[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]


 
          PROTECTING CHILDREN'S PRIVACY IN AN ELECTRONIC WORLD 

=======================================================================

                                HEARING

                               BEFORE THE

           SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 5, 2011

                               __________

                           Serial No. 112-91



      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov


                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

74-138 PDF                       WASHINGTON : 2012 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 



                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York
MARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina   GENE GREEN, Texas
  Vice Chairman                      DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma              LOIS CAPPS, California
TIM MURPHY, Pennsylvania             MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California         JAY INSLEE, Washington
CHARLES F. BASS, New Hampshire       TAMMY BALDWIN, Wisconsin
PHIL GINGREY, Georgia                MIKE ROSS, Arkansas
STEVE SCALISE, Louisiana             JIM MATHESON, Utah
ROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin 
BILL CASSIDY, Louisiana              Islands
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

                                 _____

           Subcommittee on Commerce, Manufacturing, and Trade

                       MARY BONO MACK, California
                                 Chairman
MARSHA BLACKBURN, Tennessee          G.K. BUTTERFIELD, North Carolina
  Vice Chairman                        Ranking Member
CLIFF STEARNS, Florida               CHARLES A. GONZALEZ, Texas
CHARLES F. BASS, New Hampshire       JIM MATHESON, Utah
GREGG HARPER, Mississippi            JOHN D. DINGELL, Michigan
LEONARD LANCE, New Jersey            EDOLPHUS TOWNS, New York
BILL CASSIDY, Louisiana              BOBBY L. RUSH, Illinois
BRETT GUTHRIE, Kentucky              JANICE D. SCHAKOWSKY, Illinois
PETE OLSON, Texas                    MIKE ROSS, Arkansas
DAVID B. McKINLEY, West Virginia     HENRY A. WAXMAN, California (ex 
MIKE POMPEO, Kansas                      officio)
ADAM KINZINGER, Illinois
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)

                                  (ii)



                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Mary Bono Mack, a Representative in Congress from the State 
  of California, opening statement...............................     1
    Prepared statement...........................................     4
Hon. G.K. Butterfield, a Representative in Congress from the 
  State of North Carolina, opening statement.....................     6
Hon. Joe Barton, a Representative in Congress from the State of 
  Texas, opening statement.......................................     7
    Prepared statement...........................................     8
Hon. Pete Olson, a Representative in Congress from the State of 
  Texas, opening statement.......................................    10
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, opening statement...............................    10
    Prepared statement...........................................    12

                               Witnesses

Mary Koelbel Engle, Associate Director, Division of Advertising 
  Practices, Federal Trade Commission............................    14
    Prepared statement...........................................    17
    Answers to submitted questions...............................   140
Hemanshu Nigam, Founder and Chief Executive Officer, SSP Blue....    37
    Prepared statement...........................................    39
Morgan Reed, Executive Director, Association for Competitive 
  Technology.....................................................    44
    Prepared statement...........................................    46
Stephen Balkam, Chief Executive Officer, Family Online Safety 
  Institute......................................................    58
    Prepared statement...........................................    60
    Answers to submitted questions...............................   143
Kathryn C. Montgomery, Director, Ph.D. Program, School of 
  Communication, American University.............................    72
    Prepared statement...........................................    74
Alan Simpson, Vice President of Policy, Common Sense Media.......    95
    Prepared statement...........................................    97


          PROTECTING CHILDREN'S PRIVACY IN AN ELECTRONIC WORLD

                              ----------                              


                       WEDNESDAY, OCTOBER 5, 2011

                  House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 9:07 a.m., in 
room 2123 of the Rayburn House Office Building, Hon. Mary Bono 
Mack (chairman of the subcommittee) presiding.
    Members present: Representatives Bono Mack, Blackburn, 
Harper, Lance, Cassidy, Guthrie, Olson, McKinley, Kinzinger, 
Barton, Butterfield, Markey, Matheson, Towns, and Waxman (ex 
officio).
    Staff present: Andy Duberstein, Assistant Press Secretary; 
Kirby Howard, Legislative Clerk; Brian McCullough, Senior 
Professional Staff Member, CMT; Jeff Mortier, Professional 
Staff Member; Gib Mullan, Chief Counsel, CMT; Shannon Weinberg, 
Counsel, CMT; Michelle Ash, Democratic Chief Counsel, CMT; 
Felipe Mendoza, Democratic Counsel; and Will Wallace, 
Democratic Policy Analyst.
    Mrs. Bono Mack. The subcommittee will now come to order.
    Good morning. When it comes to online privacy protection, 
we have no more important job than to get it right for our 
kids. Today, there are an estimated 50 million children across 
the United States who are 13 years of age and younger. Our goal 
is to make sure their experiences on the Internet are as safe 
as possible and their privacy rights are fully protected.
    And the Chair now recognizes herself for an opening 
statement.

 OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Whether they are surfing, studying, chatting, or playing 
video games, kids today are spending more and more time online 
taking advantage of the vast, richly diverse resources found on 
the Internet. But as we know very well and sometimes painfully, 
there can be a dark side to the Internet, too. The Children's 
Online Privacy Protection Act was adopted by Congress in 1998 
to help protect the privacy of our children. COPPA requires Web 
sites and other online services to obtain parental consent 
before collecting and sharing information from kids who are 
under the age of 13. As a mother and as chairman of the 
subcommittee, this is an issue that remains one of my top 
priorities, as well as one of my big areas of concern.
    For the most part, the FTC has done a great job of making 
sure COPPA has worked well for our kids and their families, but 
it is time to begin asking some important questions. Should 
Congress revisit COPPA in light of the rapid technological 
advances which have been made since its enactment more than a 
decade ago? Is the current age threshold sufficient to protect 
our kids or should it be raised? If it is raised, what are the 
constitutional and technological implications? Is the COPPA 
safe harbor regime an effective self-regulatory model and could 
it be successfully utilized in other privacy contexts? And 
finally, is the expansion of the definition of personal 
information in the COPPA appropriate for use as a precedent in 
the broader online privacy context.
    Today, we will begin debating these and other issues with a 
respected panel of experts. And one thing is very clear to me--
kids today are becoming more tech savvy at a younger and 
younger age, but that exposure to exciting new sophisticated 
devices and countless Web sites located around the world 
doesn't necessarily mean that they are going to be able to have 
any better judgment or make them any more aware of what dangers 
might lurk online. That is why the FTC and parents everywhere 
must continue to play a critically important role in 
safeguarding the privacy of our children.
    The purpose of this hearing is to take a close look at the 
adequacy of existing protections and whether the FTC's proposed 
changes to COPPA go too far, not far enough, or manage to 
strike the appropriate balance. Having reviewed these changes 
carefully, I think the FTC has, and as I often say, they have 
hit the sweet spot.
    One of the most significant changes involves revising the 
definition of PII to include geolocation data and persistent 
identifiers such as IP addresses or device serial numbers. A 
second change to the existing COPPA Rule includes a new 
provision to govern data retention and deletion of children's 
PII, and it requires operators to delete information when it is 
no longer needed to fulfill its original purpose.
    Another proposed improvement to the COPPA Rule addresses 
the growing unreliability of so-called ``email-plus'' by 
eliminating it as a method of parental consent. And when it 
comes to safe harbors, the FTC is proposing a new self-audit 
requirement calling for information practices to be reviewed 
annually. Additionally, all safe harbor programs would be 
required to regularly submit to the FTC the results of their 
annual member audits and any disciplinary actions imposed by 
their members.
    Clearly, Chairman Leibowitz and the rest of the FTC deserve 
our thanks and our appreciation for conducting a careful, 
thorough, and thoughtful review of COPPA leading to these 
important recommended changes. While some privacy advocates 
would like to raise the COPPA age threshold because of an 
increasing use of social networking sites by teenagers such as 
Facebook, Twitter, and Google Plus, I believe the FTC showed 
commonsense restraint in taking a go-slow approach. The last 
thing we want to do is to inhibit technological advances and 
stifle growth of the Internet by moving forward in a new policy 
area without a good, smart game plan in place.
    I look forward to having this particular debate in the 
months ahead as we continue our broader hearings on privacy. In 
closing, I also want to stress the importance of parental 
involvement in this process. It is not enough to simply check 
the box and provide consent. I urge all parents everywhere to 
regularly check out the Web sites that your kids are visiting, 
carefully review their privacy policies, and finally, ask 
questions. Make sure you clearly understand a site's practices 
as well as its policies and give your kids a primer on the 
dangers of online predators. Talk to them often and make them 
more self-aware. It is critically important that all of us 
continue to work together to keep the Internet as safe as 
possible for all of our children.
    And now, the gentleman from North Carolina, Mr. 
Butterfield, the ranking member of the Subcommittee on 
Commerce, Manufacturing, and Trade is now recognized for his 5 
minutes for his opening statement.
    [The prepared statement of Mrs. Bono Mack follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN 
           CONGRESS FROM THE STATE OF NORTH CAROLINA

    Mr. Butterfield. I thank the chairman of this subcommittee 
and all of the others who have worked so hard to make today's 
hearing possible. Thank you very much because this certainly an 
important subject. I also want to thank the witnesses for 
coming forward today, and I look forward to each of your 
testimonies.
    The privacy of our children is paramount and is an issue 
where we can show strong bipartisan support. Over 10 million 
children access the Internet on a regular basis and it is our 
job as policymakers to ensure that they are protected and their 
personal information is safe.
    In 1998, consumer use of the Internet was still in its 
infancy. It had evolved from making about 2 percent of two-way 
telecommunication traffic in 1990 to over 50 percent in the 
year 2000. Understanding the enormity of the Internet and the 
pervasive effect that it would ultimately have on our daily 
lives, Congress passed the Children's Online Privacy Protection 
Act. We refer to it as COPPA. In the year 2000, the FTC COPPA 
Rule went into effect.
    These days, homework often includes an online component. 
You would also find it difficult to find a child of a certain 
age who doesn't communicate with his or her peers over the 
Internet in a chat room or instant messaging program. But the 
majority of those Web sites children have to visit to complete 
schoolwork or talk to their friends require some sort of 
registration to use the site and service. Parents deserve to 
know what kind of personal information is being collected on 
their child and how it will be used. COPPA prohibits operators 
of Web sites and online services directed at children under the 
age of 13 from collecting personal information from them 
without first getting verified parental consent.
    I was curious as to why a parent would give consent to have 
their children's information collected by an operator, and it 
became clear to me that even free content on Web sites has a 
cost. Children are avid consumers and represent a large and 
powerful segment of the marketplace. They spend billions of 
dollars a year themselves and influence others to spend 
billions more. Advertisers see it as an enormous opportunity to 
promote products and services to an eager and impressionable 
audience.
    The FTC's proposed revised COPPA Rule addresses a number of 
concerns that have resulted from the technological advancements 
of the past 5 years. Until recently, the term geolocation 
didn't mean so much to the average person. Now, anyone with a 
GPS-enabled phone can use certain online services to broadcast 
their exact location to a couple of feet and anyone can see 
their location. Geolocation, persistent identifiers, as well as 
photos, videos, and audio of a child have been added to the 
definition of personal information. Giving Web site operators 
maximum latitude, the COPPA Rule requires that reasonable 
procedures are in place to protect the confidentiality, 
security, and integrity of personal information collected from 
children while not mandating any specific procedures or 
technology.
    And to maximize protections for children, the FTC's 
proposed rule will require that Web site operators keep 
children's data for only as long as absolutely necessary and 
that they ensure that their third-party vendors also protect 
children's personal data.
    Now, Madam Chairman, I listened very carefully to your 
opening statement a moment ago and I agree with all that you 
said. The proposed revised COPPA Rule is stronger and it will 
better protect American children from their data falling into 
the wrong hands. It seems to me that a lot of the rules should 
be incorporated into the baseline privacy legislation that 
protects everyone, regardless of age. Someone who is 12 today 
and 13 tomorrow has the same privacy concerns as someone who is 
18 today and 19 tomorrow. I hope that moving forward with 
privacy legislation we can look to COPPA's revised rule and 
apply the strong commonsense privacy protection measures to all 
Americans.
    Thank you very much. I look forward to your testimony.
    Mrs. Bono Mack. I thank the gentlemen.
    And the Chair now recognizes the chairman emeritus of the 
full committee, Mr. Barton, for 1 \1/2\ minutes.

   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Barton. Thank you, Madam Chairwoman. I sincerely 
appreciate you holding this hearing. This is a very personal 
issue with me. I have been involved with privacy for a number 
of years and have a very special interest in children's privacy 
because of my 6-year-old son and my five grandchildren.
    When I grew up, Madam Chairwoman, I didn't even know what a 
computer was. My son, though, my youngest son, 6-year-old son 
probably spends at least an hour a day right now playing on the 
computer both at school and at home. He knows better how to 
click on things than I do quite frankly.
    As cochairman of the Privacy Caucus along with Congressman 
Ed Markey of this committee, I have served as a leading 
advocate for online consumer protection. He and I together have 
introduced H.R. 1895, the Do Not Track Kids Act of 2011. This 
legislation does five things. It updates the Children's Online 
Privacy Protection Act of 1998. It adds protections that 
children or young teenagers ages 13 to 17; it prohibits 
Internet companies from sending targeted advertising to 
children and minors; prohibits Internet companies from 
collecting personal and location information from anyone less 
than 13 years of age without parental consent and anyone less 
than 18 without individual consent; it would require Web site 
operators to develop an eraser button to give children and 
minors the ability to request a deletion of their personal 
information that they do not wish to be available on the 
Internet.
    The issue of online privacy has become a hot topic due to 
the rapid growth of the Internet. I hope that this hearing, 
Madam Chairwoman, spotlights some of the issues and builds a 
bipartisan consensus to do something about it such as move the 
Kids Protection Act that I just mentioned. Thank you for my 
time and I yield back.
    [The prepared statement of Mr. Barton follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mrs. Bono Mack. I thank the gentleman.
    The Chair now recognizes Mr. Olson from Texas for 1 minute.

   OPENING STATEMENT OF HON. PETE OLSON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Olson. I thank the Chair for holding this important 
hearing as we continue our discussions about online privacy 
issues.
    As a father of a 14-year-old daughter and 11-year-old son, 
nothing is more important to me than keeping my kids safe. Kids 
today, like mine, have access to new technologies that enable 
them to get online instantly from almost anywhere and access 
and share information. Congress recognized there was a need to 
protect children's Internet privacy and enacted the Children's 
Online Privacy Protection Act, COPPA, in 1998. As we examine 
the FTC's proposed changes to the COPPA Rule, we need a clear 
understanding of all the tools currently available to parents 
to protect their children's privacy on the Internet before we 
determine what changes are needed to COPPA. We cannot legislate 
in search of a problem.
    I thank the witnesses for being here and look forward to 
the hearing. I yield back.
    Mrs. Bono Mack. I thank the gentleman and now will 
recognize the ranking member of the full committee, Mr. Waxman, 
for 5 minutes for his opening statement.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Waxman. Thank you, Madam Chair.
    In 1998, thanks to the leadership of Representative Ed 
Markey and Dr. Kathryn Montgomery, Congress passed and 
President Clinton signed the Children's Online Privacy 
Protection Act, and today, we are fortunate to have Dr. 
Montgomery back before the committee to talk about this 
landmark law and her recommendations for the future.
    I am pleased that 11 years after enactment, your overall 
assessment is that COPPA is a ``clear legislative success.'' 
COPPA has withstood the test of time, which is remarkable 
because innovation occurs at warp speed online. One reason for 
its success is that it was written to be flexible. The law 
gives the Federal Trade Commission the authority and the 
discretion to carry out several broad mandates aimed at 
protecting young children from the unfair collection and use of 
their information.
    The last several years in particular have been a period of 
rapid change in the delivery of online services. Young children 
now have access to social networks, interactive gaming, and 
apps on mobile devices that they carry with them everywhere 
they go. The FTC is responding to these developments by using 
its authority to update the COPPA Rule so that the law remains 
an effective tool for protecting children's privacy and safety.
    The updates to the COPPA Rule proposed by the FTC are 
appropriate, reasonable, well -hought-out, and true to the 
intent of the law. These changes will ensure that parents of 
young children will remain in control of their information, 
whether it be their precise location at any given time, their 
photographic images, or a record of their online habits and 
activities. That is consistent with the goal of the law--that 
parents, not businesses, get to decide what information about 
their children can and should be revealed online.
    While the focus of this hearing is children's privacy, we 
must not forget that adults need privacy protections, too. 
People of all ages need more control over their information and 
better privacy protection. I have said this before and I will 
say it again. We should enact comprehensive privacy 
legislation. Next week's privacy hearing will be our fourth 
this year. There were six privacy hearings in the last 
Congress. Each hearing has made me more and more convinced that 
current law does not ensure proper privacy protections for 
consumer information.
    As we consider comprehensive legislation, there are some 
clear lessons to be drawn from the 11 years of privacy 
protection for young children under COPPA. First, it is 
possible to provide consumers with real, enforceable online 
privacy protections without killing innovation on the Internet; 
and second, it is possible to craft legislation in such a way 
that the direction from Congress is precise and clear, but the 
authority of the agency is flexible enough to adapt to changes 
in technology and changes in social expectations and behavior. 
Those are valuable lessons. I hope they will be remembered when 
hopefully comprehensive privacy legislation is considered by 
this committee.
    Thank you, Madam Chair, and I am going to yield back the 
balance of my time.
    [The prepared statement of Mr. Waxman follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mrs. Bono Mack. I thank the gentleman and I look forward to 
our continued work together on privacy.
    And now I would like to turn our attention to the panel. We 
have just one panel of witnesses today joining us. Each of our 
witnesses has, as usual, prepared an opening statement that 
will be placed into the record. Each of you will have 5 minutes 
to summarize the statement in your remarks.
    On our panel we have Mary Koelbel Engle, Associate 
Director, Division of Advertising Practices at the Federal 
Trade Commission. Also testifying is Hemanshu Nigam, Founder 
and Chief Executive Officer of SSP Blue. Next is Morgan Reed, 
Executive Director, Association for Competitive Technology. Our 
fourth witness is Stephen Balkam, Chief Executive Officer of 
the Family Online Safety Institute. Our fifth witness is Dr. 
Kathryn Montgomery, Director of the Ph.D. Program at the School 
of Communication at the American University. And our final 
witness is Alan Simpson with Common Sense Media.
    Good morning and thank you all very much for coming. You 
will each be recognized for 5 minutes. To help you keep track 
of time, there are the lights in front of you as is standard. 
You know what yellow, green, and red each mean. As it turns 
yellow either hit the gas or slam on the brakes. You get to 
decide. And please just make sure you turn on your microphone 
before you begin. And Ms. Engle, you may start for your 5 
minutes.

STATEMENTS OF MARY KOELBEL ENGLE, ASSOCIATE DIRECTOR, DIVISION 
 OF ADVERTISING PRACTICES, FEDERAL TRADE COMMISSION; HEMANSHU 
 NIGAM, FOUNDER AND CHIEF EXECUTIVE OFFICER, SSP BLUE; MORGAN 
     REED, EXECUTIVE DIRECTOR, ASSOCIATION FOR COMPETITIVE 
  TECHNOLOGY; STEPHEN BALKAM, CHIEF EXECUTIVE OFFICER, FAMILY 
ONLINE SAFETY INSTITUTE; KATHRYN C. MONTGOMERY, DIRECTOR, PH.D. 
PROGRAM, SCHOOL OF COMMUNICATION, AMERICAN UNIVERSITY; AND ALAN 
     SIMPSON, VICE PRESIDENT OF POLICY, COMMON SENSE MEDIA

                STATEMENT OF MARY KOELBEL ENGLE

    Ms. Engle. Good morning, Chairman Bono Mack, Ranking Member 
Butterfield, and members of the subcommittee. My name is Mary 
Engle, and I am the associate director for advertising 
practices in the Bureau of Consumer Protection at the Federal 
Trade Commission. I appreciate the opportunity to appear before 
you today to discuss the Commission's enforcement and 
administration of the Children's Online Privacy Protection 
Act--or COPPA--Rule.
    Congress enacted COPPA in 1998 to address the unique 
privacy and safety risks created when young children under the 
age of 13 access the Internet. The goals of the act were to 
limit the online collection of personal information from 
children without their parents' permission to protect 
children's safety when they view and post information online 
and to maintain the confidentiality and security of personal 
information that is collected from children.
    The Commission believes that COPPA has largely worked well 
to fulfill these purposes and that even as online practices 
evolve, the law remains important today. The Commission has 
brought 17 actions to enforce COPPA since the COPPA Rule went 
into effect garnering more than $16.2 million in civil 
penalties. Our cases, which have been against both large, 
established operators, and smaller or newer companies often 
illustrate different core provisions of COPPA.
    For example, as social networking Web sites exploded onto 
the youth scene about 5 years ago, the Commission sought to 
ensure that these sites understood their COPPA obligations. In 
2006, the Commission obtained a then-record civil penalty of $1 
million against Xanga.com, a popular social networking site 
that allegedly improperly registered 1.7 million child users 
without first obtaining their parents' permission. Since then, 
the Commission has brought a steady stream of cases against 
operators such as Sony BMG Music Entertaining, Iconix Brand 
Group, and Playdom Incorporated, each of whom sought to engage 
child users in the Web 2.0 world. The Commission's $3 million 
civil penalty against Playdom set a new record for COPPA cases.
    More recently, in the first COPPA case involving mobile 
applications, the Commission charged mobile app developer W3 
Innovations with violating COPPA by collecting and maintaining 
personal information from thousands of children and allowing 
them to publicly post personal information on in-app message 
boards for their Dress-Up and Girl World games. This case, 
which included a $50,000 civil penalty made clear that COPPA 
reaches mobile online services and not just traditional online 
services and Web sites.
    Although law enforcement is a critical part of the 
Commission's COPPA program, enforcement alone cannot accomplish 
all of the agency's goals. The Commission also works to educate 
businesses and consumers about their rights and 
responsibilities under the law. The agency devotes significant 
resources to assisting Web site operators with rule compliance, 
regularly updating business education materials, and responding 
to inquiries from operators and their counsel. The Commission's 
consumer education materials, including our online safety 
portal OnGuardOnline.gov, inform parents and children about the 
Rule's protections and also provide them with general online 
privacy and safety information.
    To help ensure that COPPA continues to work well, 
especially in the face of an explosion of children's mobile 
devices and interactive online services, the Commission 
initiated a review of the COPPA Rule last year. Drawing from 
the expertise the agency has gained in enforcing and 
administering COPPA over the years and after extensive 
consideration of public input, last month, the Commission 
proposed modifications to certain areas of the COPPA Rule.
    While the Commission's testimony goes into these changes in 
greater detail, among the proposed changes are updating the 
Rule's definition of personal information to include 
geolocation information and the use of persistent identifiers 
to direct online behavioral advertising to children, 
improvements to the notices that operators must use to inform 
parents of the operator's information collection practices, the 
addition of a number of permissible methods operators may use 
to obtain parental consent, strengthening the Rule's data 
security protections, ensuring of agency oversight of the COPPA 
Safe Harbor Programs. The proposed changes are consistent with 
the original mandates in the COPPA statute. The Commission will 
take public comments on these proposals until November 28.
    The Commission takes seriously the challenge to ensure that 
COPPA continues to meet its originally stated goals even as 
children's interactive media use moves at warp speed. Thank you 
for this opportunity to discuss the Commission's COPPA program, 
and I look forward to your questions.
    [The prepared statement of Ms. Engle follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mrs. Bono Mack. Thank you very much, Ms. Engle.
    Mr. Nigam, you are recognized for 5 minutes.

                  STATEMENT OF HEMANSHU NIGAM

    Mr. Nigam. Chairman Bono Mack, Ranking Member Butterfield, 
and members of the subcommittee, thank you for giving me the 
opportunity to provide insight on best ways to protect 
children's privacy in an electronic world.
    I have been at the forefront of nearly every major aspect 
of online and offline child safety for the past 20 years. 
Today, I am the founder and CEO of SSP Blue, a safety, 
security, and privacy strategic business consulting firm. My 
company provides strategic guidance that promotes the 
protection of consumers, especially children, encourages 
corporate social responsibility, and develops partnerships with 
law enforcement, government, and NGOs. Past and current clients 
have included News Corporation, Microsoft, AT&T, Tagged, 
Formspring, and others. To be clear, I do not speak on behalf 
of any of our existing clients today.
    Prior to SSP Blue, I served in leadership roles at News 
Corporation, MySpace, Microsoft, and MPA from the time the 
Internet was just a baby to the time that social media was 
barely a toddler, and in each endeavor, I provided strategic 
direction that put children's safety, security, and privacy at 
the forefront of the business. I have also served as a federal 
prosecutor against Internet crimes against children and 
computer crimes at the Justice Department, an advisor to the 
COPPA Commission, and advisor to the White House Committee on 
Cyberstalking, and as a prosecutor against child molestation 
and sex crimes in the L.A. County District Attorney's Office.
    And so I speak to you from various perspectives in 
government, in law enforcement, in private industry, and as a 
father of four children ranging in age from 6 to 16.
    The FTC has engaged in a meticulous and thoughtful process 
in the review of the Child Online Privacy Protection Act and 
should be congratulated. I also want to stress a concept that 
is easily forgotten. The industry has an incentive to do the 
right thing when it comes to protecting children's privacy 
rights. Businesses lose when they violate a child's privacy 
rights. Their brand reputation suffers, their consumer loyalty 
drops, their friends in child advocacy groups disappear, and 
most important, they lose the trust of the parents and 
guardians who care for the very children that they cater to. In 
essence, without doing the right thing, an online business 
cannot succeed.
    Within this context, I would like to propose this 
subcommittee a framework on how we should approach whether and 
what changes are needed in COPPA. Whenever we think of 
protecting children, whether it is for their safety, security, 
or privacy, our first inclination is to protect them from 
anything that sounds bad instead of what is bad. Solutions 
based on things that sound bad eventually will fail. In the 
past 10 years, I have had the honor of advising the COPPA 
Commission, sitting on the Berkman Center Internet Safety 
Technical Taskforce, and co-chairing the federal Online Safety 
Working Group. In each of these endeavors, we could have 
responded to problems that sounded bad, and instead, we spent 
the time finding the actual problems and then proposing the 
necessary solutions.
    While technologies have evolved since the advent of COPPA, 
I urge you to consider whether an actual problem has been 
clearly articulated that needs to be solved when looking at 
each individual change that is being proposed. Next, consider 
whether existing regulations can be used to respond to an 
identified problem. Looking back on the FTC's COPPA enforcement 
actions, it is clear that current regulations and rules have 
been quite useful and effective. In fact, a great majority of 
the industry does a tremendous job in working within the rules, 
whether their product is directed at children under 13 or 13 
and over. Even new companies know what is expected of them 
before they enter the marketplace. Interestingly, companies are 
finding it easier to provide services for the 13-plus as a much 
better business model.
    And so we must ask whether today there are other bad actors 
the FTC finds it cannot enforce against as an evolving 
landscape created gaps. In areas where existing regulations are 
needed, we should then determine the best solution. Several 
factors should be considered. What we must ask: 1) Would the 
proposed change actually close an identified gap? 2) Would it 
create technical implementation challenges? 3) Would it lead to 
conflicted with other agency and department demands or 
expectations such as conflict that arises between data 
retention, data minimization, and data preservation? And 4) 
Would it lead to unintended consequences such as creating 
disincentives to providing a rich online experience for the 
under-13?
    If we utilize this framework when considering the changes, 
I think we will be able to protect children's online privacy by 
implementing solutions that work while the technology evolves.
    And in closing, I want to stress that if we were to accept 
the proposed changes in whole, we can expect an immediate 
impact on the marketplace. Larger companies will adjust where 
they can and simply shut down areas where there is simply too 
much uncertainty. And smaller and newer companies will find 
investors spooked by uncertainties. Such a multi-year cycle can 
be avoided if you spend the time now to examine the proposal 
within the framework that we are outlining and identify actual 
problems, create effective solutions that can be readily 
implemented by those already incentivized to do the right 
thing.
    Thank you, Chairman Bono Mack, Ranking Member Butterfield, 
and members of the subcommittee, for giving me this opportunity 
to address you on this important topic.
    [The prepared statement of Mr. Nigam follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mrs. Bono Mack. Thank you very much.
    Mr. Reed, you are recognized for 5 minutes.

                    STATEMENT OF MORGAN REED

    Mr. Reed. Chairman Bono Mack, Congressman Butterfield, 
thank you for holding this important hearing on children's 
privacy, FTC, and COPPA regulations. My name is Morgan Reed and 
I am with the Association for Competitive Technology, and we 
represent the mobile apps developers. With more than 3,000 
members spread throughout the United States and the world, our 
folks are focused on doing all those cool apps you see on 
television.
    So during the past year, ACT has had a chance to reach out 
to our developers and other developer organizations throughout 
America to discuss privacy and the importance of privacy by 
design. At a recent conference, I was scheduled to present on 
privacy, but before I spoke, developers were given an 
opportunity to talk about their business. Everyone got up and 
said this is what they were excited about, this is the 
direction their business was going, and as I heard all these 
folks talk, I noticed at the end of their conversation always 
concluded with two words. And these two words are two words we 
don't hear much in the United States right now and they are 
words that I think are absolutely critical to all of our 
discussions going forward. Those two words--``We're hiring.''
    And the good news is this wasn't just some random event 
that I was at where it was a special enclave of jobs that no 
one knows about. A recent study out of the University of 
Maryland shows that Facebook apps alone have created 200,000 
jobs. Our own internal studies show that 600,000 jobs have been 
created, saved, or supplemented from the mobile apps economy. 
And the good other part of this news is is that with all 
deference to Chairman Bono Mack's great State of California, 88 
percent are small businesses and over 70 percent are not in the 
great State of California. So it is widespread, it is small, 
and it is growing.
    Now, besides creating jobs, developers as a community are 
passionate about one other thing and that is privacy. And 
education apps are particularly focused on privacy because the 
vast majority of mobile apps are built by parents. Now, these 
aren't folks who started their company looking to get rich; 
they were looking to provide an interactive family experience 
for their kids on this device that they brought home from work.
    So they want to do good and that is why we are working with 
organizations like PrivacyChoice.org to build privacy policy 
generators so that they can easily become aware of and comply 
with privacy regulations. But before we all get into the 
specifics about Section 312.4 of the NPRM or what the meaning 
of ``collect'' is, I thought I would take some time to discuss 
the kinds of apps these small developers are creating.
    For example, from your district we have Animal Apps and 
Animal Pronunciations from Palm Springs. For Congressman 
Butterfield's district, we have got We Pray, Pray With Me, 
which is a special app for the iPad that allows grandparents to 
record a prayer for their child so that if they are aware, if 
they are out of state, if they can't see them, the child can 
hear their voice. It is also used by parents that are deployed 
overseas and folks who are just on business trips. What a great 
app.
    We have got from Congressman Waxman's district, we have got 
3 Trees, which helps educate kids about water, sun, and air, 
and the three elements that power the world. From Congressman 
Lance's district, we have got Random Acts of Kindness, which 
helps kids know about 300 different random acts of kindness 
they can do, charities they can donate to, and inspiration for 
goodwill. From Utah, we have Tap Fuse. They have got two great 
apps--one that helps kids with the alphabet; another that they 
are doing right now that is about anti-bullying. Congressman 
Harper, Mississippi State currently offers field studies in 
iPhone entrepreneurship at Mississippi State and right now you 
have got one guy out of there who is still a freshman, his app 
has already sold 20,000 copies and it is an education app for 
kids in school.
    Congressman Guthrie, we have got Oink-a-Saurus, which is a 
great app. It is a piggy bank that helps kids learn about the 
stock market and how they can save money. Congressman Olson, we 
have got Music Master, high tech flashcards for practicing 
reading music. In Maryland, we have got Pickpocket Books, which 
was a company built by a woman literally a stay-at-home mom on 
her couch who watched her child using the iPad and said, you 
know, I would like to combine this technology with my child's 
love of reading. Since then, she has built a micro empire of 
more than 80 books on the iPad store that she has hired voice 
actors, artists, and developers who have created interactive 
applications that allow children to listen to the book, have 
the book read to them, and read back and practice.
    Now, my own daughter who is now 5-3/4 she reminds me likes 
math apps from Montessorium from Sioux Falls, South Dakota. It 
is a great app that combines the tactile Montessori Method of 
teaching with the touch pad on an iPad screen.
    Now, I know that some here will talk about those in the 
tech industry or media in a way that implies the larger 
faceless corporation. I love the FTC's testimony earlier but 
she said we speak with the companies and their counsel. The 
vast majority of companies that I have named have no in-house 
counsel right now, and so for them this is a learning process.
    Now, I want you to remember that the incredible innovation 
happening today is not driven by faceless corporations but by 
thousands of moms and dads working to build applications that 
educate, motivate, and enrich their families. So let us make 
sure that we don't mess up this as we work to achieve a better 
online privacy protection.
    Thank you for your time and I look forward to your 
questions.
    [The prepared statement of Mr. Reed follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mrs. Bono Mack. Thank you, Mr. Reed.
    And just a side note, I appreciate the reference to 
California and the earthquake damage, though, up there on the 
wall is not my fault.
    Mr. Reed. You are bringing good apps, just not earthquakes.
    Mrs. Bono Mack. Mr. Balkam, you are recognized for 5 
minutes.

                  STATEMENT OF STEPHEN BALKAM

    Mr. Balkam. Thank you very much, Chairman and Ranking 
Member Butterfield and members of the subcommittee. My name is 
Stephen Balkam and I am the CEO of the Family Online Safety 
Institute. It gives me great pleasure to testify before you 
today at today's hearing.
    We would like to applaud the chairman's leadership on these 
issues. The series of hearings held by this subcommittee are a 
prime example of an effective step that the government can take 
to balance the promotion of technological innovation with the 
need to keep children safe online.
    FOSI is an international, non-profit membership 
organization working to make the online world a safer and 
healthier place for kids and their families, and we do this by 
identifying and promoting the best practice, tools, and methods 
in the field of online safety and privacy that also respect 
free speech. Personally, I have had over 16 years experience 
working in the Internet safety field and I am the proud father 
of two daughters. The views expressed in both my written and 
oral testimony are my own and do not necessarily reflect the 
views of all the FOSI members.
    So the online landscape for all users has certainly changed 
in the past 11 years since COPPA was enacted, none more so than 
for children. We need a more sophisticated approach that 
empowers families to gain and maintain control of their digital 
lives. Simply put, in order to encourage safe and responsible 
online use, we need tools, rules, and schools: the technology 
tools of filters and monitoring devices; balanced laws, terms 
of use, and household rules; and education on good digital 
citizenship, online safety, privacy and security.
    At FOSI, we believe in building a culture of responsibility 
to ensure that children have a safe and productive time on the 
Internet. We support balanced government oversight of industry 
self-regulatory efforts. This approach allows for maximum 
innovation and creative solutions, as well as the potential for 
enforcement actions and legislative intervention in the event 
of industry non-compliance.
    Parental empowerment is an important component of this 
approach. Recent research commissioned by us and carried out by 
the Hart Research showed that 93 percent of parents have set 
rules or limits to monitor their children's online usage and 53 
percent of parents have used parental controls. FOSI is working 
with industry to promote increased awareness of parental 
controls and education as to their use.
    We commend Congress and the FTC for their work in providing 
reasonable government oversight through COPPA and its 
corresponding Rule, while encouraging self-regulation and 
promoting parental empowerment and children's responsibility. 
The FTC has continued to evaluate the effectiveness of the Rule 
and propose revisions where necessary.
    The planned revisions contain many positive aspects and 
ideas relating to the definition of a child, the actual 
knowledge standard, the expansion of parental consent 
requirements and methods, as well as proposed revisions to the 
safe harbor regime. We agree fully with the FTC's analysis that 
the current Rule is broad enough to encompass the technological 
advancements that have occurred in the past 11 years.
    The COPPA statute defines child as ``an individual under 
the age of 13,'' and we are pleased that the FTC has determined 
that it remains the appropriate age. Changes to the statutory 
definition could lead to a substantial increase in children 
lying about their age, or for that matter parents lying about 
their kids' age, and thus negate protections afforded to 
younger kids through COPPA and specific Web site protections 
for minors.
    The FTC's enforcement mechanism foreseen in the original 
Rule has provided a flexible and valuable tool that has allowed 
the FTC to adapt to the changing technologies. Recent 
enforcement actions which we just heard about against W3 
Innovations, an app developer, show that the FTC was able to 
use the Rule to ensure the compliance of a technology that was 
not widely available when COPPA was enacted.
    The FTC's review of the Rule, in conjunction with their 
recent enforcement actions, demonstrates that no further action 
on the part of Congress is required at this time. The current 
system, with the FTC's proposed revisions, allows for privacy 
protection as well as technological innovations. Furthermore, 
attempts by Congress to pass legislation will almost certainly 
be rendered inadequate within a few years by the innovation of 
new methods of online interaction, sharing, and communication.
    In my opinion, a positive step that Congress could take in 
this sphere would be to increase funding for Internet safety 
and privacy education in schools, as well as for research into 
children's online behaviors and attitudes. This would allow for 
all future legislative efforts to be founded on a factual 
basis.
    Finally, I believe that the best way to ensure that 
children have productive, safe, and secure experiences on the 
Internet is through awareness, education, and empowerment. I 
would like to thank the subcommittee again for holding this 
timely and important hearing. We believe that with reasonable 
government oversight, the self-regulatory and multi-stakeholder 
approach currently being championed in the United States--
although under attack in other parts of the world--can continue 
to protect kids and their privacy on the Internet without 
impeding technological innovation.
    Thank you very much.
    [The prepared statement of Mr. Balkam follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mrs. Bono Mack. Thank you.
    Dr. Montgomery, you are recognized for 5 minutes.

               STATEMENT OF KATHRYN C. MONTGOMERY

    Ms. Montgomery. Thank you very much, Chairman Bono Mack, 
Ranking Member Butterfield, and the other members of the 
subcommittee. I really appreciate the opportunity to be here to 
talk about children's privacy. It was during the 1990s in the 
mid-1990s that I started investigating what was going on with 
online children's Web sites, and I was very disturbed to find 
that because of the increasing value of children as a target 
market and their avid involvement with the Internet, companies 
were setting up Web sites all over the web that had a business 
model really based on taking a lot of personal information from 
children and offering prizes and doing all kinds of things in 
order to get children to give up personal information. One of 
my favorites was the Batman site that said ``be a good citizen 
of Gotham and fill out the census.'' And there were many, many 
others like that.
    And I did not hear when I went to industry meetings and 
when I read all the cited coverage about all this any mention 
of children's privacy, any concerns raised in the industry, and 
that is why we went to the FTC. I was pleased that I was able 
to work with both sides of the aisle in Congress, with the FTC, 
with the Coalition of Child Health, and consumer groups, and 
with industry stakeholders to craft a statute and a set of 
regulations that would successfully balance our collective 
interests in nurturing the growth of commerce on the Internet 
while protecting the privacy of our children.
    And because decades of research had already identified that 
younger children had particular vulnerabilities to advertising, 
one of the key goals of the law was to prevent online companies 
from targeting individual children with marketing messages. 
COPPA has served, as many people have observed here, as an 
effective safeguard for young consumers under the age of 13, 
and it sent a strong signal to the industry if you are going to 
do business with our Nation's children, you will have to follow 
some rules. And that was built into the system. As a result, 
some of the most egregious data collection practices that would 
have become state-of-the-art were curtailed.
    Today, however, children are growing up in a ubiquitous 24/
7 digital media environment. The data collection practices that 
we identified in the '90s have been eclipsed by a new 
generation of tracking and targeting techniques. The 
Commission's proposed rules for updated COPPA offer a careful, 
well-researched, and sensible set of recommendations for 
addressing many of these practices, and I want to briefly 
highlight three of them.
    The first, which others have mentioned is mobile and other 
location devices. Roughly half of all children have mobile 
phones now by the age of 11. You can ask any parent. 
Advertising is growing on mobile technologies. Geolocation 
makes it possible to target kids wherever they are. This raises 
not only marketing abuse issues and privacy issues but also 
safety issues. I think the agency has appropriately clarified 
that COPPA should apply to mobile and other web-connected 
location devices.
    The second issue concerns this notion of what is personally 
identifiable information. I was a participant in the 2010 June 
roundtable at the FTC. I was quite taken with the amount of 
consensus among a wide spectrum of participants that these days 
there is really no longer a meaningful distinction between 
personal information and such ``non-personal information'' as 
persistent cookies and IP addresses. And the Wall Street 
Journal did an investigation last year showing that a lot of 
these things are being placed routinely on children's sites.
    While the FTC proposed rules would then apply COPPA 
safeguards to protect children from companies that want to use 
the tools to behaviorally target individual children or to 
create profiles or share the information, the rules are also 
narrowly tailored so that they wouldn't interfere with what the 
companies are doing in terms of their regular normal business 
operations. And I think this kind of sensitivity is reflective 
of how the FTC has done a good job here.
    By the way, on mobile phones, I am disappointed about text 
messaging. I hope we can talk about that because we know how 
much kids are using texts.
    And finally, I agree with the Commission that the mechanism 
of parental verification that we created with COPPA is not 
appropriate for teens. However, I do feel strongly that 
adolescents can no longer be ignored in the public policy 
debates over online privacy. We know they are being encouraged 
to share a lot of information. They also do not know how all of 
their data are tracked by all of these other kinds of 
technologies that are now online. I hope the FTC will develop 
some specific recommendations in its broader privacy agenda.
    And the goal of any public policy on teen privacy should 
balance the ability of young people to participate fully in the 
digital media culture with the government and industry's 
obligation to ensure that youth are not subjected to unfair 
deceptive surveillance, data collection, or behavioral 
profiling. The legislation offered by Representative Joe Barton 
and Representative Ed Markey known as the Do Not Track Kids Act 
of 2011 is based on these principles and it is to give teens 
themselves the power to make their own decisions about their 
privacy online. If we can build privacy principles into how our 
online businesses engage with both children and adolescents, we 
can help ensure that young people are treated fairly in the 
digital marketplace and that they grow up with an understanding 
of their rights and responsibilities as consumers.
    Thank you.
    [The prepared statement of Ms. Montgomery follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mrs. Bono Mack. Thank you.
    Mr. Simpson, you are recognized for 5 minutes.

                   STATEMENT OF ALAN SIMPSON

    Mr. Simpson. Good morning, Ms. Bono Mack, Ranking Member 
Butterfield, and thank you to all the members of the 
subcommittee for this important hearing. I am Alan Simpson. I 
am with Common Sense Media, and I want to begin by outlining 
that Common Sense Media works as a nonprofit, nonpartisan 
organization dedicated to helping children and families thrive 
in a world of media and technology. One way that we describe 
our work is that we love media. We work with everyone to make 
it better for kids. We admire and embrace many of the 
innovations we have seen in this space in recent years, and we 
believe that parents, educators, companies, and policymakers 
all must play a central role in helping to protect children's 
privacy in this rapidly changing electronic world. And we work 
with each of these groups to improve the media lives and the 
privacy opportunities of children.
    The Federal Trade Commission's proposed rule revisions will 
help keep COPPA up to date with this rapidly changing world. 
They will improve protections for children's online privacy, 
encourage parental involvement, and foster innovation in online 
services for children, especially the innovations we most 
need--innovations to protect children. The COPPA 
recommendations will help hold the industry more accountable, 
and most importantly, they will build on the fundamental 
purpose of COPPA, which is bolstering the role of parents as 
the informed gatekeepers in the lives of their young children. 
This is not a question of whether kids will be online or 
offline. We all know that kids are online and they will always 
be online. It is most a question of who will be watching them 
and who will be watching over them when they are online.
    I would like to echo Dr. Montgomery's remarks about the 
value of the FTC recommendations and emphasize most of all that 
the FTC has struck a careful and reasonable balance between 
maintaining the internal operations of online services and 
protecting children from intensive tracking and behavioral 
advertising.
    The FTC proposals will be important steps for younger kids, 
but teens still need protections and they need empowerment, and 
the legislation Mr. Barton mentioned--H.R. 1895--will be a 
strong baseline for those protections and that empowerment.
    In my written remarks, I have outlined in more detail the 
work that Common Sense Media is doing with parents and schools, 
including dozens of articles that we have published in the last 
year and a half around privacy and security. And many of those 
parent tips that we published are among the most popular 
resources on our site for parents.
    We also work in more than 18,000 schools around the country 
providing the education around smart, responsible use of media 
and privacy and security are an essential part of that. But one 
of the most important parts of this equation are the media and 
technology companies themselves, and we feel they must do far 
more to help parents and families protect children's online 
privacy in part because they are in the best position to 
develop better technology, better tools, and better information 
for users. There have been positive steps in this area of late, 
but on the whole, media and technology companies have not done 
enough to provide better solutions for families. Parents need 
the innovators to innovate to protect. In our experience, the 
companies will, especially if they are encouraged by this 
subcommittee and this Congress to do so.
    Thank you.
    [The prepared statement of Mr. Simpson follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mrs. Bono Mack. Thank you, Mr. Simpson.
    And I will recognize myself, then, for the first 5 minutes 
of questions. And again, I thank you all very much for your 
testimony.
    And I would ask, Ms. Engle, can you elaborate on why the 
Commission opted not to seek a change on the age threshold?
    Ms. Engle. Yes. That was an issue that we considered very 
carefully and we thought that Congress when it enacted the 
statute and it also thought about that at the time and believed 
that it reached the right result that under 13 is the right 
cutoff. While any particular age cutoff is going to be somewhat 
arbitrary and children do develop at different rates, the whole 
idea behind and the way that COPPA works is for the child to 
provide their parents' email address in order that the operator 
may contact the parent to get permission to further interact 
with the child. And the concern is that if you raise the age, 
COPPA may not work well because older children may not provide 
the parent's email address. They may provide their own or their 
friend's or a sibling's. And that is true even more now than it 
was earlier because it is very common now for children to have 
their own email addresses or multiple email addresses or they 
may simply lie about their age. And younger kids can do that as 
well but it is less likely.
    And finally, we have concerns about the constitutional 
rights that courts have afforded to teenagers and whether that 
might be unduly intrusive on the teenagers.
    Mrs. Bono Mack. Thank you. And you mentioned the email-plus 
rule. So the COPPA Rule allowed Web site operators to use a 
low-cost email-plus approach in determining whether there has 
been verifiable parental consent. And this was intended to be a 
short-term option available only until the Commission 
determined that more reliable consent methods had adequately 
been developed. Has the Commission now made such a 
determination and do sufficient substitutes for email-plus 
currently exist? And if you disallow that mechanism 
immediately, does that leave businesses in the lurch?
    Ms. Engle. So the Commission, when it crafted the COPPA 
Rule, decided to make a distinction between personal 
information collected for a site's internal use and information 
that is used publicly. That distinction is not in the statute 
itself but the Commission decided that it made sense on a 
temporary basis to make that distinction and allow a less 
reliable method of obtaining consent called email-plus assuming 
that more reliable methods, new technology would develop. That 
turned out not to be the case. The Commission expanded allowing 
that unreliable method a couple of times and then ultimately 
made it go on indefinitely when no new technologies developed. 
But having reconsidered it over the years, you know, we believe 
that COPPA statute didn't make that distinction between 
internal and external uses and that perhaps this unreliable but 
easy method has actually deterred the development of 
technologies that would allow a more reliable method.
    So in its place we are proposing that companies can apply 
to the Commission for a new method if we would place it on the 
public record, get comment, and that would allow the Commission 
the opportunity to really evaluate the method and determine 
whether it is reliable and then essentially include it in the 
Rule. It is true right now that the list of reliable methods is 
not exclusive. Companies can use any method that is reasonably 
designed to ensure that the person providing consent is the 
child's parent, but what we heard is that companies prefer the 
assurance that this is the method that essentially the 
Commission has blessed. They want it listed. They don't want to 
take the risk that the Commission may find it inadequate. So we 
have proposed this new method to help provide that assurance.
    Mrs. Bono Mack. Thank you. That is understandable.
    And the FTC proposes to add factors to its ``totality 
review'' of Web sites to determine if they are targeted to 
children under 13--for instance, music and celebrities that 
would appeal to children but many celebrities and a lot of 
music content appeal to both 8-year-olds, 13-year-olds, and 49-
year-olds. Would that blur the age line and create confusion 
for Web sites as to whether or not they would be considered a 
COPPA operator?
    Ms. Engle. No, I think that, you know, we are still 
maintaining the same test basically. It is the totality of the 
circumstances. We look at a number of factors to determine 
whether a particular site is directed to kids under 13 and by 
adding more factors, we are not changing the test. We are just 
making it clear that these are factors that one can consider. 
And yes, it is true that it is never, you know, will never be a 
bright-line cutoff that no children under 13 would be 
interested in an over-13 site and vice versa. But by adding 
more factors, we are trying to make it more transparent to 
operators the kinds of factors the Commission considers.
    Mrs. Bono Mack. Thank you. And right on time.
    The Chair will recognize Mr. Butterfield for 5 minutes.
    Mr. Butterfield. Thank you.
    There is a published study titled ``Always Connected: The 
New Digital Media Habits of Young Children.'' I believe Dr. 
Montgomery has referred to it from time to time. This study 
published through the Sesame Workshop contains some interesting 
findings about the digital media usage habits of white, 
Hispanic, and African American children. In particular, while 
the study points out that the digital divide remains, when 
children of color do have access to digital media, they tend to 
use it substantially more than white children. African American 
children between ages 5 and 9 the report says spends 41 minutes 
online per session. White children in that group spend 27 
minutes online per session. Hispanic children between the ages 
of 8 and 14 spend almost 2 hours online each day. That is 40 
minutes more than white children. The study also points out 
that children from low-income and ethnic minority homes are 
less likely to have adult guidance when accessing the Internet. 
As a result, they are spending more time on lower-quality Web 
sites or on activities that won't help them develop school-
based skills.
    And so, Dr. Montgomery, I would like to hear any thoughts 
that you might have whether COPPA parental notice and consent 
models work well for all children or if there are any changes 
that could and should be made to account for the differences 
that I have referenced.
    Ms. Montgomery. Yes, thank you for asking that. I am 
concerned about ethnic children as you point out and I am 
actually looking at a lot of those issues in another context. I 
am doing a project on food marketing and we are very concerned 
that there are very aggressive techniques that are being used 
to target particularly ethnic children who are at greater risk 
for obesity as well. So this is a very complicated problem.
    I think it is probably difficult to enact a law that can 
address those specific needs around privacy. What we want to do 
is to have a set of rules that work as best as they can for all 
children with special sensitivities to children who are at 
risk. And I think that the proposed changes in the guidelines 
will do that, but it is going to be very important that 
companies take these obligations very, very seriously. And 
particularly, I think companies that are targeting that age 
group ought to be encouraged to develop their own self-
regulatory mechanisms to work more effectively to ensure 
children's privacy.
    Mr. Butterfield. But you do agree this is an issue that we 
need to be concerned about and address?
    Ms. Montgomery. It is.
    Mr. Butterfield. As best we can legislatively.
    Ms. Montgomery. And not only that. Spanish language needs 
to be looked at. I think that the Congress could do more to 
look into these things. We haven't had enough examination of 
these areas either.
    Mr. Butterfield. Ms. Engle, has the Commission looked at 
this issue in any respect?
    Ms. Engle. The Commission has not received specific data 
on--I mean we do have information on the greater use of 
Internet technologies and mobile technologies certainly by 
ethnic minorities for example. Whether there are additional 
protections that are needed that come from that, we haven't 
received information on that.
    Mr. Butterfield. Do you agree with Dr. Montgomery that it 
might be a little difficult to develop some type of regulatory 
protections to protect against these, that ideally it is a 
problem but developing protections might be challenging?
    Ms. Engle. Yes, I agree with that.
    Mr. Butterfield. All right. Can you help us out, Mr. 
Simpson, with this, please?
    Mr. Simpson. Well----
    Ms. Montgomery. Can I add something?
    Mr. Butterfield. Yes, sure.
    Ms. Montgomery. Because I do think in one area that we 
might want to think about changing some things because if we 
look at the kinds of data that are collected, when racial data 
are collected and children are then marketed to based on the 
kind of profiling that can take place with that data, that I 
think can be very problematic and can be very discriminatory 
and I think that needs to be investigated.
    Mr. Butterfield. All right. Mr. Simpson?
    Mr. Simpson. The only thing I can really add, sir, is that 
one of the concerns we see in the broader space around privacy 
and other concerns that parents have around digital media is it 
is, as the FCC's studies have shown, one of the reasons for 
lack of adoption of broadband and digital media. We all see 
great benefits for families and communities in broadband and 
what it can bring to their communities, but if they are 
reluctant because of what they see as the downsides--and lack 
of privacy and security is certainly one of them, especially in 
rural areas and among low-income communities.
    Mr. Butterfield. Let me give my last 5 seconds to Mr. Reed. 
Yes. Yes.
    Mr. Reed. I want to be the guy with good news here. I am 
sure that you have seen studies from Danah Boyd and more 
importantly, we have worked with Dr. Nicol Turner-Lee at the 
Joint Center and it turns out that mobile applications and the 
mobile environment is something that actually is having an 
impact in low-income and especially minority communities. And I 
think as we talk about privacy and what the government can do 
to shut down things and be careful about it, I think it is 
really important that we allow some opportunity for these 
things to flourish. Remember, mobile apps have only been in 
existence since 2008 and what we have seen from Dr. Nicol 
Turner-Lee's information and Dana Boyd is there is a huge 
opportunity for us to reach people who have never had a PC in 
their home through their mobile phone, but more importantly, 
their mobile smartphone. So I think as you talk about what the 
government can do and the ways it can play a role, we need to 
make sure that the choices are there for them to have cool 
things to do rather than just tell them how they can't do 
things.
    Mr. Butterfield. Thank you.
    Mrs. Bono Mack. Thank you.
    The Chair will recognize Mr. Barton for 5 minutes for 
questioning.
    Mr. Barton. Thank you, Madam Chairwoman.
    I am going to ask my first question to the representative 
of the Federal Trade Commission.
    If you don't expand the protections of the law to 13- to 
17-year-olds explicitly, how do we protect them? Because they 
are not adults and while they are able to make some decisions 
on their own, I do not know that they are fully capable of 
making some of the decisions that would be required in this 
area.
    Ms. Engle. The Commission is considering the privacy 
interests of teens in its broader review of privacy generally 
and certainly we have considered that. Some of the ideas that 
we have offered in that area, for example, very clear notice 
about the kinds of information that is being collected and how 
it is being used made at the point that the information is 
collected as well as data security would also provide benefits 
to teens. But the Commission at this time hasn't reached any 
conclusions as to what additional privacy protections teens may 
need.
    Mr. Barton. So would it be safe to say that the provision 
in the Barton Markey bill that gives these protections 
explicitly to 13- to 17-year-olds, the FTC is not automatically 
opposed to; you are just not totally supportive of? Is that a 
fair statement?
    Ms. Engle. The Commission hasn't taken a position on the 
legislation yet, but I would say that we are definitely not 
automatically opposed to it and we would be happy to work with 
you on it.
    Mr. Barton. In a similar vein, in the bill that Mr. Markey 
and I have introduced, we explicitly cover mobile applications. 
The proposed enhancements that you testified to in existing law 
do not explicitly cover mobile applications. Are you opposed to 
the provision in the Barton Markey bill that makes that 
explicit or you just need to study that more also?
    Ms. Engle. No, we are not opposed to it. In fact, we 
believe COPPA already does cover mobile applications. We 
interpret them to be online services already covered by the 
Rule, and in fact we recently brought a case against a company 
that was a mobile app provider on that basis.
    Mr. Barton. See, my position is that more and more of our 
teenagers and certainly even, sadly, children are getting 
iPhones and iPads and you almost have to explicitly cover 
mobile applications just because that is where the younger 
generation is going. So, you know, they are not going to be 
sitting behind a computer. They are going to be walking around 
and doing stuff as they are out and about.
    I want to ask Mr. Balkam, your institute has got a great-
sounding name. Who funds that? Who funds your institute?
    Mr. Balkam. We have more than two dozen members mostly from 
industry, so from AOL at one end of the alphabet to Yahoo at 
the other.
    Mr. Barton. And there is nothing wrong with that, but they 
would be industries that try to make a profit--which again is a 
good thing--by using the Internet and they would tend to want 
to collect information about people on the Internet. Is that 
not a fair statement?
    Mr. Balkam. I think that is a very fair statement and I 
also agree with my colleague Nigam's point that it would be 
against their very own interest to, as it were, violate kids' 
privacy in so doing because it would actually rebound against 
them.
    Mr. Barton. OK. Now, my understanding is that your 
institute doesn't support the bill that Mr. Markey and I have 
introduced, is that correct?
    Mr. Balkam. That is correct. I particularly took notice of 
the eraser button idea and particularly Congressman Markey's 
own statements at an Internet privacy hearing in July when as 
he was talking about kids posting stuff--particularly teens--I 
will quote him, ``what were they thinking? It will want to be 
the parents who will want to erase it. They have a right to do 
so. I am not talking about Big Brother; I am talking about Big 
Mother and Big Father.'' And so given that, while proponents of 
the bill talk about giving kids and teenagers more control over 
their privacy, what we see--and particularly let us think about 
a 17-year-old who is already----
    Mr. Barton. I want to ask you one more question. I am not 
going to cut you off but I have only got 20 seconds so----
    Mr. Balkam. We have serious concerns about parents taking 
things off the Internet of their 17-year-olds and it is not as 
simple as rubbing out like a piece of----
    Mr. Barton. We can work on that. I want to get consensus on 
one thing I think that your group can agree with me on. Do you 
oppose the use of super cookies, your group?
    Mr. Balkam. We think that it is something that deserves 
considerable amount of attention and we are looking forward to 
future hearings on that, yes.
    Mr. Barton. OK. Well, for those of you that don't know, a 
super cookie is something that is put on your IP address 
without your permission and you cannot delete it. You don't 
know about it. It can collect information--it can even collect 
information on where you go on other sites and you don't know 
anything about it and it can't be deleted. And I hope at some 
point, Madam Chairwoman, that we will all agree legislatively 
to ban super cookies. And with that, I would yield back.
    Mrs. Bono Mack. I thank the gentleman.
    The Chair recognizes Mr. Towns for 5 minutes.
    Mr. Towns. Thank you very much, Madam Chair.
    Mr. Simpson, in your testimony you emphasize companies can 
play a more active role in protecting privacy and personal 
information. In what ways can companies play a more active role 
in protecting our privacy?
    Mr. Simpson. Thank you, sir. I think most importantly I 
would recognize there are quite a few companies that are doing 
a better job of providing information, but I think the most 
important change that companies need to make in this space, 
companies large and small, is better opportunities on their own 
platforms, on mobile apps, on all the devices that they provide 
so that parents in the case of younger children and teens 
themselves have more chance to understand what is going on; 
what data is being collected; how they can opt out of it; 
whether they should or shouldn't opt into it; and to keep that 
information simple, accessible, and actionable. The big 
challenge in this space right now is that it is very hard to 
find out what is going on with my data when I use a given 
device or platform. The easier they can make that, the more we 
have parents who can make informed choices on behalf of young 
kids and teens who can make informed choices on behalf of 
themselves.
    Mr. Towns. All right. Thank you very much.
    Mr. Balkam, Family Online Safety Institute is your 
operation, right?
    Mr. Balkam. Um-hum.
    Mr. Towns. All right, good. What do you think the FTC did 
right in their proposed rule and what do you think is missing?
    Mr. Balkam. Well, as I said in my own testimony, I think 
they got the balance just right between protection on the one 
hand while not squashing innovation on the other. I don't think 
that there was anything that they left out. I mean it was quite 
a thorough review. We are very impressed with the range in 
their technical know-how about emerging technologies. So we are 
pretty happy with it.
    Mr. Towns. What about the definition of a child's age?
    Mr. Balkam. We think that is appropriate. We certainly do 
not advocate for it to be increased. As I was beginning to 
explain in my last response, we have some serious concerns 
about the older teens and whether or not they have some rights 
of free speech themselves. We don't really see the need for 
parents to come in and to take away their content as it were.
    Mr. Towns. All right. Thank you very much.
    Ms. Engle, you know, there has been some questions about 
the response period and the notification and that people are 
not informed. What methods and techniques do you use to solicit 
responses?
    Ms. Engle. Are you referring to comments on our proposals?
    Mr. Towns. Yes.
    Ms. Engle. Well, we have published it in the Federal 
Register issued, of course, as we must with all proposed 
rulemakings. We issued a press release, we have reached out 
extensively, we have an extensive email list to privacy 
advocates and people who have expressed interest in privacy, 
you know, in COPPA over the years. We are doing a lot of 
speaking. In fact, one of my colleagues is up in New York this 
morning speaking to the Children's Advertising Review Unit 
Conference on our proposal in COPPA.
    Mr. Towns. And the reason I raise this issue is that many 
members of the faith-based community are saying, look, nobody 
talked to us. We are not aware of this. When did it happen? In 
fact, they even blame me in many instances, you know, and that 
is my problem.
    Ms. Engle. Well, I know we have done outreach to faith-
based institutions in other areas, for example, in fraud 
protection, and I think we can look into doing that here as 
well.
    Mr. Towns. Right, because these faith-based institutions 
have what we refer to as national conferences and if you in 
some way could arrange to get on their agenda, I think it would 
be a great service to all of us because they have some input 
there and I think that we should solicit it.
    Yes, Mr. Reed?
    Mr. Reed. I just wanted to add to that. I think you really 
hit a key point, and Congressman Butterfield, the app that I 
was talking about from your district, the author of that app 
has raised concerns. This was the first she heard about it when 
I contacted her through a group of developers. And she said 
well, this app allows grandparents to contact kids. Do I need 
to get parental explicit consent? How do I go about the 
process? And so this entire process to her, while there are 
rules and regulations, the publishing of something in the 
Federal Register, having discussions with privacy advocates is 
not necessarily the same as reaching out to the faith-based 
communities. And specifically, the app in your district is 
exactly the kind of app that Congressman Ed Towns has talked to 
me about. And I am hoping that we can work with her to make 
sure she understands the changes.
    Mr. Towns. Thank you very much, Madam Chair. Yes, thank 
you.
    Mrs. Bono Mack. I thank the gentleman.
    The Chair recognizes Mr. Harper for 5 minutes.
    Mr. Harper. Thank you, Madam Chair.
    And I certainly want to thank everyone for being here and 
as a parent now to a 19-year-old and a 22-year-old that we 
dealt with those issues and we had AOL and we used age-
appropriate email settings as they were growing up. You know, I 
think there is a large responsibility for the parents 
themselves to make sure that they are monitoring this and we 
certainly want to have those tools available.
    And this is just a curiosity question, Ms. Engle, on 
violations that come to your attention that result in fines. 
Just a general breakdown of the percentage that come from your 
own search or investigation or policing, those that might come 
from third-party organizations and those that perhaps are 
reported by parents, can you give me just a general breakdown?
    Ms. Engle. I would say probably most of the violations we 
detect are from our own review. We do also get complaints and 
things are brought to our attention by the COPPA Safe Harbor 
Programs. They are a frequent source of complaints.
    Mr. Harper. If I could just ask this sort of as a--you 
know, we have heard a lot of different testimony here but just 
at its most basic level, what is wrong with advertising to 
children based on those likes or dislikes so long as the child 
is anonymous?
    Ms. Engle. So we think that the same privacy interests that 
inspired Congress to enact COPPA in the first place, the idea 
that at least with respect to children under the age of 13, 
young children, that parents are the ones who should be in the 
position of making the decision of permitting their children or 
not to interact with a Web site. And it goes both ways, both in 
terms of the Web site collecting personal information from the 
child and also being able to contact a child individually. And 
what we are seeing now and what is behind our proposal is that 
with things like tracking cookies which are able to track 
children across Web sites over time and direct ads based on 
their web browsing activity, that that is a form of contact of 
an individual that falls within COPPA.
    Mr. Harper. OK, thank you.
    Mr. Reed, I would like to ask you a few questions if I may. 
And certainly I know your position in a statement on a Supreme 
Court decision earlier this summer, Brown v. Entertainment 
Merchants Association, 7-2 Supreme Court decision that dealt 
with the sale of videogames to minors. Is there anything about 
that case that correlates to this that you have seen?
    Mr. Reed. Well, I think we have to step back and think to 
ourselves, what are we trying to do? What are the goals we are 
trying to achieve? I have an obvious bias. My goal is to make 
sure that we have mobile apps developers able to create jobs 
and specific applications that reach the right audience. And so 
when you look at both the Supreme Court decision and where we 
are heading both on this panel, I think it is pretty clear that 
our industry is, to borrow a phrase that was used earlier, 
putting the pedal to the metal and trying to get things into 
the hands of as many people as possible. Therefore, we are 
going to be enthusiastic and supportive of ways that allow 
people to have access to our technology.
    That said, just like with videogames, we are very sensitive 
to the content question. There is a big difference between, as 
we have discussed, and it is an interesting part about this 
whole privacy regime, in interviewing parents prior to this 
hearing and in other cases, when you ask them what do you think 
when you see that ``only 13 and over'' in this location? The 
vast majority actually think it is about content, not about 
privacy. So I think that we have merged a lot of these privacy 
questions with content questions in a way that I think we need 
to pull back from. So when it comes to violent videogames, when 
it comes to Supreme Court decision, we need to maybe separate a 
little bit out on how we view the collection of information, 
the content of information, and who the audience of those are.
    Mr. Harper. And I know I am almost out of time. I want to 
end with one last question, Mr. Reed, if I can. You know, you 
had expressed some concern about the FTC's proposal to disallow 
the email-plus system. And I would like for you to just speak 
for the next 23 seconds on that.
    Mr. Reed. I will make it really short. We are concerned 
that the FTC's email-plus complete abandonment is a bit of a 
Hail Mary. It is a well, we will get rid of this technology and 
magically new technology will develop. Now, that might happen 
but I think we are probably better off given just exactly how 
nascent the mobile apps industry is and how we are quite 
literally learning every day that I think we probably, if we 
are going to do anything, it should be considered sunsetted or 
given a longer time to stretch it out a little bit because I am 
not sure in the mobile space people are exactly ready to just 
magically create new technology out of next week. Remember, 
most of these companies are small and they don't have staffs of 
technologists ready to develop their own version of verifiable 
parental consent. So there needs to be some industry 
percolating and I believe there are other incentives that can 
be used rather than just tossing it all out at once.
    Mrs. Bono Mack. I thank the gentleman.
    I now recognize Mr. Guthrie, also the home of Oink-a-
Saurus, for his 5 minutes.
    Mr. Guthrie. Thank you very much. I have to figure out 
where Oink-a-Saurus is so I have to----
    Mr. Reed. I will send you a link.
    Mr. Guthrie. Send a link. That would be great. Thanks a 
lot.
    To Mr. Nigam, in your testimony you said that we don't need 
to be focusing on things that sound bad and focus on things 
that are bad. What is an example of things that sound bad that 
we have focused on that distracts us from----
    Mr. Nigam. I mean I will go back more into the historical 
Internet safety world. There was a time when anytime somebody 
went online there was this fear that predators were going to 
attack them and that sounded bad, and then once that happened, 
there were tons of proposals on do A, B, C, D, and E to stop 
that. But every time research was done, what ended up happening 
was researchers showing around less than 1 percent or even less 
than that there were actual issues with that as opposed to 
issues with things like digital fingerprints that kids are 
leaving online when they are going places and 10 years later it 
is going to be haunting them when they are applying to college. 
That is bad versus what sounded bad. So those are the kinds of 
things that I am referring to when talking about that.
    Mr. Guthrie. OK. And you mentioned that it would be against 
the business model to abuse the information because obviously 
people would quit going to that business if that is the issue, 
but the FTC does find violations of it. Even though it would be 
a bad business model to do it, people are doing it or have done 
it, because from the FTC you do find violations of COPPA, I 
think. So how do you explain that?
    Mr. Nigam. I think that is a great question because if you 
look in the last 11 years, there has been 17 actions, which to 
me is amazingly small. And what you are finding if you go 
through each of the 17 actions, for the majority of them what 
you are going to find is companies who are unaware, didn't have 
the resources, didn't have counsel advising them, hadn't done 
the review when the developer was creating this great idea and 
most of the time didn't even know they were doing what they 
were found to be doing, which I think is very different than 
saying there is a company who made an executive decision. We 
know there is COPPA, let us see if we can get away with it, and 
we will make $10 million by the time they figure it out, and we 
will be disappearing after that.
    Mr. Guthrie. So there are no kinds of cases of that like 
you see in Medicare fraud or stuff like that?
    Mr. Nigam. I haven't read every line of everyone, but I 
would----
    Mr. Guthrie. You know of no case that does that?
    Mr. Nigam. If there is, I am not aware of it.
    Mr. Guthrie. The typical violator would be someone who you 
find are small businesses that just, ``Well, I didn't know I 
was supposed to do that'' kind of thing?
    Ms. Engle. No, actually many of our cases are again very 
large companies--Sony BMG, Universal Music Group, Iconix, but 
what we have found in those cases is they attempted to comply 
with COPPA but didn't really follow through. So they may have 
at the registration page asked for someone to enter their date 
of birth and they intended that if the person entered an age 
under 13, they would be kicked off. In fact, they weren't. And 
then those kids were able to post information, et cetera.
    Mr. Guthrie. OK.
    Mr. Nigam. If I may.
    Mr. Guthrie. Yes, go ahead.
    Mr. Nigam. And having worked inside the companies with 
developers, what you often find happening is legal counsel in 
the large companies, most say here are the requirements. 
Developers don't always understand that and there is where the 
disconnect occurs. So when something is executed, you create a 
new product, a new feature, it may be one of those left-behinds 
or the right process wasn't in place, which is very different 
than an intentional violation or attempt to collect information 
from children that you know would violate their privacy rights 
or violate COPPA for that matter.
    Mr. Guthrie. Professor?
    Ms. Montgomery. Yes, I just wanted to say that having 
observed this all from the very beginning, if we hadn't 
instituted COPPA, you would see a very different marketplace. 
It is not a question of a business model not working. It 
wouldn't work now because it is not legal to work in that way, 
but it was heading in a direction that would have been 
absolutely outrageous and we would all be very, very upset at 
what we saw because data collection was built into the heart of 
it. And that is also what is happening with teens and adults as 
well. So that is why I think we need safeguards for everybody.
    Mr. Guthrie. Thanks.
    Mr. Nigam. And I do agree with what was just said in the 
sense that the expectations have been established and it has 
had a tremendous impact on the marketplace and the way it 
exists today. And so when I am focusing on what do we do next, 
that is when we have to look at each individual proposal and 
say is it proposing to solve a problem that sounds bad or 
actually is bad? Is there gaps? Are there things that can be 
done and are there going to be unintended consequences? For 
example, shutting off email plus is a great example of that. 
Companies have been doing email plus with millions of users 
for, say, 11 years or 10 years and all of a sudden that 
function disappears? What do you do with that millions of users 
on your site? How do you recreate the process? Are they 
grandfathered in? Those are the questions that have to be asked 
in that category of is there technical implementation concerns? 
Will there be unintended consequences?
    And I think that is why I wanted to focus more today on 
providing a framework within which to look at it as opposed to 
let us go line by line right now in this 2 hours that we have 
and come up with the answers.
    Mr. Guthrie. Thank you. I yield back. My time has expired. 
I yield back.
    Mrs. Bono Mack. I thank the gentleman and now recognize Mr. 
Olson for 5 minutes.
    Mr. Olson. I thank the Chair and I want to welcome the 
witnesses. And thank you for coming here today and giving us 
your time and your expertise.
    And my question is for you, Director Engle. And you stated 
in your written testimony that the Commission is not aware of 
any operator directing online behavioral advertising to 
children. However, the Commission is proposing adding to the 
list of what constitutes ``personal information persistent 
identifiers.'' For example, numbers held in cookies, user IDs, 
IP addresses, as well as screen and user names. And you state 
in your testimony that the effect of these additions would be 
``to require parental notification and consent prior to 
collection and use of persistent identifiers for purposes such 
as behaviorally targeting advertising to children.''
    My question for you, ma'am, is if the Commission isn't 
aware of any online companies directing behavioral ads to kids, 
then why does the FTC feel so strongly about wanting to change 
the COPPA Rule to address this issue?
    Ms. Engle. Our testimony is that no individual company has 
admitted that they are behaviorally targeting children under 
the age of 13, but there have been widespread reports in the 
press, for example, Dr. Montgomery referred to the Wall Street 
Journal article earlier that reported dozens and dozens of 
tracking cookies placed on child-directed sites. So it appears 
that the industry position has been that self-regulation is 
sufficient here to address the problem or the issue but our 
thought is that, I mean, what the regulatory principle says 
that their members will not behaviorally advertise to children 
under the 13 except in compliance with COPPA. And so that 
actually doesn't say much because if COPPA doesn't cover it, 
then they are free to do it. But the outward statement appears 
to be that they won't do it. So we want to kind of close that 
gap and require parental permission before that occurs.
    Mr. Olson. OK. Mr. Simpson, it seemed like you had some 
comments. Do you want to follow up on that at all, sir?
    Mr. Simpson. I would echo those remarks and say that we are 
seeing signs of what is increasing. We saw it in the Wall 
Street Journal story, we see it in the increase in ID theft, 
and we see it as a basic business principle of some of these 
companies, as Dr. Montgomery talked about, the pattern of 
advertising towards kids before COPPA was established. We also 
need to keep an eye on what the pattern of valuation of 
companies in Silicon Valley is right now and that is eyeballs. 
Do they have people on their sites? None of these companies I 
would suggest want to turn anyone away, and so their 
opportunity to reach out to kids of any age is valuable to 
them.
    I respect what some of my colleagues have said about the 
importance of corporate responsibility here, but I think they 
are caught in a tension and they do want the biggest audience 
they can get, whether that is an individual app or a large Web 
site. So we see lots of signs of how much they are marketing 
toward kids and targeting kids under 13 and over.
    Mr. Olson. Yes, sir. OK.
    One more question for you, Director Engle. For the 5 new 
proposed rule changes to the COPPA Rule being put forth by the 
FTC, has the Commission conducted any kind of economic impact 
analysis on these proposals, and if not, will you?
    Ms. Engle. We have certainly considered the cost as well as 
the benefits that we hope to achieve by the rule changes, and 
in our Federal Register Notice, we have estimated costs on 
small businesses and we are specifically seeking comment on our 
estimates. And if we are, you know, off on our estimates and 
inaccurate, we certainly would like to hear from businesses 
about that.
    Mr. Olson. And Mr. Reed, you are representing the app world 
so to speak and I want to say, by the way, while I was sitting 
here I texted my 14-year-old daughter and told her I was with 
the app guy and she basically said, Dad, can I get a job with 
him in the future?
    Mr. Reed. We are hiring.
    Mr. Olson. Do you agree with that assessment? I mean the 
small businesses that you represent be involved in the process?
    Mr. Reed. I have found the FTC to be towards me--as a trade 
association based in Washington, D.C.--very responsive. I think 
that they lack the manpower and resources to really reach out 
to a community that is now over 100,000 developers in the 
larger picture and tens of thousands of developers in the 
educational app space. So I think that I respectfully say that 
we will be filing comments with the NPRM specifically about the 
small business impact and we look forward to working with the 
FTC to make sure their estimates are appropriate. I think that 
as we think about all of this, we have to remember 2008 was 
when we had our first app store. So we have had all of these 
changes in business models, in technology, in capabilities in 
24 months. So we are looking forward to working with the FTC, 
and I think I am probably going to say that we are going to 
estimate their cost up and encourage them to take a very 
measured approach on the impact to small business.
    Mr. Olson. Yes, sir?
    Mr. Nigam. I just wanted to make a comment. Because of the 
company that we have in terms of consulting with online 
businesses, we spend countless hours talking about COPPA and 
whether to choose even going under 13 and over 13 and the 
eyeballs question comes up and the uniform reaction is eyeballs 
that are good we want; eyeballs that are going to hurt us kill 
our reputation, therefore kill our business. And I think that 
is something we should keep in mind because that goes back to 
companies being incentivized to find the right way to do the 
right thing. Now, the challenge may be what is that right thing 
because we can't understand what it means. That is a very 
different question than whether you are motivated to even try.
    Mr. Olson. Thank you, sir.
    I am over time. I yield back.
    Mrs. Bono Mack. I thank the gentleman.
    And the Chair recognizes Dr. Cassidy for 5 minutes.
    Mr. Cassidy. I got a 10-year-old, and she will take my 
iPhone, go to my iTunes, and she will download Angry Birds. 
``Dad, can I get Angry Birds?'' I never recall being asked if I 
am over 13. I assume iTunes knows I am over 13. But as I listen 
to you guys, I am suddenly realizing, man, how do you empower a 
parent? It sounds so nice as rhetoric, but as a guy with a 10-
year-old who is always on my iPhone, I have no clue how I am 
empowered. I am feeling very un-empowered.
    Mr. Reed. I can help you with that.
    Mr. Cassidy. Somebody empower me, buddy.
    Mr. Reed. Within most of the devices, I am happy, you know, 
I can grab a cup of coffee and I am happy to walk you through. 
All of the devices now--some of them are better; some of them 
are worse--have pretty granular and pretty incredible parental 
restrictions that you can set up. On your iPhone, there is a 
page that you can go to where you can say your daughter can't 
download. You can set it up with its own password. You can----
    Mr. Cassidy. OK. So my daughter downloads. My son who is 
17----
    Mr. Reed. Right.
    Mr. Cassidy. Vim and vigor, full of himself. Downloads 
something but my 13-year-old uses it.
    Mr. Reed. Right.
    Mr. Cassidy. Or if I go to my desktop, my 84-year-old 
mother who moves in with us is on the computer, my wife is, and 
then my daughter. So the super cookie has a place for my mother 
but it tracks all the way through three generations. Now, it 
seems like, unless somebody is logging off, which we don't do--
we reboot it--whether there is COPPA or not, it is going to be 
tracking whoever is on that computer, correct?
    Mr. Reed. That is correct. I would of course recommend that 
you get more mobile devices for your household. That is the 
clear solution here.
    Mr. Cassidy. Well, we are going that way.
    Mr. Reed. Get more.
    Mr. Cassidy. Yes.
    Mr. Reed. But yes, you are right.
    Mr. Nigam. Oftentimes I talk about how people distinguish 
between the online and the offline, but when you actually step 
back and say as a parent, how would I handle this situation if 
it was in the physical world? I think those same kinds of 
conversations need to apply, which means a conversation--and I 
have an 11-year-old--of you are not allowed to do this but your 
16-year-old brother is. That is part one. Part two----
    Mr. Cassidy. That assumes--think about a television. You 
walk by, you see the program, you have a sense of the content 
over a 30-minute show. You can have an entree into an online 
and then that entree takes you someplace far different. So the 
parent downloads it looks pretty benign, and next thing I know 
I have got, you know, $10 on my credit card bill. Now, I 
figured out how to stop that, but that said, I just say it 
takes you in places--Ms. Montgomery, I liked your testimony, so 
let me get your--I think you were going to say something?
    Ms. Montgomery. Yes. Well, what I wanted to say is I think 
what we need are tools that will help parents because it is 
baffling for all of us, and I agree with you. It is very 
frustrating and you can't really control where your kids are 
all the time, and that is why COPPA was designed to really 
address the business practices and really to minimize data 
collection. It was not set up to facilitate parental 
verification so that companies could collect a lot of data. It 
was really developed to ensure that Web sites targeting 
children did not collect a lot of data.
    Mr. Cassidy. But again, if my mother is on who is 84 and 
something is placed which begins to track and does not log out 
and my daughter gets on, something benign at the outset but 
perhaps less benign further in, I mean my mother has set the 
table for my daughter to be tracked, correct?
    Ms. Montgomery. Well, right. That is right. And that is 
why, you know, I mean this is an evolving marketplace and there 
will be more and more of that happening, as others have noted.
    Mr. Balkam. I just wanted to make a quick point that all of 
the major cell phone operators now offer pretty good parental 
controls. And in our survey that we just released a couple of 
weeks ago, we found that 25 percent of American families now do 
use that. Now, that seems like a fairly low figure, but then 
you compare it to the v-chip usage, which is around 15, 16 
percent, that is not too bad. I would highly recommend that you 
also use----
    Mr. Cassidy. Yes, I have a parental control but I am sure I 
am not using it to the full robustness as it should be.
    Mr. Balkam. And education. We need to empower----
    Mr. Cassidy. Now, I will tell you when I look at your 
documentation and it says click here, once I actually read it, 
it was 40 pages of legalese and a lot of it was redundant. A 
lot of it was actually repeated. And it is like I am thinking 
they are trying to defeat me from reading it. Now, we laugh 
but----
    Mr. Balkam. Sorry, sir.
    Mr. Cassidy. --it is repeated, repeated, repeated, and some 
of it is totally extraneous. It makes me think that that which 
actually I might object to is buried deep within.
    Mr. Balkam. I feel your pain. That is all I can say.
    Mr. Cassidy. I will tell you, though, but we have got to 
move beyond feeling pain to actually having something where a 
parent can look at and say it is one paragraph, boom, this 
works and this does not.
    Mr. Balkam. Right.
    Mr. Cassidy. Because right now I am thinking, heck, I can't 
read through this.
    Mr. Balkam. But there is another factor as well, sir, that 
you should consider especially with apps is that what drives 
those parental controls in many cases is the rating that was 
provided for the content. In television and movies that is 
provided by an industry----
    Mr. Cassidy. Can I ask one more question before I run out 
of time, Ms. Montgomery? I read in the Wall Street Journal that 
if they have this interactive game and they make the tractor 
red, white, and blue on a patriotic holiday, people are more 
like to purchase something online. You realize that there is a 
subliminal suggestion taking place which is modifying the 
behavior of the person who is actually looking at the screen. 
Now, if that is true for an adult, this is absolutely true for 
my 9- and 10-year-old. How are we going to regulate this sort 
of subliminal molding the person who is looking at the 
interactive game to manipulate them into a behavior which they 
frankly may not be aware they are being manipulated?
    Ms. Montgomery. Well, these are major concerns. And I agree 
with you and we haven't even talked about things like 
neuromarketing, which is one of the trends in the industry as 
well, in the online industry. But this is exactly why I think 
we need to ensure that COPPA makes it impossible for companies 
to behaviorally target, to track an individual child and to 
create marketing that is designed for that child based on that 
child's behavior, psychological profiles, and other information 
that has been collected from that child.
    Mr. Cassidy. OK. That seems like nice-sounding 
recommendations, but how do we get there? I am not quite sure I 
know that.
    Ms. Montgomery. We have to keep working at it.
    Mr. Cassidy. OK. Thank you. I yield back.
    Mrs. Bono Mack. Thank you.
    The Chair recognizes Mr. Kinzinger for 5 minutes.
    Mr. Kinzinger. Thank you, Madam Chair.
    I may be the last person to ask you questions, so 
congratulations. You made it. Thank you for coming.
    Mrs. Bono Mack. Excuse me, sir. We plan a second round, so 
don't let them off that easily.
    Mr. Kinzinger. OK, this round. But I really appreciate you 
coming in and talking to us. This is very important. And I 
think as we, you know, here in Congress debate things like the 
economy and jobs and what is the proper role of government, you 
know, does government micromanage an economic recovery or is it 
the private sector, which I believe? This is a great 
opportunity to show how this area is an explosive market and 
really a bright spot in the American economy. It would be 
really sad to think of where we would be, frankly, without, you 
know, technology innovation right now as an economy. What place 
would we have in the world?
    So I think as we go forward it is very important that we 
understand that there has got to be a proper balance, of 
course, between where the government is involved and what it 
does and also stamping down on the innovation of the free 
market. Because again if we are going to get out of this 
recession, and we are, it is going to be through that free 
market.
    So it is good to hear also from the witnesses that the FTC 
is working well with the stakeholders in updating our privacy 
rules to reflect that evolving world. As you have heard from 
everybody here, I am amazed at what the young folks are able to 
teach me about, you know, what to do with applications and 
stuff like that. Even though I may be one of the younger 
members of Congress, all I can do on my iPad right now is surf 
the Internet. I really don't know how to do much else. So I can 
go to my nieces and nephews to help me with that if they need 
to.
    But I also want to say to me it is incredibly hard for 
parents to control or even know what their children are doing, 
and at the same time, I feel confidence, obviously, that 
mothers and fathers want to have that assurance that they know 
what is going on and things like that.
    The FTC has played an important role in this regard and 
should continue to work with the various stakeholders to ensure 
children's personal information is not being collected online. 
More can always be done and this committee must determine and 
it will determine whether the FTC has enough authority to keep 
up with online advances, at the same time finding that balance.
    My first question, though, is to Mr. Reed. As the apps 
become more enhanced in geolocation and social media 
interactions advance--and they do it at a record pace and an 
exponential pace, frankly--do parents have the tools to ensure 
that predators won't have access to their children's location? 
Because, to me, I see that as potentially being a very terrible 
story in the future.
    Mr. Reed. Right. That is becoming kind of a universal 
conundrum. How does my child share his information with his 
friends and not let people that we don't want to see it, see 
it? We are working on technological solutions, we are working 
on allowing kids to kind of develop their own friends list, but 
that has its own shortfalls. Does my 13-year-old--mine is 5-3/4 
so she is not there yet--but does she know who her friends 
really are? The problem is is if we take a step back, we had 
this problem with this device called the telephone. People 
could call each other and say this is where I am. I will meet 
you behind the park or behind the baseball field. So it is 
really a struggle that we have on how do we take this location 
information that we are provided in our mobile device and 
somehow segregate it in a way that is different than, say, my 
physical telephone in my house saying I will meet you behind 
the baseball field.
    Mr. Kinzinger. Right.
    Mr. Reed. So we don't have the answers. We are trying to 
figure it out, but I a big part of what we are doing is 
empowering parents to know what their kids' device does and by 
alerting them very clearly, hey, this is going to share your 
location. Are you OK with it? And in the case of most of the 
mobile devices, you can turn that off completely. So in mine, 
my daughter can't actually hit any button that charts her 
geolocation. And so that is what we are going to have to do.
    Mr. Kinzinger. And that is good. And again, I mean in 2 or 
3 years if you all are fortunate enough to come back here and 
talk, we are going to have a whole slew of new different 
questions----
    Mr. Reed. Right.
    Mr. Kinzinger. --because there is going to be so much that 
we can't even begin to imagine now. And again, that is what 
beautiful about our innovating economy is that, you know, that 
is the case.
    But let me ask Ms. Engle. How is the FTC approaching 
geolocation technologies as it relates to children? And 
specifically, do you believe parents are given enough 
information to know what an app is storing about a child and 
what information is being shared with other users?
    Ms. Engle. The FTC believes that geolocation information is 
already covered as an item of personal information under COPPA 
because COPPA refers to physical location including street name 
and city or state and geolocation information is at least as 
precise as that and often more so. But what we have proposed is 
specifically adding geolocation as an element of personal 
information just to make that crystal clear.
    Mr. Kinzinger. Well, thank you. And again, this appears to 
be a good example of where government and private sector seems 
to be working well together. And I yield back.
    Mrs. Bono Mack. I thank the gentleman and recognize myself 
for the next 5 minutes.
    And to Dr. Montgomery, I appreciate very much your thoughts 
on this and your work on this over the years. Last week, I took 
a trip up to Silicon Valley and I visited a number of the big 
firms. It was very thought-provoking and I think that what 
really strikes me the most is how over the years the Internet 
has been built on the back of intellectual property. And early 
on when you think about Napster and Kazaa and the peer-to-peer 
networking and how we have moved into other models that 
actually try to pay for intellectual property, do you think, I 
mean behavioral advertising to me, I kind of grapple a little 
bit with why it is bad when sometimes they are trying to 
monetize these new models that end up trying to pay for 
content.
    Anybody who is a writer in the audience, you know, anybody 
who has ever been a part of any creative work, any longer your 
work is devalued because you can't get paid. And when something 
is out on the Internet in digital form, a master copy is a 
master copy is a master copy. How do you see moving forward, 
then, in a world where we need to try to provide decent, 
quality content for our children and still protect them from 
behavioral advertising? And you said that if we hadn't had 
COPPA--and I don't disagree with you--but you said it would 
have been outrageous what we would be living under now. How do 
you find outrageous and how do you see paying for quality 
content going forward as people are grappling with how to pay 
people who create valuable content for our children?
    Ms. Montgomery. Well, I will tell you that what I saw in 
the early days was leading to a business model where marketers 
were talking about creating personal relationships between a 
product spokescharacter and a child, things that nobody would 
ever talk about now in terms of microtargeting and targeting 
individual children. And I think what we have been able to do 
with COPPA is allow and enable that industry to grow and 
flourish but by creating some guardrails, some rules of the 
road where we are not taking advantage of the youngest 
children, whereas I mentioned earlier, research shows they 
don't have the cognitive capacities or the psychological 
developmental capacities to handle these kinds of very, very 
sophisticated behavioral targeting and----
    Mrs. Bono Mack. But there must be some positive behavioral 
targeting out there, too. And this is what troubles me about 
these discussions we have in here with privacy, with security, 
is all of these issues have another side to the coin where some 
people see benefit, others see risk, all of these. My point 
here is what if we wanted to do an anti-bullying campaign? That 
is positive. What if we want to encourage our children to go to 
a great university like USC or something like that? And so 
there are ways to target them in a positive way as well, aren't 
there? We are stifling----
    Ms. Montgomery. Absolutely. And from the beginning what we 
have said and I still agree with, we were never trying to 
eliminate marketing or advertising in this context. We think 
that is perfectly fine and identifying the IPs, understanding 
that an IP address is still now personal information, 
personally identifiable, that doesn't mean you can't provide 
contextual advertising to children. That is still very much 
possible. You can do all kinds of anti-bullying campaigns. They 
are happening online. None of this would restrict it.
    What I think is important, however, is that we create some 
safeguards for the kinds of data collection and profiling and 
highly targeted and potentially very manipulative advertising 
that is targeted at younger children. Now, when it comes to----
    Mrs. Bono Mack. And can you speak a little bit towards 
monetizing the delivery of quality content? This is what it is 
all about at the end of the day.
    Ms. Montgomery. It is a tradeoff. It is always a tradeoff. 
And yes, of course you need to monetize the content but you do 
that at a price. And if it is a price that is not fair to 
children, that takes advantage of them, then I think you look 
for ways to alter that business model.
    Mrs. Bono Mack. Thank you very much, Dr. Montgomery.
    Mr. Simpson?
    Mr. Simpson. Just quickly to add to that, as a big believer 
in those incredible educational opportunities of apps, of a lot 
of this digital media, how do we monetize that? As much as 
possible we do that with the engagement and empowerment of 
parents. Make them part of the equation so that they know about 
the cyber bullying campaign that we want to promote and that 
they are engaged with their kids with talking about USC and 
other great institutions. Make them part of the equation.
    Mrs. Bono Mack. Quick question--and we are trying also to 
get enough time to Mr. Markey so he can be here--you like the 
eraser button. I don't understand how that is technologically 
feasible. I am not opposed to the concept, but again, if it is 
a digital recording, if a song is out there, it is out there 
forever. If a photograph is out there, it is out there forever. 
How do you technologically think that an eraser button is 
possible when it is already out there in cyberspace and you 
can't even attribute necessarily who originated it?
    Mr. Simpson. You are very right on that part and one of our 
first pieces of advice to parents and to our educational 
materials for kids is to make them recognize that these things 
can be forever and all the more reason why kids need to be very 
careful about what they post, what they share. But as the bill 
has drafted, to the degree that it is technologically feasible, 
the eraser button should address some of the opportunities for 
kids or teens, parents in the case of kids, to take down what 
they own.
    This also gets back to what, I believe, Congresswoman 
Blackburn has described as who owns the virtual you. So this is 
also an issue of intellectual property. This is an issue of 
property. When we start sharing things online, they do get much 
more complicated. They run into First Amendment issues and they 
run into shared ownership. But at what point do we have tools 
for parents and for teens where something that belonged to me, 
a picture I took of myself still belongs to me and is something 
I can take down.
    Mrs. Bono Mack. All right, thank you. I need to yield to 
Mr. Butterfield for 5 minutes.
    Mr. Butterfield. Thank you, Madam Chair.
    Ms. Engle, let me start with you. The statute contains a 
broad definition of personal information. It states simply that 
personal information means ``individually identifiable 
information about an individual collected online'' and then 
includes a nonexclusive list of identifiers. The FTC is also 
granted the authority to expand the definition to include any 
other identifier that the Commission determines permits the 
physical or online contacting of a specific individual. This is 
the authority that the FTC is relying on to bring the meaning 
of personal information into the COPPA Rule in line with the 
technological changes that have happened since the Rule first 
went into effect.
    Let me just ask you yes or no. Am I correct that you are 
not required by the statute to determine whether changing the 
definition of personal information will unreasonably impede 
technological innovation?
    Ms. Engle. That is correct.
    Mr. Butterfield. All right. Yes or no, am I correct that 
you are not required by the statute to determine whether 
changing the definition of personal information will adversely 
affect interstate commerce?
    Ms. Engle. That is correct.
    Mr. Butterfield. All right. Yes or no, am I correct that 
exercise of this authority does not require any finding other 
than that the identifier permits physical or online contacting?
    Ms. Engle. That is what the statute says.
    Mr. Butterfield. All right. Yes or no, am I correct that 
you get to use streamlined APA rulemaking and are not required 
to follow the more burdensome Magnuson-Moss rulemaking process 
to change the definition?
    Ms. Engle. That is correct, although we always, you know, 
seek comment on burdens and cost and technological feasibility, 
but it is not statutorily required.
    Mr. Butterfield. All right. Yes or no, is this the first 
time in the 11 years since the COPPA rule became effective that 
the Commission has proposed changes to the meaning of personal 
information using its statutory authority to modify the meaning 
of that term?
    Ms. Engle. Yes.
    Mr. Butterfield. All right. Those are my yes-or-no 
questions. All right. We need to use some more time.
    It seems to me that when the FTC is given the ability to 
modify the meaning of a key statutory term like personal 
information, and 2) is allowed to do so following a 
straightforward and streamlined process, it is shown it will 
not abuse the authority or act hastily. It will not run wild 
and create chaos and unnecessary cost for businesses. I think 
our experience with COPPA shows the FTC can exercise this sort 
of authority carefully and deliberately. I hope that is a 
lesson all of us here can apply to the data security context as 
we look to move legislation in that area that is both effective 
and adaptable to changes in technology and expectations about 
what information should be protected.
    This has been a good hearing, Madam Chairman. I want to 
thank the witnesses and want to thank you for your patience. I 
yield back.
    Mrs. Bono Mack. I thank the gentleman and at this point I 
will thank the panel very much for your answers to our 
questions. You have been very gracious with your time. And as I 
said, these issues I think no more than any others have a 
flipside to everything that we do. And the law of unintended 
consequences can be very, very frightening. And with that, I am 
actually just stretching--you owe me. And I am happy to 
recognize Mr. Markey for 5 minutes.
    Mr. Markey. Thank you. I thank the gentlelady and I thank 
you for allowing me as a nonmember of this subcommittee to 
participate. Thank you so much.
    I am the House author of the Children's Online Privacy 
Protection Act, which Congress passed and President Clinton 
signed into law in 1998. It is the communications constitution 
when it comes to protecting kids online but we need to update 
it to take into account the explosive growth and innovation in 
the online ecosystem over the last 13 years.
    I commend the Federal Trade Commission for its thoughtful 
and comprehensive review and for its proposed changes to that 
Rule, which reflect and reinforce many of the same safeguards 
contained in the Do Not Track Kids Act that I introduced this 
past May with Representative Joe Barton.
    As in our bill, the Commission appropriately notes that 
teens should be provided with clear information about how their 
personal data is used and also empowered to exercise control 
over these uses. As in our bill, the Commission also proposes 
to add children's location information under the category of 
personal data that require a parent's permission before it is 
collected or used. Given the potential for this sensitive data 
to be misused to endanger a child, the Commission's proposal in 
this area is a much-needed step.
    I commend the Commission for rejecting arguments that 
voluntary self-regulatory efforts are the best way to address 
privacy concerns in connection with behavioral targeting of 
children online. Strong legal requirements along with vigilant 
enforcement are needed to protect children from tracking and 
targeting on the Internet.
    Children should be able to grow up in an electronic oasis 
that enables access to online education, to education and 
entertainment opportunities in a safe environment. And I look 
forward to working with you, Madam Chair, and all the members 
of the committee so that we can strengthen privacy safeguards 
and ensure that kids and teens are protected when they go 
online, and that is why I introduced the Do Not Track Kids Act.
    Mr. Simpson, you mentioned in your testimony that teens 
still need privacy protection online because, as we know, COPPA 
covers users 12 and younger. I agree with you. And the Do Not 
Track Kids bill that Joe Barton and I introduced provides teens 
with safeguards specifically tailored for their age group 
without expanding the COPPA structure to adolescents. Can you 
expand on Common Sense's views on privacy protections for 
teens, please?
    Mr. Simpson. Thank you, sir. We think you are taking very 
much the right approach. There is a complicated issue here 
called child development and we all know that not all 8-year-
olds are the same, 8-year-olds are not the same as 14-year-old, 
and 14-year-olds are not the same as 20-year-olds, and many 20-
year-olds act like 12-year-olds. But the reality is that teens 
need something more than they have right now. The FTC's 
recommendations are very valuable for kids under 13, but there 
are a lot of 13- and 14- and 15-year-olds who are quite capable 
of making mistakes in this innovative space, and those mistakes 
can come back to haunt them. They need opportunities and they 
need a lot more education and they need a lot more information 
that is actionable. They need resources they can use that are 
designed for their age group, not for the lawyers who are well 
versed in privacy.
    Mr. Markey. Thank you.
    Dr. Montgomery, do you agree that younger teens need a 
framework for them as well, perhaps not for the 12 and under 
but something tailored for that group?
    Ms. Montgomery. Yes, I do and this is something I have felt 
very strongly about for a long time since we were debating 
COPPA where the issue of whether we ought to apply the COPPA 
protections to teens was very much part of the discussion at 
that time. And what I really believe is that we do need 
protections here. What we have seen is with COPPA, we have a 
framework where there is an industry that appreciates the 
concerns about children, but with teenagers, it has been no 
holds barred and no real sensitivity to their concerns.
    Mr. Markey. Can I ask, what is your response to the 
questions that are raised by the eraser button that Mr. Barton 
and I have included in our bill? What do you think about its 
functionality as a way for parents to be able to protect kids?
    Ms. Montgomery. I don't really know how the eraser button 
will work but I do believe, as my colleague Alan Simpson has 
said, that teenagers themselves should be able to have some 
control over the information they have placed online.
    Mr. Markey. Mr. Simpson, what is your view in terms of the 
eraser button?
    Mr. Simpson. Absolutely. And you know, we don't know 
exactly how they will work, but I think they key is here we 
have seen a lot of innovation on how to collect and not enough 
innovation on how to protect. And I think something like an 
eraser button is a tool that industry can design to empower 
teens in richer ways.
    Mr. Markey. OK. Thank you. And I thank all of you for your 
participation in this very, very important discussion. It is 
only going to get more and more dangerous for kids if we don't 
put these safeguards in place.
    Thank you, Madam Chair.
    Mrs. Bono Mack. Thank you, Mr. Markey.
    And again, I would like to thank Ms. Engle and the entire 
staff at the FTC who has devoted time and thought to this 
effort. Job well done. And also to all of you once again, thank 
you. I would like to say that this is a third in our series of 
online privacy hearings so far this year. I look forward to our 
continued discussions on how we can best balance the need to 
remain innovative with the need to protect all of our privacy, 
certainly our children's privacy.
    Next week, we will take a close look at consumer attitudes 
and expectations, and we know that is going to be a very 
interesting hearing.
    I will remind members that they have 10 business days to 
submit questions for the record, and I ask all witnesses to 
please respond promptly to any questions you might receive.
    And the hearing is now adjourned. Thank you again.
    [Whereupon, at 11:02 a.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    

                                 
