[Senate Hearing 112-152]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 112-152
 
  PRIVACY AND DATA SECURITY: PROTECTING CONSUMERS IN THE MODERN WORLD

=======================================================================


                                HEARING

                               before the

                         COMMITTEE ON COMMERCE

                      SCIENCE, AND TRANSPORTATION

                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 29, 2011

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation





                  U.S. GOVERNMENT PRINTING OFFICE
71-313                    WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001




       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

            JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii             KAY BAILEY HUTCHISON, Texas, 
JOHN F. KERRY, Massachusetts             Ranking
BARBARA BOXER, California            OLYMPIA J. SNOWE, Maine
BILL NELSON, Florida                 JIM DeMINT, South Carolina
MARIA CANTWELL, Washington           JOHN THUNE, South Dakota
FRANK R. LAUTENBERG, New Jersey      ROGER F. WICKER, Mississippi
MARK PRYOR, Arkansas                 JOHNNY ISAKSON, Georgia
CLAIRE McCASKILL, Missouri           ROY BLUNT, Missouri
AMY KLOBUCHAR, Minnesota             JOHN BOOZMAN, Arkansas
TOM UDALL, New Mexico                PATRICK J. TOOMEY, Pennsylvania
MARK WARNER, Virginia                MARCO RUBIO, Florida
MARK BEGICH, Alaska                  KELLY AYOTTE, New Hampshire
                                     DEAN HELLER, Nevada
                    Ellen L. Doneski, Staff Director
                   James Reid, Deputy Staff Director
                   Bruce H. Andrews, General Counsel
   Brian M. Hendricks, Republican Staff Director and General Counsel
            Todd Bertoson, Republican Deputy Staff Director
                 Rebecca Seidel, Republic Chief Counsel



                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on June 29, 2011....................................     1
Statement of Senator Rockefeller.................................     1
Statement of Senator Kerry.......................................     2
Statement of Senator Toomey......................................     4
    Prepared statement of the National Retail Federation and 
      Shop.org...................................................     6
Statement of Senator Wicker......................................    36
Statement of Senator Ayotte......................................    36
Statement of Senator Klobuchar...................................    38

                               Witnesses

Hon. Julie Brill, Commissioner, Federal Trade Commission.........    13
    Prepared statement...........................................    15
Hon. Cameron F. Kerry, General Counsel, U.S. Department of 
  Commerce.......................................................    23
    Prepared statement...........................................    24
Austin C. Schlick, General Counsel, Federal Communications 
  Commission.....................................................    29
    Prepared statement...........................................    31
Stuart K. Pratt, President and CEO, Consumer Data Industry 
  Association....................................................    40
    Prepared statement...........................................    42
Ioana Rusu, Regulatory Counsel, Consumers Union..................    46
    Prepared statement...........................................    48
Tim Schaaff, President, Sony Network Entertainment International.    52
    Prepared statement...........................................    53
Thomas M. Lenard, Ph.D., President and Senior Fellow, Technology 
  Policy Institute...............................................    55
    Prepared statement...........................................    56
Scott Taylor, Chief Privacy Officer, Hewlett-Packard Company.....    59
    Prepared statement...........................................    60

                                Appendix

Letter, dated June 29, 2011, to Hon. John D. Rockefeller IV and 
  Hon. Kay Bailey Hutchison from: American Advertising 
  Federation, American Association of Advertising Agencies, 
  Association for Competitive Technology, Consumer Data Industry 
  Association, CTIA--The Wireless Association, Direct Marketing 
  Association, Electronic Retailing Association, Interactive 
  Advertising Bureau, National Association of Professional 
  Background Screeners, National Business Coalition on E-Commerce 
  and Privacy, NetChoice, Network Advertising Initiative, 
  Performance Marketing Association and U.S. Chamber of Commerce.    69
Letter, dated June 27, 2011, to Natasha Mbabazi, Senator Thomas 
  Udall, Senator Frank Lautenberg and Senator Barbara Boxer from 
  Lisa Liberi and Lisa Ostella...................................    72
Response to written questions submitted to Hon. Julie Brill by:
    Hon. John D. Rockefeller IV..................................    73
    Hon. Claire McCaskill........................................    74
    Hon. John F. Kerry...........................................    74
    Hon. Barbara Boxer...........................................    77
    Hon. Mark Begich.............................................    78
    Hon. Kelly Ayotte............................................    79
Response to written questions submitted to Hon. Cameron F. Kerry 
  by:
    Hon. John F. Kerry...........................................    81
    Hon. Mark Begich.............................................    83
Response to written question submitted to Austin C. Schlick by:
    Hon. Claire McCaskill........................................    84
    Hon. Mark Begich.............................................    84
Response to written questions submitted to Stuart K. Pratt by:
    Hon. John D. Rockefeller IV..................................    85
    Hon. Roger F. Wicker.........................................    87
Response to written question submitted to Ioana Rusu by:
    Hon. John D. Rockefeller IV..................................    87
    Hon. Barbara Boxer...........................................    89
Response to written questions submitted to Tim Schaaff by:
    Hon. Claire McCaskill........................................    90
Response to written questions submitted to Thomas M. Lenard, 
  Ph.D. by:
    Hon. Roger F. Wicker.........................................    91


  PRIVACY AND DATA SECURITY: PROTECTING CONSUMERS IN THE MODERN WORLD

                              ----------                              


                        WEDNESDAY, JUNE 29, 2011

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m. in room 
SR-253, Russell Senate Office Building, Hon. John D. 
Rockefeller IV, Chairman of the Committee, presiding.

       OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 
                U.S. SENATOR FROM WEST VIRGINIA

    The Chairman. We've got to begin. This hearing will come to 
order. This is the third hearing on consumer privacy that we've 
had in this committee in the 112th Congress. As I have 
repeatedly emphasized, Americans are often unaware of the vast 
amounts of information that are being collected on them and 
then used usually to their detriment.
    I've focused on the need for companies to provide everyday 
consumers with a clear understanding of what information they 
are collecting, where the information is going, and how it's 
being used. I've also asked companies to give consumers an easy 
way for them to stop those collection processes. I don't think 
this is too much to ask of companies that are making a lot of 
money and a lot of money that comes off of consumers' personal 
information.
    That should not be happening in America. This is a new cost 
of doing business in America, and people have to understand 
that. Government doesn't subsidize what companies need to be 
doing to protect privacy.
    Poll after poll shows that Americans are increasingly 
concerned about their loss of privacy, and these same polls 
show that Americans don't know what to do about it. I've had 
endless meetings in my state, as I'm sure Senator Kerry and 
Senator Toomey have, also. They don't know what to do about it.
    It's my intent, as Chairman of this Committee of 
jurisdiction--and I say that very clearly for many to hear--to 
change all of this. I want ordinary consumers to know what is 
being done with their personal information, and I want to give 
them the power to do something about that.
    That is why I've introduced S. 917, the Do-Not-Track Online 
Act of 2011. This bill is based on a very simple concept. With 
an easy click of the mouse, consumers can tell all online 
companies they do not want their information collected, period. 
One click, no information collected. Under my bill, companies 
would be obliged to honor that request. It's that simple.
    Senator Kerry has also introduced a bill, S. 799, the 
Commercial Bill of Rights Act of 2011, which is a very 
comprehensive piece of legislation that governs many facets of 
all of this and of the economy, indeed. It's a very good piece 
of legislation.
    And other members of the Committee have similarly voiced 
strong interest in privacy matters. I believe these hearings 
form the basis for building bipartisan consensus about really 
doing something about this.
    Now, today's hearing is also about data security, which 
directly implicates consumer privacy. We are reminded of this, 
I'm afraid, every day in the headlines.
    The recent security breaches at Citibank, Sony, and Epsilon 
show that companies are increasingly vulnerable to cyber 
attacks that compromise the safety and the privacy of 
Americans. I'm not concerned about the breaches. I'm concerned 
about what happens to American people as a result of that. 
Well, I'm concerned about the breaches, too.
    When criminals break into a database and steal credit card 
numbers, Social Security numbers, or even e-mail addresses, 
they can use this information to commit identity theft, which 
can have devastating consequences for the victims.
    That is why Senator Pryor and I have introduced once again 
this year, S. 1207, the Data Security and Breach Notification 
Act, the same bill that we introduced in the last Congress. The 
bill will impose an obligation on companies to adopt basic 
security protocols to protect sensitive consumer data, and it 
would further require these companies to notify affected 
consumers in the wake of a security breach--again, a cost of 
doing business in the New World.
    The bill would also require greater transparency for 
something called the data broker industry, not one of my 
favorite subjects to talk or think about. These are companies 
that amass vast amounts of data on consumers, sell that 
information to other companies, usually for marketing purposes, 
and they make a lot of money for it. Most people don't even 
know they exist. They've never heard of them. They have no idea 
that their privacy is being invaded, used, sold, and marketed.
    So there's a broad consensus that federal data security 
legislation is necessary. The Administration included a breach 
notification provision similar to the provision of S. 1207, 
Pryor's and my bill, in its cyber security proposal. In order 
for this bill to be ready for floor consideration as part of 
the larger cyber security effort, I will work with Senator 
Pryor and all of my colleagues to make sure that all of this 
works out.
    I now call on Senator Kerry. I warn you we have some votes 
at 11, so we're going to be hurrying just a bit.

               STATEMENT OF HON. JOHN F. KERRY, 
                U.S. SENATOR FROM MASSACHUSETTS

    Senator Kerry. Indeed, and, Mr. Chairman, in that spirit, 
I'll try to be very quick, because we do have about five votes, 
I think, coming up.
    First of all, thank you for holding this hearing. And I 
want to thank you for the meeting that we had the other day to 
discuss, not just our bill, but the whole approach of the 
Committee. And I pledge to work with you as closely as possible 
as we try to find a broad-based and, hopefully, consensus 
approach to the challenges of this issue.
    What we're discussing today is really the ability of people 
to sort of control or have some impact on the way profiles 
about them--a digital profile or multiple digital profiles--are 
compiled on almost all of us and then sliced and diced and 
traded in a marketplace where many people are not, as you have 
just remarked, appropriately in control of what happens to 
them.
    We also are here to discuss the need to establish uniform 
standards for the security of the private networks that hold 
our information. Now, when I talk about privacy, I'm talking 
about the ability of people to exercise choice and control over 
how their information--I repeat, their information--is 
collected, used, and distributed.
    Data security is a subset of that issue and about how 
companies can secure the information that they collect on 
people and what they need to do in the case of a security 
lapse. Both are serious matters.
    When a company is hacked, and the information of hundreds 
of thousands of their consumers is taken, the individuals whose 
information is revealed are obviously exposed to the risk of 
the hackers who stole it using that information in any number 
of ways, but particularly to harm them. The company that is 
hacked is hurt by being exposed to reputational damage and 
harmed relations with its customers.
    And establishing uniform procedures for how to react in the 
case of a security lapse and increasing incentives for having 
strong security procedures is, I think, a necessary goal and 
well addressed in the data breach legislation that you, Mr. 
Chairman, and Senator Pryor have introduced.
    But data security requirements alone are not going to give 
people authority over how their information is collected or its 
use and distribution. Data security is just one piece of the 
overall privacy puzzle.
    After working with Senator McCain and others for some 
months on this issue--you mentioned the legislation, Mr. 
Chairman, a moment ago that we've introduced, and I appreciate 
your comments about it. We need to find a way to meld the 
various approaches that are out there and to build, obviously, 
a consensus within this committee--I agree with you, the 
Committee of jurisdiction--in order to be able to protect 
people.
    Beyond accountability security, I think that the 
legislation we've contemplated is going to give people 
meaningful and specific explanations and control on how their 
information is being collected, used, and distributed, as well 
as, importantly, the power to opt-out of those practices.
    I think Senator Rockefeller's approach is a good one, a 
strong one, an important one, the Do-Not-Track. It's one 
component of it. But I do think that beyond that, we still have 
to deal with this question of choice over how your information 
is managed even if you do consent to it.
    And so I think that what we've put forward is a 
comprehensive bipartisan proposal as a starting point.
    And, Mr. Chairman, I think it's critical to work with you, 
Senator Kay Bailey Hutchison, Senator Snowe, and others on the 
Committee, in order to bring more people to the table, and I 
certainly look forward to doing that.
    I do want to point out that at the moment, sort of in the 
center of this debate--there are a couple of polls, but in the 
center, you've got major companies, like Intel, Microsoft, 
eBay, Hewlett-Packard, as well as consumer advocates 
represented by the Consumers Union and others who are helping 
us to try to focus this in the right direction.
    And, finally, you know, we have expert agencies represented 
here today. The Federal Trade Commission, the Department of 
Commerce, the Federal Communications Commission--they've all 
been doing what they can to protect Americans using the legal 
tools available to them and using their ability to convene the 
stakeholders and the experts and then educate themselves and 
consumers on the changing practices in this rapidly moving and 
ever evolving world we live in.
    But the fact is that they don't have all the tools 
necessary. And that's why this discussion is so important.
    So I look forward to working with you, Mr. Chairman, making 
sure we have a complete picture of what is going on in the 
market today from which we can draw the best conclusions about 
how to proceed to have a smart, baseline, commercial privacy 
protection put into law. And I thank you for focusing intently 
on this important issue.
    The Chairman. Thank you, Senator Kerry.
    Senator Toomey.

               STATEMENT OF HON. PATRICK TOOMEY, 
                 U.S. SENATOR FROM PENNSYLVANIA

    Senator Toomey. Thank you very much, Mr. Chairman, for 
holding another hearing on this very important topic. I 
appreciate that, and I agree with Senator Kerry's 
characterization that data security is one subset of consumer 
privacy, which is itself, though, a very broad topic.
    On data security, there seems to be broad support among 
industry stakeholders, consumer advocates, and many Members of 
Congress for a national standard. And it's certainly an issue 
that Congress is likely to address legislatively in the near 
future.
    In recent years, there have been a number of high profile 
data breaches affecting consumers nationwide. And establishing 
a single federal standard for notifying victims of data 
breaches and protecting sensitive information is something I do 
think we should consider seriously.
    I look forward to working with the Chairman and other 
members of the Committee in, hopefully, addressing this in a 
constructive and bipartisan manner.
    On the broader issue of privacy, however, I'm not sure 
there is yet a consensus on how to best protect consumers or 
whether a legislative solution is, indeed, the best method for 
doing so. So before Congress considers comprehensive privacy 
legislation that would have a significant impact on businesses 
large and small and on consumers, I think we need to thoroughly 
examine this issue and make sure that we don't apply a solution 
in search of a problem.
    I'm very interested to hear from our witnesses today on 
what, specifically, is most concerning to consumers when it 
comes to privacy; what consumers' expectations are regarding 
their privacy; and what, if any, real harm has occurred from 
online data collection and how to best address any such harms. 
In a world where millions of people voluntarily share very 
personal information on websites like Facebook and Twitter on a 
daily basis, I'm not sure exactly what consumer expectations 
are when it comes to privacy. But I am pretty sure that 
different consumers have different expectations about privacy.
    I'm also not sure who's best suited or even qualified to 
make the determination. Should it be Congress? Should it be the 
Federal Trade Commission? Or neither? Perhaps industry and 
consumers should set the standard by mutual consent in their 
interactions.
    These are the issues that I hope we will carefully examine. 
And I'm hopeful that we can make some progress on them today.
    My colleagues who have introduced legislation in this field 
are certainly very well-intentioned and its thoughtful 
legislation. But I am not sure that we've fully considered the 
unintended consequences that could attach to these proposals.
    The Internet and the communications marketplace have 
flourished and fueled tremendous economic growth in part 
because excessive government regulation has not yet occurred. 
In fact, American innovation in this field far outstrips the 
innovation that's occurring in other places, including Europe, 
where much more extensive regulation currently exists.
    So, the Internet clearly has changed the way we communicate 
and do business very much for the better. And we should be 
careful about imposing new rules and regulations that might 
unnecessarily harm future innovations.
    I'm sure no one on this committee wants to ``break the 
Internet'' or limit many of the popular online services 
consumers can access. In order to avoid fundamentally altering 
the current online experience, and creating these unintended 
consequences, I just urge that we all proceed with caution.
    One very brief example, for instance--overly restrictive 
regulations for online advertising would likely result in 
consumers having access to fewer free online services and 
applications. I'm not sure that we're qualified at this point 
to make the judgment of what that trade-off ought to be.
    I want to protect privacy online, and I want consumers to 
feel comfortable when using the Internet. But until we have a 
clear picture of the harm we're trying to address and have 
looked at a cost-benefit analysis of any new privacy 
legislation, I have reservations about moving forward with a 
legislative mandate.
    That said, there are a number of ideas that have been put 
on the table that I do find appealing. One example is the idea 
that maybe we ought to consider consolidating privacy 
enforcement and oversight into a single federal agency rather 
than multiple agencies.
    So on this and this entire range of topics, I look forward 
to working with you, Mr. Chairman, and the other members of the 
Committee. Again, I thank you for holding this hearing. And I'd 
like to ask consent to have a statement prepared by the 
National Retail Federation included in the record.
    [The information referred to follows:]

   Prepared Statement of the National Retail Federation and Shop.org
    Chairman Rockefeller, Ranking Member Hutchison and members of the 
Senate Committee on Commerce, Science, and Transportation, on behalf of 
the National Retail Federation and its division Shop.org, I appreciate 
the opportunity to submit this written statement to the Committee in 
connection with its hearing entitled ``Privacy and Data Security: 
Protecting Consumers in the Modern World'' held on June 29, 2011.
    As the world's largest retail trade association, the National 
Retail Federation's global membership includes retailers of all sizes, 
formats and channels of distribution, as well as chain restaurants and 
industry partners from the U.S. and more than 45 countries abroad. In 
the United States, NRF represents the breadth and diversity of an 
industry with more than 1.6 million American companies that employ 
nearly 25 million workers and generated 2010 sales of $2.4 trillion. 
Shop.org, a division of the National Retail Federation, is the world's 
leading membership community for digital retail. Founded in 1996, 
Shop.org's 600 members include the 10 largest online retailers in the 
U.S. and more than 60 percent of the Internet Retailer Top 100 E-
Retailers.
I. Introduction: Information is the Lifeblood of Retail Success and 
        Growth
    Retailers are by their very nature marketers and advertisers. 
Consumer information used for these purposes is the lifeblood of the 
industry, and the catalyst for its growth. Trends and revolutions in 
retailing, such as the rise of e-commerce, are fueled by the sharing of 
information between merchants and their customers. The information 
collected by retailers ensures the right merchandise is stocked on 
shelves, customers are offered the best sales and promotions to get 
them in the door, and stores are opened in locations where demand is 
the highest, to name just a few of the important uses of consumer 
information.
    As businesses that have direct, first-party relationships with 
their customers, retailers understand why the gathering and use of some 
customer information for these and other lawful purposes may still 
raise consumer privacy concerns despite the clear benefits that the 
smart use of information has provided to consumers over the years. 
Indeed, privacy and security considerations are of paramount concern to 
retailers for that very reason, and their goals are to be as responsive 
to consumer concerns as possible. In a very competitive industry that 
averages only 2 percent profit margins, retailers distinguish 
themselves on the quality of their customer service and the shopping 
experience they provide. Protecting customers' information is an 
important part of that mission.
    Furthermore, we agree with the Committee that privacy 
considerations should be taken seriously by all businesses--from 
securing important human resources information to protecting databases 
that hold sensitive customer information. However, we also believe that 
some of the legislative proposals being considered by the Committee go 
too far in restricting customary and lawful uses of information that 
are essential to retail businesses, and we are concerned that some of 
the provisions could have the unintended effect of stifling innovation 
and growth in our industry at a critical time for our economy and the 
retail sector as a whole.
II. The Continuing Growth of E-Commerce as a Retail Channel
    Retailers have spent the last fifteen years revolutionizing the way 
Americans shop by giving each and every consumer greater access to a 
wide variety of brands, goods, and services at highly competitive 
prices both in their stores and online. E-commerce has brought millions 
of new customers to retailers' virtual stores and has also served to 
increase new customer traffic in traditional brick-and-mortar shops as 
well. According to the Shop.org-released annual study, The State of 
Retailing Online (``SORO''), conducted each year by Forrester Research, 
Inc., online retail sales soared to $156 billion in 2009 and are 
projected to likely exceed the $200 billion mark in 2012.\1\
---------------------------------------------------------------------------
    \1\ The State of Retailing Online 2009.
---------------------------------------------------------------------------
    As retailers continue to fine-tune their selling and marketing 
strategies, consumers, in particular, have become more comfortable 
shopping online--especially with retailers that they know and trust. By 
the end of 2009, online sales accounted for 6 percent of all retail 
sales.\2\ In contrast, it took the catalog industry 100 years to 
represent just 4.7 percent of all retail sales.\3\ What has made this 
online retail revolution possible is the widespread access to the 
Internet and e-mail by American consumers, and the ability for 
retailers to actively and nimbly adapt to their customers' evolving 
shopping preferences. Retailers are constantly re-designing and adding 
new features to their online sites, striving to create the most 
relevant content and consumer-friendly web experiences for their 
customers. This helps retailers maintain their customer base, draw in 
new shoppers, and improve overall conversion rates. As noted 
previously, retailers must be relentless about delivering the most 
compelling and relevant experience to their customers because that is 
how they differentiate themselves in an extremely competitive, volume-
driven business that operates on low profit margins.
---------------------------------------------------------------------------
    \2\ Id.
    \3\ The State of Retailing Online 2002.
---------------------------------------------------------------------------
    The key to the constant evolution of retail marketing and sales is 
the information that retailers have collected about their customers' 
shopping preferences in stores and on their websites over time. That 
being said, retailers take their customers' privacy and security 
seriously and have an excellent track record of using customer 
information in order to deliver relevant and targeted marketing. 
Retailers have long understood that keeping their customers happy is 
the most essential part of building positive long-term business 
relationships. However, retailers do not want to fundamentally alter an 
entire medium for effective information collection and use. We believe 
that effective and enforceable self-regulation and, in the case of 
retailing, industry leadership (or ``best practices''), are among the 
most effective ways to protect consumers while still enabling 
businesses to maintain the flexibility to innovate and adopt new 
technologies to better serve their customers.
    There is an old saying that ``the customer is always right,'' and 
that could not be truer in the retail industry as retailers must meet 
customers' constantly evolving expectations. If they do not meet their 
customers' expectations or, worse, violate their trust, customers will 
not be happy and they will shop elsewhere. Given the limitless number 
of shopping choices presented to American consumers every day, 
particularly online, there's a new saying in online retail that is 
particularly appropriate in this context: ``Competition is only one 
click away.''
    With retailers' interests aligned with their customers' interests 
in terms of satisfying their needs and allaying their concerns, 
honoring consumers' privacy and marketing preferences and securing 
their data is of paramount importance. For this reason, retail 
customers are very likely to have their privacy and security 
expectations met and they continue to maintain significant control over 
the business relationship. The Federal Trade Commission (``FTC'') 
recognized as much in its December 2010 staff report on a proposed U.S. 
privacy framework (the ``FTC Privacy Report''), noting that it had less 
concerns about these types of consumer information practices than 
others.\4\
---------------------------------------------------------------------------
    \4\ See Preliminary FTC Staff Report, ``Protecting Consumer Privacy 
in an Era of Rapid Change,'' December 1, 2010 (hereinafter, ``FTC 
Privacy Report'').
---------------------------------------------------------------------------
III. Views on Proposed Data Security Provisions in Current Legislation
    There are many ways that retailers are currently securing 
information as well as protecting sensitive customer information. 
First, to the extent that retailers act as credit grantors, they must 
abide by the statutory privacy and data security protections required 
by the Gramm Leach Bliley Act (``GLBA''), The Fair Credit Reporting Act 
(``FCRA''), and the Fair and Accurate Credit Transactions Act 
(``FACTA''). Further, any retailer that processes and retains third-
party credit card information is currently subject to the Payment Cards 
Industry (``PCI'') standards program developed by Visa, MasterCard, 
American Express and Discover. These statutes and programs do not apply 
to non-sensitive marketing data, as their goal is to provide important 
protections for consumers' most sensitive financial data because its 
misuse may lead to identity theft or other significant financial harm.
A. Data Minimization and Retention
    While we generally support legislation that would create uniform 
national data security standards, some of the proposed provisions in 
privacy and data security bills, such as data retention standards, 
would be problematic. We also agree that non-sensitive customer data 
should be protected as part of proposed data security standards, but 
believe that such protection must be proportionate to the type and 
sensitivity of the data. A few examples here may be helpful for the 
Committee's review and consideration.
    First, provisions that would require deletion of data unless there 
is a legitimate business need for continued retention must be flexible, 
as the needs will vary greatly from business to business, and companies 
should not be subject to arbitrary time limits for how long data can be 
stored. Retailers, for instance, have many legitimate uses for customer 
data, from fraud prevention to inventory planning, to planning 
marketing campaigns and store openings. As a result, we believe data 
retention determinations must be left to the business itself. In fact, 
in the 46 states and 3 federal territorial jurisdictions that have 
recently enacted data security and breach notification statutes, none 
have legislated a specific time period for data retention and we would 
urge Congress to do as these states and jurisdictions have done.
    Additionally, while the FTC Privacy Report advises that data 
retention periods should be linked in some way to the type or 
sensitivity of the data being collected, this should not force 
retailers to arbitrarily dump marketing information that they have 
expended significant resources to develop and that may be relevant to 
their businesses in the future. For example, innovations in retailing 
and e-commerce are fueled by data analytics and other widely used 
Customer Relationship Management (``CRM'') techniques that rely heavily 
on complete and reliable sources of information. Congress should 
therefore be cautious in setting one-size-fits-all retention periods 
for industry that could have the significant unintended consequence of 
forcing the removal of critical data from businesses that, in turn, may 
limit their future market growth and ability to compete when innovative 
new uses for that information are later developed.
    In addition to marketing, data retention is necessary to provide 
customers with a seamless experience. For instance, if a customer 
purchases a couch from a retailer and then 24 months later would like 
to complete the set, it is critical for the retailer to have all of the 
information about the initial purchase stored in its system in order to 
provide the customer with the service that customer expects and to 
which they have become accustomed. The time period for a retailer 
wishing to provide good customer service is dependent upon the 
retailer's reasonable expectations and experience concerning its 
typical customers' needs.
B. Accuracy, Access and Correction Rights for Non-Sensitive Data
    We disagree with proponents of data security legislation who 
believe businesses should be required to ensure the absolute accuracy 
of non-sensitive marketing data that they collect under the mistaken 
premise that it might result in a customer not receiving an important 
benefit. Information that is used to determine eligibility for credit, 
employment, housing, insurance, and other important financial services, 
is certainly the type of information that may cause economic harm if 
its inaccuracy leads to a denial of such service. However, information 
accuracy, access and correction rights are already provided for this 
type of sensitive information under several federal laws, including 
FCRA and FACTA.
    With respect to non-sensitive marketing data, it is certainly in a 
retailers' best interest to have generalized information about their 
customers' product interests in order to send them the most relevant 
marketing, but marketing files do not merit the same level of scrutiny 
as credit and financial information because, by their very nature, this 
non-sensitive information is not used to deny consumers important 
benefits (such as credit, employment, housing, or insurance). Moreover, 
even moderate inaccuracy of non-sensitive marketing information (e.g., 
an incorrect sock size or color preference) typically cannot cause 
significant economic harm to an individual in the same way that the 
denial of credit, employment, housing and insurance might.
    For these reasons, we would advise that the Committee reconsider 
the inclusion of accuracy, access and correction rights for non-
sensitive marketing information in any proposed data security or 
privacy legislation. On the other hand, as a matter of good practices, 
we do believe that access to customer information should generally be 
restricted to those with an articulable business ``need to know.''
C. Private Rights of Action
    We appreciate that none of the proposed data security or privacy 
bills being considered by the Committee establish new private rights of 
action as part of their enforcement regime. As the Committee can 
appreciate, retailers are already subject to massive fines and expenses 
for data security violations under actions by the Federal Trade 
Commission, state attorneys general and private entities (for PCI 
standards enforcement)--costs which collectively run into the millions 
of dollars. In its consideration of the Committee's legislation, we 
strongly urge Congress not to amplify these costs by also subjecting 
every American business that accepts a credit card to the potential 
ruinous compounding of additional private litigation.
IV. Views on Proposed Privacy Provisions in Current Legislation
A. Scope of Covered Information
    The scope of legislative proposals to protect consumer privacy has 
often been a key issue for retailers and is again a factor that we urge 
the Committee to carefully consider. In proposed legislation, the 
definitions of covered information (where provided and not left to the 
discretion of the FTC) are often overly inclusive of non-sensitive and 
even non-personal information. For example, as currently drafted, the 
Kerry-McCain privacy bill would cover nearly all data collected for 
commercial use, no matter how sensitive or innocuous, if that data can 
be linked to a specific consumer, computer or device.
    Additionally, while the legislative language states that it covers 
all commercial entities that collect data in both online and offline 
contexts, the statements of Senator Kerry and the testimony offered at 
the Committee's privacy hearings this year have focused more keenly on 
online data collection and the provision of consumer choice in these 
channels. Given that the offline collection of consumer data is much 
more layered than online collection, and that offering consumer notices 
and choice mechanisms offline will be much more onerous on businesses 
and consumers alike, we strongly suggest that legislative proposals be 
narrowed to simply address significant known consumer protection 
concerns and not be crafted as one-size-fits-all proposals intended to 
cover every possible instance in which data--particularly non-
personally identifiable data--is collected in the course of doing 
business. To do so would be tantamount to regulating all information in 
our information economy, which we believe would have significant 
unintended consequences.
    Moreover, the proposed broadening of the definition of ``covered 
information'' in the bill to include data that is not personally 
identifiable information (``PII'') is troubling. The FTC Privacy Report 
concluded that ``any data that relates to a person has privacy 
implications and, therefore, should be protected appropriately.'' \5\ 
However, having a proposed privacy framework whose scope would be 
broadly defined to cover any data that can be ``linked'' to a consumer, 
computer or mobile device is one that is as broad as covering all data 
itself, since any data can be conceivably linked to any other data in a 
database. The implied breadth of regulation in the FTC Privacy Report 
goes well beyond the agency's consumer protection mandate and, in terms 
of practicality, is simply untenable.
---------------------------------------------------------------------------
    \5\ FTC Privacy Report, p. 39.
---------------------------------------------------------------------------
    The Commission also noted that the ability to re-identify customers 
from anonymous data has caused the traditional understanding of PII to 
lose significance. However, in the examples the FTC presents in the 
report, the companies involved were either violating their own privacy 
policies or the policies of the company that hired them. These types of 
corporate transgressions should be properly handled under the FTC's 
currently authorized enforcement regime, and not become the stated 
cause for the complete redefinition of what has traditionally been 
considered PII. Furthermore, maintaining a carefully crafted definition 
of covered information based on the same concepts of PII that underlie 
current federal privacy laws would provide some natural boundary to 
proposed privacy legislation so that the scope of new government 
regulations for consumer protection purposes is tied to data that 
actually identifies consumers.
B. Exceptions for Common First-Party and Third-Party Practices
    The first-party marketing exception is extremely important to 
retailers in all marketing channels.\6\ Retailers have been advertising 
and marketing to their own customers since retail began. A century ago, 
pioneering general stores kept careful logs of what customers bought, 
and often extended simplified credit ``terms'' or deferred payment 
based on the shopping histories of loyal customers. In towns and 
cities, local haberdashers knew their customers' measurements and 
preferences by heart, and neighborhood pharmacies were places where 
simple medical advice was dispensed while the community gathered at the 
lunch counter to share news and connect. What was once face-to-face 
interaction with a brick-and-mortar small business has, over time, 
evolved in to customer loyalty programs such as those found at a 
favorite grocer, department store, and on popular websites known for 
serving up targeted customer recommendations and providing one-click 
ordering services.
---------------------------------------------------------------------------
    \6\ Whether legislation narrows the scope of the exception to only 
cover the online collection of data is significant, as first-party 
marketing is a vital tool to retailers in multiple channels including, 
in-store, catalog, online and mobile.
---------------------------------------------------------------------------
    In the FTC Privacy Report, the Commission asked if first-party 
marketing should be limited to the context in which the data is 
collected from the consumer, and the Kerry-McCain bill limits the 
exception in certain similar ways. Our view is that the online or 
offline channel in which first-party marketing is conducted should not 
cause the exception to be narrowed to the use of information collected 
only in that channel because a customer's common understanding is that 
he or she is doing business with a single retailer, even if that 
interaction happens in one of several available mediums. A few examples 
here again may be helpful to the Committee.
    As the Committee knows, retailers operate across all channels and 
consumers have come to expect a seamless shopping experience whether 
they are browsing the retailer's site online or on their mobile device, 
or browsing the store's aisles at the local shopping center. Consumers 
do not differentiate or segment out their experiences with a retailer, 
and retailers must accommodate their expectations. Integrating online 
and offline consumer information allows retail customers to enjoy 
integrated services, such as in-store returns for online purchases, and 
the ability to shop with loyalty points and coupons through the medium 
that is most convenient for them. It also allows for the deployment of 
new technologies such as in-store kiosks that permit online ordering or 
allow customers to manage their wedding and baby registries or 
personalized ``wish lists.'' Customers often appreciate receiving 
marketing promotions in several different ways as well. For those 
customers whose preferences are specific, opt-outs for mail and e-mail 
can be easily obtained under current law and marketing self-regulation 
programs. It is also well-known that reputable retailers respect 
customer preferences as a matter of good customer service.
    Again, whether a customer shops in-store, online, through a mobile 
application or by catalog, that consumer's assumption is that they are 
shopping with a single retailer. The first-party marketing exemption 
should be extended to cover all of these environments in which 
retailers interact with their own customers. Additionally, the 
exception should cover customer marketing information that is shared 
with affiliates as well as third-parties who are operating seamlessly 
within the four walls of the retail operation, such as leased 
departments or in-home services.
    For example, some retailers have launched integrated websites where 
customers can switch from one brand to the next easily. A few are even 
utilizing common shopping carts and web-based check-out services, truly 
tying together their business lines. If an affiliate or service-
provider exception were not included within the first-party marketing 
exception, it could seriously harm these growing programs. 
Additionally, department stores have historically relied on leased 
departments and other third-parties to provide their in-store customers 
with specialized, branded products (e.g., cosmetics, sunglasses, 
jewelry, etc.) and additional customer services (e.g., hair salons, 
photo studios, appliance repair, etc.). If these types of relationships 
are not considered within the scope of the first-party marketing 
exception, it could critically damage these relationships and force a 
complete reorganization of traditional retail department store 
practices that underlie the provision of these services--even possibly 
limiting their future availability to consumers.
    The final question posed by the FTC Privacy Report about first-
party marketing asks how the proposed framework should handle the 
process of data enhancement, whereby a company obtains information 
about its customers from other sources to enrich its customer 
databases. This practice should not be considered different from first-
party marketing and thereby subject to enhanced notice-and-choice 
regulations, but should fall under similar exceptions for ``first-party 
marketing.'' Data enhancement tools are used for many different 
purposes: customer relationship management (CRM), marketing (especially 
targeted marketing), internal business planning (e.g., locating stores 
and planning inventory), loss prevention, fraud prevention and product 
and service fulfillment. For instance, if a retailer did not use third-
party data enhancement to keep current with its customers, it could 
mistakenly send promotional coupons to a deceased customer's household 
without ever knowing it. By confirming current addresses with third-
party service providers, a retailer also might avoid sending mail to an 
old address for products which may be unwanted or irrelevant to the new 
resident. Many consumers often do not bother updating their mailing 
address even with their favorite retailer, simply assuming they will 
continue to receive discounts and promotions from the same store at 
their new mailing address. In another example, retailers commonly run 
shipping addresses provided by a consumer against fraud prevention 
lists, and if new addresses raise red flags in the future, they may be 
subject to further scrutiny via data enhancement tools.
    If these types of common data practices were to fall outside of the 
exceptions for commonly accepted practices in federal legislation, and 
be subject to a new customer notice-andchoice regime, what are now 
routine first-party processes would have to be noticed by retailers and 
customers would be constantly bombarded with marketing ``choices'' at 
the point of sale, whether in a store, on the Internet, or on their 
mobile devices. This would be extremely disruptive to the retail 
customer experience and, furthermore, provides no conceivable benefit 
to consumers because these common practices are not ones that consumers 
are complaining about in the first place.
C. Offering Consumer Choice in the Context in Which It Is Made (Online 
        and 
        Offline)
    The FTC Privacy Report states that to ``be most effective, 
companies should provide the choice mechanism at a time and in a 
context in which the consumer is making a decision about his or her 
data.'' \7\ Indeed, some suggest that allowing consumer choice is very 
technologically workable in the online context. It is true that 
technology has made real-time notice and choice regimes more palatable 
and, when taken individually, disruptions in the flow of the customer's 
experience may not seem like a big deal to a lay person. However, in 
terms of overall conversion rates, these types of ``hiccups'' or 
consumer annoyances can be devastating to retailers.
---------------------------------------------------------------------------
    \7\ FTC Privacy Report, p. 58.
---------------------------------------------------------------------------
    We all know how frustrating pop-ups can be when you are simply 
trying to read the latest headlines on a newspaper website. Now 
transfer that experience to a retail website, where customers have come 
to expect a seamless experience from homepage to check-out. Even under 
the best circumstances, average conversion rates are only about 3.1 
percent and shopping cart abandonment rates still hover at 50 
percent.\8\ Any additional hurdles would simply serve to frustrate 
consumers and could drive down the number of completed transactions 
overall. Further, we now know from years of experience, even when 
offered the option, as required by law, consumers do not regularly take 
advantage of these types of programs. In fact, by our estimates, only 6 
percent of retail customers exercised their right to opt-out of 
marketing e-mails in 2007.\9\
---------------------------------------------------------------------------
    \8\ The State of Retailing Online 2007, Part 1 of 2.
    \9\ The State of Retailing Online, 2008.
---------------------------------------------------------------------------
    To further complicate matters, the FTC Privacy Report suggested, 
and the proposed federal legislation would require, notice and consent 
for the collection of information in-store if that information 
collection and use fell outside of the exceptions for commonly 
authorized uses. These types of point-of-sale notice requirements are 
extraordinarily burdensome on both the retailer and the consumer in a 
physical store environment. Would a store clerk at point of sale be 
required to make sure a customer both received a privacy policy and 
understood the choices offered to them? Would every clerk in a 
department store have to repeat the process as a consumer walked from 
one third-party administered leased department (e.g., oriental rugs) to 
another (e.g., cosmetics)? Additionally, what new and costly point-of-
sale technology would be required to record a customer's marketing 
choices if they chose to opt-out? How would stores be required to keep 
track of that information (``durable opt-out'') when customers can shop 
in hundreds of store locations in several, if not all, states, as well 
as online? Would a ``John Smith'' who exercised an opt-out in Oregon be 
recognized as the same John Smith who visited a store in Florida during 
a family vacation? Or what if John later logged onto the retail website 
or used a retail store's mobile application on his cell phone? With 
opt-out rates being historically low, would such investments even be 
worth the expense and employee training necessary, particularly given 
the number of temporary or seasonal employees retained by a retail 
store during the course of any given year?
    With these considerations in mind, we ask that the members of the 
Committee reconsider this paradigm altogether and let these types of 
choices be exercised in the context in which a retail privacy policy is 
commonly offered. For instance, the Committee should consider allowing 
consumers to make marketing choices in the context of viewing a 
retailers' privacy policy on their website. In turn, we agree that 
marketers should make such policies more accessible to consumers--more 
easily found and in a simplified form.
    The effect of inundating consumers with new notices is also 
compounded by the overly-broad definition of covered information 
contained in the Kerry-McCain legislation and the possibility that 
common practices such as data append or data enhancement are not exempt 
from these new notice requirements. To require customer choice for many 
activities that fall outside the bill's exceptions for commonly 
accepted practices--for example, transferring customer information for 
third-party data analytics, asking customers about the stage of their 
pregnancy (a medical condition) to market maternity clothes or baby 
gear, or even deploying cutting-edge mobile marketing technologies--
will simply make these services much more difficult for retailers to 
continue to provide to their customers who want them.
    It is also important to mention again that consumers do not 
traditionally exercise choice--they rarely opt-in and they rarely opt-
out. The proposed privacy legislation appears to force the issue, 
without perhaps fully considering the continual annoyance this may 
create for the average consumer. For many individuals, there is already 
annoyance about being forced to read and sign a health care privacy 
policy notice in a trusted doctor's office--and that policy covers the 
protection of their ``sensitive'' health information. Imagine the 
frustration if the web, or the checkout line in your favorite store, 
was littered with warnings about marketing information. Retailers can 
imagine, unfortunately, many customers exercising choices with their 
feet--by choosing to shop elsewhere rather than be frustrated by this 
government vision of a satisfying consumer shopping experience.
    We are also concerned about federal legislative provisions that 
would require retailers to obtain opt-in consent for secondary uses of 
customer data that were not specifically disclosed at the time the data 
was first collected. We believe this requirement has the clear 
potential to stifle investment in future innovative uses of that data 
to benefit consumers. For example, had such a limitation been in place 
a decade ago, it may have prevented the use of data about customers' 
purchases to help provide recommendations to online shoppers (e.g., 
suggestions that other customers viewing a particular product also 
viewed similar products, or a greater percentage of other customers 
favored one product over another). These recommendation services exist 
on many retail websites today and are strongly favored by online 
shoppers. The use of one customer's data to make online recommendations 
to other customers may not have been disclosed to consumers in the 
early stages of the development of these practices. Yet, online 
consumers have benefited from such innovations despite not having 
expressly opted in to these data uses in advance.
    The appropriate choice standard for uses of marketing data and 
other non-identifiable or non-sensitive data is meaningful notice and 
the ability to opt-out, as many businesses currently provide. 
Otherwise, the well-meaning provisions in proposed legislation could 
result in actualizing the tragedy of the commons, whereby no innovation 
can take place to develop these beneficial services for customers 
because none of them have opted in to future data uses that permits 
their creation.
D. Do-Not-Track Mechanisms
    We live in the ``information age'' as well as a consumer-driven 
economy where two-thirds of our nation's GDP is directly attributable 
to consumer spending. Stifling information flows and innovations in 
technology (such as mobile marketing) would have a very detrimental 
effect on newly rebounding retail sales. We are very concerned about 
the FTC's proposed ``Do-Not-Track'' mechanism, and question its 
relevancy in light of the recent launch of comprehensive self-
regulatory programs (such as the Ad Choices program) or the new 
software being developed and incorporated into Internet browser 
software.
    Despite its similar sounding name, a Do-Not-Track mechanism would 
be fundamentally different from each of its predecessor proposals--Do-
Not-Call and Do-Not-Spam (which the FTC rejected)--in that the opt-out 
itself would not cover a specific phone number or individual's e-mail 
address, but instead could only be tied to computers or mobile devices 
that may be shared by multiple individuals within households or 
families. This shared use of devices would require individual consumers 
to continually opt-out as they changed devices (even moving from the 
many devices within their own home network: work computer, personal 
laptop, child's laptop, tower computer, Kindle, iPad, iPhone, 
Smartphone, and the list goes on) and could create significant consumer 
confusion because of the expectations built on the earlier Do-Not-Call 
program.
    We urge the Committee to allow the new self-regulatory programs and 
technological solutions to take root and for the FTC to revisit this 
issue in its final privacy report only if such programs appear to be 
failing. Since self-regulatory programs exist already, we believe the 
FTC's efforts should be focused on consumer education and awareness (an 
area where the Commission has and should play a strong role), and not 
on whether consumers are actually exercising their right to opt out 
under such programs. As we have noted above, when offered choices, most 
consumers simply choose to take no action, even after information is 
made available to them. It is highly probable that, once again, the 
metrics from the new programs simply may not bear out the argument (or 
expectation) that consumers will opt-out even when given great 
information and tailored choices. We hope that both the Committee and 
the Commission will keep these considerations in mind as you and the 
FTC review the adequacy of existing self-regulatory programs and the 
necessity of mandating a government-run Do-Not-Track mechanism for 
consumers.
V. Conclusion
    Retailers take the privacy and security of their customers' 
information seriously, and are motivated both by the desire to follow 
good business practices as well as a basic concern of maintaining their 
customers' satisfaction and not losing customers as the result of a 
perceived privacy gaffe or data security breach. We appreciate the 
Committee's focus on privacy and data security legislation and we 
believe that these continued hearings help clarify many of the issues 
surrounding the deployment of new and, sometimes controversial, 
technologies and business practices. As it has often been said, 
``sunlight is the best disinfectant,'' and an ongoing dialogue between 
the Committee and the business community over privacy issues is very 
useful. In particular, the Committee's ongoing interest in privacy 
encourages businesses to consider more carefully any changes in data 
collection or use that may make consumers feel uncomfortable about the 
safety and security of customer information.
    That being said, we would encourage the Committee to re-evaluate 
the breadth of the proposed federal privacy legislation and focus more 
keenly on specific practices that may cause real consumer harm. As 
drafted, the scope of proposed legislation focuses on an enormous swath 
of data and its uses, without narrowly focusing on the practices that 
the Committee might find most harmful to consumers. In December 2010, 
the FTC released its initial staff report on a proposed U.S. policy 
framework for the collection and use of consumer information. While the 
Commission has expressed its concern that the business community did 
not act quickly enough to implement its suggested best-practices to 
address the more narrow subject of online behavioral advertising 
practices, we have seen a great deal of activity in this area from both 
a technological and self-regulatory standpoint. This indicates that the 
FTC's more targeted efforts are having their intended effect, and this 
type of issue-by-issue approach, which focuses on specific consumer 
information uses, helps businesses harness important changes in 
technology that may need to be made in order to provide consumers a 
greater sense of privacy and security.
    In crafting and considering federal privacy legislation, we 
strongly urge the Committee to continue to respect the importance of 
information to businesses, particularly those practicing retail 
business models that have not been the subject of consumer complaints 
driving current federal agency inquiries and proposed privacy 
legislation. Retailers must collect, use and store information about 
their own customers going forward--it is vital to their businesses--and 
we continue to believe that first-party marketing (or marketing to 
one's own customers) should be exempted from any new notice-and-choice 
regime that may be proposed in privacy legislation. Information about 
customers is the lifeblood of retail, and effective marketing could not 
occur without the ability for retailers to understand their own 
customers over time and cater to their evolving interests in products. 
When the Committee members consider that consumer spending accounts for 
roughly two-thirds of our economy, and, that we are on the cusp of an 
economic recovery, now is the time for retailers to reach out even more 
effectively to their customers to get them into stores and spending 
again. Legislation that has the unintended consequence of limiting such 
important customer communications may very likely have a corresponding 
negative impact on our economy at a time we can least afford it.

    The Chairman. So ordered. I thank the Senator and now turn 
to Julie Brill, who is the Commissioner of the Federal Trade 
Commission, one of the commissioners; and Austin Schlick, who 
is General Counsel of the Federal Communications Commission; 
and Cameron Kerry, General Counsel, the Department of 
Commerce--three pretty good witnesses.
    Ms. Brill, if you wish to proceed.

         STATEMENT OF HON. JULIE BRILL, COMMISSIONER, 
                    FEDERAL TRADE COMMISSION

    Ms. Brill. Thank you, Chairman Rockefeller, and Ranking 
Member Hutchison and members of the Committee. I am Julie 
Brill, a Commissioner of the Federal Trade Commission. I 
appreciate the opportunity to present the Commission's 
testimony today.
    Vast amounts of personal information about consumers are 
collected and used by many different types of businesses, 
employers, retailers, advertisers, data brokers, lenders, 
insurance companies, and many more. Imagine a cash-strapped 
mother working as a substitute teacher and waiting for a 
permanent opening. She and her husband have mounting bills, so 
to tide them over between paychecks, she gets a payday loan.
    She then goes to the drugstore and buys diapers and 
Children's Tylenol with her loyalty card. Soon after, in the 
mail, she gets coupons for diapers and Children's Motrin, and 
she receives an offer to refinance her mortgage on terms that 
seem too good to be true.
    In the evening, the mom goes online to spend time on a 
social network site. While online, she notices she is receiving 
ads for toys and children's cough medicine, as well as more 
loan offers.
    Could the drugstore and social networking site have sold 
information about our consumer's purchases and interests? Could 
the payday lender have sold information about her need for 
money to other lenders and lead generators, both online and 
offline, who are offering her loans? Could the fact that she is 
a new mom be sold to potential employers? The answer to all of 
these questions is yes.
    Some of the things I've described can offer real benefits. 
The mom probably wants coupons for diapers. But the vast 
majority of consumers are completely unaware that their 
purchasing history, their particular financial situation, 
information about their health and other personal information 
is sold to data brokers, lead generators, lenders, insurance 
companies, potential employers, and others.
    Most consumers are simply unaware of the data deluge about 
them being collected, sold, and used both online and offline. I 
am concerned about how consumers' privacy is impacted by these 
practices.
    At the Federal Trade Commission, we are focused on 
solutions that provide consumers with more information and more 
choices about these practices while allowing industry to 
continue to innovate and thrive. The FTC enforces laws 
protecting consumer privacy and security, educates consumers 
and businesses, and engages in policy initiatives.
    Our written testimony highlights our many recent 
significant enforcement efforts related to privacy and data 
security, including our latest action announced just this week 
against Teletrack, a company that sold lists about financially 
distressed consumers to marketers. To settle our allegations, 
Teletrack agreed to comply with the Fair Credit Reporting Act 
and pay a $1.8 million civil penalty.
    Privacy and security continue to be front and center on the 
Commission's policy agenda as well. The Commission has not 
taken a position on whether general privacy or do-not-track 
legislation is needed. But a majority of commissioners, myself 
included, supports widespread implementation of do-not-track 
mechanisms.
    More generally, the Commission supports strong privacy 
protections. Our preliminary staff privacy report recommended 
that industry build privacy protections into their products and 
services at the outset, simplify choices presented to consumers 
about privacy, and improve transparency relating to data 
collection and use.
    On data security, the Commission supports the enactment of 
federal data security and breach notification legislation. I am 
pleased that legislation proposed in this committee aims to 
accomplish all of these goals.
    Thank you for your leadership on consumer privacy and data 
security. We look forward to continuing to work closely with 
you on these critical issues.
    [The prepared statement of Ms. Brill follows:]

         Prepared Statement of Hon. Julie Brill, Commissioner, 
                        Federal Trade Commission
I. Introduction
    Chairman Rockefeller, Ranking Member Hutchison, and members of the 
Committee, I am Julie Brill, a Commissioner of the Federal Trade 
Commission (``FTC'' or ``Commission'').\1\ I appreciate the opportunity 
to present the Commission's testimony on consumer privacy.
---------------------------------------------------------------------------
    \1\ The views expressed in this statement represent the views of 
the Commission. My oral presentation and responses to questions are my 
own and do not necessarily represent the views of the Commission or any 
other Commissioner. Commissioner William E. Kovacic dissents from this 
testimony to the extent that it endorses a Do Not Track mechanism. 
Commissioner Rosch dissents to the portions of the testimony that 
discuss and describe certain conclusions about the concept of Do Not 
Track. His views are included in an attached Separate Statement.
---------------------------------------------------------------------------
    Privacy has been an important component of the Commission's 
consumer protection mission for 40 years.\2\ During this time, the 
Commission's goal in the privacy arena has remained constant: to 
protect consumers' personal information and ensure that they have the 
confidence to take advantage of the many benefits offered by the 
dynamic and ever-changing marketplace. To meet this objective, the 
Commission has undertaken substantial efforts to promote privacy in the 
private sector through law enforcement, education, and policy 
initiatives. For example, since 2001, the Commission has brought 34 
cases challenging the practices of companies that failed to adequately 
protect consumers' personal information; more than 100 spam and spyware 
cases; and 16 cases for violation of the Children's Online Privacy 
Protection Act (``COPPA'').\3\ The Commission also has distributed 
millions of copies of educational materials for consumers and 
businesses to address ongoing threats to security and privacy. And the 
FTC examines the implications of new technologies and business 
practices on consumer privacy through ongoing policy initiatives, such 
as a recent proposed privacy framework.
---------------------------------------------------------------------------
    \2\ Information on the FTC's privacy initiatives generally may be 
found at business.ftc.gov/privacy-and-security.
    \3\ 15 U.S.C.  6501-6508.
---------------------------------------------------------------------------
    This testimony begins by describing some of the uses of consumer 
data that affect consumers' privacy in today's economy. It then offers 
an overview of the Commission's recent efforts in the enforcement, 
education, and policy areas. While the testimony does not offer views 
on general privacy legislation, the Commission encourages Congress to 
enact data security legislation that would: (1) impose data security 
standards on companies, and (2) require companies, in appropriate 
circumstances, to provide notification to consumers when there is a 
security breach.\4\
---------------------------------------------------------------------------
    \4\ The Commission has long supported data security and breach 
notification legislation. See, e.g., Prepared Statement of the Federal 
Trade Commission, Data Security, Before the Subcomm. on Commerce, 
Manufacturing, and Trade of the H. Comm. on Energy and Commerce, 112th 
Cong., June 15, 2011, available at http://www.ftc.gov/os/testimony/
110615datasecurity
house.pdf (noting the Commission's support for data security and breach 
notification standards); Prepared Statement of the Federal Trade 
Commission, Protecting Social Security Numbers From Identity Theft, 
Before the Subcomm. on Social Security of the H. Comm. on Ways and 
Means, 112th Cong., April 13, 2011, available at http://ftc.gov/os/
testimony/110411ssn-idtheft.pdf (same); FTC, Security in Numbers, SSNs 
and ID Theft (Dec. 2008), available at www.ftc.gov/os/2008/12/
P075414ssnreport.pdf; President's Identity Theft Task Force, Identity 
Theft Task Force Report (Sept. 2008), available at http://
www.idtheft.gov/reports/IDTReport2008.pdf.
---------------------------------------------------------------------------
II. Information Flows in the Current Marketplace
    For today's consumer, understanding the complex transfers of 
personal information that occur in the offline and online marketplaces 
is a daunting task. Indeed, these information flows take place in 
almost every conceivable consumer interaction. For example, a consumer 
goes to work and provides sensitive information to her employer, such 
as her Social Security Number, to verify her employment eligibility, 
and bank account number, so that she can get paid. After work, she uses 
an application on her Smartphone to locate the closest ATM so that she 
can withdraw cash. She then visits her local grocery store and signs up 
for a loyalty card to get discounts on future purchases. Upon returning 
home, the consumer logs onto her computer and begins browsing the web 
and updating her social networking page. Later, her child logs on to 
play an online interactive game.
    All of these activities clearly benefit the consumer--she gets 
paid, enjoys free and immediate access to information, locates places 
of interest, obtains discounts on purchases, stays connected with 
friends, and can entertain herself and her family. Her life is made 
easier in a myriad of ways because of information flows.
    There are other implications, however, that may be less obvious. 
Her grocery store purchase history, web activities, and even her 
location information, may be collected and then sold to data brokers 
and other companies she does not know exist. These companies could use 
her information to market other products and services to her or to make 
decisions about her eligibility for credit, employment, or insurance. 
And the companies with whom she and her family interact may not 
maintain reasonable safeguards to protect the data they have collected.
    Some consumers have no idea that this type of information 
collection and sharing is taking place. Others may be troubled by the 
collection and sharing described above. Still others may be aware of 
this collection and use of their personal information but view it as a 
worthwhile trade-off for innovative products and services, convenience, 
and personalization. And some consumers--some teens for example--may be 
aware of the sharing that takes place, but may not appreciate the risks 
it poses. Because of these differences in consumer understanding, and 
attitudes, as well as the rapid pace of change in technology, 
policymaking on privacy issues presents significant challenges and 
opportunities.
    As the hypothetical described above shows, consumer privacy issues 
touch many aspects of our lives in both the brick-and-mortar and 
electronic worlds. In the offline world, data brokers have long 
gathered information about our retail purchases, and consumer reporting 
agencies have long made decisions about our eligibility for credit, 
employment, and insurance based on our past transactions. But new 
online business models such as online behavioral advertising, social 
networking, interactive gaming, and location-based services have 
complicated the privacy picture. In addition, the aggregation of data 
in both the online and offline worlds have in some instances led to 
increased opportunities for fraud. For instance, entities have used 
past transaction history gathered from both the online and offline 
world to sell ``sucker lists'' of consumers who may be susceptible to 
different types of fraud. In both the online and offline worlds, data 
security continues to be an issue. The FTC continues to tackle each of 
these issues through enforcement, education, and policy initiatives.
III. Enforcement
    In the last 15 years, the Commission has brought 34 data security 
cases; 64 cases against companies for improperly calling consumers on 
the Do Not Call registry; \5\ 86 cases against companies for violating 
the Fair Credit Reporting Act (``FCRA''); \6\ 97 spam cases; 15 spyware 
(or nuisance adware) cases; and 16 cases against companies for 
violating COPPA. Where the FTC has authority to seek civil penalties, 
it has aggressively done so. It has obtained $60 million in civil 
penalties in Do Not Call cases; $21 million in civil penalties under 
the FCRA; $5.7 million under the CAN-SPAM Act; \7\ and $6.2 million 
under COPPA. Where the Commission does not have authority to seek civil 
penalties, as in the data security and spyware areas, it has sought 
such authority from Congress. In addition, the Commission has brought 
numerous cases against companies for violating the FTC Act by making 
deceptive claims about the privacy protection they afford to the 
information they collect. And these numbers do not fully reflect the 
scope of the Commission's vigorous enforcement agenda, as not all 
investigations result in enforcement actions. When an enforcement 
action is not warranted, staff closes the investigation, and in some 
cases it issues a closing letter.'' \8\ This testimony highlights the 
Commission's recent, publicly-announced enforcement efforts to address 
the types of privacy issues raised by the hypothetical scenario 
described above.
---------------------------------------------------------------------------
    \5\ 16 C.F.R. Part 310.
    \6\ 15 U.S.C.  1681e-i.
    \7\ 15 U.S.C.  7701-7713.
    \8\ See http://www.ftc.gov/os/closings/staffclosing.shtm.
---------------------------------------------------------------------------
    First, the Commission enforces the FTC Act and several other laws 
that require companies to maintain reasonable safeguards for the 
consumer data they maintain.\9\ Most recently, the Commission resolved 
allegations that Ceridian Corporation \10\ and Lookout Services, 
Inc.\11\ violated the FTC Act by failing to implement reasonable 
safeguards to protect the sensitive consumer information they 
maintained. The companies offered, respectively, payroll processing and 
immigration compliance services for small business employers. As a 
result, they both obtained, processed, and stored highly-sensitive 
information--including Social Security numbers--of employees. The 
Commission alleged that both companies failed to appropriately 
safeguard this information, which resulted in intruders being able to 
access it. The orders require the companies to implement a 
comprehensive data security program and obtain independent audits for 
20 years.
---------------------------------------------------------------------------
    \9\ See the Commission's Safeguards Rule under the Gramm-Leach-
Bliley Act, 16 C.F.R. Part 314, implementing 15 U.S.C.  6801(b), and 
provisions of the FCRA, 15 U.S.C.  1681e, 1681w, implemented at 16 
C.F.R. Part 682.
    \10\ Ceridian Corp., FTC Docket No. C-4325 (June 8, 2011) (consent 
order), available at www.ftc.gov/opa/2011/05/ceridianlookout.shtm.
    \11\ Lookout Servs., Inc., FTC Docket No. C-4326 (June 15, 2011) 
(consent order), available at www.ftc.gov/opa/2011/05/
ceridianlookout.shtm.
---------------------------------------------------------------------------
    Second, the Commission enforces the FCRA, which, among other 
things, prescribes that companies only sell sensitive consumer report 
information for ``permissible purposes,'' and not for general marketing 
purposes. Just this week, the Commission announced an FCRA enforcement 
action against Teletrack for violating this provision. Teletrack 
provides consumer reporting services to payday lenders, rental purchase 
stores, and certain auto lenders, so that they can determine consumers' 
eligibility to receive credit.\12\ The Commission alleged that 
Teletrack created a marketing database of consumers, and sold lists of 
consumers who had applied for payday loans to entities that did not 
have a permissible purpose. The Commission asserted that Teletrack's 
sale of these lists violated the FCRA because the lists were in fact 
consumer reports, which cannot be sold for marketing purposes. The 
Commission's agreement with Teletrack requires it to pay $1.8 million 
in civil penalties for FCRA violations.
---------------------------------------------------------------------------
    \12\ See U.S. v. Teletrack, Inc., No. 1:11-CV-2060 (N.D. Ga. filed 
June 24, 2011) (proposed consent order), available at http://
www.ftc.gov/opa/2011/06/teletrack.shtm.
---------------------------------------------------------------------------
    Third, the Commission has been active in ensuring that companies 
engaged in social networking adhere to any promises to keep consumers' 
information private.\13\ The Commission's recent case against Google 
alleges that the company deceived consumers by using information 
collected from Gmail users to generate and populate its new social 
network, Google Buzz.\14\ The Commission charged that Google made 
public its Gmail users' associations with their frequent e-mail 
contacts without the users' consent and in contravention of Google's 
privacy policy. As part of the Commission's proposed settlement order, 
Google must implement a comprehensive privacy program and conduct 
independent audits every other year for the next 20 years.\15\ Further, 
Google must obtain affirmative express consent for product or service 
enhancements that involve new sharing of previously collected data.
---------------------------------------------------------------------------
    \13\ See, e.g., Twitter, Inc., FTC Docket No. C-4316 (Mar. 2, 2011) 
(consent order), available at http://www.ftc.gov/opa/2010/06/
twitter.shtm (resolving allegations that social networking service 
Twitter deceived its customers by failing to honor their choices after 
offering the opportunity to designate certain ``tweets'' as private).
    \14\ Google, Inc., FTC File No. 102 3136 (Mar. 30, 2011) (consent 
order accepted for public comment), available at www.ftc.gov/opa/2011/
03/google.shtm. Commissioner Rosch issued a concurring statement 
expressing concerns about the terms of the proposed consent agreement, 
available at http://www.ftc.gov/os/caselist/1023136/
110330googlebuzzstatement.pdf.
    \15\ This provision would apply to any data collected by Google 
about users of any Google product or service, including mobile and 
location-based data.
---------------------------------------------------------------------------
    Fourth, the Commission has sought to protect consumers from 
deceptive practices in the behavioral advertising area. In June, the 
Commission finalized a settlement with Chitika, Inc., an online network 
advertiser that acts as an intermediary between website publishers and 
advertisers.\16\ The Commission's complaint alleged that Chitika 
violated the FTC Act by offering consumers the ability to opt out of 
the collection of information to be used for targeted advertising--
without telling them that the opt-out lasted only 10 days. The 
Commission's order prohibits Chitika from making future privacy 
misrepresentations. It also requires Chitika to provide consumers with 
an effective opt-out mechanism, link to this opt-out mechanism in its 
advertisements, and provide a notice on its website for consumers who 
may have opted out when Chitika's opt-out mechanism was ineffective. 
Finally, the order requires Chitika to destroy any data that can be 
associated with a consumer that it collected during the time its opt-
out mechanism was ineffective.
---------------------------------------------------------------------------
    \16\ Chitika, Inc., FTC Docket No. C-4324 (June 7, 2011) (consent 
order), available at http://www.ftc.gov/opa/2011/03/chitika.shtm.
---------------------------------------------------------------------------
    Fifth, the Commission has tried to ensure that data brokers respect 
consumers' choices. In March, the Commission announced a final order 
against U.S. Search, a data broker that maintained an online service, 
which allowed consumers to search for information about others.\17\ The 
company allowed consumers to opt out of having their information appear 
in search results, for a fee of $10. The Commission charged that 
although 4,000 consumers paid the fee and opted out, their personal 
information still appeared in search results. The Commission's 
settlement requires U.S. Search to disclose limitations on its opt-out 
offer, and to provide refunds to consumers who had previously opted 
out.
---------------------------------------------------------------------------
    \17\ US Search, Inc., FTC Docket No. C-4317 (Mar. 14, 2011) 
(consent order), available at http://www.ftc.gov/opa/2010/09/
ussearch.shtm.
---------------------------------------------------------------------------
    Finally, to protect children's privacy, the Commission enforces the 
Children's Online Privacy Protection Act (``COPPA''). In its most 
recent case, against Playdom, Inc. and one of its senior executives, 
the Commission obtained an agreement with the operators of 20 online 
virtual worlds to pay $3 million to settle charges that they violated 
COPPA by illegally collecting and disclosing personal information from 
hundreds of thousands of children under age 13 without their parents' 
consent.\18\ The defendants allegedly collected children's ages and e-
mail addresses during registration and then enabled them to publicly 
post their full names, e-mail addresses, instant messenger IDs, and 
location on personal profile pages and in online community forums. The 
FTC charged that the defendants' failure to provide proper notice or 
obtain parents' prior verifiable consent before collecting or 
disclosing children's personal information violated COPPA. It further 
charged that the defendants violated the FTC Act because their privacy 
policy misrepresented that the company would prohibit children under 13 
from posting personal information online. In addition to the $3 million 
civil penalty--the largest ever for a COPPA violation--the proposed 
settlement permanently bars the defendants from violating COPPA and 
from misrepresenting their information practices regarding children.
---------------------------------------------------------------------------
    \18\ See U.S. v. Playdom, Inc., No. SACV11-00724 (C.D. Cal. filed 
May 11, 2011) (proposed consent order), available at http://
www.ftc.gov/opa/2011/05/playdom.shtm.
---------------------------------------------------------------------------
IV. Education
    The FTC conducts outreach to businesses and consumers in the area 
of consumer privacy. The Commission's well-known OnGuard Online website 
educates consumers about many online threats to consumer privacy and 
security, including spam, spyware, phishing, peerto-peer (``P2P'') file 
sharing, and social networking.\19\ The Commission has also issued 
numerous education materials to help consumers protect themselves from 
identity theft and to deal with its consequences when it does occur. 
The FTC has distributed over 3.8 million copies of a victim recovery 
guide--Take Charge: Fighting Back Against Identity Theft--and has 
recorded over 3.5 million visits to the Web version. In addition, the 
FTC has developed education resources specifically for children, 
parents, and teachers to help children stay safe online. In response to 
the Broadband Data Improvement Act of 2008, the FTC produced the 
brochure Net Cetera: Chatting with Kids About Being Online to give 
adults practical tips to help children navigate the online world.\20\ 
In less than 1 year, the Commission distributed more than 7 million 
copies of Net Cetera to schools and communities nationwide.
---------------------------------------------------------------------------
    \19\ See www.onguardonline.gov. Since its launch in 2005, OnGuard 
Online and its Spanish-language counterpart Alertaena L!nea have 
attracted nearly 12 million unique visits.
    \20\ See Press Release, FTC, OnGuardOnline.gov Off to a Fast Start 
with Online Child Safety Campaign (Mar. 31, 2010), available at 
www.ftc.gov/opa/2010/03/netcetera.shtm.
---------------------------------------------------------------------------
    Business education is also an important priority for the FTC. The 
Commission developed a widely-distributed guide to help small and 
medium-sized businesses implement appropriate data security for the 
personal information they collect and maintain.\21\
---------------------------------------------------------------------------
    \21\ See Protecting Personal Information: A Guide For Business, 
available at www.ftc.gov/infosecurity.
---------------------------------------------------------------------------
    Another way in which the Commission seeks to educate businesses is 
by publicizing its complaints and orders and issuing public closing 
letters. For example, the Commission recently sent a letter closing an 
investigation of Social Intelligence Corporation, a company that sold 
reports to employers about potential job applicants.\22\ The reports 
included public information gathered from social networking sites. The 
investigation sought to determine Social Intelligence's compliance with 
the FCRA.\23\ Although the staff decided to close the particular 
investigation, the public closing letter served to notify similarly 
situated businesses that, to the extent they collect information from 
social networking sites for employment determinations, they must comply 
with the FCRA. The letter included guidance on the obligations of such 
businesses under the FCRA. For example, companies must take reasonable 
steps to ensure the maximum possible accuracy of the information 
reported from social networking sites. They must also provide employers 
who use their reports with information about the employers' obligation 
to notify job applicants if they were denied employment on the basis of 
these reports, and to provide such applicants with information about 
their rights under the FCRA.
---------------------------------------------------------------------------
    \22\ Letter from Maneesha Mithal, Associate Director, Division of 
Privacy and Identity Protection to Renee Jackson, Counsel to Social 
Intelligence Corporation (May 9, 2011), available at www.ftc.gov/os/
closings/110509socialintelligenceletter.pdf.
    \23\ FTC staff did not express an opinion on the merits of Social 
Intelligence's business model.
---------------------------------------------------------------------------
V. Policy Initiatives
    The Commission's privacy program also includes public workshops, 
reports, and policy reviews to examine the implications of new 
technologies and business practices on consumer privacy. For example, 
in December 2009, February 2010, and March 2010, the FTC convened three 
public roundtables to explore consumer privacy issues, including the 
issues facing the hypothetical consumer discussed in Section II 
above.\24\
---------------------------------------------------------------------------
    \24\ See generally FTC Exploring Privacy web page, at www.ftc.gov/
bcp/workshops/privacyroundtables.
---------------------------------------------------------------------------
    Based on these roundtable discussions, staff issued a preliminary 
report in December 2010,\25\ which proposed and solicited comment on a 
new framework to guide policymakers and industry as they consider 
further steps to improve consumer privacy protection. The proposed 
framework included three main concepts.
---------------------------------------------------------------------------
    \25\ See A Preliminary FTC Staff Report on Protecting Consumer 
Privacy in an Era of Rapid Change: A Proposed Framework for Businesses 
and Policymakers (Dec. 1, 2010), available at www.ftc.gov/os/2010/12/
101201privacyreport.pdf. Commissioners Kovacic and Rosch issued 
concurring statements available at www.ftc.gov/os/2010/12/
101201privacyreport.pdf at Appendix D and Appendix E, respectively.
---------------------------------------------------------------------------
    First, staff recommended that companies should adopt a ``privacy by 
design'' approach by building privacy protections into their everyday 
business practices, such as collecting or retaining only the data they 
need to provide a requested service or transaction, and implementing 
reasonable security for such data. Thus, for example, if a mobile 
application (``app'') is providing traffic and weather information to a 
consumer, it does need to collect call logs or contact lists from the 
consumer's device. Similarly, if an app does need sensitive 
information, such as location, in order to provide a requested service, 
the app developer should carefully consider how long the information 
should be retained to provide such service and how the information 
should best be protected.
    Second, staff proposed that companies provide simpler and more 
streamlined choices to consumers about their data practices. One 
example of how choice may be simplified for consumers is through a 
universal, one-stop choice mechanism for online behavioral tracking, 
often referred to as ``Do Not Track.'' The Staff Report recommended 
implementation of such a system.\26\ Following the release of the Staff 
Report, the Commission has testified that any Do Not Track system 
should include certain attributes.\27\ First, any Do Not Track system 
should be implemented universally, so that consumers do not have to 
repeatedly opt out of tracking on different sites. Second, the choice 
mechanism should be easy to find, easy to understand, and easy to use. 
Third, any choices offered should be persistent and should not be 
deleted if, for example, consumers clear their cookies or update their 
browsers. Fourth, a Do Not Track system should be comprehensive, 
effective, and enforceable. It should opt consumers out of behavioral 
tracking through any means and not permit technical loopholes. Finally, 
an effective Do Not Track system would go beyond simply opting 
consumers out of receiving targeted advertisements; it would opt them 
out of collection of behavioral data for all purposes other than 
product and service fulfillment and other commonly accepted 
practices.\28\
---------------------------------------------------------------------------
    \26\ Commissioner Kovacic believes that the endorsement of a Do Not 
Track mechanism by staff (in the report) and the Commission (in this 
testimony) is premature. His concerns about the Commission Staff Report 
are set forth in his statement on the report. See FTC Staff Report, 
supra note 22, at App. D. Commissioner Rosch supported a Do Not Track 
mechanism only if it were ``technically feasible'' and implemented in a 
fashion that provides informed consumer choice regarding all the 
attributes of such a mechanism. Id. At App. E. Commissioner Rosch 
continues to believe that a variety of issues need to be addressed 
prior to the endorsement of any particular Do Not Track mechanism. See 
Statement of Commissioner J. Thomas Rosch, Dissenting in Part, Privacy 
and Data Security: Protecting Consumers in the Modern World, Hearing 
Before the S. Comm. on Commerce, Science, and Transportation, 112th 
Cong. (June 29, 2011).
    \27\ See, e.g., Prepared Statement of the Federal Trade Commission, 
The State of Online Consumer Privacy, Hearing Before the S. Comm. on 
Commerce, Science and Transportation, 112th Cong. (Mar. 16, 2011), 
available at http://www.ftc.gov/os/testimony/110316consumerprivacy
senate.pdf; Prepared Statement of the Federal Trade Commission, Do Not 
Track, Hearing Before the Subcomm. on Commerce, Trade and Consumer 
Protection of the H. Comm. on Energy and Commerce, 111th Cong. (Dec. 2, 
2010), available at www.ftc.gov/os/testimony/101202
donottrack.pdf (hereinafter ``Do Not Track Testimony'').
    \28\ As noted in prior Commission testimony, such a mechanism 
should be different from the Do Not Call program in that it should not 
require the creation of a ``Registry'' of unique identifiers, which 
could itself cause privacy concerns. See Do Not Track Testimony, supra 
note 27.
---------------------------------------------------------------------------
    Of course, any Do Not Track system should not undermine the 
benefits that online behavioral advertising has to offer, by funding 
online content and services and providing personalized advertisements 
that many consumers value. For this reason, any Do Not Track mechanism 
should be flexible. For example, it should allow companies to explain 
the benefits of tracking and to take the opportunity to convince 
consumers not to opt out of tracking. Further, a Do Not Track system 
could include an option that enables consumers to control the types of 
advertising they want to receive and the types of data they are willing 
to have collected about them, in addition to providing the option to 
opt-out completely.\29\
---------------------------------------------------------------------------
    \29\ For example, use of a Do Not Track browser header would enable 
consumer customization. The browser could send the header to some sites 
and not others. Moreover, a particular site could ignore the header to 
the extent the user has consented to tracking on that site.
---------------------------------------------------------------------------
    Industry appears to be receptive to the demand for simple choices. 
Recently, three of the major browsers offered by Mozilla, Microsoft, 
and Apple, announced the development of new choice mechanisms for 
online behavioral advertising that seek to provide increased 
transparency, greater consumer control and improved ease of use. More 
recently, Mozilla introduced a version of its browser that enables Do 
Not Track for mobile web browsing. In addition, an industry coalition 
of media and marketing associations, the Digital Advertising Alliance, 
has continued to make progress on implementation of its improved 
disclosure and consumer choice mechanism offered through a behavioral 
advertising icon.
    Third, the Staff Report proposed a number of measures that 
companies should take to make their data practices more transparent to 
consumers. For instance, in addition to providing the contextual 
disclosures described above, companies should improve their privacy 
notices so that consumers, advocacy groups, regulators, and others can 
compare data practices and choices across companies, thus promoting 
competition among companies. The staff also proposed providing 
consumers with reasonable access to the data that companies maintain 
about them, particularly for non-consumer-facing entities such as data 
brokers. Because of the significant costs associated with access, the 
Staff Report noted that the extent of access should be proportional to 
both the sensitivity of the data and its intended use. Staff is 
evaluating the 450 comments received and expects to issue a final 
report later this year.
    In addition to issuing reports, the Commission also reviews its 
rules periodically to ensure that they keep pace with changes in the 
marketplace. The Commission is currently reviewing its rule 
implementing COPPA and anticipates that any proposed changes will be 
announced in the coming months.\30\
---------------------------------------------------------------------------
    \30\ See generally COPPA Rulemaking and Rule Reviews web page, 
available at business.ftc.gov/documents/coppa-rulemaking-and-rule-
reviews.
---------------------------------------------------------------------------
    Finally, the Commission hosts workshops to study and publicize more 
specific issues. One such issue that has been in the news recently is 
identity theft targeting children.\31\ For a variety of reasons--
including poor safeguards for protecting children's data--identity 
thieves can get access to children's Social Security numbers. These 
criminals may deliberately use a child's Social Security number, or 
fabricate a Social Security number that coincidentally has been 
assigned to a child, in order to obtain employment, apply for 
government benefits, open new accounts, or apply for car loans or even 
mortgages. Child identity theft is especially pernicious because the 
theft may not be detected until the child becomes an adult and seeks 
employment, or applies for student and car loans.
---------------------------------------------------------------------------
    \31\ See, e.g., Richard Power, Carnegie Mellon Cylab, Child 
Identity Theft, New Evidence Indicates Identity Thieves are Targeting 
Children for Unused Social Security Numbers (2011), available at 
www.cyblog.cylab.cmu.edu/2011/03/child-identity-theft.html; Children's 
Advocacy Institute, The Fleecing of Foster Children: How We Confiscate 
Their Assets and Undermine Their Financial Security (2011), available 
at http://www.caichildlaw.org/Misc/Fleecing_Report_
Final_HR.pdf.
---------------------------------------------------------------------------
    To address the challenges raised by child identity theft, 
Commission staff, along with the Department of Justice's Office of 
Victims of Crime, will host a forum on July 12, 2011.\32\ Participants 
will include educators, child advocates, and representatives of various 
governmental agencies and the private sector. The forum will include a 
discussion on how to improve the security of children's data in various 
contexts--including within the education system as well as the foster 
care system--where children may be particularly susceptible to identity 
theft. The goal of the forum is to develop ways to effectively advise 
parents on how to avoid child identity theft, how to protect children's 
personal data, and how to help parents and young adults who have been 
victims of child identity theft recover from the crime.
---------------------------------------------------------------------------
    \32\ See Press Release, FTC, Department of Justice to Host Forum on 
Child Identity Theft (June 2, 2011), available at www.ftc.gov/opa/2011/
06/childtheft.shtm.
---------------------------------------------------------------------------
VI. Conclusion
    The Commission is committed to protecting consumers' privacy and 
security--both online and offline. We look forward to continuing to 
work with Congress on these critical issues.
                               Attachment
Prepared Statement of Commissioner J. Thomas Rosch, Dissenting in Part 
  Privacy and Data Security: Protecting Consumers in the Modern World
    The root problem with the concept of ``Do Not Track'' is that we, 
and with respect, the Congress, do not know enough about most tracking 
to determine how to achieve the five attributes identified in today's 
Commission testimony, or even whether those attributes can be 
achieved.\1\ Considered in a vacuum, the proposed Do Not Track 
attributes set forth in today's testimony can be considered innocuous, 
indeed even beneficial. However, the concept of Do Not Track cannot be 
considered in a vacuum. The promulgation of five attributes, standing 
alone, untethered to actual business practices and consumer 
preferences, and not evaluated in light of their impact upon innovation 
or the Internet economy, is irresponsible. I therefore respectfully 
dissent to the portions of the testimony that discuss and describe 
certain conclusions about the concept of Do Not Track.\2\
---------------------------------------------------------------------------
    \1\ As described in today's and prior testimony, the five 
attributes are:
    First, any Do Not Track system should be implemented universally, 
so that consumers do not have to repeatedly opt out of tracking on 
different sites. Second, the choice mechanism should be easy to find, 
easy to understand, and easy to use. Third, any choices offered should 
be persistent and should not be deleted if, for example, consumers 
clear their cookies or update their browsers. Fourth, a Do Not Track 
system should be comprehensive, effective, and enforceable. It should 
opt consumers out of behavioral tracking through any means and not 
permit technical loopholes. Finally, an effective Do Not Track system 
would go beyond simply opting consumers out of receiving targeted 
advertisements; it would opt them out of collection of behavioral data 
for all purposes other than product and service fulfillment and other 
commonly accepted practices.
    \2\ The concept of Do Not Track was presented in the preliminary 
Staff Privacy Report, issued in December 2010. See http://www.ftc.gov/
os/2010/12/101201privacyreport.pdf. At that time, the Commission 
requested public comment on the issues raised in that preliminary 
report.
---------------------------------------------------------------------------
    It is easy to attack practices that threaten data security. There 
is a consensus in both the United States and Europe that those 
practices are pernicious, and the Commission has successfully 
challenged them.\3\ It is also easy to attack practices that compromise 
certain personally identifiable information (``PII'') like one's social 
security number, confidential financial or health data, or other 
sensitive information, such as that respecting children. The consensus 
about those practices in the United States is reflected in federal 
statutes like the Health Insurance Portability and Accountability Act 
(``HIPAA''), the Gramm-Leach-Bliley Act (``GLBA''), and the Children's 
Online Privacy Protection Act (``COPPA''), and the Commission has 
likewise successfully challenged practices that violate those 
statutes.\4\ On the other hand, some of the ``tracking'' that occurs 
routinely is benign, such as tracking to ensure against advertisement 
repetition and other tracking activities that are essential to ensuring 
the smooth operation of websites and Internet browsing. But we do not 
know enough about other kinds of ``tracking''--or what consumers think 
about it--to reach any conclusions about whether most consumers 
consider it good, bad or are indifferent.
---------------------------------------------------------------------------
    \3\ See, e.g., Lookout Servs., Inc., FTC File No. 1023076 (June 15, 
2011) (consent order) (alleging failure to reasonably and appropriately 
secure employees' and customers' personal information, collected and 
maintained in an online data base); CVS Caremark Corp., FTC File No. 
0723119 (June 18, 2009) (consent order) (alleging failure to implement 
reasonable policies and procedures for secure disposal of personal 
information); BJ's Wholesale Club, Inc., FTC Docket No. C-4148 (Sept. 
20, 2005) (consent order) (alleging failure to take reasonable and 
appropriate security measures to protect sensitive consumer financial 
information with respect to credit and debit card purchases); Eli Lilly 
and Co., FTC File No. 0123214 (May 8, 2002) (consent order) (alleging 
failure to provide appropriate training for employees regarding 
consumer privacy and information security).
    \4\ Rite Aid Corp., FTC File No. 0723121 (Nov. 12, 2010) (consent 
order) (in conjunction with HHS; alleging failure to establish policies 
and procedures for the secure disposal of consumers' sensitive health 
information) (HIPAA); SettlementOne Credit Corp., FTC File No. 0823208 
(Feb. 9, 2011) (proposed consent agreement) (alleging that credit 
report reseller failed to implement reasonable safeguards to control 
risks to sensitive consumer information) (GLBA); United States v. 
Playdom, Inc., Case No. SACV 11-0724-AG(ANx) (C.D. Cal. May 24, 2011) 
(consent order) (alleging failure to provide notice and obtain consent 
from parents before collecting, using, and disclosing children's 
personal information) (COPPA).
---------------------------------------------------------------------------
    More specifically, it is premature to endorse any particular 
browser's Do Not Track mechanism. One type of browser mechanism 
proposed to implement Do Not Track involves the use of ``white lists'' 
and ``black lists'' to allow consumers to pick and choose which 
advertising networks they will allow to track them.\5\ These lists are 
furnished by interested third parties in order to prevent the types of 
tracking that consumers supposedly do not want.\6\ It is clear from 
these ``lists'' what the interested third parties think about the 
tracking on the lists (or not on the lists). However, it is not clear 
whether most consumers share those views, or even understand the basis 
upon which the ``list'' was created. Another proposed browser Do Not 
Track mechanism operates by sending a Do Not Track header as consumers 
surf the Internet. This mechanism would only eliminate tracking to the 
extent that the entities receiving the Do Not Track header understand 
and respect that choice. Theoretically at least, this mechanism could 
block all tracking if it does not offer customization and preserve the 
ability to customize.\7\ This is important because there may be some 
tracking that consumers find beneficial and wish to retain.
---------------------------------------------------------------------------
    \5\ Many, if not all, browsers currently allow consumers to 
customize their browser to prevent the installation of, or delete 
already installed, cookies that are used for tracking.
    \6\ Some Tracking Protection Lists (TPLs) allow any criterion to be 
used to decide which sites go on a TPL and which do not. In some cases, 
consumers may have the option to create their own TPL. However, as 
discussed below, neither the FTC, nor consumer advocates, nor consumers 
themselves, know enough about the tracking, collection, retention and 
sharing practices of online entities.
    \7\ In addition, it is not clear how the ``recipient'' of the Do 
Not Track header would respond to such a request when the consumer has 
otherwise indicated that he or she wishes to have the recipient 
customize the consumer's experience.
---------------------------------------------------------------------------
    Beyond that, consumers (including consumers that are surveyed by 
interested third parties) are generally not fully informed about the 
consequences--both bad and good--of subscribing to a Do Not Track 
mechanism.\8\ They are not always told, for example, that they may lose 
content (including advertising) that is most pertinent and relevant to 
them. Neither are they told that they may lose free content (that is 
paid for by advertising). Nor are they told that subscribing to a Do 
Not Track mechanism may result in more obtrusive advertising or in the 
loss of the chance to ``sell'' the history of their Internet activity 
to interested third parties. Indeed, they are not even generally told 
what kinds of tracking are going to be eliminated. On the other hand, 
consumers are not told that tracking may facilitate the compilation of 
a consumer ``profile'' through the aggregation of information by third 
parties to whom it is sold or with whom it is shared (such as insurance 
companies engaged in ``rating'' consumers). One reason that consumers 
are not told about the latter consequence is that we do not know enough 
about what information is being collected and sold to third parties to 
know the extent to which such aggregation is occurring.
---------------------------------------------------------------------------
    \8\ That is not to say that current technology cannot facilitate 
these disclosures. However, it is critical that advertisers and 
publishers take the opportunity to explain to consumers what their 
practices are and why they might be beneficial.
---------------------------------------------------------------------------
    One thing is certain though: consumers cannot expect simply to 
``register'' for a Do Not Track mechanism as they now register for ``Do 
Not Call.'' \9\ That is because a consumer registering for Do Not Call 
needs to furnish only his or her phone number. In the context of the Do 
Not Call program, each telephone already has a unique identifier in the 
form of a telephone number. In contrast, there is no such persistent 
identifier for computers. For example, Internet Protocol (``IP'') 
addresses can and do change frequently. In this context, creating a 
persistent identifier, and then submitting it to a centralized data 
base, would raise significant privacy issues.\10\ Thus, information 
respecting the particular computer involved is essential, and that kind 
of information cannot be furnished without compromising the very 
confidential information that consumers supposedly do not want to 
share. In addition, multiple users of the same computer or device may 
have different preferences, and tying a broad Do Not Track mechanism to 
a particular computer or device does not take that into consideration.
---------------------------------------------------------------------------
    \9\ See Prepared Statement of the Federal Trade Commission on Do 
Not Track Before the House Committee on Energy and Commerce 
Subcommittee on Commerce, Trade, and Consumer Protection, Dec. 2, 2010, 
available at http://www.ftc.gov/os/testimony/101202donottrack.pdf.
    \10\ A new identifier would be yet another piece of PII that 
companies could use to gather data about individual consumers.
---------------------------------------------------------------------------
    This is not to say that a Do Not Track mechanism is not feasible. 
It is to say that we must gather competent and reliable evidence about 
what kind of tracking is occurring before we embrace any particular 
mechanism. We must also gather reliable evidence about the practices 
most consumers are concerned about. Nor is it to say that it is 
impossible to gather that evidence. The Commission currently knows the 
identities of several hundred ad networks representing more than 90 
percent of those entities engaged in the gathering and sharing of 
tracking information. It is possible to serve those networks with 
compulsory process, which means that the questions about their 
information practices (collection, tracking, retention and sharing) 
must be answered under oath. That would enable the Commission to 
determine and report the kinds of information practices that are most 
frequently occurring. Consumers could then access more complete and 
reliable information about the consequences of information collection, 
tracking, retention and sharing. Additionally, the Commission could 
either furnish, or, depending on technical changes that may occur, 
facilitate the furnishing of, more complete and accurate ``lists'' and 
consumers would then have the ability to make informed choices about 
the collection, tracking, retention and sharing practices they would or 
would not permit.
    This course is not perfect. For one thing, it would take time to 
gather this information. For another thing, it would involve some 
expense and burden for responding parties (though no more than that to 
which food and alcohol advertisers who currently must answer such 
questionnaires are exposed). Consumers would also be obliged to avail 
themselves of the information provided by the Commission. But I 
respectfully submit that this course is superior to acting blindly, 
which is what I fear we are doing now.

    The Chairman. Thank you, Ms. Brill.
    Welcome, Mr. Kerry.

   STATEMENT OF HON. CAMERON F. KERRY, GENERAL COUNSEL, U.S. 
                     DEPARTMENT OF COMMERCE

    Mr. Kerry. Thank you. Thank you, Chairman Rockefeller, 
Senator Thune, and members of the Committee. I welcome the 
opportunity to be here today and to discuss with you the issue 
of how we can best protect consumer data privacy in a digital 
age. This is an issue that affects everyone.
    At this committee's hearing on March 16, the Obama 
Administration urged legislation to establish basic commercial 
data privacy protection for all U.S. consumers. What we 
recommended then had three elements.
    The first is baseline privacy protection in the form of a 
consumer privacy bill of rights adapted from widely accepted 
fair information practice principles. The second is for 
government to convene multi-stakeholder processes to encourage 
the private sector to develop legally enforceable, context 
specific codes of conduct that implement the bill of rights in 
specific context.
    And the third is to bolster the Federal Trade Commission's 
leadership in this field by granting it explicit authority to 
enforce the privacy bill of rights and to grant safe harbors 
for revolving codes of conduct.
    We are encouraged that members of this committee and others 
in Congress have introduced several bills to address 
significant data privacy issues. The Administration looks 
forward to working closely with members of this committee and 
Congress to pass legislation that will protect consumer 
interests and provide businesses and consumers with a clear and 
consistent set of rules of the road both within the United 
States and internationally.
    Our conclusion that the time has come for comprehensive 
data privacy protection is a product of the work of the 
Department of Commerce Internet Policy Task Force and the 
National Science and Technology Council subcommittee that I co-
chair. It reflects two tenets.
    The first is very simply that to harness the full power of 
the Internet, we need clear rules that allow for innovation and 
economic growth while protecting trust and respecting 
consumers' legitimate privacy expectations. Consumer groups, 
industry, and leading privacy scholars agree that a large 
percentage of Americans do not know what information is being 
collected about them or how they can control collection and 
use.
    Second, as we establish guidelines, we need to avoid a 
regulatory environment that restricts the innovation and the 
free flow of information that have been hallmarks of the 
Internet and drivers of economic growth and an expansion of 
information that stretches the boundaries of human knowledge 
and creates social and political change. Legislation shouldn't 
add duplicative or overly burdensome regulatory requirements to 
businesses that already adhere to strong privacy principles or 
that are subject to existing sectoral regimes. Legislation 
should be technology neutral so that, consistent with baseline 
principles, firms have flexibility to adapt technology to 
comply and to adopt business models that use data in ways not 
contemplated today.
    Our work continues as the Administration finishes a white 
paper on commercial privacy. At the Department of Commerce, we 
will engage with stakeholders on the development of codes of 
conduct. We will work on data security and work with other 
agencies to ensure global interoperability.
    This is an area where Congressional action can have 
significant impact. Two weeks ago, I was in Budapest to speak 
with European data privacy commissioners. And I can report to 
you that comprehensive legislation will send a strong message 
of U.S. leadership that could form a model for our partners, 
help prevent fragmentation of the world's privacy laws, and 
undo restrictions on businesses that conduct international 
trade.
    So, Mr. Chairman, we look forward to working with you, the 
Committee, stakeholders, the FTC, and with other federal 
agencies toward enactment of legislation in the field. I ask 
that my written comments be included in the record and welcome 
any questions.
    Thank you again for this opportunity.
    [The prepared statement of Mr. Kerry follows:]

     Prepared Statement of Hon. Cameron F. Kerry, General Counsel, 
                      U.S. Department of Commerce
I. Introduction
    Chairman Rockefeller, Ranking Member Hutchison, and distinguished 
Committee members, thank you for the opportunity to testify about the 
important issue of online privacy on behalf of the Department of 
Commerce (``Department'' or ``Commerce''). I welcome the opportunity to 
discuss how we can best protect consumer data privacy in the Digital 
Age. And I am pleased to testify here today with Commissioner Julie 
Brill of the Federal Trade Commission (FTC) and a fellow General 
Counsel, Austin Schlick of the Federal Communications Commission (FCC).
    At this committee's March 16, 2011, hearing on ``The State of 
Online Data Privacy,'' the Administration announced its support for 
legislation that would create baseline consumer data privacy 
protections through a ``consumer privacy bill of rights.'' \1\ We urged 
Congress to consider legislation that would establish these rights and 
obligations; to encourage the private sector to develop legally-
enforceable, industry-specific codes of conduct that can address 
emerging privacy issues while providing companies some assurance that 
they are in compliance with the law; and to grant the FTC the proper 
authority to enforce the law.
---------------------------------------------------------------------------
    \1\ Statement of Lawrence E. Strickling, Assistant Secretary for 
Communications and Information, before the Committee on Commerce, 
Science, and Transportation, U.S. Senate, Mar. 16, 2011, http://
www.ntia.doc.gov/presentations/2011/
Strickling_Senate_Privacy_Testimony_
03162011.html.
---------------------------------------------------------------------------
    We are encouraged that members of this committee and others have 
introduced several bills that reflect a bipartisan effort to address 
significant consumer data privacy issues affecting our society and our 
economy.
    Since this committee's hearing in March, we have been hard at work 
fleshing out Administration views on the issues we highlighted then. 
These views will inform an Obama Administration ``White Paper'' on 
consumer data privacy, which we are in the midst of drafting. I am here 
today to say we look forward to working with this Committee and other 
Members of Congress to pass legislation that will protect consumers' 
interests and provide businesses clear and consistent rules of the 
road.
    As we stated in March, the Administration supports legislation 
that, first, creates a set of basic privacy protections in the 
commercial context for all American consumers. Second, the 
Administration supports creating incentives for the private sector to 
develop legally-enforceable rules that specify how to implement this 
bill of rights in specific business contexts. Third, because 
enforcement is critical to ensuring that any consumer privacy bill of 
rights is effective, the Administration supports granting the FTC clear 
authority to enforce the privacy obligations established by 
legislation.\2\
---------------------------------------------------------------------------
    \2\ Id.
---------------------------------------------------------------------------
    I will outline briefly how we arrived at these premises, and then 
elaborate on each one.
II. The Need to Strengthen Our Consumer Data Privacy Framework
    Strengthening consumer data privacy protections is integral to the 
Department's Internet policy agenda. Consumer data privacy is one of 
the core issues under assessment by the Department's Internet Policy 
Task Force, which Secretary Gary Locke convened to examine how well 
U.S. policies on privacy, cybersecurity, copyright protection, and the 
free flow of information serve consumers, businesses, and other 
participants in the Internet economy.\3\
---------------------------------------------------------------------------
    \3\ U.S. Dept. of Commerce, Commerce Secretary Locke Announces 
Public Review of Privacy Policy and Innovation in the Internet Economy, 
Launches Internet Policy Task Force, Apr. 21, 2010, http://
www.commerce.gov/print/news/press-releases/2010/04/21/commerce-
secretary-loc
ke-announces-public-review-privacy-policy-and-i.
---------------------------------------------------------------------------
    The Internet economy has sparked tremendous innovation, and the 
Internet is an essential platform for economic growth, domestically and 
globally. Digital technology linked by the Internet has enabled large-
scale collection, analysis, and storage of personal information. These 
tools enable new service options and capabilities but they also create 
risks to individual privacy.
    Privacy is a key ingredient for sustaining consumer trust, which in 
turn is critical to realize the full potential for innovation and the 
growth of the Internet. The technical and organizational complexity of 
this environment makes it challenging for individual consumers to 
understand and manage the uses of their personal data even if they are 
technically adept.
    The Commerce Internet Policy Task Force has engaged with a broad 
array of stakeholders, including companies, consumer advocates, 
academic privacy experts, and other government agencies. Our work 
produced the Task Force's ``Green Paper'' on consumer data privacy in 
the Internet economy on December 16, 2010.\4\ The privacy Green Paper 
made ten separate recommendations on how to strengthen consumer data 
privacy protections while also promoting innovation, but it also 
brought to light many additional questions.
---------------------------------------------------------------------------
    \4\ Commercial Data Privacy and Innovation in the Internet Economy: 
A Dynamic Policy Framework, Dec. 16, 2010, http://www.ntia.doc.gov/
reports/2010/IPTF_Privacy_GreenPaper
_12162010.pdf.
---------------------------------------------------------------------------
    The comments we received on the privacy Green Paper from business, 
academics, and advocates informed our conclusion that the U.S. consumer 
data privacy framework will benefit from legislation that establishes a 
clearer set of rules for businesses and consumers, while preserving the 
innovation and free flow of information that are hallmarks of the 
Internet. This conclusion reflects two tenets. First, to harness the 
full power of the Internet, we need to establish norms and ground rules 
for uses of information that allow for innovation and economic growth 
while respecting consumers' legitimate privacy interests. Consumer 
groups, industry, and leading privacy scholars agree that a large 
percentage of Americans do not fully understand and appreciate what 
information is being collected about them, and how they are able to 
stop certain practices from taking place.\5\ Second, as we go about 
establishing these privacy guidelines, we also need to be careful to 
avoid creating an overly complicated regulatory environment.\6\
---------------------------------------------------------------------------
    \5\ All comments that the Department received in response to the 
Green Paper are available at http://www.ntia.doc.gov/comments/
101214614-0614-01/.
    \6\ For industry comments in support of legislation, see, e.g., 
Intel Comment at 3 (``We disagree with the arguments some have 
advocated against the adoption of legislation, particularly that 
privacy legislation would stifle innovation and would hinder the growth 
of new technologies by small businesses. Instead, we believe that well-
crafted legislation can actually enable small business e-commerce 
growth.''); Google Comment at 2 (supporting ``the development of a 
comprehensive privacy framework for commercial actors . . . that 
create[s] a baseline for privacy regulation that is flexible, scalable, 
and proportional''). For consumer groups and civil liberties' 
organizations comments in support of legislation, see, e.g., Center for 
Democracy and Technology, Comment on Department of Commerce Privacy 
Green Paper, Jan. 28, 2011, at 2 (``CDT has long argued and continues 
to believe that the only way to implement a commercial data privacy 
framework that fully and effectively incorporates all the Fair 
Information Practice Principles is through baseline privacy 
legislation.''); Center for Digital Democracy and USPIRG, Comment on 
Department of Commerce Privacy Green Paper, at 21 (``[W]e urge the 
adoption of regulations that will ensure that consumer privacy online 
is protected. The foundation for such protection should be the 
implementation of Fair Information Practices for the digital marketing 
environment.''); Consumers Union, Comment on Department of Commerce 
Privacy Green Paper, Jan. 28, 2011, at 2 (``Consumers Union supports 
the adoption of a privacy framework that will protect consumer data 
both online and offline. . . . CU believes this comprehensive privacy 
framework should be grounded in statute. . . .''); Privacy Rights 
Clearinghouse, Comment on Department of Commerce Privacy Green Paper, 
Jan. 28, 2011, at 2 (``[N]oting that consumer trust is pivotal to 
commercial success online, and that it has diminished with industry 
self-regulatory practices, PRC advocates comprehensive federal FIPPs-
based data privacy legislation.'').
---------------------------------------------------------------------------
III. Strengthening Our Consumer Data Privacy Framework Through 
        Baseline Protections
    To achieve these goals, the Administration recommended legislation 
to establish baseline consumer data privacy protections that will apply 
in commercial contexts and help fill in gaps in current privacy laws. 
These protections should be flexible, enforceable at law, and serve as 
the basis for both enforcement and development of enforceable codes of 
conduct that specify how the legislative principles apply in specific 
business contexts. Though we are still reviewing the details of the 
various bills introduced, we note they generally adopt an approach of 
defining baseline obligations for companies that handle personal data; 
giving the FTC enforcement authority; and encouraging the development 
of industry-specific codes of conduct to implement these baseline 
requirements.
A. Enacting a Consumer Privacy Bill of Rights
    The Administration recommended that statutory baseline protections 
for consumer data privacy be enforceable at law and based on a 
comprehensive set of Fair Information Practice Principles (FIPPs). In 
the Department of Commerce Green Paper, we drew from existing 
statements of FIPPs as a starting point for principles that should 
apply in the commercial context, in particular the original principles 
developed by the Department of Health, Education and Welfare in 1973 
\7\ and elaborations developed by the Organisation for Economic Co-
operation and Development (OECD).\8\ As we are developing in the 
Administration's forthcoming privacy White Paper, we seek to adapt 
these principles to the interactive and interconnected world of today. 
We are considering how best to incorporate principles that enable 
greater individual control over personal data and respect for the 
context in which such data was collected and that bring commercial data 
practices into alignment with reasonable consumer expectations. Notice 
and choice are fundamental to privacy protection, but today a more 
dynamic and holistic approach to privacy protection is needed, and 
obligations must be enforceable against the organizations that collect, 
use, and disclose personal data.
---------------------------------------------------------------------------
    \7\ See U.S. Dept. of Health, Education and Welfare, Records, 
Computers and the Rights of Citizens: Report of the Secretary's 
Advisory Committee on Automated Personal Data Systems, July 1973, 
http://aspe.hhs.gov/datacncl/1973privacy/tocprefacemembers.htm.
    \8\ See OECD, Guidelines on the Protection of Privacy and 
Transborder Flows of Personal Data, http://www.oecd.org/document/18/
0,3343,en_2649_34255_1815186_1_1_1_1,00.html.
---------------------------------------------------------------------------
    The Administration looks forward to working with Congress and 
stakeholders to define these protections and enforcement authorities 
further and enact them into law.
B. Implementing Enforceable Codes of Conduct Developed Through Multi-
        Stakeholder Processes
    The Administration called for a dual approach to privacy 
protection, coupling legislative protection enshrined in a consumer 
privacy bill of rights with the adoption of legally enforceable codes 
of conduct developed through a multi-stakeholder process. The process 
should permit everyone who has a stake in privacy--companies, 
consumers, civil liberties advocates, academics, and others--to work 
together to take the statutory baseline privacy protections and expand 
them into legally enforceable best practices or codes of conduct. In 
such a process, the government is an active participant, a convener 
that brings together all participants and facilitates discussions, but 
does not prescribe the outcome. This process should be open to any 
person or organization that is willing to participate in the hard work 
of engaging with other stakeholders to resolve any substantive 
differences fairly and openly.
    The Administration believes that the flexibility provided by multi-
stakeholder processes could offer the most effective solution to the 
challenges posed by a rapidly changing technological, economic, and 
social environment. This recommendation reflects the Department's view 
that government must support policy development processes that are 
nimble enough to respond quickly to consumer data privacy issues as 
they emerge and that incorporate the perspectives of all stakeholders 
to the greatest extent possible. A well-crafted multi-stakeholder 
process will allow stakeholders to address privacy issues in new 
technologies and business practices without the need for additional 
legislation, permit stakeholders to readily reexamine changing consumer 
expectations, and enable stakeholders to identify privacy risks early 
in the development of new products and services.
    Multi-stakeholder processes can be well suited for illuminating the 
policy tradeoffs inherent in such ideas like data breach notification, 
data security compliance, and Do-Not-Track. Starting with the 
commercialization of the Internet, the FTC has used a variety of 
stakeholder engagements to develop consumer data privacy policies. Its 
current work on Do-Not-Track carries on this history, and I applaud the 
leadership of Chairman Leibowitz,\9\ as well as browser developers, 
Internet companies, standards organizations, privacy advocates, and 
others to provide options for greater control over personal information 
that may be used for online tracking.\10\ The development of safe 
harbor programs is another task that can be addressed through the 
multi-stakeholder process recommended in the Commerce Green Paper.
---------------------------------------------------------------------------
    \9\ See Statement of the Federal Trade Commission, before the 
Committee on Commerce, Science, and Transportation, U.S. Senate, Mar. 
16, 2011, http://www.ftc.gov/os/testimony/
110316consumerprivacysenate.pdf.
    \10\ See, e.g., W3C Workshop on Web Tracking and User Privacy, Apr. 
28-29, http://www.w3.org/2011/track-privacy/ (collecting position 
papers and reporting on a workshop discussion of technical and policy 
approaches to limit web tracking).
---------------------------------------------------------------------------
C. Strengthening the FTC's Authority
    Bolstering the FTC's enforcement authority is a key element of the 
Administration's proposed framework. In addition to its leadership in 
developing consumer data privacy policy, the FTC plays a vital role as 
the nation's independent consumer privacy enforcement authority for 
non-regulated sectors. Granting the FTC explicit authority to enforce 
baseline privacy principles would strengthen its role in consumer data 
privacy policy and enforcement, resulting in better protection for 
consumers and evolving standards that can adapt to a rapidly evolving 
online marketplace.
D. Establishing Limiting Principles on Consumer Data Privacy 
        Legislation
    As the Committee considers consumer data privacy legislation, I 
would like to reiterate the Administration's views on the limitations 
that Congress should observe in crafting legislation that strengthens 
consumer privacy protections and encourages continuing innovation. 
Legislation should not add duplicative or overly burdensome regulatory 
requirements to businesses that are already adhering to the principles 
in baseline consumer data privacy legislation. Legislation should be 
technology-neutral, so that firms have the flexibility to decide how to 
comply with its requirements and to adopt business models that are 
consistent with baseline principles but use personal data in ways that 
we have not yet contemplated. Furthermore, domestic privacy legislation 
should provide a basis for greater transnational cooperation on 
consumer privacy enforcement issues, as well as more streamlined cross-
border data flows and reduced compliance burdens for U.S. businesses 
facing numerous foreign privacy laws.
IV. The Department of Commerce's Next Steps on Internet Privacy Policy
    As discussion of consumer privacy legislation moves forward, the 
Department of Commerce will continue to make consumer data privacy on 
the Internet a top priority. We will convene Internet stakeholders to 
discuss how best to encourage the development of enforceable codes of 
conduct, in order to provide greater certainty for businesses and 
necessary protections for consumers. The past 15 years have shown that 
self-regulation without government leadership can be sporadic and 
insufficiently motivated. The Department received significant 
stakeholder support for the recommendation that it play a central role 
in convening stakeholders. A broad array of organizations, including 
consumer groups, companies, and industry groups, announced their 
support for the Department to help coordinate outreach to stakeholders 
to work together on enforceable codes of conduct.\11\ This will be led 
by the National Telecommunications and Information Administration 
(NTIA) but would involve all relevant Commerce components, just as NTIA 
supports NIST's effort to convene stakeholders to discuss privacy 
issues that may arise in the implementation of the National Strategy 
for Trusted Identities in Cyberspace (NSTIC),\12\ and ITA administers 
efforts relating to the U.S.-EU Safe Harbor Agreement \13\ and the 
Asia-Pacific Economic Cooperation's (APEC) Cross-Border Data Privacy 
Rules. Through the National Science and Technology Council subcommittee 
I co-chair with Assistant Attorney General Christopher Schroeder, it 
will involve other Federal Government components, including the FTC.
---------------------------------------------------------------------------
    \11\ See, e.g., Center for Democracy and Technology, Comment on 
Department Privacy Green Paper, Jan. 28, 2011, at 15; Consumers Union, 
Comment on Department Privacy Green Paper, Jan. 28, 2011, at 2-3; 
Microsoft, Comment on Department Privacy Green Paper, Jan. 28, 2011, at 
6; Walmart, Comment on Department Privacy Green Paper, Jan. 28, 2011, 
at 2; Intel, Comment on Department Privacy Green Paper, Jan. 28, 2011, 
at 7; Google, Comment on Department Privacy Green Paper, Jan. 28, 2011, 
at 5; Facebook, Comment to Department Privacy Green Paper, Jan. 28, 
2011, on 13; and Yahoo!, Comment on Department Privacy Green Paper, 
Jan. 28, 2011, at 11.
    \12\ National Strategy for Trusted Identities in Cyberspace 
(NSTIC), Apr. 15, 2011, http://www.whitehouse.gov/sites/default/files/
rss_viewer/NSTICstrategy_041511.pdf.
    \13\ See Export.gov, Welcome to the U.S.-EU and U.S.-Swiss Safe 
Harbor Frameworks (last updated Mar. 31, 2011), http://www.export.gov/
safeharbor/.
---------------------------------------------------------------------------
    The Department will also continue to work with others in the 
Federal Government to develop the Administration policy on data 
security. Without data security, there can be no effective data 
privacy. Last month, the Administration submitted a legislative 
proposal to improve cybersecurity, which includes a national data 
breach reporting provision.\14\ Such a law would help businesses by 
simplifying and standardizing the existing patchwork of 47 state laws 
with a single, clear, nationwide requirement, and would help ensure 
that consumers receive notification, when appropriate standards are 
met, no matter where they live or where the business operates.
---------------------------------------------------------------------------
    \14\ See Statement for the Record of Philip Reitinger, Deputy Under 
Secretary, National Protection and Programs Directorate, before the 
Senate Homeland Security and Governmental Affairs Committee: 
``Protecting Cyberspace: Assessing the White House Proposal,'' May 23, 
2011.
---------------------------------------------------------------------------
    Earlier this month, the Department of Commerce released a green 
paper on Cybersecurity, Innovation, and the Internet Economy directed 
at increasing security beyond core critical infrastructure in the vital 
Internet and information technology sectors.\15\ We are currently 
soliciting comments from stakeholders to help us develop this critical 
strategy, with the goal of improving security at home and around the 
world so that Internet services can continue to provide a vital 
connection for trade and commerce, as well as for civic participation 
and social interaction.
---------------------------------------------------------------------------
    \15\ Cybersecurity, Innovation and the Internet Economy, June 11, 
2011, http://www.nist.gov/itl/upload/Cybersecurity_Green-
Paper_FinalVersion.pdf.
---------------------------------------------------------------------------
    The Department will also support the Administration's efforts to 
encourage global interoperability by stepping up our engagement in 
international policymaking bodies. U.S. enterprises continue to incur 
substantial costs complying with disparate data privacy laws around the 
world. The need to comply with different privacy laws can lead to 
compartmentalization of data and privacy practices, can require a 
significant expenditure of time and resources, and can even prevent 
market access. Consistent with the National Export Initiative goal of 
decreasing regulatory barriers to trade and commerce, the Department 
will work with our allies and trading partners to facilitate cross-
border data flows by increasing the global interoperability of privacy 
frameworks. Privacy laws across the globe are frequently based on 
similar values and a shared goal of protecting privacy while 
facilitating global trade and growth. The Department will work with our 
allies to find practical means of bridging any differences, which are 
often more a matter of form than substance. Specifically, the 
Department will work with other agencies to ensure that global privacy 
interoperability builds on accountability, mutual recognition and 
reciprocity, and enforcement cooperation principles pioneered in the 
OECD and APEC. The continued development of agreements with other 
privacy authorities around the world, coordinated with the State 
Department and other key actors in the Federal Government, could 
further reduce significant business global compliance costs.
    Congressional action in this area at this time can have a 
significant global impact. The Administration's work on consumer data 
privacy is having a significant and positive effect on our discussions 
with members of the European Union. One illustration of this direction 
comes from a May 18, 2011, speech about the reform of the EU Data 
Protection Directive by European Justice Commissioner Viviane Reding. 
Commissioner Reding stated that ``EU-U.S. cooperation on data 
protection is crucial to protect consumers and enhance legal security 
for businesses online. I welcome a draft Bill of Rights just introduced 
in the U.S. Congress as a bipartisan initiative of Democrats and 
Republicans.'' Commissioner Reding also stated that ``[t]his is a good 
opportunity to strengthen our transatlantic cooperation.'' Last week I 
was in Budapest to speak with European data privacy commissioners and, 
while we have much further to go in our discussions with Europe, and 
much remains uncertain about the final shape of the EU's revised Data 
Privacy Directive, we see encouraging signs of potential for 
interoperability and harmonization from the other side of the Atlantic. 
U.S. enactment of legislation establishing comprehensive commercial 
data privacy protections will help. Strong leadership in this area 
could form a model for our partners currently examining this issue, and 
prevent fragmentation of the world's privacy laws and its concomitant 
increase in compliance costs to our businesses that conduct 
international trade.
V. Conclusion
    Mr. Chairman, thank you again for the opportunity to provide our 
views on legislation to protect consumer privacy and promote innovation 
in the 21st Century. We look forward to working with you, the FTC and 
other federal agencies, the Executive Office of the President, and 
other stakeholders toward enactment of these consumer data privacy 
protections. I welcome any questions you have for me. Thank you.

    The Chairman. Your statement will be included in the 
record.
    Mr. Kerry. Thank you.
    The Chairman. And thank you for your testimony.
    Mr. Schlick.

   STATEMENT OF AUSTIN C. SCHLICK, GENERAL COUNSEL, FEDERAL 
                   COMMUNICATIONS COMMISSION

    Mr. Schlick. Good morning, Chairman Rockefeller, members of 
the Committee. Thank you for this opportunity to discuss the 
programs of the Federal Communications Commission to protect 
consumer privacy and data security. I am particularly pleased 
to be here this morning with two strong partners in that 
effort, the Department of Commerce and the Federal Trade 
Commission.
    The FCC has decades of experience implementing privacy 
protection statutes. These include provisions of the 
Communications Act that required communications providers to 
safeguard their customers' personally identifiable information, 
as well as provisions to protect consumers against unwanted 
telephone and fax solicitations.
    At the same time, increased use of personal data in 
connection with new online and wireless applications is raising 
serious privacy and security concerns. As the FCC recognized in 
the National Broadband Plan, successfully addressing these 
concerns will be critical to increasing adoption and deployment 
of technologies that benefit consumers, government, and the 
economy.
    The Commission historically has focused on three privacy 
related goals: ensuring that personal information is protected 
from misuse and mishandling, requiring providers to be 
transparent about their practices, and enabling consumers to 
make informed decisions. These goals remain our primary focus 
as we implement the various sections of the Communications Act 
that directly impact privacy.
    For example, Section 222 of the Communications Act requires 
telecommunications carriers and interconnected Voice-over-
Internet Protocol providers to secure customer proprietary 
network information, which is known as CPNI. CPNI includes 
consumers' call records and call information.
    Under Section 222, the FCC has adopted rules addressing the 
handling, use, and sharing of CPNI. We have also adopted rules 
to prevent pretexting, a practice under which unauthorized 
third parties attempt to gain access to telephone subscribers' 
personal information.
    Through our rulemakings and enforcement, we have resolved 
difficult issues such as when opt-in and opt-out notifications 
are appropriate, minimum notice standards, data sharing rules, 
reasonable data security measures, and notification to law 
enforcement and consumers in the event of data breaches. In 
just the last 6 months, the Commission issued 28 warnings and 
notices of apparent liability for various CPNI violations. 
Because of our active enforcement and education efforts, the 
Section 222 protections are now well-known and well understood, 
and the number of consumer complaints the FCC receives on CPNI 
issues has declined steadily.
    Sections 338 and 631 of the Communications Act also protect 
personal information. These provisions establish requirements 
for satellite and cable television providers' treatment of 
their subscribers' personally identifiable information. The 
requirements include clear and conspicuous notice about 
collection and use of subscribers' personal data, limiting 
disclosure of personal data, and remedies for subscribers who 
suffer a violation of these provisions.
    Working in parallel with the FTC, the FCC adopted do-not-
call regulations under Section 227 of the Communications Act. 
Since 2009, we have issued nearly 150 warnings, citations, and 
other actions for do-not-call violations. The FCC and the FTC 
also collaborate on implementation of the CAN-SPAM Act, with 
the FCC adopting rules that prohibit sending unwanted 
commercial e-mail messages to wireless accounts without prior 
permission. The FCC and the Department of Justice enforce 
Section 705 of the Communications Act which prohibits 
unauthorized interception of radio communications and 
unauthorized disclosure of wire or radio communications.
    The FCC supports consumer education in the areas of privacy 
and information security. The FCC is a partner in OnGuard-
Online, an online initiative led by the FTC that helps 
consumers guard against Internet fraud and identity theft, 
protect their children's personal information, and avoid e-mail 
and phishing scams. The FCC also is a member of the National 
Initiative for Cybersecurity Education partnership led by the 
Department of Commerce.
    Just yesterday, we held a workshop of the Commission on 
location-based wireless services and privacy issues that they 
raise. At this webcast event in which the FTC participated, we 
gathered information from wireless carriers, application 
developers, and business and academic leaders about trends in 
the development and use of location-based services, industry 
best practices for protecting personal information, and what 
consumers and parents should know about protecting themselves 
when using these services. We heard about the many potential 
benefits of location-based technologies, as well as the 
challenges of educating consumers to protect their privacy 
while using these new products and services.
    The FCC brings to these issues accumulated privacy 
expertise, as well as expertise about new communications 
technologies and services. Protecting privacy is a necessary 
part of providing communications services. So, too, it is part 
of the FCC's mandate to promote a healthy and competitive 
communications marketplace that meets consumers' needs.
    Thank you for this opportunity to testify today, and I look 
forward to your questions.
    [The prepared statement of Mr. Schlick follows:]

       Prepared Statement of Austin C. Schlick, General Counsel, 
                   Federal Communications Commission
    Good morning Chairman Rockefeller, Ranking Member Hutchison, and 
members of the Committee. Thank you for this opportunity to discuss the 
Federal Communications Commission's programs to protect consumer 
privacy. I am particularly pleased to be here with representatives of 
two strong partners in this effort, the Department of Commerce and the 
Federal Trade Commission.
    The FCC has decades of experience implementing privacy protection 
statutes. These include provisions of the Communications Act that 
require communications providers to safeguard their customers' 
personally identifiable information, as well as provisions that protect 
consumers against unwanted telephone and fax solicitations.
    At the same time, increased use of personal data in connection with 
new online and wireless applications is raising serious privacy and 
security concerns. As the FCC recognized in the National Broadband 
Plan, successfully addressing these concerns will be critical to 
increasing adoption and deployment of technologies that benefit 
consumers, government, and the economy.
    The Commission historically has focused on three privacy-related 
goals: ensuring that personal information is protected from misuse and 
mishandling; requiring providers to be transparent about their 
practices; and enabling consumers to make informed decisions. These 
goals remain our primary focus as we implement the various sections of 
the Communications Act that directly impact privacy.
    For example, Section 222 of the Communications Act requires 
telecommunications carriers and interconnected Voice over Internet 
Protocol providers to secure customer proprietary network information, 
which is known as CPNI. CPNI includes consumers' call records and call-
location information.
    Under Section 222, the FCC has adopted rules addressing the 
handling, use, and sharing of CPNI. We also have adopted rules to 
prevent pretexting, a practice by which unauthorized third parties 
attempt to gain access to telephone subscribers' personal information. 
Through our rulemakings and enforcement, we have resolved difficult 
issues such as when opt-in and opt-out notifications are appropriate, 
minimum notice standards, data sharing rules, reasonable data security 
measures, and notification to law enforcement and consumers in the 
event of data breaches.
    In just the last 6 months, the Commission issued 28 warnings and 
Notices of Apparent Liability for various CPNI violations. Because of 
our active enforcement and education efforts, the Section 222 
protections are now well-known and well-understood, and the number of 
consumer complaints the FCC receives on CPNI issues has declined 
steadily.
    Sections 338 and 631 of the Communications Act also protect 
personal information. These provisions establish requirements for 
satellite and cable television providers' treatment of their 
subscribers' personally identifiable information. The requirements 
include clear and conspicuous notice about collection and use of 
subscribers' personal data, limiting disclosure of personal data, and 
remedies for subscribers who suffer a violation of these provisions.
    Working in parallel with the FTC, the FCC adopted ``Do-Not-Call'' 
regulations under Section 227 of the Communications Act. Since 2009, we 
have issued nearly 150 warning citations for Do-Not-Call violations. 
The FCC and the FTC also collaborate on implementation of the CAN-SPAM 
Act, with the FCC adopting rules that prohibit sending unwanted 
commercial e-mail messages to wireless accounts without prior 
permission.
    The FCC and the Department of Justice enforce Section 705 of the 
Communications Act, which prohibits unauthorized interception of radio 
communications and unauthorized disclosures of wire or radio 
communications.
    The FCC supports consumer education in the areas of privacy and 
information security. The FCC is a partner in On Guard Online, an 
online initiative led by the FTC that helps consumers guard against 
Internet fraud and identity theft, protect their children's personal 
information, and avoid e-mail and phishing scams. The FCC also is a 
member of the National Initiative for Cybersecurity Education 
partnership led by the Department of Commerce.
    Just yesterday, we held a workshop at the Commission on location-
based wireless services and the privacy issues they raise. At this 
webcast event in which the FTC participated, we gathered information 
from wireless carriers, application developers, and business and 
academic leaders about trends in the development and use of location-
based services, industry best practices for protecting personal 
information, and what consumers and parents should know about 
protecting themselves while using these services. We heard about the 
many potential benefits of location-based technologies, as well as the 
challenges of educating consumers to protect their privacy while using 
these new products and services.
    The FCC brings to these issues accumulated privacy expertise, as 
well as expertise about new communications technologies and services. 
Protecting privacy is a necessary part of providing communications 
services. So too, it is part of the FCC's mandate to promote a healthy 
and competitive communications marketplace that meets consumers' needs.
    Thank you for the opportunity to testify today, and I look forward 
to your questions.

    The Chairman. Thank you, Mr. Schlick.
    We're going to proceed to the questions. And as for myself, 
they'll be rather rapid, because we do have votes at 11 
o'clock, and that's very disconcerting to me. The Majority 
Leader failed to check with me about the convenience of the 
Commerce Committee. So I'll do the best I can. I'm going to ask 
these fairly quickly.
    Commissioner Brill, as you know, Senator Pryor and I have 
introduced S. 1207, the Data Security and Breach Notification 
Act. What are your thoughts on this bill, quickly?
    Ms. Brill. The Commission supports strong federal 
legislation dealing with data security and breach notification, 
just like this bill. And this bill does satisfy the 
requirements of such a strong protective bill.
    The Chairman. Thank you. Our bill gives the Federal Trade 
Commission rulemaking authority to require companies with large 
databases to adopt security protocols to protect consumer data. 
Do you think companies are doing enough to maximize protection 
of their databases?
    Ms. Brill. Companies can do more. We have brought many data 
security cases over the past several years. We've investigated 
many more. We are not seeing cases that are close calls. These 
are cases where companies are falling down on basic security 
measures, sometimes not even following their own security 
procedures. So, yes, companies can definitely do more in the 
area of data security.
    The Chairman. I thank you. To follow up, the Commission has 
taken numerous enforcement actions against companies like 
Twitter for not adequately securing consumer information. Can 
you talk about how Senator Pryor's and my bill will complement 
your existing enforcement efforts?
    Ms. Brill. It actually will complement our efforts very 
well. Not only does it set forth some basic security processes 
and procedures, like having an officer focused on privacy, 
having within companies a process to deal with--excuse me--an 
officer focused on security and having in place processes to 
deal with security, but it also gives us broad rulemaking 
authority which will be very helpful. And, most importantly, I 
think, from my perspective, it gives us civil penalty authority 
which, I think, will incentivize companies to improve their 
security practices before they ever have to deal with us.
    The Chairman. Thank you. Incidentally, you're going to keep 
your building. Don't worry about it.
    Ms. Brill. Thank you.
    The Chairman. Mr. Kerry, the Department of Commerce has 
also cause for a national data security legislation. Do you 
have any opinions on the bill that Senator Pryor and I have 
introduced?
    Mr. Kerry. Senator Rockefeller, the bill certainly responds 
to the need for national legislation. One of the important 
drivers in the area of privacy has been the adoption of breach 
notification laws by states. There are now some 47 states that 
have them.
    But in order to make those consistent and to drive the 
issue nationally, there is a need for national data breach 
notification laws. It is part of the Administration's cyber 
security package. And I thank you, Senator, for your leadership 
in helping to drive that issue.
    The Chairman. Thank you, sir.
    Commissioner Brill?
    Ms. Brill. Yes.
    The Chairman. How does the FTC work with the Department of 
Justice on data security issues under current law?
    Ms. Brill. Generally speaking----
    The Chairman. I haven't finished.
    Ms. Brill. Excuse me.
    The Chairman. But my questioning is of clear purpose. Do 
you have a good working relationship that adequately furthers 
the public interest of protecting consumers and prosecuting 
criminals, or do we need to grant Justice more authority than 
it already possesses?
    Ms. Brill. It is important for the Department of Justice to 
have all the tools that it needs to go after folks who are 
hacking into databases. And to the extent that they feel that 
they need more tools, we, obviously, would support that.
    But at the same time, it's critically important to 
recognize that we're never going to be able to catch all the 
criminals. We're never going to be able to catch all the 
hackers.
    So what's critically important and what your bill, I think, 
does very well is it ensures that companies are going to shore 
up their data protection practices in the first instance so 
they aren't affected by hacks to the extent that we can prevent 
that. And that's why we appreciate your bill and what it does, 
especially in incentivizing companies to have good, strong 
programs in place, for instance, through the civil penalty 
provision.
    The Chairman. Thank you. I've got 40 seconds left. 
Commissioner Brill, many companies are already offering 
consumers the ability to use web browsers that have a do-not-
track mechanism on them. However, when consumers use this 
feature, no one is honoring this request except for one 
company, which would happen to be the Associated Press.
    As of now, do you think the FTC can take action against 
consumers that do not honor a consumer's do-not-track request?
    Ms. Brill. Action against companies that don't honor it? If 
a company promises to honor a consumer's request, or an ad 
network promises to honor a consumer's request, then we can 
proceed fairly easily if they breach that promise through our 
deception enforcement jurisdiction.
    But if a company does not make a promise to adhere to a 
consumer's request, then our jurisdictional test is a little 
bit more difficult to meet. We fall under our unfairness 
jurisdiction, and there are some challenges in meeting that 
kind of a test in a scenario like you've described. It would 
depend on the facts and circumstances.
    The Chairman. I thank you.
    Senator Kerry?
    Senator Kerry. Thank you, Senator Rockefeller. I was struck 
by the opening, frankly, comments of Senator Toomey, the 
Ranking Member of the Subcommittee. And I think it's important 
if--if some of those questions are being raised, it's really 
important that they be addressed here.
    And I wasn't planning to, but I want to use the time, 
because we've got a problem here in trying to get a general 
consensus and pass legislation if there's not a baseline level 
of understanding or acceptance of what we're dealing with. 
Senator Toomey, in fairness, is at another hearing that he has 
to be at in the Banking Committee. But I want the record to at 
least reflect the answers to this, and I know his staff will 
help make sure that he sees them.
    But, you know, he stated very clearly the question. He 
raised the question of whether or not this is a solution in 
search of a problem and, in addition, wondered sort of what the 
harm is out there.
    I think it's really important for the three of you to 
address that very directly. What is the harm? Is there harm or 
isn't there harm? Is this worth a national response? Is it 
imperative to have a national response? And, if so, can one be 
constructed without the unintended consequences of harming 
commerce and the open architecture?
    I've been on this committee for a long time now, and I have 
fought diligently to protect the open architecture, not to tax, 
have net neutrality, do all the things necessary. But I do 
believe that it's imperative to have some kind of standard by 
which people are acting here.
    So I want to begin with you, Commissioner Brill, since your 
regulatory agency is particularly in the line of fire on this, 
and then go to the Communications and end with the Commerce 
Department, if we could. But what is the harm? Is there harm? 
Is it real? Why do we--what should be compelled? And is this, 
indeed, a solution looking, you know, for a problem?
    Ms. Brill. I don't believe the focus on privacy protection 
is a solution looking for a problem. I think right now, 
consumers are very unaware of what's happening with their 
information, as I tried to communicate in my opening statement.
    Just with respect to privacy notices, for instance, as one 
example, and thinking about mobile technology, there have been 
studies that have shown that apps which a lot of young people 
are using--teenagers, young adults--many of them don't even 
have any kind of privacy policy whatsoever. To the extent that 
they do have a privacy policy, it often requires consumers to 
click through literally over a hundred screens in order to read 
the privacy policy.
    This just isn't reasonable to expect consumers to be able 
to do that in this modern technological age. So we need to come 
up with some solutions that fit the new technology that give 
consumers information that they need about how their 
information is being used, and then giving them some choices 
about it.
    Mr. Schlick. Senator Kerry, there absolutely is a problem. 
We've seen that in our own Section 222----
    Senator Kerry. Also, is there harm?
    Mr. Schlick. Yes.
    Senator Kerry. Is there harm here?
    Mr. Schlick.--in Section 222 implementation--to give you a 
concrete example, pretexting. The Electronic Privacy 
Information Center came to us a few years ago and identified 
the problem of data being insufficiently secure and being taken 
out through the pretexting practices on false pretenses and 
sold commercially to the harm of consumers. So this was one 
instance where we conducted a rulemaking and were able to adopt 
rules to limit and end that practice.
    Our National Broadband Plan looks beyond the harmed 
individuals and to the harm of the economy. A key finding of 
the Broadband Plan was that if consumers and application 
developers don't understand and trust the rules for privacy 
protection that are built into the system, then the adoption by 
consumers, the deployment by network operators of broadband 
technologies will be harmed.
    We saw this again in our location-based service forum 
yesterday, where consumer groups and industry agreed that there 
is a need for clear rules of the road so that there will be an 
ability and a willingness to use these services for the benefit 
of consumers as well as industry.
    Mr. Kerry. Senator, let me say that our support for 
legislation comes from an extensive exchange with members of 
the public, with members of the business community, who 
broadly, across a spectrum of the business community, retail 
industries, as well as technology industries, as well as 
companies engaged in international trade, said to us that there 
was a need for government action and privacy protection. And 
it's unusual for a government agency to propose regulation and 
to have a wide spectrum of the business community as well as 
consumers and others endorse that proposal. But that's 
precisely what occurred when we put out the commerce green 
paper in December.
    I think what that stems from is the critical need for trust 
in the sector. Let me tell you the story of a policy conference 
that I participated in a couple of years ago with a spectrum of 
people from business, from government, from academia, across 
the political spectrum, given the exercise to identify key 
risks and key drivers to the digital economy and to the 
development of broadband. And working in four separate groups 
looking at scenarios, every single one of them came up with the 
same risks, the same drivers. And every single one of them 
independently framed it in the same way as trust. And I think, 
if we look today at the wave of breaches that Senator 
Rockefeller alluded to, you know, we are facing a higher risk 
scenario in which trust is eroding.
    And, you know, there are a lot of companies that have good 
practices, that understand the importance of trust to their 
business models, their survival. There are malicious actors and 
outliers there who exploit that trust.
    The Chairman. Thank you, Senator.
    Senator Wicker.

              STATEMENT OF HON. ROGER F. WICKER, 
                 U.S. SENATOR FROM MISSISSIPPI

    Senator Wicker. Mr. Chairman, I'm going to yield my time. I 
hope we're able to get to the second panel before the series of 
seven votes begins.
    The Chairman. We won't, but we're coming back. OK. We have 
no choice.
    Senator Wicker. I understand that, and I yield my time.
    The Chairman. All right.
    Then Senator Ayotte.

                STATEMENT OF HON. KELLY AYOTTE, 
                U.S. SENATOR FROM NEW HAMPSHIRE

    Senator Ayotte. Thank you, Mr. Chairman.
    Mr. Kerry, I understand that the Department of Commerce has 
led this Internet Policy Task Force. But could you also explain 
for us what the role of the Department of Commerce would be? Do 
you envision any enforcement role going forward? I mean, 
obviously, I'm pretty clear as to what the FTC and FCC's role 
is, but if you can help us with that----
    Mr. Kerry. Senator Ayotte, no, we do not envision an 
enforcement role. The FTC is a critical policymaker and the 
nation's enforcement authority over a broad area other than 
specific sectoral regimes like communications, like health 
records. And we believe that that role should be strengthened.
    The role of the Department of Commerce is as a convener, as 
a policy leader for the Executive Branch. It's important that 
the Executive Branch have a voice in the process, that we be 
part of the debate, as we are here today. But we have worked 
closely with the FTC in developing policy in this area. We 
would continue to do so.
    Senator Ayotte. Thank you.
    Commissioner Brill, I wanted to follow up on--as I know you 
share a history at the Attorney General's office----
    Ms. Brill. Exactly.
    Senator Ayotte.--in Vermont, so welcome.
    Ms. Brill. Thank you.
    Senator Ayotte. And I wanted to ask about the enforcement 
piece of, for example, a proposal for do-not-track legislation. 
And, particularly, when we get on areas where we're focused on 
a particular kind of technology, given the changes that we can 
see happen in the technology field, (a), how would you 
anticipate that we would--the enforcement mechanism would work 
for something like a do-not-track registry, number one. And 
then, second, do you have any concerns that a do-not-track 
policy could take away some of the tools that consumers have?
    There have been some studies that show that this could harm 
online advertising. So I wanted to get your thoughts on those 
two issues.
    Ms. Brill. Sure. So just to be clear, Senator Ayotte, it 
would not be a registry. What we're talking about is a 
technology-driven solution that would be generated through 
browser companies or ad networks themselves or advertisers 
themselves.
    In terms of enforcement, what we--we do want to see a 
strong enforcement component, whether it becomes a mechanism--
or a mechanism set up by industry itself, or whether it gets 
set up through legislation. The key component in an enforcement 
mechanism is that those who receive the messages from consumers 
about the choices that they are making will honor them. And 
once we are assured, either through a self-regulatory mechanism 
or through legislation, that the receipt of a header or a 
cookie or whatever the technology is--when an entity receives 
that message--that they promise they will honor it. Then we 
have an enforcement tool.
    So that's a critical piece here. And that is certainly 
something that we're looking to see happen in the industry-
driven efforts that are currently underway.
    OK. Your other point about could it take away the 
benefits--you know, there has been discussion about whether or 
not an overwhelming number of consumers would participate and, 
therefore, it would drive away the free content that's 
currently available on the Web. My view is that, actually, what 
will happen is consumers will have much more trust in what's 
happening on the Internet if they understand that the choice is 
available to them to make granular choices about what will 
happen with their information, how it will be used, and how it 
will be collected.
    I actually don't expect that we'll see a whole lot of 
consumers opting into the system, I mean, you know, choosing to 
participate. But what it will do is it will, I think, give--
just engender a huge amount of trust, which I think will 
actually cause the industry to thrive even more. I think that's 
the critical component here that I haven't heard a lot of 
discussion about.
    Senator Ayotte. And just to be clear, just so I understand, 
in terms of issues--for example, a do-not-track issue--you 
envision that this could be something implemented by industry 
as opposed to us in Congress coming up--because one of the 
issues I see in terms of implementation is for us to come up 
with a solution that will work in application is a very 
difficult task. And, often, we aren't the best ones to come up 
with those solutions.
    Ms. Brill. It can be done by industry. And we have called--
a majority of the Commissioners have called on industry to step 
up to the plate. I have been a particularly vocal proponent of 
industry proceeding in a self-regulatory manner.
    I think it has been slow. We started to make these calls to 
do something with respect to online behavioral advertising 
several years ago. But since we started making a specific call 
for do-not-track, industry has moved, and there has been 
significant progress on the part of industry.
    I am worried, though, that we might not be able to get all 
the way there because of the way the industry is structured. 
Advertisers and ad networks are rather disparate. There are 
lots of them. And unless we get them to sort of uniformly agree 
that they're going to participate and honor consumers' 
requests, I'm just not sure that the self-regulatory mechanism 
can work. So I'm worried about the way that it's structured 
right now--the industry is structured--as to whether we can get 
all the way there.
    Senator Ayotte. Thank you very much.
    The Chairman. Thank you very much.
    Before I go to Senator Klobuchar, we have a major problem 
to work out here. There are five votes that are starting at 
11:05. I'm trying to get them moved to 11:10, which means we 
could spend another 15 minutes here.
    We have another panel. We have Senator Klobuchar. Senator 
Pryor has just walked in. Now, you can decide what you want to 
do.
    My recommendation would be that, Senator Klobuchar, you ask 
your question, because you've been here a while. Senator Pryor, 
who is the Subcommittee Chairman is all over this, and he's 
extremely important. But somebody has to sacrifice. And I think 
what we need to do is let Senator Klobuchar ask her question 
quickly and make sure it's responded to quickly. Then we call 
up the other panelists. We let them give their testimony, and 
then we submit questions to them in writing, and then all 
scramble to get to the Senate floor to vote on heavens knows 
what. Is that acceptable?
    It's not to you, and I understand. Is that acceptable?

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Yes, ready to go.
    The Chairman. Go ahead.
    Senator Klobuchar. OK. Well, thank you very much, Mr. 
Chairman. This issue, of course, can create divides, but I 
think we all know that there's some line in the sand here. And, 
for me, you know, when you order books on a Kindle and then 
they come up with recommendations of books that are similar to 
what you ordered, that's just fine. It's actually helpful and 
not harmful.
    But on the other hand, when you hear stories of companies 
that may be compiling what they call ``sucker lists'' about 
consumers that may be susceptible to different kinds of fraud, 
that's a problem. And so I appreciate you helping us work 
through this today.
    One of the things I wanted to ask you about, Commissioner 
Brill, was the Children's Online Privacy Protection Act and the 
Unfair and Deceptive Conduct Clause. It's not clear what 
regulations prohibit the sharing of user information on mobile 
phones. For example, if there is an application geared toward 
adults that has no user agreement or stated privacy policy but 
shares location and other mobile information with a third-party 
advertiser without seeking consent from the user, are there any 
enforcement mechanisms that the FTC can use to prosecute the 
company for misusing the person's data?
    Ms. Brill. Are you focused specifically on children----
    Senator Klobuchar. Mobile.
    Ms. Brill.--or mobile?
    Senator Klobuchar. No, this is on the mobile.
    Ms. Brill. So, if a mobile phone right now does not--a 
mobile--an application does not have a privacy policy and is 
collecting geo-location information, that's your question? Is 
there something that we can do about it? We are, then, as I 
mentioned a few moments ago, in a world where we're no longer 
dealing potentially with deception, because they haven't said 
anything that they are then not following through on, and we're 
rather in the realm of unfairness.
    And in that realm, it really does depend on the facts and 
circumstances. It depends on how they're using it. We might be 
able to make out an argument that the particular use or the way 
in which geo-location was used would be unfair. There also 
might be an argument that failing to have a disclosure to 
consumers about the way in which geo-location was used, if it 
harms the consumer, would also be unfair. But it's a tougher 
test.
    Senator Klobuchar. OK. And then back to the children's 
issues, under the Children's Online Privacy Protection Act, 
companies operating websites or online services intended for 
children under 13 are prohibited from collecting information. 
And I just wonder if there is a practical--and I believe that 
is a good provision--but is there any practical way for the FTC 
to distinguish between websites and online services intended 
for children that need to comply with this law versus 
applications for adults?
    Mr. Brill. Sure, yes. So the Children's Online Privacy 
Protection Act applies when you have a website that is either 
directed at kids or where the website knows that it is 
collecting information about kids. And by kids, it's kids under 
13.
    In order to determine whether a website is directed at 
children, we really look at the totality of the circumstances. 
So we'll look at things like--are there cartoons being used? 
We'll look at issues in the mobile space. Where is the 
application being sold, or how is it being sold? What part of 
the app store is it in? Is it in the part of the app store 
that's designed for kids, or is it in a different part of the 
app store?
    So those are the kinds of factors that we'll look at to 
determine whether the website or the mobile application is 
focused on children. In terms of whether or not the general 
audience website or application is collecting information about 
children, you know, if the website actually receives 
information from a teacher or a parent that there's a 
particular kid involved, obviously, then, they know.
    But we also do undercover work, you know. We'll go online 
and pretend we're 13 or 12 or 11 and see if the website will 
collect information about us. So there are a number of 
different ways we can figure out what's happening.
    Senator Klobuchar. OK. One last question to Mr. Kerry.
    I've been working on this Cloud Computing bill, as you 
know. And one of the issues here is that we are trading 
partners internationally, and I think we've talked about this 
before in Judiciary--but the need to establish privacy, 
security, and cross-border data flow standards along with 
working with our allies, do you believe it would be prudent to 
establish a global standard that companies in all countries 
would voluntarily subscribe to?
    Mr. Kerry. That's a direction that we need to----
    The Chairman. If you could answer in 30 seconds----
    Mr. Kerry.--move toward, Senator Klobuchar. I mean, one of 
the key tenets of what we're trying to do is to establish 
global interoperability so that companies can trade, so that 
data can reside transparently in different locations in the 
cloud. So to try to bring global privacy standards closer 
together is an important part of our support of comprehensive 
legislation.
    The Chairman. Thank you. We're now on this rather quickened 
pace. I thank all three of you very much.
    And I want to introduce--Senator Begich, I'll explain this 
to you on the way to a vote, how you've been abused.
    The second panel are Mr. Scott Taylor, Vice President, 
Chief Privacy Officer, Hewlett-Packard; Mr. Stuart Pratt, 
President and CEO, Consumer Data Industry Association; Ms. 
Ioana Rusu, Regulatory Counsel, Consumers Union; Mr. Tim 
Schaaff, President, Sony Network Entertainment International; 
and Mr. Thomas Lenard, President and Senior Fellow, Technology 
Policy Institute.
    And, once again, our purpose here will be in the time 
remaining to us--which is not yet determined, but let's say 
it's 20 minutes at the maximum--for all 5 of you to give 
testimony. That is a challenge, but you're exceptionally 
bright, well-educated, and advanced people, and so you should 
be able to meet it.
    And we will start with you, Mr. Pratt.
    And, incidentally, the questions will be submitted from the 
Committee members to all of you.

STATEMENT OF STUART K. PRATT, PRESIDENT AND CEO, CONSUMER DATA 
                      INDUSTRY ASSOCIATION

    Mr. Pratt. Chairman Rockefeller, members of the Committee, 
thank you for this opportunity to appear before you today. And 
for the record, my name is Stuart Pratt, and I'm the CEO of the 
Consumer Data Industry Association.
    The Chairman. We know that. Get right to the point.
    Mr. Pratt. CDIA's members' data and technologies protect 
consumers and help businesses manage risk. Whether it's 
counterterrorism efforts, locating a child who has been 
kidnapped, preventing a violent criminal from taking a job with 
access to children or the elderly, or ensuring the safety and 
soundness of lending decisions, our members' databases, 
software, and analytical tools are critical to how we manage 
risk in this country, ensure consumers are treated fairly, and 
how we protect consumers from becoming victims for both violent 
and white-collar crimes.
    Let me just skip some of the examples. Those are in the 
record. And let's jump to some of the key points. I think 
that's where you're driving us here.
    I think this committee has some--a tremendous opportunity 
before it here today. First of all, it can fill an important 
gap in current law by ensuring that all U.S. businesses which 
are not already subject to data security for sensitive personal 
information are in the future. CDIA is on record in support of 
enacting national standards for securing personal information, 
and we're pleased to have this opportunity to affirm this 
position again today.
    Second, Congress can complete the good work of 48 states 
which have enacted data breach notification laws by creating a 
much-needed national standard which ensures consumers are 
treated in the same way, no matter where they live. Here again, 
the CDIA is happy to support the enactment of such a standard 
for those who possess sensitive personal information and where 
such information has been stolen or lost, the consumer is 
exposed to a significant risk of becoming a victim of identity 
theft.
    New law regarding data security and data breach 
notification should be designed to align with current laws 
which are already robust and effective. CDIA's members are 
financial institutions under the Gramm-Leach-Bliley Act and as 
such, they are already subject to an appropriate standard for 
securing sensitive personal information. It is important that 
new law not interfere with, alter, or add to the requirements 
of the GLB safeguards rule and the enforcement guidance that 
has evolved over a decade of enforcement actions, examinations, 
and regulatory guidance.
    The same principle applies to other sectors of the U.S. 
economy that have already been subject to their data security 
duties. This new law should fill gaps, thus ensuring that all 
sensitive personal information is protected.
    Similarly, where sectors of the U.S. economy are already 
subject to a federal data breach notification standard through 
law, regulation, or rules, these sectors should be exempted 
from having to comply with the duties of a new federal 
standard. Again, the new federal standard should fill a gap.
    In the past, bills have tried to eliminate the problems of 
imposing duplicative duties. However, these exemptions often 
fall short by using an in-compliance-with construction rather 
than a subject-to construction. Getting these exemptions right 
is important as the new duties for data security and data 
breach notification are enacted, and we urge the Committee to 
avoid creating duplicative law.
    Congress must also avoid creating a 51st state law. 
Enacting strong and effective duties for securing sensitive 
personal information and data breach notification is only a 
success if it creates a true national standard for U.S. 
businesses. This is especially true for small businesses.
    Finally, we would urge the Committee to exclude privacy 
issues which are not relevant to data security or data breach 
notification. Privacy and data security are not coterminous 
concepts. CDIA's members live with a variety of laws that 
regulate their businesses today, including the Fair Credit 
Reporting Act, the Gramm-Leach-Bliley Act, Title V, HIPPA, the 
Driver's Privacy Protection Act, and more. We urge this 
committee and the Congress to not comingle privacy concepts 
such as provisions which propose to regulate entities defined 
as information brokers with the duty to secure sensitive 
personal information and to provide notices to consumers where 
there has been a breach of their data.
    As discussed more completely in my written testimony, 
privacy issues can even interfere with the development of data 
which is used to prevent fraud, identity theft, and to manage 
risks like those we have discussed. Let's move on clean data 
security and data breach notification which will inure benefits 
to consumers by establishing a national standard and ensuring 
that U.S. businesses can comply, which is always their highest 
goal.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Pratt follows:]

       Prepared Statement of Stuart K. Pratt, President and CEO, 
                   Consumer Data Industry Association
    Chairman Rockefeller, Ranking member Hutchison and members of the 
Committee, thank you for this opportunity to appear before you today. 
For the record, my name is Stuart K. Pratt and I am President and CEO 
of the Consumer Data Industry Association. My testimony will focus on:

   The importance to consumers of the data systems and 
        analytical tools our members produce.

   How current laws which regulate our members' products 
        already protect consumers.

   Separating privacy issues from the important work of 
        establishing a national standard for securing sensitive 
        personal information and data breach notification.

   Aligning new law with existing laws.

   Creating a truly national standard.
CDIA Members' Data and Technologies Protect Consumers and Help Us 
        Businesses Manage Risk
    Whether it is counterterrorism efforts, locating a child who has 
been kidnapped, preventing a violent criminal from taking a job with 
access to children or the elderly, or ensuring the safety and soundness 
of lending decisions our members' innovative databases, software and 
analytical tools are critical to how we manage risk in this country, 
ensure fair treatment and most importantly, how we protect consumers 
from becoming victims of both violent and white-collar crimes of all 
types.
    Following are examples of how our members' products, software and 
databases bring material value to consumers and our country:

   Helping public and private sector investigators to prevent 
        money laundering and terrorist financing.

   Ensuring lenders have best-in-class credit reports, credit 
        scoring technologies, income verification tools and data on 
        assets for purposes of making safe and sound underwriting 
        decisions so that consumers are treated fairly and products 
        make sense for them.

   Bringing transparency to the underlying value of 
        collateralized debt obligations and in doing so ensuring our 
        nation's money supply is adequate which militates against the 
        possibility and severity of economic crises.

   Enforcing child support orders through the use of 
        sophisticated location tools so children of single parents have 
        the resources they need.

   Assisting law enforcement and private agencies which locate 
        missing and exploited children through location tools.

   Researching fugitives, assets held by individuals of 
        interest through the use of investigative tools which allow law 
        enforcement agencies tie together disparate data on given 
        individuals and thus to most effectively target limited 
        manpower resources.

   Witness location through use of location tools for all types 
        of court proceedings.

   Reducing government expense through entitlement fraud 
        prevention, eligibility determinations, and identity 
        verification.

   Making available both local and nationwide background 
        screening tools to ensure, for example, that pedophiles don't 
        gain access to daycare centers or those convicted of driving 
        while under the influence do not drive school buses or vans for 
        elder care centers.

   Helping a local charity hospital to find individuals who 
        have chosen to avoid paying bills when they have the ability to 
        do so.

   Producing sophisticated background screening tools for 
        security clearances, including those with national security 
        implications.

   Improving disaster assistance responses through the use of 
        cross-matched databases that help first-responders to quickly 
        aid those in need and prevent fraudsters from gaming these 
        efforts for personal gain.

    Not only do our members' technologies and innovation protect us and 
ensure that we are managing risk in this country, but they reduce costs 
and labor intensity. Risk management is not merely the domain of the 
largest government agencies or corporations it is available to 
companies of all sizes thanks to our members' investments. Consider the 
following scenarios:

        Scenario 1--Effective Use of Limited Resources

        The following example was given during a Department of Homeland 
        Security meeting on use of data by the department: ``One 
        extremely well-known law enforcement intelligence example from 
        immediately post-9/11 was when there was a now well-publicized 
        threat . . . that there might be cells of terrorists training 
        for scuba diving underwater bombing, similar to those that 
        trained for 9/11 to fly but not land--planes. How does the 
        government best acquire that? The FBI applied the standard 
        shoe-leather approach--spent millions of dollars sending out 
        every agent in every office in the country to identify 
        certified scuba training schools. The alternative could and 
        should have been for the Federal Government to be able to buy 
        that data for a couple of hundred dollars from a commercial 
        provider, and to use that baseline and law enforcement 
        resources, starting with the commercial baseline.''

        Scenario 2--Lowering Costs/Expanding Access to Best-in-Class 
        Tools

        One commercial database provider charges just $25 for an 
        instant comprehensive search of multiple criminal record 
        sources, including fugitive files, state and county criminal 
        record repositories, proprietary criminal record information, 
        and prison, parole and release files, representing more than 
        100 million criminal records across the United States. In 
        contrast, an in-person, local search of one local courthouse 
        for felony and misdemeanor records takes 3 business days and 
        costs $16 plus courthouse fees. An in-person search of every 
        county courthouse would cost $48,544 (3,034 county governments 
        times $16). Similarly, a state sexual offender search costs 
        just $9 and includes states that do not provide online 
        registries of sexual offenders. An in-person search of sexual 
        offender records in all 50 states would cost $800.

        Scenario 3--Preventing Identity Theft & Limiting Indebtedness

        A national credit card issuer reports that they approve more 
        than 19 million applications for credit every year. In fact 
        they process more than 90,000 applications every day, with an 
        approval rate of approximately sixty percent. This creditor 
        reports that they identify one fraudulent account for every 
        1,613 applications approved. This means that the tools our 
        members provided were preventing fraud in more than 99.9 
        percent of the transactions processed. These data also tell us 
        that the lender is doing an effective job of approving 
        consumers who truly qualify for credit and denying consumers 
        who are overextended and should not increase their debt 
        burdens.
Current Laws Regulating Our Members' Products Protect Consumers and Are 
        Robust
    The United States is on the forefront of establishing sector-
specific and enforceable laws regulating uses of personal information 
of many types. The list of laws is extensive and includes but is not 
limited to the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), The 
Gramm-Leach-Bliley Act (Pub. L. 106-102, Title V), the Health Insurance 
Portability and Accountability Act (Pub. L. 104.191), and the Drivers 
Privacy Protection Act (18 U.S.C. 2721 et seq.).
    Following are more probative descriptions of some of these laws, 
the rights of consumers and also the types of products that fall within 
the scope of the law.
Fair Credit Reporting Act
    Key to understanding the role of the FCRA is the fact that it 
regulates any use of personal information (whether obtained from a 
public or private source) defined as a consumer report. A consumer 
report is defined as data which is gathered and shared with a third 
party for a determination of a consumer's eligibility for enumerated 
permissible purposes. This concept of an eligibility test is a key to 
understanding how FCRA regulates an extraordinarily broad range of 
personal information uses. The United States has a law which makes 
clear that any third-party-supplied data that is used to accept or 
deny, for example, my application for a government entitlement, 
employment, credit (e.g., student loans), insurance, and any other 
transaction initiated by the consumer where there is a legitimate 
business need. Again, this law applies equally to governmental uses and 
not merely to the private sector and provides us as consumers with a 
full complement of rights to protect and empower us. Consider the 
following:

   The right of access--consumers may request at any time a 
        disclosure of all information in their file at the time of the 
        request. This right is enhanced by requirements that the cost 
        of such disclosure must be free under a variety of 
        circumstances including once per year upon request, where there 
        is suspected fraud, where a consumer is unemployed and seeking 
        employment, when a consumer places a fraud alert on his or her 
        file, or where a consumer is receiving public assistance and 
        thus would not have the means to pay. Note that the right of 
        access is absolute since the term file is defined in the FCRA 
        and it includes the base information from which a consumer 
        report is produced.

   The right of correction--a consumer may dispute any 
        information in the file. The right of dispute is absolute and 
        no fee may be charged.

   The right to know who has seen or reviewed information in 
        the consumer's file--as part of the right of access, a consumer 
        must see all ``inquiries'' made to the file and these inquiries 
        include the trade name of the consumer and upon request, a 
        disclosure of contact information, if available, for any 
        inquirer to the consumer's file.

   The right to deny use of the file except for transactions 
        initiated by the consumer--consumers have the right to opt out 
        of non-initiated transactions, such as a mailed offer for a new 
        credit card.

   The right to be notified when a consumer report has been 
        used to take an adverse action. This right ensures that I can 
        act on all of the other rights enumerated above.

   Beyond the rights discussed above, with every disclosure of 
        a file, consumers receive a notice providing a complete listing 
        all consumer rights.

   Finally, all such products are regulated for accuracy with a 
        ``reasonable procedures to ensure maximum possible accuracy'' 
        standard. Further all sources which provide data to consumer 
        reporting agencies must also adhere to a standard of accuracy 
        which, as a result of the FACT Act, now includes new rulemaking 
        powers for federal agencies.
Gramm-Leach-Bliley Act
    Not all consumer data products are used for eligibility 
determinations regulated by the FCRA. Congress has applied different 
standards of protection that are appropriate to the use and the 
sensitivity of the data. We refer to these tools as Reference, 
Verification and Information services or RVI services. RVI services are 
used not only to identify fraud, but also to locate and verify 
information for the public and private sectors. Fraud prevention 
systems, for example, aren't regulated under FCRA because no decision 
to approve or deny is made using these data. Annually businesses 
conduct an average more than 2.6 billion searches to check for 
fraudulent transactions. As the fraud problem has grown, industry has 
been forced to increase the complexity and sophistication of the fraud 
detection tools they use. While fraud detection tools may differ, there 
are four key models used.

   Fraud databases--check for possible suspicious elements of 
        customer information. These databases include past identities 
        and records that have been used in known frauds, suspect phone 
        numbers or addresses, and records of inconsistent issue dates 
        of SSNs and the given birth years.

   Identity verification products--crosscheck for consistency 
        in identifying information supplied by the consumer by 
        utilizing other sources of known data about the consumer. 
        Identity thieves must change pieces of information in their 
        victim's files to avoid alerting others of their presence. 
        Inconsistencies in name, address, or SSN associated with a name 
        raise suspicions of possible fraud.

   Quantitative fraud prediction models--calculate fraud scores 
        that predict the likelihood an application or proposed 
        transaction is fraudulent. The power of these models is their 
        ability to assess the cumulative significance of small 
        inconsistencies or problems that may appear insignificant in 
        isolation.

   Identity element approaches--use the analysis of pooled 
        applications and other data to detect anomalies in typical 
        business activity to identify potential fraudulent activity. 
        These tools generally use anonymous consumer information to 
        create macro-models of applications or credit card usage that 
        deviates from normal information or spending patterns, as well 
        as a series of applications with a common work number or 
        address but under different names, or even the identification 
        and further attention to geographical areas where there are 
        spikes in what may be fraudulent activity.

    The largest users of fraud detection tools are financial 
businesses, accounting for approximately 78 percent of all users. 
However, there are many non-financial business uses for fraud detection 
tools. Users include:

   Governmental agencies--Fraud detection tools are used by the 
        IRS to locate assets of tax evaders, state agencies to find 
        individuals who owe child support, law enforcement to assist in 
        investigations, and by various federal and state agencies for 
        employment background checks.

   Private use--Journalists use fraud detection services to 
        locate sources, attorneys to find witnesses, and individuals 
        use them to do background checks on childcare providers.

    CDIA's members are also the leading location services providers in 
the United States. These products are also not regulated under FCRA 
since no decision is based on the data used. These services, which help 
users locate individuals, are a key business-to-business tool that 
creates great value for consumers and business alike. Locator services 
depend on a variety of matching elements. Consider the following 
examples of location service uses of a year's time:

   There were 5.5 million location searches conducted by child 
        support enforcement agencies to enforce court orders. For 
        example, the Financial Institution Data Match program required 
        by the Personal Responsibility and Work Opportunity 
        Reconciliation Act of 1996 (PL 104-193) led to the location of 
        700,000 delinquent individuals being linked to accounts worth 
        nearly $2.5 billion.

   There were 378 million location searches used to enforce 
        contractual obligations to pay debts.

   Tens of millions of searches were conducted by pension funds 
        (location of beneficiaries), lawyers (witness location), blood 
        donors organizations (blood supply safety), as well as by 
        organizations focused on missing and exploited children.

    Clearly RVI services bring great benefit to consumers, governmental 
agencies and to businesses of all sizes. Laws such as the Gramm-Leach-
Bliley Act and Fair Credit Reporting Act are robust, protective of 
consumer rights, but also drafted to ensure that products used to 
protect consumers, prevent fraud and to locate individuals are allowed 
to operate for the good of consumers and business.
A National Data Security and Data Breach Notification Standard Is A 
        Separate Matter from Privacy
    Let me start by stating unequivocally that CDIA's supports the 
creation of a national standard for both securing sensitive personal 
information and notification of consumers when there has been a breach 
of that data. Our position is in agreement with the Federal Trade 
Commission recommendation offered in multiple testimonies on the Hill 
and via their joint Task Force report issued along with the Department 
of Justice. This committee can play a leading role in ensuring that 
such a standard is set. This committee can also ensure that privacy 
issues are not confused with the core consumer protections found in a 
proposal that focuses on data security and breach notification.
    Provisions found in some bills that create national standards for 
security and notification also impose accuracy, access and correction 
standards on a certain type of entity defined as an information broker. 
We believe that provisions such as these should be struck because they 
do not advance the cause of protecting data, and they interfere with 
how other current laws regulate the development of products which do 
protect consumers. Consider the following:

    Products such as those designed for fraud prevention and location 
are produced under laws such as the Gramm-Leach-Bliley Act and Section 
5 of the Federal Trade Commission Act. The definition of information 
broker often does not exclude financial institutions regulated under 
GLB. Therefore products developed under the data-use limitations found 
in GLB Title V, Section 502(e) are adversely affected by information 
broker provisions.
    Neither a product developed for fraud prevention nor location 
should be subject to accuracy, access and correction standards since 
neither product is used to deny or approve an application, etc. If they 
were designed for the purpose of making decisions about a consumer's 
eligibility, then they would already be regulated under the FCRA. 
Further accuracy, access and correction standards are not relevant to 
the important work of this Committee to establish a national standard 
for securing sensitive personal information and notifying consumers 
when there is a breach of such data.
    Consider the effect of applying an accuracy standard to fraud 
tools. Ironically doing so would lead to interference with the very 
tools that help protect consumers against the risks posed by failures 
to protect sensitive personal information. Fraud prevention tools are 
built based on data about consumers, data about confirmed fraud 
attempts, data about combinations of accurate and inaccurate data used 
for fraud attempts and more. Fraud tools are designed to identify 
transactions or applications that are likely to be fraudulent in order 
to allow the user to take additional steps to prevent the crime and 
still process legitimate transactions.
    Similarly it is wrong to subject fraud prevention tools to an 
access and correction regime. If details of a fraud tool are disclosed 
it is akin to disclosing the recipe for fraud prevention. This result 
works against a bill which is focused on protecting consumers from 
crime, particularly identity theft.
    As discussed in this testimony, location and investigative research 
services are materially important to how risk is managed. They are not 
designed to be used for decisionmaking and thus are not regulated under 
the FCRA, which already regulates all data used for eligibility 
decisions (including the imposition of accuracy, access and correction 
rights). Such services are, for example, designed to help a user 
identify possible connections between disparate records and ultimately 
possible locations for the subject of the search. Measuring the quality 
of the possible connections is not akin to an accuracy standard, nor 
should an accuracy standard be applied to ``possible matches.'' 
Further, providing access to a database for purposes of error 
correction could affect the quality of the systems since matches are 
sometimes based on combinations of accurate and inaccurate data.
    Accuracy, access and correction duties are best left to future 
debates about privacy, but they have no relevance to data security and 
breach notification.
Aligning the Operation of New and Current Law
    As discussed above, by not including privacy issues (information 
brokers/accuracy/access/correction) in a data security and notification 
bill, the committee avoids many problems with the operation of 
effective federal laws that are on the books today (e.g., FCRA, GLB, 
HIPAA, DPPA, etc.). Further the committee's bill should not create 
overlapping burdens where U.S. companies are already in compliance with 
a security breach notification or security standard for sensitive 
personal information. For example, financial institutions which are 
subject to the data security standards of the Gramm-Leach-Bliley Act 
and also federal agency guidance regarding data breach notification 
should be fully exempted from the bill.
The Importance of a National Standard
    Congress should not enact a fifty-first law. A true national 
standard will benefit consumers because they will enjoy the benefits of 
this standard no matter where they live. Such a standard also benefits 
U.S. businesses of all sizes because they can then be successful in the 
goal they all share and that is to protect consumers' sensitive 
personal information by building data security into their entire 
enterprise and to notify consumers where there is a significant risk of 
identity theft.
Conclusion
    This committee has a number of important opportunities:

   To fill an important gap in current law by ensuring that all 
        U.S. businesses which are not already subject to a data 
        security duty for sensitive personal information are in the 
        future.

   To harmonize the 48 state data breach notification duties 
        and in doing so create much needed uniformity.

   To exclude privacy issues which are not relevant to data 
        security and breach notification.

   To avoid creating law which interferes with the operation of 
        current laws already on the books.

   To create an effective national standard for securing 
        sensitive personal information and data breach notification.

    We thank you again for giving us this opportunity to testify. It is 
only through such dialogue that good laws are enacted. I'm happy to 
answer any questions.

    The Chairman. Thank you very much.
    Ms. Rusu.

  STATEMENT OF IOANA RUSU, REGULATORY COUNSEL, CONSUMERS UNION

    Ms. Rusu. Thank you, Chairman and members of the Committee. 
I'm going to skip over the intro and jump right into it.
    I think we can all agree that technological advances over 
the past decade have created incredible, fantastic tools for 
consumers to use. However, privacy is still important and 
relevant today. Even in today's age of extensive sharing, few 
people would agree that every piece of information about them 
should be available to everyone for any conceivable purpose.
    In fact, in a May 2011 Consumer Reports poll, 82 percent of 
respondents were concerned that companies may be passing on 
their personal information to third parties without their 
permission. Such consumer distress is a significant barrier to 
the adoption of new technologies, which, in turn, harms 
commerce and discourages innovation.
    Consumers Union supports the privacy and data security 
bills that are the focus of today's hearing. The Commercial 
Privacy Bill of Rights introduced by Senators Kerry and McCain 
puts in place some standards that would give consumers more 
control over their personal information. The bill's framework 
is rooted in a set of fair information practice principles, 
such as timely notice about data collection, opt-out 
requirements, access and accuracy requirements, and the 
principle of privacy by design.
    We support the bill's focus on sensitive information, 
including information about health and religious affiliation. 
Companies handling such information must first get a consumer's 
affirmative opt-in consent. This provision would protect a 
young woman suffering from bulimia, for example, from having to 
worry that by joining an eating disorders support forum her 
information will be passed along to advertisers, who will 
market weight loss supplements to her at every step.
    We also appreciate the bill's enforcement power for the FTC 
and state attorneys general. This will increase the likelihood 
that bad actors are caught and punished.
    While the legislation leaves out an important foundation 
for better privacy practices, we also look forward to 
strengthening the measure so that it provides consumers with 
even more transparency and control. For instance, we support 
providing consumers with an opt-out not only for unauthorized 
use of covered information, but also for its collection. We'd 
also like to see more authority granted to the FTC to modify 
and update the definitions in the bill. In addition, we're 
concerned that the expansive language of the preemption 
provision could forestall state laws that seek to protect 
consumers beyond the intended scope of this bill.
    Consumers Union also supports Chairman Rockefeller's Do-
Not-Track Online Act as an important and necessary component of 
consumer online privacy policy. Public support for a do-not-
track option is particularly high at this moment. According to 
the same Consumer Reports poll I mentioned before, 81 percent 
of respondents agreed that they should be able to permanently 
opt out of Internet tracking.
    Some industry actors have already developed and 
incorporated do-not-track tools directly into browsers. 
Unfortunately, marketers currently can and do ignore consumers' 
do-not-track choices. This is precisely why Chairman 
Rockefeller's bill is a much needed component. Consumers Union 
believes that the Do-Not-Track Online Act and the Commercial 
Privacy Bill of Rights Act taken together would give consumers 
strong privacy protections and meaningful choice in the way 
their information is collected and used.
    Protecting consumer privacy, however, also means 
safeguarding data against unauthorized breaches. The Data 
Security and Breach Notification Act will protect consumers by 
requiring strong data security practices, as well as 
notification in case of breach. The bill will also incentivize 
companies to practice data minimization on the front end before 
a breach occurs and to provide at least 2 years of free credit 
reports. We are particularly pleased with the provisions that 
instruct information brokers to maximize the accuracy and 
accessibility of their records and to provide consumers with a 
process to dispute information.
    Consumers Union would prefer that consumers be notified in 
any event of a breach, similar to the strongest state notice of 
breach laws currently in place. However, we can accept giving 
an exemption whenever a company demonstrates no reasonable risk 
of identify theft to the consumer. We urge this committee not 
to further weaken notification requirements.
    Thank you for your time, and I would be happy to answer any 
questions you may have.
    [The prepared statement of Ms. Rusu follows:]

 Prepared Statement of Ioana Rusu, Regulatory Counsel, Consumers Union
    Chairman Rockefeller, Ranking Member Hutchinson and esteemed 
members of the Committee. Thank you for the opportunity to appear 
before you today to discuss privacy and data security issues. My name 
is Ioana Rusu, and I am Regulatory Counsel for Consumers Union, the 
non-profit publisher of Consumer Reports  magazine.
Privacy in a Rapidly Changing World
    Few can deny just how much the world has changed over the past 
decade. We now research and shop for products without ever leaving our 
homes. Our phones have become mini-computers, allowing us to organize 
our finances, pay bills, and order services on the go, as well as to 
pinpoint our exact geographical location. Social networks and online 
blogs enable us to create virtual lives, to reconnect with long-lost 
friends, and even to organize against oppressive government regimes. By 
transmitting and accessing more information than ever before, we've 
created both a vibrant online community and an efficient and convenient 
Internet marketplace. These incredible tools have enriched and enhanced 
our lives.
    At the same time, however, these same tools have planted some 
unnerving questions in our hearts. For example, will we continue to 
express ourselves freely on the Internet when we know that every click 
and keystroke is being recorded by unknown entities, to be used for 
unknown purposes? And once we've entrusted our personal data to a third 
party, can we be sure it will it be carefully safeguarded? It is time 
for us to answer these questions in a clear and straightforward manner. 
A privacy and data security policy composed of clear, predictable, and 
comprehensive rules will enhance consumer trust and encourage 
innovation.
    The first step toward this goal is our recognition that privacy is 
still very much a relevant and important concept in our world today. 
Although we live in an age of extensive sharing, very few people would 
agree that every piece of information they transmit should be available 
to everyone, for any conceivable purpose. We share information because 
it facilitates transactions, gives us access to services we seek, and 
allows us to more easily communicate with others. But it is incorrect 
to assume that consumers don't care about how that information is used 
and disseminated. In fact, in a May 2011 Consumer Reports  poll, 82 
percent of respondents were concerned that companies they did business 
with may be passing on their personal information to third parties 
without their permission. Such consumer distrust could represent a 
significant barrier to the adoption of new technologies, which in turn 
harms commerce and discourages innovation.
Legislative Solutions for Protecting Consumer Privacy
    The Commercial Privacy Bill of Rights of 2011 introduced by 
Senators Kerry and McCain seeks to implement some reasonable standards 
that would give individuals more control over who gets access to their 
personal information and for what purpose.
    The bill's framework is firmly rooted in a set of Fair Information 
Practice Principles (FIPPs)--``rules of the game'' that spell out how 
covered entities should be collecting, handling, and sharing consumer 
data. These principles include clear, concise, and timely notice about 
data collection practices; opt out requirements for certain uses of 
personal information; access and accuracy requirements; and the 
principle of ``privacy by design,'' which requires entities to 
incorporate privacy protections directly into their day-to-day 
activities, as they develop new products and implement new 
technologies. Taken together, the FIPPs create a roadmap for the fair 
and responsible treatment of consumer data online.
    We are pleased that the bill requires companies to offer consumers 
an opt out from unauthorized uses of their information, including the 
unauthorized transfer of information to third parties and the passive 
collection of information by third parties on first-party sites. Third-
party sharing of information is extremely expansive in today's e-
commerce, as tracking technologies allow advertisers to collect vast 
amounts of information about consumers and to aggregate them into 
personal profiles that are then used to target individuals much more 
effectively than ever before. While some consumers may not mind 
receiving advertising tailored to their interests, others prefer that 
their behaviors and preferences online remain private. The latter group 
should be able to choose not to have data shared with these unknown 
third parties.
    The bill also recognizes that some types of information are more 
intimate and more easily used for harmful purposes than others. As a 
result, the bill creates a ``sensitive information'' category, which 
includes personally identifiable information (PII) that could result in 
physical or economic harm to an individual, or information about an 
individual's medical condition, medical records, or religious beliefs. 
If companies wish to collect, use, or share sensitive information, they 
must obtain the individual's affirmative opt-in consent. We strongly 
agree with this provision. A young woman suffering from bulimia should 
never worry that when she joins an eating disorder support forum, her 
information will be passed along to companies who will market weight 
loss supplements to her at every step, constantly reminding her of her 
obsession with her weight. She also should never have to worry that 
information about her condition will be sold to her insurance company, 
who will then raise her rates. Such uses of sensitive information are 
unexpected and unfair, and should not be permitted without the 
consumer's informed consent.
    In addition, we are pleased that the bill requires entities to 
engage in data minimization by not collecting more data than is needed, 
and by only retaining collected data for a limited amount of time. 
Consumers Union believes that the traditional notice-and-choice 
approach to privacy has not done enough to allay consumers' concerns. 
This approach has resulted in lengthy privacy policies, filled with 
legalese, that consumers must ``agree to'' in order to access a website 
or receive a service. As a result, Consumers Union supports the 
implementation of substantive privacy principles, such as data 
minimization and data retention limits, which do not rely solely on 
consumer participation to function. These principles require companies 
to carry out an honest assessment of their own data practices, and to 
collect and retain only information necessary to the operation of their 
business. It is also important to note that rich repositories of 
information within indefinite retention periods tend to be prime 
targets for hackers and can expose extensive amounts of information in 
case of a data breach. Fewer privacy concerns will arise if only 
necessary data is collected and stored for a limited amount of time.
    The bill grants enforcement power to both the Federal Trade 
Commission and state attorneys general (AGs)--a crucial provision that 
will increase the likelihood that bad actors are caught and punished. 
The enforcement provisions of the bill are crucial elements of this 
privacy framework, and emphasize the fact that any comprehensive 
privacy standards must be backed up by the force of law. The reason why 
industry self-regulation initiatives have largely failed to address 
this problem so far is that companies choose to voluntarily 
participate, and are held accountable insofar as they violate the 
stated terms in their own privacy policies. Under the proposed 
framework, all covered entities would be required to comply or risk 
enforcement action by either FTC or state AGs.
    As discussed above, the Commercial Privacy Bill of Rights of 2011 
lays out an important foundation for better privacy practices which 
Consumers Union supports. At the same time, we look forward to working 
toward strengthening the measure so that it provides consumers with 
even more transparency and control.
    First of all, we support providing consumers with an opt-out not 
only for the unauthorized use of covered information, but also for its 
collection. Companies should not be permitted to amass vast quantities 
of information about individuals' behaviors and interests, without at 
least giving those individuals some notice and opportunity to opt out.
    Second, we believe the bill could be strengthened by extending the 
definition of ``sensitive information'' to also include information 
directly tied to unique identifiers, not just to PII. As the FTC noted 
in its recent staff report, the distinctions between PII and non-PII 
are becoming increasingly irrelevant. A consumer's behavioral profile 
is not ``anonymous'' simply because it is not tied to his name or 
address; it is sufficient that it is tied to his particular device. 
Companies could use that information to treat consumers unfairly, even 
without access to their PII. For example, if a website does not know my 
name, but knows that, based on my browsing habits, I am a user with a 
taste for luxury goods, it could presumably show me different offers, 
at different prices, than it would for another user. This may result in 
economic harm to me.
    In addition, re-identification methods today allow companies to 
aggregate many pieces of ``anonymous'' consumer information into 
profiles that can then be linked to actual persons. While the bill does 
include a provision prohibiting re-identification by third parties--a 
provision that we support--we believe this same prohibition should also 
apply to first parties who claim to collect only anonymous information 
from consumers. Such first parties should also be prohibited from re-
identifying the consumers to whom the data applies. We are pleased to 
see heightened protections for sensitive information, but would like to 
see the definition of ``sensitive information'' expanded to address the 
ways in which online behavioral tracking is currently being carried 
out: though unique identifiers tied to individual devices.
    Third, we wish to see more authority granted to the Federal Trade 
Commission to modify and update the definitions in the bill. As 
industry never fails to point out, this is a rapidly changing and 
emerging field, with new developments springing up almost on a daily 
basis. The FTC should have flexibility to address these new issues as 
they arise.
    Also, the expansive language of the pre-emption provision could 
forestall any state laws that ``relate to'' covered entities' 
collection, use or disclosure of covered information. Although some 
pre-emption may be necessary to ensure uniformity in privacy practices 
across state lines, states should be given leeway to come up with 
innovative ways of protecting consumers while also supporting 
technological innovation. We would recommend that the pre-emption 
provision in the bill, at most, cover any state laws that ``expressly'' 
require covered entities to implement requirements with respect to the 
collection, use or disclosure of covered information. Although still 
pre-emptive, this language would be more narrowly tailored and may 
still allow state action in areas not covered by the bill.
    While we believe the Commercial Privacy Bill of Rights Act will 
provide consumers with meaningful choice over how their personal 
information is collected, transferred, and used, our organization has 
long supported giving consumers the possibility to opt out of online 
tracking. That is why Consumers Union also strongly supports Chairman 
Rockefeller's Do-Not-Track Online Act of 2011 as an important and 
necessary component of consumer online privacy policy.
    The bill would lend the force of law to industry's self-regulatory 
efforts by requiring that when a consumer using a Do-Not-Track (DNT) 
tool expresses a preference to not be tracked online, companies must 
respect that choice. The Federal Trade Commission would have authority 
to establish standards for the implementation of such DNT tools, taking 
into consideration the appropriate scope of such mechanisms, technical 
feasibility, and cost. In addition, the bill gives both FTC and state 
AGs authority to enforce the statute and ensuing regulations, and to 
seek civil penalties and damages from bad actors.
    Public support for a DNT option is particularly high at the moment. 
According to the same Consumer Reports  poll mentioned above, 81 
percent of respondents agreed that they should be able to permanently 
opt out of Internet tracking. In addition, the FTC endorsed this idea 
in its most recent report, and we are pleased that some industry actors 
have already developed and incorporated DNT tools directly into 
browsers. Despite the emergence of such consumer-friendly tools, 
however, marketers currently can and do ignore consumers' DNT choices. 
This is precisely why Chairman Rockefeller's bill is a much-needed 
component in today's privacy discussion.
    Consumers Union believes that the Do-Not-Track Online Act and the 
Commercial Privacy Bill of Rights Act, taken together, would give 
consumers strong privacy protections and meaningful choice in the way 
their information is collected and used online.
Protecting Consumers' Data from Breaches
    Protecting consumer privacy extends beyond giving consumers control 
over how their information is used and shared. Any comprehensive, 
standardized privacy policy must also address how collected information 
is stored and safeguarded, and what protections each consumer should 
enjoy in the unfortunate event of a data breach.
    Last month, Sony's PlayStation network faced numerous attacks that 
resulted in the theft of over 100 million personal records, according 
to Privacy Rights Clearinghouse. And in April, the e-mail database of 
marketing company Epsilon was hacked and an unknown number of consumer 
names and e-mail addresses were stolen. Because Epsilon sends out more 
than 40 billion marketing e-mails annually, the potential breadth of 
this breach could render it the biggest of its kind in U.S. history.
    The ubiquity of security breach incidents today renders the Data 
Security and Breach Notification Act of 2011, introduced by Senator 
Pryor and Chairman Rockefeller, particularly timely and relevant. 
Consumers Union believes this bill will protect consumers by mandating 
strong data security practices for all covered entities, as well as 
notification in case of breach. The bill will also hopefully 
incentivize covered entities to engage in data minimization practices 
on the front end, before a breach occurs.
    The Data Security and Breach Notification Act first directs the 
Federal Trade Commission to promulgate regulations that would lay out 
how covered entities must maintain and protect personal information. 
These regulations would encourage companies to assess vulnerabilities 
and anticipate reasonably foreseeable attacks, in order to address 
those issues and prevent a breach.
    If a security breach nevertheless does occur, the bill would 
require covered entities to provide timely notice of security breach to 
affected consumers and at least 2 years of free credit reports or 
credit monitoring. Consumers Union supports these provisions. If 
consumers do not know their data has been compromised, they cannot take 
steps to protect themselves. We also do not believe that consumers 
should have to bear the costs when personal information that they 
entrusted to a company is lost.
    Although Consumers Union would prefer that consumers receive 
notification whenever their personal information is compromised, if 
there is to be a standard for risk, then Consumers Union would prefer 
the approach taken by this bill, where the risk is considered as an 
exemption rather than as an affirmative trigger. Under an ``exemption'' 
approach, a company with a security breach has to qualify for the 
exemption by showing that there is no reasonable risk of harm. 
Insufficient information about the level of risk does not eliminate the 
obligation to tell consumers about the breach. We would like to note, 
however, that the strongest state notice of breach laws do not require 
a finding of risk before mandating consumer notification.
    We are particularly pleased that the bill focuses on the activities 
of information brokers, defined as commercial entities whose business 
is to collect, assemble, or maintain personal information concerning 
individuals with the purpose of selling such information to 
unaffiliated third parties. We strongly support the provisions 
instructing information brokers to maximize the accuracy and 
accessibility of their records, as well as to provide consumers with a 
process to dispute information. In addition, the provisions requiring 
information brokers to submit their security policies to the FTC, as 
well to undergo potential FTC post-breach audits, will foster 
accountability and enforcement of this bill.
    This bill arms state officials with strong enforcement tools to 
ensure compliance with the law. Consumers Union agrees that state 
attorneys general and other officials or agencies of the State should 
have the authority to bring enforcement actions against any entity that 
engages in conduct violating the bill. State attorneys general have 
been at the forefront of notice of data breach issues and have played 
an invaluable role in addressing identity theft and data breach. 
Consumers' personal information will be better protected because of 
these enforcement tools.
    Consumers Union believes that the Data Security and Breach 
Notification Act would encourage companies to act proactively to 
prevent against data breaches and to quickly address any breaches that 
may occur. At the same time, we look forward to working toward 
strengthening a couple of the provisions in the bill.
    First, we are concerned that companies conducting risk assessments 
may not always evaluate the facts in a fair and truthful manner, in 
order to avoid costly notice requirements. As a result, we would 
suggest that companies be required to either submit the results of 
their self-assessments to the FTC and state AGs, or, alternatively, to 
maintain a copy of those results for a defined period of time and make 
them available to the authorities upon request. A faulty self-
assessment that clearly ignores potential risks should be treated as a 
violation of the statute.
    We also hope that the 60-day window for providing notification will 
be narrowed. The sooner consumers are made aware of a breach, the 
quicker they can take remedial action. In addition, we are concerned 
that some credit monitoring companies are automatically billing 
consumers after the mandatory two free years of monitoring have ended. 
Consumers should affirmatively consent to any additional monitoring 
beyond the 2 years provided by the company.
Closing
    In closing, we urge you to continue the conversation on the 
important topics of data privacy and security. While these three bills 
put in place important protections for consumer data, both online and 
offline, we encourage you to also consider adding additional 
protections for kids and adolescents. Teens between the ages of 13 and 
17, in particular, make up a large portion of Internet users today. At 
the same time, they are more vulnerable to inappropriate uses of their 
personal information online. We hope you will develop some heightened 
standards to address the privacy of these sensitive users.
    Consumers Union looks forward to working with you as these three 
bills move forward. Consumers are looking to you to enact standardized, 
mandatory and enforceable rules of the road that companies must follow 
when handling user data. We firmly believe that implementing these 
baseline principles will enhance consumer trust in the marketplace and 
encourage businesses to grow and innovate with confidence. Thank you 
for your time, and I would be happy to answer any questions you may 
have.

    The Chairman. Thank you.
    Mr. Schaaff?
    Incidentally, I want to apologize to everyone about this 
travesty of scheduling. It's not fair to you. It's not fair to 
us. It's not fair to the subject. People were lined all the way 
down to the basement to get into this hearing. And we're all 
being short-changed because of votes.
    We usually make one vote a day. It's usually on a judge. 
For some reason, now, we're going to have five votes, and it's 
all quite incomprehensible and totally unfair to everybody in 
this room.
    Please proceed, sir.

             STATEMENT OF TIM SCHAAFF, PRESIDENT, 
            SONY NETWORK ENTERTAINMENT INTERNATIONAL

    Mr. Schaaff. Thank you, Chairman Rockefeller and other 
distinguished members of the Committee. Thank you for this 
opportunity.
    My name is Tim Schaaff, and I'm President of Sony Network 
Entertainment, a subsidiary of Sony Corporation based in 
California, where we employ approximately 700 people in five 
offices around the state. I'm chiefly responsible for the 
business and technical aspects of Sony's PlayStation Network 
and Curiosity, online services that allow consumers to access 
movies, television shows, music, and video games.
    Sony Network Entertainment, Sony Online Entertainment, and 
millions of our customers were recently the victims of an 
increasingly common digital age crime, a cyber attack. 
Regarding the attack on Sony, initially anonymous, the 
underground group associated with last year's Wikileaks-related 
cyber attacks openly called for and carried out massive denial 
of service attacks against numerous Sony Internet sites in 
retaliation for Sony bringing an action in federal court to 
protect its intellectual property. During or shortly after 
those attacks, one or more highly-skilled hackers infiltrated 
the servers of the PlayStation Network and Sony Online 
Entertainment.
    Sony Network Entertainment and Sony Online Entertainment 
have always made concerted and substantial efforts to maintain 
and improve the data security systems that we utilize. We hired 
respected and experienced cyber security firms to enhance our 
defenses against the denial of service attacks threatened by 
anonymous. But, unfortunately, no entity can foresee every 
potential cyber security threat.
    We have detailed for the Committee in our written testimony 
the time line from when we first discovered the breach, so I 
will not cover those details here today. However, throughout 
this time, we felt a keen sense of responsibility to our 
consumers. We shut down the networks to protect against further 
unauthorized activity. We notified our customers promptly when 
we had specific, accurate, and useful information.
    We thanked our customers for their patience and loyalty and 
addressed their concerns arising from this breach with free 
identity theft protection and insurance programs for U.S. and 
other customers, as well as a welcome-back package of extended 
and free subscriptions, games, and other services. And we 
worked to restore our networks with stronger security to 
protect our customers' interests.
    Let me address one of the specific issues you are 
considering today, notification of consumers when data breaches 
occur. Laws and common sense provide for companies to 
investigate breaches, gather the facts, and then report data 
losses publicly. If you reverse that order, issuing vague or 
speculative statements before you have specific and reliable 
information, you either send false alarms or so many alarms 
that these warnings will be ignored.
    We, therefore, support balanced federal data breach 
legislation and look forward to working with the Committee on 
the particulars of the bill. By working together to enact 
meaningful cyber security legislation, we can limit the threat 
posed to all. And by simultaneously moving forward on data 
breach policies and legislation, we can ensure that consumers 
are empowered with the necessary information and tools to 
protect themselves from these cyber criminals.
    Thank you very much.
    [The prepared statement of Mr. Schaaff follows:]

             Prepared Statement of Tim Schaaff, President, 
                Sony Network Entertainment International
    Chairman Rockefeller, Ranking Member Hutchison, and other 
distinguished members of the Committee, thank you for providing Sony 
with this opportunity to testify on cyber crime and data security.
    My name is Tim Schaaff, and I am President of Sony Network 
Entertainment International, a subsidiary of Sony Corporation.
    I am chiefly responsible for the business and technical aspects of 
Sony's PlayStation Network and Qriocity, online services that allow 
consumers to access movies, television shows, music and video games.
    As you know, this year, Sony has been one of a growing number of 
targets of an increasingly common digital-age crime: a cyber attack.
    Almost every day it seems a new story emerges about businesses, 
government entities, public institutions and individuals becoming 
victims of this cyber crime wave; thus, supporting President Obama's 
statement noting that these cyber attacks are ``one of the most serious 
economic and national security threats our Nation faces.'' This warning 
was recently echoed by Defense Secretary Gates, ``[t]here is a huge 
future threat and there is a considerable current threat [from cyber 
attacks]. That's just a reality we all face.''
    If nothing else, perhaps the frequency, audacity and harmfulness of 
these attacks will help encourage Congress to enact new legislation to 
make the Internet a safer place for everyone to learn, enjoy 
entertainment and engage in commerce. We applaud this committee for its 
work on the issue, and we stand ready to assist you in whatever way we 
can.
    Regarding the attack on Sony, please let me briefly provide some 
details, Initially, Anonymous, the underground group associated with 
last year's WikiLeaks-related cyber attacks, openly called for and 
carried out massive ``denial-of-service'' attacks against numerous Sony 
Internet sites in retaliation for Sony bringing an action in federal 
court to protect its intellectual property.
    During or shortly after those attacks, one or more highly-skilled 
hackers infiltrated the servers of the PlayStation Network and Sony 
Online Entertainment.
    Sony Network Entertainment and Sony Online Entertainment have 
always made concerted and substantial efforts to maintain and improve 
their data security systems. A well-respected and experienced cyber-
security firm was retained to enhance our defenses against the denial-
of-service attacks threatened by Anonymous. But unfortunately no 
entity--be it a mom-and-pop business, a multinational corporation, or 
the Federal Government--can foresee every potential cyber-security 
threat.
    On Tuesday, April 19, 2011, our network team discovered unplanned 
and unusual activity taking place on four of the many servers that 
comprise the PlayStation Network. The network team took those four 
servers off line and an internal assessment began.
    On Wednesday, April 20, we mobilized a larger internal team to 
assist in the investigation. And on that date, the team discovered the 
first credible indications that an intruder had been in the PlayStation 
Network system. We immediately shut down all of the PlayStation Network 
services in order to prevent additional unauthorized activity.
    That same afternoon, a security firm was retained to ``mirror'' the 
servers to enable a forensic analysis. The scope and complexity of the 
investigation grew substantially as additional evidence about the 
attack developed.
    On Thursday, April 21, a second recognized firm was retained to 
assist in the investigation.
    On Friday, April 22, we notified PlayStation Network customers via 
a post on the PlayStation Blog that an intrusion had occurred.
    By the evening of Saturday, April 23, we were able to confirm that 
intruders had used very sophisticated and aggressive techniques to 
obtain unauthorized access to the servers and hide their presence from 
the system administrators.
    On Sunday, April 24, yet another forensic team with highly 
specialized skills was retained to help determine the scope of the 
intrusion.
    By Monday, April 25, we were able to confirm the scope of the 
personal data that we believed had been accessed. Although there was no 
evidence credit card information was accessed, we could not rule out 
the possibility.
    The very next day--Tuesday, April 26, we issued a public notice 
that we believed the personal information of our customers had been 
taken and that, while there was no--and there still is no--evidence 
that credit card data was taken, we could not rule out the possibility. 
We also posted this on our blog and began to e-mail each of our account 
holders directly.
    On Sunday, May 1, Sony Online Entertainment, a multiplayer, online 
video game network, discovered that data may have been taken. On 
Monday, May 2, Sony Online Entertainment shut down this service and 
notified customers that their personal information may have been 
compromised.
    Throughout this time, we felt a keen sense of responsibility to our 
customers:

   We shut down the networks to protect against further 
        unauthorized activity;

   We notified our customers promptly when we had specific, 
        accurate and useful information;

   We thanked our customers for their patience and loyalty and 
        addressed their concerns arising from this breach with identity 
        theft protection programs--at no cost to consumers--for U.S. 
        and other customers (where available) and a ``Welcome Back'' 
        package of extended and free subscriptions, games and other 
        services; and

   We worked to restore our networks with stronger security to 
        protect our customers' interests.

    We have relaunched our networks, with stronger security protections 
in place, and we are pleased that our customers have been very loyal 
and excited about returning to them. In fact, our PlayStation Network 
activity level is already up to more than 90 percent of what it was 
before the attack. And sales of our PS3's are up double-digits this 
year.
    Two final points. First, as frustrating as the loss of the network 
for playing games was for our customers, the consequences of cyber 
attacks against financial or defense institutions could be devastating 
for our economy and security. Consider the fact that defense contractor 
Lockheed Martin and the Oak Ridge National Laboratory, which helps the 
Department of Energy secure the nation's electric grid, were cyber 
attacked within the past several months. Even the CIA, the FBI and the 
U.S. Senate have recently experienced such attacks.
    Second, we support federal data breach legislation that would: (1) 
provide consumers--regardless of what state they live in--the assurance 
that if and when their personal data is compromised, they will receive 
timely, meaningful, and accurate notice of this fact; (2) ensure that 
consumers receive helpful information on what measures they can take to 
mitigate any potential harm, including free credit reporting in cases 
in which such a service is warranted; and (3) treat all similarly 
situated companies that possess personal information equally.
    By working together to enact meaningful cyber-security legislation, 
we can limit the threat posed to us all. We look forward to working 
with you to ensure that consumers, businesses and governments are 
empowered with the information and tools they need to protect 
themselves from cyber criminals. We are willing and eager to help 
provide law enforcement with the laws and resources they need to 
prevent cyber crime from occurring and bring cyber criminals to justice 
when prevention fails. And by simultaneously moving forward on data 
breach policies and legislation, we can ensure that consumers are 
empowered with the necessary information and tools to protect 
themselves from these cyber criminals.
    Thank you.

    The Chairman. Thank you, Mr. Schaaff.
    Mr. Lenard.

  STATEMENT OF THOMAS M. LENARD, Ph.D., PRESIDENT AND SENIOR 
              FELLOW, TECHNOLOGY POLICY INSTITUTE

    Mr. Lenard. Thank you, Chairman Rockefeller and members of 
the Committee. I appreciate the opportunity to testify today.
    I'd like to stress two points in my testimony: first, the 
importance of having reliable data and analysis for 
policymaking in this area; and, second, that privacy and 
security are different things and, therefore, should be dealt 
with separately. The privacy debate has engendered strong 
opinions but relatively little data or analysis. In order to 
make informed decisions, policymakers need to have facts about 
the practices prevalent in the marketplace. To my knowledge, 
the most recent systematic data on commercial website privacy 
practices are from 2001.
    In addition to basic data, the benefits and costs of policy 
proposals need to be evaluated to ensure that they improve 
consumer welfare. For example, some proposals are likely to 
reduce the value of the Internet as an advertising medium both 
for firms and consumers and in the process reduce the revenue 
available to support content enjoyed by all Internet users. The 
principal purpose of cost-benefit analysis is to make these 
trade-offs explicit.
    Some proposals also may not produce the intended results. 
For example, the idea for a do-not-track mechanism comes from 
the telemarketing Do-Not-Call list which has been very popular. 
But the effects may be quite different. The Do-Not-Call list 
reduces unwanted marketing solicitations. The do-not-track 
mechanism could have the opposite effect with consumers 
receiving a greater number of ads that are less well targeted 
to their interests.
    The Chairman. Could you repeat that sentence?
    Mr. Lenard. A do-not-track mechanism could have the 
opposite effect with consumers receiving a greater number of 
ads that are less well targeted to their interests.
    The Chairman. OK.
    Mr. Lenard. Security presents different issues than 
privacy. People may be quite comfortable with the intended uses 
of their information but worried about unintended uses and want 
their information to be secure. Identity theft is perhaps their 
primary security concern, although the most recent data show 
that total identity fraud in 2010 was at its lowest level in 8 
years.
    Regulating the collection and use of information by 
legitimate firms does little or nothing to deter identity 
theft. And, in fact, excessive control of information may 
increase the risk of identity theft by making it more difficult 
for sellers to determine if a potential buyer is fraudulent. 
There are two general responses to data breaches and related 
fraud: improved security to reduce the likelihood that such 
events will happen, and notification of the victims in the 
event that they do happen. Both are addressed in current 
legislative proposals.
    Data breaches and identity frauds are extremely costly to 
the firms involved, which gives companies a very strong 
incentive to spend money on data security. It's, therefore, 
unclear that government action in this area is warranted. 
Incentives for notification may be less strong, and whether a 
regulatory notification requirement would make people better 
off is, therefore, an empirical question. One thing to be 
concerned about is that if consumers receive more notices, they 
may become afraid to do business online. This would be an 
unfortunate response because online commerce is safer than 
offline commerce.
    Perhaps the most significant benefit of federal data 
security and breach notification legislation would be 
preempting the patchwork of state laws. For that reason, 
enacting a carefully crafted federal bill could yield savings 
for firms and consumers.
    The privacy and data security debates are extremely 
important to the future of the digital economy and of 
innovation in the United States. But, unfortunately, they are 
taking place largely in an empirical vacuum. Without 
substantially better data and analysis, there's no way of 
knowing with any confidence whether proposals currently under 
consideration will improve consumer welfare or not.
    Thank you.
    [The prepared statement of Mr. Lenard follows:]

 Prepared Statement of Thomas M. Lenard, Ph.D.,* President 
             and Senior Fellow, Technology Policy Institute
---------------------------------------------------------------------------
    \*\ The views expressed here are my own and do not necessarily 
reflect the views of TPI, its board, or its staff.
---------------------------------------------------------------------------
    Chairman Rockefeller, Ranking Member Hutchison, and members of the 
Committee: My name is Thomas Lenard and I am President and Senior 
Fellow at the Technology Policy Institute, a non-profit, non-partisan 
think tank that focuses on the economics of innovation, technological 
change, and related regulation in the United States and around the 
world. I appreciate the opportunity to testify before you today on 
privacy and data security. These issues are critically important for 
innovation in the digital economy, which relies on the flow of large 
amounts of information.
    I would like to stress two points in my testimony: first, the 
importance of having reliable data and analysis for good policymaking 
in this area; and, second, that privacy and security are different and 
therefore should be dealt with separately.
Privacy
    The privacy debate has engendered strong opinions, but relatively 
little data or analysis. In some respects, we had better data for 
policymaking 10 years ago than we do now. In 2001, when the last of a 
series of four studies by researchers at the FTC and elsewhere was 
completed, we at least had baseline data on the privacy practices of 
commercial websites. During the period covered by the studies, the 
privacy practices of commercial websites generally improved. However, 
to my knowledge there has been no systematic study since 2001, so no 
one knows what commercial website practices are today and whether they 
are better or worse than they were a decade ago. Policymakers can't 
make informed policy decisions without facts about the practices 
prevalent in the marketplace.
    In addition to basic data, the benefits and costs of alternative 
privacy regimes (including the status quo) need to be carefully 
analyzed in order to identify the policies that will best serve the 
interests of consumers. The commercial use of information online 
produces a range of benefits, including advertising targeted to 
consumers' interests; advertising-supported services and content, such 
as free e-mail and search engines; and fraud detection and reduction in 
other threats, such as malware and phishing. More privacy means less 
information available for the marketplace and, therefore, potentially 
fewer benefits for consumers. Indeed, most privacy proposals are 
designed to make it easier for consumers to limit the amount of 
information firms collect and retain. The principal purpose of cost-
benefit analysis is to make the tradeoffs inherent in greater privacy 
protection explicit and evaluate them.
    On the cost side, a recent study found that the European Privacy 
Directive reduced the effectiveness of online advertising by about 65 
percent. In other words, privacy protections make advertising less 
useful to consumers and, therefore, less valuable to advertisers. 
Advertisers will pay less for less-effective ads, which reduces the 
resources available to support online content. The authors found this 
was particularly so for more general (less product-specific) websites, 
such as newspapers.
    Although only a few empirical studies of the costs of privacy 
regulation exist, even less information is available on the benefits. 
The benefits of privacy are the reduced harms associated with 
information being available or misused. If it is difficult to show harm 
from current practices--and thus far it has been--then it is also 
difficult to demonstrate that increased privacy regulation will produce 
benefits. We do know that people routinely give up some information 
about themselves in return for access to content and other services, 
such as e-mail and online news subscriptions, and more useful 
advertising. This suggests that consumers are willing to give up some 
privacy for the value they receive.
    The benefits and costs of specific proposals, such as a Do-Not-
Track mechanism should be evaluated to make sure they improve consumer 
welfare. Some people may use a Do-Not-Track mechanism because they 
derive utility simply from knowing they are not being tracked. These 
potential benefits need to be weighed against the costs, which include 
the direct costs of implementation as well as the indirect costs in 
terms of the quantity and quality of services and content on the 
Internet. Many of these costs would be borne not only by Do-Not-Track 
participants but by other users as well. A Do-Not-Track mechanism 
(depending on how many people used it) could reduce the value of the 
Internet as an advertising medium, and therefore the revenues available 
to support content for all Internet users. A Do-Not-Track mechanism 
could also affect the quality of major Internet services, such as 
search engines, which use data on search histories to update and 
improve their algorithms, and to protect against threats such as search 
spam, click-fraud, malware and phishing. The fewer data available to 
search engines, the less well they will perform. In sum, the 
information generated by online tracking generates positive 
externalities that support the services that everyone uses. Consumers 
who opted for a Do-Not-Track mechanism might be free-riding off those 
consumers who allowed their data to be used.\1\
---------------------------------------------------------------------------
    \1\ This is in contrast to the Do-Not-Call List. Signing up for the 
Do-Not-Call List would not appear to impose costs on other consumers.
---------------------------------------------------------------------------
    The idea for a Do-Not-Track mechanism comes from the telemarketing 
Do-Not-Call List, which has been very popular. But the similarities 
between the two end at their names. People sign up for the Do-Not-Call 
List in order to reduce unwanted marketing solicitations. A Do-Not-
Track mechanism would likely have the opposite effect. Consumers might 
receive a greater number of ads that are less-well targeted to their 
interests. This cost should also be taken into account. Several easily 
available tools let consumers block ads on the Internet, but a Do-Not-
Track mechanism is unlikely to be one of them.
    The three major browser providers--Google, Microsoft, and Mozilla--
have announced that their products will include Do-Not-Track 
mechanisms. It is unclear whether this is a response to demands from 
consumers or to the specter of regulatory intervention. In any event, 
these ``market'' solutions should be permitted to develop without any 
additional pressure or requirements from the government.
Data Security
    With respect to data security, the most recent survey from Javelin 
Strategy and Research found that total identity fraud in 2010 was at 
its lowest level in 8 years. While all types of fraud declined, and 
average costs per victim declined, mean consumer out-of-pocket costs 
increased, in part due to an increase in ``friendly fraud''--fraud 
perpetrated by people known to the victim, such as a relative or a 
roommate.
    Security presents a different set of issues than privacy. People 
may be comfortable with the intended uses of their data, but are 
worried about unintended uses and want their data to be secure. 
Identity theft--which involves the loss of personal data that poses a 
financial threat (such as a credit card number)--is perhaps the primary 
security concern of individuals. Regulating the collection and use of 
information by legitimate firms does not appear to make it more 
difficult for criminals to access information such as credit card 
numbers and, therefore, does little or nothing to deter identity theft. 
In fact, excessive control of information may increase the risk of 
identity theft by making it more difficult for sellers to determine if 
a potential buyer is fraudulent or not. Moreover, anything that 
encourages individuals to shift transactions offline is likely to be 
counter-productive.
    There are two general responses to data breaches and related 
fraud--improved security to reduce the likelihood that such events will 
happen, and notification of the victims in the event that they do 
happen. Both of these are addressed in the data security bills being 
considered by Congress.
    Substantial evidence suggests that data breaches, identity theft 
and related frauds are very costly to the firms involved. The FTC, in a 
2003 study, found that the costs of identity theft to businesses were 
about 10 times the costs to individuals. Credit card issuers and 
merchants are typically liable for the costs of fraudulent charges--a 
form of insurance provided to credit card holders. The costs to firms 
are reflected in the significant stock market losses they suffer when 
victimized by security breaches. Thus, companies have a strong 
incentive to spend money on data security and it is unclear that 
government action in this area is warranted.
    Incentives for notification may be less strong. However, whether a 
regulatory notification requirement would make people better off is an 
empirical question. Are the expected benefits greater than the expected 
costs? This is a complicated question but several factors affect how we 
should view notification requirements:

        First, even when consumers receive notice of a security breach, 
        most of them do nothing about it. This lack of action is 
        probably a rational response because even when data are 
        compromised, the probability of identity theft is extremely 
        small and actions like placing fraud alerts or closing accounts 
        are not costless. Moreover, the costs of most instances of 
        identity theft--i.e., credit card fraud--are incurred by firms 
        and not individuals.

        Second, we don't have good information about the range of 
        consumer responses to notification. If consumers receive more 
        notices, they may simply become indifferent to them. Or, they 
        may become afraid to do business online. This would be a costly 
        over-reaction because online commerce is safer than offline 
        commerce. Indeed, one of Javelin's principal recommendations in 
        its annual reports is that consumers should move their 
        transactions online.

    Because of these factors, a notification mandate should carefully 
target those individuals most at risk of identity fraud in order to 
increase its potential benefits.
    Perhaps the most significant benefit of federal data security and 
breach notification legislation would be preempting the patchwork of 
state laws. Since most companies operate nationally, a state-by-state 
approach is unlikely to work well. For that reason, enacting a 
carefully crafted federal bill could yield savings for firms and 
consumers.
Conclusion
    The privacy and data security debates are extremely important to 
the future of the digital economy and of innovation in the United 
States. Unfortunately, they are taking place largely in an empirical 
vacuum. Without substantially better data and analysis, there is no way 
of knowing with any confidence whether proposals currently under 
consideration will improve consumer welfare.

    The Chairman. Thank you very much.
    Mr. Taylor.

   STATEMENT OF SCOTT TAYLOR, CHIEF PRIVACY OFFICER, HEWLETT-
                        PACKARD COMPANY

    Mr. Taylor. Chairman Rockefeller, members of the Committee, 
HP commends the Committee on its forward-looking approaches to 
balancing consumer privacy interests with the business 
realities of an Internet-based economy. I'd like to talk today 
about technology, trust, and privacy and how they converge to 
create new opportunities but also a set of challenges.
    We're living in a time where our reliance on technology is 
ever increasing. Our business and personal lives are starting 
to merge. Consumers are more dependent upon mobile devices, and 
they have growing expectations that companies are going to be 
accountable stewards that respect and protect the information 
that we collect, that we use, and that we maintain.
    HP firmly believes that our ability to succeed in the 
marketplace depends on earning and keeping our customers' 
trust. HP takes active steps to implement organizational 
accountability for privacy throughout our company. We believe 
that companies need to do more and, when asked or requested, to 
be able to demonstrate their capacity to uphold the obligations 
and the commitments that they make.
    To that end, we've built an internal program that includes 
our privacy advisor tool, which integrates all of our 
commitments into a tool that helps to guide our employees. The 
tool looks at privacy requirements, risks, and other 
considerations. It helps ensure that we're able to hold every 
employee accountable. The concept is known as privacy by 
design, and it's one of the fundamental elements in the 
legislation that Senators Kerry and McCain have put forward 
that HP supports.
    HP is a strong proponent of omnibus U.S. federal privacy 
legislation. We firmly believe that it's time for the U.S. to 
establish a comprehensive, flexible, legal framework that works 
to protect consumer privacy. We believe consumers are expecting 
it, businesses need it, and the economy will be better for it.
    While HP also believes in effective corporate self-
regulation or the possibility of innovative co-regulatory 
programs as outlined in the Kerry-McCain bill, the patchwork of 
state laws and statutes in existence today confuses customers 
about their protection in any given context, and it also forces 
companies to contend with differing and often conflicting 
regulations. This is why we strongly support the initiatives 
like Senator Pryor's data security legislation, which would set 
a national preemptive standard.
    We believe that the adoption of new innovation depends on 
companies acting in an accountable and responsible manner that 
anticipates consumer expectations. No one is served, not 
corporations, not governments, and certainly not consumers, by 
a lack of confidence in the security and privacy of personal 
information. At HP, we believe that consumer trust comes from 
good transparency and providing meaningful choice. This is why 
we support the concepts in Senator Rockefeller's do-not-track 
legislation.
    We continue to urge policymakers to examine ways to 
establish baseline federal legislation that will clearly 
articulate expectations for all organizations. As more and more 
services are delivered through mobile devices, such as 
applications, it's going to become even more important that we 
have a consistent baseline standard that will strengthen that 
chain of accountability and unify the divergent regulations 
that are currently in existence.
    Simply stated, HP recognizes that consumer trust is a 
precious commodity that must be protected through good 
stewardship and robust privacy programs. Federal legislation 
can establish a unifying federal baseline standard for 
organizational accountability as well as improved consumer 
protection. We believe that it's both a win for consumers as 
well as industry as a whole.
    Thank you for your time, and I'm happy to answer----
    The Chairman. No, thank you very much, and that was very 
clear and well presented.
    [The prepared statement of Mr. Taylor follows:]

      Prepared Statement of Scott Taylor, Chief Privacy Officer, 
                        Hewlett-Packard Company
    Chairman Rockefeller, Ranking Member Hutchison and members of the 
Committee, my name is Scott Taylor and I am the Chief Privacy Officer 
at Hewlett-Packard Company. Thank you for inviting me to testify today 
on privacy. HP commends the Committee for its forward-looking 
approaches to balancing consumer privacy interests with the business 
realties of a global, Internet-based economy.
    We are living in a time when our reliance on technology is 
increasing every day. There is a continued blurring between our 
business and personal lives. Consumers are more dependent on mobile 
devices, and they have a growing expectation that companies will be 
accountable stewards that respect and protect the information we 
collect, use and maintain.
    Today's technologies provide tremendous benefits to consumers and 
businesses and are critical to economic growth and prosperity. Yet 
these same innovations create new challenges related to privacy.
Privacy is a Core HP Value
    HP's core values of trust, respect and integrity provide the 
foundation for our commitment to privacy. HP firmly believes that our 
ability to succeed in the marketplace depends upon earning and keeping 
our customers' trust. HP has a rigorous global privacy program and is 
at the forefront of industry efforts to create new frameworks and 
strengthen privacy protections. HP takes active steps to implement 
organizational accountability for privacy throughout our company. We 
believe companies need to do more and be willing to demonstrate their 
capacity to uphold the obligations and commitments they make.
Accountability Framework
    HP's approach to privacy is built on a model of accountability. We 
seek to create a chain of accountability for the information we handle, 
ensuring data privacy and security are advanced at every stage of the 
process. HP teams work together to oversee and manage our privacy 
efforts and collaborate with external partners to advance privacy 
protection worldwide.
    HP's privacy accountability model is a decision-making framework 
that helps business units make informed choices about the risks 
associated with collecting and handling data. Our accountability 
approach demonstrates HP's commitment to privacy and goes well beyond 
legal compliance. Various factors are taken into consideration 
including first and foremost ethics as well as contractual agreements, 
regulations, international provisions and corporate culture. Our model 
builds on that foundation by considering decisions in light of our 
company values, customer expectations and potential risks to ensure we 
are fully accountable for our actions.
    To that end, we have built a robust internal privacy program that 
focuses on integrated governance, risk and opportunity identification. 
Combined with strong policy commitments and senior management support, 
our program encourages transparency, ensures policies are instituted 
and validates program effectiveness. The diagram below demonstrates 
HP's privacy governance model:


    HP monitors compliance with its privacy policies using internal 
assessments, customer and employee feedback, and internal audits. Our 
privacy team works closely with the HP Ethics and Compliance Office and 
internal audit function to align with their approaches to compliance. 
All suppliers and third-party vendors that handle HP customer and 
employee personal data are contractually bound to comply with 
applicable portions of our privacy policies and detailed supplier 
security standards.
Privacy and Data Protection Board
    HP's Privacy and Data Protection Board (PDPB) provides company-wide 
oversight for privacy and personal data protection. The PDPB comprises 
executives from Privacy, Legal, Information Technology, Security, 
Internal Audit, Procurement, Internet, HP Labs, Human Resources and the 
Global Government Affairs functions, as well as from each business unit 
and region.
    At quarterly meetings, the PDPB members discuss strategy and high-
level priorities, assess programs, launch projects and resolve any 
issues identified through our ongoing monitoring programs that have 
been escalated to the PDPB. The PDPB regularly invites external experts 
to discuss privacy trends and developments. The PDPB conducts an annual 
risk assessment and the members work throughout the year on teams that 
handle specific privacy issues and mitigation projects. For example, as 
a result of the PDPB's work, all company laptops are required to have 
full-disk encryption to mitigate the risk of data theft or loss.
    The PDPB enables HP to manage data protection risks comprehensively 
in a seamless and integrated way. Its shared risk assessment and 
decision-making model sets a standard for governing information 
management more broadly.
Privacy by Design
    HP designs privacy and data protection into new products and 
services, guided by comprehensive, company-wide privacy standards for 
product and service development. This builds consumer trust and 
provides a competitive advantage for HP. The concept of considering 
privacy from inception is referred to as ``Privacy by Design'' and is 
one of the fundamental elements in the legislation of Senators Kerry 
and McCain that HP supports.
    For corporate customers, HP's Secure Advantage portfolio offers 
hardware, software and services that help protect data throughout its 
lifecycle, whether it is stored on a desktop, laptop computer, a 
printer or in a data center. Privacy features incorporated into the 
portfolio include:

   Software that asks the user whether they want to be notified 
        when updates are available, rather than sending notices and 
        installing updates automatically.

   Full-disk encryption that helps protect the data on each 
        drive, even if the disks are lost or stolen, with minimal 
        impact on performance.

   Automated encryption devices to increase protection.

    HP scientists who support our privacy team continue to work on 
several collaborative research projects on privacy. For example, they 
lead Ensuring Consent and Revocation (EnCoRe), a partnership of six 
organizations with the goal of making it safe and easy for people to 
give and withdraw consent for their data to be used. HP scientists and 
engineers are working with eleven other companies on another project 
called Privacy and Identity Management for Community Services (PICOS) 
to create confidence in the safety of sharing data in online 
communities. Project members are identifying privacy, trust and 
identity management issues and plan to design and build mobile 
communication tools to address these issues.
Privacy Advisor Tool
    Beyond our privacy team, at the core of our implementation strategy 
is the HP Privacy Advisor tool that integrates our privacy philosophy 
and commitments into an end-to-end program to better educate and guide 
our employees about privacy requirements, risks and considerations. 
This interactive tool helps to ensure that as we develop new products 
and services, privacy considerations are integrated from the first 
stages of development. Coupled with employee education and mandatory 
training, this tool helps to hold every employee accountable for 
privacy and data protection.
    HP's privacy team partnered with our R&D labs to develop and deploy 
a Privacy by Design program to ensure that our more than 300,000 
employees understand privacy implications as they conceive and develop 
products and programs that will collect or use personal data. Below is 
a screen shot that shows HP's Privacy Advisor tool:


    Importantly, the tool is not just about compliance. It integrates 
ethics and values-based considerations to ensure we align to company 
codes of conduct and consumer expectations. If we think about most 
product designers or marketing managers, they are thinking about the 
next innovation and their first priority isn't necessarily privacy. 
Whether employees are designing a new product or launching an e-mail 
marketing campaign, they need to understand how to put policies, 
obligations and values into effect. And they need to do so as they 
design new products and prior to deployment.
    Not all innovative ideas become reality, so we need to break down 
product or program development into simple stages. In the design and 
development stages, HP's privacy team provides proactive guidance so 
privacy considerations can inform early planning. This has 
traditionally been difficult for companies and can result in a program 
being delayed or canceled later based on privacy concerns.
    Early guidance related to privacy becomes tremendously valuable to 
the organization because it ensures privacy pitfalls can be avoided. In 
the deployment, maintenance and end-of-life stages, our privacy team 
does more than just guide. They provide assessment mechanisms to ensure 
compliance with laws, company obligations, policies and values. We have 
learned that this assessment needs to be as contextual as possible. For 
example, the way we need to assess privacy compliance in a global e-
mail campaign is very different than in a new PC or web-enabled printer 
that seeks to deliver a customized user experience.
    The HP Privacy Advisor tool is available to every employee from our 
internal Internet portal. Employees log in using a digital badge that 
authenticates their credentials and identifies them and their 
organization. That information is also used to assign the appropriate 
privacy team member for follow-up.
    Here is a screen shot of the employee login page:
    
    
    The tool starts by asking simple, basic questions about the 
proposed project. As each question is answered, additional dynamically-
generated questions are posed based on the collective intelligence and 
risk factors derived from how prior questions were answered. Below is a 
look at sample project profile questions:


    The HP Privacy Advisor tool is an intelligent privacy impact 
assessment mechanism that is geared to the employee user and scales 
from simple to complex programs. One of the greatest benefits is 
educating employees in the context of their program or work tasks. 
Through the process employees learn about privacy issues and can modify 
their approach to ensure compliance.
    The following two graphics show additional questions based on the 
sample project:




    The assessment results are documented and reviewed by the privacy 
team. Consultation is provided as necessary. If any issues exist, 
approval from the privacy team is required prior to deployment. After a 
product or program launches, triggers exist to ensure deployment was 
consistent with expectations and that end-of-life actions are taken 
when appropriate. The image below shows a report of the sample 
assessment results:


    By using technology, we are better positioned to scale our privacy 
team's knowledge and guide our 300,000 employees to think about privacy 
in the right context and at the right time. Nothing is perfect, but we 
think it goes a long way to minimizing unanticipated effects, and 
balances our ability to innovate and ensure responsible practices when 
using data.
An Integrated Framework For Privacy Will Benefit Consumers
    Since 2006, HP has worked closely with the U.S. Congress, the 
Federal Trade Commission and the U.S. Department of Commerce to 
establish a new strategy for federal legislation. We have long 
advocated for comprehensive federal privacy legislation which we 
believe will support business growth, promote innovation and ensure 
consumer trust in the use of technology. The complexity of existing 
state laws and statutes can make it difficult for businesses to comply 
with the law. We firmly believe it is time for the U.S. to establish a 
comprehensive, flexible and legal framework for protecting consumer 
privacy. Recent research from University of California, Berkeley and 
the Pew Research Center tells us that consumers are becoming more 
concerned, and increasingly want to know that their privacy is 
protected. We believe consumers are expecting federal legislation, 
companies need it and the economy will be better for it. Federal 
legislation would also help us compete in the global marketplace since 
a baseline privacy law in the U.S. allows the opportunity for 
international interoperability.
    In addition to our work in the U.S., HP is actively engaged with 
Data Protection Commissioners in Europe and the Binding Corporate Rules 
(BCR) of our privacy program have been approved by the European Union. 
BCR approval is considered the highest level of certification for 
organizational privacy accountability. In Asia, HP helped create and 
shape the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules 
system. We are actively engaged in forward-looking frameworks in Latin 
America as well.
    In preparation for this hearing, the Committee asked that we 
examine three privacy bills: (1) S. 799--The Commercial Privacy Bill of 
Rights Act of 2011; (2) S. 913--Do-Not-Track Online Act of 2011; and 
(3) S. 1207--Data Security Breach Legislation. We support the concepts 
espoused in all three of the bills and look forward to further 
collaboration with the Senate Commerce, Science and Transportation 
Committee, government regulators and industry to craft privacy and 
security laws that enable robust and rapid innovation, appropriate 
consumer protection, greater consistency and predictability. We look 
forward to continuing our engagement and furthering the efforts to 
increase effectiveness of the U.S. legal framework for the protection 
of privacy and data security. Below are our brief thoughts on each of 
the bills.
S. 799--The Commercial Privacy Bill of Rights Act of 2011
    HP supports this innovative legislative effort by Senators Kerry 
and McCain. As stated earlier in the testimony, ``Privacy by Design'' 
is one of the fundamental elements in the bill and is a practice HP 
fully embraces. We look forward to working with Congress to advance 
this legislation.
    Earlier this year, HP joined Microsoft, eBay and Intel in 
supporting the Commercial Privacy Bill of Rights Act of 2011 introduced 
by Senator John Kerry (D-MA) and Senator John McCain (R-AZ). Our four 
companies released a joint statement in support of the bill:

        We are pleased that Senator Kerry and Senator McCain, both 
        long-time advocates for strong consumer privacy protections, 
        have introduced the Commercial Privacy Bill of Rights Act of 
        2011. We support the bill and look forward to working with 
        Congress as it moves forward.

        We have long advocated for comprehensive federal privacy 
        legislation, which we believe will support business growth, 
        promote innovation and ensure consumer trust in the use of 
        technology. The complexity of existing privacy regulations 
        makes it difficult for many businesses to comply with the law.

        We support the bill's overall framework, which is built upon 
        the Fair Information Practices principles. We appreciate that 
        this legislation is technology neutral and allows for 
        flexibility to adapt to changes in technology. The bill also 
        strikes the appropriate balance by providing businesses with 
        the opportunity to enter into a robust self-regulatory program.

        We look forward to continuing our engagement to improve the 
        effectiveness of the U.S. legal framework for the protection of 
        privacy.
S. 913--Do-Not-Track Online Act of 2011
    HP interacts with consumers and businesses in many ways online, 
including the sales and support of our products and services. We 
believe that the adoption of new innovation depends on companies acting 
in an accountable and responsible manner to anticipate and advance 
consumer needs. No one is served--not corporations, not governments and 
certainly not consumers--by a lack of customer confidence in the 
security and privacy of personal information. At HP, we believe 
consumer trust comes from transparency and providing meaningful choice 
to consumers. Accordingly, we support the concepts in Senator 
Rockefeller's do-not-track legislation.
    With the acquisition of Palm, HP owns and operates WebOS (an 
operating system used in HP products). HP sells our WebOS devices 
configured to ensure we do not track location-based data without active 
user consent. When a user opts to enable location services, the data is 
used only for diagnostic purposes and is not shared or sold externally. 
Other products and services, such as our PCs, Internet-enabled printers 
and other mobile devices, provide similar levels of consumer 
transparency, choice and strong privacy protections.
    We would welcome the opportunity to collaborate with Senator 
Rockefeller to ensure consumers are given appropriate choices for 
tracking in a manner that recognizes existing industry standards and 
technology limitations. We encourage industry to develop new standards 
to facilitate more meaningful choices across a consumer's online 
experiences.
S. 1207--Data Security Breach Legislation
    Both as a consumer products company and as a service provider to 
other companies, HP collects and maintains personally identifiable 
information. Over the last 10 years, almost every state in the U.S. has 
adopted a data security breach law. The patchwork of state laws and 
statutes in existence today confuses consumers about their protections 
in any given context, and forces companies to contend with differing 
and often conflicting regulations. In some cases the laws require over-
notification which does nothing to increase privacy protection. This is 
why we strongly support initiatives like Senator Pryor's data security 
legislation, which would set a single, national, preemptive standard. 
Such a law would create consistency and predictability for businesses 
and better protection for consumers.
    We support the concepts and principles of the draft bill and look 
forward to providing input on the guidance documents. We hope to ensure 
that any notice required would be meaningful and useful in preventing 
identity theft or other related harms that may result from a data 
breach. In particular, notification must be prompt to enable the 
impacted individuals and companies to take appropriate action to 
protect themselves. That said, the notification time-frame must take 
into account the complexity and nature of the data and the breach. 
Moreover, the communications vehicles must be effective in reaching the 
intended audience and should include new media platforms when 
appropriate (e.g., chat rooms, social media, e-mail, etc.).
Closing Statement
    We continue to urge policymakers to examine ways to establish 
baseline federal legislation that will clearly articulate expectations 
for all organizations. As more and more services are delivered through 
multiple parties, such as applications on mobile devices, a consistent 
baseline standard will strengthen the chain of accountability and unify 
the divergent regulations currently in existence. We believe this 
responds to the very real needs of anxious consumers, and gives 
industry the flexibility to innovate in a responsible manner.
    Stated simply, HP recognizes that consumer trust is a precious 
commodity that must be protected through good stewardship and robust 
privacy programs. Federal legislation can establish the baseline for 
organizational accountability and improved consumer protection. It's a 
win for both consumers and the industry as a whole.

    The Chairman. I want to apologize once again. This has not 
been the order of what has happened. You have a committee 
hearing on a subject as important as this. You come from far 
distances, many of you, and you give your testimony.
    But let me give you some solace. Actually, getting written 
questions from members and then you having the chance to answer 
them at length, or not at length, whatever your choice, 
sometimes works better than us asking questions.
    And then, you know, the 5-minute rule messing everything 
up. So take some hope in that and otherwise just accept my 
apologies, please.
    This hearing is adjourned.
    [Whereupon, at 11:21 a.m., the hearing was adjourned.]
                            A P P E N D I X

                                                      June 29, 2011
Hon. John D. Rockefeller IV,
Chairman,
Committee on Commerce, Science, and Transportation,
U.S. Senate,
Washington, DC.

Hon. Kay Bailey Hutchison,
Ranking Member,
Committee on Commerce, Science, and Transportation,
U.S. Senate,
Washington, DC.

Dear Chairman Rockefeller and Ranking Member Hutchison:

    The undersigned trade associations and business groups representing 
hundreds of thousands of U.S. companies from a wide variety of industry 
segments strongly urges caution as you examine whether changes are 
necessary to existing U.S. privacy law. We continue to believe that 
self-regulation and best business practices that are technology-neutral 
serve as the preferred framework for enhancing innovation, investment, 
and competition, while--at the same time--protecting consumers' 
privacy.
I. The Benefits of Data Collection and Use to the U.S. Economy
    All sectors of the U.S. economy--including financial services, 
manufacturing, and many more--collect and use data to spur sales and 
job growth, enhance productivity, enable cost-savings, improve 
efficiency, and protect consumers. Information is used in many 
beneficial ways in our economy and by our society, including: fair and 
efficient consumer credit allocation; local and national background 
employment screenings and national security clearances; fraud 
prevention in the private-sector and in government; the collection of 
child support payments; and assistance to law enforcement on matters 
ranging from locating missing and exploited children to preventing 
money laundering and terrorist financing.
    Businesses depend more than ever on having beneficial and trusted 
relationships with their customers. Better data allows businesses to 
deliver more relevant and targeted products and services to their 
existing and prospective customers. The efficient use of data allows 
manufacturers to reduce the cost of product development and assembly 
costs by up to 50 percent, and decrease the amount of required working 
capital by up to 7 percent.\1\ Retailers utilize information for 
inventory control and planning, fraud prevention, marketing, and 
deciding where new stores should be located. The power of data helps 
retailers boost their profit margins by as much as 60 percent.\2\
---------------------------------------------------------------------------
    \1\ McKinsey Global Institute, Big Data--The Next Frontier for 
Innovation, Competition, and Productivity, at 8, May 2011, available 
at: http://www.mckinsev.com/mgi/publications/big_data/pdfs/
MGI_big_data_full_report.pdf. (McKinsey Report).
    \2\Id. at 2.
---------------------------------------------------------------------------
    Today, the Internet makes it possible for companies of all shapes 
and sizes to communicate with employees, existing customers, potential 
customers, and business partners around the world. The Internet, 
accounting for $300 billion in economic activity and over three million 
U.S. jobs, is clearly a key economic engine in our economy.\3\ U.S. 
retail e-commerce sales totaled $165.4 billion in 2010, a 14.8 percent 
increase over 2009.\4\ Frequently, online content is provided at little 
or no cost to consumers, and revenues are instead generated through 
advertising. Internet advertising revenues in the United States totaled 
$7.3 billion in the first quarter of 2011, representing the highest 
first-quarter revenue ever for the online advertising industry and a 23 
percent increase over the same period in 2010.\5\ By 2015 companies are 
expected to spend up to $17 billion to create and manage mobile 
applications related to specific products, and $38 billion in revenue 
are expected to be generated from consumers purchasing mobile 
applications for download to their smartphones and tablets.\6\
---------------------------------------------------------------------------
    \3\ John Deighton et al., Economic Value of the Advertising-
Supported Internet Ecosystem, June 10, 2009, at 3-4, available at 
http://www.iab.net/media/file/Economic-Value-Report.pdf.
    \4\ Healthy Growth for Ecommerce as Retail Continues Shift to Web, 
eMarketer Inc., Mar. 17, 2011, available at http://www.emarketer.com/
Article.aspx?R=1008284.
    \5\ Press Release, Internet Advertising Revenues Hit $7.3 Billion 
in Q1, May 26, 2011, available at http://www.iab.net/about_the_iab/
recent_press_releases/press_release_archive/press_
release/pr-052611.
    \6\ Nick Bilton, Mobile App Revenue to Reach $38 Billion by 2015, 
Report Predicts, NYTimes.com, Feb. 28, 2011, available at http://
bits.blogs.nytimes.com/2011/02/28/mobile-app-revenue-to-reach-38-
billion-by-2015-report-predicts/.
---------------------------------------------------------------------------
II. Self-Regulation and Best Practices Serve as Preferred Method for 
        Safeguarding Consumer Privacy
    Recognizing the importance of maintaining consumer trust in order 
to grow their businesses, American companies have long engaged in self-
regulation to ensure that consumer privacy is protected while still 
allowing innovation to grow and expand our economy. Effective self-
regulatory programs governing marketing and advertising have been 
created and implemented by many respected associations and 
organizations. For example, the American Advertising Federation (AAF), 
the American Association of Advertising Agencies (4A's), the 
Association of National Advertisers (ANA), the Direct Marketing 
Association (DMA), the Interactive Advertising Bureau (IAB), the 
Network Advertising Initiative (NAI), TRUSTe, the Council of Better 
Business Bureaus, Inc., the National Advertising Review Council (NARC), 
the Association for Competitive Technology, CTIA--The Wireless 
Association, and the Mobile Marketing Association (MMA) have been 
involved in the promotion of self-regulatory programs. Additionally, 
organizations are bound by their own privacy policies.
    In the absence of any identified problem, self-regulation and best 
business practices continue to be the most appropriate framework for 
protecting consumers' privacy online while enabling innovation, 
investment, and competition. Self-regulatory models are a particularly 
effective method of protecting consumer privacy on the Internet because 
the regulatory process is often incapable of responding rapidly to 
technological changes.
III. Technology and Self-Regulation Already Offer Consumers the Type of 
        Choice Envisioned in Recent Legislative Proposals
    Recent discussion about creating a government-mandated ``Do-Not-
Track'' list to prevent the delivery of targeted ads based on the 
websites that the consumer has visited provides an excellent example of 
the power and effectiveness of self-regulation. Companies must have the 
flexibility to respond to market developments and to meet changing 
customer needs, which a one-size-fits-all, government-mandated approach 
would be unable to provide.
    Industry has already begun to provide consumers with the type of 
choice sought by proponents of a ``Do-Not-Track'' list. For example, 
the Digital Advertising Alliance--a consortium of trade associations 
representing more than 5,000 companies engaged in online advertising--
launched a Self-Regulatory Program for Online Behavioral Advertising in 
October 2010, that allows consumers to opt-out from receiving interest-
based ads across the Internet. Additionally, consumers using Internet 
Explorer, Safari, Firefox, or Google Chrome can choose preference 
settings that help control how their browser stores Internet usage 
information or the types of ``cookies'' that companies may set.
    Any government restriction on the ability of companies to gain 
revenue from advertising would result in less free or subsidized 
content being made available to users and would inhibit innovative 
start-ups.
    Debate over the use of location-based service (LBS) data provides 
another example of how consumer privacy can most quickly and 
effectively be protected through self-regulatory means. Smartphone and 
tablet users are increasingly downloading applications that offer LBS, 
such as navigation and mapping, the ability to locate nearby retailers, 
restaurants, and services, and the capability of always being connected 
to family and friends. Spending on LBS is expected to grow from $2.2 
billion in 2009 to $12.7 billion in 2013.\7\ A recent study estimates 
that, over the next 10 years, these services could bring $100 million 
in revenue to service providers and $700 billion in value to consumer 
and business end users.\8\ Moreover, LBS-data allows wireless carriers 
to manage their networks and enhance their coverage areas. This data 
also provides significant public safety benefits when, for example, a 
mobile user needs emergency assistance or roadside vehicle repair.
---------------------------------------------------------------------------
    \7\ San Jose Firm's Technology Helps to Find Lost Cars, Pets and 
More, Silicon Valley/San Jose Business Journal, http://
www.bizjournals.com/sanjose/stories/2010/01/18/smallb3.html (citing 
Gartner, Dataquest Insight: Consumer Location-Based Services, 
Subscribers and Revenue Forecast, 2007-2013).
    \8\ McKinsey Report at 85.
---------------------------------------------------------------------------
    Policymakers have recently expressed concerns about the collection 
and usage of LBS data by smartphones and mobile applications. However, 
this is a vibrant, competitive, consumer-driven market with many groups 
focused on enhancing or creating new self-regulatory regimes as well as 
user-friendly technological solutions. For example, CTIA--The Wireless 
Association has developed ``Best Practices and Guidelines for Location-
Based Services'' and a ``Consumer Code for Wireless Service.'' The MMA 
has established its ``Mobile Privacy Guidelines.'' The Association for 
Competitive Technology has convened a working group to develop privacy 
guidelines for application developers. Thus, legislation in this area 
is not necessary and would harm innovation, including development of 
the privacy-enhancing technologies that policymakers seek to foster.
IV. Data Security Legislation Would Strengthen Self-Regulation in the 
        Privacy Area
    In today's tough economy, businesses depend more than ever on 
having beneficial and trusted relationships with their customers. 
Therefore, there is no question that protecting sensitive consumer 
information should be a priority for all businesses that collect and 
store this data, and that consumers deserve to be promptly notified if 
a security breach has put them at significant risk of identity theft, 
fraud, or other harm. Thus, while self-regulation is best suited to 
safeguard consumer privacy, we support the enactment of meaningful 
federal data security legislation that does not hinder innovation or 
the beneficial uses of data. To be workable and effective, any such 
legislation must contain carefully drafted provisions, including--but 
not limited to--liability, federal preemption, and impact on existing 
federal laws.
V. Conclusion
    Companies and organizations utilize a variety of effective 
methods--industry best practices, self-regulation, technology, and 
internal privacy policies--to protect consumer privacy. As you consider 
the need for changes to U.S. privacy law, we look forward to discussing 
any concerns that you or your staff may have on this issue.
            Sincerely,
                                        American Advertising Federation
                           American Association of Advertising Agencies
                                 Association for Competitive Technology
                                     Consumer Data Industry Association
                                         CTIA--The Wireless Association
                                           Direct Marketing Association
                                       Electronic Retailing Association
                                         Interactive Advertising Bureau
              National Association of Professional Background Screeners
                  National Business Coalition on E-Commerce and Privacy
                                                              NetChoice
                                         Network Advertising Initiative
                                      Performance Marketing Association
                                               U.S. Chamber of Commerce

Cc: Members of the Senate Committee on Commerce, Science, and 
            Transportation
                                 ______
                                 
Lisa Liberi
Santa Fe, NM

Lisa Ostella
Denville, NJ
                                                      June 27, 2011
Natasha Mbabazi
Consumer Protection, Product Safety, and Insurance Staff

Senator Thomas Udall,
Senate Commerce Committee,

Senator Frank Lautenberg,
Senate Commerce Committee,

Senator Barbara Boxer,
Senate Commerce Committee.

Re: The Data Privacy and Security Bill Hearing, June 29, 2011--
            Protecting Consumers in the Modern World

Dear Natasha,

    Thank you for taking the time with Lisa Liberi and Lisa Ostella. As 
explained over the telephone today, Lisa Ostella and Lisa Liberi have 
been through a complete nightmare concerning data privacy with no 
assistance from State and/or Federal Agencies.
    Lisa Liberi was interning as a Paralegal for an Attorney in 
Pennsylvania. Lisa Ostella was working for a short period of time as a 
Webmaster for Attorney Orly Taitz. Orly Taitz resides and owns 
businesses in Orange County, California. Lisa Liberi spoke to Orly 
Taitz on one occasion in Nov. 2008; and had not met her. Lisa Liberi 
declined assisting Orly Taitz in her litigation against President 
Obama. In addition, Lisa Liberi disagreed with Orly Taitz regarding the 
Natural Born Citizenship laws. Lisa Ostella stopped working for Orly 
Taitz as a result of Orly Taitz's false law enforcement reports 
claiming ``hacking'' into her websites/PayPal Accounts and falsely 
accusing ``Obama and his thugs.'' Lisa Ostella also refused to lie for 
Orly Taitz and refused to substantiate the false claims of ``hacking.'' 
As a result, Orly Taitz targeted and came after Lisa Liberi and Lisa 
Ostella.
    Orly Taitz stated she was going to ``take down'' the attorney who 
Lisa Liberi was interning with and to do so she was going to destroy 
Lisa Liberi, Orly had published all over the Internet that Lisa Liberi 
was the brains behind Philip J. Berg, Esquire. Destroy Lisa Liberi and 
Lisa Ostella she did.
    Orly Taitz, as an Officer of the Court, illegally obtained 
background checks on Lisa Liberi and Lisa Ostella; Orly Taitz illegally 
obtained the credit reports and background checks of Lisa Liberi and 
Lisa Ostella; Orly Taitz illegally obtained medical records and sealed 
court records, including adoption records, of Lisa Liberi and Lisa 
Ostella. Lisa Liberi's credit was discussed on a radio show by Neil 
Sankey, the private investigator who obtained some of the private data 
for Orly Taitz.
    Orly Taitz illegally obtained the full social security numbers; 
dates of birth; place of birth; mother's maiden name; children's names; 
father's names; addresses; phone numbers; relatives' names and 
addresses and other private data belonging to Lisa Liberi and Lisa 
Ostella and all the private primary data of Lisa Liberi and Lisa 
Ostella's spouses.
    Lisa Liberi and Lisa Ostella's private data was obtained by Orly 
Taitz through third parties without any type of legal basis, permission 
of Mrs. Liberi and Mrs. Ostella and without any type of verification 
from the Reed Elsevier, Inc. companies, including but not limited to 
LexisNexis; ChoicePoint, Inc.; Seisint, Inc., d/b/a Accurint; and 
Intelius, Inc. by Orly Taitz and her private investigator's own 
admissions. The Reed Elsevier, Inc. companies, LexisNexis; ChoicePoint, 
Inc.; and Seisint, Inc. d/b/a Accurint canceled Neil Sankey, Todd 
Sankey and the Sankey Firm, Inc.'s Lexis accounts approximately 8 
months after Orly Taitz illegally obtained Politicians private data 
including but not limited to President Obama and at no time 
investigated and/or disclosed the breach.
    In turn, Orly Taitz posted all this primary identification 
information pertaining to Lisa Liberi all over her website located at 
www.orlytaitzesq.com; and posted the private data all over the 
worldwide web repeatedly; to third-party websites asking them to post 
it; sent out by mass e-mailing; mass mailing to Congressional 
individuals; to the U.S. DOJ; FBI; State and Federal entities; and sent 
it Internationally with Lisa Liberi's and Lisa Ostella's full Social 
Security number; date of birth; place of birth; mother's maiden name; 
father's name; address Information; and other private data, primary 
identification data, repeatedly for a year and a half. In fact, Lisa 
Liberi's social security number is still on the Internet as of today's 
date at http://www.oilforimmigration.org/facts/?p=1478 and http://
www.orlytaitzesq.com/wpcontent/uploads/2010/01/Dc279.doc.
    With this private data, Orly Taitz also began and continues cyber-
stalking; Cyberbullying; cyber-harassing Lisa Liberi and Lisa Ostella, 
their families and children; inciting violence against Lisa Liberi and 
Lisa Ostella; against Lisa Liberi and Lisa Ostella. Orly Taitz called 
in help and harassed people in Lisa Liberi and Lisa Ostella's families 
and neighbors, including stalking Liberi's son; contacting people in 
Liberi's life for the past 25 years; sending people to Liberi's home; 
having people call Liberi and Ostella's home threatening their lives; 
filing numerous false law enforcement reports attempting to have Liberi 
and Ostella falsely arrested; Orly Taitz threatened to have Lisa 
Ostella's children professionally kidnapped; Orly Taitz was and has 
continued forging documents in Liberi and Ostella's name; Orly Taitz 
drove around New Jersey where Lisa Ostella's resided and her children 
attended school; Orly Taitz illegally stalked Ostella's daughter, took 
her picture and published the picture online; all of Lisa Ostella and 
Lisa Liberi's private data was sent to armed militia groups; white 
supremacy groups, hate groups; Lisa Liberi was called a ``BLOOD red 
herring''; Orly Taitz illegally obtained a family photo of Lisa Liberi, 
her son and husband off of Liberi's computer; Taitz illegally obtained 
a single photo of Liberi; Liberi's pictures and home address were sent 
out all over the Internet, to armed militias, white supremacy groups 
and other hate groups, etc. These actions are still occurring as of 
today's date.
    Unfortunately, due to the lack of privacy laws, Lisa Liberi and 
Lisa Ostella have been unable to get any assistance from their law 
enforcement agencies. An FTC Complaint was submitted to the Federal 
Trade Commission in or about July 2010, however, to date, Lisa Liberi 
and/or Lisa Liberi have been contacted.
    The damages have been endless and even though Lisa Liberi and Lisa 
Ostella are taking civil action against Orly Taitz, she is still 
calling in her ``cohorts'' to assist her in harming Liberi and Ostella. 
See Liberi, et al., v. Taitz, et al., Case No. 8:11-cv-00485 AG, U.S. 
District Court, Central District of CA, Southern Division.
    Lisa Liberi and her spouses identities have been stolen; their 
credit destroyed; Lisa Ostella's pet rabbits were slaughtered and left 
on her back deck; a man with a dangerous background in Albq., NM, 
attempted to get paid $25,000 from Orly Taitz in increments under the 
$10,000 reporting limits on two (2) separate occasions, which is 
believed to be an attempt to hire a dangerous person to harm Lisa 
Liberi, Lisa Ostella, their families and children, Santa Fe Police 
Department did not even bother to have this investigated--nor did the 
FBI or any other law enforcement agency. Lisa Liberi is a sitting duck 
for Orly Taitz and her ``cohorts'' to harm her, she can't move, no one 
would rent to her with the destruction of her credit by her and her 
husband's Social Security numbers and other private data being stolen 
and used by others due to the illegal disclosure to Orly Taitz.
    This data and security bill must pass, we need laws and need all 
the laws to be enforced so no others go through what Lisa Liberi and 
Lisa Ostella have lived for the past 2-1/2 years and continue to live. 
We need laws so law enforcement can prosecute these crimes without 
jurisdictional issues and assist Mrs. Ostella and Mrs. Liberi.
    There is a bunch more information regarding the breach of private 
data, please feel free to contact us. We will be happy to provide all 
the additional information and the evidence supporting the allegations 
herein.
            Thank you,
                                                Lisa Liberi
                                               Lisa Ostella
Cc: Senator Dianne Feinstein
                                 ______
                                 
Response to Written Questions Submitted by Hon. John D. Rockefeller IV 
                          to Hon. Julie Brill
    Question 1. Commissioner Brill, last month I asked David Vladeck 
why a year after the comment period had closed, the FTC had still not 
completed its review of the Children's Online Privacy Protection Act or 
COPPA Rule. Subsequent to the hearing, I was concerned to hear Chairman 
Leibowitz say that the FTC's COPPA proposal will not be out until the 
fall. I cannot understand what is taking so long. We are talking about 
protecting the most vulnerable Americans--kids under 13. Can you tell 
me why the review has not been completed?
    Answer. Since we commenced our review last year, Commission staff 
has been diligently analyzing the public comments in connection with 
the review. This work involves a wide range of complex issues, and 
requires thorough consideration of technical topics and privacy 
concerns. At the same time, we have continued to enforce the existing 
Rule, most recently announcing a $3 million settlement with Playdom, 
Inc., and we will announce several additional COPPA settlements 
shortly. The internal work on the COPPA Rule is nearly complete, and I 
expect that the Commission will publicly release the findings soon.

    Question 2. Will you commit to me that you will work with the other 
Commissioners to update the rule as quickly as possible?
    Answer. Yes, of course. I am committed to our work in this area, 
and the privacy issues affecting our children have my full attention. I 
will continue to work with the other Commissioners and Commission staff 
to release the findings and update the Rule as quickly as possible.
                                 ______
                                 
  Response to Written Question Submitted by Hon. Claire McCaskill to 
                            Hon. Julie Brill
    Question. The United States may need a national framework to ensure 
that personal data remains secure in an increasingly electronic world 
and to mitigate harm in the event of a breach. As we consider 
legislation, it is important that we do not end up with a patchwork of 
federal data security laws, with multiple regulations from multiple 
federal agencies. That doesn't help consumers and could create 
competitive disparities that could distort the marketplace and create 
confusion. Do you agree that it is not productive to have multiple 
agencies with authority over the same parties, creating possible 
duplication of efforts and confusion and disparities for consumers and 
businesses?
    Answer. I certainly agree that strong federal data security and 
breach notification legislative requirements are critical. The 
Commission has testified before Congress in support of such 
legislation. Overlapping regulations from multiple federal agencies 
could create confusion and we would be pleased to work with Committee 
staff to reduce or eliminate any such overlap.
    As Congress continues to consider legislation, we will continue--as 
we have done in the past--to work cooperatively with our sister 
agencies to avoid duplicative or redundant oversight. For example, the 
FTC and FCC cooperated successfully several years ago in ``pretexting'' 
cases. These cases involved individuals who pretended to be the owners 
of telephone accounts. Under these false pretenses, they obtained the 
calling records for these accounts from telephone companies and sold 
the records to others. The FTC took action against entities involved in 
such pretexting, and the FCC focused on ensuring that telephone 
carriers had ample security in place for calling records. Our 
collective goal in these collaborative efforts is to ensure that there 
are no gaps that would leave consumers unprotected.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. John F. Kerry to 
                            Hon. Julie Brill
    Question 1. Commissioner Brill, can you describe the nature of the 
harm that consumers experience due to the insufficiency of the privacy 
frameworks currently in place in the United States?
    Answer. The insufficiency of the privacy frameworks currently 
employed in the United States have resulted in considerable harms that 
may have been avoided had certain privacy protections, as outlined in 
the FTC's staff privacy report been in place.
    For example, in 2002, the Commission entered into a consent order 
with Eli Lilly and Company resolving allegations that it publicly 
disclosed e-mail addresses of subscribers to an e-mail reminder service 
relating to an anti-depressant drug manufactured by the company. 
Certain privacy protections, including an emphasis on privacy by design 
(as recommended in the FTC staff privacy report), may have avoided this 
incident, which unquestionably harmed consumers by publicly disclosing 
sensitive health-related information.
    More recently, the Commission entered into a consent order with 
Google Inc., resolving allegations that, in connection with the launch 
of its social media product, Google Buzz, the private contacts of 
consumers were made public by default in certain cases. By disclosing 
private e-mail contacts, Google Buzz may have revealed the identities 
of those individuals and organizations that consumers were in contact 
with, including attorneys, health providers, professional recruiters, 
etc. The disclosure of this type of information could lead to certain 
conclusions being drawn by others that can negatively impact consumers. 
For example, the fact that a consumer is in contact with a particular 
medical provider could suggest that he is suffering from a sensitive 
medical condition. Similarly, the fact that a consumer is communicating 
with a professional recruiter may lead others to conclude he is job 
hunting. Again, as in the incident involving Eli Lilly and Company, had 
Google built certain privacy protections into its operations, this type 
of harm may have been avoided.
    Both of these cases involved allegations of deception under section 
5 of the FTC Act, because the companies had made certain promises to 
consumers about their information practices. Had the companies not made 
these claims, however, we may not have been able to address these 
incidents. Moreover, currently there is no general legal requirement 
for companies to disclose their privacy practices, and recent evidence 
exists that companies in the rapidly expanding mobile application 
field, for example, do not. The Future of Privacy Forum think tank 
analyzed the top 30 paid applications at the end of May 2011, and 
discovered that 22 of them lacked even a basic privacy policy.
    Another recent example of unexpected and potentially harmful 
information use involves efforts by insurance companies to use data 
collected online to predict disease and insurance risk. Media reports 
indicate that this may occur without the consumer's knowledge or an 
opportunity to contest the findings. Basic privacy protections, such as 
clear disclosure and adequate choice up front, would allow consumers to 
protect themselves in these situations.
    The potential for harm exists with other types of information as 
well. For example, consumers have historically relied on state and 
federal law protections governing disclosure of the books they check 
out of the library and their video rental history, but these 
protections may not reach all the reading or viewing activities of 
consumers as they simply browse the web. If this information were 
linked to individual consumers, it could be used to make judgments 
about political affiliation, sexual orientation, or other sensitive 
issues. Another example of harm we explored in our privacy roundtables 
involves ``sucker lists.'' Consumers can find themselves on marketing 
lists targeted to sensitive medical conditions or impulsive purchasing 
behavior. These lists can facilitate efforts to take advantage of 
vulnerable consumers.

    Question 2. Commissioner Brill, technology is far more powerful and 
capable of data collection and distribution than it was even 10 years 
ago. How do technological advances such as context awareness (devices 
being able to tell what you are doing and who you are with) and data 
aggregation impact the framework of existing privacy models?
    Answer. As we learned in our series of public roundtables, existing 
privacy models have not kept up with these types of changes in 
technology. For example, a pure notice-and-choice model that relies on 
lengthy privacy policies has proved unworkable and now, in an era of 
small screens, even less feasible. Consumers should not have to scroll 
through dozens or hundreds of screens to understand how companies 
collect, use, and share their data.
    Similarly, a model that only addresses quantifiable harms 
associated with misuse of data may not address the full range of 
consumers' privacy concerns. For example, as you point out, advances in 
technology have enhanced companies' ability to store and aggregate 
consumers' data and use it in ways not understood, intended, or 
disclosed at the time of collection. Moreover, context aware devices 
may allow companies and others to draw conclusions about consumers that 
were not previously possible. Entities that can track the location of 
an individual using a Smartphone could discern, for example, that the 
individual spends considerable time at an address catering to addiction 
treatment, or in the vicinity of a municipal building that houses the 
probation office.

    Question 3. Commissioner Brill, some critics of both the 
recommendations the FTC has made to industry and the legislation that I 
and other members have introduced is that we do not know enough about 
collection practices and uses to make privacy standards necessary. I 
believe that we know what constitutes fair information practice 
principles and we know that a significant portion of collectors of 
information do not comply with them. I think we should have a law that 
requires them to do so and have proposed one. How do you respond to the 
criticism that neither the FTC nor Congress knows enough to establish 
baseline rules for how people's information is collected, used, and 
distributed?
    Answer. I don't agree with this criticism. I believe that 
policymakers have sufficient knowledge of industry practices to 
encourage certain bedrock principles. The Commission has been examining 
the issues surrounding online privacy for years--since at least the 
mid-1990s. During the three Commission privacy roundtables held in 
2009-2010, we heard from hundreds of participants from academia, 
consumer groups, industry, trade associations and others. I believe we 
have a considerable understanding of how industry is collecting, using 
and disclosing information about consumers. Because industry will 
continue to innovate, my goal is to develop universal principles that 
will continue to be relevant regardless of how industry progresses. 
These principles, including privacy by design, simplified choice and 
improved transparency, are ones that can be applicable in nearly all 
situations, and there appears to be widespread agreement that companies 
should be implementing these principles.

    Question 4. Commissioner Brill, data brokers deal in the 
acquisition of information from an original source of collection to 
share with other unrelated entities who might want to use that 
information. I have two questions for you as it relates to data brokers 
and their practices:
    Should companies be able to buy from and sell data to data brokers, 
without the consent of the consumers that are the subject of that data?
    Answer. The Commission staff's report supported the idea that 
companies should provide consumers with meaningful choice before 
sharing their data with third parties, including data brokers. Our 
staff report also supported the idea that consumers should have 
reasonable access to information data brokers maintain about them, and 
in appropriate cases, the right to correct this information or have it 
suppressed. Further, the report noted the extent of access and the 
consumers' ability to correct or suppress information should be 
scalable to the sensitivity of the data and the nature of its use. I 
fully support these proposals.

    Question 4a. If consumers did not consent to collection by a data 
broker and do not have access to or the right of correction regarding 
erroneous data gathered about them without their permission, how can 
the government help data brokers eliminate erroneous data and protect 
consumers?
    Answer. If data brokers sell information for credit, employment, 
insurance, housing or other similar purposes, they must provide certain 
protections under the Fair Credit Reporting Act (``FCRA''). For 
example, they must take reasonable steps to ensure accuracy of the 
information they sell and they must inform purchasers of their 
obligation to provide adverse action notices to consumers. Even when 
the FCRA is not applicable, the FTC staff report proposed that data 
brokers provide consumers with reasonable access to information 
maintained about them, and in appropriate cases, the right to correct 
this information. I support this proposal.

    Question 5. Commissioner Brill, the FTC made its first call for 
comprehensive privacy protection under a Democratic majority in 1999. 
This FTC issued a draft report calling for privacy by design, simpler 
more streamlined choices for consumers, and transparency in data 
collection practices and uses last year. As you know, we modeled our 
legislation on that report and witnesses on the next panel will speak 
directly to the legislation. Do you have a sense of the proportion of 
collectors of information that are not today incorporating privacy 
protections into the design of their services or meeting the other 
baseline fair information practices you lay out?
    Answer. Although we do not have statistical information of that 
nature, based on our investigations and general policy initiatives, it 
is evident that many companies are still lagging in incorporating basic 
data security standards in their everyday practices. We have also seen 
evidence that privacy disclosures are not being used by a substantial 
numbers of mobile applications (``apps''). Recently, the Future of 
Privacy Forum think tank analyzed the top 30 paid apps and discovered 
that 22 of them lacked even a basic privacy policy. It is clear that 
work remains to be done in order to achieve widespread compliance with 
basic privacy protections.

    Question 6. Have you had a chance to review the legislation and in 
your analysis, to what extent does it meet the three recommendations 
for policymakers included in the draft report?
    Answer. I am pleased to see that basic privacy protections like 
those laid out in our FTC staff report--such as privacy by design, 
improved notices, and increased transparency--are incorporated into the 
draft legislation. I believe it would be useful for Commission staff to 
continue to discuss the draft legislation with your staff.

    Question 7. In our legislation, we are calling for comprehensive 
protections that allow people to opt out of having their information 
collected for uses they should not have to expect and beyond that, we 
arguing that we also need other rules, like the ability to have 
consumers ask firms to cease using their information if they lose trust 
in that company as well as the knowledge that companies are required to 
have accountability and security measures in place before they collect 
people's information.
    You have said that prior approaches to privacy protection focused 
solely on threats to harm after the harm has occurred or relied on 
simple notice of collection, and that efforts to offer choice of 
whether or not to have that information secured have fallen short. If 
you believe that the ``no harm, no foul'' and simple notice and choice 
solutions are inadequate as I do, would you not agree that we need a 
new comprehensive privacy law?
    Answer. I agree that we need a new approach to consumer privacy. 
The Commission staff embarked on its privacy reassessment and issued 
its preliminary privacy report in recognition of the inadequacies of 
existing approaches to consumer privacy. I also agree that companies 
should follow basic privacy principles like those laid out in the staff 
report. As you know, however, the Commission has not yet taken a 
position on legislation.

    Question 8. Commissioner Brill, in a May 4 speech you gave, you 
responded to the criticism that a Do Not Track option would dry up 
advertising revenue. You said that ``As the Commission learned during 
our discussions and research prior to issuing our report, when given an 
informed and more granular choice, most consumers, including myself, 
want to receive tailored ads--and will choose to share information for 
that purpose.''
    I agree with that, which is why although we require collectors to 
give consumers a choice about whether their information is collected or 
not, we did not make a universal choice mechanism the centerpiece of 
our legislation. Given that you think most people will not opt-out of 
having their information collected, are not the other fair information 
practice principles--security of information, clear and specific 
notice, ability to access data or call for cessation of its use, and 
the requirement that data be collected and held only as long as 
necessary, to name a few--just as important or more important than 
whether or not we can secure a universal do not track choice?
    Answer. I agree that comprehensive privacy protections are very 
important. The protections that are reflected in your bill, including 
data security, privacy by design, and clear notices, are critical to 
ensuring basic privacy protections. Do Not Track can be a very 
effective tool for consumers to exercise choices about the growing 
industry practice of behavioral advertising. Do Not Track will not 
address other current privacy concerns.

    Question 9. Commissioner Brill, the FTC report calls for different 
treatment for first-party collectors of information and third-party 
collectors. It is a concept we adopted in our legislation as well 
because we believe a first-party interaction is known to the consumer 
and some degree of trust is implicit. Could you explain the difference 
in your mind and why different treatment is warranted?
    Answer. The Commission staff report recognizes that the 
relationship that consumers have with first parties is different from 
the relationship they have with third parties. When a consumer goes 
directly to a retailer's website to obtain a product or service, the 
consumer inherently understands that she is sharing information with 
that retailer. However, when visiting that retailer's website, the 
consumer does not understand or expect that the retailer will be 
sharing her information with other companies (``third parties''). That 
is why our staff report recommended that consumers be given clear 
notice and choice about such information sharing with third parties. 
This distinction, however, must be drawn carefully. If first parties 
are defined broadly to include Internet Service Providers (``ISPs'') or 
other companies that have access to almost all consumers' browsing 
behavior, then consumers would likely have a different expectation 
about the use of their data by those companies than they would a 
typical retailer. Consumers would undoubtedly be surprised, and may in 
fact be concerned, to learn that ISPs or similarly situated companies 
could use all of their browsing behavior without their consent. For 
this reason, the staff report noted that enhanced consent or even more 
heightened restrictions would likely be warranted for practices such as 
ISPs' use of Deep Packet Inspection to create marketing profiles.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Barbara Boxer to 
                            Hon. Julie Brill
    Question 1. In your written testimony, you note that the FTC has 
brought 34 data security cases during the past 15 years. During this 
same period of time, state Attorneys General have been free to file 
cases under state law to protect their citizens. What has been your 
working relationship with state Attorneys General on data security 
matters, and has their ability to prosecute state laws ever conflicted 
or hindered the FTC's prosecution of its cases?

    Question 2. Have the efforts of state Attorneys General assisted 
the FTC in its enforcement of consumer privacy and data security laws?
    Answers 1 and 2. The FTC has a history of working well with state 
Attorneys General on enforcement actions in many types of cases. Having 
served for many years in state Attorneys General offices, I can say 
from experience that the Commission has worked well with the state AGs. 
The agency's continued commitment to this cooperation is among my top 
priorities.
    Commission staff engaged in privacy and data security-related 
investigations regularly interact with staff from the state AGs and 
enforcement actions are coordinated when appropriate. For example, in 
the enforcement action involving LifeLock--a company that provided an 
identity theft prevention service--35 states joined the Commission, 
together obtaining a $12 million settlement involving charges that it 
used false claims to promote its services.
    As we do with our sister federal agencies, we work closely with 
state AGs to prevent any conflicting or duplicative enforcement 
actions.

    Question 3. I am concerned about the effect of the data breach 
bill's preemption of California law. As you may know, California law 
requires a company to notify consumers of a breach if there is a 
reasonable belief that personal information was accessed without 
authorization. Do you have an opinion on whether it is best for data 
breach notification to be triggered on whether there has been 
unauthorized access to data, or whether notification should be 
triggered on a company's determination as to whether there is a risk of 
harm?
    Answer. There may be a risk that requiring notification any time 
there has been unauthorized access to data could result in over-
notification to consumers, causing them to ignore the important 
notices. Therefore, generally, it may be useful to have companies make 
an objective reasonable determination as to whether the breach will not 
pose a reasonable risk of harm. In such cases, a notice would not be 
required.
    At the same time, however, for certain sensitive data, unauthorized 
access to such data may create a presumption of harm. For example, in 
the Commission's Health Breach Notification Rule, the Commission stated 
that, because of the sensitivity of health information, unauthorized 
access would be presumed to create a risk of harm.

    Question 4. In AT&T v. Concepcion, the U.S. Supreme Court ruled 
that federal arbitration law preempts California law banning the use of 
class action waivers in consumer agreements. Some professors and 
consumer advocates in California have expressed concern that this 
decision could have an effect on state data breach laws, such as the 
strong law in effect in California. Do you believe the Supreme Court's 
decision could have an impact on states' ability to pass strong 
consumer protection laws, particularly in the data breach/notification 
area?
    Answer. I note that the California state data breach law contains a 
private right of action. Cal. Civ. Code  1798.84. Under the decision 
in AT&T v. Concepcion, it appears that companies handling consumer data 
could mandate in their consumer agreements that consumers address any 
problem related to data security and notification through individual 
arbitration.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Mark Begich to 
                            Hon. Julie Brill
    Question. Besides passing legislation is there anything else that 
can be done to assist consumers' digital education so they have a 
better understanding of the consequences of their online and offline 
data profiles?
    Answer. As we mentioned in the December 2010 preliminary staff 
privacy report, we believe that all stakeholders should work to educate 
consumers on privacy issues, particularly in the digital world. For its 
part, the FTC has a very active program to educate families about steps 
people can take to protect their data online, and understand how 
companies may track their online activity. Many school systems have 
ordered materials from the FTC, or adapted them for their own use. We 
encourage schools that aren't yet using these materials to consider 
sharing them with teachers, parents and students.
    Since October 2009, the FTC has distributed over eight million 
copies of the guide for parents, ``Net Cetera: Chatting with Kids About 
Being Online.'' Approximately 20,000 schools, school systems, law 
enforcers and other community organizations have placed orders. The Net 
Cetera guide helps adults lead a conversation with kids about online 
privacy and safety, rather than taking a lecturing approach.
    Recently, OnGuardOnline.gov released a new publication designed to 
educate consumers about mobile apps, ``Understanding Mobile Apps: 
Questions and Answers.'' The guide explains what apps are, the types of 
data they can collect and share, and why some apps collect geolocation 
information. The FTC issued the guide to help consumers better 
understand the privacy and security implications of using mobile apps 
before downloading them.
    In September 2011, the FTC will release a revamped 
OnGuardOnline.gov site, in coordination with the Department of Homeland 
Security's Stop.Think.Connect campaign. The site, which will feature a 
blog, will continue to be the Federal Government's site to help users 
be safe, secure and responsible online.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Kelly Ayotte to 
                            Hon. Julie Brill
    Question 1. In a May 2011 interview, Chairman Leibowitz stated that 
``one of the Commission's priorities is to find a pure Section 5 case 
under unfair methods of competition. Everyone acknowledges that 
Congress gave us much more jurisdiction than just antitrust.'' However, 
in 2009, the U.S. Chamber of Commerce published an article that casts 
doubt on the FTC's authority to expand its jurisdiction under Section 
5. The Chamber stated, ``The character of many of these proposals, as 
well as their scope and diversity, highlights key disadvantages of 
extending Section 5 beyond the range of the existing antitrust laws.'' 
Do you agree with the Chamber's views that we should look with 
skepticism at the expansion of Section 5? If not, why not?
    Answer. Congress established the Commission as a bipartisan 
independent agency with a mandate to protect the public from unfair 
methods of competition. Congress intended that the Commission play a 
unique role in the economic life of the nation. As the Supreme Court 
explained in FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 239 (1972), 
in which it thoroughly examined the legislative history of the FTC Act, 
Congress intended for the Commission to proscribe unfair business 
practices that are not condemned under the letter of the antitrust 
laws. Senator Cummins (R. Iowa), one of the main sponsors of the bill 
establishing the FTC, squarely stated on the Senate floor: ``[t]hat is 
the only purpose of Section 5 to make some things punishable, to 
prevent some things, that can not be punished or prevented under the 
antitrust law.'' 51 Cong. Rec. 12,454 (1914). While the vast majority 
of our antitrust enforcement actions involve conduct that falls within 
the prohibitions of the Sherman or Clayton Acts, the Commission has a 
broader mandate, which it discharges by challenging, under Section 5, 
conduct that is likely to result in demonstrated harm to consumers or 
to the competitive process.
    Indeed, Section 5 may be the only practicable means to stop harmful 
conduct that cannot be reached under the antitrust laws. The 
Commission's recent use of Section 5 demonstrates that the Commission 
is committed to using that authority in predictable ways that enhance 
consumer welfare. For instance, the Commission used Section 5 in the 
recent U-Haul settlement to prevent ``invitations to collude'' by 
fixing prices. A competitor's invitation to its nominal rival to fix 
prices does not violate the Sherman Act, but it serves no lawful 
purpose and creates an intolerable risk that price fixing will result. 
And even if an invitation to collude is rejected, it can undermine the 
process by which prices are set by independent competitors and lead to 
tacit coordination. In the article you mention, the Chamber of Commerce 
``acknowledge[s] that there are certain, limited forms of 
anticompetitive conduct that may not be covered by the antitrust 
laws,'' including invitations to collude.
    Congress chose to give the Commission its broad mandate rather than 
handing the Commission a list of specific acts to be condemned as 
unfair because it knew that no such list could be, or long remain, 
sufficiently complete to protect competition and consumers. To address 
concerns about the fairness of not doing so, Congress limited the 
remedies available for violations of Section 5. The Commission is 
limited to certain remedies, such as cease and desist orders, to stop 
harmful conduct; the agency cannot seek a fine or civil penalty as a 
result of a Section 5 violation. Moreover, Section 5 of the FTC Act 
does not provide for a private right of action, and no party may obtain 
treble damages under the FTC Act.
    Because of the limited consequences of Section 5 enforcement, the 
Commission uses its Section 5 authority not to punish the wrongdoer, 
but to fairly eliminate the conduct that is likely to injure 
competition and consumers, allowing honest and competitive markets to 
further consumer welfare.

    Question 2. The Association for Competitive Technology represents a 
number of tech companies including Microsoft, Oracle, and VeriSign. ACT 
has blogged about Chairman Leibowitz's desire to expand the FTC's 
Section 5 authority. It wrote that Chairman Leibowitz ``is arguing that 
requiring actual economic analysis of alleged ``harms to competition'' 
is too high a bar for his agency. They need to be able to prevent 
business practices they believe are harmful to competition and 
consumers, even if the economic analysis suggests otherwise. And in 
this new regime, companies will have little guidance as to what the FTC 
will consider legal vs. illegal.'' This doesn't seem to be the right 
policy for the agency to be pursuing. Why is the FTC doing so?
    Answer. The Commission will not bring a case where the evidence 
shows no actual or likely harm to competition or consumers. As the 
Chairman explained in his testimony before the Senate Judiciary 
Committee last summer, ``Of course, in using our Section 5 authority 
the Commission will focus on bringing cases where there is clear harm 
to the competitive process and to consumers.'' That is, any case the 
Commission brings under the broader authority of Section 5 will be 
based on demonstrable harm to consumers or competition. As the Second 
Circuit held in the Ethyl case,\1\ there must be some ``indicia of 
oppressiveness'' before the FTC can bring an enforcement action under 
Section 5. We have adhered to this standard in our cases. For instance, 
in the recent Intel case, the Commission alleged that Intel's behavior 
harmed consumers and the competitive process in a number of ways, such 
as raising the price of computers; limiting consumer choice; inhibiting 
competition from non-Intel chip makers; reducing innovation by computer 
makers; and reducing the quality of industry benchmarking. Commission 
staff was prepared to offer proof of these harmful effects to establish 
that Intel violated Section 5, as well as Section 2 of the Sherman Act. 
Intel offered to settle the case, resulting in a Commission order 
eliminating the harmful conduct.
---------------------------------------------------------------------------
    \1\ E.I du Pont de Nemours & Co. v. FTC, 729 F.2d 128 (2d Cir. 
1984) (``Ethyl'').

    Question 3. Prior to Google's announcement of an FTC investigation 
into its competitive practices there were a lot of news stories about 
the battle between the FTC and the DoJ over which agency would get to 
investigate the company. In fact, Assistant Attorney General for 
Antitrust Christine Varney questioned whether two agencies should have 
antitrust review powers. She stated, ``I would leave to Congress how 
they would like to resolve the overlapping and sometimes inconsistent 
jurisdiction between the agencies . . . I think what business does need 
is clarity, certainty and understanding of the legal framework within 
which their deals will be evaluated.'' Do you think that the 
overlapping jurisdictions of the FTC and Department of Justice--and the 
fights that they produce--are a good thing for American businesses and 
consumers? If not, how would you propose to fix it?
    Answer. I believe the FTC and the Department of Justice work well 
together to promote and protect competition and the interests of 
American consumers and businesses. Both agencies have areas of 
expertise, and the differences in their organizational structures are 
quite deliberate and provide certain benefits. For example, the FTC was 
created by Congress as an independent agency with expertise in both 
consumer protection and antitrust. One of the principal benefits of the 
FTC is that it is bipartisan and our decisions require consultation and 
consensus. That means that our enforcement efforts remain relatively 
consistent as we go from Administration to Administration. Further, 
because Congress wisely charged the Commission with competition and 
consumer protection enforcement, we have a broad perspective that 
enhances our work. The FTC also was chartered by Congress to employ 
non-enforcement tools, such as issuing reports, performing empirical 
studies, and advocating for pro-competition reforms with other 
government agencies, to support and strengthen the agency's competition 
and consumer protection missions.
    This year, the agencies worked closely together on several joint 
policy projects to provide transparency and predictability for 
businesses subject to the antitrust laws. Last August, FTC and DOJ 
issued revised Horizontal Merger Guidelines, a core document that 
provides businesses with a clear view into how the agencies conduct 
antitrust merger reviews. This year, the agencies also jointly 
developed a Proposed Antitrust Enforcement Policy relating to 
cooperation among health care providers organizing Accountable Care 
Organizations under the new Patient Protection and Affordable Care Act. 
These joint statements reflect a high level of consensus and 
cooperation, and serve as models for competition agencies throughout 
the world.
    It is true that there are occasional clearance disputes over which 
agency is in the better position to investigate a matter. In most 
instances, one or the other agency has greater expertise in the 
industry of potential concern due to a previous investigation, and 
clearance is given to that agency right away. But in grey areas, such 
as where neither agency has conducted an investigation in the past, 
both agencies can make a claim that a related investigation gives them 
a head start on the facts and issues that are likely to arise. The FTC 
and DOJ have a process in place to resolve clearance disputes, which 
helps resolve the issue quickly, so that one agency can get started on 
the investigation and minimize any burden on the parties. Recently, 
clearance disputes have been rare and are handled quickly.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. John F. Kerry to 
                         Hon. Cameron F. Kerry
    Question 1. General Counsel Kerry, I understand that you have had 
discussions with our trading partners in Europe, Asia, and the Americas 
on privacy. I get the sense that our disagreements with them are more 
about form than substance. That is, we share values but not a common 
platform of law. Could you talk about what is going on in the rest of 
the world on this issue and how you and Congress can participate in 
that dialogue effectively?
    Answer. Privacy is a deeply held value in America, reflecting long-
standing legal, political, and cultural traditions. Our laws express 
this value. Respect for privacy is broadly enshrined within the Bill of 
Rights, most dramatically in the Fourth Amendment. Privacy protections 
are woven into the fabric of our common law and state laws. Congress 
has further protected various types of information about individuals 
through legislation aimed at specific industries or categories of 
information, such as health, finance, education, and information about 
children. Some of the companies that operate in these targeted 
industries have adopted multi-stakeholder-created codes of conduct 
which are enforced by the Federal Trade Commission (FTC) and by state 
Attorneys General. Between legislation and these codes of conduct, 
there is strong protection for information about individuals in these 
specific sectors.
    Other countries have adopted different models. With the advent of 
Internet commerce, several multinational bodies developed comprehensive 
data privacy models that draw nearly all data privacy contexts under a 
single legal framework. In large part, these laws are grounded in the 
internationally recognized Fair Information Practice Principles that 
were originally created by the United States Department of Health, 
Education and Welfare back in 1973. In 1995, for example, the European 
Union (EU) passed its Data Protection Directive (DPD), which provides 
an EU-wide, omnibus framework focused on these fair information 
principles. Similarly, the Organization for Economic Cooperation and 
Development (OECD) has issued Guidelines Governing the Protection of 
Privacy and Transborder Flows of Personal Data, and the Asia Pacific 
Economic Cooperation has issued a Privacy Framework, which also 
enshrine the Fair Information Practice Principles. Many member 
countries have implemented this framework in their own national laws, 
including Argentina, Australia, Canada, India, Japan, Mexico, South 
Korea, and all 27 member countries of the EU. These laws are generally 
applicable to information about individuals irrespective of the 
industry in which the information is obtained.
    Because key American players in the Internet, including online 
advertisers, cloud computing service providers, providers of location-
based services, and social networking sites, operate in sectors without 
specific statutory obligations to protect information about 
individuals, much of the information about individuals currently 
traversing the Internet fall into these ``gaps'' in commercial privacy 
legislation. This has led to a misperception in some foreign quarters 
that the United States does not have strong privacy protections and 
does not care about privacy.
    Even though the United States does not have a unitary legal 
framework in the private sector that governs commercial data privacy, 
our system of protections is strong and actively enforced by the FTC, 
by agencies that regulate in specific sectors, and by the States. 
Furthermore, there is an expanding corps of privacy professionals in 
the United States dedicated to considering privacy issues and complying 
with privacy regulations, both domestic and foreign. As the data 
protection commissioner of another country said to me at an 
international conference of data protection and privacy professionals: 
``My colleagues tell me the Americans have no respect for privacy, but 
how come all the people who attend these conferences are American?'' 
Many recognize that the flexible regime of U.S. privacy laws has 
facilitated innovation and contributed to development of some of the 
world's most advanced online services.
    The European Union is currently revising its Data Protection 
Directive, and we are concerned this may result in changes that would 
restrict cross-border data flows. In our engagement with the EU, its 
member states, and other international partners, my Administration 
colleagues and I are working toward minimizing multiple compliance 
burdens and giving businesses and consumers consistent rules and 
expectations.
    The most important thing Congress can do is to enact baseline 
privacy protection to make American commercial data privacy law 
comprehensive, creating protections that would apply to all businesses 
in the absence of more specific industry legislation. The 
Administration has issued a call for enacting such protections in the 
form of a consumer privacy bill of rights based on the Fair Information 
Practice Principles our country pioneered long ago. The EU is closely 
watching our pending privacy-related legislation. If Congress were to 
enact comprehensive commercial data privacy legislation that fills in 
the gaps in consumer protections, this would demonstrate renewed U.S. 
leadership in privacy protection and help prevent fragmentation of the 
Internet that becomes a barrier to the cross-border free flow of 
information essential to the United States and to global trade and 
commerce.

    Question 1a. How many other members of the OECD have a general law 
of privacy for commerce based on the Fair Information Practice 
Principles?
    Answer. Within the OECD, 32 of the 34 members have a general 
commercial privacy law based on the Fair Information Practice 
Principles--all members except the United States and Turkey.

    Question 2. GC Kerry, we are talking about both privacy and what 
happens to people's information when security fails. How would a 
privacy framework based on the Fair Information Practices impact data 
breaches (i.e., only retaining the data for as long as needed, 
implementing good data security, privacy by design, etc?)
    Answer. The premise underlying the Administration's proposal for 
federal security breach notification legislation is that creating 
greater transparency and accountability through breach reporting will 
improve the state of data security practices. The Administration's 
security breach notification proposal does not recommend any specific 
set of data security requirements.
    Other Administration and Department of Commerce proposals contain 
recommendations to improve security for digital information, including 
but not limited to information about individuals. In the context of 
consumer data privacy legislation, the Administration recommends an 
approach based on a comprehensive set of Fair Information Practice 
Principles (FIPPs). Widespread implementation of such principles could 
help address some of the conditions that lead to security breaches. For 
example, observing the principle of data minimization--collecting only 
the information about individuals that is needed and securely deleting 
or disposing of it after it is no longer needed--could lead firms to 
collect less information about individuals that could be subject to 
unauthorized disclosure. This principle would, of course, need to be 
implemented in such a way that it did not hamper the ability of law 
enforcement to continue to ensure public safety. Similarly, a ``privacy 
by design'' approach could lead to the collection of less information 
about individuals and to the incorporation of technical and 
organizational approaches to keeping it secure.

    Question 3. GC Kerry, in the Department of Commerce report issued 
last year, your agency did not call for a Do-Not-Track option to go in 
to law. Can you talk about the pros and cons of Do-Not-Track proposals 
and its role as a part of the larger privacy framework we should be 
considering?
    Answer. Although it is premature to comment on specific Do-Not-
Track proposals currently being debated, the Administration believes 
that Do-Not-Track is exactly the type of complex subject that would 
benefit from the multi-stakeholder process outlined in our response to 
Question 5, where stakeholders with different interests and 
perspectives would work together toward agreement on an enforceable 
code of conduct for the industry. Such a process would allow industry 
to be responsive to changing consumer expectations and rapidly-changing 
technology without the need for additional legislation.
    The FTC's current work on Do-Not-Track embraces this model, and I 
applaud the leadership of Chairman Leibowitz, as well as browser 
developers, privacy advocates, and others, to provide options for 
greater control over personal information.

    Question 4. GC Kerry, the FTC and the FCC both have a role in 
privacy oversight today. Senator McCain and I are proposing 
consolidating that oversight under the FTC to the degree that 
activities telephone and cable companies undertake in collecting 
information are already covered by another law. Again, this remains a 
work in progress and we are open to alternative constructions of the 
bill. Given that cable and telephone companies are collecting 
information for the same business reasons as any other market actor, is 
there a good reason to govern them under different agencies or under 
different constraints?
    Answer. Generally speaking, the Internet Policy Task Force Green 
Paper and other Administration statements have recommended keeping 
existing sector-specific federal data privacy statutes in place and 
avoiding duplicative regulation. We will consider this issue further as 
we develop the Administration's proposal.

    Question 5. GC Kerry, in our legislation we include a safe harbor 
program by which industry can work cooperatively with regulators to 
construct procedures for adherence to fair information practice 
principles that are workable and effective. Could you talk to the 
concept of the multi-stakeholder cooperative process and how you think 
it could work?
    Answer. Multi-stakeholder processes are not an untested idea. 
Groups such as the Internet Engineering Task Force (IETF) and the World 
Wide Web Consortium (W3C) have used transparent, consensus-driven 
processes to set a wide range of Internet-related technical standards. 
These processes have been successful, in part, because stakeholders 
share an interest in solving the underlying challenges. Today the 
standards for basic Internet communications protocols that support 
trillions of dollars in global commerce each year are developed through 
these consensus-driven processes.
    The 1990s Internet policy framework began with a series of multi-
stakeholder events and forums that informed policy and prompted self-
regulatory action. Major websites agreed to post privacy policies, the 
nascent online advertising industry developed a code of conduct, and 
the FTC enforced adherence to these voluntary practices.
    The Administration believes that the flexibility provided by well-
crafted multi-stakeholder processes offers the most effective solution 
to the challenges posed by a rapidly changing technological, economic, 
and social environment. We need a process that is nimble enough to 
enable stakeholders to respond quickly to consumer data privacy issues 
emerging from new technologies and business practices without the need 
for additional legislation.
    The two key characteristics of a successful multi-stakeholder 
process for a wide variety of privacy challenges--including data 
security, and Do-Not-Track--are legitimacy and flexibility.
    Legitimacy means that the broad array of stakeholders affected by 
consumer data privacy have a chance to be heard--and actually are 
heard. The process we envision will put industry leaders at the table 
alongside consumers, privacy advocates, state regulators, academics and 
appropriate federal agencies. We want to engage all of them in a 
dialogue about how to guarantee the privacy consumers have a right to 
expect, while enabling businesses to develop new technologies, 
products, and services, and meeting legitimate public safety concerns 
and other important public interests.
    Flexibility ensures that the process continues to adapt to changes 
in technology and services in the digital economy. The issues will 
touch on technology, business needs, individual values, U.S. law, and 
international law and policy among many other things. The process needs 
to accommodate these different, changing considerations.
    We see a need for our government to take the initiative to convene 
stakeholder discussions. We are convinced that Executive Branch 
involvement as a facilitator will inject energy, legitimacy, and 
urgency to get stakeholders moving.
    The Department of Commerce will initiate the process by working 
with private sector stakeholders, consumer groups, privacy advocates, 
and government partners, to identify specific arenas where privacy 
practices are unclear and clear rules would benefit consumers and 
businesses. Once convened, these stakeholders will hold the pen when 
drafting the codes. The end goal is to produce an enforceable code of 
conduct that meets FTC approval.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Mark Begich to 
                         Hon. Cameron F. Kerry
    Question. Besides passing legislation is there anything else that 
can be done to assist consumers' digital education so they have a 
better understanding of the consequences of their online and offline 
data profiles?
    Answer. As technologies mature, consumers will naturally become 
more educated in the privacy issues related to those technologies. 
However, there are certain actions Congress and the Administration can 
take that will help speed up that constantly-evolving process.
    Congressional hearings on commercial data privacy have helped raise 
awareness of data privacy practices. Forums convened by agencies like 
the Department of Commerce and the Federal Trade Commission have also 
increased awareness and interest in the issues surrounding consumers' 
data profiles. There are also many privacy conferences that explore 
these issues and help educate privacy professionals, who in turn help 
educate an increasingly sophisticated population of consumers.
    We will continue to engage with the private sector as conveners, 
speakers, participants, and listeners at privacy conferences. We will 
also continue leading initiatives like the National Strategy for 
Trusted Identities in Cyberspace, which is focused on enhancing 
consumers' convenience, security, and privacy in online transactions, 
and the National Initiative for Cybersecurity Education, which has as 
one of its three strategic goals to raise awareness about the risks of 
online activities. This kind of leadership and participation has sped-
up the production of tools that provide consumers more awareness and 
control over their online data profiles, such as browser Do-Not-Track 
tools and privacy architecture.
                                 ______
                                 
  Response to Written Question Submitted by Hon. Claire McCaskill to 
                           Austin C. Schlick
    Question. The United States may need a national framework to ensure 
that personal data remains secure in an increasingly electronic world 
and to mitigate harm in the event of a breach. As we consider 
legislation, it is important that we do not end up with a patchwork of 
federal data security laws, with multiple regulations from multiple 
federal agencies. That doesn't help consumers and could create 
competitive disparities that could distort the marketplace and create 
confusion. Do you agree that it is not productive to have multiple 
agencies with authority over the same parties, creating possible 
duplication of efforts and confusion and disparities for consumers and 
businesses?
    Answer. A uniform and consistent set of privacy and data security 
standards employed consistently across government could protect 
consumers and provide certainty to companies that handle personal data. 
These standards would not, however, preclude sector-specific privacy 
regimes overseen by experienced expert agencies. In particular, 
different types of consumer data may warrant different treatment, and 
the same type of information might warrant different treatment by 
companies in different industries. For example, an individual's health-
related information may raise different concerns than the same 
individual's consumer spending-related information, and overseeing data 
security with respect to these different types of data may be most 
successfully done by the agencies that have expertise and experience 
with the industries and types of data at issue.
    The FCC, for instance, has extensive experience protecting 
consumers through the agency's authority over the privacy practices of 
communications providers. Section 222 of the Communications Act 
requires telecommunications carriers to safeguard information about, 
for example, the numbers consumers dial, the length of time they spend 
using the network, and their location when they use wired or wireless 
services to make calls. Over the years, the Commission has responded to 
evolving technologies and networks by promulgating increasingly 
protective rules to safeguard consumers' privacy. Our network-focused 
privacy and data security rules are sound, settled, and legally tested. 
Sections 338 and 631 of the Communications Act also protect personal 
information. These provisions establish requirements for satellite and 
cable television providers' treatment of their subscribers' personally 
identifiable information, including information about the extent of any 
viewing or other use by the subscriber of a cable or satellite service 
or other service provided by the cable or satellite operator. The 
requirements include clear and conspicuous notice about collection and 
use of subscribers' personal data, limiting disclosure of personal 
data, and remedies for subscribers who suffer a violation of these 
provisions.
    The FCC also has experience with successful collaboration in areas 
of overlapping agency jurisdiction. Working in parallel with the FTC, 
the FCC adopted ``Do-Not-Call'' regulations under Section 227 of the 
Communications Act. The FCC and the FTC also collaborated on 
implementation of the CAN-SPAM Act, with the FCC adopting rules that 
prohibit sending unwanted commercial e-mail messages to wireless 
accounts without prior permission. The FCC and the Department of 
Justice enforce Section 705 of the Communications Act, which prohibits 
unauthorized interception of radio communications and unauthorized 
disclosures of wire or radio communications.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Mark Begich to 
                           Austin C. Schlick
    Question. Besides passing legislation is there anything else that 
can be done to assist consumers' digital education so they have a 
better understanding of the consequences of their online and offline 
data profiles?
    Answer. Consumer education is an ongoing priority for the FCC, 
particularly in the area of privacy and data security. The National 
Broadband Plan specifically recognized the importance of educating 
consumers about the potential consequences of their online profiles and 
helping them manage those profiles in a manner that maximizes the 
privacy and security of the information.
    The Commission's E-rate program also requires that any school 
receiving E-rate funding for Internet access or internal connections 
must have an Internet safety policy. At Congress's direction, we are 
implementing a new requirement for 2012 that those policies must 
provide for educating minors--at the school's discretion--about 
appropriate online behavior.
    The FCC also participates in numerous consumer education 
initiatives across the Federal Government in the area of privacy and 
data security. The FCC is an active participant in OnGuard Online, a 
website sponsored by several government and private organizations that 
helps consumers guard against fraud and identity theft on the Internet. 
The FCC also is part of the public/private National Initiative for 
Cybersecurity Education partnership that encourages sound cybersecurity 
practices, including protection of consumers' online profiles. The FCC 
will continue to support these and other initiatives that educate 
consumers about the importance of protecting their online identities.
                                 ______
                                 
Response to Written Questions Submitted by Hon. John D. Rockefeller IV 
                           to Stuart K. Pratt
    Question 1. Mr. Pratt, while your testimony focuses on use of 
information by data brokers for fraud prevention, law enforcement and 
child protection, the industry is much broader than that. According to 
news reports, consumer information is collected, aggregated, and sold 
by data brokers for marketing and other purposes. To provide a fuller 
record, please provide the following:

   A comprehensive list of data brokers and the types of 
        consumer information they collect by entity, how the data is 
        acquired, how it is aggregated, and how it is marketed to 
        potential buyers.

    Answer. There may be companies that produce valuable products for 
American businesses who want to reach customers and which fall under 
the definition of the term data broker as your bill defines it. 
However, CDIA does not represent these types of companies and cannot 
answer for them. CDIA is an international trade association with more 
than 190 member companies, providing our nation's businesses with the 
data tools necessary to manage risk in a wide range of consumer 
transactions. These products include credit and mortgage reports, 
identity verification tools, law enforcement investigative products, 
fraudulent check transaction identification systems, employment 
screening, tenant screening, depository account opening tools, decision 
sciences technologies, locator services and collections. Our members' 
data and the products and services based on it ensure that consumers 
benefit from fair and safe transactions, broader competition and access 
to a market which is innovative and focused on their needs. We estimate 
that the industry's products are used to manage risk in more than nine 
billion transactions per year. The sources of data used to develop 
these products vary. Examples of sources include financial 
institutions, insurance companies, retailers, public records, utilities 
companies, telecommunications companies and consumers, themselves.

    Question 1a. A detailed and comprehensive list of the types of 
entities purchasing data from data brokers and the types of information 
and purpose for purchasing such information.
    Answer. The users of risk-management products produce by our 
members will vary. We include a range of uses in our testimony. 
Examples include insurance companies, financial institutions of all 
types, law enforcement agencies, government entitlement program 
providers, federal, state and local government administrative and 
regulatory agencies, retail merchants, public and private universities, 
non-profit organizations, collection agencies, child support 
enforcement programs and agencies, centers for missing and exploited 
children, retailers, healthcare providers and more.
    The specific purposes for purchasing the data for risk management 
will vary. Some purchase data to verify consumers' identities in order 
to prevent identity theft and to comply with federal laws and 
regulations relating to this crime such as Section 326 of the USA 
Patriot Act or FACT Act Red Flags Rules. Others will purchase data to 
make sure that the consumer with whom they are doing business has the 
ability to pay for the product or that the premium is set fairly 
relative to the risk. An online retailer or government agency may 
purchase data to ensure that addresses to which packages or mailings 
are sent to the most up-to-date address and not to fraudulent 
addresses. Child support enforcement agencies and those which focus on 
missing and exploited children use location and investigative data 
tools to enforce orders and to prevent child abuse.

    Question 1b. Your understanding of what existing laws cover, if 
any, the collection, maintenance, and transfer or sale of each type of 
information described in your responses to the requests above.
    Answer. With regard to CDIA's members there are numerous laws at 
the federal and state level that regulate the collection, maintenance, 
and transfer or sale of information, including but not limited to:

   The Federal Fair Credit Reporting Act (FCRA) as well as 
        various state Fair Credit Reporting Acts;

   Title V of the Gramm-Leach-Bliley Act (GLBA);

   The Drivers Privacy Protection Act (DPPA);

   The Health Insurance Portability and Accountability Act 
        (HIPAA);

   The Children's Online Privacy Protection Act (COPPA);

   The FTC's Do Not Call list;

   The Fair Debt Collection Practices Act;

   Section 5 of the FTC Act and similar state UDAP Statutes;

   Equal Credit Opportunity Act;

   The CAN-SPAM Act;

   The Telemarketing Consumer Protection Act; and

   Numerous state data protection/data security/data breach 
        notification laws.

    Question 2. Mr. Pratt, you suggest the data broker provision in 
Senator Pryor's and my bill will undermine law enforcement and fraud 
prevention even though our bill makes an explicit accommodation for 
``governmental, child protection, and fraud prevention purposes.'' 
Given this exemption, why do you believe the bill would undermine those 
efforts?
    Answer. As suggested in our oral remarks offered at your hearing, 
it is our view that the committee has a tremendous opportunity to pass 
new law establishing a national standard for ensuring the security of 
sensitive personal information and ensuring that consumers are notified 
when the loss of sensitive personal information poses a significant 
risk of identity theft. CDIA continues to support the enactment of an 
administratively-enforced national standard for both concepts.
    With regard to the information broker provision consider the 
following specific concerns which are drawn from our September 22, 2010 
testimony offered at a legislative hearing on S. 3742, the Data 
Security and Breach Notification Act of 2010 and which remain in this 
version of that legislation, as well.
    Interference with Fraud Prevention, Identity Protection and 
Location Services--RVI products such as those designed for fraud 
prevention and location are produced under laws such as the Gramm-
Leach-Bliley Act and Section 5 of the Federal Trade Commission Act.
    The definition of information broker does not exclude financial 
institutions regulated under GLB. Therefore products developed under 
the data-use limitations found in GLB Title V, Section 502(e) are 
adversely affected by the information broker provision. Neither a 
product developed for fraud prevention nor location should be subject 
to accuracy, access and correction standards since neither product is 
used to deny or approve an application, etc. If they were designed for 
the purpose of making decisions about a consumer's eligibility, then 
they would already be regulated under the FCRA.
    Consider the effect of the information broker duties on fraud 
tools. While Section 2(b)(3)(A)(ii) provides a limited exception for 
fraud data bases consisting of inaccurate information, the exception is 
not sufficient, though we do applaud the effort to try and address the 
problem of imposing an accuracy standard on fraud tools. Fraud 
prevention tools are built based on data about confirmed fraud 
attempts, data about combinations of accurate and in accurate data used 
for fraud attempts and more. Fraud tools are designed to identify 
transactions or applications that are likely to be fraudulent in order 
to allow the user to take additional steps to prevent the crime and 
still process legitimate transactions. The current exception does not 
appear to address all types of fraud prevention tools used today and 
further the limitations of the exception impose statutory rigidity that 
will prevent the design of new tools as the strategies of the criminals 
change. It is our view that applying an accuracy standard to any aspect 
of a fraud prevention system that is not used to stop a transaction or 
used to make a yes-or-no decision does not make sense.
    Similarly it is wrong to subject fraud prevention tools to an 
access and correction regime. While Section 2(b)(3)(iv) attempts to 
exclude fraud prevention tools from the duty to disclose (and therefore 
any right to dispute data), the exception is tied to a variety of tests 
such as where the use of the tool would be ``compromised by such 
access.'' It is our view that fraud tools, because they are not used to 
make decisions, should be absolutely excluded from duties to disclose. 
If details of a fraud tool are disclosed it is akin to disclosing the 
recipe for fraud prevention. The fact that the exception to disclosure 
is not absolute leaves open the risk that a tool will have to be 
disclosed which simply reduces the value of fraud prevention tools 
which are protecting consumers. This result works against the premise 
of the bill which is to protect consumers from crime, particularly 
identity theft.
    As discussed in this testimony, location services are materially 
important to how risk is managed. These tools are not designed to be 
used for decisionmaking and thus are not regulated under the FCRA, 
which already regulates all data used for eligibility decisions 
(including the imposition of accuracy, access and correction rights). 
Location services cannot have an accuracy standard applied to them as 
this bill would propose. The tools are about helping local law 
enforcement investigate crimes, attorneys to locate witnesses, and 
federal agencies to cross match data in the pursuit of kidnappers, 
etc., nonprofit hospitals to collect debts from patients who have the 
ability to pay but refuse to do so and in the enforcement of child 
support orders. These systems are designed to, for example, help a user 
identify possible connections between disparate records and ultimately 
possible locations for the subject of the search. Measuring the quality 
of the possible connections is not akin to an accuracy standard, nor 
should an accuracy standard be applied to ``possible matches.'' 
Further, providing access to a database for purposes of error 
correction could affect the quality of the systems since matches are 
sometimes based on combinations of accurate and inaccurate data. 
Ultimately, the data is not used to deny a consumer access to goods or 
services and thus CDIA opposes the application of accuracy, access and 
correction duties to these fraud prevention systems or RVI services.''
    Thank you for this opportunity to add to your hearing record.
                                 ______
                                 
   Response to Written Question Submitted by Hon. Roger F. Wicker to 
                            Stuart K. Pratt
    Question. Mr. Pratt, in your testimony, you cite the litany of 
current laws aimed at data security and protecting consumers' personal 
information, such as the Gramm-Leach-Bliley Act and HIPAA. Further, you 
caution against creating ``overlapping burdens'' where companies are 
already in compliance with security and notification standards for 
sensitive personal information. As we explore this issue, how can we 
ensure creating a national standard will not overlap with these laws 
and create additional burdens on industry?
    Answer. It's our firm belief that one very definite way to 
eliminate some statutory and regulatory overlap as well as to avoid 
misapplication of data management principles is to eliminate the ``data 
broker'' provisions from the bill entirely. In doing this the Senate 
Commerce Committee can focus on the tremendous opportunity to move a 
bill that will establish an administratively-enforced national standard 
for securing sensitive personal information and notifying consumers 
when the loss of sensitive personal information poses a significant 
risk of identity theft.
    Another specific step you can take is to ensure that where a person 
is already subject to a duty established by other federal law, 
regulation or agency guidance to secure sensitive personal information 
or to notify consumers where the loss of sensitive personal information 
poses a significant risk of identity theft, that the person is deemed 
in compliance with the proposed bill's duties. While there are some 
exceptions included in the bill, they are incomplete because the bill 
proposes that entities must be ``in compliance with'' and not merely 
``subject to'' these duties. By adopting this ``in compliance with'' 
test, the current bill essentially requires all U.S. businesses that 
are subject to both laws to comply with both laws, since falling out of 
compliance with one leads to being out of compliance with both. This is 
entirely the wrong result, and CDIA urges the Committee to strike this 
test in favor of a simple set of exceptions tied to a ``subject to'' 
standard.
    Finally, the bill must establish a ``field preemption'' standard 
which applies to all entities who are either subject to the bill or who 
are deemed in compliance with the bill. This type of preemption ensures 
that states cannot alter or affect in any way the operation of the 
national standards for data security and breach notification. If 
preemption is not perfected then the bill will result in persons still 
being subject to new or slightly altered state laws.
    We are happy to provide your staff with amendatory language for 
each of the concerns outlined above.
                                 ______
                                 
 Response to Written Question Submitted by Hon. John D. Rockefeller IV 
                             to Ioana Rusu
    Question. What types of consumer information is currently being 
collected by data brokers, for what purposes, and is there adequate 
transparency for consumers? Would the data broker provisions in the 
Data Security and Breach Notification Act give consumers greater 
protections than existing law?
    Answer. One significant problem associated with data collection 
activities carried out by many information brokers is that few people 
know exactly what types of information are being collected, and how 
they are being used. Consumers often do not even realize that these 
brokers exist, much less that they are collecting information about 
consumer behavior which can then be used to alter important outcomes 
for individuals.
    Nevertheless, there have been some reports and investigations into 
the activities of these companies. For example, a recent Washington 
Post article entitled, ``Little-Known Firms Tracking Data Used in 
Credit Scores'' \1\ detailed the activities of what it called the 
``fourth bureau:'' private companies that compile and sell consumer 
data to entities such as lenders, landlords, employers and health-care 
providers. Unlike the three major credit bureaus, which track consumer 
scores based on credit card activity, auto notes and mortgages, the 
fourth bureau tracks and investigates traditionally unreliable 
indicators of creditworthiness, such as magazine and cable 
subscriptions, utility bills, and child care tuition payments. The Fair 
Credit Reporting Act sets standards for handling of credit information, 
but it does not necessarily cover all the activities of the ``fourth 
bureau,'' and enforcement of this law has been spotty.
---------------------------------------------------------------------------
    \1\ Ylan Q. Mui, ``Little-Known Firms Tracking Data Used in Credit 
Scores,'' Washington Post, July 16, 2011, available on the web at: 
http://www.washingtonpost.com/business/economy/little-known-firms-
tracking-data-used-in-credit-scores/2011/05/24/gIQAXHcWII_story.html.
---------------------------------------------------------------------------
    Most American consumers have no way of knowing that this 
information is being collected about them and used in ways that could 
affect their interest rates, housing, and employment. Even when 
individuals find out about the ``fourth bureau's'' existence, accessing 
and correcting data about them can be very difficult. Consumers Union 
submitted a letter last week to both Senate and House Commerce and 
Banking Committees, asking that Congress investigate the activities of 
these entities and address concerns surrounding consumer privacy and 
FCRA compliance.
    In addition, in its December 2010 staff report, the Federal Trade 
Commission acknowledged that information brokers currently have the 
ability to collect and aggregate data from a wide variety of online and 
offline sources, as well as public and private sources. Data brokers 
may, for example, contract with retailers to acquire consumer purchase 
information.\2\ Some also maintain lists of individuals that are 
considered particularly susceptible to certain marketing campaigns or 
scams.\3\ Data brokers can use collected information for a variety of 
purposes, including providing identity verification services to third-
parties. Information thus obtained, whether correct or erroneous, could 
be used to deny individuals access to funds, admission to an event, or 
membership in a group. Such uses may fall outside of the FCRA, thus 
depriving consumers of the protections offered by the Act.\4\
---------------------------------------------------------------------------
    \2\ Fed. Trade Comm'n, ``Protecting Consumer Privacy in an Era of 
Rapid Change: A Proposed Framework for Businesses and Policymakers,'' 
(2010) (preliminary FTC staff report), available at http://www.ftc.gov/
os/2010/12/101201privacyreport.pdf.
    \3\ Id. at 31, referencing Written Comment of Chris Jay Hoofnagle, 
University of California, Berkeley School of Law, cmt. #544506-00012, 
at 5 (quoting Karen Blumenthal, ``How Banks, Marketers Aid Scams,'' 
Wall St. J., July 1, 2009).
    \4\Id. at 74, note 171.
---------------------------------------------------------------------------
    Because data brokers do not interact directly with consumers, they 
often do not notify consumers when data is being collected. Many also 
do not provide consumers with some means to opt out of the collection. 
As noted in the FTC report, the most troublesome aspect of this 
business is that it is invisible to consumers, and allows the 
aggregation of massive amounts of information about them into consumer 
profiles that can be used for a variety of unanticipated purposes. Such 
secret dossiers pose significant privacy concerns.
    The information broker provisions in S. 1207 would impose 
standardized, mandatory requirements on these companies. Under the 
bill, information brokers would have to provide consumer access to 
collected information, as well as a process for consumers to dispute 
and correct erroneous information. Data brokers would also have to 
maximize accuracy of collected information. In addition, the bill 
prohibits information brokers from engaging in pre-texting in order to 
obtain consumer information. These provisions would provide consumers 
with greater protections than those currently existing in law, because 
they would cover entities that may not technically fit into the 
traditional FCRA definitions. Those companies have often argued that 
they are not subject to FCRA. This bill would ensure that even in 
situations where FCRA does not apply, information brokers still grant 
consumers access to information about them, and make reasonable efforts 
to ensure information is accurate.
    As this legislation moves forward, we hope your Committee will also 
consider strengthening the information broker section by including a 
requirement that whenever an entity uses information furnished by these 
brokers to make an adverse decision about a consumer, that consumer 
must receive notification. Access and correction rights are certainly 
important. However, if a consumer does not know that brokers are 
collecting and selling personal information about them, they will have 
no way of knowing they should access and correct erroneous data.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Barbara Boxer to 
                               Ioana Rusu
    Question 1. As you know, California was the first state to enact 
data breach and notification laws in 2002, which became effective in 
2003. California has been a leader in the area of data breach laws, and 
has continued to pass laws enhancing protections for consumers since 
the initial law. However, I am concerned about the state law preemption 
provisions in S. 913 (Kerry-McCain privacy bill) and S. 1207 (Pryor-
Rockefeller data security bill), which would prevent California 
enacting laws in the future to deal with new threats to consumers. Do 
you believe that leading states such as California should be preempted 
from improving their consumer protection laws?
    Answer. Consumers Union supports the idea that states should be 
``laboratories of democracy,'' constantly evaluating existing law and 
proposing new solutions for rising issues. Our organization supported 
the California breach law passed in 2003 and we have a long history of 
working with state legislatures to pass initiatives that would protect 
consumers. As a result, we would certainly prefer that any federal law 
addressing data breach and notification set out a floor, not a ceiling, 
allowing states to innovate and address new threats to consumers.
    However, we are also concerned that the current patchwork of state 
notification rules may prove unworkable in the long run. We believe 
that the pre-emption language currently included in S. 1207 is narrowly 
drawn.
    In addition, we are also particularly concerned about the 
activities of information brokers. Too often, consumers have no idea 
that these hidden entities are tracking their behavior and collecting 
information about them from online and offline sources, which is then 
aggregated and used to create comprehensive consumer profiles. We 
believe that the provisions of the bill, which would require access, 
accuracy, and a process for consumers to dispute and correct erroneous 
information, would go a long way toward bringing more transparency to 
the activities of these data tracking companies. As a result, although 
Consumers Union would prefer that the bill not preempt state 
initiatives, we believe that the overall bill would increase 
protections of consumer data.

    Question 2. As you may know, California law requires a company to 
notify consumers of a breach if there is a reasonable belief that 
personal information was accessed without authorization. However, this 
law would be preempted by S. 1207. Do you have an opinion on whether it 
is best for data breach notification to be triggered on whether there 
has been unauthorized access to data, or whether notification should be 
triggered on a company's determination as to whether there is a risk of 
harm?
    Answer. In testimony to Congress on this matter, Consumers Union 
has repeatedly pointed out that the strongest state notice of breach 
laws do not require a finding of risk before mandating consumer 
notification. Although Consumers Union would prefer that consumers 
receive notification whenever their personal information is 
compromised, if there is to be a standard for risk, then Consumers 
Union would prefer the approach taken by this bill, where the risk is 
considered as an exemption rather than as an affirmative trigger. Under 
an ``exemption'' approach, a company with a security breach has to 
qualify for the exemption by showing that there is no reasonable risk 
of harm. Insufficient information about the level of risk does not 
eliminate the obligation to tell consumers about the breach.

    Question 3. Do you believe that state Attorneys General play a 
vital role in the enforcement of consumer laws, such as data security 
and privacy laws?
    Answer. Consumers Union strongly believes that state Attorneys 
General must be involved in the enforcement of consumer laws such as S. 
1207. State attorneys general have been at the forefront of notice of 
data breach issues and have played an invaluable role in addressing 
identity theft and data breach. With more cops on the beat, consumers' 
personal information will be better protected.

    Question 4. In AT&T v. Concepcion, the U.S. Supreme Court ruled 
that federal arbitration law preempts California law banning the use of 
class action waivers in consumer agreements. Some professors and 
consumer advocates in California have expressed concern that this 
decision could have an effect on state data breach laws, such as the 
strong law in effect in California. Do you believe the Supreme Court's 
decision could have an impact on states' ability to pass strong 
consumer protection laws, particularly in the data breach/notification 
area?
    Answer. Consumers Union is troubled by the U.S. Supreme Court's 
finding in AT&T v. Concepcion. The Court's decision to strike down the 
California law in question appears to allow companies to draft 
contracts that legally bar consumers from obtaining redress through 
class-action lawsuits or even group arbitration. Consumers Union 
believes that class actions and group arbitration represent important 
tools for consumers to challenge companies that have wronged them, 
particularly in cases where many consumers have suffered relatively 
small economic harms. As a result, we are concerned that under this 
ruling, strong state consumer laws may be nullified by provisions 
buried in consumer contracts.
                                 ______
                                 
  Response to Written Questions Submitted by Hon. Claire McCaskill to 
                              Tim Schaaff
    Question 1. In reviewing proposals that address data security, it 
is important that Congress learns more from industry sectors about how 
they are dealing with these issues. How has the hacking incident of 77 
million of your customers' accounts affected your business and approach 
to data breach?
    Answer. The hacking incident led us to take action that 
significantly disrupted my company's network business and our 
consumers' use of our services, and, for the entire industry, these 
illegal attacks highlighted the widespread problem of cyber security. 
To protect our network and our consumers from online hackers, we felt 
compelled to shut down our services. We worked hard to restore the 
services and to keep our customers informed. We asked our customer for 
their patience and understanding. We have been rewarded with a strong 
return of our customers to our network. Since coming back online there 
has been a net increase of approximately 3 million new user accounts. 
Following the attacks, we reevaluated our approach to data security and 
enhanced our security in numerous respects.

    Question 2. What have you learned from the incident and what 
internal steps are you taking to address it from happening again?
    Answer. We have learned that the problem of cyber crime is 
insidious and pervasive, that the hacking community has become 
increasingly sophisticated and possesses extraordinary ability to 
assimilate and share information, and that, therefore, a more-
coordinated effort among all industry stakeholders is necessary to best 
address the issue. Along with advocating that type of cooperative 
approach, as we do here, to guard against future attacks, we have taken 
various internal steps to enhance the security controls we already had 
in place, including:

   added additional automated software monitoring and 
        configuration management to help defend against new attacks;

   enhanced levels of data protection and encryption;

   enhanced our capabilities to detect software intrusions 
        within the network, unauthorized access and unusual activity 
        patterns;

   implemented additional layers of firewalls;

   began sharing the knowledge, expertise, and available tools 
        acquired by SNEA during the attack with other Sony companies;

   expedited a planned move of the system to a new data center 
        in a different location with enhanced security; and

   created a new Chief Information Security Officer position at 
        SNEA.

    Question 3. What processes have been working for you and what do 
you need to improve?
    Answer. Our communications with our consumers and our Welcome Back 
program have been working well for us. Our consumers have responded, 
and we are at or surpass pre-breach metrics for engagement with our 
customers. We believe that support between industry and government 
should be improved. Companies are effectively defending against highly 
sophisticated hackers by themselves with no real means or ability to 
investigate beyond their own servers if a breach occurs. A strong 
coalition among government, industry, and consumers is needed to insure 
that the Internet is not lawless and that online commerce can grow 
unimpeded. We believe it would be extremely helpful for the public and 
private sector to develop information-sharing processes that help 
legitimate business without inadvertently supporting hackers. In 
addition, means must be found so that consumers, government, and 
industry can work more closely together to enact strong laws, promote 
strong enforcement of those laws, and educate consumers about the very 
real threats that exist online.
                                 ______
                                 
  Response to Written Questions Submitted by Hon. Roger F. Wicker to 
                        Thomas M. Lenard, Ph.D.
    Question 1. In previous hearings of this Committee on online 
privacy, industry representatives have cited the success of self-
regulatory approaches and the importance of enabling flexibility in 
protecting consumer privacy. In light of these self-regulatory, 
principles-based efforts, do you think it would be premature for us to 
move forward with prescriptive regulations?
    Answer. There is no evidence that current approaches are not 
working. Indeed, the recent Department of Commerce Green Paper, which 
did not recommend prescriptive regulations, observed that ``existing 
U.S. commercial data privacy policy has enabled the digital economy to 
flourish'' (DOC Green Paper, p. 1). This raises questions regarding why 
that policy should be changed.
    Proponents of prescriptive regulation have not thus far 
demonstrated that there is market failure or that consumers are being 
harmed under the current regime. Therefore, there is no basis for new 
regulation. If such a basis were established, there would still be the 
need to demonstrate that the benefits of any proposed regulation exceed 
its costs.

    Question 2. If we proceed down the path of prescriptive one-size-
fits-all regulation do you believe there is a chance it could actually 
have a reverse effect and compromise providers' ability to protect 
consumers' personal information?
    Answer. Regulating the collection, use and/or retention of data by 
legitimate firms does little or nothing to deter fraud. It may, 
however, increase the risk of fraud by making it more difficult for 
sellers to have the information necessary to determine if a potential 
buyer is fraudulent.
    The ability to authenticate an individual's identity for purposes 
of online activities will become increasingly important as the Internet 
develops. Authentication often requires the combination of various 
sources of data, which is made more difficult (and in some cases, 
impossible) by various regulatory proposals. Some proposals, such as 
requiring consumers have access to their data, would also make it 
easier for fraudsters to access data, thereby making authentication 
more difficult and increasing the risk of fraud.
    If consumers overestimate the risk of online activities--for 
example, as a result of receiving numerous notices of data breaches--
they may be induced to shift their activities offline. This would be 
exactly the wrong thing to do, because the evidence shows that 
consumers would reduce their risks by shifting more of their activities 
online.

                                  
