[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
PROTECTING CONSUMER PRIVACY IN THE ERA OF BIG DATA
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON CONSUMER PROTECTION AND COMMERCE
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
FEBRUARY 26, 2019
__________
Serial No. 116-7
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Printed for the use of the Committee on Energy and Commerce
govinfo.gov/committee/house-energy
energycommerce.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
36-508 PDF WASHINGTON : 2020
--------------------------------------------------------------------------------------
COMMITTEE ON ENERGY AND COMMERCE
FRANK PALLONE, Jr., New Jersey
Chairman
BOBBY L. RUSH, Illinois GREG WALDEN, Oregon
ANNA G. ESHOO, California Ranking Member
ELIOT L. ENGEL, New York FRED UPTON, Michigan
DIANA DeGETTE, Colorado JOHN SHIMKUS, Illinois
MIKE DOYLE, Pennsylvania MICHAEL C. BURGESS, Texas
JAN SCHAKOWSKY, Illinois STEVE SCALISE, Louisiana
G. K. BUTTERFIELD, North Carolina ROBERT E. LATTA, Ohio
DORIS O. MATSUI, California CATHY McMORRIS RODGERS, Washington
KATHY CASTOR, Florida BRETT GUTHRIE, Kentucky
JOHN P. SARBANES, Maryland PETE OLSON, Texas
JERRY McNERNEY, California DAVID B. McKINLEY, West Virginia
PETER WELCH, Vermont ADAM KINZINGER, Illinois
BEN RAY LUJAN, New Mexico H. MORGAN GRIFFITH, Virginia
PAUL TONKO, New York GUS M. BILIRAKIS, Florida
YVETTE D. CLARKE, New York, Vice BILL JOHNSON, Ohio
Chair BILLY LONG, Missouri
DAVID LOEBSACK, Iowa LARRY BUCSHON, Indiana
KURT SCHRADER, Oregon BILL FLORES, Texas
JOSEPH P. KENNEDY III, SUSAN W. BROOKS, Indiana
Massachusetts MARKWAYNE MULLIN, Oklahoma
TONY CARDENAS, California RICHARD HUDSON, North Carolina
RAUL RUIZ, California TIM WALBERG, Michigan
SCOTT H. PETERS, California EARL L. ``BUDDY'' CARTER, Georgia
DEBBIE DINGELL, Michigan JEFF DUNCAN, South Carolina
MARC A. VEASEY, Texas GREG GIANFORTE, Montana
ANN M. KUSTER, New Hampshire
ROBIN L. KELLY, Illinois
NANETTE DIAZ BARRAGAN, California
A. DONALD McEACHIN, Virginia
LISA BLUNT ROCHESTER, Delaware
DARREN SOTO, Florida
TOM O'HALLERAN, Arizona
------
Professional Staff
JEFFREY C. CARROLL, Staff Director
TIFFANY GUARASCIO, Deputy Staff Director
MIKE BLOOMQUIST, Minority Staff Director
Subcommittee on Consumer Protection and Commerce
JAN SCHAKOWSKY, Illinois
Chairwoman
KATHY CASTOR, Florida CATHY McMORRIS RODGERS, Washington
MARC A. VEASEY, Texas Ranking Member
ROBIN L. KELLY, Illinois FRED UPTON, Michigan
TOM O'HALLERAN, Arizona MICHAEL C. BURGESS, Texas
BEN RAY LUJAN, New Mexico ROBERT E. LATTA, Ohio
TONY CARDENAS, California, Vice BRETT GUTHRIE, Kentucky
Chair LARRY BUCSHON, Indiana
LISA BLUNT ROCHESTER, Delaware RICHARD HUDSON, North Carolina
DARREN SOTO, Florida EARL L. ``BUDDY'' CARTER, Georgia
BOBBY L. RUSH, Illinois GREG GIANFORTE, Montana
DORIS O. MATSUI, California GREG WALDEN, Oregon (ex officio)
JERRY McNERNEY, California
DEBBIE DINGELL, Michigan
FRANK PALLONE, Jr., New Jersey (ex
officio)
C O N T E N T S
----------
Page
Hon. Jan Schakowsky, a Representative in Congress from the State
of Illinois, opening statement................................. 3
Prepared statement........................................... 4
Hon. Cathy McMorris Rodgers, a Representative in Congress from
the State of Washington, opening statement..................... 5
Prepared statement........................................... 7
Hon. Frank Pallone, Jr., a Representative in Congress from the
State of New Jersey, opening statement......................... 8
Prepared statement........................................... 10
Hon. Greg Walden, a Representative in Congress from the State of
Oregon, opening statement...................................... 11
Prepared statement........................................... 12
Hon. Anna G. Eshoo, a Representative in Congress from the State
of California, prepared statement.............................. 101
Witnesses
Brandi Collins-Dexter, Senior Campaign Director, Color of Change. 14
Prepared statement \1\....................................... 16
Answers to submitted questions............................... 230
Roslyn Layton, Ph.D., Visiting Scholar, American Enterprise
Institute...................................................... 21
Prepared statement........................................... 23
Answers to submitted questions............................... 232
Denise E. Zheng, Vice President, Technology and Innovation,
Business Roundtable............................................ 34
Prepared statement........................................... 36
Answers to submitted questions............................... 254
David F. Grimaldi, Jr., Executive Vice President, Public Policy,
Interactive Advertising Bureau................................. 39
Prepared statement........................................... 41
Answers to submitted questions............................... 255
Nuala O'Connor, President and Chief Executive Officer, Center for
Democracy & Technology......................................... 52
Prepared statement........................................... 54
Answers to submitted questions............................... 258
Submitted Material
Article of January 15, 2019, ``2019 Data Privacy Wish List:
Moving From Compliance To Concern,'' by Ameesh Divatia,
Forbes.com, submitted by Mr. Lujan............................. 103
Statement of the Berkeley Media Studies Group, et al., ``The Time
is Now: A Framework for Comprehensive Privacy Protection and
Digital Rights in the United States,'' submitted by Ms.
Schakowsky..................................................... 105
----------
\1\ Ms. Collins-Dexter's entire statement, including supplemental
material that does not appear in the printed edition, has been retained
in committee files and also is available at https://docs.house.gov/
meetings/IF/IF17/20190226/108942/HHRG-116-IF17-Wstate-Collins-DexterB-
20190226.pdf.
Letter of February 26, 2019, from Brent Gardner, Chief Government
Affairs Officer, Americans for Prosperity, to Ms. Schakowsky,
submitted by Ms. Schakowsky.................................... 107
Letter of February 25, 2019, from Edward J. Black, President and
Chief Executive Officer, Computer & Communications Industry
Association, to Ms. Schakowsky and Mrs. Rodgers, submitted by
Ms. Schakowsky................................................. 108
Letter of February 13, 2019, from Access Humboldt, et al., to
U.S. Senator Roger Wicker, et al., submitted by Ms. Schakowsky. 115
Letter of February 25, 2019, from American Hotel & Lodging
Association, et al., to Mr. Pallone, et al., submitted by Ms.
Schakowsky..................................................... 119
Letter of February 25, 2019, from Gary Shapiro, President and
Chief Executive Officer, Consumer Technology Association, to
Mr. Pallone, et al., submitted by Ms. Schakowsky............... 122
Comments of November 9, 2018, submitted by Engine to the
Department of Commerce, Docket Number 180821780-878-01,
submitted by Ms. Schakowsky.................................... 124
Letter of February 25, 2019, from Evan Engstrom, Executive
Director, Engine, to Ms. Schakowsky, et al., submitted by Ms.
Schakowsky..................................................... 134
Statement of the American Bankers Association, February 26, 2019,
submitted by Ms. Schakowsky.................................... 135
Letter of February 26, 2019, from David French, Senior Vice
President, Government Relations, National Retail Federation, to
Mr. Pallone, et al., submitted by Ms. Schakowsky............... 144
Letter of November 9, 2018, from David French, Senior Vice
President, Government Relations, National Retail Federation, to
David J. Redl, Assistant Secretary for Communications and
Information, National Telecommunications and Information
Administration, Department of Commerce, submitted by Ms.
Schakowsky..................................................... 152
Letter of February 26, 2019, from Scott Talbott, Senior Vice
President of Government Affairs, Electronic Transactions
Association, to Ms. Schakowsky and Mrs. Rodgers, submitted by
Ms. Schakowsky................................................. 166
Letter of February 26, 2019, from Jon Leibowitz, Co-Chair, 21st
Century Privacy Coalition, to Mr. Pallone, et al., submitted by
Ms. Schakowsky................................................. 170
Letter of February 26, 2019, from Mark Neeb, Chief Executive
Officer, Association of Credit and Collection Professionals, to
Ms. Schakowsky and Mrs. Rodgers, submitted by Ms. Schakowsky... 173
Letter of February 25, 2019, from Will Rinehart, Director of
Technology and Innovation Policy, American Action Forum, to Ms.
Schakowsky and Mrs. Rodgers, submitted by Mrs. Rodgers......... 175
Letter of February 25, 2019, from Thomas A. Schatz, President,
Council for Citizens Against Government Waste, to Mr. Pallone,
et al., submitted by Mrs. Rodgers.............................. 190
Letter of February 26, 2019, from the Coalition for a Secure and
Transparent Internet to Ms. Schakowsky and Mrs. Rodgers,
submitted by Mrs. Rodgers...................................... 193
Letter of February 26, 2019, from Charles Duan, Technology and
Innovation Policy Director, R Street Institute, et al., to Ms.
Schakowsky and Mrs. Rodgers, submitted by Mrs. Rodgers......... 195
Letter of February 25, 2019, from Tim Day, Senior Vice President,
U.S. Chamber of Commerce, to Ms. Schakowsky and Mrs. Rodgers,
submitted by Mrs. Rodgers...................................... 198
Letter of February 25, 2019, from Katie McAuliffe, Executive
Director, Digital Liberty, to subcommittee members, submitted
by Mrs. Rodgers................................................ 204
Letter of February 25, 2019, from Michael Beckerman, President
and Chief Executive Officer, Internet Association, to Ms.
Schakowsky and Mrs. Rodgers, submitted by Mrs. Rodgers......... 206
Excerpt from Report of the Attorney General's Cyber Digital Task
Force, Department of Justice, submitted by Mr. Latta........... 212
Statement by Google, undated, submitted by Mrs. Rodgers.......... 216
Letter of February 26, 2019, from Jimi Grande, Senior Vice
President, Government Affairs, National Association of Mutual
Insurance Companies, to Mr. Pallone, et al., submitted by Mrs.
Rodgers........................................................ 228
Letter of February 26, 2019, from Rob Atkinson, President,
Information Technology and Innovation Foundation, et al., to
Mr. Pallone and Mr. Walden, submitted by Mrs. Rodgers \2\
----------
\2\ The letter has been retained in committee files and also is
available at https://docs.house.gov/meetings/IF/IF17/20190226/108942/
HHRG-116-IF17-20190226-SD024.pdf.
PROTECTING CONSUMER PRIVACY IN THE ERA OF BIG DATA
----------
TUESDAY, FEBRUARY 26, 2019
House of Representatives,
Subcommittee on Consumer Protection and Commerce,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 10:01 a.m., in
the John D. Dingell Room 2123, Rayburn House Office Building,
Hon. Jan Schakowsky (chair of the subcommittee) presiding.
Members present: Representatives Schakowsky, Castor,
Veasey, Kelly, O'Halleran, Lujan, Cardenas, Blunt Rochester,
Soto, Rush, Matsui, McNerney, Dingell, Pallone (ex officio),
Rodgers (subcommittee ranking member), Upton, Burgess, Latta,
Guthrie, Bucshon, Hudson, Carter, Gianforte, and Walden (ex
officio).
Also present: Representatives Eshoo and Clarke.
Staff present: Jeffrey C. Carroll, Staff Director;
Elizabeth Ertel, Office Manager; Evan Gilbert, Press Assistant;
Lisa Goldman, Counsel; Waverly Gordon, Deputy Chief Counsel;
Tiffany Guarascio, Deputy Staff Director; Alex Hoehn-Saric,
Chief Counsel, Communications and Technology; Zach Kahan,
Outreach and Member Service Coordinator; Dan Miller, Policy
Analyst; Joe Orlando, Staff Assistant; Kaitlyn Peel, Digital
Director; Tim Robinson, Chief Counsel; Chloe Rodriguez, Policy
Analyst; Mike Bloomquist, Minority Staff Director; Adam
Buckalew, Minority Director of Coalitions and Deputy Chief
Counsel, Health; Jordan Davis, Minority Senior Advisor; Melissa
Froelich, Minority Chief Counsel, Consumer Protection and
Commerce; Peter Kielty, Minority General Counsel; Bijan
Koohmaraie, Minority Counsel, Consumer Protection and Commerce;
Ryan Long, Minority Deputy Staff Director; Brannon Rains,
Minority Staff Assistant; and Greg Zerzan, Minority Counsel,
Consumer Protection and Commerce.
Ms. Schakowsky. The Subcommittee on Consumer Protection and
Commerce will now be called to order.
So I am going to begin with a few comments that are off the
clock and then invite our ranking member to do the same. I am
going to say good morning and thank you all for joining us
today. And before we officially start the hearing, I would like
to welcome you to the first Consumer Protection and Commerce
Subcommittee of the 116th Congress.
Consumer protection has long been my passion and what first
drew me to public life. I like to call our subcommittee the
Nation's legislative helpline because we field consumer
complaints. The subcommittee's jurisdiction is vast in scope,
ranging from the safety of cars to consumer product defects to
consumer fraud, both online and offline.
In the past, when Democrats controlled the House, this
subcommittee was responsible for making pools and children's
products safer, increased the fuel efficiency of cars, and made
sure that agencies aggressively protect consumers over
corporate interests. Under my leadership this subcommittee will
be extremely active and push companies and the administration
to put consumers first.
I look forward to working with Ranking Member McMorris
Rodgers. I believe there are so many issues on which we will be
able to work together in a bipartisan way. I would also like to
welcome several new Democratic Members, Representative Mark
Veasey from Texas--let's see, where I am looking the wrong way,
OK--and Robin Kelly from Illinois, my home State; Tom
O'Halleran from Arizona; Lisa Blunt Rochester from Delaware;
and Darren Soto from Florida, are all new to the Energy and
Commerce Committee and they also were smart enough to pick this
best subcommittee at a very exciting time.
I also welcome back many familiar faces and appreciate your
continued commitment to consumer protection issues. And I would
like to thank Tony Cardenas for serving as my vice chair of the
subcommittee and he will provide the subcommittee with
invaluable leadership.
And, finally, I would like to recognize the return of my
friend Debbie Dingell. Over the past 2 weeks we have mourned
the passing of her husband, John Dingell, who was so important
to this committee over the years and a friend to so many.
Debbie has been a stalwart, but I know it has been a difficult
time.
Debbie, you have all of our sympathy and support from the
entire subcommittee. And with the indulgence of my ranking
member, just to let Debbie say a few words.
Debbie?
Mrs. Dingell. I just want to thank you and all of my
colleagues. John Dingell loved this committee. He thought the
work that they did was very important, and I hear him in my ear
going, ``Woman, get on,'' and hearing him in the ears of
everybody, ``Work together for the American people.'' Thank
you.
Ms. Schakowsky. I have been reminded that Darren Soto's
birthday is today? Oh, yesterday. OK, never mind.
OK. So Ranking Member McMorris Rodgers, would you like to
take a couple of minutes to welcome your new Members as well?
Mrs. Rodgers. Thank you. Thank you, Madam Chair and to all
the members of the committee. Welcome to the committee, and I
too want to extend my heartfelt thoughts and prayers to Debbie
and so appreciate her friendship, her leadership on this
committee, and I would join in saying let's work together. As
John Dingell would challenge us, let's work together for the
American people. And it is great to have you back, Debbie.
To the new members of the committee, I would like to
recognize some of the newest Members on our side of the aisle:
Mr. Hudson from North Carolina--he will be here shortly--Mr.
Carter from Georgia, Mr. Gianforte from Montana, and I also
have the privilege of having former chairmen on this side of
the aisle, Bob Latta and Burgess as well as full committee
chairmen on this subcommittee.
I look forward to working with you, Madam Chair, on putting
consumers first while ensuring that we continue to celebrate
the innovation and all that it has meant to the American way of
life and improving our quality of life. As Americans we have
led the world in technology and innovation, and I look forward
to the many issues that are before this committee and working
to find that bipartisan ground wherever possible. Thank you.
Ms. Schakowsky. Let's shake on that.
Mrs. Rodgers. All right.
Ms. Schakowsky. All right. So I yield myself 5 minutes now
for an opening statement.
OPENING STATEMENT OF HON. JAN SCHAKOWSKY, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF ILLINOIS
And as I said earlier, our subcommittee is the Nation's
legislative helpline, and our first hearing, ``Protecting
Consumer Privacy in the Era of Big Data,'' couldn't be more
timely because the phone at the end of the helpline is
definitely ringing off the hook.
According to a recent survey, over 80 percent of U.S.
adults were not very confident in the security of personal
information held by social media, retail, and travel and travel
companies, and 67 percent wanted the government to act to
protect them. There is good reason for consumer suspicion.
Modern technology has made the collection, analysis, sharing,
and the sale of data both easy and profitable.
Personal information is mined from Americans with little
regard for the consequences. In the last week alone, we learned
that Facebook exposed individual private health information and
they thought was--that consumers thought was protected in
closed groups, and collected--and Facebook also collected data
from third-party app developers on issues as personal as
women's menstrual cycle and cancer treatment. People seeking
solace may instead find increased insurance rates as a result
of the disclosure of that information.
But Facebook isn't alone. We have seen the data collection
industry transform from a nascent industry most Americans
haven't heard of to an economic powerhouse gobbling up every
piece of consumer data it can both online and offline. While
many companies claim to provide notice and choice to consumers,
the truth is that they provide little reason for believing we
are protected.
Who has the time to wade through the dozens of privacy
policies that impact them? How many people think about being
trapped through their phone or by the overhead light in the
store? And often, the only choice that we have to avoid data
collection is not to go to the store or to use the app. Reports
of the abuse of personal information undoubtedly give Americans
the creeps.
But this data isn't being collected to give you the creeps.
It is being done to control markets and make a profit. Without
a comprehensive, Federal privacy law the burden has fallen
completely on consumers to protect themselves and this has to
end. Without a doubt, there are legitimate and beneficial
reasons for consumers to use personal--for companies to use
personal information, but data collection must come with
responsibilities. There should be limits on the collection of
consumers' data and on the use and sharing of their personal
information.
My goal is to develop strong, sensible legislation that
provides meaningful protection for consumers while promoting
competitive markets and restoring America's faith in business
and government. Rules alone though are not enough. We also need
aggressive enforcement. Unfortunately, in recent years the
Federal Trade Commission's enforcement action have done little
to curb the worst behavior in data collection and data
security.
Any legislation must give Federal regulators the tools to
take effective action to protect consumers. It is important to
equip regulators and enforcers with the tools and funding
necessary to protect privacy, but it is also critical to make
sure that requests for more tools and privacy are not used as a
excuse for inaction. We must understand why the FTC hasn't used
its existing suite of tools to the full extent such as section
5 authority to ban unfair methods of competition or its ability
to enforce violators.
So I welcome our witnesses today to learn about how we
should achieve these goals given the breadth of the issue. This
will be the first of several hearings. Others will allow us to
focus on specific issues of concern to the public.
[The prepared statement of Ms. Schakowsky follows:]
Prepared statement of Hon. Jan Schakowsky
Good morning and thank you all for joining us today. Before
we start the hearing, I'd like to welcome you to the first
Consumer Protection and Commerce Subcommittee of the 116th
Congress. Consumer protection is my passion, and what first
drew me to public life. I like to call our subcommittee the
Nation's legislative helpline, because we field consumer
complaints.
The subcommittee's jurisdiction is vast in scope, ranging
from the safety of cars to consumer product defects to consumer
fraud--both online and offline. In the past when Democrats
controlled the House, this subcommittee was responsible for
making pools and children's products safer, increasing the fuel
efficiency of cars, and made sure agencies aggressively
protected consumers over corporate interests.
Under my leadership, this subcommittee will be extremely
active and push companies and the administration to put
consumers first.
I look forward to working with Ranking Member McMorris
Rodgers. I believe there are many issues on which we will be
able to work together.
As I said earlier, our subcommittee is the Nation's
legislative helpline, and our first hearing, ``Protecting
Consumer Privacy in the Era of Big Data,'' couldn't be more
timely because the phone at the helpline is ringing off the
hook. According to a recent SAS survey, over 80 percent of U.S.
adults were not very confident in the security of personal
information held by social media, retail, and travel companies
and 67 percent wanted the government to act to protect them.
There is good reason for consumers' suspicion. Modern
technology has made the collection, analysis, sharing, and sale
of data both easy and profitable. Personal information is mined
from Americans with little regard for the consequences.
In the last week alone, we learned that Facebook exposed
individuals' private health information they thought was
protected in closed groups, and collected data from third-party
app developers on issues as personal as women's menstrual
cycles and cancer treatments. People seeking solace may instead
find increased insurance rates as a result of the disclosure of
that information.
But Facebook isn't alone. We have seen the data collection
industry transform from a nascent industry most Americans
haven't heard of to an economic powerhouse gobbling up every
piece of consumer data it can--both online and offline.
While many companies claim to provide notice and choice to
consumers, the truth is this provides little real protection.
Who has the time to wade through the dozens of privacy policies
that impact them daily? How many people think about being
tracked through their phones or by the overhead lights in a
store? And often the only ``choice'' they have to avoid data
collection is not to go to the store or use an app.
Reports of the abuse of personal information undoubtedly
give Americans the creeps. But this data isn't being collected
to give you the creeps. It's being done to control markets and
make a profit.
Without a comprehensive Federal privacy law, the burden has
fallen completely on consumers to protect themselves. This must
end.
Without a doubt, there are legitimate and beneficial
reasons for companies to use personal information, but data
collection must come with responsibilities. There should be
limits on the collection of consumers' data and on the use and
sharing of their personal information. My goal is to develop
strong, sensible legislation that provides meaningful
protections for consumers while promoting competitive markets
and restoring Americans' faith in business and government.
Rules alone are not enough. We also need aggressive
enforcers. Unfortunately, in recent years, the Federal Trade
Commission's (FTC) enforcement actions have done little to curb
the worst behavior in data collection and data security. Any
legislation must give Federal regulators the tools to take
effective action to protect consumers. It is important to equip
regulators and enforcers with the tools and funding necessary
to protect privacy, but it is also critical to make sure that
requests for more tools and privacy are not used as an excuse
for inaction. We must understand why the FTC hasn't used its
existing suite of tools to the fullest extent, such as its
Section 5 authority to ban ``unfair methods of competition'' or
its ability to enforce violations of consent decrees.
I welcome our witnesses today to learn how we should
achieve these goals. Given the breadth of this issue, this will
be the first of several hearings. Others will allow us to focus
on specific issues of concern to the public.
At the same time, I want to work with my colleagues on both
sides of the aisle on drafting privacy legislation. I have
talked to a number of you about your priorities, and I want
them to be reflected in what gets reported from this
subcommittee.
I look forward to working with each of you on this
important issue.
I now yield to Ranking Member Cathy McMorris Rogers for 5
minutes.
Ms. Schakowsky. So I look forward to working with all of
you on both sides of the aisle, and I now yield to Ranking
Member Cathy McMorris Rodgers for 5 minutes.
OPENING STATEMENT OF HON. CATHY McMORRIS RODGERS, A
REPRESENTATIVE IN CONGRESS FROM THE STATE OF WASHINGTON
Mrs. Rodgers. Thank you, Madam Chair. I would like to thank
you for organizing this first hearing of the Congress on
privacy and security. It really builds on important work that
was done in the past by Chairman Walden and Latta in the last
Congress and then Chairman Upton and Burgess in the 114th
Congress. I am hopeful that we can find a bipartisan path to
move forward on a single American approach to privacy, one that
is going to protect consumers and individual privacy, one that
ensures that consumers continue to benefit from the amazing
technology and innovation that has happened in recent years.
This morning I would like to lay out four principles as we
approach this effort, one that supports free markets, consumer
choice, innovation, and small businesses, the backbone of our
economy. We often celebrate small businesses in America.
Principle number 1, one national standard. The Constitution
was crafted around the concept that one national marketplace
would make America stronger in certain areas. It also
recognizes the importance of intellectual property rights, free
expression, and the rights of ``We the People'' to be protected
from the power of government.
The internet knows no borders. It has revolutionized our
Nation's economy by seamlessly connecting businesses and people
across the country. Online, a small business in Spokane,
Washington can as easily reach customers in Illinois and New
Jersey as in Eastern Washington. Distance is no longer a
barrier. The internet economy is interstate commerce and
subject to Federal jurisdiction.
There is a strong groundswell of support for a Federal
privacy law that sets a national standard. Many recognize the
burdens multiple State laws would create, but what would it
mean for someone in Washington State who buys something online
from a small business in Oregon to ship to their family in
Idaho? This is a regulatory minefield that will force
businesses to raise prices on their customers. Setting one
national standard makes common sense and is the right approach
to give people certainty.
Principle number 2, transparency and accountability.
Companies must also be more transparent when explaining their
practices. For example, we learned last week that Google
included a microphone in their Nest device but failed to
disclose it, and Facebook is collecting very personal health
information from apps, the Chair mentioned that. Transparency
is critical. When unfair or deceptive practices are identified,
there should be enforcement and there should be consequences
strong enough to improve behavior.
Principle number 3, improving data security. Another area
important to this debate is data security. Perfect security
doesn't exist online, and companies are bombarded by hackers
every second of every day. Certain data is more valuable on the
black market, which is why Social Security Numbers, credit card
data, and log-in credentials are always major targets for
criminals. One goal must be to improve people's awareness. For
one, how their information is being collected and used, and
two, how companies are protecting it and how people can protect
themselves.
Our focus should be on incentivizing innovation security
solutions and certainty for companies who take reasonable steps
to protect data, otherwise we risk prescriptive regulations
that cannot be updated to keep up with the bad actors' newest
tactics.
Principle number 4, small businesses. We must not lose
sight of small- and medium-sized businesses and how heavy-
handed laws and regulations can hurt them. Established, bigger
companies can navigate a complex and burdensome privacy regime,
but millions of dollars in compliance costs aren't doable for
startups and small businesses. We have already seen this in
Europe, where GDPR has actually increased, has helped increase
the market share of the largest tech companies while forcing
smaller companies offline with millions of dollars in
compliance costs.
These startups and small businesses could be innovating the
next major breakthrough in self-driving technology, health
care, customer service, and so many other areas. To keep
America as the world's leading innovator we cannot afford to
hold them back. Heavy-handed and overly cautious regulations
for all data will stop innovation that makes our roads safer,
health care more accessible, and customer service experiences
better.
I am glad our teams were able to work together on today's
hearing. This is a good step forward in finding a bipartisan
solution for these critical issues. And as we move forward, I
am sure there is going to be more hearings in the future to
allow more small business owners, startups, and entrepreneurs
to join this conversation.
I believe we have a unique opportunity here for a
bipartisan solution that sets clear rules for the road on data
privacy. In its best use data has made it possible for grocery
aisles to be organized on how people shop. But we need to
explore data privacy and security with forward-looking
solutions, and I look forward to hearing from the witnesses and
being a part of this discussion today.
Thank you very much, Madam Chair.
[The prepared statement of Mrs. Rodgers follows:]
Prepared statement of Hon. Cathy McMorris Rodgers
Good morning and welcome to our first Consumer Protection
and Commerce Subcommittee hearing. I would like to congratulate
Chair Schakowsky.
I would also like to recognize the newest Members of the
Subcommittee, Mr. Hudson from North Carolina, Mr. Carter from
Georgia, and Mr. Gianforte from Montana. I look forward to
working with all of the Members this Congress. Our jurisdiction
includes vast portions of the economy and I look forward to
working with you on bipartisan solutions that improve the lives
of all Americans. I also would like to thank the Chair for
organizing this first hearing of the Congress on privacy and
security. This hearing builds on the good work of Chairmen
Walden and Latta in the last Congress, and Chairmen Upton and
Burgess in the 114th Congress. While there have been issues
achieving bipartisan consensus in the past, I'm encouraged that
we can find a bipartisan path forward on a single American
approach to privacy--one that supports free markets, consumer
choice, innovation and small businesses---the backbone of our
economy.
Principle #1: One National Standard
The Constitution was crafted around the concept that one
national marketplace would make America stronger in certain
areas. It also recognizes the importance of intellectual
property rights, free expression, and the rights of ``We, the
People'' to be protected from the power of the government. The
Internet knows no borders. It has revolutionized our nation's
economy by seamlessly connecting businesses and people across
the country.
Online, a small business in Spokane can just as easily
reach customers in Illinois and New Jersey. Distance is no
longer a barrier. The Internet economy is interstate commerce
and subject to Federal jurisdiction. There is a strong
groundswell of support for a Federal privacy law that sets a
national standard. Many recognize the burdens a patchwork of
State laws would create. What would it mean for someone in
Washington State who buys something online from a small
business in Oregon to ship to their family in Idaho? This is a
regulatory minefield that will force businesses to raise prices
on their customers. Setting one national standard is common
sense and it's the right approach to give people certainty.
Principle #2: Transparency and Accountability
Companies must also be more transparent when explaining
their practices. For example, we learned last week that Google
included a microphone in their Nest device but failed to
disclose it and Facebook is collecting very personal health
information from apps. Transparency is critical. When unfair or
deceptive practices are identified there should be enforcement
and there should be consequences strong enough to improve
behavior.
Principle #3: Improving Data Security
Another area important to this debate is data security.
Perfect security doesn't exist online, and companies are
bombarded by hackers every second of every day. Certain data is
more valuable on the black market, which is why social security
numbers, credit card data, and login credentials are always
major targets for criminals. Our goal must be to improve
people's awareness for one, how their information is being
collected and used; two, how companies are protecting it; and
three, how people can protect it themselves.
Our focus should be on incentivizing innovative security
solutions and certainty for companies who take reasonable steps
to protect data. Otherwise, we risk proscriptive regulations
that cannot be updated to keep up with the bad actors' newest
tactics.
Principle #4: Small Businesses
Finally, we must not lose sight of small and medium-sized
businesses and how heavy-handed laws and regulations can hurt
them. Established bigger companies can navigate a complex and
burdensome privacy regime. But millions of dollars in
compliance costs aren't doable for startups and small
businesses. We have already seen this in Europe, where GDPR has
actually helped increase the market shares of the largest tech
companies while forcing smaller companies offline with millions
of dollars in compliance costs.
These startups and small businesses could be innovating the
next major breakthrough in self-driving technology, health
care, customer service, and more. To keep America as the
world's leading innovator, we cannot afford to hold them back.
Heavy-handed and overly cautious regulations for all data
will stop innovation that makes our roads safer, health care
more accessible, and customer service experiences better. I'm
glad our teams were able to work together on today's hearing.
This is a good step forward to finding a bipartisan solution
for these critical issues. As we move forward, I hope we make
sure there's enough time before the next hearings to allow
small business owners, startups, and entrepreneurs to join the
conversation.
We have a unique opportunity here for a bipartisan solution
that sets clear rules for the road on data privacy in America.
In its best use, data has made it possible for grocery store
aisles to be organized based on how people shop. By exchanging
our data with email providers, we receive free email and photo
storage. Ridesharing services analyze traffic patterns and real
time data on accidents to get us home safer and faster. These
are just some examples of how data in aggregate has saved us
time and money, kept us safe, and improved our lives.
As we continue to explore data privacy and security, we
must find a forward-thinking solution that fosters innovation
and protects consumers from bad data practices that have caused
people harm or create real risks. By achieving both, America
will maintain our robust internet economy and continue to be
the best place in the world to innovate.
Thank you again to all of the witnesses for being here
today and I look forward to your testimony. I yield back.
Ms. Schakowsky. Thank you. The gentlelady yields back and
now the Chair recognizes Mr. Pallone, chairman of the full
committee, for 5 minutes for his opening statement.
OPENING STATEMENT OF HON. FRANK PALLONE, Jr., A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF NEW JERSEY
Mr. Pallone. Thank you. I also wanted to welcome back
Debbie Dingell. Debbie has shown tremendous strength and
courage during the past few weeks, and you were missed, Debbie,
and we are glad you are back today. So I just wanted to say
that.
Welcome to the first hearing of the Consumer Protection and
Commerce Subcommittee. We renamed the subcommittee to emphasize
the importance of putting consumers first, and that is the lens
through which I view the important issue of consumer privacy.
How do we empower consumers and impose reasonable limits on
companies that collect and use our own personal information?
In the past we have talked about major data breaches and
scandals involving the misuse and unauthorized sharing of
people's data and we have talked about the potential for
emerging technologies to be used in unintended and potentially
harmful ways. But privacy isn't just about major incidents or
predictions of the future, it is an everyday issue constantly
affecting our lives and the lives of our children.
Almost every company that we interact with and even many we
don't are conducting surveillance of us. When we visit a single
website, many companies are tracking our actions on that site,
what we click on, how long we are on each page, even our mouse
movements and that is true for each of the dozens of sites most
of us visit every day.
When we go out our location is tracked on our phones. Video
surveillance of stores, on the street, in doctors' offices
record what we do and who we are with. The purchases we make
are recorded by the stores through store loyalty programs and
by the credit cards we use to make those purchases. And
companies use that information to sort and commodify us too.
Inferences are drawn and we are labeled as a Democrat or
Republican, white or Latino, gay or straight, pregnant teen, a
grieving parent, a cancer survivor, so many more, and this is
all done without our knowledge. And then our personal
information and related inferences are being shared and sold
many times over. Companies may share our information with
business partners and affiliates that we have never heard of.
Our data also may be sold to data brokers who collect massive
amounts of data about all of us and then sell that off to
anyone who is willing to pay for it.
The scope of it all is really mind-boggling. Without a
doubt there are positive uses of data. Companies need personal
information to deliver a package or charge for a service. Some
data is used for research and development of new products and
improving services and sometimes it is used for fraud
prevention or cybersecurity purposes and some of it is used for
scientific research to find new treatments for medical
conditions.
But in some cases data use results in discrimination,
differential pricing, and even physical harm. Low-income
consumers may get charged more for products online because they
live far away from competitive retailers. Health insurance
companies could charge higher rates based on your food
purchases or info from your fitness trackers. A victim of
domestic violence may even have a real-time location tracking
information sold to their attacker. And these are simply
unacceptable uses of people's data.
Yet for the most part, here in the U.S. no rules apply to
how companies collect and use our information. Many companies
draft privacy policies that provide few protections and are
often unread. One study calculated that it would take 76 years
to read all the privacy policies for every website the average
consumer visits every year.
And even if you could read and understand these privacy
policies, often your only choice is to accept the terms or not
use the service. In a lot of situations that is not an option.
Consider when you need to pay for parking at a meter or use a
website for work. You don't really have that choice. So we can
no longer rely on a notice and consent system built on
unrealistic and unfair foundations. As the chairwoman said, we
need to look forward towards comprehensive privacy legislation,
legislation that shifts the burden off consumers and puts
reasonable responsibility on those profiting from the
collection and use of our data.
Because consumer privacy isn't new to this committee, we
have been talking about it for years, yet nothing has been done
to address the problem and this hearing is the beginning of a
long overdue conversation. It is time that we move past the old
model that protects the companies using the data and not the
people. So I look forward to hearing from our witnesses today
on how we can work together to accomplish this. I plan to work
with my colleagues on both sides of the aisle to craft strong,
comprehensive privacy legislation that puts consumers first.
And I just want to thank you, Chairman Schakowsky, when you
said that, you know, what this committee is all about is
putting consumers first, and I think that having this hearing
as you are today on the privacy issue is a strong indication
that that is exactly what we intend to do. Thank you again.
[The prepared statement of Mr. Pallone follows:]
Prepared statement of Hon. Frank Pallone, Jr.
Welcome to the first hearing of the Consumer Protection and
Commerce Subcommittee. We renamed the subcommittee to emphasize
the importance of putting consumers first. And that is the lens
through which I view the important issue of consumer privacy--
how do we empower consumers and impose reasonable limits on
companies that collect and use our personal information?
In the past, we've talked about major data breaches and
scandals involving the misuse and unauthorized sharing of
people's data. And we've talked about the potential for
emerging technologies to be used in unintended and potentially
harmful ways. But privacy isn't just about major incidents or
predictions of the future. It's an everyday issue, constantly
affecting our lives and the lives of our children.
Almost every company that we interact with, and even many
we don't, are conducting surveillance of us. When we visit a
single website, many companies are tracking our actions on that
site-what we click on, how long we are on each page, even our
mouse movements. And that's true for each of the dozens of
sites most of us visit every day.
When we go out, our location is tracked on our phones.
Video surveillance at stores, on the street, and in doctors'
offices record what we do and who we are with. The purchases we
make are recorded by the stores we buy from, through store
loyalty programs, and by the credit cards we use to make those
purchases.
Companies use that information to sort and commodify us,
too. Inferences are drawn and we are labelled as gay or
straight, Democrat or Republican, white or Latino, a pregnant
teen, a grieving parent, a cancer survivor, and so much more.
All without our knowledge.
Plus, our personal information and related inferences are
being shared and sold many times over. Companies may share our
information with business partners and affiliates, which may be
strangers to you. Our data also may be sold to data brokers,
who collect massive amounts of data about all of us, and then
sell that off to anyone willing to pay for it. The scope of it
all is mindboggling.
Without a doubt, there are positive uses of data. Companies
need personal information to deliver a package or charge for a
service. Some data is used for research and development of new
products and improving services. Sometimes it's used for fraud
prevention or cybersecurity purposes. And some is used for
scientific research to find new treatments for medical
conditions.
But in some cases, data use results in discrimination,
differential pricing, and even physical harm. Low-income
consumers may get charged more for products online because they
live far away from competitive retailers. Health insurance
companies could charge higher rates based on your food
purchases or information from your fitness tracker. A victim of
domestic violence may even have real-time location tracking
information sold to their attacker.
Yet, for the most part, in the U.S., no rules apply to how
companies collect and use our information. Many companies draft
privacy policies that provide few protections and are often
unread. One study calculated that it would take 76 years to
read all of the privacy policies for every website the average
consumer visits each year. And even if you could read and
understand each privacy policy, often your only choice is to
accept the terms or not use the service. And when you need to
pay for parking at a meter or use a website for work, you don't
really have that choice at all. We can no longer rely on a
``notice and consent'' system built on such unrealistic and
unfair foundations.
As Chair Schakowsky said, we need to look toward
comprehensive privacy legislation-legislation that shifts the
burdens off consumers and puts reasonable responsibility on
those profiting from the collection and use of our data.
As I said, consumer privacy isn't new to this committee.
We've been talking about it for years. And yet, nothing has
been done to address the problems. But times have changed. We
are not going to fail consumers any more.
This hearing is beginning of that conversation. We need to
move past the old model that protects the companies using the
data, not the people. I look forward to hearing from our
witnesses today on how we can do this. And I plan to work with
my colleagues on both sides of the aisle to craft strong,
comprehensive privacy legislation that puts consumers first.
Ms. Schakowsky. I thank the gentleman. The gentleman yields
back and now the Chair recognizes Mr. Walden, ranking member of
the full committee, for 5 minutes for his opening statement.
OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OREGON
Mr. Walden. Well, good morning and welcome to our Members
and our witnesses and congratulations to both Representative
Rodgers as the new lead Republican and to Representative Jan
Schakowsky as the new chair of the Consumer Protection and
Commerce Subcommittee. I know we are off to a good start this
morning.
We have a lot of important issues to work on in this
subcommittee and I am hopeful we can continue the bipartisan
achievements out of this subcommittee from Chair Schakowsky and
Representative Latta's SELF DRIVE Act to legislation focused on
the Internet of Things and the oversight of the FTC, CPSC, and
NHTSA. I hope we can continue working together for the benefit
of the American consumer.
I would also like to thank Chairs Pallone and Schakowsky
for picking up on the privacy and security issues as the topic
of the first hearing for this subcommittee. From the disrupter
series of hearings that we held in the last Congress to the
first congressional hearings with major tech companies' CEOs,
this committee has been on the forefront of getting answers for
our constituents.
The debate over privacy, it is not new. From the first
Kodak camera to caller ID, major privacy debates ensued when
new innovation was introduced. But there are new challenges
when it comes to privacy, and we have heard some of that today
from our Members. Privacy means different things to different
people, which makes this debate even more challenging in the
age of Instagram and YouTube.
I believe it is important that we work together toward a
bipartisan Federal privacy bill that, one, improves
transparency, accountability, and security for consumers; that,
two, protects innovation and small businesses; and, three, sets
one national standard. Now the first issue, as some like to
frame as incredibly divisive, falls under the most basic
principle underpinning our jurisdiction, and that is the term
``interstate commerce.''
A Federal privacy bill needs to be just that, one that sets
the national standard for commercial collection use and sharing
of personal data in the best interest of consumers. The Supreme
Court has recently reaffirmed the principles of the commerce
clause. State laws cannot discriminate against interstate
commerce. They cannot impose undue burdens on interstate
commerce and should take into consideration the small
businesses startups and others who engage in commerce across
State lines.
There are many policy areas where it makes sense for States
to innovate. However, the internet does not stop at a State
line and neither should innovative privacy and security
solutions. Your privacy and security should not change
depending on where you live in the United States. One State
should not set the standards for the rest of the country.
We can improve the security and privacy of consumers' data
without adding to the confusion or harming small businesses and
entrepreneurs, so Congress should thoughtfully consider what
various States are proposing so we can deliver that certainty
and do so with a national standard. We can learn from
California and we can learn from Washington and a growing
number of other States who have drafted their own legislation
reinforcing why we should begin with an agreement that a
Federal privacy bill sets one national standard.
Now a truly American approach to privacy and security can
give consumers better control by supporting innovative
solutions without massively expanding the regulatory State. We
should avoid creating a system that floods people's inboxes
with privacy policies that frankly they do not read, or click
through notices that even make simple tasks very frustrating.
We can and should, however, learn from previous efforts here at
home and abroad.
So transparency and accountability are critical to move
forward and measurably improve consumers' ability to choose
between services they want to use. People need to receive a
clearer understanding of exactly how their data are used by the
digital services with whom they interact. The FTC has announced
their investigation into both Equifax and Facebook. The outcome
of their work will help Congress evaluate the effectiveness of
laws currently on the books and the enforcement tools utilized
to hold companies accountable. We can write bill after bill and
the FTC can publish rule after rule, but if we do not have
effective enforcement, they are just rules on paper.
So I believe we have a unique opportunity to address some
of the most complex privacy and security questions of the day
and I look forward to working with my colleagues across the
aisle on setting a national framework and getting this debate
moving forward toward a bipartisan national solution. With
that, Madam Chair, I yield back.
[The prepared statement of Mr. Walden follows:]
Prepared statement of Hon. Greg Walden
Good morning. Welcome to our Members and witnesses.
Congratulations to both Representative Rodgers as the new
lead Republican, and to Representative Schakowsky as the new
chair for the Consumer Protection and Commerce Subcommittee.
We have a lot of important issues to work on in this
subcommittee, and I am hopeful we can continue the bipartisan
achievements out of this subcommittee. From Chair Schakowsky
and Rep. Latta's SELF DRIVE Act, to legislation focused on the
Internet of Things, and oversight of the FTC, C.P.S.C. and
NHTSA, I hope we can continue working together for the benefit
of the American consumer.
I would like to thank Chairs Pallone and Schakowsky for
picking up the privacy and security issues as the topic of the
first hearing for the subcommittee. From the Disrupter Series
of hearings, to the first congressional hearings with major
tech company CEOs, this committee has been on the forefront of
getting answers for our constituents.
The debate over privacy is not new. From the first Kodak
camera to caller-ID, major privacy debates ensued when they
were introduced. But there are new challenges when it comes to
privacy. Privacy means different things to different people,
which makes this debate even more challenging in the age of
Instagram and YouTube stars comfortably sharing their most
private moments in real time.
I believe it is important that we work together toward a
bipartisan Federal privacy bill that: improves transparency,
accountability, and security for consumers; protects innovation
and small businesses; and sets one national standard.
The first issue, that some like to frame as incredibly
divisive, falls under the most basic principle underpinning our
jurisdiction: interstate commerce. A Federal privacy bill needs
to be just that: one that sets the national standard for
commercial collection, use, and sharing of personal data in the
best interest of consumers.
The Supreme Court has recently reaffirmed the basic
principles of the Commerce Clause: State laws cannot
discriminate against interstate commerce, they cannot impose
undue burdens on interstate commerce, and should take into
consideration the small businesses, startups, and others who
engage in commerce across State lines.
There are many policy areas where it makes sense for States
to innovate; however, the internet does not stop at State lines
and neither should innovative privacy and security solutions.
Your privacy and security should not change depending on where
you are in the United States. One State should not set the
standards for the rest of the country. We can improve the
security and privacy of consumers' data without adding to the
confusion or harming small businesses and entrepreneurs--so
Congress should thoughtfully consider what various States are
proposing so we deliver that certainty with a national
standard.
We can learn from California, Washington, and a growing
number of other States who have drafted their own legislation--
reinforcing why we should begin with an agreement that a
Federal privacy bill sets one national standard.
A truly American approach to privacy and security can give
consumers better control by supporting innovative solutions
without massively expanding the regulatory state. We should
avoid creating a system that floods people's inboxes with
privacy policies they do not read or click-through notices that
make even simple tasks frustrating. We can, and should, learn
from previous efforts here at home and abroad.
Transparency and accountability are critical to move
forward and measurably improve consumers ability to choose
between services they want to use. People need to receive a
clearer understanding of exactly how their data are used by the
digital services with whom they interact.
The FTC has announced their investigations into both
Equifax and Facebook. The outcome of their work will help
Congress evaluate the effectiveness of laws currently on the
books, and the enforcement tools utilized to hold companies
accountable. We can write bill after bill, and the FTC could
publish rule after rule, but if we do not have effective
enforcement, they are just words on paper.
I believe we have a unique opportunity to address some of
the most complex privacy and security questions of our day.
I look forward to working with my colleagues across the
aisle on setting the framework for this debate and moving
forward towards a bipartisan national solution.
Thank you and I yield back.
Ms. Schakowsky. Thank you. The gentleman yields back. And
the Chair would like to remind Members that pursuant to
committee rules, all Members' written opening statements shall
be made part of the record.
And now I would like to introduce our witnesses for today's
hearing and thank you all for coming. We have Ms. Brandi
Collins-Dexter, senior campaign director, media, democracy and
economic Justice, at Color of Change; Dr. Roslyn Layton,
visiting scholar at the American Enterprise Institute; Ms.
Denise Zheng--is that correct, ``Zhong''? OK--vice president,
technology and innovation, Business Roundtable; Dr. Dave
Grimaldi, executive vice president for public policy, IAB; and
Dr. Nuala O'Connor, president and CEO at the Center for
Democracy & Technology.
And let's begin then with Ms. Collins-Dexter.
STATEMENTS OF BRANDI COLLINS-DEXTER, SENIOR CAMPAIGN DIRECTOR,
COLOR OF CHANGE; ROSLYN LAYTON, PH.D., VISITING SCHOLAR,
AMERICAN ENTERPRISE INSTITUTE; DENISE E. ZHENG, VICE PRESIDENT,
TECHNOLOGY AND INNOVATION, BUSINESS ROUNDTABLE; DAVID F.
GRIMALDI, Jr., EXECUTIVE VICE PRESIDENT, PUBLIC POLICY,
INTERACTIVE ADVERTISING BUREAU; AND NUALA O'CONNOR, PRESIDENT
AND CHIEF EXECUTIVE OFFICER, CENTER FOR DEMOCRACY & TECHNOLOGY
STATEMENT OF BRANDI COLLINS-DEXTER
Ms. Collins-Dexter. Good morning Madam Chair, Ranking
Member Rodgers, Committee Chairman Pallone, Committee Ranking
Member Walden, and members of the subcommittee. My name is
Brandi Collins-Dexter, and I am a senior campaign director at
Color of Change, the largest online civil rights organization
in the United States with more than 1.5 million members who use
technology to fight for change.
In the wild, wild West of the digital economy,
discriminatory marketing practices are so lucrative that entire
industries have sprung up to discriminate for dollars. One
company called Ethnic Technologies--subtle, I know--developed
software that predicts an individual's ethnic origin based on
data points easily purchased from ISPs and then sells that
data, which has been turned into a predictive algorithm, to any
company that wants to target groups or services to a particular
ethnic group. Part of what we are seeing now is bad online
behavior that circumvents civil rights laws.
Google and Facebook have both had numerous complaints filed
against them for allowing discriminatory housing and employment
ads. State commission reports found that voter suppression ads
were specifically targeted towards black Americans on social
media during the 2016 Presidential election and that social
media companies made misleading or evasive claims about those
efforts.
Additionally, low-income communities are targeted by
predatory payday loan companies that make billions of dollars
in interest and fees on the back of struggling families. We
have seen online price gouging and digital redlining where
corporations like Staples have used geotracking and personal
data to charge customers higher prices for products based on
their geography. Some data brokers even lump consumers into
categories like, quote unquote, getting by, compulsive online
gamblers. One company has even used a category called ``Speedy
Dinero,'' described as, quote, ``Hispanic communities in need
of fast cash receptive to some prime credit offers.''
Last week, as was mentioned, Facebook was caught obtaining
sensitive personal information submitted to entirely separate
mobile apps using software that immediately shares data with
social networks for ad targeting. I mean, literally, my iPad
knows more about me than my husband and he is an ex-journalist
who is very nosy. Even information that feels innocuous can
become a proxy for a protected class. And sensitive
information, right now corporations are able to easily combine
information about you that they have purchased and create a
profile of your vulnerabilities.
Earlier this month, Color of Change joined with advocacy
groups to urge Congress to put civil and human rights at the
center of the privacy fight. Our letter states in part, ``Civil
rights protections have existed in brick and mortar commerce
for decades. Platforms and other online services should not be
permitted to use consumer data to discriminate against
protected classes or deny them opportunities in commerce,
housing, and employment, or full participation in our
democracy.''
There are many bills out there, some we think are weak and
some like language we have seen from Senator Cortez Masto, so a
great deal of promise. But ultimately we would like to see
bipartisan legislation written through an antidiscrimination
lens that prevents manipulative or exclusionary marketing
practices that exacerbate poverty. It should offer a baseline
that does not preempt innovative State policy and it must
contain enforcement mechanisms and not rely on self-regulation.
Some say privacy is the currency you pay to engage in our
digital ecosystem. We should not have to make that choice. Our
communities need to trust that when we go online we can count
on our privacy and the safety of our information for ourselves
and our children. This shouldn't be a game of political
football. Eighty percent of Americans support making it illegal
for companies to sell or share their personal information. At
least 80 percent of us believe that we should have control over
how companies use our information.
Privacy is a concept in its most aspirational sense. It is
not merely about the freedom and ability to close your digital
curtain, so to speak. Instead, we should consider privacy and
digital rights for all a necessary framework crucial for
ensuring that our human, civil, and constitutional rights are
not confined to our offline lives, but are also protected
online where so much of our daily life occurs. I would even say
that if we fail in the mission to ensure our rights online are
protected, we stand to render many of our offline rights
meaningless.
Thank you again for having me here today, and I look
forward to your thoughts.
[The prepared statement of Ms. Collins-Dexter follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Ms. Schakowsky. Thank you. I meant to mention that each of
you has 5 minutes, and I appreciate you, Ms. Collins-Dexter,
for sticking to that. The lights that will go on initially will
be green, and then the light will turn yellow when you have 1
minute remaining, and then red means you need to stop.
And so, Dr. Layton, you are recognized for 5 minutes.
STATEMENT OF ROSLYN LAYTON
Dr. Layton. Good morning. Thank you, Chair Schakowsky, Ms.
McMorris Rodgers, and members of the committee. It is an honor
to be here, and I am heartened by your bipartisanship.
Today I represent only myself and my research. I have lived
in the European Union for the last decade, and I work at a
European university where I make international internet policy
comparisons. As the mother of three Danish-American children, I
am legitimately interested in policy that makes Europe a better
place.
The academic literature shows that online trust is a
function of institutions, business practices, technologies, and
users' knowledge. But unfortunately the EU rejected this
formula for its data protection policy. My hope is that
Congress will avoid the mistakes of the GDPR and ultimately
leapfrog Europe with a better framework based upon privacy-
enhancing technologies, a strong Federal standard, and consumer
education.
To analyze a policy like the GDPR we must evaluate its
real-world effects. Since its implementation, Google, Facebook,
and Amazon have increased their market share in the EU. This is
a perverse outcome for a policy promised to level the playing
field. Today, only 20 percent of EU companies are online. There
is little to no data that shows that small and medium-sized
enterprises are gaining as a result of the GDPR.
The data shows a consistent lag in the small to medium-
sized business segment particularly for them to modernize their
websites and market outside their own EU country. Now this
outcome isn't necessarily surprising. As a Nobel Prize
economist, George Stigler, observed 40 years ago, regulation is
acquired by industry and operated for its benefit. A number of
large companies have come out in support of the GDPR. It
doesn't surprise me either, that is because it cements their
market position. They don't need permissionless innovation
anymore, but they don't have a problem depriving startups of
the same freedom.
Now to comply with the GDPR today, an average firm of 500
employees will spend about $3 million. And thousands of U.S.
firms have decided that this is not worthwhile, including the
Chicago Tribune, which is no longer visible in the European
Union. There are over 1,000 American news media that no longer
reach Europeans. This is also concerning because the EU is the
destination of two-thirds of America's digital goods and
services.
Now the GDPR might be justified if it created greater trust
in the digital ecosystem, but there is no such evidence. After
a decade of these kinds of data protection regulations in the
EU, in which users endure intrusive pop-ups and disclosures in
every digital site they visit, Europeans report no greater
sense of trust online. More than half of the survey respondents
in the UK alone say that they feel no better since the GDPR
took effect and it has not helped them to understand how their
data is used.
I am skeptical of both the GDPR and the CCPA in California
with their laundry list of requirements, 45 in Europe and 77 in
California. These are not scientifically tested and there is no
rational policy process to vet their efficacy. Now I imagine if
we held--now what would happen if we would hold government to
the same standards? Australia tried a ``when in doubt, opt
out'' policy and half a million people left the national
healthcare record program. It crashed their system for
healthcare.
We have another reason to be skeptical of the claims of the
EU being morally superior with their GDPR. Their networks are
not secure because they are built with equipment by dubious
Chinese equipment makers. Your data protection standard means
little if the Chinese Government can hack your data through
back doors.
In any event, Europe's attempt to create a common market
for data is something that was actually part of our founding
and of our country with our national standard in interstate
commerce, which has been discussed, and I support such a
national standard for sensitive data consistently applied
across enterprises. To leap the Europeans on data protection we
need to review the empirical research that the Europeans
ignored, namely how privacy-enhancing technologies and user
knowledge will promote online trust.
The answer is not to copy the EU, but to build world-class,
scientifically superior, privacy-enhancing technologies here in
the United States. Congress should incentivize the development
of such technologies through grants and competitions and
provide safe harbors for their research, development, and
practice. There is no consumer protection without consumer
education and we should support people to acquire their digital
competence so they make informed decisions about the products
they use.
In closing, please do not fall prey to the European
regulatory fallacy which substitutes the bureaucratization of
data instead of a natural right of privacy. Increasing the
number of agencies and bureaucrats who govern our data does not
increase our privacy. It reduces our freedom, makes enterprise
more expensive, and deters innovation. Thank you for your
leadership. I welcome your questions.
[The prepared statement of Dr. Layton follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Ms. Schakowsky. Thank you.
Ms. Zheng, you are recognized for 5 minutes.
STATEMENT OF DENISE E. ZHENG
Ms. Zheng. Thank you, Chairwoman Schakowsky, Ranking Member
McMorris Rodgers, members of the subcommittee, thank you for
the opportunity to testify on behalf of the Business
Roundtable.
Business Roundtable represents more than 200 CEOs of the
largest American companies that operate in nearly every corner
of the economy including technology, telecommunications,
retail, banking, health, manufacturing, automotive, and many
other industries. Our companies touch virtually every American
consumer. They process 16 trillion in global consumer payments
each year and service roughly 40 million utilities customers
across the country.
They fly more than 250 million passengers to their
destinations each year and provide wireless communications and
internet services to more than 160 million consumers. They
sponsor nearly 70 million medical insurance memberships and
deliver more than 42 million packages every single day. Data
privacy is a major priority for the Business Roundtable
especially as companies that rely on data and digital platforms
to deliver products and services to consumers and to conduct
day-to-day business operations.
That is why CEOs from across industry sectors have come
together to call for a Federal privacy law that provides
consistent consumer privacy protections, promotes
accountability, and fosters innovation and competitiveness. We
strongly support giving consumers control over how their
personally identifiable information is collected, used, and
shared.
At the same time, it is important to remember the value of
data in our economy as well as the enormous benefits that data-
driven services provide to our consumers. Data enables
companies to deliver more relevant and valuable user experience
to consumers. It allows companies to detect and prevent fraud
on user accounts and to combat cybersecurity attacks. It
creates greater productivity and cost savings for manufacturing
to transportation and logistics and it leads to breakthroughs
in health and medical research.
Innovation thrives in stable policy environments where new
ideas can be explored and flourish within a well-understood
legal and regulatory framework. So in December, Business
Roundtable released a proposal for privacy legislation. Our
proposal is the product of extensive deliberation with the
chief privacy officers of our companies and approval from CEOs
across industry sectors.
We believe that privacy legislation must prioritize four
important objectives. First and foremost, it should champion
consumer privacy and promote accountability. Legislation should
include strong protections for personal data that enhance
consumer trust and demonstrate U.S. leadership as a champion
for privacy.
Second is fostering innovation and competitiveness
especially in a dynamic and evolving technology landscape.
Legislation should be technology-neutral and allow
organizations to adopt privacy protections that are appropriate
to the specific risks such as the sensitivity of the data.
Third, it should harmonize privacy protections. Congress
should enact a comprehensive, national law that ensures
consistent protections and avoids a State-by-State approach
that leads to disjointed consumer protections, degraded user
experience, and barriers to investment and innovation.
And fourth, legislation should promote consumer privacy
regimes that are interoperable on a global basis and it should
seek to bridge differences between the U.S. and foreign privacy
regimes.
At the heart of the Business Roundtable proposal is a set
of core individual rights that we believe consumers should have
over their data, including transparency. Consumers deserve to
have clear and concise understanding of the personal data that
a company collects, the purposes for which that data is used,
and whether and for what purposes personal data is disclosed to
third parties.
Control, consumers should have meaningful control over
their data based upon the sensitivity of the information
including the ability to control whether that data is sold to
third parties. Consumers should also have the right to access
and correct inaccuracies in their personal data about them and
they should have the right to delete personal data.
A Federal privacy law should be comprehensive and apply a
consistent, uniform framework to the collection, use, and
sharing of data across industry sectors. It should also
recognize that there are situations that do justify exceptions
such as cases of public health and safety, or to prevent fraud
and provide cybersecurity, or when certain data is necessary to
deliver a product or a service that the consumer requested, or
to ensure First Amendment rights and to protect the rights of
other individuals.
Establishing and protecting these consumer rights also
requires effective, consistent, and coordinated enforcement to
provide accountability and protect consumer rights. Absent
action from Congress, we will be subject not only to a growing
confusing set of State government requirements, but also to
different data protection laws from governments in Europe,
countries like Brazil, and elsewhere. Make no mistake,
consumers deserve meaningful, understandable, and consistent
privacy rights regardless of where they live and where their
data may be located.
I thank the subcommittee for its leadership in holding this
hearing and for encouraging a dialogue and I look forward to
the questions. Thank you.
[The prepared statement of Ms. Zheng follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Ms. Schakowsky. Thank you.
Mr. Grimaldi, you are now recognized for 5 minutes.
STATEMENT OF DAVID F. GRIMALDI, Jr.
Mr. Grimaldi. Thank you, Chairman Schakowsky, Ranking
Member McMorris Rodgers, and members of the committee. I
appreciate the opportunity to testify here today. I am Dave
Grimaldi, executive vice president for Public Policy at the
Interactive Advertising Bureau which was founded in 1996 and
headquartered in New York City. We represent over 650 leading
media and technology companies that are responsible for
selling, delivering, and optimizing digital advertising or
marketing campaigns.
Today the U.S. economy is increasingly fueled by the free
flow of data. One driving force in this ecosystem is data-
driven advertising. Advertising has helped power the growth of
the internet for decades by delivering innovative tools and
services for consumers and businesses to connect and
communicate. Data-driven advertising also allows consumers to
access these resources at little to no cost to them and it has
created an environment where small publishers and start-up
companies can enter the marketplace to compete against the
internet's largest players.
As a result of this advertising based model, U.S.
businesses of all sizes have been able to grow online and
deliver widespread consumer and economic benefits. According to
a 2017 study, in 2016 the U.S. ad-supported internet created
10.4 million jobs and added 1.1 trillion to the U.S. economy.
The study, designed to provide a comprehensive review of
the entire internet economy and answer questions about its
size, what comprises it, and the economic and social benefits
Americans deprive from it, revealed key findings that analyze
the economic importance as well as the social benefits of the
internet. And, indeed, as the Federal Trade Commission noted in
its recent comments to the National Telecommunications and
Information Administration, if a subscription-based model
replaced the ad-based model, many consumers would not be able
to afford access to or would be reluctant to utilize all of the
information, products, and services they rely on today and that
could become available in the future.
The time is right for the creation of a new paradigm for
data privacy in the United States. And IAB, working with
Congress and based on our members' successful experience
creating privacy programs that consumers understand and use,
can achieve a new Federal approach that instead of bombarding
consumers with notices and choices comprehensively describes
clear, workable, and consistent standards that consumers,
businesses, and law enforcers can rely upon. Without a
consistent Federal privacy standard, a patchwork of State
privacy laws will create consumer confusion, present
substantial challenges for businesses trying to comply with
these laws, and fail to meet consumers' expectations about
their digital privacy.
We ask Congress to standardize privacy protections across
the country by passing legislation that provides important
protections for consumers while allowing digital innovation to
continue to flourish. We caution Congress not to rely on the
framework set forth in Europe's General Data Privacy Regulation
or California's Consumer Privacy Act as examples of the ways in
which a national privacy standard should function.
Far from being a desirable model, the GDPR shows how overly
restrictive frameworks can be harmful to competition and
consumers alike. Less than a year into GDPR's applicability the
negative effects of its approach have already become clear. The
GDPR has led directly to consumers losing access to online
resources with more than 1,000 U.S.-based publishers blocking
European consumers from access to online material, in part
because of the inability to profitably run advertising.
To that unfortunate end, as was pointed out before, I would
note that the Chicago Tribune, including its Pulitzer Prize-
winning stories on government corruption, faulty government
regulation, et cetera, is no longer accessible in Europe due to
GDPR. Additionally, the San Fernando Sun newspaper. which has
been open since 1904. is no longer accessible, and The Holland
Sentinel, founded in 1896. can no longer be seen in Europe.
Small businesses and startups also saw the negative impact
of GDPR with many choosing to exit the market. Consent banners
and pop-up notices have been notably ineffective at curbing
irresponsible data practices or truly furthering consumer
awareness and choice. The CCPA follows in the footsteps of GDPR
and could harm consumers by impeding their access to expected
tools, content, and services, and revealing their personal
information to unintended recipients due to lack of clarity in
the law.
To achieve these goals, IAB asks Congress to support a new
paradigm that would follow certain basic principles. First, in
contrast to many existing privacy regimes, a new law should
impose clear prohibitions on a range of harmful and
unreasonable data collection and use practices specifically
identified in the law. Consumers will then be protected from
such practices without the need for any action on their part.
Second, a new law should distinguish between data practices
that pose a threat to consumers and those that do not, rather
than taking a broad-brush approach to all data collection and
use. And finally, the law should incentivize strong and
enforceable compliance and self-regulatory programs and thus
increase compliance by creating a rigorous safe harbor process.
IAB asks for Congress' support in developing such a
framework. We look forward to partnering with you to enhance
consumer privacy and thank you for your time today and I
welcome your questions.
[The prepared statement of Mr. Grimaldi follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Ms. Schakowsky. Thank you.
And, Ms. O'Connor, you are recognized for 5 minutes.
STATEMENT OF NUALA O'CONNOR
Ms. O'Connor. Chairwoman Schakowsky, Ranking Member
McMorris Rodgers, members of the subcommittee, thank you for
the opportunity to testify today. My colleagues and I at the
Center for Democracy & Technology are tremendously excited
about the prospect of Federal privacy legislation. We
appreciate your leadership in taking on this challenging issue.
Privacy and data over the last several decades have become
full of jargon and overly complexified, so I have one basic
message today and that is notice and choice are no longer a
choice. Any privacy legislation that merely cements the current
status quo of the notice and consent model for personal data is
a missed opportunity.
Let me take a moment to demonstrate why that status quo is
not working for individual consumers and companies. If I could
respectfully request the Members and their staff to take out
their phones--some of you already have them out, I hear them
ringing--and take a look at the home page. Open it up with
whatever you use to open up your phone. Mine is my fingerprint
and it is not working. Now look at your home page. How many
apps do you have? I have 262 apps on my phone. I had 261 until
Saturday night when the kids said, ``Mom, we want Chipotle for
dinner,'' and I had to download again the Postmates app, so now
it is 262. The average person has around 80, according to
current research. You can call me an overachiever or just a
working mom.
But for each of these 80 or so applications you have
already given the company behind it your consent to use your
personal data and likely in a variety of ways. For some of
those apps you are sharing your location data, others your
financial data, your credit card numbers, some of your apps
have information about your physical activity, your health, and
other intimate information even in real time.
Regardless of the types of data, you have received 80
notices and 80 different consents have already been given. Do
you remember the personal data you agreed to consent to give
and do you remember the purposes for which you shared it? Do
you have a good understanding of how the companies behind those
apps and devices are going to use that information 6 weeks from
now, 6 months or 6 years from now?
Now let's assume for the sake of this demonstration that
each of those 80 companies has even just a modest number of
information-sharing agreements with third parties. Back in
2015, which is the ancient times of the internet, the average
smart phone app was already automatically sharing data with at
least three companies and three different parties. You don't
know those companies, you don't have a direct relationship with
them, and now they have your personal information because you
were given notice and you consented. And that means the average
smart phone user has given consent for their data to be used by
at least 240 different entities.
That doesn't reflect how information is already being
shared by the companies with vendors, corporate affiliates,
business partners--in reality, the number is likely much higher
and that is just what is on your phone. That 240 number doesn't
account for your other devices, the devices in your daily life
in your house, in your car, your other online accounts, data
initially collected in the non-digital world, loyalty programs,
cameras, paper surveys, and public records. Does that feel like
you have control over your personal information? But you gave
your consent at some point.
Clearly, it is time for a change. Some will say that the
way to fix this problem is just make more privacy policies,
more notices, make them clearer so consumers can better
understand those decisions. More checkboxes will provide the
appearance of choice, but not real options for consumers.
Pursuing legislation like this just doubles down on our current
system of notice and choice and further burdens already busy
consumers.
There is fundamentally no meaningful way for people to make
informed, timely decisions about the many different data
collectors and processors with whom we interact every day.
Instead, the goal should be to define our digital civil rights.
What reasonable behavior can we expect from companies that hold
our data? What rights do we have that are so precious they
cannot be signed away?
The Center for Democracy & Technology has drafted
comprehensive legislation that is already available and has
been shared with your staffs. I am happy to answer questions
about it today. But most importantly, our bill and any
meaningful privacy legislation must first prohibit unfair data
practices, particularly the repurposing or secondary use of
sensitive data with carefully scoped exceptions.
Two, prevent data-driven discrimination and civil rights
abuses. Three, provide robust and rigorous enforcement.
Reasonable data security practices and individual-controlled
rights, such as the right to access, correct, and delete your
data are obviously essential. Enacting clear comprehensive
rules will facilitate trust and cement America's economic and
ethical leadership on technology.
Now is the time for real change. You have the opportunity
to shape a new paradigm for data use and you have the support
of the majority of Americans to do so. Thank you.
[The prepared statement of Ms. O'Connor follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Ms. Schakowsky. Thank you.
So we have now concluded our opening statements and we now
will move to Member questions. Each Member will have 5 minutes
to ask questions of our witnesses and I will start by
recognizing myself for 5 minutes.
So this is a stack of, really, just some of the privacy
policies of the websites, apps, stores, and other services I
interacted with just yesterday and actually not all of
yesterday. I haven't read them all. And I check the weather on
my phone so I have a privacy policy for that app. I flew into
town yesterday. I have the privacy policy for the airline and
for the online travel.
In order to get onto the plane I had to go my phone. I used
the app to book the flight. I went to the drugstore and used my
loyalty card so I have that privacy policy. I checked the news
online so I have a few privacy policies of a few of the
newspaper sites that I visited. I watched TV. I went online. I
used my cell phone. I have a privacy policy for my cable
provider, my internet service provider, my cell phone
manufacturer and the operating system, and that is still just
some of them.
And at that point did I have the option to proceed--and I
didn't have the option at any point to proceed without agreeing
to the terms. And frankly I think like most consumers because I
am anxious to actually get the job done, I agree. I agree. So
this stack does not include each of their service providers or
affiliates or the data broker that gets my information from
them or a third party advertiser, advertising company or
analytic company or whoever else is lurking unseen to me and
unheard and unknown.
By the way, a lot of these policies are pretty vague about
what they do with my data and who they share it with or sell it
to. This is the limitation of the notice and consent system
that we use right now. A person should not need to have an
advanced law degree to avoid being taken advantage of. We need
to find solutions that take the burden off the consumer and put
some responsibilities on those who want our data.
So, Ms. Collins-Dexter, can you talk a little bit about
some of the ways that our data is being used by consumers and
then, Ms. O'Connor, if you could follow up.
Ms. Collins-Dexter. Some of the ways in which our data is
being used by consumers?
Ms. Schakowsky. We are talking about--oh no, being--I am
sorry--how it is being used by companies. I am sorry.
Ms. Collins-Dexter. Yes, it is being used in all sorts of a
number of ways. And I think to your point earlier, I think even
if we know our data is being used in a number of ways, even if
we--black folks, I think a report was released last week that
said black people are actually more likely to read the fine
print before they sign onto things on the internet and have
long believed that their information and data was being sold,
and yet that hasn't made us particularly safer. We have still
had to experience all sorts of ways in which our data is being
used against us.
Even data points that feel innocuous can be used as sort of
proxies for protected class. I offered some examples in the
document that I shared with you. But another example comes from
the insurance industry in the realm of car insurance, for
example. Auto insurance telematics devices collect what would
be considered, quote unquote, non-sensitive data such as
vehicle speed, the time of day someone is driving, the miles
driven, the rates of acceleration and braking.
Those devices aren't collecting what we would consider
sensitive data such as location and driver's identity, and yet
that information is being used to like charge people higher
rates for insurance. And it happens at that people most likely
to be driving at night, most likely to be braking, all of these
things are usually like working, lower-class people.
Ms. Schakowsky. If I could interrupt, and we will get more
of that. But I want to see if Ms. O'Connor wants to add at
least one thing to this.
Ms. Collins-Dexter. Sure.
Ms. O'Connor. Thank you so much.
There is a primary purpose for data. When you give your
data to a company to deliver that yellow sweater they need to
know your name and address. That makes sense. There are
secondary purposes in terms of business processing and
activities that might be legitimate, where we feel in our draft
legislation the secondary purpose for sensitive data, like, for
example, the fingerprint I was using to open my phone, I want
to be able to open my phone with that, I don't want that
sensitive biometric data used for a secondary purpose by that
company or by other companies.
So we would say there is a higher level of sensitivity
around biometric data. Intimate or immutable information about
you deserves a second, a higher level of care. And also there
is sharing, obviously there is your data going from a first
party to an entirely separate third party in the transaction
that would lead to concern and those parties should be bound by
the promises that first party made.
Ms. Schakowsky. Thank you. And now let me recognize our
ranking member, Cathy McMorris Rodgers.
Mrs. Rodgers. Thank you, Madam Chair. I appreciate again
everyone being here, and I do believe that there is bipartisan
support to move forward so that we can ensure strong protection
of personal data that will ensure that we are improving upon
consumer trust and demonstrating U.S. leadership in privacy and
innovation.
I am concerned about the patchwork of privacy and security
laws that I see coming at the State level. And we are moving
forward in Washington State, there is a debate going on as well
as other States that are taking action that I believe are going
to lead to higher cost and impact on consumers. It is actually
going to increase their prices and reduce the options that
consumers have.
I would like to start with Dr. Layton and just ask the
question, do you think that it is important for one Federal
privacy law to set that national standard and, if so, just
explain some more why.
Dr. Layton. Thank you for the question. I was heartened to
hear our panelists and our representatives agree that we do
need a comprehensive Federal standard.
Because California is such a large economy, if it can go
forward with its particular rules it can dictate the rules for
the rest of America. We have talked a lot about rights here on
this panel and all of Americans have rights and it isn't fair
that one State gets to dictate for everyone else. We should
certainly look at California and learn from them, but it is, as
I understand, a law that came together in 1 week and that was
their choice about how they did it. So I certainly agree that
we need a national standard.
Mrs. Rodgers. I would like to ask Mr. Grimaldi and Ms.
Zheng if you also would address this question and if your
members agree with the one national standard.
Mr. Grimaldi. Thank you, Congresswoman, we do. But make no
mistake, we are very much in favor of the concepts of
transparency and accountability and choice which are the
bedrocks of CCPA and the reason that Californians came together
to rally behind a law and the merits in it.
But to echo what Dr. Layton said, that patchwork could have
incredibly negative effects on the American internet economy
because it will force compliance costs not just on California
companies but on all companies in America. It will imbalance
what the larger providers can pay for those compliance costs
and to retrofit their systems and to get ready to field what
will be likely a barrage of lawsuits and, quite honestly, just
fewer users, meaning fewer advertising costs once the
enforcement of CCPA goes into effect in January.
And that is not indicative of a good privacy policy that
provides to consumers what they currently enjoy, their content,
their news, their video, and everything else.
Ms. Zheng. I also completely agree. Thank you for that
question, Ranking Member McMorris Rodgers.
I think from the Business Roundtable perspective a national
consumer privacy law should not mean that consumers get less
protections than currently exist, but if we set the standard at
an appropriate level it can mean that every American across
this country has protections that they don't currently have. So
when we developed our proposal we looked at the California law.
We looked at GDPR. We looked at other State proposals and FTC
authority and tried to take the best practices of each of these
individual laws in developing our proposal.
Mrs. Rodgers. Great. And just as a follow-up, I think as we
move forward we need to be very concerned about making sure
that we are protecting individuals' privacy but also ensuring
that we are not becoming too regulatory, that the regulations
are not too complex and through the regulations actually
helping, or like the largest actors can pay those costs but it
will make it harder for our startups and our innovators to get
into the marketplace.
Dr. Layton, would you just address what you have seen with
GDPR to date as far as the impact on businesses or innovators?
Dr. Layton. Yes. Well, in the case of the European Union,
you have a data protection authority in each State and you have
a super regulator overseeing that. And when this has come into
play there was no training, there was no funding to help the
particular agencies to get up to speed. They are not all
equipped with the same set of skills. Some regulators may have
worked there their whole life, other ones may be new. They have
a different set of expertise. So, and each country had its own
particular rules. And this issue and question around how do
they manage this going forward that even the framers of the
GDPR themselves said it will be 2 years before we have a
judgment because of the actual process and how long it takes
and so on.
So in the minds of the Europeans that this was also an
important what they see as a way to empower government that
they are looking to place people in jobs. They expect that they
were going to have 75,000 more bureaucrats working in these
particular jobs to look over the privacy and so on. So it is--
they are sort of--it reflects what is going on in the EU today
is a desperation. There are many people dissatisfied with the
European Union. You probably know about Brexit. And this is a
way that the EU is trying to respond to demonstrate to
constituents that the EU can do something and it is not, you
know, in the U.S. we might say, well, let's make it better or
innovate----
Ms. Schakowsky. If you could wrap up.
Dr. Layton. Yes. So that was my point. Thank you.
Mrs. Rodgers. Thank you. I will yield back.
My time is expired.
Ms. Schakowsky. Now the gentlelady from Florida, Kathy
Castor.
Ms. Castor. Thank you. You know, Americans are increasingly
fed up with the violation of their privacy by online companies.
There is just simply a massive amount of data being collected
on each and every person. And then when that data is used,
misused without their permission, or there is a breach of their
financial data or their health data, I mean that is, it is
really outrageous we have let it get this far. And I think
American consumers understand that this needs to be fixed.
So I want to thank Chairwoman Schakowsky for calling this
hearing, and I look forward to working with her and the other
Members on this committee to adopt strong privacy protections
for American families and consumers.
Ms. O'Connor, help us assess the current state of
Americans' online privacy protections. Let me know if you agree
or disagree with these statements. Currently there is no
general Federal law that requires online companies to have
privacy policies or protect our privacy. Is that correct or not
correct?
Ms. O'Connor. That is correct.
Ms. Castor. And there is no general Federal law that
requires an online company to secure our personal information
or notify a customer if his or her personal information has
been stolen. Is that correct?
Ms. O'Connor. That is correct.
Ms. Castor. And the only way the Federal Trade Commission
is able to examine companies that violate our privacy is
through Section 5, unfair or deceptive acts or practices
authority, which basically means that companies can do whatever
they want with our data as long as they don't lie about what
they are doing. Is that right?
Ms. O'Connor. That is correct.
Ms. Castor. So is it accurate to say that a bad online
actor can collect all sorts of very personal information such
as your location, your birthday, your messages, your biometric
data, your Social Security Number, political leanings without
your permission and sell it to the highest bidder as long as
they don't lie about what they are doing?
Ms. O'Connor. That is pretty accurate.
Ms. Castor. Well, that is outrageous. And I think that is
why American consumers now have--there has been an awakening to
what has been happening. They understand this now and they are
demanding strong privacy protections.
One of the areas that concerns me the most, Ms. Collins, is
the data that is collected on children. There is a bedrock
Federal law, the Children's Online Privacy Protection Act, that
is supposed to protect kids from data being gathered on them
and being targeted, but it was signed into law over 20 years
ago. And think about how much the internet has changed in 20
years, the apps that are available to kids, the toys that talk
to them and gather data.
Do you agree that COPPA needs to be updated as well?
Ms. Collins-Dexter. Yes, I do. Can I expand on that a
little more?
Ms. Castor. Please. I noticed in your testimony you cited a
Cal Berkeley study where they identified how many apps targeted
to kids that are probably gathering their data. Could you go
into that in greater detail?
Ms. Collins-Dexter. Yes. Yes. So I mean, I think a
general--COPPA is the only Federal internet privacy law on the
books and beyond that I think it is a solid blueprint for what
comprehensive privacy legislation could look like with an opt-
in model and placing obligations on companies for adequate
disclosure. But as you point out, it is 20 years old and, like
the Civil Rights Act, it does not account for the digital
economy we are immersed in today.
So as I mention, a Cal Berkeley study found that thousands
upon thousands of children's apps currently available on Google
Play violate COPPA. The fact that the market is flooded with
data collection apps and devices targeted at kids like Echo
Dot, CloudPets, Furby Connect, and others should alarm us. More
than one-third of U.S. homes have a smart toy. And so it is
really important for us to like really, you know, think of the
implications of that as we look to modernize that legislation.
Ms. Castor. Because we kind of have an understanding now
that online companies are building profiles on all of us with
huge amounts of data. But they are doing this to our kids now,
notwithstanding the fact that we have a Federal law that
supposedly says you can't do this. Is that right?
Ms. Collins-Dexter. That is correct.
Ms. Castor. Ms. O'Connor, I don't think the average
American parent understands that the apps and the toys that are
provided, you know, for their kids to have fun and play games
are creating these shadow profiles. Is that accurate?
Ms. O'Connor. I work in technology and I have many, many
children and I feel overwhelmed with the choices and the lack
of transparency about not just their online environment, but as
you point out correctly the devices in our daily lives, even
the toys and what they can and cannot collect. And it doesn't
necessarily matter that it is identifiable by name if it is
targeting you based on your habits and preferences and choices
that could close their world view as opposed to open it up,
which is what we would hope the internet would do.
Ms. Castor. Thank you very much. I yield back.
Ms. Schakowsky. I now recognize the ranking member of the
full committee, Mr. Walden, for 5 minutes.
I am sorry? Oh, I am sorry. Was that wrong?
OK, let me recognize Mr. Upton for 5 minutes.
Mr. Upton. Thank you, Madam Chair. It is a delight to be
here. I know that Mr. Walden is at the other hearing. I think
he intends to come back.
Ms. Zheng, I think that we all recognize that the elephant
in the room is truly we can have a system that is 40 or 50 with
States or we are going to have one standard. What is the
perception from the number of companies that you represent from
the Business Roundtable in terms of how they would have to deal
with maybe as many as 30 or 40 different standards, as I would
figure that a number of States might join up with and team up
with others? What is the reaction to that? It goes along with
what Ms.----
Ms. Zheng. Yes, we strongly believe that a fragmented sort
of regulatory environment where we pursue a State-by-State sort
of regulatory approach to privacy makes for very inconsistent
consumer protections. It also creates massive barriers to
investment and innovation for companies that have to operate in
all of these different States. It is simply unworkable.
And so that is why we think it is necessary to have a
single national Federal privacy law that preempts State laws.
And I think the assumption that preemption weakens existing
privacy protections is a false assumption. You know, we
strongly believe that a Federal consumer privacy law should be
strong and should provide additional protections for consumers
that are consistent across every State in the country.
As I think, you know, folks here mentioned earlier,
devices, data, people, they constantly move across borders,
across States. A State-by-State approach just simply doesn't
work for this type of domain. And, in fact, even when you look
at California's own privacy law, there is a rather strong
preemption clause in the California law that preempts city,
county, and municipality laws within the State of California,
likely for exact same reason why a Federal privacy law should
preempt State laws.
Mr. Upton. And are you aware, is anyone tracking what the
other 49 States might be doing?
Ms. Zheng. We are. I think a lot of folks on this panel are
as well.
Mr. Upton. Yes. And are any of those States getting close
to something like California has done? I know it is a new
legislative year for many States, but----
Ms. Zheng. There are a number of----
Mr. Upton [continuing]. What are your thoughts on where
other States may be?
Ms. Zheng. Yes. I think there are roughly about 30
different State legislative proposals related to privacy. They
all take, many of them take very, very different approaches or
regulate certain types of sectors. Some of them are more
general. Some of them may be focused on specific types of
information that are personal. But what it demonstrates is that
there is a ton of interest within the States and they are not
taking a coherent, consistent approach.
Mr. Upton. And what are your thought--do you think that any
of these States will actually do anything yet this calendar
year or not? I know that it is early.
Ms. Zheng. It is hard to say, but I think it is highly,
highly likely that a number of States will pass privacy laws
this year.
Mr. Upton. I know I don't have a lot of time left as I ask
my last question, but I thought that Mr. Grimaldi had some very
good comments in his testimony about four different parts to
achieve the goals. One, to have clear prohibitions on a range
of harmful, unreasonable data collection; two, is that the new
laws should distinguish between data practices that pose a
threat to consumers and those that don't; three, that the law
should incentivize a strong and enforceable compliance and
self-regulatory programs; and, finally, that it should reduce
consumer and business confusion by preempting the growing
patchwork of State privacy laws.
As it relates to the first three, knowing where I think I
know you all are in part four, where are you in terms of your
thoughts as to those first three principles? And maybe if we
can just go down the line and we will start it with Ms.
Collins-Dexter as to whether she thinks that is a good idea or
not, briefly, knowing that I have a minute left.
Ms. Collins-Dexter. Could you repeat that one more time?
Apologies. I was like taking furious notes.
Mr. Upton. So Mr. Grimaldi had three, four points of which
I think that the first three that I would like to focus on.
One, that the clear, have clear prohibitions on a range of
harmful and unreasonable data collection and use practices
specifically identified by the law, these are goals for
legislation. Two, that the new laws should distinguish between
data practices that pose a threat to consumers and those that
don't. And third, that the law should incentivize a strong and
enforceable compliance in self-regulatory programs.
So I guess now we just have to go to yes or no with 20
seconds left.
Ms. Collins-Dexter. Yes.
Mr. Upton. Dr. Layton?
Dr. Layton. Yes.
Mr. Upton. Ms. Zheng?
Ms. Zheng. Yes.
Mr. Upton. And Ms. O'Connor?
Ms. O'Connor. Yes.
Mr. Upton. OK.
Ms. O'Connor. The self-regulation alone is not going to be
enough. That was revolutionary in 1999, but it is no longer
sufficient to protect consumers today.
Mr. Upton. My time has expired. Thank you.
Ms. Schakowsky. I now recognize Mr. Veasey for 5 minutes.
Mr. Veasey. Thank you, Madam Chair. You know, earlier, in
Ms. Collins-Dexter's testimony something really, you know,
concerned me and really hit home for me when she was talking
about, you know, how poor people are being targeted for some of
this marketing and these privacy issues that we are having. And
for a lot of the people that do fall within that category, it
is going to be very important for them that these services
remain, quote unquote, free, whatever free is. And of course we
know that nothing is really free.
And what is so troubling about that is that in our society
obviously we live in an economy that is based on profit and
gain. What is the sweet spot? I would like to know maybe from
Ms. Zheng or Mr. Grimaldi from a business standpoint what is
the sweet spot? How can you still provide these services for
free for the constituents that I represent and the people that
Ms. Collins-Dexter was talking about, how do you preserve them
being able to access this without them having to pay additional
fees, but the market research and the other things that go
along with these services being free, and how do you combine
all of that? Is there a real sweet spot in all of this?
Ms. Zheng. So I think--thank you for that question,
Congressman. It is a really important issue and I am glad that
you raised it and I am glad that Ms. Collins-Dexter raised it.
It is complex. It requires additional attention. There is
significant technical, legal, and ethical considerations as
well. Companies should not be using personal data about
consumers to make discriminatory decisions in the areas of
employment, housing, lending, insurance, or the provision of
services.
But defining that line between using an algorithm to
discriminate against consumers and using it to target, for
example, ads in Spanish to Spanish-speaking consumers is
challenging. So we need to be mindful of some of the more,
these legitimate uses of certain demographic information that
enable products and services to be better tailored to a
consumer.
But we recognize that this is a really important issue as
is the, you know, differential pricing issue that you raised.
Although we have significant concerns with the particular
approach taken in the California law, we welcome the
opportunity to work with the committee on this issue and
consider different proposals though. Thank you.
Mr. Veasey. For the areas where these companies are trying
to obviously maximize their return on investment where they
need control groups and run tests, can that still happen, Mr.
Grimaldi, with more consumer protection? And obviously the
consumer protection is definitely needed. I think that you can
just listen to just a very few minutes of today's testimony and
realize that.
Mr. Grimaldi. Correct, Congressman Veasey. Associating
myself with Denise's comments, we need to break apart any
discriminatory practices from good practices. And you mentioned
the value exchange that goes on behind consumers transacting
their business on the internet and Chairman Schakowsky went
through a long list of what she has only done in the last 48
hours going to a store, taking a flight, et cetera. Those are
useful practices that people come to accept. However, that
information cannot be gamed for reasons of eligibility, of
discrimination, of price discrimination. Our industry is
absolutely against that.
There is a self-regulatory code that our companies adhere
to in the Digital Advertising Alliance, a body that we stood
up, stipulating to what Ms. O'Connor has said in that self-
regulation, the reason that we are here, we need help apart
from self-regulation. We are here to partner with Congress to
say it is past time, we are overdue in a national framework
that speaks to these issues.
But yes, there are good uses. There are harmful uses. That
is what we need to break apart and distinguish.
Mr. Veasey. Madam Chair, I yield back. Thank you.
Ms. Schakowsky. I now recognize the ranking member of the
full committee, Mr. Walden.
Mr. Walden. Thank you, Madam Chair. And as you know we have
another hearing going on upstairs, so I'm having to bounce back
and forth.
In the United States we currently enjoy an environment that
allows small to medium-sized companies to grow, to raise money
and compete and in large part because they do not have to come
to the government to get their business plans approved and how
we have successfully legislated based on well-defined risks and
harms.
Dr. Layton, if data sharing and privacy is regulated
differently by individual States in the U.S., what will that do
to the American marketplace?
Dr. Layton. So assuming this could pass a court challenge,
because I think it would violate the commerce clause as we
discussed, I don't see how it is possible you can send products
into other States if you are a retailer in Maine and you have
to send your products to 50 different States and you have to
have 50 different ways to do it. I don't see why you would
start that business. I think you would move to another
industry.
Mr. Walden. So how has GDPR impacted Google's market share
in the EU?
Dr. Layton. It has increased since it came into effect.
Mr. Walden. And I think that is what we are showing right
here on the slide that nobody could read from afar, I am sure.
Maybe we can put it on the big screen and take me off, which
would be a pleasant experience for everybody. But I don't have
a copy of that here at my desk.
[Slide.]
Mr. Walden. But I think what you are seeing here is that
small innovators are actually leaving this space, right? And
investment in small entrepreneurs is going down in Europe and
going up in the United States since GDPR was put in place. Is
that accurate?
Dr. Layton. Yes. So this particular graph is looking at
what is, what they are highlighting here is the competitor, the
analytics competitor. So Google Analytics is running on a lot
of websites and depending on the company they may have multiple
competitors to Google Analytics. Retailers have a set, you
know, different sorts of areas.
So essentially some media companies, some larger firms are
kicking off the smaller competitors for their--they are kicking
them off, so that means that those trackers have not been
firing. That is what this is measuring.
Mr. Walden. Yes. My understanding shows that shortly after
GDPR was implemented, Google's market share increased by almost
a full percent and smaller ad tech firms suffered losses of
anywhere from 18 percent to almost 32 percent. GDPR has proven
to be anticompetitive and makes it more difficult for small
businesses to compete and just one example of that negative
impact. Now there may be other things going on affecting these
numbers, I will stipulate to that. But clearly GDPR has had an
effect.
Mr. Grimaldi, since GDPR has been in effect, academic
research shows that investments in startup companies in the EU
have dropped by an aggregate of 40 percent, 4-0. Compare that
to the United States, where in 2018 investments and startups
neared $100 billion, which is the highest year since the dot-
com boom, protecting consumers including protecting them from a
marketplace devoid of choices so they are forced to use certain
products or services.
What should an American approach to data privacy look like
and that does not hamper small business and investment?
Mr. Grimaldi. Thank you, Chairman. You are correct. We are
seeing that fall off in Europe and it is not because--I listed
some newspapers at the beginning that are not currently
operating in Europe and it is not because they are not
complying with the law and it is not because they were at
fault. It is because they just can't afford that kind of a
pivot to construct their services that could be at legal risk,
at great legal risk.
This is one of the many things that we are seeing with CCPA
that is going to be a major deterrent, if not a killing blow,
to American companies that can't deal with the labyrinth in
construct of new regulations in California, or other States
that might force them to take down their online advertising
funding regime for fear that they could be susceptible to a
major lawsuit because they did not classify or categorize data
in a way that could be returned to consumers.
Because they currently, these companies don't have those
structures in place and now in order to do something that again
I stipulate was correct in its founding--transparency, choice,
accountability--is now potentially going to force companies to
say we just can't afford to retrofit all of our systems and be
able to collect that much data, and even if we do there is a
litigation risk that we wouldn't be able to swallow. So.
Mr. Walden. Could you put that litigation risk in common
person's terms? What are we talking about here if you are a
small business online?
Mr. Grimaldi. Correct. Under CCPA some of the provisions--
and we are active as I think many in this room are in dealing
with the California Attorney General's Office, former
Congressman Xavier Becerra being that Attorney General. He is
taking a look at the current law and promulgating it to be
enforced in January. The litigation risk could mean that if a
consumer requests their data from a company, if a consumer
reaches out and says, ``What do you have on me and how is it
shared,'' a company has to be able to provide that in a certain
time frame. And if it doesn't, it is in violation of the law.
That litigation risk you can compound into the thousands or
hundreds of thousands of requests that will multiply into the
millions and billions of dollars. And that is something that
smaller companies would not be able to deal with.
Mr. Walden. My time has expired. I thank all of our
witnesses for enlightening us in this issue. Thank you.
Ms. Schakowsky. And now I yield to the chairman of the full
committee, Mr. Pallone.
Mr. Pallone. Thank you, Madam Chair. I wanted to build on
your questions. Some uses of our data is certainly concerning.
This committee has explored many of them, Cambridge Analytica's
use of people's data to manipulate their political opinions and
influence their votes, for example. And we had hearings with
Equifax, Facebook, and Twitter.
We can't begin to reveal just how little we all know about
who is collecting our data or what they are actually
collecting. And I think many of us have this vague idea that
everyone is collecting everything and that there is nothing we
can do about it, but in my opinion that is not acceptable
because some data maybe just shouldn't be collected at all.
So in that vein I wanted to ask Ms. O'Connor, data
collection has become extremely profitable leading some
companies to collect every bit of data they can, but is there a
line that shouldn't be crossed? Should there be some limits on
actual collection?
Ms. O'Connor. It would be our position that yes, at least
as to the most sensitive information there should be very clear
notices and awareness on the part of the consumer, again the
example I used of my fingerprint in my phone being collected
for one purpose, not being used for any other. When I use a map
app they obviously need to know my location. I do not want that
location sold or transferred.
Are there types of data that shouldn't be collected at all?
In our bill, in our proposal we look very seriously at issues
of precise geolocation, biometric information, children's data,
content of communications, and health information as deserving
higher sensitivity and higher protections.
Mr. Pallone. All right. Let me ask Ms. Collins-Dexter, how
do you think we should be--well, how should we be thinking
about limits on collection and what about limits on sharing,
sharing with or selling to third parties?
Ms. Collins-Dexter. I echo Ms. O'Connor. I think we should
be looking at all of this right now. Companies have a financial
incentive to collect as much information as they can and store
it forever with no obligation not to do that. I think we have
to have meaningful data minimization requirements. I think we
have to definitely look at the various ways in which
information is often used as a proxy for race.
So, for example, we know that Facebook and a lot of big
tech companies actually don't collect explicitly race data.
However, many things around geolocation and daily habits are
able to like put together this data profile in which like
people are able to ascertain race and that is used for
predatory marketing practices.
And so we have to be able to like parse through all of that
information and keep a constant eye on impact, which I think
should be at the core of any legislation that we are looking
at.
Mr. Pallone. Thank you.
Ms. O'Connor, what about limits on sharing with or selling
to third parties?
Ms. O'Connor. Absolutely. We put those in two separate
buckets. First, limits on sharing again for the most highly
sensitive of the categories I mentioned, particularly things
that are immutable or most intimate about you. On selling we
would also put limitations, or sharing with third parties that
the third parties would have to be bound by whatever promises
the first party made about that data.
So absolutely, we would look very hard and limit secondary
use and third-party sharing.
Mr. Pallone. Thank you. I just wanted to ask about limits
on sharing people's information with affiliates, because we
know that many corporations own multiple affiliated companies
that the average person would not contact, like YouTube,
Android, and DoubleClick are all owned by Google, or Jet.com
and Sam's Club both owned by Walmart. Data collectors who say
they don't sell data to third parties may still want to share
that with their affiliates.
So let me ask Ms. Collins-Dexter, should there be limits on
sharing people's information with these corporate's affiliates?
Ms. Collins-Dexter. Yes, absolutely. We should definitely
be looking at how these third party companies are operating as
we saw with Facebook last week and as we continue to see with,
as you all have mentioned, Cambridge Analytica and others. You
have these third-party data mining companies that aren't
regulated, aren't looked at. They are gathering data, scraping
it, selling it to companies for predatory marketing purposes,
selling them to like law enforcement without our consent and
because we don't even know that these companies are looming in
the background it really even further limits our choice or
ability to say no.
Mr. Pallone. And just quickly, Mr. Grimaldi, behavioral
ads, advertising needs data to target as to the most
appropriate audiences. How would limitations on the collection
and retention affect your member companies? Are there limits
that can be established through legislation that provide
reasonable protections to consumers that your member companies
would accept?
Mr. Grimaldi. Sure, thank you. We currently have a very
robust, self-regulatory program that is targeted to consumers
having transparency into their online behavioral advertising
and the ability to click through the ad via an icon in the
upper right corner of every ad that is served over a trillion
times per month that takes you to a page that says, why am I
seeing this ad and how can I stop seeing it?
There is tremendous uptake in terms of people going through
that ad up to the tune of about 70 to 80 million unique
impressions. So we offer that control. One of the messages
today before you is as much as we are trying to educate
consumers on that there is still a need for a Federal program
that can help us distinguish what kind of advertising is
working, what is considered harmful and what do consumers need
to know.
Again before they click on something it could be something
that is very much tailored to what they are looking for, an ad
that speaks to them. We have much research that shows that
consumers prefer targeted behavioral advertising rather than
generic advertising, but we want to make sure consumers have
those controls so that they can stop seeing those ads and again
that could be enshrined.
Mr. Pallone. Thank you.
Ms. Schakowsky. And now I yield to Mr. Latta, the former
chair of this subcommittee and my friend.
Mr. Latta. Well, thank you very much. If I could ask just a
quick point of personal privilege and congratulate the Chair on
assuming the gavel. So congratulations, it is a great
subcommittee.
And Madam Chair, before I begin I would also like unanimous
consent to enter into the record excerpts from the WHOIS report
from the Department of Justice Attorney General's cybersecurity
task force.
Ms. Schakowsky. Sorry. Without objection, so ordered.
[The information appears at the conclusion of the hearing.]
Mr. Latta. Thank you, Madam Chair, if I could reclaim about
30 seconds there.
Last Congress, the Energy and Commerce Committee held
nearly a dozen hearings discussing privacy and security issues.
That includes much publicized hearings where we heard from the
CEOs of Facebook and Twitter about how the companies collect,
safeguard, and use data. From those hearings it was clear that
while these companies provide a service that Americans like,
consumers aren't always clear about what happens with their
personal information.
With the California law slated to take effect at the
beginning of next year, time is of the essence. In divided
government it is not always easy to tackle the tough problems,
but I believe the time is right to work together on a Federal
data privacy solution. Both consumer groups and business
organizations have come onboard in calling for a national
standard. We all agree that consumers should have transparency
and accountability and that we want to ensure that the United
States stays the prime location for innovation and technology.
Dr. Layton, if I could ask you, I have been hearing from
many groups regarding the loss of access to information about
domain name registration or the WHOIS data and the role it
plays in protecting consumers. Would you explain how WHOIS
increases online transparency so that consumers may have a
better understanding of who they are interacting with online?
Dr. Layton. Right. So the WHOIS database, for just lack of
a better way, would be a sort of address book for the internet,
who is registered, who owns what particular domain.
Mr. Latta. And following up, would you want to comment on
how the GDPR is creating challenges to accessing that data?
Dr. Layton. Absolutely, so one of the key problems is that
because of its ability to retract information, that people
are--that the domain name registers are masking their identity.
This is making it very difficult for law enforcement to find
out perpetrators of crimes. It is also an issue to if you need
to contact things where intellectual property, for example.
So there are many concerns with this and this reflects, you
know, our historical view of privacy of prioritizing the right
to know. We believe that the public has a right to know about
these things.
Mr. Latta. Well, could you go into a little more depth
about on how, you know, that information helps in identifying
those bad actors and those criminals that are out there and
that law enforcement needs to be able to find those individuals
and bad actors?
Dr. Layton. Right. Well, in just the same way that if you
looked at a phone book and you would see, well, you know, a
certain address and this place, who lives at that address, I
mean that is a key function of law enforcement. So if you are
taking that away for the internet for global, for law
enforcement everywhere that it is a serious problem.
Mr. Latta. And if you could list your top three concerns
for the GDPR and also the CCPA which is the California law?
Dr. Layton. Sure. Well, I would say the first concern from
the U.S. perspective would be First Amendment free speech
concerns that the level of government requirements is so high
that it reduces expression. That would be number one. I would
certainly say safety would be number two with regard to just
what you described. You have other issues with people who have
committed crimes in the European Union who are asking that
their records be erased or removed that have committed murders,
child molestation, and so on. That is a serious problem.
And I would say thirdly, the sort of a dumbing down of
consumers that there is creating a false sense of security that
somehow that regulators have the answer on what to do, it
doesn't allow consumers to take responsibility for when they go
online. And I would add number four, which is I think that you
are freezing in place technologies and you don't let them
evolve.
So, for example, the EU will require using certain kinds of
data protection technologies, but we can actually make them
better. So if you require a company to do technology A today, I
can invent technology B tomorrow and I am not allowed to
upgrade to it. So that is a major problem as well.
Mr. Latta. All right, I appreciate it very much and I yield
back the balance of my time.
Mr. O'Halleran [presiding]. Next will be Mr. Lujan, New
Mexico.
Mr. Lujan. Thank you very much, Mr. Chairman, for this
important hearing. Let me jump into this.
In 2000, the FTC recommended that Congress enact a consumer
internet privacy legislation. That was 19 years ago. This
subcommittee held a hearing after the Equifax breach in 2017.
We had Mark Zuckerberg before the full committee in April 2018.
The 115th and previous Congresses failed to pass meaningful
privacy protections even though there were commitments made to
the American people.
So as we jump into this, Ms. O'Connor, an entire economy
based on data has been built but we didn't stop to consider the
risks and potential downsides companies collecting data have
put consumers at risk.
Mr. Grimaldi, in your testimony you say that the law should
incentivize strong and enforceable compliance and self-
regulatory programs by creating a safe harbor process, but I am
concerned that incentives won't be enough. We need some
accountability. So what one of the ideas that we have is to
require companies to conduct risk assessments, if you want to
process data for consumer-related uses you need to assess the
foreseeable risks of such uses.
So, Ms. O'Connor, yes or no, should we require risk
assessments so companies factor the risk and potential harms in
their decision making?
Ms. O'Connor. Certainly the concept of risk assessments or
privacy impact assessments has been around since even before
those FTC hearings, which I attended in the year 2000 and
before, and certainly that is part of a robust privacy program.
But we do want to be mindful of the burden on small businesses
and make sure that the legislation that is comprehensive is
elegant and efficient. It is simple. It is streamlined and easy
for a small, a medium, and a large company to know what the
rules are and to abide by them.
So while I am certainly in favor of and I have implemented
a number of PIAs or risk assessments in my time in the
government and in the private sector, I want to make sure that
the law is simple and clear for consumers and for companies.
Mr. Lujan. So assuming the same disclaimer holds true to
the next question, yes or no, should we require a privacy
protection officer at companies that collect large amounts of
data who would be responsible for training staff, conducting
audits, working with authorities, and advocating for privacy
with the entity?
Ms. O'Connor. Yes.
Mr. Lujan. There is a great editorial that was authored in
Forbes, January 15th, 2019, titled ``2019 Data Privacy Wish
List: Moving From Compliance To Concern.'' I would ask
unanimous consent to submit it into the record.
Ms. Schakowsky [presiding]. Without objection.
[The information appears at the conclusion of the hearing.]
Mr. Lujan. In it one of the points that was made here is
from a move from privacy compliance to concern and care. That
``rather a philosophy that treats data with extreme care and
with prevention of data breaches in mind,'' that that is
something that companies should be doing. So that is where I am
thoughtful from a incentive prospective, but what we must be
doing going forward.
Ms. Collins-Dexter, you highlighted in your testimony some
important aspects here. And I am concerned about implications
for access to housing, lending, digital redlining, and voter
suppression as we talked about information that is shared that
is sensitive. Would you agree that this is a problem?
Ms. Collins-Dexter. Yes. I absolutely do.
Mr. Lujan. Have companies responded when it has been
brought to their attention that their products or services are
having discriminatory effects?
Ms. Collins-Dexter. On the whole, no, it has not. We have
sat at the table. Part of our model is a corporate
accountability model which requires direct engagement in
negotiation. We have sat at many companies, Facebook included,
for many years and have a lot of discussions with them. And for
every policy they develop we tend to find weeks, days, months
later that the problem is really much larger than what was
initially indicated. And so self-regulation has not proven to
be a viable option.
Mr. Lujan. So with that being said, have the responses from
industry been adequate in this space?
Ms. Collins-Dexter. Have the responses from the industry?
Mr. Lujan. Been adequate?
Ms. Collins-Dexter. No.
Mr. Lujan. Are there changes companies have made
voluntarily that should be made into law? And we can get into
the details, just yes or no.
Ms. Collins-Dexter. Yes.
Mr. Lujan. So we would be happy to work with you in that
space.
Mr. Grimaldi, the IAB represents over 650 media and
technology companies that together account for 86 percent of
online advertising in the U.S. You heard the quote that I
referenced from this editorial. Are these companies looking to
protect my privacy when they are making business decisions?
Mr. Grimaldi. Congressman, they are. They are without a
doubt. One of the things again why we are here today is to ask
government to fill in those holes that we can't fill in. Should
there be mandatory components of a privacy policy that does not
let a user accidentally click something to give consent? Is
there other pieces where we could work with you on
strengthening what we already have put in the market for
consumer controls.
Mr. Lujan. Let me ask a question as my time expires and I
will be happy to submit that to the record so we can get a
response. Would you agree that companies need to shift to a
philosophy that treats data with extreme care with prevention
of data breaches in mind?
Mr. Grimaldi. I think what needs to be defined are those
unreasonable and reasonable uses of data. Again many on the
committee have said we use data, we give our data to certain
apps or to certain programs to help us every day. Is that data
being used for those purposes? Are there harmful uses of data?
I think the absolute answer is yes. Are there guardrails we can
put around it, more self-regulation, more partnership, yes.
Mr. Lujan. Madam Chair, just as my time has expired and I
thank you for the latitude here, it just seems that we wouldn't
be here today if, in fact, there was an effort to concern and
care versus just compliance. And I think that is what we are
looking for is how can we work on this collectively and
together such that we get to that point. So I appreciate that
time. Thank you, Madam Chair.
Ms. Schakowsky. I recognize for 5 minutes Congressman
Bucshon.
Mr. Bucshon. Thank you, Madam Chairwoman.
I was a healthcare provider before, and health information
is some of the most sensitive information that is out there and
it is also some of the most valuable. So I hope that whatever
we do here in Congress specifically addresses health
information because it is really critical and important.
As you may have heard, last week it was revealed that
Google's Nest Guard home security device had a microphone
inside the device that consumers did not know about and it was
not disclosed. As I have discussed in prior hearings on data
privacy including with Mr. Zuckerberg, I am concerned about the
inappropriate collection of audio data. And it seems that
everyone denies that that happens, but I think everyone knows
that it probably does.
So Ms. Zheng, can you expand on how the right to privacy
would play into this type of practice and how we would deal
with that?
Ms. Zheng. Thank you for that question, Congressman. When
it comes to audio data if it is personally identifiable
information or personal information and falls within the scope
of a privacy, you know, a new privacy bill, I certainly believe
that transparency, control, access, the right to correct it,
the right to delete it, should be rights the consumer should
have including for audio data.
Mr. Bucshon. Because that is going to be important because
if we exclude things that you actually type on the internet but
we don't have things in privacy where if you are talking your
phone picks it up and sends a keyword to someone and they
advertise based on that, then we are missing the boat on that.
I want to prevent collection of data without consumers'
knowledge and audio data would be there.
And, Dr. Layton, do current laws cover this type of
omission from Google about a microphone? And second, if we
decide to grant additional authority to the FTC, would you have
any suggestions on how the FTC may play a role on addressing
intrusive data collection policies including audio data without
harming innovation?
Dr. Layton. Thank you, Congressman. I think it is excellent
that you raised the point when you use various devices in your
home, Alexa home and so on, you are having conversations with
your family members. And I think law enforcement has actually
used some of that data in some cases and with good purposes for
it, actually. In terms of the Federal Trade Commission, they
are engaged in this process now. I don't know if audio is a
specific part of their inquiry. I would have to get back to you
on that.
Mr. Bucshon. OK.
Dr. Layton. I can't recall at this moment. But I don't see
from a technical perspective why audio would be different
because it would be recorded as the same data. Even though you
are speaking it, it would be transcribed into a data file, so.
Mr. Bucshon. OK. The other thing I want to quickly say, and
then I have a question for Mr. Grimaldi, is that also we need
to address hardware as part of this. Not just an app but
hardware, because data, location data is really important. And
there was a local news media here in town who turned off their
phone and did everything they could except take the battery
out. Went all over the city of DC and then went back, plugged
it in, and all the metadata everywhere they were was recorded,
and as soon as they turned that phone on it all went out to the
internet. So hopefully anything we do on privacy also includes
hardware, not just apps, not just software. That would be
important.
So, Mr. Grimaldi, in your testimony you highlight that
data-driven advertising has helped power the growth of the
internet by delivering innovative tools and services to
consumers. Many constituents including myself, and I am going
along the audio theme here, have concerns about how
conversations when not directly using an app, device, or other
electronic device appear in a later online ad based on keywords
in the conversation. Can you help me understand how this is
happening?
Mr. Grimaldi. Sure. There is--and also I think it is
important to understand the difference between personal data
and synonymized data. And that is if you were using, if you
were in your conversation using words that were flagged that
weren't, you know, Congressman Bucshon, but they were an
individual who was into hunting or was into automotive, cars,
you name it, sports, that data could be tagged for you and used
to serve you better targeted ads.
Mr. Bucshon. Can I just interrupt for a second? So I was
having a conversation with my communications director, this
happened about a month ago, talking about a certain subject and
the next day he got ads on his computer specifically about that
particular subject. We happened to be talking about tennis
because he is a tennis instructor, but nonetheless. So
continue.
Mr. Grimaldi. Right. And without intimate knowledge of how
that hardware is constructed, if I were to take that as an
example of just your web browsing those sorts of things could
be flagged in order to serve you ads that are not generic, that
are more tailored to your interests and done in a way that
again the word ``synonymized,'' meaning you are put into a
category rather than your name, your address, your Social
Security Number, but just your likes and dislikes. And then
that enters a marketplace behind the web where that information
is used to serve you better ads without linking you personally
to your information, your intimate information. It is another
piece of that reasonable and unreasonable construct we are
talking about.
Mr. Bucshon. OK. My time has expired, but I want to make
sure that whatever we do here in this committee it includes
audio data and also considers location data based on hardware
within a device. Thank you very much. I yield back.
Ms. Schakowsky. I recognize Congresswoman Rochester.
Ms. Blunt Rochester. Thank you, Madam Chairwoman. And thank
you so much for setting the tone of this hearing and this is a
vitally important topic for Delawareans but also for our
Nation, and I want to thank the panel as well.
You know, more and more in our daily activities they
involve the use of the internet. Many of us pay our bills,
shop, play games, and keep in contact with friends and
relatives through websites or online applications. However,
with all of these activities taking place online, websites are
amassing more and more personal information. This presents
serious privacy concerns.
Large-scale data breaches are becoming more common and
consumers have a right to know what is being collected, how it
is being used, and should be notified when a breach has
occurred. Most of you on the panel today have discussed the
need to give consumers more control over their own information,
to get more control over their own information and should it
be, you know, how it should be collected and how it should be
used.
And I want to drill down just a little bit deeper on that
and ask Ms. Zheng, the Business Roundtable's privacy framework
promotes the idea of giving the right to access the correct,
and correct inaccuracies in the information collected about
them. So can you talk a little bit about what you mean by
information collected about them and does that just refer to
data points collected or does it also include any inferences
made based on that data?
Ms. Zheng. Congressman, that is a good question and it is a
very specific and detailed question that to be honest with you
we still need to discuss within our membership. Right now as we
drafted our proposal, our framework, the right to access,
correct, and delete your data does apply to your actual
personal data. So, but to answer your further question I would
need to follow up with you.
Ms. Blunt Rochester. And I am going to ask a few other
people questions around this as well. I mean I think a lot of
us are familiar with, you know, the story of the individual at
Target who got the coupons, came to the father's house for a
pregnant teen, and again it was inferences.
And so I want to ask Ms. Collins-Dexter, what are your
thoughts on access and correction and should consumers be able
to see and correct inaccurate inferences made about them? And I
want to start with you.
Ms. Collins-Dexter. Yes, absolutely. We think that people
should, similar to a credit report, have an opportunity to
challenge and correct information. One of the things that we
have even seen with some of our work around voting records and
purges that have happened across the country is that there is a
lot of data collected and based on like inaccurate names or
misspelled names that allow for voters to be purged from files
across the country.
I think, you know, as we think about all of the various
data points and all of the mistakes that happen, again we are
finding the people that tend to be most impacted are low-income
communities of people of color, people who aren't able to
actively challenge and correct the record on themselves. So I
would say it is extremely important on a number of different
fronts that we are allowed to do that and any privacy
legislation should allow for that.
Ms. Blunt Rochester. Thank you.
And, Mr. Grimaldi, you didn't really talk about consumers'
right to access and correct information collected in your
testimony, but how do you think giving those rights to
consumers would affect your member companies?
Mr. Grimaldi. Thanks, Congresswoman. To echo what some of
my co-panelists have said, consumers have a right to delete
their data and I think there are things to explore with those
rights. There are obviously fraud, misuse, other components
that could negatively affect either a consumer's online
experience or their just life experience, and we are seeing
that contemplated in Europe and we are seeing that contemplated
in California. There are problems though I would point out that
could come about when consumers request their data to be
deleted and the authentication of those consumers requesting
it.
One of the major pitfalls that we are currently working on
with the California law is if somebody could have their data
deleted, how do they authenticate themselves to make sure it is
them? If somebody can request their data, how do we know it is
them and it is not somebody stalking them or somebody meaning
to do them harm. Those are really important questions.
Ms. Blunt Rochester. You know, I want to kind of close out
my comment by just saying that why this is so important is
because I think a lot of people do feel that it is a fait
accompli. This is the world that we now live in. And that is
really what the role of Congress is, is to make sure consumer
protection going back to what our chairwoman said. Thank you so
much. My time has expired.
Ms. Schakowsky. I now recognize for 5 minutes Congressman
Carter.
Mr. Carter. Thank you very much, Madam Chair, and thank
you, all of you for being here. This is an extremely important
subject and we want to do the right thing, so that is why we
got you here. You are the experts. You are the ones we want to
learn from and hopefully build upon.
Dr. Layton, I want to start with you. First of all,
earlier, one of my colleagues mentioned the WHOIS database. Can
you explain that very briefly what that is exactly?
Dr. Layton. Well, I just use the address book for the
internet, you know, those who registering the names that they
have to disclose who they are.
Mr. Carter. Well, it is clear through your testimony as
well as your background that you have a good grasp of GDPR and
the impact that this had. It is my understanding that the
WHOIS, or ICANN is the governing agency over WHOIS, that they
have actually run into problems with this and they have
actually said that they are not going to be collecting that
data anymore?
Dr. Layton. So, no. They have actually for some, for quite
a long, at least a year they have been trying to work with the
officials in the European Union to highlight to them the
problems and to find a resolution. And the pressure from the,
you know, extreme privacy advocates in the European Union are
not letting them come to a resolution. So as I understand
today, I don't have the most up-to-date, but I think there is
an impasse right now because it is not resolved. So the
information is not available.
Mr. Carter. Well, this is the kind of thing that we want to
learn from. I mean we don't want to make the same kind of
mistake that obviously they have made and because it is my
understanding that WHOIS data is very important particularly to
law enforcement. Has that been your experience?
Dr. Layton. Yes. Well, absolutely. I mean it is a major
issue for law enforcement, intellectual property rights holder,
you know, people in the public who may need to do research and
so on. I think the lesson learned here is, you know, we have
heard before the way to hell is paved with good intentions. I
think everyone has had good intentions and they have
overreached. They went too far. They didn't have a process to
test the various provisions. Everybody got to tack on what they
thought made sense and then they just bring it over the finish
line and we have to live with it.
Mr. Carter. What do you think we could learn from that? I
mean how could we make it better?
Dr. Layton. Well, at least one of the things I would say in
terms of how we are ahead in this respect, in the United States
we have a transparent policy process. When we are submitting
anything to the Federal Trade Commission, as part of what they
are doing you have to disclose your name, who you are, you are
conducting this hearing today.
The policy process now in the EU because of this rule means
you can mask your identity. So you can submit into a regulatory
hearing, you don't have to say your name. You don't have to say
who you are, for privacy reasons. So what I would encourage
Congress to do is keep with our tradition for the public's
right to know, to continue in this vein as you are having the
hearings today, and to, you know, to take these steps to look
at where it hasn't worked and to not make the same mistakes.
Mr. Carter. Let me move on. Earlier we talked about market
share particularly as some of the companies have grown in
market share and at the expense of others as a result of the
GDPR. What is the primary reason for the change in market share
for some of these companies?
Dr. Layton. So, well, in many respects there are, it is
because a number of firms have exited the market. They have
decided they are no longer going to operate, so in many
respects that the advertising market has shrunk in the sense
that there are fewer properties on which to conduct advertising
that would be one thing. The other issue is that when those
other smaller players leave it just means that people visit the
larger players more.
Mr. Carter. Has this had an impact, obviously it has had an
impact on the exports to Europe of various content and digital
goods?
Dr. Layton. Right. Well, so for me when I am sitting in my
office in Copenhagen and I try to go to Chicago Tribune, I
cannot open it. I just see a white page that says, ``Sorry, we
are not delivering our content.'' And, you know, that is
unfortunate for me, I can't see the information. It is too bad
for the advertiser, they can't put the advertisement on the
page. It is sad for the 1 million Americans that live in the
EU.
Mr. Carter. I was about to say it obviously has an impact
on them, and they are not able to get the information.
Dr. Layton. Right. So, but I think as Mr. Grimaldi, he
pointed it out very well and I think his testimony makes it
very clear it is not that they don't want to do it, but it
costs too much money and there is a regulatory uncertainty. The
legal risk is so high because it is not just--it is so new,
this rule, so we don't know how they will be interpreted and it
is a whole value chain that all of the partners who might be
working with Chicago Tribune or whomever may also be liable. So
they don't want to take the risk.
Mr. Carter. Well, again I want to thank all of you for
being here. I think there are important lessons that we can
learn from the experiences about the European Union as well as
what we are trying to do in California. Obviously what we don't
need is 50 different sets of rules governing. We need one set
of rules here in America.
And hopefully, and I have always said I don't want to
stifle innovation so that is one thing I hope we keep in mind
in this committee as we move forward. Thank you, Madam Chair,
and I yield back.
Ms. Schakowsky. Thank you. And now I welcome the vice chair
of this committee, Mr. Cardenas.
Mr. Cardenas. Thank you very much, Madam Chair, and thank
you for holding this very important matter before the public.
And to the ranking member as well, thank you.
Ms. O'Connor, would you like to shed maybe a little bit of
light on the dialogue that we just witnessed over the last 3 or
4 minutes about the EU and maybe the mistakes they made and
things that we could learn and the cross reference between
innovation and privacy?
Ms. O'Connor. Thank you so much, sir. I think it is fairly
certain that we in the United States will pass a United States
law that reflects our values and our cultural traditions and
our unique opportunity here as the birthplace of Silicon
Valley. But I think there are also our shared values, values of
respect and dignity, values of customer trust that our
companies, our U.S.-bred companies can certainly adhere to.
I think privacy and security are a form of corporate social
responsibility in the digital age and are essential to doing
business in a thriving U.S. economy and around the world. Yes,
it is important to get to a Federal standard, but it is
important that that standard be strong and be understandable by
small, medium, and large enterprises in the United States and,
most importantly, be one that customers can trust, that
consumers and citizens of this country can have certainty that
their information is being treated fairly, that they are not
being discriminated against, and that they understand the
consequences of the bargains that they strike with companies.
Mr. Cardenas. Well, one thing that I enjoy the most is
being able to go back to my district and I am blessed that my
two grandchildren live in my district, so I can drive 5
minutes, jump on the carpet and roll around with them and play
with them and know that when they grab a toy--like my 6-month-
old, she is at that age where everything goes in her mouth--
know that consumer protection is something that we take for
granted in this country. We didn't do that back in the day
maybe decades ago, but at least today I know that there is a
99.999 percent chance that that toy is not going to hurt my
little granddaughter.
Speaking of children, under the CCPA businesses are
supposed to provide an opt-in mechanism for children 16 and
under to allow companies to sell their personal information as
defined by the CCPA. How do they know whether the children are
16 and under, under any system?
Ms. O'Connor. Well, that is such a great point because it
requires more authentication and more knowledge in order to
know who your consumer is. I think you have identified one of
the very compelling gaps in our coverage right now, the above
COPPA but below majority age group in our country. I have
several of those people living in my house right now and they
are a challenging age on the internet to say the least. And it
certainly bears consideration of what we should do going
forward to consider whether COPPA is working adequately and
what to do with that in-between age group.
Mr. Cardenas. What is the mechanism to get parental consent
for children under 13?
Ms. O'Connor. It is somewhat complicated and requires
several steps of the parent self-authenticating and providing
phone numbers or email addresses or the like. I seem to do this
every single day on my computer for my youngest child. But it
still is fraught with some peril that the child may be
providing inaccurate information or that the data may be used
in a way that is unanticipated by the parent or the child.
Mr. Cardenas. Under the Federal law COPPA companies must
obtain parental consent before collecting personal information
online from children under the age of 13. How do companies
verify parental consent and how does the FTC enforce this?
Ms. O'Connor. The parent often has to respond to an email
verifying that they are the parent or that they have
authorization. The FTC has taken some cases and I think there
is concern in the marketplace about whether the enforcement
mechanisms have really fully grasped the complexity of the
issue both in the online world and as you point out in the
Internet of Things world.
Mr. Cardenas. What seems to be the logic or the history on
the difference between a 12-year-old and a 13-year-old, and why
is that the cutoff point?
Ms. O'Connor. I am sorry. I can't speak to the legislative
history on why that number. It certainly is one that bears a
relevance in a number of cultural traditions. But I think we
all know that one 13-year-old is not the same as another in
many households and there is a large age group between again 13
and 18 that we should be thinking about as well.
Mr. Cardenas. How do we expect a 13-year-old to do, wade
through this without parental consent or somebody, an adult
helping them?
Ms. O'Connor. I totally agree. I think kids, teenagers, and
grownups in this country deserve greater supports and
protections around their personal data online and off.
Mr. Cardenas. I think it would be naive for us to believe
that there isn't a motivation out there with the largest
corporations in the world and getting more dominant and larger
for them not to look at our children as consumers. If you look
at the bandwidth of a consumer power of a teenager and a 20-
some-year-old and a 30-some-year-old, et cetera, there is
tremendous motivation for individuals to abuse the information
of our children. And I think it is important that--thank you
for the confidence that you gave that you believe that Congress
is actually going to pass something. I hope that we do. Thank
you for that confidence. I yield back.
Ms. Schakowsky. And now I yield 5 minutes to Mr. Gianforte.
Mr. Gianforte. Thank you. And, first, I would like to thank
the chairwoman and ranking member for welcoming me to this
committee. Thank you. I look forward to serving and I am
encouraged by the conversation today. I think there is some
good bipartisan common ground here to find solutions.
The internet has removed geographic barriers from many our
rural areas that previously prevented small companies in rural
towns from competing globally. Concerns about data misuse are
warranted, but creating an overburdensome regulatory
environment would have devastating effects for this coming new
prosperity we are seeing in rural America.
I think we all agree and we have heard it in the testimony
today that consumer data must be secured and that we need more
transparency and accountability in all of our practices and we
need a national standard. Our job is to find a balance between
these overly prescriptive laws like GDPR and versus a patchwork
of 50 different laws in different States. Trying to comply with
either would devastate small businesses. We have heard that in
the testimony today, while increasing market share for some of
the largest companies we see and this is what has caused the
concern.
The burdensome top down approach taken by GDPR can stifle
innovation and lead to less information simply because it is
too costly to comply. It is imperative then we adopt one
national standard and that clearly defines the responsibilities
of consumers and businesses and I think we have unanimity on
the panel today, so I appreciate that. Consumer concerns over
their data can be attributed back to a lack of transparency and
misunderstanding of how their information is being collected
and used. Bad actors should be punished. We have seen many of
them pursued by the FTC and also through the loss of consumer
confidence.
The market tends to enter in here. In our internet business
my wife and I started in our home, over 15 years it grew to one
of the top 100 websites in the world. We had about 8 million
consumers a day and we were entrusted with the data for nearly
2,000 organizations around the world. Protecting customer data
was paramount in our business. We knew that the safety of our
customers' data which we protected in the cloud was the key to
continued viability of our business. The stakes and the
consequences could not have been higher. We had to protect our
customer data or face going out of business. It is difficult to
regulate a dynamic industry and hastily rushing to draft
legislation could have more unintended consequences than
solutions. We have seen that in GDPR and in the California
regs. As debate over consumer protection continues we should
pursue one national standard that increases transparency and
accountability while protecting small business and innovation.
I have a couple of questions. Dr. Layton, with all of this
in mind and in light of the light regulatory touch we have
taken in the U.S., historically, can you please discuss what
you believe are the best way to guard against entrenching
larger companies and disadvantaging smaller business?
Dr. Layton. Well, in two words, permissionless innovation.
I mean, I think that that has been one of the most important
things about our economy, was that we allowed companies to try.
Just as you, yourself, you didn't have to--I doubt that you
went to Washington and said, ``May I try this website?'' and
you just got going.
Mr. Gianforte. Yes. OK, thank you.
And, Mr. Grimaldi, we heard from Ms. O'Connor and her
litany of 260 applications--very impressive--and the
intractability of complying with them all. And in your
testimony I thought it was very helpful you recommended moving
from these disclosures and checkboxes to prohibited practices.
Can you give us a couple of examples of prohibited practices
that you would put on that list if we were to draft legislation
with that approach?
Mr. Grimaldi. Sure. Thank you, Congressman. I think Ms.
Collins-Dexter has an unbelievable list in her testimony.
Eligibility, improper targeting because of eligibility, and
discrimination, the use of sensitive information which would
need to be defined, we have spoken a lot about it today that
consumers don't anticipate and would never want to share and
would never want to be used. I would say even if it is
synonymized and not linked to their personal data along the
lines of healthcare providers or addresses, et cetera. I think
that is all important.
Mr. Gianforte. Do we need to differentiate between the
types of data that is being collected and how would you suggest
we do that?
Mr. Grimaldi. Absolutely. I think that is--again, Europe
should not dictate what our national law should be. I don't
think one State should either. I think this body and the Senate
is the best representation of what consumer sentiment is around
these issues. My industry needs trust or else we don't have
people logging on to our websites, we don't have people
clicking on our ads. The whole internet economy is built on
that. These are the things, these are the important
conversations.
Mr. Gianforte. OK, thank you. I want to thank the panel for
your testimony today. It is very helpful. And with that I yield
back.
Ms. Schakowsky. And now a belated happy birthday, and I
call for 5 minutes on Mr. Soto.
Mr. Soto. Thank you, Madam Chairwoman. I believe most
Americans have a basic understanding that their personal data
is being used, but there are certain expectations of privacy
that I think are reasonable for users to be able to have
throughout the United States that their personal data be kept
secure and not be stolen in a cyber breach, that their health
data be protected so that it couldn't just be acquired without
their permission, or that we avoid a society where government
monitors all of our data in some Big Brother-type of situation
that we are seeing now in China and in Russia.
You know, we have heard some complaints about States
getting involved in this and the Supreme Court has gotten
involved in it, which I will get into in a second. Really, the
internet is a part of interstate commerce, but it is this
committee's lack of action in legislating that has created this
vacuum for States to act.
First, I want to just point out that the Supreme Court has
already stated we some right to privacy for our personal data.
In the recent Carpenter v. United States case, they at least
applied the Fourth Amendment to say that government cannot get
personal data from our cell phones without a warrant and I
wouldn't be surprised by a 5-4 majority or more that that is
extended to other rights. So the Supreme Court is already
acting. States have already stepped up.
There has been a lot of talk, first, about a duty of care.
That has mostly been in the purview of academia, but it is
something that we ought to consider, cybersecurity protections,
proper use of data consistent with disclosures, and handling
requests and complaints for use of data. A second big issue we
saw Delaware tackle with requiring privacy policies to be
conspicuously available on websites. I don't think that is much
to ask since we have that for a lot of contracts.
And then, thirdly, is really sort of the big question on
privacy in general. California passed the Consumer Privacy Act
of 2018 where there is a right to request businesses to
disclose data collected, right to request businesses delete
personal information, and then a right to opt-out without being
discriminated against. And I think that is the multitrillion-
dollar question in the room today and that is where I want to
start by asking our panel.
Starting with Ms. O'Connor, do you think that you should be
able to opt out of these sites' ability to collect data without
being discriminated against, basically denied use of service?
Ms. O'Connor. Certainly. And as I mentioned before, there
is a primary purpose and a primary data collection for the
transaction. So to send me the book or the yellow sweater you
have to know my address, but I do think individual consumers
deserve more, not only agency but control over their data and
the data lifecycle to access, correct, and delete data if they
want to as well.
Mr. Soto. Thank you for your input.
And, Ms. Collins-Dexter, do you think you should be able to
opt out without discrimination?
Ms. Collins-Dexter. Yes. I think opt-in forces--well,
rather, I think when you set an opt-in framework it forces
companies to make the case for why data is needed for desired
use and why consumers should consent to that. I think, however,
even in an opt-in framework, I think as we have heard examples
over the day, companies will do all sorts of tricky things to
get consumers to consent to things that they want to do.
And so I think legislation has to really move beyond a
choice framework and really focus on prohibiting harmful use of
data, establishing baseline norms and obligations such as data
minimization and purpose limitation.
Mr. Soto. Thank you.
And turning to innovation on this aspect, Ms. Zheng, do you
think it would be a viable alternative that people can charge a
user fee should they want to opt out of data collection? Would
that still embrace the kind of innovation that you have been
talking about?
Ms. Zheng. Thank you for that question. I think if the
companies choose to do that or choose to adopt that approach
that would make sense, but I am not sure that mandating it in
statute would make any sense. It would certainly hurt
innovation.
Mr. Soto. And, Mr. Grimaldi, on this sort of choice should
you be able to opt out without discrimination or would it be
appropriate to potentially charge the user fee in the
alternative or deny a service altogether?
Mr. Grimaldi. Thanks, Congressman Soto, a couple things. We
see that not in terms of data for shopping data, for other use,
but we see that in terms of just the value of exchange on if
you want to access a certain subscription website and view
their content you have to pay a fee. That is that value
exchange.
To your question of should you be able to opt out and not
receive those services, I think that is another thing that
needs serious contemplation, because I don't think a one-fits-
all approach would work here, just in terms of that being a
defined right and the massive disruption that could cause to
websites large, small, Google, Amazon, a small yogurt shop. If
you opt out of giving your data, can those companies survive?
Are they monetizing it in a way that a consumer knows about
that, has that policy in their face, or the opt-out mechanism
in their face? We supply that, as I mentioned earlier, via a
large multistakeholder regime.
So there are tools out there. Could they be stronger? I
think that is a great question.
Mr. Soto. Thanks. My time has expired.
Ms. Schakowsky. Now I am happy to yield to Congresswoman
Matsui.
Ms. Matsui. Thank you very much, Madam Chair. And I want to
thank the panel for being here today. This has been a very
enlightening discussion. And I just want to make a comment
about the elephant in the room, although I don't really regard
it that way. As you can tell I am from California and there has
been a lot of comment about the California law.
But may I just say about California there has not been much
action on the Federal front, we all know that. And California
being California with its myriad of businesses both big and
small and its diversity, we have rural areas, urban areas, and
suburban areas and it is not something that--we are not a small
State, we have a myriad of opinions. And we are also a very
innovative State, the home of many of the large companies that
actually testified last spring.
So I just will tell you this. There are ways that I know
Mr. Grimaldi saying he is already working with the State of
California, I think that is really very important, but I must
say also that it is something to be considered that it is a
State that is large enough to really be able enact a law but
also to bring in many of the stakeholders too. So that is my
piece on California.
I want to talk about advertising. Advertising supported
models generate revenue through user provided data. Many
platforms have broad statements that claim what is yours is
yours, you own your content. I appreciate that. But I want to
understand more about that. To me that means users ought to
have some say about if, how, and when it is used.
But online platforms have an evolving set of rules for how
partners can interact with the user content and how the
platform may modify or adapt this content as it is distributed.
The hearings this committee has held demonstrate that the real
crux of the issue is how content is used and modified to
develop assumptions and inferences about users to better target
ads to the individual.
I want to ask, how should a Federal privacy law ensure
consumers have a meaningful say about how their data is used
even when that data has modified use to develop inferences
supplemented by additional data or otherwise? And I will start
with you, Ms. O'Connor.
Ms. O'Connor. Thank you so much for that question. We would
believe that there should be limitations on the secondary use
of data that you have provided for a particular service and
obviously transparency around the operations of the company and
their intended use. I think your question gets to the heart of
the matter, which is that individuals do not want to be
discriminated online or offline and they want to know how the
decisions that are being made about them are affecting their
daily lives.
So we would absolutely want to look at issues of
discrimination again in the online-offline world based on the
data that is collected and allow the individual greater agency
and control over that data.
Ms. Matsui. Thank you.
Now it has been noted that advertising is less concerned
with identifying the individual, per se, than with the activity
of the users to predict and infer consumer behavior. But I
wonder if that is becoming a distinction without a difference
even when user content isn't associated with that user's name,
precise information can and is gathered through metadata
associated with messages or tweets. For instance, online
platforms often are offered geospatial metadata that they
provide by parsing messages for location names of interest
including nicknames. This metadata could then be associated
with other publicly available social media data to re-identify
individuals.
Ms. O'Connor or Mr. Grimaldi, so even though advertising
itself may not be considered with identifying the individual in
the context of the Federal privacy law, how do we ensure data
is not being used by others to do so?
Mr. Grimaldi, first.
Mr. Grimaldi. Sure. Thank you, Ms. Matsui. And I think that
those are very important questions that a potential, new,
strong oversight regime would contemplate. A number of folks
have mentioned the Federal Trade Commission. They have brought
500 cases or more on issues around these types. And while they
are incredibly capable and very strong, they don't have the
resources right now, I think, that would allow them to play a
role in a massive part of the American economy.
So I think that that is up for discussion as to whether or
not a new paradigm, the one that we are contemplating could
bring new oversight and new enforcement and that is part of
what we are discussing now. A moment ago I think it was Mr.
Soto or Mr. Cardenas mentioned the jurisprudence in the past
around these issues. And I think it would--I was a staffer on
this committee when long after the 1996 act was passed and
there was much discussion about why that was never updated, why
there was never momentum behind that to update it. And I think
it is because getting in the way of innovation and getting in
the way of consumers enjoying what they want and the services
they are provided is a sticky thing. But in terms of more
oversight and new powers to protect consumers, I think we are
at a place right now where we need to seriously think about
that and make it happen.
Ms. Matsui. OK, thank you. I am out of time. I yield back.
Ms. Schakowsky. And next, also from California, Congressman
McNerney.
Mr. McNerney. There is a lot of us from California. Thank
you.
Ms. Matsui. Big State.
Mr. McNerney. Thank you. I want to thank the witnesses for
your perspectives on this. It is an important subject and it is
complicated. It is not something you can get your hands around
easily, so thank you very much.
My first question goes to all the witnesses and please just
answer yes or no. Is it important that any law that we draft be
able to adapt to technological innovation and advancements over
time? Starting with Ms. Collins.
Ms. Collins-Dexter. Yes.
Dr. Layton. Yes.
Ms. Zheng. Absolutely, yes.
Mr. Grimaldi. Yes.
Ms. O'Connor. Yes.
Mr. McNerney. Unanimous. Well, that makes my point.
In order for comprehensive privacy laws created by this
slow-moving Congress to meet the current challenges and to be
able to adopt the new circumstances, I believe it is critical
that we give the FTC APA rulemaking authority for privacy and
data security. I have called for this over time and I expect to
see that in our policy.
My next question will go to Ms. Collins-Dexter. When
Facebook CEO testified before this committee I asked him if I
could download all of my data that Facebook had and he said an
unqualified yes. And then later in the hearing after being
advised by his staff that that wasn't correct he corrected his
statement. Now, Ms. Collins-Dexter, if a CEO of a major company
that deals in data, that is their business, isn't sure what
data they make available to its users, can we have any
confidence at all that these companies will actually make their
data available to users when requested?
Ms. Collins-Dexter. No, we can't.
Mr. McNerney. Well, good. And clearly it is important that
the comprehensive data privacy legislation grant consumers the
right to access their data and to correct it if it is wrong.
You are not raising your hand to make a statement, I don't
think.
Dr. Layton. No, I agree.
Mr. McNerney. Thank you.
Again Ms. Collins-Dexter, can you explain the risks that
location tracking poses for low-income Americans like so many
of my constituents?
Ms. Collins-Dexter. Yes. I also, if I may, want to sort of
take us back again. I think there has been like a lot of
conversation around patchwork legislation. And while I think
there is certainly issues with GDPR, there is improvements to
be made with California legislation.
I think one thing that I think came up in the testimony
with Mark Zuckerberg that I think we should identify as really
part of the issue of coming here is really an issue around tech
monopolies and how they are consolidating power. And so I
really think that it is important for us to maintain that even
as we are looking at the ways in which they are collecting
innocuous data points such as geolocation in order to ascertain
things around race and come and use that as an opportunity to
use predatory payday advertising, junk food marketing, and all
sorts of sort of harmful advertising targeted at communities in
different locations.
Mr. McNerney. Thanks for that comment. Well, I think it is
important that we limit the use of data location information
and that is something that I will be working with Members
across the aisle on.
Again Ms. Collins-Dexter, in your written testimony you
mention that algorithms work as kind of a black box to drive
exclusionary practices and you need to raise, need to ensure
that fairness in automated decisions. What do you think are
some of the challenges that companies face in this today?
Ms. Collins-Dexter. Yes. I think part of what we are
looking at or thinking about is this proposition of kind of
garbage in-garbage out, right. And so I think there is a lot of
presumptions that algorithms can't be biased or that tech is
neutral. And what we find is history, a long, you know, history
of systemic inequities are actually being and put in from data
points and then replicating models of discrimination free from
accountability.
And so I think, you know, one of the things that we want to
look at is kind of the algorithm, distribution of
advertisements related explicitly to education, employment, and
housing opportunities, algorithmic distribution of political
advertisements in communications, and algorithmic
determinations of product prices and same-day shipping. These
are examples of some of the things in which I think we need to
see more intelligence and information on.
Mr. McNerney. Thank you.
Finally, Ms. O'Connor, I am worried about data security as
well as data privacy. Would you agree with that?
Ms. O'Connor. Yes, sir.
Mr. McNerney. What is the relationship between privacy and
security?
Ms. O'Connor. They are inexplicably linked. They are two
sides of the same coin. In our draft proposal we copy some of
Congresswoman Schakowsky's language about thresholds and best
practices and it is an essential part of a privacy program for
any company large or small.
Mr. McNerney. Thank you. And I just want to say I was
shocked by your earlier statement, Ms. Collins-Dexter, that
discriminatory technology is lucrative to identify ethnicity.
In other words it is a lucrative technology used nefariously.
Thank you. I yield back.
Ms. Schakowsky. And now Mr. O'Halleran for 5 minutes, you
are recognized.
Mr. O'Halleran. Thank you, Madam Chair. And I thank too the
witnesses also that are appearing before us today.
You know, I am all for a national policy, but it has to be
balanced. And it has to be balanced for the good of the people
of America and their privacy. We have to recognize that there
is, you know, not only are these changing times but the speed
at which technology is changing has to be taken into account. I
was a former investigator and I have to tell you, I would love
to be an investigator in these times because of the speed of
information that I could get that used to take me maybe a month
to get, I could get in minutes maybe.
So we have to be very concerned about these issues. And
this is a national dialogue on how to enhance the data privacy
of consumers. This is a debate that it is important not only to
the people in my district in Arizona, but the American people.
I have to kind of thank California and thank Europe for getting
us pushed. Do I agree with necessarily about what they want to
do? No. But do I think it has allowed us to be pushed in the
right direction in a timely fashion? Yes, we should have done
this much sooner.
As members of this committee across the aisle, we must take
seriously our duty to closely examine how to ensure consumer
privacy remains protected in today's increasingly connected
global economy.
Ms. Zheng, as you know my rural district in Arizona is home
to many small businesses who constantly strive to compete in a
modernizing economy and internet ecosystem. Under current law,
the Federal Trade Commission serves as the primary enforcer for
internet privacy as prescribed by the FTC Act. Taking into
consideration the FTC's mandate to combat unfair and disruptive
trade practices, deceptive trade practices against consumers,
what privacy framework do you see as striking the right balance
between protecting the rights of consumers and helping ensure
regulatory certainty for small businesses?
Ms. Zheng. Thank you for that question, Congressman. I
would note that in a number of laws as well as legislative
proposals, lawmakers have contemplated an exception for small
or medium-sized businesses. I assume that is something that
this body will also contemplate. You know, as the Business
Roundtable we do represent large American companies, but many
of our companies do business with small companies as their
clients or as their suppliers so we certainly care about the
well-being of the small business community.
I think, you know, there are different types of thresholds
you could look to in considering a possible small business
exception including potentially the number of records held or
the annual revenue. But I am not certain that the Business
Roundtable is really the best organization to pontificate on
what specifically that threshold ought to be.
Mr. O'Halleran. And probably the reason for my question is
because I want to see that there is a protection for businesses
across the entire spectrum, not just for those with large
business concerns.
Ms. O'Connor, in your testimony you state that existing
privacy regimes rely too heavily on the concept of notice and
consent which you state place an untenable burden on consumers.
As we all know, consumers often overlook the extremely dense
language--here I am--in user agreements and simply accept in
order to use internet applications and services.
Under any new consumer privacy statute how could privacy
notices be simplified for consumers whether they are
technologically experts or novices to better and more
meaningfully understand how their information is being stored,
used, and, if applicable, shared after accepting privacy
agreements? And I will say I believe the chairwoman was correct
in her stack, it is probably a much bigger stack. And we have
to design something that works for the American people. Please.
Ms. O'Connor. Thank you, sir. That is exactly right. The
number of hours and the number of words we would all have to
read on a daily or weekly or monthly basis to stay up-to-date
on the choices we are making online and off about how our data
flows are staggering and overwhelming to any busy consumer. I
think there should be things that are in bounds, again for the
furtherance of the transaction, so the primary purpose of the
deal.
There should be things that are simply out of bounds like
taking biometrics for purposes that are far afield from the
primary purpose of the transaction, and then you could limit
notices to that middle ground of things that are less clear but
that consumers might want that are related to the transactions
that they have at hand or their relationship with the company.
They definitely need to be shorter, clearer, and more to the
point. But notice and choice alone do not get us where we need
to go.
Mr. O'Halleran. Thank you, and I yield. Thank you, Madam
Chair.
Ms. Schakowsky. Now I am happy to yield to my colleague
from Illinois, Mr. Rush.
Mr. Rush. I certainly want to thank you, Madam Chair, and I
want to thank all the witnesses who have appeared before this
subcommittee today. I chaired this subcommittee back in 2007. I
introduced a data bill back in 2007, and we are still here
today discussing data and data security and a data bill. And I
hope that under this current chairman that we are able to
finally come up with a bipartisan bill and that will pass in
Congress and then the President will sign. I certainly look
forward to it and I have been pretty patient about it.
I reintroduced my data protection, data privacy bill, H.R.
1282, that had one provision that dealt with this specter of
data brokers. And I just wanted to know am I off-base, Ms.
Collins? Am I off-base trying to rein in this specter of data
brokers? How big is that problem and as it relates to
protection of consumers' data?
Ms. Collins-Dexter. Yes. I think that you are right to be
concerned. I think there is like so much work we have to do. I
think one of the things that I tried to articulate in my
comments I think is super important is that 50 years ago as a
country we made a sort of social, legislative, and legal
contract that is that certain things would no longer be
accepted in our society. Kids being turned away from
Woolworth's counter was not acceptable. People hanging signs
that said no Jews, dogs or blacks allowed were no longer
acceptable. And we didn't throw our hands up at that time and
say don't go to that restaurant, right. We took an ethical and
moral stance.
And not just that, it was about knowing that if we could
compete globally and thrive economically we had to ensure that
we had more taxpaying members of our community, more people
able to have opportunity and be economically mobile. And so
part of what we are looking at with this like privacy
legislation is basically looking at stopping Jim Crow online.
It is around simply bringing, you know, looking at our online
activities and ensuring that there is--that those same laws
that we created 50 years ago to prevent discrimination apply to
what we do online.
Mr. Rush. Thank you.
Ms. O'Connor, what should we do to regulate data brokers?
Ms. O'Connor. Thank you, sir. And I think underpinning so
many of the questions today is the issue of opaque or
surreptitious surveillance or data collection. And that is the
position again, and I just want to associate myself with Ms.
Collins-Dexter because she is so right that these are issues of
fairness, of transparency, of accountability, and of equality
for all Americans.
Data brokers really came up because of the Fair Housing Act
and the Equal Opportunity Act and the fundamentals of providing
fair credit to all Americans. They served at that time a
purpose. Right now the opaque and surreptitious behind-the-
scenes data collection by third parties that Americans do not
understand is fundamentally untenable going forward.
So, and I think the CEO of one of those companies is
actually directly across the hall right now, so maybe we could
go ask him some of these questions. But they do serve a
purpose. And to the previous comments, we need to reform, we
need transparency, and we need greater control and
accountability over these third parties.
Mr. Rush. In your testimony you discuss how the CDT's draft
legislation--well, I quote you, ``would direct the FTC to
promulgate rules addressing unfair advertising practices,
particularly those that result in unlawful discrimination in
violation of civil rights law.'' Describe for this committee
what should these rules look like?
Ms. O'Connor. There are good laws on the books as we all
know about unfair discrimination and what that looks like in
the offline world. However, intimate and immutable and real-
time decisions can be made about us in the online world even
prior to knowing who we are based on inferences, based on
patterns of surfing and habits. We would simply want to make
sure that each individual's world view is not prescribed and
limited by judgments that are made about them by companies that
they are not aware of. That a child in one part of the country
is not seeing ads for educational opportunities or a grownup is
not seeing credit opportunities that another person is being
served based on judgments companies are making about them
without their knowledge.
Mr. Rush. Thank you, Madam Chair. I yield back.
Ms. Schakowsky. Now it is my pleasure--last but not least--
to call on Representative Kelly, also from Illinois.
Ms. Kelly. Madam Chair, Illinois is holding it down for you
or with you. Thank you, Madam Chair, for holding this hearing
today.
As we have heard, repeated news stories about breaches and
data collection malpractice have shown that it is time for
Federal privacy legislation. As the founder of the Tech
Accountability Caucus, I want to follow up on the discussion of
use of limitations.
Ms. O'Connor, in your testimony you discuss two buckets of
use limitations, the first of which you refer to as unfair data
practices. The CDT draft legislation prohibits secondary uses
of certain sensitive data like biometric information and health
information. Can you clarify something for me? Other than the
specific exceptions listed, is it your intention in the draft
that these seven unfair categories are just not permitted?
Ms. O'Connor. That is correct, ma'am, that the secondary
use of those categories of data would not be permitted. Each
individual would have to enter into a separate contract or
agreement for a separate service or a separate device.
Ms. Kelly. I know we talked about during this hearing about
opting in and all of that, but a company cannot even seek opt-
in consent for their uses; is that correct?
Ms. O'Connor. It would have to be an entirely separate
transaction. That is right.
Ms. Kelly. OK. How did you decide the types of data that
necessitated the extra protections?
Ms. O'Connor. The Center for Democracy & Technology worked
over the last several years and we have stood for and been in
favor of omnibus Federal privacy legislation for the entire 25
years of CDT's existence. But we have re-energized this debate
internally and worked with academics across this country and
really around the world, business partners, other advocates in
civil society and looked at the research and the consumer
polling, the consumer research in this area, and that is where
we ended up with the list that we created.
Ms. Kelly. OK, thank you. And to the panel, are there
certain types of data that shouldn't be collected or used at
all? We can just run down from Ms. Collins-Dexter.
Ms. Collins-Dexter. Yes, I think there is certain pieces of
like personal identifying data, geolocation, things like that
that I think should not be collected and kept in use.
Ms. Kelly. Dr. Layton? Just your opinion, are they any
types of data that shouldn't be used at all or collected?
Ms. Zheng. Thank you, Congresswoman, for that question. I
think that the question deserves a little bit of nuance. What
we are talking about here is, is there data that deserves an
opt-in consent standard and I think the answer to that is
likely yes. For example, a precise geolocation data, the FTC's
current guidance right now is you acquire opt-in consent for
precise geolocation data.
What the Business Roundtable proposal recognizes is that
there are sensitive categories of data that do absolutely
deserve heightened protections and obligations including
potentially opt-in consent.
Ms. Kelly. Thank you.
Mr. Grimaldi. Congresswoman, I would chime in by saying in
order for the entire online ecosystem to work there has to be
data to render a website to provide services, et cetera. And so
in addition to some of the prohibited pieces that we have heard
today that we all agree on, how do we expand that list to
include other things in the marketplace that as my co-panelists
have mentioned are just getting such blowback or are just on
their face too personal, too off limits to be used by our
companies, by other companies, I think that is important. And
we need to make sure that the value that consumers are getting
from their online experience can still be reaped even as we
expand that list and we would love to work with you on that.
Dr. Layton. Congresswoman, I just wanted to come back. I
didn't want to take a position on this because I know, I
actually know of important health and academic studies that
under today's circumstances in the GDPR the data could not be
collected. But data that had been collected in the past has
been used today to make very important conclusions for health
questions. So I only urge--I just want to put a note of
caution, I understand that we have these concerns. But we don't
necessarily know in the future how the data may be available.
So I would tend to fall on the side of where we can
identify that it is sensitive and have a higher standard, but
not necessarily to outlaw it altogether. I am just concerned
about the future because I have seen these studies that, you
know, going forward we won't be able to do these important
health outcome studies in the EU.
Ms. Kelly. OK, thank you. Anything else? I will yield back
the balance of my time. Thank you.
Ms. Schakowsky. So, in closing, first let me request
unanimous consent to enter the following documents into the
record: 1) Public Citizen Framework for Privacy and Digital
Rights for All; 2) a letter from the Americans for Prosperity;
3) a letter from Computer and Communications Industry
Association; 4) a letter from the ACLU and 42 other civil
rights organizations; 5) a letter from Main Street Association;
6) a letter from Consumer Technology Association; 7) Engine
consumer privacy comments; 8) letter from Engine; 9) a letter
from American Bankers Association; 10) the NRF letter; 11) NRF
comments; 12) Electronic Transactions Association letter; 13)
21st Century Privacy Coalition letter; 14) ACA International
letter; 15) Representative Eshoo's opening statement for the
record. You can see the kind of broad spread interest.
I want to thank our ranking member, the staff that worked
so hard on all of this, thank you, and especially our witnesses
for your participation today in this very first hearing of the
session dealing with this issue of data privacy which is
clearly going to go forward. I encourage you to also keep in
touch as we move forward. We welcome your input.
I remind Members that pursuant to committee rules they have
10 business days to submit additional questions for the record
to be answered by the witnesses who have appeared. I ask each
witness to respond promptly to any such requests that you may
receive.
Oh, there is more. OK. So we will have a letter from the
American Action Forum to put in the record, a letter from the
Council for Citizens Against Government Waste, a letter from
consumer tech--oh, I see--a letter from the Coalition for
Secure Transparent Internet, a letter from R Street Institute,
a letter from United States Chamber of Commerce, a letter from
Digital Liberty, a letter from the Internet Association, DOJ
Cyber Digital Task Force, a letter from Google.
Is that it? There is more? OK, a lot of interest. OK.
Still, I had the Public Citizen, I think. But Public Citizen
Framework for Privacy and Digital Rights for All, the
Electronic Transaction Association letter, the letter from the
National Association of Mutual Insurance Companies, a letter
from Information Technology and Innovation Foundation, and
along with the others I ask unanimous consent to put these in
the record. So ordered.
[The information appears at the conclusion of the
hearing.]\1\
---------------------------------------------------------------------------
\1\ The Information Technology and Innovation Foundation letter has
been retained in committee files and also is available at https://
docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=108942.
---------------------------------------------------------------------------
Ms. Schakowsky. And now, I think, at this time the
subcommittee is adjourned.
[Whereupon, at 12:51 p.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
Prepared statement of Hon. Anna G. Eshoo
I thank Chairwoman Jan Schakowsky for holding today's
hearing and for allowing me to waive on to the Subcommittee on
Consumer Protection and Commerce for this hearing.
Three important events set the table for our debate about
online privacy. In March 2018, we learned that Cambridge
Analytica abused Facebook data to harm our democracy. In May
2018, the European Union's General Data Protection Regulation
went into effect. And in June 2018, then-Governor Jerry Brown
signed into law the California Consumer Privacy Act. These
three events have created the context within which I'm hopeful
that Congress may be able to pass privacy legislation to
protect all Americans. We should keep the lessons of each of
these events in mind as we debate any privacy legislation.
I have long called for protecting users' privacy online,
and I reiterate my commitment to ensuring Congress passes
strong and enforceable privacy legislation. However, not all
privacy proposals are equal. Strengthening disclosures and
simply expanding our ``notice and consent'' regime would be
woefully insufficient for protecting users' privacy. We must
shift the burden of privacy away from consumers who do not--and
could not possibly--read hundreds of privacy policies that each
run thousands of words long. A Federal law should require that
companies minimize collection of personal data, give users
access to and control of their data, eliminate problematic
types of third-party data exchange, and institute safeguards to
secure user data.
Further, too many people are calling for preemption when we
haven't even agreed on the contours of what the law should
include. As Congress debates national privacy standards, it
should take care not to undermine California's groundbreaking
privacy law. Instead, Congress should pass baseline privacy
protections that bring the same--or stronger--safeguards to all
Americans.
I represent much of Silicon Valley, and yes that includes
some of the large tech companies that are at the center of the
problems privacy legislation aims to solve. I also represent a
thriving startup ecosystem. In my district, Y Combinator, the
most successful startup accelerator in the world, has funded
nearly 2,000 startups since 2005. These startups should be seen
as part of the solution. Congress should consider proposals,
such as data portability, that support privacy by encouraging
competition.
Nearly every stakeholder is calling for a Federal privacy
law. I'm hopeful that now is the time we will be able to pass
something that truly protects Americans online.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
[all]