[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]




 
               OVERSIGHT OF THE FEDERAL TRADE COMMISSION

=======================================================================

                                HEARING

                               BEFORE THE

        SUBCOMMITTEE ON DIGITAL COMMERCE AND CONSUMER PROTECTION

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 18, 2018

                               __________

                           Serial No. 115-153
                           
                           
                           
                           
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                           




      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov
                        
                        
                        
                        
                        
                U.S. GOVERNMENT PUBLISHING OFFICE
                   
35-607                  WASHINGTON : 2019                              
                        
                        
                        
                    COMMITTEE ON ENERGY AND COMMERCE

                          GREG WALDEN, Oregon
                                 Chairman
JOE BARTON, Texas                    FRANK PALLONE, Jr., New Jersey
  Vice Chairman                        Ranking Member
FRED UPTON, Michigan                 BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois               ANNA G. ESHOO, California
MICHAEL C. BURGESS, Texas            ELIOT L. ENGEL, New York
MARSHA BLACKBURN, Tennessee          GENE GREEN, Texas
STEVE SCALISE, Louisiana             DIANA DeGETTE, Colorado
ROBERT E. LATTA, Ohio                MICHAEL F. DOYLE, Pennsylvania
CATHY McMORRIS RODGERS, Washington   JANICE D. SCHAKOWSKY, Illinois
GREGG HARPER, Mississippi            G.K. BUTTERFIELD, North Carolina
LEONARD LANCE, New Jersey            DORIS O. MATSUI, California
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas                    JOHN P. SARBANES, Maryland
DAVID B. McKINLEY, West Virginia     JERRY McNERNEY, California
ADAM KINZINGER, Illinois             PETER WELCH, Vermont
H. MORGAN GRIFFITH, Virginia         BEN RAY LUJAN, New Mexico
GUS M. BILIRAKIS, Florida            PAUL TONKO, New York
BILL JOHNSON, Ohio                   YVETTE D. CLARKE, New York
BILLY LONG, Missouri                 DAVID LOEBSACK, Iowa
LARRY BUCSHON, Indiana               KURT SCHRADER, Oregon
BILL FLORES, Texas                   JOSEPH P. KENNEDY, III, 
SUSAN W. BROOKS, Indiana                 Massachusetts
MARKWAYNE MULLIN, Oklahoma           TONY CARDENAS, California
RICHARD HUDSON, North Carolina       RAUL RUIZ, California
CHRIS COLLINS, New York              SCOTT H. PETERS, California
KEVIN CRAMER, North Dakota           DEBBIE DINGELL, Michigan
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia
JEFF DUNCAN, South Carolina

        Subcommittee on Digital Commerce and Consumer Protection

                         ROBERT E. LATTA, Ohio
                                 Chairman
GREGG HARPER, Mississippi            JANICE D. SCHAKOWSKY, Illinois
  Vice Chairman                        Ranking Member
FRED UPTON, Michigan                 BEN RAY LUJAN, New Mexico
MICHAEL C. BURGESS, Texas            YVETTE D. CLARKE, New York
LEONARD LANCE, New Jersey            TONY CARDENAS, California
BRETT GUTHRIE, Kentucky              DEBBIE DINGELL, Michigan
DAVID B. McKINLEY, West Virgina      DORIS O. MATSUI, California
ADAM KINZINGER, Illinois             PETER WELCH, Vermont
GUS M. BILIRAKIS, Florida            JOSEPH P. KENNEDY, III, 
LARRY BUCSHON, Indiana                   Massachusetts
MARKWAYNE MULLIN, Oklahoma           GENE GREEN, Texas
MIMI WALTERS, California             FRANK PALLONE, Jr., New Jersey (ex 
RYAN A. COSTELLO, Pennsylvania           officio)
JEFF DUNCAN, South Carolina
GREG WALDEN, Oregon (ex officio)
  
                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Robert E. Latta, a Representative in Congress from the State 
  of Ohio, opening statement.....................................     1
    Prepared statement...........................................     3
Hon. Janice D. Schakowsky, a Representative in Congress from the 
  State of Illinois, opening statement...........................     4
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement......................................     6
    Prepared statement...........................................     7
Hon. Frank Pallone, Jr., a Representative in Congress from the 
  State of New Jersey, opening statement.........................     8

                               Witnesses

Joseph Simons, Chairman, Federal Trade Commission................    10
    Prepared statement...........................................    12
    Answers to submitted questions...............................   113
Maureen Ohlhausen, Commissioner, Federal Trade Commission........    34
Noah Phillips, Commissioner, Federal Trade Commission............    35
    Answers to submitted questions...............................   160
Rohit Chopra, Commissioner, Federal Trade Commission.............    37
    Answers to submitted questions...............................   164
Rebecca Slaughter, Commissioner, Federal Trade Commission........    38
    Answers to submitted questions...............................   171

                           Submitted Material

Statement of ACA International...................................    79
Statement of the Electronic Privacy Information Center...........    83
Statement of the Coalition Trade Association.....................    89
Statement of the Internet Association............................    92
Letter of April 24, 2018, from Members of Congress to the FTC....    93
Letter of June 25, 2018, from the FTC to Representative Welch....    95
Article entitled, ``If you shopped at these 15 stores in the last 
  year, your data might have been stolen,'' Business Insider, 
  July 14, 2018..................................................    97


               OVERSIGHT OF THE FEDERAL TRADE COMMISSION

                              ----------                              


                        WEDNESDAY, JULY 18, 2018

                  House of Representatives,
     Subcommittee on Digital Commerce and Consumer 
                                        Protection,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 9:15 a.m., in 
room 2123 Rayburn House Office Building, Hon. Robert Latta 
(chairman of the subcommittee) presiding.
    Members present: Representatives Latta, Kinzinger, Burgess, 
Lance, Guthrie, McKinley, Bilirakis, Bucshon, Walters, 
Costello, Walden (ex officio), Schakowsky, Lujan, Clarke, 
Dingell, Matsui, Welch, Kennedy, Green, and Pallone (ex 
officio).
    Staff present: Melissa Froelich, Chief Counsel, Digital 
Commerce and Consumer Protection; Adam Fromm, Director of 
Outreach and Coalitions; Ali Fulling, Legislative Clerk, 
Oversight & Investigations, Digital Commerce and Consumer 
Protection; Elena Hernandez, Press Secretary; Paul Jackson, 
Professional Staff, Digital Commerce and Consumer Protection; 
Bijan Koohmaraie, Counsel, Digital Commerce and Consumer 
Protection; Austin Stonebraker, Press Assistant; Madeline Vey, 
Policy Coordinator, Digital Commerce and Consumer Protection; 
Hamlin Wade, Special Advisor, External Affairs; Greg Zerzan, 
Counsel, Digital Commerce and Consumer Protection; Michelle 
Ash, Minority Chief Counsel, Digital Commerce and Consumer 
Protection; Jeff Carroll, Minority Staff Director; Lisa 
Goldman, Minority Counsel; Carolyn Hann, Minority FTC Detailee; 
Caroline Paris-Behr, Minority Policy Analyst; Tim Robinson, 
Minority Chief Counsel; Andrew Souvall, Minority Director of 
Communications, Outreach and Member Services; and C.J. Young, 
Minority Press Secretary.

OPENING STATEMENT OF HON. ROBERT E. LATTA, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF OHIO

    Mr. Latta. Well, good morning. I'd like to call the 
Subcommittee on Digital Commerce and Consumer Protection to 
order.
    And before we begin our opening statements, I'd like to say 
how pleased I am to have all of our FTC commissioners before us 
today.
    And what I'd like to do before I begin my opening remarks 
is introduce our FTC commissioners. Today, we have Chairman Joe 
Simons, who was sworn into office on May 1st. Before joining 
the commission, the chairman was a partner at Paul, Weiss and 
co-chair of the firm's anti-trust group. He previously served 
at the commission in various positions between 1987 and 1989 as 
well as 2001 to 2003.
    Next, we have Commissioner Maureen Ohlhausen, who was sworn 
into office on April the 4th, 2012, and served as acting FTC 
chairman between January 2017 and May 1st, 2018. Prior to 
joining the FTC she was a partner at Wilkinson Barker Knauer, 
LLP. She previously served at the commission for 11 years in 
various capacities and leadership roles. We thank the 
commissioner for her leadership for the past 15 months when she 
was acting chair and for her work at the agency.
    Commissioner Noah Phillips was sworn into office on May 
2nd, 2018. Before joining the commission he served as chief 
counsel to Senator John Cornyn of Texas.
    Commissioner Rohit Chopra was also sworn in on May 2nd, 
2018. He previously served as a senior fellow at the Consumer 
Federation of America.
    And finally, we have Commissioner Rebecca Slaughter, sworn 
in on May 2nd, 2018, and prior to joining the commission, 
Commissioner Slaughter served as chief counsel to Senator Chuck 
Schumer of New York.
    Our witnesses have a strong fidelity to public service and 
they are once again being asked to serve the American people to 
maintain competitive markets and to protect consumers against 
unfair and deceptive acts and practices, and again, we thank 
you very much for being with us today.
    And at this time now, I'll recognize myself for a 5-minute 
opening statement.
    Our hearing today will focus on oversight of the Federal 
Trade Commission. The FTC functions as the top cop on the beat 
and keeps consumers safe and to promote a vibrant free market 
in the United States.
    We look forward to working with the FTC on specific issues 
relating to this subcommittee's jurisdiction, including self-
driving cars, data security, the Internet of Things, blockchain 
technologies, privacy issues, deceptive advertising, robocalls, 
and more.
    Emerging consumer protection issues are at the forefront of 
this committee. Recently, I joined Chairman Walden, Chairman 
Blackburn, and Chairman Harper, sending letters to Apple and 
Google, asking them to explain how smartphone users' data is 
protected, and when audio recording data and location 
information is compiled and shared. This morning, we will be 
sending letters to location data aggregator LocationSmart, 
Securus, and 3CInteractive Corporation.
    We continue to remain concerned about cybercrime, estimated 
to cost millions to the global economy each year, and how 
businesses prioritize protecting the most sensitive data they 
hold about individuals. As we all know, there is no such thing 
as 100 percent perfect security.
    We will continue to work with regulators to understand what 
transpired in the recent high-profile breaches and what we 
should learn from these actions for the future.
    The Economist proclaims, ``The world's most valuable 
resource is no longer oil, but data.'' I look forward to a 
thoughtful discussion on the appropriate steps the FTC is 
considering, including the chairman's recently announced 
hearings on 21st century challenges.
    In my remaining time, I would like to hear how Chairman 
Simons will work to utilize the FTC's annual funding to its 
greatest need and impact, judiciously using the taxpayers' 
dollars, including on the FTC's current priorities, 
authorities, and performance, including its human resources 
efforts at securing and retaining the best experts in the 
fields of antitrust and consumer protection. While we are in a 
challenging fiscal environment, the House Appropriations 
Committee approved $2 million more dollars to the FTC than the 
agency requested for fiscal year 2019.
    I am also encouraged by the large refunds the FTC has been 
able to return directly to consumers, most recently to Uber 
drivers and customers who bought deceptively marketed bed bug 
products, consumers in both cases receiving average checks over 
$200.
    This is a unique tool in the FTC toolbox. The FTC has 
returned over $543 million to consumers and deposited $94 
million in the U.S. Treasury. FTC orders in the Volkswagen, 
Amazon, and Net Spend matters required defendants to self-
administer consumer refund programs worth more than $11.5 
billion.
    The FTC's enforcement authorities are broad and far 
reaching. The unique position of the FTC as the civil law 
enforcement agency for the majority of the U.S. economy cannot 
be taken lightly. Calls for expanded rulemaking authority, 
shifting the agency from its expertise in enforcement to 
regulatory and rulemaking, raises serious questions for me 
because Congress has explicitly granted the agency rulemaking 
that has not been utilized in years.
    Some may argue that the FTC is not equipped to handle the 
challenges of the day, but I believe their actions speak louder 
than words. The FTC has vigorously defended its jurisdiction 
and consumers and we have no reason to believe that will stop 
any time soon.
    Finally, the FTC plays an important enforcement role in the 
EU-U.S. Privacy Shield framework, particularly relating to 
compliance and enforcement of U.S. businesses. With the second 
annual review of the Privacy Shield by the European Commission 
coming this fall, we want to hear about FTC's and the 
commissioners' roles, and what can this committee do to help 
make sure that 3,100 businesses, including small businesses, 
continue to have access to the Privacy Shield.
    Again, at this time I want to thank our witnesses for being 
here today, and this time I am going to yield to the gentlelady 
from Illinois, the ranking member of the subcommittee, for 5 
minutes for an opening statement.
    [The prepared statement of Mr. Latta follows:]

               Prepared statement of Hon. Robert E. Latta

    Our hearing today will focus on oversight of the Federal 
Trade Commission. The FTC functions as the top cop on the beat 
to keep consumers safe and to promote a vibrant free market in 
the United States.
    We look forward to working with the FTC on specific issues 
relating to this Subcommittee's jurisdiction, including self-
driving cars, data security, the Internet of Things, blockchain 
technologies, privacy issues, deceptive advertising, robocalls, 
and much more.
    Emerging consumer protection issues are at the forefront 
for this committee. Recently, I joined Chairman Walden, 
Chairman Blackburn, and Chairman Harper, sending letters to 
Apple and Google, asking them to explain how smartphone users' 
data is protected, and when audio recording data and location 
information is compiled and shared. This morning, we will be 
sending letters to location data aggregator LocationSmart, 
Securus, and 3CInteractive Corporation.
    We continue to remain concerned about cybercrime, estimated 
to billions to the global economy, and how businesses 
prioritize protecting the most sensitive data they hold about 
individuals. As we all know, there is no such thing as 100% 
perfect security.
    We will continue to work with regulators to understand what 
transpired in the recent high-profile breaches and what we 
should learn from these situations for the future.
    The Economist proclaims, the ``world's most valuable 
resource is no longer oil, but data.'' I look forward to a 
thoughtful discussion of the appropriate steps the FTC is 
considering, including the Chairman's recently announced 
hearings on 21st Century challenges.
    In my remaining time, I would like to hear how Chairman 
Simons will work to utilize the FTC's annual funding to its 
greatest need and impact, judiciously using the taxpayer's 
dollars. Including on the FTC's current priorities, authorities 
and performance, including its human resources efforts securing 
and retaining the best experts in the fields of antitrust and 
consumer protection. While we are in a challenging fiscal 
environment, the House Appropriations Committee approved $2 
million more dollars for the FTC than the agency requested for 
fiscal year 2019.
    I am also encouraged by the large refunds the FTC has been 
able to return directly to consumers--most recently to Uber 
drivers and customers who bought deceptively marketed bed bug 
products--consumers in both cases receiving average checks over 
$200.
    This is a unique tool in the FTC's toolbox. The FTC has 
returned over $543 million to consumers and deposited $94 
million into the U.S. Treasury. FTC orders in the Volkswagen, 
Amazon, and Net Spend matters required defendants to self-
administer consumer refund programs worth more than $11.5 
billion.
    The FTC's enforcement authorities are broad and far 
reaching. The unique position of the FTC as the civil law 
enforcement agency for the majority of the U.S. economy cannot 
be taken lightly. Calls for expanded rulemaking authority--
shifting the agency from its expertise in enforcement to 
regulatory and rulemaking--raises serious questions for me 
because Congress has explicitly granted the agency rulemaking 
that has not been utilized in years.
    Some may argue that the FTC is not equipped to handle the 
challenges of the day--but I believe their actions speak louder 
than words. The FTC has vigorously defended its jurisdiction 
and consumers and we have no reason to believe that will stop 
any time soon.
    Finally, the FTC plays an important enforcement role in the 
EU-U.S. Privacy Shield framework, particularly relating to 
compliance and enforcement of U.S. businesses. With the second 
annual review of the Privacy Shield by the European Commission 
coming this fall, we want to hear about FTC's and 
Commissioners' roles, and what can this Committee do to help 
make sure the 3,100 businesses--including many small 
businesses--continue to have access to the Privacy Shield.
    Thank you to all of our witnesses for being here today. I 
yield to the gentlewoman from Illinois, ranking member of the 
subcommittee, for her 5 minute opening statement.

       OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A 
     REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS

    Ms. Schakowsky. Thank you so much, Mr. Chairman, for 
holding this hearing on the FTC and I want to welcome Chairman 
Simons. I know you're new to the job. I look forward to meeting 
with you.
    Today's hearing really comes down to two questions: is the 
Federal Trade Commission equipped to fulfill its mission of 
protecting consumers and what can Congress do to make it more 
effective--a more effective consumer advocate.
    The FTC is--to echo the chairman--the top cop on the beat, 
protecting both the public and businesses against unfair, 
deceptive, fraudulent, or anti-competitive practices through 
the consumer protection and anti-trust authorities.
    As the economy continues to change and expand, the FTC has 
had to adapt to this new economy and as our social networks, 
shopping, banking, and other forms of communication and 
businesses move to the internet, the FTC has changed, bringing 
in more technology experts. At the same time, many suggest that 
the commission needs more technology experts, even though its 
resources are as tight as ever.
    I am concerned that we are asking one of our country's most 
important consumer agencies to choose which protections it will 
be able to enforce. I hope we will work together to ensure that 
the FTC has all the resources that it needs to maintain 
consumer protection and a fair marketplace.
    From a regulatory standpoint, it's time to look at ways to 
reduce barriers to FTC consumer protection rulemaking. The 
FTC's ability to move forward with important rulemaking is much 
more limited than those at other agencies.
    In the rapidly changing climate of commerce today, 
rulemaking must be efficient and timely to keep pace. 
Specifically, I would like to discuss how well the FTC is 
protecting consumers' privacy and what they are doing to 
promote data security. It's my belief that on data security 
this committee and Congress should be giving the FTC the tools 
it needs to do more.
    Ranking Member Pallone and I have introduced H.R. 3895, the 
Secure and Protect America's Data Act, which gives the FTC 
rulemaking authority and civil penalty authority for data 
security breach notification. These issues are becoming more 
important for Americans, not less. In our hearing last October 
with former Equifax CEO Richard Smith, I asked him if, as a 
consumer, can I opt out of Equifax--after all, I never opted 
in. Equifax collects my data whether I want them to do it or 
not and now my data is at risk of being shared because Equifax 
failed to adequately protect it, and the answer was, sadly, 
yes, I don't have an opportunity to opt out.
    It would be one thing if that breach were an isolated 
incident, and it wasn't. We saw this with Facebook and we saw 
this with Uber. In the case of Uber, it actually paid the 
hackers $100,000 before reporting the incident to the FTC.
    This can't be standard industry practice. We need to change 
that power balance by strengthening consumer protections. With 
the FTC as our partner, we, as Congress, must work to 
strengthen the agency to face the 21st century challenges.
    Many of these new marketplaces, which are often highly 
concentrated, are failing American consumers. Part of the FTC's 
mission is the issue of anti-trust and, as we saw this morning 
with the EU leveling a $5.1 billion fine on Google, strong 
consumer protection and robust competition go hand in hand, and 
that's why Congress and consumer watchdogs must step in.
    I welcome the new commissioners, Chairman Simon and 
Commissioners Phillips, Chopra, and Slaughter. Did I miss 
somebody?
    Commissioner Simons, Phillips, Chopra, and Slaughter, and I 
want to thank Commissioner--I am going to say it wrong--
Ohlhausen, for her work on the commission and her stewardship 
during the transition.
    I look forward to hearing your perspective, all of you, on 
these issues, and I yield back.
    Mr. Latta. Thank you. The gentlelady yields back.
    The chair now recognizes the gentleman from Oregon, the 
chairman of the full committee, for 5 minutes for an opening 
statement.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. Well, good morning, Mr. Chairman, and to the 
members of the FTC, good morning. Welcome before the Energy and 
Commerce Committee.
    We are delighted you're here. We want to welcome our five 
distinguished public servants and welcome to the committee. We 
have a lot of work to do. So do you, and so we appreciate your 
counsel.
    While our economy is the driver of so much growth and 
opportunity for Americans, there are still, unfortunately, some 
bad actors and the Federal Trade Commission is one of the top 
cops on the beat. It is charged with the dual mission of 
competition and consumer protection across large segments of 
the United States economy and this committee's jurisdiction. So 
we need the FTC to follow its statutory authority to protect 
consumers from unfair, deceptive, and anti-competitive 
practices, both online and off.
    Recent data security incidents involving Facebook, Equifax, 
Uber, and other companies continue to raise concerns about the 
various aspects of protecting consumers in a data-driven 
economy.
    I understand the commission does not, for good reason, 
comment on open investigations--we won't ask you to do that--
but I would emphasize that data security incidents involving 
sensitive, personal, and financial information are a 
significant threat to United States consumers and businesses 
and we are laser focused on these issues here at the Energy and 
Commerce Committee.
    The revelations surrounding Facebook and Cambridge 
Analytica have brought the issue of privacy of consumers' data 
and information in the age of pervasive social media to the 
forefront. In fact, Mark Zuckerberg sat in that chair in the 
middle for 5 hours not long ago. Particularly with Facebook 
being under a consent order with the FTC, we are closely 
evaluating the tools used by the Federal Trade Commission in 
cases as that matter moves forward.
    Two weeks ago, we asked Apple CEO Tim Cook and Alphabet CEO 
Larry Page to explain how their companies use audio recording 
data as well as locational information collected on iPhone and 
Android smartphones. Consumers want to know who's tracking them 
and how.
    And following reports that location data aggregators 
obtained locational data from U.S. wireless carriers, in turn 
selling it to other firms, this morning we will be sending 
letters to LocationSmart, Securus, and 3CInteractive 
Corporation to probe their data handling and use practices.
    We have pursued, and will continue to pursue, important 
oversight work on these issues and we will explore the question 
of whether there are improvements in the current privacy 
regulations that would increase consumer understanding of how 
data flows support the global economy.
    We do not want to unduly saddle companies with unnecessary 
regulations or impose compliance burdens that will not result 
in any meaningful impact for consumers. But we will ensure 
companies are being responsible and that they do not misuse 
consumer data, period.
    This is the overarching reason I support the Federal 
Communications Commission's ``Restoring Internet Freedom 
Order,'' which reaffirms the FTC's authority over both ISPs--
internet service providers--and tech companies alike. This 
authority is critical for enforcing data privacy practices, 
promoting a free and open internet, and protecting consumers 
from anti-competitive behaviors across the digital ecosystem.
    So as we consider these issues, I reiterate my invitation 
to the technology company CEOs to come to Congress, come to 
Washington, D.C., engage with us and talk directly to the 
committee and the public about your practices.
    Our goal is to work with all stakeholders on how best to 
incentivize data security and help protect personal and 
financial data.
    So I am encouraged to have all of you here today because I 
know you each understand the importance of these issues and the 
complexity of these issues, and the role that the Federal Trade 
Commission has in protecting consumers.
    So we look forward to your testimony. Again, thanks for 
being here before the committee and with that, unless any other 
members on our side want the remainder of my time, I would be 
happy to yield back.
    [The prepared statement of Mr. Walden follows:]

                 Prepared statement of Hon. Greg Walden

    Good morning. Today we welcome five distinguished public 
servants from the Federal Trade Commission. Chairman Simons and 
fellow commissioners, welcome to the Energy and Commerce 
Committee. We are so pleased to have a fully-constituted FTC in 
place, and we look forward to working with each of you.
    While our economy is the driver of so much growth and 
opportunity for Americans, there are still, unfortunately, bad 
actors. The FTC is one of the top cops on the beat. It is 
charged with a dual mission of competition and consumer 
protection across large segments of the U.S. economy and this 
Committee's jurisdiction. We need the FTC to follow its 
statutory authority to protect consumers from unfair, 
deceptive, and anti-competitive practices, both online and off.
    Recent data security incidents involving Facebook, Equifax, 
Uber, and other companies continue to raise concerns about the 
various aspects of protecting consumers in a data-driven 
economy.
    I understand the Commission does not, for good reason, 
comment on open investigations, but I would emphasize that data 
security incidents involving sensitive personal and financial 
information are a significant threat to U.S. consumers and 
businesses and we are laser focused on these issues at the 
committee.
    The revelations surrounding Facebook and Cambridge 
Analytica have brought the issue of privacy of consumers' data 
and information in the age of pervasive social media to the 
forefront. Particularly with Facebook being under a consent 
order with the FTC, I will be closely evaluating the tools used 
by the FTC in that case as the matter moves forward.
    Two weeks ago, we asked Apple CEO Tim Cook and Alphabet CEO 
Larry Page to explain how their companies use audio recording 
data as well as location information collected on iPhone and 
Android smartphones.
    And, following reports that location data aggregators 
obtained location data from U.S. wireless carriers, in turn 
selling it to other firms, this morning we will be sending 
letters to LocationSmart, Securus, and 3CInteractive 
Corporation to probe their data handling and use practices.
    We have pursued, and will continue to pursue, important 
oversight work of these issues. And we'll explore the question 
of whether there are improvements in the current privacy 
regulations that would increase consumer understanding of how 
data flows support the global economy.
    We do not want to unduly saddle companies with unnecessary 
regulations or impose compliance burdens that will not result 
in any meaningful impact for consumers, but we will ensure 
companies are being responsible and that they do not misuse 
consumer data.
    This is the overarching reason I support the Federal 
Communications Commission's Restoring Internet Freedom Order, 
which reaffirms the FTC's authority over both ISPs and tech 
companies alike. This authority is critical for enforcing data 
privacy practices, promoting a free and open internet, and 
protecting consumers from anticompetitive behaviors across the 
digital ecosystem.
    As we consider these issues, I reiterate my invitation to 
tech CEOs to come here to D.C., engage with Congress, and talk 
directly to the committee and the public about their practices.
    Our goal is to work with all stakeholders on how best to 
incentivize data security and help protect personal and 
financial data.
    I am encouraged to have you all here today because I know 
you each understand the importance of these issues and the roll 
of the FTC in protecting consumers.
    Thank you for being with us this morning and I look forward 
to working with you moving forward and to our important 
discussion today.

    Mr. Latta. Seeing none, the gentleman yields back the 
balance of his time.
    The chair now recognizes the gentleman from New Jersey, the 
ranking member of the full committee, 5 minutes for an opening 
statement.

OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF NEW JERSEY

    Mr. Pallone. Thank you, Mr. Chairman.
    Today's hearing focuses on the important work of the 
Federal Trade Commission.
    I want to congratulate and welcome the new commissioners: 
Chairman Simons, Commissioners Phillips, Chopra, and Slaughter, 
and welcome back Commissioner Ohlhausen--I guess I am 
pronouncing it right.
    The FTC plays a critical role in protecting consumers 
nationwide. It has the dual mission to prevent anti-competitive 
business practices and protect consumers from unfair or 
deceptive actions.
    It's an enormous endeavor covering many industries and 
issues. It works to stop anti-competitive business practices 
that are likely to leave the higher prices and lower quality of 
goods and services and at the same time it works to protect 
consumers from false advertising, annoying telemarketing, data 
throttling, and other forms of fraud.
    While the FTC has had successes such as its case against 
Volkswagen, in which it obtained $11 billion in compensation 
for consumers who purchased clean diesel cars that turned out 
not to be clean, the commission should be doing more, in my 
opinion.
    But in order to do more in support of consumers, the FTC 
needs the support and legislative authorizations from Congress. 
Unfortunately, instead of working with the FTC, this committee, 
just 2 years ago, sought to further reduce the already limited 
authorities of the FTC and I am hopeful we will not see that 
effort again.
    The FTC is a relatively small agency, especially given the 
breadth of its mission. In the area of data privacy and 
security--one of the more critical consumer protection issues 
today--FTC's entire division is only 45 full time employees and 
only 35 of those are attorneys who are able to bring 
enforcement actions.
    These actions are important since the commission's 
rulemaking authorities are hindered by overly burdensome 
requirements that effectively nullify its ability to establish 
regulations for consumer privacy and data security. And even 
its enforcement authorities are limited.
    Most often the FTC can only get an injunction stopping the 
unfair or deceptive acts for a first time violation. The FTC 
cannot hit the offender where it hurts, with a monetary 
penalty. A slap on the wrist with a promise not to do the bad 
act again often fails to be a sufficient deterrent to further 
bad action. Only if the company commits the same unscrupulous 
act again after promising in a consent that it would stop such 
conduct can the FTC seek fines, and that limitation on fining 
authority has allowed some companies to repeatedly take 
advantage of consumers without real consequences.
    Just a few months ago, we were here listening to Mark 
Zuckerberg apologize yet again for Facebook's failure to 
properly inform users of how their data would be shared. If the 
FTC was able to fine Facebook in 2011 the first time it found 
that Facebook failed to properly notify users, we may not have 
seen the Cambridge Analytica scandal.
    And to make matters worse, FTC has only 40 employees 
reviewing the hundreds of consent decrees that are in effect. 
Those employees cannot possibly know whether any one company is 
keeping the commitments it made in the consent decree.
    After all, Facebook was under a consent decree and we saw 
what that wrist slapping did--nothing. And yes, Equifax was 
under a consent decree as well.
    So today's hearing is not on the breaches at Facebook or 
Equifax but those breaches are good examples for exploring how 
the FTC could better fulfill its mission and I look forward to 
hearing from the commissioners about their ideas for the future 
of the FTC and hope we can discuss ways to support the FTC's 
dual mission and give it the tools that it needs.
    And I'd like to yield the time I have left to Ms. Matsui.
    Ms. Matsui. Thank you very much, Ranking Member Pallone.
    I've discussed the potential of blockchain applications in 
this subcommittee before. These include as possibility to 
facilitate spectrum sharing as next-generation broadband 
networks are deployed, maintain patient health records and 
secure business transactions and communications between the 
Internet of Things networks.
    In its basic and essential element and function, blockchain 
is a decentralized ledger technology. But as the hype 
surrounding blockchain and its applications grow, how exactly 
blockchain is defined has become less clear.
    More fundamentally, there is no agreed upon definition of 
blockchain. So I am working on legislation that would direct 
the Department of Commerce to convene a working group or 
Federal and industry stakeholders to develop a consensus-based 
agreed upon definition of blockchain.
    I believe a common definition of blockchain could greatly 
assist in its development and deployment. I invite all of you 
here on the panel to work with me on this as well as my 
colleagues here and I hope that we can do this as quickly as 
possible.
    Thank you, and I yield back.
    Mr. Pallone. And I yield back, Mr. Chairman.
    Mr. Latta. Thank you very much. The gentleman yields back 
the balance of his time and that will conclude with member 
opening statements.
    The chair would like to remind members that pursuant to 
committee rules all members' opening statements will be made 
part of the record.
    And, again, I want to thank all of our witnesses for 
appearing before us today to take time to testify before the 
subcommittee. Today's witnesses will have the opportunity to 
give a 5-minute opening statement followed by a round of 
questions from the members of the subcommittee.
    Chairman Simons, you are recognized for 5 minutes. If you'd 
just pull the mic up close and turn the button on, we'll--glad 
to have you here today.
    Thank you.

 STATEMENTS OF THE HONORABLE JOSEPH SIMONS, CHAIRMAN, FEDERAL 
      TRADE COMMISSION; THE HONORABLE MAUREEN OHLHAUSEN, 
  COMMISSIONER, FEDERAL TRADE COMMISSION; THE HONORABLE NOAH 
PHILLIPS, COMMISSIONER, FEDERAL TRADE COMMISSION; THE HONORABLE 
   ROHIT CHOPRA, COMMISSIONER, FEDERAL TRADE COMMISSION; THE 
   HONORABLE REBECCA SLAUGHTER, COMMISSIONER, FEDERAL TRADE 
                           COMMISSION

                   STATEMENT OF JOSEPH SIMONS

    Mr. Simons. Thank you so much.
    Chairman Latta, Ranking Member Schakowsky, and members of 
the subcommittee, I am Joe Simons and I am the new chairman of 
the Federal Trade Commission. It's an honor to appear before 
you today, especially alongside my fellow commissioners. I'd 
also like to thank you for being so supportive of the FTC's 
resource needs over the years.
    As you've already said, the FTC is a highly productive and 
effective independent agency with a broad mission--to protect 
consumers and to maintain competition. The FTC also has a long 
history of bipartisanship and all of us here today are very 
committed to continuing that strong tradition.
    I am going to focus my oral remarks today primarily on data 
security and privacy. Year after year, these two issues topped 
the list of consumer protection priorities at the FTC. The 
commission has challenged numerous privacy and security 
practices under Section 5 of the FTC Act.
    Our program in these areas, which includes enforcement as 
well as consumer and business education, has been highly 
successful within the limits of our authority. Section 5 is an 
imperfect tool. In my view, we do need more authority. I 
support data security legislation that would give us three 
things: one, the ability to seek civil penalties to effectively 
deter unlawful conduct; two, jurisdiction over nonprofits and 
common carriers; and three, the authority to issue implementing 
rules under the Administrative Procedure Act.
    Make no mistake, however. Under my leadership, privacy and 
data security will continue to be an enforcement priority and 
the FTC will use every tool in its arsenal to address consumer 
harm to the extent we can. To date, the commission has brought 
more than 60 cases alleging that companies failed to implement 
reasonable data security safeguards as well as dozens of 
general privacy cases.
    We have aggressively pursued privacy and data security 
cases in myriad areas including financial privacy, children's 
privacy, health privacy, and the Internet of Things.
    Recently, the European Union put into effect its general 
data protection regulation. The FTC will be watching carefully 
and assessing the impact of this new regime to see what lessons 
we can learn that might be applicable to the U.S.
    In addition, GDPR, like its predecessor, imposes 
restrictions on the ability of companies to transfer consumer 
data from the EU to other jurisdictions, including the U.S.
    The EU-U.S. Privacy Shield framework provides a mechanism 
that enables data to be legally transferred from Europe to the 
United States and the FTC is committed to strenuously enforcing 
Privacy Shield.
    Finally, let me mention one additional item. The FTC has 
the tradition of self-critical examination, and in that vein, 
we recently announced our hearings on competition and consumer 
protection in the 21st century, and these will begin in the 
fall.
    This series of public hearings will explore whether we need 
to adjust our enforcement efforts, our priorities, and policies 
in light of changes in the marketplace and new thinking.
    The issues to discuss include whether we need to change the 
governing standard for anti-trust enforcement, whether merger 
enforcement has been too lax, our remedial authority with 
respect to privacy and data security, and other issues.
    A discussion of these issues at the hearing along with the 
public comments that will be collected throughout the hearings 
will help inform our thinking. The FTC is committed to 
maximizing the use of its resources, to enhance its 
effectiveness in protecting consumers, and promoting 
competition, to anticipate and to respond to changes in the 
marketplace, and to meet current and future challenges.
    We look forward to continuing to work with the subcommittee 
and Congress, and I look forward to answering your questions.
    Thank you so much.
    [The prepared statement of Mr. Simons follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
       
    Mr. Latta. Thank you very much for your statement.
    And, Commissioner Ohlhausen, you are recognized for 5 
minutes.

                 STATEMENT OF MAUREEN OHLHAUSEN

    Ms. Ohlhausen. Chairman Latta, Ranking Member Schakowsky, 
and members of the subcommittee, I am pleased to appear before 
you today alongside my FTC colleagues.
    I've been a commissioner for 6 years and was honored to be 
named Acting Chairman in January 2017 and to serve in that 
capacity until May 2018.
    Having a leadership role at the FTC provides a unique 
insight into the vital protections the agency provides for the 
American consumer and I am proud of the work that we'll discuss 
in today's hearing.
    Although the FTC has many accomplishments, I will limit my 
remarks today to two areas: process reforms and competition 
enforcement.
    First, process reforms. In April 2017, I directed the FTC's 
Bureau of Consumer Protection to identify ways we could 
streamline our civil investigative demands, or CIDs, which are 
the agency's version of administrative subpoenas. This 
initiative was in part in response to concerns raised by 
members of Congress that FTC investigations often imposed undue 
burdens on legitimate companies.
    Now, of course, the FTC must remain an effective and 
aggressive protector of the American consumer. That is our 
primary mission. But we should also look for ways to be more 
efficient.
    These CID reforms have been in effect for a year and I 
believe the agency has successfully navigated making the CID 
process friendlier to legitimate businesses without sacrificing 
our effectiveness. For example, one difficulty for small 
business is wading through pages of legalese. To lighten this 
burden, the FTC now includes a plain language description of 
the CID process in every CID we issue and we've posted FAQs for 
small businesses on our website to help them.
    We are also being more selective about the time frame for 
requested documents or information. Obviously, the broader the 
time frame the greater the burden on companies.
    It is now our policy where appropriate to limit the time 
frames in our CIDs to more recent years and, of course, when 
there is good cause, we will seek a broader range of documents 
and information. But that is now the exception, not the rule.
    These are just a handful of the ways that we've reformed 
our CID process so that we can continue to protect consumers 
without placing undue burdens on legitimate companies.
    And now turning briefly to competition enforcement, I would 
like to make just a few points. In fiscal year 2017, the FTC 
challenged 23 mergers and obtained remedies for consumers in 15 
others, maintaining, essentially, the same merger enforcement 
pace during the beginning of this administration as it had 
during the previous one.
    And the brisk pace continues in fiscal year 2018. The 
agency has already undertaken a number of merger challenges 
including Tronox, Williamson, and Otto Bock, all of which are 
currently in litigation.
    During the 2017-2018 period, the commission also stopped 
three mergers when the parties abandoned them after we sued, 
and, in addition, Walgreen's substantially restructured its 
proposed acquisition of Rite-Aid due to commission concerns.
    And I would like to highlight two merger cases that focused 
on important points about our competition mission. Draft Kings-
FanDuel was a proposed merger of two internet platforms 
offering so-called daily fantasy sports contests and the FTC 
sued to block the deal, finding that these two companies were 
the leading providers and that other forms of fantasy sports 
were inadequate substitutes.
    And, importantly, the commission rejected arguments that 
the technology was too nascent and fast moving to be able to 
draw reliable conclusions, and in the face of the FTC's 
challenge, the companies ultimately abandoned their 
transaction.
    And the other case I would like to briefly mention was CDK-
AutoMate, which involved two providers of specialized software 
used by auto dealers. Our challenge to the deal noted that the 
current levels of competition between the parties likely 
understated the competitive significance of the smaller firm.
    In effect, the larger firm was buying out this promising 
upstart before it could grow to become a much more serious 
competitive threat, and in the face of the FTC's challenge the 
parties abandoned their deal.
    Both of these cases were big wins for U.S. consumers but 
they also show how the commission can use its existing 
authority to intervene in a factually grounded economically 
nuanced way, even in fast-moving high technology markets.
    In addition to merger review, we also brought a number of 
important conduct cases including several challenging anti-
competitive behavior by drug manufacturers.
    And finally, our Economic Liberty Task Force, which I 
launched last year, has helped to spotlight unnecessary or over 
broad occupational licensing which often disproportionately 
harms those near the bottom of the economic ladder and burdens 
our military families.
    So thank you for your time and I look forward to your 
questions.
    Mr. Latta. And thank you very much for your testimony 
today.
    And Commissioner Phillips, you are recognized for 5 
minutes.

                   STATEMENT OF NOAH PHILLIPS

    Mr. Phillips. Thank you.
    Chairman Latta, Ranking Member Schakowsky, distinguished 
members of the subcommittee, thank you all for the opportunity 
to be before you today.
    I am honored to be here with my fellow commissioners, and 
from our testimony I hope you see the important work that the 
FTC and its staff do every day on behalf of American consumers.
    As you all know, our economy is increasingly globalized, 
digitized, and connected. These changes generate incredible 
opportunity but they also pose new problems for consumers such 
as traditional scams that now thrive online and new internet-
enabled frauds, and they also raise important enforcement 
challenges like the enhanced ability of scammers to act 
anonymously or to move their ill-gotten gains abroad and 
outside of our jurisdiction.
    They also create roadblocks to international law 
enforcement cooperation. Congress has been an essential ally in 
this fight. In 2006, it passed the U.S. SAFE WEB Act. SAFE WEB 
allows the FTC to share evidence with and provide investigative 
assistance to foreign authorities in cases involving spam, 
spyware, privacy violations, and data breach.
    It also confirms our authority to challenge foreign-based 
frauds that harm U.S. consumers or involve material conduct in 
the United States.
    Using SAFE WEB, the FTC has worked with authorities abroad 
to stop illegal conduct and secure millions in judgments from 
fraudsters and sometimes even criminal convictions.
    The FTC uses SAFE WEB authority in important international 
privacy cases. We collaborated with Canadian and Australian 
privacy authorities on the massive data breach of the Toronto-
based adult dating website ashleymadison.com, and we worked 
again with Canadian authorities on FTC's first children's 
privacy and security case involving connected toys, a 
settlement with electronic toy manufacturer VTech Electronics 
under the Children's Online Privacy Protection Act.
    In total, the FTC has responded to more than 125 SAFE WEB 
information sharing requests from 30 foreign enforcement 
agencies. We have issued more than 110 civil investigative 
demands in more than 50 investigations on behalf of foreign 
agencies, civil and criminal.
    The FTC has collected millions of dollars in restitution 
for injured consumers, both foreign and domestic. SAFE WEB 
helps protect Americans by policing and instilling confidence 
in the digital economy. But it sunsets in 2020. The commission 
respectfully requests that Congress reauthorize this authority 
and eliminate the sunset provision.
    Our international efforts support American business 
leadership in the global digital economy by enabling 
transatlantic data flows and protecting privacy.
    As Chairman Latta rightly highlighted in his remarks, the 
FTC works with the Department of Commerce on three key cross-
border data transfer programs including the EU-U.S. Privacy 
Shield.
    Privacy Shield provides a legal mechanism for companies to 
transfer personal data from the EU to the U.S. with strong 
privacy protections and the FTC enforces these companies' 
Privacy Shield promises under Section 5 of our organic statute.
    We are committed to the success of Privacy Shield and the 
other cross-border data transfer mechanisms. We have brought 
nearly 50 actions to enforce them including four under the new 
Privacy Shield, one announced just two weeks ago.
    Privacy Shield is an important mechanism for encouraging 
commerce and protecting privacy. Enforcement of it is and will 
remain a priority for the agency.
    Thank you for your time and attention and I look forward to 
answering any questions that you have.
    Mr. Latta. Again, thank you very much for your testimony.
    And Commissioner Chopra, you are recognized for 5 minutes.

                   STATEMENT OF ROHIT CHOPRA

    Mr. Chopra. Chairman Latta, Ranking Member Schakowsky, and 
members of the subcommittee, thank you for the opportunity to 
testify and discuss data security and privacy.
    According to survey data, 91 percent of adults believe they 
have lost control about how companies are collecting and using 
their personal information.
    News reports of data breaches and disclosure of sensitive 
data have become routine. On the dark web, stolen credit card 
and Social Security numbers and social media profiles can be 
bought and sold.
    For many Americans, the situation seems hopeless and they 
feel powerless, and Washington cannot be sitting on the 
sidelines. We must confront the risks to our economy, our 
society, and national security of inadequate data security and 
privacy, and the cost of inaction is growing.
    According to an industry study, over 15 million Americans 
were a victim of identity theft in some form in 2016, leading 
to $16 billion of losses. The majority of these Americans had 
their records accessed in a data breach in the years prior to 
their identity theft. When we talk about data security in 
Washington we typically focus on protecting power grids, 
payment networks, and other critical infrastructure to avoid a 
crippling attack.
    But we also know that the infiltration of commercial 
holdings of consumer data can also cause chaos. Large-scale 
breaches of unencrypted data are increasing these risks and we 
must do more to secure personal data from falling into the 
wrong hands.
    Chairman Simons is right. The FTC cracks down on illegal 
practices whenever we can. But I think our existing toolkit 
won't do the trick. In too many situations, our resolution is 
to tell a lawbreaking company to simply stop breaking the law.
    To truly make a difference when it comes to data protection 
we need the ability to deter misconduct through financial 
penalties and sensible safeguards that can evolve with the 
marketplace and when it comes to privacy the United States 
should lead.
    New privacy protections from Europe and California are 
advancing but we shouldn't feel we have to simply copy and 
paste. We should be leading. I believe privacy and competition 
can go hand in hand, especially when consumers can access their 
data in portable and interoperable formats.
    We can increase privacy protections without crowning 
corporate royalty. We don't need to start from scratch either. 
Congress can build upon existing privacy laws such as the 
Children's Online Privacy Protection Act.
    Twenty years ago, incumbents warned that this bipartisan 
effort to protect children online would end in utter disaster 
for our information economy and, boy, were they wrong.
    COPPA has common sense ideas. Data collected for one 
purpose shouldn't be used for another purpose without your 
permission. You should have the ability to review the 
information collected about you.
    Companies should be up front and honest about who they're 
sharing your data with and strong protections should be backed 
by an enforcement regime that can hold companies and their 
operators accountable.
    Over the past decade, the FTC has produced scores of 
studies and reports but now it is time for Congress to act. I 
am confident that if Congress entrusts the Federal Trade 
Commission with the authority and resources to do more to 
protect families and businesses, we will deploy them 
efficiently and effectively while continuing to promote a 
dynamic digital economy that truly benefits all of us.
    Thank you.
    Mr. Latta. And thank you very much for your testimony.
    And Commissioner Slaughter, you are recognized for 5 
minutes for your opening statement.

                 STATEMENT OF REBECCA SLAUGHTER

    Ms. Slaughter. Thank you, Chairman Latta, Ranking Member 
Schakowsky, and members of the subcommittee. Thank you for 
inviting all of us here today.
    I would like to use my oral remarks to highlight the 
critical work the commission does to protect American consumers 
from fraud and from illegal robocalls. I also want to draw 
attention to the resource challenges of the commission.
    Although it sometimes grabs fewer headlines, fighting fraud 
is a central part of the FTC's consumer protection mission. The 
commission routinely tracks down and stops some of the worst 
scams, often targeting consumers who can least afford to lose 
money, including the elderly, members of the military, students 
burdened by debt, and small businesses.
    The FTC takes the lead on important initiatives to shut 
down fraudsters and joins with our Federal, State, and 
international law enforcement partners. Some recent examples of 
these initiatives include Operation Tech Trap, a crackdown on 
tech support scams. Another example was Operation Game of 
Loans, where we led the first Federal and State coordinated 
action targeting 36 student loan debt relief scams. And just 
last month, we announced Operation Main Street, an effort to 
stop small business scams.
    The agency has also been at the forefront of addressing 
deceptive moneymaking frauds involving crypto currencies, 
bringing enforcement action and hosting a workshop to explore 
house scammers or exploiting public interest in crypto currency 
and how to empower and protect consumers against the growing 
threat of exploitation. This is an area we must continue to 
monitor closely including working with stakeholders who don't 
traditionally engage with the FTC.
    On robocalls, few things unite Americans more than their 
outrage over illegal robocalls and I include myself among the 
outraged. The FTC uses every tool at its disposal to stop 
illegal calls. We've brought 137 cases targeting over 800 
individuals and companies responsible for billions of illegal 
calls to U.S. consumers and we've collected over $120 million 
in judgments.
    But, as anyone with a phone knows, the problem persists. 
While our aggressive law enforcement efforts will continue, we 
know that the explosion in illegal calls stems from 
technological developments in the calling landscape.
    Law violators can now place endless streams of calls for a 
fraction of a cent and too often the criminals behind some of 
the worst calling scams are located abroad, beyond the 
immediate reach of a civil law enforcement agency.
    Technological problems need technological solutions. The 
FTC has been a leader in pushing industry to develop those 
solutions, helping to spur providers and third parties into 
offering call-blocking options. However, the best long-term 
solution is to empower and expect providers to deploy solutions 
at the network level that will reach every consumer.
    Effective blocking tools to stop spam should be available 
to all consumers using every kind of phone system and carriers 
should have both the right and the responsibility to keep their 
systems clear of unwanted calls.
    The FTC is currently limited in its ability to address 
failures on the part of providers as a result of the common 
carrier exemption to our jurisdiction. Some carriers know or 
have every reason to know that they are passing along illegal 
or even fraudulent calls but they are beyond our reach. 
Speaking as a consumer as well as an enforcement official, I 
share the public outrage at robocalls and I am eager to work 
with Congress to empower the FTC to do even more to combat this 
profound nuisance.
    Finally, I would like to say a word about our resources. 
The FTC works tirelessly to protect consumers and advance 
competition in an increasingly technical, digital, and 
sophisticated marketplace.
    Consumers rightly look to the FTC to address evolving 
challenges and one of my top priorities is to make sure that we 
meet those expectations successfully. We have excellent expert 
experienced staff who want nothing more than to hold 
lawbreakers accountable. We leverage them as effectively as 
possible. But we have more cases to bring every day. Those 
cases have become more complex both legally and technologically 
and they involve defendants with deep pockets and armies of 
attorneys.
    Our budget has not kept pace with these developments. To 
wit, we had more full time employees in the Reagan 
administration than we do today. It is critical that the FTC 
have sufficient resources to support its work, particularly as 
demands for enforcement in so many complex areas continue to 
grow.
    In addition to sufficient resources, as several of my 
colleagues have noted, sufficient authority is critical for the 
FTC to continue to meet the demands of the 21st century 
marketplace.
    Repeal of the common carrier exemption, APA rulemaking 
authority, and related civil penalty authority would each go a 
long way to help the FTC better meet today's challenges as well 
as tomorrow's.
    Thank you, and I look forward to taking your questions.
    Mr. Latta. Thank you very much for your testimony today and 
I, again, thank all the commissioners for being with us today 
and I will start the questioning with 5 minutes.
    And Chairman Simons, if I could start with you. You bring 
very strong anti-trust credentials to the FTC, previously 
serving as head of the Bureau of Competition.
    One of the priority issues of the subcommittee is the 
consumer protection jurisdiction enforcement activities of the 
FTC and I noted in your opening remarks you talked about 
especially enforcement on IoT--I sponsored legislation with the 
gentleman from Vermont and on the Internet of Things.
    But we also, in the last Congress, had the working group. 
So Internet of Things is something that we are very concerned 
about.
    With recent headlines highlighting the open investigations 
of Equifax and Facebook, which I know you can't comment on, and 
the Eleventh Circuit recent decision highlighting the 
unenforceable order of LabMD data security case, how would you 
describe your general approach to consumer protection 
enforcement?
    Mr. Simons. Our mantra is vigorous enforcement, Chairman.
    So that's what we are all about. We are about protecting 
the consumer and vigorous enforcement. In addition, we are very 
active in terms of not only trying to create a disincentive for 
the bad guys to do the wrong thing, but in addition, to educate 
consumers and small businesses and businesses generally to make 
sure they do the right thing.
    So very enforcement oriented, very vigorous, and across the 
board. One of the things you probably noticed from the remarks 
of the commissioners was that it was spread out in terms of 
different subject matters and that was not by accident.
    So we are aggressive across the board whether it's data 
security, privacy, all kinds of different fraud across the 
board.
    Mr. Latta. OK. Let me follow up. You mentioned on the civil 
penalty authority the FTC doesn't have the civil penalty 
authority today to enforce initial violation of the safeguards 
rule that covers companies like Equifax.
    Would you support civil penalty authority to enforce the 
safeguards rule?
    Mr. Simons. Yes.
    Mr. Latta. OK. Thank you.
    Would you like to follow up on that?
    [Laughter.]
    Mr. Simons. Yes. Sure.
    So one of the problems that we have is we are able to show 
in these cases that there is sufficient harm to show a 
violation under the statute. But in terms of our monetary 
remedial authority and showing damage from any particular 
breach and tracing it to that specific breach is very 
difficult.
    So it really hinders our ability to seek a significant 
monetary penalty and monetary relief and to create a sufficient 
deterrence so that conduct doesn't occur in the future.
    Mr. Latta. Let me follow up with another question to you. I 
was listening when you were talking about your announcement of 
the series of public hearings this year on the 21st century 
challenges to the economy and I also commend you and the 
commission for taking a thoughtful approach to examining 
whether the current legal, economic, and technological 
predicates--warrants adjustment to competition and consumer 
protection policy.
    Would you share your goals for the hearing including 
efforts to update the agency's research and policy function or 
to set the foundation for enforcement actions in policy agenda 
setting?
    Mr. Simons. So we are conducting these hearings with a 
broad range of participants from all over the spectrum of 
thoughts and ideas and so we are going in with an open mind and 
we are not expecting any particular outcome. But potential 
outcomes would be things that would involve, for example, 
amending our horizontal merger guidelines, drafting potentially 
new vertical merger guidelines.
    We are going to also look at privacy and data security and 
maybe we'll come out with strong suggestions there as to how to 
move forward maybe along the lines of Commissioner Chopra's 
suggestions a minute ago.
    So it's really quite wide open. Last time that hearings of 
this nature were conducted there were substantial action items 
coming out of those hearings. This was done by then Chairman 
Robert Pitofsky, and one of the main things that came out of 
that was amendments to the merger guidelines relating to 
efficiencies.
    There was also a lot of work done on the intellectual 
property area. And so our goal is to try to be as effective in 
these hearings as Chairman Pitofsky was in his hearings.
    Mr. Latta. Well, thank you very much, and my time is about 
to expire so I am going to yield back and recognize the 
gentlelady from Illinois, the ranking member of the 
subcommittee for 5 minutes.
    Ms. Schakowsky. Thank you.
    Let me just say I've been a long-term consumer advocate 
since I was a very young woman. So I have a special place in my 
heart for the Federal Trade Commission and I want to ask about 
your authorities.
    Most agencies issue regulations under the Administrative 
Procedures Act, which sets out notice and public comment 
procedures for issuing regulations. But unless granted APA 
rulemaking authority for specific issues by Congress, the FTC 
issues rules under a different law, which provides more 
burdensome procedures and makes it more difficult for the 
commission to issue rules.
    So I wanted to ask you, Mr. Chairman, do you agree that the 
FTC currently is limited and, an example I think you gave in a 
meeting could not write rules like the open internet rules 
written by the FCC?
    Mr. Simons. So I generally do agree with your 
characterization of a rulemaking authority. So our general 
rulemaking authority is under the Magnuson-Moss Act and it is 
considerably more burdensome than the Administrative Procedure 
Act. So I agree with that completely.
    In terms of your question about the net neutrality rule, I 
don't think that we could adopt exactly the same rule, and if 
we were to try to do it under Magnuson-Moss, like you said, it 
would be pretty time consuming.
    However, what we normally do is we bring enforcement 
actions and our sense is that those actually accomplish pretty 
much the same thing. By doing.
    Ms. Schakowsky. I wanted to ask about that. It says without 
effective rulemaking authority, the FCC has focused its efforts 
on law enforcement, and we've heard a number of really positive 
examples.
    But it seems to me the enforcement only approach is not as 
effective as when legal standards are supported by agency 
rulemaking.
    Mr. Simons. I think a mix, depending on the circumstance of 
rulemaking and enforcement, could be optimal.
    Ms. Schakowsky. So, this issue has come up often in this 
committee's discussion of data breach legislation. Previous 
commissions have supported APA rulemaking authority for data 
security and breach notification.
    Ranking Member Pallone and I have introduced a bill--I 
mentioned it in my opening statement--3896, the Secure and 
Protect America's Data Act--that would require companies to 
have reasonable data security and notify consumers in a 
reasonable time when breaches occur.
    So to the whole panel, our bill would give the FTC 
authority to write rules on data security and breach 
notification using APA rulemaking and I would just like to go 
down the row and see if you would support that.
    Mr. Simons. Yes. Without commenting on the specifics of 
your bill I certainly support in concept what you're 
suggesting.
    Ms. Schakowsky. OK.
    Ms. Ohlhausen. As I have previously supported data security 
and breach notification legislation, I would also support it 
without supporting particular details.
    Ms. Schakowsky. I understand. Right. Thank you.
    Mr. Phillips.
    Mr. Phillips. I too support legislation, Congresswoman. I 
have not yet formed an opinion with respect to particular 
rulemakings. One of the things I look forward to in our 
upcoming hearings that the chairman has announced is the fact 
that we are going to be doing a careful study of the remedies 
available to us and I look forward to learning from those.
    Mr. Chopra. Yes, and I would add that the development of 
rules is a much more participatory process than individual 
enforcement actions and it also gives clear notice to the 
marketplace rather than being surprised, and I think it would 
be a good idea.
    Ms. Schakowsky. Good point. Yes.
    Ms. Slaughter. Yes. Like my colleagues, I haven't studied 
your particular bill. But as you describe it, it's something 
that I would very much support.
    Ms. Schakowsky. Let me just say, the word partner came up a 
good deal in various testimonies, both on the committee and on 
the panel, and I hope that we can use that approach.
    Chairman Simons, if the FTC had APA rulemaking authority 
now, would you direct staff to begin the rulemaking process for 
data security and breach notification?
    Mr. Simons. Sure. Yes.
    Ms. Schakowsky. OK. Even though FTC's current rulemaking 
procedures are burdensome, couldn't the FTC issue an advanced 
notice of proposed rulemaking or a notice of inquiry to collect 
data and get the process started now?
    Mr. Simons. We could certainly start a rulemaking under 
Mag-Moss. It would just, you know, be time consuming and really 
resource intensive and so there's an issue about whether we 
want to start that, not knowing whether we could finish it 
under----
    Ms. Schakowsky. If I could just have a couple more seconds. 
We've had these high-profile hearings from Equifax, Zuckerberg 
was sitting in that chair, as the chairman mentioned.
    And yet, we really have not moved forward, I think, in 
doing something about these data breaches and the mistakes that 
have been made. I really look forward to working with you and 
meeting with all of you.
    Thank you.
    Mr. Latta. Thank you very much. The gentlelady's time has 
expired and the chair now recognizes the gentleman from Oregon, 
the chairman of the full committee, for 5 minutes.
    Mr. Walden. Thank you, Mr. Chairman, and I want to thank 
you for your leadership in this area on data breach, data 
security, and all--I think you have had, what, four roundtables 
including one yesterday, I think, with how many participants? 
Thirty-eight?
    Yes, we know this is pretty complicated. If there were an 
easy answer we'd all do it because, I think of my colleague 
from Illinois, Ms. Schakowsky, said, she worries about her data 
being breached by Equifax.
    I don't think you have to worry. I think it is.
    [Laughter.]
    I think the worry part is gone and that's the tragedy of it 
all is we don't have control over our data and we have laws on 
the books in some cases. Companies have trust obligations in 
other cases and they don't have the security in most cases, and 
so it is something we are all concerned about as consumers and 
as policy makers and enforcers.
    And so it's something this committee is very concerned 
about and, as I say, we've been trying to find if there's an 
eye in that needle to thread legislation to get to data 
notification. Hold people accountable and we are closing in on 
it.
    And, like others on the committee, I think we are all 
consumers and I care deeply about putting the consumer first. 
That's been part of my mantra as chairman of the committee, 
because if you do that you have competitive markets. You have 
innovation and you have price competition and you have choice 
and consumers benefit.
    And, Ms. Slaughter, your comment about robocalls I am fully 
in agreement with. I remember when pop-up ads were a nuisance. 
I tongue-in-cheek suggested death penalty for those people, 
because you couldn't do anything on your computer. You had 
bazillions of these pop-up ads.
    We had a hearing on robocalls and the private sector--the 
technology sector is being pretty inventive and one of the 
witnesses has an app that they market--I won't promote a 
particular one--but it actually figures out how to answer the 
call and then pretends to be real and keeps the caller on the 
line for half an hour.
    I love that kind of thing. Run their bill up, drive them 
crazy. And so, we have a lot of young kids out there with 
brilliant minds that can develop these apps and help us in this 
endeavor. But one of the big challenges, of course, is a lot of 
this stuff is overseas and hard even for you or for us or 
anybody to get their hands around. Boy, we'd have our hands 
around their necks.
    So, Chairman Simons, what role to do you believe anti-trust 
plays with respect to consumer protection? Give us your 
thoughts on that as the chairman. Try--yes.
    Mr. Simons. It's similar, Mr. Chairman, to what you just 
suggested. So the more competition, the more likely it is the 
consumer is going to be benefited, and what goes hand in hand 
is that competition and consumer protection in terms of 
nondeceptive information in the marketplace, an efficient 
advertising market, those are things that make firms compete 
stronger and it drives competition.
    So we want to have those two things. We want to have 
vigorous competition. We want to make sure that firms are not 
behaving anti-competitively and at the same time we want to 
make sure that consumers have the information that is necessary 
for them to make the right decisions and right choices in the 
marketplace.
    Mr. Walden. And with this emerging digital economy that's, 
well, fully underway but, it's emerging every day there's 
something new, you see we have legacy rules.
    We have industries that are built upon those and then you 
have a new entrant into the market and then you have 
consolidation and mergers and people trying to compete. So what 
questions are you most focused on regarding the changing 
digital nature of the U.S. economy during your public hearings.
    Mr. Simons. We are focused on a very broad range of things, 
everything from whether the consumer welfare standard--which 
has been the consensus standard for the last 20 or 30 years--
whether that needs to be changed or not, whether the way we 
have done merger analysis in the past 20 or 30 years has been 
appropriate, whether that's been too lax.
    And then we are also focused on the consumer protection 
side, particularly in terms of privacy and data security. As I 
mentioned in my oral remarks that we are very focused on is the 
potential tradeoff between privacy on the one hand and data 
security on the one hand and competition on the other hand.
    Mr. Walden. Right.
    Mr. Simons. We are a little nervous that if you do privacy 
in the wrong way, have it go too far in one direction that you 
might end up reducing competition.
    You might create a situation in which you entrench the 
large tech platforms, for example. You make it very difficult, 
because the advertising market becomes, potentially, much less 
efficient. You make it much more difficult for new entrants and 
smaller firms to get the attention of the consumers that 
they're trying to reach.
    In fact, one of the things that I saw very recently after 
the effective date of the GDPR was an article in the Wall 
Street Journal that reported that they could already see that 
advertising was moving to the Google platform over in Europe 
and so that's something we are very conscious of and we want to 
be very careful about.
    And when Congress thinks about these things in legislation, 
this is something that my recommendation would be you think 
carefully about to strike the right balance.
    Mr. Walden. And I know I am over, but that's exactly the 
conundrum we are in is finding that right balance because you 
have just a couple of platforms that dominate in the online 
advertising world today.
    So you want that competition but you don't want to do 
something that actually enhances their dominance, if you will. 
So I appreciate that.
    And I yield back.
    Mr. Latta. Thank you very much. The gentleman yields back.
    The chair now recognizes the gentleman from New Jersey, the 
ranking member of the full committee for 5 minutes.
    Mr. Pallone. Thank you, Mr. Chairman.
    Much of the FTC's consumer protection enforcement actions 
are brought under Section 5 of the FTC Act, which prohibits 
unfair and deceptive acts or practices, and the remedies 
available for these cases are limited. The FTC can only seek an 
injunction in conditions which most often come in consent 
decrees. It can seek civil penalties for first violations.
    And I know, Chairman Simons, you mentioned already today 
that you support giving the FTC authority to seek civil 
penalties for first violations when companies fail to maintain 
reasonable data security.
    How would that tool help the FTC's efforts to protect 
consumers from data breaches?
    Mr. Simons. Thank you, Congressman.
    So what that would do is that would enable us to impose a 
sufficient monetary penalty that would incentivize companies to 
better protect data.
    As you have said and as others have said, if what is going 
on in terms of our enforcement authority is that we can only 
get an injunction that just says, sin no more, then that's much 
less of a deterrent than if we could get monetary penalties 
that would actually cause the business to think through how 
it's conducting its business and what it's doing in terms of 
security and privacy.
    Mr. Pallone. Now, to clarify, when the FTC does have 
authority to seek civil penalties, it's still up to the FTC to 
decide whether to even ask for those penalties and how much 
those penalties should be, correct?
    Mr. Simons. I am sorry. Could you repeat that?
    Mr. Pallone. When the FTC does have authority to seek civil 
penalties, it's still up to you to decide whether to even ask 
for those penalties and how much those penalties should be, 
correct?
    Mr. Simons. Yes.
    Mr. Pallone. OK. So do you think that civil penalty 
authority would be beneficial for FTC's privacy cases as well?
    Mr. Simons. That's something I think we should explore. I 
don't have a view on that yet. Maybe something will come out of 
the hearings that we are going to conduct in the fall that will 
inform our views.
    Mr. Pallone. I appreciate your having those hearings in the 
fall, too. I think it's great that you're doing that.
    What about the other Section 5 violations? Would you 
support legislation giving the FTC civil penalty authority for 
other enforcement actions?
    Mr. Simons. So other enforcement actions, I think, are a 
little different in the sense--like, fraud, for example. Even 
though we are going under our Section 5 authority that provides 
for injunctive relief, as part--what's ancillary to injunctive 
relief is the ability to get restitution and disgorgement, and 
those can serve as significant deterrent effects.
    So with respect to fraud, that's something that where our 
existing authority probably is sufficient. But with data 
security and privacy, it just becomes very hard to prove the 
extent of damage to any specific ----
    Mr. Pallone. I am thinking of robocalls, which I know we 
discussed. Do you see that as different? Like if, you know----
    Mr. Simons. Well, we have a rule and so we can get civil 
penalties for violations of the robocall, the marketing and 
sales.
    Mr. Pallone. OK.
    Mr. Chopra. Congressman, under our statute, we are able to 
ask a court for civil penalties in the case where there's a 
rule on the books or when there's a violation of an order, 
generally speaking.
    So when we do have a rule on the books, it is easier, even 
on the first defense, we are able to ask a court for civil 
penalty. That's one of the reasons why rulemaking also could 
increase deterrence as well.
    Mr. Pallone. All right.
    Well, now, let me just say one more thing. I wanted to ask 
you about the Uber settlement. FTC recently announced an 
expanded settlement with Uber, and while the FTC was in the 
process of negotiating a settlement with Uber, making deceptive 
privacy and data security claims, FTC learned that Uber failed 
to disclose another significant breach of the customers' data, 
which Commissioner Ohlhausen called strikingly similar.
    So just quickly, Chairman Simons, the expanded settlement 
with Uber includes some additional requirements but does not 
include civil penalties.
    Why couldn't the FTC seek civil penalties related to the 
second data breach?
    Mr. Simons. We would have to show that that was a violation 
of a preexisting order.
    Mr. Pallone. OK.
    Mr. Simons. There was no preexisting order.
    Mr. Pallone. But FTC found that Uber twice committed 
misconduct but still couldn't impose fines? Maybe I will go 
back to Commissioner Chopra.
    Do you think this situation is sufficient to stop repeat 
offenders in the case of Uber?
    Mr. Chopra. Well, my understanding of the Uber resolution 
was that the order was modified based on conduct that was not a 
direct violation of the original order, and this is what I am 
talking about.
    Our limitations on obtaining civil penalties are when 
there's a rule violation or a violation of an order itself. So 
I, of course, and I think all of us want to make sure that FTC 
orders are followed and if they are not followed we will seek 
all appropriate relief we should.
    But the question you're raising about whether on a first 
offense there should be penalties, I think that in order to 
deter misconduct we need to consider when it's appropriate that 
even on a first offense the lack of penalties may not serve as 
adequate deterrence.
    Mr. Pallone. All right. Thanks so much.
    Thank you, Mr. Chairman.
    Mr. Latta. Thank you. The gentleman's time has expired.
    The chair now recognizes the vice chairman of the 
subcommittee, the gentleman from Illinois, for 5 minutes.
    Mr. Kinzinger. Well, thank you, Chairman, for yielding and 
I thank you all for being here today and taking some time and 
everything you do for the country.
    Commissioner Ohlhausen, the commission's website states 
that the FTC protects consumers by stopping unfair, deceptive, 
or fraudulent practices in the marketplace.
    I want to ask you a rudimentary and kind of direct 
question. Do you think a private company should ever be 
compelled to provide inaccurate information to consumers that 
deceptive or could impact the marketplace?
    Ms. Ohlhausen. I would certainly be concerned about any 
company providing inaccurate information to consumers, whether 
they did it voluntarily or were required to do so.
    Mr. Kinzinger. OK.
    Commissioner Ohlhausen, crypto currency scams have been 
fertile ground for scammers since the value of bitcoin and 
other tokens skyrocketed in value at the end of 2017, bringing 
with it rising interest in raising capital for startups via 
initial coin offerings.
    Last Congress, I worked with Representative Cardenas to 
pass Resolution 835 through the House highlighting the 
importance of improving consumer access to financial technology 
tools.
    Besides the recent workshop on crypto currency scams, what 
more is the FTC doing to target things like deceptive 
investment opportunities and focussed mining operations?
    Ms. Ohlhausen. So we actually have brought two cases 
involving crypto currency to enforcement actions where there 
were deceptive representations to consumers and we also have a 
long history of bringing, at different times, enforcement 
actions against deceptive promises about precious metals.
    Mr. Kinzinger. And is that getting enough public attention, 
do you think, or should it get more and how?
    Ms. Ohlhausen. We are always happy to get more public 
attention and interested in ways to find that out.
    Mr. Kinzinger. Sometimes you have to compete for bandwidth 
in the media.
    The goal of the U.S.--and I will ask each of you this 
question--the goal of the EU-U.S. Privacy Shield is to protect 
personal data and enable the flow of transatlantic data.
    Without this framework, companies on both sides of the 
Atlantic would face grave uncertainty and serious limitations 
on their ability to conduct business overseas.
    So for each of you, yes or no--do you pledge support for 
Privacy Shield and commitment to enforce the framework?
    Mr. Simons. Absolutely.
    Ms. Ohlhausen. Yes.
    Mr. Phillips. Absolutely.
    Mr. Chopra. Yes.
    Ms. Slaughter. Yes.
    Mr. Kinzinger. Good. It's easy.
    And Chairman Simons, the calendar years 2015 and 2017 and 
the first quarter of 2018 all broke records for merger and 
acquisition activity. In the first quarter of 2018, for 
instance, the merger activity increased 67 percent year over 
year.
    Researchers found that economic concentration has increased 
in many or most economic sectors. At the same time, researchers 
have found that entrepreneurs are not starting new businesses 
at a rate sufficient to overcome business closings.
    Do you think that increase in concentration is cause for 
concern or evidence of declining competition in the U.S. 
economy?
    Mr. Simons. Thank you, Congressman.
    So that is one of the main focuses of the hearings that we 
are going to have in the fall. Precisely that concern is one of 
the things that we want to get testimony about and take 
comments on.
    Mr. Kinzinger. You will be in a better position, you think, 
to comment after all that?
    Mr. Simons. Yes. In other words, it's an important focus of 
the hearings because, based on what we see in terms of the 
economic literature and otherwise, there's enough out there to 
be concerned that those things are really problematic.
    Mr. Kinzinger. Do you see any correlation between rising 
concentration and declining rates of new firm formation?
    Mr. Simons. Not specifically. Some of the material that 
you're probably citing relates to broad industry categories.
    So, for example, you might have--and the categories could 
be national. And so if what you have in the marketplace is you 
have chains who are becoming more pervasive in displacing local 
companies.
    The local concentration might not be changing at all. But 
the national concentration is, and for anti-trust purposes in 
those types of markets it would probably be the local 
concentration that you'd want to worry about.
    So there might be some other issues going on. But our job 
or our intent is to kind of figure that out.
    Mr. Kinzinger. Thank you. And the last question for you--
two companies, Google and Apple, together dominate the market 
for mobile operating systems, accounting for 99 percent of the 
market for smartphones in the United States, and you have seen 
the news, I am sure, this morning that the EU is set to fine 
Google $5 billion anti-trust for the way it bundles its apps on 
Android smartphones and tablets.
    The question is what, if any, competitive discipline exists 
in such a highly concentrated market?
    Mr. Simons. So there's the two of them so they compete 
pretty heavily against each other. So that's one level of 
competition.
    But I have to agree with you, it's concentrated. So, it's 
not like commodities in the Midwest or whatever. It's, 
obviously, very fragmented. This is a concentrated industry and 
this is an industry, as I've said before, what we do in the 
anti-trust world is most of the problematic conduct occurs 
where firms are big and have market power and that's where we 
look. And so this is one of the places we would focus on.
    Mr. Kinzinger. OK. Thank you. I yield back.
    Mr. Latta. Thank you very much. The gentleman's time has 
expired.
    And the chair now recognizes the gentleman from Vermont for 
5 minutes.
    Mr. Welch. Thank you, Mr. Chairman.
    I've got 5 minutes, so I want to go through this quickly.
    First, I want to say congratulations to each of you. I've 
read all your resumes. You people are smart, and in addition to 
that, you have got a record of public service and it 
demonstrates you're not only smart but you actually want to use 
your talent for the public good, and I just want to say to you 
that I think serving on the FTC at this time is incredibly 
important.
    I think a lot of working Americans are being squeezed at 
one end because wages aren't going up and, at the other end, 
because what Mr. Kinzinger was talking about, incredible 
pricing power as a result of anti-competitive practices, and 
that is so essential that you stand up for the American 
consumer.
    So you're 3-2. But I hope you're 5-0 in asserting the need 
to have a very strong FTC to help working Americans. So thank 
you.
    I want to talk about a couple of things. One, in April, a 
bipartisan group of my colleagues including on this 
subcommittee Congressman Jeff Duncan and I wrote to you about 
the technological changes taking place in mobile commerce.
    And we think it's important for the FTC and the Department 
of Justice to be vigilant to make sure that incumbent 
businesses with existing payment technologies don't use that 
market position to block innovations and developments by 
potential competitors.
    And I appreciate it very much the commission's response to 
our letter where you indicated that you'd look closely at the 
payment standard setting process and your assurance that the 
commission will take appropriate action against any act or 
practice in the mobile payments marketplace that violates any 
of these statutes that you enforce.
    And I would like to submit for the record if I could, Mr. 
Chairman, our letter--these letters.
    I want to ask you, Chairman Simons, with our mutual goal of 
detecting and remedying any practice that may harm competition 
and consumers, can you share what you have done to date on the 
issues we raised in our letter to protect competition and 
innovation and, quickly, if you can.
    Mr. Simons. Yes. Sure.
    So standard setting, which is what you're describing is a 
really important thing in our economy. It can be useful for 
great numbers of efficiencies. As you can tell, the payment 
system itself is very interoperable.
    There's a bunch of different players in it and they have to 
interoperate. It's all the banks, the credit card companies, 
and all the merchants, of course.
    And so it's really important that that function but it's 
also possible that those types of organizations can be used for 
anti-competitive purposes and we've had cases involving anti-
competitive activity in standard-setting bodies. And so we are 
focused on that.
    Mr. Welch. Thank you. Let me go on to my next question.
    And I was pleased to see just yesterday that the FTC issued 
a statement to Health and Human Services in response to the HHS 
request for public comment on lowering drug prices and out-of-
pocket costs, which laid out the commission's concerns with 
pharma companies abusing the REMS program to prevent generic 
competition.
    The commission comments really captured the issue perfectly 
and I can read it. The REMS program can protect the public from 
pharma abuse but they can also be misused to disrupt 
competition and innovation, and you go on to say the FTC 
supports regulatory and legislative actions aimed at correcting 
the misuse of REMS programs.
    I believe that's exactly right and I want to thank you for 
that. Chairman Simons, as we continue to consider the FAST 
Generics Act and the CREATES Act, how can Congress deter the 
current abuses and delays by brand manufacturers, instead, 
motivate them to provide generics with access to samples in a 
timely way?
    Mr. Simons. So without giving a view on the precise 
specifications in the act and the legislation you're 
describing, we are very supportive of this issue.
    Mr. Welch. OK. Let me interject because I just have a few 
seconds left.
    Mr. Simons. OK. Sorry.
    Mr. Welch. But thank you, and I appreciated the FTC letter.
    Another issue that's come to my attention is that web 
browsers are considering the changes to the user interface that 
consumers see on their screens.
    Specifically, in the coming months consumers who are 
already wrestling with how best to protect themselves will 
potentially be provided with less information about the 
security of the website they are using at any given time.
    We should be working together to provide consumers with 
that information. Is this potential change to consumers' web 
browsing experience something that the commission is aware of? 
That's the security label at the top.
    If so, I would ask the commission to keep consumers and 
this committee updated on the impact of that potential change. 
And I am out of time, so it ends up as a statement, not a 
question.
    But, again, Mr. Chairman, I want to thank you. I think your 
institution, your agency, is so, so vital. I hope you find a 
way better than sometimes we find a way to work together to get 
to an outcome that will be durable and helpful to the American 
people.
    We thank you.
    Mr. Latta. Thank you very much. The gentleman's time has 
expired and the chair now recognizes the gentleman from Texas, 
the chairman of the Health Subcommittee of the full committee 
for 5 minutes.
    Mr. Burgess. Thank you, Mr. Chairman, and I appreciate our 
commissioners being here. This is always a good day when we 
have all of our commissioners in front of the committee.
    Chairman Simons, you began your testimony stating that 
Section 5 is an imperfect tool and, granted it is. But it's the 
tool that we have.
    Still, after years of studying the LabMD case, and I 
realize that most of you were not even born when that case 
started, and I also understand that it's--although there was a 
recent Eleventh Circuit decision, I am certain it's not settled 
yet. But here in the aftermath of that, the business had 
arguably had a good business plan and was competently run.
    But because of a breach that occurred in technology that 
was really poorly understood years ago, now this business is no 
more and the people that were involved have, obviously, 
suffered significant harm.
    And, really, my question is, is this a learning process as 
we look back? And I know you can't talk about the specifics of 
the case because I do understand that it's still in litigation.
    But it's been a hard one as I've watched for the last 10, 
15 years in Congress. I practiced medicine before then so I 
certainly understand that yes, you can have somebody in your 
front office do something on a computer that puts some data at 
risk.
    But in the absence of harm, to do this much violence to the 
business plan and the business model seems a little bit over 
the top. I just wondered. is this an ongoing process that 
you're learning about this imperfect tool?
    Mr. Simons. Sure. One of the things the FTC does is it has 
a good history of engaging in self-critical examination.
    So, first of all, let me say that, of course, we never 
intentionally tried to put legitimate businesses out of 
business.
    We try to get them to comply with the law and not drive 
them from the market. That's bad for competition, which is the 
other side of our mission. So we really don't want to do that.
    And then the other thing I will say is that we do engage in 
self-critical examination, even outside these public hearings. 
We do it internally, and so one of the things that we've got 
going on is a task force on how we do our orders, and so that's 
relevant to the LabMD decision.
    Mr. Burgess. It's reassuring to know that. Again, history 
is history and what has happened has happened and none of us 
can undo that. But I am grateful to hear that.
    Let me ask a question on robocalls because man, they are a 
nuisance, and at our house we have three cell phones and they 
can all ring simultaneously with the same identifying number 
from a town called Mexia, Texas, which is a small little town 
between Waco and Dallas. I don't know if it really did 
originate from there, and they're all selling, well, there was 
a hailstorm in your community and we are in the neighborhood 
and we thought we'd come by and check your roof for you. But 
three simultaneous calls come at the exact same time. It just 
doesn't seem reasonable that that that's one person doing that. 
Is there recourse for the consumer at this point?
    I know we've passed do not call laws. In this committee, 
we've passed anti-spoofing laws. Is there recourse for the 
consumer? Should I have them call your 800 number? What is the 
next step?
    Mr. Simons. So one of the things--I am sorry, was that 
directed to----
    Mr. Burgess. Well, anyone can answer. Ms. Slaughter brought 
it up but, Chairman, you're welcome to answer as well.
    Mr. Simons. Well, I don't want to hog the attention. So if 
anyone else would like to answer please go ahead.
    Ms. Slaughter. Thank you for the question. I think we 
probably are all on the same page about this. So you could hear 
a similar answer from any of us. It is enormously frustrating 
for consumers.
    It is just endlessly frustrating, and I can't tell you, 
sitting here, whether those three calls originated really from 
Texas or not.
    The challenge for us that I outlined a little bit in my 
testimony is that many of the people orchestrating these calls 
and orchestrating these schemes are overseas and hide behind 
spoofing technology.
    Mr. Burgess. So the next step for the consumer that gets 
these calls what should we tell them?
    Ms. Slaughter. Right now, the technological solutions that 
the FTC has helped push into the marketplace can be among the 
most helpful that identify calls as fake or robocalls when they 
come into your phone and block them.
    Chairman Walden talked about one such example. But I think 
looking at larger scale solutions that can be implemented 
across network levels is an important thing.
    Mr. Burgess. And it's a longer discussion. I am going to 
submit some questions for the record. But the issue of 
consolidation in the health care industry and when I was in 
practice back in the late '80s I worried that there was going 
to be a single payer health care system and it was going to be 
called Aetna.
    And now the corner drug store is buying Aetna. So it is a 
cause of some concern for those of us who sit on this 
committee.
    We've had hearings on it. I will have some specific 
questions for you on that and I would appreciate your attention 
to that.
    Thank you.
    Mr. Latta. Thank you very much. The gentleman's time has 
expired, and the chair now recognizes the gentleman from 
Massachusetts for 5 minutes.
    Mr. Kennedy. Thank you, Chairman. I want to thank everybody 
for coming and testifying this morning, and helpful information 
has been provided and I appreciate all of your service.
    I wanted to touch a little bit on some of the focus of a 
number of hearings that we've had on this committee over the 
course of the past year or so with regards to internet and 
internet companies.
    So following the revelations of Facebook's data sharing 
practices with third parties, specifically for third party app 
developers, which led to Facebook users ending or data ending 
up with Cambridge Analytica, there was a lot of discussion 
around the FTC's 2011 consent decree with Facebook.
    That consent decree was entered into following Facebook's 
earlier failure to notify its customers of its data sharing 
policies and the recent Cambridge Analytica issue appears very 
similar.
    Chairman, I am not going to ask you details. I imagine 
you're not going to get into the details of an investigation. 
But I believe you have confirmed that the FTC is investigating 
whether Facebook violated its consent decree. Is that right?
    Mr. Simons. Yes, that's correct.
    Mr. Kennedy. And so, sir, under the consent decree Facebook 
was required to get biennial independent audits certifying that 
it has in fact a privacy program in place that meets or exceeds 
their requirements of the FTC order and to ensure that the 
privacy of consumers' information is protected.
    Given that requirement, it's a bit troubling to see that 
the FTC didn't discover the Cambridge Analytica issue earlier. 
So, again, I know you're not going to discuss the ongoing 
investigation.
    But this is a circumstance in which the FTC is 
investigating the acts of a company that is subject to a 
consent decree.
    Is the investigation limited to whether the consent decree 
was violated or with the FTC also consider whether there were 
new unfair deceptive practices?
    Mr. Simons. Thank you, Congressman.
    Like you said, it is an ongoing investigation. We 
publically announced that. But what we can't do is we can't 
discuss the particulars of the investigation itself.
    And so I am sorry, but I can't comment on that.
    Mr. Kennedy. OK.
    Mr. Chopra. Congressman Kennedy, though, I just want to 
add, FTC orders typically do not preclude the agency from 
investigating conduct outside of those orders. So if you 
reviewed the wide swath of orders that we have entered into 
over the years, we typically do not handcuff ourself to the 
four quarters.
    Mr. Kennedy. So just the four quarters of the scope of 
that. Thank you. I appreciate that, Commissioner.
    So to reiterate a couple of the points that were made 
earlier, if new unfair deceptive practices are in fact found, a 
repeat offender could then be subject to civil penalties for 
those violations. Is that correct?
    Mr. Simons. Yes.
    Mr. Kennedy. So thank you. I also want to understand 
whether the FTC takes into account public statements made by 
those companies. Commissioner, you might have just touched on 
this point.
    But Facebook has made public statements that it's 
investigating all third party apps to determine if there was in 
fact misuse of users' information.
    Contrary to that statement, though, it's also been reported 
that Facebook has not even been able to access data regarding 
Cambridge Analytica to understand what happened in that case 
because the company and the data are located abroad.
    Again, without getting into the details of the current 
investigation, I respect that, Chairman. Do you consider those 
public statements as commitments made to consumers?
    Mr. Simons. So let me just say without tying it to a 
specific case, we look at everything. We look at what they say 
in their public documents. We look at what they say in their 
advertising. We look at what they say on their website--the 
whole range.
    So we would look at everything.
    Mr. Kennedy. OK.
    Mr. Phillips. Congressman, if I--please, I apologize for 
interrupting you.
    Mr. Kennedy. No.
    Mr. Phillips. One of the things that I talked about in my 
oral statement earlier was the importance of Congress 
reauthorizing and eliminating the sunset in the U.S. SAFE WEB 
Act.
    You mentioned access to data abroad without, again, 
speaking to the specific case. That is a very important tool. 
So we really do urge you all to consider that.
    Mr. Kennedy. I appreciate the insight, sir.
    Last bit, and I think one of my colleagues touched on this 
as well. Google has told the public that it would stop scanning 
personal emails. Of course, most consumers probably didn't know 
that that was happening.
    But now we hear that Google does allow third parties to 
scan emails. Do you review those public statements for 
violations of either Section 5 generally or of a consent 
decree?
    Mr. Simons. Yes, we review everything. So, that's one of 
the ways we start investigations. We issue public announcements 
or public statements and we get complaints. So, we consider 
everything.
    Mr. Kennedy. OK. Chairman, thank you, and I thank all the 
commissioners for being here. Appreciate your testimony and I 
yield back.
    Mr. Latta. Thank you very much. The gentleman yields back 
and, as agreed upon, we are going to take a 5-minute recess at 
this time and come back in at 10 til the hour.
    Thank you.
    [Recess.]
    Mr. Latta. I would like to reconvene the subcommittee to 
order, and at this time I would recognize the gentleman from 
New Jersey for 5 minutes.
    Mr. Lance. Thank you very much, and good morning to the 
distinguished panel.
    I champion the Consumer Review Fairness Act in 2016 to 
protect consumers ability to share their honest reviews and 
opinions about products, services, or conduct in various forms 
including social media.
    There has been growth and influence of search and social 
media since the bill became law. Much has changed since the FTC 
closed its Google investigation in 2012, and I ask the panel, 
beginning with the chair, what is your view on how best to 
maintain competitive markets and better safeguard consumer 
reviews?
    Mr. Simons. So let me just say that that piece of 
legislation is terrific.
    Mr. Lance. This is being recorded.
    [Laughter.]
    Mr. Simons. OK. I stick with that statement.
    So one of the key things as I've described a little bit 
earlier or alluded to in terms of competition is that you need 
good information.
    Good information allows consumers to make the best choices 
and the reviews are just terrific in that regard. They really 
help spur competition. So that's terrific and we are very much 
looking to--and have enforced under that statute.
    Mr. Lance. Thank you. Would others on the panel like to 
comment?
    Yes, of course.
    Ms. Ohlhausen. Yes, thank you, Congressman.
    I think that legislation was also very beneficial, and I 
was at the commission when we brought the case against Roca 
Labs----
    Mr. Lance. Yes.
    Ms. Ohlhausen [continuing]. Saying that that was a 
violation. But I also want to mention in addition to making 
sure that consumers are free to express their opinions, we want 
to be sure that when opinions are expressed what they're paid 
for by a sponsor that that's clear to consumers, too.
    So the FTC has engaged in a lot of enforcement and consumer 
ed and business warning letters to make sure that reviews, if 
they're sponsored, are labeled as such.
    Mr. Lance. And is that a more recent addition to this whole 
issue, the fact that you have required there be a disclaimer or 
whatever the appropriate word would be for the fact that some 
are being paid?
    Ms. Ohlhausen. So it's not recent but we've given 
additional guidance for the new, on Twitter or online to make 
sure that the old rules that have always applied that people 
understand how they apply in the new economy as well.
    Mr. Lance. Thank you very much, Commissioner.
    Other comments? Yes, Commissioner.
    Mr. Phillips. Just briefly. I just want to associate myself 
with the comments of my colleagues and thank you for your work 
on that really important legislation.
    Mr. Lance. Thank you. It's based upon the fact that there 
was a review of I think an orchestra at a wedding and there was 
some discussion that those who might purchase that service had 
to sign a form saying that there could be no disparaging review 
online which, of course, I think appals the American consuming 
public.
    Mr. Chopra. I agree, and I also want to share that one 
useful provision of that bill as well as some other bills that 
have been passed on a bipartisan basis is also allowing our 
state attorneys general to enforce it as well.
    We don't have the resources to do everything. But sometimes 
we won't be able to catch every orchestra violation. But the 
more we can rely on our state partners, the better.
    Mr. Lance. Thank you.
    Without commenting on any particular company or 
investigation, if a company is operating under a consent order 
and found in violation of the agency's data security or privacy 
rules, does that affect the assessment of fines and penalties?
    Whoever would like to begin.
    Mr. Chopra. So, typically, violations of orders allow the 
FTC to seek from a court injunctions equitable relief, which 
can include consumer refunds as well as substantial civil 
penalties over 40,000 per violation.
    So we have the discretion in many ways of when to seek it 
and how much to seek. But enforcement of our orders has to be a 
top priority.
    Mr. Lance. Thank you. I ask these questions as the FTC 
continues its investigation into Facebook. During my 
questioning at this committee's hearing with Facebook CEO Mark 
Zuckerberg on April 11th, I indicated that Facebook's actions 
leading up to the Cambridge Analytica hack may have violated 
the consent agreement Facebook struck with the FTC in 2011.
    News reports since that hearing have highlighted other 
questionable practices at Facebook. This has strengthened my 
belief that the company has routinely violated its promise to 
obtain express consent from consumers before sharing 
information with third parties.
    I realize you cannot comment on that as members of the 
commission. But that is my considered view, having reviewed the 
matter.
    Thank you, Mr. Chairman. I yield back.
    Mr. Latta. Thank you. The gentleman yields back.
    The chair now recognizes the gentlelady from California for 
5 minutes.
    Ms. Matsui. Thank you very much, Mr. Chairman.
    Last week in the Telecom subcommittee, we discussed the 
difference frameworks governing consumer privacy. Current 
privacy rules for the telecommunications providers, for 
instance, require opt in consent from consumers before their 
provider could share so-called CPNI with unrelated third 
parties for independent use.
    More broadly, however, it is often the case that an 
unrelated third party to an online platform can and does 
receive data on a consumer that visits that platform.
    Third party analytics tools on a given website which send 
information on a user's visit to a third party and allows that 
third party to assess user data.
    So I believe that a necessary part of the data privacy 
discussion--maybe the most important part--could be addressing 
access to data by a third party with whom a consumer has no 
direct relationship or knowledge.
    Mr. Chopra, what role does addressing independent third 
party data use have in the FTC's consumer protection mission?
    Mr. Chopra. Well, under our current authority, if that is 
disclosed, we may be frustrated in being able to combat that. 
But with respect to any privacy legislation that offers 
consumers affirmative rights to know where data is being 
shared, to know what it's being used for, and for consumers to 
be able to access that, if we were able to implement that and 
some of these principles come from our work from nearly 20 
years ago in 1999, I think that would be very effective for the 
marketplace.
    Ms. Matsui. So you're basically saying you need 
legislation.
    Mr. Chopra. We are doing what we can----
    Ms. Matsui. Right.
    Mr. Chopra [continuing]. With what we have. But we can't 
solve all of these problems with the existing law we have. This 
is why I really think we need more tools and resources to----
    Ms. Matsui. So we have to be very specific, though, in our 
legislation to direct you then. Is that correct?
    Mr. Chopra. Well, many people know how to craft legislation 
better than me.
    But the extent to which you can provide the framework in 
which we can implement through rulemaking, that will allow us 
to be flexible as how the market changes.
    No one would have known the extent to which website 
trackers would be used 10 years ago.
    Ms. Matsui. Right. OK.
    Any other comments?
    OK. As you all know, regular HTTP connections sent in plain 
text can be intercepted and exploited by anybody or anything 
between a user and the website including somebody using public 
wifi.
    So I am pleased that HTTPS deployment continues to grow. 
HTTPS protocol can ensure an online connection between a 
consumer and a website that's encrypted. And I am interested 
that the commission is looking at whether the same standard UI 
security indicators could be helpful in providing consistent 
meaningful consumer information no matter which browser you're 
using and whether you are using a desktop or mobile device.
    Common security indicators that are deployed consistently 
could be a step towards increasing consumer understanding as to 
when their connection to a website is not only secure but also 
safe.
    Does anybody have any thoughts on how security indicators 
deployed by web browsers could promote consumer protection?
    Mr. Chopra. Well, I think the advancements in how we are 
securing website traffic are a positive step in the 
marketplace.
    We know from other sectors of the economy, particularly in 
financial services, that encryption and higher standards for 
website security continue to be far ahead of the rest of the 
digital economy.
    I don't necessarily know what we can do from a law 
enforcement perspective. But, obviously, companies that are 
maintaining sensitive data, financial health or whatever it may 
be, need to take steps to secure that data.
    Ms. Matsui. The rest of the panel any comments?
    Ms. Ohlhausen. I think it's important that we look at how 
consumers get information about the security of the entire 
chain.
    So the FTC has brought enforcement actions against browsers 
that weren't secure against--that was the ASUS case--computers 
that had inadvertently or they didn't understand that it was 
really providing a man in the middle attack for adware in the 
Lenovo case. So I think we've paid attention to all links in 
the chain for consumers.
    Ms. Matsui. And I think the consumer needs to know and 
that's the part of it that we like to look at and I hope you're 
looking at too, because they don't know, in essence, and that's 
what's causing a lot of problems today, because they are 
unaware of what's protected, what's secure, what's not.
    So anyway, it looks like I've run out of time. I yield back 
my time. Thank you.
    Mr. Latta. Thank you very much. The gentlelady yields back.
    The chair now recognizes the gentleman from Kentucky for 5 
minutes.
    Mr. Guthrie. Thank you, Mr. Chairman. Thank you for holding 
this meeting and thank you all for being here.
    This first one is for Commissioner Ohlhausen. Last 
Congress, I introduced--it was H.R. 5315, which is the CLEAR 
Act, which we had part of a series of bills that we put forward 
on commission process reform.
    And I think it was almost a year ago that the commission 
announced a set of reforms for consumer protection 
investigations, and it was reportedly looking into reforms for 
competitive investigations as well.
    Has there been progress made?
    Ms. Ohlhausen. So yes, there has been progress that's been 
made. So we had our civil investigative demands reforms that I 
talked about at the beginning of my testimony that tried to 
give recipients clearer information and better guidance.
    We also reduced the time for civil investigative demand. I 
gave a little more time to respond. We've gone through, under 
my leadership and we closed a number of investigations, but one 
of the other things that we did is we went through and looked 
at all our data security investigations, and privacy, the ones 
that we closed, and we distilled form that lessons about what 
steps companies had taken where we found it gave reasonable 
security and we issued that in an updated guidance called Stick 
with Security. It gave us 10 additional lessons to supplement 
or start with security for sure.
    Mr. Guthrie. OK. Well, thank you.
    And Mr. Chairman, do you have any comments on the issues 
the committee should be considering in just terms of process 
reform as well?
    Mr. Simons [continuing]. Process, also on the competition 
side. So one of the things that's been reported publicly is 
that the merger investigation seems to have gotten longer, at 
least according to some measures.
    So one of the things we are looking at is actually 
developing a tracking mechanism to see how long they are in 
fact taking and why they are taking as long as they are and 
then allow us to determine what we can do to make them more 
efficient and less burdensome.
    Mr. Guthrie. Thank you very much. And I am going to shift 
gears to the chairman as well. Particularly with older folks 
we've advertised and talked--our office to try to put out when 
somebody calls you never give any information over the phone. 
Hey, we are your bank--we need to fix your account or 
whatever--we do that.
    But the concern that I have is these fake websites. When 
you go online and you're seeking the information and you're 
trying to engage with a hotel chain or to get a reservation or 
whatever and you got to give information to confirm a rental 
car--any of that--any consumer, actually, retail business.
    So just interested in how we know the identity of a 
website. One, I know the committee is looking at how websites 
or identities confirmed, and the question is what tools can 
consumers use to confirm they're on a real website where they 
intended to go instead of a phishing site.
    I think it's the green padlock that should be next to the 
site. Is that secure? Is that something we should look for? If 
anybody that's in that area to talk about that? Is there any--
talking about secure websites under that?
    OK. I guess that's not, unfortunately ----
    Mr. Phillips. Congressman, you had asked about other 
process reforms. I think I would be remiss not to bring up the 
Sunshine Act. While that law has a really great name, the way 
it operates today it inhibits our ability as a commission to 
talk to each other.
    And so I just forward that for your consideration.
    Mr. Guthrie. How is that detrimental?
    Mr. Phillips. Well----
    Mr. Guthrie. I am not challenging. I am asking to ----
    Mr. Phillips. Sure. So----
    Mr. Guthrie. An example you would like to talk with each 
other and----
    Mr. Phillips. If three of us want to talk together about an 
important issue or four of us want to talk together, unless we 
publicly notice it in advance we can't meet and while there are 
some really important meetings that take place that are 
noticed, the daily back and forth can also be important.
    Mr. Simons. The ability to informally meet without having 
to in advance schedule a full commission meeting would be 
enormously helpful.
    Mr. Guthrie. OK. So----
    Mr. Simons. It allows us to work through issues much more 
quickly and without delay as opposed to actually scheduling a 
formal meeting.
    Mr. Guthrie. So the idea if you were going to take any 
action that it would be noticed but you can't even----
    Mr. Simons. We'd have to vote. We'd have to vote.
    Mr. Guthrie. OK. Any action would report, I see that.
    Mr. Phillips. Typically, we are talking about informal 
conversation--take any legal action. Yes, of course.
    Mr. Guthrie. Yes. I've seen city commissions in a room or 
something. They say, oh, we got one commissioner needs to step 
out and talk about something.
    Mr. Phillips. It happens.
    Mr. Guthrie. So there only can be two instead of three when 
I am talking to them about different business I've seen that 
before, and they literally do that.
    They don't take advantage. They send somebody out of the 
room and say they don't have the quorum or moving forward. But 
it does seem like him and I just talk about what issues are 
important to the city. It's not an action that's being taking 
and moving forward. I see your point to that.
    I yield back.
    Mr. Latta. Thank you very much.
    The gentleman yields back the balance of his time.
    And the chair now recognizes the gentlelady from New York 
for 5 minutes.
    Ms. Clarke. Thank you, Chairman Latta and Ranking Member 
Schakowsky, for convening this morning's hearing.
    A pleasant good morning to all of our commissioners and a 
special welcome to our newest FTC commissioners. Your role is 
more important now than it has ever been before.
    The American people count on you to protect their data, 
privacy, promote competition, and much more. There are so many 
pressing issues and changes happening under the FTC's authority 
daily.
    I can say that I'm very anxious to hear your answers 
regarding these issues and the significant changes. I would 
like to start with the issue of privacy, and direct this 
question to Commissioner Chopra.
    When it comes to privacy, there are many changes that need 
to be made to protect American consumers. Over the past years, 
discrimination online has been rapid, resulting in the 
marginalization of struggling families and communities.
    So can you please talk about the impact that the lack of 
meaningful privacy protections has on consumers, particularly 
those in under served and low income communities?
    Mr. Chopra. Yes. So 50 years ago, Congress had a debate 
about secret databases that were making decisions about where 
we could live, about where we could work, and about what loans 
we could take.
    We passed the Fair Credit Reporting Act in 1970 to advance 
new levels of transparency, to give consumers redress when 
there are mistakes.
    In today's digital economy, decisions are increasingly 
being made through data sets that we could have never imagines. 
It's no longer a manila folder world. It's a digital world.
    And in many cases, it's very hard for us to look at what 
was the data that was being used. With machine learning and 
algorithms that are constantly changing, it's hard to audit and 
hard to see when maybe those mechanisms are reinforcing biases 
rather than leading to more inclusion.
    The FTC has done work on big data and inclusion issues and 
I am concerned that our existing laws to prevent discrimination 
can't really be easily used when it comes to how technology is 
affecting the choices of firms in our economy, particularly 
with employment, housing, and credit.
    Ms. Clarke. So what can the FTC do to make sure that these 
consumers are protected and do you feel that the FTC has the 
resources, expertise, and authority necessary to protect these 
consumers?
    Mr. Chopra. Well, we have the Fair Credit Reporting Act. We 
have the Equal Credit Opportunity Act. We have not brought a 
case in a long time in the Equal Credit Opportunity Act. I 
would like us to energetically enforce those two laws.
    But, truthfully, on the second part of your question, my 
answer would be no, I don't think we have the resources and 
authority to confront some of the issues you're raising, 
particularly with respect to privacy and data security.
    Ms. Clarke. OK. Well, I think that, Mr. Chairman, this is 
something we need to take a look at because it's only something 
that will become more insidious over time.
    Net neutrality and the FTC's authority is an issue that I 
believe is on everyone's mind. So let me just extend this to 
the panel.
    Would you state or believe that the recent Supreme Court 
decision in Ohio v. American Express has affected the FTC's 
ability to police anti-competitive behavior and net neutrality 
violations by broadband providers?
    Mr. Simons. I will answer first. I don't think so.
    I think the Am Ex case is extremely narrow. I think, 
really, the basic crux of it is limited to situations where 
there's a multi-sided platform that effectively involves a 
transaction where the platform is providing a service to both 
sides at the same time in the same way, basically.
    So I think, generally, that's going to apply to very few 
situations.
    Ms. Clarke [continuing]. That it serves a two-sided 
market--edge providers or interconnecting parties on one side 
and consumers on the other.
    Does the American Express decision potentially preclude 
effective FTC enforcement against anti-competitive conduct 
against edge providers?
    Mr. Simons. It might depend on the very specific facts. 
But, in general, I would think not.
    Ms. Clarke. Very well.
    Former FTC Commissioner Terrell McSweeny has suggested 
creating a bureau of technology at the FTC. Does the commission 
have sufficient resources and staffing to protect consumer 
privacy in the digital age and were resources an issue in 
failing to enforce the 2011 consent order?
    Mr. Simons. We can't talk about an existing investigation. 
So we have numerous ways of getting the technology help that we 
need. So we have an office of technology research and 
investigation which has, I think, about eight technologists in 
it. We frequently contract with outside parties to get 
technology resources and we hold workshops and seminars where 
we bring people in to educate us about new developments in the 
technological area.
    Ms. Clarke. Very well. Mr. Chair----
    Ms. Slaughter. Can I jump in, Congresswoman?
    I would lend my personal support to the idea of a bureau of 
technology. I think it is the kind of thing we could really 
benefit from and I am concerned that with our current resource 
constraints to set something like that up we would have to be 
taking resources away from other important work that we are 
doing.
    So it is an area where I think we could really benefit from 
some injection of more resources.
    Mr. Simons. We are looking into that. So we actually are 
affirmatively evaluating whether to create a bureau of 
technology and that's just in process So I am not sure how 
that's going to come out.
    There's a group of technologists that are embedded in the 
Bureau of Consumer Protection and so they're already there. And 
so the question is whether we need to have a commission wide 
bureau as opposed to one that's just in one of the bureaus.
    Ms. Clarke. And whether, in fact, the workload is----
    Mr. Simons. And yes.
    Ms. Clarke [continuing]. Would be a burden to those who are 
already in that space.
    Mr. Chairman, I yield back.
    Mr. Latta. Thank you very much.
    The gentlelady's time has expired.
    The chair now recognizes the gentleman from Indiana for 5 
minutes.
    Mr. Bucshon. Thank you very much, Mr. Chairman.
    As a physician, I am concerned to hear reports that the DOJ 
may not challenge the CVS-Aetna merger. In the health care 
industry that already lacks price transparency and, in many 
areas, competition, this vertical merger could increase anti-
competitive practices.
    I am not passing any judgements on the merger at all, up or 
down. I am just voicing a few concerns and then I have a few 
questions.
    The merger could potentially lead to Aetna customers 
receiving some pressure to fill prescriptions at CVS and to 
visit CVS walk-in clinics instead of other pharmacies or 
clinics, eliminating real choice for the consumer.
    In addition, Caremark, owned by CVS, is one of the largest 
PBMs--pharmacy benefit managers--in the country, and as you 
likely know, ensures our PBMs to negotiate prices from drug 
manufacturers.
    The top three PBMs manage the drug benefits for 
approximately 95 percent of the American people. The merger 
might incentivize Caremark to secure better deals from Aetna 
while potentially increasing costs for other companies.
    While I understand that the DOJ is currently investigating 
the merger, I want to get your perspective not particularly on 
this merger. I am getting to my point here. I want to get your 
perspective since the FTC also has jurisdiction enforcing 
Federal anti-trust laws.
    So to the panel, what are your thoughts on this type of 
vertical merger in the health care industry, again, not 
specific to this but in general, in the health care industry 
and other industries.
    Particularly in health care, I am very concerned about this 
because, as you know, as a country, we are struggling to get 
health care costs down and provide coverage for all of our 
citizens.
    So I guess I will just address this to the panel. What are 
your thoughts about this type of merger in the health care 
space?
    Mr. Simons. So let me say first, that the health care 
industry has been and will continue to be an enormous emphasis 
for the FTC for all the reasons that you just described.
    So we are very focused on this part of the economy and we 
are very much looking out for the consumer here.
    So, and in terms of the vertical mergers, they turn out to 
be very, very fact specific. So sometimes they can be 
efficiency enhancing and beneficial for the consumer, even 
maybe when the companies involved are relatively large.
    But sometimes they can be very harmful to the consumer. And 
so, the job of the anti-trust authority is to determine which 
is which and act accordingly.
    Ms. Ohlhausen. I agree that healthcare is enormously 
important to consumers and it's an enormously important part of 
our economy and thus an enormously important and focus at the 
FTC and health care enforcement in general.
    Regarding vertical mergers, I agree with Chairman Simons 
they are intensely fact specific. But I would mention that's 
outside the healthcare space. But we recently just had a 
vertical merger where we had a behavioral remedy in the 
Northrop-Orbital ATK matter.
    So there can be problems in vertical mergers and where 
there are problems the mergers should be stopped or maybe a 
remedy should be proposed that takes care of that problem and 
allows the efficiencies to occur.
    Mr. Phillips. Thank you for the question, Congressman. I 
agree with my colleagues that healthcare has been for a very 
long time and will remain a focus for this agency--I am very 
proud of the work that our staff have done in fighting all 
sorts of anti-competitive conduct in the health care space in 
ensuring that mergers work for consumers.
    Experience and economic learning teach us that verticals 
can be very good for consumers. But the specifics depend on the 
facts, and that makes it really important that we, as law 
enforcers, pay attention to trends, in that sector of our 
economy. Look at how companies are changing their behavior, 
look at how they're combining and stay on top of them when we 
fear that there may be anti-competitive effects.
    Mr. Chopra. I think the structure of the pharmacy benefit 
manager business raises very serious transparency and conflict 
of interest issues.
    Ms. Slaughter. My colleagues have said basically everything 
I was going to say. I was going to add a point that I think in 
health care in particular consumers are frequently frustrated 
and competition is frustrated by a lack of transparency, as 
Commissioner Chopra mentioned, and it's particularly true with 
respect to pharmaceutical benefits.
    Mr. Bucshon. Quickly, Commissioner Phillips, this committee 
is very focused on ways in which companies and devices collect 
information about consumers.
    As I've raised in several hearings, I have specific 
concerns with cell phones and other smart devices listening and 
collecting information and then that information being used to 
deliver targeted ads, and this happens to all of us all the 
time.
    Is this something you're concerned with--and I know you 
are--that--and will it be an issue that the FTC makes a 
priority?
    Mr. Phillips. I think it's one of those economic trends 
that I mentioned a moment ago outside the healthcare space that 
very much is at the front of what we are looking.
    Mr. Bucshon. OK. Thank you very much. I yield back.
    Mr. Latta. Thank you. The gentleman's time has expired. The 
chair now recognizes the gentleman from Texas for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman. I thank you for holding 
this hearing, also for our ranking member.
    I would like to talk a bit about our robocall problem and 
consumer fraud. As you know, robocalls and failure of the do 
not call registry are some of the top complaints received by 
the FTC and by members of Congress and our constituents, 
particularly older Americans.
    Older Americans lose more money to fraud than younger age 
groups. According to the FTC's Consumer Sentinel Network Data 
Book, Americans ages 50 and older are reporting a median loss 
of $1,092 over two and a half times the median loss for 
Americans in their 30s for only $380.
    Chairman Simons, out of all the complaints received by the 
FTC on these calls and can you provide a rough estimate on how 
many come from U.S. companies or individuals and how many come 
from overseas?
    Mr. Simons. Thank you for the question.
    We are very interested in that. But, unfortunately, the 
data that we have access to doesn't allow us to determine that. 
If I had to guess, I would say it's probably, largely, coming 
from overseas.
    Mr. Green. Well, I've heard that the hearing to date--she 
said that she got a robocall and somebody was speaking to 
Chinese to her. I don't know how that would do any good to try 
to call us in Texas. But----
    Mr. Simons. That's one of the problems really is that the 
do not call rule has been superseded by technology--right, 
technological developments.
    You can have the telecommunications costs have come down so 
dramatically and the computing costs have come down so 
dramatically that blasting out millions and millions of calls 
is so cheap.
    Mr. Green. Do you know how many defrauded older Americans 
receive consumer redress from the FTC?
    If you don't know, if you'd just get it to us, because a 
lot of us do senior townhall meetings and they want to know 
about Social Security and Medicare and then they say we are 
tired of robocalls.
    Mr. Simons. We are all tired of robocalls and actually one 
of the things we think would be really helpful in that regard 
is to give us jurisdiction over common carriers because some of 
them are, we think, are facilitating robocalls and we could 
challenge that.
    Mr. Green. I've understood that and I don't have any 
opposition to it. But I know when we get the FTC and the FCC 
it's--somehow in our committee had jurisdiction over both of 
them. So you're talking to the right committee.
    What more could the FTC do under current law to protect 
older Americans from fraud?
    Mr. Simons. We do a lot. So we have enforcement actions. We 
have community outreach. On our website we have consumer 
materials for the elderly and we do sweeps.
    We recently conducted a sweep that dealt with the elderly. 
Or actually, there's a task force now that the DOJ is 
spearheading that we are involved with. That is one of the 
communities that's geared to help is elderly.
    Mr. Green. Could the FTC partner with the FCC on a joint 
effort, particularly for seniors and older Americans?
    Mr. Simons. We would certainly be happy to talk to Chairman 
Pai about that.
    Mr. Green. I will bring that up at our telecom 
subcommittee.
    Elder abuse is an issue and that's a big one I know we all 
hear about. Mr. Chairman, I will yield back the balance of my 
time.
    Mr. Latta. Thank you very much. The gentleman yields back.
    The chair now recognizes the gentleman from Pennsylvania 
for 5 minutes.
    Mr. Costello. Thank you. In May, the FTC and the FDA sent 
13 warning letter to retailers, manufacturers, and distributers 
of vaping nicotine products to stop marketing these products to 
children. As we have recently seen, vaping--some people call it 
JUULing--has increasingly become pervasive in our schools.
    As FDA Commissioner Gottlieb announced in April, it is well 
established that nicotine can ``rewire an adolescent's brain, 
leading to years of addiction.''
    Two questions, Mr. Chairman, and if anyone else would like 
to weigh in--does the FTC agree with Chairman Gottlieb's 
statement that there is no acceptable number of children using 
tobacco products--I guess that's an easy answer----
    Ms. Slaughter. Yes.
    Mr. Costello [continuing]. Followed by this question. Would 
it be a powerful deterrent to give the FTC the authority to 
find a party marketing these vaping products to children for 
their first violation?
    Mr. Simons. I would think any financial penalty would be 
more of a deterrent than no financial penalty.
    Mr. Costello. This comes on the heels, I think, of 
Commissioner Chopra's comment about the difference between 
having the ability to find versus working on a----
    Mr. Simons. Correct.
    Mr. Chopra. If there was a rule in place or if we had that 
authority, we would certainly be able not only to just tell 
someone stop; we would be able to seek penalties and other 
remedies to----
    Mr. Costello. What would that rule look like and how could 
Congress carefully tailor that so that you don't have all the 
freedom that we fear you could have?
    Mr. Chopra. Yes. Well, I think actually some of the 
comments Commissioner Gottlieb has made on this I think that 
would really inform how you might prescribe it because there is 
some changing science.
    There are some changing delivery mechanisms of nicotine. 
Maybe someone is but I am not an expert in the tobacco market.
    But I think you would be able to put the guardrails around 
it to make it as narrow or as wide as you want. I just want to 
make sure that whatever you do give us we vigorously enforce.
    Mr. Costello. Yes. The broader application of that example 
is, from a marketing perspective, how do you fashion how you 
would go about determining what is and isn't a violation and 
just how broadly would that power be vested upon you to go into 
the marketing space and say we are going to fine you here 
versus we are going to enter into a consent decree there.
    And is it so broad as to say any marketing or is it going 
to be sort of certain types of marketing or certain products?
    Mr. Chopra. Right. So actually we do----
    Mr. Costello. Because I gave you the easy example.
    Mr. Chopra. We do enforce a children's online privacy 
protection act and there's implementing regulations, and as 
part of that we help to communicate to the marketplace what is 
considered dealing with online transactions with children. We 
specify that.
    So one of the advantages of putting some meat on the bones 
through implementing rules is that it gives all market 
participants a clear sense as to what is inside and outside the 
bounds rather than just waiting for enforcement action.
    Mr. Costello. Right. I have another question for you. I 
will ask that and if you want to follow up on this one.
    The Smart IoT Act was approved by the full committee. We 
were focused on both the benefits and challenges of what a 
connected world brings.
    Can you talk about the actions and initiatives the FTC has 
or will take to promote consumer protection with respect to IoT 
devices?
    Mr. Simons. Yes. So we are active in that space, as 
Commissioner Ohlhausen mentioned. We've had a couple of orders 
there already and we continue to look at that.
    We've also had an IoT workshop and so to educate ourselves 
and to look at what we should be doing, going forward.
    So we are very active in this area.
    Mr. Costello. Ms. Ohlhausen, you also mentioned that in 
your opening testimony. Anything to add to that in terms of 
what you're doing in the IoT space?
    Ms. Ohlhausen. I think it's a particularly interesting area 
and, certainly, our enforcement actions against the first 
connected toy case in VTech, other ones that we brought about--
internet connected cameras and the routers as well as the 
policy inquiries, because Internet of Things can have enormous 
benefits for consumers and for competition.
    So we want to draw the lines in the right place to make 
sure consumers are protected but that innovation can still 
continue in the market.
    Mr. Costello. Do you have the type of authority vested in 
you to be able to do that or have you found that lacking in 
your diligence?
    Ms. Ohlhausen. I think for the Internet of Things, the 
cases we've been able to bring I think do show that we do have 
sufficient authority there to--teeth and got the attention of 
the industry about making sure that they don't have flaws and 
that they are looking at things.
    But it is a challenging area because they are often 
disposable products they don't necessarily get updated a lot. 
So there may be----
    Mr. Costello. Layered with other products?
    Ms. Ohlhausen [continuing]. Industry involvement as well.
    Mr. Costello. I appreciate your feedback.
    I yield back.
    Mr. Latta. Thank you.
    The chair now recognizes the gentleman from Florida for 5 
minutes.
    Mr. Bilirakis. Thank you, Mr. Chairman, I appreciate it.
    To the panel, well, this is actually for Chairman Simons.
    The FTC points out it serves its dual mission through 
vigorous enforcement, education, advocacy, and policy work, and 
by anticipating and responding to changes in the marketplace.
    Outside of law enforcement, are there past or recent 
examples of policy work, reports, and workshops related to 
online privacy that you can share with us today, please?
    Mr. Simons. I am drawing a blank right now. But maybe one 
of my colleagues could help me.
    Ms. Ohlhausen. So just in the past year and a half, we 
actually have done six workshops in major policy efforts 
looking at privacy and data security things from industry 
guidance.
    We did a student privacy and NED tech workshop. We did an 
informational injury workshop to explore the boundaries and 
types of industries consumers may suffer. We did an identity 
theft workshop, a connected cars workshop, going to the 
Internet of Things.
    So I think we have done quite a bit in this space. Just in 
recent time, and that's just building on all the other years of 
work we've done in this area.
    Mr. Bucshon. OK. Thank you. And Commissioner Phillips--does 
somebody else want to add something?
    Mr. Phillips. I was going to.
    Mr. Bucshon. OK. Go ahead, please.
    Mr. Phillips. I was just going to say the chairman also has 
announced a very ambitious set of hearings to begin this fall 
on a variety of issues including those.
    Mr. Bucshon. OK. Very good. Thank you.
    Mr. Chopra. And we also--I would encourage you--our 2012 
privacy report as well as a later report on data brokers--those 
two, I think, provide a real consensus roadmap on a lot of the 
initiatives that could be pursued on a bipartisan basis, in my 
view.
    Mr. Bucshon. Right. Do you have anything to add? We are OK?
    I will go on the next one.
    Commissioner Phillips, do you believe American consumers 
fully comprehend exactly how much personal health and financial 
data has been collected on them? What can the FTC do to better 
educate consumers on data collection activity that industry is 
engaged on? It's up to the individual. But they need to get all 
the facts. So if you could answer that I would appreciate it.
    Mr. Phillips. Thank you for that question. I think that's a 
really important one. I can't sit here and tell you that every 
individual fully comprehends the way which data are being 
collected, how those data are being used or how those data, as 
Commissioner Chopra said earlier, are being shared.
    You're right to note that consumers have access to that 
information and consumers also have certain expectations. For 
instance, my ability to use an app, let's say, that guides me 
through traffic and tells me where the traffic jams are going 
to be.
    I know that it must have information about that traffic 
from drivers like me who are supplying it. That balance is a 
very important one.
    Fostering the innovation as we want to do and also helping 
to keep consumer understanding in line, I think that's going to 
be one of the biggest challenges that we face over all of our 
tenures.
    I know it's going to be a topic that we are going to be 
talking about in years to come and we look forward to working 
with you on that.
    Mr. Bilirakis. Thank you. If someone else wants to add, but 
would you recommend that the consumer assume that particular 
data would be collected when they make an informed decision as 
to whether they want to log in or log out, and a lot of times 
they don't have the opportunity to opt out.
    Mr. Phillips. Let me start with the second one. I hope in 
my own life and I hope that everyone in their own lives always 
make informed decisions.
    That's not always how we do things. I will admit to you 
that I have repeatedly in the last few weeks clicked on any 
number of accept accept accepts online. And now I've forgotten 
the first part of the question. I apologize.
    Ms. Slaughter. I will jump in.
    Mr. Bilirakis. Well, just--yes. Should I repeat the 
question?
    Mr. Phillips. If you don't mind.
    Mr. Bilirakis. For our consumer, would you recommend the 
consumer assume----
    Mr. Phillips. Let's assume.
    Mr. Bilirakis. Yes, assume that this data is collected on 
them.
    Mr. Phillips. The short answer is yes. As we engage with 
the digital economy, we derive tremendous benefits from that 
almost every minute of every day of our lives and in many 
respects we are sharing information and so that is a pretty 
reasonable assumption.
    Mr. Chopra. That's pretty sad, though.
    Mr. Bilirakis. Would you like to add something?
    Mr. Chopra. It's pretty sad that we have to assume 
helplessness. So I understand we may want to warn consumers 
that anything can be up for grabs. But that can really lower 
consumers' confidence in engaging online or engaging in spaces 
where they just think everything is going to be taken from 
them.
    So we have to make sure that we are also not scaring people 
from engaging in productive transactions for their lives 
because they fear that someone is always spying on them and 
this is why we have to put into place the right framework to 
protect privacy.
    Ms. Slaughter. And from an enforcement perspective it's our 
obligation to ensure that when companies represent to consumers 
that they are collecting data in a certain way or not 
collecting data in a certain way that they're living up to 
those representations that they make and that is an area under 
the current law where we can and do enforce.
    Mr. Bilirakis. Yes, go ahead, please.
    Ms. Ohlhausen. So going back to the FTC's 2012 privacy 
report it talks about the importance of it being context 
specific.
    So if I am sharing my location with the traffic app, I 
certainly understand that it knows where I am to route me 
around the traffic jams. But we have to understand that the 
consumer may not expect that that data will be used in other 
ways.
    For example, we brought an enforcement action in a case 
called Goldenshores, which was about a flashlight app and it 
worked fine as a flashlight. But the consumers didn't know that 
it was also collecting their real-time location data and 
sharing that with marketers.
    So I think that is an important thing is the context. Is 
the information being used the way the consumer expects to get 
the service or is it being shared--their sensitive data being 
shared in some way that they don't anticipate and I think 
that's where enforcement and guidance and policy concerns need 
to focus.
    Mr. Bilirakis. All right. I have a couple more questions 
but I will submit them for the record. I appreciate it , Mr. 
Chairman. I yield back.
    Mr. Latta. Thank you very much. The gentleman's time has 
expired.
    The chair now recognizes the gentleman from New Mexico for 
5 minutes.
    Mr. Lujan. Thank you, Chairman Latta, Ranking Member 
Pallone, and Schakowsky, Chairman Walden, for holding this 
important hearing with our Federal Trade Commission Oversight.
    When it comes to protecting consumers, I am afraid that 
both Congress and the FTC have much more to do.
    Commissioner Simons, I am going to direct my questions to 
you, which I believe you should be able to address without 
getting into the FTC's active investigations.
    In September of 2017, the credit bureau Equifax announced a 
massive consumer data breach due to vulnerability that the 
company knew about but failed to adequately address.
    Personal information including Social Security numbers, 
birth dates, addresses, and, in some cases, driver license 
numbers or partial driver's licence numbers of almost 150 
million consumers were exposed to illicit actors.
    Commissioner Simons, is that correct?
    Mr. Simons. I am sorry. Is that what?
    Mr. Lujan. Is that correct?
    Mr. Simons. That's my understanding. That's consistent with 
what I----
    Mr. Lujan. And, again, it's that Equifax announced the 
massive consumer----
    Mr. Simons. Yes. This is public information.
    Mr. Lujan. Is it correct, due to this breach of the credit 
card numbers of more than 200,000 consumers were compromised as 
well as other personal information included in the dispute 
documents of more than 180 consumers?
    Mr. Simons. So I am not sure if that was public. So I 
really don't----
    Mr. Lujan. I believe that that was public as well. So we 
can verify that. We'll get that entered into the record.
    Mr. Simons. OK.
    Mr. Lujan. Is it correct that Facebook recently revealed 
that 87 million Facebook users had their data exposed to 
Cambridge Analytica?
    Mr. Simons. I believe there were press reports to that 
effect.
    Mr. Lujan. Is it correct that in November of last year we 
learned that hackers stole information of 57 million Uber 
drivers and riders?
    Mr. Simons. I think that's reported as well.
    Mr. Lujan. So Mr. Chairman, I would like to support a 
business insider article into the record. The article states 
that since January 2017 at least 15 retailers were hacked and 
likely had information stolen from them. Techy include Macy's, 
Adidas, Sears, Kmart, Delta, Best Buy, Saks Fifth Avenue, Lord 
& Taylor, Under Armour, Panera Bread, Forever 21, Sonic, Whole 
Foods, Game Stop, and Arby's.
    Commissioner Simons, have you ever shopped at one of these 
establishments?
    Mr. Simons. Yes.
    Mr. Lujan. Me too. I think most Americans have. 
Commissioner Simons, is there any reason to expect that there 
will be fewer data breaches in the future?
    Mr. Simons. That's our goal and that's what we are working 
for.
    Mr. Lujan. But the reason we are working toward that goal 
is because we are concerned that they could happen.
    Mr. Simons. Yes, and one of the things that we discussed 
earlier is the need for civil penalty authority to act as an 
increased deterrent.
    Mr. Lujan. So building on that, Commissioner, can you 
detail what rules the FTC is currently developing to better 
protect consumers' privacy and data?
    Mr. Simons. We don't have any rulemakings going on. We are 
engaged in enforcement to the extent our current authority 
allows us to do that and we are as aggressive as we can under 
our current authority.
    Mr. Lujan. Does the FTC have rulemaking authority?
    Mr. Simons. We do under Magnuson-Moss. But it's very 
cumbersome.
    Mr. Lujan. But not in this space?
    Mr. Simons. No, well, it's general.
    Mr. Lujan. Could the FTC use support for authority to have 
more clear rulemaking authority to protect consumers' privacy?
    Mr. Simons. I think through individual enforcement we are 
able to make pretty clear what companies are supposed to do.
    So I think we are relatively effective in that regard, and 
I don't think we need a rule to make it clear what the 
companies need to do. I think the civil penalty authority would 
act as a substantial conditional deterrent.
    Mr. Lujan. So some of the numbers that I rattled off--150 
million people exposed with Equifax, 200,000 consumers were 
compromised, 180,000 consumers here and there, 87 million with 
Facebook and Cambridge Analytica, 57 million Uber drivers, a 
lot of people are getting their information stolen.
    Commissioner, are you aware of any recent legislation 
that's been passed by the Congress and signed into law that 
will strengthen privacy protections for consumers?
    Mr. Simons. You mean like COPPA?
    Mr. Lujan. Anything that you might be aware of.
    Mr. Simons. COPPA would be one. That would be a relatively 
recent one.
    Ms. Ohlhausen. It's not recent, but there's the Fair Credit 
Reporting Act as well.
    Mr. Lujan. The reason I ask that question is this 
subcommittee, Mr. Chairman, held a hearing on Equifax in 
October of 2017. We had Mark Zuckerberg before the full 
committee in April 2018. It's now July.
    And these breaches took place before the holidays. There 
were assurances that the Congress would act to provide more 
certainty to the comments that Commissioner Chopra shared--that 
you need to instill confidence.
    Nothing happened. I believe, Mr. Chairman, that this 
Congress and this committee need to act before the August 
recess, need to act before the end of this year to be able to 
get more comprehensive privacy legislation adopted and I 
believe our constituents and the American people deserve 
better.
    I thank everyone for their time and I see my time has 
expired.
    Mr. Latta. Thank you very much. The gentleman's time has 
expired.
    The chair now recognizes the gentleman from Georgia for 5 
minutes.
    Mr. Carter. Thank you, Mr. Chairman. I appreciate you 
letting me sit in on this.
    I thank all of you for being here. You have a very 
important job and certainly, it's very important to consumers.
    Full disclosure--currently I am the only pharmacist serving 
in Congress for over 30 years. I practiced in retail pharmacy 
and I am very familiar with what's going on in that.
    And I wanted to ask you--I want to talk specifically about 
PBMs--pharmacy benefit managers--where three companies control 
78 percent of the market.
    First of all, Mr. Simons, you and I met after you became 
director and we met and we talked about the anti-competitive 
nature of this. Would you consider three companies owning 78 
percent of the market be a problem?
    Mr. Simons. Certainly, a market structure in which you 
might find and we might look for anti-competitive conduct.
    As I mentioned before, in terms of anti-trust enforcement, 
the places you look are the places where there are small 
numbers of firms with large shares.
    Mr. Carter. Right.
    Mr. Simons. And this would be such a case.
    Mr. Carter. One of the things that confuses me is when we 
talk about vertical integration and horizontal integration and 
often times you tell me, well, vertical integration is fine and 
we just have to worry about horizontal integration.
    Mr. Simons. No, I wouldn't say that.
    Mr. Carter. Well, I appreciate you correcting me because 
that's probably a misnomer that I want to dispose of because 
the vertical integration as we see it right now, all of you 
know what's going on. All of you know what's going on.
    We've got the top three--those three that I mentioned--PBMs 
that control 78 percent of the market--you have got CVS, 
Caremark that now is buying Aetna. So all of a sudden you're 
going to have a vertical integration that includes the 
insurance company owning the pharmacy benefits manager owning 
the pharmacy.
    Now you have got Cigna buying out Express Scripts. Did you 
know that Express Scripts, according to volume, is the third 
largest pharmacy chain in America right now?
    So now you have gone number one at CVS. You have got number 
three at Express Scripts. Cigna is going to be the insurance 
company.
    Express Scripts will be the PBM and there will be the 
pharmacy, and that vertical integration you yourself, Mr. 
Simons, the FTC investigated in January of 2012 regarding 
patient steering from Caremark to CVS. And what was going on 
there?
    We see it. I've got numerous examples that I can share with 
you and I will be glad to share with you, and yet they hide 
under the auspices of a lack of transparency.
    This is the most opaque system that's known out there, and 
they hide behind that and their profits have been just 
outrageous.
    In fact, I don't like to read but I am going to read this: 
according to data from CMS, between 1987, when PBMs first 
became involved in this when they were formed, and 2014 
expenditures on prescription drugs have jumped by 1,100 
percent.
    There's been 1,553 percent increase in per employee 
prescription drug benefit cost since 1987. In the last 10 
years, the two largest PBMs have increased their profit margins 
by nearly 600 percent.
    Now, folks, I am not opposed to anybody making money. But 
if you ask them what is the mission of a PBM, they'll tell you 
it's to control prescription drug prices.
    Well, how is that working out? Why is that an initiative of 
the president of Health and Human Services right now to lower 
prescription drug prices?
    If they are fulfilling their mission, and yet they're 
hiding again and this is what we look to the FTC to do. Am I 
wrong? Is that not your responsibility? Should I be talking to 
some other agency?
    Mr. Simons. Well, it's partially our responsibility. So we 
look at anti-competitive conduct and if they're engaging in 
anti-competitive conduct we should be challenging it.
    Mr. Carter. So just a quick story. I had a pharmacist that 
shared a story with me--that he filled a prescription at his 
drug store for his wife, who was covered under Caremart 
insurance.
    That night he got a call at his home from CVS saying if you 
get it filled at our pharmacy you can get a lower co-payment.
    Now, is there supposed to be a firewall? What happened to 
that firewall? This was his wife.
    Mr. Simons. I understand.
    Mr. Carter. That's the kind of behavior that's going on 
here. Yet and we look to you to help us with this, not because 
of the pharmacy but because of the consumer. It's the consumer 
who's suffering here, because as you do away the independent 
retail pharmacies, you do away with choice, less competition, 
that's not going to benefit the consumer at all.
    It's just very frustrating when you have a profession where 
the PBMs are responsible--they create the pharmacy networks. 
They decide who's going to be let into that network and who's 
not going to be let into that network. They direct the patients 
to the certain pharmacies and it they own the pharmacy who do 
you think they're going to direct it to?
    My one question is who is supposed to be watching this. I 
thought it was the FTC. Can I get a commitment that you will 
look into this?
    Mr. Simons. We are looking into it.
    Mr. Carter. You're looking into it now?
    Mr. Simons. You and I had a meeting and----
    Mr. Carter. We did.
    Mr. Simons. --And I took what you said to heart.
    Mr. Carter. Thank you.
    I look forward to continuing that conversation with you.
    Mr. Latta. Thank you very much.
    Mr. Carter. Thank you. I yield.
    Mr. Latta. The gentleman's time has expired and the chair 
now recognizes the chairman from Maryland for 5 minutes.
    Mr. Sarbanes. Thank you, Mr. Chairman, for the opportunity 
to participate in the hearing. Just before I start my 
questions, I want to say I agree 1,000 percent with my 
colleague. These mergers are kind of out of control. They're 
putting the consumer, really, in a very, very bad position.
    I want to thank you all for being here, for your work. This 
is an incredibly important commission in terms of protecting 
consumers, obviously, and the opportunities to lean in to do 
that, I think are expansive right now, if you look across all 
the various areas of jurisdiction that you have.
    Commissioner, is it Simmons? Is that the pronunciation?
    Mr. Simons. It's Simons.
    Mr. Sarbanes. It's Simons. OK.
    Mr. Simons. One M, two S's.
    Mr. Sarbanes. I was wondering why everyone was saying 
Simmons.
    Mr. Simons. But it's remarkable how often it's pronounced 
so I am used to it.
    Mr. Sarbanes. OK. So Commissioner Simons, I wanted to talk 
a little bit about biologic drugs and biosimilars. The FTC, as 
I understand it, doesn't currently have the authority to 
monitor agreements made between the manufacturers of biologics 
and biosimilars, and I wanted to know if you thought it was 
important that the FTC get that authority and, if so, why.
    Mr. Simons. I mean, in terms of, like, pay for delay and--
--
    Mr. Sarbanes. Exactly.
    Mr. Simons. Yes, that would be helpful.
    Mr. Sarbanes. I mean, my understanding is that if you look 
at the authority you have over the agreements between brand 
name drug manufacturers and generic drug manufacturers where 
you can monitor this anti-competitive behavior, the pay for 
delay agreements, and so forth, that you can have a significant 
impact on the overall cost to the consumer out there is you 
take those actions.
    Can you describe a little bit some of the tools you have 
when you go after those pay for delay agreements?
    Mr. Simons. So the statute you're talking about requires 
that if there's any agreement between a brand and a generic I 
think that delays the marketing of the product that they have 
to report that to the FTC and those disclosures are significant 
way in which the commission finds out about these agreements 
and whether it tells us where to look for whether these 
agreements might be anti-competitive or not.
    So the alert says hey, these agreements, and it's a big 
brief description of what they are, and we can look at them and 
then figure out OK, which ones look like they're problems and 
then we go after them.
    Mr. Sarbanes. It's incredibly important. I think there's a 
study out there that shows that while brand name drugs are 
about 10 percent of all drugs that are dispensed, I think 
that's including biologics in the equation, they make up about 
72 percent of the annual U.S. drug spending.
    So there's a huge amount of money on the line, obviously, 
from patients directly and from payers like Medicare and 
Medicaid, government payers that can be saved by monitoring 
these agreements, blocking these agreements.
    But it's really critical to get that same kind of authority 
with respect to the biologics and the biosimilars because in 
the same way those paid for delays are decreasing market 
competition. They're keeping the costs high. That's hurting 
patients at the counter, and I want to, again, commend you on 
the work you're doing with respect to the brand name drugs and 
the generics.
    But the Medicare Modernization Act of 2003, which gave FTC 
this authority, as you know, didn't extend it to biologics and 
biosimilar drugs.
    So I will be introducing soon the Biosimilars Competition 
Act of 2018 to grant FTC that authority so that you can begin 
to monitor these deals, punish the bad actors and hopefully 
deter many of these backroom deals from being made in the first 
place.
    We look forward to any comments you all will have with 
respect to the proposed because we do want to give you that 
authority.
    Mr. Simons. Thank you very much.
    Mr. Sarbanes. I wanted to switch gears really quickly. You 
had probably two or three members ask you about your authority 
as it related to Facebook and that earlier consent decree and I 
wanted to pick up on that a little bit.
    I was sort of struck in a recent earnings call--the various 
Wall Street analysts were, like, peppering Mark Zuckerberg and 
Sheryl Sandberg about the implications of Europe's new privacy 
law, the general data protection regulation, how it might 
impact the company and its earnings.
    Not a single analyst asked about the FTC's announced 
investigation into Facebook's privacy concerns, potential 
violation of the 2011 consent decree.
    So the market, in any event, doesn't seem to be taking that 
consent decree--your ability to enforce it and punish Facebook 
if you see violations, seriously from a kind of market 
standpoint.
    Actually, Commissioner Chopra, I would like your 
perspective, if you could share it quickly, just about this 
issue of the commission's credibility.
    I mean, to me that treatment on the earnings call suggests 
that they're not taking it seriously. Can you speak to how the 
FTC could be taken more seriously on things like that and the 
tools that you could maybe uses to do that?
    Mr. Chopra. Without speaking about this specific matter at 
hand, the FTC very energetically goes after companies that 
break the law and when it comes to small time scammers, we 
really do lay down the hammer. We seek bans of executives. We 
sometimes close down a business.
    I would like us to apply the law evenly regardless if it's 
a small time scammer or a big time publicly traded corporation 
and it's our duty, I think, to apply that law equally and the 
market needs to see that we are willing to do that. Otherwise, 
the credibility of our orders and enforcement will not be as 
high as it needs to be.
    Mr. Sarbanes. Well, thank you very much. I appreciate that. 
I agree with you and I think we do need to make sure the big 
guys receive the same kind of attention as the small guys.
    The public's confidence in the commission, I think, is 
dependent upon that.
    Thank you, and I yield back my time.
    Mr. Latta. Thank you. The gentleman's time has expired, and 
the chair now recognizes the gentleman from California for 5 
minutes.
    Mr. McNerney. Well, I thank the chair and the ranking 
member. I thank the commissioners for your service with limited 
resources. It's a tough job.
     In recent years, we've witnessed numerous data breaches 
incidents from many companies like Facebook, Equifax, Target, 
Home Depot, LinkedIn, and Anthem.
    The FTC does have resources to help consumers who have been 
victims of data breaches.
    Commissioner Slaughter, what more could the FTC be doing 
for consumers?
    Ms. Slaughter. Thank you for the question, Congressman.
    I think my colleagues and I have all spoken particularly in 
the area of data breach and data security. Well, I don't say 
all--several of us have spoken.
    No, I think all, actually, about how we could benefit from 
data security legislation, perhaps data breach notification 
legislation that gave us more specific authority and perhaps 
rulemaking authority with respect to data security and data 
privacy.
    Mr. McNerney. So that would be your specific recommendation 
as it you--the FTC be given rulemaking authority?
    Ms. Slaughter. Yes. A number of us have outlined different 
kinds of authorities that would be useful in different ways. 
Rulemaking is one. Civil penalty authority is another.
    I think we do and we will go after violations of the law 
where we find them now. But deterring these problems on a large 
scale would be better able to do that with a little bit more 
authority.
    Mr. McNerney. Thank you.
    Commissioner Chopra, do you have anything to add to that?
    Mr. Chopra. Well, I think that you mentioned Target and 
some other large retailers. I just want to underscore, 
particularly with respect to stolen credit card information at 
these large retailers, this actually impacts a wide swath of 
our banking industry as well. Community banks, others, who in 
some ways have to take those losses.
    So we require financial institutions. We require certain 
health care institutions to protect data. I think we, in some 
ways, need to level the playing field and make sure other big 
sectors of the economy are doing the same thing.
    Mr. McNerney. Thank you.
    Chairman Simons, facial recognition features are 
increasingly being incorporated into technology. However, just 
last week, Brad Smith from Microsoft stated that facial 
recognition technology should be regulated, which is voicing a 
great concern on this issue.
    What is the FTC doing to address privacy concerns raised by 
facial recognition technology?
    Mr. Simons. Thank you for the question, Congressman.
    So this is a good example of something that maybe even a 
few years ago was not really considered sensitive information, 
and now with the development of technology now it is sensitive 
information.
    And so one of the things we are following and are careful 
about is whether people are being misled about information that 
is sensitive information for them and whether the companies 
have disclosed how they're using it in the correct way.
    Mr. McNerney. Thank you.
    Mr. Chopra, do you have anything to add to that?
    Mr. Chopra. Well, I agree with Chairman Simons.
    I will just add I think the potential for misuse with 
facial recognition implicates a lot of issues and values that 
we are not always best situated to combat.
    I don't know if I want to live in a society where everyone 
knows my movements at all time and where my face can be scanned 
and it can be used to decide other things about me.
    Mr. McNerney. Hear, hear.
    Mr. Chopra. So it's something I am worried about when it 
comes to misuse. I saw Microsoft's announcement about this. We 
will do what we can.
    But I want to be clear. We can't solve everything with 
respect to the issues with facial recognition. We have limited 
authority to do that.
    Mr. McNerney. So this is an area you think Congress needs 
to get involved in?
    Mr. Chopra. Well, I think it involves a lot of issues 
beyond our narrow lens including really our values as Americans 
and our civil liberties, and that is something that we want to 
enforce the law with respect to promises that are made or 
misuse of data in certain commercial transactions.
    But I think it's on you guys to really think about the big 
picture.
    Mr. McNerney. OK. Thank you.
    Chairman, I am going to follow up on the Cambridge 
Analytica issue.
    The FTC entered a consent decree with Facebook in 2011. In 
2015, it was revealed that Cambridge Analytica illegitimately 
obtained consumer data.
    Yet, it was not until this spring that the commission 
announced it was investigating. Now, I realize you can't 
comment on Facebook specifically, but can you tell us what 
steps the commission is taking to improve how it monitors 
compliance with consent decrees?
    Mr. Simons. Yes. Without saying anything about the 
particular matter, so this is another example of self-critical 
examination.
    So when this all came to light, one of the things we did 
was we started a task force to deal with potential changes in 
how we do our orders.
    Mr. McNerney. And how you enforce those?
    Mr. Simons. How we write them and how we enforce them.
    Mr. McNerney. Because, you don't enforce them. There's no 
point in----
    Mr. Simons. Right. But also you have to write them in the 
right way. So you have to get the company committed to doing 
what it needs to do and you have to--and also in terms of being 
able to monitor them properly.
    So writing the orders is important and enforcing is 
important. Both are important.
    Mr. McNerney. Thank you for that answer.
    Mr. Chopra. Congressman, if I can quickly add, I think we 
all take enforcement of our orders seriously. I will note that 
when Chairman Simons was--his previous stint at the FTC he 
achieved and obtained a very significant penalty against a 
larger order violator and I think we will continue with that 
spirit and use all the tools we can to correct violations of 
our orders.
    Mr. McNerney. Thank you.
    I would like to yield back.
    Mr. Latta. Thank you very much.
    The gentleman's time has expired and at this time the 
ranker and I are going to ask one last quick question each that 
we agreed upon.
    Chairman, I was wondering if I could start, to just ask my 
last question to you. I want to touch on an issue we've all 
heard about. We have seen advertisements that target the senior 
population. We've all seen or heard the lawsuit advertisements 
that proclaim that certain medications or drugs may cause 
complications and to contact the organization or law firm 
airing the advertisement.
    I also understand that these ads may at times be misleading 
or in some cases just outright fraudulent, leading to potential 
physical harm.
    Is this an issue that the FTC is focused on and, if you 
are, what is the FTC doing to prevent misleading or false ads?
    Mr. Simons. Yes, so this is potentially deception in a very 
sensitive area and it also, because of the area of its 
involvement, it's something that we would do in conjunction 
with the FDA.
    Mr. Latta. OK. But this is something you're actively 
working on then?
    Mr. Simons. Well, you brought it to our attention, yes. So 
this is some of the concern, yes.
    Mr. Latta. OK. Well, thank you very much.
    And I will recognize the gentlelady from Illinois, the 
ranker of the subcommittee.
    Ms. Schakowsky. As I mentioned in my opening statement, the 
European Commission announced a $5.1 billion antitrust fine on 
Google.
    The E.U. alleges, among other things, that Google, for 
smart phone makers, preinstall Google Search together with its 
Play Store and Chrome browser and sign agreements not to sell 
devices on rival Android systems by imposing its bundled 
package on smart phone makers.
    Google, arguably, gave itself an advantage over its 
competitors. So, Chairman Simons, I know that you have 
announced a series of hearings that will examine a competition 
policy.
    But as of right now, are there any limitations under U.S. 
law that would prevent the FTC from looking into Google's 
conduct regarding this kind of bundling.
    Specifically, do you have enough authority to consider if 
Google's conduct is anti-competitive?
    Mr. Simons. So thank you for the question.
    We do have enough authority to determine whether it's anti-
competitive or not. And let me just say, we are going to read 
what the EU put out very closely.
    We are very interested in what they're doing. I had a 
conversation with Commissioner Vestager yesterday. So we are 
very interested in what the EU is----
    Ms. Schakowsky. I am sorry. Who is that person?
    Mr. Simons. She's the commissioner. She's my counterpart of 
the European Commission's competition directorate.
    But in terms of what they look at versus what we look at, 
their regulatory regime is a little different than ours.
    So once they find that a company is dominant, as I 
understand it, that imposes upon the company kind of like a 
fairness obligation irrespective of what the effect is on the 
consumer.
    Our anti-trust regime requires that there be a harm to 
consumer welfare. So the consumer has to be injured.
    So the two tests are a little bit different. But we are 
going to look closely at what the EU is doing.
    Ms. Schakowsky. Thank you.
    I yield back.
    Mr. Latta. Thank you very much. The gentlelady yields back.
    And seeing that there are no other further members here to 
ask any questions, again, we want to thank you all for being 
with us today and appearing before the subcommittee.
    Before we do conclude, I would like to submit them for the 
record by unanimous consent: A letter from ACA International, a 
letter from the Electronic Privacy Information Center, a letter 
from the Coalition Trade Association, and a letter from the 
Internet Association.
    And without objection, so ordered.
    [The information appears at the conclusion of the hearing.]
    Mr. Latta. Pursuant to committee rules, I remind members 
that they have 10 business days to submit additional questions 
for the record, and I ask that our witnesses submit their 
responses within 10 business days upon receipt of those 
questions.
    And without objection, the subcommittee stands adjourned.
    [Whereupon, at 12:02 p.m., the committee was adjourned.]
    [Material submitted for inclusion in the record follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]