the commissioners 2 weeks to review the 
thousands of comments. Clearly we need to make sure that they 
have that ability to review those comments from the public. So 
I hope those rumors are in fact just rumors. Otherwise it would 
seem that the FCC intends on ignoring those 8,000 pages of 
comments as well as the bipartisan staff discussions that are 
ongoing on this issue. We must continue to pursue targeted 
legislation that serves the American people, not a hastened 
process that serves a political agenda.
    Thank you, and I yield back.
    Mr. Rush. The chair recognizes now the gentleman from 
Georgia, Mr. Barrow, for 2 minutes.
    Mr. Barrow. Thank you, Chairman, I will waive time.
    Mr. Rush. Mr. Green, you are recognized for 2 minutes.


    Mr. Green. Thank you, Mr. Chairman. Thank you Chairman 
Rush, and Ranking Member Whitfield. I want to thank you for 
raising the issue of consumer privacy and for holding this 
hearing today, and also Chairmen Rush and Boucher, as well as 
Ranking Member Stearns for introducing the bills which we 
examine today.
    As technology continues to evolve, the privacy implications 
for consumers require frequent reexamination by Congress. In 
2003 we passed the CAN-SPAM Act that countered the alarming 
rise of unsolicited spam email messages that interfered with 
the use of Internet and email by end users. Today technology has 
continued its progress and as a result, we are once again 
confronted with challenges for protecting consumers and 
ensuring that private data is not shared without consent.
    The ability to easily aggregate and share information over 
the Internet has provided tremendous benefits to our society 
and our economy, and the collection of consumer information can 
provide tremendous benefits to small and upstart businesses by 
allowing them to target customers that have tendencies to 
purchase individualized products or services. One problem, 
however, is that these are not the only ones using the data, 
and the ability and entire entities that sell this information 
to collect such a wide variety of information on individuals is 
extremely troubling because it allows bad actors to target 
vulnerable individuals based on very specific and granular data 
that has been collected across a number of online and offline 
platforms. We have laws that regulate how this information can 
be used by financial institutions in relating to medical record 
privacy, but outside these defined areas the information is 
largely unregulated and has the potential for being 
tremendously harmful to consumers.
    I am pleased that our committee is confronting these 
challenges head on. It is important that we examine methods 
that introduce transparency into the system and give the 
consumers the ability to have control over the large scale 
data. Collection is currently occurring at most times without 
their knowledge. And I look forward to hearing the testimony 
from witnesses.
    Mr. Chairman, I yield back.
    Mr. Rush. Mr. Latta is recognized for 2 minutes.


    Mr. Latta. Thank you, Mr. Chairman, Ranking Member 
Whitfield. I appreciate you holding today's hearing on the 
important issue of protecting an individual's privacy.
    Meaningful legislation to protect consumers' data is 
important, as there have been recently high profile incidences 
involving the compromising of consumer data that has increased 
privacy and concerns. There are many benefits that the Internet 
provides consumers and it is important that consumers are 
protected. However, as with many of the public policy issues 
that this Subcommittee considers, there needs to be a balance 
between protecting consumers and overburdening companies with 
    The collection of consumer information is a great benefit 
to companies that process transactions as well as to market 
their products. In addition, many of these companies' products 
are based on information that the consumers submit to then 
obtain information specific to them. This personal information 
must be protected whether it regards personal health, 
employment, or any other information.
    While it is important for companies to disclose their 
privacy practices, companies should not have to disclose the 
proprietary practices or information for collecting this 
information. In moving forward on either of these pieces of 
legislation, we need and to ensure that by expanding the 
authority of a government agency that there are no unintended 
consequences on ecommerce. I have heard concerns, especially 
from small businesses, about this legislation having a chilling 
effect on ecommerce and curbing innovation. These small 
businesses are concerned that increased regulations will have 
negative effect on their businesses and have increased costs 
for them, and those that are self-employed ultimately which 
would then have to be borne by the consumers.
    I will look forward to working--continue to work on--with 
the Subcommittee on this important issue relating to protecting 
consumers' privacy. In this time of rapidly advancing 
technology, we must protect personal information. I am hoping 
that this balance can be achieved for all the parties involved, 
and with that, Mr. Chairman, I yield back. Thank you.
    Mr. Rush. The Chair recognizes Mr. Stearns for 5 minutes.


    Mr. Stearns. Thank you, Mr. Chairman, and like other 
members, I am very glad we are having the hearing on H.R. 5777, 
Best Practices Act, as well as the proposal drafted by Mr. 
Boucher, the Chairman of the Communication, Technology, and the 
Internet Subcommittee, the CTI Subcommittee. I was a sponsor, 
principal sponsor with Mr. Boucher on his bill, and so I am 
happy to join with him in soliciting comments as he did over 
the some 70 days. And as many of you perhaps know that I have 
had a lot of experience working on this privacy issue. It is 
complex, involves a broad range of interests. During my time as 
Chairman of this Subcommittee I introduced several privacy 
bills, so I understand the importance of transparency when it 
comes to collection, use and sharing of consumer information. 
Now it is my capacity as the CTI Subcommittee, I have been 
focusing on privacy issues and the Internet, which it becomes 
so ubiquitous in our everyday lives, that we have started to 
presume, just presume a certain level of privacy that may not 
actually exist, so that is why I think we should be looking at 
this privacy situation.
    We must recognize that online advertising supports much of 
the commercial content, applications, and services that are 
available on the Internet today without charge and my 
colleagues, we do not want to disrupt this well-established and 
successful business model.
    Now this bill Best Practices seeks to enhance transparency 
over the commercial use of personal information that provides 
consumers with choices about the collection, use, and 
disclosure of this information. I support providing consumers 
with choices and transparency, but we must also keep in mind 
that only the consumer knows how he or she feels about the 
information that is being collected, the parties doing the 
collecting and the purpose for which the information is 
ultimately collected. Congress cannot and 
should not make that decision for them.
    Now I do have some concern with this Best Practices Act as 
currently drafted, including the overly expansive definition of 
covered information. The private right of action with uncapped 
punitive damages and the safe harbor provision which is too 
prescriptive and relies too heavily on the Federal Trade 
Commission. In order to have an effective safe harbor and 
privacy legislation we must craft a provision that creates the 
right incentives for businesses to subscribe to the very best 
practices with respect to the use of personal information of 
those consumer's standards that have been developed over time 
and are capable of being modified rapidly to address any new 
significant consumer privacy concern about businesses' use of 
consumers' data.
    I would like to work with my colleagues to develop a better 
self-regulatory structure that will protect consumers while 
creating the proper incentives for businesses to adopt and 
maintain the best privacy and protection standards. I obviously 
appreciate having these hearings. I regret though, Mr. 
Chairman, we are having a hearing only four days after the bill 
was publicly released. This is an important and complicated 
topic, and members, and staff, and our witnesses need more time 
to adequately analyze the provisions in this legislation. It is 
a credit to Mr. Boucher. He released this privacy discussion 
draft on May 4, and he allowed ample time for comments. And if 
I recollect correctly, there were 70 different organizations, 
companies, universities, colleges, and concerned citizens that 
have taken the time to send their comments on this discussion 
    So we have a--plenty of information to consider for his 
bill. So there is clearly a lot of interest out in privacy--out 
in the industry for privacy legislation. I feel that more time 
allowed for more robust discussion is necessary, so I hope we 
have that in the future. But again I appreciate your work, and 
the leadership on this issue, and also Mr. Boucher's hard work 
as I look forward to working with members of both Subcommittees 
as we try to find the good, equal balance of protecting 
consumers and allowing innovation to flourish.
    I will just conclude and sort of mention which Mr. Scalise 
mentioned a little bit about the FCC and their haste to move 
the--from Title I to Title II, the Internet jurisdiction, and I 
would say--one thing that I would add to his comment is when we 
get back in September it will only be a couple of days perhaps 
until the FCC acts, and that is really not enough time for us 
to even consider what they are doing, so again, I urge as Mr. 
Scalise did that the FCC hold off. Thank you, Mr. Chairman.
    Mr. Rush. The Chair thanks all the members for their 
opening statements, the Chair really wants to reassure every 
member of this Subcommittee that the time to--necessary for 
deliberation will be forthcoming and that in no way do we expect 
to rush--pardon the pun--to rush towards judgment. However, we 
do feel as though we need to start this process in a robust way 
and a robust manner, and that is what was the intention of the 
Chairman. You know, discussion has got to end sometime and now 
is the time for the discussion to be ended and the work to 
    So with that said, I want to welcome our witnesses now and 
I am so honored that these individuals have taken the time out 
from their busy schedule to come and share with this 
subcommittee their valuable information, insight, and their 
expertise on this most important matter that affects us, the 
American people. I want to introduce them now. From my left is 
Mr. David Vladeck----
    Mr. Vladeck. Vladeck.
    Mr. Rush. Vladeck. He is the Director of the Bureau of 
Consumer Protection for the Federal Trade Commission. Seated 
next to Mr. Vladeck is Leslie--Ms. Leslie Harris. She is the 
President and CEO of the Center for Democracy and Technology. 
Next to Ms. Harris is Mr. David Hoffman. He is the Global 
Privacy Officer for the Intel Corporation. Seated next to Mr. 
Hoffman is Mr. Ed Mierzwinski. He is the Consumer Program 
Director for the U.S. Public Interest Research Group. And next 
to Mr. Mierzwinski is Mr. Ira Rubinstein. He is the adjunct 
Professor of Law in the New York School of Law. And next to Mr. 
Rubinstein is Mr. Jason Goldman. He is in Counsel, Technology, 
and E-commerce for the U.S. Chamber of Commerce. And then we 
have seated next to Mr. Goldman is Mr. Mike Zaneis, and Mr. 
Zaneis is the Vice-President of the Public Policy Interactive 
Advertising Bureau. Again, thank you all so very much for being 
present here at this hearing, and it is the practice of this 
subcommittee to swear in the witnesses, and I ask each of you 
if you would stand and raise your right hand. There is a big 
panel of witnesses we got here.
    [Witnesses sworn.]
    Mr. Rush. Please let the record reflect that the witnesses 
have all answered in the affirmative and now we will begin with 
testimony from our witnesses. We will begin with Mr. Vladeck. 
Mr. Vladeck, you are recognized for 5 minutes.



    Mr. Vladeck. Thank you very much, Chairman Rush, Member 
Whitfield, members of the Committee, I really appreciate the 
opportunity to be here today.
    The Federal Trade Commission has a long track record of 
protecting consumer privacy. The Commission began examining 
online privacy in the mid-1990's. Initially the Commission's 
work was built on the so-called Fair Information Practice 
principles of notice, choice, access, and security. The 
Commission's efforts were widely credited with raising public 
awareness about privacy, prompting companies to post privacy 
policies online for the first time and improving companies' 
accountability for privacy practices.
    In the early 2000's the FTC shifted its focus and targeted 
harmful uses of information, uses presenting risks to physical 
security, economic injury, or causing unwarranted intrusions. 
This approach was designed to protect privacy without imposing 
costly notice and choice requirements for all uses of 
information. The Commission's privacy agenda included 
aggressive enforcement on data security, children's privacy, 
spam, spyware, and unwanted telephone calls, telemarketing 
    Last year the Commission announced that it was going to 
again re-evaluate its approach to privacy. We recognize that 
the traditional models governing consumer privacy have 
limitations. The Fair Information Practices model placed a 
heavy burden on consumers to read and understand complicated 
and lengthy privacy policies, and then make choices about the 
collection and use of their data. The harm-based model 
generally did not address concerns about having one's personal 
information exposed where there is no direct intangible 
consequence. Often, harms to consumers were addressed after 
they occurred.
    Late last year the Commission began its re-evaluation of 
privacy by holding three round tables which highlighted a 
number of important themes. First and most urgently consumers 
do not understand the extent to which companies are collecting 
and using their personal data. This is a remark that I think 
many of the members echoed in their opening remarks. Second, 
existing privacy policies don't work as a means of 
communicating privacy practices to consumers, and certainly 
will not work well on small screen mobile devices like smart 
phones. Third, consumers do care about privacy and they care 
about privacy as a value in and of itself beyond any tangible 
economic harm that may be associated with it. And finally, as 
others have pointed out, the free flow of information does help 
make tremendous benefits possible, so we need to be cautious 
about restricting information exchanges and uses.
    Recognizing many of these same issues, Chairman Rush and 
Chairman Boucher each have proposed legislation to advance the 
goal of improving privacy protection in today's commercial 
marketplace. We share this goal and we applaud Chairman Rush 
and Chairman Boucher for their leadership.
    Although the Commission has not taken a position on the 
legislation, both proposals include a number of key policy 
objectives that the Commission supports.
    First, both include requirements for data security for 
customer information, a requirement the Commission has long 
endorsed. Second, the Commission supports the proposal's data 
accuracy requirements, especially where the data will be used 
for decisions about a consumer's eligibility for benefits or 
services. Third, both proposals give the FTC limited rule 
making authority in the privacy area. We believe that the 
content, timing, and scope of privacy disclosures required by 
the legislation will benefit from broad stakeholder input and 
consumer testing which can be accomplished as part of an APA 
rulemaking proceeding. Finally, both proposals include 
innovations to simplify consumers' ability to exercise 
meaningful privacy choice.
    If Congress enacts legislation in this area we urge it to 
consider some additional issues. Most importantly we think it 
would be useful to require short disclosures at the point of 
information collection and/or use and to give the FTC 
rulemaking authority so we can provide guidance on this 
    Let me share an example of why we think short and concise 
notices at the right moment are important. A few months ago it 
was reported that approximately 7,500 consumers had ``sold 
their souls'' to an online computer game retailer. To drive 
home the point the consumers don't read lengthy disclosures, 
the company provided a provision in its privacy policy that by 
placing an order with the company the consumer granted the 
company ``the nontransferable option to claim for now and 
forever more your immortal soul''. The company even went on to 
provide an opt-out provision for this particular soul selling 
clause, but not surprisingly very few consumers opted out. Now 
I don't believe that these consumers really meant to transfer 
their rights of their immortal soul to an online gaming 
company, and we think this illustration drives home the need 
for short and concise notices the consumers will read and 
understand at the time of data collection and use.
    Another issue we would urge Congress to look at is whether 
the sharing of individual's data among companies affiliated 
through common ownership should necessarily be exempt from 
consent requirements, especially where a company may share data 
with dozens or even hundreds of affiliate companies.
    Finally we also have concerns that the safe harbor programs 
contained in the proposed legislation could lead to multiple 
consent mechanisms that may differ in important ways which 
could add to consumer confusion when consumers need more 
    The Commission looks forward to working with Congress to 
resolve these issues and any others that may arise in order to 
accomplish our shared objective of improving consumer privacy, 
while at the same time promoting innovation and beneficial 
flows of information on the Internet. Thank you very much.
    [The prepared statement of Mr. Vladeck follows:]

    Mr. Rush. The Chair now recognizes Ms. Harris for 5 


    Ms. Harris. Chairman Rush, Ranking Member Whitfield, 
members of the Subcommittee, on behalf of CDT I thank you for 
the opportunity to testify today. Chairman Rush, you, Chairman 
Boucher, Representative Stearns have shown great leadership in 
putting the issue of consumer privacy legislation back on the 
Congressional agenda.
    At a time when more and more personal information is 
collected, analyzed and sold, an astonishing 88 percent of 
Americans are concerned about their online privacy. A consumer 
privacy law is long overdue. Drafting a privacy law that can 
stand the test of time requires a careful balancing of 
interest. The law must provide consumers rights, it must 
provide meaningful obligations for companies, and at the same 
time it has to be flexible and high level enough to respond to 
the rapid changes in technology and changing business models. 
It needs to give companies certainty while at the same time 
encouraging privacy, innovation, and accountable practices, and 
of course, it needs strong enforcement. CDT believes the bills 
before the Subcommittee today include the essential building 
blocks for a privacy law that meets this test. Chairman 
Boucher's draft, the critical first steps to that end, we 
believe the Best Practices Act builds on that draft to 
significantly advance the discussion.
    Let me just mention a few key points. Fair Information 
Practices, commonly known as FIPs, must be the foundation of 
any consumer privacy law. The Boucher draft provides the basic 
obligations in notice, and choice, and security, but as Mr. 
Vladeck said, that places most of the burden on the consumer to 
figure out notices. Best Practices goes further to a full set 
of substantive Fair Information Practices that place 
obligations on companies for things like specifying purposes, 
limiting data collection to those purposes, minimizing how long 
one retains data, paying attention to data quality, and 
integrity. And we think that in this complex environment all of 
those obligations are critical.
    With respect to cope--scope, excuse me, CDT does support 
the application of a single baseline set of rules to the online 
and offline environment. We do support a robust definition of 
covered information and heightened protection for sensitive 
information, and we strongly support the special rules for 
covered entities, right now mainly ISPs, that collect all or 
substantially all of an individual's data stream. We are 
pleased with the innovative provision on accountability in Best 
Practices, which requires companies to conduct PIAs, Privacy 
Impact Assessments, and periodic reviews of privacy practices. 
American companies including my colleagues from Intel, HP, and 
Microsoft have been the global leaders in developing an 
accountable privacy culture within companies and we think this 
provision will broaden the culture of responsibility for all 
covered entities.
    We also strongly support the inclusion of a safe harbor 
provision. Safe harbors, when they are backed up by rigorous 
internal compliance and some FTC supervision, can take account 
of differences between industries and create certainty for 
companies. It can encourage privacy innovation and reward the 
adoption of accountable practices.
    Finally, strong enforcement must back up privacy rules, and 
we endorse the dual enforcement regime at the FTC and with the 
State Attorneys General. And we also applaud the inclusion of a 
strong private right of action in the Best Practices bill.
    Mr. Chairman, thank you for the opportunity to testify and 
holding this important hearing. We intend to submit a lengthy 
side by side of the bills and our recommendations for moving 
forward, and we look forward to working with you to enact 
historic privacy legislation that consumers are strongly 
demanding and that we believe businesses need to compete in the 
global economy.
    [The prepared statement of Ms. Harris follows:]

    Mr. Rush. The Chair recognizes Mr. Hoffman for 5 minutes.


    Mr. Hoffman. Mr. Chairman, Ranking Member Whitfield, and 
members of the Subcommittee, I am David Hoffman, Director of 
Security Policy and Global Privacy Officer at Intel 
Corporation, and I appreciate the opportunity to testify before 
you today.
    Intel supports the Best Practices Act of 2010 and we 
believe that innovation requires a policy environment in which 
individuals feel confident that their privacy interests are 
protected. We thank Chairman Boucher and Ranking Member Stearns 
for putting forward such a thoughtful and important draft from 
which to work. Their bill and the Best Practices Act include 
many of the important concepts for a comprehensive U.S. privacy 
law and we strongly support Congress's efforts to legislate in 
this area. I congratulate you on the work you have done to 
protect consumer privacy and to promote continued technology 
    It is Intel's mission to deliver the platform in technology 
advancements that have become essential to the way we work and 
live. We see computing moving in a direction where an 
individual's applications and data will move as that person 
moves through his or her day. To manage these applications and 
data, the individual will use a wide assortment of digital 
devices including servers, laptop computers, smart phones, 
tablets, televisions, and handheld PCs. Thus it is necessary 
that individuals have trust in being able to create, process, 
and share all types of data, including data that may be quite 
sensitive such as health and financial information. The 
provisions in the bills we are discussing today can help 
provide a policy environment which creates that trust.
    I would like to highlight five specific aspects of the two 
bills. First, we are pleased that both bills are technology 
neutral and give flexibility to the FTC to adapt the bill's 
principles to changes in the technology. Maintaining technology 
neutrality in the legal framework provides protection for 
individuals in a rapidly evolving society as the creation of 
legislation and regulatory requirements will invariably trail 
innovation of new technology. We specifically like the Best 
Practices Act's guidance given to the FTC to create 
regulations for certain key provisions of the bill.
    Second, we support federal legislation based upon the Fair 
Information Practices as articulated in the 1980 OECD Privacy 
Guidelines. We are pleased that the Boucher/Stearns discussion 
draft is based upon the framework of the Fair Information 
Practices. Further, we are supportive of Chairman Rush's bill 
which goes further and includes provisions applying all of the 
Fair Information Practices such as individual access to data, 
data minimization, and purpose specification.
    Third, we are pleased that the Best Practices Act includes 
a provision requiring covered entities to engage in the 
accountability processes in the deployment of technologies and 
services. In addition we would advocate that a specific privacy 
by design requirement also be included in the accountability 
section. A privacy by design model focuses on insuring that 
privacy is included as a foundational component of the product 
and service development process. Such a provision should not 
require compliance with detail standards or mandatory third 
party product reviews, but should instead focus on including 
privacy into a business's product and service development 
    Fourth, Intel commends both bills for contemplating that 
certain operational uses of data are implicitly consented to by 
individuals and should not require explicit notice and consent. 
Specifically Intel supports the Best Practices Act's drafting of 
such a use-based model.
    Fifth and finally, Intel is strongly supportive of Title IV 
of the Best Practices Act which establishes a safe harbor for 
participation and self-regulatory choice programs. Intel has 
long been a supporter of privacy trust mark problems and 
believes they provide a way to work with organizations on their 
accountability processes. We believe that in many instances 
trust marks and other similar mechanisms can substantially 
increase the reach and the effectiveness of government 
enforcement. This co-regulation is a better solution than a 
private right of action which is likely to result in baseless 
claims, causing organizations to spend resources on litigation 
when those resources could be better directed toward the 
organization's privacy compliance program. However, if a 
private right of action is included, then the choice program 
should continue to provide a safe harbor from liability.
    Intel again thanks Chairman Rush and the Subcommittee for 
your excellent work to protect consumer privacy, and to promote 
and continue privacy innovation. We are supportive of the Best 
Practices Act, we look forward to continuing our engagement to 
improve the overall protection of privacy.
    [The prepared statement of Mr. Hoffman follows:]

    Mr. Rush. Mr. Mierzwinski, you are recognized for 5 


    Mr. Mierzwinski. Thank you very much. Thank you very much 
Chairman Rush and Ranking Member--I was trying to work my 
timer--this one is not working, but I will try to stick to 5 
minutes. Ranking Member Whitfield, members of the Committee, I 
am Ed Mierzwinski. I am Consumer Program Director for the 
Public Interest Research Group, U.S. PIRG. My testimony as 
submitted includes co-signed by the Consumer Federation of 
America and the Center for Digital Democracy. Since then four 
other organizations and I will provide this for the record: 
Consumer Action, the Consumer Watchdog, Privacy Rights 
Clearinghouse, and the World Privacy Forum have also endorsed 
the testimony.
    I want to start out with one point that is really the main 
point that I want to make, and that is that the current digital 
marketing system does not meet consumers' expectations of 
privacy. A recent study by two leading universities, the 
University of Pennsylvania and the University of California at 
Berkeley, found that most consumers believe that the government 
already protects their privacy. It does not. Instead we have a 
digital marketing system that I call or could call the Hoover 
model, and I am not talking about J. Edgar. I am talking about 
the vacuum cleaner. The vacuum cleaner model of collecting 
every bit of information, every web track that a consumer ever 
makes and keeping it forever is the way that companies like in 
their virtually unregulated digital ecosystem. And we have a 
system right now where the Federal Trade Commission has been 
hobbled for 30 or 40 years by limits on its ability to improve 
the rules that--and that and enforce the rules by the Magnuson-Moss 
rulemaking that was imposed on it that this Committee 
tried to fix in the Wall Street Reform Act, but unfortunately 
the Wall Street Reform Act did not finally give the Federal 
Trade Commission fully capable of making authority or full 
aiding and abetting liability, or the full ability to impose 
civil penalties, and we would hope that that would be on the 
Committee's agenda to continue to try to achieve those goals.
    But--so our organizations share long-standing concerns for 
consumer privacy and look forward to working with the Committee 
on these matters. And the Committee has had a long-standing 
history of bipartisan bases working on consumer privacy, so we 
are very encouraged by the work that was done first by Chairman 
Boucher and Ranking Member Stearns, and then by you, Chairman 
Rush, in putting together your thoughtful proposals.
    However, our concern is that the proposals tend to graft 
Fair Information Practices on top of the digital ecosystem that 
it just won't work as well as a full Fair Information Practices 
based provision might work. So we are suggesting that the 
committee start over and among the key elements of a revised 
bill would be a framework focused on overall data minimization. 
Anyone who knows the online and offline data collection 
industry will tell you that the focus is on data maximization, 
as I said, the Hoover model. ``Every move you make'' as the 
lyrics of the Police song go could be the data collection 
industry's theme song as we are all being watched, compiled, 
analyzed, and then acted upon. While tools involving opt-in and 
safe harbors for example provide greater control by a consumer, 
they do not constrain the dramatic and far reaching growth of 
online and offline data collection for personalized and 
innovative targeting. A vast automated and powerful data 
collection complex has emerged capable of generating and 
continually revising a profile, a consumer x-ray of our habits, 
interests, worries, financial status, and everything else about 
us. It is now being collected not just on the Internet, but 
also whenever we use a cell phone, or play an online game, or 
use any other variety of electronic gimmickry that we might be 
carrying around with us.
    Some of the specific concerns that we have, again we think 
the bills are thoughtful for a start, but we would urge you to 
consider a few other things. First of all notice and choice are 
not enough. And I totally agree with the other witnesses that 
these bills go further than the industry preferred FIPs light 
of notice and choice. But we need to have a greater reliance on 
limiting the amount of information that is collected, used, and 
shared, increasing the knowledge of consumers, limiting data 
retention, and maximizing data minimization.
    The second, self-regulation has not worked. The Federal 
Trade Commission under various Administrations has failed in 
self-regulation, as has the industry. And there are several 
reports that I cite in my testimony that go through the details 
of how first the individual references service group self-
regulatory body that supposedly regulated information brokers 
didn't work in the 1990's, then we have the network advertising 
initiative didn't work, and there is an IAB provision that was 
started last year that we don't think has worked. So we think 
we need greater oversight, greater statutory protections, and 
we need a broader private right of action. Although the Rush 
bill has a narrow private right of action, we don't think 
enrich trial lawyers. We think private rights of action deter 
lawlessness and they encourage companies to comply with the 
law. And second, we believe that state laws should always be 
allowed to be stronger than federal law. If you have got a good 
enough federal law the states will move on and do other things. 
But if Congress doesn't solve the job we need the States as 
quick responders to new problems.
    With that I will just conclude my comments and tell you 
that I am very pleased for our organization's want to continue 
to work with you to refine and enhance this legislation. Thank 
    [The prepared statement of Mr. Mierzwinski follows:]

    Mr. Rush. Thank you. Mr. Rubinstein, you are recognized for 
5 minutes.


    Mr. Rubinstein. Mr. Chairman, Ranking Member Whitfield, and 
members of the Subcommittee, thank you for the opportunity to 
testify today. My name is Ira Rubinstein and I am an adjunct 
professor at NYU School of Law. This afternoon I will focus my 
comments specifically on a key question in Congressional 
efforts to regulate privacy. What is the relationship between 
privacy legislation and industry self-regulation and the role 
and effectiveness of safe harbor provisions in promoting self-
    A safe harbor is a familiar legislative device intended to 
shield or reward firms if they engage in desirable behavior as 
defined by statute. In the privacy arena the most familiar 
example is the Children's Online Privacy Protection Act. Over 
the past decade COPPA safe harbor programs have met with 
success mainly in terms of complementing FTC's own enforcement 
efforts. But the program has two main shortcomings, weak 
incentives, and a low rate of participation. Only about 100 
firms have joined. In my written testimony I propose several 
ways in which Congress might improve upon the COPPA safe harbor 
by adopting a more co-regulatory approach in which industry 
enjoys greater scope in shaping self-regulatory guidelines 
while government sets default requirements and retains general 
oversight authority to improve--approve and enforce such 
    A co-regulatory approach relies on both sticks and carrots 
as incentives. Sticks for non-participating firms might include 
a private right of action, broader opt-in requirements, 
external and independent audits of regulatory compliance and 
much stricter requirements for online behavioral advertising. 
Carrots, on the other hand, might include not only exemptions 
from private actions for safe harbor participants, but also 
cost saving such as compliance reviews based on self-
assessments rather than external audits, government recognition 
of better performing firms, and regulatory flexibility in the 
form of tailored requirements addressed to specific sectors or 
business models.
    In proposing this new approach to privacy safe harbors it 
bears emphasizing that safe harbor benefits should be limited 
to firms demonstrating superior performance and would not be 
available to other firms that merely satisfy the default 
statutory requirements. In other words, the safe harbor would 
only benefit firms that meet high performance standards based 
on, for example, sound data governance practices such as 
appointing a chief privacy officer who is accountable for 
setting privacy protection policy and standards; advanced 
privacy methodologies such as use of development guidelines for 
building privacy protection into products or services, also 
called privacy by design as Mr. Hoffman mentioned; and other 
Best Practices such as privacy training for relevant staff and 
online guidance on privacy and security for other employees and 
for consumers.
    In closing I want to emphasize that this new approach to 
privacy safe harbor should not be confused with existing self-
regulatory schemes in which industry alone develops and then 
oversees the privacy code of conduct. Rather, in a privacy safe 
harbor as envisioned here, the government sets default 
requirements and relevant standards and practices emerge from a 
multi-stakeholder process in which both advocacy groups and 
members of the public have an opportunity to participate. This 
requires that interested parties engage in difficult and 
perhaps protracted negotiations and keep talking with each 
other until they forge a rough consensus.
    One way to insure public participation is negotiated rule 
making, a statutorily defined process by which agencies 
formally negotiate rules with regulated industries and other 
stakeholders as an alternative to conventional rule making. An 
alternative approach would be to modify the safe harbor 
approval process by requiring that program sponsors engage in a 
public consultation and report on these consultations in their 
    I will conclude by offering three recommendations which I 
am happy to elaborate upon during this hearing. First, Congress 
needs to enact comprehensive privacy legislation incorporating 
robust Fair Information Practices. Second, this legislation 
should include a safe harbor program based on a co-regulatory 
approach as described above. Finally, this safe harbor program 
should include strong performance standards based on data 
governance, advance privacy methodologies, and other Best 
Practices, and it should also require public consultation as 
part of the safe harbor approval process.
    The two bills being considered today represent important 
first steps in developing this new approach to safe harbors, 
but should be expanded as discussed above. I want to thank you 
again for this opportunity to testify. I will be pleased to 
answer your questions and would be happy to provide any further 
    [The prepared statement of Mr. Rubinstein follows:]

    Mr. Rush. Mr. Zaneis, you are recognized for 5 minutes.
    Mr. Zaneis. I am happy----
    Mr. Rush. I am sorry----
    Mr. Zaneis. That is all right, we don't want to skip over 
    Mr. Rush. Mr. Goldman, I am sorry. Mr. Goldman----
    Mr. Goldman. Thank you very much.
    Mr. Rush. You are recognized for 5 minutes.


    Mr. Goldman. Good afternoon, Chairman Rush, Ranking Member 
Whitfield, and members of the Subcommittee. I am Jason Goldman, 
Telecommunications, and E-commerce Counsel at the U.S. Chamber 
of Commerce. The U.S. Chamber of Commerce is the world's 
largest business federation representing the interest of more 
than three million businesses and organizations of every size, 
sector, and region. On behalf of the Chamber and its members, I 
thank the Subcommittee for its work on consumer protection and 
for the opportunity to testify here today.
    Privacy is a key issue for the Chamber. The Chamber 
supports policies that foster business opportunities while 
respecting consumers' privacy. The collection of personal 
information is necessary to provide consumer, social, and 
business benefits. Given the diversity of private sector 
businesses should have latitude within acceptable guidelines in 
defining what they need--what kind of information they need to 
collect and use.
    Recently the debate over privacy has been brought to the 
forefront by the growth of the Internet. The Internet has 
revolutionized the way business is conducted in all sectors of 
the global economy including financial services, retail, 
wholesale distribution, and manufacturing. Today the vast 
majority of companies, small and large, are online and use the 
Internet to communicate with consumers and with the vendors, 
and all the different other entities. In particular, ad-
supported content has been key to the success of broadband. 
Frequently online content is provided free of charge to 
consumers and revenues are instead generated through 
advertising. This ad-supported business model has been a key to 
the success of many Internet adventures and has helped to make 
the Internet an engine of growth in the U.S. economy.
    I will now turn to the bills that are the topic of this 
hearing. The Chamber received the text of the Best Practices 
Act just a few days ago, so my comments today are based on our 
initial read of the bill and may change as we further analyze 
the bill and vet the bill through our membership. The Chamber's 
analysis of Boucher/Stearns discussion draft was submitted to 
their Subcommittee in June and is attached to our testimony.
    The Chamber very much appreciates the work that went into 
drafting the Best Practices Act. Despite the inclusion of some 
of the provisions that we support, we still have strong 
concerns with the bill as currently drafted. The Chamber--I will go 
through some of the provisions that we support and also some of 
the ones that we have modifications to. The Chamber is pleased 
that the bill directs the FTC to promulgate rules under this 
act in a technology-neutral manner. Government should not pick 
winners and losers. The Chamber applauds the inclusion of 
language that preempts State laws governing the collection and 
use of data. However, the Chamber believes the language could 
have been even stronger to help businesses avoid having to 
comply with 50 different State laws. The Chamber agrees with 
the intent of Section 502 which states that the bill should 
have no effect on activities covered by other federal privacy 
laws. However, the opening clause of this section states 
``except as provided expressly in the Act.'' This could be 
interpreted by the FTC or by the courts as permitting the 
creation of multiple layers of regulation.
    The Chamber appreciates the bill attempts to maximize 
regulatory flexibility. However, at the same time the Chamber 
is concerned that the sheer number of rulemakings will create 
needless regulatory uncertainty. The Chamber also believes that 
the safe harbor provision as drafted is a good start but 
improvements could be made. We are gratified by the recognition 
that industry self-regulation in this area has and will 
continue to protect consumers, however the safe harbor in our 
opinion is too narrow and should follow FTC and industry 
principles. And also the Chamber has serious concerns about 
private right of action as well as an explicit grant of 
authority to State Attorneys General to enforce the 
    When combined with the FTC's own enforcement authority we 
are concerned that these official mechanisms will serve to 
impose duplicative and potentially inconsistent findings of 
liability as well as excessive damage awards. In addition the 
explicit grant of authority for the award of punitive damages 
and attorney's fees will serve to increase the likelihood that 
elements of the plaintiff's class action trial bar will use 
this legislation as a way to increase class action litigation 
with little benefit being given to the general public.
    The Chamber also has some concerns covered in more detail 
in our testimony with the opt-in requirements of third party 
sharing and opt-out requirements for information collection, as 
these provisions could upset established business practices for 
many of our members.
    Finally the Chamber has concerns with access and dispute 
resolution and the definition of covered information which I 
will be happy to discuss further during our Q and A. Thank you 
again, and I am happy to answer your questions following Mr. 
    [The prepared statement of Mr. Goldman follows:]

    Mr. Rush. Mr. Zaneis, please 5 minutes now.

                    STATEMENT OF MIKE ZANEIS

    Mr. Zaneis. Thank you. I used to work for the U.S. Chamber 
of Commerce, but I don't think they would appreciate me 
delivering their testimony here today. Thank you, Chairman 
Rush, Ranking Member Whitfield, members of the Subcommittee for 
holding this hearing for the opportunity to testify about these 
important legislative proposals. My name is Mike Zaneis, and I 
do work for the Interactive Advertising Bureau as Vice 
President of Public Policy.
    The IAB represents some 460 companies involved in online 
advertising. Our companies run the gamut from the largest 
portals and search engines to branded publishers. It includes 
ad networks all the way down to the smallest Mom and Pop shop 
publisher online. The common theme for all of these folks is 
that they depend upon online advertising. It is a good industry 
and we are--continue to grow even in these tough economic 
times. In the first quarter of this year online advertising 
revenue in the U.S. grew to $6 billion. And that represents a 
7.5 percent increase over the first quarter of 2009. More 
importantly, our industry is a major component of the national 
economy. We add more than $300 billion to the U.S. economy and 
provide more than 3.1 million jobs total.
    But we know it is not all about economic numbers here 
today. We know in our industry that the number one asset that 
any company has is the consumer relationship in building trust 
through protecting their privacy and meeting their privacy 
expectations. That is why our industry has a long successful 
history of strong self-regulation. It began over a decade ago 
with input from the Federal Trade Commission when industries 
stood up to network advertising initiative. And this was a 
program to oversee third party ad networks and how they have 
collected and used data for consumers and provided choice.
    But we knew over time as our industry grew and innovated 
then so too did our self-regulatory programs. They needed to 
innovate, and grow, and expand. That is why over 2 years ago 
IAB joined with the Association of National Advertisers, the 
American Association of Advertising Agencies, the Direct 
Marketing Association and in conjunction with the Council of 
Better Business Bureaus, one of the most respected, reputable 
self-regulatory monitoring and compliance programs in the 
world, to create for the first time a broad comprehensive set 
of online privacy practices for advertising purposes.
    Here, too, we took away lessons from the Federal Trade 
Commission. They issued their staff report about online 
behavioral advertising privacy principles in February of '09. 
We incorporated many of those principles in our draft--excuse 
me--in our final principles that were issued in July of last 
year, including transparency, consumer notice, and something 
that we haven't talked about which is consumer education, which 
is really a key component here.
    All of this leads me to the bills and the legislative 
proposals that are on the table today. And Mr. Chairman, I want 
to thank you for your recognition in H.R. 5777 about the 
importance of industry self-regulation. We think that that is 
the right approach in that it has a long history of success, it 
can be more flexible and dynamic, and there is a commitment by 
industry and government agencies to make sure that it works. 
And we stand ready to work with you to make sure that any 
legislation that moves forward reflects upon and bolsters the 
success that not only the FTC has pushed out there and 
achieved, but in industry and our cross-industry self-
regulatory group. We are beginning to see fundamental change 
online already in this marketplace about how consumers receive 
information about how data is collected and used, and pushing 
choice out ubiquitously.
    That leads me to my second point that we are very gratified 
to see your recognition in the bill that a one size fits all 
consumer notice jammed down in a privacy policy often is 
written in legalese may not serve consumers all that well. In 
fact, in our industry we are seeing a tremendous amount of 
innovation in better ways to serve notice to consumers and we 
hope to preserve that type of flexibility with any legislation 
that moves.
    But--and there is always a but--we do have a number of 
reservations about H.R. 5777 and Congressman Boucher's 
proposal. And they share a couple of components that I would 
like to just identify here. The first is the concept that first 
party data usage requires an opt-out. Here we simply have to 
agree with the Federal Trade Commission's finding in their 
staff report. When consumers go to an online Web site they 
understand there is going to be a certain amount of data 
exchanged by that first party site and to serve them content 
and services and yes, advertising. And so, we think that they 
should be first party--clearly first party usage should be 
exempted out of this choice mechanism. Not notice--we should 
always do better around giving consumers notice about how the 
data is collected and used.
    The second issue I would like to raise with you is the 
third party data sharing provision. The Internet is nothing but 
a series of third party relationships. Virtually every Web site 
requires these third party data sharing whether it is to 
customize content, to run your analytics on the back side to 
make sure you know who is coming to your site and who--and 
getting paid, or whether it is for relevant advertising. And so 
here again we agree with the FTC's principle in their staff 
report that you should have an opt-out requirement empowering 
consumers to exercise their choice when they have legitimate 
concerns around privacy. You need to give them good notice, you 
need to empower them, and you need to educate them which is 
something that the IAB is committed to.
    So I will just sort of leave you with this last thought and 
I look forward to your questions. I think it is impossible to 
take information out of the information age, because if you do 
that is what you are going to get is less relevant advertising, 
and less relevant advertising by definition is spam. I don't 
think anybody wants that. That is not good for consumers, and 
it is not good for business. Thank you.
    [The prepared statement of Mr. Zaneis follows:]

    Mr. Rush. The Chair wants to thank all of the witnesses for 
your outstanding testimony today. A vote now occurs on the 
floor of the House of Representatives. There are two votes--
should be probably about 30 minutes or more--around 30 minutes, 
so it is the Chair's intention to recess the Subcommittee and 
to reconvene immediately after the last vote takes place. So it 
will be about half an hour. So I apologize for the interruption 
of this hearing, but we will be back as soon as we can. The 
Subcommittee now stands in recess.
    Mr. Rush. The Committee will reconvene, return to order. 
The Chairman recognizes himself for 5 minutes for the purposes 
of questioning the witnesses.
    Mr. Hoffman, I was interested in your testimony, and in 
your testimony you highlighted the importance of providing FTC 
rulemaking authorities to flesh out certain requirements in the 
Best Practices Act and to adapt the bill's provisions to 
changes in technology. Other stakeholders have raised concerns 
that providing FTC with this type of rulemaking authority in 
the bill will create enormous regulatory uncertainty that is 
bad for commerce.
    What are your thoughts on this? If FTC does not provide a 
rulemaking authority, will the bill quickly become outdated? 
Are you concerned about regulatory uncertainty and would you 
answer those questions for me, please?
    Mr. Hoffman. We think the Best Practices Act does an 
excellent job of not just providing rulemaking authority to the 
FTC, but guiding that rulemaking authority by certain criteria 
that should have to shape the regulations that would emanate 
from the FTC. Our perspective when we look at privacy 
legislation is to allow privacy to continue to actually aid 
innovation instead of impede innovation.
    Individual pieces of legislation need to be technologically 
neutral to allow for the enforcement agencies to apply those 
principles to the individual new business models when they come 
up and to provide guidance in that way. The FTC has been an 
absolute leader in doing that for the past decade.
    Mr. Vladeck mentioned the various methods that they have 
used to do that with the different enforcement actions that 
they have taken, plus the round tables that they have held, and 
how they have communicated with industry and academics. We 
think that the Best Practices Act balances those different 
interests very well.
    Mr. Rush. Ms. Harris, is the importance to FTC rulemaking 
the--in this act just for consumers and is it just for business 
    Ms. Harris. We think so. You are always--when you are 
writing a bill like this you can be highly specific, and the 
bill will lock in today's business practices, it will not have 
the flexibility that you need for business practices that we 
haven't seen, and it will not allow the law to basically live 
in a way that will address business practices we haven't seen. 
Giving the FTC very specific rulemaking authority here first of 
all allows them to take into account the different kinds of 
business models and technologies that we are dealing with, but 
it also, I think, allows over time for modifications depending 
on changed circumstances. So yes, we think FTC rulemaking is 
essential here.
    Mr. Rush. In past legislation the third party or 
unaffiliated party has been defined based on the corporate 
structure of an entity, such as common ownership or corporate 
control. And during this hearing and in other sidebar 
conversations we have heard concerns that consumers may not 
understand which entities are subsidiaries, affiliates, parent 
corporations, or otherwise under common control with another 
company. On the other hand, corporate structuring is known and 
we do not know--we don't want to draw an arbitrary line.
    Ms. Harris and Mr. Mierzwinski, do you believe that 
consumers may have difficulty understanding when entities are 
related by common ownership or control? Should privacy matter? 
Should privacy legislation take into account the best 
reasonable expectations of the consumer as this act does? And 
is this a workable definition? Lastly I--you can answer these 
three questions in the manner that you would choose to. Lastly, 
what are the benefits of an approach based on common ownership 
or control and does it provide companies with more clarity? 
Those are a series of questions. I hope you can kind of 
summarize the questions in your answers.
    Ms. Harris. I am going to let Ed go first.
    Mr. Mierzwinski. Oh, thank you, Chairman Rush, and I think 
I want to commend you on your provision recognizing the 
artificial distinction of this corporate common control. 
Consumers don't have any idea that their bank owns some 
hundreds or thousands of other affiliated entities. And the 
Internet has a number of networked companies that are the same 
way. So going to an activities based definition rather than a 
corporate ownership definition, we support that, and I think it 
is much closer to consumer expectations that except for the 
company you are doing business with, pretty much everyone else 
is a third party.
    Ms. Harris. So I generally agree. I do think that your bill 
probably gets it as close to right as you can because it is a 
complicated issue. I am glad that there is some room for FTC 
rulemaking on that provision. The key question here is would a 
consumer under reasonable circumstances believe that they are 
dealing with an entity that is under common control. And I 
really think that that is probably--has to do with common 
branding. I think most of us know that GAP and Banana Republic 
and Old Navy and a whole set of companies are sort of one. But 
given a sort of large multi-national that owns many, many, many 
different lines of business, we have to keep that very narrow 
in the interest of the consumer and I think you've done that.
    Mr. Rush. The Chairman's time is concluded. Now the 
Chairman acknowledges Mr. Whitfield for 5 minutes.
    Mr. Whitfield. I thank all of you for your testimony and 
trying to balance protecting privacy versus generating revenue 
for advertising to keep the Internet the vibrant marketplace 
that it is--searching browsing history of a particular person, 
and can some of you, maybe Ms. Harris or Mr. Mierzwinski, 
identify for me the privacy concerns with the anonymous 
monitoring of web browsing history, and should that require the 
same level of consent as using information like Social Security 
number, bank account numbers and so forth, and just give me 
your perspective on the differences therein.
    Ms. Harris. Mr. Whitfield, the way that they are able to 
collect discrete pieces of browsing history is usually to tie 
them together with an IP address. In that instance companies 
can pull them together into profiles, and they can be put 
together with information to identify the consumer. So in the 
technological environment that we are in now, the ability to 
bring discrete pieces of information together into an 
identifiable profile is simply much easier. I think that there 
is a conversation to be had wherein where you draw the line 
and--but I think that that is something that has changed 
dramatically from, you know, the first time that privacy 
legislation was introduced in Congress.
    Mr. Mierzwinski. Mr. Whitfield, I would agree and I would 
say that from my perspective one of the strongest pieces of 
both bills is that IP addresses insensitive information. We are 
concerned that de-identified or supposedly anonymous 
information can be repackaged back together. There are numerous 
examples of that happening, and I would also point out that a 
recent complaint by U.S. PIRG, the Center for U.S. Democracy, 
and other groups talks about just how easy it is and how the 
technology has changed in the last few years that consumers are 
being sold on a real time basis now. They are not compiling 
dossiers that take even half an hour to compile. The ads are 
being served instantly. They are being brokered to the highest 
bidder. It is very sophisticated, and little bits of 
information can add up very quickly.
    Mr. Whitfield. Mr. Zaneis, would you like to comment on 
    Mr. Zaneis. Yes, thank you very much, appreciate the 
opportunity. I think Congress has to be careful not to try to 
legislate the possible, or the theoretical, and to understand 
the business model. And here I actually disagree slightly with 
Leslie. It is not the vast or predominant business model to tie 
click stream data back to personally identifiable information--
certainly not in the online advertising space. In fact many of 
the ad networks specifically--advertising networks deliver some 
90 percent of all ads online. They are generally third party by 
nature. Their business model generally is not to try to tie it 
back to what we would traditionally think of as personally 
identifiable information. Certainly there is a lot that is 
possible through technology, but I don't think we can legislate 
the possible. We ought to be looking at actual business models, 
and I think that when we look at H.R. 5777 it actually gets 
closer under their definition of covered information to what we 
ought to be focusing on, which is things that are actually 
personally identifiable, not sort of anonymous in nature.
    Mr. Whitfield. And Mr. Rubinstein, since you are an 
academic here, do you have any comments on this? We always 
value academics' thoughts.
    Mr. Rubinstein. Thank you, Mr. Whitfield. I would think I 
would just add that it is important not to think of anonymous 
data as just a binary category, that it is--data is either 
anonymous or it is not anonymous. And the emphasis might be on 
specific context, so how much data is being assembled and what 
is the quantity of data? Is it being publicly shared or 
privately shared? What is the specific context? Rather than try 
to get at this through definitions that have just a black and 
white aspect to them.
    Mr. Hoffman. I would just like to add one point on that--to 
that. I think the current draft of the Best Practices Act 
actually recognizes that reality that Professor Rubinstein is 
commenting on. As an employee of a technology company there are 
a number of unique identifiers in hardware and software that 
are used on most computing platforms. What is happening in 
reality--Mr. Zaneis' point is a very good one. We need to look 
at the realities. It is some of those unique identifiers that 
are used and apt to correlate to a lot of this data that could 
be described sometimes as personally identifiable information. 
Others might say no, it is only identifying a particular device 
or a particular device at a point in time. That is why I 
actually think the definition of preference profile which is 
saying that it is a list of preferences associated with an 
individual or with an individual's computer or other device, 
but then tying that to allow exception for participation in a 
choice program is an excellent way to navigate the issues that 
even if something is not completely identifiable to a 
particular individual it still could have the great potential 
to impact an individual.
    Mr. Whitfield. Thank you. I see my time has already 
    Mr. Rush. The Chair now recognizes Mr. Space.
    Mr. Space. I won't need fifteen, Mr. Chairman. In fact, I 
won't even need five, but thank you. I really don't have any 
questions having come in after the votes and after the 
testimony, but I do want to express my appreciation to 
Chairman, and to the Ranking Member for the deliberate process 
that we have undertaken in examining, reviewing, and modifying 
issues relating to privacy when it comes to access to the 
Internet and broadband generally. I think that having all the 
stakeholders present and participating in this discussion is 
very, very important and we see that today. We have seen it in 
the past, and we will see it in the future whether it is 
academia, industry, government officials, consumer advocacy 
groups--all of those stakeholders deserve a place at the table 
and our Chairman and the Ranking Member have offered them that.
    So I want to thank the witnesses today, thank you, Mr. 
Chairman, and the Ranking Member for again such a deliberate and 
thorough analysis of an issue that is becoming increasingly 
important as we see the role of broadband integrated into 
virtually all aspects of our lives. And I yield back my time.
    Mr. Rush. The Chair thanks the gentleman for his kind 
remarks. And the Chair will now entertain a second round of 
questions, and with that in mind, the Chair recognizes himself 
for 5 minutes.
    This question is addressed to Mr. Vladeck and Mr. Zaneis. 
Section 303 of the Act says some entities using covered 
information or sensitive information for any purpose for as 
long they are in--business or in law enforcement need. Is our 
rebuttal presumption--is it too vague? What would be wrong with 
setting a date certain restrictions say in six months or a 
    Mr. Vladeck. Mike, do you want to go first?
    Mr. Zaneis. No, you go ahead.
    Mr. Vladeck. The Commission has not taken a position on any 
of these issues and we would like the opportunity to comment 
later on once we have had a fuller opportunity to look at this. 
Just generally, you know, we believe that certain kinds of 
information ought to be subject to heightened protection. And 
so that is, you know, the Commission has made that clear in 
other contexts.
    Mr. Zaneis. We are going to figure this out. Luckily I 
represent the advertising industry so I know how to get my 
message heard even when people don't want to hear it. I think 
Section 303--I think one size fits all doesn't always make 
sense in the online space. What you see here is a diversity of 
opinions, but what we see in the industry is a diversity of 
business models. And sometimes they may need to keep 
information for different purposes, and what is a legitimate 
business purpose I think differs, so you know, I want to take 
that back to my members and see if it is something that they 
are going to be supportive of or if there is some refinements 
we need to make. But as we have seen around things like 
consumer notice and other areas, a one size fits all isn't 
always the best approach, but we are willing to look at that 
and work with the Committee and you, Mr. Chairman, on that.
    Mr. Rush. Mr. Rubinstein, would you chime in on this with 
your opinion, please?
    Mr. Rubinstein. I would generally agree that having 
different time periods for different types of data or different 
purposes is a good idea rather than a single limit. I think the 
one thing that Congress should worry about, though, is 
companies that would retain data simply because they might have 
some use of it in the future. So where it is that non-specific 
and it is just a future business possibility, I don't think 
that is a sufficient reason for some unlimited period of 
    Mr. Rush. Mr. Rubinstein and Mr. Mierzwinski suggested in 
their testimony that this safe harbor in H.R. 5777 in several 
ways. I am going to ask both gentlemen what specific 
recommendations do you have for structuring the safe harbor 
    Mr. Mierzwinski. Thank you, Mr. Rush. I think the bill as 
currently structured captures the key point that I emphasized 
about having a mix of carrots and sticks, and that the Private 
Right of Action serves as a very significant stick or incentive 
for businesses to join. I think the one thing that I would call 
attention to, though, is whether the safe harbor choice program 
has a strong enough emphasis on high performance standards. And 
that is why I emphasized data governance practices such as 
appointing a chief privacy officer or having privacy by design 
methodologies so that there are other standards that a choice 
participant lives up to which in effect entitles them to the 
exemptions that they enjoy under the choice program. And I 
think the question then is how to best balance that mix of 
exemptions on the one hand that serve as incentives to join 
while ensuring that only companies engaged in a very high level 
of privacy protection are then entitled. Finally I would point 
to the desirability of having some form of public consultation as 
part of this process and one way to do that might be for a 
choice program as part of their application for approval to 
indicate what type of public consultation they have engaged in. 
Have they met with advocacy groups, have they met with the 
public, if so how have they addressed concerns that those 
groups have raised. If they haven't addressed them, why not. So 
that all is transparent and available to the FTC in making its 
evaluation of the choice program.
    Mr. Mierzwinski. Mr. Chairman, I would add to that that I 
think our concern is that many self-regulatory programs whether 
under the Securities and Exchange Commission, whether under the 
FTC, or other agencies, they work best when they have a robust 
legal standard, robust statutory framework underneath. And 
relying on the companies themselves and rule making only by the 
FTC is usually not good enough. And we would urge you to 
consider strengthening the Federal Trade Commission's 
monitoring of the choice program and the accountability 
mechanisms in there. And to do that of course, we would also 
support strengthening the Federal Trade Commission in general 
if they need additional resources to do those kind of things.
    Mr. Rush. My time is up. The Chairman recognizes the 
Ranking Member.
    Mr. Whitfield. Thank you. Is there anyone on the panel 
other than Mr. Goldman that believes there should not be 
private right of action? OK.
    Mr. Hoffman. Intel does not support a private right of 
action. We think that it--in the context of privacy in the 
great percentage of situations the individual actually does not 
even potentially know that they have been harmed, and they 
don't know who actually has caused the harm until after. We 
think that the best use of resources is to focus on mechanisms 
like the choice program in a way that was just articulated. It 
really--to devote those resources to organizations putting into 
place robust accountability mechanisms into their compliance 
programs that way we will avoid the breaches before they even 
    Mr. Zaneis. And I won't take up much of your time. I 
couldn't agree more. I would just say then I think what we 
might want to focus on legislatively is strengthening the 
Federal Trade Commission and their enforcement, and more 
resources, more cops on the beat I think would be a good thing 
in this area.
    Mr. Whitfield. I am certainly not an expert in this area. 
In fact, I am far from it, but I have read that the OECD's 
privacy protection rules, guidelines for privacy protection are 
some of the most stringent in the world. Is that your 
understanding as well--most of you? Do you understand that to 
be true?
    Mr. Mierzwinski. I would just say it is--the understanding 
in privacy that they are the most robust implementation of the 
Fair Information Practices that were actually first developed 
by a U.S. Regulatory Committee, but how they are implemented in 
law is different in different places. And I would say the only 
U.S. law that comes close to implementing them in a very strong 
way is something called the Fair Credit Reporting Act which 
regulates credit bureaus. Other laws rely on a much weaker 
version of the FIPs.
    Mr. Whitfield. Well, we--if we were to adopt the OECD 
principles basically would you support that or----
    Mr. Mierzwinski. Oh absolutely, and I want to say that both 
bills adopt parts of it. And in fact the Best Practices bill 
adopts quite a bit of the Fair Information Practices. We think 
we can go further with purpose, specificity, data minimization, 
data retention, and again accountability that is giving more 
rights to the data subjects.
    Ms. Harris. Mr. Whitfield, I just--I want to agree that a 
strong set of Fair Information Practices and certainly the OECD 
is sort of the foundational in the United States. The 
Department of Homeland Security issued a set a few years ago 
that I think are you know perhaps captures some of the more 
modern concerns just a little bit that basically the bill 
really needs to include them all. That we have spent a long 
time focusing on you know opt-in, opt-out consent from the 
consumer, and when that is all you have in a bill, then you are 
pretty much telling the consumer that they have got to figure 
it out. They have to read privacy policies, they have got to 
understand it, and that the companies don't have any 
substantive obligations. When you include data minimization, et 
cetera, then you are putting real limits and the companies have 
to decide how to handle those.
    Mr. Whitfield. Mr. Mierzwinski--oh I am sorry, go ahead.
    Mr. Zaneis. Sorry, I just--I want to be sure that the 
Chairman and you, Ranking Member Whitfield understand that 
there is a lot of Fair Information Practices in--certainly in 
H.R. 5777. I--you are talking about notice, and choice, and 
data security, and accuracy. These are Fair Information 
Practice principles. That does not mean you need all of them in 
a bill about things like marketing databases. In our written 
testimony we go into the access and correction provisions and 
the reality there is what we are talking about in some of these 
marketing databases are strings, user agent strings which are 
nothing more than computers talking to computers telling you 
what for instance operating system a computer--a person is 
using to go to a site. This is used to render the content 
readable to the consumer. I ask you what is the, you know, what 
is the purpose in allowing correction to that type of database? 
It is gobbledygook to the consumer, and I worry about allowing 
people to get into those databases when there is no real harm. 
We are not talking about Fair Credit Reporting Act. There you 
are talking about adverse actions against consumers, things 
centered around employment eligibility, access to credit, 
getting a home mortgage that is not what we are talking about 
    Mr. Whitfield. May I ask one other question?
    Mr. Rush. Ms. Harris wanted to respond.
    Mr. Whitfield. Oh, I am sorry.
    Ms. Harris. I want to strongly disagree with that. Access 
is one of the key Fair Information principles. The likelihood 
that a consumer is going to demand access to a string of code I 
think you know if that is the concern my guess is we can figure 
out how to handle it in this Committee. But we are building 
larger and larger databases with all kinds of information and 
to me that is one of the fundamental rights that consumers have 
and that it needs to be part of this bill.
    Mr. Whitfield. In Mr. Rush's bill in the definitions under 
covered entity it simply says engaged in interstate commerce 
whatever, whatever, whatever, and since I was in the railroad 
industry I know that when we talk about federal preemption it 
is from the business standpoint. We always loved federal 
preemption because we had some certainty in whatever state we 
operated in and so forth. And I know that a number of you would 
be opposed to federal preemption in this arena. Are any of you 
opposed to--OK----
    Mr. Mierzwinski. We are very strongly opposed and the Best 
Practices bill is a much narrower form of preemption, but we 
prefer that federal law be a floor.
    Mr. Whitfield. What about you, Mr. Rubinstein? Do you have 
a comment on that?
    Mr. Rubinstein. I would favor a narrow form of preemption. 
I think that it does allow businesses to operate with more 
certainty, and it is extremely difficult, and costly, and not 
very effective to have to design compliance programs that vary 
depending on which state you operate in. So I think some form 
of preemption is a necessary aspect of this bill.
    Mr. Whitfield. Did you want to make comment, Ms. Harris?
    Ms. Harris. Yes, Mr. Whitfield, it is CDT's position is 
that first the bill has to be good enough at the federal level 
to consider preemption. So you know in saying whether we 
support it or don't support it you know this is a messy 
process. But assuming that the bill provides the right degree 
of protection then a narrow preemption that really covers just 
those covered entities and just those practices is something 
that we are comfortable with. But you know there is a threshold 
of what the bill is implying, and we do think that Mr. Rush's 
bill gets that right.
    Mr. Whitfield. Yes, well I was assuming that if Mr. Rush 
pushed the bill through it would be all right.
    Mr. Rush. I want to get in on one of the questions, and 
this question is addressed to Mr. Goldman and Ms. Harris. In 
your testimony earlier you say that user ID's and implications 
alone should not be defined as covered information. And given 
the fact that there are software passwords, guessing tools out 
in the marketplace, what kind of concerns can we have? And I am 
kind of pointing to a recent development among myself and--with 
myself and some other members of Congress. There is a certain 
company that has something they call street maps and I am 
really alarmed by these street maps. My residence has shown up 
on these street maps, and there are other members of Congress 
whose residence has shown up on these street maps and we are 
concerned about the notability (ph) especially for us 
protecting--protecting assets to the webs and Internet. What 
kind of harm could be visited by consumers with some of these 
different programs and would you respond to that Ms. Harris and 
Mr. Goldman about these certain issues?
    Mr. Goldman. I think as in our testimony I think we talked 
about how if the information is not directly linked back to the 
individual, so if it is just a password or some other kind of 
information that is not, you know, connected to your other kind 
of personal information, that should not be part of the PII. 
And so I think that is where we are at. You know, you could--
theoretically you could have a lot of information out there. 
There is a lot of information out there. You might, for 
example, if you belong to a social network, you know, a social 
networking site you might put your name up there, you might 
create a username. You know, but it might not be linked back 
to your own name, your own personal--I guess whether financial 
or health information. So I think you know, as long as that 
is--the question is what is going to harm us in result from all 
that I think. And as we go into--our testimony also talks about 
we are hesitant about adopting sort of new standards and new 
definitions of covered information. I think you know to the 
extent that we can standardize definitions across, you know 
across bill, across state bills, and federal bills that would 
be a good thing. So if you look at personal information as 
defined in some of the state bills, some of the state data 
breach and privacy bills I think, you know we have not taken--I 
think there will be some support for that. But I have not 
talked to our members about that at all yet.
    Mr. Rush. Ms. Harris, you have a response?
    Ms. Harris. If the question is about, you know, whether we 
should be covering passwords and unique identifiers that 
protect this kind of information then I think in the right 
circumstances we should and I think that your bill does do 
    Mr. Rush. Does any other witness want to respond? Mr. 
    Mr. Hoffman. Yes, I think it is a very good question. I 
think we find ourselves in a situation where there are a number 
of different kinds of data that while they do not point to a 
very specific individual, they might point to a device or a 
location or something that could end up impacting that 
individual. This is a very difficult balance to sort out. I 
actually think the Best Practices Act comes very close to 
getting this as right as you possibly can. We are saying if you 
have got those kinds of identifiers whether it is a password, a 
user alias, an IP address, or something that it will be covered 
if it falls under two different categories. One would be if it 
relates to a specific individual or then if whether it is 
created to maintain a preference profile. That may not cover 
every way that this information could potentially impact an 
individual at some time, but I think that would give business 
enough certainty to understand what is being covered and would 
cover the great bulk of the situations where people are 
concerned right now.
    Mr. Zaneis. I think the definition and some--we are in some 
ways putting the cart before the horse. The choice options that 
we identify really also matter because when you put a blanket 
opt-in for third party data usage which is the Internet--we did 
a survey earlier this year that demonstrated that over 80 
percent of all online advertising campaigns used behavioral 
targeting or techniques. So when you are talking about opt-in 
for third party data usage, you are talking about the vast 
majority of the economic engine of the Internet. So it really 
matters what choice mechanism you give because the stakes 
really get high. Now in our self-regulatory system that we put 
out we actually followed very closely the FTC's own definition 
which was extremely broad and included, you know, sort of all 
data used for behavioral advertising--online behavioral 
advertising. But because we had an opt-out requirement instead 
of an opt-in, it was something that our industry at least--I 
can speak for us, we could live with that. We could live with 
the broader definition if we got the choice mechanism right. So 
I think they all kind of, you know--this is a holistic bill and 
the different provisions really have to work together. You have 
had great staff work to put this together and we just need to 
be cognizant of that, and we stand ready to work through those 
issues with you.
    Mr. Rush. Do you have any additional questions?
    Mr. Whitfield. I will just make one other comment. We are 
in a little bit of a debate about adopting a fully opt-in 
system in the--we have heard some people say whether it would 
significantly impact e-commerce in a negative way, how many of 
you feel that it would? An opt-in system would dramatically 
impact e-commerce? OK, good. So almost everybody up there, 
except I guess you Mr. Mierzwinski and----
    Ms. Harris. There is some ambiguity here. Go ahead.
    Mr. Vladeck. I think that we have been struggling with this 
question for a long time, and I am not speaking for the 
Commission now. I am speaking for staff. I think there is too 
much fray given to the question of the label of opt-in or opt-
out. The concepts are not self-defining and skilled marketers, 
and there are lots of them out there, can easily make either 
method of expressing choice either easy or difficult. We have 
both given what is called affirmative consent because we have 
clicked the button and we both, you know, all of us have easily 
given in to either method. In our view the questions merely 
doesn't boil down to this label. It is a legal label. It is not 
really a practical label. We believe that the goal ought to be 
to insure the consumers are well informed, and are given easy, 
and clear tools with which to exercise choice. Clarity and ease 
of use ought to be the key metrics, not easily manipulable 
legal terms like opt-in, and opt-out. And that is what we think 
the real problem is.
    Mr. Whitfield. Thank you, thank you.
    Ms. Harris. I have nothing to add to that.
    Mr. Whitfield. We should have asked him a question earlier.
    Mr. Vladeck. I am fine.
    Mr. Rush. Well, the Chair--that concludes our questioning. 
And I merely want to reiterate to the witnesses how 
appreciative we are for you taking your time to come and share 
with us your expertise and your insights into this process and 
into both of the drafts, Mr. Boucher's draft bill and to H.R. 
5777. And the Chair wants to assure everyone who is present, 
including our witnesses, that there will be ample opportunity 
for more input before we mark up this bill. I am cognizant of 
the fact that this bill was introduced four days ago and we are 
having a hearing, but I am also determined that we need to move 
forward, you know. I am not sure, there won't be--there will be 
a lot of deliberation, but it won't be unnecessary delay in 
terms of getting this bill to the floor as it be, and hopefully 
to the floor. And we want to--what was some--I want to give you 
assurances that your time is not just being wasted here. It is 
really--your investment in this process will result in a better 
bill but it will be a bill that hopefully will become law. And 
I want to thank you so very much for being here this afternoon. 
And with that said this Subcommittee is now adjourned.
    [Whereupon, at 4:42 p.m., the Subcommittee was adjourned.]