[House Hearing, 112 Congress] [From the U.S. Government Publishing Office] PROTECTING CHILDREN'S PRIVACY IN AN ELECTRONIC WORLD ======================================================================= HEARING BEFORE THE SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE OF THE COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED TWELFTH CONGRESS FIRST SESSION __________ OCTOBER 5, 2011 __________ Serial No. 112-91 Printed for the use of the Committee on Energy and Commerce energycommerce.house.gov ---------- U.S. GOVERNMENT PRINTING OFFICE 74-138 PDF WASHINGTON : 2012 For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 COMMITTEE ON ENERGY AND COMMERCE FRED UPTON, Michigan Chairman JOE BARTON, Texas HENRY A. WAXMAN, California Chairman Emeritus Ranking Member CLIFF STEARNS, Florida JOHN D. DINGELL, Michigan ED WHITFIELD, Kentucky Chairman Emeritus JOHN SHIMKUS, Illinois EDWARD J. MARKEY, Massachusetts JOSEPH R. PITTS, Pennsylvania EDOLPHUS TOWNS, New York MARY BONO MACK, California FRANK PALLONE, Jr., New Jersey GREG WALDEN, Oregon BOBBY L. RUSH, Illinois LEE TERRY, Nebraska ANNA G. ESHOO, California MIKE ROGERS, Michigan ELIOT L. ENGEL, New York SUE WILKINS MYRICK, North Carolina GENE GREEN, Texas Vice Chairman DIANA DeGETTE, Colorado JOHN SULLIVAN, Oklahoma LOIS CAPPS, California TIM MURPHY, Pennsylvania MICHAEL F. DOYLE, Pennsylvania MICHAEL C. BURGESS, Texas JANICE D. SCHAKOWSKY, Illinois MARSHA BLACKBURN, Tennessee CHARLES A. GONZALEZ, Texas BRIAN P. BILBRAY, California JAY INSLEE, Washington CHARLES F. BASS, New Hampshire TAMMY BALDWIN, Wisconsin PHIL GINGREY, Georgia MIKE ROSS, Arkansas STEVE SCALISE, Louisiana JIM MATHESON, Utah ROBERT E. LATTA, Ohio G.K. BUTTERFIELD, North Carolina CATHY McMORRIS RODGERS, Washington JOHN BARROW, Georgia GREGG HARPER, Mississippi DORIS O. MATSUI, California LEONARD LANCE, New Jersey DONNA M. CHRISTENSEN, Virgin BILL CASSIDY, Louisiana Islands BRETT GUTHRIE, Kentucky KATHY CASTOR, Florida PETE OLSON, Texas DAVID B. McKINLEY, West Virginia CORY GARDNER, Colorado MIKE POMPEO, Kansas ADAM KINZINGER, Illinois H. MORGAN GRIFFITH, Virginia _____ Subcommittee on Commerce, Manufacturing, and Trade MARY BONO MACK, California Chairman MARSHA BLACKBURN, Tennessee G.K. BUTTERFIELD, North Carolina Vice Chairman Ranking Member CLIFF STEARNS, Florida CHARLES A. GONZALEZ, Texas CHARLES F. BASS, New Hampshire JIM MATHESON, Utah GREGG HARPER, Mississippi JOHN D. DINGELL, Michigan LEONARD LANCE, New Jersey EDOLPHUS TOWNS, New York BILL CASSIDY, Louisiana BOBBY L. RUSH, Illinois BRETT GUTHRIE, Kentucky JANICE D. SCHAKOWSKY, Illinois PETE OLSON, Texas MIKE ROSS, Arkansas DAVID B. McKINLEY, West Virginia HENRY A. WAXMAN, California (ex MIKE POMPEO, Kansas officio) ADAM KINZINGER, Illinois JOE BARTON, Texas FRED UPTON, Michigan (ex officio) (ii) C O N T E N T S ---------- Page Hon. Mary Bono Mack, a Representative in Congress from the State of California, opening statement............................... 1 Prepared statement........................................... 4 Hon. G.K. Butterfield, a Representative in Congress from the State of North Carolina, opening statement..................... 6 Hon. Joe Barton, a Representative in Congress from the State of Texas, opening statement....................................... 7 Prepared statement........................................... 8 Hon. Pete Olson, a Representative in Congress from the State of Texas, opening statement....................................... 10 Hon. Henry A. Waxman, a Representative in Congress from the State of California, opening statement............................... 10 Prepared statement........................................... 12 Witnesses Mary Koelbel Engle, Associate Director, Division of Advertising Practices, Federal Trade Commission............................ 14 Prepared statement........................................... 17 Answers to submitted questions............................... 140 Hemanshu Nigam, Founder and Chief Executive Officer, SSP Blue.... 37 Prepared statement........................................... 39 Morgan Reed, Executive Director, Association for Competitive Technology..................................................... 44 Prepared statement........................................... 46 Stephen Balkam, Chief Executive Officer, Family Online Safety Institute...................................................... 58 Prepared statement........................................... 60 Answers to submitted questions............................... 143 Kathryn C. Montgomery, Director, Ph.D. Program, School of Communication, American University............................. 72 Prepared statement........................................... 74 Alan Simpson, Vice President of Policy, Common Sense Media....... 95 Prepared statement........................................... 97 PROTECTING CHILDREN'S PRIVACY IN AN ELECTRONIC WORLD ---------- WEDNESDAY, OCTOBER 5, 2011 House of Representatives, Subcommittee on Commerce, Manufacturing, and Trade, Committee on Energy and Commerce, Washington, DC. The subcommittee met, pursuant to call, at 9:07 a.m., in room 2123 of the Rayburn House Office Building, Hon. Mary Bono Mack (chairman of the subcommittee) presiding. Members present: Representatives Bono Mack, Blackburn, Harper, Lance, Cassidy, Guthrie, Olson, McKinley, Kinzinger, Barton, Butterfield, Markey, Matheson, Towns, and Waxman (ex officio). Staff present: Andy Duberstein, Assistant Press Secretary; Kirby Howard, Legislative Clerk; Brian McCullough, Senior Professional Staff Member, CMT; Jeff Mortier, Professional Staff Member; Gib Mullan, Chief Counsel, CMT; Shannon Weinberg, Counsel, CMT; Michelle Ash, Democratic Chief Counsel, CMT; Felipe Mendoza, Democratic Counsel; and Will Wallace, Democratic Policy Analyst. Mrs. Bono Mack. The subcommittee will now come to order. Good morning. When it comes to online privacy protection, we have no more important job than to get it right for our kids. Today, there are an estimated 50 million children across the United States who are 13 years of age and younger. Our goal is to make sure their experiences on the Internet are as safe as possible and their privacy rights are fully protected. And the Chair now recognizes herself for an opening statement. OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF CALIFORNIA Whether they are surfing, studying, chatting, or playing video games, kids today are spending more and more time online taking advantage of the vast, richly diverse resources found on the Internet. But as we know very well and sometimes painfully, there can be a dark side to the Internet, too. The Children's Online Privacy Protection Act was adopted by Congress in 1998 to help protect the privacy of our children. COPPA requires Web sites and other online services to obtain parental consent before collecting and sharing information from kids who are under the age of 13. As a mother and as chairman of the subcommittee, this is an issue that remains one of my top priorities, as well as one of my big areas of concern. For the most part, the FTC has done a great job of making sure COPPA has worked well for our kids and their families, but it is time to begin asking some important questions. Should Congress revisit COPPA in light of the rapid technological advances which have been made since its enactment more than a decade ago? Is the current age threshold sufficient to protect our kids or should it be raised? If it is raised, what are the constitutional and technological implications? Is the COPPA safe harbor regime an effective self-regulatory model and could it be successfully utilized in other privacy contexts? And finally, is the expansion of the definition of personal information in the COPPA appropriate for use as a precedent in the broader online privacy context. Today, we will begin debating these and other issues with a respected panel of experts. And one thing is very clear to me-- kids today are becoming more tech savvy at a younger and younger age, but that exposure to exciting new sophisticated devices and countless Web sites located around the world doesn't necessarily mean that they are going to be able to have any better judgment or make them any more aware of what dangers might lurk online. That is why the FTC and parents everywhere must continue to play a critically important role in safeguarding the privacy of our children. The purpose of this hearing is to take a close look at the adequacy of existing protections and whether the FTC's proposed changes to COPPA go too far, not far enough, or manage to strike the appropriate balance. Having reviewed these changes carefully, I think the FTC has, and as I often say, they have hit the sweet spot. One of the most significant changes involves revising the definition of PII to include geolocation data and persistent identifiers such as IP addresses or device serial numbers. A second change to the existing COPPA Rule includes a new provision to govern data retention and deletion of children's PII, and it requires operators to delete information when it is no longer needed to fulfill its original purpose. Another proposed improvement to the COPPA Rule addresses the growing unreliability of so-called ``email-plus'' by eliminating it as a method of parental consent. And when it comes to safe harbors, the FTC is proposing a new self-audit requirement calling for information practices to be reviewed annually. Additionally, all safe harbor programs would be required to regularly submit to the FTC the results of their annual member audits and any disciplinary actions imposed by their members. Clearly, Chairman Leibowitz and the rest of the FTC deserve our thanks and our appreciation for conducting a careful, thorough, and thoughtful review of COPPA leading to these important recommended changes. While some privacy advocates would like to raise the COPPA age threshold because of an increasing use of social networking sites by teenagers such as Facebook, Twitter, and Google Plus, I believe the FTC showed commonsense restraint in taking a go-slow approach. The last thing we want to do is to inhibit technological advances and stifle growth of the Internet by moving forward in a new policy area without a good, smart game plan in place. I look forward to having this particular debate in the months ahead as we continue our broader hearings on privacy. In closing, I also want to stress the importance of parental involvement in this process. It is not enough to simply check the box and provide consent. I urge all parents everywhere to regularly check out the Web sites that your kids are visiting, carefully review their privacy policies, and finally, ask questions. Make sure you clearly understand a site's practices as well as its policies and give your kids a primer on the dangers of online predators. Talk to them often and make them more self-aware. It is critically important that all of us continue to work together to keep the Internet as safe as possible for all of our children. And now, the gentleman from North Carolina, Mr. Butterfield, the ranking member of the Subcommittee on Commerce, Manufacturing, and Trade is now recognized for his 5 minutes for his opening statement. [The prepared statement of Mrs. Bono Mack follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF NORTH CAROLINA Mr. Butterfield. I thank the chairman of this subcommittee and all of the others who have worked so hard to make today's hearing possible. Thank you very much because this certainly an important subject. I also want to thank the witnesses for coming forward today, and I look forward to each of your testimonies. The privacy of our children is paramount and is an issue where we can show strong bipartisan support. Over 10 million children access the Internet on a regular basis and it is our job as policymakers to ensure that they are protected and their personal information is safe. In 1998, consumer use of the Internet was still in its infancy. It had evolved from making about 2 percent of two-way telecommunication traffic in 1990 to over 50 percent in the year 2000. Understanding the enormity of the Internet and the pervasive effect that it would ultimately have on our daily lives, Congress passed the Children's Online Privacy Protection Act. We refer to it as COPPA. In the year 2000, the FTC COPPA Rule went into effect. These days, homework often includes an online component. You would also find it difficult to find a child of a certain age who doesn't communicate with his or her peers over the Internet in a chat room or instant messaging program. But the majority of those Web sites children have to visit to complete schoolwork or talk to their friends require some sort of registration to use the site and service. Parents deserve to know what kind of personal information is being collected on their child and how it will be used. COPPA prohibits operators of Web sites and online services directed at children under the age of 13 from collecting personal information from them without first getting verified parental consent. I was curious as to why a parent would give consent to have their children's information collected by an operator, and it became clear to me that even free content on Web sites has a cost. Children are avid consumers and represent a large and powerful segment of the marketplace. They spend billions of dollars a year themselves and influence others to spend billions more. Advertisers see it as an enormous opportunity to promote products and services to an eager and impressionable audience. The FTC's proposed revised COPPA Rule addresses a number of concerns that have resulted from the technological advancements of the past 5 years. Until recently, the term geolocation didn't mean so much to the average person. Now, anyone with a GPS-enabled phone can use certain online services to broadcast their exact location to a couple of feet and anyone can see their location. Geolocation, persistent identifiers, as well as photos, videos, and audio of a child have been added to the definition of personal information. Giving Web site operators maximum latitude, the COPPA Rule requires that reasonable procedures are in place to protect the confidentiality, security, and integrity of personal information collected from children while not mandating any specific procedures or technology. And to maximize protections for children, the FTC's proposed rule will require that Web site operators keep children's data for only as long as absolutely necessary and that they ensure that their third-party vendors also protect children's personal data. Now, Madam Chairman, I listened very carefully to your opening statement a moment ago and I agree with all that you said. The proposed revised COPPA Rule is stronger and it will better protect American children from their data falling into the wrong hands. It seems to me that a lot of the rules should be incorporated into the baseline privacy legislation that protects everyone, regardless of age. Someone who is 12 today and 13 tomorrow has the same privacy concerns as someone who is 18 today and 19 tomorrow. I hope that moving forward with privacy legislation we can look to COPPA's revised rule and apply the strong commonsense privacy protection measures to all Americans. Thank you very much. I look forward to your testimony. Mrs. Bono Mack. I thank the gentlemen. And the Chair now recognizes the chairman emeritus of the full committee, Mr. Barton, for 1 \1/2\ minutes. OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS Mr. Barton. Thank you, Madam Chairwoman. I sincerely appreciate you holding this hearing. This is a very personal issue with me. I have been involved with privacy for a number of years and have a very special interest in children's privacy because of my 6-year-old son and my five grandchildren. When I grew up, Madam Chairwoman, I didn't even know what a computer was. My son, though, my youngest son, 6-year-old son probably spends at least an hour a day right now playing on the computer both at school and at home. He knows better how to click on things than I do quite frankly. As cochairman of the Privacy Caucus along with Congressman Ed Markey of this committee, I have served as a leading advocate for online consumer protection. He and I together have introduced H.R. 1895, the Do Not Track Kids Act of 2011. This legislation does five things. It updates the Children's Online Privacy Protection Act of 1998. It adds protections that children or young teenagers ages 13 to 17; it prohibits Internet companies from sending targeted advertising to children and minors; prohibits Internet companies from collecting personal and location information from anyone less than 13 years of age without parental consent and anyone less than 18 without individual consent; it would require Web site operators to develop an eraser button to give children and minors the ability to request a deletion of their personal information that they do not wish to be available on the Internet. The issue of online privacy has become a hot topic due to the rapid growth of the Internet. I hope that this hearing, Madam Chairwoman, spotlights some of the issues and builds a bipartisan consensus to do something about it such as move the Kids Protection Act that I just mentioned. Thank you for my time and I yield back. [The prepared statement of Mr. Barton follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mrs. Bono Mack. I thank the gentleman. The Chair now recognizes Mr. Olson from Texas for 1 minute. OPENING STATEMENT OF HON. PETE OLSON, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS Mr. Olson. I thank the Chair for holding this important hearing as we continue our discussions about online privacy issues. As a father of a 14-year-old daughter and 11-year-old son, nothing is more important to me than keeping my kids safe. Kids today, like mine, have access to new technologies that enable them to get online instantly from almost anywhere and access and share information. Congress recognized there was a need to protect children's Internet privacy and enacted the Children's Online Privacy Protection Act, COPPA, in 1998. As we examine the FTC's proposed changes to the COPPA Rule, we need a clear understanding of all the tools currently available to parents to protect their children's privacy on the Internet before we determine what changes are needed to COPPA. We cannot legislate in search of a problem. I thank the witnesses for being here and look forward to the hearing. I yield back. Mrs. Bono Mack. I thank the gentleman and now will recognize the ranking member of the full committee, Mr. Waxman, for 5 minutes for his opening statement. OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF CALIFORNIA Mr. Waxman. Thank you, Madam Chair. In 1998, thanks to the leadership of Representative Ed Markey and Dr. Kathryn Montgomery, Congress passed and President Clinton signed the Children's Online Privacy Protection Act, and today, we are fortunate to have Dr. Montgomery back before the committee to talk about this landmark law and her recommendations for the future. I am pleased that 11 years after enactment, your overall assessment is that COPPA is a ``clear legislative success.'' COPPA has withstood the test of time, which is remarkable because innovation occurs at warp speed online. One reason for its success is that it was written to be flexible. The law gives the Federal Trade Commission the authority and the discretion to carry out several broad mandates aimed at protecting young children from the unfair collection and use of their information. The last several years in particular have been a period of rapid change in the delivery of online services. Young children now have access to social networks, interactive gaming, and apps on mobile devices that they carry with them everywhere they go. The FTC is responding to these developments by using its authority to update the COPPA Rule so that the law remains an effective tool for protecting children's privacy and safety. The updates to the COPPA Rule proposed by the FTC are appropriate, reasonable, well -hought-out, and true to the intent of the law. These changes will ensure that parents of young children will remain in control of their information, whether it be their precise location at any given time, their photographic images, or a record of their online habits and activities. That is consistent with the goal of the law--that parents, not businesses, get to decide what information about their children can and should be revealed online. While the focus of this hearing is children's privacy, we must not forget that adults need privacy protections, too. People of all ages need more control over their information and better privacy protection. I have said this before and I will say it again. We should enact comprehensive privacy legislation. Next week's privacy hearing will be our fourth this year. There were six privacy hearings in the last Congress. Each hearing has made me more and more convinced that current law does not ensure proper privacy protections for consumer information. As we consider comprehensive legislation, there are some clear lessons to be drawn from the 11 years of privacy protection for young children under COPPA. First, it is possible to provide consumers with real, enforceable online privacy protections without killing innovation on the Internet; and second, it is possible to craft legislation in such a way that the direction from Congress is precise and clear, but the authority of the agency is flexible enough to adapt to changes in technology and changes in social expectations and behavior. Those are valuable lessons. I hope they will be remembered when hopefully comprehensive privacy legislation is considered by this committee. Thank you, Madam Chair, and I am going to yield back the balance of my time. [The prepared statement of Mr. Waxman follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mrs. Bono Mack. I thank the gentleman and I look forward to our continued work together on privacy. And now I would like to turn our attention to the panel. We have just one panel of witnesses today joining us. Each of our witnesses has, as usual, prepared an opening statement that will be placed into the record. Each of you will have 5 minutes to summarize the statement in your remarks. On our panel we have Mary Koelbel Engle, Associate Director, Division of Advertising Practices at the Federal Trade Commission. Also testifying is Hemanshu Nigam, Founder and Chief Executive Officer of SSP Blue. Next is Morgan Reed, Executive Director, Association for Competitive Technology. Our fourth witness is Stephen Balkam, Chief Executive Officer of the Family Online Safety Institute. Our fifth witness is Dr. Kathryn Montgomery, Director of the Ph.D. Program at the School of Communication at the American University. And our final witness is Alan Simpson with Common Sense Media. Good morning and thank you all very much for coming. You will each be recognized for 5 minutes. To help you keep track of time, there are the lights in front of you as is standard. You know what yellow, green, and red each mean. As it turns yellow either hit the gas or slam on the brakes. You get to decide. And please just make sure you turn on your microphone before you begin. And Ms. Engle, you may start for your 5 minutes. STATEMENTS OF MARY KOELBEL ENGLE, ASSOCIATE DIRECTOR, DIVISION OF ADVERTISING PRACTICES, FEDERAL TRADE COMMISSION; HEMANSHU NIGAM, FOUNDER AND CHIEF EXECUTIVE OFFICER, SSP BLUE; MORGAN REED, EXECUTIVE DIRECTOR, ASSOCIATION FOR COMPETITIVE TECHNOLOGY; STEPHEN BALKAM, CHIEF EXECUTIVE OFFICER, FAMILY ONLINE SAFETY INSTITUTE; KATHRYN C. MONTGOMERY, DIRECTOR, PH.D. PROGRAM, SCHOOL OF COMMUNICATION, AMERICAN UNIVERSITY; AND ALAN SIMPSON, VICE PRESIDENT OF POLICY, COMMON SENSE MEDIA STATEMENT OF MARY KOELBEL ENGLE Ms. Engle. Good morning, Chairman Bono Mack, Ranking Member Butterfield, and members of the subcommittee. My name is Mary Engle, and I am the associate director for advertising practices in the Bureau of Consumer Protection at the Federal Trade Commission. I appreciate the opportunity to appear before you today to discuss the Commission's enforcement and administration of the Children's Online Privacy Protection Act--or COPPA--Rule. Congress enacted COPPA in 1998 to address the unique privacy and safety risks created when young children under the age of 13 access the Internet. The goals of the act were to limit the online collection of personal information from children without their parents' permission to protect children's safety when they view and post information online and to maintain the confidentiality and security of personal information that is collected from children. The Commission believes that COPPA has largely worked well to fulfill these purposes and that even as online practices evolve, the law remains important today. The Commission has brought 17 actions to enforce COPPA since the COPPA Rule went into effect garnering more than $16.2 million in civil penalties. Our cases, which have been against both large, established operators, and smaller or newer companies often illustrate different core provisions of COPPA. For example, as social networking Web sites exploded onto the youth scene about 5 years ago, the Commission sought to ensure that these sites understood their COPPA obligations. In 2006, the Commission obtained a then-record civil penalty of $1 million against Xanga.com, a popular social networking site that allegedly improperly registered 1.7 million child users without first obtaining their parents' permission. Since then, the Commission has brought a steady stream of cases against operators such as Sony BMG Music Entertaining, Iconix Brand Group, and Playdom Incorporated, each of whom sought to engage child users in the Web 2.0 world. The Commission's $3 million civil penalty against Playdom set a new record for COPPA cases. More recently, in the first COPPA case involving mobile applications, the Commission charged mobile app developer W3 Innovations with violating COPPA by collecting and maintaining personal information from thousands of children and allowing them to publicly post personal information on in-app message boards for their Dress-Up and Girl World games. This case, which included a $50,000 civil penalty made clear that COPPA reaches mobile online services and not just traditional online services and Web sites. Although law enforcement is a critical part of the Commission's COPPA program, enforcement alone cannot accomplish all of the agency's goals. The Commission also works to educate businesses and consumers about their rights and responsibilities under the law. The agency devotes significant resources to assisting Web site operators with rule compliance, regularly updating business education materials, and responding to inquiries from operators and their counsel. The Commission's consumer education materials, including our online safety portal OnGuardOnline.gov, inform parents and children about the Rule's protections and also provide them with general online privacy and safety information. To help ensure that COPPA continues to work well, especially in the face of an explosion of children's mobile devices and interactive online services, the Commission initiated a review of the COPPA Rule last year. Drawing from the expertise the agency has gained in enforcing and administering COPPA over the years and after extensive consideration of public input, last month, the Commission proposed modifications to certain areas of the COPPA Rule. While the Commission's testimony goes into these changes in greater detail, among the proposed changes are updating the Rule's definition of personal information to include geolocation information and the use of persistent identifiers to direct online behavioral advertising to children, improvements to the notices that operators must use to inform parents of the operator's information collection practices, the addition of a number of permissible methods operators may use to obtain parental consent, strengthening the Rule's data security protections, ensuring of agency oversight of the COPPA Safe Harbor Programs. The proposed changes are consistent with the original mandates in the COPPA statute. The Commission will take public comments on these proposals until November 28. The Commission takes seriously the challenge to ensure that COPPA continues to meet its originally stated goals even as children's interactive media use moves at warp speed. Thank you for this opportunity to discuss the Commission's COPPA program, and I look forward to your questions. [The prepared statement of Ms. Engle follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mrs. Bono Mack. Thank you very much, Ms. Engle. Mr. Nigam, you are recognized for 5 minutes. STATEMENT OF HEMANSHU NIGAM Mr. Nigam. Chairman Bono Mack, Ranking Member Butterfield, and members of the subcommittee, thank you for giving me the opportunity to provide insight on best ways to protect children's privacy in an electronic world. I have been at the forefront of nearly every major aspect of online and offline child safety for the past 20 years. Today, I am the founder and CEO of SSP Blue, a safety, security, and privacy strategic business consulting firm. My company provides strategic guidance that promotes the protection of consumers, especially children, encourages corporate social responsibility, and develops partnerships with law enforcement, government, and NGOs. Past and current clients have included News Corporation, Microsoft, AT&T, Tagged, Formspring, and others. To be clear, I do not speak on behalf of any of our existing clients today. Prior to SSP Blue, I served in leadership roles at News Corporation, MySpace, Microsoft, and MPA from the time the Internet was just a baby to the time that social media was barely a toddler, and in each endeavor, I provided strategic direction that put children's safety, security, and privacy at the forefront of the business. I have also served as a federal prosecutor against Internet crimes against children and computer crimes at the Justice Department, an advisor to the COPPA Commission, and advisor to the White House Committee on Cyberstalking, and as a prosecutor against child molestation and sex crimes in the L.A. County District Attorney's Office. And so I speak to you from various perspectives in government, in law enforcement, in private industry, and as a father of four children ranging in age from 6 to 16. The FTC has engaged in a meticulous and thoughtful process in the review of the Child Online Privacy Protection Act and should be congratulated. I also want to stress a concept that is easily forgotten. The industry has an incentive to do the right thing when it comes to protecting children's privacy rights. Businesses lose when they violate a child's privacy rights. Their brand reputation suffers, their consumer loyalty drops, their friends in child advocacy groups disappear, and most important, they lose the trust of the parents and guardians who care for the very children that they cater to. In essence, without doing the right thing, an online business cannot succeed. Within this context, I would like to propose this subcommittee a framework on how we should approach whether and what changes are needed in COPPA. Whenever we think of protecting children, whether it is for their safety, security, or privacy, our first inclination is to protect them from anything that sounds bad instead of what is bad. Solutions based on things that sound bad eventually will fail. In the past 10 years, I have had the honor of advising the COPPA Commission, sitting on the Berkman Center Internet Safety Technical Taskforce, and co-chairing the federal Online Safety Working Group. In each of these endeavors, we could have responded to problems that sounded bad, and instead, we spent the time finding the actual problems and then proposing the necessary solutions. While technologies have evolved since the advent of COPPA, I urge you to consider whether an actual problem has been clearly articulated that needs to be solved when looking at each individual change that is being proposed. Next, consider whether existing regulations can be used to respond to an identified problem. Looking back on the FTC's COPPA enforcement actions, it is clear that current regulations and rules have been quite useful and effective. In fact, a great majority of the industry does a tremendous job in working within the rules, whether their product is directed at children under 13 or 13 and over. Even new companies know what is expected of them before they enter the marketplace. Interestingly, companies are finding it easier to provide services for the 13-plus as a much better business model. And so we must ask whether today there are other bad actors the FTC finds it cannot enforce against as an evolving landscape created gaps. In areas where existing regulations are needed, we should then determine the best solution. Several factors should be considered. What we must ask: 1) Would the proposed change actually close an identified gap? 2) Would it create technical implementation challenges? 3) Would it lead to conflicted with other agency and department demands or expectations such as conflict that arises between data retention, data minimization, and data preservation? And 4) Would it lead to unintended consequences such as creating disincentives to providing a rich online experience for the under-13? If we utilize this framework when considering the changes, I think we will be able to protect children's online privacy by implementing solutions that work while the technology evolves. And in closing, I want to stress that if we were to accept the proposed changes in whole, we can expect an immediate impact on the marketplace. Larger companies will adjust where they can and simply shut down areas where there is simply too much uncertainty. And smaller and newer companies will find investors spooked by uncertainties. Such a multi-year cycle can be avoided if you spend the time now to examine the proposal within the framework that we are outlining and identify actual problems, create effective solutions that can be readily implemented by those already incentivized to do the right thing. Thank you, Chairman Bono Mack, Ranking Member Butterfield, and members of the subcommittee, for giving me this opportunity to address you on this important topic. [The prepared statement of Mr. Nigam follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mrs. Bono Mack. Thank you very much. Mr. Reed, you are recognized for 5 minutes. STATEMENT OF MORGAN REED Mr. Reed. Chairman Bono Mack, Congressman Butterfield, thank you for holding this important hearing on children's privacy, FTC, and COPPA regulations. My name is Morgan Reed and I am with the Association for Competitive Technology, and we represent the mobile apps developers. With more than 3,000 members spread throughout the United States and the world, our folks are focused on doing all those cool apps you see on television. So during the past year, ACT has had a chance to reach out to our developers and other developer organizations throughout America to discuss privacy and the importance of privacy by design. At a recent conference, I was scheduled to present on privacy, but before I spoke, developers were given an opportunity to talk about their business. Everyone got up and said this is what they were excited about, this is the direction their business was going, and as I heard all these folks talk, I noticed at the end of their conversation always concluded with two words. And these two words are two words we don't hear much in the United States right now and they are words that I think are absolutely critical to all of our discussions going forward. Those two words--``We're hiring.'' And the good news is this wasn't just some random event that I was at where it was a special enclave of jobs that no one knows about. A recent study out of the University of Maryland shows that Facebook apps alone have created 200,000 jobs. Our own internal studies show that 600,000 jobs have been created, saved, or supplemented from the mobile apps economy. And the good other part of this news is is that with all deference to Chairman Bono Mack's great State of California, 88 percent are small businesses and over 70 percent are not in the great State of California. So it is widespread, it is small, and it is growing. Now, besides creating jobs, developers as a community are passionate about one other thing and that is privacy. And education apps are particularly focused on privacy because the vast majority of mobile apps are built by parents. Now, these aren't folks who started their company looking to get rich; they were looking to provide an interactive family experience for their kids on this device that they brought home from work. So they want to do good and that is why we are working with organizations like PrivacyChoice.org to build privacy policy generators so that they can easily become aware of and comply with privacy regulations. But before we all get into the specifics about Section 312.4 of the NPRM or what the meaning of ``collect'' is, I thought I would take some time to discuss the kinds of apps these small developers are creating. For example, from your district we have Animal Apps and Animal Pronunciations from Palm Springs. For Congressman Butterfield's district, we have got We Pray, Pray With Me, which is a special app for the iPad that allows grandparents to record a prayer for their child so that if they are aware, if they are out of state, if they can't see them, the child can hear their voice. It is also used by parents that are deployed overseas and folks who are just on business trips. What a great app. We have got from Congressman Waxman's district, we have got 3 Trees, which helps educate kids about water, sun, and air, and the three elements that power the world. From Congressman Lance's district, we have got Random Acts of Kindness, which helps kids know about 300 different random acts of kindness they can do, charities they can donate to, and inspiration for goodwill. From Utah, we have Tap Fuse. They have got two great apps--one that helps kids with the alphabet; another that they are doing right now that is about anti-bullying. Congressman Harper, Mississippi State currently offers field studies in iPhone entrepreneurship at Mississippi State and right now you have got one guy out of there who is still a freshman, his app has already sold 20,000 copies and it is an education app for kids in school. Congressman Guthrie, we have got Oink-a-Saurus, which is a great app. It is a piggy bank that helps kids learn about the stock market and how they can save money. Congressman Olson, we have got Music Master, high tech flashcards for practicing reading music. In Maryland, we have got Pickpocket Books, which was a company built by a woman literally a stay-at-home mom on her couch who watched her child using the iPad and said, you know, I would like to combine this technology with my child's love of reading. Since then, she has built a micro empire of more than 80 books on the iPad store that she has hired voice actors, artists, and developers who have created interactive applications that allow children to listen to the book, have the book read to them, and read back and practice. Now, my own daughter who is now 5-3/4 she reminds me likes math apps from Montessorium from Sioux Falls, South Dakota. It is a great app that combines the tactile Montessori Method of teaching with the touch pad on an iPad screen. Now, I know that some here will talk about those in the tech industry or media in a way that implies the larger faceless corporation. I love the FTC's testimony earlier but she said we speak with the companies and their counsel. The vast majority of companies that I have named have no in-house counsel right now, and so for them this is a learning process. Now, I want you to remember that the incredible innovation happening today is not driven by faceless corporations but by thousands of moms and dads working to build applications that educate, motivate, and enrich their families. So let us make sure that we don't mess up this as we work to achieve a better online privacy protection. Thank you for your time and I look forward to your questions. [The prepared statement of Mr. Reed follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mrs. Bono Mack. Thank you, Mr. Reed. And just a side note, I appreciate the reference to California and the earthquake damage, though, up there on the wall is not my fault. Mr. Reed. You are bringing good apps, just not earthquakes. Mrs. Bono Mack. Mr. Balkam, you are recognized for 5 minutes. STATEMENT OF STEPHEN BALKAM Mr. Balkam. Thank you very much, Chairman and Ranking Member Butterfield and members of the subcommittee. My name is Stephen Balkam and I am the CEO of the Family Online Safety Institute. It gives me great pleasure to testify before you today at today's hearing. We would like to applaud the chairman's leadership on these issues. The series of hearings held by this subcommittee are a prime example of an effective step that the government can take to balance the promotion of technological innovation with the need to keep children safe online. FOSI is an international, non-profit membership organization working to make the online world a safer and healthier place for kids and their families, and we do this by identifying and promoting the best practice, tools, and methods in the field of online safety and privacy that also respect free speech. Personally, I have had over 16 years experience working in the Internet safety field and I am the proud father of two daughters. The views expressed in both my written and oral testimony are my own and do not necessarily reflect the views of all the FOSI members. So the online landscape for all users has certainly changed in the past 11 years since COPPA was enacted, none more so than for children. We need a more sophisticated approach that empowers families to gain and maintain control of their digital lives. Simply put, in order to encourage safe and responsible online use, we need tools, rules, and schools: the technology tools of filters and monitoring devices; balanced laws, terms of use, and household rules; and education on good digital citizenship, online safety, privacy and security. At FOSI, we believe in building a culture of responsibility to ensure that children have a safe and productive time on the Internet. We support balanced government oversight of industry self-regulatory efforts. This approach allows for maximum innovation and creative solutions, as well as the potential for enforcement actions and legislative intervention in the event of industry non-compliance. Parental empowerment is an important component of this approach. Recent research commissioned by us and carried out by the Hart Research showed that 93 percent of parents have set rules or limits to monitor their children's online usage and 53 percent of parents have used parental controls. FOSI is working with industry to promote increased awareness of parental controls and education as to their use. We commend Congress and the FTC for their work in providing reasonable government oversight through COPPA and its corresponding Rule, while encouraging self-regulation and promoting parental empowerment and children's responsibility. The FTC has continued to evaluate the effectiveness of the Rule and propose revisions where necessary. The planned revisions contain many positive aspects and ideas relating to the definition of a child, the actual knowledge standard, the expansion of parental consent requirements and methods, as well as proposed revisions to the safe harbor regime. We agree fully with the FTC's analysis that the current Rule is broad enough to encompass the technological advancements that have occurred in the past 11 years. The COPPA statute defines child as ``an individual under the age of 13,'' and we are pleased that the FTC has determined that it remains the appropriate age. Changes to the statutory definition could lead to a substantial increase in children lying about their age, or for that matter parents lying about their kids' age, and thus negate protections afforded to younger kids through COPPA and specific Web site protections for minors. The FTC's enforcement mechanism foreseen in the original Rule has provided a flexible and valuable tool that has allowed the FTC to adapt to the changing technologies. Recent enforcement actions which we just heard about against W3 Innovations, an app developer, show that the FTC was able to use the Rule to ensure the compliance of a technology that was not widely available when COPPA was enacted. The FTC's review of the Rule, in conjunction with their recent enforcement actions, demonstrates that no further action on the part of Congress is required at this time. The current system, with the FTC's proposed revisions, allows for privacy protection as well as technological innovations. Furthermore, attempts by Congress to pass legislation will almost certainly be rendered inadequate within a few years by the innovation of new methods of online interaction, sharing, and communication. In my opinion, a positive step that Congress could take in this sphere would be to increase funding for Internet safety and privacy education in schools, as well as for research into children's online behaviors and attitudes. This would allow for all future legislative efforts to be founded on a factual basis. Finally, I believe that the best way to ensure that children have productive, safe, and secure experiences on the Internet is through awareness, education, and empowerment. I would like to thank the subcommittee again for holding this timely and important hearing. We believe that with reasonable government oversight, the self-regulatory and multi-stakeholder approach currently being championed in the United States-- although under attack in other parts of the world--can continue to protect kids and their privacy on the Internet without impeding technological innovation. Thank you very much. [The prepared statement of Mr. Balkam follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mrs. Bono Mack. Thank you. Dr. Montgomery, you are recognized for 5 minutes. STATEMENT OF KATHRYN C. MONTGOMERY Ms. Montgomery. Thank you very much, Chairman Bono Mack, Ranking Member Butterfield, and the other members of the subcommittee. I really appreciate the opportunity to be here to talk about children's privacy. It was during the 1990s in the mid-1990s that I started investigating what was going on with online children's Web sites, and I was very disturbed to find that because of the increasing value of children as a target market and their avid involvement with the Internet, companies were setting up Web sites all over the web that had a business model really based on taking a lot of personal information from children and offering prizes and doing all kinds of things in order to get children to give up personal information. One of my favorites was the Batman site that said ``be a good citizen of Gotham and fill out the census.'' And there were many, many others like that. And I did not hear when I went to industry meetings and when I read all the cited coverage about all this any mention of children's privacy, any concerns raised in the industry, and that is why we went to the FTC. I was pleased that I was able to work with both sides of the aisle in Congress, with the FTC, with the Coalition of Child Health, and consumer groups, and with industry stakeholders to craft a statute and a set of regulations that would successfully balance our collective interests in nurturing the growth of commerce on the Internet while protecting the privacy of our children. And because decades of research had already identified that younger children had particular vulnerabilities to advertising, one of the key goals of the law was to prevent online companies from targeting individual children with marketing messages. COPPA has served, as many people have observed here, as an effective safeguard for young consumers under the age of 13, and it sent a strong signal to the industry if you are going to do business with our Nation's children, you will have to follow some rules. And that was built into the system. As a result, some of the most egregious data collection practices that would have become state-of-the-art were curtailed. Today, however, children are growing up in a ubiquitous 24/ 7 digital media environment. The data collection practices that we identified in the '90s have been eclipsed by a new generation of tracking and targeting techniques. The Commission's proposed rules for updated COPPA offer a careful, well-researched, and sensible set of recommendations for addressing many of these practices, and I want to briefly highlight three of them. The first, which others have mentioned is mobile and other location devices. Roughly half of all children have mobile phones now by the age of 11. You can ask any parent. Advertising is growing on mobile technologies. Geolocation makes it possible to target kids wherever they are. This raises not only marketing abuse issues and privacy issues but also safety issues. I think the agency has appropriately clarified that COPPA should apply to mobile and other web-connected location devices. The second issue concerns this notion of what is personally identifiable information. I was a participant in the 2010 June roundtable at the FTC. I was quite taken with the amount of consensus among a wide spectrum of participants that these days there is really no longer a meaningful distinction between personal information and such ``non-personal information'' as persistent cookies and IP addresses. And the Wall Street Journal did an investigation last year showing that a lot of these things are being placed routinely on children's sites. While the FTC proposed rules would then apply COPPA safeguards to protect children from companies that want to use the tools to behaviorally target individual children or to create profiles or share the information, the rules are also narrowly tailored so that they wouldn't interfere with what the companies are doing in terms of their regular normal business operations. And I think this kind of sensitivity is reflective of how the FTC has done a good job here. By the way, on mobile phones, I am disappointed about text messaging. I hope we can talk about that because we know how much kids are using texts. And finally, I agree with the Commission that the mechanism of parental verification that we created with COPPA is not appropriate for teens. However, I do feel strongly that adolescents can no longer be ignored in the public policy debates over online privacy. We know they are being encouraged to share a lot of information. They also do not know how all of their data are tracked by all of these other kinds of technologies that are now online. I hope the FTC will develop some specific recommendations in its broader privacy agenda. And the goal of any public policy on teen privacy should balance the ability of young people to participate fully in the digital media culture with the government and industry's obligation to ensure that youth are not subjected to unfair deceptive surveillance, data collection, or behavioral profiling. The legislation offered by Representative Joe Barton and Representative Ed Markey known as the Do Not Track Kids Act of 2011 is based on these principles and it is to give teens themselves the power to make their own decisions about their privacy online. If we can build privacy principles into how our online businesses engage with both children and adolescents, we can help ensure that young people are treated fairly in the digital marketplace and that they grow up with an understanding of their rights and responsibilities as consumers. Thank you. [The prepared statement of Ms. Montgomery follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mrs. Bono Mack. Thank you. Mr. Simpson, you are recognized for 5 minutes. STATEMENT OF ALAN SIMPSON Mr. Simpson. Good morning, Ms. Bono Mack, Ranking Member Butterfield, and thank you to all the members of the subcommittee for this important hearing. I am Alan Simpson. I am with Common Sense Media, and I want to begin by outlining that Common Sense Media works as a nonprofit, nonpartisan organization dedicated to helping children and families thrive in a world of media and technology. One way that we describe our work is that we love media. We work with everyone to make it better for kids. We admire and embrace many of the innovations we have seen in this space in recent years, and we believe that parents, educators, companies, and policymakers all must play a central role in helping to protect children's privacy in this rapidly changing electronic world. And we work with each of these groups to improve the media lives and the privacy opportunities of children. The Federal Trade Commission's proposed rule revisions will help keep COPPA up to date with this rapidly changing world. They will improve protections for children's online privacy, encourage parental involvement, and foster innovation in online services for children, especially the innovations we most need--innovations to protect children. The COPPA recommendations will help hold the industry more accountable, and most importantly, they will build on the fundamental purpose of COPPA, which is bolstering the role of parents as the informed gatekeepers in the lives of their young children. This is not a question of whether kids will be online or offline. We all know that kids are online and they will always be online. It is most a question of who will be watching them and who will be watching over them when they are online. I would like to echo Dr. Montgomery's remarks about the value of the FTC recommendations and emphasize most of all that the FTC has struck a careful and reasonable balance between maintaining the internal operations of online services and protecting children from intensive tracking and behavioral advertising. The FTC proposals will be important steps for younger kids, but teens still need protections and they need empowerment, and the legislation Mr. Barton mentioned--H.R. 1895--will be a strong baseline for those protections and that empowerment. In my written remarks, I have outlined in more detail the work that Common Sense Media is doing with parents and schools, including dozens of articles that we have published in the last year and a half around privacy and security. And many of those parent tips that we published are among the most popular resources on our site for parents. We also work in more than 18,000 schools around the country providing the education around smart, responsible use of media and privacy and security are an essential part of that. But one of the most important parts of this equation are the media and technology companies themselves, and we feel they must do far more to help parents and families protect children's online privacy in part because they are in the best position to develop better technology, better tools, and better information for users. There have been positive steps in this area of late, but on the whole, media and technology companies have not done enough to provide better solutions for families. Parents need the innovators to innovate to protect. In our experience, the companies will, especially if they are encouraged by this subcommittee and this Congress to do so. Thank you. [The prepared statement of Mr. Simpson follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mrs. Bono Mack. Thank you, Mr. Simpson. And I will recognize myself, then, for the first 5 minutes of questions. And again, I thank you all very much for your testimony. And I would ask, Ms. Engle, can you elaborate on why the Commission opted not to seek a change on the age threshold? Ms. Engle. Yes. That was an issue that we considered very carefully and we thought that Congress when it enacted the statute and it also thought about that at the time and believed that it reached the right result that under 13 is the right cutoff. While any particular age cutoff is going to be somewhat arbitrary and children do develop at different rates, the whole idea behind and the way that COPPA works is for the child to provide their parents' email address in order that the operator may contact the parent to get permission to further interact with the child. And the concern is that if you raise the age, COPPA may not work well because older children may not provide the parent's email address. They may provide their own or their friend's or a sibling's. And that is true even more now than it was earlier because it is very common now for children to have their own email addresses or multiple email addresses or they may simply lie about their age. And younger kids can do that as well but it is less likely. And finally, we have concerns about the constitutional rights that courts have afforded to teenagers and whether that might be unduly intrusive on the teenagers. Mrs. Bono Mack. Thank you. And you mentioned the email-plus rule. So the COPPA Rule allowed Web site operators to use a low-cost email-plus approach in determining whether there has been verifiable parental consent. And this was intended to be a short-term option available only until the Commission determined that more reliable consent methods had adequately been developed. Has the Commission now made such a determination and do sufficient substitutes for email-plus currently exist? And if you disallow that mechanism immediately, does that leave businesses in the lurch? Ms. Engle. So the Commission, when it crafted the COPPA Rule, decided to make a distinction between personal information collected for a site's internal use and information that is used publicly. That distinction is not in the statute itself but the Commission decided that it made sense on a temporary basis to make that distinction and allow a less reliable method of obtaining consent called email-plus assuming that more reliable methods, new technology would develop. That turned out not to be the case. The Commission expanded allowing that unreliable method a couple of times and then ultimately made it go on indefinitely when no new technologies developed. But having reconsidered it over the years, you know, we believe that COPPA statute didn't make that distinction between internal and external uses and that perhaps this unreliable but easy method has actually deterred the development of technologies that would allow a more reliable method. So in its place we are proposing that companies can apply to the Commission for a new method if we would place it on the public record, get comment, and that would allow the Commission the opportunity to really evaluate the method and determine whether it is reliable and then essentially include it in the Rule. It is true right now that the list of reliable methods is not exclusive. Companies can use any method that is reasonably designed to ensure that the person providing consent is the child's parent, but what we heard is that companies prefer the assurance that this is the method that essentially the Commission has blessed. They want it listed. They don't want to take the risk that the Commission may find it inadequate. So we have proposed this new method to help provide that assurance. Mrs. Bono Mack. Thank you. That is understandable. And the FTC proposes to add factors to its ``totality review'' of Web sites to determine if they are targeted to children under 13--for instance, music and celebrities that would appeal to children but many celebrities and a lot of music content appeal to both 8-year-olds, 13-year-olds, and 49- year-olds. Would that blur the age line and create confusion for Web sites as to whether or not they would be considered a COPPA operator? Ms. Engle. No, I think that, you know, we are still maintaining the same test basically. It is the totality of the circumstances. We look at a number of factors to determine whether a particular site is directed to kids under 13 and by adding more factors, we are not changing the test. We are just making it clear that these are factors that one can consider. And yes, it is true that it is never, you know, will never be a bright-line cutoff that no children under 13 would be interested in an over-13 site and vice versa. But by adding more factors, we are trying to make it more transparent to operators the kinds of factors the Commission considers. Mrs. Bono Mack. Thank you. And right on time. The Chair will recognize Mr. Butterfield for 5 minutes. Mr. Butterfield. Thank you. There is a published study titled ``Always Connected: The New Digital Media Habits of Young Children.'' I believe Dr. Montgomery has referred to it from time to time. This study published through the Sesame Workshop contains some interesting findings about the digital media usage habits of white, Hispanic, and African American children. In particular, while the study points out that the digital divide remains, when children of color do have access to digital media, they tend to use it substantially more than white children. African American children between ages 5 and 9 the report says spends 41 minutes online per session. White children in that group spend 27 minutes online per session. Hispanic children between the ages of 8 and 14 spend almost 2 hours online each day. That is 40 minutes more than white children. The study also points out that children from low-income and ethnic minority homes are less likely to have adult guidance when accessing the Internet. As a result, they are spending more time on lower-quality Web sites or on activities that won't help them develop school- based skills. And so, Dr. Montgomery, I would like to hear any thoughts that you might have whether COPPA parental notice and consent models work well for all children or if there are any changes that could and should be made to account for the differences that I have referenced. Ms. Montgomery. Yes, thank you for asking that. I am concerned about ethnic children as you point out and I am actually looking at a lot of those issues in another context. I am doing a project on food marketing and we are very concerned that there are very aggressive techniques that are being used to target particularly ethnic children who are at greater risk for obesity as well. So this is a very complicated problem. I think it is probably difficult to enact a law that can address those specific needs around privacy. What we want to do is to have a set of rules that work as best as they can for all children with special sensitivities to children who are at risk. And I think that the proposed changes in the guidelines will do that, but it is going to be very important that companies take these obligations very, very seriously. And particularly, I think companies that are targeting that age group ought to be encouraged to develop their own self- regulatory mechanisms to work more effectively to ensure children's privacy. Mr. Butterfield. But you do agree this is an issue that we need to be concerned about and address? Ms. Montgomery. It is. Mr. Butterfield. As best we can legislatively. Ms. Montgomery. And not only that. Spanish language needs to be looked at. I think that the Congress could do more to look into these things. We haven't had enough examination of these areas either. Mr. Butterfield. Ms. Engle, has the Commission looked at this issue in any respect? Ms. Engle. The Commission has not received specific data on--I mean we do have information on the greater use of Internet technologies and mobile technologies certainly by ethnic minorities for example. Whether there are additional protections that are needed that come from that, we haven't received information on that. Mr. Butterfield. Do you agree with Dr. Montgomery that it might be a little difficult to develop some type of regulatory protections to protect against these, that ideally it is a problem but developing protections might be challenging? Ms. Engle. Yes, I agree with that. Mr. Butterfield. All right. Can you help us out, Mr. Simpson, with this, please? Mr. Simpson. Well---- Ms. Montgomery. Can I add something? Mr. Butterfield. Yes, sure. Ms. Montgomery. Because I do think in one area that we might want to think about changing some things because if we look at the kinds of data that are collected, when racial data are collected and children are then marketed to based on the kind of profiling that can take place with that data, that I think can be very problematic and can be very discriminatory and I think that needs to be investigated. Mr. Butterfield. All right. Mr. Simpson? Mr. Simpson. The only thing I can really add, sir, is that one of the concerns we see in the broader space around privacy and other concerns that parents have around digital media is it is, as the FCC's studies have shown, one of the reasons for lack of adoption of broadband and digital media. We all see great benefits for families and communities in broadband and what it can bring to their communities, but if they are reluctant because of what they see as the downsides--and lack of privacy and security is certainly one of them, especially in rural areas and among low-income communities. Mr. Butterfield. Let me give my last 5 seconds to Mr. Reed. Yes. Yes. Mr. Reed. I want to be the guy with good news here. I am sure that you have seen studies from Danah Boyd and more importantly, we have worked with Dr. Nicol Turner-Lee at the Joint Center and it turns out that mobile applications and the mobile environment is something that actually is having an impact in low-income and especially minority communities. And I think as we talk about privacy and what the government can do to shut down things and be careful about it, I think it is really important that we allow some opportunity for these things to flourish. Remember, mobile apps have only been in existence since 2008 and what we have seen from Dr. Nicol Turner-Lee's information and Dana Boyd is there is a huge opportunity for us to reach people who have never had a PC in their home through their mobile phone, but more importantly, their mobile smartphone. So I think as you talk about what the government can do and the ways it can play a role, we need to make sure that the choices are there for them to have cool things to do rather than just tell them how they can't do things. Mr. Butterfield. Thank you. Mrs. Bono Mack. Thank you. The Chair will recognize Mr. Barton for 5 minutes for questioning. Mr. Barton. Thank you, Madam Chairwoman. I am going to ask my first question to the representative of the Federal Trade Commission. If you don't expand the protections of the law to 13- to 17-year-olds explicitly, how do we protect them? Because they are not adults and while they are able to make some decisions on their own, I do not know that they are fully capable of making some of the decisions that would be required in this area. Ms. Engle. The Commission is considering the privacy interests of teens in its broader review of privacy generally and certainly we have considered that. Some of the ideas that we have offered in that area, for example, very clear notice about the kinds of information that is being collected and how it is being used made at the point that the information is collected as well as data security would also provide benefits to teens. But the Commission at this time hasn't reached any conclusions as to what additional privacy protections teens may need. Mr. Barton. So would it be safe to say that the provision in the Barton Markey bill that gives these protections explicitly to 13- to 17-year-olds, the FTC is not automatically opposed to; you are just not totally supportive of? Is that a fair statement? Ms. Engle. The Commission hasn't taken a position on the legislation yet, but I would say that we are definitely not automatically opposed to it and we would be happy to work with you on it. Mr. Barton. In a similar vein, in the bill that Mr. Markey and I have introduced, we explicitly cover mobile applications. The proposed enhancements that you testified to in existing law do not explicitly cover mobile applications. Are you opposed to the provision in the Barton Markey bill that makes that explicit or you just need to study that more also? Ms. Engle. No, we are not opposed to it. In fact, we believe COPPA already does cover mobile applications. We interpret them to be online services already covered by the Rule, and in fact we recently brought a case against a company that was a mobile app provider on that basis. Mr. Barton. See, my position is that more and more of our teenagers and certainly even, sadly, children are getting iPhones and iPads and you almost have to explicitly cover mobile applications just because that is where the younger generation is going. So, you know, they are not going to be sitting behind a computer. They are going to be walking around and doing stuff as they are out and about. I want to ask Mr. Balkam, your institute has got a great- sounding name. Who funds that? Who funds your institute? Mr. Balkam. We have more than two dozen members mostly from industry, so from AOL at one end of the alphabet to Yahoo at the other. Mr. Barton. And there is nothing wrong with that, but they would be industries that try to make a profit--which again is a good thing--by using the Internet and they would tend to want to collect information about people on the Internet. Is that not a fair statement? Mr. Balkam. I think that is a very fair statement and I also agree with my colleague Nigam's point that it would be against their very own interest to, as it were, violate kids' privacy in so doing because it would actually rebound against them. Mr. Barton. OK. Now, my understanding is that your institute doesn't support the bill that Mr. Markey and I have introduced, is that correct? Mr. Balkam. That is correct. I particularly took notice of the eraser button idea and particularly Congressman Markey's own statements at an Internet privacy hearing in July when as he was talking about kids posting stuff--particularly teens--I will quote him, ``what were they thinking? It will want to be the parents who will want to erase it. They have a right to do so. I am not talking about Big Brother; I am talking about Big Mother and Big Father.'' And so given that, while proponents of the bill talk about giving kids and teenagers more control over their privacy, what we see--and particularly let us think about a 17-year-old who is already---- Mr. Barton. I want to ask you one more question. I am not going to cut you off but I have only got 20 seconds so---- Mr. Balkam. We have serious concerns about parents taking things off the Internet of their 17-year-olds and it is not as simple as rubbing out like a piece of---- Mr. Barton. We can work on that. I want to get consensus on one thing I think that your group can agree with me on. Do you oppose the use of super cookies, your group? Mr. Balkam. We think that it is something that deserves considerable amount of attention and we are looking forward to future hearings on that, yes. Mr. Barton. OK. Well, for those of you that don't know, a super cookie is something that is put on your IP address without your permission and you cannot delete it. You don't know about it. It can collect information--it can even collect information on where you go on other sites and you don't know anything about it and it can't be deleted. And I hope at some point, Madam Chairwoman, that we will all agree legislatively to ban super cookies. And with that, I would yield back. Mrs. Bono Mack. I thank the gentleman. The Chair recognizes Mr. Towns for 5 minutes. Mr. Towns. Thank you very much, Madam Chair. Mr. Simpson, in your testimony you emphasize companies can play a more active role in protecting privacy and personal information. In what ways can companies play a more active role in protecting our privacy? Mr. Simpson. Thank you, sir. I think most importantly I would recognize there are quite a few companies that are doing a better job of providing information, but I think the most important change that companies need to make in this space, companies large and small, is better opportunities on their own platforms, on mobile apps, on all the devices that they provide so that parents in the case of younger children and teens themselves have more chance to understand what is going on; what data is being collected; how they can opt out of it; whether they should or shouldn't opt into it; and to keep that information simple, accessible, and actionable. The big challenge in this space right now is that it is very hard to find out what is going on with my data when I use a given device or platform. The easier they can make that, the more we have parents who can make informed choices on behalf of young kids and teens who can make informed choices on behalf of themselves. Mr. Towns. All right. Thank you very much. Mr. Balkam, Family Online Safety Institute is your operation, right? Mr. Balkam. Um-hum. Mr. Towns. All right, good. What do you think the FTC did right in their proposed rule and what do you think is missing? Mr. Balkam. Well, as I said in my own testimony, I think they got the balance just right between protection on the one hand while not squashing innovation on the other. I don't think that there was anything that they left out. I mean it was quite a thorough review. We are very impressed with the range in their technical know-how about emerging technologies. So we are pretty happy with it. Mr. Towns. What about the definition of a child's age? Mr. Balkam. We think that is appropriate. We certainly do not advocate for it to be increased. As I was beginning to explain in my last response, we have some serious concerns about the older teens and whether or not they have some rights of free speech themselves. We don't really see the need for parents to come in and to take away their content as it were. Mr. Towns. All right. Thank you very much. Ms. Engle, you know, there has been some questions about the response period and the notification and that people are not informed. What methods and techniques do you use to solicit responses? Ms. Engle. Are you referring to comments on our proposals? Mr. Towns. Yes. Ms. Engle. Well, we have published it in the Federal Register issued, of course, as we must with all proposed rulemakings. We issued a press release, we have reached out extensively, we have an extensive email list to privacy advocates and people who have expressed interest in privacy, you know, in COPPA over the years. We are doing a lot of speaking. In fact, one of my colleagues is up in New York this morning speaking to the Children's Advertising Review Unit Conference on our proposal in COPPA. Mr. Towns. And the reason I raise this issue is that many members of the faith-based community are saying, look, nobody talked to us. We are not aware of this. When did it happen? In fact, they even blame me in many instances, you know, and that is my problem. Ms. Engle. Well, I know we have done outreach to faith- based institutions in other areas, for example, in fraud protection, and I think we can look into doing that here as well. Mr. Towns. Right, because these faith-based institutions have what we refer to as national conferences and if you in some way could arrange to get on their agenda, I think it would be a great service to all of us because they have some input there and I think that we should solicit it. Yes, Mr. Reed? Mr. Reed. I just wanted to add to that. I think you really hit a key point, and Congressman Butterfield, the app that I was talking about from your district, the author of that app has raised concerns. This was the first she heard about it when I contacted her through a group of developers. And she said well, this app allows grandparents to contact kids. Do I need to get parental explicit consent? How do I go about the process? And so this entire process to her, while there are rules and regulations, the publishing of something in the Federal Register, having discussions with privacy advocates is not necessarily the same as reaching out to the faith-based communities. And specifically, the app in your district is exactly the kind of app that Congressman Ed Towns has talked to me about. And I am hoping that we can work with her to make sure she understands the changes. Mr. Towns. Thank you very much, Madam Chair. Yes, thank you. Mrs. Bono Mack. I thank the gentleman. The Chair recognizes Mr. Harper for 5 minutes. Mr. Harper. Thank you, Madam Chair. And I certainly want to thank everyone for being here and as a parent now to a 19-year-old and a 22-year-old that we dealt with those issues and we had AOL and we used age- appropriate email settings as they were growing up. You know, I think there is a large responsibility for the parents themselves to make sure that they are monitoring this and we certainly want to have those tools available. And this is just a curiosity question, Ms. Engle, on violations that come to your attention that result in fines. Just a general breakdown of the percentage that come from your own search or investigation or policing, those that might come from third-party organizations and those that perhaps are reported by parents, can you give me just a general breakdown? Ms. Engle. I would say probably most of the violations we detect are from our own review. We do also get complaints and things are brought to our attention by the COPPA Safe Harbor Programs. They are a frequent source of complaints. Mr. Harper. If I could just ask this sort of as a--you know, we have heard a lot of different testimony here but just at its most basic level, what is wrong with advertising to children based on those likes or dislikes so long as the child is anonymous? Ms. Engle. So we think that the same privacy interests that inspired Congress to enact COPPA in the first place, the idea that at least with respect to children under the age of 13, young children, that parents are the ones who should be in the position of making the decision of permitting their children or not to interact with a Web site. And it goes both ways, both in terms of the Web site collecting personal information from the child and also being able to contact a child individually. And what we are seeing now and what is behind our proposal is that with things like tracking cookies which are able to track children across Web sites over time and direct ads based on their web browsing activity, that that is a form of contact of an individual that falls within COPPA. Mr. Harper. OK, thank you. Mr. Reed, I would like to ask you a few questions if I may. And certainly I know your position in a statement on a Supreme Court decision earlier this summer, Brown v. Entertainment Merchants Association, 7-2 Supreme Court decision that dealt with the sale of videogames to minors. Is there anything about that case that correlates to this that you have seen? Mr. Reed. Well, I think we have to step back and think to ourselves, what are we trying to do? What are the goals we are trying to achieve? I have an obvious bias. My goal is to make sure that we have mobile apps developers able to create jobs and specific applications that reach the right audience. And so when you look at both the Supreme Court decision and where we are heading both on this panel, I think it is pretty clear that our industry is, to borrow a phrase that was used earlier, putting the pedal to the metal and trying to get things into the hands of as many people as possible. Therefore, we are going to be enthusiastic and supportive of ways that allow people to have access to our technology. That said, just like with videogames, we are very sensitive to the content question. There is a big difference between, as we have discussed, and it is an interesting part about this whole privacy regime, in interviewing parents prior to this hearing and in other cases, when you ask them what do you think when you see that ``only 13 and over'' in this location? The vast majority actually think it is about content, not about privacy. So I think that we have merged a lot of these privacy questions with content questions in a way that I think we need to pull back from. So when it comes to violent videogames, when it comes to Supreme Court decision, we need to maybe separate a little bit out on how we view the collection of information, the content of information, and who the audience of those are. Mr. Harper. And I know I am almost out of time. I want to end with one last question, Mr. Reed, if I can. You know, you had expressed some concern about the FTC's proposal to disallow the email-plus system. And I would like for you to just speak for the next 23 seconds on that. Mr. Reed. I will make it really short. We are concerned that the FTC's email-plus complete abandonment is a bit of a Hail Mary. It is a well, we will get rid of this technology and magically new technology will develop. Now, that might happen but I think we are probably better off given just exactly how nascent the mobile apps industry is and how we are quite literally learning every day that I think we probably, if we are going to do anything, it should be considered sunsetted or given a longer time to stretch it out a little bit because I am not sure in the mobile space people are exactly ready to just magically create new technology out of next week. Remember, most of these companies are small and they don't have staffs of technologists ready to develop their own version of verifiable parental consent. So there needs to be some industry percolating and I believe there are other incentives that can be used rather than just tossing it all out at once. Mrs. Bono Mack. I thank the gentleman. I now recognize Mr. Guthrie, also the home of Oink-a- Saurus, for his 5 minutes. Mr. Guthrie. Thank you very much. I have to figure out where Oink-a-Saurus is so I have to---- Mr. Reed. I will send you a link. Mr. Guthrie. Send a link. That would be great. Thanks a lot. To Mr. Nigam, in your testimony you said that we don't need to be focusing on things that sound bad and focus on things that are bad. What is an example of things that sound bad that we have focused on that distracts us from---- Mr. Nigam. I mean I will go back more into the historical Internet safety world. There was a time when anytime somebody went online there was this fear that predators were going to attack them and that sounded bad, and then once that happened, there were tons of proposals on do A, B, C, D, and E to stop that. But every time research was done, what ended up happening was researchers showing around less than 1 percent or even less than that there were actual issues with that as opposed to issues with things like digital fingerprints that kids are leaving online when they are going places and 10 years later it is going to be haunting them when they are applying to college. That is bad versus what sounded bad. So those are the kinds of things that I am referring to when talking about that. Mr. Guthrie. OK. And you mentioned that it would be against the business model to abuse the information because obviously people would quit going to that business if that is the issue, but the FTC does find violations of it. Even though it would be a bad business model to do it, people are doing it or have done it, because from the FTC you do find violations of COPPA, I think. So how do you explain that? Mr. Nigam. I think that is a great question because if you look in the last 11 years, there has been 17 actions, which to me is amazingly small. And what you are finding if you go through each of the 17 actions, for the majority of them what you are going to find is companies who are unaware, didn't have the resources, didn't have counsel advising them, hadn't done the review when the developer was creating this great idea and most of the time didn't even know they were doing what they were found to be doing, which I think is very different than saying there is a company who made an executive decision. We know there is COPPA, let us see if we can get away with it, and we will make $10 million by the time they figure it out, and we will be disappearing after that. Mr. Guthrie. So there are no kinds of cases of that like you see in Medicare fraud or stuff like that? Mr. Nigam. I haven't read every line of everyone, but I would---- Mr. Guthrie. You know of no case that does that? Mr. Nigam. If there is, I am not aware of it. Mr. Guthrie. The typical violator would be someone who you find are small businesses that just, ``Well, I didn't know I was supposed to do that'' kind of thing? Ms. Engle. No, actually many of our cases are again very large companies--Sony BMG, Universal Music Group, Iconix, but what we have found in those cases is they attempted to comply with COPPA but didn't really follow through. So they may have at the registration page asked for someone to enter their date of birth and they intended that if the person entered an age under 13, they would be kicked off. In fact, they weren't. And then those kids were able to post information, et cetera. Mr. Guthrie. OK. Mr. Nigam. If I may. Mr. Guthrie. Yes, go ahead. Mr. Nigam. And having worked inside the companies with developers, what you often find happening is legal counsel in the large companies, most say here are the requirements. Developers don't always understand that and there is where the disconnect occurs. So when something is executed, you create a new product, a new feature, it may be one of those left-behinds or the right process wasn't in place, which is very different than an intentional violation or attempt to collect information from children that you know would violate their privacy rights or violate COPPA for that matter. Mr. Guthrie. Professor? Ms. Montgomery. Yes, I just wanted to say that having observed this all from the very beginning, if we hadn't instituted COPPA, you would see a very different marketplace. It is not a question of a business model not working. It wouldn't work now because it is not legal to work in that way, but it was heading in a direction that would have been absolutely outrageous and we would all be very, very upset at what we saw because data collection was built into the heart of it. And that is also what is happening with teens and adults as well. So that is why I think we need safeguards for everybody. Mr. Guthrie. Thanks. Mr. Nigam. And I do agree with what was just said in the sense that the expectations have been established and it has had a tremendous impact on the marketplace and the way it exists today. And so when I am focusing on what do we do next, that is when we have to look at each individual proposal and say is it proposing to solve a problem that sounds bad or actually is bad? Is there gaps? Are there things that can be done and are there going to be unintended consequences? For example, shutting off email plus is a great example of that. Companies have been doing email plus with millions of users for, say, 11 years or 10 years and all of a sudden that function disappears? What do you do with that millions of users on your site? How do you recreate the process? Are they grandfathered in? Those are the questions that have to be asked in that category of is there technical implementation concerns? Will there be unintended consequences? And I think that is why I wanted to focus more today on providing a framework within which to look at it as opposed to let us go line by line right now in this 2 hours that we have and come up with the answers. Mr. Guthrie. Thank you. I yield back. My time has expired. I yield back. Mrs. Bono Mack. I thank the gentleman and now recognize Mr. Olson for 5 minutes. Mr. Olson. I thank the Chair and I want to welcome the witnesses. And thank you for coming here today and giving us your time and your expertise. And my question is for you, Director Engle. And you stated in your written testimony that the Commission is not aware of any operator directing online behavioral advertising to children. However, the Commission is proposing adding to the list of what constitutes ``personal information persistent identifiers.'' For example, numbers held in cookies, user IDs, IP addresses, as well as screen and user names. And you state in your testimony that the effect of these additions would be ``to require parental notification and consent prior to collection and use of persistent identifiers for purposes such as behaviorally targeting advertising to children.'' My question for you, ma'am, is if the Commission isn't aware of any online companies directing behavioral ads to kids, then why does the FTC feel so strongly about wanting to change the COPPA Rule to address this issue? Ms. Engle. Our testimony is that no individual company has admitted that they are behaviorally targeting children under the age of 13, but there have been widespread reports in the press, for example, Dr. Montgomery referred to the Wall Street Journal article earlier that reported dozens and dozens of tracking cookies placed on child-directed sites. So it appears that the industry position has been that self-regulation is sufficient here to address the problem or the issue but our thought is that, I mean, what the regulatory principle says that their members will not behaviorally advertise to children under the 13 except in compliance with COPPA. And so that actually doesn't say much because if COPPA doesn't cover it, then they are free to do it. But the outward statement appears to be that they won't do it. So we want to kind of close that gap and require parental permission before that occurs. Mr. Olson. OK. Mr. Simpson, it seemed like you had some comments. Do you want to follow up on that at all, sir? Mr. Simpson. I would echo those remarks and say that we are seeing signs of what is increasing. We saw it in the Wall Street Journal story, we see it in the increase in ID theft, and we see it as a basic business principle of some of these companies, as Dr. Montgomery talked about, the pattern of advertising towards kids before COPPA was established. We also need to keep an eye on what the pattern of valuation of companies in Silicon Valley is right now and that is eyeballs. Do they have people on their sites? None of these companies I would suggest want to turn anyone away, and so their opportunity to reach out to kids of any age is valuable to them. I respect what some of my colleagues have said about the importance of corporate responsibility here, but I think they are caught in a tension and they do want the biggest audience they can get, whether that is an individual app or a large Web site. So we see lots of signs of how much they are marketing toward kids and targeting kids under 13 and over. Mr. Olson. Yes, sir. OK. One more question for you, Director Engle. For the 5 new proposed rule changes to the COPPA Rule being put forth by the FTC, has the Commission conducted any kind of economic impact analysis on these proposals, and if not, will you? Ms. Engle. We have certainly considered the cost as well as the benefits that we hope to achieve by the rule changes, and in our Federal Register Notice, we have estimated costs on small businesses and we are specifically seeking comment on our estimates. And if we are, you know, off on our estimates and inaccurate, we certainly would like to hear from businesses about that. Mr. Olson. And Mr. Reed, you are representing the app world so to speak and I want to say, by the way, while I was sitting here I texted my 14-year-old daughter and told her I was with the app guy and she basically said, Dad, can I get a job with him in the future? Mr. Reed. We are hiring. Mr. Olson. Do you agree with that assessment? I mean the small businesses that you represent be involved in the process? Mr. Reed. I have found the FTC to be towards me--as a trade association based in Washington, D.C.--very responsive. I think that they lack the manpower and resources to really reach out to a community that is now over 100,000 developers in the larger picture and tens of thousands of developers in the educational app space. So I think that I respectfully say that we will be filing comments with the NPRM specifically about the small business impact and we look forward to working with the FTC to make sure their estimates are appropriate. I think that as we think about all of this, we have to remember 2008 was when we had our first app store. So we have had all of these changes in business models, in technology, in capabilities in 24 months. So we are looking forward to working with the FTC, and I think I am probably going to say that we are going to estimate their cost up and encourage them to take a very measured approach on the impact to small business. Mr. Olson. Yes, sir? Mr. Nigam. I just wanted to make a comment. Because of the company that we have in terms of consulting with online businesses, we spend countless hours talking about COPPA and whether to choose even going under 13 and over 13 and the eyeballs question comes up and the uniform reaction is eyeballs that are good we want; eyeballs that are going to hurt us kill our reputation, therefore kill our business. And I think that is something we should keep in mind because that goes back to companies being incentivized to find the right way to do the right thing. Now, the challenge may be what is that right thing because we can't understand what it means. That is a very different question than whether you are motivated to even try. Mr. Olson. Thank you, sir. I am over time. I yield back. Mrs. Bono Mack. I thank the gentleman. And the Chair recognizes Dr. Cassidy for 5 minutes. Mr. Cassidy. I got a 10-year-old, and she will take my iPhone, go to my iTunes, and she will download Angry Birds. ``Dad, can I get Angry Birds?'' I never recall being asked if I am over 13. I assume iTunes knows I am over 13. But as I listen to you guys, I am suddenly realizing, man, how do you empower a parent? It sounds so nice as rhetoric, but as a guy with a 10- year-old who is always on my iPhone, I have no clue how I am empowered. I am feeling very un-empowered. Mr. Reed. I can help you with that. Mr. Cassidy. Somebody empower me, buddy. Mr. Reed. Within most of the devices, I am happy, you know, I can grab a cup of coffee and I am happy to walk you through. All of the devices now--some of them are better; some of them are worse--have pretty granular and pretty incredible parental restrictions that you can set up. On your iPhone, there is a page that you can go to where you can say your daughter can't download. You can set it up with its own password. You can---- Mr. Cassidy. OK. So my daughter downloads. My son who is 17---- Mr. Reed. Right. Mr. Cassidy. Vim and vigor, full of himself. Downloads something but my 13-year-old uses it. Mr. Reed. Right. Mr. Cassidy. Or if I go to my desktop, my 84-year-old mother who moves in with us is on the computer, my wife is, and then my daughter. So the super cookie has a place for my mother but it tracks all the way through three generations. Now, it seems like, unless somebody is logging off, which we don't do-- we reboot it--whether there is COPPA or not, it is going to be tracking whoever is on that computer, correct? Mr. Reed. That is correct. I would of course recommend that you get more mobile devices for your household. That is the clear solution here. Mr. Cassidy. Well, we are going that way. Mr. Reed. Get more. Mr. Cassidy. Yes. Mr. Reed. But yes, you are right. Mr. Nigam. Oftentimes I talk about how people distinguish between the online and the offline, but when you actually step back and say as a parent, how would I handle this situation if it was in the physical world? I think those same kinds of conversations need to apply, which means a conversation--and I have an 11-year-old--of you are not allowed to do this but your 16-year-old brother is. That is part one. Part two---- Mr. Cassidy. That assumes--think about a television. You walk by, you see the program, you have a sense of the content over a 30-minute show. You can have an entree into an online and then that entree takes you someplace far different. So the parent downloads it looks pretty benign, and next thing I know I have got, you know, $10 on my credit card bill. Now, I figured out how to stop that, but that said, I just say it takes you in places--Ms. Montgomery, I liked your testimony, so let me get your--I think you were going to say something? Ms. Montgomery. Yes. Well, what I wanted to say is I think what we need are tools that will help parents because it is baffling for all of us, and I agree with you. It is very frustrating and you can't really control where your kids are all the time, and that is why COPPA was designed to really address the business practices and really to minimize data collection. It was not set up to facilitate parental verification so that companies could collect a lot of data. It was really developed to ensure that Web sites targeting children did not collect a lot of data. Mr. Cassidy. But again, if my mother is on who is 84 and something is placed which begins to track and does not log out and my daughter gets on, something benign at the outset but perhaps less benign further in, I mean my mother has set the table for my daughter to be tracked, correct? Ms. Montgomery. Well, right. That is right. And that is why, you know, I mean this is an evolving marketplace and there will be more and more of that happening, as others have noted. Mr. Balkam. I just wanted to make a quick point that all of the major cell phone operators now offer pretty good parental controls. And in our survey that we just released a couple of weeks ago, we found that 25 percent of American families now do use that. Now, that seems like a fairly low figure, but then you compare it to the v-chip usage, which is around 15, 16 percent, that is not too bad. I would highly recommend that you also use---- Mr. Cassidy. Yes, I have a parental control but I am sure I am not using it to the full robustness as it should be. Mr. Balkam. And education. We need to empower---- Mr. Cassidy. Now, I will tell you when I look at your documentation and it says click here, once I actually read it, it was 40 pages of legalese and a lot of it was redundant. A lot of it was actually repeated. And it is like I am thinking they are trying to defeat me from reading it. Now, we laugh but---- Mr. Balkam. Sorry, sir. Mr. Cassidy. --it is repeated, repeated, repeated, and some of it is totally extraneous. It makes me think that that which actually I might object to is buried deep within. Mr. Balkam. I feel your pain. That is all I can say. Mr. Cassidy. I will tell you, though, but we have got to move beyond feeling pain to actually having something where a parent can look at and say it is one paragraph, boom, this works and this does not. Mr. Balkam. Right. Mr. Cassidy. Because right now I am thinking, heck, I can't read through this. Mr. Balkam. But there is another factor as well, sir, that you should consider especially with apps is that what drives those parental controls in many cases is the rating that was provided for the content. In television and movies that is provided by an industry---- Mr. Cassidy. Can I ask one more question before I run out of time, Ms. Montgomery? I read in the Wall Street Journal that if they have this interactive game and they make the tractor red, white, and blue on a patriotic holiday, people are more like to purchase something online. You realize that there is a subliminal suggestion taking place which is modifying the behavior of the person who is actually looking at the screen. Now, if that is true for an adult, this is absolutely true for my 9- and 10-year-old. How are we going to regulate this sort of subliminal molding the person who is looking at the interactive game to manipulate them into a behavior which they frankly may not be aware they are being manipulated? Ms. Montgomery. Well, these are major concerns. And I agree with you and we haven't even talked about things like neuromarketing, which is one of the trends in the industry as well, in the online industry. But this is exactly why I think we need to ensure that COPPA makes it impossible for companies to behaviorally target, to track an individual child and to create marketing that is designed for that child based on that child's behavior, psychological profiles, and other information that has been collected from that child. Mr. Cassidy. OK. That seems like nice-sounding recommendations, but how do we get there? I am not quite sure I know that. Ms. Montgomery. We have to keep working at it. Mr. Cassidy. OK. Thank you. I yield back. Mrs. Bono Mack. Thank you. The Chair recognizes Mr. Kinzinger for 5 minutes. Mr. Kinzinger. Thank you, Madam Chair. I may be the last person to ask you questions, so congratulations. You made it. Thank you for coming. Mrs. Bono Mack. Excuse me, sir. We plan a second round, so don't let them off that easily. Mr. Kinzinger. OK, this round. But I really appreciate you coming in and talking to us. This is very important. And I think as we, you know, here in Congress debate things like the economy and jobs and what is the proper role of government, you know, does government micromanage an economic recovery or is it the private sector, which I believe? This is a great opportunity to show how this area is an explosive market and really a bright spot in the American economy. It would be really sad to think of where we would be, frankly, without, you know, technology innovation right now as an economy. What place would we have in the world? So I think as we go forward it is very important that we understand that there has got to be a proper balance, of course, between where the government is involved and what it does and also stamping down on the innovation of the free market. Because again if we are going to get out of this recession, and we are, it is going to be through that free market. So it is good to hear also from the witnesses that the FTC is working well with the stakeholders in updating our privacy rules to reflect that evolving world. As you have heard from everybody here, I am amazed at what the young folks are able to teach me about, you know, what to do with applications and stuff like that. Even though I may be one of the younger members of Congress, all I can do on my iPad right now is surf the Internet. I really don't know how to do much else. So I can go to my nieces and nephews to help me with that if they need to. But I also want to say to me it is incredibly hard for parents to control or even know what their children are doing, and at the same time, I feel confidence, obviously, that mothers and fathers want to have that assurance that they know what is going on and things like that. The FTC has played an important role in this regard and should continue to work with the various stakeholders to ensure children's personal information is not being collected online. More can always be done and this committee must determine and it will determine whether the FTC has enough authority to keep up with online advances, at the same time finding that balance. My first question, though, is to Mr. Reed. As the apps become more enhanced in geolocation and social media interactions advance--and they do it at a record pace and an exponential pace, frankly--do parents have the tools to ensure that predators won't have access to their children's location? Because, to me, I see that as potentially being a very terrible story in the future. Mr. Reed. Right. That is becoming kind of a universal conundrum. How does my child share his information with his friends and not let people that we don't want to see it, see it? We are working on technological solutions, we are working on allowing kids to kind of develop their own friends list, but that has its own shortfalls. Does my 13-year-old--mine is 5-3/4 so she is not there yet--but does she know who her friends really are? The problem is is if we take a step back, we had this problem with this device called the telephone. People could call each other and say this is where I am. I will meet you behind the park or behind the baseball field. So it is really a struggle that we have on how do we take this location information that we are provided in our mobile device and somehow segregate it in a way that is different than, say, my physical telephone in my house saying I will meet you behind the baseball field. Mr. Kinzinger. Right. Mr. Reed. So we don't have the answers. We are trying to figure it out, but I a big part of what we are doing is empowering parents to know what their kids' device does and by alerting them very clearly, hey, this is going to share your location. Are you OK with it? And in the case of most of the mobile devices, you can turn that off completely. So in mine, my daughter can't actually hit any button that charts her geolocation. And so that is what we are going to have to do. Mr. Kinzinger. And that is good. And again, I mean in 2 or 3 years if you all are fortunate enough to come back here and talk, we are going to have a whole slew of new different questions---- Mr. Reed. Right. Mr. Kinzinger. --because there is going to be so much that we can't even begin to imagine now. And again, that is what beautiful about our innovating economy is that, you know, that is the case. But let me ask Ms. Engle. How is the FTC approaching geolocation technologies as it relates to children? And specifically, do you believe parents are given enough information to know what an app is storing about a child and what information is being shared with other users? Ms. Engle. The FTC believes that geolocation information is already covered as an item of personal information under COPPA because COPPA refers to physical location including street name and city or state and geolocation information is at least as precise as that and often more so. But what we have proposed is specifically adding geolocation as an element of personal information just to make that crystal clear. Mr. Kinzinger. Well, thank you. And again, this appears to be a good example of where government and private sector seems to be working well together. And I yield back. Mrs. Bono Mack. I thank the gentleman and recognize myself for the next 5 minutes. And to Dr. Montgomery, I appreciate very much your thoughts on this and your work on this over the years. Last week, I took a trip up to Silicon Valley and I visited a number of the big firms. It was very thought-provoking and I think that what really strikes me the most is how over the years the Internet has been built on the back of intellectual property. And early on when you think about Napster and Kazaa and the peer-to-peer networking and how we have moved into other models that actually try to pay for intellectual property, do you think, I mean behavioral advertising to me, I kind of grapple a little bit with why it is bad when sometimes they are trying to monetize these new models that end up trying to pay for content. Anybody who is a writer in the audience, you know, anybody who has ever been a part of any creative work, any longer your work is devalued because you can't get paid. And when something is out on the Internet in digital form, a master copy is a master copy is a master copy. How do you see moving forward, then, in a world where we need to try to provide decent, quality content for our children and still protect them from behavioral advertising? And you said that if we hadn't had COPPA--and I don't disagree with you--but you said it would have been outrageous what we would be living under now. How do you find outrageous and how do you see paying for quality content going forward as people are grappling with how to pay people who create valuable content for our children? Ms. Montgomery. Well, I will tell you that what I saw in the early days was leading to a business model where marketers were talking about creating personal relationships between a product spokescharacter and a child, things that nobody would ever talk about now in terms of microtargeting and targeting individual children. And I think what we have been able to do with COPPA is allow and enable that industry to grow and flourish but by creating some guardrails, some rules of the road where we are not taking advantage of the youngest children, whereas I mentioned earlier, research shows they don't have the cognitive capacities or the psychological developmental capacities to handle these kinds of very, very sophisticated behavioral targeting and---- Mrs. Bono Mack. But there must be some positive behavioral targeting out there, too. And this is what troubles me about these discussions we have in here with privacy, with security, is all of these issues have another side to the coin where some people see benefit, others see risk, all of these. My point here is what if we wanted to do an anti-bullying campaign? That is positive. What if we want to encourage our children to go to a great university like USC or something like that? And so there are ways to target them in a positive way as well, aren't there? We are stifling---- Ms. Montgomery. Absolutely. And from the beginning what we have said and I still agree with, we were never trying to eliminate marketing or advertising in this context. We think that is perfectly fine and identifying the IPs, understanding that an IP address is still now personal information, personally identifiable, that doesn't mean you can't provide contextual advertising to children. That is still very much possible. You can do all kinds of anti-bullying campaigns. They are happening online. None of this would restrict it. What I think is important, however, is that we create some safeguards for the kinds of data collection and profiling and highly targeted and potentially very manipulative advertising that is targeted at younger children. Now, when it comes to---- Mrs. Bono Mack. And can you speak a little bit towards monetizing the delivery of quality content? This is what it is all about at the end of the day. Ms. Montgomery. It is a tradeoff. It is always a tradeoff. And yes, of course you need to monetize the content but you do that at a price. And if it is a price that is not fair to children, that takes advantage of them, then I think you look for ways to alter that business model. Mrs. Bono Mack. Thank you very much, Dr. Montgomery. Mr. Simpson? Mr. Simpson. Just quickly to add to that, as a big believer in those incredible educational opportunities of apps, of a lot of this digital media, how do we monetize that? As much as possible we do that with the engagement and empowerment of parents. Make them part of the equation so that they know about the cyber bullying campaign that we want to promote and that they are engaged with their kids with talking about USC and other great institutions. Make them part of the equation. Mrs. Bono Mack. Quick question--and we are trying also to get enough time to Mr. Markey so he can be here--you like the eraser button. I don't understand how that is technologically feasible. I am not opposed to the concept, but again, if it is a digital recording, if a song is out there, it is out there forever. If a photograph is out there, it is out there forever. How do you technologically think that an eraser button is possible when it is already out there in cyberspace and you can't even attribute necessarily who originated it? Mr. Simpson. You are very right on that part and one of our first pieces of advice to parents and to our educational materials for kids is to make them recognize that these things can be forever and all the more reason why kids need to be very careful about what they post, what they share. But as the bill has drafted, to the degree that it is technologically feasible, the eraser button should address some of the opportunities for kids or teens, parents in the case of kids, to take down what they own. This also gets back to what, I believe, Congresswoman Blackburn has described as who owns the virtual you. So this is also an issue of intellectual property. This is an issue of property. When we start sharing things online, they do get much more complicated. They run into First Amendment issues and they run into shared ownership. But at what point do we have tools for parents and for teens where something that belonged to me, a picture I took of myself still belongs to me and is something I can take down. Mrs. Bono Mack. All right, thank you. I need to yield to Mr. Butterfield for 5 minutes. Mr. Butterfield. Thank you, Madam Chair. Ms. Engle, let me start with you. The statute contains a broad definition of personal information. It states simply that personal information means ``individually identifiable information about an individual collected online'' and then includes a nonexclusive list of identifiers. The FTC is also granted the authority to expand the definition to include any other identifier that the Commission determines permits the physical or online contacting of a specific individual. This is the authority that the FTC is relying on to bring the meaning of personal information into the COPPA Rule in line with the technological changes that have happened since the Rule first went into effect. Let me just ask you yes or no. Am I correct that you are not required by the statute to determine whether changing the definition of personal information will unreasonably impede technological innovation? Ms. Engle. That is correct. Mr. Butterfield. All right. Yes or no, am I correct that you are not required by the statute to determine whether changing the definition of personal information will adversely affect interstate commerce? Ms. Engle. That is correct. Mr. Butterfield. All right. Yes or no, am I correct that exercise of this authority does not require any finding other than that the identifier permits physical or online contacting? Ms. Engle. That is what the statute says. Mr. Butterfield. All right. Yes or no, am I correct that you get to use streamlined APA rulemaking and are not required to follow the more burdensome Magnuson-Moss rulemaking process to change the definition? Ms. Engle. That is correct, although we always, you know, seek comment on burdens and cost and technological feasibility, but it is not statutorily required. Mr. Butterfield. All right. Yes or no, is this the first time in the 11 years since the COPPA rule became effective that the Commission has proposed changes to the meaning of personal information using its statutory authority to modify the meaning of that term? Ms. Engle. Yes. Mr. Butterfield. All right. Those are my yes-or-no questions. All right. We need to use some more time. It seems to me that when the FTC is given the ability to modify the meaning of a key statutory term like personal information, and 2) is allowed to do so following a straightforward and streamlined process, it is shown it will not abuse the authority or act hastily. It will not run wild and create chaos and unnecessary cost for businesses. I think our experience with COPPA shows the FTC can exercise this sort of authority carefully and deliberately. I hope that is a lesson all of us here can apply to the data security context as we look to move legislation in that area that is both effective and adaptable to changes in technology and expectations about what information should be protected. This has been a good hearing, Madam Chairman. I want to thank the witnesses and want to thank you for your patience. I yield back. Mrs. Bono Mack. I thank the gentleman and at this point I will thank the panel very much for your answers to our questions. You have been very gracious with your time. And as I said, these issues I think no more than any others have a flipside to everything that we do. And the law of unintended consequences can be very, very frightening. And with that, I am actually just stretching--you owe me. And I am happy to recognize Mr. Markey for 5 minutes. Mr. Markey. Thank you. I thank the gentlelady and I thank you for allowing me as a nonmember of this subcommittee to participate. Thank you so much. I am the House author of the Children's Online Privacy Protection Act, which Congress passed and President Clinton signed into law in 1998. It is the communications constitution when it comes to protecting kids online but we need to update it to take into account the explosive growth and innovation in the online ecosystem over the last 13 years. I commend the Federal Trade Commission for its thoughtful and comprehensive review and for its proposed changes to that Rule, which reflect and reinforce many of the same safeguards contained in the Do Not Track Kids Act that I introduced this past May with Representative Joe Barton. As in our bill, the Commission appropriately notes that teens should be provided with clear information about how their personal data is used and also empowered to exercise control over these uses. As in our bill, the Commission also proposes to add children's location information under the category of personal data that require a parent's permission before it is collected or used. Given the potential for this sensitive data to be misused to endanger a child, the Commission's proposal in this area is a much-needed step. I commend the Commission for rejecting arguments that voluntary self-regulatory efforts are the best way to address privacy concerns in connection with behavioral targeting of children online. Strong legal requirements along with vigilant enforcement are needed to protect children from tracking and targeting on the Internet. Children should be able to grow up in an electronic oasis that enables access to online education, to education and entertainment opportunities in a safe environment. And I look forward to working with you, Madam Chair, and all the members of the committee so that we can strengthen privacy safeguards and ensure that kids and teens are protected when they go online, and that is why I introduced the Do Not Track Kids Act. Mr. Simpson, you mentioned in your testimony that teens still need privacy protection online because, as we know, COPPA covers users 12 and younger. I agree with you. And the Do Not Track Kids bill that Joe Barton and I introduced provides teens with safeguards specifically tailored for their age group without expanding the COPPA structure to adolescents. Can you expand on Common Sense's views on privacy protections for teens, please? Mr. Simpson. Thank you, sir. We think you are taking very much the right approach. There is a complicated issue here called child development and we all know that not all 8-year- olds are the same, 8-year-olds are not the same as 14-year-old, and 14-year-olds are not the same as 20-year-olds, and many 20- year-olds act like 12-year-olds. But the reality is that teens need something more than they have right now. The FTC's recommendations are very valuable for kids under 13, but there are a lot of 13- and 14- and 15-year-olds who are quite capable of making mistakes in this innovative space, and those mistakes can come back to haunt them. They need opportunities and they need a lot more education and they need a lot more information that is actionable. They need resources they can use that are designed for their age group, not for the lawyers who are well versed in privacy. Mr. Markey. Thank you. Dr. Montgomery, do you agree that younger teens need a framework for them as well, perhaps not for the 12 and under but something tailored for that group? Ms. Montgomery. Yes, I do and this is something I have felt very strongly about for a long time since we were debating COPPA where the issue of whether we ought to apply the COPPA protections to teens was very much part of the discussion at that time. And what I really believe is that we do need protections here. What we have seen is with COPPA, we have a framework where there is an industry that appreciates the concerns about children, but with teenagers, it has been no holds barred and no real sensitivity to their concerns. Mr. Markey. Can I ask, what is your response to the questions that are raised by the eraser button that Mr. Barton and I have included in our bill? What do you think about its functionality as a way for parents to be able to protect kids? Ms. Montgomery. I don't really know how the eraser button will work but I do believe, as my colleague Alan Simpson has said, that teenagers themselves should be able to have some control over the information they have placed online. Mr. Markey. Mr. Simpson, what is your view in terms of the eraser button? Mr. Simpson. Absolutely. And you know, we don't know exactly how they will work, but I think they key is here we have seen a lot of innovation on how to collect and not enough innovation on how to protect. And I think something like an eraser button is a tool that industry can design to empower teens in richer ways. Mr. Markey. OK. Thank you. And I thank all of you for your participation in this very, very important discussion. It is only going to get more and more dangerous for kids if we don't put these safeguards in place. Thank you, Madam Chair. Mrs. Bono Mack. Thank you, Mr. Markey. And again, I would like to thank Ms. Engle and the entire staff at the FTC who has devoted time and thought to this effort. Job well done. And also to all of you once again, thank you. I would like to say that this is a third in our series of online privacy hearings so far this year. I look forward to our continued discussions on how we can best balance the need to remain innovative with the need to protect all of our privacy, certainly our children's privacy. Next week, we will take a close look at consumer attitudes and expectations, and we know that is going to be a very interesting hearing. I will remind members that they have 10 business days to submit questions for the record, and I ask all witnesses to please respond promptly to any questions you might receive. And the hearing is now adjourned. Thank you again. [Whereupon, at 11:02 a.m., the subcommittee was adjourned.] [Material submitted for inclusion in the record follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]