[Senate Hearing 115-730]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 115-730

                             OVERSIGHT OF 
                      THE FEDERAL TRADE COMMISSION

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON CONSUMER PROTECTION,
                       PRODUCT SAFETY, INSURANCE,
                           AND DATA SECURITY

                                 of the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________


                           NOVEMBER 27, 2018

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation






                 [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]






                Available online: http://www.govinfo.gov

                               ______
                                 

                 U.S. GOVERNMENT PUBLISHING OFFICE

55-155 PDF                WASHINGTON : 2024













       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                   JOHN THUNE, South Dakota, Chairman

ROGER F. WICKER, Mississippi         BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri                  MARIA CANTWELL, Washington
TED CRUZ, Texas                      AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas                  BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska                 EDWARD MARKEY, Massachusetts
DEAN HELLER, Nevada                  TOM UDALL, New Mexico
JAMES INHOFE, Oklahoma               GARY PETERS, Michigan
MIKE LEE, Utah                       TAMMY BALDWIN, Wisconsin
RON JOHNSON, Wisconsin               TAMMY DUCKWORTH, Illinois
SHELLEY MOORE CAPITO, West Virginia  MAGGIE HASSAN, New Hampshire
CORY GARDNER, Colorado               CATHERINE CORTEZ MASTO, Nevada
TODD YOUNG, Indiana                  JON TESTER, Montana

                       Nick Rossi, Staff Director
                 Adrian Arnakis, Deputy Staff Director
                    Jason Van Beek, General Counsel
                 Kim Lipsky, Democratic Staff Director
              Chris Day, Democratic Deputy Staff Director
                      Renae Black, Senior Counsel

                                 ------                                

  SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, INSURANCE, AND 
                             DATA SECURITY

JERRY MORAN, Kansas, Chairman        RICHARD BLUMENTHAL, Connecticut, 
ROY BLUNT, Missouri                      Ranking
TED CRUZ, Texas                      AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                EDWARD MARKEY, Massachusetts
DEAN HELLER, Nevada                  TOM UDALL, New Mexico
JAMES INHOFE, Oklahoma               TAMMY DUCKWORTH, Illinois
MIKE LEE, Utah                       MAGGIE HASSAN, New Hampshire
SHELLEY MOORE CAPITO, West Virginia  CATHERINE CORTEZ MASTO, Nevada
TODD YOUNG, Indiana








                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on November 27, 2018................................     1
Statement of Senator Moran.......................................     1
Statement of Senator Blumenthal..................................     2
Statement of Senator Nelson......................................     4
Statement of Senator Klobuchar...................................    29
Statement of Senator Thune.......................................    31
Statement of Senator Markey......................................    33
Statement of Senator Udall.......................................    35
Statement of Senator Hassan......................................    38
Statement of Senator Cortez Masto................................    40
Statement of Senator Capito......................................    42
Statement of Senator Cruz........................................    51

                               Witnesses

Hon. Joseph J. Simons, Chairman, Federal Trade Commission........     5
    Joint prepared statement.....................................     7
Hon. Rohit Chopra, Commissioner, Federal Trade Commission........    19
Hon. Noah Joshua Phillips, Commissioner, Federal Trade Commission    20
Hon. Rebecca Kelly Slaughter, Commissioner, Federal Trade 
  Commission.....................................................    22
Hon. Christine S. Wilson, Commissioner, Federal Trade Commission.    23

                                Appendix

Letter dated November 26, 2018 to Hon. Jerry Moran and Hon. 
  Richard Blumenthal from Electronic Privacy Information Center: 
  Marc Rotenberg, EPIC President; Caitriona Fitzgerald, EPIC 
  Policy Director; Christine Bannan, EPIC Consumer Privacy 
  Counsel; Enid Zhou, EPIC Open Government Counsel; Lorraine 
  Kisselburgh, EPIC Scholar in Residence; an Jeff Gary, EPIC 
  Legislative Fellow.............................................    55
Letter dated November 26, 2018 to Joseph J. Simons, Chairman, 
  Federal Trade Commission from the following consumer, privacy, 
  and civil organizations: Campaign for a Commercial Free 
  Chilhood, Center for Digital Democracy, Consumer Action, 
  Consumer Federation of America, Consumer Watchdog, Customer 
  Commons, Electronic Frontier Foundation, Electronic Privacy 
  Information Center, Media Alliance, National Hispanic Media 
  Coalition, Privacy Rights Clearinghouse, Public Citizen, Public 
  Knowledge, Stop Online Violence Against Women and US PIRG......    61
Response to written questions submitted to Hon. Joseph J. Simons 
  by:
    Hon. John Thune..............................................    63
    Hon. Roy Blunt...............................................    66
    Hon. Jerry Moran.............................................    66
    Hon. Richard Blumenthal......................................    71
    Hon. Maggie Hassan...........................................    78
    Hon. Tom Udall...............................................    80
    Hon. Catherine Cortez Masto..................................    81
Response to written questions submitted to Hon. Rohit Chopra by:
    Hon. John Thune..............................................    86
    Hon. Jerry Moran.............................................    87
    Hon. Richard Blumenthal......................................    90
    Hon. Catherine Cortez Masto..................................    92
    Hon. Maggie Hassan...........................................    95
    Hon. Amy Klobuchar...........................................    95
    Hon. Tom Udall...............................................    95
Response to written questions submitted to Hon. Noah Joshua 
  Phillips by:
    Hon. John Thune..............................................    96
    Hon. Jerry Moran.............................................   101
    Hon. Richard Blumenthal......................................   106
    Hon. Catherine Cortez Masto..................................   112
    Hon. Amy Klobuchar...........................................   115
    Hon. Tom Udall...............................................   116
Response to written questions submitted to Hon. Rebecca Kelly 
  Slaughter by:
    Hon. John Thune..............................................   117
    Hon. Jerry Moran.............................................   119
    Hon. Richard Blumenthal......................................   122
    Hon. Catherine Cortez Masto..................................   125
    Hon. Amy Klobuchar...........................................   128
    Hon. Tom Udall...............................................   128
Response to written questions submitted to Hon. Christine S. 
  Wilson by:
    Hon. John Thune..............................................   129
    Hon. Jerry Moran.............................................   134
    Hon. Amy Klobuchar...........................................   138
    Hon. Tom Udall...............................................   140
    Hon. Richard Blumenthal......................................   141
    Hon. Catherine Cortez Masto..................................   145










 
                             OVERSIGHT OF 
                      THE FEDERAL TRADE COMMISSION

                              ----------                              


                       TUESDAY, NOVEMBER 27, 2018

                               U.S. Senate,
Subcommittee on Consumer Protection, Product Safety, Insurance, and 
                                                  Data Security,   
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:38 p.m., in 
room SR-253, Russell Senate Office Building, Hon. Jerry Moran, 
Chairman of the Subcommittee, presiding.
    Present: Senators Thune, Moran [presiding], Nelson, Cruz, 
Capito, Blumenthal, Klobuchar, Markey, Udall, Hassan, and 
Cortez Masto.

            OPENING STATEMENT OF HON. JERRY MORAN, 
                    U.S. SENATOR FROM KANSAS

    Senator Moran. The hearing will come to order.
    Thank you, all of the commissioners, for being with us here 
today as the Subcommittee conducts on oversight of the Federal 
Trade Commission.
    The Commission has a broad mandate to protect consumers 
from unfair and deceptive trade practices. Its consumer 
protection mission includes protecting consumers from 
everything from robocalls, ticket bots, and data breaches, and 
enforcing laws such as the Consumer Review Fairness Act, the 
Fair Credit Reporting Act, and the Children's Online Privacy 
Protection Act.
    This is the first opportunity for this subcommittee to hear 
from all five new commissioners since their confirmation this 
past spring and learn about their enforcement priorities.
    This spring the Commission announced it would hold a series 
of hearings titled Competition and Consumer Protection in the 
21st Century with the goal of exploring whether evolving 
businesses practices and emerging technologies might 
necessitate changes to the FTC enforcement policy and 
priorities. So far, the Commission has held seven hearings on 
topics which included big data and artificial intelligence, 
with data security and privacy hearings to be held in the next 
few months.
    I would like to hear from the commissioners about the 
response they have gotten to the hearings, what they have 
learned so far, and what, if any, policy or enforcement 
guidance might result.
    I am also interested in what the Commission can share on 
its investigation into Equifax and Facebook. In September 2017 
the FTC announced that it had opened an investigation into 
Equifax's massive data breach that affected the personal 
information of at least 148 million Americans. The breach 
apparently went unnoticed by Equifax for more than 70 days, and 
once the company finally realized that a breach had occurred, 
the company waited six weeks to report it. The breach put 
consumers at high risk of identity theft.
    Last March following the Cambridge Analytical scandal, the 
FTC also confirmed that it was investigating whether Facebook's 
privacy practices violated the Commission's 2012 consent 
decree.
    This Subcommittee held a hearing on June 19, focused on how 
the use of the app by about 300,000 Facebook users ultimately 
resulted in the personal information of nearly 87 million 
Facebook users being transferred to Cambridge Analytica. It 
would be useful to know if the Commission has an anticipated 
timeline for when the results of that investigation will be 
announced and what penalties the company might face if the 
Commission determines if practices did violate the consent 
decree.
    Privacy has emerged as an area of major concern for 
consumers. In the past month alone, Facebook and Google 
revealed the exposure of personal information of up to 30 
million and 500,000 users respectively, and these are just the 
latest in a long series of incidents that have raised serious 
concerns about privacy practices of large tech companies and 
the adequacy of their responses.
    In the wake of these incidents, the implementation of the 
General Data Protection Regulation, GDPR, in Europe and the 
recent passage of the California Consumer Privacy Act, it has 
become clear that the U.S. needs a Federal consumer data 
privacy law. My colleagues on the committee and I are pursuing 
a bipartisan privacy legislative proposal.
    As the primary Federal privacy regulator that has brought 
over 100 data security and privacy cases over the last 20 years 
and issued privacy guidance, the FTC has unique experience and 
expertise to call on when we work to develop that privacy 
legislation.
    I look forward to hearing from the commissioners about what 
they think should be included in any Federal privacy 
legislation and what additional tools the FTC might need in 
order to effectively protect consumer privacy while still 
encouraging and enhancing innovation.
    With that, I turn to the Ranking Member so that he can make 
his opening statement.

             STATEMENT OF HON. RICHARD BLUMENTHAL, 
                 U.S. SENATOR FROM CONNECTICUT

    Senator Blumenthal. Thanks, Senator Moran. Thank you to you 
and Chairman Thune for your leadership.
    And I have been working with Senator Moran on a bipartisan 
privacy bill that I hope will make very good progress very 
soon.
    Congress has long empowered and directed the Federal Trade 
Commission to enforce the tools it has now, not to mention new 
ones that we may give it in such a privacy law. And looking 
back, this year really exemplifies the urgent need for the FTC 
to be more vigorous and vigilant in its enforcement; to stand 
up for consumers, promote competitive markets, and combat 
fraud.
    And I will be very blunt. First, thank you all for your 
service, but thank you for recognizing, as I hope you will, 
that all too often the FTC has fallen short of that empower/
enforcement trust. It is falling short on confronting pressing 
challenges. Sometimes it's because the Commission lacks the 
needed tools, but too regularly the problem appears to be lack 
of will. And I say that with great respect based not only on my 
8 years as a United States Senator but 20 years as a law 
enforcer at the state level, attorney general of Connecticut.
    This hearing is about finding out whether the FTC is ready 
and willing to take on hard problems and whether the FTC will 
robustly protect privacy using the authorities and resources 
that you have now and that we will hopefully provide.
    We've seen the consequences of lack of enforcement with 
Facebook. After over a year of foot dragging on Russian 
interference earlier this year, we learned a political firm had 
secretly amassed Facebook data on tens of millions of people to 
manipulate our election.
    Cambridge Analytica should never have happened. It would 
never have happened if the consent order reached by the FTC 
with Facebook had been vigorously and adequately enforced. When 
Mark Zuckerberg came before the Senate, I showed him the terms 
of service of Cambridge Analytica's app. He acknowledged that 
Facebook was not paying attention and promised change. In fact, 
he said he hadn't seen them before.
    Instead, we have learned that while Mr. Zuckerberg embarked 
on this apology tour, surrogates of Facebook were maligning 
critics and Members of Congress. That issue is only one of 
many, and it won't be the last, I'm afraid. My colleagues and I 
have raised countless more concerns about Facebook's privacy 
and security practices.
    I have been frustrated that there has been no cost to 
Facebook for catastrophic failure to protect consumers, and I 
will be asking, like Senator Moran, where the investigation 
stands and when we will see results.
    Facebook has captured the headlines but it's hardly alone. 
In July, the Wall Street Journal disclosed that Google had 
potentially exposed the private data of hundreds of thousands 
of Google's users. Google's instinct was concealment. A memo 
from Google policy staff quoted by the Journal warned 
disclosure would likely result in, ``us coming into the 
spotlight alongside or even instead of Facebook despite having 
stayed under the radar throughout the Cambridge Analytical 
scandal.'' I, along with Senators Markey and Udall wrote the 
FTC about this incident and I hope for a response today.
    This issue is about big tech, and Congress is fed up. It's 
about big tech no longer being entitled to say to America, 
Trust us. Big tech is no longer entitled to that trust if it 
ever was. And big tech maybe is no longer entitled to be as big 
as it is. Misuse of bigness can be in violation of antitrust 
laws. There may be nothing that prohibits the amassment of 
market power, but misuse of that power can violate antitrust 
laws. And so it's not only privacy, consumer protection, but 
also antitrust that has to be assessed.
    You all know, America is well aware that we all carry with 
us the most sophisticated tracking devices ever invented. Our 
phones monitor our movements on a minute-by-minute basis. They 
are privy to the most intimate conversations. We use them as 
credit cards and to monitor our health. They may know us better 
than we know ourselves, and the ones collecting the data 
yielded by those phones know us the best of all. That is also 
big tech. And worse, there is little that any individual can do 
about it.
    That's not the basis of innovation. It's an invitation to 
disaster. We have seen this year that the misuse and abuse of 
our data represents a threat to consumer safety but also 
national security, the defense of our nation, and the health of 
our democracy. We need changes.
    I look forward to collaborating with my colleagues on this 
Committee to pass bipartisan legislation that sets clear rules 
of the road on consumer privacy and other issues essential to 
our national security. And we need to do it not only because 
Europe has done it, not only because California has done it, 
but these rules are long overdue. We can't simply endorse the 
status quo.
    And these real changes must include, at a minimum, rules 
passed by Congress that will provide all Americans with the 
same or better rights and redress than California and Europe, 
move us beyond the failed notice and choice regime; and set 
requirements for transparency, access and control; end the 
secret harvesting and sale of personal data through requiring 
reasonable data minimization; provide the FTC with the 
resources, and expertise, and structure to enforce the rules; 
establish meaningful penalties on first offenses to pose a 
credible deterrent, and recognize the importance of state 
attorneys general to ensure that violations are investigated 
and punished.
    And finally, to end where I began, any rules that we pass 
need to be enforced. That FTC consent decree already on the 
books should have prevented Cambridge Analytica. The FTC simply 
can't claim to be surprised here. If we let Facebook and Google 
police themselves, set their own goal posts, make their own 
rules, they will always come up short. And so I look forward to 
hearing whether the FTC is up to this task, and we need a 
commitment from you to end the cycle of impunity.
    Thank you, Mr. Chairman.
    Senator Moran. Thank you, Senator Blumenthal.
    Senator Nelson, would you care to make an opening 
statement?

                STATEMENT OF HON. BILL NELSON, 
                   U.S. SENATOR FROM FLORIDA

    Senator Nelson. Thank you, Mr. Chairman.
    The FTC, the consumer--premier consumer protection agency 
set up in 1914, it's the bedrock of American consumer 
protection. The agency is tasked with policing and promoting 
competitive markets and with protecting consumers from unfair 
or deceptive acts or practices.
    And despite the important mission, an enormous mandate, the 
FTC remains a relatively small agency. For years, I have 
consistently advocated that the FTC be provided with more 
resources so that you can effectively do your job, particularly 
during an age where the American economy is becoming 
increasingly complex and digitized. And with a little over a 
thousand full-time employees, the FTC can only do so much in a 
19-trillion-dollar economy.
    It's my hope that Congress will finally do the right thing 
by providing the FTC with the increased funding and personnel 
to police the marketplace and to protect American consumers 
from a myriad of scams, frauds, corporate practices that fleece 
them from their hard-earned money.
    It is my hope that the FTC continues to operate in a 
bipartisan and a consensus manner. It is all too common today, 
not only from this institution but from the administrative 
agencies, that we are beginning to see creep into the agencies 
the same thing that is happening in the body politic: the 
tribalism that has now entered and dominating our political 
milieu.
    The Commission has a long, proud history of bipartisanship. 
It's a tradition from which other independent agencies should 
draw. Too often agencies like the FCC or the CPSC, Consumer 
Product Safety Commission, they get mired in competing 
individual ideological agendas. And we speak in this Committee 
from a position of knowing because we have the oversight of 
both the FCC and the CPSC. And by and large, the FTC has 
avoided this kind of dysfunction, and it's served the American 
consumer well. Congress obviously can learn from your example 
of bipartisan deliberation and cooperation.
    And to the FTC commissioners before us in the Committee 
today, thank you for your public service. It has been a 
privilege and an honor to have worked closely with you during 
the tenure in my capacity as Ranking Member on this Committee.
    Thank you again, Mr. Chairman.
    Senator Moran. Thank you, Senator Nelson.
    We are now ready for that testimony. We have before us 
today Trade Commission Chairman Joseph Simons, Commissioner 
Rohit Chopra, Commissioner Noah Phillips, Commissioner Rebecca 
Kelly Slaughter, and Commissioner Christine Wilson.
    It is my understanding that your testimony is going to be a 
joint testimony and will be delivered by the Chairman.
    Mr. Chairman, you are recognized.

  STATEMENT OF HON. JOSEPH J. SIMONS, CHAIRMAN, FEDERAL TRADE 
                           COMMISSION

    Mr. Simons. Chairman Moran, Ranking Member Blumenthal, and 
members of the Subcommittee, it is an honor to appear before 
you today, especially alongside my esteemed colleagues.
    As Senator Nelson said, the FTC is a highly productive and 
efficient, independent agency with a broad dual mission: to 
protect consumers and to maintain competition. The FTC has a 
long history of bipartisanship and we work hard to maintain it 
and we will continue to work hard to maintain it.
    I'm going to focus my oral remarks today on data security 
and privacy. Year after year, these issues top the list of the 
FTC's consumer protection priorities. The Commission has 
challenged numerous privacy and data security practices under 
Section 5 of the FTC Act. Our program in these areas, which 
includes enforcement as well as consumer and business 
education, has been highly successful within the limits of our 
authority. But as mentioned, Section 5 is an imperfect tool.
    In my view, we need more authority. I support data security 
legislation that would give us three things: one, the ability 
to seek civil penalties to effectively deter unlawful conduct; 
two, jurisdiction over nonprofits and common carriers; and 
three, the authority to issue implementing rules under the 
Administrative Procedure Act.
    The Commission also urges the Congress to consider enacting 
privacy legislation that would be enforced by the FTC. While we 
remain committed to vigorously enforcing existing privacy-
related statutes, we are hopeful that Congress can craft 
legislation that would more seamlessly balance consumers' 
legitimate concerns regarding collection, use, and sharing of 
their data while providing the flexibility to foster 
competition and innovation to the benefit of consumers. This 
process understandably will involve difficult value judgments 
and tradeoffs that are appropriately left to the Congress. No 
matter the specific privacy or data-security laws that Congress 
enacts, the Commission commits to using its extensive 
experience and expertise to enforce them vigorously and 
enthusiastically.
    Irrespective of any new legislation, privacy and data 
security will continue to be a top enforcement priority for us, 
and we will use every tool in our existing arsenal to redress 
consumer harm to the extent we can under existing authority.
    To date, the Commission has brought more than 60 cases 
alleging that companies failed to reasonably protect their 
consumer data as well as more than 60 general privacy cases. 
Since I became Chairman, we have announced eight new 
enforcement actions, seven policy initiatives, and a Notice of 
Proposed Rulemaking to give active military consumers free 
credit monitoring. And we have launched our small business 
cyber education campaign. We have no intention of slowing down.
    The FTC also enforces the Privacy Shield Framework, a 
mechanism that enables data to be legally transferred from 
Europe to the United States. Our commitment to support the 
Privacy Shield Framework is unwavering, and we will continue to 
enforce and uphold it.
    Let me mention one additional item. The FTC has a tradition 
of self-critical examination, and our public hearings on 
Competition and Consumer Protection in the 21st Century are 
exploring whether we need to adjust our enforcement efforts, 
our priorities, and our policies in light of changes in the 
marketplace and new thinking.
    Issues we are discussing include whether we need to change 
the governing standard for antitrust enforcement, whether 
merger enforcement has been too lax; our remedial authority, 
whether it's sufficient with respect to privacy and data 
security; and many other critical issues. The comments and 
discussions on these issues will inform the FTC's enforcement 
and policy priorities.
    We are committed to maximizing our resources to enhance our 
effectiveness in protecting consumers and promoting 
competition, to anticipate and to respond to changes in the 
marketplace, and to meet current and future challenges.
    We look forward to working with the Subcommittee and the 
Congress, and I would be happy to answer your questions. Thank 
you.
    [The prepared statement of the Federal Trade Commission 
follows:]

           Prepared Statement of the Federal Trade Commission
I. Introduction
    Chairman Moran, Ranking Member Blumenthal, and members of the 
Subcommittee, the Federal Trade Commission (``FTC'' or ``Commission'') 
is pleased to appear before you today to discuss the FTC's work to 
protect consumers and promote competition.\1\
---------------------------------------------------------------------------
    \1\ This written statement presents the views of the Federal Trade 
Commission. The oral statements and responses to questions reflect the 
views of individual Commissioners, and do not necessarily reflect the 
views of the Commission or any other Commissioner.
---------------------------------------------------------------------------
    The FTC is an independent agency with three main bureaus: the 
Bureau of Consumer Protection (``BCP''); the Bureau of Competition 
(``BC''); and the Bureau of Economics (``BE''), which supports both BCP 
and BC. The FTC is the only Federal agency with a broad mission to both 
protect consumers and maintain competition in most sectors of the 
economy. Its jurisdiction ranges from privacy and data security, to 
mergers and acquisitions, to anticompetitive tactics by pharmaceutical 
and other companies. We enforce the law across a range of sectors, 
including high technology and emerging industries. The FTC has a long 
history of bipartisanship and cooperation, and we work hard to maintain 
it.
    The FTC has broad law enforcement responsibilities under the 
Federal Trade Commission Act,\2\ and enforces a wide variety of other 
laws, ranging from the Clayton Act to the Fair Credit Reporting Act. In 
total, the Commission has enforcement or administrative 
responsibilities under more than 70 laws.\3\ The Commission pursues a 
vigorous and effective law enforcement program, and the impact of its 
work is significant. In addition to its consumer protection work, its 
competition enforcement program is critically important to maintaining 
competitive markets across the country; vigorous competition results in 
lower prices, higher quality goods and services, and innovative and 
beneficial new products and services.
---------------------------------------------------------------------------
    \2\ 15 U.S.C. Sec. 41 et seq.
    \3\ See https://www.ftc.gov/enforcement/statutes.
---------------------------------------------------------------------------
    The FTC investigates and prosecutes those engaging in unfair or 
deceptive acts or practices or unfair methods of competition, and seeks 
to do so without impeding lawful business activity. The agency has a 
varied toolkit to advance its mission. For example, the Commission 
collects consumer complaints from the public and maintains one of the 
most extensive consumer protection complaint databases, Consumer 
Sentinel. The FTC and other federal, state, and local law enforcement 
agencies use these complaints in their law enforcement and policy 
efforts. The FTC also has rulemaking authority. In addition to the 
FTC's Magnuson-Moss rulemaking authority, Congress has given the agency 
discrete rulemaking authority under the Administrative Procedure Act 
(``APA'') over specific topics. The agency regularly analyzes its 
rules, including seeking public feedback, to ensure their continued 
efficacy. The FTC also educates consumers and businesses to encourage 
informed consumer choices, compliance with the law, and public 
understanding of the competitive process. Through its research, 
advocacy, education, and policy work, the FTC seeks to promote an 
honest and competitive marketplace and works with foreign counterparts 
to harmonize competition and consumer protection laws across the globe.
    To complement its enforcement efforts, the FTC pursues a consumer 
protection and competition policy and research agenda to improve agency 
decision-making, and engages in advocacy and education initiatives. 
This past September, the Commission began holding its Hearings on 
Competition and Consumer Protection in the 21st Century.\4\ These 
multi-day, multi-part public hearings are exploring whether broad-based 
changes in the economy, evolving business practices, new technologies, 
or international developments might require adjustments to competition 
and consumer protection law, enforcement priorities, and policy. To 
date, we have heard from more than 200 panelists and received more than 
700 public comments. This project is ongoing, and the FTC will continue 
to hold public hearings through early 2019.
---------------------------------------------------------------------------
    \4\ FTC, Hearings on Competition and Consumer Protection in the 
21st Century, https://www.ftc.gov/policy/hearings-competition-consumer-
protection; see also FTC Press Release, FTC Announces Hearings On 
Competition and Consumer Protection in the 21st Century (June 20, 
2018), https://www.ftc.gov/news-events/press-releases/2018/06/ftc-
announces-hearings-competi
tion-consumer-protection-21st.
---------------------------------------------------------------------------
    This testimony provides a short overview of the FTC's work to 
protect U.S. consumers and competition, including highlights of some of 
the agency's major recent activities and initiatives. It also discusses 
the Commission's international efforts to protect consumers and promote 
competition.
II. Consumer Protection Mission
    As the Nation's primary consumer protection agency, the FTC has a 
broad mandate to protect consumers from unfair, deceptive, or 
fraudulent practices in the marketplace. It does this by, among other 
things, pursuing law enforcement actions to stop unlawful practices, 
and educating consumers and businesses about their rights and 
responsibilities. The FTC's enforcement and education efforts include 
working closely with federal, state, international, and private sector 
partners on joint initiatives. The Commission's structure, research 
capacity, and committed staff enable it to pursue its mandate of 
protecting consumers and competition in an ever-changing marketplace. 
Among other issues, the FTC works to protect privacy and data security, 
helps ensure that advertising claims to consumers are truthful and not 
misleading, addresses fraud across most sectors of the economy, and 
combats illegal robocalls.
    The FTC's law enforcement orders prohibit defendants from engaging 
in further illegal activity, impose data security and other compliance 
obligations, and in some cases, ban defendants from engaging in certain 
conduct altogether. When possible, the FTC collects money to return to 
harmed consumers. During FY 2018, Commission actions resulted in over 
$1.6 billion being returned to consumers. Specifically, the Commission 
returned more than $83.3 million in redress to consumers, and FTC 
orders--including in the Volkswagen,\5\ Amazon,\6\ and NetSpend\7\ 
matters--required defendants to self-administer consumer refund 
programs worth more than $1.6 billion. The FTC also collected civil 
penalties worth more than $2.4 million pursuant to these orders in FY 
2018. In addition, the Commission deposited an additional $8.5 million 
into the U.S. Treasury.
---------------------------------------------------------------------------
    \5\ FTC v. Volkswagen Group of America, Inc., No. 3:15-md-02672-CRB 
(N.D. Cal. May 17, 2017), https://www.ftc.gov/enforcement/cases-
proceedings/162-3006/volkswagen-group-america
-inc.
    \6\ FTC v. Amazon.com, Inc., No. 2:14-cv-01038 (W.D. Wash. Apr. 4, 
2017), https://www.ftc.gov/enforcement/cases-proceedings/122-3238/
amazoncom-inc.
    \7\ FTC v. NetSpend Corp., No. 1:16-cv-04203-AT (N.D. Ga. Apr. 10, 
2017), https://www.ftc
.gov/enforcement/cases-proceedings/netspend-corporation.
---------------------------------------------------------------------------
A. Protecting Consumer Privacy and Data Security
    The FTC has served as the primary Federal agency charged with 
protecting consumer privacy, dating back to the 1970 enactment of the 
Fair Credit Reporting Act (``FCRA'').\8\ The FTC has played a key role 
enforcing this law, which protects sensitive data used for credit, 
employment, insurance, and other decisions from disclosure to 
unauthorized persons.
---------------------------------------------------------------------------
    \8\ 15 U.S.C. Sec. 1681.
---------------------------------------------------------------------------
    Beginning in the mid-1990s, with the development of the Internet as 
a commercial medium, the FTC expanded its focus on privacy to reflect 
the growing collection, use, and sharing of consumer data in the 
commercial marketplace. At that time, the FTC began concentrating on 
children's privacy, and in 1998, Congress enacted the Children's Online 
Privacy Protection Act to address the unique privacy and safety risks 
created when young children--those under 13 years of age--access the 
Internet.\9\ Since then, the Commission also has used Section 5 of the 
FTC Act,\10\ which empowers the Commission to take action against 
deceptive or unfair commercial practices,\11\ as its primary source of 
legal authority in the privacy and data security arena.
---------------------------------------------------------------------------
    \9\ Children's Online Privacy Protection Act of 1998, 15 U.S.C. 
Sec. Sec. 6501-6506.
    \10\ 15 U.S.C. Sec. 45.
    \11\ The Commission also enforces sector-specific statutes 
containing privacy and data security provisions, such as the Gramm-
Leach-Bliley Act (``GLB Act''), Pub. L. No. 106-102, 113 Stat. 1338 
(1999) (codified as amended in scattered sections of 12 and 15 U.S.C.), 
and the Children's Online Privacy Protection Act (``COPPA''), 15 U.S.C. 
Sec. Sec. 6501-6506.
---------------------------------------------------------------------------
    Year after year, privacy and data security top the list of consumer 
protection priorities at the Federal Trade Commission. These issues are 
critical to consumers and businesses alike. Press reports about privacy 
practices and data breaches are increasingly common--such as the 
reports about Facebook and Equifax, just to name two companies, both of 
which the FTC is currently investigating.\12\ Some consumers are 
concerned when their data are used in ways they do not expect or 
understand. Hackers and others seek to exploit vulnerabilities, obtain 
unauthorized access to consumers' sensitive information, and 
potentially misuse it in ways that can cause serious harms to consumers 
as well as businesses.
---------------------------------------------------------------------------
    \12\ See, e.g., Statement by the Acting Director of FTC's Bureau of 
Consumer Protection Regarding Reported Concerns about Facebook Privacy 
Practices (Mar. 26, 2018), https://www.ftc.gov/news-events/press-
releases/2018/03/statement-acting-director-ftcs-bureau-consumer-
protection.
---------------------------------------------------------------------------
    These incidents are not a new phenomenon. In fact, we have been 
hearing about data breaches for well over a decade. These incidents 
fuel the debate about both privacy and data security, and the best ways 
to ensure them. The FTC has long used its broad authority under Section 
5 of the FTC Act to address consumer harms arising from new 
technologies and business practices and consequently has challenged 
certain deceptive or unfair privacy and security practices.\13\ The 
FTC's privacy and data security program--which includes enforcement as 
well as consumer and business education--helps to promote a well-
functioning market.
---------------------------------------------------------------------------
    \13\ 15 U.S.C. Sec. 45(a). The FTC also enforces sector-specific 
statutes that protect certain health, credit, financial, and children's 
information. See 16 C.F.R. Part 318 (Health Breach Notification Rule); 
15 U.S.C. Sec. Sec. 1681-1681x (Fair Credit Reporting Act); 16 C.F.R. 
Parts 313-314 (Gramm-Leach-Bliley Privacy and Safeguards Rules), 
implementing 15 U.S.C. Sec. Sec. 6801-6809; 16 C.F.R. Part 312 
(Children's Online Privacy Protection Rule), implementing 15 U.S.C. 
Sec. Sec. 6501-6506.
---------------------------------------------------------------------------
    Privacy and data security will continue to be an enforcement 
priority at the Commission, and the agency will use every tool at its 
disposal to address consumer harm. Many of the FTC's investigations and 
cases in this arena involve complex facts and technologies and well-
financed defendants, often requiring outside experts, which can be 
costly. It is critical that the FTC have sufficient resources to 
support its investigative and litigation needs, including expert work, 
particularly as demands for enforcement in this area continue to grow.
    To date, the Commission has brought more than 60 cases alleging 
that companies failed to implement reasonable data security safeguards, 
as well as more than 60 general privacy cases.\14\ The FTC has 
aggressively pursued privacy and data security cases in myriad areas, 
including financial privacy, children's privacy, health privacy, and 
the Internet of Things.\15\
---------------------------------------------------------------------------
    \14\ See generally FTC, Privacy & Data Security Update: 2017 (Jan. 
2018), https://www.ftc.gov/reports/privacy-data-security-update-2017-
overview-commissions-enforcement-policy-initiatives.
    \15\ Id.
---------------------------------------------------------------------------
    For example, the Commission recently gave final approval to an 
expanded settlement with ride-sharing platform company Uber 
Technologies related to allegations that the company failed to 
reasonably secure sensitive consumer data stored in the cloud.\16\ As a 
result, an intruder allegedly accessed personal information about Uber 
customers and drivers, including more than 25 million names and e-mail 
addresses, 22 million names and mobile phone numbers, and 600,000 names 
and driver's license numbers. Under the final settlement, Uber must 
notify the FTC about future incidents and meet other order requirements 
relating to privacy or data security, with the threat of strong civil 
penalties if it fails to comply. And earlier this year, the Commission 
approved a settlement with PayPal, Inc. to resolve allegations that its 
Venmo peer-to-peer payment service misled consumers about their ability 
to control the privacy of their Venmo transactions and the extent to 
which their financial accounts were protected by ``bank grade security 
systems.'' \17\ Among other order requirements, Venmo must make certain 
disclosures to consumers or face the threat of civil penalties for the 
failure to do so.
---------------------------------------------------------------------------
    \16\ See Press Release, FTC, Federal Trade Commission Gives Final 
Approval to Settlement with Uber (Oct. 26, 2018), https://www.ftc.gov/
news-events/press-releases/2018/10/federal-trade-commission-gives-
final-approval-settlement-uber. Uber suffered a second, larger breach 
of drivers' and riders' data in October-November 2016, and failed to 
disclose that breach to consumers or the FTC for more than a year, 
despite being the subject of an ongoing FTC investigation of its data 
security practices during that time.
    \17\ PayPal, Inc., No. C-4651 (May 24, 2018), https://www.ftc.gov/
enforcement/cases-proceedings/162-3102/paypal-inc-matter.
---------------------------------------------------------------------------
    The Commission takes seriously its obligation to protect children's 
privacy. In the Commission's first children's privacy case involving 
Internet-connected toys, the FTC announced a settlement--including a 
$650,000 civil penalty--with electronic toy manufacturer VTech 
Electronics for violations of the Children's Online Privacy Protection 
Rule.\18\ The FTC alleged that the company collected children's 
personal information online without first obtaining parental consent, 
and failed to take reasonable steps to secure the data it 
collected.\19\
---------------------------------------------------------------------------
    \18\ U.S. v. VTech Elec. Ltd. et al., No. 1:18-cv-00114 (N.D. Ill. 
Jan. 8, 2018), https://www.ftc
.gov/enforcement/cases-proceedings/162-3032/vtech-electronics-limited.
    \19\ In addition to law enforcement, the FTC also undertakes policy 
initiatives, such as its workshop co-hosted with the Department of 
Education on educational technology and student privacy. See Student 
Privacy and Ed Tech (Dec. 1, 2017), https://www.ftc.gov/news-events/
events-calendar/2017/12/student-privacy-ed-tech.
---------------------------------------------------------------------------
    Section 5, however, is not without limitations. For example, 
Section 5 does not provide for civil penalties, reducing the 
Commission's deterrent capability. The Commission also lacks authority 
over non-profits and over common carrier activity, even though the acts 
or practices of these market participants often have serious 
implications for consumer privacy and data security. Finally, the FTC 
lacks broad APA rulemaking authority for data security generally.\20\ 
The Commission continues to reiterate its longstanding bipartisan call 
for comprehensive data security legislation.
---------------------------------------------------------------------------
    \20\ The Commission has been granted APA rulemaking authority for 
discrete topics such as children's privacy, financial data security, 
and certain provisions of credit reporting.
---------------------------------------------------------------------------
    The Commission also must continue to prioritize, examine, and 
address privacy and data security with a fresh perspective. Under the 
umbrella of the 21st Century Hearings, the Commission recently 
announced panels taking place over four days, specifically addressing 
consumer privacy and data security.\21\ The Commission's remedial 
authority with respect to privacy and data security will be a key topic 
in these panels, and the comments and discussions on these issues will 
be one source to inform the FTC's enforcement and policy priorities. In 
addition, the Commission recently announced its fourth PrivacyCon, an 
annual event that reviews evolving privacy and data security 
issues.\22\
---------------------------------------------------------------------------
    \21\ See Press Release, FTC, FTC Announces Sessions on Consumer 
Privacy and Data Security as Part of Its Hearings on Competition and 
Consumer Protection in the 21st Century (Oct. 26, 2018), https://
www.ftc.gov/news-events/press-releases/2018/10/ftc-announces-sessions-
consu
mer-privacy-data-security-part-its.
    \22\ See Press Release, FTC, FTC Announces PrivacyCon 2019 and 
Calls for Presentations (Oct. 24, 2018), https://www.ftc.gov/news-
events/press-releases/2018/10/ftc-announces-privacy
con-2019-calls-presentations.
---------------------------------------------------------------------------
    Recently, the European Union put into effect its General Data 
Protection Regulation (``GDPR''). GDPR, like the EU's data protection 
directive before it, imposes certain restrictions on the ability of 
companies to transfer consumer data from the EU to other jurisdictions. 
The EU-U.S. Privacy Shield Framework is a voluntary mechanism companies 
can use to promise certain protections for data transferred from Europe 
to the United States--and the FTC enforces the promises made by Privacy 
Shield participants under its jurisdiction.\23\ The Commission is 
committed to the success of the EU-U.S. Privacy Shield Framework, a 
critical tool for protecting privacy and enabling cross-border data 
flows. The FTC has actively enforced Privacy Shield--bringing four 
cases in just the last two months--and will continue to do so when 
Privacy Shield participants fail to meet their legal obligations.\24\ 
Chairman Simons recently participated, along with the Secretary of 
Commerce, in the second annual review of the functioning of the Privacy 
Shield framework with our European government counterparts. The 
Commission also will continue to work with the Department of Commerce, 
other agencies in the U.S. government, and with its partners in Europe 
to ensure businesses and consumers can continue to benefit from Privacy 
Shield.
---------------------------------------------------------------------------
    \23\ See www.privacyshield.gov and www.ftc.gov/tips-advice/
business-center/privacy-and-security/privacy-shield. Companies can also 
join a Swiss-U.S. Privacy Shield for transfers from Switzerland.
    \24\ See Press Release, FTC, FTC Reaches Settlements with Four 
Companies That Falsely Claimed Participation in the EU-U.S. Privacy 
Shield (Sept. 27, 2018), https://www.ftc.gov/news-events/press-
releases/2018/09/ftc-reaches-settlements-four-companies-falsely-
claimed.
---------------------------------------------------------------------------
    Finally, the Commission urges Congress to consider enacting privacy 
legislation that would be enforced by the FTC. While the agency remains 
committed to vigorously enforcing existing privacy-related statutes, 
Congress may be able to craft Federal legislation that would more 
seamlessly address consumers' legitimate concerns regarding the 
collection, use, and sharing of their data and provide greater clarity 
to businesses while retaining the flexibility required to foster 
competition and innovation. The Commission and its staff are prepared 
to share our expertise and assist with formulating appropriate 
legislation, as we did with the Children's Online Privacy Protection 
Act, CAN-SPAM, and the Gramm-Leach-Bliley Act. This process 
understandably will involve difficult value judgments and tradeoffs 
that are appropriately left to Congress. No matter the specific laws 
Congress enacts in the privacy and/or data security arenas, the 
Commission commits to using its extensive expertise and experience to 
enforce them vigorously, consistent with its ongoing and bipartisan 
emphasis on privacy and data security enforcement.
B. Truthfulness in National Advertising
    Ensuring that advertising is truthful and not misleading has always 
been one of the FTC's core missions because it allows consumers to make 
well-informed decisions about how to best use their resources and 
promotes the efficient functioning of market forces by promoting the 
dissemination of accurate information. Below are a few recent examples 
of the Commission's work in this area.
    This past year, the agency has continued to bring cases challenging 
false and unsubstantiated health claims, including those targeting 
older consumers, consumers affected by the opioid crisis, and consumers 
with serious medical conditions. The Commission has brought cases 
challenging products that claim to improve memory and ward off 
cognitive decline, relieve joint pain and arthritis symptoms, and even 
reverse aging.\25\ We have challenged bogus claims that treatments 
could cure, treat, or mitigate various serious diseases and ailments, 
including those affecting children and older consumers.\26\ The 
Commission also has sued companies that claimed, allegedly without 
scientific evidence, that using their products could alleviate the 
symptoms of opioid withdrawal and increase the likelihood of overcoming 
opioid dependency.\27\ Finally, the Commission obtained an order 
barring a marketer from making deceptive claims about its products' 
ability to mitigate the side effects of cancer treatments.\28\
---------------------------------------------------------------------------
    \25\ See, e.g., Telomerase Activation Sci., Inc. et al., No. C-4644 
(Apr. 19, 2018), https://www.ftc.gov/enforcement/cases-proceedings/142-
3103/telomerase-activation-sciences-inc-noel-thomas-patton-matter; FTC 
v. Health Research Labs., Inc., No. 2:17-cv-00467 (D. Maine Nov. 30, 
2017), https://www.ftc.gov/enforcement/cases-proceedings/152-3021/
health-research-laboratories-llc.
    \26\ FTC v. Regenerative Med. Grp., Inc., No. 8:18-cv-01838 (C.D. 
Cal. filed Oct. 12, 2018), https://www.ftc.gov/enforcement/cases-
proceedings/172-3062/regenerative-medicalgroup-inc; A&O Enters., Inc., 
No. 1723016 (Sept. 20, 2018), https://www.ftc.gov/enforcement/cases-
proceedings/172-3016/ao-enterprises-doing-business-iv-bars-aaron-k-
roberts-matter.
    \27\ FTC v. Catlin Enters., Inc., No. 1:17-cv-403 (W.D. Tex. May 
17, 2017), https://www.ftc.gov/enforcement/cases-proceedings/1623204/
catlin-enterprises-inc. In addition, in conjunction with the FDA, the 
FTC issued letters to companies that appeared to be making questionable 
claims in order to sell addiction or withdrawal remedies. See Press 
Release, FTC, FTC, FDA Warn Companies about Marketing and Selling 
Opioid Cessation Products (Jan. 24, 2018), https://www.ftc.gov/news-
events/press-releases/2018/01/ftc-fda-warn-companies-about-marketing-
selling-opioid-cessation.
    \28\ FTC v. CellMark Biopharm, No. 2:18-cv-00014-JES-CM (M.D. Fla. 
Jan. 12, 2018), https://www.ftc.gov/enforcement/cases-proceedings/162-
3134/cellmark-biopharma-derek-e-vest.
---------------------------------------------------------------------------
    When consumers with serious health concerns fall victim to 
unsupported health claims, they may put their health at risk by 
avoiding proven therapies and treatments. Through consumer education, 
including the FTC's advisories, the agency urges consumers to check 
with a medical professional before starting any treatment or product to 
treat serious medical conditions.\29\
---------------------------------------------------------------------------
    \29\ FTC Consumer Blog, Treatments and Cures, https://
www.consumer.ftc.gov/topics/treatments-cures.
---------------------------------------------------------------------------
    The FTC also protects consumers from illegal practices in the 
financial area. For example, last month, the Commission alleged that 
online student loan refinancer Social Finance made deceptive claims 
about the average savings members could achieve by refinancing--
sometimes doubling the average savings.\30\ The Commission also filed a 
complaint against Lending Club, an online lender, alleging that its 
marketing was deceptive because it claimed its loans had ``no hidden 
fees,'' when in fact consumers later learned they were charged 
hundreds, and even thousands, of dollars in origination fees.\31\
---------------------------------------------------------------------------
    \30\ Press Release, FTC, Online Student Loan Refinance Company SoFi 
Settles FTC Charges, Agrees to Stop Making False Claims About Loan 
Refinancing Savings (Oct. 28, 2018), https://www.ftc.gov/news-events/
press-releases/2018/10/online-student-loan-refinance-company-sofi-
settles-ftc-charges.
    \31\ FTC v. Lending Club Corp., No. 3:18-cv-02454 (N.D. Cal. Apr. 
25, 2018), https://www.ftc.gov/enforcement/cases-proceedings/162-3088/
federal-trade-commission-v-lendingclub-corporation.
---------------------------------------------------------------------------
C. Protecting Consumers from Fraud
    Fighting fraud is a major focus of the FTC's law enforcement 
efforts. The Commission's anti-fraud program tracks down and stops some 
of the most egregious scams that prey on U.S. consumers--often, the 
most vulnerable consumers who can least afford to lose money. For 
example, reports about imposter scams have been on the rise over the 
past few years, and many of these scams target older Americans.\32\ 
Fraudsters falsely claiming to be government agents (including the IRS 
and even the FTC), family members, or well-known tech companies contact 
consumers and pressure them to send money, often via cash-like payment 
methods such as gift cards or money transfers, or trick them into 
providing personal information. Fraudsters also target small 
businesses, sometimes cold-calling businesses to ``collect'' on 
invoices they do not owe.
---------------------------------------------------------------------------
    \32\ FTC Fiscal Year 2019 Congressional Budget Justification, 
https://www.ftc.gov/reports/fy-2019-congressional-budget-justification.
---------------------------------------------------------------------------
    In 2017, the FTC joined federal, state, and international law 
enforcement partners in announcing ``Operation Tech Trap,'' a 
nationwide and international crackdown on tech support scams that dupe 
consumers into believing their computers are infected with viruses and 
malware, and then charge them hundreds of dollars for unnecessary 
repairs.\33\ The FTC brought actions to shut down these deceptive 
operations and also developed consumer education materials to help 
consumers avoid falling victim to tech support scams in the first 
place.\34\ This past June, the FTC announced ``Operation Main Street,'' 
an initiative to stop small business scams. The FTC, jointly with the 
offices of two U.S. Attorneys' Offices, the New York Division of the 
U.S. Postal Inspection Service, eight state Attorneys General, and the 
Better Business Bureau, announced 24 actions targeting fraud aimed at 
small businesses and released new education materials to help small 
businesses identify and avoid potential scams.\35\
---------------------------------------------------------------------------
    \33\ Press Release, FTC, FTC and Federal, State and International 
Partners Announce Major Crackdown on Tech Support Scams (May 12, 2017), 
https://www.ftc.gov/news-events/press-releases/2017/05/ftc-federal-
state-international-partners-announce-major-crackdown. ``Operation Tech 
Trap'' is just one example of a law enforcement ``sweep''--coordinated, 
simultaneous law enforcement actions with partners--that the FTC uses 
to leverage resources to maximize effects. Another example of a recent 
sweep is ``Game of Loans,'' the first coordinated federal-state law 
enforcement initiative targeting deceptive student loan debt relief 
scams. Press Release, FTC, State Law Enforcement Partners Announce 
Nationwide Crackdown on Student Loan Debt Relief Scams (Oct.13, 2017), 
https://www.ftc.gov/news-events/press-releases/2017/10/ftc-state-law-
enforcement-partners-announce-nationwide-crackdown.
    \34\ FTC Guidance, Tech Support Scams (July 2017), https://
www.consumer.ftc.gov/articles/0346-tech-support-scams#How.
    \35\ Press Release, FTC, FTC, BBB, and Law Enforcement Partners 
Announce Results of Operation Main Street: Stopping Small Business 
Scams Law Enforcement and Education Initiative (June 18, 2018), https:/
/www.ftc.gov/news-events/press-releases/2018/06/ftc-bbb-law-
enforcement-partners-announce-results-operation-main.
---------------------------------------------------------------------------
    In September, the Commission brought an action against Sunkey 
Publishing, alleging that the lead generation operation falsely claimed 
to be affiliated with the military and promised to use consumers' 
information only for military recruitment purposes. Instead, the FTC 
alleged that Sunkey used the information it collected to make millions 
of illegal telemarketing calls and sold the information to post-
secondary schools.\36\ This action is part of the FTC's work in the 
area of lead generation, which is the process of identifying and 
cultivating individual consumers who are potentially interested in 
purchasing a product or service.\37\
---------------------------------------------------------------------------
    \36\ Press Release, FTC, FTC Takes Action against the Operators of 
Copycat Military Websites (Sept. 6, 2018), https://www.ftc.gov/news-
events/press-releases/2018/09/ftc-takes-action-agai
nst-operators-copycat-military-websites.
    \37\ See generally FTC Staff Perspective, ``Follow the Lead'' 
Workshop (Sept. 2016), https://www
.ftc.gov/system/files/documents/reports/staff-perspective-follow-lead/
staff_perspective_follow_
the_lead_workshop.pdf.
---------------------------------------------------------------------------
    The FTC strives to stay ahead of scammers, who are always on the 
lookout for new ways to market old schemes. For example, there has been 
an increase in frauds involving cryptocurrencies--digital assets that 
use cryptography to secure or verify transactions.\38\ The Commission 
has worked to educate consumers about cryptocurrencies and hold 
fraudsters accountable.\39\ In March, the FTC halted the operations of 
Bitcoin Funding Team, which allegedly falsely promised that 
participants could earn large returns by enrolling in moneymaking 
schemes and paying with cryptocurrency.\40\ And in June, the FTC hosted 
a workshop to explore how scammers are exploiting public interest in 
cryptocurrencies like Bitcoin and Litecoin, and discussed ways to 
empower and protect consumers against this growing threat.\41\
---------------------------------------------------------------------------
    \38\ See, e.g., FTC, What to Know About Cryptocurrency (Oct. 2018), 
https://www.consumer
.ftc.gov/articles/what-know-about-cryptocurrency.
    \39\ See, e.g., FTC Consumer Blog, Know the risks before investing 
in cryptocurrencies, https://www.ftc.gov/news-events/blogs/business-
blog/2018/02/know-risks-investing-cryptocurrencies; FTC Consumer Blog, 
Protecting your devices from cryptojacking, https://
www.consumer.ftc.gov/blog/2018/06/protecting-your-devices-
cryptojacking.
    \40\FTC v. Thomas Dluca, et al., (Bitcoin Funding Team), No. 0:18-
cv-60379-KMM (S.D.N.Y. Mar. 16, 2018), https://www.ftc.gov/enforcement/
cases-proceedings/172-3107/federal-trade-com
mission-v-thomas-dluca-et-al-bitcoin-funding.
    \41\ FTC Workshop, Decrypting Cryptocurrency Scams (June 25, 2018), 
https://www.ftc.gov/news-events/events-calendar/2018/06/decrypting-
cryptocurrency-scams.
---------------------------------------------------------------------------
    In addition to targeting scammers, the FTC also brings actions 
against companies that facilitate fraud, often by ignoring red flags 
associated with fraudulent transactions. Money transfers are a 
preferred method of payment for fraudsters because money sent through 
money transfer systems can be retrieved quickly at locations all over 
the world, and once retrieved, the money is all but impossible to 
recover. Earlier this month, MoneyGram agreed to pay $125 million to 
settle allegations that the company failed to take steps required under 
a 2009 FTC order to crack down on fraudulent money transfers that cost 
U.S. consumers millions of dollars, and also to resolve allegations 
that the company violated a 2012 deferred prosecution agreement with 
the U.S. Department of Justice (``DOJ'').\42\
---------------------------------------------------------------------------
    \42\ Press Release, FTC, MoneyGram Agrees to Pay $125 Million to 
Settle Allegations that the Company Violated the FTC's 2009 Order and 
Breached a 2012 DOJ Deferred Prosecution Agreement (Nov. 8, 2018), 
https://www.ftc.gov/news-events/press-releases/2018/11/moneygram-
agrees-pay-125-million-settle-allegations-company; see also FTC v. The 
Western Union Co., No. 1:17-cv-00110 (M.D. Pa. Jan. 19, 2017), https://
www.ftc.gov/enforcement/cases-proceedings/122-3208/western-union-
company.
---------------------------------------------------------------------------
D. Illegal Robocalls
    Illegal robocalls also remain a significant consumer protection 
problem and consumers' top complaint to the FTC. They repeatedly 
disturb consumers' privacy, and frequently use fraud and deception to 
pitch goods and services, leading to significant economic harm. In FY 
2018, the FTC 1received more than 3.7 million robocall complaints.\43\ 
The FTC has used many methods to fight these illegal calls, including 
136 enforcement actions to date.\44\ Technological advances, however, 
have allowed bad actors to place millions or even billions of calls, 
often from abroad, at very low cost, and in ways that are difficult to 
trace. This phenomenon continues to infuriate consumers and challenge 
enforcers.
---------------------------------------------------------------------------
    \43\ Total unwanted-call complaints for FY 2017, including both 
robocall complaints and complaints about live calls from consumers 
whose phone numbers are registered on the Do Not Call Registry, 
exceeded 7 million. See Do Not Call Registry Data Book 2017: Complaint 
Figures for FY 2017, https://www.ftc.gov/reports/national-do-not-call-
registry-data-book-fiscal-year-2017.
    \44\ See FTC Robocall Initiatives, https://www.consumer.ftc.gov/
features/feature-0025-robocalls. Since establishing the Do Not Call 
Registry in 2003, the Commission has fought vigorously to protect 
consumers' privacy from unwanted calls. Indeed, since the Commission 
began enforcing the Do Not Call provisions of the Telemarketing Sales 
Rule (``TSR'') in 2004, the Commission has brought 136 enforcement 
actions seeking civil penalties, restitution for victims of 
telemarketing scams, and disgorgement of ill-gotten gains against 444 
corporations and 358 individuals. As a result of the 125 cases resolved 
thus far, the Commission has collected over $121 million in equitable 
monetary relief and civil penalties. See Enforcement of the Do Not Call 
Registry, https://www.ftc.gov/news-events/media-resources/do-not-call-
registry/enforcement. In August, the FTC and its law enforcement 
partners achieved an historic win in a long-running fight against 
unwanted calls when a Federal district court in Illinois issued an 
order imposing a $280 million penalty against Dish Network--the largest 
penalty ever issued in a Do Not Call case. U.S. et al., v. Dish 
Network, L.L.C., No. 309-cv-03073-JES-CHE (C.D. Ill. Aug. 10, 2017), 
https://www.ftc.gov/enforcement/cases-proceedings/052-3167/dish-
network-llc-united-states-america-federal-trade.
---------------------------------------------------------------------------
    Part of the huge uptick in illegal calls, including robocalls, is 
attributable to relatively recent technological developments that 
facilitate telemarketing without requiring a significant capital 
investment in specialized hardware and labor.\45\ Today, robocallers 
benefit from automated dialing technology, inexpensive international 
and long distance calling rates, and the ability to move 
internationally and employ cheap labor. The result: law-breaking 
telemarketers can place robocalls for a fraction of one cent per 
minute. Moreover, technological changes have also affected the 
marketplace by enabling telemarketers to conceal their identities and 
``spoof'' caller IDs when they place calls.\46\
---------------------------------------------------------------------------
    \45\ FTC Workshop, Robocalls: All the Rage (Oct. 18, 2012), https:/
/www.ftc.gov/news-events/events-calendar/2012/10/robocalls-all-rage-
ftc-summit. A transcript of the workshop is available at https://
www.ftc.gov/sites/default/files/documents/public_events/robocalls-all-
rage-ftc-summit/robocallsummittranscript.pdf.
    \46\ Recently, the FTC filed a complaint against two related 
operations and their principals who allegedly facilitated billions of 
illegal robocalls to consumers nationwide. The complaint charged that 
these operations provided the computer-based dialing platform and 
``spoofed'' caller IDs for robocallers to pitch everything from auto 
warranties to home security systems and supposed debt-relief services. 
FTC v. James Christiano et al., No. 8:18-cv-00936 (C.D. Cal. June 5, 
2018), https://www.ftc.gov/enforcement/cases-proceedings/162-3124/
james-christiano-et-al-netdotsolutions-inc.
---------------------------------------------------------------------------
    Recognizing that law enforcement, while critical, is not enough to 
solve the problem of illegal calls, the FTC has taken steps to spur the 
marketplace to develop technological solutions. For instance, from 2013 
to 2015, the FTC led four public challenges to incentivize innovators 
to help tackle the unlawful robocalls that plague consumers.\47\ The 
FTC's challenges contributed to a shift in the development and 
availability of technological solutions in this area, particularly 
call-blocking and call-filtering products. Consumers can access 
information about potential solutions available to them on the FTC's 
website.\48\
---------------------------------------------------------------------------
    \47\ The first challenge, in 2013, called upon the public to 
develop a consumer-facing solution to block illegal robocalls. One of 
the winners, ``NomoRobo,'' was on the market within 6 months after 
being selected by the FTC. NomoRobo, which reports blocking over 600 
million calls to date, is being offered directly to consumers by a 
number of telecommunications providers and is available as an app on 
iPhones. See Press Release, FTC, FTC Announces Robocall Challenge 
Winners (Apr. 2, 2013), https://www.ftc.gov/news-events/press-releases/
2013/04/ftc-announces-robocall-challenge-winners; see also Press 
Release, FTC, FTC Awards $25,000 Top Cash Prize for Contest-Winning 
Mobile App That Blocks Illegal Robocalls (Aug. 17, 2015), https://
www.ftc.gov/news-events/press-releases/2015/08/ftc-awards-25000-top-
cash-prize-contest-winning-mobile-app-blocks; Press Release, FTC, FTC 
Announces Winners of ``Zapping Rachel'' Robocall Contest (Aug. 28, 
2014), https://www.ftc.gov/news-events/press-releases/2014/08/ftc-
announces-winners-zapping-rachel-robocall-contest.
    \48\ See https://www.consumer.ftc.gov/features/how-stop-unwanted-
calls.
---------------------------------------------------------------------------
    In addition, the FTC regularly works with its state, federal, and 
international partners to combat illegal robocalls. For example, this 
spring the FTC and the Federal Communications Commission (``FCC'') co-
hosted a Joint Policy Forum on illegal robocalls to discuss the 
regulatory and enforcement challenges posed by this activity, as well 
as a public expo featuring new technologies, devices, and applications 
to minimize or eliminate the number of illegal robocalls that consumers 
receive.\49\ As described in more detail in the International 
Cooperation section, the Commission also participated in several 
international initiatives focusing on robocalls and other calling 
abuses.\50\
---------------------------------------------------------------------------
    \49\ Press Release, FTC, FTC and FCC to Host Joint Policy Forum on 
Illegal Robocalls (Mar. 22, 2018), www.ftc.gov/news-events/press-
releases/2018/03/ftc-fcc-host-joint-policy-forum-illegal-robocalls; 
Press Release, FTC, FTC and FCC Seek Exhibitors for an Expo Featuring 
Technologies to Block Illegal Robocalls (Mar. 7, 2018), www.ftc.gov/
news-events/press-releases/2018/03/ftc-fcc-seek-exhibitors-expo-
featuring-technologies-block-illegal.
    \50\ See, e.g., Memorandum of Understanding Among Public 
Authorities of the Unsolicited Communications Enforcement Network 
Pertaining to Unlawful Telecommunications and SPAM (May 2016), https://
www.ftc.gov/policy/cooperation-agreements/international-unlawful-
telecommunications-spam-enforcement-cooperation; Press Release, FTC, 
FTC Signs Memorandum of Understanding With Canadian Agency To 
Strengthen Cooperation on Do Not Call, Spam Enforcement (Mar. 24, 
2016), https://www.ftc.gov/news-events/press-releases/2016/03/ftc-
signs-memoran
dum-understanding-canadian-agency-strengthen
---------------------------------------------------------------------------
    Also, for many years, the Commission has testified in favor of 
eliminating the common carrier exemption. The exemption is outdated and 
no longer makes sense in today's marketplace where the lines between 
telecommunications and other services are increasingly blurred. It 
impedes the FTC's work tackling illegal robocalls and more broadly 
circumscribes other enforcement initiatives. For example, a carrier 
that places, or assists and facilitates, illegal telemarketing may be 
beyond the Commission's reach because of the common carrier exemption. 
Likewise, the exemption may frustrate the Commission's ability to 
obtain complete relief for consumers when there are multiple parties, 
some of whom are common carriers. It also may pose difficulties when a 
company engages in deceptive or unfair practices involving a mix of 
common carrier and non-common carrier activities. Finally, litigation 
has been complicated by entities that attempt to use their purported 
status as common carriers to shield themselves from FTC 
enforcement.\51\
---------------------------------------------------------------------------
    \51\ See, e.g., Answer and Affirmative Defenses of Defendant 
Pacific Telecom Communications Group at 9, 17-20, Dkt. 19, FTC et al., 
v. Carribbean Cruise Line et al., No. 0:15-cv-60423 (S.D. Fla. June 2, 
2015), https://www.ftc.gov/enforcement/cases-proceedings/122-3196-
x150028/caribbean-cruise-line-inc.
---------------------------------------------------------------------------
E. Consumer and Business Education and Outreach
    Public outreach and education is another critical element of the 
FTC's efforts to fulfill its consumer protection mission. The 
Commission's education and outreach programs reach tens of millions of 
people each year through the FTC's website, the media, and partner 
organizations that disseminate consumer information on the agency's 
behalf. The FTC delivers actionable, practical, plain-language guidance 
on dozens of issues, and updates its consumer education materials 
whenever it has new information to share. The FTC disseminates these 
tips through articles, blog posts, social media, infographics, videos, 
audio, and campaigns. For example, in response to the enactment of the 
Economic Growth, Regulatory Relief, and Consumer Protection Act,\52\ 
which allows consumers to freeze their credit and place one-year fraud 
alerts for free, the Commission updated its IdentityTheft.gov website 
to help consumers take advantage of the new protections.\53\
---------------------------------------------------------------------------
    \52\ Pub. L. No: 115-174.
    \53\ See, Press Release, FTC, Starting Today, New Federal Law 
Allows Consumers to Place Free Credit Freezes and Yearlong Fraud Alerts 
(Sept. 21, 2018), https://www.ftc.gov/news-events/press-releases/2018/
09/starting-today-new-law-allows-consumers-place-free-credit-freezes.
---------------------------------------------------------------------------
    Among the key audiences served by the FTC are older adults, as 
described in a recent report to Congress that details how older adults 
experience scams.\54\ For example, according to the FTC's 2017 data, 
people 60 and over are much more likely to report fraud than people in 
their 20s, but far less likely to say they lost money.\55\ However, 
when people 80 and over report losing money to a scam, they lose much 
more than do their younger counterparts.\56\ As a response to older 
adults' experience with scams, the FTC created its Pass It On 
campaign,\57\ which gives older adults the information they need to 
start a conversation about scams with family and friends.
---------------------------------------------------------------------------
    \54\ FTC Report, Protecting Older Consumers: 2017-2018 (Oct. 2018), 
https://www.ftc.gov/reports/protecting-older-consumers-2017-2018-
report-congress-federal-trade-commission.
    \55\ Id. at 5.
    \56\ Id. at 6.
    \57\ See www.ftc.gov/PassItOn and www.ftc.gov/Pasalo. The campaign 
has distributed more than 9.5 million print publications since its 
creation, including 2.2 million in Fiscal Year 2018.
---------------------------------------------------------------------------
    The Commission also works to provide companies with resources on a 
variety of issues that affect businesses. Just last month, we released 
our ``Cybersecurity for Small Business'' campaign, based on concerns we 
heard from small businesses. The campaign discusses a dozen need-to-
know topics, such as ``Cybersecurity Basics,'' ``Tech Support Scams,'' 
and ``Hiring a Web Host.'' \58\
---------------------------------------------------------------------------
    \58\ See Cybersecurity Resources for Your Small Business (Oct. 18, 
2018), https://www.ftc.gov/news-events/blogs/business-blog/2018/10/
cybersecurity-resources-your-small-business.
---------------------------------------------------------------------------
III. Competition Mission
    In addition to the work of BCP described above, the FTC enforces 
U.S. antitrust law in many sectors that directly affect consumers and 
their wallets, such as health care, consumer products and services, 
technology, manufacturing, and energy. The Commission shares Federal 
antitrust enforcement responsibilities with the Antitrust Division of 
the Department of Justice.
    One of the agencies' principal responsibilities is to prevent 
mergers that may substantially lessen competition. Under U.S. law, 
parties to certain mergers and acquisitions must file premerger 
notification and observe the statutorily prescribed waiting period 
before consummating their transactions. Premerger filings under the 
Hart-Scott-Rodino (``HSR'') Act have increased steadily since FY 2013. 
In FY 2017, the antitrust agencies received over 2,000 HSR filings for 
the first time since 2007, bringing filings in the past Fiscal Year to 
the average over the past 20 years.\59\ The vast majority of reported 
transactions do not raise competitive concerns and the agencies clear 
those non-problematic transactions expeditiously. But when the evidence 
gives the Commission reason to believe that a proposed merger likely 
would be anticompetitive, it does not hesitate to intervene. Since the 
beginning of FY 2017, the Commission has challenged 45 mergers after 
the evidence showed that they would likely harm consumers. Although 
many of these cases were resolved through divestiture settlements, in 
FY 2018 alone, the Commission voted to initiate litigation to block 
five mergers, each of which has required a significant commitment of 
resources. Three of the challenges ended successfully when the parties 
abandoned the transactions before the district court could issue a 
decision,\60\ while the other two are still being litigated.\61\ In two 
of these matters, a federal district court granted the Commission's 
motion for a preliminary injunction pending an administrative trial, 
and issued a decision resolving important issues of merger law.\62\
---------------------------------------------------------------------------
    \59\ In FY 2017, the agencies received notice of 2,052 
transactions, compared with 1,326 in FY 2013 and 2,201 in FY 2007. For 
historical information about HSR filings and U.S. merger enforcement, 
see the joint FTC/DOJ Hart-Scott-Rodino annual reports, https://
www.ftc.gov/policy/reports/policy-reports/annual-competition-reports.
    \60\ FTC v. DraftKings, Inc., No. 17-cv-01195 (D.D.C. June 19, 
2017), https://www.ftc.gov/enforcement/cases-proceedings/161-0174/
draftkings-fanduel-ftc-state-california-district-columbia-v; Press 
Release, FTC, FTC Challenges Proposed Acquisition of Conagra's Wesson 
Cooking Oil Brand by Crisco owner, J.M. Smucker Co., (Mar. 5, 2018), 
https://www.ftc.gov/news-events/press-releases/2018/03/ftc-challenges-
proposed-acquisition-conagras-wesson-cooking-oil; In re CDK Global & 
Auto/Mate, Dkt. 9382 (Mar. 20, 2018), https://www.ftc.gov/enforcement/
cases-proceedings/171-0156/cdk-global-automate-matter.
    \61\ Tronox Ltd., Dkt. 9377 (Dec. 5, 2017), https://www.ftc.gov/
enforcement/cases-proceedings/171-0085/tronoxcristal-usa; Otto Bock 
HealthCare North America, Inc., Dkt. 9378 (Dec. 20, 2017), https://
www.ftc.gov/enforcement/cases-proceedings/171-0231/otto-bock-
healthcarefree
dom-innovations.
    \62\ FTC v. Wilhelmsen, No. 1:18-cv-00414 (D.D.C. Feb. 23, 2018), 
https://www.ftc.gov/enforcement/cases-proceedings/171-0161/wilhelm-
wilhelmsen-et-al-ftc-v; FTC v. Tronox, Ltd., No. 1:18-cv-01622 (D.D.C. 
Jul. 10, 2018), https://www.ftc.gov/enforcement/cases-proceedings/171-
0085/tronox-limited-et-al-ftc-v.
---------------------------------------------------------------------------
    One increasing challenge for the Commission in litigating 
competition cases is the continuing need to hire testifying economic 
experts. Qualified experts are a critically important component in all 
of the FTC's competition cases heading toward litigation. While the 
agency thus far has managed to find sufficient resources to fund the 
experts needed to support its cases, the FTC is reaching the point 
where it cannot meet these needs without compromising its ability to 
fulfill other aspects of the agency's mission. The Commission 
appreciates Congress's attention to its resource needs, including the 
need to hire outside experts.
    The Commission also maintains a robust program to identify and stop 
anticompetitive conduct, and it currently has a number of cases in 
active litigation.\63\ For over twenty years and on a bipartisan basis, 
the Commission has prioritized ending anticompetitive reverse-payment 
patent settlements in which a brand-name drug firm pays its potential 
generic rival to delay entering the market with a lower cost generic 
product. Following the U.S. Supreme Court's 2013 decision in FTC v. 
Actavis, Inc.,\64\ the Commission is in a much stronger position to 
protect consumers. Since that ruling, the FTC obtained a landmark $1.2 
billion settlement in its litigation involving the sleep disorder drug, 
Provigil,\65\ and other manufacturers have agreed to abandon the 
practice.\66\ In addition, the Commission has challenged other 
anticompetitive conduct by drug manufacturers, including the abuse of 
government process through sham litigation or repetitive regulatory 
filings intended to slow the approval of competitive drugs.\67\ For 
example, a Federal court recently ruled that AbbVie Inc. used sham 
litigation illegally to maintain its monopoly over the testosterone 
replacement drug Androgel, and ordered $493.7 million in monetary 
relief to consumers who were overcharged for Androgel as a result of 
AbbVie's conduct.\68\ The Commission also obtained a stipulated 
injunction in which Mallinckrodt ARD Inc. agreed to pay $100 million 
and divest assets to settle charges that it had illegally acquired the 
rights to develop a drug that threatened its monopoly in the U.S. 
market for a specialty drug used to treat a rare seizure disorder 
afflicting infants.\69\
---------------------------------------------------------------------------
    \63\ In addition to the cases involving pharmaceutical firms 
discussed infra, pending litigation alleging anticompetitive conduct 
includes FTC v. Qualcomm, Inc., No. 17-cv-00220 (N.D. Cal. Jan. 17, 
2017), https://www.ftc.gov/enforcement/cases-proceedings/141-0199/
qualcomm-inc; In re 1-800 Contacts, Inc., Dkt. 9372 (Aug. 8, 2016), 
https://www.ftc.gov/enforcement/cases-proceedings/141-0200/1-800-
contacts-inc-matter; In re Louisiana Real Estate Appraisers Board, Dkt. 
9374 (May 31, 2017), https://www.ftc.gov/enforcement/cases-proceedings/
161-0068/louisiana-real-estate-appraisers-board; In re Benco Dental 
Supply et al., Dkt. 9379 (Feb. 12, 2018), https://www.ftc.gov/
enforcement/cases-proceedings/151-0190/bencoscheinpatterson-matter.
    \64\ FTC v. Actavis, Inc., 570 U.S. 756 (2013).
    \65\ Press Release, FTC, FTC Settlement of Cephalon Pay for Delay 
Case Ensures $1.2 Billion in Ill-Gotten Gains Relinquished; Refunds 
Will Go To Purchasers Affected by Anticompetitive Tactics (May 28, 
2015), https://www.ftc.gov/news-events/press-releases/2015/05/ftc-
settlement-cephalon-pay-delay-case-ensures-12-billion-ill.
    \66\ Joint Motion for Entry of Stipulated Order for Permanent 
Injunction, FTC v. Allergan plc, No. 17-cv-00312 (N.D. Cal. Jan. 23, 
2017), https://www.ftc.gov/enforcement/cases-proceedings/141-0004/
allergan-plc-watson-laboratories-inc-et-al; Stipulated Order for 
Permanent Injunction, FTC v. Teikoku Pharma USA, Inc., No. 16-cv-01440 
(E.D. Pa. Mar. 30, 2016), https://www.ftc.gov/enforcement/cases-
proceedings/141-0004/endo-pharmaceuticals-impax-labs.
    \67\ FTC v. AbbVie Inc., No. 14-cv-5151 (E.D. Pa. Sept. 8, 2014), 
https://www.ftc.gov/enforcement/cases-proceedings/121-0028/abbvie-inc-
et-al.
    \68\ Statement of FTC Chairman Joe Simons Regarding Federal Court 
Ruling in FTC v. AbbVie (June 29, 2018), https://www.ftc.gov/news-
events/press-releases/2018/06/statement-ftc-chairman-joe-simons-
regarding-federal-court-ruling.
    \69\ Stipulated Order for Permanent Injunction and Equitable 
Monetary Relief, FTC v. Mallinckrodt ARD Inc., No. 1:17-cv-00120 
(D.D.C. Jan. 30, 2017), https://www.ftc.gov/system/files/documents/
cases/stipulated_order_for_permanent_injunction_mallinckrodt.pdf.
---------------------------------------------------------------------------
    The Commission also follows closely developments in the high-
technology sector. From smart appliances and smart cars to mobile 
devices and artificial intelligence, the widespread adoption of new 
technologies is not only changing the way we live, but also the way 
firms operate. Although many of these changes may offer consumer 
benefits, they also raise complex competition issues. Given the 
important role that technology companies play in the American economy, 
it is critical that the Commission--in furthering its mission to 
protect consumers and promote competition--not only understand the 
current and developing business models, but also ensure that companies 
in this sector abide by the same rules of competitive markets that 
apply to any company.\70\
---------------------------------------------------------------------------
    \70\ See, e.g., 1-800 Contacts, Inc., No. 9372 (Nov. 14, 2017), 
https://www.ftc.gov/enforcement/cases-proceedings/141-0200/1-800-
contacts-inc-matter (Commissioner Phillips dissented in this matter); 
DraftKings, Inc./FanDuel Ltd., No. 9375 (July 14, 2017), https://
www.ftc.gov/enforcement/cases-proceedings/161-0174/draft-kings-inc-
fanduel-limited.
---------------------------------------------------------------------------
    In addition to competition enforcement, the FTC promotes 
competition principles in advocacy comments to state lawmakers and 
regulators, as well as to its sister Federal agencies,\71\ and in 
amicus briefs filed in Federal courts considering important areas of 
antitrust law.\72\ Last year, the Commission concluded a comprehensive 
review of its merger remedies to evaluate the effectiveness of the 
Commission's orders issued between 2006 and 2012, and made public its 
findings.\73\ The Commission continues to conduct merger 
retrospectives, examining prior merger enforcement decisions to assess 
their impact on competition and consumers, and plans to broaden this 
effort going forward. Similarly, through the series of hearings 
described above, the Commission is devoting significant resources to 
refresh and, if warranted, renew its thinking on a wide range of 
cutting-edge competition issues.\74\
---------------------------------------------------------------------------
    \71\ See generally https://www.ftc.gov/policy/advocacy.
    \72\ Amicus briefs are posted at https://www.ftc.gov/policy/
advocacy/amicus-briefs.
    \73\ FTC Staff Report, The FTC's Merger Remedies 2006-2012: A 
Report of the Bureaus of Competition and Economics (2017), https://
www.ftc.gov/system/files/documents/reports/ftcs-merger-remedies-2006-
2012-report-bureaus-competition-economics/
p143100_ftc_merger_remedies_2006
-2012.pdf.
    \74\ See Prepared Remarks of Chairman Simons Announcing the 
Competition and Consumer Protection Hearings (June 20, 2018), https://
www.ftc.gov/system/files/documents/public_
statements/1385308/
prepared_remarks_of_joe_simons_announcing_the_hearings_6-20-18_0.pdf.
---------------------------------------------------------------------------
IV. International Cooperation
    In addition to its domestic programs, the FTC engages in 
significant international work, much of which relies on the expiring 
SAFE WEB Act, which the Commission urges Congress to reauthorize. On 
the competition side, with the expansion of global trade and the 
operation of many companies across national borders, the FTC and DOJ 
increasingly engage with foreign antitrust agencies to ensure close 
collaboration on cross-border cases and convergence toward sound
    competition policies and procedures.\75\ The FTC effectively 
coordinates reviews of multijurisdictional mergers and continues to 
work with its international counterparts to achieve consistent outcomes 
in cases of possible anticompetitive conduct. The U.S. antitrust 
agencies facilitate dialogue and promote convergence through multiple 
channels, including through strong bilateral relations with foreign 
competition agencies and multilateral competition organization projects 
and initiatives. When appropriate, the FTC also works with other 
agencies within the U.S. government to advance consistent competition 
enforcement policies, practices, and procedures in other parts of the 
world.\76\
---------------------------------------------------------------------------
    \75\ In competition matters, the FTC also seeks to collaborate with 
the state Attorneys General to maximize results and use of limited 
resources in the enforcement of the U.S. antitrust laws.
    \76\ For example, the Commission works through the U.S. 
government's interagency processes to ensure that competition-related 
issues that also implicate broader U.S. policy interests, such as the 
protection of intellectual property and non-discrimination, are 
addressed in a coordinated and effective manner.
---------------------------------------------------------------------------
    On the consumer protection side, enforcement cooperation is the top 
priority of the FTC's international consumer protection program. In a 
global, digital economy, the number of FTC investigations and cases 
with cross-border components--including foreign-based targets and 
defendants, witnesses, documentary evidence, and assets--continues to 
grow. During the last Fiscal Year, the FTC cooperated in 43 
investigations, cases, and enforcement projects with foreign consumer, 
privacy, and criminal enforcement agencies. To sustain this level of 
productive cooperation, the agency often works through global 
enforcement networks, such as the International Consumer Protection and 
Enforcement Network, the Global Privacy Enforcement Network, the 
Unsolicited Communications Enforcement Network, and the International 
Mass Marketing Fraud Working Group. Just last month, for example, the 
FTC organized an Unsolicited Communications Enforcement Network 
conference with 11 foreign enforcement agencies (plus the FCC) to 
develop international approaches on robocalls, tech support scams, and 
other online abuses.
    The FTC's key tool for cross-border enforcement is the U.S. SAFE 
WEB Act.\77\ Passed in 2006 and renewed in 2012, this Act strengthens 
the FTC's ability to work on cases with an international dimension. It 
has allowed the FTC to share evidence and provide investigative 
assistance to foreign authorities in cases involving spam, spyware, 
misleading health and safety claims, privacy violations and data 
security breaches, and telemarketing fraud. In many of these cases, the 
foreign agencies investigated conduct that directly harmed U.S. 
consumers, while in others, the FTC's action led to reciprocal 
assistance.
---------------------------------------------------------------------------
    \77\ Undertaking Spam, Spyware, and Fraud Enforcement With 
Enforcers Beyond Borders Act (U.S. SAFE WEB Act), Pub. L. No. 109-455, 
120 Stat. 3372, extended by Pub. L. No. 112-203, 126 Stat. 1484 
(amending 15 U.S.C. Sec. Sec. 41 et seq.).
---------------------------------------------------------------------------
    The U.S. SAFE WEB Act has been a remarkable success. The FTC has 
responded to 130 SAFE WEB information sharing requests from more than 
30 foreign enforcement agencies. The FTC has issued more than 115 civil 
investigative demands in more than 50 investigations on behalf of 
foreign agencies, both civil and criminal. The Commission has also used 
this authority to file suit in Federal court to obtain judicial 
assistance for one of its closest law enforcement partners, the 
Canadian Competition Bureau.\78\ The FTC's foreign law enforcement 
partners similarly have assisted FTC enforcement actions. In cases 
relying on the U.S. SAFE WEB Act, the FTC has collected millions of 
dollars in restitution for injured consumers, both foreign and 
domestic. For example, the FTC worked with DOJ, the Royal Canadian 
Mounted Police, and other Canadian agencies to obtain a Montreal court 
order returning nearly $2 million to the U.S. victims of a mortgage 
assistance and debt relief scam.\79\ In the privacy arena, the FTC used 
key provisions of the U.S. SAFE WEB Act to collaborate successfully 
with the Office of the Privacy Commissioner of Canada in the FTC's 
first case involving Internet-connected toys. Specifically, in 2018, 
the FTC brought an enforcement action against V-Tech, a Hong Kong-based 
electronics toy manufacturer, alleging COPPA violations.\80\ The Act 
sunsets in 2020: the Commission requests that Congress reauthorize this 
important authority and eliminate the sunset provision.
---------------------------------------------------------------------------
    \78\ Press Release, Competition Bureau Canada, Bureau case against 
Rogers, Bell, Telus and the CWTA advances thanks to collaboration with 
U.S. Federal Trade Commission (Aug. 29, 2014), http://
www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/03805.html.
    \79\ Press Release, FTC, FTC Returns $1.87 Million to Consumers 
Harmed by Debt Relief Scam (May 9, 2016), https://www.ftc.gov/news-
events/press-releases/2016/05/ftc-returns-187-million-consumers-harmed-
debt-relief-scam.
    \80\ U.S. v. VTech Elec. Ltd. et al., No. 1:18-cv-00114 (N.D. Ill. 
Jan. 8, 2018), https://www.ftc.gov/enforcement/cases-proceedings/162-
3032/vtech-electronics-limited.
---------------------------------------------------------------------------
    The Act also underpins the FTC's ability to participate in cross-
border cooperation arrangements, including the EU-U.S. Privacy Shield 
Framework, which facilitates billions of transatlantic data flows.\81\ 
Critically, the Act also expressly confirms the FTC's authority both to 
challenge practices occurring in other countries that harm U.S. 
consumers, a common scenario in cases involving fraud, and to challenge 
U.S. business practices harming foreign consumers, such as Privacy 
Shield violations.
---------------------------------------------------------------------------
    \81\ See generally https://www.ftc.gov/tips-advice/business-center/
privacy-and-security/privacy-shield. The FTC's SAFE WEB powers enable 
stronger cooperation with European data protection authorities on 
investigations and enforcement against possible Privacy Shield 
violations, a point cited in the European Commission's Privacy Shield 
adequacy decision. See Commission Implementing Decision No. 2016/1250 
(on the adequacy of the protection provided by the EU-U.S. Privacy 
Shield), 2016 O.J. L207/1 at  51, https://eur-lex.europa.eu/legal-
content/EN/TXT/HTML/?uri=OJ:L:2016:207:FULL&from=EN.
---------------------------------------------------------------------------
    A key focus of the FTC's international privacy efforts is support 
for global interoperability of data privacy regimes. The FTC works with 
the U.S. Department of Commerce on three key cross-border data transfer 
programs for the commercial sector: the EU-U.S. Privacy Shield, the 
Swiss-U.S. Privacy Shield, and the Asia-Pacific Economic Cooperation 
(``APEC'') Cross-Border Privacy Rules (CPBR) System. As already 
explained, the Privacy Shield programs provide legal mechanisms for 
companies to transfer personal data from the EU and Switzerland to the 
United States with strong privacy protections. The APEC CBPR system is 
a voluntary, enforceable code of conduct protecting personal 
information transferred among the United States and other APEC 
economies. The FTC enforces companies' privacy declarations and 
commitments in these programs, bringing cases as violations of Section 
5 of the FTC Act.\82\ The FTC also works closely with agencies 
developing and implementing new privacy and data security laws around 
the world, including Asia, Africa, and Latin America. And the FTC 
convenes discussions on important and emerging privacy issues. For 
example, just two weeks ago, senior officials from the agency-conducted 
meetings with government officials and other stakeholders in India, 
together with partners from the U.K. and Japan, on India's proposed 
data security and privacy legislation.
---------------------------------------------------------------------------
    \82\ See, e.g., ReadyTech Corp., No. C-4659 (Oct. 25, 2018), 
https://www.ftc.gov/enforcement/cases-proceedings/182-3100/readytech-
corporation-matter; Md7, LLC, No. C-4629 (Nov. 29, 2017), https://
www.ftc.gov/enforcement/cases-proceedings/172-3172/md7-llc; Tru 
Commc'n, Inc., No. C-4628 (Nov. 29, 2017), https://www.ftc.gov/
enforcement/cases-proceedings/172-3171/tru-communication-inc; Decusoft, 
LLC, No. C-4630 (Nov. 29, 2017), https://www.ftc.gov/enforcement/cases-
proceedings/172-3173/decusoft-llc; Sentinel Labs, Inc., No. C-4608 
(Apr. 14, 2017), https://www.ftc.gov/enforcement/cases-proceedings/162-
3250/sentinel-labs-inc; Vir2us, Inc., No. C-4609 (Apr. 14, 2017), 
https://www.ftc.gov/enforcement/cases-proceedings/162-3248/vir2us-inc; 
SpyChatter, Inc., No. C-4614 (Apr. 14, 2017), https://www.ftc.gov/
enforcement/cases-proceedings/162-3251/spychatter-inc.
---------------------------------------------------------------------------
VII. Conclusion
    The FTC remains committed to marshalling its resources efficiently 
in order to effectively protect consumers and promote competition, to 
anticipate and respond to changes in the marketplace, and to meet 
current and future challenges. We look forward to continuing to work 
with the Subcommittee and Congress, and we would be happy to answer 
your questions.

    Senator Moran. It's my understanding that my understanding 
was incorrect: that you all hoped to make an opening statement. 
We do not have your written testimony as required by our rules, 
but I think it would be a mistake for us not to hear from you 
if you're prepared to do so.
    So we do not have in front of us their written statement, 
but all the Commissioners would like to make a statement, and I 
now recognize Mr. Chopra.

  STATEMENT OF HON. ROHIT CHOPRA, COMMISSIONER, FEDERAL TRADE 
                           COMMISSION

    Mr. Chopra. Chairman Moran, Ranking Member Blumenthal and 
members of the Subcommittee, thank you for holding this 
hearing.
    The FTC has a clear mission: to make sure markets are fair 
and competitive, not corrupted by conflicts of interest, 
distortions, and lies. The primary way we seek to accomplish 
this is through our law enforcement program.
    Today I want to talk about some of the most important 
questions that the FTC must routinely answer when enforcing the 
law. Given all the misconduct in the market, which companies 
are the best targets, and, after investigation, when should we 
push for a settlement and when should we go to trial?
    In my view, no matter how big or powerful they might be, we 
must hold companies accountable for widespread failures and we 
must always be willing to take them to court. Forty-five years 
ago, Congress gave the FTC the authority to sue companies and 
individuals in Federal court using Section 13(b) of the FTC 
Act. The FTC can go to court to seek restitution for victims, 
take back ill-gotten gains, permanently halt harmful practices, 
and seek other changes to business practices.
    And like almost every other Federal enforcement agency with 
the power to take companies to court, the FTC resolves most of 
its actions through settlements. And without question, 
settlements are important. No agency can litigate everything, 
but no agency should ever appear to strong-arm small defendants 
into financial ruin while letting large companies off the hook 
with a slap on the wrist.
    Now, in the aftermath of the financial crisis, we saw how 
large firms saw settlements as nothing more than the cost of 
doing business. After all, corporate boards on Wall Street 
almost never agreed to a settlement that threatened their 
profit model. And while big penalties made for good headlines, 
I question whether they truly deterred lawbreaking. Too many 
individual executives evaded accountability and even got 
rewarded with a bonus for their skillful dealings with the 
government. Unsurprisingly, even after big settlements, we saw 
how agencies continued to fight fire after fire with companies 
like Wells Fargo where abuse was widespread.
    In trials, we get to find out the whole story told from 
both sides by the actual individuals who called the shots and 
we see due process in action. And when the government prevails, 
the law can provide for recoupment of certain taxpayer costs.
    Now, the FTC has shown it is willing to go to trial. Too 
often, pharmaceutical companies go to great lengths to protect 
monopolies created by their patents. Take the example of 
AbbVie, the pharmaceutical giant famous for continuing to 
raises prices and creating billions of dollars in healthcare 
costs with the blockbuster drug Humira.
    In 2014, the FTC sued AbbVie for filing sham patent 
infringement lawsuits that stopped generic drug makers from 
challenging another top-selling product, AndroGel. A few months 
ago, a court ruled that AbbVie did indeed use sham lawsuits to 
illegally maintain its monopoly. The court ordered the company 
to pay 448 million dollars for its wrongdoing that harmed 
patients, the public, and its competitors. After the ruling, we 
saw pharmacies who were allegedly harmed by these practices 
filing their own actions, and certain aspects of this matter 
remain on appeal.
    In another matter, after years of litigation and a trial, a 
court-ordered DISH Network to pay $280 million for its Do Not 
Call violations, and in a few weeks the FTC will begin its 
trial against semiconductor giant Qualcomm for its alleged 
anti-competitive tactics in the chip market.
    Filing a lawsuit and taking a powerful corporation to trial 
is tough. In my past agency experience, I have seen how going 
up against a company with legions of lawyers and lobbyists and 
PR professionals can be daunting for an agency with finite 
resources. But Congress cannot expect any agency, including the 
FTC, to meet its mission unless it is unambiguous to the market 
that we have the resources and the resolve to go to court no 
matter how big or connected a company may be.
    It will be critical for Congress to continue to support our 
13(b) authority and to ensure that every law enforcement agency 
exercises its prosecutorial discretion in ways that create real 
accountability for those that break the law.
    Thank you, and I look forward to your questions.
    Senator Moran. Thank you, Commissioner.
    Commissioner Phillips.

 STATEMENT OF HON. NOAH JOSHUA PHILLIPS, COMMISSIONER, FEDERAL 
                        TRADE COMMISSION

    Mr. Phillips. Thank you. Chairman Moran, Ranking Member 
Blumenthal, distinguished members of the Subcommittee, thank 
you for the opportunity to appear before you today. Thanks 
especially to Senator Nelson for his thoughtful and kind 
remarks earlier.
    I'm honored to be back here, especially with my fellow 
commissioners, to highlight the important work that the FTC and 
its talented staff do every day on behalf of American 
consumers. In my brief remarks, I'd like to address two 
international issues as well as the legislative process that 
you all have undertaken on consumer privacy.
    While offering incredible opportunities for American 
consumers, the digital economy poses new challenges for law 
enforcement particularly relating to cross-border activities. 
In 2006, Congress recognized this and passed the U.S. SAFE WEB 
Act allowing the FTC to share evidence with and assist foreign 
authorities in matters involving issues such as privacy 
violations and data breach. U.S. SAFE WEB also confirms our 
authority to challenge foreign frauds that harm U.S. consumers 
or involve material conduct in the United States. Using SAFE 
WEB, we have worked with foreign authorities to stop illegal 
conduct and secure millions for consumers and sometimes even 
obtain criminal convictions with the help of our partners.
    SAFE WEB is a vital tool but it sunsets next year.
    Congress should reauthorize it and should eliminate the 
sunset provision.
    Next, the FTC works with the Department of Commerce to 
enable transatlantic data flows and support American business 
leadership through three cross-border data transfer programs 
including the E.U./U.S. Privacy Shield. We as an agency look 
for Privacy Shield violations in four ways.
    First, referrals from the Department of Commerce; second, 
priority referrals from the European Union; third, we look for 
violations in every privacy investigation that we conduct as an 
agency; and finally, we conduct proactive monitoring for 
Privacy Shield participants. We are committed to the success of 
these cross-border data transfer mechanisms. We have brought 
nearly 50 actions over the course of their lives, and 
enforcement will remain a priority for all of us.
    Finally, on the ongoing debate we are all having as a 
nation on consumer privacy, I want to stress three points. 
First, privacy can be a nebulous concept. And as you consider 
legislation, it is critical to be clear and frank about the 
wrongs you seek to right. Advocates for new regulation invoke a 
variety of alleged market failures to justify new rules: from 
data insecurity to imperfect information about data sharing to 
creepiness and surveillance. According to the NTIA, while 
online privacy concerns appear generally to be declining, 
Americans' level of concern about privacy issues varies based 
on the subject, with people substantially more concerned about 
issues like identity theft and consumer fraud than, for 
example, the collection of data by firms or the loss of control 
of data.
    Reasonable minds can differ on the privacy risks. But 
everyone should agree that the best policy is developed when 
aimed at clearly defined harms and with consensus built about 
how to address them. High-profile incidents and large firms 
dominate headlines, but legal restrictions have an impact that 
is broader and more fundamental.
    Second, any new rules will come with tradeoffs: to 
consumers, innovation, and competition. As I've said elsewhere, 
regulations can chill innovation and competition, including by 
entrenching incumbents. We need to keep small businesses and 
startups in mind.
    To be clear, that is not to say that we should not 
reevaluate our privacy regime given emerging issues and 
technologies, but neither can we ignore half a century of our 
nation's experience balancing privacy and other interests 
including tremendous levels of innovation. On innovation, 
America has been leading. I am concerned that early indications 
about the European GDPR indicate reduced investment in 
technology and greater concentration in ad tech.
    The tradeoffs are not easy and there are no simple answers. 
So my third point is that, given the important value judgments 
that must be made, Congress is the place to make them. Broad 
delegations to an expert agency are a poor substitute for the 
lawmaking process that our founders created. I was honored to 
work here in the Senate for seven years, so I have great faith 
in the capacity of Congress to listen to the public, to build 
consensus, and to reach the right answer.
    Of course the FTC with our talented staff and half a 
century of experience enforcing privacy law stand ready to 
assist you in fashioning legislation and we will enforce any 
new privacy authority that Congress deems fit to assign us.
    Thank you for your time, and I look forward to answering 
any questions that you may have.
    Senator Moran. Thank you, Commissioner.
    Commissioner Slaughter.

   STATEMENT OF HON. REBECCA KELLY SLAUGHTER, COMMISSIONER, 
                    FEDERAL TRADE COMMISSION

    Ms. Slaughter. Thank you. Can you hear me?
    Chairman Moran, Ranking Member Blumenthal and members of 
the Subcommittee, thank you so much for inviting us here today.
    I have spent my first six months at the FTC immersed in 
getting to know the talented staff of the agency and 
understanding the opportunities and challenges they see on the 
ground as the Commission fulfills its dual missions of 
protecting consumers and promoting competition.
    As Senator Blumenthal noted, in today's increasingly data-
driven and concentrated economy, consumers demand and deserve 
vigorous enforcement from the FTC. That is precisely what 
Chairman Simons has pledged, and I join him in his commitment. 
We should and we will enforce the law against wrongdoers to the 
fullest extent that our authority and our resources allow and 
we should continue to engage in critical self-examination to 
identify ways we can do more within those parameters. However, 
I want to use my time today to highlight how additional 
resources and authority would enable the Commission to better 
protect consumers and promote competition.
    Let me first address resources. I'll begin with an example. 
In 2012, the FTC sued a payday lender known as AMG that buried 
consumers with illegal fees. The FTC aggressively litigated 
this matter and ultimately secured a hard-fought $1.3 billion 
court order against the defendants in 2016. Two months ago, in 
late September, the FTC returned over $500 million to AMG-
related victims.
    The outcome in AMG is instructive in two ways. First, it 
demonstrates that the FTC provides meaningful results for 
consumers that far exceed our resources. On that one day in 
September, we returned to consumers more than our entire 
appropriated budget for Fiscal Year 2018, which is about $300 
million. In fact, during all of Fiscal Year 2018, Commission 
actions resulted in over $1.6 billion being returned to 
consumers, more than five times our annual budget. Put another 
way, the FTC provides an extremely good return on investment 
for the American taxpayer.
    The AMG resolution also demonstrates a second plain but 
paramount point. Good outcomes for consumers take time and 
money, especially where the target of the investigation is a 
large, well-financed corporation. Very simply, no substitute 
for careful, thorough investigation and, where appropriate, 
aggressive litigation.
    I agree with Commissioner Chopra's comments about the value 
of litigation and I want to be clear about what it means from a 
resource perspective. Litigation requires teams of dedicated 
and talented staff and complementary resources. Case such as 
AMG and the AbbVie case that Commissioner Chopra mentioned 
demonstrate the talent and the dedication are here, but imagine 
how much more we could be doing with additional resources.
    The challenges consumers face in the marketplace today are 
growing in number and complexity. To address them, the FTC must 
initiate more investigations and litigate more cases. Those 
cases have become more complex both legally and technologically 
and they involve defendants with deep pockets and armies of 
attorneys. Our resources have not kept pace with these 
developments.
    As one key metric, consider that we had about 50 percent 
more full-time-equivalent employees in the beginning of the 
Reagan administration than we do today. It is critical that the 
FTC has sufficient resources to support its work, particularly 
as demands for enforcement in so many complex areas continue to 
grow.
    In addition to sufficient resources, sufficient authority 
is critical for the FTC to meet the demands of the 21st century 
marketplace. Expanding our authority to seek monetary penalties 
for violations of the law, providing the FTC with better 
rulemaking authority, and eliminating jurisdictional exemptions 
would each go a long way to help the FTC better meet today's 
challenges as well as tomorrow's.
    I want to highlight in particular that the limitations on 
our authority are particularly constraining when it comes to 
protecting consumer data. No matter how big the breach or how 
egregious the conduct, the FTC has no authority to seek 
financial penalties for most types of abuse or misuse of 
consumer data. We also lack the authority to engage in notice-
and-comment rulemaking in the areas of consumer privacy and 
data security, and the common carrier and nonprofit exemptions 
put some of the largest hosts of consumer data beyond our 
reach.
    I strongly support Chairman Simons's call for Congress to 
consider enacting Federal privacy legislation that would 
address these limitations. I believe we need a law that 
requires companies to take consumer privacy seriously, gives 
the FTC the authority to impose significant penalties for 
failing to do so, and invests the necessary resources for the 
FTC to carry out Congress's directive effectively.
    I look forward to continuing this important dialogue with 
you and to taking your questions.
    Senator Moran. Thank you.
    Now Commissioner Wilson.

 STATEMENT OF HON. CHRISTINE S. WILSON, COMMISSIONER, FEDERAL 
                        TRADE COMMISSION

    Ms. Wilson. Thank you, Chairman Moran, Ranking Member 
Blumenthal, and distinguished members of the Subcommittee for 
the opportunity to appear before you and testify today. It is 
an honor to be here for the first time since I joined the 
Commission two months ago.
    I would like to highlight today one of the areas I 
identified as a priority during the confirmation process: the 
healthcare industry. As you know, this industry impacts every 
American and takes a bite out of each paycheck. Given its 
importance, it should come as no surprise that the FTC is quite 
active in this segment of the economy. I would like to briefly 
discuss two issues associated with healthcare, one related to 
consumer protection and the other to competition.
    On the consumer protection side, the marketing of unproven 
or ineffective treatments for serious health conditions is 
unfortunately all too common and rightly remains a top priority 
for FTC enforcement. One important area is marketing that 
targets opioid addiction. The CDC estimates that a staggering 
115 Americans die every day--every day--from an opioid 
overdose. People seeking life-saving help for opioid addiction 
or withdrawal must get the right kind of help as soon as they 
are ready to receive it. Products that promise miracle cures or 
fast results can cost precious time and money and can 
contribute to relapse or even death.
    The Commission has sued two companies that marketed bogus 
withdrawal and addiction treatment products. The FTC also is 
conducting a number of non-public investigations in this area. 
Thanks to the leadership of members of this Committee including 
Senators Cortez Masto and Capito, the FTC can now bring civil 
penalty authority to bear when companies market sham opioid 
treatments and services.
    Earlier this year, the FTC partnered with the FDA to send 
warning letters to marketers selling products that claimed to 
help with opioid addiction. The FTC also collaborated with the 
Substance Abuse and Mental Health Services Administration to 
release a fact sheet on getting the right help with opioid 
dependence or withdrawal. Armed with our expanded resources, 
the FTC will continue to support local, state, and Federal 
agencies combating the opioid epidemic.
    On the competition side, the FTC has long recognized and 
challenged false and unsubstantiated health claims, but REMS 
abuses, in contrast, are a relatively recent problem. The FTC 
continues to investigate allegations that branded 
pharmaceutical companies misuse Risk Evaluation and Mitigation 
Strategies, known as REMS, to impede competition.
    In theory, a REMS program is designed to protect patient 
safety by managing the known or potential risks associated with 
the use or distribution of certain medications. Often times 
that is also the practice. But sometimes branded manufacturers 
misuse REMS to thwart entry by would-be generic competitors. 
This conduct upsets the careful balance between competition and 
innovation that Congress established in both the Hatch-Waxman 
Act and the Biologics Price Competition and Innovation Act.
    REMS abuses can take various forms. But regardless of the 
precise method employed, concerns arise when branded 
manufacturers subvert laws and regulations that are designed to 
protect the health and safety of consumers and instead use 
those frameworks to insulate themselves from competition. By 
excluding competitors from the market, branded drug companies 
can price products higher than they otherwise would, preventing 
drug prices from falling. Recognizing that REMS abuse is a 
competition problem, the FTC has used its existing powers to 
investigate potential antitrust violations and is actively 
looking for a good case to bring. The Commission has also 
engaged in advocacy, including filing amicus briefs in private 
litigation.
    We are grateful that members of the subcommittee share our 
concerns and have proposed legislation that would more directly 
address this problem. FTC staff have provided technical 
assistance on various bills and we will continue to support 
these important legislative efforts.
    I am happy to answer any questions you may have.
    Senator Moran. Thank you very much.
    I'm going to defer to the Ranking Member who has another 
hearing to attend. I'll turn to him for questions, then it'll 
be my turn and then we'll----
    Senator Blumenthal. Great.
    Senator Moran.--work our way across.
    [Applause.]
    Senator Blumenthal. Before he leaves, I want to join in 
thanking Senator Nelson for his leadership over such a 
distinguished and extraordinary period of time. Thank you, 
Senator.
    I also want to thank each of you for your testimony today, 
and I want to begin with coming back to big tech.
    This morning, a member of the U.K. parliament disclosed 
that an entity with Russian I.P. addresses was pulling over 3 
billion data points a day about Facebook users, using 
fraudulent means. This allegation is new and chilling.
    Mr. Chairman, were you aware of it?
    Mr. Simons. Not until it was reported.
    Senator Blumenthal. Facebook never disclosed it to you and 
they never disclosed it to us; correct?
    Mr. Simons. That's my understanding.
    Senator Blumenthal. I am assuming that the FTC continues to 
have an ongoing investigation; correct?
    Mr. Simons. Yes, absolutely.
    Senator Blumenthal. It has been eight months since the FTC 
first indicated that investigation. Since then, the United 
Kingdom's Information Commissioner's Office issued penalties to 
Facebook regarding the matter of privacy violation, and on 
Sunday, a U.K. parliamentary committee also seized a trove of 
documents from the company Six Four Three regarding Facebook's 
privacy practices.
    The urgency of this investigation could not be clearer. Can 
you tell us when you will be done and when you will have 
results of this investigation?
    Mr. Simons. Thank you, Senator.
    It's inappropriate for me to comment on a specific non-
public investigation, but let me say the following: Any time 
you see a press report of a significant privacy issue, a 
potential privacy violation of our authority, it is safe to 
assume that we either are investigating it already or shortly 
after that media release we will investigate it.
    The other thing to keep in mind is that when companies have 
problems that become public that are serial in nature--as you 
described, new problems--you can also assume that we will be 
looking at those too. I am standing here----
    Senator Blumenthal. With all due respect, Mr. Chairman--and 
I do have great respect for you--you're saying it's safe to 
assume. It is not safe to assume anything.
    Mr. Simons. It's safe to assume what my staff is doing, 
what our staff is doing.
    Senator Blumenthal. But we need to know, and that was my 
question, when you will have some results; because these 
continuing violations clearly show that we have something more 
than a single bad-actor problem and it is not only Facebook. I 
want to be fair to Facebook. It is not only Facebook.
    And one of the most dramatic and important questions that 
was asked--and I asked it during the hearings with Mark 
Zuckerberg--was how many more Cambridge Analyticas are there 
out there? We still have no idea. So I think you have an 
obligation to tell us when you think this investigation will be 
done.
    Mr. Simons. We're going to do this--our goal is to do this 
as fast as possible and get to the right result as soon as 
possible, but I cannot comment on the details of any specific 
non-public investigation. I'm sorry, Senator.
    Senator Blumenthal. How many full-time employees are 
assigned to investigate Facebook's privacy and data protection 
practices?
    Mr. Simons. Again, I can't comment on a non-public 
investigation.
    Senator Blumenthal. Are you satisfied there are sufficient 
resources devoted to this investigation?
    Mr. Simons. That is my goal with respect to every 
investigation that the FTC is conducting, and especially the 
most important ones.
    Senator Blumenthal. Facebook knew about Cambridge Analytica 
at least since December 2015. Did Facebook disclose this matter 
to the FTC prior to March 2018?
    Mr. Simons. Again, Senator, I'm sorry, but it's 
inappropriate for me to comment on the specific details of a 
non-public investigation.
    Senator Blumenthal. Well, without being unduly critical of 
your predecessors, are you satisfied that the Facebook consent 
decree was adequately enforced?
    Mr. Simons. What I would say is this: We do engage in self-
critical examination. It's a very important part of our history 
and we take that very seriously. And so one of the things we 
are looking at is how to modify our orders to make sure that 
things that shouldn't have happened before don't happen again.
    Senator Blumenthal. Are you monitoring the Cambridge 
Analytica bankruptcy?
    Mr. Simons. Again, I don't want to comment on a specific 
non-public investigation.
    Senator Blumenthal. Do you have any investigation 
concerning the issues relating to Google that I mentioned 
earlier?
    Mr. Simons. Again, I can't comment on any non-public 
investigations that may or may not be going on.
    Senator Blumenthal. Well, I think that, again, with all due 
respect, the American people really deserve to know more about 
these ongoing investigations, either generally as to timeframe, 
amounts of resources, and, indeed whether you have wrongdoing 
and abuses under investigation. I'm not talking only about 
Facebook but about other companies as well.
    Mr. Simons. Our goal is to vigorously enforce, and we are 
working hard at that and I think we are going to . . . One 
thing I hope to do, Senator, is I hope to turn your opinion 
around in terms of the performance of the FTC. That is one of 
my main goals with respect to you and others in the Congress.
    Senator Blumenthal. Well, I appreciate that and I have 
great respect for, again, the commissioners and the very 
dedicated professionals that you have working for you at the 
FTC and I share my colleagues' view that, to some extent, it 
may be a matter of resources but we need to know what is needed 
for, as you put it, turning around performance.
    Mr. Chairman, I have many more questions and I'm going to 
defer to my colleagues now and stay roughly within the five-
minute rule. Thank you.
    Senator Moran. You were late, you talked long, and our 
agreement is that you're not coming back.
    Senator Blumenthal. I will be back; I shall return. But I 
thank you for those kind words, Mr. Chairman.
    Senator Moran. Senator Blumenthal has focused on Facebook 
and current investigations. I just would add to what he said: 
that this Subcommittee and me personally, will do everything we 
can to provide you the resources, both legal and financial, and 
we will continue to monitor.
    We obviously want more information than you're capable of 
giving us, Mr. Chairman, at this point in time, but we're going 
to pay a lot of attention to this issue. And by that, I think 
we are conveying its importance to us and to you.
    Let me start with a resource question. Senator Udall and I 
used to serve together on FSGG that funds the FTC. He abandoned 
me, so I think I'm the only appropriator in the room. I would 
say to you that I have a strong interest in ensuring that your 
agency has the resources it needs to effectively and 
efficiently protect consumers from unfair and deceptive 
practices. In part, our efforts will be determined by what the 
administration and you request in your budget submission.
    I would start with, because I think your workload is 
growing and I think it is going to continue to grow, I think 
it's conceivable that Congress will give you greater 
authorities, but let's start with just what you have current 
authority to do at the FTC.
    Let me see if I can get you to tell me in short order, in 
few words, does the FTC have the necessary resources to enforce 
its current consumer data privacy and security authorities as 
provided by Section 5 of the FTC Act and other relevant 
statutes?
    Mr. Simons. Senator, I think we do, but let me also say 
that if we had additional resources, I guarantee they could be 
put to very good use.
    Senator Moran. I think anyone could say that, Mr. Chairman. 
I think I--well, in my own household.
    Mr. Simons. Fair.
    Senator Moran. So what is it that you would do if you had 
more resources?
    Let me make certain I stick with current. What would you do 
under your current authorization, what you're legally obligated 
to do? What more would you do if you had additional resources?
    Mr. Simons. So I think we would--we have an enormous 
litigation level going on inside the Commission, and if that 
remains the same, our staff is literally almost killing 
themselves, they're working so hard on these litigations. If 
that remains at an historic high level or increases, we would 
need more resources for that.
    In addition, we probably could use some resources with 
respect to the Bureau of Economics and also technology 
resources.
    Senator Moran. It's my understanding that a significant 
amount of work at the FTC is provided by consultants and by 
outside counsel. Is that the best method by which you can 
perform your responsibilities?
    Mr. Simons. So not so much outside counsel, but 
consultants, experts; so economists, technology people. And 
what we want to do is we want to have a good mix because we 
want to have the technology available to us that we need, and 
so that may vary from case to case. And so sometimes you'll 
have new types of cases that you haven't had before and you 
bring in a consultant specifically for that case because that 
may come and go; it may not be sustained. So I think you want a 
mix. You want a core of people who are inside the agency and 
supplement that with outside consultants.
    Senator Moran. I've tried to focus and I want to make sure 
that any commissioner who has a comment to make about this 
topic has that opportunity. But I tried to get you to tell me 
about current responsibilities----
    Mr. Simons. Yes.
    Senator Moran.--and current needs for resources based upon 
those current responsibilities.
    I also would ask you that as we develop--and I indicated in 
my opening statement and Senator Blumenthal confirmed in his 
that we're working to author legislation related to privacy. I 
also need from you not only yours--as Commissioner Phillips 
indicated a willingness to provide us and a number of you 
indicated the things that you would suggest in that 
legislation, but I also need to understand what the additional 
resources that would be necessary that would come with 
additional responsibilities or greater authorities of the FTC.
    So I want to make sure that as we develop legislation, 
we're not operating in a vacuum in which we would have the 
likelihood of saying, well, this is what the law should be, but 
knowing that the law would be somewhat irrelevant if the 
resources aren't there to enforce the new authority. So I need 
to know what additional resources it would take as we develop 
this legislation?
    Let me see if any of the commissioners have anything they'd 
like to respond to my questions or comments or perhaps 
different than the Chairman.
    Mr. Chopra. Well, Senator, I'll just add that with respect 
to data privacy and security, more and more sectors of our 
economy, whether it's the automotive industry, the agriculture 
industry, retail, there is more and more data collection, and 
our largest firms in the economy are relying heavily on how to 
monetize that data. So this is not just about consumer-facing 
businesses; it is a bigger and bigger part of the U.S. GDP. And 
if that is going to grow, then the FTC's resources have to grow 
commensurately. When cities grow and get much bigger, they hire 
more cops, and we have to do the same for us.
    Senator Moran. Anyone need or want to add--want or need to 
add something to this? Ms. Slaughter?
    Ms. Slaughter. Yes, I'll just--I'll echo what Commissioner 
Chopra said and say I agree with everything Chairman Simon said 
he would do with more resources.
    I would depart only that I think we do need them. I don't 
think that we have enough resources right now to do the job 
that consumers and Congress expects of us. I think we want to 
do that job. And those additional technologists, those 
additional employees getting us anywhere back to near the 
staffing levels we had in the Reagan administration I think 
would be very valuable to carry out our mission.
    Senator Moran. Let me say just from my perspective, I've 
never met an agency or a department or a Commission that didn't 
believe they needed more resources. I hear it on an ongoing 
basis.
    But I think this is different. I am sympathetic to that 
plea because the volume--as Commissioner Chopra says, the city 
is growing. And there has to be a greater focus on how we spend 
the money, but that is insufficient in this case, I think, to 
have the necessary resources to meet the demand.
    Senator?
    Mr. Phillips. Yes.
    Senator Moran. Senator, Phillips or--didn't mean to----
    Mr. Phillips. I expect my colleagues will agree with me. As 
my colleagues have said, it bears repeating, we work very 
nimbly and we work very efficiently, so you should trust in the 
fact that we are giving great credence to the resources we are 
given and we are employing them efficiently.
    Senator Moran. All right. Thank you.
    Senator Klobuchar.

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Mr. Chairman. 
Thanks for having this popular hearing.
    So when you were talking about the town growing, the other 
thing that has really grown, as the commissioners know, is 
mergers, and we've had a 50 percent increase in the number of 
mergers in just the last 5 years.
    And I thank you, Mr. Chairman, for your testimony in front 
of the Antitrust subcommittee that Chairman Lee and I have 
chaired for a long period of time. And as you know, I have a 
bill to add more resources to that piece of your work by 
charging some extra fees on some of the mega mergers, the very 
large mergers. And could you just explain to my Commerce 
Committee friends here your feelings on doing something like 
that?
    Mr. Simons. Yes. So this is one of the things I mentioned 
before. We have like an historic level of litigation going on 
at the agency right now, and particularly on the competition 
side. So when I showed up on May 1 at the agency, there were 
four merger cases being litigated at once. I don't remember 
that ever happening.
    Senator Klobuchar. Just to the legislation because I have 
so many other questions.
    Mr. Simons. So--and one of the things we want to do and 
which also is I think in your legislation, which is to do 
merger retrospectives. So one of the things we need to do for 
that is more economists. And so that will help us get a better 
sense of, you know, whether our merger enforcement has been too 
lax, whether we have to tighten it up and how much.
    Senator Klobuchar. And just for my colleagues' sake, 
Senator Lee and Senator Moran is interested in this bill, some 
version of this only because it's not more taxpayer money; it 
is the humongous billion-, trillion-dollar mergers that these 
guys are trying to analyze. And so that's why we are looking at 
it as a way to get them the resources to do it as well as the 
Justice Department with Mr. Delrahim.
    Second, my colleague Senator Blumenthal asked a lot about 
Facebook. As you know, I've been very involved with that with 
the Honest Ads Act, with the privacy legislation that I have 
with Senator Kennedy.
    Could you tell me, Mr. Chairman, will the FTC make a 
statement at the conclusion of this investigation to inform the 
public of the circumstances surrounding this breach and whether 
Facebook's action or lack thereof violated the terms of its 
consent order?
    Mr. Simons. I would think so.
    Senator Klobuchar. OK. Thank you.
    Commissioner Slaughter, you were talking, I know you do a 
lot on privacy. Can you talk about why it's important to have 
disclosures on online ads and disclaimers? Of course this is 
something that is under some of the FCC's jurisdiction, but in 
general why do you think that's important?
    Ms. Slaughter. Thank you, Senator, for the question.
    Disclosures help consumers understand what is happening 
with their data, with the information that they're seeing. The 
FTC has the opportunity to police against deceptive disclosures 
in various circumstances, but if there is no disclosure, we 
could not call the disclosure deceptive specifically in most 
circumstances.
    Senator Klobuchar. Right.
    Ms. Slaughter. So I think I under--I am familiar with your 
bill. I think it's a really important contribution to the 
debate around making sure consumers understand what they're 
seeing and from whom they're seeing it.
    Senator Klobuchar. And as you know, some of the companies 
including Twitter and Facebook have done this voluntarily, but 
we're going to have a patchwork. We have a lot of other 
platforms that aren't doing it at all and a complete crazy 
situation where TV, radio, and newspaper is required and these 
guys aren't.
    Commissioner Chopra, why is it important for the FTC to 
have enforcement over privacy violations? And could you talk 
about--we have in our bill, Senator Kennedy and I, notification 
of consumers of a privacy violation within 70 hours. Do you 
support something like that?
    Mr. Chopra. Yes, I think we need some clear rules of the 
road at the Federal level of when people's data is essentially 
stolen from them.
    And look, you can pass all the privacy laws you want, but 
if there's no enforcement and no penalties for violating them, 
no one's going to follow them.
    Senator Klobuchar. Right.
    OK. And then Commissioner Slaughter, back to you.
    The CREATES Act. This is something that Senator Grassley 
and Leahy and Lee and I have introduced on the Senate side. 
This is of course about prescription drugs and trying to get 
more competition going. Do you believe the legislation could 
help put a stop to some of the anti-competitive practices?
    As you know, Senator Grassley and I have our pay-for-delay 
bill that I know we will pass if we could just get a vote, and 
I know the FTC, all of you have been involved in this issue. Do 
you want to comment further on that?
    Ms. Slaughter. Sure. These are very important issues for 
consumers. Commissioner Wilson in her opening talked about REMS 
abuse and the problems of REMS abuse, and we're actively 
looking for opportunities to enforce, but I know the 
legislation that's out there would make it a lot harder for the 
bad practices to happen, to begin with, and a lot easier for us 
to enforce against them.
    Ms. Slaughter. Very good.
    Well, I will ask--Commissioner Phillips and Wilson, I will 
be asking you something in writing because my time is now 
ended.
    Look at those crossed arms. It is time for me to end my 
questions.
    So thank you very much for your time and your really good 
work and your commitment to making the FTC as bipartisan as it 
has been for so long and working together even though you 
probably don't agree on every single thing. Thank you.
    Senator Moran. Pleased to recognize Chairman Thune.

                 STATEMENT OF HON. JOHN THUNE, 
                 U.S. SENATOR FROM SOUTH DAKOTA

    The Chairman. Well, good afternoon, and I want to thank 
Chairman Moran and Ranking Member Blumenthal for holding this 
hearing and for their continued work on FTC oversight and also 
want to thank all the commissioners for being here today to 
provide the Committee with an update of some of the FTC's 
activities.
    Earlier this fall, the FTC began a series of innovation 
hearings aimed at ensuring the Commission can meet the 
challenges posed by modern economic and consumer trends, and 
I'm looking forward to hearing more about how these sessions 
will inform the Commission's competition consumer protection 
work. I'm also here to discuss possible comprehensive data 
privacy legislation with the commissioners as well.
    Currently the Committee and several key members are 
exploring privacy legislation, I'm sure as you know, and it 
would be helpful to know from the commissioners if you all 
support this effort, if you think the FTC's an appropriate 
enforcement agency, and what kind of penalties and statutory 
tools are going to be needed to ensure compliance.
    Let me start with you, Mr. Simons, Mr. Chairman. In the 
past, the Commission has used its authority under Section 6(b) 
of the FTC Act to study particular industries or practices. For 
example, in 2014, the Commission completed a 6(b) study of the 
data broker industry and issued a report of its findings along 
with some recommendations.
    Would the Commission consider using its 6(b) authority to 
study consumer information data flows; specifically, sending 
requests to Google, Facebook, Amazon and others in the tech 
industry to learn what information they collect from consumers 
and how that information is used, shared and sold?
    Mr. Simons. 6(b) is a really powerful tool and that's the 
type of thing that might very well make sense for us to use it 
for.
    The Chairman. Well, it seems to me, at least, based upon 
what we know and what we observe happening around us today and 
there would be a lot of interest among consumers in this 
country in having that sort of information available.
    Mr. Simons. And that may be guided also by what comes out 
of our hearings.
    The Chairman. Right.
    Mr. Chopra. And Senator, the 6(b) studies can actually 
inform not just our consumer protection enforcement, but, in 
the case you mention, also our antitrust enforcement where data 
and data flows is of intense interest to us.
    The Chairman. Yes. And I want to shift to that for just a 
minute because, as I'd mentioned earlier, this Committee has 
been exploring comprehensive consumer privacy legislations and 
we've held two hearings this fall earlier, one with industry 
and one with public-interest groups, to discuss the issue of 
consumer privacy.
    And this would be for any of you to respond to, but do you 
support efforts by Congress to develop comprehensive privacy 
legislation?
    Mr. Simons. Absolutely.
    Mr. Phillips. Yes, I support those efforts.
    Mr. Chopra. Yes.
    Ms. Slaughter. Yes.
    Ms. Wilson. Yes.
    The Chairman. Good answer.
    So now for the harder question, and that is, in your view, 
are there key features that should be included in any privacy 
legislation?
    Mr. Simons. So one of the things that we've asked for on 
the data security side is civil penalty authority in order to 
create effective deterrents, and my sense is that the same 
dynamic is going to apply on the privacy side as well, so I 
think that will be very important, that there is civil penalty 
authority.
    The Chairman. Yes. Is that a view that is shared by members 
of the Commission?
    Mr. Phillips. Senator, I have a slightly different view on 
that.
    The Chairman. OK.
    Mr. Phillips. And it's not a totally settled one. As I said 
in my opening remarks, one of the things about privacy is that 
it is a nebulous concept and different people see different 
risks as greater. Those are very reasonable debates. A lot of 
people have strong feelings about this.
    It is critical that Congress decide what the harms are and 
then target tools to address those harms. I don't think that 
the liability standard, what harms we are addressing, can be 
separated from the civil penalties. You have to think about the 
two together: what you're enforcing and how. Because what you 
don't want to do, penalties can chill conduct. You want to make 
sure that the conduct that you're chilling is bad conduct, not 
conduct that potentially benefits consumers.
    Ms. Wilson. If I could also address this. First of all, I 
do encourage Congress to pursue privacy legislation. Businesses 
need clarity and certainty regarding the rules of the road. 
Markets work best when consumers have complete information and 
can make informed choices. And studies show that right now 
consumers do not understand what is being done with their data. 
And current legislation does provide protections but it's been 
outstripped by technological developments.
    For example, HIPAA protects medical information stored in 
the doctors' files but not the medical information collected by 
your Fitbit. And so I think I perhaps have a slightly different 
perspective than Commissioner Phillips.
    I do believe the FTC should be the one to enforce any new 
legislation that is prepared, and I think in terms of elements 
of new legislation, I think it should grant jurisdiction to the 
FTC over nonprofits and common carriers. I think it should 
provide for civil monetary penalties. I think it should grant 
targeted APA rulemaking authority and I think it should be 
undertaken in conjunction with a national data breach 
notification and data security law.
    The Chairman. Good. So does everybody on the Commission 
share the view that the FTC is the appropriate enforcement 
agency for comprehensive privacy legislation?
    Mr. Simons. Yes.
    Mr. Phillips. Yes.
    Ms. Slaughter. Yes.
    The Chairman. And you answered this question, too, but to 
the other members of the Commission: Should Congress repeal the 
common-carrier exemption to the FTC Act?
    Ms. Wilson. Yes.
    Mr. Phillips. Yes.
    Mr. Chopra. Yes.
    Mr. Simons. You bet.
    The Chairman. Mr. Chairman, my time is expired, so thank 
you and I will yield back.
    Senator Moran. I will treat you better than I treated 
Senator Blumenthal.
    Senator Markey.

               STATEMENT OF HON. EDWARD MARKEY, 
                U.S. SENATOR FROM MASSACHUSETTS

    Senator Markey. Thank you, Mr. Chairman.
    We're celebrating the 20th anniversary of the Child Online 
Privacy Protection Act which I authored back 20 years ago. Now 
we're seeing where the holes might exist in the modern era. 
Google's You Tube is a particularly troubling example. Last 
year an enormous 80 percent of 6- through 12-year-olds used You 
Tube on a daily basis yet Google claims that even its third-
most You Tube channel, Toy Reviews for Kids, is not targeted to 
children, meaning COPPA does not apply.
    Chairman Simon, in your opinion, is Toy Reviews for Kids 
targeted to children?
    Mr. Simons. Thank you, Senator. I don't want to comment on 
any specific investigation that may or may not be going on, but 
that clearly would be of concern to us, Senator.
    Senator Markey. I hope it would be a concern because 
they're collecting data from kids about what their preferences 
would be, which can be used to market back to them.
    I also sent the Commission a letter after a recent study 
found that thousands of apps were accessing children's 
sensitive information such as location without obtaining the 
required consent. The study also found that Google's app store 
is including games that aren't COPPA compliant in its kids' 
section.
    Chairman Simons, in light of this evidence, will you commit 
to investigating allegations that app developers track kids' 
each and every movement and whether app stores such as Google 
take adequate steps to ensure apps labeled as kid-friendly are 
in fact kid-friendly and do not track children?
    Mr. Simons. We got your letter and we share your concerns. 
The Commission has a long history of protecting children from 
deception and unfair advertising practices online and this will 
continue to be a priority for us.
    Senator Markey. Just for the record, new research found 
that over half of reviewed apps were violating COPPA and many 
games were collecting kids' geolocation data without consent. I 
urge you to follow up and to proceed accordingly.
    Earlier this month I sent the Federal Trade Commission a 
letter encouraging the Commission to investigate manipulative 
marketing in children's apps. A new study found that children's 
games frequently disguise advertisements, coerce children into 
making in-app purchases and, characterize themselves as 
educational when they are in fact saturated with advertising.
    Chairman Simons, do you believe this business practice 
constitutes unfair and deceptive practices under Section 5 of 
the Federal Trade Commission Act?
    Mr. Simons. Yes. Without reaching a conclusion on any 
specific issues or specific matters, nonpublic investigations 
or whatever, certainly that would--that's a concern for us.
    Senator Markey. And just a little more info here, in one 
game the main character starts crying if the child playing does 
not spend money on the app. In another game, Harvey 
continuously urges players to put on clothing that can only be 
unlocked through an extra purchase. So these are, from my 
perspective, unfair and deceptive practices taking advantage of 
kids, and we just have to do something about it. So thank you 
for that.
    And finally just let me say that we do need new protections 
for young people. Any comprehensive privacy legislation that 
Congress considers next year must include special safeguards 
for children and teens. Must update the Child Online Privacy 
Protection Act of 1998. First and foremost, we need to extend 
special protections to 13, 14, and 15-year-olds who right now 
are not covered. We only went to under 13 in 1998.
    And so toward that goal, I will be reintroducing the Do Not 
Track Kids Act of 2019. So in addition to extending privacy 
protection to teens, the bill bans targeted advertisements to 
children, creates an eraser button for parents and children by 
requiring companies to permit users to eliminate personal 
information posted by the child and prohibits the sale of 
connected devices targeted toward children and minors unless 
they meet the strongest possible cybersecurity standards.
    Commissioner Chopra, what do you think? Do we need to add 
protections into these areas?
    Mr. Chopra. Well, I hope that as part of the whole 
comprehensive privacy bill debate you look at updating that. 
There are places where we will have some ideas of where it 
needs to be updated and catch up.
    And let me just say that this is part of the reason why it 
was good Congress gave us rulemaking. Rulemaking allows us, 
with the parameters you set, to update the law based upon 
what's happening in the marketplace rather than it just staying 
static.
    Senator Markey. Yes. If we reach a consensus on nothing 
else, it should be on the children of our country not just 
being a product that all these companies trying to create for 
their own financial benefit.
    Thank you, Mr. Chairman.
    Senator Moran. Thank you, Senator Markey.
    Senator Udall.

                 STATEMENT OF HON. TOM UDALL, 
                  U.S. SENATOR FROM NEW MEXICO

    Senator Udall. Thank you very much, Mr. Chairman.
    And let me just say I'm still on the Appropriations 
Committee and I'm not going to abandon you if you want the FTC 
to have additional resources and I'm happy to co-lead a letter 
with you or whatever to push for the additional resources. I 
think it's appalling that they're below the Reagan 
administration level in terms of employees and I think we all 
know that they have made a very persuasive case on that here 
today.
    While the FTC should be conducting a significant amount of 
work to protect consumers, I'm very concerned about what the 
appointment of Matthew Whitaker as Acting Attorney General says 
about the future of consumer protection, not only in the World 
Patent Marketing case but other consumer protection enforcement 
actions.
    Before he was hired as Chief of Staff to Attorney General 
Jeff Sessions, Matthew Whitaker served as a paid Advisory 
Committee Board Member to World Patent Marketing. World Patent 
Marketing is under criminal investigation by the FBI for 
allegedly scamming millions of dollars from consumers. It paid 
a $25 million fine to settle the FTC investigation and to shut 
down the company.
    Mr. Whitaker is known to have sent at least one threatening 
e-mail to a dissatisfied customer to defend his company, and 
most shockingly, media stories say he was issued a subpoena for 
documents but failed to comply with the subpoena. Reportedly, 
he was too busy moving to go to Washington, D.C. to go to work 
for the Justice Department.
    The FTC is tasked with a critical mission, consumer 
protection, and we must do all we can to protect your ability 
to continue to do so.
    Chairman Simons, my colleagues and I sent you a letter this 
morning regarding Mr. Whitaker's involvement with the World 
Parent Marketing case. It is worrisome if a person so closely 
involved in World Patent Marketing could fail to respond to a 
lawful subpoena and that he is now appointed to be the Nation's 
chief law enforcement officer, which many believe is 
unconstitutional and illegal.
    I will now ask you a series of yes-or-no questions.
    Did the FTC seek a subpoena from Mr. Whitaker in the World 
Patent Marketing case?
    Mr. Simons. Senator, so this case was done before any of us 
showed up at the Commission and I don't have the details of 
what went on in the case. It was quite extensive. But I would 
be more than happy for the staff to come talk to you and brief 
you. They have all the details.
    Senator Udall. OK. We'd be happy to do that and we would 
really like to have solid answers on these.
    Mr. Simons. Absolutely.
    Senator Udall. If you don't have a copy of the letter, I 
hope you have it, but----
    Mr. Simons. I haven't seen it yet but I'll make sure I get 
it and----
    Senator Udall. The House is also very interested in this. 
House Democratic members wrote you about this case seeking 
information to be shared. Are you complying with that request?
    Mr. Simons. We certainly are.
    Senator Udall. OK. And you'll give us everything you're 
giving them?
    Mr. Simons. We certainly will.
    Senator Udall. OK. And you've agreed to brief us on the 
details.
    Additionally, if the Department of Justice attempts to 
interfere with the enforcement of the stipulated order against 
World Patent Marketing, will you notify both the majority and 
minority staff of this committee?
    Mr. Simons. The only reservation I have is if my general 
counsel tells me for some reason I can't do it, but absent 
that, yes.
    Senator Udall. But thinking about it here, I mean if that 
happened----
    Mr. Simons. Oh, it would----
    Senator Udall.--interfering with you, you must be concerned 
about that.
    Mr. Simons. Oh, I would be extremely concerned.
    Senator Udall. Yes, yes. And so I'm not even sure you'd 
listen to your general counsel, would you?
    That's OK.
    Mr. Simons. Yes. Any kind of----
    Senator Udall. You don't need to answer that one.
    Mr. Simons. Any kind of political intervention----
    Senator Udall. Yes.
    Mr. Simons.--would be something I would be very, very 
allergic to.
    Senator Udall. OK. Good.
    Mr. Chopra. Senator, I just want to say I have no concern 
about any of my colleagues, including the Chairman, engaging in 
any special treatment or being stooges to anybody, and you 
should have no concern that we are going to exercise our 
authority independently.
    Senator Udall. Good. Thank you.
    Ms. Slaughter. I also wanted to add that I think it's 
important. I think I can speak for all of my colleagues here 
when I say that, from our perspective, compliance with FTC 
subpoenas and investigation demands are not optional and we 
will pursue people who receive them to the fullest extent of 
the law to ensure compliance.
    Senator Udall. Thank you, Commissioner Slaughter.
    Mr. Chairman, are you aware of any previous instance when a 
potential party to an FTC order has served in a senior DOJ 
position? Can you--any of you, can you think of anyone where 
you had that situation?
    We've been trying to research it. We can't find anything. 
So do you----
    Mr. Simons. No, I'm not aware of any.
    Senator Udall. Any of you can think of anybody who has been 
promoted and the guy's now Acting Attorney General of the 
United States of America?
    OK. Thank--your blankness, I will take that as you can't 
think of any incidents. Is that fair?
    Mr. Simons. That's fair.
    Senator Udall. All of you are nodding.
    Mr. Phillips, please.
    Mr. Phillips. I just wanted to add one thing. I wanted to 
add one thing my colleague has said. And you absolutely should 
rest assured that we will not let any kind of politics 
interfere with the work we do.
    What I will also say is that the history of our work with 
the Justice Department has been a very positive thing. We've 
worked together as partners. And I hope I speak--I'm certain I 
speak for all of us when I say we all expect that to continue.
    Mr. Simons. And it has continued.
    Senator Udall. Yes. And I know that very well. That's what 
concerns me. I'm very aware of what you're saying.
    Mr. Simons. We recently had a big case involving Moneygram 
where they did a terrific job working alongside our staff and 
we recovered $125 million.
    Senator Udall. Yes. Thank you all for your service. Really 
appreciate the work you do on behalf of consumers.
    Thank you, Mr. Chairman. Sorry for running over a little 
bit there, but I was kind of taking General Blumenthal's lead 
here. That's how I know him. You know, we're former attorneys 
general. He served 20 years. I only served 8, so I still call 
him General.
    Senator Moran. And part of your time was indicting a 
willingness to cooperate with me, so I wasn't counting it, 
Senator Udall. Thank you.
    Senator Hassan.

               STATEMENT OF HON. MAGGIE HASSAN, 
                U.S. SENATOR FROM NEW HAMPSHIRE

    Senator Hassan. Well, thank you, Mr. Chair and Ranking 
Member Blumenthal. Thank you for holding this hearing.
    And thank you to all of the commissioners. Thank you for 
your service and for your testimony and answers today.
    I want to start by following up on the topic of how we're 
doing on protecting our kids that Senator Markey started to 
raise.
    Earlier this year at the confirmation hearing for most of 
you, I discussed the possibility of the FTC examining the issue 
of children in the videogame space. Specifically we discussed 
loop boxes which allow in-game purchases with real currency, 
for surprise winnings, and most of you agreed that this is an 
area that could use additional oversight by the FTC.
    Loop boxes are now endemic in the videogame industry and 
are present in everything from casual smart phone games to the 
newest, high-budget videogame releases. Loop boxes will 
represent a 50-billion-dollar industry by the year 2022 
according to the latest research estimates.
    Children may be particularly susceptible to engaging with 
these in-game purchases which are often considered integral 
components of videogames. And just this month, Great Britain's 
gambling commission released a report finding that 30 percent 
of children have used loop boxes in videogames. The report 
further found that this exposure may correlate with the rise in 
young problem gamblers in the United Kingdom. Belgium, the 
Netherlands, Japan, and other countries have all moved to 
regulate the use of loop boxes in videogames given this close 
link to gambling.
    So given the seriousness of this issue, I think it is in 
fact time for the FTC to investigate these mechanisms to ensure 
that children are being adequately protected and to educate 
parents about potential addiction or other negative impacts of 
these games.
    Would you commit to undertaking this project and keeping 
this Committee informed about it?
    Mr. Simons. Yes.
    Mr. Chopra. Yes.
    Mr. Phillips. Yes.
    Senator Hassan. I'm seeing nodding heads.
    Ms. Wilson. Yes.
    Ms. Slaughter. Yes.
    Senator Hassan. Wonderful. Thank you.
    I also wanted to follow up on something that I know is of 
an interest to Commissioner Slaughter, and Commissioner Wilson, 
you mentioned it too, so maybe I'll just--I'll start with you, 
Commissioner Slaughter, and then we'll let anybody else who 
wants to respond.
    We've discussed that the heroin, fentanyl and opioid crisis 
is our most pressing public health and safety challenge facing 
both my home state of New Hampshire and the home states of just 
about everybody in the United States Senate. It's taking a 
massive toll on our communities, our workforce, our economy.
    So we all understand that this is an epidemic that impacts 
people from all walks of life, in every corner of every state, 
and it really requires a concerted, all-hands-on-deck response 
and approach including from agencies that may not traditionally 
be focused on some of the issues that the epidemic presents.
    It's my understanding that the investigation surrounding 
deceptive marketing practices with regard to products like 
opioids. And Commissioner Wilson, you mentioned recovery 
programs as well. But it's my understanding that right now 
these are handled through a 1971 Memorandum of Understanding 
between the FTC and the FDA.
    Is the protocol from 1971 working specifically for opioids 
or should we revisit this to ensure that we're doing all we can 
to fight the epidemic? And I'll start with you, Commissioner 
Slaughter.
    Ms. Slaughter. Thank you for the question, Senator. As a 
parent, as a person, the opioid epidemic literally keeps me up 
at night and I agree with you that it is something that 
requires an all-hands-on-deck.
    Too many of these addictions start with legal 
prescriptions----
    Senator Hassan. Right.
    Ms. Slaughter.--in the first place, and so I think one of 
the really important tools we need to apply is all collective 
efforts to keep people from getting addicted to begin with. And 
I think it is a great idea for the FTC, the FDA, DOJ to all sit 
down together and consider how we can best employ the statutory 
tools at all of our disposal to most effectively combat this 
epidemic where it starts.
    Senator Hassan. Thank you.
    Commissioner Wilson, would you like to comment?
    Ms. Wilson. I agree with Commissioner Slaughter's comments. 
I would also like to note my understanding since I arrived is 
that the FTC and the FDA have been working closely on ways to 
combat this problem together----
    Senator Hassan. Right.
    Ms. Wilson.--have sent out letters to marketers of products 
that appear to have false claims. But I agree that if there are 
ways that we can work more closely together, we should be doing 
that.
    Senator Hassan. Thank you.
    Anyone else want to comment?
    Mr. Chopra. I guess I'll just say that we now know years 
later that the maker of OxyContin knew----
    Senator Hassan. Right.
    Mr. Chopra.--that their drug was very addictive, being 
snorted, and they continued to advertise it as the less 
addictive pill.
    Now, if we don't figure out how to sanction companies like 
this, we will see this happen again----
    Senator Hassan. Right.
    Mr. Chopra.--in a different field. So we need to see all of 
this that is happening as downstream from that.
    Senator Hassan. Yes.
    Mr. Chopra. We know that what happened, we did not get 
justice there, and so we have to be on alert and maybe be 
thinking broadly about how are we going to hold pharmaceutical 
companies accountable when they break the law repeatedly? You 
know, we grant them government patents----
    Senator Hassan. Right.
    Mr. Chopra.--for them to promote innovation, but when they 
consistently abuse it, we really need to think about what the 
sanction should be.
    Senator Hassan. Thank you all for that, and I look forward 
to working with you all on it. Thank you. Thank you, Mr. Chair.
    Senator Moran. Senator Cortez Masto.

           STATEMENT OF HON. CATHERINE CORTEZ MASTO, 
                    U.S. SENATOR FROM NEVADA

    Senator Cortez Masto. Thank you. Thank you, Mr. Chair and 
Ranking Member for holding this hearing, and welcome to all 
five of you.
    Let me just say I am very supportive and have been over the 
years of the FTC and have, similar to my colleagues, as an AG, 
worked closely with the FTC and so appreciate your candor in 
coming forward and talking about the needs and the direction, 
where you see we need to be focused for the future.
    I do support additional resources. I think you are 
understaffed for just the very reasons we talked about today, 
and I know, as somebody with former law enforcement, yes, you 
can always use more money, but it can be used so effectively to 
not only protect consumers and competition but we've seen the 
positive impacts of it. So I support any direction that we move 
forward for your organization.
    Let me jump back, though, to the conversation that we have 
on privacy and data security. This is our future, and we need 
to get a handle on this. That's why this is a discussion that I 
so appreciate some of my colleagues are working on legislation. 
I'm looking at something as well.
    But one of the conversations we've had over many hearings 
is this idea of data minimization, and as you are aware, we're 
talking about this is the idea that businesses should only 
collect, process, and store the minimum amount of data that is 
necessary to carry out the purposes for which it is collected. 
But we also know that at the same time we are in the age of big 
data analytics which is going to be necessary as we move 
forward with smart communities, artificial intelligence, so 
many important technological future for the use of this 
technology.
    I'm curious on your thoughts on how we balance that. And 
let me put it to you this way: A lot of the questions on this 
have been asked on your thoughts on how we address data 
security and privacy.
    One of the things I heard, though, was the targeted 
rulemaking authority FTC should have, and I'm curious.
    And I know that was Commissioner Wilson; you talked about 
that. What do you mean by targeted? And if you could address 
it.
    Are you including in that the idea that finding this 
balance between minimization as well as big data analytics and 
how, by giving you that targeted authority, it allows you to 
kind of grow into this space and evolve and be flexible with it 
without Congress coming in and dictating this is where you can 
only go and this is where you cannot go? So I'm curious just if 
you don't mind talking a little bit about targeted rulemaking 
authority.
    Ms. Wilson. Sure. To take a step back, when you talk about 
the data minimization and artificial intelligence, these are 
topics that the FTC is exploring in the hearings that are being 
held. We have held a number of hearings on related topics. We 
will continue to explore these topics. We appreciate the input 
that we have been provided and we are working through that 
input with the FTC staff and so we will continue to think about 
and grapple with these issues.
    In terms of the rulemaking that I mentioned, Congress 
enacted COPPA, Gramm-Leach-Bliley, a number of other laws and 
then delegated to the FTC after creating the broad strokes of 
the legislation filling in the gaps and creating some of the 
specifics to the rulemaking authority of the Federal Trade 
Commission. I do agree that that would be appropriate here.
    As my fellow commissioner, Commissioner Phillips, 
mentioned, we do believe it is appropriate for Congress to 
establish the balance between the different values that are 
being considered but then to ask the FTC as the expert agency 
to help flesh out some of the specifics and then to maintain a 
rule going forward that can evolve as the market evolves.
    Senator Hassan. Please, go ahead.
    Ms. Slaughter. I want to add that I think some of the 
benefits of rulemaking that are important to consider are, 
first, flexibility. As technology evolves and practices evolve, 
we want rules to change and evolve and keep pace with them, and 
rules can change and evolve more easily and more quickly than 
statutes can, often.
    And the second is the element of rulemaking that involves 
openness, transparency, and stakeholder involvement. Notice-
and-comment rulemaking requires an opportunity for 
stakeholders, public advocates, good government groups to have 
an opportunity to consider the rules that we might propose, to 
issue comments, to have us reconsider them. And that back and 
forth is a really important part to keep, make sure we're doing 
it right and make sure stakeholders are actively engaged. I 
think those are benefits that are important to keep in mind as 
you consider crafting legislation.
    Senator Hassan. Thank you.
    Mr. Chopra. Senator, on minimization, this is really in 
some ways not a new concept. In the Fair Credit Reporting Act, 
there's disposal. In COPPA, there are some minimization 
concepts. In GDPR and many of the other global privacy laws, 
data minimization is key.
    And I want to be responsive to your question. You can still 
harness some of the benefits without necessarily keeping a 
dossier on every individual consumer about individual data. If 
you run a search engine, your algorithm can get better and 
better without you keeping the search history of every single 
person who has used it. So I'm not sure the tradeoffs are 
incredibly hard. They need to be thoughtful.
    But I think that balance and minimization, that's becoming 
the global norm, and because the U.S. has not really passed a 
comprehensive privacy law, the rest of the world is essentially 
already converging around that, so I expect that our firms are 
also going to be complying with that anyway.
    Senator Hassan. OK. Thank you. I notice my time is up. 
Thank you.
    Senator Moran. Senator Capito.

            STATEMENT OF HON. SHELLEY MOORE CAPITO, 
                U.S. SENATOR FROM WEST VIRGINIA

    Senator Capito. Thank you, Mr. Chairman. Thank all of you. 
Thank you for your service and thank you for being with us 
today.
    I recently had a birthday, and my phone rang and I looked 
down and I thought, oh, I'm sure this is a birthday greeting 
from one of my friends that I didn't have in my address book, 
and lo and behold, it was a robocall trying to sell me 
insurance. I cannot tell you how many times my constituents say 
to me, Congress has got to do something about this. I thought 
we had. We addressed it. We've had hearings on it.
    And so I guess my question to you is because I know there's 
some jurisdictional issues with FCC and FTC, so I'm going to 
throw it open to the panel. How can we stop this practice of 
spoofing numbers and locations onto your phone? And really for 
elderly people, which I represent a state that has a lot of 
elderly people, when you tell your grandmother don't pick up 
the phone unless you know who it is, you could be doing her a 
good service or maybe not such a good service because it could 
be somebody registering an emergency call or something to help 
her out.
    So would anybody like to tell me the status of this and 
who's really taking the lead here between the FCC and the FTC?
    Mr. Simons. I think this is a joint effort. So they have 
authority and powers that we don't have and maybe vice versa. 
So we work with them to try to--like for example, one of the 
things that they have done recently is empower the carriers to 
do some call blocking and identification, which is helpful.
    On our side, one of the things that we have done is run 
technology challenges that have produced some software which is 
now on the market which you can load onto your smart phone and 
which will block robocalls, and one of them even will send the 
call to a bot which will keep the robocaller online 
indefinitely, wasting their money and time and not yours.
    One other thing I would say is that I think it would be a 
significant help to us in dealing with these robocalls if we 
got rid of the common carrier exemption because a lot of the 
robocalls are coming through specific carriers and these 
carriers know that they are transmitting robocalls.
    Senator Capito. So that would take a legislative action, 
then?
    Mr. Simons. Yes.
    Senator Capito. To block that.
    Mr. Simons. Right.
    Senator Capito. Well, you know, again, I think it's 
frustrating and a challenge. We all get it. But for particular 
reasons, I think it can be damaging to individuals.
    Mr. Simons. Oh, yes.
    Senator Capito. I'm going to change to the topic of 
fraudulent addiction and recovery centers. I believe 
Commissioner Wilson mentioned it in her opening statement. 
Senator Cortez Masto and I were able to get that into the big 
bill based on stories of people either--I guess the term is 
``body brokering,'' which I hadn't really heard, or convincing 
addicts to attend fraudulent rehab centers.
    Not really having a quality index of rehab centers and 
particularly for an area like mine and other areas that are 
deeply affected, this is of grave concern.
    So Commissioner Wilson, could you speak to that a little 
bit, what direction the FTC is going on this?
    Ms. Wilson. So my understanding--of course I've been there 
just a few short weeks, but my understanding is that staff is 
very focused on monitoring claims that are made and ensuring 
that claims that are made are valid and accurate, and to the 
extent they're not, staff is pursuing those claims. There are a 
number of non-public investigations that are ongoing right now, 
and I think we all agree with you that this is a significant 
issue. If people are addicted and are seeking to end that 
addiction, they need legitimate help as soon as they are ready 
to receive it, and wasting time and money with false or 
ineffective treatments is a travesty.
    Ms. Wilson. Or even treatments where you fraudulently bring 
them into your system for treatment and all you're doing is 
giving them more drugs at the same time. I know a couple of 
those cases have come up.
    But I know as friends of parents who have had this issue, 
you're going to do anything you can to help your child or your 
husband or your wife, whoever it is, and you're so vulnerable 
at this time, especially maybe it's not your first treatment 
but it's your second or third and numerous overdoses and 
everything. So this is an area of great concern.
    Did anybody else want to speak about that on the panel? 
Yes. Commissioner Phillips, yes.
    Mr. Phillips. I just wanted to thank you both for your 
efforts. You've given us new authority and we mean to use it.
    Senator Capito. OK. Last question I have on fraudulent 
marketing would be the--I didn't realize this was a problem but 
my staff brought it to my attention--the fraudulent ``Made In 
America'' label. How prevalent is this and what are some of the 
means you're going to use to try to curb this practice?
    Mr. Simons. This is fairly prevalent. We get hundreds of 
these, hundreds of complaints a year that people are improperly 
using the Made In the U.S.A. label, and we are committed to 
investigating those.
    I mean usually a lot of times what happens is the firm, the 
company doesn't even realize that it's a violation and so we 
explain to them it's a violation and they stop it.
    Sometimes companies do it intentionally. Sometimes we tell 
them and they don't stop, and those people we sue. And one of 
the things that we're exploring now, as a general rule, we've 
only gotten injunctive relief in cases like this previously but 
now we're exploring whether we can find a good case that would 
be appropriate for monetary relief to serve as an additional 
deterrent.
    Mr. Chopra. I just want to add here that I think there are 
manufacturers out there who hire American workers and who 
purposefully do that because they want to put the flag on their 
product, and for those who lie, this cheapens the Made In 
U.S.A. label. So it's not just hurting American consumers, it's 
hurting every American manufacturer who----
    Ms. Wilson. Right.
    Mr. Chopra.--is trying to do right. So you know, I want us 
to be much more aggressive with this, actually, and if you and 
Senator Cortez Masto want to team up again, you know, finding 
civil penalties for some of these bad actors, we can really 
make sure we increase compliance levels.
    And I got to tell you, right now there's country-of-origin 
labeling issues in agriculture, country-of-origin issues in 
product marketing. We have to do more to put a stop to this 
because this is extremely unfair to honest companies.
    Ms. Slaughter. I would agree with everything my colleagues 
have said and I would add that Commissioner Chopra's point 
about financial-penalty authority is a well-taken one. In order 
for us to assess monetary--we'd say penalties, but in order for 
us to get a monetary remedy right now we'd have to show a 
monetary harm and show a price premium and make that 
demonstration. That can be very difficult to do.
    So we can't just say you've broken the law, now pay the 
government money, even if the ability to do so might really 
deter some of this reprehensible behavior.
    Mr. Chopra. We would like to reduce these--or at least I 
would like to reduce these settlements that end in no money, no 
findings of fact, no nothing. We just received a comment letter 
from a company who actually was denied the ability to sell 
their products to the members of the military because one of 
our respondents actually was violating this. So this is 
extremely unfair and we need to fix it.
    Senator Capito. All right. Thank you.
    Thank you, Mr. Chairman.
    Senator Moran. Senator Blumenthal surprised me and 
indicated he has a couple more questions.
    Senator Blumenthal.
    Senator Blumenthal. Thanks, Mr. Chairman. I know how 
grateful you are for my additional questions.
    I want to again, by the way, in all seriousness, thank 
Senator Moran for his leadership here. Believe it or not, we 
have an excellent team going. And I want to thank our staff who 
have prepared for this hearing.
    And come back to the Whitaker issue that was raised with 
you, Mr. Simons, Chairman Simons. There has been a report that 
Mr. Whitaker contacted one consumer to say that there would be, 
in quotes, serious civil and criminal consequences, end quote, 
if that consumer engaged in any further online negative reviews 
of World Patent Marketing.
    Are you aware of that report?
    Mr. Simons. I've seen that; yes, sir.
    Senator Blumenthal. Are you aware of facts that would 
substantiate it?
    Mr. Simons. I don't have the detail on that.
    As I mentioned to Senator Udall, this case was completed 
before we showed up. We would be happy----
    Senator Blumenthal. Well, it was----
    Mr. Simons. And we would be very happy to have the staff 
who has all the details provide a complete briefing for you.
    Senator Blumenthal. Are you aware of facts that would 
substantiate that report?
    Mr. Simons. Personally, no.
    Senator Blumenthal. But your staff has such facts?
    Mr. Simons. My staff has--has the facts.
    Senator Blumenthal. OK. You would agree with me, would you 
not, that that kind of statement----
    Mr. Simons. That's troubling.
    Senator Blumenthal.--would be improper?
    Mr. Simons. That's troubling, yes.
    Senator Blumenthal. And possibly illegal.
    Mr. Simons. That's troubling.
    Senator Blumenthal. Are you aware of a subpoena that was 
issued to Mr. Whitaker? Or that Mr. Udall, Senator Udall has 
asked you a similar question. I'm asking you whether you're 
aware of any subpoena that's been issued to Mr. Whitaker by the 
FTC?
    Mr. Simons. I haven't studied what subpoenas have been 
issued in that case but, like I said, the staff has all the 
details, and it's not a secret. They would be more than happy 
to provide a briefing.
    Senator Blumenthal. Are you aware that the e-mail Mr. 
Whitaker sent to that consumer was on the FTC's docket in that 
case?
    Mr. Simons. I'm not aware personally of that.
    Senator Blumenthal. Would you be aware of subpoenas that 
have not been complied with?
    Mr. Simons. Potentially, but, you know, I'm not aware of 
what happens with every subpoena that the Commission issues. We 
issue lots of subpoenas.
    Senator Blumenthal. This subpoena is a pretty high-profile 
one; correct?
    Mr. Simons. Like I said, we weren't at the Commission when 
this was voted out.
    Senator Blumenthal. Would you agree with me that anyone, 
particularly somebody involved in the case as a potential 
defendant, has an obligation to comply with FTC subpoenas?
    Mr. Simons. Yes, we definitely expect people to comply with 
subpoenas when we issue them.
    There might be circumstances where they wouldn't. Like so, 
for example, if the case--if the subpoena went out and the case 
settled the next day, then you don't go out and try to enforce 
the subpoena because you've gotten what you need already and 
you've settled the case.
    But generally, if we need the information, we should 
enforce the subpoena.
    Senator Blumenthal. But that kind of circumstance was not 
present here, was it?
    Mr. Simons. I don't know. But like I said, the staff would 
be happy to brief you.
    Senator Blumenthal. Well, I'm asking you these questions 
not only because they are significant to Mr. Whitaker but they 
are important to compliance with your subpoenas. If World 
thinks that they can claim, well, I'm moving from one house to 
another or I'm moving from Washington, D.C. to Iowa or Iowa to 
Washington, D.C. and that's enough reason to just say forget 
about it, you'll have diminished compliance with your 
subpoenas, and that will take more resources to enforce them. 
So----
    Mr. Simons. I agree.
    Senator Blumenthal.--it's really in your interest to have 
answers to these questions.
    Mr. Simons. Yes, I agree.
    Ms. Wilson. If I can jump in for one minute.
    Senator Blumenthal. Yes, of course.
    Ms. Wilson. As a senior commissioner on the Commission, it 
is my responsibility to work with the general counsel's office 
to respond to motions to quash or motions to limit subpoenas 
and CIDs. I can tell you we take this very seriously. There has 
been an instance recently where I worked with the general 
counsel's office to say, No, we are not going to quash the CID 
and we fully expect that the respondents will not comply, and 
we will take them to court to make sure we get the information 
that we need from them. I've actually told my staff I'd like to 
sit in the investigational hearing when those people are 
brought in to give testimony because I'd like to see who it is 
that wants to flout the authority of the Federal Trade 
Commission. So we do take this very seriously.
    Senator Blumenthal. I'm sure you do.
    Well, let me ask you, Mrs. Wilson. Do you have knowledge of 
this subpoena to Mr. Whitaker?
    Ms. Wilson. I have no knowledge of these circumstances, no.
    Senator Blumenthal. And why not?
    Ms. Wilson. Because I was sworn in two months ago.
    Senator Blumenthal. Well, you had to know we were going to 
ask you about it today; right?
    Ms. Wilson. The Chairman's office has been dealing with 
this issue, it's my understanding, and I have not been briefed 
on this topic.
    Senator Blumenthal. Well, I really think that you owe this 
Committee answers quickly about this subpoena for the sake of 
your law enforcement credibility.
    Mr. Simons. We're happy to provide the details. The staff 
can give a briefing; they can be full and open and it's not an 
issue. We'd be happy to do it.
    Senator Blumenthal. And when you're going to be full and 
open, I assume there's no problem with our disclosing ----
    Mr. Simons. No.
    Senator Blumenthal.--the circumstances because the case has 
been settled; correct?
    Mr. Simons. Correct.
    Senator Blumenthal. OK. And by the way, a 26-million-dollar 
settlement, that's not a nickel-and-dime. It's an all-time 
case.
    Mr. Simons. No. That's a serious case for us, absolutely.
    Senator Blumenthal. Right. Has anyone from the White House 
ever communicated with you about this case?
    Mr. Simons. Not with me.
    Senator Blumenthal. With anyone in the FTC, whether it's 
the staff or any of the present or past commissioners?
    Mr. Simons. Certainly not that I'm aware of.
    Senator Blumenthal. Any other commissioners aware of any 
contact from anyone in the White House from the President on 
down about this case?
    And the record should show that everyone is shaking their 
heads no.
    And are you aware of the White House contacting anyone at 
the FTC about Mr. Whitaker if not about this case?
    Mr. Simons. No.
    Senator Blumenthal. And the same is true of others.
    Mr. Simons. No.
    Senator Blumenthal. Has the White House contacted you, Mr. 
Chairman, or other commissioners about hiring anyone for either 
the FTC staff or in any other capacity?
    Mr. Simons. I don't remember anything like that.
    Senator Blumenthal. No one has asked you to hire anyone 
either from the private sector or from another government 
agency?
    Mr. Simons. I don't remember. I mean I don't have--I have 
very little contact with the White House.
    Senator Blumenthal. What kind of contact do you have?
    Mr. Simons. I have had lunch at the White House mess where 
I was introduced to the nominee for the BCFP and the General 
Counsel of the Commerce Department because our agencies, you 
know, work together, and that's really about it.
    Senator Blumenthal. And the purpose of that lunch was to 
introduce you to those individuals?
    Mr. Simons. Yes.
    Senator Blumenthal. OK. And I'm assuming that you will let 
this Committee know of any contacts between you or any of the 
commissioners and the White House staff, meaning any of the 
political appointments including the President.
    Mr. Simons. You mean in conjunction with Mr. Whitaker?
    Senator Blumenthal. Or in any other way. Can we have that 
commitment from you?
    Mr. Simons. I think I would like to talk to the General 
Counsel just to make sure there's not a reason that I can't do 
it.
    Senator Blumenthal. I'm happy to give you that opportunity. 
Thank you.
    That concludes my questions, Mr. Chairman. Thank you.
    Senator Moran. Senator Blumenthal, thank you very much. As 
you indicated, I appreciate the opportunity to work with you.
    Let me ask a couple of questions and then I think we can 
conclude this hearing.
    There has been concerns raised about the recently adopted 
California Consumer Privacy Act. Those concerns--that Act is 
expected to take effect in 2020. The concerns are that that 
legislation will influence other states to enact their own 
versions of privacy regulations, each of which would 
potentially impose differing obligations on companies and 
different types of protections and remedies for consumers.
    As the Federal agency that has primary expertise over 
unfair and deceptive practices affecting interstate commerce, 
what are your thoughts about this state-by-state approach to 
regulating privacy practices of U.S. companies and whether that 
complicates the consumer's ability to enjoy the same privacy 
protections no matter where they live or use the Internet?
    Do you believe that there is a potential for consumer 
confusion between Federal standards and varying state-by-state 
approaches?
    Mr. Simons. I'll take that.
    Sure. I think that is a possibility. If you've got a good 
Federal statute and you've got state statutes that are either 
inconsistent or varied, I think you can get confusion, and 
depending on the right--you know, what the mix is and the 
details, Federal preemption might be the way to go on that.
    Senator Moran. Mr. Phillips.
    Mr. Phillips. Thank you, Senator.
    One of the things that I've said publicly, including here 
today, about Federal privacy legislation is that we should keep 
competition in mind. For large businesses, it's easy to deal 
with lots of different compliance costs. For smaller 
businesses, having one clear rule can help them compete.
    Mr. Chopra. Can I just add that of all the preemption that 
occurs, you should tread very, very carefully. We saw how 
preemption of state law in the mortgage market--and the same 
argument was used about making sure that there's enough entry, 
not confusion. That preemption of state laws there was 
catastrophic, and there are certain states that may want to 
have higher standards than the Federal law.
    We can talk about material conflicts, but broad preemption 
I think would be a huge mistake, but I'm happy to keep talking 
about that with you and figure out how we can balance all the 
things you're concerned about.
    Ms. Slaughter. I would say that I am not concerned about 
states that want to have strong laws. I am concerned about the 
idea of inconsistent laws between states. I think there could 
be a case for Federal preemption as long as a Federal law was 
really meaningful and really strong. I would be very concerned 
about a weak Federal law that replaced strong state laws.
    Ms. Wilson. I do respect federalism and states as 
laboratories for democracy. In the words of Justice Brandeis, 
the states provide an important opportunity to conduct novel 
social and economic experiments.
    And so I would be wary of advocating for preemption in very 
many circumstances. But I think in this kind of circumstance, 
it will be important to do that. I think for the reasons you 
described, for consumer confusion but also businesses need 
clarity and predictability so that we don't dampen innovation 
and chill competition.
    As Commissioner Phillips noted, if there are small 
companies trying to get into the marketplace and they are 
looking at a patchwork of laws, it raises the costs for them to 
enter, and so I think in this kind of circumstance preemption 
would be useful for consumers and useful for competition 
itself.
    Senator Moran. I have great regard for everyone's 
commentary on this topic. It's a challenge.
    Ms. Slaughter, you did say something that catches my 
attention in that this may be the way to find the solution to 
this issue is by the strength of the Federal law. In other 
words, there's a give and take that takes place here, something 
that we can further explore as we try to figure out a solution 
to Federal legislation.
    I support privacy rules that afford consumers the same 
protection no matter where they are in the Internet ecosystem, 
slightly a different topic than the one that we just were 
talking about.
    Would you agree that regulating and enforcing privacy rules 
based on the sensitivity of the data collected, used or 
transferred or stored is a preferred approach and in the best 
interest of consumers in terms of certainty and transparency? 
In other words, the standard, the focus should be on the type 
of data that's involved and its consequences of being impaired 
from privacy protection.
    Senator--oh, I've call you Senator twice. I've promoted you 
on two occasions and I'm sorry. Commissioner Phillips.
    Mr. Phillips. In my heart, Senator, I'm still a staffer.
    What I would say is this: The system we have today in 
America, the system we've had for a long time protects health 
information especially; it protects information about children, 
it protects financial information. And that reflects a 
collective judgment that there are certain kinds of data that 
the disclosure of which inappropriately may pose greater risks 
and may require greater care.
    Additionally, something we talk a lot about in the privacy 
world is the idea of context; you know, what consumer 
expectations are in a given circumstance. It may be reasonable 
for a consumer to expect more sensitive data to be treated with 
more care, so I definitely think that there is a wisdom to how 
things have long been done. There's a collective wisdom 
reflected in our laws today.
    I'm sorry. I think that's definitely an important issue to 
keep in mind. Thank you.
    Senator Moran. Let me turn to a different topic. The FTC 
began holding open hearings in September to evaluate evolving 
technologies and business practices in an increasingly 
globalized economy while also identifying possible changes to 
competition and consumer protection laws and enforcement 
priorities.
    Other topics including data security and privacy are 
scheduled to occur in the near future, as I understand, in 
early 2019. What would you describe as a high-level takeaway or 
priority action item that you've identified through this public 
process to date?
    What have you learned so far, Mr. Chairman?
    Mr. Simons. I think what we've learned so far is a lot of--
we've gotten views from both sides of the spectrum across a 
whole range and so we're getting terrific input. We've had 200 
people testify already from diverse backgrounds and we've had a 
large number of written comments, some of them very detailed 
and very thoughtful, so we're getting a lot of input.
    I think at this point we're still--we still have more to 
go, and in particular, we're going to get comments at the end 
of the process. So I think as of this point we are still 
absorbing the input and synthesizing it and we don't really 
have any takeaways in terms of what the specific output of the 
hearings is going to be.
    Mr. Chopra. Senator, one initial takeaway I have is that 
data is a more and more valuable asset every day to firms that 
are in our economy. The traditional ways we have looked at how 
to enforce some of our laws, whether it be on the antitrust 
side or the consumer protection side, we are trying to develop 
further views on that because there is clearly a race to get 
all of our data and figure out how to monetize it in a big way.
    This raises some issues that we deal with. It raises 
national security issues. But we are in learning mode. But 
certainly we have to accept that we are going to do our job in 
a very data-oriented economy where that is similar to gold.
    Senator Moran. Thank you for that comment. I have one 
question and then I'm going to turn to Senator Cruz.
    This one is for Commissioner Slaughter. As you are well 
aware, we were successful in enacting better online ticket 
sales, the Bots Act in 2016. We provided the FTC and state 
attorneys general authority to treat any, quote, circumvention 
of a security measure, access control system or other 
technological measures including online bots to suppress ticket 
purchasing limits as an unfair or deceptive practice.
    I understand there's an upcoming workshop on this topic and 
I was interested if you would explain this to me. But more 
broadly than that, how are we coming along on the enforcement 
of the Bots Act?
    Ms. Slaughter. Thank you for the question, Senator. This is 
one of those issues like robocalls that people really care 
about. Consumers really, really care about it and it really 
makes them nuts when they cannot get tickets to their favorite 
show or a play, and that's an important thing for us to take 
seriously.
    So it was my pleasure and privilege and honor as a Senate 
staffer to work with your office on the legislation and now it 
is my pleasure and privilege and honor to be in the position of 
considering the enforcement of it. So I would say two things to 
you.
    First in terms of enforcement, we're actively monitoring 
for enforcement opportunities. It's an important tool that 
we've been given and we need to use it and we would like to use 
it.
    And then in terms of the workshop, our goal I think is to 
gather stakeholders, get input to make sure we're staying 
abreast of the technological developments in the ticket 
industry. It is a very fast-moving target and so we want to 
make sure we know what's going on, we're targeting our 
investigations and enforcement efforts appropriately and that 
we're appropriately communicating with you to make sure that we 
continue to have the tools we need to try to tackle this 
important problem.
    Senator Moran. Do you have any colleagues as commissioners 
who don't share your enthusiasm for the Bots Act that I need to 
question?
    Ms. Slaughter. I cannot imagine that any of my colleagues 
don't share my enthusiasm.
    Senator Moran. Well, maybe I should ask them.
    Are there any commissioners who do not share the enthusiasm 
for the Bots Act?
    Mr. Phillips. That was a double negative, but we share her 
enthusiasm.
    Senator Moran. Thank you.
    Senator Cruz.

                  STATEMENT OF HON. TED CRUZ, 
                    U.S. SENATOR FROM TEXAS

    Senator Cruz. Thank you, Mr. Chairman. Welcome everyone, 
and I would ask you to convey my well wishes to all the 
wonderful people that work at the FTC.
    Mr. Simons. I would be happy to do that.
    Senator Cruz. It's good to see you.
    I want to raise a topic that we've discussed at some length 
in the past, which is big tech, and there are many issues about 
big tech that intersect with the FTC's mission and mandate.
    So I want to start with this past spring the Commission 
received several requests to investigate Google's alleged 
violations of privacy. One request from Senators Blumenthal and 
Markey detailed what they described as Google's deceptive and 
intrusive collection of location information on android smart 
phones. Another request came from the Electronic Privacy 
Information Center raising concerns about Google's tracking of 
in-store purchases.
    Yet another was filed by seven consumer groups about 
Google's deceptive-by-design user privacy settings, and the 
list goes on.
    And I wanted to ask Chairman Simons has the Commission 
investigated the claims in those letters and what have you all 
found?
    Mr. Simons. So I can't talk about any specific non-public 
investigation, as you know, but one thing I will say is that if 
you read about it in the press, if there's a Congressional 
letter that points out a potential problem, we are on it.
    Senator Cruz. Good.
    Mr. Simons. We look at those things very carefully.
    Senator Cruz. I am glad to hear that.
    Let me ask a broader question to each of the commissioners.
    During the February nomination hearing which most of you 
all participated in, I highlighted concerns that was raised in 
an article published in Esquire that detailed how, quote, 
Facebook and Google are together worth $1.3 trillion, which to 
put that in perspective, you could merge the world's top five 
advertising agencies with five major media companies and still 
need to add five major communications companies. And by the 
way, that would be WPP, Omnicon, Publicist, IPG, Dentsu, 
Disney, Time Warner, 21st Century Fox, CBS, Viacomm, AT&T, 
Verizon, Comcast, Charter, and DISH all merged into one giant 
company and that would still only total 90 percent of what 
Google and Facebook are together worth.
    Does the Commission have concerns about that massive 
accumulation of power that big tech has and, in particular, how 
should antitrust law approach that massive concentration of 
power?
    Mr. Simons. Thank you, Senator.
    So in the antitrust context, we're worried about exercise 
of market power, right? And so that's where you want to look 
for the anticompetitive conduct; that's where you want to look 
for your case generation and for your investigations. And so of 
course when you've got a situation . . .
    But let me say this, also, which is that the fact that 
they're big doesn't mean it's a problem under the antitrust 
laws. Big is not necessarily bad. But if you got big by being 
bad, if you got big through anti-competitive conduct or you're 
staying big because of anti-competitive conduct, that's 
something that we need to prohibit and we need to stop.
    Senator Cruz. Any other commissioners have thoughts on 
that?
    Mr. Chopra. Senator, I'll just add that if you talk to 
investors, many of them will tell you that they're not going to 
fund a new startup unless they can figure out how to sell that 
company to an existing large incumbent like Google and 
Facebook. And that makes me question, do we have a really 
competitive, innovative economy where investors are putting 
money only into ideas that they can sell to an existing 
incumbent?
    We should want to live in an economy where people are 
investing to create new ideas that challenge and that create 
real rivalry. And I worry about writ large when companies are 
trying to get going but a larger incumbent can seal their fate 
by cutting them off. So you know, we take these issues 
seriously on the privacy side and the antitrust side, but it is 
clear that we have to think about this hard and so do you.
    Senator Cruz. I think you raise good and important concerns 
there.
    Let me shift the discussion slightly to a different aspect 
of big tech's power, which is as I'm home in Texas and 
listening to Texans, a concern that I hear on virtually a daily 
basis is that the major technology companies are far too 
willing to engage in censorship, that are using their market 
power to silence voices in the political market's face and the 
public discourse with which they disagree.
    In recent weeks, media outlets have reported that Facebook 
fired a senior executive because of his political views. We've 
also seen Twitter recently getting bolder and bolder, blocking 
conservatives altogether from speaking and just banning them 
from the platform because what they were saying was 
inconsistent with Twitter's political views.
    And one of the frustrating things from the perspective of 
this Committee is that there is virtually no transparency. 
There are no objective data. Twitter, Facebook, Google, they 
don't answer any questions. They don't answer the extent to 
which they are silencing people, the extent to which political 
bias is affecting those decisions.
    How can and should the FTC address that concern that is 
being raised? And it is a concern of millions across the 
country.
    Mr. Simons. It's not clear to me that the FTC should be 
addressing that at all. What you're describing is something 
similar to what the FCC used to do with the Fairness Act and so 
maybe there's an FCC angle there that it is appropriate for 
either the Congress to pursue or maybe the FCC to pursue. But 
unless it's something that relates to a competition issue or 
its unfair or deceptive, then I don't think we have a role.
    Mr. Chopra. I'll just add here that I think the public, 
you're right, knows very little about how some of these 
companies make decisions, and there are free speech issues 
which may not be in our, you know, authority.
    But certainly, and as you know, Senator Cruz, the FTC has 
its 6(b) authority where we can compel certain information 
about business practices, and based upon a vote of the 
Commission, make some of that information public.
    I think the FTC is well situated to do quite a bit of study 
and reveal some of those findings about how some of these 
companies operate but I will think hard about what you're 
mentioning about speech as well.
    Senator Cruz. And I would very much encourage you to do so.
    And I would also encourage the Commission, when you say 
that you don't think you have the authority to address these 
issues, you do have extensive consumer protection authority. 
And when tech companies are holding themselves out to the 
public and customers as neutral public forums and are actively 
engaged in hidden censorship, that is actively deceptive, and 
the FTC has a great deal of authority to address deception and 
to help provide transparency.
    And right now, big tech has been very comfortable refusing 
to answer these questions. The FTC I think has ample authority 
to help provide that transparency, which is I think something 
both the public and Congress would be very interested in 
knowing the answers to.
    Mr. Phillips. Senator, if I could just add one thing just 
to echo something the Chairman said before, we are very mindful 
of the very important antitrust and consumer protection 
authorities that we wield.
    I think part of the concern is those are not authorities to 
police the First Amendment itself. And you've been such a 
leader in defending the First Amendment. We want to make sure 
that we do the job assigned to us very carefully but that we 
not tread into First Amendment-implicating space.
    Senator Moran. Senator Blumenthal.
    Senator Blumenthal. I just want to make sure we understand 
each other. Senator Cruz was asking questions about antitrust 
authority, and, as you will recall, I made similar reference 
earlier in this hearing and one of you indicated that your 
authority is limited to deceptive and misleading practice.
    The fact is you do have antitrust authority; correct?
    Mr. Simons. Correct.
    Senator Blumenthal. Very much. And the misuse of market 
power or market share, which is implied possibly--underscore 
``possibly''--by some of what we've seen lately certainly would 
be within your jurisdiction; correct?
    Mr. Simons. Yes.
    Senator Blumenthal. I notice Mr. Phillips----
    Mr. Phillips. Yes.
    Senator Blumenthal.--is nodding his head in assent and 
others are as well.
    I think, you know, that we're expecting you to use the full 
range of your authority--consumer protection, antitrust--and 
they're both really--and deceptive and misleading practices 
that affect consumers and antitrust affects consumers. In fact, 
the misuse of market power may include deceptive and 
misleading----
    Mr. Simons. Sure.
    Senator Blumenthal.--practices. So what I'd like to ask is 
a commitment from you that you will assess the market share of 
the big tech companies, the top five, and that you will report 
back to us on what that market share is.
    Mr. Chopra. Well, I think our hearings and any studies we 
might do to compel information--you know, market share is a 
little bit of a tricky issue with this one. But let me just say 
we have the antitrust laws, we have the FTC Act, we have other 
statutes Congress has given us, but several of the largest tech 
companies on the plant are also under order by the FTC--Google, 
Facebook, Twitter and there's more--and we expect that those 
orders are followed. They are not suggestions. And so we also 
have that tool as well.
    Senator Blumenthal. Well, this is a big question, and I'm 
not going to prolong this hearing but I would like to follow up 
on it with some questions for the record on information that 
you could provide us that would reflect on the current 
potential antitrust issues that we've raised here. Thank you.
    Senator Moran. Thank you all very much.
    No further questions from me, but I would indicate that 
you've caught my attention on the U.S. SAFE WEB 
reauthorization, and if you'd have your staff visit with my 
staff, we'd be interested in working with you about its 
reauthorization.
    And I've always had the practice of allowing witnesses 
before our Subcommittee to add anything to the record they'd 
like to add. Is there anyone who has spoken today that would 
like to say anything further, something you left out, something 
you want to clear up or something that you feel like we did not 
ask you?
    All heads are shaking to the negative, suggesting that you 
too are ready for this hearing to come to a conclusion.
    The hearing record will remain open for two weeks. During 
this time, senators are asked to submit any questions for the 
record. Upon receipt, the witnesses are requested to submit 
their written answers to the Committee.
    I again thank you for appearing today and appreciate your 
cooperation. I was impressed by the nature of your responses, 
your testimony, your articulation of complicated matters, and I 
was particularly pleased to see the nature of the relationship 
that appears to be among all of you in working together that is 
appealing to me.
    With that, this hearing is now adjourned.
    [Whereupon, at 4:49 p.m., the hearing was adjourned.]

                            A P P E N D I X

                      Electronic Privacy Information Center
                                  Washington, DC, November 26, 2018

Hon. Jerry Moran, Chairman,
Hon. Richard Blumenthal, Ranking Member,
U.S. Senate Committee on Commerce, Science, and Transportation,
Subcommittee on Consumer Protection, Product Safety, Insurance, and 
            Data 
            Security,
Washington, DC.

Dear Chairman Moran and Ranking Member Blumenthal:

    We write to you in advance of the hearing ``Oversight of the 
Federal Trade Commission.'' \1\ We appreciate your interest in the role 
of the FTC and consumer protection. We look forward to working with the 
Commerce Committee in the next Congress. Your oversight of the Federal 
Trade Commission is critical to safeguard the interests of American 
consumers and businesses.
---------------------------------------------------------------------------
    \1\ Oversight of the Federal Trade Commission, 115th Cong. (2018), 
Senate Comm. on Commerce, Sci., and Trans., Subcomm. on Consumer 
Protection, Product Safety, Insurance, and Data Security (Nov. 27, 
2018), https://www.commerce.senate.gov/public/index.cfm/2018/11/
oversight-of-the-federal-trade-commission.
---------------------------------------------------------------------------
    From EPIC's perspective, the FTC must do more far more to address 
the growing threats to consumer privacy and to assure our trading 
partners as to the adequacy of data protection in the United States. 
Consumers today face unprecedented risks of identity theft, financial 
fraud, and data breaches. And because so many U.S. firms collect 
personal data of European consumers, the FTC's failure to enforce 
consent orders also risks continued trade relations with the country's 
largest trading partners. Before giving the FTC more authority, the 
Senate Commerce Committee should review the FTC's use of its current 
authority and ask specific questions about commitments made regarding 
the enforcement of consent orders and merger review. In February, the 
new Commissioners said there would be vigorous enforcement. That simply 
has not happened.
    For many years, EPIC has worked with the Senate Commerce Committee 
to help protect the privacy rights of Americans.\2\ EPIC has also 
played a leading role at the FTC, helping to establish the Commission's 
authority to bring privacy investigations and to protect the personal 
data of American consumers.\3\ EPIC is the group that filed the 
comprehensive complaint against Facebook with the FTC in 2009, 
resulting in the Commission's 2011 Consent Order with Facebook,\4\ and 
is the group that sued the FTC for the Commission's failure to enforce 
a similar order against Google.\5\
---------------------------------------------------------------------------
    \2\ See, e.g, Impact and Policy Implications of Spyware on 
Consumers and Businesses Before S. Comm. on Commerce, Sci., and 
Transp., 110th Cong. (2008) (statement of Marc Rotenberg, Executive 
Director, EPIC), https://epic.org/privacy/dv/Spyware_Test061108.pdf; 
Protecting Consumers' Phone Records Before the S. Comm. On Commerce, 
Sci., and Transp., 109th Cong. (2006) (statement of Marc Rotenberg, 
Executive Director, EPIC), https://epic.org/privacy/iei/
testimony2806.pdf.
    \3\ Letter from EPIC Executive Director Marc Rotenberg to FTC 
Commissioner Christine Varney (Dec. 14, 1995), http://epic.org/privacy/
internet/ftc/ftc_letter.html (urging the FTC to investigate the misuse 
of personal information by the direct marketing industry); See also 
EPIC, In the Matter of DoubleClick, Complaint and Request for 
Injunction, Request for Investigation and for Other Relief, before the 
Federal Trade Commission (Feb. 10, 2000), http://epic.org/privacy/
internet/ftc/DCLK_complaint.pdf; EPIC, In the Matter of Microsoft 
Corporation, Complaint and Request for Injunction, Request for 
Investigation and for Other Relief (July 26, 2001), http://epic.org/
privacy/consumer/MS_complaint.pdf, In the Matter of Choicepoint, 
(Complaint, Request for Investigation and for Other Relief) (Dec. 16, 
2004), http://epic.org/privacy/choicepoint/fcraltr12.16.04.html.
    \4\ In the Matter of Facebook, Inc. (EPIC, Complaint, Request for 
Investigation, Injunction, and Other Relief) before the Federal Trade 
Commission, Washington, D.C. (filed Dec. 17, 2009), http://
www.epic.org/privacy/inrefacebook/EPIC-FacebookComplaint.pdf.
    \5\ EPIC v. FTC, 844 F. Supp. 2d 98 (D.D.C. 2012), https://
epic.org/privacy/ftc/google/EPICvFTC-CtMemo.pdf.
---------------------------------------------------------------------------
    Below, EPIC raises five critical points for committee 
consideration: (1) The FTC fails to enforce its own consent orders; (2) 
Even when the FTC finds violations, it does not sanction companies; (3) 
The FTC failed to stop mergers that threaten consumer privacy; (4) The 
FTC lacks transparency; and (5) The United States needs a data 
protection agency.
Why Does the FTC Fail to Enforce Its Own Consent Orders?
    In 2011, the FTC entered into a Consent Order with Facebook, 
following an extensive investigation and complaint pursued by EPIC and 
several U.S. consumer privacy organizations. The Consent Order 
specifically prohibited Facebook from transferring personal data to 
third parties without user consent.\6\ As EPIC told this Committee in 
April of this year, the transfer of personal data on 87 million 
Facebook users to Cambridge Analytica could have been prevented had the 
FTC enforced its 2011 Consent Order against Facebook.\7\ The obvious 
question now is ``why did the FTC fail to act?''
---------------------------------------------------------------------------
    \6\ Fed. Trade Comm'n., In re Facebook, Decision and Order, FTC 
File No. 092 3184 (July 27, 2012), https://www.ftc.gov/sites/default/
files/documents/cases/2012/08/120810facebookdo.
pdf.
    \7\ See, Letter from EPIC to S. Comm. on the Judiciary and S. Comm 
on Commerce, Sci. and Trans. (Apr. 9, 2018), https://epic.org/
testimony/congress/EPIC-SJC-Facebook-Apr2018.pdf.
---------------------------------------------------------------------------
    In 2011, EPIC also obtained a significant judgment at the FTC 
against Google after the disastrous roll-out of Google ``Buzz.'' \8\ In 
that case, the FTC established a consent order after Google tried to 
enroll Gmail users into a social networking service without obtaining 
meaningful consent.\9\ But a problem we did not anticipate became 
apparent almost immediately: the FTC was unwilling to enforce its own 
consent orders. Almost immediately after the settlements, both Facebook 
and Google began to test the Commission's willingness to stand behind 
its judgments: Dramatic changes in the two companies' advertising 
models led to more invasive tracking of Internet users, user behaviors 
both online and offline were tracked and merged, and Facebook used 
facial recognition tools on Internet users who were not even using 
their platform. Still the FTC did nothing.
---------------------------------------------------------------------------
    \8\ In the Matter of Google, Inc., EPIC Complaint, Request for 
Investigation, Injunction, and Other Relief, before the Federal Trade 
Commission, Washington, D.C. (filed Feb. 16, 2010), https://epic.org/
privacy/ftc/googlebuzz/GoogleBuzz_Complaint.pdf.
    \9\ Press Release, Fed. Trade Comm'n., FTC Charges Deceptive 
Privacy Practices in Googles Rollout of Its Buzz Social Network: Google 
Agrees to Implement Comprehensive Privacy Program to Protect Consumer 
Data (Mar. 30, 2011), https://www.ftc.gov/news-events/press-releases/
2011/03/ftc-charges-deceptive-privacy-practices-googles-rollout-its-
buzz.
---------------------------------------------------------------------------
    In March 2018, after the Cambridge Analytica scandal became public, 
the FTC announced it would reopen the investigation of Facebook.\10\ In 
a press release, the FTC stated that ``[c]ompanies who have settled 
previous FTC actions must also comply with FTC order provisions 
imposing privacy and data security requirements. Accordingly, the FTC 
takes very seriously recent press reports raising substantial concerns 
about the privacy practices of Facebook.'' \11\ Chairman Simons also 
told this Committee in February, a ``first priority for the 
Commission'' will be ``vigorous enforcement,'' \12\ and Commissioner 
Rohit Chopra stated in May that ``FTC orders are not suggestions.'' 
\13\
---------------------------------------------------------------------------
    \10\ Press Release, Fed. Trade Comm'n., Statement by the Acting 
Director of FTC's Bureau of Consumer Protection Regarding Reported 
Concerns About Facebook Privacy Practices (Mar. 26, 2018), https://
www.ftc.gov/news-events/press-releases/2018/03/statement-acting-
director-ftcs-bureau-consumer-protection.
    \11\ Id.
    \12\ Nomination Hearing, 115th Cong. (2018), S. Comm. on Science, 
Commerce and Transportation, (Feb. 14, 2018) (Joseph Simons, Chairman, 
Fed. Trade Comm'n. at 59:40), https://www.commerce.senate.gov/public/
index.cfm/hearings?ID=EECF6964-F8DC-469E-AEB2-D7C161
82A0E8.
    \13\ Memorandum from Commissioner Rohit Chopra to Commission Staff 
and Commissioners, Fed. Trade Comm'n, (May 14, 2018), https://
www.ftc.gov/system/files/documents/public_state
ments/1378225/chopra_-_repeat_offenders_memo_5-14-18.pdf.
---------------------------------------------------------------------------
    Despite strong words, eight months have passed since the FTC's 
announcement of a new investigation, but still there is no judgment, no 
report, nor even a public statement about one of the most serious data 
breaches in U.S. history. It is critical that the FTC conclude the 
Facebook matter, issue a significant fine, and ensure that the company 
upholds its privacy commitments to users.
    The Committee should ask the FTC Chairman and the Commissioners: 
When will there be a final determination in the Facebook investigation? 
What other steps can the FTC take to assure the American public that 
the Commission will enforce its legal orders?
Even When the FTC Finds Violations, It Does Not Sanction Companies
    EPIC filed a complaint with the FTC in 2015 regarding Uber's 
egregious misuse of personal data.\14\ That complaint led to an FTC 
settlement with Uber in August 2017.\15\ But shortly after announcing 
that settlement, the FTC discovered that Uber had failed to disclose 
another massive data breach of its third-party cloud storage 
service.\16\ The breach exposed unencrypted files containing more than 
25 million names and e-mail addresses, 22 million names and phone 
numbers, and 600,000 names and driver's license numbers.\17\ Uber 
became aware of this breach in November 2016 but waited a full year to 
notify its customers while secretly paying the hackers $100,000 through 
its ``bug bounty'' program. Furthermore, Uber failed to notify the FTC 
of this breach despite the fact that it occurred during the FTC's 
investigation into Uber's failure to protect consumer data.
---------------------------------------------------------------------------
    \14\ EPIC Complaint to the FTC, In the Matter of Uber Technologies, 
Inc. (June 22, 2015), https://epic.org/privacy/internet/ftc/uber/
Complaint.pdf.
    \15\ Agreement Containing Consent Order FILE NO. 1523054, In the 
Matter of Uber Technologies, Inc., https://www.ftc.gov/system/files/
documents/cases/1523054_uber_technologies_
agreement.pdf.
    \16\ Press Release, Fed. Trade Comm'n., Uber Agrees to Expanded 
Settlement with FTC Related to Privacy, Security Claims (Apr. 12, 
2018), https://www.ftc.gov/news-events/press-releases/2018/04/uber-
agrees-expanded-settlement-ftc-related-privacy-security.
    \17\ Id.
---------------------------------------------------------------------------
    Last month, the FTC finalized a revised settlement with Uber.\18\ 
The modified settlement requires Uber to submit all of its biennial 
privacy assessments to the FTC, rather than just the initial 
assessment, but those assessments will not be made public. Despite 
Uber's repeated failures to protect consumer data, the proposed Order 
contains no mandatory provisions for how Uber will safeguard consumer 
data. The FTC imposed no fines.
---------------------------------------------------------------------------
    \18\ Press Release, Fed. Trade Comm'n., Federal Trade Commission 
Gives Final Approval to Settlement with Uber (Oct. 26, 2018), https://
www.ftc.gov/news-events/press-releases/2018/10/federal-trade-
commission-gives-final-approval-settlement-uber.
---------------------------------------------------------------------------
    It is the responsibility of the FTC to protect consumer privacy and 
prosecute companies that engage in unfair or deceptive trade practices. 
The Commission has failed to do so. This is even more troubling because 
the Commission claimed that its inability to impose fines hampers its 
enforcement powers.\19\ But there is no such hurdle in cases involving 
companies like Uber that are already subject to FTC consent orders.
---------------------------------------------------------------------------
    \19\ Oversight of the Federal Trade Commission Before the Subcomm. 
on Dig. Commerce and Consumer Prot. of the H. Comm. on Energy & 
Commerce, 115th Cong. 6 (2018) (statement of Joseph J. Simons, 
Chairman, Fed. Trade Comm'n), https://www.ftc.gov/system/files/
documents/public_statements/1394526/
p180101_ftc_testimony_re_oversight_house_07182018.pdf.
---------------------------------------------------------------------------
Why Has the FTC Failed to Stop Mergers that Threaten Consumer Privacy?
    The FTC must also address the serious threats to consumer privacy 
posed by increasing consolidation among the dominant technology firms 
in the United States. Facebook's strategic acquisitions of Instagram 
and WhatsApp, and their use of consumer data from both acquisitions, 
provide two examples. As Columbia professor Tim Wu writes in his new 
book The Curse of Bigness: Antitrust in the New Gilded Age, the 
failures of antitrust enforcement ``sit right in front of our faces: 
the centralization of the once open and competitive tech industries 
into just a handful of giants. . .'' \20\ The FTC's failure to take 
these threats into account in its merger review process is one of the 
main reasons that consumer privacy has diminished and the secretive 
tracking and profiling of consumers has proliferated.
---------------------------------------------------------------------------
    \20\ Tim Wu, The Curse of Bigness: Antitrust in the New Gilded Age 
23 (2018).
---------------------------------------------------------------------------
    In 2007, EPIC warned the FTC that Google's acquisition of 
DoubleClick would lead to Google tracking consumers across the web, 
accelerating its dominance of the online advertising industry.\21\ The 
FTC ultimately allowed the merger to go forward over the compelling 
dissent of Pamela Jones Harbour.\22\ Not surprisingly, Google today 
accounts for 90 percent of all Internet searches and, together with 
Facebook, absorbs 73 percent of all digital advertising revenue in the 
United States.\23\
---------------------------------------------------------------------------
    \21\ In the Matter of Google Inc. and DoubleClick Inc., (EPIC 
Complaint, Request for Injunction, Investigation, and Other Relief), 
(Apr. 20, 2007), https://epic.org/privacy/ftc/google/epic_
complaint.pdf.
    \22\ In the Matter of Google/DoubleClick, FTC File No. 070-0170 
(2007) (Harbor, C., dissenting), https://www.ftc.gov/sites/default/
files/documents/public_statements/statement-matter-google/doubleclick/
071220harbour_0.pdf.
    \23\ Editorial, Break Up Google, Boston Globe (June 14, 2018), 
https://apps.bostonglobe.com/opinion/graphics/2018/06/break-google/.
---------------------------------------------------------------------------
    Despite the clear lessons from Google-DoubleClick, in 2014, the FTC 
failed to impose privacy safeguards for Facebook's acquisition of 
WhatsApp, a text-messaging service that attracted users specifically 
because of its strong privacy protections.\24\ The FTC allowed the 
merger based on assurances by both companies that they would honor 
WhatsApp users' privacy.\25\ But in 2016, WhatsApp announced that it 
would begin disclosing its users' personal information to Facebook.\26\ 
The UK Information Commissioner's Office blocked WhatsApp's transfer of 
data to Facebook,\27\ and the European Commission fined Facebook $122 
million for misleading European authorities about the data 
transfer.\28\ But the FTC again failed to take action.
---------------------------------------------------------------------------
    \24\ In the Matter of WhatsApp, Inc., (EPIC and Center for Digital 
Democracy Complaint, Request for Investigation, Injunction, and Other 
Relief) (Mar. 6, 2014), https://epic.org/privacy/ftc/whatsapp/WhatsApp-
Complaint.pdf.
    \25\ See, See Letter from Jessica L. Rich, Director, Bureau of 
Consumer Prot., Fed. Trade Comm'n., to Facebook and WhatsApp (Apr. 10, 
2014), https://epic.org/privacy/internet/ftc/whatsapp/FTC-facebook-
whatsapp-ltr.pdf (concerning the companies' pledge to honor WhatsApp's 
privacy promises).
    \26\ WhatsApp, Looking Ahead for WhatsApp, WhatsApp Blog, (Aug. 25, 
2016), https://blog.whatsapp.com/10000627/Looking-ahead-for-WhatsApp.
    \27\ Information Commissioner's Office, WhatsApp, Inc. (Mar. 12, 
2018), https://ico.org.uk/media/action-weve-taken/undertakings/2258376/
whatsapp-undertaking-20180312.pdf.
    \28\ Press Release, European Commission, Mergers: Commission Fines 
Facebook €110 Million for Providing Misleading Information About 
WhatsApp Takeover (May 18, 2017), http://europa.eu/rapid/press-
release_IP-17-1369_en.htm.
---------------------------------------------------------------------------
    Chairman Joseph Simons said in February that ``the FTC needs to 
devote substantial resources to determine whether its merger 
enforcement has been too lax, and if that is the case, the agency needs 
to determine the reason for such failure and to fix it.'' \29\ More 
pointedly, Congress must ensure that the Commission uses its current 
authorities to the fullest extent possible. For example, as EPIC has 
argued elsewhere, the Commission could ``unwind'' the Facebook-WhatsApp 
deal because of Facebook's failure to uphold its commitments to 
users.\30\ Even the founders of WhatsApp have acknowledged that 
Facebook broke its commitments. How can it be that the FTC does not act 
in such circumstances?
---------------------------------------------------------------------------
    \29\ Nomination Hearing Before the S. Comm. on Science, Commerce 
and Transportation, 115th Cong. (2018) (testimony of Joseph Simons, 
Nominee to be Chairman, Fed. Trade Comm'n.), https://
www.commerce.senate.gov/public/index.cfm/hearings?ID=EECF6964-F8DC-
469E-AEB2
-D7C16182A0E8.
    \30\ Marc Rotenberg, The Facebook-WhatsApp Lesson: Privacy 
Protection Necessary for Innovation, Techonomy (May 4, 2018), https://
techonomy.com/2018/05/facebook-whatsapp-lesson-privacy-protection-
necessary-innovation/.
---------------------------------------------------------------------------
    The Committee should ask the FTC Chairman and the Commissioners: 
Will the FTC unwind the Facebook-WhatsApp deal? What further steps is 
the FTC going to take to protect consumer privacy in its merger review 
process?
The FTC Lacks Transparency
    The FTC should be more transparent about its review of companies 
under consent orders. Earlier this year, EPIC filed a Freedom of 
Information Act lawsuit against the FTC to publicly release the 
biennial audits of Facebook's privacy practices and related records to 
understand why the FTC failed to bring any enforcement action against 
the company.\31\ As a result of EPIC's lawsuit, the FTC released 
several communications between the FTC and Facebook that reveal the 
comfortable relationship between the Commission and Facebook.\32\
---------------------------------------------------------------------------
    \31\ See EPIC, EPIC v. FTC, https://www.epic.org/foia/ftc/
facebook/.
    \32\ See EPIC, EPIC v. FTC: FOIA Documents, https://www.epic.org/
foia/ftc/facebook/#foia.
---------------------------------------------------------------------------
    In the early years following the 2011 Consent Decree, a set of e-
mails revealed disagreement between Facebook and the FTC over potential 
enforcement action on Facebook's proposed changes to its Data Use 
Policy and Statement of Rights and Responsibility.\33\ In a September 
11, 2013 e-mail, the FTC counsel wrote that the agency is ``greatly 
disappointed that [Facebook] did not provide [the FTC with] the 
information [the FTC] requested to assess Facebook's compliance with 
the Commission's orders.'' \34\ The e-mail alludes to an earlier phone 
call where Facebook would not answer the agency's questions to eight 
specific issues, ``essentially making the call a waste of time.'' \35\ 
Facebook responded to this e-mail by stating they were ``surprised and 
concerned by the suggestion'' that they did not address the FTC's 
questions and stated that Facebook does not ``believe there is any 
credible basis to assert that [the FTC's] questions relate to 
Facebook's obligation under the Consent Order.'' \36\ Following this 
exchange, Facebook cooperated with the FTC's request for information, 
having stated that the provided information ``reflects Facebook's 
continued commitment to cooperation and collaboration with [the FTC].'' 
\37\
---------------------------------------------------------------------------
    \33\ See E-mail from S. Ashlie Beringer, Partner, Gibson, Dunn & 
Crutcher, to Reenah Kim, et al., Attorney, Fed. Trade Comm'n 83-86, 
https://epic.org/foia/ftc/facebook/EPIC-18-03-20-FTC-FOIA-20181019-FTC-
FB-Addtl-Communications-2013.pdf.
    \34\ Id. at 83-84.
    \35\ Id. at 84.
    \36\ Id. at 83.
    \37\ Letter from S. Ashlie Beringer, Partner, Gibson, Dunn & 
Crutcher, to Reenah Kim, et al., Attorney, Fed. Trade Comm'n 98 (Sept. 
30, 2013), https://epic.org/foia/ftc/facebook/EPIC-18-03-20-FTC-FOIA-
20181019-FTC-FB-Addtl-Communications-2013.pdf.
---------------------------------------------------------------------------
    Communications since 2013 reflect a similar lack of commitment by 
the FTC to enforce the terms of the original consent order. For 
example, in a chain of e-mails, the FTC expressed concerns about the 
scope of Facebook's 2015 assessment, stating ``[the auditor's] report 
does not demonstrate whether and how Facebook addressed the impact of 
the acquisitions on its Privacy Program.'' \38\ In another e-mail, the 
FTC expressed similar concerns about the 2017 assessment and whether 
the audit evaluated the company's acquisitions impact on Facebook's 
privacy program.\39\ The FTC accepted Facebook and its auditor's 
response letters assuring the Commission that the auditor addressed the 
impact of acquisitions on Facebook's privacy program at face value 
without additional inquiry.\40\ The release of this information, as a 
result of EPIC's lawsuit, provides insight into the FTC's inability to 
make use of its current enforcement authorities.
---------------------------------------------------------------------------
    \38\ Letter from Laura D. Koss, et al., Attorney, Fed. Trade Comm'n 
to Edward Palmieri, Assoc. General Counsel, Facebook 117-118 (June 4, 
2015), https://epic.org/foia/FTC/facebook/EPIC-18-03-20-FTC-FOIA-
20181012-FTC-FB-Communications.pdf.
    \39\ Letter from Reenah Kim, Attorney, Fed. Trade Comm'n to Edward 
Palmieri, Assoc. General Counsel, Facebook 134-136 (June 1, 2017), 
https://epic.org/foia/FTC/facebook/EPIC-18-03-20-FTC-FOIA-20181012-FTC-
FB-Communications.pdf.
    \40\ See Response Letters from Facebook and PwC to Fed. Trade 
Comm'n 108-119, https://epic.org/foia/ftc/facebook/EPIC-18-03-20-FTC-
FOIA-20180910-FB-Assessment-Records-2013.pdf.
---------------------------------------------------------------------------
The United States Needs a Data Protection Agency
    The Federal Trade Commission helps to safeguard consumers and to 
promote competition, but the FTC is not an effective data protection 
agency. The agency lacks authority to enforce basic data protection 
obligations and has failed to enforce the orders it has established. 
The FTC also lacks the ability, authority and expertise to engage the 
broad range of challenges we now confront--such as Internet of Things, 
Artificial Intelligence, connected vehicles, and more. This problem 
will not be solved by granting the FTC more authority: the agency has 
failed to use the authority it already has.
    Given the enormity of the challenge, the United States would be 
best served to do what other countries have done and create a dedicated 
data protection agency. An independent agency could more effectively 
utilize its resources to police the current widespread exploitation of 
consumers' personal information and would be staffed with personnel who 
possess the requisite expertise to regulate the field of data security.
    The United States is one of the few advanced economies in the world 
that does not have a Federal data protection agency, even though the 
original proposal for such an institution emerged from the United 
States in the 1970s.\41\ The practical consequence is that the U.S 
consumers experience the highest levels of data breach, financial 
fraud, and identity theft in the world. And U.S. businesses, with their 
vast collections of personal data, remain the target of cyber-attack by 
criminals and foreign adversaries. The Cambridge Analytica case is just 
one illustration of the ways in which that vulnerability threatens not 
only U.S. citizens, but also our democratic institutions. The longer 
the United States continues on this course, the greater will be the 
threats to consumer privacy, democratic institutions, and national 
security.
---------------------------------------------------------------------------
    \41\ See EPIC, The Privacy Act of 1974, https://epic.org/privacy/
1974act/#history.
---------------------------------------------------------------------------
    As the data breach epidemic reaches unprecedented levels, the need 
for an effective, independent data protection agency has never been 
greater.
Conclusion
    The FTC has failed to make use of its current legal authorities to 
enforce consent orders and unwind mergers that stifle innovation and 
competition. Seven years have passed since the FTC heralded the consent 
order with Facebook, and yet the Commission has not issued a single 
fine against the company that has been widely criticized for its 
business practices. It is unclear how additional regulatory authority 
will fix that problem.
    EPIC appreciates the Committee's decision to convene this hearing 
and respects the FTC's role as the lead consumer protection agency in 
the United States. But as for data protection in the United States, the 
FTC is not up to the task. It is time to establish an independent 
Federal data protection agency.
    We ask that this letter be entered in the hearing record. EPIC 
looks forward to working with the Committee on these issues of vital 
importance to the American public.
            Sincerely,

/s/Marc Rotenberg                    /s/Caitriona Fitzgerald
Marc Rotenberg                       Caitriona Fitzgerald
EPIC President                       EPIC Policy Director
 
/s/Christine Bannan                  /s/Enid Zhou
Christine Bannan                     Enid Zhou
EPIC Consumer Privacy Counsel        EPIC Open Government Counsel
 
/s/Lorraine Kisselburgh              /s/Jeff Gary
Lorraine Kisselburgh                 Jeff Gary
EPIC Scholar in Residence            EPIC Legislative Fellow
 

Additional Resources
   In the Matter of Facebook, Inc. (EPIC, Complaint, Request 
        for Investigation, Injunction, and Other Relief) before the 
        Federal Trade Commission, Washington, D.C. (filed Dec. 17, 
        2009), http://www.epic.org/privacy/inrefacebook/EPIC-
        FacebookComplaint.pdf.

   In the Matter of Facebook, Inc. (EPIC, Supplemental 
        Materials in Support of Pending Complaint and Request for 
        Injunction, Request for Investigation and for Other Relief) 
        before the Federal Trade Commission, Washington, D.C. (filed 
        Jan. 14, 2010), http://www.epic.org/privacy/inrefacebook/EPIC-
        FacebookCom
        plaint.pdf.

   Fed. Trade Comm'n., Facebook Settles FTC Charges That It 
        Deceived Consumers by Failing to Keep Privacy Promises, Press 
        Release, (Nov. 29, 2011), https://www.ftc.gov/news-events/
        press-releases/2011/11/facebook-settles-ftc-charges-it-
        deceived-consumers-failing-keep.

   EPIC v. FTC, 844 F. Supp. 2d 98 (D.D.C. 2012), https://
        epic.org/privacy/ftc/google/EPICvFTC-CtMemo.pdf.

   EPIC, In re Facebook and Facial Recognition (2018), https://
        www.epic.org/privacy/ftc/facebook/facial-recognition2018.

   Info. Comm'rs Office, Findings Recommendations and Actions 
        from ICO Investigation into Data Analytics in Political 
        Campaigns (2018), https://ico.org.uk/about-the-ico/news-and-
        events/news-and-blogs/2018/07/findings-recommendations-and-
        actions-from-ico-investigation-into-data-analytics-in-
        political-campaigns.

   EPIC Statement to Subcomm. on Antitrust, Competition Policy, 
        and Consumer Rights of the S. Comm. on the Judiciary, 115th 
        Cong. (2018), https://epic.org/testimony/congress/EPIC-SJC-
        AntitrustOversight-Oct2018.pdf.

   EPIC Statement to Subcomm. on Research and Tech. of the H. 
        Comm. on Sci., Space, and Tech., 115th Cong. (2018)), https://
        epic.org/testimony/congress/EPIC-HSC-AI-June2018.pdf.
                                 ______
                                 
                                                  November 26, 2018
Joseph J. Simons, Chairman,
Federal Trade Commission,
Washington, DC.

VIA EMAIL TRANSMISSION

Dear Chairman Simons:

    We, the undersigned consumer, privacy and civil liberties 
organizations, write to express our disappointment about the comments 
\1\ that the Federal Trade Commission (FTC) staff recently submitted to 
the National Telecommunications and Information Administration's 
request for comments on ``Developing the Administration's Approach to 
Consumer Privacy.'' \2\ We appreciate the work that the FTC has done 
over the years to protect consumers' privacy, within the limitations 
that it describes in its comments.\3\ However, we remain frustrated by 
the agency's failure to act promptly on timely and important privacy-
related complaints \4\ before the agency as well as by the lack of 
adequate enforcement actions for cases resolved in recent years.\5\
---------------------------------------------------------------------------
    \1\ https://www.ftc.gov/system/files/documents/advocacy_documents/
ftc-staff-comment-ntia-developing-administrations-approach-consumer-
privacy/p195400_ftc_comment_to_ntia_112018.pdf.
    \2\ Federal Register Vol. 83, No 187 (September 26, 2018), notice 
and request for comments, https://www.gpo.gov/fdsys/pkg/FR-2018-09-26/
pdf/2018-20941.pdf.
    \3\ Supra at pages 18-19.
    \4\ For instance, the FTC has taken no action on a complaint that 
consumer and privacy groups made in 2016 alleging that cable and 
satellite providers were deceiving consumers about their privacy 
practices; see letter sent to the FTC one year after the complaint was 
submitted, https://consumerfed.org/wp-content/uploads/2017/06/6-12-17-
FTC-Consumer-Privacy_Letter.pdf. Another example is the complaint that 
consumer and privacy groups made about the internet-connected doll, My 
Friend Cayla, in 2016, see December 2017 letter demanding action, 
http://www.commercialfreechildhood.org/consumer-and-privacy-groups-
demand-action-toys-spy-children.
    \5\ See, for example, April 6, 2018 complaint to the FTC from 
consumer and privacy groups alleging that Facebook violated previous 
Consent Order, https://consumerfed.org/wp-content/uploads/2018/04/
consumer-privacy-groups-ftc-complaint-facebook-facial-recognition.pdf, 
and recent consumer and privacy group comments to the FTC about its 
failure to protect privacy in its merger review process, https://
consumerfed.org/wp-content/uploads/2018/08/consumer-privacy-groups-
comment-on-intersection-between-privacy-big-data-and-competition.pdf.
---------------------------------------------------------------------------
    What is most troubling to us in these comments, however, is the 
FTC's apparent position, citing a study by the advertising industry, 
that a policy approach in which consumers were opted out of online 
advertising by default would not be appropriate because ``the likely 
result would include the loss of advertising-funded online content.'' 
\6\ The study fails to cite any empirical data suggesting that without 
targeted advertising, free online content will decrease. We would have 
hoped that the FTC would take a broader look at the evidence, rather 
than relying on a self-serving study by one stakeholder.
---------------------------------------------------------------------------
    \6\ Supra at page 18.
---------------------------------------------------------------------------
    The FTC's stated position ignores the fact that contextual 
advertising, which does not raise the same privacy concerns as 
behavioral advertising, would still be possible. In addition, the FTC 
fails to recognize that placing the burden on individuals to deal with 
the privacy-intrusive nature of behavioral tracking and targeting is 
unfair. Privacy management across hundreds of websites and untold 
numbers of advertisers and data brokers, many hidden from public view, 
is an impossible task for consumers.
    That is why the General Data Protection Regulation (GDPR) in Europe 
places the burden on data controllers to demonstrate that they have a 
legal basis to collect, use or share an individual's personal 
information. A data controller can only process personal data if it has 
a legal basis to do so, which includes the processing on the basis of a 
freely given, specific, informed and unambiguous consent.\7\ In fact, 
European data protection authorities have clarified that opt-in consent 
should be required ``for tracking and profiling for purposes of direct 
marketing, behavioural advertisement, data-brokering, location-based 
advertising or tracking-based digital market research.'' \8\ We suggest 
that the FTC's position is out of step with most of the rest of the 
world, and it makes consumers in the United States second class 
citizens when it comes to privacy protection.
---------------------------------------------------------------------------
    \7\ Information about the GDPR and other EU data protections is 
available at https://ec.europa.eu/info/law/law-topic/data-protection/
data-protection-eu_en.
    \8\ Opinion 06/2014 on the notion of legitimate interests of the 
data controller under Article 7 of Directive 95/46/EC, http://
ec.europa.eu/justice/data-protection/index_en.htm.
---------------------------------------------------------------------------
    In its comments, the FTC cites examples of how consumer data fuels 
innovation, most of which (such as better responses to emergency 
situations, improved fraud detection, safer homes, better health and 
wellness, improved inventory control, easier-to-find parking, and 
increased connectivity) can be accomplished without necessarily unduly 
impinging on individuals' privacy.\9\ These data uses (1) are 
specifically related to the purposes for which the individuals provided 
their data; (2) could be accomplished with aggregate data; or (3) could 
be allowed under reasonable exceptions (e.g., fraud control). ``More 
relevant online experiences,'' on the other hand, is something that 
consumers should be given the option to affirmatively agree to if they 
wish. We do not think that ``more relevant'' should be read to mean 
more beneficial to advertisers.
---------------------------------------------------------------------------
    \9\ Supra at pages 10-11.
---------------------------------------------------------------------------
    The FTC staff also commented that the benefits of privacy 
regulation should be weighed against potential costs to competition and 
gives as an example a small outdoor equipment company seeking to expand 
its customer base.\10\ We suggest that a narrow-minded economic 
balancing test ignores the fundamental right to privacy that should be 
the proper starting point for analysis. In any event, nothing would 
prevent that small outdoor equipment company from serving ads on a 
contextual basis--for instance, on a camping or hiking site. 
Furthermore, if the FTC took more assertive action to ensure that 
search engines cannot dominate the online ecosystem and unfairly rig 
the results,\11\ individuals would be able to find that small company 
more easily. It seems that the FTC relies on its own failures to police 
competition in the online marketplace as justification for overriding 
the privacy interests of consumers.
---------------------------------------------------------------------------
    \10\ Id.
    \11\ See European Commission press release announcing fine levied 
against Google for imposing illegal restrictions on Android device 
manufacturers and mobile network operators to cement its dominant 
position in general Internet search (July 18, 2018), http://europa.eu/
rapid/press-release_IP-18-4581_en.htm. The FTC missed an opportunity to 
rein in Google's anti-competitive behavior five years earlier, see 
Craig Timberg, ``FTC: Google did not break antitrust law with search 
practices,'' Washington Post (January 3, 2013), https://
www.washingtonpost.com/business/technology/ftc-to-announce-google-
settlement-today/2013/01/03/ecb599f0-55c6-11e2-bf3e-
76c0a789346f_story.html?utm_term=.3d532f0e0425.
---------------------------------------------------------------------------
    We appreciate the fact that the FTC continues to call for Congress 
to enact privacy and security legislation, and we support enhancing the 
agency's resources, rulemaking authority and enforcement capabilities. 
We do not believe, however, that the scale should be tipped in favor of 
corporate interests over the fundamental civil and human rights of 
individuals.
            Sincerely,

Campaign for a Commercial Free Childhood

Center for Digital Democracy

Consumer Action

Consumer Federation of America

Consumer Watchdog

Customer Commons

Electronic Frontier Foundation

Electronic Privacy Information Center

Media Alliance

National Hispanic Media Coalition

Privacy Rights Clearinghouse

Public Citizen

Public Knowledge

Stop Online Violence Against Women

U.S. PIRG

CC: Commissioner Noah Joshua Phillips
Commissioner Rohit Chopra
Commissioner Rebecca Kelly Slaughter
Commissioner Christine S. Wilson
Andrew Smith, Director, Bureau of Consumer Protection
Maneesha Mithal, Director, Division of Privacy and Identity Protection
                                 ______
                                 
     Response to Written Questions Submitted by Hon. John Thune to 
                         Hon. Joseph J. Simons
    Question 1. You recently attended the Second Annual Privacy Shield 
Review. Did the European regulators raise any concerns about the 
effectiveness of the program? Do you think Privacy Shield is operating 
effectively and will continue to be a valid means for businesses to 
transfer personal data to the United States from Europe?
    Answer. The European Commission (EC) issued its report on the 
Annual Review in December 2018. I agree with the ultimate conclusion of 
the EC report: Privacy Shield remains a robust program for protecting 
privacy and enabling transatlantic data flows. The report found that 
U.S. authorities continue to improve the program, highlighting the 
proactive approach to enforcement by the FTC. The EC raised concerns 
with the national security aspects of the program, specifically 
requesting the nomination of an Ombudsperson within the State 
Department. The Administration has since created and filled a Privacy 
Shield Ombudsperson position.

    Question 2. Vertical mergers such as the merger between AT&T and 
Time Warner have garnered some attention lately. The Federal Trade 
Commission (FTC) and the Department of Justice (DOJ) have not updated 
vertical merger guidance since 1984. Do you believe that the FTC and 
DOJ should issue new guidance on vertical mergers?
    Answer. I believe that the 1984 Non-Horizontal Merger Guidelines do 
not reflect current scholarship and thinking on vertical merger 
enforcement.\1\ They are significantly out of date. If we were to 
attempt to draft new guidelines, we would probably have to start from 
scratch, based on the practical learning and experience of more recent 
merger challenges and investigations.
---------------------------------------------------------------------------
    \1\ U.S. Dep't of Justice Non-Horizontal Merger Guidelines (1984), 
https://www.justice.gov/sites/default/files/atr/legacy/2006/05/18/
2614.pdf.
---------------------------------------------------------------------------
    Over the years, the Commission and its staff have provided 
substantial insight on vertical merger analysis through speeches and 
other policy work,\2\ and through rigorous case selection.\3\ The 
Commission is actively considering whether we--along with our sister 
agency, the Antitrust Division of the Department of Justice--should 
formally publish vertical merger guidelines. This topic is a key focus 
of the FTC's ambitious program of Hearings on Competition and Consumer 
Protection in the 21st Century.\4\ Two panel discussions on vertical 
mergers were held in November 2018, and the Commission has invited 
public commentary on the topic.
---------------------------------------------------------------------------
    \2\ See, e.g., Bruce Hoffman, Vertical Merger Enforcement at the 
FTC, Remarks at Credit Suisse 2018 Washington Perspectives Conference 
(Jan. 10, 2018), https://www.ftc.gov/public-statements/2018/01/
vertical-merger-enforcement-ftc (explaining the FTC's current analysis 
of proposed vertical mergers and highlighting the extent to which that 
analysis has moved beyond the 1984 Non-Horizontal Merger Guidelines).
    \3\ For example, the Commission recently challenged a vertical 
merger between Northrop Grumman, a leading provider of missile systems 
to the Department of Defense, and Orbital ATK, a key supplier of solid 
rocket motors. In re Northrop Grumman, Dkt. C-4652 (June 5, 2018), 
https://www.ftc.gov/enforcement/cases-proceedings/181-0005-c-4652/
northrop-grumman-orbital-atk. See also In re Sycamore Partners II, 
L.P., Staples, Inc., and Essendant Inc., Dkt. C-4667 (Jan. 25, 2018), 
https://www.ftc.gov/enforcement/cases-proceedings/181-0180/sycamore-
partners-ii-lp-staples-inc-essendant-inc-matter (consent agreement 
resolving charges that a merger between Staples, the world's largest 
retailer of office products and related services, and Essendant, a 
wholesale distributor of office products, was likely to harm 
competition in the market for office supply products sold to small- and 
mid-sized businesses).
    \4\ FTC, Hearings on Competition and Consumer Protection in the 
21st Century, https://www.ftc.gov/policy/hearings-competition-consumer-
protection; see also FTC Workshop, FTC Hearing #5: Competition and 
Consumer Protection in the 21st Century (Nov. 1, 2018), https://
www.ftc.gov/news-events/events-calendar/ftc-hearing-5-competition-
consumer-protection-21st-century.

    Question 3. Government lawsuits to stop mergers are litigated using 
different procedures depending on which agency, the FTC or DOJ, handles 
the case. Do you think Congress should take action to ensure that 
agencies follow the same procedures, or do you support another 
approach?
    Answer. While I have no opinion as to whether Congress should take 
action, I note that there are significant benefits to the Commission's 
administrative litigation path; in particular, it provides the 
Commission an opportunity to develop important aspects of competition 
law. But if the FTC is denied a preliminary injunction in a merger 
matter in Federal court, I do not believe the Commission should pursue 
that matter in administrative litigation. The Commission has not 
pursued an administrative proceeding following the denial of a 
preliminary injunction in Federal court for over twenty years. I agree 
with this approach.
    Separately, it is not clear to me whether it would be beneficial to 
prohibit the FTC from conducting an administrative proceeding while the 
parties to a merger remain unable to close their transaction for a 
significant period of time. Many transactions are subject to 
multijurisdictional reviews, whether by foreign competition authorities 
or state regulators. Under current law, the FTC can commence an 
administrative action while other reviews are pending. The FTC may 
delay an injunction action in Federal court until other review 
processes are completed and the merger is imminent. This approach could 
have certain advantages that I believe are worth discussing when 
thinking about making changes to the Commission's process for 
challenging mergers.
    In the recent Tronox case, the FTC was able to complete an 
administrative trial while the parties waited for foreign approvals.\5\ 
Once those approvals were granted and the parties would have been able 
to close their transaction, the FTC filed suit in Federal court seeking 
a preliminary injunction. The existence of the record from the FTC 
administrative proceeding allowed the parties to avoid a substantial 
discovery period in the Federal proceeding, enabled the district court 
judge to substantially expedite the preliminary injunction hearing, and 
very likely reduced the overall time for the court to reach a decision. 
In this case, the injunction was granted. If the injunction had not 
been granted, the parties likely would have been able to close their 
transaction faster than if there had been no FTC administrative 
proceeding. To the extent there was duplication between the two 
proceedings, it appears to have been minor, and the matter was very 
likely resolved faster as a result. Certainly, it reduced cost and 
resource burdens on the Federal district court.
---------------------------------------------------------------------------
    \5\ FTC v. Tronox Ltd. and Nat'l Titanium Dioxide Co. Ltd. 
(Cristal), No. 1:18-cv-01622 (D.D.C. Sept. 12, 2018), https://
www.ftc.gov/enforcement/cases-proceedings/171-0085/tronox-limited-et-
al-ftc-v.

    Question 4. Should Congress amend Section 5(n) of the FTC Act, 
which addresses unfair practices, to clarify what constitutes 
``substantial injury?'' If so, how?
    Answer. No. Neither the Commission, nor the courts that have ruled 
on this issue, have struggled to interpret that element of Section 
5(n). Substantial injury can be financial, physical, reputational, or 
unwanted intrusions. Financial injury can manifest in a variety of 
ways: fraudulent charges, delayed benefits, expended time, opportunity 
costs, fraud, and identity theft, among other things.\6\ Physical 
injuries include risks to individuals' health or safety, including the 
risks of stalking and harassment.\7\ Reputational injury involves 
disclosure of private facts about an individual, which damages the 
individual's reputation. Tort law recognizes reputational injury.\8\ 
The FTC has brought cases involving this type of injury, for example, 
in a case involving public disclosure of individuals' Prozac use \9\ 
and public disclosure of individuals' membership on an infidelity-
promoting website.\10\ Finally, unwanted intrusions involve two 
categories. The first includes activities that intrude on the sanctity 
of people's homes and their intimate lives. The FTC's cases involving a 
revenge porn website,\11\ an adult-dating website,\12\ and companies 
spying on people in their bedrooms through remotely-activated webcams 
fall into this category.\13\ The second category involves unwanted 
commercial intrusions, such as telemarketing, spam, and harassing debt 
collection calls.
---------------------------------------------------------------------------
    \6\ See, e.g., TaxSlayer, LLC, No. C-4626 (F.T.C. Oct. 20, 2017), 
https://www.ftc.gov/enforcement/cases-proceedings/162-3063/taxslayer 
(alleging delayed benefits, expended time, and risk of identity theft).
    \7\ See, e.g., FTC v. Accusearch, Inc., No. 06-CV-0105 (D. Wyo. May 
3, 2006), https://www
.ftc.gov/enforcement/cases-proceedings/052-3126/accusearch-inc-dba-
abikacom-jay-patel (alleging that telephone records pretexting 
endangered consumers' health and safety).
    \8\ Under the tort of public disclosure of private facts (or 
publicity given to private life), a plaintiff may recover where the 
defendant's conduct is highly offensive to a reasonable person. 
Restatement (Second) of Torts Sec. 652D (1977).
    \9\ Eli Lilly and Co., No. C-4047 (F.T.C. May 8, 2002), https://
www.ftc.gov/enforcement/cases-proceedings/012-3214/eli-lilly-company-
matter.
    \10\ FTC v. Ruby Corp., et al., No. 1:16-cv-02438 (D.D.C. Dec. 14, 
2016), https://www.ftc.gov/enforcement/cases-proceedings/152-3284/
ashley-madison.
    \11\ FTC v. EMP Media, Inc., et al., No. 2:18-cv-00035 (D. Nev. 
Jan. 9, 2018), https://www.ftc
.gov/enforcement/cases-proceedings/162-3052/emp-media-inc-myexcom.
    \12\ FTC v. Ruby Corp., et al., No. 1:16-cv-02438 (D.D.C. Dec. 14, 
2016), https://www.ftc.gov/enforcement/cases-proceedings/152-3284/
ashley-madison.
    \13\ See Press Release, FTC Halts Computer Spying (Sept. 25, 2012), 
https://www.ftc.gov/news-events/press-releases/2012/09/ftc-halts-
computer-spying; see also Aaron's, Inc., C-4442 (F.T.C. Mar. 10, 2014), 
https://www.ftc.gov/enforcement/cases-proceedings/122-3256/aarons-inc-
matter.

    Question 5. Should the FTC issue more guidance to marketers on the 
level of support needed to substantiate their claims? If so, when do 
you anticipate that such guidance could be issued?
    Answer. The FTC has issued extensive guidance over the years to 
help marketers determine the level of support needed to substantiate 
claims. The Commission first articulated the relevant factors used to 
determine the level of evidence required to substantiate objective 
performance claims in Pfizer, Inc.\14\ Those factors included the type 
of claim, type of product, consequences of a false claim, benefits of a 
truthful claim, cost of developing substantiation for the claim, and 
amount of substantiation experts in the field believe is reasonable. 
The Commission and the courts have reaffirmed this standard many times 
since 1972.\15\ In addition, the FTC also has provided extensive 
guidance through Guides and staff guidance documents.\16\ FTC staff 
regularly provide further guidance through speeches and presentations 
to industry trade groups and industry attorneys.
---------------------------------------------------------------------------
    \14\ 81 F.T.C. 23 (1972)
    \15\ See, e.g., Thompson Med. Co., 104 F.T.C. 648, 813 (1984), 
aff'd, 791 F.2d 189 (D.C. Cir. 1986); Daniel Chapter One, 2009 WL 
5160000 at *25-26 (F.T.C. 2009), aff'd, 405 Fed. Appx. 505 (D.C. Cir. 
2010) (unpublished opinion), available at 2011-1 Trade Cas. (CCH)  
77,443 (D.C. Cir. 2010); POM Wonderful, LLC, 155 F.T.C. 1, 55-60 
(2013), aff'd, 777 F.3d 478 (D.C. Cir. 2015), cert. denied, 136 S. Ct. 
1839, 194 L. Ed. 2d 839 (2016); FTC Policy Statement Regarding 
Substantiation, 104 F.T.C. 839, 840 (1984) (appended to Thompson Med. 
Co., 104 F.T.C. 648 (1984)).
    \16\ See, e.g., Guides for the Use of Environmental Marketing 
Claims, 16 C.F.R. Sec. 260.2 (2019), https://www.ecfr.gov/cgi-bin/text-
idx?SID=bd96b2cdcd01f7620d43e50a9d1d8cec&mc=true&
node=se16.1.260_12&rgn=div8; Dietary Supplements: An Advertising Guide 
for Industry, https://www.ftc.gov/tips-advice/business-center/guidance/
dietary-supplements-advertising-guide-industry.
---------------------------------------------------------------------------
    The Commission's precedent and subsequent guidance set forth 
flexible principles that can be applied to multiple products and 
claims. These materials do not attempt to answer every question about 
substantiation, given the virtually limitless range of advertising 
claims, products, and services to which it could be applied. Instead, 
they seek to strike the right balance: specific enough to be helpful, 
but not so granular as to overlook some important factor that might 
arise, and thereby chill useful speech.

    Question 6. In June, the 11th Circuit vacated the Commission's data 
security order against Lab-MD. What effect, if any, will this have on 
the Commission's data security orders going forward?
    Answer. The Eleventh Circuit determined that the mandated data 
security provision of the Commission's LabMD Order was insufficiently 
specific. We are engaged in an ongoing process to craft appropriate 
order language in data security cases, based on the Eleventh Circuit 
opinion, feedback we received from our December hearing on data 
security, and our own internal discussion of how to use our existing 
tools to implement remedies that better deter future misconduct.

    Question 7. If Federal privacy legislation is passed, what 
enforcement tools would you like to be included for the FTC?
    Answer. First, I would recommend that Congress consider giving the 
FTC the authority to seek civil penalties for initial privacy 
violations, which would create an important deterrent effect. Second, 
while the process of enacting Federal privacy legislation will involve 
difficult tradeoffs that are appropriately left to Congress, targeted 
APA rulemaking authority, similar to that in the Children's Online 
Privacy Protection Act, would allow the FTC to keep up with 
technological developments. For example, in 2013, the FTC used its APA 
rulemaking authority to amend the COPPA Rule to address new business 
models, including social media and collection of geolocation 
information, that did not exist when the initial 2000 Rule was 
promulgated. Third, the FTC could use broader enforcement authority to 
take action against common carriers and nonprofits, which it cannot 
currently do under the FTC Act.

    Question 8. During the hearing, I asked you whether the FTC would 
consider using its section 6(b) authority to study consumer information 
data flows, specifically sending requests to Google, Facebook, Amazon, 
and others in the tech industry to learn what information they collect 
from consumers and how that information is used, shared, and sold. You 
responded, ``Sure, 6(b) is a really powerful tool and that's the type 
of thing that might very well make sense for us to use it for.'' I 
believe the FTC's section 6(b) authority could provide some much needed 
transparency to consumers about the data practices of large technology 
companies, and help identify areas that may require additional 
attention from lawmakers. Can you explain in more detail whether you 
believe the FTC should conduct a study pursuant to section 6(b) of the 
Federal Trade Commission Act on the data collection, use, filtering, 
sharing, and sale practices of large technology companies?
    Answer. I agree with you that the FTC's section 6(b) authority 
could be used to provide some much needed transparency to consumers 
about the data practices of large technology companies. We are 
developing plans to issue 6(b) orders in the technology area.
                                 ______
                                 
      Response to Written Question Submitted by Hon. Roy Blunt to 
                         Hon. Joseph J. Simons
    Question. The Food and Drug Administration (FDA) cataloged reports 
that patients have foregone or discontinued their doctor prescribed 
medications, in some cases resulting in serious injury and death, after 
seeing lawsuit advertisements making claims about certain FDA-approved 
medications.
    It is incumbent upon the Federal Trade Commission (FTC) to examine 
and curb false and misleading advertising practices, particularly when 
such practices result in serious injury and death.
    What is the FTC doing to stop these false and misleading lawsuit 
advertising practices?
    Answer. Some of these advertisements could be unfair or deceptive 
in violation of the FTC Act. The FTC is monitoring attorney advertising 
that solicits people who may have been harmed by prescription drugs or 
medical devices to determine whether such advertising is likely to 
cause physical or financial harm to consumers. We also are consulting 
with the FDA to determine how we may assist each other in protecting 
consumers. In particular, among other requests, we are seeking FDA 
input as to whether particular ads contain misleading statements 
concerning the risks associated with specific drugs and the potential 
risk to patients of discontinuing the drugs without a doctor's 
consultation. In addition, we are seeking information from the FDA 
concerning adverse event reports suggesting a patient stopped taking 
his or her medication after viewing such advertising. However, it 
should be noted that adverse event reports do not establish causation, 
and an enforcement action would have to be based on more than a 
reported incident.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Jerry Moran to 
                         Hon. Joseph J. Simons
    Question 1. Section 5(a) of the FTC Act, which prohibits ``unfair 
or deceptive acts or practices in or affecting commerce'' is the legal 
basis for a body of consumer protection law that covers data privacy 
and security practices. The FTC has brought hundreds of cases to date 
to protect the privacy and security of consumer information held by 
companies of all sizes under this authority. The FTC staff recently 
submitted comments to the National Telecommunications and Information 
Administration (NTIA) that clearly indicate the FTC staff's view that 
the FTC would be the appropriate agency to enforce a new comprehensive 
privacy legislative framework. Do you agree with the staff's view?
    Answer. Absolutely. The FTC has developed a substantial body of 
expertise on privacy issues over the past several decades, by bringing 
hundreds of cases, hosting approximately 70 workshops, and conducting 
numerous policy initiatives. The FTC is committed to using all of its 
expertise, its existing tools under the FTC Act and sector-specific 
privacy statutes, and whatever additional authority Congress gives us, 
to protect consumer privacy while promoting innovation and competition 
in the marketplace.

    Question 2. As Congress evaluates opportunities to create 
meaningful Federal legislation to appropriately ensure privacy of 
consumers' data, there have been suggestions to increase the FTC's 
authorities to enforce in this space. Will you commit to working with 
this Committee in measuring what resources, if any, will be needed to 
allow the agency to enforce any additional authorities that may or may 
not be provided in Federal legislation?

    Question 3. Sharing responsibilities with the DOJ's Antitrust 
Division, the FTC enforces antitrust law in a variety of sectors as 
described by your testimony. While the vast majority of premerger 
filings submitted to enforcement agencies do not raise competition 
concerns, the FTC challenged 45 mergers since the beginning of 2017, 
and of those, the FTC only voted to initiate litigation to block five 
transactions. Would you please describe the resource needs of the 
agency associated with hiring qualified outside experts to support its 
litigation efforts? Please explain how developments in the high-
technology sector are accounted for in the FTC's decision-making 
process related to antitrust enforcement.
    Answer. I appreciate your attention to the agency's resource needs. 
As I mentioned in my November 27 testimony, the FTC is committed to 
maximizing its resources to enhance its effectiveness in protecting 
consumers and promoting competition, to anticipate and respond to 
changes in the marketplace, and to meet current and future challenges. 
Resource constraints, however, remain a significant challenge. As 
discussed in more detail below, evolving technologies and intellectual 
property issues continue to increase the complexity of antitrust 
investigations and litigation. This complexity, coupled with the rising 
costs of necessary expert witnesses and increases in caseload, 
sometimes leads to financial and personnel resource limitations. In the 
past, we have requested additional resources for experts, information 
technology, and more full-time employees in support of our mission to 
protect consumers and promote competition. These continue to be 
critical areas of need for our agency. If we were to receive additional 
resources, they likely would be applied to these areas as needed.
    Qualified experts are an essential resource in all of the FTC's 
competition cases heading toward litigation (including some cases that 
ultimately are resolved via consent orders, through which we obtain 
effective relief without litigation). For example, the services of 
expert witnesses are critical to the successful investigation and 
litigation of merger cases; experts provide insight on proper 
definition of product and geographic markets, the likelihood of entry 
by new competitors, and the development of models to contrast merger 
efficiencies with potential competitive harm.
    Expert witness costs are highly dependent on the number, scope, 
duration, and disposition of our Federal and administrative court 
challenges. The cost of an expert, for example, increases if we require 
the expert to testify or produce a report. To limit these costs, the 
FTC has identified and implemented a variety of strategies, including 
using internal personnel from its Bureau of Economics as expert 
witnesses whenever practical. The opportunities to use internal experts 
as testifying experts are limited, however, by several factors, 
including staff availability, testifying experience, and the 
specialized expertise required for specific matters. Under my 
direction, the FTC will continue to evaluate how to increase its use of 
internal experts and control expert costs without compromising case 
outcomes or reducing the number of enforcement actions.
    In addition to expert witness costs, you asked about how 
developments in the high-technology sector factor into the FTC's 
decision-making process related to antitrust enforcement. The FTC 
follows closely activity in the high-technology sector. Given the 
important role that technology companies play in the American economy, 
it is critical that the Commission--in furthering its mission to 
protect consumers and promote competition--understand the current and 
developing business models and scrutinize incumbents' conduct to ensure 
that they abide by the same rules of competitive markets that apply to 
any company. When appropriate, the Commission will take action to 
counter any harmful effects of coordinated or unilateral conduct by 
technology firms.
    The fundamental principles of antitrust do not differ when applied 
to high-technology industries, including those in which patents or 
other intellectual property are highly significant. The issues, 
however, are often more complex and require different expertise, which 
may necessitate the hiring of outside experts or consultants to help us 
develop and litigate our cases. The FTC also strives to adapt to the 
dynamic markets we protect by leveraging the research, advocacy, and 
education tools at our disposal to improve our understanding of 
significant antitrust issues and emerging trends in business practices, 
technology, and markets. For example, last fall, the Commission 
launched its Hearings on Competition and Consumer Protection in the 
21st Century to consider whether the FTC's enforcement and policy 
efforts are keeping pace with changes in the economy, including 
advancements in technology and new business models made possible by 
those developments.\17\ Under my leadership, the FTC will continue to 
scrutinize technology mergers and conduct by technology firms to ensure 
not only that consumers benefit from their innovative products, but 
also that competition thrives in this dynamic and highly influential 
sector. Our recent announcement of a new Technology Task Force within 
the Bureau of Competition demonstrates our commitment to monitoring 
competition in U.S. technology markets, investigating any potential 
anticompetitive conduct in those markets, and taking enforcement 
actions when warranted.
---------------------------------------------------------------------------
    \17\ FTC, Hearings on Competition and Consumer Protection in the 
21st Century, https://www.ftc.gov/policy/hearings-competition-consumer-
protection. Recent hearings included a two-day workshop on the 
potential for collusive, exclusionary, and predatory conduct in 
multisided, technology-based platform industries. FTC Workshop, FTC 
Hearing #3: Competition and Consumer Protection in the 21st Century 
(Oct. 15-17, 2018), https://www.ftc.gov/news-events/events-calendar/
2018/10/ftc-hearing-3-competition-consumer-protection-21st-century. 
Similarly, in early November, the Commission held a two-day workshop on 
the antitrust frameworks for evaluating acquisitions of nascent 
competitors in the technology and digital marketplace, and the 
antitrust analysis of mergers and conduct where data is a key asset or 
product. FTC Workshop, FTC Hearing #6: Competition and Consumer 
Protection in the 21st Century (Nov. 6-8, 2018), https://www.ftc.gov/
news-events/events-calendar/ftc-hearing-6-competition-consumer-pro
tection-21st-century. Also in November, the Commission held a two-day 
workshop on the competition and consumer protection issues associated 
with algorithms, artificial intelligence, and predictive analysis in 
business decisions and conduct. FTC Workshop, FTC Hearing #7: 
Competition and Consumer Protection in the 21st Century (Nov. 13-14), 
https://www.ftc.gov/news-events/events-calendar/ftc-hearing-7-
competition-consumer-protection-21st-century.

    Question 4. Earlier this year, I introduced legislation called the 
Senior Scams Prevention Act with Senator Bob Casey to combat continued 
and increasingly complex attempts to defraud one of the Nation's most 
vulnerable populations, our senior community. This bill seeks to ensure 
retailers, financial institutions and wire transfer companies have the 
resources to train employees to help stop financial frauds and scams on 
seniors. Would you agree that awareness and education, guided by ``best 
practices'' established by industry and government partners, is a 
valuable tool in preventing consumer harms against our Nation's 
seniors?
    Answer. Yes, I agree, and your question fully aligns with the FTC's 
work in this area. Protecting older consumers is one of the agency's 
top priorities. As the population of older Americans grows, the FTC's 
efforts to identify scams affecting seniors and to bring aggressive law 
enforcement action, as well as provide awareness and useful advice to 
seniors, are increasingly vital. Based on consumer research, the FTC 
developed its Pass It On campaign to share preventative information 
about frauds and scams with older adults.\18\ This popular campaign, 
used by many of our partners, engages active older adults to share 
these educational materials with others in their communities, including 
people in their lives who may particularly benefit from this 
information. The FTC stands ready to work with industry and government 
partners to create additional materials for industry, such as 
retailers, financial institutions, and wire transfer companies, to help 
prevent harm to our Nation's seniors.
---------------------------------------------------------------------------
    \18\ Consumer Information--Pass it on, https://
www.consumer.ftc.gov/features/feature-0030-pass-it-on (providing 
consumer information on identity theft, imposter scams, charity fraud, 
and other topics).

    Question 5. In its comments submitted to NTIA on ``Developing the 
Administration's Approach to Consumer Privacy,'' the FTC discussed the 
various cases that it has taken up to address privacy-related harms to 
consumers, and it specifically noted four categories of harms: 
financial injury, physical injury, reputational injury, and unwanted 
intrusion. Could you please briefly describe each category while noting 
any FTC enforcement considerations specific to that type of harm?
    Answer. Certainly. Financial injury can manifest in a variety of 
ways: fraudulent charges, delayed benefits, expended time, opportunity 
costs, fraud, and identity theft, among other things.\19\ Physical 
injuries include risks to individuals' health or safety, including the 
risks of stalking and harassment.\20\ Reputational injury involves 
disclosure of private facts about an individual, which damages the 
individual's reputation. Tort law recognizes reputational injury.\21\ 
The FTC has brought cases involving this type of injury, for example, 
in a case involving public disclosure of individuals' Prozac use \22\ 
and public disclosure of individuals' membership on an infidelity-
promoting website.\23\ Finally, unwanted intrusions involve two 
categories. The first includes activities that intrude on the sanctity 
of people's homes and their intimate lives. The FTC's cases involving a 
revenge porn website,\24\ an adult-dating website,\25\ and companies 
spying on people in their bedrooms through remotely-activated webcams 
fall into this category.\26\ The second category involves unwanted 
commercial intrusions, such as telemarketing, spam, and harassing debt 
collection calls. In terms of enforcement considerations, as noted 
above, the FTC is very mindful of ensuring that it addresses these 
harms, while not impeding the benefits of legitimate data collection 
and use practices.
---------------------------------------------------------------------------
    \19\ See, e.g., TaxSlayer, LLC, No. C-4626 (Oct. 20, 2017), https:/
/www.ftc.gov/enforcement/cases-proceedings/162-3063/taxslayer (alleging 
delayed benefits, expended time, and risk of identity theft).
    \20\ See, e.g., FTC v. Accusearch, Inc., No. 06-CV-0105 (D. Wyo. 
May 3, 2006), https://www.ftc.gov/enforcement/cases-proceedings/052-
3126/accusearch-inc-dba-abikacom-jay-patel (alleging that telephone 
records pretexting endangered consumers' health and safety).
    \21\ Under the tort of public disclosure of private facts (or 
publicity given to private life), a plaintiff may recover where the 
defendant's conduct is highly offensive to a reasonable person. 
Restatement (Second) of Torts Sec. 652D (1977).
    \22\ Eli Lilly and Co., No. C-4047 (May 8, 2002), https://
www.ftc.gov/enforcement/cases-proceedings/012-3214/eli-lilly-company-
matter.
    \23\ FTC v. Ruby Corp., et al., No. 1:16-cv-02438 (D.D.C. Dec. 14, 
2016), https://www.ftc.gov/enforcement/cases-proceedings/152-3284/
ashley-madison.
    \24\ FTC v. EMP Media, Inc., et al., No. 2:18-cv-00035 (D. Nev. 
Jan. 9, 2018), https://www.ftc.gov/enforcement/cases-proceedings/162-
3052/emp-media-inc-myexcom.
    \25\ FTC v. Ruby Corp., et al., No. 1:16-cv-02438 (D.D.C. Dec. 14, 
2016), https://www.ftc.gov/enforcement/cases-proceedings/152-3284/
ashley-madison.
    \26\ See Press Release, FTC Halts Computer Spying (Sept. 25, 2012), 
https://www.ftc.gov/news-events/press-releases/2012/09/ftc-halts-
computer-spying; see also Aaron's, Inc., No. C-4442 (F.T.C. Mar. 10, 
2014), https://www.ftc.gov/enforcement/cases-proceedings/122-3256/
aarons-inc-matter.

    Question 6. In the FTC's recent comments in NTIA's privacy 
proceeding, the FTC said that its ``guiding principles'' are based on 
``balancing risk of harm with the benefits of innovation and 
competition.'' Would you describe what this means, how you strike this 
balance, and how it is applied in practice under your Section 5 
authority in the FTC Act?
    Answer. In unfairness cases, section 5(n) of the FTC Act requires 
us to strike this balance. It does not allow the FTC to bring a case 
alleging unfairness ``unless the act or practice causes or is likely to 
cause substantial injury to consumers, which is not reasonably 
avoidable by consumers themselves and not outweighed by benefits to 
consumers or to competition.'' Thus, for example, in our data security 
complaints and orders, we often plead the specific harms that consumers 
are likely to suffer from a company's data security failures. We do not 
assert that companies need to spend unlimited amounts of money to 
address these harms; in many of our cases, we specifically allege that 
the company could have fixed the security vulnerabilities at low or no 
cost.

    Question 7. The FTC's comments pertaining to ``control'' in NTIA's 
privacy proceeding stated, ``Choice also may be unnecessary when 
companies collect and disclose de-identified data, which can power data 
analytics and research, while minimizing privacy concerns.'' How would 
the FTC suggest Federal regulation account for de-identified data, if 
at all?
    Answer. One possible standard identified in the FTC's 2012 Privacy 
Report states that data is de-identified if it is not ``reasonably 
linkable'' to a consumer, computer, or device.\27\ Data can be deemed 
to be de-identified to the extent that a company: (1) takes reasonable 
measures to ensure that the data is de-identified; (2) publicly commits 
not to try to re-identify the data; and (3) contractually prohibits 
downstream recipients from trying to re-identify the data. Although 
this language provides some general principles for de-identification, 
we would be happy to work with your staff on drafting more specific 
legislative language.
---------------------------------------------------------------------------
    \27\ FTC Report, Protecting Privacy in an Era of Rapid Change: 
Recommendations for Businesses and Policymakers (Mar. 2012), https://
www.ftc.gov/sites/default/files/documents/reports/federal-trade-
commission-report-protecting-consumer-privacy-era-rapid-change-
recommenda
tions/120326privacyreport.pdf

    Question 8. Your testimony indicated that continued technological 
developments allow illegal robocallers to conceal their identities in 
``spoofing'' caller IDs while exponentially increasing robocall volumes 
through automated dialing systems. These evolving technological changes 
mean that the critical law enforcement efforts of the FTC cannot be the 
only solution, and your testimony described the additional steps the 
FTC is taking to develop innovative solutions to these issues. Would 
you please describe the process and outcomes of the four public 
challenges that the FTC held from 2013 to 2015? Are there plans to 
incentivize innovators to combat robocalls in the future?
    Answer. The FTC's process for its robocall challenges included 
public announcements, committees with independent judges, and, in some 
cases, cash prizes awarded under the America COMPETES Reauthorization 
Act.\28\ To maximize publicity, the FTC announced each of its four 
challenges in connection with public events. The FTC announced the 
first robocall challenge at the FTC's 2012 Robocall Summit. In 2014, 
the FTC conducted its second challenge, ``Zapping Rachel,'' at DEF CON 
22. The FTC conducted its third challenge, ``DetectaRobo,'' in June 
2015 in conjunction with the National Day of Civic Hacking. The final 
phase of the FTC's fourth public robocall challenge took place at DEF 
CON 23. When the FTC held its first public challenge, there were few, 
if any, call blocking or call labeling solutions available for 
consumers. Today, two FTC challenge winners, NomoRobo and Robokilller, 
offer call blocking applications, and there are hundreds of mobile apps 
offering call blocking and call labeling solutions for cell phones. 
Many home telephone service providers also now offer call blocking and 
call labeling solutions. The FTC will not hesitate to initiate 
additional innovation contests if it identifies further challenges that 
could meaningfully benefit consumers by reducing the harm caused by 
illegal robocalls.
---------------------------------------------------------------------------
    \28\ Details About the FTC's Robocall Initiatives, https://
www.consumer.ftc.gov/features/feature-0025-robocalls.
---------------------------------------------------------------------------
    In addition to developing call blocking and call labeling 
technology, the telecom industry has also developed call verification 
technology, called STIR/SHAKEN, to help consumers know whether a call 
is using a spoofed Caller ID number and to assist call analytics 
companies in implementing call blocking and call labeling products. If 
widely implemented and made available to consumers, the STIR/SHAKEN 
protocol should minimize unwanted calls. Certain industry members have 
begun to roll out this technology in beta-testing mode. We will monitor 
this industry initiative and, assuming the results are as expected, 
continue to encourage its implementation.

    Question 9. Would you please describe the FTC's coordination 
efforts with state, federal, and international partners to combat 
illegal robocalls?
    Answer. The FTC frequently coordinates its efforts with its state, 
federal, and international partners. The FTC often brings robocall 
enforcement actions with states as co-plaintiffs. For example, in the 
FTC's case against Dish Network, the FTC brought the case jointly with 
California, Illinois, North Carolina, and Ohio. Collectively, the 
states and the FTC obtained a historic $280 million trial verdict.\29\
---------------------------------------------------------------------------
    \29\ Press Release, FTC and DOJ Case Results in Historic Decision 
Awarding $280 Million in Civil Penalties Against Dish Network and 
Strong Injunctive Relief for Do Not Call Violations (June 6, 2017), 
https://www.ftc.gov/news-events/press-releases/2017/06/ftc-doj-case-
results-historic-decision-awarding-280-million-civil. The case is on 
appeal before the Seventh Circuit Court of Appeals.
---------------------------------------------------------------------------
    The FTC also coordinates outreach and education with the FCC. In 
2018, the agencies co-hosted two robocall events--a policy forum that 
discussed technological and law enforcement solutions to the robocall 
problem \30\ and a public expo that allowed companies to showcase their 
call blocking and call labeling products for the public.\31\ 
Additionally, the FTC and FCC hold quarterly calls, speak regularly on 
an informal basis, and coordinate on a monthly basis with our state 
partners through the National Association of Attorneys General. The FTC 
also engages with international partners through participation in 
international law enforcement groups such as the International Consumer 
Protection Enforcement Network, International Mass Marketing Fraud 
Working Group, and Unsolicited Communications Network (formerly known 
as the London Action Plan).
---------------------------------------------------------------------------
    \30\ Press Release, FTC and FCC to Host Joint Policy Forum and 
Consumer Expo to Fight the Scourge of Illegal Robocalls (Mar. 22, 
2018), https://www.ftc.gov/news-events/press-releases/2018/03/ftc-fcc-
host-joint-policy-forum-illegal-robocalls.
    \31\ Press Release, FTC and FCC to Co-Host Expo on April 23 
Featuring Technologies to Block Illegal Robocalls (Apr. 19, 2018), 
https://www.ftc.gov/news-events/press-releases/2018/04/ftc-fcc-co-host-
expo-april-23-featuring-technologies-block-0.

    Question 10. Your testimony described the limitations of the FTC's 
current data security enforcement authority provided by Section 5 of 
the FTC Act including: lacking civil penalty authority, lacking 
authority over non-profits and common carrier activity, and missing 
broad APA rulemaking authority. Please describe each of these 
limitations and how adjusted FTC authority to address these items would 
improve the protection of consumers from data security risks.
    Answer. Under current law, the FTC cannot obtain civil penalties 
for first-time data security violations. I believe this lack of civil 
penalty authority under-deters problematic data security practices. If 
Congress were to give the FTC the authority to seek civil penalties for 
first-time violators (subject to statutory limitations on the 
imposition of civil penalties, such as ability to pay and stay in 
business), better deterrence would be achieved. Additionally, should 
Congress enact specific data security legislation, it would be 
important for the FTC to have associated APA rulemaking authority \32\ 
so that the Commission can enact rules and amend them as necessary to 
keep up with technological developments. For example, in 2013, the FTC 
was able to use its APA rulemaking authority to amend its Rule under 
the Children's Online Privacy Protection Act to address new business 
models, including social media and collection of geolocation 
information, that did not exist when the initial 2000 Rule was 
promulgated. As to nonprofits and common carriers, news reports are 
filled with breaches affecting these sectors (e.g., the education 
sector) but the FTC does not currently have jurisdiction over them. 
Giving the FTC jurisdiction over these entities to enforce data 
security laws would create a level playing field and ensure that these 
entities would be subject to the same rules as other entities that 
collect similar types of data.
---------------------------------------------------------------------------
    \32\ The FTC is not seeking general APA rulemaking authority for a 
broad statute like Section 5.
---------------------------------------------------------------------------
                                 ______
                                 
 Response to Written Questions Submitted by Hon. Richard Blumenthal to 
                         Hon. Joseph J. Simons
Facebook: FTC Investigation Status
    In May, the Bureau of Consumer Protection took the rare step of 
acknowledging a ``non-public investigation'' into the privacy practices 
of Facebook. It is now over eight months since the FTC's announcement 
with no further comment or report.

    Question 1. How many full-time employees have been primarily 
assigned to investigate Facebook's privacy and data protection 
practices?

    Question 2. Who is responsible for coordinating the investigation 
of Facebook? What divisions of the FTC are involved in the 
investigation?

    Question 3. Has the FTC made requests for documents or conducted 
interviews with Facebook, Cambridge Analytica, and other relevant 
parties?

    Question 4. Is the FTC in regular contact with its European 
counterparts on their investigation of Facebook?

    Question 5. Does the FTC require further resources, including 
technologists or privacy lawyers, in order to complete its 
investigation of Facebook?
    Answer. Although the existence of this investigation has been made 
public, details about the investigation, including how it is being 
staffed and any steps that have or have not been taken, are non-public. 
Therefore, we cannot answer these questions at this time.

    Question 6. Has the FTC ever taken issue with Facebook or Google's 
assessments under their consent decrees?

    Question 7. Has the Commission reviewed its consent decree with 
Google this year to determine whether the company is in compliance?
    Answer. As part of its review of compliance with consent decrees, 
the FTC carefully reviews all assessments, seeks additional information 
as appropriate, and reviews compliance through a variety of means. 
However, because any investigation of a specific company's compliance 
is non-public, we cannot comment specifically about the steps taken 
regarding Google or Facebook.
Privacy Rules
    We know that Americans care about privacy--that they eagerly want 
these rights. We need baseline rules. Companies should not store 
sensitive information indefinitely and use that data for purposes that 
people never intended. Federal rules must set meaningful obligations on 
those that handle our data. We must enable consumers to trust and 
control their personal data.

    Question 8. Do you support providing state AGs with the power to 
enforce Federal privacy protections and would you commit to working 
with state AGs?
    Answer. Yes. I view the Attorneys General as important partners in 
protecting consumers. I endorse a model that gives state Attorneys 
General the power to enforce Federal privacy protections, which ensures 
that there are multiple enforcers on the beat.

    Question 9. Why is it important that the FTC have rulemaking 
authority when it comes to privacy? Where best would rulemaking be 
applied?
    Answer. The process of enacting Federal privacy legislation will 
involve difficult tradeoffs that are appropriately left to Congress. 
Targeted APA rulemaking authority within those parameters is important, 
because it will enable the FTC to keep up with technological 
developments. For example, Congress gave the FTC APA rulemaking 
authority to implement the Children's Online Privacy Protection Act. In 
2013, the FTC was able to use this authority to amend a rule it had 
initially promulgated in 2000, in order to address new business models, 
including social media and collection of geolocation information, as 
well as new technologies such as smart phones, that did not exist when 
the initial 2000 rule was promulgated.

    Question 10. Do you believe elevating the Office of Technology 
Research and Investigation to the Bureau level would meaningfully help 
the FTC in addressing new technological developments across its 
mandates?
    Answer. At this time, I do not believe that elevating the Office of 
Technology Research and Investigation to the Bureau level would 
meaningfully enhance the FTC's ability to vigorously pursue our current 
enforcement mandates. I am, however, actively considering how best to 
integrate technologists into our agency and how most effectively to 
deploy our limited resources to address our needs in this area. This 
effort includes evaluating the information developed at the 
Commission's Hearings on Competition and Consumer Protection in the 
21st Century.

    Question 11. When will the FTC appoint a Chief Technology Officer?
    Answer. I have held off on appointing a Chief Technology Officer 
because I was actively considering the best way to utilize our existing 
resources and integrate new ones, across both our consumer protection 
and competition missions. We recently announced the creation of a 
Technology Task Force within the Bureau of Competition, which will be 
dedicated to monitoring competition in U.S. technology markets, 
investigating any potential anticompetitive conduct in those markets, 
and taking enforcement actions when warranted. The task force will 
include a Technology Fellow who will provide important technical 
assistance and expertise to support the task force's investigations. In 
addition, members of the task force will coordinate with their 
counterparts in the Bureau of Consumer Protection who also focus on 
technology platforms. Once the new task force is up and running, we 
will be in a better position to evaluate our need for technologists, 
including a Chief Technology Officer, and how best to integrate and 
leverage additional expertise.
Board Accountability
    Question 12. What is the FTC doing to investigate and hold 
accountable individual board members and executives who knowingly 
assist their companies in committing fraud? What more should the FTC be 
doing in this regard?
    Answer. The FTC always considers the potential liability of 
individual officers and others who participated in or controlled 
deceptive and unfair practices. In cases where the FTC finds evidence 
of wrongdoing that meets the applicable legal standard, and where 
naming the individual is appropriate to obtain full and complete relief 
for consumers and appropriate injunctive relief, we do so.
Net Neutrality
    After the FCC abdicated its responsibility to protect net 
neutrality this year, we are left with no discernible rules to prevent 
Internet service providers from blocking or slowing Internet traffic. 
We have already started to see the effects of this disastrous decision. 
Earlier this month, Senators Markey, Wyden, and I wrote to several 
mobile carriers on reports those companies throttled video streaming 
applications. These practices would violate the core principle of net 
neutrality.

    Question 13. Has the FTC investigated reports that mobile carriers 
are throttling video applications?
    Answer. As you know, because the Commission's investigations are 
not public, I cannot comment on the practices of specific companies. 
However, the Commission has a strong interest in ensuring that 
companies stand by their promises to consumers and do not engage in 
deceptive or unfair practices. In general, except for the period when 
the FCC reclassified Broadband Internet Access Service (``BIAS'') as a 
common carrier activity and the FTC lost the ability to protect 
consumers in this space, FTC staff has been monitoring and will 
continue to monitor the marketing and business practices of BIAS 
providers. To determine whether particular instances of throttling are 
deceptive or unfair, the Commission must evaluate what representations 
the provider made to consumers about its services, as well as available 
information and data about the nature and quality of the services 
actually provided to consumers.
    The Commission will closely review any relevant research that may 
support or disprove particular advertising claims or provide evidence 
of particular business practices. When reviewing such reports, we 
evaluate a study's design, scope, and results, and consider how the 
study relates to a particular claim or informs a particular practice.

    Question 14. If an Internet service provider blocks an application, 
does the FTC have the authority to investigate and penalize such 
actions?
    Answer. When the FCC reclassified BIAS as a common carrier 
activity, the FTC temporarily lost the ability to protect consumers in 
this space because the FTC does not have authority over common carrier 
activities. The FTC brought several types of cases against BIAS 
providers prior to 2015.\1\ Now that the reclassification has been 
reversed, we can bring those types of cases again.\2\ If a company 
makes claims about blocking that are materially misleading, or if the 
practice causes substantial consumer injury that is not reasonably 
avoidable and not outweighed by benefits to consumers or competition, 
the FTC can bring an enforcement action under Section 5. In addition, 
the FTC has experience enforcing the antitrust laws to prevent unfair 
methods of competition for the benefit of consumers in many different 
markets. As part of its Hearings on Competition and Consumer Protection 
in the 21st Century, the agency will hold public hearings on March 20, 
2019 to continue to explore how the FTC can use its enforcement 
authority most effectively in BIAS markets. If the FTC identifies, 
through these hearings or otherwise, that it does not have sufficient 
authority or resources to protect consumers or address competition 
issues in BIAS markets, the agency will report this to Congress.
---------------------------------------------------------------------------
    \1\ See, e.g., FTC v. TracFone Wireless, Inc., No. 3:15-cv-00392-
EMC (N.D. Cal. Feb. 20, 2015), https://www.ftc.gov/enforcement/cases-
proceedings/132-3176/straight-talk-wireless-tracfone-wireless-inc; FTC 
v. AT&T Mobility, LLC, No. 3:14-CV-04785-EMC (N.D. Cal. Oct. 28, 2014), 
https://www.ftc.gov/enforcement/cases-proceedings/122-3253/att-
mobility-llc-mobile-data-service; In re America Online, Inc., No. C-
4105 (Jan. 28, 2004), https://www.ftc.gov/enforcement/cases-
proceedings/002-3000/america-online-inc-compuserve-interactive-
services-incin; In re Juno Online Servs., Inc., No. C-4016 (June 25, 
2001), https://www.ftc.gov/enforcement/cases-proceedings/002-3061/juno-
online-services-inc.
    \2\ FTC v. AT&T Mobility LLC, 883 F.3d 848, 863-64 (9th Cir. 2018) 
(en banc) (concluding that ``the FTC may regulate common carriers' non-
common-carriage activities'').

    Question 15. You have said that blocking, throttling, and paid 
prioritization could be deemed unfair practice(s) under the right 
circumstances. What would be ``the right circumstances'' that would 
have to occur for the FTC to pursue net neutrality enforcement?
    Answer. As the Commission noted in its Policy Statement on 
Unfairness,\3\ and as codified in 15 U.S.C. Sec. 5(n), to be unfair, an 
act or practice must cause or be likely to cause substantial injury. 
Such injury ``must be substantial; it must not be outweighed by any 
countervailing benefit to consumers or competition that the practice 
produces; and it must be an injury that consumers themselves could not 
reasonably have avoided.'' \4\
---------------------------------------------------------------------------
    \3\ See FTC Policy Statement on Unfairness, appended to Int'l 
Harvester Co., 104 F.T.C. 949, 1070 (1984).
    \4\ Id.
---------------------------------------------------------------------------
    Pursuant to this authority, the Commission sued AT&T Mobility LLC, 
alleging that the company deceptively promised consumers unlimited data 
but then reduced speeds, in some instances by nearly 90 percent, 
without telling consumers. We also alleged that the company unfairly 
locked consumers into long-term contracts based on promises of 
unlimited service and charged early termination fees if the consumers 
canceled their plans.\5\
---------------------------------------------------------------------------
    \5\ FTC v. AT&T Mobility LLC, No. 3:14-cv-04785-EMC (N.D. Cal. Oct. 
28, 2014), https://www.ftc.gov/enforcement/cases-proceedings/122-3253/
att-mobility-llc-mobile-data-service.

    Question 16. What specific resources and expertise does the FTC 
have to address technical issues of discrimination of Internet traffic 
by ISPs? Has the FTC hired technical experts to investigate violations 
of net neutrality?
    Answer. FTC staff includes technologists with generalized expertise 
who regularly work with investigation and case teams to analyze a wide 
range of technical data, including in matters relating to network 
traffic analysis. The Commission also regularly hires independent 
consulting and testifying experts to provide more specialized expertise 
on a dedicated and ongoing basis. In addition, the Commission consults 
with staff at other agencies, including the FCC, as needed, regarding 
technical issues.
Copycat Military Websites
    Last month, I led a group of nine Senators in writing the FTC, 
asking the Commission to release the full list of schools that 
purchased user information from copycat military websites. These 
websites, with names like Army.com and EnlistArmy.com, mimicked 
official military enlistment websites and deceived prospective recruits 
into thinking they would be contacted by an official ``military 
representative.'' To truly stop such unscrupulous companies from taking 
root again, it is critical that the institutions that knowingly 
purchased these ill-gotten leads are also held to account.

    Question 17. Do you agree that such post-secondary schools should 
be held liable for deceptive third-party marketing conducted on their 
behalf? Will you commit to pursuing such cases to root out fraud at the 
source?
    Answer. No individual or entity, including post-secondary schools, 
should be able to avoid complying with the law by outsourcing deceptive 
marketing to third parties. In fact, the Commission has pursued several 
law enforcement actions to root out such conduct. In June 2018, the 
Commission obtained an order against Credit Bureau Center, a credit 
monitoring company, which held the company liable for deceptive third-
party marketing conducted on its behalf.\6\ The Commission has also 
pursued law enforcement actions against affiliate marketing networks 
for the deceptive conduct of their third-party marketing affiliates. 
The FTC recognizes the importance of pursuing all actors in the 
marketing ecosystem that fail to comply with the law.
---------------------------------------------------------------------------
    \6\ FTC v. Credit Bureau Center, LLC, No. 1:17-cv-194 (N.D. Ill. 
June 26, 2018), https://www.ftc.gov/enforcement/cases-proceedings/162-
3120/credit-bureau-center-llc-formerly-known-myscore-llc.
---------------------------------------------------------------------------
    The Commission will continue to monitor the marketplace for unfair 
or deceptive conduct on the part of post-secondary schools that benefit 
from the deceptive practices of third parties and will actively 
investigate wherever warranted.
SoFi Penalties
    Last month, the FTC proposed a settlement with SoFi--the online 
student loan refinancer that had greatly exaggerated in advertisements 
how much student loan borrowers would save when they refinance through 
the company. Unfortunately, the FTC was not able to require SoFi to pay 
any kind of penalty for its misconduct. As you noted in your testimony, 
this is one of the significant flaws in FTC's Section 5 authority. 
However, the CFPB or State Attorneys General could have sought 
meaningful penalties for SoFi's misconduct under existing law.

    Question 18. Why didn't you work with State AGs to ensure SoFi 
would be subject to civil penalty for its misconduct? How will you make 
sure there is cooperation with State AGs in the future--in order to 
more effectively deter bad actors from violating the law?
    Answer. The FTC regularly consults and coordinates with our Federal 
and state law enforcement partners when bringing actions to stop 
deception and other unlawful practices in the marketplace.\7\ We will 
continue to work with our partners, where appropriate, to use our 
respective tools to most effectively protect consumers.
---------------------------------------------------------------------------
    \7\ See, e.g., Press Release, FTC, Partners Conduct First 
Compliance Sweep under Newly Amended Used Car Rule (July 12, 2018), 
https://www.ftc.gov/news-events/press-releases/2018/07/ftc-partners-
conduct-first-compliance-sweep-under-newly-amended; Press Release, FTC, 
BBB, and Law Enforcement Partners Announce Results of Operation Main 
Street (June 18, 2018), https://www.ftc.gov/news-events/press-releases/
2018/06/ftc-bbb-law-enforcement-partners-announce-results-operation-
main; Press Release, FTC, State Law Enforcement Partners Announce 
Nationwide Crackdown on Student Loan Debt Relief Scams (Oct. 13, 2017), 
https://www.ftc.gov/news-events/press-releases/2017/10/ftc-state-law-
enforcement-partners-announce-nationwide-crackdown.
---------------------------------------------------------------------------
    We believe our action against SoFi secures appropriately strong and 
timely relief to protect consumers from the unlawful conduct in this 
case--by ensuring that SoFi stops making deceptive savings claims 
regarding its loans and other credit products. If SoFi violates the 
FTC's order in this matter, the FTC could seek significant civil 
penalties against it. Further, when announcing this action, the FTC 
sent warning letters to other student loan advertisers who were making 
savings claims.
FTC Investigation of Algorithms
    Section 6(b) of the FTC Act gives the agency broad investigatory 
and information-gathering powers. For example, in the 1970s the FTC 
used its Section 6(b) authority to require companies to submit product-
line specific information, enabling the agency to assess the state of 
competition across markets.
    The FTC has released reports on big data and the harms biased 
algorithms can cause to disadvantaged communities. These reports drew 
attention to the potential loss of economic opportunity and diminished 
participation in our society. Yet, information on how these algorithms 
work, and on the inputs that go into them, remains opaque.

    Question 19. Where the FTC consider using its Section 6(b) 
investigative power to help us understand how these algorithms and 
black-box A.I. systems work--the biases that shape them, and how those 
can affect trade, opportunity, and the market?
    Answer. I agree that algorithms and artificial intelligence are 
important topics of study. In 2017, the FTC and Department of Justice 
submitted a joint paper on algorithms and collusion to the Organization 
for Economic Cooperation and Development as part of the OECD's broader 
look at the role of competition policy and the digital age.\8\ More 
recently, we examined the competition and consumer protection 
implications of algorithms, artificial intelligence, and predictive 
analytics as part of the Commission's Hearings on Competition and 
Consumer Protection in the 21st Century.\9\ The two-day hearing 
featured technologists, scientists, academics, and industry leaders (as 
well as economists and lawyers), who gathered to educate us and the 
broader competition and consumer protection community about how these 
technologies work, how they are used in the marketplace, and their 
policy implications. The Commission also invited public comments on 
this topic.
---------------------------------------------------------------------------
    \8\ Note to the OECD by the United States on Algorithms and 
Collusion, DAF/COMP/WD(2017)41 (May 26, 2017), https://www.ftc.gov/
system/files/attachments/us-submissions-oecd-other-international-
competition-fora/algorithms.pdf.
    \9\ FTC, Hearings on Competition and Consumer Protection in the 
21st Century, https://www.ftc.gov/policy/hearings-competition-consumer-
protection; FTC Workshop, FTC Hearing #7: Competition and Consumer 
Protection in the 21st Century (Nov. 13-14, 2018), https://www.ftc.gov/
news-events/events-calendar/ftc-hearing-7-competition-consumer-
protection-21st-century.
---------------------------------------------------------------------------
    I will keep you apprised of any initiatives that come out of our 
hearings project. I also appreciate your interest in the Commission 
conducting a study of algorithms and artificial intelligence under 
Section 6(b) of the FTC Act. I intend to conduct 6(b) studies in the 
technology area, though the subjects of these studies are still being 
considered.
FTC Consent Decree on Unrepaired Recalls
    Most consumers probably do not know that, while new car dealers are 
prohibited from selling vehicles with open recalls, used car dealers 
are not. A recent FTC consent decree, which I strenuously disagreed 
with and is currently being scrutinized in the courts, allows the sale 
of used cars with unrepaired recalls. According to the consent decree, 
car dealers can advertise that cars with unrepaired safety recalls like 
a defective Takata airbag are ``safe'' or have passed a ``rigorous 
inspection''--as long as they have a disclosure that the vehicle may be 
subject to an unrepaired recall and directs consumers on how they can 
determine the vehicle has an open recall.

    Question 20. In your opinion, is a car with an open, unrepaired 
recall, a ``safe'' car? Why would the FTC allow unsafe cars to be 
advertised as ``safe'' and ``repaired for safety,'' with or without a 
vague, contradictory and confusing disclaimer?
    Answer. I believe that all auto recalls pose safety risks to 
consumers, and that unrepaired recalls should be fixed.
    Our orders do not allow unsafe cars to be advertised as ``safe.'' 
For example, if a car dealer claims that a specific car with a risk of 
exploding airbags is ``safe,'' it would violate our orders, whether or 
not they made the required disclosures. Specifically, Part I of the 
orders prohibits safety-related claims unless there is a clear and 
conspicuous disclosure about recalls and the claim is not otherwise 
misleading.
    Before our orders were issued, car dealers were selling used 
vehicles subject to open recalls (a practice currently permitted under 
Federal product safety law), while widely making inspection claims that 
we alleged were deceptive. Our actions create a new floor of legal 
protection for consumers. Now, if the respondents in our actions make 
any claims suggesting a vehicle has been inspected for safety issues, 
they must clearly and conspicuously disclose that their vehicles may be 
subject to open recalls and how consumers can determine the recall 
status of a particular car. Importantly, the orders define ``clear and 
conspicuous'' to prohibit exactly the sort of confusing or 
contradictory disclosures you mention. These disclosures must be 
``easily understandable by ordinary consumers'' and cannot be 
``contradicted or mitigated by, or inconsistent with, anything else in 
the communication.''
Tesla's Deceptive ``Autopilot'' Advertisements
    Two consumer groups--the Center for Auto Safety and Consumer 
Watchdog--have petitioned the FTC to investigate Tesla's potentially 
deceptive advertising of its ``Autopilot'' system. As you may know, 
there have been at least two deaths and additional injuries in the 
United States linked to Tesla Autopilot. Consumer advocates have 
criticized that Tesla's deceptive and misleading use of term 
``Autopilot'' for its assisted-driving system falsely conveys to 
drivers that their vehicles are self-driving.

    Question 21. What is the FTC doing to investigate these concerns?
    Answer. As you noted, the Center for Auto Safety and Consumer 
Watchdog have asked the FTC to investigate the marketing of the Tesla 
Autopilot driving system. As is our normal procedure when we get such 
requests, we have spoken with the parties involved to better understand 
the issues. However, whether or not we have opened a law enforcement 
investigation is non-public, and we can neither confirm nor deny the 
existence of any such investigation.
Contact Lens Rule
    In November 2016, the Federal Trade Commission issued a Notice of 
Proposed Rulemaking proposing amendments to the Contact Lens Rule aimed 
at promoting competition and consumer choice in the marketplace for 
prescription contact lenses.

    Question 22. When does the Commission intend to finalize this 
rulemaking?
    Answer. The Commission initially published a Federal Register 
notice generally requesting comments on the Rule in September 2015. 
Based on review of the 660 comments received, the Commission published 
a Notice of Proposed Rulemaking (NPRM) in December 2016, requesting 
comment on proposed Rule amendments. The NPRM proposed to amend the 
rule to require prescribers to obtain a signed acknowledgment after 
releasing a contact lens prescription to a patient, and maintain it for 
three years. The purpose of the proposed amendment was to enhance both 
compliance and our ability to enforce the rule (by providing a record 
that the prescription was given out). We received over 4,100 additional 
comments in response to this NPRM.
    The Commission held a workshop on March 7, 2018 to collect 
additional information on various Rule-related issues, including the 
proposed amendments. The public comment period associated with the 
workshop closed on April 6, 2018. We received and reviewed 
approximately 3,500 additional comments.
    We collected additional information during the workshop and in 
public comments, and are considering alternatives to increase 
prescriber compliance with the Rule without imposing unnecessary 
burdens on prescribers. In addition, based on the comments received, we 
are considering additional modifications to the Rule. The FTC staff 
intends to submit a recommendation to the Commission in the coming 
months. If the Commission decides that additional public input would be 
beneficial, the Commission would allow an appropriate period of time 
for public input. The length of the comment period would depend on the 
complexity of the modifications under consideration, but most likely it 
would be 30-60 days; the original NPRM had a 60-day comment period, and 
we accepted comments for about 30 days after the workshop. The timeline 
for then completing the rulemaking and issuing the final rule would 
depend on the number and complexity of the comments received.
Questions on Non-Compete Clauses
    I am concerned about the growth of non-compete clauses, which block 
employees from switching jobs to another employer in the same sector 
for a certain period of time. These clauses weaken workers' bargaining 
power once they are in the job, because workers often cannot credibly 
threaten to leave if their employer forces refuses to give them a raise 
or imposes poor working conditions. According to the Economic Policy 
Institute, roughly 30 million workers--including one in six workers 
without a college degree--are now covered by non-compete clauses.
    The consensus in favor of addressing non-compete clauses is 
growing. For example, just this past December, an interagency report 
indicated that non-compete clauses can be harmful in certain contexts, 
such as the healthcare industry. Yet, the FTC has not yet undertaken 
forceful action. In September, Commissioner Chopra suggested that the 
FTC use its rulemaking authority to ``remove any ambiguity as to when 
non-compete agreements are permissible or not.''

    Question 23. Do you agree with the proposal that the FTC use its 
rulemaking authority to address non-compete clauses? I invite you to 
explain your reasoning regarding your stance.
    Answer. I am still considering whether the FTC should use its 
rulemaking authority to address non-compete employment agreements or 
whether other approaches might be better. I am particularly interested 
in sectors of the economy where employee training requirements are not 
significant. Non-competes in those instances are less likely to be 
justified by efficiencies and are more likely to be anticompetitive on 
balance.
Questions on Local Merger Enforcement
    Even though big national mergers typically garner the most media 
attention, smaller mergers can often raise monopoly concerns on the 
local level. This can be true in the healthcare industry, for example. 
In November, Commissioner Simons told me: ``Some local mergers may be 
too small to require Hart-Scott-Rodino premerger notification, but may 
still have anticompetitive effects.''

    Question 24. Would you agree with me that Hart-Scott-Rodino 
premerger notifications help antitrust enforcers catch concerning 
mergers?
    Answer. Yes, I agree that the premerger notification requirements 
of the Hart-Scott-Rodino Premerger Notification Act help antitrust 
enforcers identify anticompetitive mergers before they are consummated, 
preventing consumer harm. Once a merger is consummated and the firms' 
operations are integrated, it can be very difficult, if not impossible, 
to ``unscramble the eggs'' and restore the acquired firm to its former 
status as an independent competitor.

    Question 25. What sort of anticompetitive effects might be raised 
by local mergers even when those mergers are too small to require Hart-
Scott-Rodino premerger notification?
    Answer. Anticompetitive mergers harm consumers through higher 
prices and by reducing quality, choices, and innovation, or by 
thwarting competitors' entry into a market.\10\ The arena of 
competition affected by a merger may be geographically bounded (e.g., 
confined to a small or local area) if geography limits some customers' 
willingness or ability to substitute to some products or services, or 
some suppliers' willingness or ability to serve some customers.\11\
---------------------------------------------------------------------------
    \10\ U.S. Dep't of Justice & Fed. Trade Comm'n Horizontal Merger 
Guidelines Sec. 1 (2010), https://www.ftc.gov/public-statements/2010/
08/horizontal-merger-guidelines-united-states-department-justice-
federal (``A merger enhances market power if it is likely to encourage 
one or more firms to raise price, reduce output, diminish innovation, 
or otherwise harm customers as a result of diminished competitive 
constraints or incentives.'').
    \11\ Id. at Sec. 4.2. In antitrust analysis, a relevant market 
identifies a set of products or services and a geographic area of 
competition in which to analyze the potential effects of a proposed 
transaction. The purpose of market definition is to identify options 
available to consumers. See id. at Sec. 4 (describing market definition 
in antitrust analysis).
---------------------------------------------------------------------------
    The FTC often examines local geographic markets when reviewing 
mergers in retail markets, such as supermarkets, pharmacies, retail gas 
or diesel fuel stations, or funeral homes, or in service markets, such 
as health care. For example, in a recent Federal court action to enjoin 
the proposed merger of two rival physician services providers, the FTC 
and the State of North Dakota defined the relevant geographic market as 
the Bismarck-Mandan, North Dakota, Metropolitan Statistical Area--a 
four-county area that includes the cities of Bismarck and Mandan and 
smaller communities within the surrounding 40 to 50 mile radius.\12\ 
The types of anticompetitive effects that may occur in local markets 
are the same as those that may occur in larger geographic markets: 
higher prices, lower levels of service, reduced innovation, and fewer 
choices.
---------------------------------------------------------------------------
    \12\ FTC v. Sanford Health, No. 1:17-cv-0133 (D.N.D. Dec. 13, 
2017), https://www.ftc.gov/enforcement/cases-proceedings/171-0019/
sanford-health-ftc-state-north-dakota-v. The U.S. District Court for 
the District of North Dakota granted the FTC and State of North 
Dakota's preliminary injunction motion on December 13, 2017. The 
parties have appealed and the case is now pending before the Eighth 
Circuit.

    Question 26. What action would you recommend either the FTC or 
Congress take in order to assist Federal and state antitrust enforcers 
in catching local mergers that raise anticompetitive concerns?
    Answer. I have no opinion as to whether Congress should take 
action. Identifying anticompetitive mergers remains one of the top 
priorities of the agency's competition mission. The vast majority of 
mergers the FTC investigates are reported and examined at the premerger 
stage. The FTC does, however, devote significant attention to 
identifying unreported, often consummated, mergers that could harm 
consumers. With respect to both mergers that do not meet the premerger 
notification requirements and potentially anticompetitive conduct, the 
FTC relies on the trade press and other news articles, consumer and 
competitor complaints, hearings, economic studies, and other means to 
identify harmful practices that threaten competition. The FTC also 
routinely partners with state Attorneys General in its enforcement 
efforts; state Attorneys General routinely join the FTC as co-
plaintiffs in the FTC's Federal court litigations, such as in the North 
Dakota physician services merger litigation discussed above.
Question on Horizontal Shareholding
    Recent research has raised questions about whether horizontal 
shareholding harms competition in our economy. I would like to 
understand your view on this ongoing research.

    Question 27. Do you believe that horizontal shareholding raises 
anticompetitive concerns?
    Answer. The short answer is that I do not yet know enough to draw 
sound, reliable conclusions on this point. The research on this topic 
is still at a relatively early stage, and the studies that have been 
completed so far have yielded conflicting results. At present, this 
remains a very unsettled issue.\13\
---------------------------------------------------------------------------
    \13\ See Note to the OECD by the United States on Common Ownership 
by Institutional Investors and Its Impact on Competition at  1, DAF/
COMP/WD(2017)86 (Nov. 28, 2017), https://www.ftc.gov/system/files/
attachments/us-submissions-oecd-other-international-competition-fora/
common_ownership_united_states.pdf (explaining that ``[g]iven the 
ongoing academic research and debate, and its early stage of 
development, the U.S. antitrust agencies are not prepared at this time 
to make any changes to their policies or practices with respect to 
common ownership by institutional investors.'').
---------------------------------------------------------------------------
    There is little doubt that active investment (i.e., investment that 
seeks to control a company, obtain board seats and the like) in 
competitors can create the kinds of competition problems that the 
antitrust laws are designed to address. The antitrust agencies have 
long policed improper relationships between corporate competitors, even 
when these relationships fall short of a full combination or merger. 
For example, Section 8 of the Clayton Act effectively prohibits so-
called ``interlocking directorates'' in which an officer or director of 
one firm serves as an officer or director of a competitor. But it is an 
open question whether the same kinds of problems created by active 
investments may also manifest from investments by institutional 
investors in competing companies.
    The theory put forward, purportedly supported by early research, is 
that large institutional investors' shareholdings in competing firms in 
the same industry may blunt the competitive vitality of rival firms 
and, consequently, lead to higher prices and other anticompetitive 
effects. For example, if a company's shareholders have equity interests 
in a rival, that company may be less likely to engage in a price war or 
other forms of aggressive competition that could reduce its rival's 
profits, because the rival's profits are ultimately returned to the 
company's shareholders through their interests in the rival. Proponents 
of this theory argue that the risk of upsetting common investors may 
make it easier for firms to maintain stable market conditions or 
potentially even increase prices, compared to market conditions that 
might prevail without common ownership by large, institutional 
investors.
    Critics of this theory have cited methodological problems with the 
original research, as well as various structural issues that would make 
it difficult or even impossible for institutional investors in the real 
world to play the envisioned disciplining role. Critics also point out 
that any remedy to address these concerns would likely increase the 
cost of retail investment, and thereby cause harm to ordinary 
investors.
    To date, there is no reliable consensus as to which side in this 
debate has the stronger argument, and the limited research suggests 
this question will remain unsettled until additional empirical work is 
completed in this area. Given the formative nature of the academic 
debate, I cannot definitively take a position on this issue. Additional 
study is required and, as I mention below, the Commission is currently 
helping to facilitate such work.

    Question 28. Do you believe that our antitrust laws can be used to 
address the anticompetitive concerns raised by horizontal shareholding?
    Answer. As noted above, I am still evaluating the viability of this 
concern. Therefore, I believe the use of the agency's enforcement 
powers in this area would be premature. That said, antitrust doctrine 
is flexible, allowing us to address even novel harms in the economy. If 
the Commission were to identify a meritorious case against common 
ownership by a single institutional investor, I believe we could bring 
such a case, even though we have not previously litigated that type of 
case. The Commission's ability to take future action in this area 
would, of course, be circumscribed by prior case law, due process 
considerations, and legal standards. The Commission would be unlikely 
to take enforcement action in this area without sufficient confidence 
that it can demonstrate to the courts both that the underlying theory 
of harm is robust, and that a specific set of passive investments has 
had actual anticompetitive effects in the real world.

    Question 29. What, if anything, are you doing to address any 
potential harms of horizontal shareholding?
    Answer. In December 2018, the Commission held a full-day public 
hearing that was largely devoted to exploring the merits of the common 
ownership issue in greater detail.\14\ At this event, which was part of 
our Hearings on Competition and Consumer Protection in the 21st 
Century, respected academics and industry experts on both sides of this 
issue shared their expertise. The Commission also invited public 
comments on this topic.
---------------------------------------------------------------------------
    \14\ FTC Workshop, FTC Hearing # 8: Competition and Consumer 
Protection in the 21st Century (Dec. 6, 2018), https://www.ftc.gov/
news-events/events-calendar/ftc-hearing-8-competition-consumer-
protection-21st-century.
---------------------------------------------------------------------------
    We are still accepting public comments on this issue. Once the 
comment period ends, we intend to carefully evaluate all of the public 
submissions and the workshop testimony with a view towards better 
refining our understanding of the merits of this concern. Hearings like 
this one serve to bring together experts with different views, allowing 
them to hear and respond to criticisms of their positions, which we 
have found to be useful in fostering future academic work in areas of 
continuing interest to the agency.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Maggie Hassan 
                        to Hon. Joseph J. Simons
    Question 1. This is an issue that is particularly important and 
concerning to me, and it is one that my colleagues and I have contacted 
the FTC about before.
    Answer. It is vitally important that we support our military 
veterans and their families, and I am honored to have worked on 
legislation improving veterans' access to workforce training, 
education, and health care, many of which have become law. We are 
committed to giving our veterans access to the tools they need to 
improve their education and employment opportunities.
    Unfortunately, certain companies and academic institutions have 
shamefully and brazenly engaged in unscrupulous and often illegal 
``lead-generating'' practices where schools pay companies, such as 
Sunkey Publishing, Fanmail, and Victory Media, to steer prospective 
student-veterans to them by claiming the schools are ``military-
friendly'' or falsely representing the schools as affiliated with or 
endorsed by the Department of Defense.
    My colleagues and I have sent letters urging the FTC to investigate 
these harmful, deceptive, and unfair marketing practices by military-
branded websites that target veterans, service members, and their 
families, and I applaud the FTC for taking action against some of these 
schools and companies.
    Knowing the names of offenders would be important for prospective 
student-veterans as they determine which schools or career training 
institutions they would like to attend.
    In your response to one of our letters, you cite Federal statute 
and regulations as prohibiting the release of the names of the schools 
that participated in lead-generating schemes. Your letter notes that 
the FTC may vote to initiate a process to release the names of the 
schools.
    Given the importance of this information to student-veterans, and 
with the understanding that no one wants to hinder ongoing 
investigations, does the FTC intend to hold a vote to release the names 
of the involved schools? Why or why not?
    Answer. Thank you for recognizing the Commission's work in 
combating deception against military consumers and military recruits. 
As mentioned in my response to the October 9, 2018 letter from you and 
several of your colleagues inquiring about schools that used deceptive 
lead generators to market their programs, the FTC shares your concerns 
about ensuring that those who serve or who want to serve are not 
deceived in making decisions about their educational futures.
    In my response to your letter, I explained that the information you 
requested is non-public material because we obtained it during the 
course of a law enforcement investigation. The Commission can provide 
you with information to contact the party that submitted the 
information to us. If you have determined that contacting the submitter 
directly is not a viable course of action, I can further consider 
whether the Commission should hold a vote on the release of information 
about the identity of lead purchasers. Several factors would play into 
such consideration, including whether the release of the information 
could prejudice ongoing or future law enforcement efforts. Furthermore, 
the FTC generally does not release information pertaining to 
individuals and entities that have not been adjudged to have violated 
the law; a key question to address in determining whether to depart 
from that practice in this instance is whether release of the 
information would benefit consumers or, conversely, cause confusion in 
the marketplace.

    Question 2. Brewers and non-alcoholic beverage makers are large 
consumers of aluminum. The price index for the storage and 
transportation costs of the aluminum they purchase, the ``Midwest 
Premium,'' has increased dramatically since President Trump's tariffs 
were implemented.
    Do you believe that the end-users of metal would meet the 
definition of ``consumer'' for FTC purposes? If so, could the FTC 
investigate the sharp increase in the Midwest Premium? If not, do you 
believe the Department of Justice, or another Federal agency is more 
appropriate to investigate? Finally, if another agency commences an 
investigation, can the FTC provide expertise and support for that 
investigation?
    Answer. Depending on the facts, end-users of aluminum could be 
harmed by a violation of the antitrust laws even though they are 
businesses rather than individuals. For example, in an FTC action to 
enjoin the merger of the second-and third-largest U.S. glass container 
manufacturers, the FTC alleged the transaction would likely harm the 
customers who use glass containers: brewers and distillers.\15\
---------------------------------------------------------------------------
    \15\ In re Ardagh Group and Saint-Gobain Containers, Dkt. No. D-
9356 (Mar. 24, 2014), https://www.ftc.gov/enforcement/cases-
proceedings/131-0087/ardagh-group-sa-saint-gobain-containers-inc-
compagnie-de.
---------------------------------------------------------------------------
    If the Commission finds or is presented with evidence that a firm 
within our jurisdiction is engaging in conduct that harms competition 
and may violate the antitrust laws, we will review that information for 
potential law enforcement action. As you know, the FTC shares 
jurisdiction over the enforcement of the antitrust laws with the 
Department of Justice. The agencies use a ``clearance'' process to 
ensure that only one agency investigates and, if necessary, challenges 
any given transaction. Assignment to one agency or the other takes 
place after preliminary review of a transaction, based principally on 
each agency's relative expertise in the markets relevant to the 
proposed transaction. For many years, the Department of Justice has 
pursued antitrust enforcement in aluminum; the Department also works 
closely with the Commodities Futures Trading Commission in this area. 
Thus, the FTC would likely refer any evidence of anticompetitive 
conduct involving Midwest Premium aluminum pricing to our sister agency 
and, if requested, would coordinate with the Department of Justice on 
any ensuing investigation.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Tom Udall to 
                         Hon. Joseph J, Simons
Privacy
    Question 1. Do you support strong civil penalties for consumer 
privacy violations?
    Answer. Yes. Under the FTC's current authority, we cannot seek 
civil penalties for initial privacy violations of Section 5 of the FTC 
Act. I believe we need the ability to seek civil penalties for initial 
violations in order to more effectively deter unlawful conduct. These 
penalties would of course be subject to the statutory limitations in 
Section 5(n) of the FTC Act, including ability to pay, degree of 
culpability, and ability to continue to do business.

    Question 2. The California Consumer Protection Act goes into effect 
in January 2020. As Congress considers pre-emption of that state law, 
what additional authority should we give the FTC to ensure that 
consumer privacy adequately is protected?
    Answer. I support the enactment of Federal privacy legislation that 
would be enforced by the FTC and contain at least three components. 
First, as I noted above, any such legislation should give the 
Commission the ability to seek civil penalties for initial privacy 
violations. Second, it should give the Commission the ability to 
conduct APA rulemaking in order to make sure any legislation keeps pace 
with technological developments. Third, it should give the Commission 
jurisdiction over nonprofits and common carriers. Beyond these general 
parameters, I note that the process of enacting Federal privacy 
legislation will involve difficult tradeoffs that are appropriately 
left to Congress. No matter the specific privacy or data security laws 
Congress enacts, the Commission commits to using its extensive 
expertise and experience to enforce them vigorously and 
enthusiastically.

    Question 3. A recent New York Times analysis found that both the 
Apple App Store and the Google Play Store have apps in their respective 
children's or family sections that potentially violate COPPA.\16\ What 
specific role should platform owners play to ensure COPPA compliance on 
their platforms?
---------------------------------------------------------------------------
    \16\ Valentino-DeVries, J., Singer, N., Krolick, A., Keller, M. H., 
How Game Apps That Captivate Kids Have Been Collecting Their Data, N.Y. 
Times, Sept. 12, 2018, https://www.nytimes.com/interactive/2018/09/12/
technology/kids-apps-data-privacy-google-twitter.html.
---------------------------------------------------------------------------
    Answer. In 2012, the Commission revised the COPPA Rule to cover not 
just websites, app developers, and other online services but also third 
parties collecting personal information from users of those sites or 
services. At that time, the Commission made clear that it did not 
intend to make platforms responsible merely for offering consumers 
access to someone else's child-directed content. Rather, platforms 
would be liable under COPPA only if they had actual knowledge that they 
were collecting personal information from a child-directed app. At the 
same time, platforms are in a unique position to set and enforce rules 
for apps that seek placement in the platform's store, and to drive good 
practices. We encourage platforms to pursue best practices in this 
regard, beyond those required by COPPA. For example, platforms can 
serve an important educational function for apps that may not 
understand the requirements of COPPA.

    Question 4. Compliance for mobile apps may be hard to achieve 
against fly-by-night operators overseas who do not care if their apps 
violate U.S. law. How can the Vtech Electronics investigation and civil 
penalty serve as an example for how the FTC can hold foreign app 
developers responsible for violating COPPA?
    Answer. In addition to the VTech case you mention, the Commission 
has taken action in a number of privacy- or security-related cases 
against companies that have a foreign presence.\17\ We rely on the U.S. 
SAFE WEB Act Amendments to the FTC Act to address unfair and deceptive 
acts or practices involving foreign commerce. Using this authority, the 
agency has been able to obtain successful relief for consumers in the 
United States against the foreign entities that manufactured the 
devices at issue (as well as their U.S. subsidiaries in certain 
matters) when they purposefully directed their activities to the United 
States by advertising, marketing, distributing, or selling their 
products to U.S. consumers.This relief has included a substantial civil 
penalties in the VTech and inMobi settlements. More recently, the FTC 
took action against Blu, a U.S.-based phone manufacturer that was 
allowing its Chinese service provider to access text messages and other 
private information, contrary to its representations to consumers.\18\
---------------------------------------------------------------------------
    \17\ In re: TRENDnet, Inc., No. C-4426 (Jan. 16, 2014), https://
www.ftc.gov/enforcement/cases-proceedings/122-3090/trendnet-inc-matter; 
United States v. InMobi Pte Ltd., No. 3:16-cv-3474 (N.D. Cal. June 22, 
2016), https://www.ftc.gov/enforcement/cases-proceedings/152-3203/
inmobi-pte-ltd; In re ASUSTeK Computer Inc., No. C-4587 (July 18, 
2016), https://www.ftc.gov/enforcement/cases-proceedings/142-3156/
asustek-computer-inc-matter; In re HTC America Inc., No. C-4406 (July 
25, 2013), https://www.ftc.gov/enforcement/cases-proceedings/122-3049/
htc-america-inc-matter.
    \18\ In re BLU Prods. and Samuel Ohev-Zion, No. C-4657 (Sept. 6, 
2018), https://www.ftc.gov/enforcement/cases-proceedings/172-3025/blu-
products-samuel-ohev-zion-matter.
---------------------------------------------------------------------------
    Due to some of the practical challenges the Commission faces in 
bringing enforcement actions against foreign companies, the Commission 
has also used other means to address illegal conduct affecting U.S. 
consumers. For example, a few years ago, Commission staff sent a 
warning letter to a Chinese company, Baby Bus, about COPPA violations 
relating to the collection of children's personal information through 
its apps. The Commission copied the three U.S.-based app platforms on 
this communication. The company quickly responded and addressed the 
concerns.
    In determining how to address illegal conduct by foreign companies, 
we generally consider a number of factors. These include the nature and 
breadth of harm or potential harm to U.S. consumers from the foreign 
company's practices; the legal rules relating to service, evidence 
collection, and enforceability in the jurisdiction where the target is 
based; practical issues, such as whether the company has incentives to 
enter into a settlement with the FTC and remediate its conduct such as 
a large base of U.S. customers and supplier/distributor relationships 
in the United States; and resource issues such as the added time and 
costs of proceeding against a foreign entity. We also, in appropriate 
cases, seek cooperation from foreign counterparts who may be able to 
provide us with relevant information or be able to better address the 
conduct at issue.

    Question 5. The COPPA safe harbor organizations must submit an 
annual report to the Federal Trade Commission, Can you share the 
reports from the last 5 years?
    Answer. The FTC-approved safe harbor organizations do submit annual 
reports to the FTC each year. Unfortunately, we are not able to 
disclose these reports because they contain confidential proprietary 
information, which is exempt from disclosure by FOIA and Section 6(f) 
of the FTC Act.
Concussions
    Question 6. As you all are aware, I continue to bring attention to 
issue of helmet safety and marketing practices--particularly equipment 
that children use for sports. While there has been increased testing 
and awareness of traumatic brain injury caused by sports, I remain 
concerned that companies are mischaracterizing their equipment's 
ability to prevent or lessen concussions or other head injuries. Have 
FTC staff been able to continue their good work monitoring the helmet 
and other sports equipment in the marketplace to ensure that helmets 
and other gear is not being marketed in a deceptive manner?
    Answer. Following its investigation into football helmet 
manufacturers and settlement against Brain-Pad, Inc.,\19\ a mouthguard 
manufacturer, FTC staff have continued to monitor the marketplace for 
claims related to head injuries. When appropriate, staff have sent 
warning letters, civil investigative demands, and voluntary requests 
for information to marketers of athletic equipment.
---------------------------------------------------------------------------
    \19\ In re Brain-Pad, Inc. and Joseph Manzo, No. C-4375 (Nov. 5, 
2012), https://www.ftc.gov/enforcement/cases-proceedings/122-3073/
brain-pad-inc

    Question 7. Have staff from the FTC been briefed by the National 
Football League or other entities that are conducting research on 
helmet design and safety?
    Answer. FTC staff have not been briefed by the National Football 
League or other entities conducting research on helmet design and 
safety, although we are following research and development in the area.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                        to Hon. Joseph J. Simons
Pet Leasing
    I appreciate the Commission's attention to my request with six of 
my colleagues for the FTC to investigate the practice of pet leasing 
that is leading some consumers into confusing or deceptive contractual 
obligations that cause them to have an issue with their beloved pet and 
negatively impact their financial status, such as credit scores, for 
far into the future. This is an issue that is a little under the radar 
but needs strong oversight and attention under your deceptive practices 
mandate if there are concerning financial practices being discovered.

    Question. Can I get a further commitment from you all to keep my 
office informed of actions and determinations you all may make 
pertaining to this concerning issue and the Humane Society and Animal 
Legal Defense Fund's formal petition to the Commission?
    Answer. The FTC is committed to protecting consumers from unfair or 
deceptive acts or practices, including any such practices carried out 
by merchants or third-party leasing and financing companies. Since our 
response to your letter last November, FTC staff have met with the 
Humane Society and Animal Legal Defense Fund to discuss their joint 
formal petition to the Commission. The FTC will continue to keep your 
office informed of public actions the Commission takes concerning pet 
leasing or the Humane Society and Animal Legal Defense Fund's petition 
to the Commission.
Data Minimization vs Big Data
    A topic that has come up a lot during our discussions on privacy is 
data minimization. This is a concept that I have been considering on as 
I work on developing a comprehensive data privacy bill. As you're 
aware, this is the idea that businesses should only collect, process, 
and store the minimum amount of data that is necessary to carry out the 
purposes for which is was collected. There are obvious advantages to 
this as it minimizes the risk of data breaches and other privacy harms. 
At the same time, big data analytics are going to be crucial for the 
future and play an important role in smart cities, artificial 
intelligence, and other important technologies that fuel economic 
growth. I think it is important to find a balance between minimization 
and ensuring that data, especially de-identified data, is available for 
these applications.

    Question. Can you describe how you view this balance and how we in 
Congress can ensure that people's data is not abused but can still be 
put to use in positive ways?
    Answer. Your question neatly captures the dilemma. Businesses can 
apply ``big data'' analysis tools to gain insights from large data sets 
that help the business to innovate--for example, to improve an existing 
product. This analysis can provide new consumer benefits, such as the 
development of new features. On the other hand, consumers' data may be 
used for unexpected purposes in ways that are unwelcome.\20\ Long-term 
retention of consumer information--such as sensitive financial 
information--also presents a data security issue.\21\
---------------------------------------------------------------------------
    \20\ See, e.g., Press Release, FTC Charges Deceptive Privacy 
Practices in Google's Rollout of Its Buzz Social Network (Mar. 30, 
2011), https://www.ftc.gov/news-events/press-releases/2011/03/ftc-
charges-deceptive-privacy-practices-googles-rollout-its-buzz) (alleging 
that Google deceptively repurposed information it had obtained from 
users of its Gmail e-mail service to set up the Buzz social networking 
service, leading to public disclosure of users' e-mail contacts).
    \21\ See, e.g., In re Ceridian Corp., No. C-4325 (June 8, 2011), 
https://www.ftc.gov/enforcement/cases-proceedings/102-3160/ceridian-
corporation-matter) (final order resolving charges that the company 
created unnecessary risks by storing information such as individuals' 
e-mail address, telephone number, Social Security number, date of 
birth, and direct deposit account number indefinitely on its network 
without a business need).
---------------------------------------------------------------------------
    The FTC issued a report on the subject of the benefits and risks of 
big data that contains guidance for companies that use big data 
analytics.\22\ In November 2018, the Commission also hosted a workshop 
on the intersections between big data, privacy, and competition.\23\ We 
are happy to work with your staff to develop legislation on how to 
balance the benefits and risks of big data.
---------------------------------------------------------------------------
    \22\ See FTC Report, Big Data: A Tool for Inclusion or Exclusion? 
Understanding the Issues (Jan. 2016), https://www.ftc.gov/system/files/
documents/reports/big-data-tool-inclusion-or-exclusion-understanding-
issues/160106big-data-rpt.pdf.
    \23\ See FTC Workshop, FTC Hearing #6: Competition and Consumer 
Protection in the 21st Century (Nov. 6-8, 2018), https://www.ftc.gov/
news-events/events-calendar/ftc-hearing-6-competition-consumer-
protection-21st-century.
---------------------------------------------------------------------------
FTC Resource Needs--Staffing Specifics
    To get a sense of the challenge additional authority or 
requirements on your commission may be, can you tell us how many full 
time technologists do you have on staff at the FTC?

    Question 1. More broadly, how many staff does the FTC have working 
on data privacy?

    Question 2. Do you have the resources you need to effectively 
protect privacy in the digital age?

    Question 3. If not, what additional resources would be helpful?
    Answer. We have about 5 full time staff whose positions are 
classified as technologists. Beyond these specific full-time employees, 
we have a number of investigators and lawyers who have developed 
significant in-house technical expertise through their enforcement and 
policy work in the areas of big data, cybersecurity, the online 
advertising ecosystem, Internet of Things, artificial intelligence, and 
related fields. When the FTC needs more complex and richer information 
about a specific industry or technology, we supplement our internal 
technological proficiency by hiring outside technical experts to help 
us develop and litigate cases. We also keep abreast of technological 
developments by hosting an annual event called PrivacyCon, in which we 
call on academics to present original research on privacy and security 
issues. If provided additional funding, we would hire additional 
technologists and other staff to enhance our privacy and data security 
enforcement efforts.
    Answer to Question 1. As reflected in the Commission's annual 
budget request, the Division of Privacy and Identity Protection has 
approximately 40 staff tasked with protecting consumers' privacy and 
security. Additionally, staff from other Divisions and regional offices 
also work on data privacy issues.\24\
---------------------------------------------------------------------------
    \24\ See, e.g., Press Release, LifeLock to Pay $100 Million to 
Consumers to Settle FTC Charges it Violated 2010 Order (Dec. 17, 2015), 
https://www.ftc.gov/news-events/press-releases/2015/12/lifelock-pay-
100-million-consumers-settle-ftc-charges-it-violated ($100 million 
settlement for order violation obtained by the Division of 
Enforcement); Press Release, Online Talent Search Company Settles FTC 
Allegations it Collected Children's Information Without Consent and 
Misled Consumers (Feb. 5, 2018), https://www.ftc.gov/news-events/press-
releases/2018/02/online-talent-search-company-settles-allegations-it-
collected (settlement for COPPA violations obtained by Midwest Region 
staff); FTC, Website: Cybersecurity for Small Businesses (website 
created by the Division of Consumer and Business Education), https://
www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity.
---------------------------------------------------------------------------
    Answer to Questions 2 and 3. The Commission works hard to 
effectively employ whatever resources Congress gives us. While we use 
our existing resources efficiently, we believe that the agency could 
use additional resources. Some areas in which we could use additional 
resources include the hiring of additional technologists and the hiring 
of additional staff to monitor and enforce compliance with privacy and 
data security orders. Furthermore, if Congress were to give the FTC 
additional rulemaking and enforcement tools in the privacy area, we 
would need more resources to handle those tasks while continuing the 
agency's existing enforcement, policy, and education work. Whatever 
resources Congress gives us, we will put to good use.
General Privacy Recommendations
    Question 1. While privacy was a significant topic of the oversight 
hearing, as we look to develop a bill, can you specifically lay out 
some of the top priorities you individually would like to see included 
and what do you think gets overlooked in the conversations policymakers 
have with allowing for future innovations and yet raising the bar for 
protecting consumers?
    Answer. In its written testimony, the Commission urged Congress to 
consider enacting privacy legislation that would be enforced by the 
FTC. The testimony recognized that, while the agency remains committed 
to vigorously enforcing existing privacy-related statutes, Congress may 
be able to craft Federal legislation that would more seamlessly address 
consumers' legitimate concerns regarding the collection, use, and 
sharing of their data and provide greater clarity to businesses while 
retaining the flexibility required to foster competition and 
innovation. As far as top priorities for such legislation: first, 
Congress should give the Commission authority to deter violations by 
fining companies for initial violations, as it has for violations of 
other statutes. Second, Congress should ensure that all types of 
companies across the economy are held accountable for protecting 
consumers' privacy and security. As one example, the Commission has 
long urged the repeal of the FTC Act's provision that places limits on 
the agency's ability to go after law violations by common carriers and 
by non-profits. Third, Congress should consider giving the FTC targeted 
APA rulemaking authority so that the FTC can enact rules to keep up 
with technology developments. An excellent example of this approach 
appears in statutes such as CAN-SPAM and COPPA.

    Question 2. Can you also outline the optimal role you see for our 
state Attorneys General in this privacy enforcement process?
    Answer. I see the state Attorneys General as important partners in 
protecting consumers. For a number of statutes, such as COPPA, Congress 
enacted legislation that enables Attorneys General to enforce the law 
in addition to the Commission. We applaud this model. A number of state 
AGs have brought actions to enforce COPPA, for example, which benefits 
consumers because there are multiple cops on the beat. And when state 
Attorneys General bring these actions, they are enforcing the same 
legal standard that other states and the Commission are enforcing, so 
the same protections apply consistently nationwide.
Updated Aspects of Banking or Health Care Data Security
    Given the incredibly innovative technologies being developed, from 
apps that are commonly used in various banking transactions, to 
wearables that by design are tracking personally sensitive health care 
related metrics by the second, there is a lot of data being collected, 
stored and utilized.
    And many of these technologies are providing incredibly helpful in 
cases like telemedicine to help residents of rural communities. Within 
your testimony, you stated quote ``The Commission also must continue to 
prioritize, examine, and address privacy and data security with a fresh 
perspective.''

    Question 1. So do you think there is a need for a broader 
conversation about how our current banking and health care information 
protection statutes like HIPAA, for example, and regulators like the 
FTC serve in aiding the different enforcement agencies ensure these 
laws are moving ahead with the times?
    Answer. Laws and regulators certainly need to keep up with the 
times. The series of hearings the Commission has been holding on a wide 
range of issues are one part of the Commission's process to do just 
that. Laws regarding financial privacy, in particular, have been 
changing rapidly at the state level, with the adoption of new laws by 
states such as New York and South Carolina with respect to financial 
institutions and insurance companies, respectively. The Commission has 
been following these developments closely.

    Question 2. Are there any specific examples or thoughts you have on 
what kind of further considerations need to be given to these kinds of 
technologies given the increased personal nature of the type of data 
that is being collected, stored and utilized?
    Answer. With respect to financial and health privacy specifically, 
it is important that privacy and security obligations apply regardless 
of the type of entity that is collecting the data. For both financial 
and health privacy, that is not currently the case. Companies covered 
by HIPAA, such as health plans and certain medical providers, have 
specific obligations with respect to health information they collect; 
meanwhile, other entities that collect the same types of information 
(e.g., data brokers, health apps, health information websites) may not 
face the same obligations. Similarly, financial institutions have 
obligations under the Gramm-Leach-Bliley (GLB) Act to protect 
information such as account numbers and SSNs, but other entities 
collecting the same types of information do not.

    Question 3. Is it time for a reconsideration or expansion of 
safeguards at all stages of transmission of consumer's banking 
information?
    Answer. While the Commission does not have jurisdiction over banks 
and does not have the expertise to comment on banking information 
specifically, I do believe it is time for a reexamination of safeguards 
for financial institutions generally. The FTC has jurisdiction over a 
wide range of non-bank financial institutions such as tax preparers, 
mortgage brokers, payday lenders, credit bureaus, and debt collectors. 
The FTC enforces the GLB Safeguards Rule, which applies to these 
institutions. As part of its periodic review of its rules and guides, 
the Commission is currently reviewing its GLB Safeguards Rule, which 
requires financial institutions to take reasonable measures to secure 
consumers' data. More broadly, in urging Congress to consider enacting 
privacy legislation that would be enforced by the FTC, the Commission 
expects that the legislative process would involve a fresh new look at 
the current regulatory landscape, and would consider harmonizing and 
updating that landscape where needed. We agree that financial 
information, in particular, should be maintained securely throughout 
the information lifecycle.

    Question 4. What regulatory structures and rules under the Gramm-
Leach-Bliley Act could apply to other entities which collect and hold 
sensitive information?
    Answer. The Commission's GLB Safeguards Rule requires financial 
institutions to develop, implement, and maintain a comprehensive, 
written information security program, and, as noted above, is currently 
under review. One of the strengths of the Rule is its flexible, 
process-based approach, which requires the institution to implement 
administrative, technical, and physical safeguards appropriate to the 
size and complexity of the financial institution, the nature and scope 
of its activities, and the sensitivity of the customer information at 
issue. The Rule also requires each financial institution, among other 
things, to keep its security program up-to-date--for example, by 
adjusting the program to address new types of threats. This process of 
continual updating is essential. We believe a similar, process-based 
approach would be appropriate for a wide range of companies. To respond 
to companies' desire for more specific guidance about which security 
measures to adopt, the Rule's process-based, results-oriented approach 
can be combined with more specific technology-neutral requirements.

    Question 5. From your perspective, should entities such as 
financial institutions be on the list of those to be informed of any 
compromised personally identifiable information when associated 
accounts are involved?
    Answer. Previous legislation that would require data breach 
notification has required that companies notify the nationwide credit 
reporting companies, possibly because these are large, well-known 
entities that would be expected to develop processes to handle such 
notifications. Although consumers would presumably notify their bank, 
for example, if a company were to inform them that their bank account 
information has been exposed in a breach, direct notification of 
financial institutions could enable the institution to take additional 
measures to monitor breached accounts for fraud, even if the consumer 
does not take action.
First and Third Party Entities
    There has been a lot of calls for a privacy bill that evens the 
playing field and is technologically neutral. This is important, but it 
is also important to think about how consumers interact with different 
entities. For example, many small and medium sized businesses contract 
with secondary firms that process data on their behalf. The consumer 
has no relationship with these entities, and so many of the 
requirements like transparency and control are more difficult to meet.

    Question. How do we address this problem while ensuring a bill 
maintains an even playing field and does not favor any one business 
model?
    Answer. One of consumers' main privacy concerns is the sharing of 
their data--particularly the sale of their data--with third parties 
with whom, often, the consumer has no direct relationship. At the same 
time, large entities that collect vast amounts of data from consumers 
may be able to share information widely within their organizations, 
without sharing with ``third parties,'' while smaller competitors 
cannot. The implications on competition of different privacy regimes is 
one of the issues that the Commission has been examining in its ongoing 
series of hearings. One option to protect privacy in a way that does 
not disadvantage smaller players would be to impose requirements based 
on factors other than whether the entity is a ``third party''--for 
example, by restricting the use of certain information for particular 
purposes by both first parties and third parties. We would be pleased 
to work with your staff further on this issue.
Privacy Risky Communities/Groups
    Question 1. Do you think that certain communities or groups are any 
more or less vulnerable to privacy risks and harms?
    Answer. Yes. Part of the discussion around big data and AI, for 
example, concerns the potential for bias, such as perpetuating 
historical discrimination, even unintentionally, through the use of 
biased data. In a 2016 report, Big Data: A Tool for Inclusion or 
Exclusion? Understanding the Issues, the Commission staff reported on a 
workshop relating to the risks and benefits of big data. The report 
recognized that big data analysis can bring significant consumer 
benefits, but also may cause harm relating to disparate treatment. For 
example, the report noted that potential inaccuracies and biases in 
data analysis might lead to detrimental effects for low-income and 
underserved populations. The Commission has worked to address issues 
particularly affecting certain communities or groups through a number 
of means, including a series of seminars and other events around the 
country and through consumer education.\25\
---------------------------------------------------------------------------
    \25\ See, e.g., Common Ground Conferences and Roundtables Calendar, 
https://www.con
sumer.gov/content/common-ground-conferences-and-roundtables-calendar; 
Consumer Information--Fraud Affects Every Community, https://
www.consumer.ftc.gov/features/every-community.

    Question 2. Should privacy law and regulations account for such 
unique or disparate harms, and if so, how?
    Answer. Certainly, harmful discriminatory treatment based on an 
individual's race, age, gender, religion, national origin, sexual 
orientation, and other prohibited factors should not be lawful. 
Existing laws, such as the Fair Credit Reporting Act and the Equal 
Credit Opportunity Act, offer important protections against unlawful 
discrimination. As noted above, much of the discussion around 
discriminatory treatment in the privacy area relates to the possibility 
that the use of algorithms will perpetuate past discrimination, even 
unintentionally.\26\ Panelists at the Commission's November 2018 
hearing on competition and consumer protection issues associated with 
the use of algorithms, artificial intelligence, and predictive 
analytics delved into these complicated issues.\27\ We are happy to 
work with you to think through these issues as you craft legislation to 
prevent unlawful discrimination.
---------------------------------------------------------------------------
    \26\ See, e.g., Elizabeth Weise, Amazon Same-Day Delivery Less 
Likely in Black Areas, Report Says, USA Today (Apr. 22, 2016), https://
www.usatoday.com/story/tech/news/2016/04/22/amazon-same-day-delivery-
less-likely-black-areas-report-says/83345684/ (mapping Amazon's al
gorithmically-based same day delivery areas in certain cities, as 
originally proposed, with historical segregation in those cities).
    \27\ See FTC Workshop, FTC Hearing #7: Competition and Consumer 
Protection Issues in the 21st Century (Nov. 13-14), https://
www.ftc.gov/news-events/events-calendar/ftc-hearing-7-competition-
consumer-protection-21st-century.
---------------------------------------------------------------------------
Immediate Civil Penalties Authority
    Noting from your FTC testimony, ``Section 5 (of the FTC Act), 
however, is not without limitations. For example, Section 5 does not 
provide for civil penalties, reducing the Commission's deterrent 
capability.''

    Question. While I appreciate the long term successes of the FTC in 
many respects to investigate data security matters, what are your 
thoughts to whether there is enough of a deterrent effect with Section 
5 authority when you can't immediately enforce against those who misuse 
data with civil penalties right from the start, rather than as the 
result of often times flagrant offenses to their already establish 
consent decrees?
    Answer. In the data security area, I believe that Congress should 
enact legislation giving the FTC the authority to seek civil penalties 
against first-time violators, which we cannot currently do under the 
FTC Act. I support such legislation precisely because I believe that 
our existing legal regime does not provide sufficient deterrence.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. John Thune to 
                           Hon. Rohit Chopra
    Question 1. Vertical mergers such as the merger between AT&T and 
Time Warner have garnered some attention lately. The Federal Trade 
Commission (FTC) and the Department of Justice (DOJ) have not updated 
vertical merger guidance since 1984. Do you believe that the FTC and 
DOJ should issue new guidance on vertical mergers?
    Answer. Vertical mergers can threaten competition. For example, as 
I noted in my dissenting statement in the Fresenius/NxStage matter, 
vertical mergers can make it tougher for a new business to get off the 
ground.
    Senior officials in the antitrust agencies have openly communicated 
that the 1984 guidelines do not provide useful guidance.\1\
---------------------------------------------------------------------------
    \1\ See D. Bruce Hoffman, Vertical Merger Enforcement at the FTC, 
Prepared Remarks for Delivery at the Credit Suisse 2018 Washington 
Perspectives Conference (Jan. 10, 2018), available at http://
www.ftc.gov/system/files/documents/public_statements/1304213/
hoffman_vertical_
merger_speech_final.pdf.
---------------------------------------------------------------------------
    It is troubling that the agencies have published guidance that we 
do not actually follow. I am very open to the idea of updating these 
guidelines.

    Question 2. Government lawsuits to stop mergers are litigated using 
different procedures depending on which agency, the FTC or DOJ, handles 
the case. Do you think Congress should take action to ensure that 
agencies follow the same procedures, or do you support another 
approach?
    Answer. While I appreciate the theoretical concerns that have been 
raised, it does not appear that this has much real world impact. There 
are broader issues that stem from the FTC and DOJ having concurrent 
jurisdiction in merger review that Congress might consider giving a 
higher priority for examination. For example, thought should be given 
to ways to improve our clearance process.

    Question 3. Should Congress amend Section 5(n) of the FTC Act, 
which addresses unfair practices, to clarify what constitutes 
``substantial injury?'' If so, how?
    Answer. Both the courts and the Commission have identified various 
types of injury that meet this criterion. If there are additional types 
of injury that Congress wishes to codify, I am happy to work with you 
to determine how to best achieve those goals.

    Question 4. Should the FTC issue more guidance to marketers on the 
level of support needed to substantiate their claims? If so, when do 
you anticipate that such guidance could be issued?
    Answer. Both consumers and marketers that are interested in 
complying with the law benefit from FTC guidance. Given case law, the 
Commission's Policy Statement on Advertising Substantiation, and other 
Commission statements, there is certainly an array of information to 
assist marketers with compliance, but I am always open to hearing ways 
to improve information to help law-abiding businesses.

    Question 5. In June, the 11th Circuit vacated the Commission's data 
security order against Lab-MD. What effect, if any, will this have on 
the Commission's data security orders going forward?
    Answer. Given this decision, as well as feedback from stakeholders 
and our recent hearing on data security, we are actively engaged in 
discussions on how our orders can provide optimal deterrence under our 
existing Section 5 authority.

    Question 6. If Federal privacy legislation is passed, what 
enforcement tools would you like to be included for the FTC?
    Answer. Federal privacy legislation needs enforcement teeth to be 
effective. In addition to strong civil penalty authority, it would be 
useful for the FTC to have independent litigating authority. Commission 
fines must be strong enough to realign market incentives, rather than 
representing a cost of doing business. I look forward to working with 
Congress to identify additional tools and authorities to make any 
legislation effective.

    Question 7. During the hearing, I asked the Chairman whether the 
FTC would consider using its section 6(b) authority to study consumer 
information data flows, specifically sending requests to Google, 
Facebook, Amazon, and others in the tech industry to learn what 
information they collect from consumers and how that information is 
used, shared, and sold. I believe the FTC's section 6(b) authority 
could provide some much needed transparency to consumers about the data 
practices of large technology companies, and help identify areas that 
may require additional attention from lawmakers. What are your views 
with respect to the FTC potentially conducting a study pursuant to 
section 6(b) of the Federal Trade Commission Act on the data 
collection, use, filtering, sharing, and sale practices of large 
technology companies such as Google, Facebook, Amazon, and others?
    Answer. Yes, the FTC should pursue a 6(b) study about the practices 
in the technology sector. This will help advance our competition and 
consumer protection mission. The FTC's research function is fundamental 
to how we should work to make markets fair and effective.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Jerry Moran to 
                           Hon. Rohit Chopra
    Question 1. Section 5(a) of the FTC Act, which prohibits ``unfair 
or deceptive acts or practices in or affecting commerce'' is the legal 
basis for a body of consumer protection law that covers data privacy 
and security practices. The FTC has brought hundreds of cases to date 
to protect the privacy and security of consumer information held by 
companies of all sizes under this authority. The FTC staff recently 
submitted comments to the National Telecommunications and Information 
Administration (NTIA) that clearly indicate the FTC staff's view that 
the FTC would be the appropriate agency to enforce a new comprehensive 
privacy legislative framework. Do you agree with the staff's view?
    Answer. It is clear that data is playing an ever-increasing role in 
shaping all markets. From banking to real estate to travel to health 
care, every industry is relying on more and more data. Federal 
legislation should avoid problems of regulatory arbitrage that can 
impede Federal enforcement. Even if the FTC has enforcement authority 
over a new law, it will be critical to ensure that this supplements, 
and does not supplant, the role of state law enforcement.

    Question 2. As Congress evaluates opportunities to create 
meaningful Federal legislation to appropriately ensure privacy of 
consumers' data, there have been suggestions to increase the FTC's 
authorities to enforce in this space. Will you commit to working with 
this Committee in measuring what resources, if any, will be needed to 
allow the agency to enforce any additional authorities that may or may 
not be provided in Federal legislation?
    Answer. Yes.

    Question 3. Sharing responsibilities with the DOJ's Antitrust 
Division, the FTC enforces antitrust law in a variety of sectors as 
described by your testimony. While the vast majority of premerger 
filings submitted to enforcement agencies do not raise competition 
concerns, the FTC challenged 45 mergers since the beginning of 2017, 
and of those, the FTC only voted to initiate litigation to block five 
transactions. Would you please describe the resource needs of the 
agency associated with hiring qualified outside experts to support its 
litigation efforts? Please explain how developments in the high-
technology sector are accounted for in the FTC's decision-making 
process related to antitrust enforcement.
    Answer. Expert spending is costly. Compared to other statutes we 
enforce, our antitrust laws lack clear presumptions and rules, making 
litigation lengthy and resource-intensive. Given the state of the law, 
it is necessary to ensure adequate resources for litigation.
    To be seen as an effective and credible enforcer, we must have 
enough qualified experts to collect and analyze data on business 
practices in the technology sector.

    Question 4. Earlier this year, I introduced legislation called the 
Senior Scams Prevention Act with Senator Bob Casey to combat continued 
and increasingly complex attempts to defraud one of the Nation's most 
vulnerable populations, our senior community. This bill seeks to ensure 
retailers, financial institutions and wire transfer companies have the 
resources to train employees to help stop financial frauds and scams on 
seniors. Would you agree that awareness and education, guided by ``best 
practices'' established by industry and government partners, is a 
valuable tool in preventing consumer harms against our Nation's 
seniors?
    Answer. Older Americans are disproportionately affected by fraud, 
and any effort to enlist industry and government in protecting them 
from the worst abuses is commendable. Educational initiatives can 
complement aggressive enforcement of those who defraud older American 
consumers.

    Question 5. In its comments submitted to NTIA on ``Developing the 
Administration's Approach to Consumer Privacy,'' the FTC discussed the 
various cases that it has taken up to address privacy-related harms to 
consumers, and it specifically noted four categories of harms: 
financial injury, physical injury, reputational injury, and unwanted 
intrusion. Could you please briefly describe each category while noting 
any FTC enforcement considerations specific to that type of harm?
    Answer. The FTC staff comment identified financial injury, physical 
harm, reputational injury, and unwanted intrusion as four categories of 
privacy harms that FTC enforcement actions have acted to address. 
Financial injury is the injury that an act or practice causes to a 
consumer's financial position. The NTIA comment notes that financial 
injury manifests in a variety of ways, including through fraudulent 
charges, delayed benefits, expended time, opportunity costs, fraud, and 
identity theft. Consumers may also suffer financial injury when they 
purchase a product sold through deceptive representations. Physical 
injuries include risks to individuals' health or safety, including the 
risk of stalking or harassment. Reputational injury involves disclosure 
of damaging private facts about an individual. And unwanted intrusion 
includes both activities that intrude on the sanctity of people's homes 
or intimate lives and commercial intrusions.
    Through its enforcement of particular statutes or rules, like the 
Fair Debt Collections Practices Act, Telemarketing Sales Rule, and 
COPPA, the FTC vindicates particular legislative and regulatory 
judgments meant to prevent harms such as these.
    This effort to categorize privacy harms should not be seen as 
creating an exclusive list or harms, nor should it be read to exclude 
from FTC scrutiny activities that may not directly implicate these 
types of harm. For example, the FTC Act prohibits companies from making 
certain misrepresentations in connection with privacy and data 
security. To the extent that a company acts in a manner that is 
deceptive under the law, the FTC must be able to take appropriate 
action.

    Question 6. In the FTC's recent comments in NTIA's privacy 
proceeding, the FTC said that its ``guiding principles'' are based on 
``balancing risk of harm with the benefits of innovation and 
competition.'' Would you describe what this means, how you strike this 
balance, and how it is applied in practice under your Section 5 
authority in the FTC Act?
    Answer. The FTC's staff comment reflects the fact that many of the 
FTC's enforcement efforts related to privacy and data security have 
proceeded under the FTC's Section 5 unfairness authority. Section 5(n) 
of the FTC Act requires that the FTC weigh the actual or likely 
substantial injury of an act or practice against countervailing 
benefits to consumers or competition. The FTC must be sure that it is 
not over-or under-estimating either side of the balance. Of course, 
Section 5's deception standard does not require this balancing 
exercise.

    Question 7. The FTC's comments pertaining to ``control'' in NTIA's 
privacy proceeding stated, ``Choice also may be unnecessary when 
companies collect and disclose de-identified data, which can power data 
analytics and research, while minimizing privacy concerns.'' How would 
the FTC suggest Federal regulation account for de-identified data, if 
at all?
    Answer. While companies may sometimes claim that data has been 
``de-identified,'' in some cases these data can be easily ``re-
identified.'' We would be happy to work with you should you choose to 
specifically legislate on this issue.

    Question 8. Your testimony indicated that continued technological 
developments allow illegal robocallers to conceal their identities in 
``spoofing'' caller IDs while exponentially increasing robocall volumes 
through automated dialing systems. These evolving technological changes 
mean that the critical law enforcement efforts of the FTC cannot be the 
only solution, and your testimony described the additional steps the 
FTC is taking to develop innovative solutions to these issues. Would 
you please describe the process and outcomes of the four public 
challenges that the FTC held from 2013 to 2015? Are there plans to 
incentivize innovators to combat robocalls in the future?
    Answer. The FTC's process for its robocall challenges included 
public announcements, committees with independent judges, and, in some 
cases, cash prizes awarded under the America COMPETES Reauthorization 
Act.\2\ To maximize publicity, the FTC announced each of its four 
challenges in connection with public events. The FTC announced the 
first robocall challenge at the FTC's 2012 Robocall Summit. In 2014, 
the FTC conducted its second challenge, ``Zapping Rachel'' at DEF CON 
22. The FTC conducted its third challenge, ``DetectaRobo,'' in June 
2015 in conjunction with the National Day of Civic Hacking. The final 
phase of the FTC's fourth public robocall challenge took place at DEF 
CON 23. When the FTC held its first public challenge, there were few, 
if any, call blocking or call labeling solutions available for 
consumers. Today, two FTC challenge winners, NomoRobo and Robokilller, 
offer call blocking applications, and there are hundreds of mobile apps 
offering call blocking and call labeling solutions for cell phones. 
Many home telephone service providers also now offer call blocking and 
call labeling solutions. The FTC will not hesitate to initiate 
additional innovation contests if it identifies further challenges that 
could meaningfully benefit consumers by reducing the harm caused by 
illegal robocalls.
---------------------------------------------------------------------------
    \2\ See ``Details About the FTC's Robocall Initiatives'' at https:/
/www.consumer.ftc.gov/features/feature-0025-robocalls
---------------------------------------------------------------------------
    In addition to developing call blocking and call labeling 
technology, the telecom industry has also developed call verification 
technology, called STIR/SHAKEN, to help consumers know whether a call 
is using a spoofed Caller ID number and assist call analytics companies 
in implementing call blocking and call labeling products. If widely 
implemented and made available to consumers, the STIR/SHAKEN protocol 
should minimize unwanted calls. Certain industry members have begun to 
roll out this technology and it is in beta testing mode. We will keep a 
close eye on this industry initiative and continue to encourage its 
implementation.

    Question 9. Would you please describe the FTC's coordination 
efforts with state, federal, and international partners to combat 
illegal robocalls?
    Answer. The FTC frequently coordinates its efforts with its state, 
federal, and international partners. The FTC often brings robocall 
enforcement actions with states as co-plaintiffs. For example, in the 
FTC's case against Dish Network, litigated for the FTC by the 
Department of Justice, the FTC brought the case jointly with 
California, Illinois, North Carolina, and Ohio. Collectively, the 
states and the FTC obtained a historic $280 million trial verdict.\3\
---------------------------------------------------------------------------
    \3\ Press Release, FTC and DOJ Case Results in Historic Decision 
Awarding $280 Million in Civil Penalties Against Dish Network and 
Strong Injunctive Relief for Do Not Call Violations (June 6, 2017), 
https://www.ftc.gov/news-events/press-releases/2017/06/ftc-doj-case-
results-historic-decision-awarding-280-million-civil. The case is on 
appeal before the Seventh Circuit Court of Appeals.
---------------------------------------------------------------------------
    The FTC also coordinates outreach and education with the FCC. In 
2018, the agencies co-hosted two robocall events--a policy forum that 
discussed technological and law enforcement solutions to the robocall 
problem \4\ and a public expo that allowed companies offering call 
blocking and call labeling services to showcase their products for the 
public.\5\ Additionally, the FTC and FCC hold quarterly calls, speak 
regularly on an informal basis, and coordinate on a monthly basis with 
our state partners through the National Association of Attorneys 
General. The FTC also engages with international partners through 
participation in international law enforcement groups such as the 
International Consumer Protection Enforcement Network, International 
Mass Marketing Fraud Working Group, and the Unsolicited Communications 
Network (formerly known as the London Action Plan).
---------------------------------------------------------------------------
    \4\ Press Release, FTC and FCC to Host Joint Policy Forum and 
Consumer Expo to Fight the Scourge of Illegal Robocalls (Mar. 22, 
2018), https://www.ftc.gov/news-events/press-releases/2018/03/ftc-fcc-
host-joint-policy-forum-illegal-robocalls.
    \5\ Press Release, FTC and FCC to Co-Host Expo on April 23 
Featuring Technologies to Block Illegal Robocalls (Apr. 19, 2018), 
https://www.ftc.gov/news-events/press-releases/2018/04/ftc-fcc-co-host-
expo-april-23-featuring-technologies-block-0.

    Question 10. Your testimony described the limitations of the FTC's 
current data security enforcement authority provided by Section 5 of 
the FTC Act including: lacking civil penalty authority, lacking 
authority over non-profits and common carrier activity, and missing 
broad APA rulemaking authority. Please describe each of these 
limitations and how adjusted FTC authority to address these items would 
improve the protection of consumers from data security risks.
    Answer. As a general matter, the FTC Act does not provide the 
Commission with the authority to seek civil penalties from first-time 
violators of Section 5. Providing the FTC with expanded civil penalty 
authority would assist the FTC in its efforts to deter illegal conduct. 
Without civil penalties, companies with unlawful privacy and security 
practices get a free bite at the apple. Strong civil penalties and 
clear rules of the road are critical to deter lax privacy and security 
practices.
    The FTC Act excludes or exempts non-profits and common carriers 
from the FTC's jurisdiction, but non-profits and common carriers rely 
on consumer data just as other persons subject to the FTC's 
jurisdiction do. Broadened FTC authority that also covers non-profits 
and common carriers will eliminate opportunities for arbitrage and help 
ensure that persons collecting, storing, using, disposing of, or 
transporting consumer data do so in accordance with consistent rules.
    The FTC Act provides the FTC with authority to issue rules that 
define with specificity acts or practices in or affecting commerce that 
are unfair or deceptive. Through this authority, the FTC could issue 
rules pertaining to data privacy and security. Unfortunately, this 
rulemaking must be conducted in accordance with the Magnuson-Moss 
Warranty Act, which adds time-consuming requirements to the rulemaking 
process that go well-beyond the requirements of the Administrative 
Procedure Act. Granting the FTC the authority to issue data security 
rules in accordance with the Administrative Procedure Act would allow 
the Commission to issue timely and appropriate rules that keep pace 
with technological development and seek civil penalties if companies 
violate them.
                                 ______
                                 
 Response to Written Questions Submitted by Hon. Richard Blumenthal to 
                           Hon. Rohit Chopra
Privacy Rules
    We know that Americans care about privacy--that they eagerly want 
these rights. We need baseline rules. Companies should not store 
sensitive information indefinitely and use that data for purposes that 
people never intended. Federal rules must set meaningful obligations on 
those that handle our data. We must enable consumers to trust and 
control their personal data.

    Question 8. Do you support providing state AGs with the power to 
enforce Federal privacy protections and would you commit to working 
with state AGs?
    Answer. Yes. There is precedent for state attorney general 
enforcement of Federal privacy law. For example, state attorneys 
general have the authority to take action under the Children's Online 
Privacy Protection Act. However, this should not necessarily be a 
substitute for state attorneys general enforcing their own state laws 
protecting citizen data.

    Question 9. Why is it important that the FTC have rulemaking 
authority when it comes to privacy? Where best would rulemaking be 
applied?
    Answer. If privacy rules cannot evolve with changing technology, 
this will threaten fair competition and fair treatment of consumers.
    For example, the last major privacy legislation, COPPA, was in 
1998. If we did not have rulemaking authority, we would not have been 
able to make critical updates as the landscape evolved to mobile apps. 
Additionally, rulemaking means that the public will weigh in and help 
shape how it works. I believe in Joy's Law--``no matter who you are, 
most of the smartest people work for someone else,''--ccoined by Sun 
Microsystems co-founder Bill Joy. We need the input of the best 
researchers, engineers, entrepreneurs and the critically, the 
populations most at risk in privacy lapses.

    Question 10. Do you believe elevating the Office of Technology 
Research and Investigation to the Bureau level would meaningfully help 
the FTC in addressing new technological developments across its 
mandates?
    Answer. The line between ``consumer protection'' and 
``competition'' is very blurry in today's digital economy. Just as our 
lawyers and economists make substantial contributions to our mission, 
the FTC would benefit from additional employees with professionalized 
technical skills and capabilities. Elevating the staff from the Office 
of Technology Research and Investigation into a new Bureau of 
Technology would be one potential step in helping us rise to meet the 
challenge of how markets and business models work today.
Board Accountability
    Question 12. What is the FTC doing to investigate and hold 
accountable individual board members and executives who knowingly 
assist their companies in committing fraud? What more should the FTC be 
doing in this regard?
    Answer. The FTC should focus on holding individual board members 
and executives accountable when they break the law. While individuals 
are typically pursued in smaller matters, I believe we should sharpen 
our focus on individuals in all investigations, regardless of the size 
of the firm. This is especially true for firms subject to an existing 
Commission order.
FTC Investigation of Algorithms
    Section 6(b) of the FTC Act gives the agency broad investigatory 
and information-gathering powers. For example, in the 1970s the FTC 
used its Section 6(b) authority to require companies to submit product-
line specific information, enabling the agency to assess the state of 
competition across markets.
    The FTC has released reports on big data and the harms biased 
algorithms can cause to disadvantaged communities. These reports drew 
attention to the potential loss of economic opportunity and diminished 
participation in our society. Yet, information on how these algorithms 
work, and on the inputs that go into them, remains opaque.

    Question 19. Where the FTC consider using its Section 6(b) 
investigative power to help us understand how these algorithms and 
black-box A.I. systems work--the biases that shape them, and how those 
can affect trade, opportunity, and the market?
    Answer. Black-box algorithms increasingly make decisions about our 
lives. This can raise serious concerns about fairness and civil rights. 
The FTC should consider a wide range of potential studies to better 
understand how markets, technology, and business models work today.
FTC Consent Decree on Unrepaired Recalls
    Most consumers probably do not know that, while new car dealers are 
prohibited from selling vehicles with open recalls, used car dealers 
are not. A recent FTC consent decree, which I strenuously disagreed 
with and is currently being scrutinized in the courts, allows the sale 
of used cars with unrepaired recalls. According to the consent decree, 
car dealers can advertise that cars with unrepaired safety recalls like 
a defective Takata airbag are ``safe'' or have passed a ``rigorous 
inspection''--as long as they have a disclosure that the vehicle may be 
subject to an unrepaired recall and directs consumers on how they can 
determine the vehicle has an open recall.

    Question 20. In your opinion, is a car with an open, unrepaired 
recall, a ``safe'' car? Why would the FTC allow unsafe cars to be 
advertised as ``safe'' and ``repaired for safety,'' with or without a 
vague, contradictory and confusing disclaimer?
    Answer. It is extremely concerning that American drivers are 
unknowingly purchasing used cars with open recalls. While we have 
pursued enforcement cases relating to deceptive advertising in the 
past, I am concerned that these actions without the threat of civil 
penalties do not do enough to deter this sort of behavior, which puts 
people on the road at risk. We should utilize the rulemaking authority 
granted to us in 2010 pursuant to Section 1029 of the Dodd-Frank Act to 
ensure that we can seek civil penalties on an auto dealer's first 
offense.
Question on Non-Compete Clauses
    I am concerned about the growth of non-compete clauses, which block 
employees from switching jobs to another employer in the same sector 
for a certain period of time. These clauses weaken workers' bargaining 
power once they are in the job, because workers often cannot credibly 
threaten to leave if their employer forces refuses to give them a raise 
or imposes poor working conditions. According to the Economic Policy 
Institute, roughly 30 million workers--including one in six workers 
without a college degree--are now covered by non-compete clauses.
    The consensus in favor of addressing non-compete clauses is 
growing. For example, just this past December, an interagency report 
indicated that non-compete clauses can be harmful in certain contexts, 
such as the healthcare industry. Yet, the FTC has not yet undertaken 
forceful action. In September, Commissioner Chopra suggested that the 
FTC use its rulemaking authority to ``remove any ambiguity as to when 
non-compete agreements are permissible or not.''

    Question 23. Do you agree with the proposal that the FTC use its 
rulemaking authority to address non-compete clauses? I invite you to 
explain your reasoning regarding your stance.
    Answer. The prevalence of non-compete clauses are a significant 
concern. Firms may be using these clauses to suppress wages and impede 
a competitive labor market. I support examining the use of all tools, 
including rulemaking, to address concerns of anticompetitive conduct 
with respect to non-compete clauses and other terms and conditions in 
worker and independent contractor agreements.
Question on Local Merger Enforcement
    Even though big national mergers typically garner the most media 
attention, smaller mergers can often raise monopoly concerns on the 
local level. This can be true in the healthcare industry, for example. 
In November, Commissioner Simons told me: ``Some local mergers may be 
too small to require Hart-Scott-Rodino premerger notification, but may 
still have anticompetitive effects.''

    Question 24. Would you agree with me that Hart-Scott-Rodino 
premerger notifications help antitrust enforcers catch concerning 
mergers?
    Answer. Yes.

    Question 25. What sort of anticompetitive effects might be raised 
by local mergers even when those mergers are too small to require Hart-
Scott-Rodino premerger notification?
    Answer. Hospitals and Main Street retail are some of the 
foundations of a local economy. Mergers like these that are not subject 
to the requirements under the HSR Act can be just as anticompetitive as 
mergers that are. They can lead to higher prices and less access to 
necessities like food and health care.

    Question 26. What action would you recommend either the FTC or 
Congress take in order to assist Federal and state antitrust enforcers 
in catching local mergers that raise anticompetitive concerns?
    Answer. This is an important issue for local economies across the 
country. We should closely examine whether our reporting regime 
adequately captures transactions that lead to potentially 
anticompetitive effects. I look forward to working with you and other 
interested offices on this issue.
Question on Horizontal Shareholding
    Recent research has raised questions about whether horizontal 
shareholding harms competition in our economy. I would like to 
understand your view on this ongoing research.

    Question 27. Do you believe that horizontal shareholding raises 
anticompetitive concerns?
    Answer. This is a new area of concern that we need to learn more 
about. There is an emerging literature about this topic that focuses on 
passive investment vehicles. I am also interested in how holdings by 
private pools of capital, such as private equity and hedge funds, could 
raise a special set of anticompetitive concerns.

    Question 28. Do you believe that our antitrust laws can be used to 
address the anticompetitive concerns raised by horizontal shareholding?
    Answer. I do not know if our laws are sufficient to address 
potential problems. Our 21st Century Hearings on Competition and 
Consumer Protection are covering this issue. I plan to study the record 
on this issue closely to assess any anticompetitive concerns.

    Question 29. What, if anything, are you doing to address any 
potential harms of horizontal shareholding?
    Answer. I am still gathering information to determine the 
appropriate course of action.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                          to Hon. Rohit Chopra
Pet Leasing
    I appreciate the Commission's attention to my request with six of 
my colleagues for the FTC to investigate the practice of pet leasing 
that is leading some consumers into confusing or deceptive contractual 
obligations that cause them to have an issue with their beloved pet and 
negatively impact their financial status, such as credit scores, for 
far into the future. This is an issue that is a little under the radar 
but needs strong oversight and attention under your deceptive practices 
mandate if there are concerning financial practices being discovered.
    Question. Can I get a further commitment from you all to keep my 
office informed of actions and determinations you all may make 
pertaining to this concerning issue and the Humane Society and Animal 
Legal Defense Fund's formal petition to the Commission?
    Answer. Consistent with the FTC's Rules of Practice, we are happy 
to provide your office with updates on this topic.
Bureau of Technology
    Former Commissioner Terrell McSweeny has suggested creating a 
Bureau of Technology at the FTC.

    Question 1. Does the Commission have sufficient resources and 
staffing to protect consumer privacy in the digital age?
    Answer. Given the challenges faced in the digital marketplace, more 
resources would help advance the goal of protecting consumer privacy 
and competition.

    Question 2. Do support the establishment of a Bureau of Technology?
    Answer. Just as our lawyers and economists make substantial 
contributions to our mission, the FTC would benefit from additional 
employees with professionalized technical skills and capabilities. 
Establishing a new Bureau of Technology would be one important step in 
helping us rise to meet the challenge of how markets and business 
models work today.
Robocalls
    Obviously protecting consumers from fraud is a fundamental tenet of 
the FTC. And I applaud your work in both the education and enforcement 
sectors of protecting consumers. But one area we all are still 
struggling to stay ahead of the curve on is robocalls. That's why I 
have legislation, the Deter Obnoxious, Nefarious, and Outrageous 
Telephone Calls, or DO NOT Call Act with four of my Senate colleagues. 
It would increase the deterrent against illegal robocalls by imposing a 
potential criminal penalty rather than just civil fines. While these 
tools would be more for the Federal Communications Commission, we are 
obviously interested in fighting this problem on all fronts.

    Question 1. Would you agree that in addition to finding more 
effective technological tools to fight this problem, that this kind of 
enhanced deterrent needs to receive serious consideration in Congress 
to help provide regulators the tools to hold bad actors accountable for 
this persistent nuisance and scurrilous action by scammers?
    Answer. Yes, more tools to hold bad actors accountable would be 
helpful.

    Question 2. Are there additional actions Congress should be 
considering related to this specific challenge?
    Answer. Congress should consider repealing the common carrier 
exemption in the FTC Act. In addition, Congress may need to weigh 
whether criminal penalties are appropriate for the worst abusers of 
robocalling.
Data Minimization vs Big Data
    A topic that has come up a lot during our discussions on privacy is 
data minimization. This is a concept that I have been considering on as 
I work on developing a comprehensive data privacy bill. As you're 
aware, this is the idea that businesses should only collect, process, 
and store the minimum amount of data that is necessary to carry out the 
purposes for which is was collected. There are obvious advantages to 
this as it minimizes the risk of data breaches and other privacy harms. 
At the same time, big data analytics are going to be crucial for the 
future and play an important role in smart cities, artificial 
intelligence, and other important technologies that fuel economic 
growth. I think it is important to find a balance between minimization 
and ensuring that data, especially de-identified data, is available for 
these applications.

    Question. Can you describe how you view this balance and how we in 
Congress can ensure that people's data is not abused but can still be 
put to use in positive ways?
    Answer. Data minimization and big data are complementary. Some 
assume that ``big data'' means that more is simply better, but firms 
collecting massive amounts of data face practical, computational, and 
architectural constraints.
    We need to ensure that when firms accumulate massive amounts of 
data, they do not engage exclusionary conduct and other anticompetitive 
practices. This is also important in merger review, where data is a 
critical asset. We will also need to take steps to ensure that there 
are mechanisms to ensure that big data does not lead to discrimination 
or reinforce biases.
General Privacy Recommendations
    Question 1. While privacy was a significant topic of the oversight 
hearing, as we look to develop a bill, can you specifically lay out 
some of the top priorities you individually would like to see included 
and what do you think gets overlooked in the conversations policymakers 
have with allowing for future innovations and yet raising the bar for 
protecting consumers?
    Answer. Technology moves quickly. The best thing we can do is make 
sure that this movement is happening within a competitive market that 
ensures autonomy, choice, and individual rights. We need to take aim at 
all of the structural incentives and business models that can distort 
competition and infringe on personal privacy.
    For example, we need to address ``terms of service'' that include 
one-sided terms that lead to a race to the bottom. Also overlooked is 
the role of data in mergers and acquisitions. We need to look carefully 
at whether firms are combining data to erode privacy and exclude 
competition. We also need to examine whether there are conflicts of 
interest in certain types of business models that harm both users and 
competitors.

    Question 2. Can you also outline the optimal role you see for our 
state Attorneys General in this privacy enforcement process?
    Answer. State Attorneys General play a critical law enforcement 
role and are often times in a better position to quickly identify and 
respond to problems that impact citizens of their states than Federal 
law enforcement is. Any privacy enforcement regime should recognize and 
account for this reality and enable states to act as necessary to 
protect their citizens. In addition to enforcing their own state law 
protecting citizen data, I support state attorney general enforcement 
authority of Federal privacy protections.
Data Privacy--Binding Contracts?
    We live with this time information inundation where people can't 
really read privacy policies and fairly agree to their content. But, we 
all know that basically no one reads privacy policies--and indeed, no 
reasonable person should read privacy policies, because according to 
research done at Carnegie Mellon, it would take 76 work days to read 
all of the privacy policies on encounters in a year. Companies take 
advantage of the fact that no one reads privacy policies to bury terms 
in those policies that no rational consumer would agree to (such as 
Grindr selling its users HIV status to third parties).

    Question. Should these terms of service be binding contracts?
    Answer. No. ``Terms of service'' include one-sided terms that are 
contributing to a race to the bottom. Congress will need to ensure that 
terms of service are not used to strip away rights and erode 
competition.
Privacy Risky Communities/Groups
    Question 1. Do you think that certain communities or groups are any 
more or less vulnerable to privacy risks and harms?
    Answer. Yes. For example, communities of color have been subject to 
``digital redlining'' where a company uses surveillance to build a 
profile that infers race, and then restricts the opportunities that 
they can see based on that profile. Privacy isn't an abstract concept 
for people whose personal information is used to restrict, for example, 
housing or job opportunities.

    Question 2. Should privacy law and regulations account for such 
unique or disparate harms, and if so, how?
    Answer. It is critical that Americans are able to vindicate their 
civil rights. Privacy law and regulations should affirmatively address 
protecting civil rights. We need to take a hard look at how behavioral 
advertising might infringe on our civil rights. We also need to make 
sure that algorithms do not operate in the shadows that are 
discriminatory by design.
Immediate Civil Penalties Authority
    Noting from your FTC testimony, ``Section 5 (of the FTC Act), 
however, is not without limitations. For example, Section 5 does not 
provide for civil penalties, reducing the Commission's deterrent 
capability.''

    Question. While I appreciate the long term successes of the FTC in 
many respects to investigate data security matters, what are your 
thoughts to whether there is enough of a deterrent effect with Section 
5 authority when you can't immediately enforce against those who misuse 
data with civil penalties right from the start, rather than as the 
result of often times flagrant offenses to their already establish 
consent decrees?
    Answer. Without civil penalties, companies with unlawful security 
practices get a free bite at the apple. Strong civil penalties and 
clear rules of the road are critical to deter lax security practices.
                                 ______
                                 
    Response to Written Question Submitted by Hon. Maggie Hassan to 
                           Hon. Rohit Chopra
    Question 3. The heroin, fentanyl, and opioid crisis is the most 
pressing public health and safety challenge facing both my home state 
of New Hampshire and our country, and it is taking a massive toll on 
our communities, our workforce, and our economy.
    This crisis affects people from all walks of life in every corner 
of my state and the entire country, and it requires an ``all-hands-on-
deck'' response, including from agencies that may not traditionally be 
focused on these issues.
    Would you please describe the FTC's efforts to regulate 
unscrupulous treatment programs? More specifically, are you able to 
discuss illegal lead generation and what the FTC is doing to combat 
this practice that harms those who have taken the first step towards 
confronting substance use disorder?
    Answer. Across the country, opioid addiction is tearing apart the 
lives of individuals, their families, and their communities. It is 
critical that the FTC do everything in its power to tackle this 
problem. As I noted in a letter to the House Energy and Commerce 
Committee, I am particularly concerned about lead generators and body 
brokers who collude with treatment centers to target addiction 
sufferers. Rather than helping these sufferers, these entities gouge 
them, their families, and their insurance companies. Last year, the 
Opioid Addiction Recovery Fraud Prevention Act granted the FTC new 
authority for combatting those who seek to profit from this epidemic, 
and is essential that we exercise this authority with vigor.
                                 ______
                                 
    Response to Written Question Submitted by Hon. Amy Klobuchar to 
                           Hon. Rohit Chopra
    Question. The Federal Trade Commission's budget has remained flat 
for the past several years despite increasing demands on your agency's 
resources, including a significant rise in merger filings.

   If additional resources were made available to the Federal 
        Trade Commission, how would you deploy those resources to 
        advance the agency's consumer protection and competition 
        missions?

    Answer. The Commission oversees vast sectors of the economy with a 
staff significantly smaller than what it was a generation ago. We are 
in particular need of additional technologists who can analyze emerging 
antitrust and consumer protection challenges, and attorneys prepared to 
take firms to court when they break the law.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Tom Udall to 
                           Hon. Rohit Chopra
Privacy
    Question 1. Do you support strong civil penalties for consumer 
privacy violations?
    Answer. Yes. Absent real penalties, there will be no deterrence for 
bad actors.

    Question 2. The California Consumer Protection Act goes into effect 
in January 2020. As Congress considers pre-emption of that state law, 
what additional authority should we give the FTC to ensure that 
consumer privacy adequately is protected?
    Answer. Any Federal privacy law should create more competition, 
give users meaningful rights, and come with real consequences for 
violators. At the same time, I am concerned that broad preemption of 
state laws would do more harm than good. We look forward to working 
with you closely as these efforts progress.

    Question 3. A recent New York Times analysis found that both the 
Apple App Store and the Google Play Store have apps in their respective 
children's or family sections that potentially violate COPPA.\1\ What 
specific role should platform owners play to ensure COPPA compliance on 
their platforms?
---------------------------------------------------------------------------
    \1\ Valentino-DeVries, J., Singer, N., Krolick, A., Keller, M. H., 
``How Game Apps That Captivate Kids Have Been Collecting Their Data.'' 
The New York Times. 2018, September 12. https://www.nytimes.com/
interactive/2018/09/12/technology/kids-apps-data-privacy-google-
twitter.html
---------------------------------------------------------------------------
    Answer. The 2012 revisions to the COPPA rule make platforms liable 
if they have actual knowledge of collecting personal information from a 
child-directed app. We will need to keep a close eye on platforms to 
ensure that they are not purposely turning a blind eye to violations of 
COPPA. We will also need to continue reviewing the COPPA rules on a 
regular basis, given the influence of the major tech platform 
companies.

    Question 4. Compliance for mobile apps may be hard to achieve 
against fly-by-night operators overseas who do not care if their apps 
violate U.S. law. How can the Vtech Electronics investigation and civil 
penalty serve as an example for how the FTC can hold foreign app 
developers responsible for violating COPPA?
    Answer. The FTC will need to keep a close eye on foreign operators 
collecting information on American users. I support continued efforts 
to monitor and hold violators accountable.

    Question 5. The COPPA safe harbor organizations must submit an 
annual report to the Federal Trade Commission, Can you share the 
reports from the last 5 years?
    Answer. Given that the Commission voted to designate these 
organizations, I support the sharing of performance data submitted by 
COPPA safe harbor organizations, subject to law and regulation 
governing confidentiality. I have reviewed these reports and am 
concerned that these organizations are not engaging in fulsome 
monitoring and collection of consumer complaints.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. John Thune to 
                       Hon. Noah Joshua Phillips
    Question 1. Vertical mergers such as the merger between AT&T and 
Time Warner have garnered some attention lately. The FTC and DOJ have 
not updated vertical merger guidance since 1984. Do you believe that 
the FTC and DOJ should issue new guidance on vertical mergers?
    Answer. Antitrust officials, practitioners, and scholars recognize 
that, in many respects, the 1984 Non-Horizontal Merger Guidelines \1\ 
reflect neither current practice nor scholarship on vertical merger 
enforcement.\2\ New guidelines should be based on modern caselaw, the 
practical experience of recent merger challenges and investigations, 
and insights from both theoretical and empirical scholarship.
---------------------------------------------------------------------------
    \1\ U.S. Department of Justice, Non-Horizontal Merger Guidelines 
(1984), https://www.justice
.gov/sites/default/files/atr/legacy/2006/05/18/2614.pdf.
    \2\ See, e.g., Aldrin Brown, US DOJ Seeks to Issue New Vertical 
Merger Guidelines `Within the Next Year,' Antitrust Chief Says, PARR 
(Oct. 30, 2018) (quoting Assistant Attorney General Makan Delrahim as 
stating that these guidelines are ``not used'' and do not ``[r]eflect 
new evidence or case law''); Bruce Hoffman, Vertical Merger Enforcement 
at the FTC, Remarks at Credit Suisse 2018 Washington Perspectives 
Conference (Jan. 10, 2018), https://www.ftc.gov/public-statements/2018/
01/vertical-merger-enforcement-ftc.
---------------------------------------------------------------------------
    Over the years, the agencies have provided substantial insight on 
vertical merger analysis through speeches and other policy work,\3\ and 
through rigorous case selection.\4\ I am open to drafting new 
guidelines, provided they reflect guidance from the courts, experience 
from agencies, and the weight of scholarship on the question.
---------------------------------------------------------------------------
    \3\ See, e.g., Bruce Hoffman, Vertical Merger Enforcement at the 
FTC, Remarks at Credit Suisse 2018 Washington Perspectives Conference 
(Jan. 10, 2018), https://www.ftc.gov/public-state
ments/2018/01/vertical-merger-enforcement-ftc (explaining the FTC's 
current analysis of proposed vertical mergers and highlighting the 
extent to which that analysis has moved beyond the 1984 Non-Horizontal 
Merger Guidelines).
    \4\ For example, the Commission recently challenged several 
vertical mergers, including one between Northrop Grumman, a leading 
provider of missile systems to the Department of Defense, and Orbital 
ATK, a key supplier of solid rocket motors. Northrop Grumman, No. C-
4652 (F.T.C. 2018), https://www.ftc.gov/enforcement/cases-proceedings/
181-0005-c-4652/northrop-grumman
-orbital-atk. See also Sycamore Partners II, L.P., No. C-4667 (F.T.C. 
2019), https://www.ftc.gov/enforcement/cases-proceedings/181-0180/
sycamore-partners-ii-lp-staples-inc-essendant-inc-matter (consent 
agreement resolving charges that a merger between Staples, the world's 
largest retailer of office products and related services, and 
Essendant, a wholesale distributor of office products, was likely to 
harm competition in the market for office supply products sold to 
small- and mid-sized businesses); Fresenius Medical Care AG & Co. KGaA, 
No. C-4671 (F.T.C. 2019), https://www.ftc.gov/enforcement/cases-
proceedings/171-0227/fresenius-medical-care-nxstage-medical-matter.

    Question 2. Government lawsuits to stop mergers are litigated using 
different procedures depending on which agency, the FTC or DOJ, handles 
the case. Do you think Congress should take action to ensure that 
agencies follow the same procedures or do you support another approach?
    Answer. There is no good reason for different standards for 
preliminary injunctive relief between the two antitrust enforcement 
agencies, and Congress adopting carefully crafted legislation to align 
standards could be beneficial. As a practical matter, courts typically 
interpret the standard to be applied when the FTC files for a 
preliminary injunction in pre-merger cases to be the same as for such 
DOJ filings. Making it clear via statute that the two standards are the 
same would, however, eliminate: (1) any potential for different 
standards to be erroneously adopted; and (2) the criticism that 
companies may face different standards depending on the happenstance of 
which agency reviews its transaction.
    With respect to the FTC's administrative litigation path, there are 
several additional considerations. The FTC has utilized administrative 
litigation to help develop antitrust doctrine in important ways--
including in complex and critical areas like healthcare. The 
Commission's reworking of its approach to hospital mergers is perhaps 
the most striking example of the FTC's successful use of administrative 
litigation to advance antitrust enforcement.\5\ In contemplating 
legislation regarding the FTC's use of administrative litigation, 
Congress should consider whether and to what extent it desires the 
Commission to continue using administrative litigation--as opposed to 
Federal court litigation--to develop antitrust doctrine.
---------------------------------------------------------------------------
    \5\ See, e.g., Edith Ramirez, Chairwoman, Fed. Trade Comm'n, 
Retrospectives at the FTC: Promoting an Antitrust Agenda, Remarks at 
ABA Retrospective Analysis of Agency Determinations in Merger 
Transactions Symposium (June 28, 2013), https://www.ftc.gov/public-
statements/2013/06/retrospectives-ftc-promoting-antitrust-agenda; S. 
2102: the Standard Merger & Acquisition Review Through Equal Rules Act 
of 2015 Before the Subcomm. on Antitrust, Competition Policy & Consumer 
Rights of the S. Comm. on the Judiciary, 114th Cong. 4 (2015) 
(statement of Jonathan M. Jacobson, Partner, Wilson Sonsini Goodrich & 
Rosati, PC), https://www.judi
ciary.senate.gov/imo/media/doc/10-07-15%20Jacobson%20Testimony.pdf.
---------------------------------------------------------------------------
    Congress should also consider whether and to what extent 
administrative litigation may make the ultimate resolution of cases 
more efficient. Whether a case is litigated in Federal court or 
administratively may make a difference, particularly for unconsummated 
mergers. Merging parties remain unable to close their transaction for a 
significant period of time, for example when they are subject to review 
by multiple authorities. The FTC can commence an administrative action 
while other reviews are pending and delay an injunction action in 
Federal court until other review processes are completed and the merger 
is imminent. In the recent Tronox case, the FTC filed its case in 
December 2017 and litigated it administratively while the parties 
waited for foreign approvals.\6\ In the summer of 2018, once those 
approvals were granted and the parties would have been able to close 
their transaction, the FTC filed suit in Federal court, seeking a 
preliminary injunction. The pre-existing administrative record allowed 
the parties to avoid a substantial discovery period in the Federal 
proceeding, enabled the district court judge to expedite its hearing 
and to issue a ruling in September 2018. However, the administrative 
litigation remains pending before the Commission. In other recent 
merger cases where the Commission has sought a preliminary injunction 
in Federal court from the beginning, Federal courts were able to issue 
rulings on the preliminary injunctions--which typically effectively end 
any litigation and obviate the need for any administrative trial--
within six months.\7\
---------------------------------------------------------------------------
    \6\ Tronox Ltd., No. 9377 (F.T.C. 2018), https://www.ftc.gov/
enforcement/cases-proceedings/171-0085/tronoxcristal-usa.
    \7\ See, e.g., Sysco Corporation, No. 9364 (F.T.C. 2015), https://
www.ftc.gov/enforcement/cases-proceedings/141-0067/syscousf-holdingus-
foods-matter; Staples, Inc., No. 9367 (F.T.C. 2016), https://
www.ftc.gov/enforcement/cases-proceedings/151-0065/staplesoffice-depot-
matter.
---------------------------------------------------------------------------
    That said, the Commission's use of administrative litigation for 
merger review has met with criticism. Some express concern that the FTC 
has ``two bites at the apple'' when it comes to mergers: the Commission 
can seek a preliminary injunction in Federal court, and if it loses, 
can continue to a full administrative trial before an ALJ (an option 
the DOJ does not have).\8\ The Commission has not continued to litigate 
a merger case after losing a preliminary injunction motion in Federal 
court for over twenty years, and modern policy is to stop litigating 
after such a loss. I agree with that policy. That said, the policy 
could be changed by the Commission, while it would not be able to 
unilaterally deviate from legislation adopting this policy.
---------------------------------------------------------------------------
    \8\ See, e.g., Antitrust Modernization Commission, Report and 
Recommendations, ch. II.A (2007), https://govinfo.library.unt.edu/amc/
report_recommendation/amc_final_report.pdf.
---------------------------------------------------------------------------
    There also is a concern that, in administrative litigation, the 
Commission essentially serves as a check on itself--it votes to issue a 
complaint, and then is the factfinder and decision-maker as to the 
ultimate merits of that complaint before parties have any opportunity 
to go to Federal court.\9\ The FTC ultimately finds liability (on one 
or more counts) in administrative litigation an overwhelming percent of 
the time, often overruling the Administrative Law Judge (who renders an 
initial decision, following an administrative trial) to do so.\10\ This 
has led some to question the administrative process and the use of the 
ALJ.
---------------------------------------------------------------------------
    \9\ See Mark Leddy, Christopher Cook, James Abell & Georgina 
Eclair-Heath, Transatlantic Merger Control: The Courts and the 
Agencies, 43 Cornell Int'l L.J. 25, 53 (2010) (``[T]he FTC's recent 
proposals [  ] raise concerns about prosecutorial bias and lack of 
effective judicial oversight.''); Maureen K. Ohlhausen, Administrative 
Litigation at the FTC: Effective Tool for Developing the Law or Rubber 
Stamp?, 12(4) J. Competition L. & Econ. 1 (2016) (describing and 
analyzing the concerns); David A. Balto, The FTC at a Crossroads: Can 
It Be Both Prosecutor and Judge?, 28 Legal Backgrounder 1, 1 (2013); 
Report of the American Bar Association Section of Antitrust Law Special 
Committee to Study the Role of the Federal Trade Commission, 58 
Antitrust L.J. 43, 118 (1989) (``No thoughtful observer is entirely 
comfortable with the FTC's (or other agencies') combining of prosecutor 
and adjudicatory functions. Whenever the same people who issued a 
complaint later decide whether it should be dismissed, concern about at 
least the appearance of fairness is inevitable.'').
    \10\ See, e.g., A. Douglas Melamed, Comments on Public Workshop 
Concerning the Prohibition of Unfair Methods of Competition In Section 
5 of the Federal Trade Commission Act 14 (Oct. 14, 2008), https://
www.ftc.gov/policy/public-comments/comment-537633-00004 (``Over that 
25-year period [from 1983-2007], respondents did not win a single 
[Sherman Act] case [before the ALJ]. The staff won 16 cases and lost 
none. That record now covers the 26-year period from 1983 to 2008. [] 
Notably, respondents had greater difficulty winning before the 
Commission than before the ALJs. Respondents actually won four of the 
sixteen cases before the ALJ.'' (emphasis in original)); Joshua Wright, 
Supreme Court Should Tell FTC To Listen To Economists, Not Competitors 
On Antitrust, Forbes (Mar. 14, 2016), https://www.forbes.com/sites/
danielfisher/2016/03/14/supreme-court-should-tell-ftc-on-antitrust/
#76b9fd647c16 (``[T]he FTC has ruled for itself in 100 percent of its 
cases over the past three decades--though it is reversed more often 
than the decisions of Federal court judges.'')
---------------------------------------------------------------------------
    In considering whether to take action to align the approaches of 
the two Federal antitrust agencies, Congress should keep in mind these 
benefits and potential drawbacks.

    Question 3. Should Congress amend Section 5(n) of the FTC Act, 
which addresses unfair practices, to clarify what constitutes 
``substantial injury?'' If so, how?
    Answer. I do not have a view at this time as to whether Congress 
should clarify the definition of ``substantial injury'' under Section 
5(n). Historically, the Commission has interpreted substantial injury 
to include financial,\11\ physical,\12\ reputational,\13\ or unwanted 
intrusions.\14\
---------------------------------------------------------------------------
    \11\ Financial injury can manifest in a variety of ways: fraudulent 
charges, delayed benefits, expended time, opportunity costs, fraud, and 
identity theft, among other things. See, e.g., Complaint, TaxSlayer, 
LLC, No. C-4626 (F.T.C. Oct. 20, 2017), https://www.ftc.gov/
enforcement/cases-proceedings/162-3063/taxslayer (alleging delayed 
benefits, expended time, and risk of identity theft).
    \12\ Physical injuries include risks to individuals' health or 
safety, including the risks of stalking and harassment. See, e.g., 
Complaint, FTC v. Accusearch, Inc., No. 06-CV-0105 (D. Wyo. April 27, 
2006), https://www.ftc.gov/enforcement/cases-proceedings/052-3126/
accusearch-inc-dba-abikacom-jay-patel (alleging that telephone records 
pretexting endangered consumers' health and safety).
    \13\ Reputational injury involves disclosure of private facts about 
an individual, which damages the individual's reputation. Tort law 
recognizes reputational injury. The FTC has brought cases involving 
this type of injury, for example, in a case involving public disclosure 
of individuals' Prozac use and public disclosure of individuals' 
membership on an infidelity-promoting website. Eli Lilly And Company, 
No. C-4047 (F.T.C. May 8, 2002), https://www.ftc.gov/enforcement/cases-
proceedings/012-3214/eli-lilly-company-matter; FTC v. Ruby Corp. et 
al., No. 1:16-cv-02438 (D.D.C. Dec. 14, 2016), https://www.ftc.gov/
enforcement/cases-proceedings/152-3284/ashley-madison.
    \14\ Finally, unwanted intrusions involve two categories. The first 
includes activities that intrude on the sanctity of people's homes and 
their intimate lives. The FTC's cases involving a revenge porn website, 
an adult-dating website, and companies spying on people through 
remotely-activated webcams fall into this category. The second category 
involves unwanted commercial intrusions, such as telemarketing, spam, 
and harassing debt collection calls.
---------------------------------------------------------------------------
    Some have raised questions as to the scope of injury appropriately 
covered by Section 5(n), including whether (and how) 5(n) should be 
applied to intangible injuries.\15\ In response to some of these 
questions, on December 12, 2017, the FTC hosted a workshop in 
Washington, DC to discuss ``informational injuries'', which are 
injuries--both market-based and non-market \16\--that consumers may 
suffer from privacy and security incidents, such as data breaches or 
unauthorized disclosure of data. The workshop asked participants to 
discuss and develop analytical frameworks to help guide future 
application of the ``substantial injury'' prong in cases involving 
informational injury.
---------------------------------------------------------------------------
    \15\ See, e.g., Oversight of the Federal Trade Commission; Hearing 
Before the S. Comm. on Commerce, Science, and Transportation, 114th 
Cong. 74 (2016) (written question submitted by Sen. Thune, Chairman, S. 
Comm. on Commerce, Science, and Transportation) (asking about the use 
of the FTC's unfairness doctrine to address intangible and non-economic 
harms, including whether ``there a predictable limiting factor on the 
types of harm that will result in FTC enforcement actions''), https://
www.govinfo.gov/content/pkg/CHRG-114shrg25376/pdf/CHRG-
114shrg25376.pdf; LabMD, Inc. v. FTC, 678 F. App'x 816, 820 (11th Cir. 
2016) (noting that ``it is not clear that a reasonable interpretation 
of Sec. 45(n) includes intangible harms like those that the FTC found 
in this case.''); Concurring Statement of Acting Chairman Maureen K. 
Ohlhausen in the Matter of Vizio, Inc. at 1, FTC v. VIZIO, Inc., No. 
2:17-cv-00758 (D.N.J. 2017) (noting ``the need for the FTC to examine 
more rigorously what [type of harm] constitutes `substantial injury' in 
the context of information about consumers.''), https://www.ftc.gov/
public-statements/2017/02/concurring-statement-acting-chairman-maureen-
k-ohlhausen-matter-vizio-inc.
    \16\ ``Market-based'' injuries can be objectively measured--for 
example, credit card fraud and medical identity theft affect consumers' 
finances in a directly measurable way. Alternatively, a ``non-market'' 
injury, such the embarrassment that comes from a breach of sensitive 
health information, cannot be objectively measured using available 
tools because there is no functioning market for it.
---------------------------------------------------------------------------
    This work targets issues that Congress is now considering 
addressing through privacy legislation. I believe the discussion about 
the scope of Section 5(n) is relevant to that consideration.

    Question 4. Should the FTC issue more guidance to marketers on the 
level of support needed to substantiate their claims? If so, when do 
you anticipate that such guidance could be issued?
    Answer. The FTC has issued extensive guidance over the years to 
help marketers in determining the level of support needed to 
substantiate claims. The Commission first articulated the relevant 
factors used to determine the level of evidence required to 
substantiate objective performance claims in Pfizer, Inc., 81 F.T.C. 23 
(1972). Those factors included the type of claim, type of product, the 
consequences of a false claim, the benefits of a truthful claim, the 
cost of developing substantiation for the claim, and the amount of 
substantiation experts in the field believe is reasonable. The 
Commission and the courts have reaffirmed this standard many times 
since 1972.\17\ In addition, the FTC also has provided extensive 
guidance through Guides and staff guidance documents.\18\ In addition, 
FTC staff provide additional guidance through speeches and 
presentations to industry trade groups and industry attorneys.
---------------------------------------------------------------------------
    \17\ See, e.g., Thompson Med. Co., 104 F.T.C. 648, 813 (1984), 
aff'd, 791 F.2d 189 (D.C. Cir. 1986); Daniel Chapter One, 2009 WL 
5160000, at *25-26 (F.T.C. 2009), aff'd, 405 Fed. Appx. 505 (D.C. Cir. 
2010) (unpublished opinion), available at 2011-1 Trade Cas. (CCH)  
77,443 (D.C. Cir. 2010); POM Wonderful, LLC, 155 F.T.C. 1, 55-60 
(2013), aff'd, 777 F.3d 478 (D.C. Cir. 2015), cert. denied, 136 S. Ct. 
1839, 194 L. Ed. 2d 839 (2016); FTC Policy Statement Regarding 
Substantiation, 104 F.T.C. 839, 840 (1984) (appended to Thompson Med. 
Co., 104 F.T.C. 648 (1984)).
    \18\ See Guides for the Use of Environmental Marketing Claims, 16 
C.F.R. Sec. 260.2 (2019), https://www.ecfr.gov/cgi-bin/text-
idx?SID=bd96b2cdcd01f7620d43e50a9d1d8cec&mc=true&
node=se16.1.260_12&rgn=div8; FTC, Dietary Supplements: An Advertising 
Guide for Industry, https://www.ftc.gov/tips-advice/business-center/
guidance/dietary-supplements-advertising-guide-industry.
---------------------------------------------------------------------------
    The Commission's precedent and other guidance sets forth flexible 
principles that can be applied to multiple products and claims. It does 
not attempt to answer every question about substantiation, given the 
virtually limitless range of advertising claims, products, and services 
to which it could be applied. Instead, it seeks to strike the right 
balance between being specific enough to be helpful but not so granular 
that it would overlook some important factor that might arise under 
given circumstances and thereby actually chill useful speech.

    Question 5. In June, the 11th Circuit vacated the Commission's data 
security order against Lab-MD. What effect, if any, will this have on 
the Commission's data security orders going forward?
    Answer. The U.S. Court of Appeals for the Eleventh Circuit 
determined that the mandated data security provision of the 
Commission's LabMD Order was insufficiently specific. That ruling 
effectively mandates that our data security orders be more 
prescriptive, which is not necessarily good from a policy perspective. 
The flexible approach we had applied, which both the Commission and 
defendants generally preferred, permitted firms to base their data 
security compliance on the particular risks and needs of individual 
firms. Congress should consider whether to address the ruling of the 
Eleventh Circuit through a statutory fix.
    The Court having issued its order, however, we are now working to 
craft order language in data security cases that is consistent with the 
Eleventh Circuit's opinion.

    Question 6. If Federal privacy legislation is passed, what 
enforcement tools would you like to be included for Federal Trade 
Commission?
    Answer. The question of tools is a secondary one, which cannot and 
should not be considered in the abstract. Answering the question 
necessarily requires preliminary determinations first as to what harms 
Congress wishes to address and, second, what liability standards it 
adopts to address those harms. Civil penalties, for instance, are 
better tailored to conduct that is clearly-defined--for example, 
violations of specific rules set forth in FTC consent orders or 
regulations like COPPA. Otherwise, the prospect of paying them may 
chill innovation and other conduct that benefits consumers. The FTC has 
rulemaking authority today.\19\ It differs from APA rulemaking in 
several respects, following restraints imposed upon the Commission by 
Congress after attempts by the agency to ban certain types of 
advertising to children. Rulemaking authority raises important issues 
of delegation and democratic accountability. Congress, not an 
administrative agency, is the best place to make policy with a profound 
impact on a substantial portion of the economy. Congress should 
consider that the flexibility that rulemaking permits also allows for 
changes in rules over time, which--regardless of the underlying 
policy--can be terrifically difficult for businesses attempting to 
adapt.
---------------------------------------------------------------------------
    \19\ 15 U.S.C. Sec. 57a.
---------------------------------------------------------------------------
    Today, the FTC cannot take action against telecommunications common 
carriers and non-profits. I support removing those jurisdictional 
limitations.

    Question 7. During the hearing, I asked the Chairman whether the 
FTC would consider using its section 6(b) authority to study consumer 
information data flows, specifically sending requests to Google, 
Facebook, Amazon, and others in the tech industry to learn what 
information they collect from consumers and how that information is 
used, shared, and sold. I believe the FTC's section 6(b) authority 
could provide some much needed transparency to consumers about the data 
practices of large technology companies, and help identify areas that 
may require additional attention from lawmakers. What are your views 
with respect to the FTC potentially conducting a study pursuant to 
section 6(b) of the Federal Trade Commission Act on the data 
collection, use, filtering, sharing, and sale practices of large 
technology companies such as Google, Facebook, Amazon, and others?
    Answer. The Commission's 6(b) authority enables it to conduct 
economic studies that do not have a specific law enforcement purpose, 
but rather are for the purpose of obtaining information about ``the 
organization, business, conduct, practices, management, and relation to 
other corporations, partnerships, and individuals'' of the entities to 
whom the inquiry is addressed. As with subpoenas and CIDs, the 
recipient of a 6(b) order may file a petition to limit or quash, and 
the Commission may seek a court order requiring compliance.\20\
---------------------------------------------------------------------------
    \20\ In addition, the Commission may commence suit in Federal court 
under Section 10 of the FTC Act, 15 U.S.C. Sec. 50, against any party 
who fails to comply with a 6(b) order after receiving a notice of 
default from the Commission. After expiration of a thirty-day grace 
period, the defaulting party is liable for a penalty for each day of 
noncompliance.
---------------------------------------------------------------------------
    The FTC has used its 6(b) authority to study and answer discrete 
questions regarding industry practices, such as to gather information 
regarding the marketing practices of major alcoholic beverage 
advertisers to study whether voluntary industry guidelines for reducing 
advertising and marketing to underage audiences had been effective.\21\ 
Another example is the Commission's July 2002 report, Generic Drug 
Entry Prior to Patent Expiration,\22\ which was the product of a 6(b) 
study, and the results of which the Commission was able to publish 
publicly pursuant to 15 U.S.C. Sec. 46(f).
---------------------------------------------------------------------------
    \21\ FTC Press Release, FTC Orders Alcoholic Beverage Manufacturers 
to Provide Data for Agency's Fourth Major Study on Alcohol Advertising 
(April 12, 2012), https://www.ftc.gov/news-events/press-releases/2012/
04/ftc-orders-alcoholic-beverage-manufacturers-provide-data-agencys
    \22\ FTC, Generic Drug Entry Prior to Patent Expiration: An FTC 
Study (July 2002), https://www.ftc.gov/sites/default/files/documents/
reports/generic-drug-entry-prior-patent-expiration-ftc-study/
genericdrugstudy_0.pdf.
---------------------------------------------------------------------------
    For any 6(b) study of the wide-ranging tech sector to be effective, 
it should focus on areas where there is reason to suspect wrongdoing is 
occurring or where the Commission believes it lacks adequate 
understanding of the conduct, practice, or management in question. 
Casting too broad a net could easily incur costs in excess of the 
information's incremental benefit, as occurred with the Commission's 
Line of Business program, which was designed to compel annual reporting 
of financial and statistical data by hundreds of manufacturing firms 
but was discontinued after being plagued by recurring non-compliance 
and costly legal battles.\23\ Congress (to the extent it seeks to 
direct such studies) and the Commission should develop clear and 
concise goals for such studies, to ensure that we have a concrete goal 
to work towards and to avoid, as much as possible, lengthy and 
expensive disputes over the scope or burden of such orders.
---------------------------------------------------------------------------
    \23\ B.J. Linder & Allan H. Savage, The Line of Business Program: 
The FTC's New Tool, 21 Cal. Mgmt. Rev. 57 (1979).
---------------------------------------------------------------------------
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Jerry Moran to 
                       Hon. Noah Joshua Phillips
    Question 1. Set to expire on September 30, 2020, the U.S. SAFE WEB 
Act allows for increased cooperation with foreign law enforcement 
authorities through confidential information sharing and the provision 
of investigative assistance. Specifically, the law authorizes the FTC 
to provide assistance to foreign law enforcement agencies to support 
their investigations and enforcement actions. Your testimony requested 
that Congress reauthorize this authority while eliminating the sunset 
provision. Would you please explain how U.S. SAFE WEB Act will impact 
U.S. consumers?
    Answer. Our economy is increasingly globalized, digitized, and 
connected. These changes generate incredible opportunity, but also pose 
new problems for American consumers, such as traditional scams that now 
thrive online and new, Internet-enabled, frauds. They also raise law 
enforcement challenges, like the enhanced ability of scammers to act 
anonymously or move ill-gotten gains outside our jurisdiction; and 
roadblocks to international law enforcement cooperation.
    Congress has been an essential ally in this fight. In 2006, it 
passed the U.S. SAFE WEB Act. SAFE WEB allows the FTC to share evidence 
with and provide investigative assistance to foreign authorities in 
cases involving issues including spam, spyware, privacy violations and 
data breach. It also confirms our authority to challenge foreign-based 
frauds that harm U.S. consumers or involve material conduct in the 
United States.
    Using SAFE WEB, the FTC has worked with authorities abroad to stop 
illegal conduct and secure millions in judgements from fraudsters, 
sometimes even criminal convictions. The FTC uses SAFE WEB authority in 
important international privacy cases. We collaborated with Canadian 
and Australian privacy authorities on the massive data breach of the 
Toronto-based, adult dating website AshleyMadison.com,\24\ and we 
worked again with Canadian authorities on the FTC's first children's 
privacy and security case involving connected toys, a settlement with 
electronic toy manufacturer VTech Electronics \25\ under the Children's 
Online Privacy Protection Act.
---------------------------------------------------------------------------
    \24\ FTC Press Release, Operators of AshleyMadison.com Settle FTC, 
State Charges Resulting From 2015 Data Breach that Exposed 36 Million 
Users' Profile Information (Dec. 14, 2016), https://www.ftc.gov/news-
events/press-releases/2016/12/operators-ashleymadisoncom-settle-ftc-
state-charges-resulting.
    \25\ FTC Press Release, Electronic Toy Maker VTech Settles FTC 
Allegations That it Violated Children's Privacy Law and the FTC Act 
(Jan. 8, 2018), https://www.ftc.gov/news-events/press-releases/2018/01/
electronic-toy-maker-vtech-settles-ftc-allegations-it-violated.
---------------------------------------------------------------------------
    In total, the FTC has responded to more than 130 SAFE WEB 
information-sharing requests from 30 foreign enforcement agencies. We 
have issued more than 115 civil investigative demands in more than 50 
investigations on behalf of foreign agencies, civil and criminal. The 
FTC has collected millions of dollars in restitution for injured 
consumers, both foreign and domestic.
    SAFE WEB helps protect Americans by policing and instilling 
confidence in the digital economy, but it sunsets in 2020. I believe 
that American consumers will be best served if Congress reauthorizes 
this authority and eliminates the sunset provision.

    Question 2. Section 5(a) of the FTC Act, which prohibits ``unfair 
or deceptive acts or practices in or affecting commerce'' is the legal 
basis for a body of consumer protection law that covers data privacy 
and security practices. The FTC has brought hundreds of cases to date 
to protect the privacy and security of consumer information held by 
companies of all sizes under this authority. The FTC staff recently 
submitted comments to the National Telecommunications and Information 
Administration (NTIA) that clearly indicate the FTC staff's view that 
the FTC would be the appropriate agency to enforce a new comprehensive 
privacy legislative framework. Do you agree with the staff's view?
    Answer. Absolutely. The FTC has developed a substantial body of 
expertise on privacy issues over decades by bringing hundreds of cases, 
hosting approximately 70 workshops, and conducting numerous policy 
initiatives. The FTC is committed to using all of its expertise, its 
existing tools under the FTC Act, and whatever additional authority 
Congress gives us, to protect consumer privacy while at the same time 
promoting innovation and competition in the marketplace.

    Question 3. As Congress evaluates opportunities to create 
meaningful Federal legislation to appropriately ensure privacy of 
consumers' data, there have been suggestions to increase the FTC's 
authorities to enforce in this space. Will you commit to working with 
this Committee in measuring what resources, if any, will be needed to 
allow the agency to enforce any additional authorities that may or may 
not be provided in Federal legislation?
    Answer. Yes. The FTC has developed substantial expertise in the 
area of data privacy and security and we are committed to working with 
Congress to help determine whether and what additional resources may be 
appropriate, commiserate with any new authorities.

    Question 4. Sharing responsibilities with the DOJ's Antitrust 
Division, the FTC enforces antitrust law in a variety of sectors as 
described by your testimony. While the vast majority of premerger 
filings submitted to enforcement agencies do not raise competition 
concerns, the FTC challenged 45 mergers since the beginning of 2017, 
and of those, the FTC only voted to initiate litigation to block five 
transactions. Would you please describe the resource needs of the 
agency associated with hiring qualified outside experts to support its 
litigation efforts? Please explain how developments in the high-
technology sector are accounted for in the FTC's decision-making 
process related to antitrust enforcement.
    Answer. As a threshold matter, it is well-recognized that the vast 
majority of premerger filings do not raise competitive concerns, and so 
the percentage of reviewed versus challenged mergers is not the result 
of a resource problem. Nor does a low incidence of full-phase 
investigations or merger challenges, relative to the total number of 
filings, indicate lax merger enforcement or the deterioration of 
competition. The ultimate antitrust question is whether a merger is 
likely to harm competition and consumers, and the FTC challenges far 
fewer mergers than it reviews because most simply do not raise 
competitive issues. That said, I appreciate your attention to the 
agency's resource needs. As we mentioned in our November 27 testimony, 
the FTC works very hard to accomplish as much as possible with the 
resources we have. We are tasked with the important dual goals of 
protecting consumers and promoting competition, both which are of 
increasing importance in the changing economy. Resource constraints 
remain a significant challenge. Evolving technologies and intellectual 
property issues, among others, continue to increase the complexity of 
antitrust investigations and litigation. That complexity, coupled with 
the rising costs of critical expert witnesses and increases in 
caseload, sometimes leads to financial and personnel resource 
limitations. In the past, we have requested additional resources for 
experts, information technology, and more full-time employees in 
support of our mission to protect consumers and promote competition. We 
also have heard the need for additional paralegals to help support our 
staff attorneys; paralegals can provide very valuable services and 
allow attorneys to devote more time to substantive issues, but they are 
a rare commodity at the Commission today. These all continue to be 
critical areas of need for our agency. If we receive additional 
resources, we plan to apply them to these areas.
    Qualified experts are a critical resource in all of the FTC's 
competition cases heading toward litigation. For example, expert 
witness services are critical to merger cases, as they help the FTC 
satisfy key burdens such as defining product and geographic markets and 
estimating the likely harms (and countering defendants' estimation of 
any alleged procompetitive benefits).
    Expert witness costs are highly dependent on the number, scope, 
duration, and disposition of our Federal and administrative court 
challenges--increasing (often significantly) as these factors increase. 
To limit these costs, the FTC has continued to identify and implement a 
variety of strategies, including using internal personnel from its 
Bureau of Economics as expert witnesses whenever practical. The 
opportunities to use internal experts as testifying experts are 
limited, however, by several factors, including staff availability, 
testifying experience, and the specialized expertise required for 
specific matters.
    As with other critical areas under our jurisdiction, the FTC 
closely follows activity and developments in the high-technology 
sector. Given the important role that technology companies play in the 
modern American economy, the Commission has prioritized understanding 
the competition and consumer protection issues that can arise in this 
space.
    The fundamental principles of antitrust do not differ when applied 
to high-technology industries, including those in which patents or 
other intellectual property are highly significant. The issues, 
however, can be more complex and require different expertise, which may 
necessitate the hiring of outside experts or consultants to help us 
develop and litigate our cases. The FTC strives to adapt to the dynamic 
markets we protect by leveraging the research, advocacy, and education 
tools at our disposal. For example, last fall, the Commission launched 
its Hearings on Competition and Consumer Protection in the 21st Century 
to understand better both the advancements in technology and the new 
business models they support, and how to target enforcement efforts in 
these evolving spaces.\26\
---------------------------------------------------------------------------
    \26\ FTC, Hearings on Competition and Consumer Protection in the 
21st Century, https://www.ftc.gov/policy/hearings-competition-consumer-
protection. Recent hearings included a two-day workshop on the 
potential for collusive, exclusionary, and predatory conduct in 
multisided, technology-based platform industries. FTC, FTC Hearing on 
Competition and Consumer Protection in the 21st Century #3: Multi-Sided 
Platforms, Labor Markets, and Potential Competition (Oct. 15-17, 2018), 
https://www.ftc.gov/news-events/events-calendar/2018/10/ftc-hearing-3-
competition-consumer-protection-21st-century. Similarly, in early 
November, the Commission held a two-day workshop on the antitrust 
frameworks for evaluating acquisitions of nascent competitors in the 
technology and digital marketplace, and the antitrust analysis of 
mergers and conduct where data is a key asset or product. FTC, FTC 
Hearing on Competition and Consumer Protection in the 21st Century #6: 
Privacy, Big Data, and Competition (Nov. 6-8, 2018), https://
www.ftc.gov/news-events/events-calendar/ftc-hearing-6-competition-
consumer-protection-21st-century. Also in November, the Commission held 
a two-day workshop on the competition and consumer protection issues 
associated with algorithms, artificial intelligence, and predictive 
analysis in business decisions and conduct. FTC, FTC Hearing on 
Competition and Consumer Protection in the 21st Century #7: The 
Competition and Consumer Protection Issues of Algorithms, Artificial 
Intelligence, and Predictive Analytics (Nov. 13-14, 2018), https://
www.ftc.gov/news-events/events-calendar/ftc-hearing-7-competition-
consumer-protection-21st-century.

    Question 5. Earlier this year, I introduced legislation called the 
Senior Scams Prevention Act with Senator Bob Casey to combat continued 
and increasingly complex attempts to defraud one of the Nation's most 
vulnerable populations, our senior community. This bill seeks to ensure 
retailers, financial institutions and wire transfer companies have the 
resources to train employees to help stop financial frauds and scams on 
seniors. Would you agree that awareness and education, guided by ``best 
practices'' established by industry and government partners, is a 
valuable tool in preventing consumer harms against our Nation's 
seniors?
    Answer. I agree that awareness and education are essential to 
protect our Nation's seniors. Indeed, protecting older Americans has 
long been a top priority, and it is increasingly important as that 
population grows. To this end, we engage in research, education, and 
enforcement actions focused on educating and protecting older 
Americans, including our Pass It On campaign,\27\ to help both protect 
seniors and prosecute wrongdoers.
---------------------------------------------------------------------------
    \27\ FTC, Consumer Information--Pass it on, https://
www.consumer.ftc.gov/features/feature-0030-pass-it-on (providing 
consumer information on identity theft, imposter scams, charity fraud, 
and other topics).
---------------------------------------------------------------------------
    More generally, our anti-fraud activities are at the core of our 
law enforcement efforts, protecting not just seniors but a broad range 
of vulnerable consumer populations, including minorities and veterans. 
That includes efforts to stop fraudulent business opportunity schemes, 
police unsubstantiated health claims, and shut down sham charities that 
prey on unsuspecting consumers and target their hard-earned savings.
    The Commission must and will keep a focus on these efforts, which 
protect consumers from immediate and tangible harms. We are ready and 
willing to work with additional partners--from government, civil 
society, academia, and industry--to identify and prevent harms to older 
consumers, as well as other vulnerable consumers.

    Question 6. In its comments submitted to NTIA on ``Developing the 
Administration's Approach to Consumer Privacy,'' the FTC discussed the 
various cases that it has taken up to address privacy-related harms to 
consumers, and it specifically noted four categories of harms: 
financial injury, physical injury, reputational injury, and unwanted 
intrusion. Could you please briefly describe each category while noting 
any FTC enforcement considerations specific to that type of harm?
    Answer. Certainly. Financial injury can manifest in a variety of 
ways: fraudulent charges, delayed benefits, expended time, opportunity 
costs, fraud, and identity theft, among other things.\28\ Physical 
injuries include risks to individuals' health or safety, including the 
risks of stalking and harassment.\29\ Reputational injury involves 
disclosure of private facts about an individual, which damages the 
individual's reputation. Tort law recognizes reputational injury.\30\ 
The FTC has brought cases involving this type of injury, for example, 
in a case involving public disclosure of individuals' Prozac use \31\ 
and public disclosure of individuals' membership on an infidelity-
promoting website.\32\ Finally, unwanted intrusions involve two 
categories. The first includes activities that intrude on the sanctity 
of people's homes and their intimate lives. The FTC's cases involving a 
revenge porn website,\33\ an adult-dating website,\34\ and companies 
spying on people in their bedrooms through remotely-activated webcams 
fall into this category.\35\ The second category involves unwanted 
commercial intrusions, such as telemarketing, spam, and harassing debt 
collection calls. In terms of enforcement considerations, as noted 
above, the FTC is very mindful of ensuring that it addresses these 
harms, while not impeding the benefits of data collection and use 
practices.
---------------------------------------------------------------------------
    \28\ See, e.g., Complaint, TaxSlayer, LLC, No. C-4626 (F.T.C. Oct. 
20, 2017), https://www.ftc.gov/enforcement/cases-proceedings/162-3063/
taxslayer (alleging delayed benefits, expended time, and risk of 
identity theft).
    \29\ See, e.g., Complaint, FTC v. Accusearch, Inc., No. 06-CV-0105 
(D. Wyo. April 27, 2006), https://www.ftc.gov/enforcement/cases-
proceedings/052-3126/accusearch-inc-dba-abikacom-jay-patel (alleging 
that telephone records pretexting endangered consumers' health and 
safety).
    \30\ Under the tort of public disclosure of private facts (or 
publicity given to private life), a plaintiff may recover where the 
defendant's conduct is highly offensive to a reasonable person. 
Restatement (Second) of Torts Sec. 652D (1977).
    \31\ Eli Lilly and Co., No. C-4047 (F.T.C. 2002), https://
www.ftc.gov/enforcement/cases-proceedings/012-3214/eli-lilly-company-
matter.
    \32\ FTC v. Ruby Corp., et al., No. 1:16-cv-02438 (D.D.C. 2016), 
https://www.ftc.gov/enforcement/cases-proceedings/152-3284/ashley-
madison.
    \33\ FTC v. EMP Media, Inc., et al., No. 2:18-cv-00035 (D. Nev. 
2018), https://www.ftc.gov/enforcement/cases-proceedings/162-3052/emp-
media-inc-myexcom.
    \34\ FTC v. Ruby Corp., et al., No. 1:16-cv-02438 (D.D.C. 2016), 
https://www.ftc.gov/enforcement/cases-proceedings/152-3284/ashley-
madison.
    \35\ See FTC Press Release, FTC Halts Computer Spying (Sept. 25, 
2012), https://www.ftc.gov/news-events/press-releases/2012/09/ftc-
halts-computer-spying; see also Aaron's, Inc., No. C-4442 (F.T.C. Mar. 
10, 2014), https://www.ftc.gov/enforcement/cases-proceedings/122-3256/
aarons-inc-matter.
---------------------------------------------------------------------------
    I note additionally that the definition of ``substantial injury'' 
under Section 5(n) has been interpreted by the Commission in the past 
to reach these types of harms. ``Privacy'' harms often involve largely 
non-economic harms, potentially including harms not presently 
cognizable under the FTC Act. In considering privacy legislation, I 
urge Congress to study and understand the harms it wishes to address 
and craft remedies appropriate to them.

    Question 7. In the FTC's recent comments in NTIA's privacy 
proceeding, the FTC said that its ``guiding principles'' are based on 
``balancing risk of harm with the benefits of innovation and 
competition.'' Would you describe what this means, how you strike this 
balance, and how it is applied in practice under your Section 5 
authority in the FTC Act?
    Answer. In its comments to NTIA, the Commission wrote that it 
``supports a balanced approach to privacy that weighs the risks of data 
misuse with the benefits of data to innovation and competition'', 
noting that striking that balance is ``essential to protecting 
consumers and promoting competition and innovation.'' \36\ Recognizing 
the kinds of harms we have pursued in privacy enforcement matters--
financial, physical, and reputational injury, and unwanted intrusions--
we also recognized the many benefits and innovations that the sharing 
of data have achieved for American consumers. The Commission went on to 
warn that ``privacy standards that give short shrift to the benefits of 
data-driven practices may negatively affect innovation and 
competition'' and that ``regulation can unreasonably impede market 
entry or expansion by existing companies.''
---------------------------------------------------------------------------
    \36\ Federal Trade Commission Staff, Comment to the National 
Telecommunications and Information Administration on Developing the 
Administration's Approach to Consumer Privacy (Nov. 9, 2018), https://
www.ftc.gov/policy/advocacy/advocacy-filings/2018/11/ftc-staff-comment-
ntia-developing-administrations-approach.
---------------------------------------------------------------------------
    All of this means that, in thinking about regulation or law 
enforcement with respect to privacy, we must keep in mind that we are 
talking about one of the most dynamic aspects of the global economy, 
one where the U.S. is a leader in innovation and job growth. We should 
be clear about the harms we wish to stop, and weigh those against the 
benefits.
    In unfairness cases, Section 5(n) of the FTC Act requires us to 
strike this balance. It does not allow the FTC to bring a case alleging 
unfairness ``unless the act or practice causes or is likely to cause 
substantial injury to consumers, which is not reasonably avoidable by 
consumers themselves and not outweighed by benefits to consumers or to 
competition.'' Thus, for example, in our data security complaints and 
orders, we often plead the specific harms that consumers are likely to 
suffer from a company's data security failures. We do not assert that 
companies need to spend unlimited amounts of money to address these 
harms; in many of our cases, we specifically allege that the company 
could have fixed the security vulnerabilities at low or no cost.
    As with any law enforcement agency, we should and do exercise our 
discretion when deciding whether to pursue matters and how to resolve 
them. In so doing, we should keep our guiding principles in mind and 
focus on deterring real and significant harms to consumers, providing 
the right incentives to the marketplace to take reasonable steps that 
will limit both consumer harm and liability, and avoiding the creation 
of a culture of uncertainty and fear that would impede consumer-
friendly innovation.

    Question 8. The FTC's comments pertaining to ``control'' in NTIA's 
privacy proceeding stated, ``Choice also may be unnecessary when 
companies collect and disclose de-identified data, which can power data 
analytics and research, while minimizing privacy concerns.'' How would 
the FTC suggest Federal regulation account for de-identified data, if 
at all?
    Answer. In our NTIA comment, we reference different types of 
privacy-related harms: financial, physical, reputational, and unwanted 
intrusion. All these types of harms are mitigated, or even eliminated, 
when data cannot be tracked to a consumer. As such, appropriately de-
identified data does not raise the same risks and should be treated 
differently, especially considering the benefits of using such data for 
innovative, consumer-friendly purposes.

    Question 9. Your testimony indicated that continued technological 
developments allow illegal robocallers to conceal their identities in 
``spoofing'' caller IDs while exponentially increasing robocall volumes 
through automated dialing systems. These evolving technological changes 
mean that the critical law enforcement efforts of the FTC cannot be the 
only solution, and your testimony described the additional steps the 
FTC is taking to develop innovative solutions to these issues. Would 
you please describe the process and outcomes of the four public 
challenges that the FTC held from 2013 to 2015? Are there plans to 
incentivize innovators to combat robocalls in the future?
    Answer. The FTC's process for its robocall challenges included 
public announcements, committees with independent judges, and, in some 
cases, cash prizes awarded under the America COMPETES Reauthorization 
Act.\37\ To maximize publicity, the FTC announced each of its four 
challenges in connection with public events. The FTC announced the 
first robocall challenge at the FTC's 2012 Robocall Summit. In 2014, 
the FTC conducted its second challenge, ``Zapping Rachel'' at DEF CON 
22. The FTC conducted its third challenge, ``DetectaRobo,'' in June 
2015 in conjunction with the National Day of Civic Hacking. The final 
phase of the FTC's fourth public robocall challenge took place at DEF 
CON 23. When the FTC held its first public challenge, there were few, 
if any, call blocking or call labeling solutions available for 
consumers. Today, two FTC challenge winners, NomoRobo and Robokilller, 
offer call blocking applications, and there are hundreds of mobile apps 
offering call blocking and call labeling solutions for cell phones. 
Many home telephone service providers also now offer call blocking and 
call labeling solutions. The FTC will not hesitate to initiate 
additional innovation contests if it identifies further challenges that 
could meaningfully benefit consumers by reducing the harm caused by 
illegal robocalls.
---------------------------------------------------------------------------
    \37\ See FTC, Consumer Information--Robocalls, https://
www.consumer.ftc.gov/features/feature-0025-robocalls.
---------------------------------------------------------------------------
    In addition to developing call blocking and call labeling 
technology, the telecom industry has also developed call verification 
technology, called STIR/SHAKEN, to help consumers know whether a call 
is using a spoofed Caller ID number and assist call analytics companies 
in implementing call blocking and call labeling products. If widely 
implemented and made available to consumers, the STIR/SHAKEN protocol 
should minimize unwanted calls. Certain industry members have begun to 
roll out this technology and it is in beta testing mode. We will keep a 
close eye on this industry initiative and continue to encourage its 
implementation.

    Question 10. Would you please describe the FTC's coordination 
efforts with state, federal, and international partners to combat 
illegal robocalls?
    Answer. Robocalls are a pernicious problem, a fact of which the 
average American consumer is reminded several times a day.
    The FTC frequently coordinates its efforts with its state, federal, 
and international partners. The FTC often brings robocall enforcement 
actions with states as co-plaintiffs. For example, in the FTC's case 
against Dish Network, litigated for the FTC by the Department of 
Justice, the FTC brought the case jointly with California, Illinois, 
North Carolina, and Ohio. Collectively, the states and the FTC obtained 
a historic $280 million trial verdict.\38\
---------------------------------------------------------------------------
    \38\ FTC Press Release, FTC and DOJ Case Results in Historic 
Decision Awarding $280 Million in Civil Penalties against Dish Network 
and Strong Injunctive Relief for Do Not Call Violations (June 6, 2017), 
https://www.ftc.gov/news-events/press-releases/2017/06/ftc-doj-case-
results-historic-decision-awarding-280-million-civil. The case is on 
appeal before the Seventh Circuit Court of Appeals.
---------------------------------------------------------------------------
    The FTC also coordinates outreach and education with the FCC. In 
2018, the agencies co-hosted two robocall events--a policy forum that 
discussed technological and law enforcement solutions to the robocall 
problem \39\ and a public expo that allowed companies offering call 
blocking and call labeling services to showcase their products for the 
public.\40\ Additionally, the FTC and FCC hold quarterly calls, speak 
regularly on an informal basis, and coordinate on a monthly basis with 
our state partners through the National Association of Attorneys 
General. The FTC also engages with international partners through 
participation in international law enforcement groups such as the 
International Consumer Protection Enforcement Network, International 
Mass Marketing Fraud Working Group, and the Unsolicited Communications 
Network (formerly known as the London Action Plan).
---------------------------------------------------------------------------
    \39\ FTC Press Release, FTC and FCC to Host Joint Policy Forum on 
Illegal Robocalls (Mar. 22, 2018), https://www.ftc.gov/news-events/
press-releases/2018/03/ftc-fcc-host-joint-policy-forum-illegal-
robocalls.
    \40\ FTC Press Release, FTC and FCC to Co-Host Expo on April 23 
Featuring Technologies to Block Illegal Robocalls (Apr. 19, 2018), 
https://www.ftc.gov/news-events/press-releases/2018/04/ftc-fcc-co-host-
expo-april-23-featuring-technologies-block-0.

    Question 11. Your testimony described the limitations of the FTC's 
current data security enforcement authority provided by Section 5 of 
the FTC Act including: lacking civil penalty authority, lacking 
authority over non-profits and common carrier activity, and missing 
broad APA rulemaking authority. Please describe each of these 
limitations and how adjusted FTC authority to address these items would 
improve the protection of consumers from data security risks.
    Answer. Congress should consider all these tools in fashioning data 
security legislation. For good reason, the FTC Act does not give the 
Commission penalty authority for first-time violators. If Congress were 
to give the FTC the authority to seek civil penalties for first-time 
violators of data security rules specifically (subject to statutory 
limitations on the imposition of such penalties, such as ability to 
pay), we would have greater ability to deter potentially harmful 
conduct. Due to asymmetric information, interdependent systems, and 
difficulties in tracing ID theft to a particular firm, there are 
reasons to believe that in many circumstances firms may lack sufficient 
incentives to adequately invest in data security under current law.\41\ 
Correctly calibrated civil penalties would cause companies to 
internalize the full costs of inadequate data security, fostering 
proper incentives to protect consumer data.
---------------------------------------------------------------------------
    \41\ See, e.g., Steven Shavell, Foundations of Economic Analysis of 
Law 244 (2004) (when victims cannot identify the injurer, injurers will 
lack adequate incentives to take care); George Akerlof, The Market for 
``Lemons'': Quality Uncertainty and the Market Mechanism, 84 Q.J. Econ. 
488 (1970); Howard Kunreuther & Geoffrey Heal, Interdependent Security, 
26 J. Risk & Uncertainty 231 (2003).
---------------------------------------------------------------------------
    As to APA rulemaking authority, were Congress to enact specific 
data security legislation, APA rulemaking authority would allow us more 
efficiently to adopt implementing rules. Such authority will ensure 
that the FTC can enact rules and amend them as necessary to keep up 
with technological developments. However, as I have stated in other 
contexts, the difficult judgments as to details and shape of data 
security legislation should be made in Congress, not at the agency 
level. This will provide for more certainty and consistency, and is the 
more appropriate democratic forum.
    As to non-profits and common carriers, we are all well aware of the 
regular reports of breaches impacting these sectors. Indeed, the need 
for security in these sectors is not appreciably different from the 
need in many other sectors of the economy already under FTC 
jurisdiction. Giving us jurisdiction for data security in these sectors 
will create more consistency across the marketplace and allow for more 
certainty and clarity.
                                 ______
                                 
 Response to Written Questions Submitted by Hon. Richard Blumenthal to 
                       Hon. Noah Joshua Phillips
Privacy Rules
    We know that Americans care about privacy--that they eagerly want 
these rights. We need baseline rules. Companies should not store 
sensitive information indefinitely and use that data for purposes that 
people never intended. Federal rules must set meaningful obligations on 
those that handle our data. We must enable consumers to trust and 
control their personal data.

    Question 8. Do you support providing state AGs with the power to 
enforce Federal privacy protections and would you commit to working 
with state AGs?
    Answer. Attorneys General can be important partners in protecting 
consumers, acting as force multipliers for Federal law enforcement. I 
think this is a valuable model that Congress should weigh. It should 
also consider whether to allow the FTC authority to assert exclusive 
jurisdiction when necessary, to ensure consistent and coherent 
application of Federal law.

    Question 9. Why is it important that the FTC have rulemaking 
authority when it comes to privacy? Where best would rulemaking be 
applied?
    Answer. Rulemaking authority raises important issues of delegation 
and democratic accountability. Congress, not an administrative agency, 
is the best place to make policy with a profound impact on a 
substantial portion of the economy. Congress should consider that the 
flexibility that rulemaking permits also allows for changes in rules 
over time, which--regardless of the underlying policy--can be 
terrifically difficult for businesses attempting to adapt.

    Question 10. Do you believe elevating the Office of Technology 
Research and Investigation to the Bureau level would meaningfully help 
the FTC in addressing new technological developments across its 
mandates?
    Answer. I do not believe that elevating the Office of Technology 
Research and Investigation to the Bureau level would meaningfully help 
the FTC.
Board Accountability
    Question 12. What is the FTC doing to investigate and hold 
accountable individual board members and executives who knowingly 
assist their companies in committing fraud? What more should the FTC be 
doing in this regard?
    Answer. The FTC always considers the potential liability of 
individual officers and others who knowingly assist fraud. Where we 
find the appropriate facts, we name such people as defendants.
FTC Investigation of Algorithms
    Section 6(b) of the FTC Act gives the agency broad investigatory 
and information-gathering powers. For example, in the 1970s the FTC 
used its Section 6(b) authority to require companies to submit product-
line specific information, enabling the agency to assess the state of 
competition across markets.
    The FTC has released reports on big data and the harms biased 
algorithms can cause to disadvantaged communities. These reports drew 
attention to the potential loss of economic opportunity and diminished 
participation in our society. Yet, information on how these algorithms 
work, and on the inputs that go into them, remains opaque.

    Question 19. Where the FTC consider using its Section 6(b) 
investigative power to help us understand how these algorithms and 
black-box A.I. systems work--the biases that shape them, and how those 
can affect trade, opportunity, and the market?
    Answer. Advancements in algorithm design, A.I. systems, and data 
analytics have played and continue to play a crucial role in spurring 
innovation that can deliver significant benefits to our society and 
drive our Nation's economic growth. Given their significance, I agree 
that algorithms and artificial intelligence are important topics of 
study. In 2017, the FTC and Department of Justice submitted a joint 
paper on algorithms and collusion to the Organization for Economic 
Cooperation and Development as part of the OECD's broader look at the 
role of competition policy and the digital age.\1\ More recently, we 
examined the competition and consumer protection implications of 
algorithms, artificial intelligence, and predictive analytics as part 
of the Commission's Hearings on Competition and Consumer Protection in 
the 21st Century.\2\ The two-day hearing featured a distinguished group 
of technologists, scientists, public servants, academics, and industry 
leaders (as well as economists and lawyers), who gathered to educate us 
and the broader competition and consumer protection community about how 
these technologies work, how they are used in the marketplace, and 
their policy implications. The Commission also invited public 
commentary on this topic.
---------------------------------------------------------------------------
    \1\ Note by the United States on Algorithms and Collusion, OECD 
Doc. DAF/COMP/WD(2017)41 (May 26, 2017), https://www.ftc.gov/policy/
reports/us-submissions-oecd-2010-present#oecd.
    \2\ FTC, Hearings on Competition and Consumer Protection in the 
21st Century, https://www.ftc.gov/policy/hearings-competition-consumer-
protection; FTC, FTC Hearing on Competition and Consumer Protection in 
the 21st Century #7: The Competition and Consumer Protection Issues of 
Algorithms, Artificial Intelligence, and Predictive Analytics (Nov. 13-
14, 2018), https://www.ftc.gov/news-events/events-calendar/ftc-hearing-
7-competition-consumer-protection-21st-century.
---------------------------------------------------------------------------
    The Commission will keep you apprised of any initiatives that come 
out of our hearings project. I also appreciate your interest in the 
Commission conducting a study of algorithms and artificial intelligence 
under Section 6(b) of the FTC Act. It is my understanding that the 
agency intends to conduct 6(b) studies in the technology area, though 
the subjects of these studies are still being considered.
FTC Consent Decree on Unrepaired Recalls
    Most consumers probably do not know that, while new car dealers are 
prohibited from selling vehicles with open recalls, used car dealers 
are not. A recent FTC consent decree, which I strenuously disagreed 
with and is currently being scrutinized in the courts, allows the sale 
of used cars with unrepaired recalls. According to the consent decree, 
car dealers can advertise that cars with unrepaired safety recalls like 
a defective Takata airbag are ``safe'' or have passed a ``rigorous 
inspection''--as long as they have a disclosure that the vehicle may be 
subject to an unrepaired recall and directs consumers on how they can 
determine the vehicle has an open recall.

    Question 20. In your opinion, is a car with an open, unrepaired 
recall, a ``safe'' car? Why would the FTC allow unsafe cars to be 
advertised as ``safe'' and ``repaired for safety,'' with or without a 
vague, contradictory and confusing disclaimer?
    Answer. We share your concerns regarding the safety issues raised 
by recalls in the used automobile marketplace. As you note, while 
Federal auto safety law requires that all new cars sold be free from 
recalls, it does not prohibit auto dealers from selling used cars with 
open recalls.
    However, the FTC Act enables the Commission to stop auto dealers 
selling such cars from engaging in misleading advertising practices 
that mask the existence of open recalls. In an effort to stop such 
claims, in 2016 and 2017, the Commission brought actions against 
General Motors Company, CarMax, Inc., and four other large used car 
dealerships. In these actions, the Commission alleged that these 
companies' advertising claims violated the FTC Act by touting the 
rigorousness of their used car inspections while failing to clearly 
disclose the existence of unrepaired safety recalls in some cars.\3\
---------------------------------------------------------------------------
    \3\ FTC Press Release, GM, Jim Koons Management, and Lithia Motors 
Inc. Settle FTC Actions Charging That Their Used Car Inspection Program 
Ads Failed to Adequately Disclose Unrepaired Safety Recalls (Jan. 28, 
2016), https://www.ftc.gov/news-events/press-releases/2016/01/gm-jim-
koons-management-lithia-motors-inc-settle-ftc-actions; FTC Press 
Release, CarMax and Two Other Dealers Settle FTC Charges That They 
Touted Inspections While Failing to Disclose Some of the Cars Were 
Subject to Unrepaired Safety Recalls (Dec. 16, 2016), https://
www.ftc.gov/news-events/press-releases/2016/12/carmax-two-other-
dealers-settle-ftc-charges-they-touted.
---------------------------------------------------------------------------
    Our orders stop this deceptive conduct and provide important 
additional protections for consumers. First, they prohibit each company 
from making any safety-related claim about its vehicles unless the 
vehicles are recall-free, or, alternatively, the company discloses 
clearly and conspicuously \4\ and in close proximity to the 
representation both that the vehicles may be subject to open recalls 
and how consumers can determine the recall status of a particular car. 
This means that, if any car on the companies' lots is subject to an 
open recall, every time the companies make these types of inspection 
claims, they must prominently disclose this important information on 
recalls. Further, the orders required each company to warn consumers 
who already purchased one of its used cars that the vehicle may have an 
open recall.
---------------------------------------------------------------------------
    \4\ Importantly, the orders define ``clearly and conspicuously'' in 
detail to mean, among other things, that disclosures must be 
``difficult to miss (i.e., easily noticeable) and easily understandable 
by ordinary consumers,'' and to require that ``[a] visual disclosure, 
by its size, contrast, location, the length of time it appears, and 
other characteristics, must stand out from any accompanying text or 
other visual elements so that it is easily noticed, read, and 
understood.'' E.g., General Motors LLC, No. C-4596, 2016 WL 7383980, at 
*4, (F.T.C. 2016).
---------------------------------------------------------------------------
    Without our actions, these car sellers could not only continue to 
sell used vehicles subject to open recalls (a practice currently 
permitted under Federal product safety law), but could also make 
misleading inspection claims masking this fact--without in any way 
disclosing the possibility of recalls. Under the Commission's orders, 
consumers will instead receive important information about open recalls 
whenever respondents make these kinds of claims.\5\
---------------------------------------------------------------------------
    \5\ Beyond this sweep of cases, in October 2018, the FTC secured 
orders in the Passport Toyota matter against a group of dealerships, 
and their principals, for mailing more than 21,000 fake ``urgent'' 
recall notices to consumers. We alleged that the vast majority of the 
vehicles covered by the notices did not have open recalls, but that the 
dealers instead used these fake recall notices to increase business at 
the dealerships' service departments. Complaint, FTC v. Passport 
Imports, Inc., No. 8:18-cv-03118 (D. Md. Oct. 10, 2018), https://
www.ftc.gov/enforcement/cases-proceedings/162-3193/passport-imports-
inc-passport-toyota.
---------------------------------------------------------------------------
Question on Non-Compete Clauses
    I am concerned about the growth of non-compete clauses, which block 
employees from switching jobs to another employer in the same sector 
for a certain period of time. These clauses weaken workers' bargaining 
power once they are in the job, because workers often cannot credibly 
threaten to leave if their employer forces refuses to give them a raise 
or imposes poor working conditions. According to the Economic Policy 
Institute, roughly 30 million workers--including one in six workers 
without a college degree--are now covered by non-compete clauses.
    The consensus in favor of addressing non-compete clauses is 
growing. For example, just this past December, an interagency report 
indicated that non-compete clauses can be harmful in certain contexts, 
such as the healthcare industry. Yet, the FTC has not yet undertaken 
forceful action. In September, Commissioner Chopra suggested that the 
FTC use its rulemaking authority to ``remove any ambiguity as to when 
non-compete agreements are permissible or not.''

    Question 23. Do you agree with the proposal that the FTC use its 
rulemaking authority to address non-compete clauses? I invite you to 
explain your reasoning regarding your stance.
    Answer. Recent research shows that non-compete clauses may be far 
more prevalent in the modern economy than enforcers realized. The 
validity and enforceability of these clauses is not always clear--some 
states have strict limitations against enforcing such clauses and it is 
uncertain today whether employees covered by such clauses always 
understand their legal position.
    I fear the increase in various labor restrictions may be combining 
to stifle worker mobility, and with it potentially wages and 
opportunities, as well. Non-compete clauses, no-poach agreements (which 
also appear to have proliferated in some spaces), and occupational 
licensing requirements (which have dramatically increased in scope in 
recent decades) all and together affect workers' ability to find and 
obtain desirable jobs. Many of the insights regarding the prevalence of 
non-competes clauses and no-poach agreements have come to light only 
recently, and the Commission has been closely following these 
developments and working to understand better the scope and effects of 
such clauses, to add to its long-established work on occupational 
licensing. It is not clear that non-compete clauses present antitrust 
issues, except in narrow circumstances; but as the agency tasked with 
protecting consumers and competition, the FTC is working to understand 
how such clauses may impact markets, alone or in combination with other 
restrictive clauses.
    A rulemaking is probably premature at this stage, as these issues 
deserve careful study and a clear understanding of both how such terms 
may impact labor flow and how best to tailor any rules or enforcement 
efforts to achieve better outcomes. Several states have begun efforts 
to curb the use of non-competes, and senators have been working on 
bills that would help limit such practices nationwide. I look forward 
to working with members on this critical question.
Question on Local Merger Enforcement
    Even though big national mergers typically garner the most media 
attention, smaller mergers can often raise monopoly concerns on the 
local level. This can be true in the healthcare industry, for example. 
In November, Commissioner Simons told me: ``Some local mergers may be 
too small to require Hart-Scott-Rodino premerger notification, but may 
still have anticompetitive effects.''

    Question 24. Would you agree with me that Hart-Scott-Rodino 
premerger notifications help antitrust enforcers catch concerning 
mergers?
    Answer. Yes, I agree that the premerger notification requirements 
of the Hart-Scott-Rodino Premerger Notification Act (HSR) help 
antitrust enforcers identify anticompetitive mergers before they are 
consummated, preventing consumer harm. Once a merger is consummated and 
the firms' operations are integrated, it can be very difficult, if not 
impossible, to ``unscramble the eggs'' and restore the acquired firm to 
its former status as an independent competitor.
    It is important, however, to ensure that the HSR filing 
requirements are tailored properly. The FTC typically issues requests 
for additional documents and evidence for only a very small percentage 
of filings it receives--with wide, bipartisan agreement that most 
mergers do not pose competitive problems--and ultimately enters into 
consent decrees or seeks to block even fewer mergers. In other words, 
HSR filing requirements today cast a very large net to catch a very 
few--albeit very important--fish. Given the vast expansion of antitrust 
regimes around the globe in recent years, the U.S. should endeavor to 
be a leader in setting meaningful and appropriate premerger filing 
requirements, and to avoid setting a standard that would allow other 
jurisdictions to say they are following the U.S. in using antitrust 
regimes as a method of increasing government revenues.

    Question 25. What sort of anticompetitive effects might be raised 
by local mergers even when those mergers are too small to require Hart-
Scott-Rodino premerger notification?
    Answer. Anticompetitive mergers can harm consumers in several ways, 
including by increasing prices and reducing output, or by lowering 
quality or services, hampering innovation, or diminishing new entry or 
expansion.\6\ These harmful effects can manifest in local as well as 
more geographically-expansive mergers. Although the harms local mergers 
present are, by definition, restricted to a smaller geographic area, 
their effects can still be pernicious.\7\
---------------------------------------------------------------------------
    \6\ U.S. Department of Justice & Federal Trade Commission, 
Horizontal Merger Guidelines Sec. 1 (2010), https://www.ftc.gov/public-
statements/2010/08/horizontal-merger-guidelines-united-states-
department-justice-federal (``A merger enhances market power if it is 
likely to encourage one or more firms to raise price, reduce output, 
diminish innovation, or otherwise harm customers as a result of 
diminished competitive constraints or incentives.'').
    \7\ Id. at Sec. 4.2. In antitrust analysis, a relevant market 
identifies a set of products or services and a geographic area of 
competition in which to analyze the potential effects of a proposed 
transaction. The purpose of market definition is to identify options 
available to consumers. See id. at Sec. 4 (describing market definition 
in antitrust analysis).
---------------------------------------------------------------------------
    The FTC often examines local geographic markets in the course of 
its merger review, both when assessing the effects that mergers of 
national companies might have in local areas and when examining local 
mergers. For instance, the FTC typically considers local geographic 
markets in retail markets, such as supermarkets, pharmacies, retail gas 
or diesel fuel stations, or funeral homes, and in service markets, such 
as health care. In a recent Federal court action seeking to enjoin the 
proposed merger of two rival physician services providers, the FTC and 
State of North Dakota defined the relevant geographic market as the 
Bismarck-Mandan, North Dakota, Metropolitan Statistical Area--a four-
county area that includes the cities of Bismarck and Mandan and smaller 
communities within the surrounding 40 to 50 mile radius.\8\
---------------------------------------------------------------------------
    \8\ FTC v. Sanford Health, No. 1:17-cv-0133 (D.N.D. 2017), https://
www.ftc.gov/enforcement/cases-proceedings/171-0019/sanford-health-ftc-
state-north-dakota-v. The U.S. District Court for the District of North 
Dakota granted the FTC and State of North Dakota's preliminary 
injunction motion on December 13, 2017. The parties have appealed and 
the case is now pending before the Eighth Circuit.

    Question 26. What action would you recommend either the FTC or 
Congress take in order to assist Federal and state antitrust enforcers 
in catching local mergers that raise anticompetitive concerns?
    Answer. While I have no opinion as to whether Congress should take 
action, identifying anticompetitive mergers remains one of the FTC's 
top competition priorities. Today, the FTC devotes the bulk of its 
merger review efforts to transactions that parties report pre-
consummation. However, the FTC also closely monitors M&A activity more 
broadly, to identify unreported (often, but not always, consummated) 
mergers that could harm consumers. The FTC uses the trade press and 
other news articles, consumer and competitor complaints, hearings, 
economic studies, and other means to identify such potentially harmful 
activity (both merger and other conduct). The FTC also routinely works 
with state attorneys general in its enforcement efforts; state 
attorneys general routinely join the FTC as co-plaintiffs in Federal 
court litigations, such as in the North Dakota physician services 
merger litigation discussed above.
Question on Horizontal Shareholding
    Recent research has raised questions about whether horizontal 
shareholding harms competition in our economy. I would like to 
understand your view on this ongoing research.

    Question 27. Do you believe that horizontal shareholding raises 
anticompetitive concerns?
    Answer. See below.

    Question 28. Do you believe that our antitrust laws can be used to 
address the anticompetitive concerns raised by horizontal shareholding?
    Answer. See below.

    Question 29. What, if anything, are you doing to address any 
potential harms of horizontal shareholding?
    Answer. Today, there is insufficient evidence to conclude that 
horizontal shareholding presents real competitive concerns. There have 
been a few recent and notable papers attempting to analyze the 
competitive effects of such holdings, but they do not yet provide a 
basis for enforcers attempting to extrapolate whether a larger, more 
pernicious phenomenon is at play.\9\
---------------------------------------------------------------------------
    \9\ See Note by the United States on Common Ownership by 
institutional investors and its impact on competition at  1, OECD Doc. 
DAF/COMP/WD(2017)86 (Nov. 28, 2017), https://www.ftc.gov/policy/
reports/us-submissions-oecd-2010-present#oecd (explaining that 
``[g]iven the ongoing academic research and debate, and its early stage 
of development, the U.S. antitrust agencies are not prepared at this 
time to make any changes to their policies or practices with respect to 
common ownership by institutional investors.''); see also Noah Joshua 
Phillips, Commissioner, Federal Trade Commission, Opening Remarks at 
FTC Hearing on Competition and Consumer Protection in the 21st Century 
#8: Corporate Governance, Institutional Investors, and Common Ownership 
(Dec. 6, 2018), https://www.ftc.gov/public-statements/2018/12/opening-
remarks-commissioner-noah-joshua-phillips-ftc-hearing-8; Noah Joshua 
Phillips, Commissioner, Federal Trade Commission, Prepared Remarks at 
the Global Antitrust Economics Conference: Taking Stock: Assessing 
Common Ownership, (June 1, 2018), https://www.ftc.gov/public-
statements/2018/06/taking-stock-assessing-common-ownership.
---------------------------------------------------------------------------
    The U.S. antitrust agencies define common ownership as ``the 
simultaneous ownership of stock in competing companies by a single 
investor, where none of the stock holdings is large enough to give the 
owner control of any of these companies''.\10\ It is distinct from 
``cross ownership'', wherein a company holds an interest in one of its 
competitors, and other joint venture or co-partner scenarios, which 
have long been a focus of U.S. antitrust law.
---------------------------------------------------------------------------
    \10\ Note by the United States on Common Ownership by institutional 
investors and its impact on competition at  1, OECD Doc. DAF/COMP/
WD(2017)86 (Nov. 28, 2017), https://www.ftc.gov/policy/reports/us-
submissions-oecd-2010-present#oecd.
---------------------------------------------------------------------------
    The general theory of harmful common shareholdings is that large 
institutional investors' common holdings may lead firms to compete less 
aggressively--by virtue of the companies' knowledge that more 
aggressive competition may not be in the interest of such shareholders, 
by active encouragement from such investors, or simply by the failure 
of large shareholders to spur competition--and thereby lead to higher 
prices or other harmful effects. Proponents of this theory point to 
several empirical papers that purport to identify such effects, and 
several have proposed wide-ranging remedies that they argue would solve 
this alleged problem. In response, critics have identified various 
methodological flaws in the original research, which they argue call 
into question the results of these papers. They further identify 
alleged shortcomings in the harmful common ownership theory, including 
the absence of a clear mechanism of harm, the failure to distinguish 
between the economic owners and the beneficial owners of the shares at 
issue, and the fact that the theory assumes managers behave in ways 
diametrically opposed to how theory and real world evidence from 
corporate law experience have demonstrated they typically behave.
    The FTC has continued to stay abreast of the common ownership 
research. In November 2017, the Commission participated in an 
Organisation for Economic Co-operation and Development (OECD) 
conference devoted to this topic. The Commission also held a full-day 
workshop, supplemented by a public comment process, in December 2018 
that was largely devoted to exploring the merits of the common 
ownership issue.\11\ At the workshop, which was part of our Hearings on 
Competition and Consumer Protection in the 21st Century, respected 
academics and industry experts on both sides of this issue shared their 
expertise with both us and the public.
---------------------------------------------------------------------------
    \11\ FTC, FTC Hearing on Competition and Consumer Protection in the 
21st Century #8: Corporate Governance, Institutional Investors, and 
Common Ownership (Dec. 6, 2018), https://www.ftc.gov/news-events/
events-calendar/ftc-hearing-8-competition-consumer-protection-21st-
century.
---------------------------------------------------------------------------
    From what we have seen so far, I do not believe there is sufficient 
evidence to warrant policy changes in response to the alleged common 
shareholding problem. I have identified a series of questions for 
scholars to answer and that I believe would help shed more light on the 
issue and whether such changes may be warranted.\12\
---------------------------------------------------------------------------
    \12\ Noah Joshua Phillips, Commissioner, Federal Trade Commission, 
Opening Remarks at FTC Hearing on Competition and Consumer Protection 
in the 21st Century #8: Corporate Governance, Institutional Investors, 
and Common Ownership (Dec. 6, 2018), https://www.ftc.gov/public-
statements/2018/12/opening-remarks-commissioner-noah-joshua-phillips-
ftc-hearing-8; Noah Joshua Phillips, Commissioner, Federal Trade 
Commission, Prepared Remarks at the Global Antitrust Economics 
Conference: Taking Stock: Assessing Common Ownership, (June 1, 2018), 
https://www.ftc.gov/public-statements/2018/06/taking-stock-assessing-
common-ownership.
---------------------------------------------------------------------------
    The FTC has tools already at our disposal to monitor and discipline 
anticompetitive activity, which we will continue to deploy where the 
law and evidence provide a basis for doing so. In considering any 
policy changes--some proposals for which have been extreme--the 
Commission will also bear in mind that many Americans benefit from the 
low-cost investment options large institutional investors make 
possible.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                      to Hon. Noah Joshua Phillips
Pet Leasing
    I appreciate the Commission's attention to my request with six of 
my colleagues for the FTC to investigate the practice of pet leasing 
that is leading some consumers into confusing or deceptive contractual 
obligations that cause them to have an issue with their beloved pet and 
negatively impact their financial status, such as credit scores, for 
far into the future. This is an issue that is a little under the radar 
but needs strong oversight and attention under your deceptive practices 
mandate if there are concerning financial practices being discovered.
    Question. Can I get a further commitment from you all to keep my 
office informed of actions and determinations you all may make 
pertaining to this concerning issue and the Humane Society and Animal 
Legal Defense Fund's formal petition to the Commission?
    Answer. The FTC is committed to protecting consumers from unfair or 
deceptive acts or practices, including any such practices carried out 
by merchants or third party leasing and financing companies. Since our 
response to your letter last November, FTC staff has met with the 
Humane Society and Animal Legal Defense Fund to discuss their joint 
formal petition to the Commission. The FTC will continue to keep your 
office informed of public actions the Commission takes concerning pet 
leasing or the Humane Society and Animal Legal Defense Fund's petition 
to the Commission.
Data Minimization vs Big Data
    A topic that has come up a lot during our discussions on privacy is 
data minimization. This is a concept that I have been considering on as 
I work on developing a comprehensive data privacy bill. As you're 
aware, this is the idea that businesses should only collect, process, 
and store the minimum amount of data that is necessary to carry out the 
purposes for which is was collected. There are obvious advantages to 
this as it minimizes the risk of data breaches and other privacy harms. 
At the same time, big data analytics are going to be crucial for the 
future and play an important role in smart cities, artificial 
intelligence, and other important technologies that fuel economic 
growth. I think it is important to find a balance between minimization 
and ensuring that data, especially de-identified data, is available for 
these applications.
    Question. Can you describe how you view this balance and how we in 
Congress can ensure that people's data is not abused but can still be 
put to use in positive ways?
    Answer. This is one of the most important questions that we need to 
ask when evaluating any future privacy regime. Algorithims, Big Data 
and AI are areas of tremendous and important innovation that have the 
potential to provide significant benefits for our economy, for 
consumers, and for our national welfare.
    Your question neatly captures the dilemma. Businesses can apply 
``big data'' analysis tools to gain insights from large data sets that 
help the business to innovate, for example to improve an existing 
product. This analysis can provide new consumer benefits, such as the 
development of new features. On the other hand, consumers' data may be 
used for unexpected purposes in ways that are unwelcome.\13\ Long-term 
retention of consumer information--such as sensitive financial 
information--also presents a data security issue.\14\
---------------------------------------------------------------------------
    \13\ See, e.g., FTC Press Release, FTC Charges Deceptive Privacy 
Practices in Google's Rollout of Its Buzz Social Network (Mar. 30, 
2011), https://www.ftc.gov/news-events/press-releases/2011/03/ftc-
charges-deceptive-privacy-practices-googles-rollout-its-buzz) (alleging 
that Google deceptively repurposed information it had obtained from 
users of its Gmail e-mail service to set up the Buzz social networking 
service, leading to public disclosure of users' e-mail contacts).
    \14\ See, e.g., Ceridian Corp., No. C-4325 (F.T.C. 2011), https://
www.ftc.gov/enforcement/cases-proceedings/102-3160/ceridian-
corporation-matter) (resolving charges that the company created 
unnecessary risks by storing information such as individuals' e-mail 
address, telephone number, Social Security number, date of birth, and 
direct deposit account number indefinitely on its network without a 
business need).
---------------------------------------------------------------------------
    The FTC has issued a report on the subject of the benefits and 
risks of big data that contains guidance for companies that use big 
data analytics.\15\ Last fall, the Commission also hosted a workshop on 
the intersections between big data, privacy and competition.\16\ We are 
happy to work with your staff to develop legislation on how to balance 
the benefits and risks of big data.
---------------------------------------------------------------------------
    \15\ See FTC, Big Data: A Tool for Inclusion or Exclusion? 
Understanding the Issues (Jan. 2016), https://www.ftc.gov/system/files/
documents/reports/big-data-tool-inclusion-or-exclusion-understanding-
issues/160106big-data-rpt.pdf.
    \16\ See FTC, FTC Hearing on Competition and Consumer Protection in 
the 21st Century #6: Privacy, Big Data, and Competition(Nov. 6-8, 
2018), https://www.ftc.gov/news-events/events-calendar/ftc-hearing-6-
competition-consumer-protection-21st-century.
---------------------------------------------------------------------------
General Privacy Recommendations
    Question 1. While privacy was a significant topic of the oversight 
hearing, as we look to develop a bill, can you specifically lay out 
some of the top priorities you individually would like to see included 
and what do you think gets overlooked in the conversations policymakers 
have with allowing for future innovations and yet raising the bar for 
protecting consumers?
    Answer. As an initial matter, in considering whether to develop 
comprehensive privacy legislation, I urge Congress to first study, 
identify, and understand the harms it wishes to address. Only through 
that crucial inquiry can Congress the develop policy and craft remedies 
appropriate to the problem it is trying to solve. It is also essential 
that Congress carefully and fully weigh the costs and benefits of any 
legislation and, in particular, the costs of regulation to innovation 
and competition, and the potential entrenchment of incumbents that may 
result. Regulation, by its nature, involves tradeoffs; only if we do 
our best to understand the tradeoffs can we make coherent and 
thoughtful decisions in lawmaking.
    In terms of my priorities for any legislation, my number one 
priority is data security legislation, to be enforced by the FTC--
though not identical to privacy legislation, nothing will do more for 
privacy that improved data security. The Commission has been calling 
for data security legislation for years on a bipartisan basis, as it is 
necessary to provide both security to consumers and coherence to the 
market. I also support civil money penalty authority as part of data 
security legislation, to correct flaws in the market that result in an 
under-investment in security.\17\ And, in addition, I believe that the 
FTC needs legislation that will address the Court's concerns in LabMD 
and permit the Commission to once again apply a ``reasonableness'' 
standard in data security orders, which provides the flexibility that 
the market requires.\18\
---------------------------------------------------------------------------
    \17\ See, e.g., Steven Shavell, Foundations of Economic Analysis of 
Law 244 (2004) (where consumers cannot trace the full harm to the 
injurer, injurers will not internalize the full amount of harm).
    \18\ LabMD v. FTC, 894 F.3d 1221 (11th Cir. 2018).
---------------------------------------------------------------------------
    There are other immediate, consumer protection enforcement needs. I 
urge Congress to amend the FTC Act to undo the ViroPharma decision \19\ 
and make it clear to courts and litigants alike that the Commission's 
authority is not limited to ongoing conduct, but rather that the 
Commission can pursue enforcement actions and, where appropriate, 
monetary relief, even for conduct that has ceased.
---------------------------------------------------------------------------
    \19\ FTC v. Shire ViroPharma, Inc., No. 18-1807, 2019 WL 908577 (3d 
Cir. 2019).
---------------------------------------------------------------------------
    As for broader privacy legislation, in considering whether and what 
to do, Congress is not acting in a vacuum. The United States has 
already been working with our economic allies on privacy issues for 
decades--for instance, in the form of the OECD Privacy Framework and 
the APEC Privacy Framework \20\--and these can and should form the 
basis for the discussion. Moreover, while any legislation should 
maintain the FTC's role as that nation's primary privacy and data 
security enforcement agency, I would stress that it is Congress that 
should make the difficult and important decisions in the privacy and 
data security sphere--while the Commission can issue implementing 
regulations, any legislation will necessarily involve value judgements 
that should be left to Congress, not unelected Commission officials.
---------------------------------------------------------------------------
    \20\ OECD, The OECD Privacy Framework (2013), http://www.oecd.org/
sti/ieconomy/oecd_privacy_framework.pdf.
---------------------------------------------------------------------------
    I also believe that, in considering legislation, Congress should 
focus on information asymmetry, helping ensure that the market, and 
consumers in particular, have more, and more accessible, information on 
which to make informed decisions. I also believe there is value in 
encouraging companies to engage in internal privacy assessments so that 
they better understand their own landscape and can make informed, risk-
based decisions about how they gather, use, and share data.
    In terms of FTC-specific authority, as I have said elsewhere, I 
support removing common carrier and non-profit exceptions to the FTC's 
authority, but I remain cautious on civil penalties outside of the data 
security context. Penalties are tools, and whether penalties are 
appropriate and effective will ultimately depend on the liability 
scheme that Congress sets up in any legislation, and specifically 
whether Congress applies a more rules-based approach or a looser 
standards-based approach, as well as whether the data demonstrate that 
penalties in fact effectively deter the relevant conduct, rather than 
chill beneficial conduct.

    Question 2. Can you also outline the optimal role you see for our 
state Attorneys General in this privacy enforcement process?
    Answer. Attorneys General can be important partners in protecting 
consumers, acting as force multipliers for Federal law enforcement. I 
think this is a valuable model that Congress should weigh. It should 
also consider whether to allow the FTC authority to assert exclusive 
jurisdiction when necessary, to ensure consistent and coherent 
application of Federal law.
Privacy Risky Communities/Groups
    Question 1. Do you think that certain communities or groups are any 
more or less vulnerable to privacy risks and harms?
    Answer. Yes. Congress previously has recognized that certain 
communities or groups may be more or less vulnerable to privacy risks 
and harms when promulgating the Children's Online Privacy Protection 
Act, and certain provisions of Gramm-Leach Bliley and the Health 
Insurance Portability and Accountability Act. The Commission also has 
worked to address issues particularly affecting certain communities or 
groups through a number of means, including law enforcement as well as 
a series of seminars and other events around the country and through 
consumer education.\21\
---------------------------------------------------------------------------
    \21\ See, e.g., FTC, Common Ground Conferences and Roundtables 
Calendar, https://www.consumer.gov/content/common-ground-conferences-
and-roundtables-calendar; FTC, Consumer Information--Fraud Affects 
Every Community, https://www.consumer.ftc.gov/features/every-community.

    Question 2. Should privacy law and regulations account for such 
unique or disparate harms, and if so, how?
    Answer. Yes. I believe the approach Congress took with COPPA, GLB 
and HIPAA is instructive here. Existing laws like the Fair Credit 
Reporting Act and the Equal Credit Opportunity Act also provide 
important protections against unlawful discrimination. The Commission 
is happy to work with you to think through these issues as you craft 
legislation.
Immediate Civil Penalties Authority
    Noting from your FTC testimony, ``Section 5 (of the FTC Act), 
however, is not without limitations. For example, Section 5 does not 
provide for civil penalties, reducing the Commission's deterrent 
capability.''

    Question. While I appreciate the long term successes of the FTC in 
many respects to investigate data security matters, what are your 
thoughts to whether there is enough of a deterrent effect with Section 
5 authority when you can't immediately enforce against those who misuse 
data with civil penalties right from the start, rather than as the 
result of often times flagrant offenses to their already establish 
consent decrees?
    Answer. For good reason, the FTC Act does not give the Commission 
penalty authority for first-time violators. If Congress were to give us 
the authority to seek civil penalties for first-time violators of data 
security rules specifically (subject to statutory limitations on the 
imposition of such penalties, such as ability to pay), we would have 
greater ability to deter potentially harmful conduct. Due to asymmetric 
information, interdependent systems, and difficulties in tracing ID 
theft to a particular firm, there are reasons to believe that in many 
circumstances firms may lack sufficient incentives to adequately invest 
in data security under current law.\22\ Correctly calibrated civil 
penalties would cause companies to internalize the full costs of 
inadequate data security, fostering proper incentives to protect 
consumer data.
---------------------------------------------------------------------------
    \22\ See, e.g., Steven Shavell, Foundations of Economic Analysis of 
Law 244 (2004) (when victims cannot identify the injurer, injurers will 
lack adequate incentives to take care); George Akerlof, The Market for 
``Lemons'': Quality Uncertainty and the Market Mechanism, 84 Q.J. Econ. 
488 (1970); Howard Kunreuther & Geoffrey Heal, Interdependent Security, 
26 J. Risk & Uncertainty 231 (2003).
---------------------------------------------------------------------------
    However, for privacy more broadly, it must be remembered that 
penalties are a tool; and, in my view, the question of tools is a 
secondary one, that cannot and should not be considered in the 
abstract. That question necessarily requires preliminary determinations 
first as to what harms Congress wishes to address and second, what 
liability standards it adopts to address those harms. Civil penalties 
are better tailored to conduct that is clearly defined--for example, 
violations of specific rules set forth in FTC Consent Orders or 
regulations like COPPA. Otherwise, the prospect of paying them may 
chill innovation and other conduct that benefits consumers.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Amy Klobuchar to 
                       Hon. Noah Joshua Phillips
    Question 1. The FTC is charged with enforcing the Children's Online 
Privacy Protection Act (COPPA) and has done so for the last two 
decades. Protecting the privacy of children has never been more 
important than it is now, but the online privacy of all Americas is 
also increasingly at risk.

   Both of you have recently commented that we should learn 
        from the FTC's experience in enforcing COPPA when we consider 
        our approach to protecting consumer privacy more broadly. What 
        lessons should we take away from the Commission's experience 
        enforcing COPPA when considering ways to protect online privacy 
        and data security for all Americans?

    Answer. I believe that our experience with COPPA--in particular, 
its enactment and its implementation--can help inform and guide efforts 
to protect online privacy and data for all Americans.
    The American privacy framework is built upon identifying risks and 
then designing a solution that balances competing interests. This 
requires evaluating the sensitivity of the information involved and the 
potential harms that would result from its collection, use or 
disclosure, and then creating a solution that will limit these harms 
while still allowing appropriate use of even sensitive information. 
With COPPA, rather than trying to protect children's privacy and safety 
by enacting draconian legislation that could severely limit children's 
experience on the Internet, Congress instead created a comprehensive, 
yet flexible, framework to protect both children's privacy and 
children's ability to access interactive content on the Internet. And, 
importantly, Congress itself made the tough choices in balancing 
privacy and the tradeoffs inherent in privacy regulation, most notably, 
the age of children to be covered by COPPA.
    We can also learn lessons from the implementation of COPPA. In 
including the modifier ``taking into consideration available 
technology'' in its definition of ``verifiable parental consent'', 
Congress gave the FTC the latitude, in drafting the first iteration of 
the COPPA Rule, to develop a consent mechanism based upon how the 
child's information would be used and with whom it would be shared. In 
crafting the Rule, FTC staff recognized that the cost of a 
technologically rigorous mechanism could sometimes outweigh its 
benefits, especially if there was less risk associated with the 
collection and use of the child's information. Importantly, they were 
able to engage in this cost-benefit analysis because Congress drafted 
the COPPA statute with this consideration in mind. Congress should 
study the history of COPPA enforcement and rulemaking in considering 
whether and how to proceed on broader privacy legislation.
    COPPA is a deliberately paternalistic statute, because it deals 
with children; so it is not necessarily a model for broader privacy 
legislation. But, despite the fact that COPPA is twenty years old, its 
more flexible approach to protecting children's privacy which considers 
benefits and harms has been a critical component in its continuing 
success and effectiveness.

    Question 2. The Federal Trade Commission's budget has remained flat 
for the past several years despite increasing demands on your agency's 
resources, including a significant rise in merger filings.

   If additional resources were made available to the Federal 
        Trade Commission, how would you deploy those resources to 
        advance the agency's consumer protection and competition 
        missions?

    Answer. I appreciate your attention to the agency's resource needs. 
As we mentioned in our November 27 testimony, the FTC works very hard 
to accomplish as much as possible with the resources we have. We are 
tasked with the important dual goals of protecting consumers and 
promoting competition, both which are of increasing importance in the 
changing economy. Resource constraints remain a significant challenge. 
Evolving technologies and intellectual property issues, among others, 
continue to increase the complexity of antitrust investigations and 
litigation. That complexity, coupled with the rising costs of critical 
expert witnesses and increases in caseload, sometimes leads to 
financial and personnel resource limitations. In the past, we have 
requested additional resources for experts, information technology, and 
more full-time employees in support of our mission to protect consumers 
and promote competition. We also have heard the need for additional 
paralegals to help support our staff attorneys; paralegals can provide 
very valuable services and allow attorneys to devote more time to 
substantive issues, but they are a rare commodity at the Commission 
today. These all continue to be critical areas of need for our agency. 
If we receive additional resources, we plan to apply them to these 
areas.
    On the competition side, qualified experts are a key resource in 
all of the FTC's cases--both merger and conduct--heading toward 
litigation. Expert witness services are critical to these cases, as 
they help the FTC satisfy key burdens such as defining product and 
geographic markets and estimating the likely harms (and countering 
defendants' estimation of any alleged procompetitive benefits). Expert 
witness may often prove crucial to litigated cases on the consumer 
protection side, as well.
    Expert witness costs are highly dependent on the number, scope, 
duration, and disposition of our Federal and administrative court 
challenges--increasing (often significantly) as these factors increase. 
To limit these costs, the FTC has continued to identify and implement a 
variety of strategies, including using internal personnel from its 
Bureau of Economics as expert witnesses whenever practical. The 
opportunities to use internal experts as testifying experts are 
limited, however, by several factors, including staff availability, 
testifying experience, and the specialized expertise required for 
specific matters.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Tom Udall to 
                       Hon. Noah Joshua Phillips
Privacy
    Question 1. Do you support strong civil penalties for consumer 
privacy violations?
    Answer. Penalties are a tool and, in my view, the question of tools 
is a secondary one, which cannot and should not be considered in the 
abstract. That question necessarily requires preliminary determinations 
first as to what harms Congress wishes to address and second, what 
liability standards it adopts to address those harms. Civil penalties 
are better tailored to conduct that is clearly-defined--for example, 
violations of specific rules set forth in FTC Consent Orders or 
regulations like COPPA. Otherwise, the prospect of paying them may 
chill innovation and other conduct that benefits consumers.

    Question 2. The California Consumer Protection Act goes into effect 
in January 2020. As Congress considers pre-emption of that state law, 
what additional authority should we give the FTC to ensure that 
consumer privacy adequately is protected?
    Answer. I support Congress including preemption of the California 
Consumer Protection Act, should it take up Federal privacy legislation. 
Clarity and consistency in the regulation of technology, rather than a 
patchwork of laws, is critical, especially to protecting the ability of 
small firms to compete.
    In terms of additional authority, the first question we must ask is 
about the harms--what privacy harms are we focused on and trying to 
solve. Only when we understand that can we make the policy decision 
over which tools--new authorities--are necessary and appropriate. That 
said, the one authority that we unquestionably should have in any new 
privacy law is the authority to enforce that law against common 
carriers and non-profits. The current state of the law creates 
unprincipled inconsistencies, and we should rectify those to allow for 
more clarity and consistency across markets.

    Question 3. A recent New York Times analysis found that both the 
Apple App Store and the Google Play Store have apps in their respective 
children's or family sections that potentially violate COPPA.\23\ What 
specific role should platform owners play to ensure COPPA compliance on 
their platforms?
---------------------------------------------------------------------------
    \23\ Jennifer Valentino-DeVries, Natasha Singer,Aaron Krolik, 
Michael H. Keller, How Game Apps That Captivate Kids Have Been 
Collecting Their Data, New York Times (Sept. 12, 2018), https://
www.nytimes.com/interactive/2018/09/12/technology/kids-apps-data-
privacy-google-twitter.html.
---------------------------------------------------------------------------
    Answer. In 2012, the Commission revised the COPPA Rule to cover not 
just websites, app developers, and other online services but also third 
parties collecting personal information from users of those sites or 
services. At that time, the Commission made clear that it did not 
intend to make platforms responsible merely for offering consumers 
access to someone else's child-directed content. Rather, they would be 
liable under COPPA only if they had actual knowledge that they were 
collecting personal information from a child-directed app. At the same 
time, platforms are in a unique position to set and enforce rules for 
apps that seek placement in the platform's store and to drive good 
practices. We encourage platforms to pursue best practices in this 
regard, beyond those required by COPPA. For example, platforms can 
serve an important educational function for apps that may not 
understand the requirements of COPPA.

    Question 4. Compliance for mobile apps may be hard to achieve 
against fly-by-night operators overseas who do not care if their apps 
violate U.S. law. How can the Vtech Electronics investigation and civil 
penalty serve as an example for how the FTC can hold foreign app 
developers responsible for violating COPPA?
    Answer. When Congress takes action and enacts a privacy statute, it 
is the FTC's job to faithfully execute congressional will and enforce 
that law. This is important in all contexts, but I would argue it is 
especially important when protecting the privacy of children. As a 
Federal Trade Commissioner, I consider it crucial that we continue to 
investigate businesses' practices as they relate to children's privacy, 
and that we enforce this law as Congress intended. At the new FTC, 
COPPA enforcement ought to be a signature feature of our American 
privacy regime.
    In addition to the VTech case you mention, the Commission has taken 
action in a number of privacy- or security-related cases against 
companies that have a foreign presence (see, e.g., TrendNet, inMobi, 
ASUS, and HTC).\24\ In some of these cases, for example, a foreign 
entity manufactured the devices at issue. In each of these cases, the 
FTC obtained successful relief for consumers in the United States, 
including a substantial civil penalty in the VTech and inMobi 
settlements. More recently, the FTC took action against Blu, a U.S.-
based phone manufacturer that was allowing its Chinese service provider 
to access text messages and other private information, contrary to its 
representations to consumers.\25\ The Commission has also used other 
means to address illegal conduct affecting U.S. consumers. For example, 
a few years ago Commission staff sent a warning letter to a Chinese 
company, Baby Bus, about COPPA violations relating to the collection of 
children's personal information through its apps. The Commission copied 
the app platforms on this communication. The company quickly responded 
and addressed the concerns.
---------------------------------------------------------------------------
    \24\ TRENDnet, Inc., No. C-4426 (F.T.C. 2014), https://www.ftc.gov/
enforcement/cases-proceedings/122-3090/trendnet-inc-matter; United 
States v. InMobi Pte Ltd., No. 3:16-cv-3474 (N.D. Cal. 2016), https://
www.ftc.gov/enforcement/cases-proceedings/152-3203/inmobi-pte-ltd; 
ASUSTeK Computer Inc., No. C-4587 (F.T.C. 2016), https://www.ftc.gov/
enforcement/cases-proceedings/142-3156/asustek-computer-inc-matter; HTC 
America Inc., No. C-4406 (F.T.C. 2013), https://www.ftc.gov/
enforcement/cases-proceedings/122-3049/htc-america-inc-matter.
    \25\ BLU Prods., No. C-4657 (F.T.C. 2018), https://www.ftc.gov/
enforcement/cases-proceedings/172-3025/blu-products-samuel-ohev-zion-
matter.

    Question 5. The COPPA safe harbor organizations must submit an 
annual report to the Federal Trade Commission. Can you share the 
reports from the last 5 years?
    Answer. Industry self-regulatory organizations and the COPPA safe 
harbor programs are critical partners in the FTC's privacy enforcement 
efforts. The FTC-approved safe harbor organizations submit annual 
reports to the FTC each year. However, organizations claim 
confidentiality with respect to the information in their annual 
reports.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. John Thune to 
                      Hon. Rebecca Kelly Slaughter
    Question 1. Vertical mergers such as the merger between AT&T and 
Time Warner have garnered some attention lately. The FTC and DOJ have 
not updated vertical merger guidance since 1984. Do you believe that 
the FTC and DOJ should issue new guidance on vertical mergers?
    Answer. Given the enormous impact that vertical mergers could have 
on the economy, markets, and consumers, I think the Commission should 
closely scrutinize them, particularly when they involve oligopoly 
markets and markets with high barriers to entry.\1\ There is broad 
agreement that the 1984 non-horizontal guidelines do not reflect the 
Commission's current enforcement practice. Indeed, Commission 
investigations and cases have identified a range of competition 
concerns arising from vertical mergers, including limiting access to or 
raising the costs of key inputs, restricting access to an important 
customer, inhibiting entry by new competitors, evading regulations, 
facilitating coordination, and anticompetitive information sharing. I 
recently urged the Commission to routinely conduct retrospective 
examinations of vertical merger enforcement decisions. This would allow 
the Commission to see if its predictions about a merger were correct 
and facilitate the Commission's ability to take any necessary 
enforcement action. The Commission is considering whether the agencies 
should issue guidance on vertical merger enforcement and such 
retrospectives would be critical to informing such an endeavor.
---------------------------------------------------------------------------
    \1\ For my detailed views on vertical mergers, please see my 
statement dissenting from In the Matter of Sycamore Partners, Staples, 
and Essendant, No. 181-0180 (Jan. 28, 2019), https://www.ftc.gov/
system/files/documents/public_statements/1448321/
181_0180_staples_essendant_
slaughter_statement.pdf.

    Question 2. Government lawsuits to stop mergers are litigated using 
different procedures depending on which agency, the FTC or DOJ, handles 
the case. Do you think Congress should take action to ensure that 
agencies follow the same procedures or do you support another approach?
    Answer. I do not think Congress should take action to change the 
procedures used by the Federal Trade Commission to carry out its merger 
enforcement mission. Congress intentionally created the Commission as 
an antitrust enforcement entity distinct from the DOJ. Accordingly, the 
FTC Act provides the Commission with additional tools to study markets 
and enforce the laws that are critical to our mission. Specifically, 
the administrative litigation process has been enormously useful in 
developing certain aspects of the law regarding mergers, such as 
mergers between hospitals. I do not share the concern some have 
articulated that the different statutory procedures between the 
agencies produce different outcomes; to the contrary, I think it is 
widely recognized that, in order to block a transaction, the DOJ and 
Commission both must show that a transaction would likely be 
anticompetitive.

    Question 3. Should Congress amend Section 5(n) of the FTC Act, 
which addresses unfair practices, to clarify what constitutes 
``substantial injury?'' If so, how?
    Answer. The Commission has alleged and Courts have found that 
``substantial injury'' can take the form of financial, physical, or 
reputational injuries. In addition, the Commission has alleged and 
Courts have found that ``substantial injury'' can take the form of an 
unwanted intrusion into the sanctity of people's homes and their 
intimate lives. As a general matter, there is no need to clarify what 
constitutes ``substantial injury'' under Section 5(n) of the FTC Act.
    In many areas, however, the FTC also has specific rules that allow 
it to target specific law violations and seek monetary penalties 
without having to demonstrate or quantify ``substantial injury.'' For 
example, while abusive telephone calls are an unfair practice that 
cause substantial injury in the form of an unwanted intrusion into 
consumers' homes that wastes their time, the Telemarketing Sales Rule 
sets out with specificity which practices are abusive and imposes a 
penalty for violations. This gives clarity to business and reduces the 
Commission's enforcement burden of having to prove that the calls 
amounted to ``substantial injury'' in each case. I believe the 
Commission would benefit from the authority to issue similar rules in 
the areas of privacy and data security, both to give clarity to 
business and to reduce the Commission's enforcement burden of having to 
prove that each data breach causes ``substantial injury'' to consumers.

    Question 4. Should the FTC issue more guidance to marketers on the 
level of support needed to substantiate their claims? If so, when do 
you anticipate that such guidance could be issued?
    Answer. The FTC has issued extensive guidance over the years to 
help marketers in determining the level of support needed to 
substantiate claims. The Commission first articulated the relevant 
factors used to determine the level of evidence required to 
substantiate objective performance claims in Pfizer, Inc., 81 F.T.C. 23 
(1972). Those factors included the type of claim, type of product, the 
consequences of a false claim, the benefits of a truthful claim, the 
cost of developing substantiation for the claim, and the amount of 
substantiation experts in the field believe is reasonable. The 
Commission and the courts have reaffirmed this standard many times 
since 1972.\2\ In addition, the FTC also has provided extensive 
guidance through Guides and staff guidance documents.\3\ Finally, FTC 
staff provide additional guidance through speeches and presentations to 
industry trade groups and industry attorneys.
---------------------------------------------------------------------------
    \2\ See, e.g., Thompson Med. Co., 104 F.T.C. 648, 813 (1984), 
aff'd, 791 F.2d 189 (D.C. Cir. 1986); Daniel Chapter One, 2009 WL 
5160000 at *25-26 (F.T.C. 2009), aff'd, 405 Fed. App'x 505 (D.C. Cir. 
2010) (unpublished opinion), available at 2011-1 Trade Cas. (CCH)  
77,443 (D.C. Cir. 2010); POM Wonderful, LLC, 155 F.T.C. 1, 55-60 
(2013), aff'd, 777 F.3d 478 (D.C. Cir. 2015), cert. denied, 136 S. Ct. 
1839, 194 L. Ed. 2d 839 (2016); FTC Policy Statement Regarding 
Substantiation, 104 F.T.C. 839, 840 (1984) (appended to Thompson Med. 
Co., 104 F.T.C. 648 (1984)).
    \3\ See Guides for the Use of Environmental Marketing Claims, 16 
C.F.R. Sec. 260.2 (2019), https://www.ecfr.gov/cgi-bin/text-
idx?SID=bd96b2cdcd01f7620d43e50a9d1d8cec&mc=true&node=se16.1
.260_12&rgn=div8; Dietary Supplements: An Advertising Guide for 
Industry, https://www
.ftc.gov/tips-advice/business-center/guidance/dietary-supplements-
advertising-guide-industry.

    Question 5. In June, the 11th Circuit vacated the Commission's data 
security order against Lab-MD. What effect, if any, will this have on 
the Commission's data security orders going forward?
    Answer. The Eleventh Circuit determined that the mandated data 
security provision of the Commission's LabMD Order was insufficiently 
specific. The opinion did not have any effect on the FTC's use of 
Section 5 to protect consumers from deceptive or unfair data security 
practices. The Commission is engaged in an ongoing process to craft 
appropriate order language in data security cases, based on the 
Eleventh Circuit opinion, feedback we received from our December 
hearing on data security, and our own internal discussion of how our 
orders can create better deterrence of future misconduct, using our 
existing tools.
    One of the reasons I support comprehensive data security and 
privacy legislation is that such legislation could limit the impact of 
competing court opinions by directly empowering the FTC to require 
reasonable data security and privacy practices.

    Question 6. If Federal privacy legislation is passed, what 
enforcement tools would you like to be included for Federal Trade 
Commission?
    Answer. I support strong comprehensive privacy legislation that 
would (1) empower the FTC to seek significant monetary penalties for 
privacy violations in the first instance; (2) give the FTC APA 
rulemaking authority, to allow us to craft flexible rules that reflect 
stakeholder input and can be periodically updated to keep up with 
technological developments; and (3) repeal the common carrier and 
nonprofit exemptions under the FTC Act to ensure that more of the 
entities entrusted with consumer data are held to a consistent 
standard. Moreover, I support an increase in resources and personnel to 
enable the FTC to use these enforcement tools effectively.

    Question 7. During the hearing, I asked the Chairman whether the 
FTC would consider using its section 6(b) authority to study consumer 
information data flows, specifically sending requests to Google, 
Facebook, Amazon, and others in the tech industry to learn what 
information they collect from consumers and how that information is 
used, shared, and sold. I believe the FTC's section 6(b) authority 
could provide some much needed transparency to consumers about the data 
practices of large technology companies, and help identify areas that 
may require additional attention from lawmakers. What are your views 
with respect to the FTC potentially conducting a study pursuant to 
section 6(b) of the Federal Trade Commission Act on the data 
collection, use, filtering, sharing, and sale practices of large 
technology companies such as Google, Facebook, Amazon, and others?
    Answer. The Commission's 6(b) investigative authority is a critical 
tool that the Commission can use to increase its understanding of 
industries and markets in order to inform both our competition and 
consumer protection policy and enforcement agendas. There are many 
issues in the technology arena that could be the subject of a 6(b) 
study, and I would support such an effort.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Jerry Moran to 
                      Hon. Rebecca Kelly Slaughter
    Question 1. Section 5(a) of the FTC Act, which prohibits ``unfair 
or deceptive acts or practices in or affecting commerce'' is the legal 
basis for a body of consumer protection law that covers data privacy 
and security practices. The FTC has brought hundreds of cases to date 
to protect the privacy and security of consumer information held by 
companies of all sizes under this authority. The FTC staff recently 
submitted comments to the National Telecommunications and Information 
Administration (NTIA) that clearly indicate the FTC staff's view that 
the FTC would be the appropriate agency to enforce a new comprehensive 
privacy legislative framework. Do you agree with the staff's view?
    Answer. Yes. The FTC has the experience and expertise to enforce 
new comprehensive privacy legislation--and the demonstrated dedication 
to consumers to do so effectively. The FTC's dual missions demand that 
we think critically about the impact of regulations and enforcement on 
both consumers and the competitive marketplace, which will be valuable 
in executing whatever framework Congress passes.

    Question 2. As Congress evaluates opportunities to create 
meaningful Federal legislation to appropriately ensure privacy of 
consumers' data, there have been suggestions to increase the FTC's 
authorities to enforce in this space. Will you commit to working with 
this Committee in measuring what resources, if any, will be needed to 
allow the agency to enforce any additional authorities that may or may 
not be provided in Federal legislation?
    Answer. Yes.

    Question 3. Sharing responsibilities with the DOJ's Antitrust 
Division, the FTC enforces antitrust law in a variety of sectors as 
described by your testimony. While the vast majority of premerger 
filings submitted to enforcement agencies do not raise competition 
concerns, the FTC challenged 45 mergers since the beginning of 2017, 
and of those, the FTC only voted to initiate litigation to block five 
transactions. Would you please describe the resource needs of the 
agency associated with hiring qualified outside experts to support its 
litigation efforts? Please explain how developments in the high-
technology sector are accounted for in the FTC's decision-making 
process related to antitrust enforcement.
    Answer. The Commission is always looking for ways to use existing 
resources more efficiently, but additional resources would be put to 
good use and help us to do more to further our competition and consumer 
protection missions. With respect to our merger enforcement efforts, 
economic and other experts are necessary to support investigations and 
bring litigation. As larger and larger mergers come before the 
Commission and complexity of investigations increase, the cost of 
outside experts becomes a greater resource burden. Resource constraints 
can require the agency to make difficult tradeoffs between litigating a 
case to achieve the optimal result and settling for a good but 
imperfect resolution.
    Competition in the technology industry must be closely monitored 
and the Commission is well equipped to examine fast-moving high-
technology markets. However, I think that creating a Bureau of 
Technology would be useful for centralizing technological expertise and 
more regularly deploying technologists to assist in both competition 
and consumer protection investigations. As you know, there continues to 
be some overlap between competition and consumer protection issues and 
the Commission should always be mindful of the fact that what we do in 
the competition arena could impact our consumer protection mission and 
vice versa.

    Question 4. Earlier this year, I introduced legislation called the 
Senior Scams Prevention Act with Senator Bob Casey to combat continued 
and increasingly complex attempts to defraud one of the Nation's most 
vulnerable populations, our senior community. This bill seeks to ensure 
retailers, financial institutions and wire transfer companies have the 
resources to train employees to help stop financial frauds and scams on 
seniors. Would you agree that awareness and education, guided by ``best 
practices'' established by industry and government partners, is a 
valuable tool in preventing consumer harms against our Nation's 
seniors?
    Answer. Yes, coupled with effective law enforcement, efforts to 
empower our senior consumers to recognize and avoid scams are 
invaluable. The FTC works closely with multiple federal, state, and 
private partners to increase awareness about frauds that target our 
seniors, and we have developed our own Pass It On campaign to share 
preventative information about frauds and scams with older adults.

    Question 5. In its comments submitted to NTIA on ``Developing the 
Administration's Approach to Consumer Privacy,'' the FTC discussed the 
various cases that it has taken up to address privacy-related harms to 
consumers, and it specifically noted four categories of harms: 
financial injury, physical injury, reputational injury, and unwanted 
intrusion. Could you please briefly describe each category while noting 
any FTC enforcement considerations specific to that type of harm?
    Answer. Financial injury describes harm that can be quantified, 
such as lost money, time, or opportunity. When we talk about physical 
injury, that covers harms arising from increased risks to an 
individuals' health or safety, including their mental and emotional 
health. Reputational injury involves disclosure of private facts about 
an individual, which damages the individual's reputation. Finally, 
unwanted intrusion into the sanctity of people's homes, communications 
and intimate lives also constitute serious harms. Outside of lost 
dollars, quantifying appropriate relief to address these serious harms 
can present enforcement challenges that would be eased by consumer 
privacy legislation that imposed money penalties for privacy 
violations.

    Question 6. In the FTC's recent comments in NTIA's privacy 
proceeding, the FTC said that its ``guiding principles'' are based on 
``balancing risk of harm with the benefits of innovation and 
competition.'' Would you describe what this means, how you strike this 
balance, and how it is applied in practice under your Section 5 
authority in the FTC Act?
    Answer. When the Commission brings an action sounding in its 
unfairness authority under Section 5 of the FTC Act, we can only 
challenge an act or practice that ``causes or is likely to cause 
substantial injury to consumers, which is not reasonably avoidable by 
consumers themselves and not outweighed by benefits to consumers or to 
competition.'' The FTC does not, however, need to engage in this 
specific inquiry when it proceeds under its deception authority 
pursuant to Section 5 of the FTC Act. For example, when a company makes 
promises to consumers about how it will collect, store or use consumer 
data and breaks those promises, the FTC need not engage in any 
balancing inquiry to bring an enforcement action.

    Question 7. The FTC's comments pertaining to ``control'' in NTIA's 
privacy proceeding stated, ``Choice also may be unnecessary when 
companies collect and disclose de-identified data, which can power data 
analytics and research, while minimizing privacy concerns.'' How would 
the FTC suggest Federal regulation account for de-identified data, if 
at all?
    Answer. To the extent that Federal regulation would be more 
permissive in its treatment of de-identified data, I would urge careful 
consideration to ensure that data cannot be re-linked to individuals. 
For example, I would point to the formulation used in the EU General 
Data Protection Regulation (``GDPR''), which makes clear that 
``anonymization'' of personal data refers to de-identified data for 
which direct and indirect personal identifiers have been removed and 
steps have been taken to ensure that the data can never be re-
identified.

    Question 8. Your testimony indicated that continued technological 
developments allow illegal robocallers to conceal their identities in 
``spoofing'' caller IDs while exponentially increasing robocall volumes 
through automated dialing systems. These evolving technological changes 
mean that the critical law enforcement efforts of the FTC cannot be the 
only solution, and your testimony described the additional steps the 
FTC is taking to develop innovative solutions to these issues. Would 
you please describe the process and outcomes of the four public 
challenges that the FTC held from 2013 to 2015? Are there plans to 
incentivize innovators to combat robocalls in the future?
    Answer. The FTC's process for its robocall challenges included 
public announcements, committees with independent judges, and, in some 
cases, cash prizes awarded under the America COMPETES Reauthorization 
Act.\4\ To maximize publicity, the FTC announced each of its four 
challenges in connection with public events. The FTC announced the 
first robocall challenge at the FTC's 2012 Robocall Summit. In 2014, 
the FTC conducted its second challenge, ``Zapping Rachel'' at DEF CON 
22. The FTC conducted its third challenge, ``DetectaRobo,'' in June 
2015 in conjunction with the National Day of Civic Hacking. The final 
phase of the FTC's fourth public robocall challenge took place at DEF 
CON 23. When the FTC held its first public challenge, there were few, 
if any, call blocking or call labeling solutions available for 
consumers. Today, two FTC challenge winners, NomoRobo and Robokilller, 
offer call blocking applications, and there are hundreds of mobile apps 
offering call blocking and call labeling solutions for cell phones. 
Many home telephone service providers also now offer call blocking and 
call labeling solutions. The FTC will not hesitate to initiate 
additional innovation contests if it identifies further challenges that 
could meaningfully benefit consumers by reducing the harm caused by 
illegal robocalls.
---------------------------------------------------------------------------
    \4\ See FTC, ``Details About the FTC's Robocall Initiatives,'' 
https://www.consumer.ftc.gov/features/feature-0025-robocalls.
---------------------------------------------------------------------------
    In addition to developing call blocking and call labeling 
technology, the telecom industry has also developed call verification 
technology, called STIR/SHAKEN, to help consumers know whether a call 
is using a spoofed Caller ID number and assist call analytics companies 
in implementing call blocking and call labeling products. If widely 
implemented and made available to consumers, the STIR/SHAKEN protocol 
should minimize unwanted calls. Certain industry members have begun to 
roll out this technology and it is in beta testing mode. We will keep a 
close eye on this industry initiative and continue to encourage its 
implementation.

    Question 9. Would you please describe the FTC's coordination 
efforts with state, federal, and international partners to combat 
illegal robocalls?
    Answer. The FTC frequently coordinates its efforts with its state, 
federal, and international partners. The FTC often brings robocall 
enforcement actions with states as co-plaintiffs. For example, in the 
FTC's case against Dish Network, litigated for the FTC by the 
Department of Justice, the FTC brought the case jointly with 
California, Illinois, North Carolina, and Ohio. Collectively, the 
states and the FTC obtained a historic $280 million trial verdict.\5\
---------------------------------------------------------------------------
    \5\ Press Release, FTC and DOJ Case Results in Historic Decision 
Awarding $280 Million in Civil Penalties Against Dish Network and 
Strong Injunctive Relief for Do Not Call Violations (June 6, 2017), 
https://www.ftc.gov/news-events/press-releases/2017/06/ftc-doj-case-
results-historic-decision-awarding-280-million-civil. The case is on 
appeal before the Seventh Circuit Court of Appeals.
---------------------------------------------------------------------------
    The FTC also coordinates outreach and education with the FCC. In 
2018, the agencies co-hosted two robocall events--a policy forum that 
discussed technological and law enforcement solutions to the robocall 
problem \6\ and a public expo that allowed companies offering call 
blocking and call labeling services to showcase their products for the 
public.\7\ Additionally, the FTC and FCC hold quarterly calls, speak 
regularly on an informal basis, and coordinate on a monthly basis with 
our state partners through the National Association of Attorneys 
General. The FTC also engages with international partners through 
participation in international law enforcement groups such as the 
International Consumer Protection Enforcement Network, International 
Mass Marketing Fraud Working Group, and the Unsolicited Communications 
Network (formerly known as the London Action Plan).
---------------------------------------------------------------------------
    \6\ Press Release, FTC and FCC to Host Joint Policy Forum and 
Consumer Expo to Fight the Scourge of Illegal Robocalls (Mar. 22, 
2018), https://www.ftc.gov/news-events/press-releases/2018/03/ftc-fcc-
host-joint-policy-forum-illegal-robocalls.
    \7\ Press Release, FTC and FCC to Co-Host Expo on April 23 
Featuring Technologies to Block Illegal Robocalls (Apr. 19, 2018), 
https://www.ftc.gov/news-events/press-releases/2018/04/ftc-fcc-co-host-
expo-april-23-featuring-technologies-block-0.

    Question 10. Your testimony described the limitations of the FTC's 
current data security enforcement authority provided by Section 5 of 
the FTC Act including: lacking civil penalty authority, lacking 
authority over non-profits and common carrier activity, and missing 
broad APA rulemaking authority. Please describe each of these 
limitations and how adjusted FTC authority to address these items would 
improve the protection of consumers from data security risks.
    Answer. Under current law, the FTC generally cannot obtain civil 
penalties--in other words, money--for first-time security or privacy 
violations. This means that, in order to be financial liable for data 
security or privacy violations, a company often must violate the law, 
be pursued by the Commission and put under order, and then violate the 
law again. I believe this under-deters problematic data security and 
privacy practices. If Congress were to give us the authority to seek 
civil penalties for first-time violators, better deterrence would be 
achieved. As to APA rulemaking authority, the Commission would benefit 
from such authority in the areas of data security and privacy. 
Rulemaking authority will ensure that the FTC can enact rules, with 
notice and comment and consistent with Congressional direction, and 
amend them as necessary to keep up with technological developments. For 
example, in 2013, the FTC was able to use its APA rulemaking authority 
to amend its Rule under the Children's Online Privacy Protection Act to 
address new business models, including social media and collection of 
geolocation information, that were not in place when the initial 2000 
Rule was promulgated. As to nonprofits and common carriers, news 
reports are filled with breaches affecting these sectors (e.g., the 
education sector), and the FTC does not currently have jurisdiction 
over them. Giving the FTC jurisdiction over these entities for purposes 
of enforcing data security and privacy laws will create a level playing 
field and ensure that these entities are subject to the same rules as 
other entities that collect similar types of data.
                                 ______
                                 
 Response to Written Questions Submitted by Hon. Richard Blumenthal to 
                      Hon. Rebecca Kelly Slaughter
Privacy Rules
    We know that Americans care about privacy--that they eagerly want 
these rights. We need baseline rules. Companies should not store 
sensitive information indefinitely and use that data for purposes that 
people never intended. Federal rules must set meaningful obligations on 
those that handle our data. We must enable consumers to trust and 
control their personal data.

    Question 8. Do you support providing state AGs with the power to 
enforce Federal privacy protections and would you commit to working 
with state AGs?
    Answer. Yes. The state AGs are critical partners in our enforcement 
efforts and would help ensure compliance with Federal privacy rules--we 
cannot have too many cops on the beat.

    Question 9. Why is it important that the FTC have rulemaking 
authority when it comes to privacy? Where best would rulemaking be 
applied?
    Answer. APA rulemaking authority in the area of privacy provides 
two big benefits: (1) notice and comment proceedings and (2) 
flexibility to accommodate changing technology and practices. Notice 
and comment rulemaking requires the FTC to solicit comment from 
stakeholders on proposed rules or changes to a rule, which allows 
industry, advocates, experts and consumers to weigh in. And the ability 
to amend the rule in the future, again with notice and comment, would 
enable the FTC to keep up with technological developments and any 
unanticipated consequences.

    Question 10. Do you believe elevating the Office of Technology 
Research and Investigation to the Bureau level would meaningfully help 
the FTC in addressing new technological developments across its 
mandates?
    Answer. Yes. Our cases are more sophisticated than ever and 
creating, and more critically funding, a body of experts who can assist 
on our most complex competition and consumer protection cases would be 
invaluable. Today we have an economist assigned to every single case; 
but almost all of our cases have a technological element and could 
benefit from a technologist as well. We also need more research in the 
areas of privacy and data security. Right now the FTC's Bureau of 
Economics engages in substantial research and scholarship, producing 
reports and papers on topics relevant to the Commission's consumer 
protection and competition missions. I envision a Bureau of Technology 
serving a very similar role. There are many emerging issues and policy 
questions in the technology space that impact consumers and 
competition: IoT security, AI, data portability, VR. Expert research 
and scholarship on these issues would provide a significant benefit to 
the Commission and public.
Board Accountability
    Question 12. What is the FTC doing to investigate and hold 
accountable individual board members and executives who knowingly 
assist their companies in committing fraud? What more should the FTC be 
doing in this regard?
    Answer. I support increased focus on individual accountability for 
company leaders who knowingly assist their companies in violating the 
law and failing to comply with FTC orders. In February, the FTC 
announced a record-setting COPPA fine against a company, Musical.ly, 
now known as TikTok, that engaged in unlawful practices that put 
children at risk. In connection with this case, I issued a statement 
with my colleague Commissioner Chopra, calling publicly for the FTC to 
look more closely at individuals in such matters going forward.\1\ When 
any company appears to have made a business decision to violate or 
disregard the law, the Commission should identify and investigate those 
individuals who made or ratified that decision and evaluate whether and 
how to hold them accountable.
---------------------------------------------------------------------------
    \1\ Joint Statement of Commissioner Rohit Chopra and Commissioner 
Rebecca Kelly Slaughter, In the Matter of Musical.ly Inc. (now known as 
TikTok), No. 1723004 (Feb. 27, 2019), https://www.ftc.gov/system/files/
documents/public_statements/1463167/chopra_and_slaughter_musi
cally_tiktok_joint_statement_2-27-19.pdf.
---------------------------------------------------------------------------
FTC Investigation of Algorithms
    Section 6(b) of the FTC Act gives the agency broad investigatory 
and information-gathering powers. For example, in the 1970s the FTC 
used its Section 6(b) authority to require companies to submit product-
line specific information, enabling the agency to assess the state of 
competition across markets.
    The FTC has released reports on big data and the harms biased 
algorithms can cause to disadvantaged communities. These reports drew 
attention to the potential loss of economic opportunity and diminished 
participation in our society. Yet, information on how these algorithms 
work, and on the inputs that go into them, remains opaque.

    Question 19. Where the FTC consider using its Section 6(b) 
investigative power to help us understand how these algorithms and 
black-box A.I. systems work--the biases that shape them, and how those 
can affect trade, opportunity, and the market?
    Answer. The Commission's 6(b) investigative authority is a critical 
tool that the Commission can use to increase its understanding of 
industries and markets in order to inform both our competition and 
consumer protection policy and enforcement agendas. There are many 
issues in the technology arena that could be the subject of a 6(b) 
study, and I would support such an effort.
FTC Consent Decree on Unrepaired Recalls
    Most consumers probably do not know that, while new car dealers are 
prohibited from selling vehicles with open recalls, used car dealers 
are not. A recent FTC consent decree, which I strenuously disagreed 
with and is currently being scrutinized in the courts, allows the sale 
of used cars with unrepaired recalls. According to the consent decree, 
car dealers can advertise that cars with unrepaired safety recalls like 
a defective Takata airbag are ``safe'' or have passed a ``rigorous 
inspection''--as long as they have a disclosure that the vehicle may be 
subject to an unrepaired recall and directs consumers on how they can 
determine the vehicle has an open recall.

    Question 20. In your opinion, is a car with an open, unrepaired 
recall, a ``safe'' car? Why would the FTC allow unsafe cars to be 
advertised as ``safe'' and ``repaired for safety,'' with or without a 
vague, contradictory and confusing disclaimer?
    Answer. In my opinion, cars that have an open recall need to be 
fixed.
Question on Non-Compete Clauses
    I am concerned about the growth of non-compete clauses, which block 
employees from switching jobs to another employer in the same sector 
for a certain period of time. These clauses weaken workers' bargaining 
power once they are in the job, because workers often cannot credibly 
threaten to leave if their employer forces refuses to give them a raise 
or imposes poor working conditions. According to the Economic Policy 
Institute, roughly 30 million workers--including one in six workers 
without a college degree--are now covered by non-compete clauses.
    The consensus in favor of addressing non-compete clauses is 
growing. For example, just this past December, an interagency report 
indicated that non-compete clauses can be harmful in certain contexts, 
such as the healthcare industry. Yet, the FTC has not yet undertaken 
forceful action. In September, Commissioner Chopra suggested that the 
FTC use its rulemaking authority to ``remove any ambiguity as to when 
non-compete agreements are permissible or not.''

    Question 23. Do you agree with the proposal that the FTC use its 
rulemaking authority to address non-compete clauses? I invite you to 
explain your reasoning regarding your stance.
    Answer. Non-compete clauses are anticompetitive and unfair for the 
vast majority of workers in our country, and unequivocally for those 
who have little or no bargaining power when negotiating employment 
contracts. A Commission rule to address non-compete clauses should be 
considered among the potential mechanisms for stopping their use so 
that workers reap the benefits of a fair and competitive marketplace 
for their labor.
Question on Local Merger Enforcement
    Even though big national mergers typically garner the most media 
attention, smaller mergers can often raise monopoly concerns on the 
local level. This can be true in the healthcare industry, for example. 
In November, Commissioner Simons told me: ``Some local mergers may be 
too small to require Hart-Scott-Rodino premerger notification, but may 
still have anticompetitive effects.''

    Question 24. Would you agree with me that Hart-Scott-Rodino 
premerger notifications help antitrust enforcers catch concerning 
mergers?
    Answer. Yes.

    Question 25. What sort of anticompetitive effects might be raised 
by local mergers even when those mergers are too small to require Hart-
Scott-Rodino premerger notification?
    Answer. Similar to mergers and acquisitions involving large firms, 
mergers and acquisitions involving small firms in local markets can 
result in competitive harm that violates Section 7 of the Clayton Act. 
For example, a merger might eliminate horizontal competition, resulting 
in higher prices, reduced quality, and/or less innovation. A merger 
might also enable and incentivize anticompetitive conduct resulting 
from vertical integration, including foreclosing or raising the cost to 
rivals of a key input or foreclosing competitors' access to customers. 
Finally, it is not difficult to imagine a large company engaging in 
acquisitions--or potentially serial acquisitions--of nascent 
competitors. These transactions may occur in local markets and be too 
small to trigger HSR notification, but nonetheless merit scrutiny by 
the Commission.

    Question 26. What action would you recommend either the FTC or 
Congress take in order to assist Federal and state antitrust enforcers 
in catching local mergers that raise anticompetitive concerns?
    Answer. The Commission should continue its practice of routinely 
monitoring the market for potentially problematic mergers that do not 
meet the HSR reporting requirements. It should also maintain its close 
working relationship with state Attorneys General to help identify non-
reportable mergers that may be of mutual interest.
Question on Horizontal Shareholding
    Recent research has raised questions about whether horizontal 
shareholding harms competition in our economy. I would like to 
understand your view on this ongoing research.

    Question 27. Do you believe that horizontal shareholding raises 
anticompetitive concerns?
    Answer. I believe that the competitive impact of horizontal 
shareholding merits close attention. If investors hold significant 
minority stakes of competing firms and the investors orchestrate 
collusion between the firms or exercise influence over the firms the 
effect of which would be to substantially lessen competition, I believe 
such actions would raise significant competitive concerns.

    Question 28. Do you believe that our antitrust laws can be used to 
address the anticompetitive concerns raised by horizontal shareholding?
    Answer. The Clayton Act applies to partial acquisitions of 
competing firms that do not confer control, but are likely to 
substantially lessen competition. Traditionally, enforcement has 
focused on cross-ownership acquisitions--or acquisitions between 
competitors--but there is a developing literature about the application 
of the Clayton Act to common ownership acquisitions and the evidence 
that would demonstrate that such acquisitions are likely to 
substantially lessen competition. This is a productive area of research 
and debate, and I believe it raises significant questions for antitrust 
enforcement and competition policy.

    Question 29. What, if anything, are you doing to address any 
potential harms of horizontal shareholding?
    Answer. Going forward, the Commission should be on the lookout for 
common ownership acquisitions that could potentially raise competitive 
concerns and investigate to determine whether there is sufficient 
evidence to merit enforcement action.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                    to Hon. Rebecca Kelly Slaughter
Pet Leasing
    I appreciate the Commission's attention to my request with six of 
my colleagues for the FTC to investigate the practice of pet leasing 
that is leading some consumers into confusing or deceptive contractual 
obligations that cause them to have an issue with their beloved pet and 
negatively impact their financial status, such as credit scores, for 
far into the future. This is an issue that is a little under the radar 
but needs strong oversight and attention under your deceptive practices 
mandate if there are concerning financial practices being discovered.

    Question. Can I get a further commitment from you all to keep my 
office informed of actions and determinations you all may make 
pertaining to this concerning issue and the Humane Society and Animal 
Legal Defense Fund's formal petition to the Commission?
    Answer. Yes. Business models predicated on long-term exorbitant 
leasing terms (such as the rent-to-own industry) have appropriately 
garnered scrutiny and criticism from consumer advocates. The extension 
of these types of practices to something as personal and emotional as 
the relationship between people and their pets is deeply distressing, 
and I appreciate your efforts to raise awareness of the issue. The FTC 
is committed to protecting consumers from unfair or deceptive acts or 
practices, including in this troubling area. FTC staff has met with the 
Humane Society and Animal Legal Defense Fund to discuss their concerns 
and will continue to keep your office informed of the steps we are 
taking in this area.
Bureau of Technology
    Former Commissioner Terrell McSweeny has suggested creating a 
Bureau of Technology at the FTC.

    Question 1. Does the Commission have sufficient resources and 
staffing to protect consumer privacy in the digital age?
    Answer. No. The Commission has used the resources and staffing it 
currently has to bring over 60 data security and privacy cases and to 
engage in extensive consumer and business education and outreach 
regarding privacy and security. And we will continue to use our 
existing resources to do all that we can--but it is not enough. Not a 
week goes by in which a data breach or problematic privacy practice 
does not grab headlines. As consumer data are collected, stored, and 
shared by more and more sectors of the economy, the FTC needs more 
resources and more staff to help ensure that data is secure.

    Question 2. Do support the establishment of a Bureau of Technology?
    Answer. Yes. Our cases are more sophisticated than ever and 
creating, and more critically funding, a body of experts who can assist 
on our most complex competition and consumer protection cases would be 
invaluable. Today we have an economist assigned to every single case; 
but almost all of our cases have a technological element and could 
benefit from a technologist as well. We also need more research in the 
areas of privacy and data security. Right now the FTC's Bureau of 
Economics engages in substantial research and scholarship, producing 
reports and papers on topics relevant to the Commission's consumer 
protection and competition missions. I envision a Bureau of Technology 
serving a very similar role. There are many emerging issues and policy 
questions in the technology space that affect consumers and 
competition: IoT security, AI, data portability, VR. Expert research 
and scholarship on these issues would provide a significant benefit to 
the Commission and public.
Robocalls
    Obviously protecting consumers from fraud is a fundamental tenet of 
the FTC. And I applaud your work in both the education and enforcement 
sectors of protecting consumers. But one area we all are still 
struggling to stay ahead of the curve on is robocalls. That's why I 
have legislation, the Deter Obnoxious, Nefarious, and Outrageous 
Telephone Calls, or DO NOT Call Act with four of my Senate colleagues. 
It would increase the deterrent against illegal robocalls by imposing a 
potential criminal penalty rather than just civil fines. While these 
tools would be more for the Federal Communications Commission, we are 
obviously interested in fighting this problem on all fronts.

    Question 1. Would you agree that in addition to finding more 
effective technological tools to fight this problem, that this kind of 
enhanced deterrent needs to receive serious consideration in Congress 
to help provide regulators the tools to hold bad actors accountable for 
this persistent nuisance and scurrilous action by scammers?
    Answer. Yes, I support increasing the deterrent against illegal 
robocalls, including through criminal penalties. In addition, 
technological tools should be developed and applied to identify those 
who are using sophisticated technology to evade detection, and we must 
continue to work with our international partners to ensure that the 
threat of penalties meaningfully reaches scammers who may escape the 
jurisdiction of U.S. law enforcement.

    Question 2. Are there additional actions Congress should be 
considering related to this specific challenge?
    Answer. I recommend Congress consider requiring or strongly 
incentivizing voice service providers to offer call-blocking services 
to all customers and to implement the STIR/SHAKEN protocol. In 
addition, repealing the common-carrier exemption from the FTC act would 
enable us to bring enforcement actions against carriers that routinely 
and knowingly pass illegal traffic across their networks. Carriers 
should have both the authority and the responsibility to keep nuisance 
spam calls off their networks.
Data Minimization vs Big Data
    A topic that has come up a lot during our discussions on privacy is 
data minimization. This is a concept that I have been considering on as 
I work on developing a comprehensive data privacy bill. As you're 
aware, this is the idea that businesses should only collect, process, 
and store the minimum amount of data that is necessary to carry out the 
purposes for which is was collected. There are obvious advantages to 
this as it minimizes the risk of data breaches and other privacy harms. 
At the same time, big data analytics are going to be crucial for the 
future and play an important role in smart cities, artificial 
intelligence, and other important technologies that fuel economic 
growth. I think it is important to find a balance between minimization 
and ensuring that data, especially de-identified data, is available for 
these applications.
    Question. Can you describe how you view this balance and how we in 
Congress can ensure that people's data is not abused but can still be 
put to use in positive ways?
    Answer. I agree that there is significant tension in how we balance 
the known benefits of data minimization with the benefits that might be 
derived from big data analytics. As a starting point, I believe that 
careful consideration of several topics would help inform this 
balancing: (1) the benefits and potential harms that arise from big 
data; (2) how best to ensure that de-identified data is not later re-
linked to individuals; and (3) whether and how to preserve consumer 
choice regarding how de-identified data is used beyond the expected 
purposes for which it is collected.
General Privacy Recommendations
    Question 1. While privacy was a significant topic of the oversight 
hearing, as we look to develop a bill, can you specifically lay out 
some of the top priorities you individually would like to see included 
and what do you think gets overlooked in the conversations policymakers 
have with allowing for future innovations and yet raising the bar for 
protecting consumers?
    Answer. From an enforcement perspective, my priorities include (1) 
empowering the FTC to seek significant monetary penalties for privacy 
violations in the first instance; (2) giving the FTC APA rulemaking 
authority, to allow us to craft flexible rules that reflect stakeholder 
input and can be periodically updated to keep up with future 
innovations; and (3) repealing the common carrier and nonprofit 
exemptions under the FTC Act to ensure that more of the entities 
entrusted with consumer data are held to consistent standards. From a 
policy perspective, I care deeply about making sure consumers have 
meaningful information about how and when their data is being 
collected, used and shared; lengthy and unintelligible click-through 
contracts do not provide this information today. Furthermore, I am 
concerned that consumers do not have meaningful choice when it comes to 
accepting the terms presented today for data use and sharing, because 
refusal to consent often leaves consumers unable to access services 
necessary for participation in contemporary democratic society. I think 
policymakers should endeavor to provide consumers with as much choice 
as practicable regarding their data; to that end, I encourage Congress 
to also think seriously about the implications of privacy rules on 
competition so that if a customer prefers a more privacy-protective 
product, she has the information and options available to meet that 
preference.

    Question 2. Can you also outline the optimal role you see for our 
state Attorneys General in this privacy enforcement process?
    Answer. I believe state Attorneys General should be given full 
enforcement authority under any Federal privacy legislation. The state 
AGs are critical partners in our enforcement efforts and would help 
ensure compliance with Federal privacy rules--we cannot have too many 
cops on the beat.
Data Privacy--Binding Contracts?
    We live with this time information inundation where people can't 
really read privacy policies and fairly agree to their content. But, we 
all know that basically no one reads privacy policies--and indeed, no 
reasonable person should read privacy policies, because according to 
research done at Carnegie Mellon, it would take 76 work days to read 
all of the privacy policies on encounters in a year. Companies take 
advantage of the fact that no one reads privacy policies to bury terms 
in those policies that no rational consumer would agree to (such as 
Grindr selling its users HIV status to third parties).

    Question. Should these terms of service be binding contracts?
    Answer. Without comprehensive privacy legislation, the FTC relies 
heavily on our Section 5 authority to police data security and privacy 
practices, including our deception authority. For example, when a 
company makes representations to its users through its privacy policies 
but does not fulfill those promises, the FTC can bring and has brought 
enforcement actions against the company. In addition, if a company 
buries a material term of service in its terms and conditions, 
particularly if it is unexpected or contrary to the impression created 
more prominently elsewhere, it is unlikely that such a disclosure is 
adequate.
    As a general matter, we should be concerned about terms of service 
written so opaquely and unintelligibly that no reasonable customer can 
read or understand them. Furthermore, I am concerned that consumers do 
not have meaningful choice when it comes to accepting the terms 
presented today for data use and sharing, because refusal to consent 
often leaves consumers unable to access services necessary for 
participation in contemporary democratic society.
Privacy Risky Communities/Groups
    Question 1. Do you think that certain communities or groups are any 
more or less vulnerable to privacy risks and harms?
    Answer. I am concerned that marginalized communities and groups are 
especially vulnerable to elevated privacy risks and harms. Groups that 
historically have been subject to profiling or targeting are 
understandably wary of invasions of privacy. For example, we have heard 
from LGBTQ civil rights organizations about the unique risks their 
community faces from privacy violations. I would encourage the FTC to 
take an intersectional approach and work with you as well as directly 
affected communities to identify any existing data on these unique 
vulnerabilities and to explore research opportunities to gather and 
analyze additional data.

    Question 2. Should privacy law and regulations account for such 
unique or disparate harms, and if so, how?
    Answer. Privacy law and regulations should protect all consumers, 
but I believe there may be instances where additional protections are 
needed for certain types of data or certain groups of consumers--for 
example, our youngest consumers.
Immediate Civil Penalties Authority
    Noting from your FTC testimony, ``Section 5 (of the FTC Act), 
however, is not without limitations. For example, Section 5 does not 
provide for civil penalties, reducing the Commission's deterrent 
capability.''

    Question. While I appreciate the long term successes of the FTC in 
many respects to investigate data security matters, what are your 
thoughts to whether there is enough of a deterrent effect with Section 
5 authority when you can't immediately enforce against those who misuse 
data with civil penalties right from the start, rather than as the 
result of often times flagrant offenses to their already establish 
consent decrees?
    Answer. One need only open a newspaper (or scroll through a news 
feed) on any given day to see reports of new privacy and data-security 
incidents. If our current regime provided an effective deterrent, we 
would see fewer and fewer of these reports rather than more and more. 
So I do not believe that our Section 5 authority provides enough of a 
deterrent, which is one reason that I support comprehensive privacy 
legislation that would give the FTC the authority to impose money 
penalties for first-time violations.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Amy Klobuchar to 
                      Hon. Rebecca Kelly Slaughter
    The FTC is charged with enforcing the Children's Online Privacy 
Protection Act (COPPA) and has done so for the last two decades. 
Protecting the privacy of children has never been more important than 
it is now, but the online privacy of all Americas is also increasingly 
at risk.
    Question 1. Both [you and Commissioner Noah Phillips] have recently 
commented that we should learn from the FTC's experience in enforcing 
COPPA when we consider our approach to protecting consumer privacy more 
broadly. What lessons should we take away from the Commission's 
experience enforcing COPPA when considering ways to protect online 
privacy and data security for all Americans?
    Answer. One key takeaway from the Commission's experience enforcing 
COPPA is the flexibility afforded by APA Rulemaking. For example, in 
2013, the FTC was able to use its APA rulemaking authority to amend the 
COPPA Rule to address new business models, including social media and 
collection of geolocation information, that were not in place when the 
initial 2000 Rule was promulgated.
    The Federal Trade Commission's budget has remained flat for the 
past several years despite increasing demands on your agency's 
resources, including a significant rise in merger filings.

    Question 2. If additional resources were made available to the 
Federal Trade Commission, how would you deploy those resources to 
advance the agency's consumer protection and competition missions?
    Answer. The Commission is always looking for ways to use existing 
resources more efficiently, but additional resources would be put to 
good use and help us to do more to further our competition and consumer 
protection missions.
    With respect to our competition mission, additional resources could 
be dedicated to economic experts to support investigations and 
litigations, freeing up funding for more investigations and enforcement 
generally. Similarly, increasing the number of retrospective analyses 
of our merger enforcement decisions could be resource-intensive, but 
they help us learn from our enforcement decisions and inform future 
enforcement or merger investigations. Moreover, additional resources 
could be devoted to conducting studies of specific industries, 
including technology-related industries, in order to enhance and 
sharpen the Commission's understanding of competitive dynamics in 
emerging and developing markets.
    With respect to our consumer protection mission, additional 
resources to support the increasing numbers of investigations and 
enforcement actions are essential. In particular, the Commission needs 
more technologists, experts, investigators, and attorneys to keep pace 
with the challenges facing consumers in an increasingly complex and 
digital marketplace.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Tom Udall to 
                      Hon. Rebecca Kelly Slaughter
Privacy
    Question 1. Do you support strong civil penalties for consumer 
privacy violations?
    Answer. Yes.

    Question 2. The California Consumer Protection Act goes into effect 
in January 2020. As Congress considers pre-emption of that state law, 
what additional authority should we give the FTC to ensure that 
consumer privacy adequately is protected?
    Answer. I support strong comprehensive privacy legislation that 
would (1) empower the FTC to seek significant money penalties for 
privacy violations in the first instance; (2) give the FTC APA 
rulemaking authority, to allow us to craft flexible rules that reflect 
stakeholder input and can be periodically updated to keep up with 
technological developments; and (3) repeal the common carrier and 
nonprofit exemptions under the FTC Act to ensure that more of the 
entities entrusted with consumer data are held to consistent standards. 
Moreover, I support an increase in resources and personnel to enable 
the FTC to use these enforcement tools effectively.

    Question 3. A recent New York Times analysis found that both the 
Apple App Store and the Google Play Store have apps in their respective 
children's or family sections that potentially violate COPPA. What 
specific role should platform owners play to ensure COPPA compliance on 
their platforms?
    Answer. In 2012, the Commission revised the COPPA Rule to cover not 
only websites, app developers, and other online services but also third 
parties collecting personal information from users of those sites or 
services. At that time, the Commission made clear that it did not 
intend to make platforms responsible merely for offering consumers 
access to someone else's child-directed content. Rather, they would be 
liable under COPPA only if they had actual knowledge that they were 
collecting personal information from a child-directed app. At the same 
time, platforms are in a unique position to set and enforce rules for 
apps that seek placement in the platform's store and to drive good 
practices.

    Question 4. Compliance for mobile apps may be hard to achieve 
against fly-by-night operators overseas who do not care if their apps 
violate U.S. law. How can the Vtech Electronics investigation and civil 
penalty serve as an example for how the FTC can hold foreign app 
developers responsible for violating COPPA?
    Answer. In addition to the VTech case you mention, the Commission 
has taken action in a number of privacy- or security-related cases 
against companies that have a foreign presence, including Musical.ly, 
TrendNet, inMobi, ASUS, and HTC.\2\ In each of these cases, the FTC 
obtained successful relief for consumers in the United States, 
including a substantial civil penalty in the Musical.ly, VTech, and 
inMobi settlements. The Commission has also used other means to address 
illegal conduct affecting U.S. consumers. For example, a few years ago 
Commission staff sent a warning letter to a Chinese company, Baby Bus, 
about COPPA violations relating to the collection of children's 
personal information through its apps. The Commission copied the app 
platforms on this communication. The company quickly responded and 
addressed the concerns.
---------------------------------------------------------------------------
    \2\ United States v. Musical.ly, No. 2:19-cv-01439 (C.D. Cal. filed 
Feb. 27, 2019), https://www.ftc.gov/enforcement/cases-proceedings/172-
3004/musically-inc; In re: TRENDnet, Inc., No. C-4426 (Jan. 16, 2014), 
https://www.ftc.gov/enforcement/cases-proceedings/122-3090/trendnet-
inc-matter; United States v. InMobi Pte Ltd., No. 3:16-cv-3474 (N.D. 
Cal. filed June 22, 2016), https://www.ftc.gov/enforcement/cases-
proceedings/152-3203/inmobi-pte-ltd; In re ASUSTeK Computer Inc., No. 
C-4587 (July 18, 2016), https://www.ftc.gov/enforcement/cases-
proceedings/142-3156/asustek-computer-inc-matter; In re HTC America 
Inc., No. C-4406 (July 25, 2013), https://www.ftc.gov/enforcement/
cases-proceedings/122-3049/htc-america-inc-matter.

    Question 5. The COPPA safe harbor organizations must submit an 
annual report to the Federal Trade Commission, Can you share the 
reports from the last 5 years?
    Answer. The FTC-approved safe harbor organizations do submit annual 
reports to the FTC each year. However, these organizations claim 
confidentiality with respect to the information in their annual 
reports. I generally support increased transparency of these reports, 
and I would be glad to work with your office to identify appropriate 
ways to make this information available.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. John Thune to 
                        Hon. Christine S. Wilson
    Question 1. Vertical mergers such as the merger between AT&T and 
Time Warner have garnered some attention lately. The FTC and the DOJ 
have not updated vertical merger guidance since 1984. Do you believe 
that the FTC and DOJ should issue new guidance on vertical mergers?
    Answer. I believe that the 1984 Department of Justice Non-
Horizontal Merger Guidelines \1\ are out of date. As we heard during 
our hearing on the topic in November 2018, our understanding of the 
economics of vertical integration has changed over the past thirty-five 
years.\2\ The law governing vertical relationships, and particularly 
vertical conduct such as resale price maintenance, has also changed 
since then.\3\
---------------------------------------------------------------------------
    \1\ U.S. Dep't of Justice Non-Horizontal Merger Guidelines (1984), 
https://www.justice.gov/sites/default/files/atr/legacy/2006/05/18/
2614.pdf.
    \2\ FTC, Hearings on Competition and Consumer Protection in the 
21st Century, https://www.ftc.gov/policy/hearings-competition-consumer-
protection; see also FTC Workshop, FTC Hearing #5: Competition and 
Consumer Protection in the 21st Century (Nov. 1, 2018), https://
www.ftc.gov/news-events/events-calendar/ftc-hearing-5-competition-
consumer-protection-21st-century.
    \3\ See, e.g., Leegin Creative Leather Prods., Inc. v. PSKS, Inc., 
551 U.S. 887 (2007) (minimum resale price maintenance must be analyzed 
under the rule of reason rather than the per se rule); State Oil Co. v. 
Khan, 552 U.S. 3 (1997) (same holding, but as applied to maximum resale 
price maintenance).
---------------------------------------------------------------------------
    The agencies traditionally issue guidelines to promote transparent 
and predictable agency enforcement. This goal can be achieved in 
several different ways. For example, the agencies may use guidelines to 
summarize the current state of the law. Alternatively, when the law is 
not particularly clear, the agencies may use guidelines to clarify how 
they intend to approach topics on which there is no clear binding 
precedent. The agencies may also use guidelines either (a) to disclose 
and formalize an approach the agencies already use or (b) to advance 
new analytic techniques. For a variety of reasons, it is not clear to 
me that new vertical merger guidelines could meaningfully increase the 
transparency and predictability of our vertical merger decisions.
    However, there is a range of alternatives between the two extremes 
of issuing guidelines and saying nothing. For example, the agencies 
already provide substantial insight on vertical merger analysis through 
speeches,\4\ public statements,\5\ and rigorous case selection.\6\ I 
believe this approach is well worth considering as an alternative to 
issuing new formal guidelines.
---------------------------------------------------------------------------
    \4\ See, e.g., Christine S. Wilson, Vertical Merger Policy: What Do 
We Know and Where Do We Go?, Keynote Address at GCR Live 8th Annual 
Antitrust Law Leaders Forum (Feb. 1, 2019), https://www.ftc.gov/system/
files/documents/public_statements/1455670/wilson_-_vertical_mer
ger_speech_at_gcr_2-1-19.pdf; Bruce Hoffman, Vertical Merger 
Enforcement at the FTC, Remarks at Credit Suisse 2018 Washington 
Perspectives Conference (Jan. 10, 2018), https://www
.ftc.gov/public-statements/2018/01/vertical-merger-enforcement-ftc 
(explaining the FTC's current analysis of proposed vertical mergers and 
highlighting the extent to which that analysis has moved beyond the 
1984 Non-Horizontal Merger Guidelines).
    \5\ See, e.g., In re Fresenius Med. Care AG & Co., FTC File No. 
171-0227 (Feb. 19, 2019), https://www.ftc.gov/enforcement/cases-
proceedings/171-0227/fresenius-medical-care-nxstage-medical-matter 
(Statements of (i) Chairman Simons, Commissioner Phillips, and 
Commissioner Wilson; (ii) Commissioner Chopra; and (iii) Commissioner 
Slaughter); In re Sycamore Partners II, L.P., FTC File No. 181-0180 
(Jan. 28, 2019), https://www.ftc.gov/enforcement/cases-proceedings/181-
0180/sycamore-partners-ii-lp-staples-inc-essendant-inc-matter 
(Statements of (i) Chairman Simons, Commissioner Phillips, and 
Commissioner Wilson; (ii) Commissioner Wilson; (iii) Commissioner 
Chopra; and (iv) Commissioner Slaughter).
    \6\ For example, the Commission recently challenged a vertical 
merger between Northrop Grumman, a leading provider of missile systems 
to the Department of Defense, and Orbital ATK, a key supplier of solid 
rocket motors. In re Northrop Grumman, Dkt. C-4652 (June 5, 2018), 
https://www.ftc.gov/enforcement/cases-proceedings/181-0005-c-4652/
northrop-grumman-orbital-atk. The Commission also accepted consent 
agreements to settle allegations that two other vertical mergers would, 
absent the remedies imposed, diminish competition. See Fresenius Med. 
Care AG & Co., FTC File No. 171-0227 (Feb. 19, 2019), https://
www.ftc.gov/system/files/documents/public_statements/1455719/
171_0227_fresenius_nxstage_majority_statement_2-19-19.pdf (Statement of 
Chairman Simons, Commissioner Phillips, and Commissioner Wilson 
Concerning the Proposed Acquisition of NxStage Medical, Inc. by 
Fresenius Medical Care AG & Co. KGaA) (explaining consent agreement 
addresses horizontal concern regarding harm to competition in market 
for bloodline tubing sets for hemodialysis treatment but finding no 
evidence of competitive harm from vertical concerns); In re Sycamore 
Partners II, L.P., Staples, Inc., and Essendant Inc., Dkt. C-4667 (Jan. 
25, 2018), https://www.ftc.gov/enforcement/cases-proceedings/181-0180/
sycamore-partners-ii-lp-staples-inc-essendant-inc-matter (Statement of 
Chairman Simons, Commissioner Phillips, and Commissioner Wilson) 
(consent agreement resolving charges that a merger between Staples, the 
world's largest retailer of office products and related services, and 
Essendant, a wholesale distributor of office products, was likely to 
harm competition in the market for office supply products sold to 
small- and mid-sized businesses).

    Question 2. Government lawsuits to stop mergers are litigated using 
different procedures depending on which agency, the FTC or DOJ, handles 
the case. Do you think Congress should take action to ensure that 
agencies follow the same procedures, or do you support another 
approach?
    Answer. It is not clear to me why the use of different procedures, 
by itself, is problematic. Nor, apparently, was it clear to the 
legislators that enacted these different statutes. Absent strong 
evidence that these differences in procedure meaningfully affect the 
ultimate result, I see little reason to alter the machinery of 
antitrust enforcement.
    One procedural difference between the two antitrust agencies is the 
Commission's unique authority to initiate administrative litigation, 
which we call ``Part 3'' litigation after the relevant portion of our 
Rules of Practice. In theory it could be problematic for the agency to 
file a merger case in Part 3 litigation after seeking a preliminary 
injunction in Federal district court and having that request denied. I 
myself would not support proceeding in that circumstance. Yet the 
Commission has very rarely done so in practice, and indeed has over the 
years put in place several safeguards to ensure the practice remains 
very rare. For example, under Commission Rule 3.26,\7\ the Commission 
automatically stays a pending Part 3 matter if a Federal district court 
denies the staff's request for a preliminary injunction and the 
respondent makes a timely motion thereafter to withdraw the case from 
Part 3 adjudication.\8\ Moreover, the Commission's stated policy is to 
proceed in such circumstances only when several conditions are met.\9\ 
In practice these conditions obtain, and the Commission proceeds, only 
very rarely.\10\
---------------------------------------------------------------------------
    \7\ 16 C.F.R. Sec. 3.26.
    \8\ Id. Sec. 3.26(c).
    \9\ See Administrative Litigation Following the Denial of a 
Preliminary Injunction: Policy Statement, 60 Fed. Reg. 39,741 (Aug. 3, 
1995), available at https://www.ftc.gov/sites/default/files/
attachments/merger-review/950803administrativelitigation.pdf.
    \10\ See, e.g., Press Release, FTC Withdraws Appeal Seeking a 
Preliminary Injunction to Stop LabCorp's Integration with Westcliff 
Medical Laboratories, Mar. 24, 2011, https://www.ftc.gov/news-events/
press-releases/2011/03/ftc-withdraws-appeal-seeking-preliminary-
injunction-stop-labcorps (noting the vote to withdraw the matter from 
litigation was 5-0); Statement of Commissioners Leibowitz, Kovacic, and 
Ramirez, In re Laboratory Corp. of Am., FTC Docket No. 9345 (Apr. 21, 
2011), available at https://www.ftc.gov/system/files/documents/
public_state
ments/568671/110422labcorpcommstmt.pdf (concluding, under an earlier 
version of Rule 3.26 and after applying the factors listed in the 
Commission's 1995 policy statement, that the Commission should not 
proceed with administrative litigation following a Federal district 
court's order denying a request for a preliminary injunction).
---------------------------------------------------------------------------
    In contrast to the largely theoretical problems with Part 3 
litigation, there is substantial evidence that this procedure can 
provide real benefits. A detailed analysis of every case the Commission 
brought in Part 3 since 1977--more than one hundred cases in all--
concluded that our administrative litigation authority provided ``clear 
value'' in complex antitrust cases that require the agency's 
``institutional expertise in law and economics.'' \11\ This has been 
particularly true in ``healthcare mergers, pay-for-delay agreements, 
and state-action immunity'' cases.\12\ The same analysis found scant 
evidence that the Part 3 process disfavors defendants.\13\
---------------------------------------------------------------------------
    \11\ Maureen K. Ohlhausen, Administrative Litigation at the FTC: 
Effective Tool for Developing the Law or Rubber Stamp?, 12 J. Comp. L. 
& Econ. 623, 656 (2016).
    \12\ Id.
    \13\ Id. at 656-57 (noting both due process protections afforded to 
defendants and the significant proportion of cases (40 percent) in 
which the Commission ultimately rejected antitrust liability).
---------------------------------------------------------------------------
    In summary, I am loathe to ``fix'' procedural differences between 
the two antitrust agencies without strong evidence both that there is a 
problem and that the proposed solution is meaningfully better. For 
example, there is scant evidence that one procedural difference, Part 3 
administrative litigation, is problematic. There is instead substantial 
evidence that Part 3 litigation has helped us protect competition in 
key sectors of our economy, such as health care.

    Question 3. Should Congress amend Section 5(n) of the FTC Act, 
which addresses unfair practices, to clarify what constitutes 
``substantial injury?'' If so, how?
    Answer. No. Neither the Commission, nor the Courts who have ruled 
on this issue, have struggled to interpret that element. Substantial 
injury can be financial, physical, reputational, or unwanted 
intrusions. Financial injury can manifest in a variety of ways: 
fraudulent charges, delayed benefits, expended time, opportunity costs, 
fraud, and identity theft, among other things.\14\ Physical injuries 
include risks to individuals' health or safety, including the risks of 
stalking and harassment.\15\ Reputational injury involves disclosure of 
private facts about an individual, which damages the individual's 
reputation. Tort law recognizes reputational injury.\16\ The FTC has 
brought cases involving this type of injury, for example, in a case 
involving public disclosure of individuals' Prozac use \17\ and public 
disclosure of individuals' membership on an infidelity-promoting 
website.\18\ Finally, unwanted intrusions involve two categories. The 
first includes activities that intrude on the sanctity of people's 
homes and their intimate lives. The FTC's cases involving a revenge 
porn website,\19\ an adult-dating website,\20\ and companies spying on 
people in their bedrooms through remotely-activated webcams fall into 
this category.\21\ The second category involves unwanted commercial 
intrusions, such as telemarketing, spam, and harassing debt collection 
calls.
---------------------------------------------------------------------------
    \14\ See, e.g., TaxSlayer, LLC, No. C-4626 (F.T.C. Oct. 20, 2017) 
(Complaint), https://www.ftc.gov/enforcement/cases-proceedings/162-
3063/taxslayer (alleging delayed benefits, expended time, and risk of 
identity theft).
    \15\ See, e.g., FTC v. Accusearch, Inc., No. 06-CV-0105 (D. Wyo. 
May 3, 2006) (Complaint), https://www.ftc.gov/enforcement/cases-
proceedings/052-3126/accusearch-inc-dba-abikacom-jay-patel (alleging 
that telephone records pretexting endangered consumers' health and 
safety).
    \16\ Under the tort of public disclosure of private facts (or 
publicity given to private life), a plaintiff may recover where the 
defendant's conduct is highly offensive to a reasonable person. 
Restatement (Second) of Torts Sec. 652D (1977).
    \17\ Eli Lilly and Co., No. C-4047 (F.T.C. May 8, 2002), https://
www.ftc.gov/enforcement/cases-proceedings/012-3214/eli-lilly-company-
matter.
    \18\ FTC v. Ruby Corp., et al., No. 1:16-cv-02438 (D.D.C. Dec. 14, 
2016), https://www.ftc.gov/enforcement/cases-proceedings/152-3284/
ashley-madison.
    \19\ FTC v. EMP Media, Inc., et al., No. 2:18-cv-00035 (D. Nev. 
Jan. 9, 2018), https://www.ftc.gov/enforcement/cases-proceedings/162-
3052/emp-media-inc-myexcom.
    \20\ FTC v. Ruby Corp., et al., No. 1:16-cv-02438 (D.D.C. Dec. 14, 
2016), https://www.ftc.gov/enforcement/cases-proceedings/152-3284/
ashley-madison.
    \21\ See Press Release, FTC Halts Computer Spying (Sept. 25, 2012), 
https://www.ftc.gov/news-events/press-releases/2012/09/ftc-halts-
computer-spying; see also Aaron's, Inc., C-4442 (F.T.C. Mar. 10, 2014), 
https://www.ftc.gov/enforcement/cases-proceedings/122-3256/aarons-inc-
matter.

    Question 4. Should the FTC issue more guidance to marketers on the 
level of support needed to substantiate their claims? If so, when do 
you anticipate that such guidance could be issued?
    Answer. The FTC has issued extensive guidance over the years to 
help marketers in determining the level of support needed to 
substantiate claims. The Commission first articulated the relevant 
factors used to determine the level of evidence required to 
substantiate objective performance claims in Pfizer, Inc., 81 F.T.C. 23 
(1972). Those factors included the type of claim, the type of product, 
the consequences of a false claim, the benefits of a truthful claim, 
the cost of developing substantiation for the claim, and the amount of 
substantiation experts in the field believe is reasonable. The 
Commission and the courts have reaffirmed this standard many times 
since 1972.\22\ The FTC also has provided extensive guidance through 
Guides, staff guidance documents, speeches, and presentations to 
industry trade groups and industry attorneys.\23\
---------------------------------------------------------------------------
    \22\ See, e.g., Thompson Med. Co., 104 F.T.C. 648, 813 (1984), 
aff'd, 791 F.2d 189 (D.C. Cir. 1986); Daniel Chapter One, 2009 WL 
5160000 at *25-26 (F.T.C. 2009), aff'd, 405 Fed. Appx. 505 (D.C. Cir. 
2010) (unpublished opinion), available at 2011-1 Trade Cas. (CCH)  
77,443 (D.C. Cir. 2010); POM Wonderful, LLC, 155 F.T.C. 1, 55-60 
(2013), aff'd, 777 F.3d 478 (D.C. Cir. 2015), cert. denied, 136 S. Ct. 
1839, 194 L. Ed. 2d 839 (2016); FTC Policy Statement Regarding 
Substantiation, 104 F.T.C. 839, 840 (1984) (appended to Thompson Med. 
Co., 104 F.T.C. 648 (1984)).
    \23\ See Guides for the Use of Environmental Marketing Claims, 16 
C.F.R. Sec. 260.2 (2019), https://www.ecfr.gov/cgi-bin/text-
idx?SID=bd96b2cdcd01f7620d43e50a9d1d8cec&mc=true&
node=se16.1.260_12&rgn=div8; Dietary Supplements: An Advertising Guide 
for Industry, https://www.ftc.gov/tips-advice/business-center/guidance/
dietary-supplements-advertising-guide-industry.
---------------------------------------------------------------------------
    As late as 2014, the Commission took a more stringent view on 
substantiation, requiring in orders that companies support challenged 
diet and health claims with two randomized, placebo-controlled, double 
blind clinical trials (``RCTs'').\24\ Recently, the D.C. Circuit 
correctly rejected the Commission's heightened requirements on First 
Amendment grounds, noting the Commission failed ``to justify a 
categorical floor of two RCTs for any and all disease claims.'' \25\ 
Today, the Commission has returned to its traditional, more flexible 
standard.\26\ As noted above, this approach is encapsulated in the 
Pfizer opinion and reflects the central role of balancing the costs of 
prohibiting truthful claims against the benefits of prohibiting false 
claims.\27\
---------------------------------------------------------------------------
    \24\ See Applied Food Sciences, Inc., FTC File No. 142-3054 (Sept. 
10, 2014) (stipulated final judgment and order), https://www.ftc.gov/
system/files/documents/cases/140908afsstip1.pdf; In re The Dannon 
Company, Inc., FTC File No. 082-3158 (Feb. 4, 2011) (decision and 
order), https://www.ftc.gov/sites/default/files/documents/cases/2011/
02/110204dannondo.pdf; In re Nestle Healthcare Nutrition, Inc., FTC 
File No. 092-3087 (Jan. 18, 2011) (decision and order), https://
www.ftc.gov/sites/default/files/documents/cases/2011/01/
110118nestledo.pdf; FTC v. Iovate Health Sciences USA, Inc., Case. No. 
10-CV-587 (W.D.N.Y. July 29, 2010) (stipulated final judgment and 
order), https://www.ftc.gov/sites/default/files/documents/cases/2010/
07/100729iovatestip.pdf. This level of substantiation exceeds what is 
specified in the Commission's Dietary Supplements Guide. Dietary 
Supplements: An Advertising Guide for Industry, https://www.ftc.gov/
tips-advice/business-center/guidance/dietary-supplements-advertising-
guide-industry.
    \25\ POM Wonderful, LLC v. FTC, 777 F.3d 478, 502 (D.C. Cir. 2015) 
(``If there is a categorical bar against claims about the disease 
related benefits of a food product or dietary supplement in the absence 
of two RCTs, consumers may be denied useful, truthful information about 
products with a demonstrated capacity to treat or prevent serious 
disease. That would subvert rather than promote the objectives of the 
commercial speech doctrine.'').
    \26\ See e.g., Nobetes Corp., Case No. 2:18-cv-10068-KS (Dec. 13, 
2018) (stipulated order) (requiring ``competent and reliable scientific 
evidence shall consist of human clinical testing of the Covered 
Product, or of an Essentially Equivalent Product, that is sufficient in 
quality and quantity based on standards generally accepted by experts 
in the relevant disease, condition, or function to which the 
representation relates, when considered in light of the entire body of 
relevant and reliable scientific evidence, to substantiate that the 
representation is true.''), https://www.ftc.gov/system/files/documents/
cases/nobetes_-_signed_stipulated_order.pdf.
    \27\ See generally J. Howard Beales, Timothy J. Muris & Robert 
Pitofsky, In Defense of the Pfizer Factors, in THE REGULATORY 
REVOLUTION AT THE FTC: A THIRTY-YEAR PERSPECTIVE ON COMPETITION AND 
CONSUMER PROTECTION 83 (James C. Cooper ed., 2013) (All three of the 
authors served as Director of the Bureau of Consumer Protection and two 
served as Chairman at the FTC. The article provides a comprehensive 
discussion of Pfizer).
---------------------------------------------------------------------------
    The Commission's guidance sets forth flexible principles that can 
be applied to multiple products and claims. It does not attempt to 
answer every question about substantiation, given the virtually 
limitless range of advertising claims, products, and services to which 
it could be applied. Instead, it seeks to strike the right balance 
between being specific enough to be helpful but not so granular that it 
would overlook some important factor that might arise under given 
circumstances and thereby actually chill useful speech.

    Question 5. In June, the 11th Circuit vacated the Commission's data 
security order against Lab-MD. What effect, if any, will this have on 
the Commission's data security orders going forward?
    Answer. The Eleventh Circuit determined that the mandated data 
security provision of the Commission's LabMD Order was insufficiently 
specific. The opinion did not have any effect on the FTC's use of 
Section 5 to protect consumers from deceptive or unfair data security 
practices. We are engaged in an ongoing process to craft appropriate 
order language in data security cases, based on the Eleventh Circuit 
opinion, feedback we received from our December hearing on data 
security, and our own internal discussion of how our orders can create 
better deterrence of future misconduct using our existing tools.

    Question 6. If Federal privacy legislation is passed, what 
enforcement tools would you like to be included for the FTC?
    Answer. First, I would recommend that Congress consider giving the 
FTC the authority to seek civil penalties for initial privacy 
violations, which will create an important deterrent effect. Second, 
while the process of enacting Federal privacy legislation will involve 
difficult tradeoffs that are appropriately left to Congress, targeted 
APA rulemaking authority, similar to that in the Children's Online 
Privacy Protection Act, will allow the FTC to keep up with 
technological developments. For example, in 2013, the FTC was able to 
use its APA rulemaking authority to amend the COPPA Rule to address new 
business models, including social media and collection of geolocation 
information, that were not in place when the initial 2000 Rule was 
promulgated. Third, the FTC could use broader enforcement authority to 
take action against common carriers and nonprofits, which it cannot 
currently do under the FTC Act. I also believe that the promulgation of 
Federal privacy legislation should be undertaken in conjunction with 
national data breach notification and data security legislation.

    Question 7. During the hearing, I asked you whether the FTC would 
consider using its section 6(b) authority to study consumer information 
data flows, specifically sending requests to Google, Facebook, Amazon, 
and others in the tech industry to learn what information they collect 
from consumers and how that information is used, shared, and sold. You 
responded, ``Sure, 6(b) is a really powerful tool and that's the type 
of thing that might very well make sense for us to use it for.'' I 
believe the FTC's section 6(b) authority could provide some much needed 
transparency to consumers about the data practices of large technology 
companies, and help identify areas that may require additional 
attention from lawmakers. Can you explain in more detail whether you 
believe the FTC should conduct a study pursuant to section 6(b) of the 
Federal Trade Commission Act on the data collection, use, filtering, 
sharing, and sale practices of large technology companies?
    Answer. The FTC's section 6(b) authority could be used to conduct a 
study about the data practices of large technology companies. The FTC 
has a comparative advantage in policy research and development through 
the use of 6(b) studies, which allows the Commission to proceed in 
measured and thoughtful ways on complicated policy questions. I will 
continue to encourage the Commission to issue 6(b) studies in the 
technology area.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Jerry Moran to 
                        Hon. Christine S. Wilson
    Question 1. Section 5(a) of the FTC Act, which prohibits ``unfair 
or deceptive acts or practices in or affecting commerce'' is the legal 
basis for a body of consumer protection law that covers data privacy 
and security practices. The FTC has brought hundreds of cases to date 
to protect the privacy and security of consumer information held by 
companies of all sizes under this authority. The FTC staff recently 
submitted comments to the National Telecommunications and Information 
Administration (NTIA) that clearly indicate the FTC staff's view that 
the FTC would be the appropriate agency to enforce a new comprehensive 
privacy legislative framework. Do you agree with the staff's view?
    Answer. Absolutely. The FTC has developed a substantial body of 
expertise on privacy issues over the past several decades, by bringing 
hundreds of cases, hosting approximately 70 workshops, and conducting 
numerous policy initiatives. The FTC is committed to using all of its 
expertise, its existing tools under the FTC Act, and whatever 
additional authority Congress gives us, to protect consumer privacy 
while promoting innovation and competition in the marketplace.

    Question 2. As Congress evaluates opportunities to create 
meaningful Federal legislation to appropriately ensure privacy of 
consumers' data, there have been suggestions to increase the FTC's 
authorities to enforce in this space. Will you commit to working with 
this Committee in measuring what resources, if any, will be needed to 
allow the agency to enforce any additional authorities that may or may 
not be provided in Federal legislation?
    Answer. Yes. We can certainly use additional resources, additional 
staff, and additional authorities including civil penalties, targeted 
APA rulemaking, and jurisdiction over non-profits and common carriers. 
We are committed to utilizing whatever additional tools Congress gives 
us efficiently and vigorously.

    Question 3. Sharing responsibilities with the DOJ's Antitrust 
Division, the FTC enforces antitrust law in a variety of sectors as 
described by your testimony. While the vast majority of premerger 
filings submitted to enforcement agencies do not raise competition 
concerns, the FTC challenged 45 mergers since the beginning of 2017, 
and of those, the FTC only voted to initiate litigation to block five 
transactions. Would you please describe the resource needs of the 
agency associated with hiring qualified outside experts to support its 
litigation efforts? Please explain how developments in the high-
technology sector are accounted for in the FTC's decision-making 
process related to antitrust enforcement.
    Answer. I appreciate your attention to the agency's resource needs. 
The FTC is committed to maximizing its resources to enhance its 
effectiveness in protecting consumers and promoting competition, to 
anticipate and respond to changes in the marketplace, and to meet 
current and future challenges. Resource constraints, however, remain a 
significant challenge. As discussed in more detail below, evolving 
technologies and intellectual property issues continue to increase the 
complexity of antitrust investigations and litigation. This complexity, 
coupled with the rising costs of critical expert witnesses and 
increases in caseload, sometimes leads to financial and personnel 
resource limitations. In the past, we have requested additional 
resources for experts, information technology, and more full-time 
employees in support of our mission to protect consumers and promote 
competition. These continue to be critical areas of need for our 
agency. If we receive additional resources, they likely would be 
applied to these areas as needed.
    Qualified experts are a critical resource in all of the FTC's 
competition cases heading toward litigation. For example, the services 
of these expert witnesses are critical to the successful investigation 
and litigation of merger cases, as they provide insight on proper 
definition of product and geographic markets, the likelihood of entry 
by new competitors, and the development of models to contrast merger 
efficiencies with potential competitive harm.
    Expert witness costs are highly dependent on the number, scope, 
duration, and disposition of our Federal and administrative court 
challenges. The cost of an expert, for example, increases if we require 
the expert to testify or produce a report. To limit these costs, the 
FTC has identified and implemented a variety of strategies, including 
using internal personnel from its Bureau of Economics as expert 
witnesses whenever practical. The opportunities to use internal experts 
as testifying experts are limited, however, by several factors, 
including staff availability, testifying experience, and the 
specialized expertise required for specific matters. I will continue to 
encourage the FTC to evaluate how to increase its use of internal 
experts and control expert costs without compromising case outcomes or 
reducing the number of enforcement actions.
    In addition to expert witness costs, you asked about how 
developments in the high-technology sector factor into the FTC's 
decision-making process related to antitrust enforcement. The FTC 
closely follows activity in the high-technology sector. Given the 
important role that technology companies play in the American economy, 
it is critical that the Commission--in furthering its mission to 
protect consumers and promote competition--understand the current and 
developing business models and scrutinize incumbents' conduct to ensure 
that they abide by the same rules of competitive markets that apply to 
any company. When appropriate, the Commission will take action to 
counter the harmful effects of coordinated or unilateral conduct by 
technology firms.
    The fundamental principles of antitrust do not differ when applied 
to high-technology industries, including those in which patents or 
other intellectual property are highly significant. The issues, 
however, are often more complex and require different expertise, which 
may necessitate the hiring of outside experts or consultants to help us 
develop and litigate our cases. The FTC also strives to adapt to the 
dynamic markets we protect by leveraging the research, advocacy, and 
education tools at our disposal to improve our understanding of 
significant antitrust issues and emerging trends in business practices, 
technology, and markets. For example, last fall, the Commission 
launched its Hearings on Competition and Consumer Protection in the 
21st Century to consider whether the FTC's enforcement and policy 
efforts are keeping pace with changes in the economy, including 
advancements in technology and new business models made possible by 
those developments.\28\ I will continue to encourage the agency to 
scrutinize technology mergers and conduct by technology firms to ensure 
not only that consumers benefit from their innovative products, but 
also that competition thrives in this dynamic and highly influential 
sector.
---------------------------------------------------------------------------
    \28\ FTC, Hearings on Competition and Consumer Protection in the 
21st Century, https://www.ftc.gov/policy/hearings-competition-consumer-
protection. Recent hearings included a two-day workshop on the 
potential for collusive, exclusionary, and predatory conduct in 
multisided, technology-based platform industries. FTC Workshop, FTC 
Hearing #3: Competition and Consumer Protection in the 21st Century 
(Oct. 15-17, 2018), https://www.ftc.gov/news-events/events-calendar/
2018/10/ftc-hearing-3-competition-consumer-protection-21st-century. 
Similarly, in early November, the Commission held a two-day workshop on 
the antitrust frameworks for evaluating acquisitions of nascent 
competitors in the technology and digital marketplace, and the 
antitrust analysis of mergers and conduct where data is a key asset or 
product. FTC Workshop, FTC Hearing #6: Competition and Consumer 
Protection in the 21st Century (Nov. 6-8, 2018), https://www.ftc.gov/
news-events/events-calendar/ftc-hearing-6-competition-consumer-pro
tection-21st-century. Also in November, the Commission held a two-day 
workshop on the competition and consumer protection issues associated 
with algorithms, artificial intelligence, and predictive analysis in 
business decisions and conduct. FTC Workshop, FTC Hearing #7: 
Competition and Consumer Protection in the 21st Century (Nov. 13-14), 
https://www.ftc.gov/news-events/events-calendar/ftc-hearing-7-
competition-consumer-protection-21st-century.

    Question 4. Earlier this year, I introduced legislation called the 
Senior Scams Prevention Act with Senator Bob Casey to combat continued 
and increasingly complex attempts to defraud one of the Nation's most 
vulnerable populations, our senior community. This bill seeks to ensure 
retailers, financial institutions and wire transfer companies have the 
resources to train employees to help stop financial frauds and scams on 
seniors. Would you agree that awareness and education, guided by ``best 
practices'' established by industry and government partners, is a 
valuable tool in preventing consumer harms against our Nation's 
seniors?
    Answer. Yes. Protecting older consumers is one of the agency's top 
priorities. As the population of older Americans grows, the FTC's 
efforts to identify scams affecting seniors and to bring aggressive law 
enforcement action, as well as provide awareness and useful advice to 
seniors, become increasingly vital. Using research, the FTC developed 
its Pass It On campaign to share preventative information about frauds 
and scams with older adults.\29\ This popular campaign, used by many of 
our partners, engages active older adults to share the materials with 
people in their communities, including people in their lives who may 
need this information. The FTC stands ready to work with industry and 
our government partners to create additional material for industry, 
including retailers, financial institutions, wire transfer companies 
and others to help prevent harm to our Nation's seniors.
---------------------------------------------------------------------------
    \29\ FTC, FTC Website: Consumer Information--Pass it on, https://
www.consumer.ftc.gov/features/feature-0030-pass-it-on (providing 
consumer information on identity theft, imposter scams, charity fraud, 
and other topics).

    Question 5. In its comments submitted to NTIA on ``Developing the 
Administration's Approach to Consumer Privacy,'' the FTC discussed the 
various cases that it has taken up to address privacy-related harms to 
consumers, and it specifically noted four categories of harms: 
financial injury, physical injury, reputational injury, and unwanted 
intrusion. Could you please briefly describe each category while noting 
any FTC enforcement considerations specific to that type of harm?
    Answer. Certainly. Financial injury can manifest in a variety of 
ways: fraudulent charges, delayed benefits, expended time, opportunity 
costs, fraud, and identity theft, among other things.\30\ Physical 
injuries include risks to individuals' health or safety, including the 
risks of stalking and harassment.\31\ Reputational injury involves 
disclosure of private facts about an individual, which damages the 
individual's reputation. Tort law recognizes reputational injury.\32\ 
The FTC has brought cases involving this type of injury, for example, 
in a case involving public disclosure of individuals' Prozac use \33\ 
and public disclosure of individuals' membership on an infidelity-
promoting website.\34\ Finally, unwanted intrusions involve two 
categories. The first includes activities that intrude on the sanctity 
of people's homes and their intimate lives. The FTC's cases involving a 
revenge porn website,\35\ an adult-dating website,\36\ and companies 
spying on people in their bedrooms through remotely-activated webcams 
fall into this category.\37\ The second category involves unwanted 
commercial intrusions, such as telemarketing, spam, and harassing debt 
collection calls. In terms of enforcement considerations, as noted 
above, the FTC is very mindful of ensuring that it addresses these 
harms, while not impeding the benefits of data collection and use 
practices.
---------------------------------------------------------------------------
    \30\ See, e.g., TaxSlayer, LLC, No. C-4626 (F.T.C. Oct. 20, 2017) 
(complaint), https://www.ftc.gov/enforcement/cases-proceedings/162-
3063/taxslayer (alleging delayed benefits, expended time, and risk of 
identity theft).
    \31\ See, e.g., FTC v. Accusearch, Inc., No. 06-CV-0105 (D. Wyo. 
May 3, 2006) (complaint), https://www.ftc.gov/enforcement/cases-
proceedings/052-3126/accusearch-inc-dba-abikacom-jay-patel (alleging 
that telephone records pretexting endangered consumers' health and 
safety).
    \32\ Under the tort of public disclosure of private facts (or 
publicity given to private life), a plaintiff may recover where the 
defendant's conduct is highly offensive to a reasonable person. 
Restatement (Second) of Torts Sec. 652D (1977).
    \33\ Eli Lilly and Co., No. C-4047 (F.T.C. May 8, 2002), https://
www.ftc.gov/enforcement/cases-proceedings/012-3214/eli-lilly-company-
matter.
    \34\ FTC v. Ruby Corp., et al., No. 1:16-cv-02438 (D.D.C. Dec. 14, 
2016), https://www.ftc.gov/enforcement/cases-proceedings/152-3284/
ashley-madison.
    \35\ FTC v. EMP Media, Inc., et al., No. 2:18-cv-00035 (D. Nev. 
Jan. 9, 2018), https://www.ftc.gov/enforcement/cases-proceedings/162-
3052/emp-media-inc-myexcom.
    \36\ FTC v. Ruby Corp., et al., No. 1:16-cv-02438 (D.D.C. Dec. 14, 
2016), https://www.ftc.gov/enforcement/cases-proceedings/152-3284/
ashley-madison.
    \37\ See Press Release, FTC Halts Computer Spying (Sept. 25, 2012), 
https://www.ftc.gov/news-events/press-releases/2012/09/ftc-halts-
computer-spying; see also Aaron's, Inc., No. C-4442 (F.T.C. Mar. 10, 
2014), https://www.ftc.gov/enforcement/cases-proceedings/122-3256/
aarons-inc-matter.

    Question 6. In the FTC's recent comments in NTIA's privacy 
proceeding, the FTC said that its ``guiding principles'' are based on 
``balancing risk of harm with the benefits of innovation and 
competition.'' Would you describe what this means, how you strike this 
balance, and how it is applied in practice under your Section 5 
authority in the FTC Act?
    Answer. Regulations may impose significant costs on regulated 
companies, so new regulations must be handled with care to avoid 
stifling innovation or entrenching incumbents. The FTC has a 
longstanding history of weighing the countervailing benefits when 
determining if an injury to consumers justifies the imposition of a 
remedy. In unfairness cases, section 5(n) of the FTC Act requires us to 
strike this balance. It does not allow the FTC to bring a case alleging 
unfairness ``unless the act or practice causes or is likely to cause 
substantial injury to consumers, which is not reasonably avoidable by 
consumers themselves and not outweighed by benefits to consumers or to 
competition.'' Thus, for example, in our data security complaints and 
orders, we often plead the specific harms that consumers are likely to 
suffer from a company's data security failures. We do not assert that 
companies need to spend unlimited amounts of money to address these 
harms; in many of our cases, we specifically allege that the company 
could have fixed the security vulnerabilities at low or no cost.

    Question 7. The FTC's comments pertaining to ``control'' in NTIA's 
privacy proceeding stated, ``Choice also may be unnecessary when 
companies collect and disclose de-identified data, which can power data 
analytics and research, while minimizing privacy concerns.'' How would 
the FTC suggest Federal regulation account for de-identified data, if 
at all?
    Answer. This question is an excellent one, and pertains to an area 
in which I continue to listen to various perspectives and analyze 
policy ramifications. There are many potentially important uses for de-
identified data. But protecting privacy using de-identified information 
is becoming more complex as new and powerful tools are able to combine 
data sets and extract information. One possible standard identified in 
the FTC's 2012 Privacy Report states that data is de-identified if it 
is not ``reasonably linkable'' to a consumer, computer, or device.\38\ 
Data can be deemed to be de-identified to the extent that a company: 
(1) takes reasonable measures to ensure that the data is de-identified; 
(2) publicly commits not to try to re-identify the data; and (3) 
contractually prohibits downstream recipients from trying to re-
identify the data. Additionally, I think that we must invest in 
research and education to ensure consumers and the market place 
understand the evolving risks associated with de-identified data. 
Although this language provides some general principles for de-
identification, we would be happy to work with your staff on drafting 
more specific legislative language.
---------------------------------------------------------------------------
    \38\ Available at https://www.ftc.gov/sites/default/files/
documents/reports/federal-trade-commission-report-protecting-consumer-
privacy-era-rapid-change-recommendations/120326privacy
report.pdf.

    Question 8. Your testimony indicated that continued technological 
developments allow illegal robocallers to conceal their identities in 
``spoofing'' caller IDs while exponentially increasing robocall volumes 
through automated dialing systems. These evolving technological changes 
mean that the critical law enforcement efforts of the FTC cannot be the 
only solution, and your testimony described the additional steps the 
FTC is taking to develop innovative solutions to these issues. Would 
you please describe the process and outcomes of the four public 
challenges that the FTC held from 2013 to 2015? Are there plans to 
incentivize innovators to combat robocalls in the future?
    Answer. The FTC's process for its robocall challenges included 
public announcements, committees with independent judges, and, in some 
cases, cash prizes awarded under the America COMPETES Reauthorization 
Act.\39\ To maximize publicity, the FTC announced each of its four 
challenges in connection with public events. The FTC announced the 
first robocall challenge at the FTC's 2012 Robocall Summit. In 2014, 
the FTC conducted its second challenge, ``Zapping Rachel'' at DEF CON 
22. The FTC conducted its third challenge, ``DetectaRobo,'' in June 
2015 in conjunction with the National Day of Civic Hacking. The final 
phase of the FTC's fourth public robocall challenge took place at DEF 
CON 23. When the FTC held its first public challenge, there were few, 
if any, call blocking or call labeling solutions available for 
consumers. Today, two FTC challenge winners, NomoRobo and Robokiller, 
offer call blocking applications, and there are hundreds of mobile apps 
offering call blocking and call labeling solutions for cell phones. 
Many home telephone service providers also now offer call blocking and 
call labeling solutions. The FTC will not hesitate to initiate 
additional innovation contests if it identifies further challenges that 
could meaningfully benefit consumers by reducing the harm caused by 
illegal robocalls.
---------------------------------------------------------------------------
    \39\ See ``Details About the FTC's Robocall Initiatives'' at 
https://www.consumer.ftc.gov/features/feature-0025-robocalls.
---------------------------------------------------------------------------
    In addition to developing call blocking and call labeling 
technology, the telecom industry has also developed call verification 
technology, called STIR/SHAKEN, to help consumers know whether a call 
is using a spoofed Caller ID number and assist call analytics companies 
in implementing call blocking and call labeling products. If widely 
implemented and made available to consumers, the STIR/SHAKEN protocol 
should minimize unwanted calls. Certain industry members have begun to 
roll out this technology and it is in beta testing mode. I understand 
Chairman Pai recently called on the Nation's largest carriers to 
provide details about their caller ID authentication plans for 2019. I 
support this industry initiative.

    Question 9. Would you please describe the FTC's coordination 
efforts with state, federal, and international partners to combat 
illegal robocalls?
    Answer. The FTC frequently coordinates its efforts with its state, 
federal, and international partners. The FTC often brings robocall 
enforcement actions with states as co-plaintiffs. For example, in the 
FTC's case against Dish Network, litigated for the FTC by the 
Department of Justice, the FTC brought the case jointly with 
California, Illinois, North Carolina, and Ohio. Collectively, the 
states and the FTC obtained a historic $280 million trial verdict.\40\
---------------------------------------------------------------------------
    \40\ Press Release, FTC and DOJ Case Results in Historic Decision 
Awarding $280 Million in Civil Penalties Against Dish Network and 
Strong Injunctive Relief for Do Not Call Violations (June 6, 2017), 
https://www.ftc.gov/news-events/press-releases/2017/06/ftc-doj-case-
results-historic-decision-awarding-280-million-civil. The case is on 
appeal before the Seventh Circuit Court of Appeals.
---------------------------------------------------------------------------
    The FTC also coordinates outreach and education with the FCC. In 
2018, the agencies co-hosted two robocall events--a policy forum that 
discussed technological and law enforcement solutions to the robocall 
problem \41\ and a public expo that allowed companies offering call 
blocking and call labeling services to showcase their products for the 
public.\42\ Additionally, the FTC and FCC hold quarterly calls, speak 
regularly on an informal basis, and coordinate on a monthly basis with 
our state partners through the National Association of Attorneys 
General. The FTC also engages with international partners through 
participation in international law enforcement groups such as the 
International Consumer Protection Enforcement Network, International 
Mass Marketing Fraud Working Group, and the Unsolicited Communications 
Network (formerly known as the London Action Plan).
---------------------------------------------------------------------------
    \41\ Press Release, FTC and FCC to Host Joint Policy Forum and 
Consumer Expo to Fight the Scourge of Illegal Robocalls (Mar. 22, 
2018), https://www.ftc.gov/news-events/press-releases/2018/03/ftc-fcc-
host-joint-policy-forum-illegal-robocalls.
    \42\ Press Release, FTC and FCC to Co-Host Expo on April 23 
Featuring Technologies to Block Illegal Robocalls (Apr. 19, 2018), 
https://www.ftc.gov/news-events/press-releases/2018/04/ftc-fcc-co-host-
expo-april-23-featuring-technologies-block-0.

    cQuestion 10. Your testimony described the limitations of the FTC's 
current data security enforcement authority provided by Section 5 of 
the FTC Act including: lacking civil penalty authority, lacking 
authority over non-profits and common carrier activity, and missing 
broad APA rulemaking authority. Please describe each of these 
limitations and how adjusted FTC authority to address these items would 
improve the protection of consumers from data security risks.
    Answer. Under current law, the FTC cannot obtained civil penalties 
for first-time security violations. I believe this under-deters 
problematic data security practices. If Congress were to give us the 
authority to seek civil penalties for first-time violators (subject to 
statutory limitations on the imposition of civil penalties, such as 
ability to pay and stay in business), better deterrence would be 
achieved. As to APA rulemaking authority, though we are not seeking 
general APA rulemaking authority for a broad statute like Section 5, 
were Congress to enact specific data security legislation, it is 
important for the FTC to have APA rulemaking authority. Such authority 
will ensure that the FTC can enact rules and amend them as necessary to 
keep up with technological developments. For example, in 2013, the FTC 
was able to use its APA rulemaking authority to amend its Rule under 
the Children's Online Privacy Protection Act to address new business 
models, including social media and collection of geolocation 
information, that were not in place when the initial 2000 Rule was 
promulgated. As to nonprofits and common carriers, news reports are 
filled with breaches affecting these sectors (e.g., the education 
sector) and the FTC does not currently have jurisdiction over them. 
Giving the FTC jurisdiction over these entities for purposes of 
enforcing data security laws will create a level playing field and 
ensure that these entities are subject to the same rules as other 
entities that collect similar types of data.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Amy Klobuchar to 
                        Hon. Christine S. Wilson
    Question 1. Net neutrality is the bedrock of a fair, fast, open, 
and global internet. Now that the FCC has eliminated critical net 
neutrality protections that prevent Internet service providers from 
blocking, slowing, and prioritizing web traffic, it is clear that the 
FTC now has primary authority in preventing Internet abuses.
    a. Can you please describe the Commission's activity in policing 
the internet?
    b. Does the FTC have the resources and expertise to effectively 
fulfill its mission in this area?
    Answer. The consumer protection and competition issues raised by 
the growth of the Internet and all of its subsidiary technologies are 
not new to the FTC, which is well equipped to analyze potential conduct 
and business arrangements that may impact consumers and competition. 
The FTC's complementary competition and consumer protection tools are 
capable of protecting consumers and competition online.
    The FTC has significant expertise in understanding competition in 
broadband markets.\1\ From an antitrust perspective, the ultimate issue 
is whether broadband Internet access providers engage in unilateral or 
joint conduct that is likely to harm competition in a relevant market.
---------------------------------------------------------------------------
    \1\ See generally Comment of the Staff of the Bureau of Consumer 
Protection, Bureau of Competition, and Bureau of Economics of the Fed. 
Trade Comm'n, WC Docket No. 17-108 (filed July 17, 2017), https://
www.ftc.gov/system/files/documents/advocacy_documents/comment-staff-
bureau-consumer-protection-bureau-competition-bureau-economics-federal-
trade/ftc_staff_comment_to_fcc
_wc_docket_no17-108_7-17-17.pdf; Fed. Trade Comm'n, Broadband 
Connectivity Competition Policy (2007), https://www.ftc.gov/reports/
broadband-connectivity-competition-policy-staff-report.
---------------------------------------------------------------------------
    The FTC has reviewed a number of mergers in the Broadband Internet 
Access Service (``BIAS'') and Internet markets, and has required 
remedies where necessary to preserve competition. For example, in 2014, 
Nielsen Holdings N.V. agreed to divest and license assets and 
intellectual property to address the FTC's concerns that its 
acquisition of Arbitron Inc. might substantially lessen competition.\2\ 
In 2000, the Commission reviewed the merger of America Online, Inc. 
(``AOL'') and Time Warner and issued an order that resolved antitrust 
concerns by imposing a number of conditions to prevent the integrated 
firm from denying access to or discriminating against unaffiliated 
Internet Service Providers (``ISPs'').\3\ In 2006, the FTC scrutinized 
a transaction among firms that provided multichannel video programming 
distribution, closing its investigation after determining that the 
evidence did not suggest the proposed acquisition was likely to 
substantially lessen competition in any geographic region in the United 
States.\4\
---------------------------------------------------------------------------
    \2\ Nielsen Holdings N.V., No. C-4439 (F.T.C. Feb. 24, 2014), 
https://www.ftc.gov/enforcement/cases-proceedings/131-0058/nielsen-
holdings-nv-arbitron-inc-matter.
    \3\ Am. Online, Inc., No. C-3989 (F.T.C. Apr. 17, 2001), https://
www.ftc.gov/enforcement/cases-proceedings/0010105/america-online-inc-
time-warner-inc.
    \4\ Comcast Corporation, No. 051-0151 (F.T.C. Jan. 31, 2006) 
https://www.ftc.gov/public-statements/2013/07/acquisition-comcast-
corporation-and-time-warner-cable-inc-cable-assets.
---------------------------------------------------------------------------
    Likewise, the FTC's consumer protection tools are well suited to 
ensure that companies keep their promises to consumers about their 
broadband service. The FTC can take action against Section 5 violations 
by BIAS providers, also known as ISPs, for non-common carrier 
activities including deceptive advertising of services or prices, 
privacy violations, or unfair billing methods. The FTC recently has 
brought a number of throttling cases. In 2015, the FTC settled charges 
that TracFone, a large prepaid wireless provider, failed to disclose 
that it throttled the speeds of consumers on ``unlimited'' data plans. 
The company paid $40 million in consumer refunds.\5\ The FTC is 
currently litigating against AT&T Mobility over allegations that the 
company unfairly throttled the speeds of consumers on plans advertised 
as ``unlimited.'' \6\
---------------------------------------------------------------------------
    \5\ FTC v. TracFone Wireless, Inc., No. 15-cv-00392-EMC (N.D. Cal. 
Feb. 20, 2015), https://www.ftc.gov/enforcement/cases-proceedings/132-
3176/straight-talk-wireless-tracfone-wireless-inc.
    \6\ FTC v. AT&T Mobility LLC, 87 F. Supp. 3d 1087 (N.D. Cal. 2015) 
(No. C-14-4785 EMC) (complaint).
---------------------------------------------------------------------------
    The FTC has the expertise to effectively fulfill its mission in 
this area. The FTC also has the requisite resources. If Congress were 
to entrust us with additional resources, I am confident that we could 
deploy those resources in efficient and effective manners.

    Question 2. The Federal Trade Commission's budget has remained flat 
for the past several years despite increasing demands on your agency's 
resources, including a significant rise in merger filings.
    a. If additional resources were made available to the Federal Trade 
Commission, how would you deploy those resources to advance the 
agency's consumer protection and competition missions?
    Answer. To effectively and efficiently perform our antitrust and 
consumer protection missions, the FTC must receive sufficient funding 
to attract and retain competent staff, conduct investigations, engage 
in our important research and development, and produce timely consumer 
education materials. If additional resources were made available to the 
FTC, I would prioritize three areas.
    Health care expenditures as a percentage of GDP have been growing 
for several decades, and accounted for 17.9 percent of GDP in 2017. 
Given the importance of this sector to ordinary Americans, the FTC has 
long devoted significant attention to this arena. Both the FTC's Bureau 
of Competition and its Bureau of Consumer Protection have played a key 
role in promoting vibrant competition, ensuring accurate information 
about products and services, protecting consumers' sensitive medical 
information, and advising government entities on the likely impact of 
new regulations on entry and competition. The past decade has seen 
significant regulatory and technological changes that impact health 
care, as well as notable innovations in how health care is delivered to 
patients. The continuing growth of this sector, combined with 
significant concerns about health care costs, misuse of sensitive data, 
and burgeoning occupational licensing requirements, underscore the need 
for the FTC to maintain its focus on this industry. It is imperative 
for the FTC to continue increasing its understanding of how these 
developments affect patient choice and the quality of patient care, and 
how these changes should be incorporated into the Commission's advocacy 
and enforcement efforts.
    Trade across borders and the rapid proliferation of competition and 
consumer protection regimes generate benefits for consumers and 
businesses, but also give rise to potential pitfalls. Consumers can 
easily fall prey to fraudsters who have never set foot on U.S. soil, 
and foreign cartels can raise the prices of goods imported into the 
United States. American businesses can face exclusionary conduct from 
foreign competitors that limits access to markets overseas, and foreign 
governments can apply their competition laws in ways that 
disproportionately disadvantage U.S. companies. The FTC, together with 
the DOJ Antitrust Division, has long played a role in coordinating with 
and providing technical assistance to competition and consumer 
protection agencies in other jurisdictions. But challenges remain, and 
now more than ever the FTC and the DOJ Antitrust Division must assume a 
global leadership role in advancing sensible antitrust and consumer 
protection policies that promote competition, protect consumers, and 
move away from the use of competition and consumer protection regimes 
to favor national champions and advance industrial policy goals.
    Advances in technology create many benefits for consumers but 
present enforcement complexities for the FTC. Some of the most 
controversial public policy issues--e.g., the intersection of 
intellectual property and antitrust, data security and privacy--are 
rooted in continuing technological advances. An informed understanding 
of how technologies work and how their use affects consumers is 
therefore necessary to the sensible and economically grounded exercise 
of the FTC's authority. The FTC historically has taken advantage of its 
unique R&D capabilities--including 6(b) studies, hearings, and 
workshops to stay abreast of technological developments that may 
implicate new enforcement priorities and challenges, to fashion sound 
enforcement policies, and to make policy recommendations to Congress, 
as well as to Federal and state agencies. In fact, the FTC recently 
announced the creation of a task force, within the Bureau of 
Competition, to investigate competition in U.S. technology markets and 
take enforcement action when warranted. In light of this new 
initiative, the FTC is well positioned to be a thought leader on the 
complex issues that arise in this arena, and should continue taking 
full advantage of that capability.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Tom Udall to 
                        Hon. Christine S. Wilson
Privacy
    Question 1. Do you support strong civil penalties for consumer 
privacy violations?
    Answer. Yes. Under the FTC's current authority, we cannot seek 
civil penalties for initial privacy violations of Section 5 of the FTC 
Act. I believe we need the ability to seek civil penalties for initial 
violations in order to more effectively deter unlawful conduct. These 
penalties would of course be subject to the statutory limitations in 
Section 5(n) of the FTC Act, including ability to pay, degree of 
culpability and ability to continue to do business.

    Question 2. The California Consumer Protection Act goes into effect 
in January 2020. As Congress considers pre-emption of that state law, 
what additional authority should we give the FTC to ensure that 
consumer privacy adequately is protected?
    Answer. I support the enactment of Federal privacy legislation that 
would be enforced by the FTC and contain at least three components. 
First, as I noted above, it should give the Commission the ability to 
seek civil penalties for initial privacy violations. Second, it should 
give the Commission the ability to conduct APA rulemaking in order to 
make sure any legislation keeps up with technological developments. 
Third, it should give the Commission jurisdiction over nonprofits and 
common carriers. Beyond these general parameters, I note that the 
process of enacting Federal privacy legislation will involve difficult 
tradeoffs that are appropriately left to Congress. I also believe that 
the promulgation of Federal privacy legislation should be undertaken in 
conjunction with national data breach notification and data security 
legislation. No matter the specific privacy or data security laws 
Congress enacts, the Commission commits to using its extensive 
expertise and experience to enforce them vigorously and 
enthusiastically.

    Question 3. A recent New York Times analysis found that both the 
Apple App Store and the Google Play Store have apps in their respective 
children's or family sections that potentially violate COPPA.\7\ What 
specific role should platform owners play to ensure COPPA compliance on 
their platforms?
---------------------------------------------------------------------------
    \7\ Valentino-DeVries, J., Singer, N., Krolick, A., Keller, M. H., 
How Game Apps That Captivate Kids Have Been Collecting Their Data, N.Y. 
Times, Sept. 12, 2018, https://www.nytimes.com/interactive/2018/09/12/
technology/kids-apps-data-privacy-google-twitter.html.
---------------------------------------------------------------------------
    Answer. In 2012, the Commission revised the COPPA Rule to cover not 
just websites, app developers, and other online services but also third 
parties collecting personal information from users of those sites or 
services. At that time, the Commission made clear that it did not 
intend to make platforms responsible merely for offering consumers 
access to someone else's child-directed content. Rather, they would be 
liable under COPPA only if they had actual knowledge that they were 
collecting personal information from a child-directed app. At the same 
time, platforms are in a unique position to set and enforce rules for 
apps that seek placement in the platform's store and to drive good 
practices. We encourage platforms to pursue best practices in this 
regard, beyond those required by COPPA. For example, platforms can 
serve an important educational function for apps that may not 
understand the requirements of COPPA.

    Question 4. Compliance for mobile apps may be hard to achieve 
against fly-by-night operators overseas who do not care if their apps 
violate U.S. law. How can the Vtech Electronics investigation and civil 
penalty serve as an example for how the FTC can hold foreign app 
developers responsible for violating COPPA?
    Answer. The Commission benefits significantly from the expertise of 
its Office of International Affairs in cases involving foreign 
companies or individuals. In addition to the VTech case you mention, 
the Commission has taken action in a number of privacy- or security-
related cases against companies that have a foreign presence (see, 
e.g., TrendNet, inMobi, ASUS, and HTC).\8\ In some of these cases, for 
example, a foreign entity manufactured the devices at issue. In each of 
these cases, the FTC obtained successful relief for consumers in the 
United States, including substantial civil penalties in the VTech and 
inMobi settlements. More recently, the FTC took action against BLU, a 
U.S.-based phone manufacturer that was allowing its Chinese service 
provider to access text messages and other private information, 
contrary to its representations to consumers.\9\ The Commission has 
also used other means to address illegal conduct affecting U.S. 
consumers. For example, a few years ago Commission staff sent a warning 
letter to a Chinese company, Baby Bus, about COPPA violations relating 
to the collection of children's personal information through its apps. 
The Commission copied the app platforms on this communication. The 
company quickly responded and addressed the concerns.
---------------------------------------------------------------------------
    \8\ In re: TRENDnet, Inc., No. C-4426 (Jan. 16, 2014), https://
www.ftc.gov/enforcement/cases-proceedings/122-3090/trendnet-inc-matter; 
United States v. InMobi Pte Ltd., No. 3:16-cv-3474 (N.D. Cal. June 22, 
2016), https://www.ftc.gov/enforcement/cases-proceedings/152-3203/
inmobi-pte-ltd; In re ASUSTeK Computer Inc., No. C-4587 (July 18, 
2016), https://www.ftc.gov/enforcement/cases-proceedings/142-3156/
asustek-computer-inc-matter; In re HTC America Inc., No. C-4406 (July 
25, 2013), https://www.ftc.gov/enforcement/cases-proceedings/122-3049/
htc-america-inc-matter.
    \9\ In re BLU Prods. and Samuel Ohev-Zion, No. C-4657 (Sept. 6, 
2018), https://www.ftc.gov/enforcement/cases-proceedings/172-3025/blu-
products-samuel-ohev-zion-matter.

    Question 5. The COPPA safe harbor organizations must submit an 
annual report to the Federal Trade Commission, can you share the 
reports from the last 5 years?
    Answer. The FTC-approved safe harbor organizations do submit annual 
reports to the FTC each year. However, organizations claim 
confidentiality with respect to the information in their annual 
reports.
                                 ______
                                 
 Response to Written Questions Submitted by Hon. Richard Blumenthal to 
                        Hon. Christine S. Wilson
    Question 1. Do you support providing state AGs with the power to 
enforce Federal privacy protections and would you commit to working 
with state AGs?
    Answer. Yes. The Attorneys General are important partners in 
protecting consumers, and I believe the model of giving state Attorneys 
General the power to enforce Federal privacy protections ensures that 
there are multiple enforcers investigating potential law violations.

    Question 2. Why is it important that the FTC have rulemaking 
authority when it comes to privacy? Where best would rulemaking be 
applied?
    Answer. The process of enacting Federal privacy legislation will 
involve difficult tradeoffs that are appropriately left to Congress. 
APA rulemaking authority within those parameters is important, because 
it will enable the FTC to keep up with technology developments. For 
example, Congress gave the FTC APA rulemaking authority to implement 
the Children's Online Privacy Protection Act. In 2013, the FTC was able 
to use this authority to amend a Rule it had initially promulgated in 
2000, in order to address new business models, technologies such as 
smart phones, and social media and collection of geolocation 
information. I believe providing the FTC with APA rulemaking in 
targeted areas, as Congress did with the Children's Online Privacy 
Protection Act, would be most effective.

    Question 3. Do you believe elevating the Office of Technology 
Research and Investigation to the Bureau level would meaningfully help 
the FTC in addressing new technological developments across its 
mandates?
    Answer. At this time, I do not believe that elevating the Office of 
Technology Research and Investigation to the Bureau level would 
meaningfully help the FTC. However, I share your concerns and am 
actively thinking about how best to integrate technologists into our 
agency and how most effectively to deploy our limited resources to 
address our needs in this area. The FTC recently announced the creation 
of a task force within the Bureau of Competition to investigate 
competition in U.S. technology markets and take enforcement action when 
warranted. The task force will collaborate closely with the Bureaus of 
Consumer Protection and Economics. Moreover, we are continuing to 
examine technology markets to ensure consumers benefit from robust 
competition. This effort includes evaluating the information developed 
at the Commission's Hearings on Competition and Consumer Protection in 
the 21st Century.

    Question 4. What is the FTC doing to investigate and hold 
accountable individual board members and executives who knowingly 
assist their companies in committing fraud? What more should the FTC be 
doing in this regard?
    Answer. The FTC always considers the potential liability of 
individual officers and others who participated in or controlled 
deceptive and unfair practices. In cases where the FTC finds evidence 
of wrongdoing that meets the applicable legal standard, and where 
naming the individual is appropriate to obtain full and complete relief 
for consumers and appropriate injunctive relief, we do so.

    Question 5. Where the FTC consider using its Section 6(b) 
investigative power to help us understand how these algorithms and 
black-box A.I. systems work--the biases that shape them, and how those 
can affect trade, opportunity, and the market?
    Answer. I agree that algorithms and artificial intelligence are 
important topics of study. The FTC has issued a report on the subject 
of the benefits and risks of big data that contains guidance for 
companies that use big data analytics.\10\ In 2017, the FTC and 
Department of Justice submitted a joint paper on algorithms and 
collusion to the Organization for Economic Cooperation and Development 
(``OECD'') as part of the OECD's broader look at the role of 
competition policy and the digital age.\11\ More recently, we examined 
the competition and consumer protection implications of algorithms, 
artificial intelligence, and predictive analytics as part of the 
Commission's Hearings on Competition and Consumer Protection in the 
21st Century.\12\ The two-day hearing featured a distinguished group of 
technologists, scientists, public servants, academics, and industry 
leaders (as well as economists and lawyers), who gathered to educate us 
and the broader competition and consumer protection community about how 
these technologies work, how they are used in the marketplace, and 
their policy implications. The Commission also invited public 
commentary on this topic.
---------------------------------------------------------------------------
    \10\ See FTC, FTC Report--Big Data: A Tool for Inclusion or 
Exclusion? Understanding the Issues (Jan. 2016), https://www.ftc.gov/
system/files/documents/reports/big-data-tool-inclusion-or-exclusion-
understanding-issues/160106big-data-rpt.pdf.
    \11\ Note to the OECD by the United States on Algorithms and 
Collusion, DAF/COMP/WD(2017)41 (May 26, 2017), https://www.ftc.gov/
system/files/attachments/us-submissions-oecd-other-international-
competition-fora/algorithms.pdf.
    \12\ FTC, Hearings on Competition and Consumer Protection in the 
21st Century, https://www.ftc.gov/policy/hearings-competition-consumer-
protection; FTC Workshop, FTC Hearing #7: Competition and Consumer 
Protection in the 21st Century (Nov. 13-14, 2018), https://www.ftc.gov/
news-events/events-calendar/ftc-hearing-7-competition-consumer-
protection-21st-century.
---------------------------------------------------------------------------
    The FTC has a comparative advantage in policy research and 
development through the use of 6(b) studies, which allows the 
Commission to proceed in measured and thoughtful ways on complicated 
policy questions. I will continue to encourage the Commission to stay 
abreast of developments in these areas, including through the use of 
6(b) studies, when appropriate.

    Question 6. In your opinion, is a car with an open, unrepaired 
recall, a ``safe'' car? Why would the FTC allow unsafe cars to be 
advertised as ``safe'' and ``repaired for safety,'' with or without a 
vague, contradictory and confusing disclaimer?
    Answer. I share your concerns regarding the safety issues raised by 
recalls in the used automobile marketplace. As you note, while Federal 
auto safety law requires that all new cars sold be free from recalls, 
it does not prohibit auto dealers from selling used cars with open 
recalls.
    However, the FTC Act enables the Commission to stop auto dealers 
selling such cars from engaging in misleading advertising practices 
that mask the existence of open recalls. In an effort to stop such 
claims, in 2016 and 2017, the Commission brought actions against 
General Motors Company, CarMax, Inc., and four other large used car 
dealerships.\13\ In these actions, the Commission alleged that these 
companies' advertising claims violated the FTC Act by touting the 
rigorousness of their used car inspections while failing to clearly 
disclose the existence of unrepaired safety recalls in some cars.
---------------------------------------------------------------------------
    \13\ See Press Release, GM, Jim Koons Management, and Lithia Motors 
Inc. Settle FTC Actions Charging That Their Used Car Inspection Program 
Ads Failed to Adequately Disclose Unrepaired Safety Recalls, Jan. 28, 
2016, https://www.ftc.gov/news-events/press-releases/2016/01/gm-jim-
koons-management-lithia-motors-inc-settle-ftc-actions; Press Release, 
CarMax and Two Other Dealers Settle FTC Charges That They Touted 
Inspections While Failing to Disclose Some of the Cars Were Subject to 
Unrepaired Safety Recalls, Dec. 16, 2016, https://www.ftc.gov/news-
events/press-releases/2016/12/carmax-two-other-dealers-settle-ftc-
charges-they-touted.
---------------------------------------------------------------------------
    Our orders stop this deceptive conduct and provide important 
additional protections for consumers.

    Question 7. Do you agree with the proposal that the FTC use its 
rulemaking authority to address non-compete clauses? I invite you to 
explain your reasoning regarding your stance.
    Answer. I do not believe the Commission should use its rulemaking 
authority to address non-compete clauses. The Commission has long 
assessed the legality of business conduct on a case-by-case basis, 
rather than through blanket rulemaking, and we should continue to do 
so. So too have the courts, which have established the firm legal rule 
that a covenant not to compete does not violate the Sherman Act if it 
is ancillary to a significant lawful business purpose of the contract 
and is reasonably limited in scope to protect legitimate interests.\14\ 
The inquiry into the reasonableness of the scope of the clauses 
typically considers the duration, territory, and type of product 
involved. To the extent that these factors are factual, the case-by-
case approach of the common law is an appropriate way to develop the 
law regarding non-compete clauses. There is no reason to deviate from 
the common law tradition to establish Commission rules to assess non-
compete clauses.
---------------------------------------------------------------------------
    \14\ See, e.g., Eichorn v. AT&T Corp., 248 F.3d 131, 145 (3d Cir. 
2001).

    Question 8. Would you agree with me that Hart-Scott-Rodino 
premerger notifications help antitrust enforcers catch concerning 
mergers?
    Answer. Yes, I agree that the premerger notification requirements 
of the Hart-Scott-Rodino Premerger Notification Act help antitrust 
enforcers identify anticompetitive mergers before they are consummated, 
preventing consumer harm. Once a merger is consummated and the firms' 
operations are integrated, it can be very difficult, if not impossible, 
to ``unscramble the eggs'' and restore the acquired firm to its former 
status as an independent competitor.

    Question 9. What sort of anticompetitive effects might be raised by 
local mergers even when those mergers are too small to require Hart-
Scott-Rodino premerger notification?
    Answer. Anticompetitive mergers harm consumers through higher 
prices and by reducing quality, choices, and innovation, or by 
thwarting competitors' entry into a market.\15\ The arena of 
competition affected by a merger may be geographically bounded (e.g., 
confined to a small or local area) if geography limits some customers' 
willingness to or ability to substitute to some products, or some 
suppliers' willingness or ability to serve some customers.\16\
---------------------------------------------------------------------------
    \15\ U.S. Dep't of Justice & Fed. Trade Comm'n Horizontal Merger 
Guidelines Sec. 1 (2010), https://www.ftc.gov/public-statements/2010/
08/horizontal-merger-guidelines-united-states-department-justice-
federal (``A merger enhances market power if it is likely to encourage 
one or more firms to raise price, reduce output, diminish innovation, 
or otherwise harm customers as a result of diminished competitive 
constraints or incentives.'').
    \16\ Id. at Sec. 4.2. In antitrust analysis, a relevant market 
identifies a set of products or services and a geographic area of 
competition in which to analyze the potential effects of a proposed 
transaction. The purpose of market definition is to identify options 
available to consumers. See id. at Sec. 4 (describing market definition 
in antitrust analysis).
---------------------------------------------------------------------------
    The FTC often examines local geographic markets when reviewing 
mergers in retail markets, such as supermarkets, pharmacies, retail gas 
or diesel fuel stations, or funeral homes, or in service markets, such 
as health care. For example, in a recent Federal court action to enjoin 
the proposed merger of two rival physician services providers, the FTC 
and State of North Dakota defined the relevant geographic market as the 
Bismarck-Mandan, North Dakota, Metropolitan Statistical Area--a four-
county area that includes the cities of Bismarck and Mandan and smaller 
communities within the surrounding 40 to 50 mile radius.\17\ The types 
of anticompetitive effects that may occur in local markets are the same 
as those that may occur in larger geographic markets--higher prices, 
lower levels of service, reduced innovation, and fewer choices.
---------------------------------------------------------------------------
    \17\ FTC v. Sanford Health, No. 1:17-cv-0133 (D.N.D. Dec. 13, 
2017), https://www.ftc.gov/enforcement/cases-proceedings/171-0019/
sanford-health-ftc-state-north-dakota-v. The U.S. District Court for 
the District of North Dakota granted the FTC and State of North 
Dakota's preliminary injunction motion on December 13, 2017. The 
parties have appealed and the case is now pending before the Eighth 
Circuit.

    Question 10. What action would you recommend either the FTC or 
Congress take in order to assist Federal and state antitrust enforcers 
in catching local mergers that raise anticompetitive concerns?
    Answer. I have no opinion as to whether Congress should take 
action, but note that identifying anticompetitive mergers remains one 
of the top priorities of the agency's competition mission. The vast 
majority of mergers the FTC investigates are reported and examined at 
the premerger stage. The FTC, however, also devotes significant 
attention to identifying unreported, often consummated, mergers that 
could harm consumers. Both for mergers that do not meet the premerger 
notification requirements and for conduct matters, the FTC uses the 
trade press and other news articles, consumer and competitor 
complaints, hearings, economic studies, and other means to identify 
harmful practices that threaten competition. The FTC also routinely 
works with states' Attorneys General in its enforcement efforts, and 
state Attorneys General routinely join the FTC as co-plaintiffs in the 
FTC's Federal court litigations, such as in the North Dakota physician 
services merger litigation discussed above.

    Question 11. Do you believe that horizontal shareholding raises 
anticompetitive concerns?
    Answer. The short answer is that I do not yet know enough to draw 
sound, reliable conclusions here. Very little empirical research has 
been done on this topic, and the few studies that have been completed 
are quite controversial. At present, this remains a very unsettled 
issue.\18\
---------------------------------------------------------------------------
    \18\ See Note to the OECD by the United States on Common Ownership 
by Institutional Investors and Its Impact on Competition at  1, DAF/
COMP/WD(2017)86 (Nov. 28, 2017), https://www.ftc.gov/system/files/
attachments/us-submissions-oecd-other-international-competition-fora/
common_ownership_united_states.pdf (explaining that ``[g]iven the 
ongoing academic research and debate, and its early stage of 
development, the U.S. antitrust agencies are not prepared at this time 
to make any changes to their policies or practices with respect to 
common ownership by institutional investors.'').
---------------------------------------------------------------------------
    There is little doubt that active investment (i.e., investment that 
seeks to control a company, obtain board seats and the like) in 
competitors can create the kinds of competition problems that the 
antitrust laws are designed to address. The antitrust agencies have 
long policed improper relationships between corporate competitors, even 
when they fall short of a full combination or merger. For example, 
Section 8 of the Clayton Act effectively prohibits so-called 
``interlocking directorates'' in which an officer or director of one 
firm serves as an officer or director of a competitor. But it is an 
open question whether the same kinds of problems created by active 
investments may also arise as the result of investments by 
institutional investors in competing companies.
    The general theory is that cross-holdings by large institutional 
investors may blunt the competitive vitality of rival firms within that 
industry, and lead to higher prices and other effects. For example, if 
a company's shareholders have interests in a rival, that company may be 
less likely to engage in a price war or other forms of aggressive 
competition that could reduce its rival's profits because those profits 
are ultimately returned to the company's shareholders through their 
interests in the rival. Proponents of this theory note that the risk of 
upsetting common investors may make it easier for firms to maintain 
stable market conditions or potentially even increase prices over what 
might prevail without common ownership by large, institutional 
investors. Critics have cited methodological problems in the original 
research and various structural issues that would make it difficult or 
even impossible for institutional investors to play the disciplining 
role envisioned by this theory in the real world. Critics also point 
out that any remedy to address these concerns would likely increase the 
cost of retail investment and thereby cause harm to ordinary investors.
    To date, there is no reliable consensus as to which side in this 
debate has the stronger argument, and the limited research suggests 
this question will remain unsettled until additional empirical work is 
completed in this area. Given the formative nature of the academic 
debate, I cannot definitively take a position on this issue. Additional 
study is required, which as I mention below, the Commission is 
currently helping to facilitate.

    Question 12. Do you believe that our antitrust laws can be used to 
address the anticompetitive concerns raised by horizontal shareholding?
    Answer. As noted above, I am still evaluating the viability of this 
concern. The use of the agency's enforcement powers in this area is 
therefore premature in my view.
    That said, antitrust doctrine is flexible, allowing us to address 
even novel harms in the economy. The fact that the FTC has not 
litigated a case involving horizontal shareholding by a single 
institutional investor is not a bar to the Commission's launching a 
meritorious case, should it identify one. However, the Commission's 
ability to take future action in this area will be circumscribed by 
prior caselaw, due process considerations, and the need to demonstrate 
actual anticompetitive effects in the real world.
    The Commission is unlikely to take enforcement action in this area 
until it has sufficient confidence that it can demonstrate to the 
courts both that the underlying theory of harm is robust, and that a 
specific set of passive investments has had actual anticompetitive 
effects in the real world. Should those conditions be satisfied, the 
Commission could take action under current law.

    Question 13. What, if anything, are you doing to address any 
potential harms of horizontal shareholding?
    Answer. In December 2018, the Commission held a full-day workshop 
that was largely devoted to exploring the merits of the common 
ownership issue in greater detail.\19\ At the workshop, which was part 
of our Hearings on Competition and Consumer Protection in the 21st 
Century, respected academics and industry experts on both sides of this 
issue shared their expertise with both us and the public. The 
Commission also invited public commentary on this topic.
---------------------------------------------------------------------------
    \19\ FTC Workshop, FTC Hearing # 8: Competition and Consumer 
Protection in the 21st Century (Dec. 6, 2018), https://www.ftc.gov/
news-events/events-calendar/ftc-hearing-8-competition-consumer-
protection-21st-century.
---------------------------------------------------------------------------
    We are still accepting public comments on this issue. Once the 
comment period ends, we intend to carefully evaluate all of the public 
submissions and the workshop testimony with a view towards better 
refining our understanding of the merits of this concern. Workshops 
like the one we held also serve to bring together those of different 
views, allowing them to hear and respond to criticisms of their 
positions, which we have found to be useful in fostering future 
academic work in areas of continuing interest to the agency.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                      to Hon. Christine S. Wilson
Pet Leasing
    I appreciate the Commission's attention to my request with six of 
my colleagues for the FTC to investigate the practice of pet leasing 
that is leading some consumers into confusing or deceptive contractual 
obligations that cause them to have an issue with their beloved pet and 
negatively impact their financial status, such as credit scores, for 
far into the future. This is an issue that is a little under the radar 
but needs strong oversight and attention under your deceptive practices 
mandate if there are concerning financial practices being discovered.

    Question. Can I get a further commitment from you all to keep my 
office informed of actions and determinations you all may make 
pertaining to this concerning issue and the Humane Society and Animal 
Legal Defense Fund's formal petition to the Commission?
    Answer. The FTC is committed to protecting consumers from unfair or 
deceptive acts or practices, including any such practices carried out 
by merchants or third party leasing and financing companies. As the 
proud owner of four cats and three dogs, I am committed to the well-
being of all pets and their humans. Pet owners are entitled to 
understand whether their payments are going towards a lease or a 
purchase. For these reasons, I commit to continuing to keep your office 
informed of public actions the Commission takes concerning pet leasing 
or the Humane Society and Animal Legal Defense Fund's petition to the 
Commission.
Data Minimization vs Big Data
    A topic that has come up a lot during our discussions on privacy is 
data minimization. This is a concept that I have been considering on as 
I work on developing a comprehensive data privacy bill. As you're 
aware, this is the idea that businesses should only collect, process, 
and store the minimum amount of data that is necessary to carry out the 
purposes for which is was collected. There are obvious advantages to 
this as it minimizes the risk of data breaches and other privacy harms. 
At the same time, big data analytics are going to be crucial for the 
future and play an important role in smart cities, artificial 
intelligence, and other important technologies that fuel economic 
growth. I think it is important to find a balance between minimization 
and ensuring that data, especially de-identified data, is available for 
these applications.

    Question. Can you describe how you view this balance and how we in 
Congress can ensure that people's data is not abused but can still be 
put to use in positive ways?
    Answer. Your question neatly captures the dilemma. Businesses can 
apply ``big data'' analysis tools to gain insights from large data sets 
that help the business to innovate, for example, to improve an existing 
product. This analysis can provide new consumer benefits, such as the 
development of new features. On the other hand, consumers' data may be 
used for unexpected purposes in ways that are unwelcome.\20\
---------------------------------------------------------------------------
    \20\ See, e.g., Press Release, FTC Charges Deceptive Privacy 
Practices in Google's Rollout of Its Buzz Social Network (Mar. 30, 
2011), https://www.ftc.gov/news-events/press-releases/2011/03/ftc-
charges-deceptive-privacy-practices-googles-rollout-its-buzz) (alleging 
that Google deceptively repurposed information it had obtained from 
users of its Gmail e-mail service to set up the Buzz social networking 
service, leading to public disclosure of users' e-mail contacts).
---------------------------------------------------------------------------
    The FTC has issued a report on the benefits and risks of big data 
that contains guidance for companies that use big data analytics.\21\ 
Last fall, the Commission also hosted a workshop on the intersections 
between big data, privacy and competition.\22\ We are happy to work 
with your staff to develop legislation on how to balance the benefits 
and risks of big data.
---------------------------------------------------------------------------
    \21\ See FTC, FTC Report--Big Data: A Tool for Inclusion or 
Exclusion? Understanding the Issues (Jan. 2016), https://www.ftc.gov/
system/files/documents/reports/big-data-tool-inclusion-or-exclusion-
understanding-issues/160106big-data-rpt.pdf.
    \22\ See FTC Workshop, FTC Hearing #6: Competition and Consumer 
Protection in the 21st Century (Nov. 6-8, 2018), https://www.ftc.gov/
news-events/events-calendar/ftc-hearing-6-competition-consumer-
protection-21st-century.
---------------------------------------------------------------------------
General Privacy Recommendations
    Question 1. While privacy was a significant topic of the oversight 
hearing, as we look to develop a bill, can you specifically lay out 
some of the top priorities you individually would like to see included 
and what do you think gets overlooked in the conversations policymakers 
have with allowing for future innovations and yet raising the bar for 
protecting consumers?
    Answer. In its testimony, the Commission urged Congress to consider 
enacting privacy legislation that would be enforced by the FTC. The 
testimony recognized that, while the agency remains committed to 
vigorously enforcing existing privacy-related statutes, Congress may be 
able to craft Federal legislation that would more seamlessly address 
consumers' legitimate concerns regarding the collection, use, and 
sharing of their data and provide greater clarity to businesses while 
retaining the flexibility required to foster competition and 
innovation. Such legislation would also demonstrate our country's 
commitment to global leadership in the digital economy in light of the 
patchwork of emerging privacy standards both domestically and abroad. 
As far as top priorities for such legislation, first, Congress should 
give the Commission authority to deter violations by fining companies 
for initial violations, as it has for violations of other statutes. 
Second, Congress should ensure that all types of companies across the 
economy must protect consumers' privacy and security. As one example, 
the Commission has long urged the repeal of the FTC Act's provision 
that places limits on the agency's ability to go after law violations 
by common carriers and by non-profits. Third, Congress should consider 
giving the FTC targeted APA rulemaking authority so that the FTC can 
enact rules to keep up with technology developments. Excellent examples 
of this approach appear in statutes such as CAN-SPAM and COPPA.

    Question 2. Can you also outline the optimal role you see for our 
state Attorneys General in this privacy enforcement process?
    Answer. The Attorneys General are important partners in protecting 
consumers. For a number of statutes, such as COPPA, Congress enacted 
legislation that enables Attorneys General to enforce the law in 
addition to the Commission. I applaud this model. A number of state 
Attorneys General have brought actions to enforce COPPA, for example, 
so there is not just one enforcer. And when state Attorneys General 
bring these actions, they are enforcing the same standard that other 
states and the Commission are enforcing, so the same protections apply 
consistently nationwide.
Privacy Risky Communities/Groups
    Question 1. Do you think that certain communities or groups are any 
more or less vulnerable to privacy risks and harms?
    Answer. Yes. Congress previously has recognized that certain 
communities or groups may be more or less vulnerable to privacy risks 
and harms when promulgating the Children's Online Privacy Protection 
Act, and certain provisions of Gramm-Leach Bliley and the Health 
Insurance Portability and Accountability Act. The Commission also has 
worked to address issues particularly affecting certain communities or 
groups through a number of means, including law enforcement as well as 
a series of seminars and other events around the country and through 
consumer education.\23\
---------------------------------------------------------------------------
    \23\ See, e.g., FTC, Website: Common Ground Conferences and 
Roundtables Calendar, https://www.consumer.gov/content/common-ground-
conferences-and-roundtables-calendar; FTC, Web
site: Consumer Information--Fraud Affects Every Community, https://
www.consumer.ftc.gov/features/every-community.

    Question 2. Should privacy law and regulations account for such 
unique or disparate harms, and if so, how?
    Answer. Yes. I believe the approach Congress took with COPPA, GLB 
and HIPAA is instructive here. Existing laws like the Fair Credit 
Reporting Act and the Equal Credit Opportunity Act also provide 
important protections against unlawful discrimination. The Commission 
is happy to work with you to think through these issues as you craft 
legislation.
Immediate Civil Penalties Authority
    Noting from your FTC testimony, ``Section 5 (of the FTC Act), 
however, is not without limitations. For example, Section 5 does not 
provide for civil penalties, reducing the Commission's deterrent 
capability.''

    Question. While I appreciate the long term successes of the FTC in 
many respects to investigate data security matters, what are your 
thoughts to whether there is enough of a deterrent effect with Section 
5 authority when you can't immediately enforce against those who misuse 
data with civil penalties right from the start, rather than as the 
result of often times flagrant offenses to their already establish 
consent decrees?
    Answer. In the data security area, I believe that Congress should 
enact legislation giving the FTC the authority to seek civil penalties 
against first-time violators, which we cannot currently do under the 
FTC Act. I support such legislation precisely because I believe that 
our existing legal regime does not provide sufficient deterrence.

                               [all]