[Senate Hearing 112-791]
[From the U.S. Government Publishing Office]
S. Hrg. 112-791
THE NEED FOR PRIVACY PROTECTIONS:
PERSPECTIVES FROM THE ADMINISTRATION AND THE FEDERAL TRADE COMMISSION
=======================================================================
HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
__________
MAY 9, 2012
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
U.S. GOVERNMENT PRINTING OFFICE
81-793 WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected].
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii KAY BAILEY HUTCHISON, Texas,
JOHN F. KERRY, Massachusetts Ranking
BARBARA BOXER, California OLYMPIA J. SNOWE, Maine
BILL NELSON, Florida JIM DeMINT, South Carolina
MARIA CANTWELL, Washington JOHN THUNE, South Dakota
FRANK R. LAUTENBERG, New Jersey ROGER F. WICKER, Mississippi
MARK PRYOR, Arkansas JOHNNY ISAKSON, Georgia
CLAIRE McCASKILL, Missouri ROY BLUNT, Missouri
AMY KLOBUCHAR, Minnesota JOHN BOOZMAN, Arkansas
TOM UDALL, New Mexico PATRICK J. TOOMEY, Pennsylvania
MARK WARNER, Virginia MARCO RUBIO, Florida
MARK BEGICH, Alaska KELLY AYOTTE, New Hampshire
DEAN HELLER, Nevada
Ellen L. Doneski, Staff Director
James Reid, Deputy Staff Director
John Williams, General Counsel
Richard M. Russell, Republican Staff Director
David Quinalty, Republican Deputy Staff Director
Rebecca Seidel, Republican General Counsel and Chief Investigator
C O N T E N T S
----------
Page
Hearing held on May 9, 2012...................................... 1
Statement of Senator Rockefeller................................. 1
Statement of Senator Toomey...................................... 2
Statement of Senator Kerry....................................... 4
Statement of Senator Klobuchar................................... 37
Statement of Senator Pryor....................................... 39
Statement of Senator Udall....................................... 43
Witnesses
Hon. Jon D. Leibowitz, Chairman, Federal Trade Commission........ 6
Prepared statement........................................... 8
Hon. Cameron F. Kerry, General Counsel, U.S. Department of
Commerce....................................................... 17
Prepared statement........................................... 18
Hon. Maureen K. Ohlhausen, Commissioner, Federal Trade Commission 27
Prepared statement........................................... 29
Appendix
Response to written questions submitted by Hon. John F. Kerry to:
Hon. Jon D. Leibowitz........................................ 47
Hon. Maureen K. Ohlhausen.................................... 49
Response to written questions submitted by Hon. Amy Klobuchar to:
Hon. Jon D. Leibowitz and Hon. Maureen K. Ohlhausen.......... 53
Hon. Cameron F. Kerry........................................ 53
Response to written questions submitted by Hon. John Thune to:
Hon. Jon D. Leibowitz........................................ 55
Hon. Maureen K. Ohlhausen.................................... 60
Response to written questions submitted by Hon. Marco Rubio to:
Hon. Jon D. Leibowitz........................................ 57
Maureen K. Ohlhausen......................................... 61
THE NEED FOR PRIVACY PROTECTIONS:
PERSPECTIVES FROM THE ADMINISTRATION AND THE FEDERAL TRADE COMMISSION
----------
WEDNESDAY, MAY 9, 2012
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 2:35 p.m. in room
SR-253, Russell Senate Office Building, Hon. John D.
Rockefeller IV, Chairman of the Committee, presiding.
OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV,
U.S. SENATOR FROM WEST VIRGINIA
The Chairman. Good afternoon, and I apologize for being 5
minutes late.
Every day, tens of millions of Americans go online to
search for information. They want to shop. They want to pay
their bills, or they're accessing social networking. To state
the obvious, the Internet has fundamentally transformed every
aspect of our lives.
What is less obvious is the level of information that is
collected about us each time we visit a website or watch a
video or send an e-mail or make a purchase.
Now consumers have had no choice but to place an enormous
amount of trust in the online world, trust that their
information is safe, that it will be secure, and it will be
used appropriately, whatever that means.
But the incentive to misuse consumers' information is very
great. A consumer's personal information is the currency, in
fact, of the web.
The value of this data has created untold riches for those
who have successfully harnessed it. This is not necessarily
bad, as it enables an enormous amount of content to be accessed
for free and allows companies to offer a number of services for
free.
But unfettered collection of consumers' online data poses,
to me, very significant risks.
Right now, consumers have little or no choice in managing
how their online information is collected and how it is used.
Whatever limited choices they do have are often too difficult
to use and muddled by complicated, wordy, privacy policies.
It's, again, your classic health insurance comparison--tiny
writing.
Protecting consumer privacy is critical for companies, and
I understand that. People need to trust the websites that they
are visiting. But online companies are conflicted. They need to
protect consumers' information, but they also need to be able
to monetize their users' data.
I am afraid that in the hypercompetitive online
marketplace, the need to monetize consumers' data and profits
will win out, probably almost every time, over privacy
concerns.
The administration and the Federal Trade Commission have
both recently issued reports on the need for industry to do
more, to protect consumer data, and give consumers control over
how their personal information is used. They have worked to
bring about industry consensus on voluntary actions. This is an
interesting subject, which we will discuss further at another
hearing.
The administration's and the industry's actions are to be
commended, with this respect. But I've learned over many years
that self-regulation is inherently one-sided in many
industries, in many times, in many eras, it's inherently one-
sided, and that consumers' rights always seem to lose out to
the industry's needs.
I believe consumers need strong legal protections. They
need simple and easy-to-understand rules about how, what, and
when their information can be collected and used. They need
easy-to-understand privacy policies rather than pages of
incomprehensible legalese.
We should take up strong, consumer-focused privacy
legislation this year. I do not believe that significant
consensus exists yet on what that legislation should look like,
but I will continue to work with my colleagues on legislation.
As Chairman of this Committee, I will continue to work with
the administration and the FTC, both represented here, to push
the industry to develop and adhere to strong consumer privacy
protections.
I will continue to hold oversight hearings to make sure
that the trust Americans have placed in these companies is
being respected.
I call now on the Ranking Member, my next-door neighbor.
STATEMENT OF HON. PATRICK J. TOOMEY,
U.S. SENATOR FROM PENNSYLVANIA
Senator Toomey. Thank you very much, Mr. Chairman. And
thank you for holding another hearing on the topic of privacy.
It is a very important topic.
As I have said in this committee in the past, I still
remain skeptical of the need for Congress to pass privacy
legislation, or, for that matter, for the FTC to have increased
authority to enforce new privacy rules, regulations, or
principles on the private sector.
It seems to me that neither this committee nor the FTC nor
the Commerce Department fully understands what consumers'
expectations are when it comes to their online privacy.
Consumer expectations of privacy can vary based on a particular
application they're using or by the general privacy preference
of any given individual consumer.
It's important that companies have maximum flexibility to
work with their customers to ensure their customers' needs and
preferences are met, and that the application or service
functions as consumers expect.
As the recent FTC report correctly points out, companies
are already currently competing on privacy and are promoting
services as having stronger privacy protections than what is
being offered by marketplace rivals, for instance. This is a
sign of a healthy, functioning, and competitive market. This
type of competition is something that we should be encouraging.
Overly restrictive privacy rules and regulations handed
down from Washington may threaten this innovation by shifting
the incentives to compliance over competition. I don't think
anyone desires such a result, which is why I caution my
colleagues and the administration to proceed with caution.
Proponents of Federal privacy legislation and of granting
the FTC authority to regulate online activity really should
clearly demonstrate the market failure and consumer harm that
they seek to address.
The benefits of online tracking and data collection are
very clear. Facebook is free. Gmail is free. Google Maps is
free. There are thousands of mobile device applications that
are free.
It's often said that information is the currency of the
Internet. A detailed, cost-benefit analysis of a Do Not Track
regulation or other new privacy rules would better inform our
discussion. But to my knowledge, one has not been completed.
We need to fully understand the impact these proposals will
have on the marketplace and on the many online services
consumers have come to expect for free or at a minimal cost.
Less information available is very likely to result in
fewer, free online services and an increase in pay walls. I
think it's irresponsible for the Federal Government to require
companies to radically alter a successful business model that
has provided many consumer benefits without knowing all the
facts first.
I also question whether specific consumer harms currently
occurring in the marketplace cannot be addressed under the
FTC's current statutory authority. Section 5 of the FTC Act
grants the Commission broad authority to investigate unfair or
deceptive acts or practices, and the Commission has brought
enforcement actions using this authority.
In fact, the Commission highlights a number of these
enforcement actions in the beginning of its recently released
report.
When the Commission sees what it believes to be unfair or
deceptive practices, it has acted. Just yesterday, it was
reported that the FTC and MySpace reached a privacy settlement
that will subject the company to biennial privacy assessments
for the next 20 years.
In addition, Google and Facebook recently entered into
consent decrees that subject the companies to outside audits
for two decades. I have not yet heard a persuasive argument as
to why the FTC needs even greater authority.
And last, I find it interesting that the Commission seems
very concerned about consumer trust in the private sector.
Consumer trust is very, very important. But there's no one for
whom it's more important than the company that's hoping to
attract and maintain customers. So I think trust in the
marketplace is something that the marketplace tends to sort out
pretty well.
Companies in all sectors of the economy have a powerful
interest in building a strong, trusting relationship with their
customers. If consumers don't trust company A, they quickly
flee to company B. In the online space, this incentive is even
stronger.
The Internet has made leaving one company or service
provider for another very easy. It can often be done at little
or no cost. As one major online company likes to say, the
Internet is where ``competition is one click away.''
While this is an important topic and certainly worthy of
our consideration, I do think it's premature to begin
discussing specific legislative fixes or increased FTC
authority when we don't fully know whether or not and to what
extent the problem exists.
I look forward to hearing from our witnesses today. I thank
them for coming, and I thank you, Mr. Chairman.
The Chairman. Thank you very much, Senator Toomey.
And I call now on the Chairman of the Subcommittee that
works this, and that is Senator John Kerry.
STATEMENT OF HON. JOHN F. KERRY,
U.S. SENATOR FROM MASSACHUSETTS
Senator Kerry. Thank you very much, Mr. Chairman. I
appreciate it. And I certainly appreciate this hearing.
And I think this hearing can help, as a couple of prior
hearings have.
I think the record is already fairly clear, Senator Toomey,
if I may say, that a lot of the questions you've raised have
actually been addressed in those hearings. And I think there's
been a pretty powerful showing with respect to both the ability
to have a privacy standard as well as the need for the privacy
standard, without affecting those applications and the free
access and all the other things you're talking about. And I
think the record will reflect that.
I'm delighted that we have the Chair of the Federal Trade
Commission and one of the commissioners from the Commission
here with us today.
And obviously, I'm delighted to welcome my own brother, who
carries either the burden or privilege of being so. But I'm
glad that he's here today representing the Commerce Department.
He's been working on this under two different secretaries now,
as have many of us here on the Committee.
So I know that in his capacity as the General Counsel,
together with the Chair, they are going to set out today the
final findings of both the Commerce Department and the Federal
Trade Commission with respect to this question.
It is not unimportant, I think, that both the Commerce
Department and the Federal Trade Commission, frankly, together
with most of the privacy experts in the country, have all come
to the conclusion that we need to have a privacy law with
respect to providing protection to individuals in commerce.
And I think that the distinction, Senator Toomey, is that
the privacy experts have all come to that conclusion.
Obviously, some of the companies have not and don't share it.
And the reason for that is very simple. In the information
economy, the more that a company knows about you, the more
valuable you are to them, whether you have consented to that or
not. And they are collecting more than simply the information
that you type in. And a lot of Americans aren't necessarily
aware of that.
These companies watch your behavior, and they measure your
behavior--how long you linger on a site, your specific
searches. A lot of people think they're just going in and
searching privately. Somebody's watching you. Somebody's
tracking you.
You know, you wouldn't feel particularly good if you had a
private investigator trailing you through the mall, looking at
every single receipt that you get and everything you peruse and
look at and ask for. That's essentially what's happening here.
You don't have privacy. They analyze and enhance that data,
and then they reach a conclusion about you.
Using that information, these data scientists, are creating
enormous wealth, often producing innovative products, we agree,
and services. But there is nothing to stop them from doing the
creation of those products and services with the consent of
people who want to be part of that, or without necessarily the
detail of those who do not.
So what's the harm? Senator Toomey sort of asked the
question today: what's the harm of what can happen to you
without your knowledge, consent, or active participation, and
where there are no limits to what can be collected and where
you have no right to access what is being collected about you?
It seems to me the more conservative position here is,
frankly, to protect the individual in America, not to protect
the right of people to invade your space without your knowing
it.
So if it's not properly secured, that information can
actually harm you, number one, through identity theft. And even
if it is properly secured, it can be used to categorize you
inaccurately or in ways that you don't wish to be categorized,
exposing you to either reputational harm or to unwanted
targeting.
For example, by analyzing your buying habits, a retailer
may know that you're pregnant before you even tell anyone, may
begin to send you advertising based on medical status, or on
your ethnicity or on your age. And corresponding behavior can
then be used to target you in different ways than other
populations may be targeted, and maybe you don't want to be
targeted or analyzed in that particular way.
Or as in the case of the Google Wi-Fi collection, your
private communications, including sensitive conversations, can
be easily captured exposing aspects of your life to companies
that are simply nobody's business.
But when information collected about you is used to make
your buying experience better or serve you better, you'll find
a majority of the people have absolutely no problem consenting
to that kind of use.
But the collector ought to have the right to make that
judgment, the value proposition with respect to the consumer.
Most Americans don't have any awareness that there's no
general law of privacy in commerce in the U.S. today governing
these transactions. And when it's brought to their attention,
they say they want one. Our largest trading partners have such
laws built on the European standard.
But I believe it's important for us to set our own
standard, something that could, in fact, be more flexible and
more stakeholder-driven and less punitive than what exists in
Europe today, but just as capable of delivering strong privacy
protections.
So in keeping with the spirit that the United States
normally doesn't wait for someone else to set the standard and
then borrow it, we ought to be setting our own standard. The
final agency reports that have been issued recently agree that
we ought to lay out a blueprint of privacy principles for
legislation.
Senator John McCain and I have agreed on one approach. And
I introduced that approach with him more than a year ago. It
reflects each of the principles that are being put forward in
the analyses today, as well as the concept of a safe harbor for
a flexible application of the code of conduct to different
kinds of businesses.
I think all of us know that consumers in the United States
are very smart. They'll consent to reasonable and useful data
collection and use practices, particularly if they think it
enhances their buying and life experience.
But the most important principle we want to reinforce here
is that the individual consumer has the right to make that
decision.
So can we get there? I think it's up to the members of this
committee on both sides of the Committee. The bipartisan
proposal that Senator McCain and I offered up is, as I said,
it's not the only way to approach this. We're ready to
negotiate. And I think we ought to compromise in this effort to
reach sort of a fair standard.
But we need to get down to that discussion, because we
really can't afford another year of delay, which may in the end
wind up putting America into a default position on this, which
would be far less flexible, thoughtful, and sensitive to our
own business interests.
And I think that Americans ought to know that Congress
believes that, in the digital age, every individual American
has a right to an expectation of privacy.
I hope we can find that way forward, Mr. Chairman.
The Chairman. Thank you very much, Senator Kerry.
I want to proceed now to our witnesses, and we'll have
ample time for questioning, and other members will be coming
and leaving.
My preference of order would be to start with the Hon. John
Leibowitz, who is the Chairman of the Federal Trade Commission.
Then Hon. Ohlhausen, I'm going to skip over you to the guy who
is General Counsel to the Department of Commerce, who is
somehow related to Senator Kerry. And then come back to you as
a cleanup. Is that all right?
Ms. Ohlhausen. Certainly.
The Chairman. So let's start with Chairman Leibowitz.
STATEMENT OF HON. JON D. LEIBOWITZ, CHAIRMAN,
FEDERAL TRADE COMMISSION
Mr. Leibowitz. Thank you, Chairman Rockefeller, Senator
Toomey, Senator Kerry, Senator Pryor, Senator Klobuchar, and
Senator Ayotte. I appreciate the opportunity to present the
Commission's testimony on consumer privacy, alongside our
newest Commissioner, Maureen Ohlhausen, as well as my friend
Cam Kerry.
The Commission commends the recent privacy efforts by the
Department of Commerce, as well as the bipartisan leadership
your committee has shown on consumer privacy issues. Though
most of my remarks today will concern privacy policy and
especially Do Not Track, the FTC is primarily an enforcement
agency, and Commissioner Ohlhausen will describe our recent
enforcement efforts.
Mr. Chairman, imagine a cash-strapped college student
working part-time to keep up with tuition payments. To make
ends meet, she applies online for a loan and obtains it at a
favorable rate. But she also goes online because her father
suffers from depression, so she wants to research symptoms and
potential treatments.
Soon after, in the mail, she receives another loan offer,
this time from a payday lender at a much higher rate. In the
evening, she spends time relaxing by catching up with friends'
posts on a social network. While online, she notices she's
receiving ads for medication for stress and depression, as well
as more loan offers.
Could the lender have sold the information about her need
for money to payday lenders, who are now offering her loans?
Could the fact that she researched depression be sold to or
shared with potential employers or insurers? Can these
exchanges of information occur without the consumers' consent
or even awareness?
The answer to all these questions is yes.
Of course, the college student benefits from quick
responses to loan applications, free access to health
information, and an easy way to keep up with her friends and
family.
But as Senator Kerry noted in his opening statement, the
vast majority of Americans simply have no knowledge that their
financial, health, and other personal information may be sold
to data brokers, lead generators, lenders, insurance companies,
potential employers, and, really, just about anybody else. Most
consumers are entirely unaware of the vast amounts data about
them being collected, sold, and used both online and offline.
Now, we at the Commission applaud--applaud--the Internet
innovation that has created enormous benefits for consumers and
the advertising ecosystem that has provided free content and
services, the ones that we have all come to expect and enjoy.
But as the Nation's privacy protection agency, we are also
concerned that some practices by some companies may adversely
affect Americans and their critical rights to privacy.
At the FTC, we have been thinking about this issue for more
than a decade. We recently released our final privacy report
that sets forth what we in the public and private sectors
should do to make sure that the right to privacy remains robust
for all Americans.
The short answer is the consumer should have more choice
and more control. And to ensure that control, our report lays
out three simple but powerful principles for companies to
follow in handling personal data.
This is guidance. It is not a regulation.
First, incorporate privacy protections into products as
they are developed. That is privacy by design. Second, offer
consumers choice and control over how their data is collected
and used. And third, provide more transparency; that is, better
explanations to consumers about how their data is handled by
companies.
The final report also recommends that Congress consider
enacting general privacy legislation, as well as specific
statutes addressing data security and data brokers. Data
brokers often hold a wealth of information about consumers but
remain utterly invisible to them.
In addition, our report calls for a Do Not Track mechanism,
one that is easy to use and persistent, to enable consumers to
control the collection of information about their activities
across websites. And it's worth emphasizing here that your
computer is your property.
And as the first chairman I served with, Republican Deborah
Majoras, used to say, ``people shouldn't be putting things in
your computer without your consent.'' And I think that is
fundamentally, a conservative notion.
In the last year, industry has made strides toward
finalizing a meaningful Do Not Track system, as you know, Mr.
Chairman. Indeed, at this point, we are no longer asking
whether Do Not Track will exist, but only how it will be
implemented. We're optimistic that, with the encouragement of
this committee and especially you, Mr. Chairman, a Do Not Track
mechanism that allows consumers to control the collection of
their browsing information, with limited exceptions--for
example, to prevent fraud--will be in place by the end of the
year.
And just going back to the discussion between Senator
Toomey and Senator Kerry, Do Not Track, of course, will be run
by industry. It won't be run like the Government runs Do Not
Call.
Of course, vigorous enforcement remains a top priority for
our agency, as Commissioner Ohlhausen will describe in more
detail. Just this week, we announced a case against the social
network MySpace. The FTC complaint alleged that MySpace shared
personal user information with advertisers after promising that
it would not. The proposed settlement order prohibits MySpace
from making any privacy misrepresentations and requires it to
create a comprehensive privacy program, and undergo third party
audits. Simply put, this case, as well as others that we
brought, stands for the proposition that we will hold companies
accountable for their privacy commitments.
We appreciate the leadership of you, Chairman Rockefeller,
and this committee. And we look forward to continuing to work
with Congress, the administration, industry, and other
stakeholders, on privacy protection going forward. Thank you.
[The prepared statement of Mr. Leibowitz follows:]
Prepared Statement of the Federal Trade Commission
Introduction
Chairman Rockefeller, Ranking Member Hutchison, and members of the
Committee, I am Jon Leibowitz, Chairman of the Federal Trade Commission
(``FTC'' or ``Commission'').\1\
---------------------------------------------------------------------------
\1\ The views expressed in this statement represent the views of
the Commission, with Commissioner J. Thomas Rosch dissenting and
Commissioner Maureen K. Ohlhausen not participating. My oral
presentation and responses to questions are my own and do not
necessarily represent the views of the Commission or any other
Commissioner.
---------------------------------------------------------------------------
We are pleased to be testifying today alongside General Counsel
Cameron Kerry of the Department of Commerce and the newest member of
the FTC, Commissioner Maureen Ohlhausen. The Commission supports the
privacy efforts and approach developed by the Department of Commerce,
and we look forward to working with the Department of Commerce, the
Administration, and Congress as they move forward in their efforts in
this arena. Members of this Committee in particular have demonstrated
that they understand how important it is that consumers'--and
especially children and teens'--personal data be treated with care and
respect.
This is a critical juncture for consumer privacy, as the
marketplace continues to rapidly evolve and new approaches to privacy
protection are emerging in the United States and around the world.
After careful consideration, the Commission recently released the final
privacy report (``Final Report''). The Final Report sets forth best
practices for businesses to guide current efforts to protect consumer
privacy while ensuring that companies can continue to innovate. The
Commission urges industry to use this guidance to improve privacy
practices and accelerate the pace of self-regulation. Importantly, we
have seen promising developments by industry toward a Do Not Track
mechanism and we ask the Committee to continue to encourage industry to
move towards full implementation. The Report also calls on Congress to
consider enacting general privacy legislation. We reiterate today our
call to Congress to enact legislation requiring companies to implement
reasonable security measures and notify consumers in the event of
certain security breaches, as well as targeted legislation that would
provide consumers with access to information about them held by data
brokers.
Privacy has been a key part of the Commission's consumer protection
mission for more than 40 years. Throughout, the Commission's goal has
remained constant: to protect consumers' personal information and
ensure that they have the confidence to take advantage of the many
benefits offered by the dynamic and ever-changing marketplace. To meet
this objective, the Commission has undertaken substantial efforts to
promote privacy in the private sector through law enforcement,
education, and policy initiatives. For example, since 2001, the
Commission has brought 36 data security cases; more than 100 spam and
spyware cases; and 18 cases for violation of the Children's Online
Privacy Protection Act (``COPPA''). The Commission has also brought
highly publicized privacy cases against companies such as Google and
Facebook and, most recently, Myspace. The Commission has distributed
millions of copies of educational materials for consumers and
businesses to address ongoing threats to security and privacy. And the
FTC continues to examine the implications of new technologies and
business practices on consumer privacy through ongoing policy
initiatives, such as the Commission's Final Report.
This testimony begins by describing the Commission's Final Report.
It then offers an overview of other recent policy efforts in the areas
of privacy and data security and concludes by discussing the
Commission's recent enforcement and education efforts.
II. Final Privacy Report
The FTC recently released its Final Report, setting forth best
practices for companies that collect and use consumer data.\2\ These
best practices can assist companies as they develop and maintain
processes and systems to operationalize privacy and data security
practices within their businesses. To the extent these best practices
exceed existing legal requirements, they are not intended to serve as a
template for law enforcement or regulations under laws currently
enforced by the FTC.\3\
---------------------------------------------------------------------------
\2\ FTC, Protecting Consumer Privacy in an Era of Rapid Change:
Recommendations for Businesses and Policymakers (Mar. 2012), available
at http://www.ftc.gov/os/2012/03/1203
26privacyreport.pdf. Commissioner Rosch dissented from the issuance of
the Final Privacy Report. He agrees that consumers ought to be given a
broader range of choices and applauded the Report's call for targeted
legislation regarding data brokers and data security. However,
Commissioner Rosch has four major concerns about the privacy framework
because he believes that: (1) in contravention of our promises to
Congress, it is based on an improper reading of our consumer protection
``unfairness'' doctrine; (2) the current state of ``Do Not Track''
still leaves unanswered many important questions; (3) ``opt-in'' will
necessarily be selected as the de facto method of consumer choice for a
wide swath of entities; and (4) although characterized as only ``best
practices,'' the Report's recommendations may be construed as Federal
requirements. See http://www.ftc.gov/os/2012/03/120326privacyreport.pdf
at Appendix C.
\3\ Information on the FTC's privacy initiatives generally may be
found at business.ftc.gov/privacy-and-security.
---------------------------------------------------------------------------
The Final Report supports the three key principles laid out in the
preliminary staff report.\4\ Companies should adopt a ``privacy by
design'' approach by building privacy protections into their everyday
business practices. Such protections include providing reasonable
security for consumer data, collecting only the data needed for a
specific business purpose, retaining data only as long as necessary to
fulfill that purpose, safely disposing of data no longer in use, and
implementing reasonable procedures to promote data accuracy.
---------------------------------------------------------------------------
\4\ The Commission received over 450 public comments from various
stakeholders in response to the preliminary report, which were highly
informative to the Commission as it refined the final framework.
---------------------------------------------------------------------------
Companies also should provide simpler and more streamlined choices
to consumers about their data practices. Companies do not need to
provide choice before collecting and using consumers' data for
practices that are consistent with the context of the transaction, the
company's relationship with the consumer, or as required or
specifically authorized by law. For all other data practices, consumers
should have the ability to make informed and meaningful choices at a
relevant time and context and in a uniform and comprehensive way. The
Commission advocated such an approach for online behavioral tracking--
often referred to as ``Do Not Track''--that is discussed in more detail
below.
Finally, companies should take steps to make their data practices
more transparent to consumers. For instance, companies should improve
their privacy disclosures and work toward standardizing them so that
consumers, advocacy groups, regulators, and others can compare data
practices and choices across companies, thus promoting competition
among companies. Consumers should also have reasonable access to the
data that companies maintain about them, particularly for non-consumer-
facing entities such as data brokers, as discussed in more detail
below. The extent of access should be proportional to the volume and
sensitivity of the data and to its intended use.
In addition, the Final Report makes general and specific
legislative recommendations. The Report supports the development of
general privacy legislation to ensure basic privacy protections across
all industry sectors, and can inform Congress, should it consider such
privacy legislation.\5\ The Commission recommends that any such
legislation be technologically neutral and sufficiently flexible to
allow companies to continue to innovate. In addition, the Commission
believes that any legislation should allow the Commission to seek civil
penalties to deter statutory violations. Such legislation would provide
businesses with the certainty they need to understand their obligations
as well as the incentive to meet those obligations, while also assuring
consumers that companies will respect their privacy. We believe this
approach would foster an environment that allows businesses to innovate
and consumers to embrace those innovations without risking their
privacy. The Final Report also calls on Congress to enact legislation
requiring companies to implement reasonable security measures and
notify consumers in the event of certain security breaches,\6\ as well
as targeted legislation for data brokers, discussed below. We look
forward to working with Congress and other stakeholders to craft this
legislation.
---------------------------------------------------------------------------
\5\ Earlier this year, the Administration released its final
``White Paper'' on consumer privacy, recommending that Congress enact
legislation to implement a Consumer Privacy Bill of Rights. See
Consumer Data Privacy in a Networked World: A Framework for Protecting
Privacy and Promoting Innovation in the Global Digital Economy (Feb.
2012), available at http://www.whitehouse.gov/sites/default/files/
privacy-final.pdf.
\6\ The Commission has long supported such Federal data security
and breach notice laws. See, e.g., Prepared Statement of the FTC, Data
Security: Hearing Before the H. Comm. on Energy and Commerce, Subcomm.
on Commerce, Manufacturing, and Trade, 112th Cong. (June 15, 2011),
available at http://www.ftc.gov/os/testimony/
110615datasecurityhouse.pdf; Prepared Statement of the FTC, Protecting
Social Security Numbers From Identity Theft: Hearing Before the Before
the H. Comm. on Ways and Means, Subcomm. on Social Security, 112th
Cong. (Apr. 13, 2011), available at http://ftc.gov/os/testimony/
110411ssn-idtheft.pdf; FTC, Security in Numbers, SSNs and ID Theft
(Dec. 2008), available at http://www.ftc.gov/os/2008/12/
P075414ssnreport.pdf; and President's Identity Theft Task Force,
Identity Theft Task Force Report (Sept. 2008), available at http://
www.idtheft.gov/reports/IDTReport2008.pdf.
---------------------------------------------------------------------------
The Report's recommendations broadly address the commercial use of
consumer information, both online and offline, by businesses. Below, we
highlight two specific issues addressed in the Report--Do Not Track and
data brokers.
A. Do Not Track
The Final Report advocates the continued implementation of a
universal, one-stop mechanism to enable consumers to control the
tracking of their online activities across websites, often referred to
as ``Do Not Track,'' which the Commission first called for in December
2010 and Chairman Rockefeller has sought through his legislative
proposal.\7\ We recognize the benefits to such online data collection,
including more relevant advertising and free online content that
consumers have come to expect and enjoy. However, we have concerns that
too many consumers either do not understand they are trading their
privacy for free online content or have not made an informed choice to
do so.
---------------------------------------------------------------------------
\7\ Do Not Track is intended to apply to third-party tracking of
consumers because third-party tracking is inconsistent with the context
of a consumer's interaction with a website; by contrast, most first-
party marketing practices are consistent with the consumer's
relationship with the business and thus do not necessitate consumer
choice.
---------------------------------------------------------------------------
The Commission commends industry efforts to improve consumer
control over behavioral tracking in response to our calls. As industry
explores technical options and implements self-regulatory programs, and
as Congress examines Do Not Track, the Commission continues to believe
that an effective Do Not Track system should include five key
principles. First, a Do Not Track system should be implemented
universally to cover all parties that would track consumers. Second,
the choice mechanism should be easy to find, easy to understand, and
easy to use. Third, any choices offered should be persistent and should
not be overridden if, for example, consumers clear their cookies or
update their browsers. Fourth, a Do Not Track system should be
comprehensive, effective, and enforceable. It should opt consumers out
of behavioral tracking through any means and not permit technical
loopholes.\8\ Fifth, an effective Do Not Track system should go beyond
simply opting consumers out of receiving targeted advertisements; it
should opt them out of collection of behavioral data for all purposes
other than those that would be consistent with the context of the
interaction (e.g., preventing click-fraud or frequency capping for
ads). Such a mechanism should be different from the Do Not Call program
in that it should not require the creation of a ``Registry'' of unique
identifiers, which could itself cause privacy concerns. And unlike the
Do Not Call Registry, a Do Not Track mechanism should be implemented by
the private sector.
---------------------------------------------------------------------------
\8\ For example, the FTC brought an action against a company that
told consumers they could opt out of tracking by exercising choices
through their browsers; however, the company used Flash cookies for
such tracking, which consumers could not opt out of through their
browsers. In the Matter of ScanScout, Inc., FTC Docket No. C-4344 (Dec.
21, 2011) (consent order), available at http://www.ftc.gov/os/caselist/
1023185/111221scanscoutdo.pdf.
---------------------------------------------------------------------------
Early on, the companies that develop web browsers stepped up to the
challenge to give consumers choices about how they are tracked online,
sometimes known as the ``browser header'' approach. When consumers
enable Do Not Track, the browser transmits the header to all types of
entities, including advertisers, analytics companies, and researchers,
that track consumers online. Just after the FTC's call for Do Not
Track, Microsoft developed a system to let users of Internet Explorer
prevent tracking by different companies and sites.\9\ Mozilla
introduced a Do Not Track privacy control for its Firefox browser that
an impressive number of consumers have adopted.\10\ Apple subsequently
included a similar Do Not Track control in Safari.\11\
---------------------------------------------------------------------------
\9\ Press Release, Microsoft, Providing Windows Customers with More
Choice and Control of Their Privacy Online with Internet Explorer 9
(Dec. 7, 2010), available at www.microsoft.com/presspass/features/2010/
dec10/12-07ie9privacyqa.mspx.
\10\ The Mozilla Blog, Mozilla Firefox 4 Beta, Now Including ``Do
Not Track'' Capabilities (Feb. 8, 2011), blog.mozilla.com/blog/2011/02/
08/mozilla-firefox-4-beta-now-including-do-not-track-capabilities/;
Alex Fowler, Do Not Track Adoption in Firefox Mobile is 3x Higher
than Desktop, Mozilla Privacy Blog (Nov. 2, 2011), http://
blog.mozilla.com/privacy/2011/11/02/do-not-track-adoption-in-firefox-
mobile-is-3x-higher-than-desktop/.
\11\ Nick Wingfield, Apple Adds Do-Not-Track Tool to New Browser,
Wall St. J., Apr. 13, 2011, available at http://online.wsj.com/article/
SB10001424052748703551304576261272308358858
.html. Google has taken a slightly different approach--providing
consumers with a browser extension that opts them out of most
behavioral advertising on a persistent basis. Sean Harvey & Rajas
Moonka, Keep Your Opt Outs, Google Public Policy Blog (Jan. 24, 2011),
http://googlepublicpolicy.blogspot.com/2011/01/keep-your-opt-outs.html.
---------------------------------------------------------------------------
The online advertising industry, led by the Digital Advertising
Alliance (``DAA''), has also led efforts by implementing a behavioral
advertising opt-out program. The DAA's accomplishments are notable: it
has developed a notice and choice mechanism through a standard icon in
ads and on publisher sites; deployed the icon broadly, with reportedly
over 900 billion impressions served each month; obtained commitments to
follow the self-regulatory principles from advertisers, ad networks,
and publishers that represent close to 90 percent of the online
behavioral advertising market; and established an enforcement mechanism
designed to ensure compliance with the principles.\12\ The DAA is also
working to address one of the long-standing criticisms of its
approach--how to limit secondary use of collected data so that the
consumer opt-out extends beyond simply blocking targeted ads and to the
collection of information for other purposes. The DAA has released
principles that include limitations on the collection of tracking data
and prohibitions on the use or transfer of the data for employment,
credit, insurance, or health care eligibility purposes.\13\ The DAA is
now working to fully implement these principles. Just as important, the
DAA recently moved to address some persistence and usability criticisms
of its icon-based opt out by committing to honor the tracking choices
consumers make through their browser settings.\14\
---------------------------------------------------------------------------
\12\ Peter Kosmala, Yes, Johnny Can Benefit From Transparency &
Control, Self-Regulatory Program for Online Behavioral Advertising,
http://www.aboutads.info/blog/yes-johnny-can-benefit-transparency-and-
control (Nov. 3, 2011); see also Press Release, Digital Advertising
Alliance, White House, DOC and FTC Commend DAA's Self-Regulatory
Program to Protect Consumers Online Privacy (Feb. 23, 2012), available
at http://www.aboutads.info/resource/download/
DAA%20White%20House%20Event.pdf.
\13\ Digital Advertising Alliance, About Self-Regulatory Principles
for Multi-Site Data (Nov. 2011), available at http://www.aboutads.info/
resource/download/Multi-Site-Data-Principles
.pdf.
\14\ Press Release, Digital Advertising Alliance, DAA Position on
Browser Based Choice Mechanism (Feb. 22, 2012), available at http://
www.aboutads.info/resource/download/DAA
.Commitment.pdf.
---------------------------------------------------------------------------
At the same time, the World Wide Web Consortium (``W3C''), an
Internet standards-setting body, has convened a broad range of
stakeholders to create an international, industry-wide standard for Do
Not Track, including DAA member companies; other U.S. and international
companies; industry groups; and public interest organizations. The W3C
group has done admirable work to flesh out how to make a Do Not Track
system practical in both desktop and mobile settings as reflected in
two public working drafts of its standards.\15\ Some important issues
remain, and the Commission encourages all of the stakeholders to work
within the W3C group to resolve these issues.
---------------------------------------------------------------------------
\15\ See Press Release, W3C, Two Drafts Published by the Tracking
Protection Working Group (Mar. 13, 2012), available at http://
www.w3.org/News/2012#entry-9389; Press Release, W3C, W3C Announces
First Draft of Standard for Online Privacy (Nov. 14, 2011), available
at http://www.w3.org/2011/11/dnt-pr.html.en.
---------------------------------------------------------------------------
While work remains to be done on Do Not Track, the Commission
believes that the developments to date, coupled with legislative
proposals, provide the impetus towards an effective implementation of
Do Not Track. The advertising industry, through the DAA, has committed
to deploy browser-based technologies for consumer control over online
tracking, alongside its ubiquitous icon program. The W3C process,
thanks in part to the ongoing participation of DAA member companies,
has made substantial progress toward specifying a consensus consumer
choice system for tracking that is practical and technically
feasible.\16\ The Commission anticipates continued progress in this
area as the DAA members and other key stakeholders continue discussions
within the W3C process to work to reach consensus on a Do Not Track
system in the coming months.
---------------------------------------------------------------------------
\16\ A system practical for both businesses and consumers would
include, for users who choose to enable Do Not Track, significant
controls on the collection and use of tracking data by third parties,
with limited exceptions for functions such as security de-identified
data, and frequency capping. As noted above, a website's sharing of
behavioral information with third parties is not consistent with the
context of the consumer's interaction with the website and would be
subject to choice. Do Not Track is one way for users to express this
choice.
---------------------------------------------------------------------------
B. Data Brokers
The Final Report recommends that companies provide consumers with
reasonable access to the data maintained about them. The extent of such
access should be proportionate to the sensitivity of the data and the
nature of its use.
The Final Report addresses the particular importance of consumers'
ability to access information that data brokers have about them. Data
brokers are companies that collect information, including personal
information about consumers, from a wide variety of sources in order to
resell such information for a variety of purposes, including verifying
an individual's identity, differentiating one consumer's records from
another's, marketing products, and preventing financial fraud. Such
entities often have a wealth of information about consumers without
interacting directly with them. Data brokers can compile data that can
be used to benefit consumers, such as to help authenticate consumers in
order to prevent identity theft or provide them with relevant offers
and deals for products and services. However, consumers are often
unaware of the existence of these entities, as well as the purposes for
which they collect and use data.\17\
---------------------------------------------------------------------------
\17\ As noted above, in connection with online tracking, it is
generally inconsistent with the context of the interaction for a
consumer-facing entity to share the consumer's data with a third party.
Accordingly, such transfers of personal information would be subject to
choice.
---------------------------------------------------------------------------
The Commission has monitored data brokers since the 1990s, hosting
workshops, drafting reports, and testifying before Congress about the
privacy implications of data brokers' practices.\18\ Following a
Commission workshop, data brokers created the Individual References
Services Group (IRSG), a self-regulatory organization for certain data
brokers that set forth principles to restrict availability to certain
non-public information.\19\ The industry ultimately terminated this
organization. Although a series of public breaches--including one
involving ChoicePoint--led to renewed scrutiny of the practices of data
brokers,\20\ there have been no meaningful broad-based efforts to
implement self-regulation in this area in recent years.
---------------------------------------------------------------------------
\18\ See, e.g., Prepared Statement of the FTC, Identity Theft:
Recent Developments Involving the Security of Sensitive Consumer
Information: Hearing Before the S. Comm. on Banking, Housing, and Urban
Affairs, 109th Cong. (Mar. 10, 2005), available at http://www.ftc.gov/
os/testimony/050310idtheft.pdf; see also FTC Workshop, The Information
Marketplace: Merging & Exchanging Consumer Data (Mar. 13, 2001),
available at http://www.ftc.gov/bcp/workshops/infomktplace/index.shtml;
FTC Workshop, Information Flows: The Costs and Benefits to Consumers
and Businesses of the Collection and Use of Consumer Information (June
18, 2003), available at http://www.ftc.gov/bcp/workshops/infoflows/
030618agenda.shtm.
\19\ See FTC, Individual Reference Services, A Report to Congress
(1997), available at http://www.ftc.gov/bcp/privacy/wkshp97/
irsdoc1.htm.
\20\ See Prepared Statement of the FTC, Protecting Consumers' Data:
Policy Issues Raised by ChoicePoint: Hearing before H. Comm. on Energy
& Commerce, Subcomm. on Commerce, Trade, and Consumer Protection, Comm.
on Energy & Commerce, 109th Cong. (Mar. 15, 2005), available at http://
www.ftc.gov/os/2005/03/050315protectingconsumerdata.pdf.
---------------------------------------------------------------------------
To improve the transparency of the practices of data brokers, the
Final Report proposes that data brokers, like all companies, provide
consumers with reasonable access to the data they maintain. Because
most data brokers are invisible to consumers, however, the Commission
makes two additional recommendations as to these entities.
The Commission has long supported legislation that would give
access rights to consumers for information held by data brokers.\21\
For example, Senator Pryor and Chairman Rockefeller's S.1207 includes
provisions to establish a procedure for consumers to access information
held by data brokers.\22\ The Commission continues to support
legislation in this area to improve transparency of the industry's
practices.\23\
---------------------------------------------------------------------------
\21\ See, e.g., Prepared Statement of the FTC, Legislative Hearing
on H.R. 2221, the Data Accountability and Protection Act, and H.R.
1319, the Informed P2P User Act: Hearing Before the H. Comm. on Energy
and Commerce, Subcomm. on Commerce, Trade, and Consumer Protection,
111th Cong. (May 5, 2009), available at http://www.ftc.gov/os/2009/05/
P064504peerto
peertestimony.pdf.
\22\ Data Security and Breach Notification Act of 2011, S. 1207,
112th Congress (2011); see also Data Accountability and Trust Act, H.R.
1707, 112th Congress (2011); Data Accountability and Trust Act of 2011,
H.R. 1841, 112th Congress (2011).
\23\ See, e.g., Prepared Statement of the FTC, Data Security:
Hearing Before the H. Comm. on Energy and Commerce, Subcomm. on
Commerce, Manufacturing, and Trade, 112th Cong. (May 4, 2011),
available at http://www.ftc.gov/opa/2011/05/pdf/
110504datasecurityhouse.pdf; Prepared Statement of the FTC, Data
Security: Hearing Before the H. Comm. on Energy and Commerce, Subcomm.
on Commerce, Manufacturing, and Trade, 112th Cong.(June 15, 2011),
available at http://www.ftc.gov/os/testimony/
110615datasecurityhouse.pdf; Prepared Statement of the FTC, Protecting
Consumers in the Modern World: Hearing Before the S. Comm. on Commerce,
Science, and Transportation, 112th Cong. (June 29, 2011), available at
http://www.ftc.gov/os/testimony/110629privacytestimonybrill.pdf.
---------------------------------------------------------------------------
The Commission also recommends that the data broker industry
explore the possibility of creating a centralized website where data
brokers could identify themselves to consumers, describe how they
collect consumer data, and disclose the types of companies to which
they sell the information.\24\ The Commission staff intends to discuss
with relevant companies how this website could be developed and
implemented voluntarily, to increase the transparency and provide
consumers with tools to opt out.\25\
---------------------------------------------------------------------------
\24\ See, e.g., Tanzina Vega & Edward Wyatt, U.S. Agency Seeks
Tougher Consumer Privacy Rules, N.Y. Times, Mar. 26, 2012, available at
http://www.nytimes.com/2012/03/27/business/ftc-seeks-privacy-
legislation.html?pagewanted=all (`` `It's not an unreasonable request
to have more transparency among data brokers.' '') (quoting Jennifer
Barrett Glasgow, Chief Privacy Officer for Acxiom).
\25\ The current website of the Direct Marketing Association (DMA)
offers an instructive model for such a website. The DMA--which consists
of data brokers, retailers, and others--currently offers a service
through which consumers can opt out of receiving marketing
solicitations via particular channels, such as direct mail, from DMA
member companies. See DMAChoice, http://www.dmachoice.org/dma/member/
home.action.
---------------------------------------------------------------------------
III. Other Policy Initiatives
In addition, the Commission holds public workshops and issues
reports to examine the implications of new technologies and business
practices on consumer privacy. We outline four notable examples below.
First, in February 2012, the Commission released a staff report on
mobile applications (``apps'') for children.\26\ The report found that
in virtually all cases, neither app stores nor app developers provide
disclosures that tell parents what data apps collect from children, how
apps share it, and with whom. The report recommends that all members of
the children's app ecosystem--the stores, developers and third parties
providing services--should play an active role in providing key
information to parents.\27\ The report also encourages app developers
to provide information about data practices simply and succinctly. The
Commission has already reached out to work with industry to provide
parents with the information they need, and some industry participants
have taken positive steps to improve disclosures going forward.
---------------------------------------------------------------------------
\26\ FTC Staff Report, Mobile Apps for Kids: Current Privacy
Disclosures are Disappointing (Feb. 2012), available at http://
www.ftc.gov/opa/2012/02/mobileapps_kids.shtm.
\27\ News reports indicate that some companies, like Apple, are
already working to limit certain types of data collection via apps.
See, e.g., Kim-Mai Cutler, Amid Privacy Concerns, Apple Has Started
Rejecting Apps That Access UDID, TechCrunch (Mar. 24, 2012), http://
techcrunch.com/2012/03/24/apple-udids/.
---------------------------------------------------------------------------
To discuss how members of the mobile and online ecosystems can best
disclose their data practices to consumers, the Commission will host a
public workshop later this month.\28\ The workshop will address the
technological advancements and marketing developments since the FTC
first issued its online advertising disclosure guidelines known as
``Dot Com Disclosures,'' \29\ including the advent of smartphones and
tablets. The workshop will examine whether and how to revise the Dot
Com Disclosures in the current online and mobile advertising
environment and will include a specific panel on mobile privacy
disclosures.\30\
---------------------------------------------------------------------------
\28\ FTC Workshop, Dot Com Disclosures (May 30, 2012), available at
http://www.ftc.gov/opa/2012/02/dotcom.shtm.
\29\ FTC, Dot Com Disclosures (2000), available at http://
www.ftc.gov/os/2000/05/0005
dotcomstaffreport.pdf.
\30\ In addition to examining mobile disclosures, the Commission
continues to examine other privacy and security issues associated with
the mobile ecosystem. See, e.g., FTC Workshop, Paper, Plastic . . . or
Mobile?: An FTC Workshop on Mobile Payments (Apr. 26, 2012), available
at http://www.ftc.gov/bcp/workshops/mobilepayments/.
---------------------------------------------------------------------------
Second, the FTC hosted a workshop in December 2011 that explored
facial recognition technology and the privacy and security implications
raised by its increasing use.\31\ Facial detection and recognition
technology has been adopted in a variety of new contexts, ranging from
online social networks to digital signs and mobile apps. Commission
staff sought comments on the privacy and security issues raised at the
workshop, which it will address in a report in the coming months.
---------------------------------------------------------------------------
\31\ FTC Workshop, Face Facts: A Forum on Facial Recognition
Technology (Dec. 8, 2011), available at http://www.ftc.gov/bcp/
workshops/facefacts/.
---------------------------------------------------------------------------
Third, as discussed in the Final Report, the FTC intends to examine
the practices of large platforms such as Internet browsers, mobile
operating system providers, Internet Service Providers, and large
social media platforms that can collect data from numerous sources to
build extensive profiles about consumers. Commission staff will host a
workshop in the second half of 2012 to examine questions about the
scope of such data collection practices, the potential uses of the
collected data, and related issues.
Finally, the Commission is undertaking a comprehensive review of
the COPPA Rule in light of rapidly evolving technology and changes in
the way children use and access the Internet.\32\ In September 2011,
the Commission proposed modifications to the Rule intended to update
the Rule to meet changes in technology, assist operators in their
compliance obligations, strengthen protections over children's data,
and provide greater oversight of COPPA safe harbor programs.\33\ For
example, the Commission proposed adding geolocation information and
cookies used for behavioral advertising to the definition of ``personal
information,'' which would have the effect of requiring parental
consent for collection of this information. In addition, the Commission
proposed adding a new provision addressing data retention and deletion.
The Commission received over 350 comments on its proposed amendments to
the COPPA Rule, which are being reviewed by FTC staff.
---------------------------------------------------------------------------
\32\ See Request for Public Comment on the Federal Trade
Commission's Implementation of the Children's Online Privacy Protection
Rule, 75 Fed. Reg. 17,089 (Apr. 5, 2010), available at http://
www.ftc.gov/os/fedreg/2010/april/P104503coppa-rule.pdf.
\33\ The Commission's Notice of Proposed Rulemaking can be found at
76 Fed. Reg. 59,804 (Sept. 15, 2011), available at http://www.gpo.gov/
fdsys/pkg/FR-2011-09-27/pdf/2011-24314
.pdf.
---------------------------------------------------------------------------
IV. Enforcement
In addition to its engagement on the policy front, enforcement
remains a top priority for the agency. To date, the Commission has
brought 36 data security cases; almost 80 cases against companies for
improperly calling consumers on the Do Not Call registry;\34\ 86 cases
against companies for violating the Fair Credit Reporting Act
(``FCRA'');\35\ more than 100 spam and spyware cases; 18 COPPA
cases;\36\ and numerous cases against companies for violating the FTC
Act by making deceptive claims about the privacy and security
protections they afford to consumer data. Where the FTC has authority
to seek civil penalties, it has aggressively done so. It has obtained
$60 million in civil penalties in Do Not Call cases; $21 million in
civil penalties under the FCRA; $5.7 million under the CAN-SPAM
Act;\37\ and $6.6 million under COPPA. Where the Commission does not
have authority to seek civil penalties, as in the data security and
spyware areas, it has sought such authority from Congress.
---------------------------------------------------------------------------
\34\ 16 C.F.R. Part 310.
\35\ 15 U.S.C. Sec. Sec. 1681e-i.
\36\ 15 U.S.C. Sec. Sec. 6501-6508.
\37\ 15 U.S.C. Sec. Sec. 7701-7713.
---------------------------------------------------------------------------
Two highly publicized privacy cases--against Google and Facebook--
will benefit more than one billion consumers worldwide. The Commission
charged Google with deceiving consumers by taking previously private
information--the frequent contacts of Gmail users--and making it public
in order to generate and populate a new social network, Google
Buzz.\38\ This, the Commission alleged, was done without the users'
consent and in contravention of Google's privacy promises. As part of
the Commission's decision and consent order, Google must protect the
privacy of consumers who use Gmail as well as Google's many other
products and services. Under the order, if Google changes a product or
service in a way that makes any data collected from or about consumers
more widely available to third parties, it must seek affirmative
express consent to such a change. In addition, the order requires
Google to implement a comprehensive privacy program and obtain
independent privacy audits every other year for the next 20 years.
---------------------------------------------------------------------------
\38\ Google, Inc., Docket No. C-4336 (Oct. 13, 2011) (final
decision and consent order), available at http://www.ftc.gov/opa/2011/
10/buzz.shtm.
---------------------------------------------------------------------------
The FTC's case against Facebook alleged numerous deceptive and
unfair practices.\39\ These include the 2009 changes made by Facebook
so that information users had designated private--such as their
``Friends List'' or pages that they had ``liked''--became public. The
complaint also charged that Facebook made inaccurate and misleading
disclosures relating to how much information about users' apps
operating on the site could access. For example, Facebook told users
that the apps on its site would only have access to the information
those apps ``needed to operate.'' The complaint alleges that in fact,
the apps could view nearly all of the users' information, regardless of
whether that information was ``needed'' for the apps' functionality.
The Commission further alleged that Facebook made promises that it
failed to keep: It told users it would not share information with
advertisers, and then it did; and it agreed to make inaccessible the
photos and videos of users who had deleted their accounts, and then it
did not. Similar to the Google order, the Commission's consent order
against Facebook prohibits the company from deceiving consumers with
regard to privacy; requires it to obtain users' affirmative express
consent before sharing their information in a way that exceeds their
privacy settings; and requires it to implement a comprehensive privacy
program and obtain outside audits. In addition, Facebook must ensure
that it will stop providing access to a user's information after she
deletes that information.
---------------------------------------------------------------------------
\39\ Facebook, Inc., Matter No. 0923184 (Nov. 29, 2011) (proposed
consent agreement), available at http://www.ftc.gov/opa/2011/11/
privacysettlement.shtm.
---------------------------------------------------------------------------
Most recently, the Commission announced a settlement with the
social network Myspace. The FTC complaint alleged that, despite
promising its users that it would not share consumers' personal
information with advertisers, Myspace provided advertisers with the
``Friend ID'' of users who were viewing particular pages on the site.
With the Friend ID, the advertiser could locate the user's Myspace
personal profile to obtain his or her real name and other personal
information. The advertiser could also combine the user's real name and
other personal information with additional information to link broader
web-browsing activity to a specific named individual. The proposed
order prohibits Myspace from misrepresenting the privacy and
confidentiality afforded to users' information, and requires Myspace to
create a comprehensive privacy program and undergo third-party audits
every other year for the next 20 years.
Finally, the Commission continues to make children's privacy a
priority, as demonstrated by a recent a settlement with RockYou, the
popular social media gaming company.\40\ Despite its claims to have
reasonable security, RockYou allegedly failed to use reasonable and
appropriate security measures to protect consumers' private data,
resulting in hackers gaining access to 32 million e-mail addresses and
RockYou passwords. In addition, the Commission charged that RockYou
collected personal information from approximately 179,000 children it
knew to be under 13 without providing notice or obtaining parental
consent, as required by COPPA and despite claims to the contrary. Under
the Commission's settlement, RockYou must implement a data security
program and undergo audits every other year for the next 20 years and
pay a $250,000 civil penalty.
---------------------------------------------------------------------------
\40\ See United States v. RockYou, Inc., No. CV 12 1487 (N.D. Cal.
filed Mar. 26, 2012) (consent decree).
---------------------------------------------------------------------------
V. Education
The FTC conducts outreach to businesses and consumers in the area
of consumer privacy. The Commission's well-known OnGuard Online website
educates consumers about many online threats to consumer privacy and
security, including spam, spyware, phishing, peer-to-peer (``P2P'')
file sharing, and social networking.\41\ Furthermore, the FTC provides
consumer education to help consumers better understand the privacy and
security implications of new technologies. For example, last year the
Commission issued a guide that provides consumers with information
about mobile apps, including what apps are, the types of data they can
collect and share, and why some apps collect geolocation
information.\42\
---------------------------------------------------------------------------
\41\ See www.onguardonline.gov. Since its launch in 2005, OnGuard
Online and its Spanish-language counterpart Alerta en Linea have
attracted more than 25 million visits.
\42\ See Press Release, FTC, Facts from the FTC: What You Should
Know About Mobile Apps (June 28, 2011), available at http://
www.ftc.gov/opa/2011/06/mobileapps.shtm.
---------------------------------------------------------------------------
The Commission has also issued numerous education materials to help
consumers protect themselves from identity theft and to deal with its
consequences when it does occur. The FTC has distributed over 3.8
million copies of a victim recovery guide, Take Charge: Fighting Back
Against Identity Theft, and has recorded over 3.5 million visits to the
Web version.\43\ In addition, the FTC has developed education resources
specifically for children, parents, and teachers to help children stay
safe online. The FTC produced the brochure Net Cetera: Chatting with
Kids About Being Online to give adults practical tips to help children
navigate the online world.\44\ In less than one year, the Commission
distributed more than 7 million copies of Net Cetera to schools and
communities nationwide.
---------------------------------------------------------------------------
\43\ See Take Charge: Fighting Back Against Identity Theft,
available at http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/
idt04.shtm.
\44\ See Press Release, FTC, OnGuardOnline.gov Off to a Fast Start
with Online Child Safety Campaign (Mar. 31, 2010), available at
www.ftc.gov/opa/2010/03/netcetera.shtm.
---------------------------------------------------------------------------
Business education is also an important priority for the FTC. The
Commission seeks to educate businesses by developing and distributing
free guidance. For example, the Commission developed a widely-
distributed guide to help small and medium-sized businesses implement
appropriate data security for the personal information they collect and
maintain.\45\ The Commission also creates business educational
materials on specific topics--such as the privacy and security risks
associated with peer-to-peer file-sharing programs and companies'
obligations to protect consumer and employee information from these
risks \46\ and how to properly secure and dispose of information on
digital copiers.\47\ These publications, as well as other business
education materials, are available through the FTC's Business Center
website, which averages one million unique visitors each month.\48\ The
Commission also hosts a Business Center blog,\49\ which frequently
features consumer privacy and data security topics; presently,
approximately 3,500 attorneys and business executives subscribe to
these e-mail blog updates.
---------------------------------------------------------------------------
\45\ See Protecting Personal Information: A Guide For Business,
available at www.ftc.gov/infosecurity.
\46\ See Peer-to-Peer File Sharing: A Guide for Business, available
at http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus46.shtm.
\47\ See http://business.ftc.gov/documents/bus43-copier-data-
security.
\48\ See generally http://business.ftc.gov/. The Privacy and Data
Security portal is the most popular destination for visitors to the
Business Center.
\49\ See generally http://business.ftc.gov/blog.
---------------------------------------------------------------------------
Another way the Commission seeks to educate businesses by
publicizing its complaints and orders and issuing public closing and
warning letters. For example, the Commission recently sent warning
letters to the marketers of six mobile apps that provide background
screening services.\50\ The letters state that some of the apps
included criminal record histories, which bear on an individual's
character and general reputation and are precisely the type of
information that is typically used in employment and tenant screening.
The FTC warned the apps marketers that, if they have reason to believe
the background reports they provide are being used for employment
screening, housing, credit, or other similar purposes, they must comply
with the FCRA. The Commission made no determination as to whether the
companies are violating the FCRA, but encouraged them to review their
apps and their policies and procedures to ensure they comply with the
Act.
---------------------------------------------------------------------------
\50\ Press Release, FTC, FTC Warns Marketers that Mobile Apps May
Violate Fair Credit Reporting Act (Feb. 7, 2012), available at http://
www.ftc.gov/opa/2012/02/mobileapps.shtm.
---------------------------------------------------------------------------
VI. Conclusion
These policy, enforcement, and education efforts demonstrate the
Commission's continued commitment to protecting consumers' privacy and
security--both online and offline. As noted above, the Commission
encourages Congress to develop general privacy legislation and to adopt
targeted legislation addressing data brokers. We appreciate the
leadership of Chairman Rockefeller and this Committee on these issues
and look forward to continuing to work with Congress, the
Administration, industry and other critical stakeholders on these
issues in the future.
The Chairman. Thank you, sir.
The Honorable Cameron F. Kerry, General Counsel, U.S.
Department of Commerce.
STATEMENT OF HON. CAMERON F. KERRY, GENERAL COUNSEL, U.S.
DEPARTMENT OF COMMERCE
Mr. Kerry. Thank you, Chairman Rockefeller, Ranking Member
Toomey, distinguished members of the Committee. I'm grateful
for the opportunity to testify today about the administration's
Blueprint for data privacy.
This Blueprint is a framework to enhance consumer privacy
while fostering economic growth, job creation, and exports for
American businesses.
The Federal Trade Commission has been a global leader in
this area as well as a partner to the Department of Commerce
and a valued adviser to the National Science and Technology
Council in developing the Privacy Blueprint. So I welcome being
able to join Chairman Leibowitz and Commissioner Ohlhausen at
the witness table today.
The explosion in the collection and storage and analysis of
data and digital information offers new frontiers of knowledge
and innovation and growth. But Senator Toomey asked the
question, what is the market failure here? We are now at a
tipping point that presents a dual market failure.
First, while many companies earned trust as responsible
stewards of consumers' personal information, it exceeds the
ability of even the most sophisticated consumers to understand
and control what information is collected about them. And
second, this asymmetry allows outliers and outlaws that are not
good stewards of information to take advantage of consumers'
trust and lack of information.
That is why a great many companies, consumer groups, the
FTC, and the administration support baseline consumer privacy
legislation. When it comes to sustaining trust in the digital
economy, business and consumer and government interests
converge.
The administration's Privacy Blueprint articulates a
Consumer Privacy Bill of Rights: individual control,
transparency, respect for context, access and accuracy,
security, and focused collection and accountability. And it
calls for Congress to give these broad principles the force of
law.
We recommend two mechanisms to apply these principles. The
first is giving the FTC the direct authority to enforce the
individual provisions of the Bill of Rights as enacted, rather
than relying entirely on its Section 5 authority, as currently
framed.
The second is authorizing the FTC to grant safe harbors
from enforcement for codes of conduct that address how best to
follow the Privacy Bill of Rights in specific contexts.
The National Telecommunications and Information
Administration of the Department of Commerce is carrying out
the administration's Blueprint by initiating stakeholder-driven
processes to develop codes of conduct. NTIA is reviewing
recommendations on the first topic and on the process,
including your comments, Chairman Rockefeller, thank you.
NTIA should be selecting a topic and convening the first
meetings very soon.
In addition, I have asked a working group to put the
administration's Privacy Blueprint into legislative language we
are drafting. And we stand ready to work with this Committee
and with other Members of Congress to put baseline privacy
legislation into law.
What we do here in America is paramount to U.S. consumers
and companies, but we cannot ignore the global reach of the
Internet. Europe is in the process of honing its approach to
data privacy. Other countries around the world understand the
need for rules of the road and are looking for models.
We have the clear opportunity, as President Obama said in
his preface to the Privacy Blueprint, to offer the world a
dynamic model of how to provide strong privacy protection and
enable ongoing innovation in new information technologies.
Baseline privacy legislation will ground our system firmly,
so America can be an example for the world and pave the way for
privacy standards that are interoperable around the globe.
Leading by example will encourage other countries to build
multi-stakeholder processes, flexibility, and accountability
into their commercial data privacy networks. This model will
promote the free flow of information across national borders,
which helps U.S. companies and U.S. consumers alike.
Mr. Chairman, when I speak to international audiences, I
point to the deeply held privacy values of Americans that are
embedded in our Constitution and in privacy laws that couple
statutory protection in areas like health records with strong
enforcement by the FTC and by state attorneys general. And I
get a lot of thank yous from companies for defending our
system.
But they want and they need more. They want the U.S.
Congress to send a clear message to the world that the United
States cares about privacy and will protect the privacy of
consumers in all sectors.
Mr. Chairman, I thank you again for the opportunity to be
here today, to provide our views. And I welcome the Committee's
questions.
[The prepared statement of Mr. Kerry follows:]
Prepared Statement of Hon. Cameron F. Kerry, General Counsel,
U.S. Department of Commerce
Summary
Commercial privacy protections have not kept pace with the
explosive growth of the Internet. Consumers are deeply concerned about
their privacy, but are unable to determine which companies respect
their privacy and how their personal data are being collected, stored,
and used. Similarly, American businesses need to determine and meet the
privacy expectations of their customers in order to maintain their
customers' trust, but still wish to innovate within these bounds.
Consumers and American businesses share a strong interest in defining
and protecting privacy interests to protect consumers, provide a level
playing field for businesses, and build an environment of trust that
benefits innovation and the digital economy.
To this end, the Administration's Privacy Blueprint articulates a
Consumer Privacy Bill of Rights--and calls on Congress to give this
baseline privacy protection the force of law. The seven basic
principles of the Privacy Blueprint (based on globally recognized Fair
Information Practices) are: (1) individual control, (2) transparency,
(3) respect for context, (4) security, (5) access and accuracy, (6)
focused collection, and (7) accountability. The Administration supports
giving the Federal Trade Commission (FTC) the authority to enforce the
principles of the Privacy Bill of Rights, as codified. The FTC also
should have the authority to provide safe harbors for companies that
adopt context-specific codes of conduct that set forth how they will
follow the Privacy Bill of Rights. Such codes of conduct should be
developed through multistakeholder processes that include broad
participation from all interested parties, including consumer groups
and businesses.
The Administration supports legislation that provides strong
baseline privacy protections in a manner that promotes growth and
innovation in the digital economy. Such legislation would allow
businesses to implement privacy protections in ways that are specific
and appropriate for their industries. It would avoid being too
prescriptive or tailored to specific technologies, potentially stifling
innovation and inhibiting the development of new products or services,
or being so inflexible that it fails to cover the next generation of
changes. Nor should legislation impose unnecessary burdens on our
businesses. These considerations will help the United States strengthen
consumer privacy protections while promoting continued innovation.
I. Introduction
Chairman Rockefeller, Ranking Member Hutchison, and distinguished
Committee Members, thank you for the opportunity to testify on behalf
of the Department of Commerce about the Administration's recently-
released policy blueprint, Consumer Data Privacy in a Networked World:
A Framework for Protecting Privacy and Promoting Innovation in the
Global Digital Economy (the Privacy Blueprint, attached). I welcome
this opportunity to discuss ways to enhance consumer privacy that will
foster economic growth, job creation, and exports for American
businesses.
As President Obama said in the Privacy Blueprint ``[n]ever has
privacy been more important than today, in the age of the Internet, the
World Wide Web and smart phones.'' The need for privacy protections has
grown in proportion to the expansion of the Internet itself. Every day,
an increasing share of our commercial transactions, our social
interactions, and our participation in public discussion depends on the
Internet as a medium. The way we create and share our communications
increasingly relies on new technologies that are networked--and
increasingly raises new questions about how data associated with these
communications are collected, stored, and used. Ultimately, sustaining
the social and economic benefits of networked technologies depends on
consumer trust. People must have confidence that companies will handle
information about them fairly and responsibly.
Privacy protections have not kept up with this explosion of
Internet use and new technology. Due to inadequate protection of data,
millions of Americans have their personal information exposed in data
breaches every year. These breaches lead to concrete harm for
consumers: for 12 consecutive years, identity theft has topped consumer
complaints received by the FTC, accounting for 15 percent of all
complaints.\1\
---------------------------------------------------------------------------
\1\ FTC Releases Top Complaint Categories for 2011: Identity Theft
Once Again Tops the List, Feb. 28, 2012, available at http://ftc.gov/
opa/2012/02/2011complaints.shtm.
---------------------------------------------------------------------------
Consumers also lack transparency into how companies collect and use
data. Not only is it a cliche to say nobody reads privacy policies, but
studies have indicated that the effort would be hopeless, because an
average user would have to devote 250 hours a year just to read the
labyrinthine privacy policies of the websites they visit in a year.\2\
Even if those policies all provided a clear roadmap to companies' use
of data, that is too much to ask; it is as much as 45 minutes of dense
textual reading for each and every site visited in a day, a full one-
eighth of a working year, every year, just to read the privacy
policies. All the promise of the Internet, and the benefits and
efficiencies it can provide, would be dragged down by the anchor of
privacy policies if we had to slog through all that, much less
negotiate details of sub-optimal privacy policies or find alternative
providers for services with unacceptable ones.\3\
---------------------------------------------------------------------------
\2\ Aleecia M. McDonald and Lorrie Faith Cranor, The Cost of
Reading Privacy Policies, I/S: A Journal of Law and Policy for the
Information Society, 2008 Privacy Year in Review Issue, available at
http://www.is-journal.org/.
\3\ See http://mashable.com/2011/01/27/the-real-reason-no-one-
reads-privacy-policies-infogra
phic/.
---------------------------------------------------------------------------
Instead, consumers are subject to terms and conditions they have
not read or they decide not to use services that may be beneficial and
innovative. Neither is a good result. In the first instance, consumers
may give up information and rights without understanding the risks
sufficiently. In the second instance, commerce and the adoption of
useful technology are slowed. For example, recent articles about new
cloud storage services have recounted how privacy concerns are
affecting consumer adoption.\4\ In the end, some consumers may use
cloud services without reading the privacy policies while others may
shy away from such services completely.
---------------------------------------------------------------------------
\4\ See e.g., PCWorld, Google Drive Privacy Policies Slammed, April
28, 2012, available at http://www.pcworld.com/article/254600/
google_drive_privacy_policies_slammed.html.
---------------------------------------------------------------------------
At the same time, businesses recognize the need and benefit of
baseline privacy legislation. Such legislation would provide rules of
the road that would facilitate the flow of information and trade
globally while protecting consumers.\5\ As one commenter stated:
``consumers want it, we believe companies need it, and the economy will
be better for it.'' \6\
---------------------------------------------------------------------------
\5\ See, Department of Commerce Internet Policy Task Force's
report, Commercial Data Privacy and Innovation in the Internet Economy:
A Dynamic Policy Framework, at 34, Dec. 2010, available at http://
www.ntia.doc.gov/files/ntia/publications/
iptf_privacy_greenpaper_12162010
.pdf.
\6\ See id, (quoting Hewlett-Packard Comment at 2).
---------------------------------------------------------------------------
The Privacy Blueprint seeks to help consumers navigate the
patchwork of privacy expectations that currently exists as they
traverse the Internet and to give businesses clearer rules of the road.
The goal is both to protect consumers and to ensure that the Internet
remains a platform of commerce and growth, and an economic driver for
our country. This position may become jeopardized if privacy concerns
are not addressed, as consumers across all age ranges report avoiding
companies that do not sufficiently protect their privacy.\7\ And these
concerns are spreading to quickly developing areas of technology, such
as mobile computing.\8\
---------------------------------------------------------------------------
\7\ See Harris Interactive/TRUSTe Privacy Index: Q1 2012 Consumer
Confidence Edition, Feb. 13, 2012, available at http://www.truste.com/
about-TRUSTe/press-room/news_truste_
launches_new_trend_privacy_index (showing that U.S. adults who avoid
doing business with companies that do not protect their privacy ranges
from 82 percent, among 18-34 year olds, to 93 percent, among adults 55
years old and older).
\8\ See TRUSTe, More Consumers Say Privacy--Over Security--is
Biggest Concern When Using Mobile Applications on Smartphones, Apr. 27,
2011 (reporting results of survey of top 340 free mobile apps conducted
jointly with Harris Interactive), available at http://www.truste.com/
blog/2011/04/27/survey-results-are-in-consumers-say-privacy-is-a-
bigger-concern-than-security-on-smartphones/.
---------------------------------------------------------------------------
Consumers and American businesses share a strong interest in
sustaining the trust that is essential to supporting innovation,
keeping the Internet growing, and maintaining the growth of the digital
economy. Consumers need ways to get a better understanding about what
information is collected about them and how it may be used, as well as
safeguards that ensure the information is adequately protected.
Businesses need clearer benchmarks for good practices, and companies
that handle personal data responsibly should be able to stand out from
companies that behave carelessly.
To this end, the Obama Administration has articulated the Consumer
Privacy Bill of Rights and called on Congress to adopt this Bill of
Rights in privacy legislation that will establish a minimum set of
privacy protections for data collected about individual consumers. Such
legislation would provide clear protections to consumers, a level
playing field for businesses, and foster an environment of trust that
will benefit both.
The Administration is not alone in calling for a new law. A broad
array of private sector stakeholders has expressed support for baseline
consumer privacy legislation. Consumer advocacy groups and civil
liberties organizations, for example, have called for baseline consumer
privacy legislation. In addition, many businesses also have supported
baseline privacy legislation because they see significant value in
obtaining clear privacy guidelines that enable them to earn consumers'
trust, and which may also enable them to comply with international
expectations. These businesses include large technology leaders that
handle significant amounts of personal information and have used
personal data to provide innovative new products and services.
My testimony today will cover the recommendations of the
Administration's Privacy Blueprint. Looking ahead, it will focus on how
legislation can implement the Privacy Bill of Rights, how Department of
Commerce multistakeholder processes to develop codes of conduct in
specific sectors will move forward, and what the Administration is
doing to ensure that our privacy framework promotes growth and trade
internationally for American companies.
II. The Consumer Privacy Bill of Rights
In 2009, the Department of Commerce assembled an Internet Policy
Task Force. This task force spent two years developing a blueprint for
protecting consumer's privacy with extensive consultation of
stakeholders including consumer advocacy groups, businesses, academics,
and other government agencies. The task force began by using the
information learned from consulting stakeholders to craft a Privacy and
Innovation Notice of Inquiry (NOI).\9\ The NOI requested public comment
on ways of improving privacy protections while still protecting
technological innovations. The task force also organized a Privacy and
Innovation Symposium on May 7, 2010.
---------------------------------------------------------------------------
\9\ Department of Commerce, Notice of Inquiry on Information
Privacy and Innovation in the Internet Economy, 75 Fed. Reg. 21226,
Apr. 23, 2010, available at http://www.ntia.doc.gov/files/ntia/
publications/fr_privacynoi_04232010.pdf.
---------------------------------------------------------------------------
The initial conclusions obtained from stakeholder discussions, the
comments received in response to the NOI, and discussions from the
symposium led to the publication in December 2010 of Commercial Data
Privacy and Innovation in the Internet Economy: A Dynamic Policy
Framework, often referred to as the Commerce Green Paper.\10\ This
Green Paper proposed a privacy framework and invited further comments
on the proposed approach. The framework was refined as a result of
further comments and meetings with hundreds of stakeholders
representing the full spectrum of privacy interests to come up with a
final strategy. This was an effort that engaged agencies across the
Executive Branch through the National Science & Technology Council
Subcommittee on Commercial Privacy that I co-chaired, and benefited
from the valuable partnership and advice of the Federal Trade
Commission.
---------------------------------------------------------------------------
\10\ The Privacy Blueprint builds on the Department of Commerce
Internet Policy Task Force's report, Commercial Data Privacy and
Innovation in the Internet Economy: A Dynamic Policy Framework, Dec.
2010, available at http://www.ntia.doc.gov/files/ntia/publications/
iptf_
privacy_greenpaper_12162010.pdf.
---------------------------------------------------------------------------
Based on our study, in February the White House released its
Privacy Blueprint.\11\ This Privacy Blueprint calls for the passage of
a Consumer Privacy Bill of Rights; for enforceable codes of conduct to
implement that Bill of Rights developed by a spectrum of stakeholders
from consumer groups, businesses, and others; and for active engagement
with international partners to develop privacy protections that enable
trustworthy transfer of data across national borders.
---------------------------------------------------------------------------
\11\ The White House, Consumer Data Privacy in a Networked World: A
Framework for Protecting Privacy and Promoting Innovation in a Global
Digital Economy, Feb. 2012, available at http://www.whitehouse.gov/
sites/default/files/privacy-final.pdf (``Privacy Blueprint'').
---------------------------------------------------------------------------
Apart from enforcement of consumer protection laws by the Federal
Trade Commission and state attorneys general when privacy practices are
unfair and deceptive, Federal privacy protections in the United States
are based on a sectoral approach that provides privacy protections
tailored to specific industries such as finance, health care, and
education. Industries that are not subject to such specific privacy
laws, however, account for large shares of daily Internet usage; these
include search engines, social networking sites, behavioral
advertisers, and location-based services. For industries that are not
covered by more specific laws, the Privacy Blueprint calls for baseline
privacy protections in the form of a Consumer Privacy Bill of Rights.
The Consumer Privacy Bill of Rights articulates a set of principles
that clarify to businesses and consumers alike what expectations the
consumer should have from their Internet experience. The seven basic
principles are:
Individual Control: Consumers have a right to exercise
control over what personal data companies collect from them and
how they use it.
Transparency: Consumers have a right to easily
understandable and accessible information about privacy and
security practices.
Respect for Context: Consumers have a right to expect that
companies will collect, use, and disclose personal data in ways
that are consistent with the context in which consumers provide
the data.
Security: Consumers have a right to secure and responsible
handling of personal data.
Access and Accuracy: Consumers have a right to access and
correct personal data in usable formats, in a manner that is
appropriate to the sensitivity of the data and the risk of
adverse consequences to consumers if the data is inaccurate.
Focused Collection: Consumers have a right to reasonable
limits on the personal data that companies collect and retain.
Accountability: Consumers have a right to have personal data
handled by companies with appropriate measures in place to
assure they adhere to the Consumer Privacy Bill of Rights.
These principles are based on globally recognized Fair Information
Practice Principles (FIPPs), which originated in the Department of
Health, Education and Welfare's 1973 report, Records, Computers, and
the Rights of Citizens. Congress incorporated these principles into the
Privacy Act of 1974. Since then, a consistent set of FIPPs has become
the foundation for global privacy policy through, for example, the
Organization for Economic Co-operation and Development's Guidelines on
the Protection of Privacy and Transborder Flows of Personal Data
(``OECD Privacy Guidelines'') and the Asia-Pacific Economic
Cooperation's Privacy Framework. The Administration sought to remain
consistent with these existing globally-recognized FIPPs as it
developed the Consumer Privacy Bill of Rights.
Many individuals and organizations that commented on the Commerce
Department's Privacy and Innovation Green Paper noted that changes in
the ways information is generated, collected, stored, and used called
for some adaptation of existing statements of the FIPPs. The digital
economy of the 21st Century, driven by distribution of devices and
connectivity and vast increases in computing speed, storage capacity,
and applications, is data-intensive, dynamic, and increasingly driven
by consumers' active participation. We therefore updated the
traditional FIPPs to suit the challenges posed by the digital economy.
The most significant changes are found in the principles of Individual
Control, Respect for Context, Focused Collection, and Accountability.
1. Individual Control
The principle of Individual Control addresses two salient aspects
of the networked world. First, networked technologies offer consumers
an increasing number of ways to assert control over what personal data
is collected. Companies should take advantage of these technologies by
offering consumers, at the time of collection, usable tools and clear
explanations of their choices about data sharing, collection, use, and
disclosure.
Second, the Individual Control principle calls on consumers to use
these tools to take responsibility for controlling personal data
collection, especially in situations where consumers actively share
data about themselves, such as online social networks. In these cases,
control over the initial act of sharing is critical. Consumers can take
significant steps to reduce harms associated with the misuse of their
data by using improved tools available to gain a better understanding
of what personal data they are disclosing and to control their data.
2. Respect for Context
The second noteworthy way in which the Consumer Privacy Bill of
Rights adapts traditional FIPPs is reflected in the principle of
Respect for Context. The basic premise of this principle is simple: the
relationship between consumers and a company--that is, the context of
personal data use--should help determine whether a specific use is
appropriate and what kinds of consumer choices may be necessary.
Factors such as what consumers are likely to understand about a
company's data practices based on the products and services it offers,
how a company explains the roles of personal data in delivering these
products and services, research on consumers' attitudes and
understandings, and feedback from consumers should also enter these
assessments.
The Respect for Context principle embodies the flexibility that is
at the core of the Consumer Privacy Bill of Rights: it calls for strong
protection when the context indicates--when sensitive personal
information is at stake, for example--but personal data can flow
relatively freely to support purposes that consumers reasonably
anticipate in a given context.
For example, suppose an online social network holds out its service
as a way for individuals to connect with people they know and form ties
with others who share common interests. In connection with this
service, the provider asks new users to submit biographical information
as well as information about their acquaintances. As consumers use the
service, they may provide additional information through written
updates, photos, videos, and other content they choose to post. The
social network's use of this information to suggest connections that
its users might wish to form is integral to the service and foreseeable
from the social networking context. Seeking consumers' affirmative
consent to use personal data for the purpose of facilitating
connections on the service is therefore not necessary. By contrast, if
the social network uses this information for purposes outside this
social networking context, such as employment screening or credit
eligibility, the Respect for Context principle would call for
prominent, clear notice and meaningful opportunities for consumer
choice. The Respect for Context principle will help protect consumers
against these real harms that can arise when information is lifted out
of one context and used unexpectedly in another.
Similarly, explicit consent may not be required for the use of a
consumer's address for the delivery of a product ordered online, but if
that company sells the information to a third party such consent may be
necessary. Requiring explicit consent in every case inures consumers to
accepting all terms and conditions presented to them while limiting
such consent to unexpected uses of consumer data empowers consumers.
The sophistication of a company's customers is an important element
of context. In particular, the unique characteristics of children and
teenagers may warrant different privacy protections than are suitable
for adults. Children are particularly susceptible to privacy harms.\12\
The Administration looks forward to exploring with stakeholders whether
more stringent applications of the Consumer Privacy Bill of Rights--
such as an agreement not to create individual profiles about children,
even if online services obtain the necessary consent from the child to
collect personal data--are appropriate to protect children's privacy.
---------------------------------------------------------------------------
\12\ See Federal Trade Commission, Protecting Consumer Privacy in
an Era of Rapid Change: Recommendations for Businesses and
Policymakers, at 63, March 2012 (``when health or children's
information is involved, for example, the likelihood that data misuse
could lead to embarrassment, discrimination, or other harms is
increased.'').
---------------------------------------------------------------------------
3. Focused Collection
The Focused Collection principle adapts the ``data minimization''
and ``collection limitation'' principles found in traditional FIPPs.
Some existing versions of these principles provide a strict standard
that makes personal data collection permissible only when it is kept to
the minimum necessary to achieve specific, identified purposes. Such a
one-size-fits-all standard is unworkable for the networked technologies
and new data uses that enable the digital age.
Familiar and increasingly essential Internet services, such as
search engines, collect a wide range of data and use it in a wide
variety of ways that cannot be predicted when the data is collected.
Stores of information like these have the potential to provide new
frontiers of human knowledge in addition to new pathways for intrusion
on privacy. Such services may be consistent with the Focused Collection
principle, provided they reflect considered decisions about what kinds
of personal data are necessary to provide the services, how long the
data needs to be retained, and what measures may be available to make
retained data less likely to be associated with specific consumers.
Focused collection will help protect consumers from harm associated
with misuse of data that never needed to be collected or retained to
begin with. The Focused Collection principle, however, does not relieve
companies of any independent legal obligations, including law
enforcement orders, that require them to retain personal data.
4. Accountability
Finally, the Accountability principle emphasizes that the measures
companies take to educate employees about using personal data, prevent
lapses in their privacy commitments, and detect and remedy any lapses
that occur are crucial to protecting consumer privacy. Accountability
also assures that, when consumers feel harmed by the way their data is
handled, their complaints can go to the entity responsible for handling
that data. Accountability mechanisms also may provide a route toward
greater global interoperability. The Administration is actively
exploring how accountability mechanisms, which could be developed
through a privacy multistakeholder process, could ease privacy
compliance burdens for companies doing business globally.
III. Legislation
A. Codify Baseline Privacy Protection Principles
The Privacy Bill of Rights establishes a set of expectations that
consumers can use to understand what they should expect from businesses
they deal with, and businesses can use to guide their privacy policies
and practices. It establishes a benchmark that consumer and privacy
groups, journalists, and policymakers can use to gauge privacy
practices. Businesses that incorporate the Bill of Rights into their
practices will help differentiate themselves as trustworthy stewards of
personal information, enhancing competition based on privacy
protection.
These changes can begin without legislation, but the Administration
urges Congress to strengthen baseline privacy protections for consumers
and to support continued consumer trust in the digital economy by
codifying the Consumer Privacy Bill of Rights as part of baseline
commercial privacy legislation. The Consumer Privacy Bill of Rights
sets forth fundamental protections that have been well received by both
consumers and businesses, and legislation is supported by businesses as
well as civil society.
The Commerce Committee has a long history of avoiding technical
mandates in legislation, which the Administration applauds. The
principles in the Privacy Bill of Rights are intentionally broad to
avoid technical mandates or excessively prescriptive requirements. The
digital economy is constantly changing as are the risks and solutions
to consumer privacy concerns. Legislation that is too prescriptive or
that allows government to dictate specific technologies may stifle
innovation and inhibit the development of new products or services.
Similarly, legislation should not impose unnecessary burdens on all
businesses to address a privacy concern that is relevant only to a
subset of companies. Privacy legislation should be broad and flexible
enough to cover existing services as well as future products and
services that raise unforeseen concerns. Enactment of the Privacy Bill
of Rights as a set of legally enforceable rights would provide strong
baseline privacy protections and permit flexibility both in enforcement
and in industry compliance.
The Administration Privacy Blueprint recommends two mechanisms to
apply the broad principles of the Privacy Bill of Rights to specific
circumstances or practices. The first is enforcement of the Bill of
Rights by the FTC and state attorneys general. The second is the
development of legally enforceable codes of conduct through a voluntary
multistakeholder process convened by the National Telecommunications &
Information Administration (NTIA) of the Department of Commerce.
B. Grant Direct Enforcement Authority to the FTC
The Administration supports giving the FTC the direct authority to
enforce the individual provisions of the Consumer Privacy Bill of
Rights as enacted in law rather than relying only on its authority
under Section 5 of the FTC Act to address unfair and deceptive
practices or acts. Under Chairman Leibowitz as well as under
Republican-appointed chairs in the preceding decade, the FTC has
developed a body of law as well as expertise in privacy using its
Section 5 authority. Giving the FTC direct authority to enforce the
Bill of Rights would give future direction to this body of law,
strengthen protection of consumers, and permit the FTC to address
emerging privacy issues through specific enforcement actions governed
by applicable procedural safeguards.
Baseline privacy protections enforced by the FTC would provide a
level playing field for companies. Currently, a number of companies
offer consumers strong privacy protections. Bad actors, however, are
abusing the trust of consumers and using their information in ways not
reasonably expected by their customers. Such actions undermine consumer
trust in the digital economy to the detriment of businesses and
consumers alike. Granting direct enforcement authority to the FTC would
enable the Commission to take action against outliers and bad actors
even if their actions do not violate a published privacy policy so as
to constitute a deceptive practice or act.
C. Safe Harbor for FTC Approved Codes of Conduct Developed Through
Multistakeholder Processes
The Administration also supports the use of multistakeholder
processes to address consumer privacy issues that arise and change as
quickly as networked technologies and the products and services that
depend on them. These processes should be open to a broad range of
participants, including companies, privacy advocates, academics, and
civil and criminal law enforcement representatives, and facilitate
their full participation to find creative solutions through consensus
building. Specifically, the Privacy Blueprint directs the Department of
Commerce, through the NTIA, to convene interested stakeholders to
address consumer privacy issues in transparent, consensus-based
processes that are open to all interested stakeholders.
The Administration supports codifying this role for NTIA in
baseline privacy legislation because legislation would reinforce NTIA's
mission and its ability to convene stakeholders. Under the
Administration's recommended framework, companies would face a choice:
follow the general principles of the statutory Consumer Privacy Bill of
Rights, or commit to following a code of conduct that spells out how
those rights apply to their businesses. If the FTC determines that this
code of conduct adequately implements the Consumer Privacy Bill of
Rights, the FTC would forbear from enforcing the provisions of the
Consumer Privacy Bill of Rights implemented in the code of conduct
against companies that subscribe to it, so long as they live up to
their commitment. This approach would provide greater certainty for
companies and stronger incentives for all stakeholders to work toward
consensus on codes of conduct, but it requires authority from Congress
to work most effectively.
There is a model for this safe harbor approach in the context of
privacy in the Children's Online Privacy Protection Act of 1998
(COPPA). The FTC has years of experience in implementing COPPA and the
statute has been praised for providing parents with the tools they need
to protect the privacy of children under 13.
The expected outputs of these multistakeholder processes are
context-specific codes of conduct that companies may choose to adopt as
public commitments setting forth how they will follow the Privacy Bill
of Rights. Once a company publicly commits to follow a code of conduct,
the Administration expects that this commitment will be enforceable by
the FTC and state attorneys general, just as companies' privacy
policies and other promises are enforceable today.
The multistakeholder approach to privacy will strike a balance
between certainty for companies, strong protections for consumers, and
the flexibility necessary to promote continued innovation. Implementing
the general principles in the Consumer Privacy Bill of Rights, as
enacted in legislation, across the wide range of innovative uses of
personal data should allow for a flexible, fast-paced process to
determine how to define concrete practices that embody the broader
principles in a specific setting. This process must be capable of
addressing consumer privacy issues that arise and change quickly in the
networked world. In addition, it should focus on specific business
settings to help stakeholders address concrete privacy issues and
business requirements, leading to practices that protect privacy
without discouraging innovation. The process must also allow a broad
range of stakeholders, including consumer groups and privacy scholars
to participate meaningfully so they can ensure the codes of conduct
carry out the principles of the Privacy Bill of Rights. For consumer
and privacy advocates, the privacy multistakeholder process provides an
opportunity to influence these practices through direct engagement with
companies.
This vision draws from several successful examples of Internet
policy development. Private-sector standards setting organizations, for
example, are at the forefront of setting Internet-related technical
standards. Groups such as the Internet Engineering Task Force (IETF)
and the World Wide Web Consortium (W3C) use transparent
multistakeholder processes to set Internet-related technical standards.
These processes are successful, in part, because stakeholders share an
interest in developing consensus-based solutions to the underlying
challenges. Successful government-convened Internet policymaking
efforts in the past also provide precedents for the multistakeholder
approach proposed in the Privacy Blueprint. For example, the Executive
Branch led the privacy discussions of the 1990s and early 2000s, which
continue to be central to advancing consumer data privacy protections
in the United States. More recently, the FTC has encouraged
multistakeholder efforts to develop a ``Do Not Track'' mechanism, which
would afford greater consumer control over personal data in the context
of online behavioral advertising.
Thoughtful and balanced baseline commercial privacy legislation is
good for consumers and industry. As the digital economy opens the world
to commerce and social interactions, the United States should provide
the leadership necessary to promote consumer privacy and trust in a
manner that promotes innovation and competition. We should not cede
this role to other countries that may impose unnecessarily restrictive
burdens on U.S. industry with little or no consumer benefit.
The Administration is developing specific statutory suggestions to
implement the Consumer Privacy Bill of Rights and welcome the
opportunity to work with this Committee to enact baseline privacy
legislation.
IV. Developing Enforceable Codes of Conduct through Multistakeholder
Processes
The Administration has begun to take action to implement the
Consumer Privacy Bill of Rights before baseline legislation is enacted.
NTIA has begun to move ahead with stakeholder-driven processes to
develop codes of conduct based on the Bill of Rights.
Immediately after the Privacy Blueprint was issued, NTIA sought
comment from stakeholders on two sets of questions: which substantive
issue is suitable for an initial effort to develop an enforceable code
of conduct, and what procedures should the process to address this
issue follow. NTIA suggested a number of substantive issues that are
relatively discrete and manageable with the potential to deliver
significant benefits to consumers through a code of conduct. The
request asked stakeholders to comment on the pros and cons of taking up
these issues and to offer other issues that meet the criteria of
definability and potential consumer benefit. NTIA also asked for input
on procedures that will make the process manageable yet open to all
interested stakeholders' participation, transparent, and consensus-
based.
The comment period closed on Monday, April 2, and the Commerce
Department is in the process of reviewing the submissions. NTIA
received comments from consumer groups, businesses, academics, and
Members of Congress, including the Chairman of this Committee.
I anticipate that NTIA will soon select an initial topic and
convene an initial public meeting to begin developing a code of
conduct. Part of the business of this initial meeting will be for
stakeholders to reach agreement on the procedures they will use to work
together. While NTIA likely will provide some guidance and perspective,
based on its participation in other multistakeholder processes as well
as its review of comments on this process, NTIA will avoid imposing its
judgment on the group.
In other words, NTIA's role will be to convene stakeholders and
facilitate discussions that ensure all voices are heard, but it will
not be the decision-maker on the substantive elements of privacy codes
of conduct. The government's role will be as a convener and a
facilitator to forge consensus.
V. International Interoperability
What we do here in America is of paramount importance to U.S.
consumers and companies, but we cannot ignore the global dimensions of
the Internet. The dynamism of the digital economy is linked directly to
flows of data across borders. This is why an essential element of the
Administration's Blueprint for consumer privacy is international
engagement.
Americans expect to follow blog posts and tweets from around the
world. We expect our e-mail to pop-up nearly instantaneously without
thinking about whether it crossed national borders to get there. We
demand information, goods, and services 24 hours a day, 7 days a week,
regardless of whether they are provided from across town or across the
globe.
In today's digital economy it is vital to maintain cross-border
data flows to keep U.S. businesses tapped into the markets of the world
and drive the continued growth of this sector. Over $8 trillion were
exchanged over the Internet last year, and this amount is growing.\13\
The digital economy accounted for 15 percent of U.S. GDP growth over
the five-year period from 2004 to 2009.\14\ Total retail e-commerce
sales for 2011 reached an estimated $194.3 billion, 16.1 percent more
than in 2010, and accounting for 4.6 percent of total retail sales
versus 4.3 percent in 2010.\15\ We must ensure that American companies
that are leaders in Internet technology, cloud computing, and e-
commerce, as well as innovative startups, have continued access to
markets unimpeded by regulations that erect barriers to information
flow at national borders and Balkanize the Internet. To do this, the
United States must remain on the cutting edge of the digital economy in
terms of both technology and policy-making as it relates to the
Internet.
---------------------------------------------------------------------------
\13\ Bipartisan Policy Center, FCC Chairman Julius Genachowski:
Prepared Remarks on Cybersecurity; Feb. 22, 2012, http://
transition.fcc.gov/Daily_Releases/Daily_Business/2012/db0222/DOC-
312602A1.pdf, at 1.
\14\ McKinsey Global Institute, Internet Matters: The Net's
Sweeping Impact on Growth, Jobs, and Prosperity, May 2011, http://
www.mckinsey.com/Insights/MGI/Research/Technology_
and_Innovation/Internet_matters at 15-16.
\15\ U.S. Census Bureau, Quarterly Retail E-Commerce Sales: Fourth
Quarter 2011, Feb. 16, 2012, http://www.census.gov/retail/mrts/www/
data/pdf/ec_current.pdf, at 1.
---------------------------------------------------------------------------
The Privacy Blueprint recognizes that international
interoperability should start with mutual recognition of commercial
data privacy frameworks. The Department of Commerce has been at the
forefront of commercial privacy interoperability efforts, beginning
with our negotiation of the U.S.-EU Safe Harbor Framework in 2000 and
most recently with our leadership in the development of a system of
Cross Border Privacy Rules in the Asia Pacific Economic Cooperation.
Recently, Secretary Bryson and European Commission Vice President
Reding reaffirmed their commitment to the U.S.-EU Safe Harbor Framework
in a joint statement stating, ``[t]his Framework, which has been in
place since 2000, is a useful starting point for further
interoperability. Since its inception, over 3,000 companies have self-
certified to the Framework to demonstrate their commitment to privacy
protection and to facilitate transatlantic trade. The European
Commission and the Department of Commerce look forward to continued
close U.S.-EU collaboration to ensure the continued operation and
progressive updates to this Framework.''
We look forward to exploring additional interoperability mechanisms
with our European partners in particular, because they are in the midst
of reviewing their privacy framework. Our European partners have taken
note of our multistakeholder approach. Although domestically focused,
the codes of conduct developed through the multistakeholder process
could have global relevance, because consumers around the world are
faced with similar privacy challenges.
Alongside these international initiatives, privacy legislation will
firmly ground our consumer data privacy system here so that we can set
the best example for the world and set the stage for necessary mutual
recognition by other countries. Leading by example will encourage other
countries to build multistakeholder processes, transparency, and
flexibility into their commercial data privacy frameworks. This will
help foster the free flow of information, which will benefit U.S.
companies and consumers alike. We should anchor our own consumer data
privacy system in law to guarantee the international interoperability
our companies and our citizens need.
This is a critical time in the world of consumer data privacy.
Europe is in the process of honing its approach to data privacy, and
other countries around the world are starting to understand the need
for rules of the road for the increasingly data-driven digital economy.
We have a clear opportunity, as President Obama said to ``offer to the
world a dynamic model of how to offer strong privacy protection and
enable ongoing innovation in new information technologies.'' It is
incumbent upon us to take the reins of the digital economy and ensure
its forward momentum.
VI. Conclusion
We ask Congress to give the Consumer Privacy Bill of Rights the
force of law. These rights will provide protection for consumers and
define comprehensible rules of the road for the rapidly growing
marketplace for personal data. As envisioned in the Administration's
Privacy Blueprint, the Consumer Privacy Bill of Rights would provide a
set of standards that many responsible companies are already meeting,
and legislation would serve to put these companies on a level playing
field with those who are less careful with personal data.
Mr. Chairman, thank you again for the opportunity to provide our
views on legislation to protect consumer privacy and promote innovation
in the 21st Century. We look forward to working with you and other
stakeholders toward enactment of these consumer data privacy
protections. I welcome any questions.
The Chairman. Thank you very much, sir.
Commissioner Ohlhausen, welcome.
STATEMENT OF HON. MAUREEN K. OHLHAUSEN, COMMISSIONER, FEDERAL
TRADE COMMISSION
Ms. Ohlhausen. Thank you. Chairman Rockefeller, Ranking
Member Toomey, and members of the Committee, I'm pleased to
join Chairman Leibowitz, who is presenting FTC's testimony, and
Cameron Kerry, General Counsel of the Department of Commerce.
Privacy is an important topic for American consumers, and I
commend you for holding this hearing. But let me say at the
outset that my comments and the views expressed in this
statement are my own and do not necessarily represent the views
of the Commission or any other commissioner.
As you know, my tenure as an FTC commissioner began on
April 4, so while privacy is an issue in which I have
tremendous interest and commitment, my views on privacy from
the perspective of a commissioner are just over a month old.
While I have read the March 2012 privacy report and formed
some initial thoughts, I was not at the Commission during its
development and release. I'm just now in the process of fully
educating myself on the specifics of the report and thinking
through the implications of its recommendations. So I'm not yet
ready to commit myself to specific positions on all aspects of
the privacy issues raised in the report.
I am, however, happy to share some of my preliminary views
on the best ways to safeguard consumer privacy, as well as my
thoughts about where the Commission should deploy its
resources.
To start, I firmly believe that consumers should have the
tools to protect their personal information through
transparency and choice. As I said during my confirmation
hearing, I support the FTC's strong record of enforcement in
the area of privacy. The Commission's written testimony
highlights many of our enforcement efforts relating to privacy
and data security.
The FTC has brought more than 100 spam and spyware cases,
and more than 30 data security cases, including cases against
ChoicePoint, CVS, and Twitter. We have also charged companies
with failing to live up to their privacy promises, as in the
highly publicized privacy cases against companies such as
Google and Facebook, which together will protect the privacy of
more than 1 billion users worldwide.
As a commissioner, I will urge continuation of this strong
enforcement record.
As I also said in my confirmation hearing, I support
enactment of data security legislation. The legislation should
empower the FTC to promulgate regulations for the protection of
personal data from unauthorized access, as do the current bills
by Chairman Rockefeller and Chairman Pryor.
As a parent, I am especially concerned about protecting our
children's privacy in the face of rapid technological advances.
I support the commission's multipronged approach in this area:
enforcement, regulation, policy, research, and education.
Since the enactment on the Children's Online Privacy
Protection Act of 1998 (COPPA), the Commission has brought 18
COPPA enforcement actions. In the ongoing proceeding to amend
the rule, I will carefully consider the record as I formulate
my views.
Turning to the Commission's privacy report, I would like to
commend some important aspects of it. It calls for a policy of
privacy by design, by which companies build privacy protections
into their everyday business practices. This helps minimize the
risk of privacy breaches and concerns from the outset and
should be considered a best practice by companies as they
develop new products and services.
Appropriate use of the notice and choice concept is also
core to a sound privacy policy. And I support the report's
recognition that there is no single best way to offer notice
and choice in all circumstances. I also agree with the concept
of reducing burdens on consumers and businesses by identifying
circumstances for which choice is not necessary because the
collection and use of consumer data is consistent with the
context of the transaction or with the relationship with the
consumer.
As I have already noted, Congress has given the commission
enforcement and policy tools to provide a strong framework with
which we can protect American consumers. Some of my colleagues,
however, have supported additional privacy legislation that
would go beyond Section 5. The exact contours of such
legislation are not yet defined, but my colleagues gave general
guidance in the privacy report.
The privacy report was clear, however, that the recommended
legislation would reach practices that would not be challenged
under the current interpretation of Section 5, however.
I believe this gives me the opportunity to develop my own
opinion on what else, in addition to Section 5, may be
beneficial to consumers, such as whether additional general
privacy legislation is needed. I will consult with FTC staff,
my fellow commissioners, as well as many other stakeholders, to
gather their views on what problems and possible solutions they
see in the area of consumer privacy.
Some of the issues I will examine are what harms are
occurring now that Section 5 cannot reach, and how should harm
be measured? As my colleague, Commissioner Rosch, noted in his
dissent to the privacy report, the Commission has, in the past,
specifically advised Congress that, absent deception, it will
not enforce Section 5 against alleged intangible harm.
And the FTC's own unfairness statement suggests that the
focus should be on monetary, as well as health and safety
harms, rather than on more subjective types of harm.
Although the Commission's privacy report did not reject the
fundamental insight of the harm-based approach, it appears to
embrace an expansion of the definition of harm to include
reputational harm or the fear of being monitored or other
intangible privacy interests. As an initial matter, I have
reservations about such an expansion.
Even absent deception, financial and medical information is
protected under current law, which likely reflects most
consumers' expectations. In other areas, however, consumers
appear to have diverse views about sharing information. Thus,
it is important to proceed carefully to avoid impinging on many
consumers' preferences.
If a consumer is provided with clear notice prior to the
collection of information, there is likely no basis for
concluding that a consumer cannot make an informed choice.
I would also like to find out more about the progress of
the self-regulatory and technology-based efforts underway to
provide consumers greater transparency in choice about the
collection and use of their data.
Finally, new restrictions may also have an effect on
competition by favoring entrenched entities that already have
consumer information over new entrants who need to obtain such
information, or encouraging industry consolidation for purposes
of sharing data. As a competition agency, the FTC should be
sensitive to these concerns as well.
Clearly, the technology sector is developing at lightning
speed, and we now face issues unheard of even a few years ago.
I wish to proceed cautiously in exploring the need for any
additional general privacy legislation, however.
I have concerns about the ability of legislative or
regulatory efforts to keep up with the innovations and advances
of the Internet without also imposing unintended, chilling
effects on many of the enormous benefits consumers have gained
from these advances, or without unduly curtailing the
development in success of the Internet economy.
Thank you for allowing me to participate in today's
hearing. This committee has shown strong leadership in the area
of consumer privacy, and I look forward to working with you to
ensure that American consumers' privacy is protected. Thank
you.
[The prepared statement of Ms. Ohlhausen follows:]
Prepared Statement of Maureen K. Ohlhausen, Commissioner,
Federal Trade Commission
Chairman Rockefeller and members of the Committee. I am pleased to
join Chairman Leibowitz, who is presenting the FTC's testimony and
Cameron Kerry, General Counsel at the Department of Commerce. This is
an important topic for American consumers and I commend you for holding
this hearing. Let me say at the onset of my comments that the views
expressed in this statement are my own and do not necessarily represent
the views of the Commission or any other Commissioner.
As you know, my tenure as an FTC Commissioner began on April 4. So
while privacy is an issue in which I have tremendous interest and
commitment, my views on privacy from the perspective of a Commissioner
are just over a month old. While I have read the March 2012 Privacy
Report and formed some initial thoughts, I was not at the Commission
during its development and release. I am just now in the process of
fully educating myself on the specifics of the report and thinking
through the implications of its recommendations. So, I am not yet ready
to commit myself to specific positions on all aspects of the privacy
issues raised in the Report.
I am, however, happy to share some of my preliminary views on the
best ways to safeguard consumer privacy as well as my thoughts about
where the Commission should deploy its resources. To start, I firmly
believe that consumers should have the tools to protect their personal
information through transparency and choices. As I said during my
confirmation hearing, I support the FTC's strong record of enforcement
in the area of privacy. The Commission's written testimony highlights
many of our enforcement efforts relating to privacy and data security.
The FTC has brought more than a hundred (100) spam and spyware cases
and more than thirty (30) data security cases, including cases against
ChoicePoint, CVS, and Twitter. We have also charged companies with
failing to live up to their privacy promises, as in the highly
publicized privacy cases against companies such as Google and Facebook,
which together will protect the privacy of more than one billion users
worldwide. As a Commissioner, I will urge continuation of this strong
enforcement record.
As I also said in my confirmation hearing, I support enactment of
data security legislation. The legislation should empower the FTC to
promulgate regulations for the protection of personal data from
unauthorized access, as do the current bills by Chairman Rockefeller
and Chairman Pryor.
As a parent, I am especially concerned about protecting our
children's privacy in face of rapid technological advances. I support
the Commission's multi-prong approach in this area: enforcement,
regulation, policy research, and education. Since the enactment of the
Children's Online Privacy Protection Act of 1998, the Commission has
brought eighteen (18) COPPA enforcement actions. In the ongoing
proceeding to amend the rule, I will carefully consider the record as I
formulate my views.
Turning to the Commission's Privacy Report, I would like to commend
some important aspects of it. It calls for a policy of ``privacy by
design'' by which companies build privacy protections into their
everyday business practices. This helps minimize the risk of privacy
breaches and concerns from the outset and should be considered a best
practice by companies as they develop new products and services.
Appropriate use of the ``notice and choice'' concept is also core
to a sound privacy policy, and I support the Privacy Report's
recognition that there is no single best way to offer notice and choice
in all circumstances. I also agree with the concept of reducing burdens
on consumers and businesses by identifying circumstances for which
choice is not necessary because the collection and use of consumer data
is consistent with the context of the transaction or with the
relationship with the consumer.
As I have noted, Congress has given the Commission the enforcement
and policy tools to provide a strong framework with which we can
protect American consumers. Some of my colleagues, however, have
supported additional privacy legislation that would go beyond Section
5. The exact contours of such legislation are not yet defined, but my
colleagues gave general guidance in the privacy report. The privacy
report was clear that the recommended legislation would reach practices
that would not be challenged under current Section 5, however.
This gives me the opportunity to develop my own opinion on what
else in addition to Section 5 may be beneficial to consumers, such as
whether additional general privacy legislation is needed. I will
consult with FTC staff, my fellow Commissioners, as well as many other
stakeholders to gather their views on what problems and possible
solutions they see in the area of consumer privacy.
Some of the issues I will examine are:
What harms are occurring now that Section 5 cannot reach and
how should harm be measured? As my colleague Commissioner Rosch
noted in his dissent to the Privacy Report, the Commission has
specifically advised Congress that absent deception, it will
not enforce Section 5 against alleged intangible harm, (FTC
letter to Ford and Danforth, 1984), and the FTC's own
unfairness statement suggests that the focus should be on
monetary as well as health and safety harms, rather than on
more subjective types of harm. Although the Commission's
Privacy Report did not reject the fundamental insights of the
harm-based approach, it appears to embrace an expansion of the
definition of harm to include ``reputational harm,'' or ``the
fear of being monitored,'' or ``other intangible privacy
interests'' (see Report at iii, 20, 31), and, as an initial
matter, I have reservations about such an expansion.
Thus, even absent deception, financial and medical information
is protected under current law, which likely reflects most
consumers' expectations. In other areas, however, consumers
appear to have diverse views about sharing information. Thus,
it is important to proceed carefully to avoid impinging on many
consumers' preferences. If a consumer is provided with clear
notice prior to the collection of information, there is likely
no basis for concluding that a consumer cannot make an informed
choice.
I would also like to find out more about the progress of the
self-regulatory and technology based efforts underway to
provide consumers greater transparency and choice about the
collection and use of their data.
Finally, new restrictions may also have an effect on
competition by favoring entrenched entities that already have
consumer information over new entrants who need to obtain such
information, or encouraging industry consolidation for purposes
of sharing data. As a competition agency, the FTC should be
sensitive to these concerns as well.
Clearly, the technology sector is developing at lightning speed
and we now face issues unheard of even a few years ago. I wish
to proceed cautiously in exploring the need for any additional
general privacy legislation, however. I have concerns about the
ability of legislative or regulatory efforts to keep up with
the innovations and advances of the Internet without also
imposing unintended chilling effects on many of the enormous
benefits consumers have gained from these advances or without
unduly curtailing the development and success of the Internet
economy.
Thank you for allowing me to participate in today's hearing. This
Committee has shown strong leadership in the area of consumer privacy,
and I look forward to working with you to ensure that American
consumers' privacy is protected. I am happy to answer any questions.
The Chairman. Thank you very much, Commissioner.
I'll start with the questioning. I'll make this one to
Chairman Leibowitz.
The Digital Advertising Alliance has spent a lot of time
developing its own consumer guidelines, and they have pledged
to follow these guidelines and honor their customers' privacy
concerns. And that's a good thing.
But we all know, at least I know, that in spite of their
good intentions, and you just see this so many times, whether
it's a coal mine, whether it's natural gas, whether it's a
telephone company, whatever, whatever, whatever, repeats and
repeats, sometimes industries' self-regulatory efforts do not
end up protecting consumers.
In my experience, corporations are unlikely to regulate
themselves out of profits. Let me give you an example.
Back in the 1990s, consumers were getting bogus charges
crammed, which you referred to, on their telephone bills. And
one, I suppose, could say that consumers should understand
everything on their telephone bills, and once they've read it
in writing, if they can see the writing, they're so informed,
and, therefore, their responsibilities have been replete.
The big telephone carriers came to Congress at that time,
back in the 1990s, and they told us that they would take care
of this problem. They told us Congress didn't have to pass a
law, and that they would eliminate cramming on its own.
As you well know, Chairman Leibowitz, the telephone
industries' efforts to stop cramming were a huge failure. But
my question to you is why might the DAA's self-regulatory
effort have a better chance of succeeding?
Mr. Leibowitz. Well, let me just start by saying, as you
know, we brought a major cramming case today. It was a contempt
action against a company that we believe had violated an order.
And when I heard Senator Toomey say ``a 20-year order,''
when I first got to the Commission, I wondered why do we have
20-year orders? We have 20-year orders because this contempt
action came 13 years after we put this company under order. We
think it was more than $50 million in injury to consumers with
bogus charges placed on their bills.
So we want to work with you and this committee, in a
bipartisan way, to stop cramming.
With respect to the Digital Advertising Alliance, I think
they have made meaningful progress, and I do think that Do Not
Track will be available for consumers, I'm optimistic, by the
end of the year, one way or another, with your support and with
your efforts.
I would say this, though. We have to make sure that Do Not
Track, with a few enumerated exceptions for anti-fraud efforts,
is about ``do not collect.'' It can't be, ``I can collect
consumers' information but then I just won't target them with
advertisements, but I will monetize it, I will sell it.''
The Chairman. You cut it off at the starting point. You cut
it off at the starting point.
Mr. Leibowitz. I cut it off at the starting point?
The Chairman. Yes.
Mr. Leibowitz. Did you want me to----
The Chairman. No, no forget it.
Mr. Leibowitz. Right, sorry.
Anyway, so I think we have to work on it.
I will say this, going back to points that several of you
have made, I was on a West Coast trip to the Bay Area, meeting
with a bunch of technology companies, and they were wonderful.
We talked about privacy. We talked about competition issues.
This was just a few weeks ago. And all of them want to be
helpful on privacy. A lot of them wanted to be helpful on Do
Not Track.
And indeed, we're not debating anymore about whether there
will be a Do Not Track initiative. The industry alliance has
said they will support a form of Do Not Track. The only
question is precisely what will be in it and when it will be
effectuated.
But one of the things I heard is that companies are
sometimes concerned that they want to do the right thing, but
they don't want to be at a competitive disadvantage. And that's
why I think your efforts are very, very helpful here.
The Chairman. My time is not up.
So you go back to the DAA, and they say they're going to do
this on their own. But my understanding is that the DAA effort
leaves some rather large loopholes, as you've observed at least
to this point, and I'd like to know about that.
Mr. Leibowitz. Well, I think it depends on what the
exceptions might be to allowing consumers to opt out from third
party tracking. So if it's just for anti-fraud purposes and
perhaps for what's known as frequency capping, so people don't
get the same ad sent to them over and over and over, that might
be legitimate.
If it applies to things like marketing research, it depends
on how it's defined, because you certainly don't want a
loophole that swallows up the commitment. That's why I think
your hearing next week will be very important.
The Chairman. Yes, we're going to have that hearing.
Mr. Leibowitz. I know.
The Chairman. Thank you.
Senator Toomey?
Senator Toomey. Thanks very much, Mr. Chairman.
Just to be very clear, I think I know how you'll answer
this, but Section 5 of the FTC Act does authorize and empower
the Commission to make enforcement actions against a company
that violates its own stated privacy policy.
Do any of you believe that you lack sufficient enforcement
authority in that regard and need any kind of legislative
change, in that respect?
Mr. Leibowitz. So I would say it's a terrific tool for us,
but it doesn't do everything.
We have brought a number of cases, as Commissioner
Ohlhausen mentioned, about companies that have violated their
privacy commitments to consumers, probably more than 40,
including ones against Facebook and Google.
Having said that, there are a lot of gaps in the law. So
for example, we did a report on kids' privacy applications,
``apps,'' that go to kids through either the Android Google
system or through the Apple store.
So these apps are great for kids, but only about a quarter
of them had privacy policies. We can't mandate a privacy
policy, but I think everyone understands that privacy policies
would be a useful thing to have.
Now, we've gone back, and we've talked to Apple and Google.
And they want to work with us to ensure that there are privacy
policies, so parents know what they're giving to their children
when they're putting kids' apps on their iPhones or their
smartphones.
But part of the reason I think that the majority of the
Commission is supportive of general privacy legislation, and
you have to get it right of course, is because it would fill in
gaps. Part of it is because I think a lot of businesses want
more certainty that you can get when you're not taking a case-
by-case approach, which is what we have to do now.
We do case-by-case, and we do policy. We don't really do
regulations, except where it comes to kids' privacy, and that's
because Congress gave us specific authority to.
Ms. Ohlhausen. So that is one of the things that I want to
examine, as I get more settled in as commissioner, is if there
are things that the FTC's current authority can't reach.
But initially, I would say if there's a deceptive statement
in a privacy policy, that is a very straightforward case for
the FTC, and it's successfully brought very many of them.
Senator Toomey. And that was my question.
Ms. Ohlhausen. OK.
Mr. Leibowitz. Yes.
Senator Toomey. So with respect to a violation of a stated
policy, nobody feels as though there is any ambiguity or
insufficient authority?
Ms. Ohlhausen. Correct.
Mr. Leibowitz. None.
Senator Toomey. OK.
I think everybody here acknowledges, but just to be clear,
do you all agree that there are many companies operating on the
Internet that actively compete on the basis of the privacy
policies that they offer, that that is one of the features that
they bring attention to?
Mr. Leibowitz. I think that's a good point. And I think we
have started to see that. And of course, you know, one side of
our agency is consumer protection and the other side is
competition, and so we like to see that.
I believe when Google changed its privacy policy,
effective, I think, at the beginning of March, Microsoft had
full-page ads in the New York Times saying, you know, ``If you
want more privacy protection, use Bing.''
So, yes, we're starting to see that.
Ms. Ohlhausen. I believe that companies are starting to
compete on those issues. But of course, that has to be based on
consumer interest. That's an attribute that consumers care
about. So it's a little circular.
Senator Toomey. Well, that's the nature of the beast. If
there's a feature that is important to consumers, business,
pursuing their own self-interest, will, in fact, try to attract
consumers by providing that feature, and they will compete on
that basis.
I find your discussion about Do Not Track very interesting.
As I understand it, this is an industry effort. This is not
mandated by legislation.
Mr. Leibowitz. Correct.
Senator Toomey. It's not mandated by regulation. It's a
voluntary approach, which you're commending and which the
industry apparently sees as in its own interest to pursue.
So what do you think of this dynamic, whereby an industry,
presumably with input from consumers, discovers a process that
works for both?
Mr. Leibowitz. Well, on Do Not Track, I think the majority
of the commission is very supportive of this process. They are
making meaningful progress.
Now I think part of that is because companies want to do
the right thing. Part of it may be that the Chairman's
legislation is out there, and I think it probably has a fair
amount of support.
But we see progress, and we're hopeful that, one way or
another, we get to the finish line by the end of the year.
Again, some of it depends on precisely what's in the Do Not
Track effort, but we do commend their progress.
Mr. Kerry. Senator Toomey, there is competition on privacy
offerings. We would like to see more competition. Part of the
reason to introduce a set of privacy principles, including
transparency and control, is to create more of an active
conversation between businesses and consumers, so consumers can
make choices, understand the benefits.
The problem with existing law today, the reason that we
believe that additional FTC authority is required, is that too
much hangs on privacy policies. And there's research out there
that indicates that you have to spend 250 hours a year to read
every single privacy policy for the average consumer. That's
just not something that people are able to do.
So people don't really have a choice about the contents of
what's in a private policy. And as Chairman Leibowitz
mentioned, there are companies out there that don't have
privacy policies, and the existing authority doesn't reach
those.
So what the FTC found about mobile apps is consistent with
a broader survey of the top 50 applications found. Only a third
of them had privacy policies.
So how do you deal with people that don't have privacy
policies? There are no promises that you can hold them to under
Section 5.
Senator Toomey. I want to point out, if I could, in
closing, the premise here is, of course, that consumers want
these privacy features that you're advocating are not
available. And so the premise is there's this huge untapped
potential in the marketplace that nobody has been smart enough
to figure out.
Because if all of that is true, of course, there's a huge
incentive for a company to simply offer those policies,
advertise extensively, and then take all kinds of market share
away from the not-so-clever competitors who haven't figured out
that that's important to consumers.
So I think that we ought to proceed very cautiously when
that's an underlying assumption.
The Chairman. I'll call on Senator Kerry, but I have to
point out, Senator Toomey, that's an outstanding assertion,
outstanding degree of faith in the knowledge and time of the
people.
Senator Kerry?
Senator Kerry. Thank you, Mr. Chairman.
Commissioner Ohlhausen, eBay, Hewlett Packard, Microsoft,
Intel, Verizon, other industry leaders, support the legislation
that Senator McCain and I have introduced. Obviously, these are
all capable companies and important to consumers, et cetera.
You said there might be an unintended chilling effect. They
don't see an unintended chilling effect. They've signed up.
They think this is important.
Do you not have faith in the American consumer, if they're
given choices, that they can make those choices? And what's the
unintended chilling effect to the American consumer?
Ms. Ohlhausen. Thank you, Senator Kerry. You raise a very
important issue. And that's one of the things that I want to
explore.
As I said, I'm one month into my tenure, and this is one of
the things I want to find out more about.
But I do think that there is the possibility that companies
that are already entrenched and have the data that they need to
create their products may not have the same concerns as a new
company that may have a new product that we haven't even
thought of yet that may use consumer data in a different way.
Senator Kerry. But they're all going to be held to the same
standard. The issue here is the individual American consumers'
privacy. I mean, they're all going to be held to the same
standard.
I mean you've set forth the idea that, conceivably, I think
you have an economic or physical harm standard that you are
applying. But the problem is, what happens if there is, you
know, if no risk of economic or physical harm can be proven,
but something very personal to people is exposed, a health
issue, that they might have cancer? What if their sexuality is
exposed? What if they might be having an affair or something,
and that's exposed?
That's damage. It's a violation of their privacy.
How do you wind up with this sort of notion that it's only
a physical or economic harm?
Ms. Ohlhausen. Senator, what I was addressing was how the
FTC has already said it would apply its unfairness authority,
and what it has told Congress in the past what the limits were
of that.
For the FTC to recommend new legislation that would take
into account additional harms is something that I think needs
careful consideration.
Senator Kerry. Well, that's what we're trying to give it.
That's exactly what we're doing. We've been giving this careful
consideration for 2 years now. It seems to me, we need to kind
of break through here a little bit.
Let me try to get further in that, because some of the
argument from Senator Toomey and others is sort of this notion
that somehow this is going to interfere with the freedom to
create new apps and so on and so forth. I just don't see that.
Consumers choosing how their information is going to be
managed is not going to affect what people are going to offer.
They're going to offer it with protections, I would assume.
But let me ask specifically the other two witnesses, what
other privacy principles, other than just this idea of
transparency and choice? There are other privacy principles at
stake here, like data retention limits, for instance, or
purpose specification, et cetera.
Can you talk about, either of you, sort of what the breadth
of interests are here that go beyond just the transparency
choice?
Mr. Kerry. Thank you, Senator Kerry.
As I said in my remarks to Senator Toomey, we can't depend
just on notice and choice. You know, that is part of the
problem with the existing system.
The principles that we've outlined--transparency, respect
for context, security--incorporate, I think, some of the
additional principles that you have talked about.
We articulated the principle of focused collection, which
incorporates both use limitations and data minimization.
Senator Kerry. Can you sort of break it down in a practical
way of how that would affect somebody?
Mr. Kerry. Well, the principle recognizes, and the reason
we've articulated it a little bit differently than simply data
minimization, is that, in the age of big data, there's a great
deal of data collection that has public benefits, benefits to
public health, to research, and often in unforeseen connections
in data.
So we don't want to discourage that, but what we do want to
discourage, I think consistent with the principle of privacy by
design, as the FTC has articulated it, is that people make
conscious, considered decisions about what data they need to
collect and what data they need to retain.
Mr. Leibowitz. Yes, and if I could just followup, I think
embedded in your approach are several important principles, one
of them Mr. Kerry mentioned, which is privacy by design.
Another one is more transparency, because that could be one of
the benefits of having stakeholders involved in developing
codes of conduct.
We have found, and we discussed this in a previous hearing,
we have found privacy policies in the mobile space that are 102
clicks. Nobody reads that except our staff, who we asked to
read it.
And then the other thing, and this is part of the reason
why I think businesses are so supportive of things like Do Not
Track and of general privacy legislation is it creates a
virtuous cycle. If consumers have more control, they generally
feel like they have more trust in the Internet, and they engage
in more commerce.
And so I think part of the reason why companies support
general privacy legislation is because it's the right thing to
do. I think part of it is because it becomes a virtuous cycle.
Now as my colleague Commissioner Ohlhausen has mentioned,
you do have to watch out for barriers to entry, because on our
competition side, you sometimes see the big guys doing things
to make it tougher for new innovators. But we have not seen
that problem on privacy issues thus far.
The only other point I just wanted to mention is that we
try not to take speculative harm into account when we bring
cases. We do take reputational harm into account from time to
time, and these are bipartisan, unanimous cases.
So for example, in the Google Buzz order that we have,
Google tried to jumpstart its first social network, Google
Buzz, by taking confidential Gmail information, which they had
said would remain private, and making it public.
And by doing that, certain information, like the fact that
someone might be seeing a psychiatrist and be communicating on
Gmail with that psychiatrist, became known to other users.
And so that kind of harm, where it's not speculative, I
think is one that we do take into account under our statute.
Senator Kerry. Well, I appreciate it.
Thank you, Mr. Chairman. Let me just say, I think it's
important--I mean, look, if you have that choice and
transparency, you'd be better than you are today, there's no
question about that. But you'd still have a problem, because
people could still take your information, use it anyway they
wish, store it indefinitely. And you wouldn't have any control
over a third-party purchase or a third sale or, you know,
what's the standard by which that information is going to be
kept? What happens to it after it has been there for a long
period of time?
There are a lot of things there where there's an
expectation, I think, that has to be protected here, or people
have to have a greater knowledge about, than just the choice of
what they may do.
The Chairman. Thanks, Senator Kerry.
Senator Klobuchar?
STATEMENT OF HON. AMY KLOBUCHAR,
U.S. SENATOR FROM MINNESOTA
Senator Klobuchar. Thank you very much, Mr. Chairman.
Thanks for holding this hearing. Thanks to our witnesses.
I wanted to first thank you, Chairman Leibowitz, for the
work on cramming that I know you're doing. It has been
something that I've been focused on for a while, along with our
attorney general in Minnesota. And we've made some strides with
some of the major telephone companies, as you know, agreeing
for landlines to police this in a better way. And I saw
yesterday you announced you're seeking a civil contempt ruling
against the third-party billing company.
So I want to thank you for that, even though it's exactly
not on topic, it is kind of, but then move on to some other
things.
Today, I introduced, along with Senator Blumenthal and a
few other Senators, and we have companion House legislation, a
bill on password privacy, and it's called the Password
Protection Act.
And this of course came out of a number of us had gotten
contacted by people who had been asked for passwords, and
there's been some reports on it. And we worked, actually, with
Facebook and Google and Twitter and a lot of the groups. And
there seems to be some widespread support for putting some kind
of a rule in place to make clear that at least the data that
people intend to have be private is private, what I think
former Justice Brandeis used to call the right to be left
alone.
With the new technology, it's very difficult for the laws
to keep up. And I was just wondering what the FTC, and you, Mr.
Kerry, what the Department of Commerce, is doing with regard to
these issues and if you have things come up with password
issues and the like?
If you want to start?
Mr. Leibowitz. Well, we have some concern, and we've
expressed some concern, about the practice of employers asking
for Facebook passwords. And we have communicated that to
Facebook.
It sounds like Facebook is working with you. They've also
noted that this may not be consistent with their terms of
service.
And so it is something we are concerned about. It may be
something, by the way, that isn't within our unfair deceptive
acts or practices authority. It's an interesting question we
were discussing today before I came up here.
But we want to work with you going forward on your
legislation.
Senator Klobuchar. Very good.
Mr. Kerry?
Mr. Kerry. Thanks, Senator Klobuchar.
Our proposals, frankly, focus on the relationship between
consumers and the companies that they deal with, not with their
employers.
But I would say is that the use of that information by
employers is reflective of one of the critical realities of
where we are in the world of information today, that there is
so much information out there about people. And the ability to
collect and to aggregate that information has gotten so
extensive that it is possible to learn things about people that
constitute sensitive information, even though that sensitive
information hasn't been put out there, you know, by itself.
To take Chairman Leibowitz's example of somebody doing a
search on health information, now, we protect health
information under HIPAA. Health care providers have to protect
that. But you could find, you know, by aggregating information,
you can find out health information but not be subject to those
protections.
So the ability to aggregate information creates new risks
of harm that haven't existed.
Senator Klobuchar. Right. And it's the same with the
information that might be under password, things about people's
religious status, things you would not ask about in an
interview that would be behind a password.
So, you know, we're hoping, working with the business
community, there will be some support here, too, as well as
what the rules of the game are for them. And so we have been
working on that.
My last question is just about industry self-regulation. I
think it is important to recognize the proactive steps industry
has undertaken to set up and follow best practices, self-
regulatory agreements. Now we just need to get the word out,
and make sure they are easy for consumers to use, if they want
to.
How are your agencies working with industry to help get the
word out about consumers' right to privacy and how they can
make privacy decisions that are right for them? Basically, how
do you educate the public about the tools that are out there
now, and in addition to what we may be working on, but what's
out there now? And how are you working with self-regulation
entities to make sure that these policies are consumer-
friendly?
Mr. Leibowitz. Our report, ``Protecting Consumer Privacy in
an Era of Rapid Change''--I think most of the members of this
community are familiar with it--was drafted after working with
stakeholders. We held numerous workshops. We put out a draft
report, which companies generally liked. We also got more than
460 comments from industry representatives, consumer groups,
and various other people who had something to say. And some of
those comments are very detailed and very, very helpful.
I would say that the pace of self-regulation has been
fairly uneven. And I think that even if you ask the best
companies, companies with the best privacy practices, about
that, they would say that's part of the reason why they are
interested in things like Do Not Track standards and privacy
legislation, is so that we will be migrating towards a more
even playing field, and also one where consumers have more
trust in the Internet, which, again, contributes to a virtuous
cycle of more trust and more commerce online.
Senator Klobuchar. OK, very good. I think I'm out of time.
And I will get any other answers in writing from all of you,
and also put in a question on cloud computing, something I'd
like to ask you all about, so thank you very much.
The Chairman. Thank you, Senator.
Senator Pryor?
STATEMENT OF HON. MARK PRYOR,
U.S. SENATOR FROM ARKANSAS
Senator Pryor. Thank you, Mr. Chairman.
Let me start with you, if I may, Ms. Ohlhausen. I'm curious
about your impression of the average Internet users'
understanding and realization of the extent that his or her
information is being collected, and then how it's being used,
and how it might affect their lives.
I'm just curious about your sense of how the average
Internet user, how much he gets of all this.
Ms. Ohlhausen. Well, thank you, Senator Pryor.
That is one of the issues I'd like to find out more about
as I talk to FTC staff and stakeholders. I do believe that
there are consumer expectations that financial information will
be secured, that medical information will be secured.
But as you get away from some of those areas, I do think,
for example, in first-party marketing issues, the FTC, in its
online behavioral advertising and also in this privacy report,
has noted that consumers do expect that the website that they
are dealing with may be serving them ads, may be using
information to market to them subsequently.
As you move away from that paradigm of a one-on-one
relationship, I think those are good questions that I would
like to explore further.
Senator Pryor. Mr. Leibowitz, let me ask you a three-part
question.
From your standpoint, first, are there adequate tools
available? And second, are consumers sufficiently aware of
those tools? And then third, are they exercising their choice
and their controls?
Mr. Leibowitz. That's a great series of questions.
I would say for some things, adequate tools are available.
So for example, if you want to go online, Mozilla, I believe
Google, and possibly even Microsoft, offer browsers where you
can go incognito. So that's an interesting way for consumers if
they want to, and if they are aware, to use a tool that
empowers them.
I think the best companies generally are better about
empowering consumers and giving them more tools and more
information.
But in some instances, consumers just aren't aware and this
goes back to Senator Toomey's point. You know, we all would
like to see more competition for privacy, but when you have
privacy policies that are on the mobile space, that are dozens
of clicks to read through, it's just hard to have competition
without transparency and understanding what your tools might be
and what your options are.
And I'd also say this, some companies give better
protections in the teen space, which I know some of you are
concerned about. Others don't. And so we have encouraged
companies--again, this is not a regulation, we don't regulate
in that space--to give more opt-in approaches to teens, because
as we all know, kids are sometimes tech savvy but judgment
poor.
Senator Pryor. Right.
Yes, I actually was going to ask about teens next, Mr.
Leibowitz, if we could go to that.
And that is, I know that we don't require privacy policies
right now. But should we require privacy policies when it comes
to kids and teens?
Mr. Leibowitz. I think that's something we would like to
work with you on, because I think if you can encourage or
require companies, again, because under the Children's Online
Privacy Protection Act there are some specific obligations. As
this committee knows, we're in the process of updating the
COPPA obligations.
I think that's a really good thing to have, so that teens
understand some of the consequences. All too often, it's after
they recognize the importance of privacy, which most consumers
do recognize, if you look at any polling data, but all too
often, teens recognize the importance of privacy only after
they've sent or posted something or read something that caused
some harm.
So I want to work with you on that issue going forward.
Senator Pryor. That would be great. And as we work on that,
I'd love to get your thoughts on if, and if so, how, operators
are misusing teens' personal information. I know you probably
have some data, but a lot of anecdotal evidence on that.
But let me get to Mr. Kerry, if I can, because I'm almost
out of time here.
And, Mr. Kerry, I know a few moments ago, when Senator
Klobuchar was wrapping up, it looked like you had an answer for
her and you had a document in your hand, you were maybe going
to answer, so I'll give you a chance to do that.
But first, let me ask about state attorneys general. Is it
the administration's or the Department of Commerce's view that
State AGs and the FTC should have the authority to seek civil
penalties for violation of voluntary privacy commitments or
codes of conduct?
Mr. Kerry. Senator, we believe that state attorneys general
along with the FTC should be the prime enforcement vehicle.
It's important that that enforcement have some weight. We would
certainly be glad, as we move forward, to work on legislative
language, to work with you to look at how best to do that.
Senator Pryor. And did you want to----
Mr. Kerry. Sure, Senator Klobuchar had asked, I think, the
question about building consumer awareness. The document I was
getting out, Chairman Leibowitz held up his agency's report.
The appendix in the White House Blueprint sets out the Consumer
Privacy Bill of Rights. And in doing that, we tried to put it
in plain and simple language, and put it into a stand-alone
document that is something that consumers can use to understand
what to expect from businesses as a tool to build consumer
awareness.
And that's something we will work to implement through the
multistakeholder processes that we've now embarked on. I think
it's important to say that those processes are not just self-
regulation. We want to involve all stakeholders, to involve
consumer groups, so that the codes of conduct look out for the
interests of everybody and not just the affected business
community.
The Chairman. It was interesting to me that in some of the
comments that were made, people talked about breaking the
Internet, as if this onslaught--and it was also interesting to
me that some didn't talk at all about consumers. They talked
about the rights of an Internet to be able to develop in any
way, shape, or form that would be, and didn't get around to
talking about the effects on consumers.
So I want to get at this, Mr. Kerry, with you, and also
with all three of you, actually.
This breaking the Internet policy, that if we were to pass
some legislation--I mean we've been working actually, Senator
Kerry said, too, that's specific. We have been working on this
for about 10 years on the Commerce Committee, without the vigor
that we have been recently, but this is an ongoing process.
So privacy laws already protect people's phone
conversations. They protect people's television habits. Privacy
laws protect people's medical records, their financial data.
And clearly, our privacy is protected in other technologies
where there is sensitive information.
Now how does this--which is called protecting the American
people in ways in which they have every right to expect to be
protected and expect very thoroughly to be projected--do we get
into breaking the Internet?
It's unclear to me that in any way, by any of these types
of things, do we attack the rights and privacy of the Internet
in their own business.
Mr. Kerry. Well, I'm pleased to answer that question, Mr.
Chairman, because preserving the dynamism, the innovation, the
economic growth that the Internet has been such a powerful
instrument of has been absolutely a guiding premise of the work
that we've done.
And that's why the model that we've adopted doesn't follow
a traditional rulemaking model. That simply doesn't work in the
Internet environment. It doesn't operate at Internet speed.
That's why we've incorporated in a multistakeholder model,
building on top of a baseline, a floor of rights that consumers
can expect that would apply across the board, regardless of the
business, regardless of the sector, to develop a set of codes
of conduct using the same structures of multistakeholder policy
development standards, consensus, that have been so successful
in the Internet space.
The World Wide Web Consortium, the IEEE, these are the
governing bodies of the Internet that have operated not as the
product of any one government, but as a public-private
partnership involving business, involving civil society.
It's worked tremendously and successfully. It could work
successfully in this space.
Mr. Leibowitz. Yes, and if I could just follow up, Mr.
Chairman?
I think the General Counsel is exactly right. Privacy and
innovation generally go hand in hand, and you can protect
consumers and promote innovation.
And with respect to Do Not Track, the proof of that is that
the business community supports it and is supportive of moving
forward with a Do Not Track option for consumers.
The Chairman. But was it not--and I need to call on you,
Commissioner.
Ms. Ohlhausen. OK.
The Chairman. But was it also not true that a number of
companies got very enthusiastic about doing Do Not Track on
their own right after your report came out?
Mr. Leibowitz. I would say there was, among the browser
companies like Microsoft and Mozilla and Apple, a lot of
support for it. There continues to be. Again, there are a few,
you know----
The Chairman. I'm asking about the timing question. Am I
wrong on that?
Mr. Leibowitz. Yes, they were very supportive early on, and
we think they have made progress since.
The Chairman. No, that's not the question I asked.
They came out in support right after your two reports came
out.
Mr. Leibowitz. Yes, yes. More of them also came out after
the report; that is correct.
The Chairman. Yes.
Mr. Leibowitz. Yes, sir.
The Chairman. Commissioner?
The Chairman. We're still on breaking the Internet.
Ms. Ohlhausen. Yes, I figured we were.
So I think that's a very important issue and one that some
commenters have raised concerns about.
And in the debate, you get a wide array of views. People
express great concerns about that, and other people have great
concerns about consumer privacy.
And I think the FTC generally has tried to strike the
balance of meeting consumer expectations. So if consumers have
protections and expect protections about their financial
information and their medical information, I think the FTC has
done a good job in bringing cases that advance those
expectations for consumers. They are deception-based cases
often, but occasionally there are fairness-based cases.
So I think, for me, that's one of the most important things
that I need to look at it is, is this going to meet consumer
expectations, and is this going to meet consumer preferences,
because consumers do also enjoy using a lot of the new
benefits, new services, that the Internet offers.
So if we have a solution that consumers ultimately end up
unhappy with, because they've lost some of these services,
these conveniences that the Internet has provided them, I'm not
sure we're striking things in the right balance.
But I think the important thing is to strike the right
balance for the benefit of consumers.
The Chairman. Thank you.
Senator Udall?
STATEMENT OF HON. TOM UDALL,
U.S. SENATOR FROM NEW MEXICO
Senator Udall. Thank you, Mr. Chairman. And sorry I wasn't
here earlier. As you know, we have so many things going on.
The Chairman. We were all talking about it.
[Laughter.]
Senator Udall. Yes. I understand.
And I hope you all forgive me, but an incredibly important
subject. The Chairman always focuses, I think, on what the
American people are concerned about.
And I just hear a lot of discussion in New Mexico about
this whole privacy issue. And I apologize if I'm going over any
ground that you've already hit here.
But I just had a couple of questions.
Chairman Leibowitz, the FTC has recently settled privacy
cases with well-known online companies used by millions of
Americans. Could you explain how these settlements will benefit
consumer online privacy and how have these settlements
encouraged other companies to change or improve their privacy
policies?
Mr. Leibowitz. Well, if you are talking about our
settlements with, say, Google, for Google Buzz, and Facebook,
we found what we believed to be violations of the law.
Essentially, those companies made commitments about keeping
information private that we believe they did not keep, or they
didn't honor their commitments. And so we brought cases against
them and had settlements.
In the settlements, they're required to be monitored. They
have to engage in privacy by design. And most importantly, if
you combine the Facebook and the Google matters, they protect
more than a billion consumers worldwide. And if those companies
want to change their privacy settings, they have to give
consumers an opt-in going forward to do that.
And then of course, when you are under order, we, unlike
most attorneys general, and you've missed this discussion, but
I know you were--who have fining authority, we do not have
fining authority. But if you are under order, we can then fine
you for second violation. We hope, of course, we don't see
second violations here.
Senator Udall. Yes.
And, Mr. Kerry, you note in your testimony that the
European Union is moving forward with data privacy regulations.
Is there concern if Europe moves forward with privacy rules
while the U.S. does nothing, that European regulations will
essentially become the global norm that U.S. companies follow?
Mr. Kerry. Senator, thank you, yes, that is a concern. It's
a concern that we've heard from many companies.
I said in my oral remarks that I defend the American system
of privacy and the commitment that we have in our laws. But we
do not want to let other countries set a default standard.
There are certainly points in common between what we are
proposing and what the European Commission has proposed. But
there are also concerns that there are ways that that gets into
prescribing technology and other kinds of prescriptions that
could operate as barriers to entry, that could inhibit the free
flow of information across international borders.
So it is important to move forward here. I think we are
here because our mission, as this committee knows well, is to
promote the domestic and international commerce of the United
States. We would not be promoting privacy legislation if it did
not promote the foreign and domestic commerce of the United
States.
I think the fact that we are sitting here alongside
Chairman Leibowitz, who has also proposed advocating for
legislation, reflects the convergence of economic and business
and consumer interests in this area.
It's important to consumers. It's important to business.
It's important to global commerce.
Senator Udall. Thank you.
Commissioner, do you have any thoughts on those two?
Ms. Ohlhausen. Well, I do believe the international element
of privacy regulation is very important. But I have to admit,
it's something I need to educate myself on a little further
before I could offer anything very useful at this point.
Senator Udall. Thank you.
Thank you, Chairman Rockefeller. I really appreciate it.
The Chairman. Thank you, the Right Hon. Tom Udall of the
State of New Mexico.
I'd just like to close with a couple.
We talk about the Digital Advertising Alliance is making it
very clear they want to cooperate, and they appear to be doing
so. But there are two areas where they still can collect
information under their own definition. And I think one of
those is market research, and the other is product development.
Now, that doesn't take me to a series of blisses or sins,
but I get very nervous when I read that about those two little
snippets being able to swallow up the rule.
What is it that allows them to get? And after your
question, can you talk about what you are doing to make sure
that they don't get that, if you can?
Mr. Leibowitz. Well, I think from the perspective of the
majority of the Commission, we entirely agree with you. Do Not
Track has to mean ``do not collect'' if it's going to mean
anything. There might be a few narrow, enumerated exceptions,
for example, for anti-fraud purposes.
But we are working with the Digital Advertising Alliance at
this point. We think by the end of the year, I believe that one
way or another, whether it's legislative or whether it's by
virtue of resolving some of these matters--and of course,
there's another forum, the World Wide Web Consortium, where a
lot of the companies are working with technologists and
consumer groups to come up with a standard and what it would
entail.
But one way or another, we believe that--I believe that--by
the end of the year, there is going to be meaningful Do Not
Track for American consumers, so they can opt out of third-
party advertisements, and that's critically important for
consumers, if you want to have more trust, as the General
Counsel said, in Internet commerce.
The Chairman. I'd agree with that, and I guess I'll just
close with this, that the statement was made here that it's in
the nature of the Internet industry, the Web industry,
whatever, to compete for the trust of consumers, and that in so
doing, they will get the trust of consumers. And therefore,
there's no need to even consider regulation.
That does sort of go against my general theory of corporate
America. I mean, in other words, if you talk about competition,
that is some of the most, you know, cutthroat competition that
exists going on in precisely that world at this time. People
merging and swallowing and doing all kinds of things.
It doesn't make sense to me that people would compete for
something which is not in their economic interest, except as
they are required to do so by a higher power, which understands
that protection is not just what is already on the books, but
protection is a part of the rule of law, so to speak, in
America.
Mr. Leibowitz. Well, if I can just respond to that. Imagine
Commissioner Ohlhausen and I are competitors. And she wants to
do the right thing, and I want to collect as much information
as I possibly can and monetize it in every way I can. Well,
she's at a competitive disadvantage, because I'm making more
money while she is trying to protect consumers. And so that's--
--
The Chairman. She's being virtuous.
Mr. Leibowitz. She is being virtuous, and she is virtuous.
[Laughter.]
Mr. Leibowitz. And she's a wonderful member of the
Commission already.
[Laughter.]
Ms. Ohlhausen. And if I'm a corporation, I would probably
try to advertise the fact that I am virtuous and get consumers
to come to my company rather than----
Mr. Leibowitz. But of course, if the Leibowitz Corporation
isn't playing along, and we're making more money, you know,
it's not necessarily fair to the Ohlhausen Corporation.
So, you know, you understand this. And that's why things
like voluntary stakeholder-driven codes of conduct can be very,
very useful. It's why, at the end of the day, we're hoping
that--the Digital Advertising Alliance and the companies behind
it represent, I think, 90 percent of all advertising on the
Internet. When you get to 90 percent, if they're all making
commitments not to collect--and again, a lot of those companies
I believe, having talked to them individually, would be very
comfortable with limitations on collection, the kind you and I
envision. I think that would be very, very meaningful for
consumers.
Mr. Kerry. And if I could add that the trust that the
Ohlhausen brand would build up would permit another company, we
won't call it the Kerry Company, to operate under the radar,
without respecting the same standards. That's why we need a
baseline.
The Chairman. Exactly.
I thank all three of you very, very much. This is a new
beginning in this whole area.
And the floor is not an easy place, and the Senate is not
an easy place to get legislation passed, as you may have
noticed. But that doesn't stop us. We've got to do our work.
And it's incredibly important work, particularly in this
particular new age, controlling of the new age, set of business
that we are dealing with.
So I thank you and the hearing is adjourned.
[Whereupon, at 4:05 p.m., the hearing was adjourned.]
A P P E N D I X
Response to Written Questions Submitted by Hon. John F. Kerry to
Hon. Jon D. Leibowitz
Principles that Require Protection
Question 1. According to a survey from Consumer Reports, 71 percent
of respondents from a recent survey said that they had concerns about
companies distributing their information without permission, while 56
percent said they had similar concerns about companies that hold onto
data ``even when the companies don't need it anymore.'' Cases brought
to date on privacy rely on the FTC's ability to protect people from
deception. That is, a company cannot do something with your information
that they told you they would not do. That is insufficient in the minds
of many Americans as reflected in this poll since fighting deception is
not a requirement for consent for collection or distribution and it
does not place any limits on data retention. Deception is also silent
on the other fair information practice principles including the right
to access. Can you talk about why the other privacy principles like
data retention limits and purpose specification are necessary and not
simply a regime of notice and choice?
Answer. Our report notes that ``privacy by design'' should include
providing reasonable security for consumer data, collecting only the
data needed for a specific business purpose, retaining data only as
long as necessary to fulfill that purpose, safely disposing of data no
longer in use, and implementing reasonable procedures to promote data
accuracy. By implementing these principles, companies can shift the
burden away from consumers who would otherwise have to seek out privacy
protective practices and technologies. For example, in a pure ``notice
and choice'' regime, consumers would have to sift through privacy
policies to determine which companies maintain reasonable data
security, and exercise choice by only doing business with those
companies. Consumers should not bear this burden; instead, companies
should make reasonable security the default.
Tracking and Your Property
Question 2. For a company to track an individual's behavior and
activities on the Internet, it has to put a tracking technology on a
person's computer or smartphone. Do you believe it is the right of the
collectors of information to place such tracking devices on a person's
property and collect information without that person's knowledge or
participation or collect information that has nothing to do with the
service being provided and if not, what in the law stops that from
happening today?
Answer. Online tracking is a ubiquitous practice that is largely
invisible to consumers, and numerous surveys show some level of
consumer discomfort with online tracking. A person's computer or
smartphone is his property, and consumers need to have the ability to
learn what information is being collected and how it is used and
shared--especially with respect to invisible data collection.
A majority of the Commission continues to call for the
implementation of a Do Not Track mechanism that would give consumers a
choice about whether to be tracked. Although we have asked Congress to
consider enacting general privacy legislation to set baseline
standards, we have not called for Do Not Track legislation
specifically, in part because industry has responded to our call and is
making progress. I am optimistic that, by the end of the year, industry
will have developed a Do Not Track mechanism that meets five criteria:
it should be implemented universally; it should be easy to use; any
choices offered should be persistent and should not be deleted if, for
example, consumers clear their cookies or update their browsers; an
effective Do Not Track system would opt them out of collection of
tracking data, with some narrow exceptions like fraud detection; and a
Do Not Track system should be effective and enforceable.
Who is Authorized to Share Your Data?
Question 3. A Wall Street Journal examination of 100 of the most
popular Facebook apps found that some seek the e-mail addresses,
current location and sexual preference, among other details, not only
of app users but also of their Facebook friends. Should consumers
expect that things they share with a group of friends they choose on
social networking sites in turn makes those friends authorized
distributors of access to them and their information? Does that raise
any concerns for you?
Answer. We share your concern about the privacy of information
collected through applications, particularly personal data such as
photos and videos, address books, and location information. Many
consumers are not aware of the extent of data being collected through
apps and how that data is being used. In our case against Facebook, for
example, we challenged the company's failure to disclose that a user's
privacy settings did not prevent apps used by their friends from
accessing personal information. Recent reports also highlight apps
access and sharing practices--for example, a recent FTC staff report
about children's mobile applications revealed that consumers are
provided with very little information about applications' data
collection and sharing practices. As a result, consumers are
increasingly uneasy about the privacy of such information.
The lack of transparency and choice in the app marketplace is an
example of why the FTC believes that Congress should consider baseline
privacy legislation that includes increased transparency, simpler
choice, and privacy by design. In the meantime, we will continue to
encourage everyone--stores, developers, and third parties--to step up
their privacy efforts and provide meaningful privacy protections for
consumers.
At the same time, if consumers choose to share their information
with hundreds of friends, they should be aware that those friends could
actively further share their information, through oral conversations,
e-mails, tweets, and the like. We have tried to educate consumers on
safe social networking, and have developed materials for consumers,
parents, teens, kids, and educators. Among other things, we tell
consumers to be careful what they post online, because they may not be
able to take it back.
Communication over Open WiFi
Question 4. The FTC, the FCC, and the Department of Commerce
concluded that Google violated no laws when it collected private
communications transmitted over unencrypted WiFi connections. Should
collectors respect fair information practice principles if that
information is transmitted over a WiFi network or is that not necessary
in this context?
Answer. As a general matter, our privacy report recommends that
companies implement privacy by design as part of best practices--which
includes reasonable limits on data collection as well as implementing
data security for the information that is collected.
Section 5 of the FTC Act is a broad statute that allows us to
accomplish a great deal, but we can only use it to challenge practices
that are deceptive or unfair. We cannot use it for everything--for
instance, in most circumstances we cannot mandate privacy policies
under Section 5. This is why we believe Congress should enact data
security legislation and consider implementing general privacy
legislation to give baseline protections for all consumers.
Inconsistencies in Law
Question 5. Today, we have laws governing privacy when a bank is
collecting your information or when a doctor or hospital is collecting
your information. We also have laws governing telephone companies
tapping your communications or cable companies tracking your watching
habits. Isn't similar or identical information collected and use
without a governing framework on the Internet every day and what makes
that disparity in law rational?
Answer. Presently, there is some existing sector-specific
legislation that already imposes privacy protections and security
requirements through legal obligations. However, these laws do not
necessarily apply to all business or all personal information, and as a
result consumers may be vulnerable both online and offline. Because of
these legislative gaps, our privacy report calls for Congress to
consider general privacy legislation and sets forth a framework to
encourage best practices by providing an important baseline for
entities not subject to sector-specific laws. We believe that by
implementing privacy by design, increased transparency, and better
control, companies can promote consumer privacy and build trust in the
marketplace.
The European Privacy Standard
Question 6. What is your understanding of where the European
privacy protection legal framework update stands and how does it
compare to what your agencies have proposed?
Answer. The European Commission proposed its revised privacy
framework on January 25 of this year. The EU Parliament and the EU
member states are currently reviewing that proposal. Part of the
proposal is for a regulation to cover commercial and civil regulatory
activities. The FTC has followed that part of the proposal very
closely. FTC staff has shared views with European Commission
counterparts, both before the proposed regulation's release in January
and since, and our most senior officials have maintained an open
dialogue with the various European stakeholders on a variety of privacy
issues.
As to how the European Commission proposal compares to the
frameworks proposed by the Administration and the FTC, we are largely
pursuing the same ultimate goals on both sides of the Atlantic. In
fact, the frameworks show many similarities. These include promoting
privacy-by-design, improving transparency, providing rights to access
and rectify information, promoting the development of industry codes of
conduct, strengthening data security, protecting children's privacy,
and exploring the idea of giving consumers the ability to erase certain
personal information that they have previously put on the Internet.
Another point of comparison is the issue of comprehensive privacy
legislation, which the Europeans have and which has been proposed for
the United States commercial sector. We view such legislation as
important for privacy protection in the U.S. that, in addition to
protecting U.S. consumers, also helps to build an internationally
interoperable framework for data transfers that both protect people and
also encourage the free flow of information. The goal is not complete
harmonization with the EU, but rather interoperability between
different systems based on larger shared values and based on practical
solutions to bridge differences in our respective regimes.
Of course, we think there is also room for improvement in the
proposed EU regulation. For example, we have discussed with our
European colleagues the available mechanisms for commercial cross-
border data transfers between the EU and the U.S. We are also
discussing the issue of cooperation between regulatory authorities,
especially on enforcement matters. Our concern is to ensure that
transfer restrictions on data in the proposed regulation do not unduly
interfere with legitimate information exchanges and cooperation between
regulatory authorities like the FTC and its counterparts.
______
Response to Written Questions Submitted by Hon. John F. Kerry to
Hon. Maureen K. Ohlhausen
Principles that Require Protection
Question 1. According to a survey from Consumer Reports, 71 percent
of respondents from a recent survey said that they had concerns about
companies distributing their information without permission, while 56
percent said they had similar concerns about companies that hold onto
data ``even when the companies don't need it anymore.'' Cases brought
to date on privacy rely on the FTC's ability to protect people from
deception. That is, a company cannot do something with your information
that they told you they would not do. That is insufficient in the minds
of many Americans as reflected in this poll since fighting deception is
not a requirement for consent for collection or distribution and it
does not place any limits on data retention. Deception is also silent
on the other fair information practice principles including the right
to access.
In your testimony, you state, ``I firmly believe that consumers
should have the tools to protect their personal information through
transparency and choices.''
In light of the clear evidence that there are numerous collectors
of information that provide the people on whom they are collecting
information with neither transparency nor clear choices, would you
support a law requiring the tools you believe consumers should have?
Answer. Although a substantial portion of the FTC's privacy
enforcement has been based on deception as your question indicates,
there are other legal avenues available to the FTC in this area. Thus,
if there is consumer harm occurring from sharing data with third
parties, I would first consider whether we should make fuller use of
existing FTC statutory authority. For instance, the Commission has
routinely used its unfairness authority to reach conduct that did not
involve a deceptive statement but caused substantial harm that is not
outweighed by any countervailing benefits to consumers or competition,
and that consumers themselves could not have avoided reasonably. A
number of these cases involve the sharing of consumer information with
third parties in a way that risked substantial consumer harm. For
example, in 2004 the FTC used its unfairness authority to obtain a
settlement from Gateway Learning Corporation for renting personal
information provided by consumers on the Gateway Learning Website
without seeking or receiving the consumers' consent.\1\ The FTC has
also used its unfairness authority on multiple occasions to target
companies that failed to use reasonable security measures to protect
sensitive consumer data.\2\ the FTC also has actively enforced other
statutes that prohibit sharing sensitive consumer data with third
parties under certain circumstances, such as the Children's Online
Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA),
and the Gramm-Leach-Bliley Act (GLB).
---------------------------------------------------------------------------
\1\ Decision and Order, In re Gateway Learning Corp., 138 F.T.C.
443 (Sept. 10, 2004). In this case, the FTC claimed that the material
revisions Gateway made to its privacy policy, and the retroactive
application of those revisions to information it had previously
collected from consumers constituted an unfair act or practice because
the conduct caused substantial injury to consumers that was not
outweighed by countervailing benefits to consumers of competition. The
Complaint also alleged that the revisions were false and misleading.
\2\ See Complaint, In re BJ's Wholesale Club, Inc., FTC File No.
0423160 (Sept. 20, 2005) (The FTC alleged that BJ's Wholesale's failure
to take appropriate security measures to protect its consumers'
sensitive information constituted an unfair practice. The Complaint
argued that BJ's security failures allowed unauthorized persons to
access sensitive consumer information, and use that information to make
fraudulent purchases.); Complaint, In re DSW, Inc., FTC File No.
0523096 (Dec. 1, 2005) (The FTC alleged that DSW's failure to take
reasonable security measures to protect sensitive consumer data was an
unfair practice. According to the Complaint, DSW's data-security
failures allowed hackers access to consumer's credit card, debit card,
and checking account information.); Complaint, In re CardSystems
Solutions Inc., FTC File No. 0523148 (Feb. 23, 2006) (The FTC alleged
that CardSystem's failure to take appropriate security measures to
protect sensitive information of its consumers constituted an unfair
practice. The Complaint claimed that due to the security failures, a
hacker was able to gain access to sensitive consumer information that
enabled him to counterfeit cards to make fraudulent purchases.)
---------------------------------------------------------------------------
I am aware of concerns about data brokers that monetize and sell
consumer data to other companies in ways that may be invisible to
consumers. The FTC's recent Privacy Report, which issued before I
arrived at the Commission, described three types of data brokers: (1)
those whose products and services are used for eligibility decisions,
such as credit, employment or insurance and whose practices are already
covered by the FCRA; (2) data brokers who collect and sell consumer
data for marketing purposes; and (3) data brokers whose products are
used for purposes other than marketing and FCRA-regulated eligibility
purposes. Some of these uses include fraud prevention or risk
management to verify the identity of consumers.
When developing an appropriate approach to the regulation of third
party data collection, it is important to protect consumers from
harmful practices while still permitting beneficial uses, such as fraud
prevention and, in many cases, marketing. Several data security bills
have included provisions that seek to provide consumers transparency
and choice about information practices, and I will evaluate these
proposals carefully.
Question 2. How would you apply your commitment to transparency and
choices in the case of companies that do not collect information
directly from the consumer but buy it from other collectors or harvest
it from publicly available information?
Answer. As stated above, if there is consumer harm occurring from
sharing data with third parties, I would explore whether we should
undertake enforcement using existing FTC deception and unfairness
authority, as well as other statutes such as COPPA, the FCRA, HIPAA,
and Gramm-Leach-Bliley. I would also evaluate current industry
practices of third party data collectors, including any self-regulatory
programs. Finally, I will consider whether there is consumer harm
occurring that cannot be reached by current enforcement and self-
regulatory programs to determine if additional protections are
necessary.
Tracking and Your Property
Question 3. For a company to track an individual's behavior and
activities on the Internet, it has to put a tracking technology on a
person's computer or smartphone. Do you believe it is the right of the
collectors of information to place such tracking devices on a person's
property and collect information without that person's knowledge or
participation or collect information that has nothing to do with the
service being provided and if not, what in the law stops that from
happening today?
Answer. It is my understanding that tracking for online behavioral
advertising is typically done through the placement of a cookie on a
device (such as a computer, tablet, or smartphone) to collect
information about sites visited by a user. I believe that sites and
services that place such cookies should provide consumers clear notice
of this practice. Consumers should have the right to decline to accept
such cookies for marketing purposes. I also understand that many sites
and browsers provide consumers with a variety of tools that allow them
to express their preferences regarding tracking mechanisms. The FTC has
brought enforcement actions against entities that have failed to honor
such consumer choices. For instance, in 2011 the FTC obtained
settlements from two online behavioral advertising networks,
challenging the companies' privacy policies that allegedly deceptively
tracked online activities, even after consumers opted out of such
tracking.\3\ It is my further understanding that several self-
regulatory organizations offer consumers a blanket opt-out from
receiving targeted ads for marketing purposes.
---------------------------------------------------------------------------
\3\ See Complaint, In re Chitika, Inc., FTC File No, 1023087 (March
14, 2011) (alleging that Chitika's opt-out mechanism in its privacy
policy, which allowed consumers to ``opt-out'' of having cookies placed
on their browsers and receiving targeted ads but only lasted for 10
days, was deceptive); Complaint, In re ScanScout, Inc., FTC File No.
1023185 (Nov. 8, 2011) (alleging that ScanScout's claim that consumers
could opt-out of receiving targeted ads by changing their computer's
web browser settings was deceptive because ScanScout used Flash
cookies, which could not be blocked by browser settings).
---------------------------------------------------------------------------
Data Security vs. Data Privacy
Question 4. Commissioner Ohlhausen, in your testimony, you support
enactment of data security legislation, stating ``the legislation
should empower the FTC to promulgate regulations for the protection of
personal data from unauthorized access.'' If that is appropriate, and I
agree that it is, why shouldn't the FTC have authority to promulgate
regulations to protect personal data from unauthorized acquisition from
the individual in question in the first place, an authority it does not
have today and one you state it should only have after a risk to harm
is exposed?
Answer. I believe that it is necessary to strike the right balance
in regulating the collection and use of consumer information by
legitimate actors, and focusing on consumer harm is an important part
of this balance. There is an important distinction between a data
breach and the collection and use of consumer information by a first
party, as the FTC's Self-Regulatory Principles for Online Behavioral
Advertising from 2009 and recent privacy report recognize. In the case
of a data breach, there are no benefits to consumers or legitimate
businesses or to competition from allowing data to be stolen and
possibly used for fraudulent purposes. Requiring reasonable precautions
against such breaches will enhance consumer welfare. By contrast, as
the FTC has recognized in the guidance it has issued, consumers
generally expect that first parties will collect and use their data.
They also understand that they may receive benefits from the sharing of
their data, such as free content or personalized services. Although
there may be inappropriate sharing of information with third parties in
some circumstances, there are also beneficial uses such as fraud
prevention, risk management to verify the identity of consumers, and
marketing. Because prohibiting these beneficial uses may reduce
consumer welfare and harm competition, we should evaluate whether
certain practices are causing consumer harm and whether consumers would
be, on balance, better off if these practices were prohibited.
Question 5. Is it your position that the breach of personal data on
a company's database should not be illegal if the information does not
pose a provable economic harm? For example, should data breach
legislation cover the hacking of a database of magazine subscriptions
that would expose a person's sexual orientation or religious
affiliation, or does that fail to meet the harm prerequisite?
Answer. If an entity that collects consumers' personal information
has promised to protect such information and fails to take reasonable
precautions resulting in a breach, that failure is actionable under the
FTC's current deception authority regardless of resulting economic
harm. As for the FTC's unfairness authority, which includes a harm
standard, the FTC has long recognized that harm to consumers is not
limited solely to economic consequences and may include other factors,
such as health and safety risks. It may also include a broader class of
sensitive personal information. For instance, in 2007 the district
court affirmed the FTC's action against Accusearch alleging the
unauthorized disclosure of consumers' phone records was likely to cause
substantial injury, including unwarranted risk to their health and
safety, from stalkers and abusers, and was unfair. \4\
---------------------------------------------------------------------------
\4\ FTC v. Accusearch, Inc. No. 06-CV-105-D, 2007 U.S. Dist. LEXIS
74905 (D. Wyo. Sept. 28, 2007), aff'd 570 F.3d 1187 (10th Cir. 2009).
---------------------------------------------------------------------------
However, not every breach of data can be given the same weight, and
the FTC has required companies to take reasonable precautions based on
the sensitivity of the data the entity holds. Protecting against all
breaches is close to impossible. Thus, in determining what breaches
should be a law violation, the breadth of consumer harm must be
considered in light of the costs of preventing a breach. I support the
goals of data security legislation proposed by members of this
Committee.
Who is Authorized to Share Your Data?
Question 6. A Wall Street Journal examination of 100 of the most
popular Facebook apps found that some seek the e-mail addresses,
current location and sexual preference, among other details, not only
of app users but also of their Facebook friends. Should consumers
expect that things they share with a group of friends they choose on
social networking sites in turn makes those friends authorized
distributors of access to them and their information? Does that raise
any concerns for you?
Answer. Social networking is increasingly popular and it is clear
that many consumers feel comfortable freely sharing their personal
information and preferences with a large group of friends and
acquaintances. As social networking becomes the norm in our society, I
think consumers need to be aware that the information they share on
these sites can be easily passed on by their friends and acquaintances.
Educating consumers so that they are aware of the risks as well as the
benefits of sharing information of social networking sites allows
consumers to make informed choices that reflect their preferences. The
FTC has an active consumer education program and has created and widely
disseminated a Net Cetera guide for youth online behavior. Also, as you
know, the FTC has brought several enforcement cases (Google, Facebook
and Twitter) in the social network arena to ensure that consumer
preferences are respected.
Communication over Open WiFi
Question 7. The FTC, the FCC, and the Department of Commerce
concluded that Google violated no laws when it collected private
communications transmitted over unencrypted WiFi connections. Should
collectors respect fair information practice principles if that
information is transmitted over a WiFi network or is that not necessary
in this context?
Answer. As suggested in the FTC's letter to Google closing the
wireless network investigation, a company collecting data in any
fashion, including when transmitted through a WiFi network, is in a
better position to ensure the privacy and security of that data when it
follows best practices, such as collecting only the information
necessary to fulfill a business purpose and disposing of the
information that is no longer necessary to accomplish that purpose.
Additionally, it is advisable that any company collecting data
institute adequate internal review processes to identify risks to
consumer privacy resulting from the collection and use of information
that is personally identifiable or reasonably related to a specific
consumer. Because there was no misrepresentation and Google did not use
the information it collected and promised to destroy it, it would have
been difficult to meet the deception or harm requirements for a
violation of the FTC Act.
Inconsistencies in Law
Question 8. Today, we have laws governing privacy when a bank is
collecting your information or when a doctor or hospital is collecting
your information. We also have laws governing telephone companies
tapping your communications or cable companies tracking your watching
habits. Isn't similar or identical information collected and used
without a governing framework on the Internet every day and what makes
that disparity in law rational?
Answer. There are a variety of statutes, such as HIPAA, the FCRA,
and Gramm-Leach-Bliley, that govern the collection and use of
consumers' financial and medical information in many circumstances,
including over the Internet. The FTC has also brought a variety of
enforcement actions under its deception and unfairness authority to
protect consumers' financial, medical, and other sensitive information
from unauthorized release or usage both online and offline. If there is
harm occurring from sharing consumers' financial or medical data or the
content of their online communications without their knowledge or
consent, I would explore whether we should undertake enforcement using
existing FTC deception and unfairness authority, as well as other
statutes such as COPPA, the FCRA, HIPAA, and Gramm-Leach-Bliley. I
would also evaluate the current industry practices of third party data
collectors, including any self-regulatory programs. Finally, I will
also consider whether there is consumer harm occurring that cannot be
reached by current enforcement and self-regulatory programs to
determine whether additional protections are necessary.
The European Privacy Standard
Question 9. What is your understanding of where the European
privacy protection legal framework update stands and how does it
compare to what your agencies have proposed?
Answer. Regarding the question of where the European privacy legal
framework update stands, I agree with Chairman Leibowitz's response
relating to the status of the EU's privacy update.
With response to the second part of the question, I was not on the
Commission during the release of the FTC's Privacy Report and am in the
process of educating myself about the extent of the EU Privacy and
Electronic Communications Directive update`s interoperability with the
U.S. privacy framework.
______
Response to Written Question Submitted by Hon. Amy Klobuchar to
Hon. Jon D. Leibowitz and Hon. Maureen K. Ohlhausen
Question. The United States has been a leader in cloud computing--
as the use of ``the cloud'' continues it is important to work with
foreign countries with consumers of cloud computing or house data
storage centers. We need to make sure they have strong security
standards, enforcement, and consumer protections in place. This
international component is mentioned in both reports--what work have
you done so far to move forward on this cooperation? And are you
working with the Department of State?
Answer. The FTC has promoted strong security standards,
enforcement, and consumer protections for cloud computing in several
ways. First, the FTC has made substantial efforts to improve
enforcement cooperation with its foreign counterparts in the area of
consumer protection and privacy generally. The passage of the U.S. SAFE
WEB Act in 2006, which strengthened the FTC's ability to share
information with and provide investigative assistance to foreign law
enforcement authorities, has been a key part of these efforts. The Act
is scheduled to sunset in 2013; we have urged Congress to renew the
legislation permanently to ensure that we have the tools necessary to
cooperate with our foreign partners on such issues of mutual interest.
Among those issues are ones involving cloud computing.
Second, we play a leadership role in several international
enforcement networks that address issues relevant to cloud computing.
One example is the Global Privacy Enforcement Network, which we
launched jointly with several foreign counterparts. Our aim is to
facilitate more practical cooperation among privacy enforcement
authorities on matters, including cloud computing, that cross borders.
Agencies from twenty countries now participate.
Third, we have worked to support enforceable codes of conduct to
leverage private sector efforts with enforcement to provide strong yet
flexible protections for cross-border data transfers. In the Asia-
Pacific Economic Cooperation forum (or APEC), for example, the FTC and
the Department of Commerce have worked with other economies to develop
the APEC Cross-Border Privacy Rules system, which provides baseline
privacy protections supported by an enforcement backstop. APEC is also
exploring the system's application in the context of cloud computing.
In the transatlantic context, the FTC provides the enforcement support
for the ``Safe Harbor'' system enabling data transfers from the
European Union to the United States, and has recently brought several
cases to vindicate the integrity of this framework.
Fourth, we also work closely with the Department of State and other
U.S. agencies in developing strong and sensible international policies
in this area. FTC staff participate with State in such fora as the
OECD's Working Party on Information Security and Privacy. We have also
worked with the Department of State in the U.S.-EU information society
dialogue, where several issues related to cloud computing are being
addressed. We also have extensive bilateral exchanges with our foreign
counterparts, and routinely solicit their input for FTC conferences.
One example is the FTC's 2009 conference on securing personal data in
the global economy, conducted in conjunction with OECD and APEC, which
analyzed data-security issues in a global information environment where
data can be stored and accessed from multiple jurisdictions.
We believe that data security, consumer protection and privacy
enforcement are critical to the success of any platform, including
cloud computing, and we will continue to reach out to our foreign
partners to ensure that these issues are properly addressed.
______
Response to Written Question Submitted by Hon. Amy Klobuchar to
Hon. Cameron F. Kerry
Question. The United States has been a leader in cloud computing--
as the use of ``the cloud'' continues it is important to work with
foreign countries with consumers of cloud computing or house data
storage centers. We need to make sure they have strong security
standards, enforcement, and consumer protections in place. This
international component is mentioned in both reports--what work have
you done so far to move forward on this cooperation? And are you
working with the Department of State?
Answer. Because cloud computing touches on many important economic
and policy interests, the United States government's approach is to
bring to bear a wide array of agencies and coordinate their efforts.
Issues regarding cloud computing are often raised in meetings of the
National Science and Technology Council, particular within the
Committee on Technology's Subcommittees on Privacy and Global Internet
Governance. The Subcommittee on Privacy, which I co-chair along with
Assistant Attorney General Christopher Schroeder of the Department of
Justice's Office of Legal Policy, has a working group entirely focused
on international engagement. This working group is led by members of
the State Department, the International Trade Administration (ITA, a
bureau of Commerce), and the National Telecommunications and
Information Administration (NTIA, a bureau of Commerce), and has
representatives on it from Defense, Homeland Security, Federal Trade
Commission, Office of Science and Technology Policy, Office of the
Director of National Intelligence, National Security Staff, United
States Trade Representative, Treasury, and more than a dozen other
agencies.
Commerce works closely with State and other Administration agencies
on the international components of cloud computing. State's efforts in
this area are spearheaded by Ambassador Philip Verveer, coordinator for
International Communications Information Policy. Ambassador William
Kennard, Chief of the U.S. Mission to the European Union and former
Chairman of the Federal Communications Commission, has also been
extremely engaged.
Within Commerce, the National Institute of Standards and Technology
(NIST), as part of its Cloud Computing Program, has assumed a
technology leadership role in advancing Cloud Computing
interoperability, portability and security standards, guidelines, and
technology. NIST works in a collaborative model with over 2500
individuals and organizations from academia, industry, standards
organizations, United States federal, state and local governments, and
the international community to provide a neutral objective basis for
understanding and addressing the underlying technical challenges
related to the emerging model of cloud computing. In this program, NIST
has worked very closely with the Department of State, Department of
Homeland Security, and other Commerce bureaus to open a dialogue with
the international community, and has been very effective in this role.
For example, in NIST's 2012 Cloud Computing Forum & Workshop held in
Washington, D.C. on June 5-7, senior government officials from Canada,
the People's Republic of China, and Japan presented views on the
benefits of cloud computing for public services, along with United
States CIO Steve Van Roekel, in a session moderated by Ambassador
Verveer. This event was open to the public and had 500 registered
attendees. In this same event, NIST hosted a standards panel that
included international standards organizations. NIST has contributed to
and participates in international standards bodies along with United
States industry.
State, Commerce, Justice, and other agencies are also examining
cloud computing issues as they arise as topics for discussion in
multilateral forums, such as the Organization for Economic Co-operation
and Development and Asia-Pacific Economic Cooperation (APEC). Ensuring
the free flow of data across borders is an important priority in any
new trade agreement, such as the TransPacific Partnership.
State and Commerce are cooperating on cloud discussions with the
Government of Japan to discuss ways in which cooperation can improve
commerce, healthcare, consumer safety, and disaster preparedness
between our nations. Also, Commerce recently held its first meeting
with China's Ministry of Commerce on cloud computing in April 2012 in
order to learn more about China's plans in this area.
One of the major obstacles we face in cloud computing is a popular
misconception around the world that United States laws grant law
enforcement more and easier access to personal data stored in the cloud
than the laws of peer countries. These unfounded concerns run the risk
of hindering the ability of United States companies to compete to
provide cloud computing solutions, particularly in Europe.\1\
Therefore, an important part of the work of the U.S. government is to
educate other governments and citizens about existing privacy
protections for personal data in the United States. State, the Justice
Department, and Commerce have been engaged in education and outreach
efforts in Europe, South America, Asia, and Australia to improve
understanding of our privacy protections for data stored in the cloud.
Contrary to the mistaken impressions occasionally voiced by foreign
governments, the United States legal framework for protection of civil
liberties in the context of legitimate law enforcement access offers a
high level of privacy protection. We continue to raise this issue
publicly and in bilateral interactions with our allies to be sure that
United States cloud computing providers are not unfairly discriminated
against in their efforts to offer services around the world.
---------------------------------------------------------------------------
\1\ See, e.g., David Rauf, PATRIOT Act Clouds Picture for Tech,
Politico (Nov. 29 2011) (available at http://www.politico.com/news/
stories/1111/69366.html); Loek Essers, European Data Concerns Cloud
Outlook for U.S. Vendors: The Dutch Government May Block Bids from U.S.
Cloud Vendors, IDG News Service (Sept. 16 2011) (available at https://
www.networkworld.com/news/2011/091611-european-data-concerns-cloud-
outlook-250988.html); Lothar Determann, Data Privacy in the Cloud: A
Dozen Myths and Facts, The Computer and Internet Lawyer vol. 28 no. 11
(Nov. 2011) (available at http://www.bakermckenzie.com/files/
Publication/85bf0767-55d0-4679-879d-85987d26b725/Presentation/
PublicationAttachment/96b0c239-5feb-46e9-811c-87c66f224629/
ar_california_clouddataprivacy_nov11.pdf).
---------------------------------------------------------------------------
International discussions about cloud computing and cross border
data transfers are too often grounded in myths about the United States
legal system that misrepresent our fundamental commitment to privacy
and the extensive privacy protections we provide, at the expense of our
ability to advocate for international cooperation on creating
interoperable standards and protections. While the consumer privacy
framework in the United States is strong,\2\ Congress can improve
existing consumer privacy protections in ways that benefit consumers,
foster greater trust in both the Internet and cloud computing, and
strengthen our businesses' ability to compete at home and in foreign
markets. The baseline privacy protection legislation outlined in the
Administration's Privacy Blueprint would help to achieve these goals.
---------------------------------------------------------------------------
\2\ See foreword, Consumer Data Privacy in a Networked World: A
Framework for Protecting Privacy and Promoting Innovation in the Global
Digital Economy (Feb. 23 2012) (available at http://www.whitehouse.gov/
sites/default/files/privacy-final.pdf).
---------------------------------------------------------------------------
______
Response to Written Questions Submitted by Hon. John Thune to
Hon. Jon D. Leibowitz
Problems with Empowering State Attorneys General to Enforce Federal Law
with Regard to Privacy
Question 1. Mr. Leibowitz, one of the provisions proposed in
various pieces of privacy legislation deals with state attorneys
general being empowered to enforce Federal law with regard to data
security. A likely result if such a provision were to be enacted into
law is that state attorneys general would delegate their Federal
enforcement power to private contingency fee lawyers. I believe the
problem with this approach is that the goals of plaintiffs' lawyers
might conflict with a state official's duty to protect the public
interest. Plaintiffs' lawyers will be motivated to maximize fees at the
expense of the taxpayer. There have also been troubling instances of
state attorneys general hiring favored contingency fee lawyers rather
than having a transparent and competitive bidding process. Litigation
brought by state attorneys general should be motivated by the public
good, not by private profit.
Mr. Leibowitz, with respect to proposed data privacy legislation
empowering state attorneys general to enforce Federal law, do you
believe that the legislation should ensure there is adequate
supervision of state attorneys general at the Federal level to assure
consistent enforcement of Federal law throughout the United States? Do
you believe that state attorneys general empowered to enforce Federal
law regarding data security should be restricted from delegating this
power to contingency fee lawyers? If not, do you believe that if
contingency fees lawyers are employed, the process to hire them should
take place in a transparent manner with competitive bidding?
Answer. We support the ability of state attorneys general to
enforce any Federal privacy laws, but the Commission has not taken a
position on the methods by which the states use their enforcement
authority.
The FTC often collaborates with the states in our privacy and data
security investigations. For example, in our case against Lifelock the
company agreed to pay $11 million to the FTC and $1 million to a group
of 35 state attorneys general to settle charges that the company used
false claims to promote its identity theft protection services. This
joint settlement is just one example of our strong cooperative efforts
with the states, and we look forward to working with them on future
efforts in the areas of privacy and data security. This sort of
collaboration helps ensure that enforcement actions are complementary
and consistent. Another means of ensuring consistent enforcement of
Federal law is carefully crafting the standards in any legislation to
minimize the potential for inconsistent interpretations. We would be
happy to work with the Committee on any such proposed legislation.
While I support the ability of state attorneys general to enforce
any Federal data security laws, the Commission has not taken a position
on the methods by which the states use their enforcement authority.
Definition of Data Broker
Question 2. Mr. Leibowitz, the FTC Privacy Report released a few
months ago applauded the Digital Advertising Alliance's self-regulatory
privacy program. However, the FTC's Privacy Report also calls for
legislation to regulate data brokers, but offers no guidance for what
constitutes a data broker. As it stands, nearly all of industry engages
in business or practices that might constitute data brokerage, and
legislation would have a sweeping impact on many, if not all companies.
Mr. Leibowitz, how would you define what a data broker is? I'd like
to hear your answer here today, but would also like to have your
written answer for the record.
Answer. We would be happy to work with this Committee as it
considers legislation concerning data brokers to determine a consensus
definition of data brokers. When we developed our privacy report, we
considered data brokers to be companies that monetize and sell consumer
data to other companies in ways that are often invisible to consumers.
Our report described three types of data brokers. First, there are
those whose products and services are used for eligibility decisions,
such as credit, employment or insurance; these companies' practices are
covered by the Fair Credit Reporting Act (FCRA). Second, there are data
brokers who collect and sell consumer data for marketing purposes.
Finally, there are data brokers whose products are used for purposes
other than marketing and FCRA-regulated eligibility purposes. Some of
these uses include fraud prevention or risk management to verify the
identity of consumers.
Question 2a. Mr. Leibowitz, why do you believe legislation is
necessary despite the success of industry's self-regulatory program?
Answer. I believe that industry is making progress on self-
regulation in some areas. For example, industry has made great strides
in implementing a Do Not Track mechanism, but more work remains to be
done. But there clearly are other areas that deserve more attention.
The data broker industry is an example of an area where self-regulatory
efforts have lagged. As our Privacy Report notes, there have been no
successful self-regulatory efforts by the data broker industry since
the 1990s--despite the highly-publicized ChoicePoint breach and growing
public concerns. Given the fact that data brokers are largely invisible
to consumers yet can have a dramatic impact on their lives, we have
called for targeted legislation to give consumers reasonable access to
the data such entities maintain about them, and we are working with
data brokers to explore creating a centralized website to increase
transparency about their practices and give consumers choices.
The mobile industry is another area where self-regulation is
lagging. As detailed in a recent FTC staff report about children's
mobile applications (``apps''), consumers are provided with very little
information about applications' data collection and sharing practices.
Our report found that in virtually all cases, neither app stores nor
app developers provide disclosures that tell parents what data apps
collect from children, how apps share it, and with whom.
FTC Privacy Report and Cost-Benefit Analysis
Question 3. The section of the FTC Privacy Report discussing the
cost-benefit analysis of privacy regulation is disturbingly thin. The
report acknowledges that ``imposing new privacy protections will not be
costless'' but makes no attempt to determine what those costs are.
Moreover, the proposed benefits to companies are unquantified and
anecdotal at best. Businesses are better able to determine and maintain
the value of consumer trust in the marketplace than is the FTC. Under
the Regulatory Impact Analysis of the Office of Management and Budget,
agencies are supposed to consider the qualitative and quantitative
costs and benefits of a proposed regulation and any alternatives. That
seems particularly important, given that Internet advertising alone
directly employs 1.2 million Americans. How do we ensure a
comprehensive cost/benefit analysis of privacy regulation or
enforcement activity given that the FTC doesn't seem to have done that
here?
Answer. As we noted in our report, we agree that it is important to
consider costs and benefits associated with our recommendations.
However, empirical, quantitative analyses are particularly challenging
in this area. The value consumers place on not being tracked as they
use the Internet or the costs to them of potential embarrassment or
harm arising from unknown or unanticipated uses of information cannot
be easily calculated.
It is important to note, however, that the Commission's Final
Privacy Report did not and was not intended to set forth a new
regulation or serve as a template for law enforcement. Instead, it
focused on articulating best practices for companies that collect and
use consumer data. The best practice recommendations in the report are
designed to be flexible to permit and encourage innovation. Companies
can implement the privacy protections recommended in the report in a
manner proportional to the nature, sensitivity, and amount of data
collected as well as to the size of the business at issue.
In addition, many companies have already implemented many of these
practices, and we plan to work with industry to facilitate even broader
adoption in the future. Further, it is noteworthy that a number of
leading companies have also asked Congress to consider enacting
baseline privacy legislation to provide legal certainty to industry and
to build trust with consumers. To the extent that Congress decides to
move forward on baseline privacy legislation, the Commission notes that
the best practices it recommends in the final report can inform the
deliberations.
Risk of Stifling the Internet Economy
Question 4. A report commissioned by Interactive Advertising Bureau
recently concluded that the Internet accounted for 15 percent of total
U.S. GDP growth. If the Internet were a national economy, by 2016 it
would rank as the fifth largest economy in the world. The advertisement
supported Internet contributes $300 billion to the U.S. economy and has
created about 3 million U.S. jobs. At a time of sustained, grim
economic news, the Internet has remained one of the bright spots of the
United States economy and that trend is continuing. I'm worried that if
we try to rush a quick-fix on the issue of privacy, rather than
thoughtfully and carefully dealing with the issue, we'll stifle that
important economic advantage we have here in America. How do we make
sure that we don't stifle the Internet economy, but still protect
consumers? How do you balance these interests?
Answer. Our report articulates best practices for companies that
collect and use consumer data. We also recommend--in part in response
to calls from leading companies--that Congress consider enacting
baseline privacy legislation to provide more legal certainty to
industry and to build trust with consumers. All of these
recommendations are the result of our extensive work with all
stakeholders, and we look forward to working with Congress to make sure
that we appropriately balance these interests.
We believe that companies will still be free to innovate--for
example, they can find new ways to target ads without tracking or with
less tracking, and consumers can continue to receive targeted ads if
they so choose. Our recommendations simply seek to give consumers
clear, understandable, relevant choices about their information. This
conversation will build more confidence in the marketplace and
encourage growth.
______
Response to Written Questions Submitted by Hon. Marco Rubio to
Hon. Jon D. Leibowitz
Question 1. The FTC has endorsed the concept of Do Not Track (DNT),
and this feature has been implemented by some browsers and social
network services. As you probably are aware, many stakeholders have
pointed out that implementing DNT could be difficult and disrupt
website operations. My concern is the potential unintended consequences
if a DNT mechanism or policy is drafted or implemented poorly, or does
not take fully into consideration how the mechanism works. We know that
some social networks and service providers utilize tracking functions
and collect data to track child predators or prevent underage children
from joining a site or service. In these cases, data collection and
tracking are being used in an effective way, hence the concern if DNT
is implemented poorly or prevents all data collection. Is the FTC
taking these concerns into consideration? Is the FTC concerned about
unintended harm if a broad DNT policy is implemented poorly?
Answer. The Commission continues to support Do Not Track and
believes an effective model with limited exceptions can be implemented
successfully. As the Commission developed the Do Not Track
recommendation, it was certainly cognizant of unintended consequences
and crafted an approach designed to address concerns like those you
identify. For example, in the scenario you describe about a social
network collecting information about its own users for public safety or
criminal purposes, our framework would likely consider this practice to
be an acceptable first party practice that is not within the scope of a
Do Not Track mechanism. Do Not Track is not intended to prevent or
address legitimate data collection and use by first parties with direct
relationships with consumers but is designed to address data collection
activities by third parties.
With respect to third party tracking, we have stated that any Do
Not Track mechanism should be universal, easy, persistent, enforceable,
and cover most collection, with some narrow exceptions like fraud
detection. Industry has responded to our call for Do Not Track and is
making great progress. There are currently broad-based discussions
taking place on implementation of Do Not Track to ensure that the
implementation is effective and not overbroad. We plan to closely
monitor these discussions and are optimistic that an effective Do Not
Track mechanism will be in place by the end of the year.
Question 2. As a father of four young children, I am concerned
about their safety online, and I want to ensure that children are
protected when they use the Internet and new technologies. I understand
that the FTC is currently engaged in another review of the Children's
Online Privacy Protection Act. Can you update me on the status of that
review? At this point, do you believe that Congress needs to update
that Act?
Answer. Children's privacy is a top priority for the Commission. We
received over 350 comments in response to our proposed changes to the
COPPA Rule and are working through them. There are many complicated
issues, and we want to be sure we get it right. We hope to have the
Rule finalized by the end of the year.
Question 3. In the FTC's Privacy Report there is a section on the
articulation of privacy harms. In it, the FTC ultimately concludes that
the ``range of privacy-related harms is more expansive than economic or
physical harms or unwarranted intrusions and that any privacy framework
should recognize additional harms that might arise from unanticipated
uses of data.'' (p. 8)
Is the FTC implying or concluding that any unanticipated use of
data is wrong? Is the FTC implying or advocating for the ability to
take enforcement actions against harms that ``might arise''? Or is the
FTC already doing this? 1Do you think the FTC has blanket authority to
regulate all uses of data?
Answer. The Commission's Final Privacy Report did not conclude that
any unanticipated use of data was wrong or that the FTC had authority
to regulate all uses of data. Rather, the report noted the concern that
some unanticipated data uses could cause harm. The report described
harms arising from the unexpected and unconsented to revelation of
previously-private information, including both sensitive information
(e.g., health, financial, children's information, precise geolocation
information) and less sensitive information (e.g., purchase history,
employment history) to unauthorized third parties. As one example, in
the Commission's case (and consent) against Google, the complaint
alleged that Google used the information of consumers who signed up for
Gmail to populate a new social network, Google Buzz. The creation of
that social network in some cases revealed previously private
information about Gmail users' most frequent e-mail contacts.
Similarly, the Commission's complaint against Facebook (and proposed
consent) alleged that Facebook's sharing of users' personal information
beyond their privacy settings was harmful.
Another harm the report identified is the erosion of consumer trust
in the marketplace. Businesses frequently acknowledge the importance of
consumer trust to the growth of digital commerce, and surveys support
this view. For example, in the online behavioral advertising area,
survey results show that consumers feel better about brands that give
them transparency and control over advertisements. Companies offering
consumers information about behavioral advertising and the tools to opt
out of it have also found increased customer engagement. In its comment
to the Commission's Draft Privacy Report, Google noted that visitors to
its Ads Preference Manager are far more likely to edit their interest
settings and remain opted in rather than to opt out. Similarly, Intuit
conducted a study showing that making its customers aware of its
privacy and data security principles--including restricting the sharing
of customer data, increasing the transparency of data practices, and
providing access to the consumer data it maintains--significantly
increased customer trust in its company.
Ultimately, the value consumers place on not being tracked online
or the costs to them of potential embarrassment or harm arising from
unknown or unanticipated uses of information cannot be easily
determined. What we do know is that businesses and consumers alike
support increased transparency of data collection and sharing
practices. Increased transparency will benefit both consumers and
industry by increasing consumer confidence in the marketplace.
Finally, nothing in the report changes our existing authority to
enforce the FTC Act. We can only bring actions involving unfair or
deceptive practices. A practice is deceptive if (1) it is likely to
mislead consumers acting reasonably under the circumstances, and (2) it
is material, that is, likely to affect consumers' conduct or decisions
regarding the product at issue. A practice is unfair if it causes or is
likely to cause harm to consumers that: (1) is substantial; (2) is not
outweighed by countervailing benefits to consumers or to competition;
and (3) is not reasonably avoidable by consumers themselves. In order
to prevail in a case under the FTC Act, we must demonstrate to a judge
that the case meets these rigorous standards.
Question 4. As you are aware, over the last year, members of the
Commerce Committee have asked numerous times about the scope of the
FTC's Section 5 authority. With respect to Sec. 5, in follow-up answers
you provided to the Committee after your last appearance here you said:
While the vast majority of [the FTC's] antitrust enforcement
actions involve conduct that falls within the prohibitions of the
Sherman or Clayton Acts, the Commission has a broader mandate, which it
discharges by challenging, under Section 5, conduct that is likely to
result in harm to consumers or to the competitive process. . . The
Commission's recent use of Section 5 demonstrates that the Commission
is committed to using that authority in predictable ways that enhance
consumer welfare.
You say that you are ``committed to using that authority in
predictable ways.'' However, I would note that while the Commission has
held workshops on the scope of its Section 5 authority in recent years,
it has never issued a formal report or guidelines from those workshops
that would give clear direction to the business community about the
types of cases that the Commission will pursue outside the traditional
Sherman Act constraints.
Question 4a. Do you plan on issuing such formal guidelines? If so,
when can we expect to see those guidelines? If not, why?
Answer. I agree that businesses and consumers benefit whenever we
are able to improve the clarity and predictability of the laws we
enforce, including Section 5. It is worth noting that Congress, in
formulating the antitrust laws and Section 5, decided that common law
development of competition law was preferable to trying to produce a
list of specific violations, recognizing that no such list could be
adequate over varying times and circumstances. Congress consciously
opted for a measure of flexibility in competition law.
However, sources of guidance do exist. Although the Supreme Court
has never squarely articulated the precise boundaries of our Section 5
authority, the case law, complaints, and consent agreements identify
the types of conduct to which the FTC has applied its stand-alone
Section 5 authority in the past. Recent cases, including Intel, U-Haul,
and N-Data, further illuminate the kinds of conduct the Commission has
challenged as unfair methods of competition under Section 5. In
addition, a wealth of information is contained in the transcripts and
submissions from our October 2008 workshop on the use of Section 5 as a
competition statute.
The scope of our Section 5 enforcement authority is inherently
broad, in keeping with Congressional intent to create an agency that
would couple expansive jurisdiction with more limited remedies, and it
is firmly tethered to the protection of competition. The FTC has used
its Section 5 authority judiciously in the recent past. We will not
hesitate, however, to use Section 5 to combat unfair methods of
competition that are within the scope of our jurisdiction.
My fellow Commissioners and I continue to consider the best way to
further clarify the bounds of our Section 5 authority, be it a report,
guidelines, or some other approach. This will remain a priority during
the remainder of my term as Chairman.
Question 5. In your written testimony you state that privacy
legislation would provide ``businesses with the certainty they need to
understand their obligations.'' Putting the legislation aside, I like
that you are advocating for providing certainty for businesses. But in
looking at the Privacy Report, I am concerned that the Commission is
embracing an expanded definition of harm under Section 5 to include
``reputational harm,'' or ``the fear of being monitored,'' or ``other
intangible privacy interests.'' These seem like vague concepts--and I
think this expanded harm-based approach would only create more
uncertainty. Your testimony and the report appear to be in contrast in
this instance. Do you agree? Why or why not?
Answer. We do not believe the harms we identify in the report and
describe in the context of our recent enforcement actions are vague or
uncertain. The backlash that followed Google's rollout of its Buzz
social network and the Facebook changes that were the subject of our
consent orders was immediate. Consumers clearly understood the
likelihood of harm arising from these changes, and the companies should
not have been surprised by the reaction. Thus, we do not believe our
continuing use of Section 5 of the FTC Act, even without baseline
legislation, will lead to uncertainty or confusion. We are obligated to
consider certain specific factors in determining whether a violation of
Section 5 exists and will continue to do so in our enforcement actions.
Nevertheless, we believe that businesses can benefit from having clear
rules of the road for commercial data practices that would provide even
more certainty as to their obligations.
______
Response to Written Questions Submitted by Hon. John Thune to
Hon. Maureen K. Ohlhausen
Problems with Empowering State Attorneys General to Enforce Federal Law
with Regard to Privacy
Question 1. Ms. Ohlhausen, one of the provisions proposed in
various pieces of privacy legislation deals with state attorneys
general being empowered to enforce Federal law with regard to data
security. A likely result if such a provision were to be enacted into
law is that state attorneys general would delegate their Federal
enforcement power to private contingency fee lawyers. I believe the
problem with this approach is that the goals of plaintiffs' lawyers
might conflict with a state official's duty to protect the public
interest. Plaintiffs' lawyers will be motivated to maximize fees at the
expense of the taxpayer. There have also been troubling instances of
state attorneys general hiring favored contingency fee lawyers rather
than having a transparent and competitive bidding process. Litigation
brought by state attorneys general should be motivated by the public
good, not by private profit.
Ms. Ohlhausen, with respect to proposed data privacy legislation
empowering state attorneys general to enforce Federal law, do you
believe that the legislation should ensure there is adequate
supervision of state attorneys general at the Federal level to assure
consistent enforcement of Federal law throughout the United States?
Answer. I support data security legislation and believe that state
attorneys general should have enforcement authority. However, as you
suggest, the legislation must be carefully crafted to ensure that there
are clear statutory guidelines by which companies can implement their
data security systems and Federal supervision of the efforts of the
state AGs. The FTC works frequently and effectively with many state AGs
and that model of cooperation to benefit consumers should apply here as
well.
Question 2. Do you believe that state attorneys general empowered
to enforce Federal law regarding data security should be restricted
from delegating this power to contingency fee lawyers? If not, do you
believe that if contingency fees lawyers are employed, the process to
hire them should take place in a transparent manner with competitive
bidding?
Answer. All law enforcement should be motivated by the public good,
considering consumer harm, appropriate allocation of scare resources,
and litigation costs, and among other factors. Transparency is also an
important public goal, as is fostering competition in the procurement
of goods and services for government use. Any Federal legislation
should encourage transparency and competition at all levels of
government but should also avoid being overly prescriptive regarding
how states may conduct their legitimate functions.
Definition of Data Broker
Question 3. The FTC Privacy Report released a few months ago
applauded the Digital Advertising Alliance's self-regulatory privacy
program. However, the FTC's Privacy Report also calls for legislation
to regulate data brokers, but offers no guidance for what constitutes a
data broker. As it stands, nearly all of industry engages in business
or practices that might constitute data brokerage, and legislation
would have a sweeping impact on many, if not all companies. How would
you define what a data broker is? I'd like to hear your answer here
today, but would also like to have your written answer for the record.
Answer. The FTC's recent Privacy Report, which issued before I
arrived at the Commission, considered data brokers to be companies that
monetize and sell consumer data to other companies in ways that may be
invisible to consumers. The Privacy Report described three types of
data brokers: (1) those whose products and services are used for
eligibility decisions, such as credit, employment or insurance and
whose practices are covered by the Fair Credit Reporting Act (FCRA);
(2) data brokers who collect and sell consumer data for marketing
purposes; and (3) data brokers whose products are used for purposes
other than marketing and FCRA-regulated eligibility purposes. Some of
these uses include fraud prevention or risk management to verify the
identity of consumers. When developing an appropriate definition of a
data broker, it is important to protect consumers' personal information
from harmful uses while still permitting beneficial uses, such as fraud
prevention.
Question 3a. Why do you believe legislation is necessary despite
the success of industry's self-regulatory program?
Answer. I believe that data security and breach notification
legislation would be appropriate to protect against the unauthorized
access of consumer information but I have not endorsed the Privacy
Report's call for general privacy legislation.
I think that the best way to safeguard consumer privacy is to give
consumers the tools they need to protect their personal information
through transparency and choices. The self-regulatory programs appear
to have made considerable strides in giving consumers control over who
accesses their information and how it is used for marketing purposes.
The proposed self-regulation, however, is not aimed at protecting
against the unauthorized access of personal data by parties, such as
hackers, and thus would not address the types of harms that data
security legislation seeks to prevent.
FTC Privacy Report and Cost-Benefit Analysis
Question 4. The section of the FTC Privacy Report discussing the
cost-benefit analysis of privacy regulation is disturbingly thin. The
report acknowledges that ``imposing new privacy protections will not be
costless'' but makes no attempt to determine what those costs are.
Moreover, the proposed benefits to companies are unquantified and
anecdotal at best. Businesses are better able to determine and maintain
the value of consumer trust in the marketplace than is the FTC. Under
the Regulatory Impact Analysis of the Office of Management and Budget,
agencies are supposed to consider the qualitative and quantitative
costs and benefits of a proposed regulation and any alternatives. That
seems particularly important given that Internet advertising alone
directly employs 1.2 million Americans. How do we ensure a
comprehensive cost/benefit analysis of privacy regulation or
enforcement activity given that the FTC doesn't seem to have done that
here?
Answer. With privacy, as with all public policy issues within the
FTC's jurisdiction, to produce the best result for consumers we should
conduct a careful analysis of the likely costs and benefits of any
proposed regulation. The Privacy Report, which was issued before I
started at the Commission, discusses costs and benefits in general
terms but does not contain a cost/benefit analysis. I believe that a
review of what consumers and competition are likely to lose and gain
from any new regulation would be helpful to ensuring the best outcome
for consumers. For example, in the case of advertising, the FTC has
consistently recognized the crucial role that truthful non-misleading
information contained in advertising plays not just in informing
consumers but also in fostering competition between current
participants in the market and lowering entry barriers for new
competitors. I believe that we should consider factors regarding the
possible effects of reducing information available in market for
consumers and competitors when analyzing the likely effects of new
privacy regulations.
Risk of Stifling the Internet Economy
Question 5. A report commissioned by Interactive Advertising Bureau
recently concluded that the Internet accounted for 15 percent of total
U.S. GDP growth. If the Internet were a national economy, by 2016 it
would rank as the fifth largest economy in the world. The advertisement
supported Internet contributes $300 billion to the U.S. economy and has
created about 3 million U.S. jobs. At a time of sustained, grim
economic news, the Internet has remained one of the bright spots of the
United States economy and that trend is continuing. I'm worried that if
we try to rush a quick-fix on the issue of privacy, rather than
thoughtfully and carefully dealing with the issue, we'll stifle that
important economic advantage we have here in America. How do we make
sure that we don't stifle the Internet economy, but still protect
consumers? How do you balance these interests?
Answer. The best way to ensure a proper balance of the interests in
the Internet economy and consumer protection is for the FTC to continue
its carefully targeted enforcement against deceptive and unfair acts
and practices on the Internet while proceeding cautiously in exploring
the need for additional generally privacy legislation and promoting
self-regulatory efforts aimed at providing access and choice to
consumers. For example, I support a careful analysis of consumer harms
that are not currently being addressed by enforcement or self-
regulation before recommending any additional privacy legislation.
______
Response to Written Questions Submitted by Hon. Marco Rubio to
Hon. Maureen K. Ohlhausen
Question 1. The Internet has had a transformative impact on
society, both in America and around the world. One of the great things
about the Internet and something that has contributed to its success is
the fact that many of the most popular services and sites that
consumers use are free, and they have remained free because of online
advertising, including behavior based advertising. More and more in our
economy, the ability to tailor services to more efficiently and
effectively meet consumers' needs is driven by the collection of data
and the delivery of tailored ads. And these industries create jobs and
contribute greatly to our economy. Do you agree that the FTC should
balance these considerations when implementing privacy policies? How is
the FTC doing this?
Answer. Yes, I agree that the FTC should balance these
considerations. Because the FTC's ultimate goal is to optimize consumer
welfare, when implementing privacy policies, close attention needs to
be paid to potential outcomes and whether agency activity is actually
improving consumer welfare. Consumer data can help firms to better
understand the needs of their customers and to develop new and
innovative products and services. The FTC has also recognized the
crucial role that truthful non-misleading advertising plays in
fostering competition between current participants in the market and
lowering entry barriers for new competitors, resulting in overall
benefits for consumers. Therefore, any potential competitive effects
resulting from new privacy restrictions, such as a firms' ability to
efficiently and effectively meet consumers' needs, should be considered
against the benefit that consumers may derive from these policies. It
is important to balance the actual privacy-enhancing benefits with the
costs of such proposals in order to ensure the best outcome for
consumers.
Question 2. As you know, certain telecommunications providers are
subject to dual regulation by both the FTC and FCC. And depending on
the service and technology, companies may be subject to multiple
sections of the Telecommunications Act, or none at all. Do you think
this dual regulation leads to confusion or negatively impacts some
providers? Do you think that the Congress should look at eliminating
dual regulation?
Answer. Generally, confusion can be avoided by making narrowly
tailored, well-defined regulations that retain the focus of the
agencies' missions. In the instances where dual regulation is
contradictory, overly broad, or no longer represents industry
conditions, eliminating dual regulation may be beneficial. For example,
I support eliminating the FTC's common carrier exemption, which was
based on the existence of a pervasively regulated, monopoly
telecommunications industry that no longer reflects the state of the
industry.
�