[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


 OVERSIGHT OF THE FEDERAL TRADE COMMISSION: STRENGTHENING PROTECTIONS 
                FOR AMERICANS' PRIVACY AND DATA SECURITY

=======================================================================

                                HEARING

                               BEFORE THE

            SUBCOMMITTEE ON CONSUMER PROTECTION AND COMMERCE

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 8, 2019

                               __________

                           Serial No. 116-31


      Printed for the use of the Committee on Energy and Commerce
      
 [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]     

                   govinfo.gov/committee/house-energy
                        energycommerce.house.gov
                        
                        
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
40-157 PDF                  WASHINGTON : 2021                     
          
--------------------------------------------------------------------------------------                        
                    COMMITTEE ON ENERGY AND COMMERCE

                     FRANK PALLONE, Jr., New Jersey
                                 Chairman
BOBBY L. RUSH, Illinois              GREG WALDEN, Oregon
ANNA G. ESHOO, California              Ranking Member
ELIOT L. ENGEL, New York             FRED UPTON, Michigan
DIANA DeGETTE, Colorado              JOHN SHIMKUS, Illinois
MIKE DOYLE, Pennsylvania             MICHAEL C. BURGESS, Texas
JAN SCHAKOWSKY, Illinois             STEVE SCALISE, Louisiana
G. K. BUTTERFIELD, North Carolina    ROBERT E. LATTA, Ohio
DORIS O. MATSUI, California          CATHY McMORRIS RODGERS, Washington
KATHY CASTOR, Florida                BRETT GUTHRIE, Kentucky
JOHN P. SARBANES, Maryland           PETE OLSON, Texas
JERRY McNERNEY, California           DAVID B. McKINLEY, West Virginia
PETER WELCH, Vermont                 ADAM KINZINGER, Illinois
BEN RAY LUJAN, New Mexico            H. MORGAN GRIFFITH, Virginia
PAUL TONKO, New York                 GUS M. BILIRAKIS, Florida
YVETTE D. CLARKE, New York, Vice     BILL JOHNSON, Ohio
    Chair                            BILLY LONG, Missouri
DAVID LOEBSACK, Iowa                 LARRY BUCSHON, Indiana
KURT SCHRADER, Oregon                BILL FLORES, Texas
JOSEPH P. KENNEDY III,               SUSAN W. BROOKS, Indiana
    Massachusetts                    MARKWAYNE MULLIN, Oklahoma
TONY CARDENAS, California            RICHARD HUDSON, North Carolina
RAUL RUIZ, California                TIM WALBERG, Michigan
SCOTT H. PETERS, California          EARL L. ``BUDDY'' CARTER, Georgia
DEBBIE DINGELL, Michigan             JEFF DUNCAN, South Carolina
MARC A. VEASEY, Texas                GREG GIANFORTE, Montana
ANN M. KUSTER, New Hampshire
ROBIN L. KELLY, Illinois
NANETTE DIAZ BARRAGAN, California
A. DONALD McEACHIN, Virginia
LISA BLUNT ROCHESTER, Delaware
DARREN SOTO, Florida
TOM O'HALLERAN, Arizona
                                 ------                                

                           Professional Staff

                   JEFFREY C. CARROLL, Staff Director
                TIFFANY GUARASCIO, Deputy Staff Director
                MIKE BLOOMQUIST, Minority Staff Director
            Subcommittee on Consumer Protection and Commerce

                        JAN SCHAKOWSKY, Illinois
                                Chairwoman
KATHY CASTOR, Florida                CATHY McMORRIS RODGERS, Washington
MARC A. VEASEY, Texas                  Ranking Member
ROBIN L. KELLY, Illinois             FRED UPTON, Michigan
TOM O'HALLERAN, Arizona              MICHAEL C. BURGESS, Texas
BEN RAY LUJAN, New Mexico            ROBERT E. LATTA, Ohio
TONY CARDENAS, California, Vice      BRETT GUTHRIE, Kentucky
    Chair                            LARRY BUCSHON, Indiana
LISA BLUNT ROCHESTER, Delaware       RICHARD HUDSON, North Carolina
DARREN SOTO, Florida                 EARL L. ``BUDDY'' CARTER, Georgia
BOBBY L. RUSH, Illinois              GREG GIANFORTE, Montana
DORIS O. MATSUI, California          GREG WALDEN, Oregon (ex officio)
JERRY McNERNEY, California
DEBBIE DINGELL, Michigan
FRANK PALLONE, Jr., New Jersey (ex 
    officio)
                             
                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Jan Schakowsky, a Representative in Congress from the State 
  of Illinois, opening statement.................................     1
    Prepared statement...........................................     2
Hon. Cathy McMorris Rodgers, a Representative in Congress from 
  the State of Washington, opening statement.....................     4
    Prepared statement...........................................     5
Hon. Frank Pallone, Jr., a Representative in Congress from the 
  State of New Jersey, opening statement.........................     6
    Prepared statement...........................................     8
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement......................................     9
    Prepared statement...........................................    11

                               Witnesses

Joseph J. Simons, Chairman, Federal Trade Commission.............    13
    Prepared statement \1\.......................................    15
    Answers to submitted questions...............................   107
Christine S. Wilson, Commissioner, Federal Trade Commission......    42
    Answers to submitted questions...............................   135
Rebecca Kelly Slaughter, Commissioner, Federal Trade Commission..    43
    Answers to submitted questions...............................   143
Noah Joshua Phillips, Commissioner, Federal Trade Commission.....    45
    Answers to submitted questions...............................   151
Rohit Chopra, Commissioner, Federal Trade Commission.............    46
    Answers to submitted questions...............................   169

                           Submitted Material

Letter of March 20, 2019, from Mr. Pallone and Ms. Schakowsky to 
  Joseph J. Simons, Chairman, Federal Trade Commission, submitted 
  by Ms. Schakowsky..............................................    85
Letter of April 1, 2019, from Joseph J. Simons, Chairman, Federal 
  Trade Commission, to Ms. Schakowsky, submitted by Ms. 
  Schakowsky.....................................................    88
Letter of October 26, 2018, from James L. Madara, Executive Vice 
  President and Chief Executive Officer, American Medical 
  Association, to Joseph J. Simons, Chairman, Federal Trade 
  Commission, submitted by Mr. Rush..............................    93
Letter of May 6, 2019, from Marc Rotenberg, President, and 
  Caitriona Fitzgerald, Policy Director, Electronic Privacy 
  Information Center, to Ms. Schakowsky and Mrs. Rodgers, \2\ 
  submitted by Ms. Schakowsky
Letter of May 8, 2019, from Richard Hunt, President and Chief 
  Executive Officer, Consumer Bankers Association, to Mr. Pallone 
  and Mr. Walden, submitted by Ms. Schakowsky....................    95

----------

\1\ Mr. Simons and the four FTC Commissioners submitted a joint 
prepared statement.
\2\ The letter has been retained in committee files and also is 
available at https://docs.house.gov/meetings/IF/IF17/20190508/109415/
HHRG-116-IF17-20190508-SD004.pdf.
Letter of May 8, 2019, from Michael Beckerman, President and 
  Chief Executive Officer, Internet Association, to Ms. 
  Schakowsky and Mrs. Rodgers, submitted by Ms. Schakowsky.......    99
Letter of May 7, 2019, from Brad Thaler, Vice President of 
  Legislative Affairs, National Association of Federally-Insured 
  Credit Unions, to Ms. Schakowsky and Mrs. Rodgers, submitted by 
  Ms. Schakowsky.................................................   101
Letter of May 8, 2019, from Tina Olson Grande, Healthcare 
  Leadership Council, on behalf of the Confidentiality Coalition, 
  Electronic Privacy Information Center, to Ms. Schakowsky and 
  Mrs. Rodgers, submitted by Ms. Schakowsky......................   103

 
 OVERSIGHT OF THE FEDERAL TRADE COMMISSION: STRENGTHENING PROTECTIONS 
                FOR AMERICANS' PRIVACY AND DATA SECURITY

                              ----------                              


                         WEDNESDAY, MAY 8, 2019

                  House of Representatives,
  Subcommittee on Consumer Protection and Commerce,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:30 a.m., in 
the John D. Dingell Room 2123, Rayburn Rayburn House Office 
Building, Hon. Jan Schakowsky (chairwoman of the subcommittee) 
presiding.
    Members present: Representatives Schakowsky, Castor, Kelly, 
O'Halleran, Lujan, Cardenas, Blunt Rochester, Soto, Rush, 
Matsui, McNerney, Dingell, Pallone (ex officio), Rodgers 
(subcommittee ranking member), Upton, Burgess, Latta, Guthrie, 
Bucshon, Hudson, Carter, Gianforte, and Walden (ex officio).
    Also present: Representative Walberg.
    Staff present: Billy Benjamin, Systems Administrator; 
Jeffrey C. Carroll, Staff Director; Evan Gilbert, Deputy Press 
Secretary; Lisa Goldman, Senior Counsel; Waverly Gordon, Deputy 
Chief Counsel; Tiffany Guarascio, Deputy Staff Director; Alex 
Hoehn-Saric, Chief Counsel, Communications and Consumer 
Protection; Zach Kahan, Outreach and Member Service 
Coordinator; Meghan Mullon, Staff Assistant; Alivia Roberts, 
Press Assistant; Tim Robinson, Chief Counsel; Chloe Rodriguez, 
Policy Analyst; Ben Rossen, FTC Detailee; C. J. Young, Press 
Secretary; Jordan Davis, Minority Senior Advisor; Margaret 
Tucker Fogarty, Minority Staff Assistant; Melissa Froelich, 
Minority Chief Counsel, Consumer Protection and Commerce; Bijan 
Koohmaraie, Minority Counsel, Consumer Protection and Commerce; 
and Brannon Rains, Minority Legislative Clerk.
    Ms. Schakowsky. The Subcommittee on Consumer Protection and 
Commerce will now come to order. We will begin with Member 
opening statements, and I will begin for 5 minutes.

 OPENING STATEMENT OF HON. JAN SCHAKOWSKY, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF ILLINOIS

    So, good morning, and thank you to the Federal Trade 
Commission for being with us this morning. It is really an 
honor to have all of you here. It means a great deal to us.
    The FTC is an independent agency created by Congress to 
protect the American people. Recent media reports have focused 
on the Federal Trade Commission's potentially record-breaking 
fine of Facebook. The fact of the matter is that I believe that 
the public information known about this case underscores the 
need for comprehensive privacy legislation. And we are really 
going to focus, at least I am, on privacy legislation and what 
we can do.
    And while I appreciate the Commission's work on and action 
on the Facebook case, I believe the reality is that a large 
fine in a single case does not meaningfully solve the problems 
that consumers face because of the FTC's lack of tools it needs 
to fulfill the mission to protect consumers in today's economy. 
The FTC needs increased funding and the APA, Administration 
Procedures Act--I can't stand those acronyms, OK--the 
rulemaking authority, at a minimum, to restore consumers' 
confidence in today's digital and brick-and-mortar marketplace, 
the FTC should be able to pursue multiple investigations both 
large and small.
    And, Chairman Simons, I want to thank you and offer my 
support for APA rulemaking that you said that you wanted to 
see. We know the American people are counting on us to act. 
According to a recent survey, 67 percent of American adults 
want the Government to act to protect them and to protect their 
privacy. But as it stands right now, the FTC does not have 
authority to obtain civil penalties for initial violations for 
most unfair or deceptive practices, making matters much worse.
    The Federal Trade Commission has only 40 full-time staff 
devoted to privacy and data security. Contrast that with the 
United Kingdom Information Commissioner's Office which has 
about 500 employees for a country about one-fifth of the size 
of the United States. And unfortunately, Chairman Simons, 
unlike other recent administrations, you have not appointed a 
chief technologist, and in fact only five people at the FTC 
right now are identified as technologists.
    Energy and Commerce Democrats feel we have an obligation to 
provide a solid piece of legislation that protects consumer 
privacy. We have begun conversations now with the Republicans 
as well, and I am very hopeful that legislation will be 
bipartisan, and I am looking forward to working with all of you 
on the Federal Trade Commission in designing this legislation. 
We welcome the Commissioners today to learn how we can assist 
them in fulfilling their mission, our joint mission.
    [The prepared statement of Ms. Schakowsky follows:]

               Prepared Statement of Hon. Jan Schakowsky

    I yield myself 5 minutes for an opening statement.
    Good morning and thank you to the Federal Trade Commission 
for being here with us this morning. The FTC is an independent 
agency created by Congress to protect the American people.
    Recent media reports have focused on FTC's potentially 
record-breaking fine of Facebook. The fact of the matter is 
that the public information known about that case underscores 
the need for comprehensive privacy legislation.
    And while I appreciate the Commission's work and action on 
the Facebook case, I believe the reality is that a large fine 
in a single case does not meaningfully solve the problems 
consumers face because of the FTC's lack of tools it needs to 
fulfill the mission to protect consumers in today's economy.
    The FTC needs increased funding and Administrative 
Procedure Act rulemaking authority at a minimum to restore 
consumer confidence in today's digital and brick-and-mortar 
marketplaces. The FTC should be pursuing multiple 
investigations, both large and small. Chairman Simons has 
publicly voiced support for Administration Proceedings Act 
rulemaking authority, and I am appreciative of those comments.
    We know the American people are counting on us to act. 
According to a recent survey, 67 percent of American adults 
want the Government to act to protect their privacy.
    But, as it stands, the FTC does not have authority to 
obtain civil penalties for initial violations for most unfair 
or deceptive practices. Making matters much worse, the FTC has 
only 40 full-time staff devoted to privacy and data security. 
Contrast that with the United Kingdom Information 
Commissioner's Office, which has about 500 employees for a 
country about one fifth the size of the United States. And 
unfortunately, Chairman Simons, unlike other recent 
administrations, has not appointed a Chief Technologist, and 
only 5 people at the FTC are technologists.
    Energy and Commerce Democrats feel we have an obligation to 
produce a solid piece of legislation that protects consumer 
privacy. We've begun conversations now with the Republicans. 
It's my hope that this legislation will be bipartisan. And I am 
looking forward to working with the FTC in designing this 
legislation.
    I welcome the Commission today to learn how we can assist 
them in fulfilling their mission.

    Ms. Schakowsky. I want to yield the balance of my time to 
Congressman Lujan.
    Mr. Lujan. Thank you, Chairwoman Schakowsky. And I thank 
Chairman Pallone, Ranking Members Walden and Rodgers, for this 
important hearing today on privacy and data security.
    Let me start with just a few numbers: 500 million, 148 
million, and 87 million. These are the numbers of consumers 
impacted by the Marriott, 500 million; Equifax data breaches, 
148 million; and the Facebook-Cambridge Analytica scandal, 87 
million. These massive numbers represent real people, people 
whose trust and privacy has been violated. Most of them not 
been made whole, still vulnerable today.
    Here is another number, 21. It has been 21 years since 
Congress passed even limited privacy legislation, the 
Children's Online Privacy Act. In 1998, America Online had 14 
million subscribers, Google was a month old, and Facebook 
didn't even exist. These numbers make it real; we must act to 
pass comprehensive data privacy and security legislation.
    And most recently in 2017, when we discovered and learned 
about the breach with Equifax back in September of '17, there 
were hearings held in October of '17. It appeared that there 
were commitments made in this committee to the American people 
that action would be taken before the holiday season and here 
we are today, still where no action taken and that is why this 
hearing matters so very much.
    And so with that, Madam Chair, I thank you for the hearing. 
I urge us to act. And I thank the Commissioners for their 
testimony and I look forward to today's discussion. And I yield 
back.
    Ms. Schakowsky. Would anyone else on the Democratic side 
want the time that is remaining? Otherwise, I yield back and I 
now recognize the ranking member, Ms. McMorris Rodgers, for her 
opening statement.

      OPENING STATEMENT OF HON. CATHY McMORRIS RODGERS, A 
    REPRESENTATIVE IN CONGRESS FROM THE STATE OF WASHINGTON

    Mrs. Rodgers. Thank you, Madam Chairman, and welcome to 
everyone, the Chairman and the Commissioners from the Federal 
Trade Commission.
    Today's hearing is very important. Whether through 
deceptive advertising, fraud, or other schemes, bad actors 
regularly try to game the system and destroy trust. The FTC has 
been one of the top cops on the consumer protection beat for 
decades. I am glad that you are here to discuss the 
Commission's vital mission to protect consumers and promote 
competition and innovation especially as it relates to one of 
the most important issues today, our privacy.
    In America's 21st century economy, our days start and end 
by exchanging our information with products that save us time, 
keep us informed, connect us with our communities. Many of us 
start our day by asking Alexa or Siri, ``What is the weather 
today?'' Then we browse Facebook and Instagram, open some 
emails, read the news, check for traffic updates on our 
iPhones, and if the traffic doesn't look too bad there is time 
to order groceries to be picked up or delivered after work. And 
that is just before we walk out the door. All day long, we are 
sharing our information with the internet marketplace. And for 
people who use health trackers and apps, it might not even stop 
when you go to sleep.
    This free flow of information drives much of the innovation 
and technology growth here in the United States. Bottom line, 
we make choices every day to be connected, and when we do, we 
must be able to trust that our privacy is protected. We deserve 
to know how our data is being collected, how it is being used, 
and who it is being shared with. There shouldn't be so many 
surprises, and these protections shouldn't change depending 
upon which State we are in.
    In a recent survey, 75 percent of respondents said privacy 
protections should be the same everywhere they go. The vast 
majority of Americans want the same protections whether they 
live in Eastern Washington, San Francisco, New Jersey, or 
Illinois. That is why I have been advocating and leading for a 
national standard for data privacy that, one, doesn't leave our 
privacy vulnerable in a patchwork; two, increases transparency 
and targets harmful practices like Cambridge Analytica; three, 
improves data security practices; and four, is workable for our 
Nation's innovators and small businesses.
    So, today, I look forward to hearing from the Federal Trade 
Commission which is the main cop on the beat to enforce privacy 
standards, promote transparency, and hold companies 
accountable. The FTC's mission is to protect consumers and 
promote innovation. Our four principles for data privacy law 
are in line with the mission. It is about protecting consumers 
from concrete harms, empowering the choices that they make, and 
also promoting new technologies that we haven't even dreamed of 
yet. This Congress should lead on writing privacy rules of the 
road. I remain ready and willing to work with my colleagues on 
this committee for a bipartisan solution that puts consumers 
and their choices first.
    In various proposals, some groups have called for the FTC 
to have additional resources and authorities. I remain 
skeptical of Congress delegating broad authority to the FTC or 
any agency. However, we must be mindful of the complexities of 
this issue as well as the lessons learned from previous grants 
of rulemaking authority to the Commission.
    The FTC's jurisdiction is incredibly broad. Its authority 
extends beyond just big tech, touching almost every aspect of 
our marketplace from loyalty programs at your local grocery 
store to your favorite coffee shop. The existing statutory 
rulemaking authority given to the FTC by Congress must also be 
part of the discussion. Had the FTC undertook rulemaking 
efforts on any number of issues we will discuss today, even 
starting 8 to 10 years ago, those efforts could have already 
been completed. The history of the FTC's authority is 
important, and it should not be transformed from a law 
enforcement agency to a massive rulemaking regime.
    To understand the pain this could cause, look no further 
than GDPR in Europe. Investment in startups in Europe is down 
40 percent and thousands of U.S. firms are no longer operating 
in the EU because they can't take on the millions of dollars in 
compliance cost. If we decide to increase FTC's resources and 
authority to enforce privacy law, then this committee must 
exercise its oversight of the Commission to its fullest. 
Oversight must be a part of the conversation, so Congress does 
its job to review and hold the FTC accountable.
    Thank you, everyone, for being here, and I look forward to 
our discussion.
    [The prepared statement of Mrs. Rodgers follows:]

           Prepared Statement of Hon. Cathy McMorris Rodgers

    Good morning and welcome to the Consumer Protection and 
Commerce Subcommittee hearing with the Federal Trade 
Commission.
    Thank you Chairman Simons, and Commissioners Phillips, 
Wilson, Chopra, and Slaughter.
    Whether through deceptive advertising, fraud, or other 
schemes, bad actors regularly try to game our system. The FTC 
has been one of the top cops on the consumer protection beat 
for decades.
    I'm glad you are here to discuss the Commission's vital 
mission to protect consumers and promote competition and 
innovation especially as it relates to one of the most 
important issues today--data privacy.
    In America's 21st century economy, our days start and end 
by exchanging our information with products the save us time, 
keep us informed, and connect us with our communities.
    Many of us start our days asking Alexa or Siri, what's the 
weather today? Then we browse Facebook and Instagram open some 
emails and read the news; check for traffic updates on our 
iPhones and if traffic doesn't look too bad, there's time to 
order groceries to be picked up or delivered after work.
    And that's just before we walk out the door.
    All day long we are sharing our information with the 
internet marketplace and for people who use health trackers and 
apps, it might not even stop when you go to sleep. This free 
flow of information drives much of the innovation and 
technology growth here in the U.S.
    Bottom line, we make choices every day to be connected and 
when we do, we should be able to trust that our privacy is 
protected.
    We deserve to know how our data is collected, how it's 
used, and who it's being shared with. There should be no 
surprises and these protections shouldn't change depending on 
what State we're in.
    In recent survey, 75 percent of respondents said privacy 
protections should be the same everywhere they go. The vast 
majority of Americans want the same protections whether they 
are in Eastern Washington, San Francisco, New Jersey, or 
Illinois.
    That's why we've been advocating and leading for a national 
standard for data privacy that:
    One, doesn't leave our privacy vulnerable in a patchwork
    Two, increases transparency and targets harmful practices, 
like Cambridge Analytica
    Three, improves data security practices
    And four, is workable for our Nation's innovators and small 
businesses.
    So today, I look forward to hearing from the Federal Trade 
Commission which is the main cop on the beat to enforce privacy 
standards, promote transparency, and hold companies 
accountable.
    The FTC's mission is to protect consumers and promote 
innovation. Our four principles for a data privacy law, are in 
line with that mission.
    It's about protecting consumers from concrete harms, 
empowering the choices they make and also, promoting the new 
technologies that we haven't even dreamed of yet. This Congress 
should lead on writing the privacy rules of the road.
    I remain ready and willing to work with my colleagues on 
the committee for a bipartisan solution that puts consumers and 
their choices first.
    In various proposals some groups have called for the FTC to 
have additional resources and authorities. I remain skeptical 
of Congress delegating broad authority to the FTC or any 
agency, however we must be mindful of the complexities of these 
issues as well as the lessons learned from previous grants of 
rulemaking authority to the Commission.
    The FTC's jurisdiction is incredibly broad. Its authority 
extends beyond just Big Tech, touching almost every aspect of 
our marketplace--from loyalty programs at your local grocery 
store to your favorite coffee shop.
    The existing statutory rulemaking authority given to the 
FTC by Congress must also be part of this discussion. Had the 
FTC undertook rulemaking efforts on any number of issues we 
will discuss today. even starting 8 to 10 years ago. those 
efforts could have already been completed.
    The history of the FTC's authority is important, and it 
should not be transformed from a law enforcement agency to a 
massive rulemaking regime. To understand the pain this could 
cause look no further than GDPR in Europe.
    Investment in startups in Europe is down 40 percent and 
thousands of US firms are no longer operating in the EU because 
they can't take on the millions of dollars in compliance costs.
    If we decide to increase the FTC's resources and authority 
to enforce a privacy law, then this committee must exercise its 
oversight of the Commission to its fullest extent.
    Oversight must be part of this conversation. so Congress 
does its job to review and hold the FTC accountable.
    Thank you all for being here today and I look forward to 
our discussion.

    Ms. Schakowsky. The gentlelady yields back. And now I 
recognize the chair of the full committee, Mr. Pallone, for 5 
minutes.

OPENING STATEMENT OF HON. FRANK PALLONE, Jr., A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF NEW JERSEY

    Mr. Pallone. Thank you, Madam Chair.
    The Federal Trade Commission plays a critical role in 
protecting American consumers and promoting competition in the 
marketplace. It is a relatively small agency, but the breadth 
of its mission is vast. As the Nation's consumer protection 
agency, the FTC works to protect consumers from a variety of 
unfair and deceptive practices including false advertising, 
illegal telemarketing, unfair debt collection and fraud.
    Last year, the FTC received nearly 3 million complaints 
from consumers who reported losing around $1\1/2\ billion to 
fraud. Seniors particularly were preyed upon by criminals 
pretending to need money to bail their grandchildren out of 
jail. Veterans were tricked into giving their credit card 
information to a thief who claimed to work for the Veterans 
Choice Program, just as examples. And these two examples of the 
thousands of frauds the FTC face every day, many are 
perpetrated through robocalls which I am working to address 
through the Stopping Bad Robocalls Act.
    But that is not the only way fraudsters commit their 
offenses and the FTC needs more support and more authority to 
prevent scams and enforce the law. The FTC is also the Nation's 
primary enforcer in the area of privacy and data security. Talk 
about a daunting job. When you consider that companies today 
monitor every move we make, they are tracking where we go, who 
we are with, our private conversations, our health, the 
websites we visit, and increasingly what we do inside our 
homes. And as we have learned from the concerning privacy 
issues surrounding Cambridge Analytica and Facebook and from 
massive data breaches like the one at Equifax, there is little 
reason to believe that consumers can trust these companies with 
our personal data.
    The FTC can and should be doing more to protect consumers 
and Congress needs to give the FTC the tools it needs to be 
more effective. That starts with resources. The FTC has fewer 
employees today than it did in the 1980s when the internet did 
not exist. It has just 40 employees responsible for protecting 
the data of 300 million Americans. I think that is just 
unacceptable, particularly when you consider that the United 
Kingdom, which has a much smaller population, has more than 500 
people who protect the privacy and data of its residents.
    So we have to give the FTC the resources it needs to become 
a global leader on privacy and data security. The FTC also 
needs more authority to prevent privacy abuses from happening 
in the first place and to ensure that companies properly secure 
the personal data entrusted to them. Too often, the FTC can do 
little more than give a slap on the wrist to companies the 
first time they violate the law. That is because it lacks the 
authority to impose a monetary penalty for initial violations.
    Currently, the FTC can only order a company to stop the bad 
practices and promise not to do it again. And if we really want 
to deter companies from breaking the law, the FTC needs to be 
able to impose substantial fines on companies the first time. 
To make matters worse, there are no strong and clear Federal 
privacy laws and regulations that establish a baseline for how 
companies collect, use, share, and protect consumer 
information. The FTC lacks the ability to issue such 
regulations, leaving Americans left to the whims of 
corporations.
    Companies should not be gathering consumer information 
without a good reason and should have clear consent when they 
use that information for purposes a consumer would not 
reasonably expect. When I search online about the side effects 
of a medicine, I don't expect that information to be shared 
with advertisers, data brokers, or insurance companies, and it 
shouldn't be shared unless I say so.
    Companies also need to protect the data they collect so 
Americans are not as vulnerable to identity theft, scams, and 
other unfair and deceptive acts as they are today. So Congress 
should pass, or must pass strong, comprehensive privacy 
legislation, and this committee intends to take that action. 
The legislation that we pass should give consumers control over 
their personal data including giving consumers the ability to 
access, correct, and delete their personal information. And it 
should shift the burden to companies to ensure they only use 
the information consistent with reasonable consumer 
expectations.
    So I look forward to hearing from all the Commissioners 
about how the FTC can better fulfill its mission in this 
important area of consumer protection.
    [The prepared statement of Mr. Pallone follows:]

             Prepared Statement of Hon. Frank Pallone, Jr.

    The Federal Trade Commission (FTC) plays a critical role in 
protecting American consumers and promoting competition in the 
marketplace. It is a relatively small agency, but the breadth 
of its mission is vast.
    As the Nation's consumer protection agency, the FTC works 
to protect consumers from a variety of unfair and deceptive 
practices, including false advertising, illegal telemarketing, 
unfair debt collection, and fraud.
    Last year, the FTC received nearly 3 million complaints 
from consumers who reported losing around $1.5 billion to 
fraud. Seniors were preyed upon by criminals pretending to need 
money to bail their grandchildren out of jail. Veterans were 
tricked into giving their credit card information to a thief 
who claimed to work for the Veterans Choice Program.
    These are just two examples of the thousands of frauds the 
FTC faces every day. Many are perpetrated through robocalls, 
which I am working to address through the Stopping Bad 
Robocalls Act. But that is not the only way fraudsters commit 
their offences and the FTC needs more support and more 
authority to prevent scams and enforce the law.
    The FTC is also the Nation's primary enforcer in the area 
of privacy and data security. Talk about a daunting job when 
you consider that companies today monitor every move we make. 
They are tracking where we go, who we are with, our private 
conversations, our health, the websites we visit, and, 
increasingly, what we do inside our homes. As we have learned 
from the concerning privacy issues surrounding Cambridge 
Analytica and Facebook, and from massive data breaches like the 
one at Equifax, there is little reason to believe that 
consumers can trust these companies with our personal data.
    The FTC can and should be doing more to protect consumers, 
and Congress needs to give the FTC the tools it needs to be 
more effective. That starts with resources. The FTC has fewer 
employees today than it did in the 1980s when the Internet did 
not exist. It has just 40 employees responsible for protecting 
the data of 300 million Americans. That's unacceptable--
particularly when you consider that the United Kingdom, which 
has a much smaller population, has more than 500 people who 
protect the privacy and data of its residents. We must give the 
FTC the resources it needs to become a global leader on privacy 
and data security.
    The FTC also needs more authority to prevent privacy abuses 
from happening in the first place and to ensure that companies 
properly secure the personal data entrusted to them.
    Too often, the FTC can do little more than give a slap on 
the wrist to companies the first time they violate the law. 
That's because it lacks the authority to impose a monetary 
penalty for initial violations. Currently, the FTC can only 
order a company to stop the bad practices and promise not to do 
it again. If we really want to deter companies from breaking 
the law, the FTC needs to be able to impose substantial fines 
on companies the first time.
    To make matters worse, there are no strong and clear 
Federal privacy laws and regulations that establish a baseline 
for how companies collect, use, share, and protect consumer 
information. The FTC lacks the ability to issue such 
regulations leaving Americans left to the whims of 
corporations.
    Companies should not be gathering consumer information 
without a good reason and should have clear consent when they 
use that information for purposes a consumer would not 
reasonably expect. When I search online about the side effects 
of a medicine, I don't expect that information to be shared 
with advertisers, data brokers, or insurance companies and it 
shouldn't be shared unless I say so. Companies also need to 
protect the data they collect so Americans are not as 
vulnerable to identity theft, scams, and other unfair and 
deceptive acts as they are today.
    Congress must pass strong, comprehensive privacy 
legislation, and this committee will take action. The 
legislation should give consumers control over their personal 
data, including giving consumers the ability to access, 
correct, and delete their personal information. And it should 
shift the burden to companies to ensure they only use the 
information consistent with reasonable consumer expectations.
    I look forward to hearing from all of the Commissioners 
about how the FTC can better fulfill its mission in this 
important area of consumer protection. Thank you, and I yield 
back my time.

    Mr. Pallone. And unless somebody wants the time, there is 
not much left--yes, I will yield to the gentlewoman from 
Florida.
    Ms. Castor. Well, I thank the chairman of the committee for 
yielding the time.
    And I just wanted to start out by saying that America needs 
a modern online privacy law and the Federal Trade Commission 
needs the tools and resources to effectively enforce law and 
hold bad actors accountable. And I think, I encourage you all 
today to also discuss the Children's Online Privacy Protection 
Act because I think it is in need of substantial updates, 
especially looking at how we enforce it, the sham safe harbor 
provisions, and your opinions on adopting some reasonable 
collection parameters. So thank you, and I yield back.
    Mr. Pallone. And I yield back, Madam Chair.
    Ms. Schakowsky. The gentleman yields back, and now I will 
recognize the ranking member of the committee, Mr. Walden, for 
5 minutes.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. Good morning, Madam Chair. Thanks for having 
this hearing. I want to welcome our Commissioners as well for 
being here from the Federal Trade Commission. Thank you. We 
will be informed by your testimony and we appreciate the work 
you do at the FTC.
    We know you're tasked with broad and important 
responsibilities and it is a jurisdiction that spreads out over 
almost every aspect of the United States economy from large 
household name technology companies at Silicon Valley to small 
mom and pop shops in rural America. But recently concerns 
surrounding data security and data privacy including questions 
about what information is collected, how companies use that 
information, who that information is shared with, and what 
protections exist for consumers have demanded more and more 
congressional attention and appropriately so.
    In the last Congress, this committee held very high-profile 
hearings around incidents involving data security and data 
privacy issues with CEOs. They sat right there from Equifax; 
Mark Zuckerberg was there for 5 hours from Facebook; we had 
those from Twitter as well. We also held hearings focused on 
securing consumer information, on understanding algorithmic 
decision making, exploring the online advertising ecosystem and 
how it operates, and an oversight hearing with you, the FTC. 
Privacy was a premier issue during these hearings, but as we 
learned, this is also a tough issue to legislate on. Privacy 
does not mean the exact same thing to each and every person.
    I want to echo the sentiments of my colleague, 
Representative Rodgers, who outlined the vast benefits 
consumers also get from the use of their information online. It 
is a goods for services exchange. We don't always know that but 
we do benefit from that. We cannot lose sight of the tremendous 
benefits consumers get from the use of this data: access to 
top-tier journalism, affordable and quickly delivered products, 
telehealth and research initiatives, and much, much more.
    Here in the United States we have a thriving startup 
ecosystem and a regulatory environment that enables small 
businesses to grow and compete in no small part because the 
free flow of information. And as a result, companies innovate, 
they create jobs in America, and offer consumers options and 
convenience that most of us never dreamed would be possible.
    I believe it is important we work together toward a 
bipartisan, Federal privacy bill and we are ready and willing 
to tackle crafting such a bill. I think we were informed by our 
hearings in the last 2 years and are more than prepared now to 
move forward to write legislation in a bipartisan way. A 
Federal privacy bill must set one national standard. Allowing a 
patchwork of State laws will not only hurt innovation and small 
businesses, but will limit consumers' options online. Consumers 
expect a seamless online experience and I do not want to see 
that taken away.
    We must protect innovation and small businesses. We should 
learn from Europe where large companies are only getting larger 
and unfortunately small companies are getting smaller or 
disappearing altogether online. You know, JPMorgan Chase & 
Company CEO Jamie Dimon recently said Dodd-Frank created a moat 
around his company, which is exactly what we risk doing with 
the likes of Google and Facebook and the big ones, because they 
will always be able to comply, and they will just get bigger if 
we don't craft the law correctly.
    We must enhance security for consumers. Companies must have 
reasonable practices in place to protect consumer information, 
period. We must increase transparency. Consumers deserve to 
know how their information is collected, how it is used, and 
how it is shared. And we must improve accountability. When 
companies fail to keep their promises or outright misuse 
consumer information, those companies must be held accountable. 
This goes to the heart of the enforcement issues. Federal Trade 
Commission accomplishes its consumer protection mission through 
law enforcement, by bringing action against companies who 
engage in unfair or deceptive acts or practices. And we know 
you have a big decision before you right now involving one of 
those companies.
    Through advocacy, through consumer and business education 
efforts, you do it all. The FTC can file injunctions, you can 
levy civil penalties, and you can seek remedies on behalf of 
consumers to redress harms. The Federal Trade Commission 
generally operates a highly effective, bipartisan agency, 
returning millions directly to consumers after they are 
defrauded, and I look forward to hearing an update on those 
efforts. I also look forward to hearing about the consumer 
protection hearings and what the agency has learned about 
privacy harms and risks.
    Every agency has challenges and recent court changes in 
cases have changed the direction of some agency activity to 
refocus on due process. I am encouraged that these types of 
improvements would help small businesses understand their 
rights when faced with the full force of the FTC. I believe the 
FTC is the right agency to enforce new privacy law with 
appropriate safeguards and process improvements to ensure 
strong, consistent enforcement.
    Some have suggested the quick answer is more money, more 
rulemaking authority, and more employees. There is no quick 
fix, I would argue. I would like to hear from the Chairman 
about his views on unbounded rulemaking at the FTC and whether 
the agency can compete for talent with the big tech companies 
that are moving to the DC area. And we must consider market 
realities and ask if there are more effective ways to get 
experts to the FTC for unique cases.
    So, Madam Chair, thanks for having this hearing. I think it 
is really important and we look forward to working with you and 
others on the committee to get this right and get it into law. 
And I yield back.
    [The prepared statement of Mr. Walden follows:]

                 Prepared Statement of Hon. Greg Walden

    Good morning. I want to thank Chairman Simons and 
Commissioners Phillips, Wilson, Chopra, and Slaughter for being 
here. I am glad to see the five of you here again after our 
productive conversation last summer before this subcommittee.
    The Federal Trade Commission is tasked with broad and 
important responsibilities and its jurisdiction spreads out 
over almost every aspect of the U.S. economy--from large, 
household-named technology companies in Silicon Valley to small 
mom-and-pop shops in rural America.
    But, recently, concerns surrounding data security and data 
privacy, including questions about what information is 
collected, how companies use that information, who that 
information is shared with, and what protections exist for 
consumers, have demanded more Congressional attention.
    Last Congress, this committee held high-profile hearings 
around incidents involving data security and data privacy 
issues with the CEOs of Equifax, Facebook, and Twitter. We also 
held hearings focused on: securing consumer information; 
understanding algorithmic decision making; exploring the online 
advertisement ecosystem and how it operates; and an oversight 
hearing with you, the FTC.
    Privacy was a premiere issue during these hearings. But as 
we learned, this is a tough issue; privacy does not mean the 
exact same thing to every American.
    I want to echo the sentiments of my colleague Rep. Rodgers 
who outlined the vast benefits consumers get from the use of 
their information online. We cannot lose sight of the 
tremendous benefits consumers get from the use of data--access 
to top-tier journalism, affordable and quickly delivered 
products, telehealth and research initiatives, and much more.
    Here in the U.S., we have a thriving startup ecosystem and 
a regulatory environment that enables small businesses to grow 
and compete, in no small part because of the free flow of 
information. And, as a result, companies innovate, create new 
jobs, and offer consumers options and convenience.
    I believe it is important that we work together toward a 
bipartisan Federal privacy bill. And we are ready and willing 
to tackle crafting such a bill. I hope that we can continue 
down the bipartisan path together.
    A Federal privacy bill must set one national standard. 
Allowing a patchwork of State laws will not only hurt 
innovation and small businesses but will limit consumers 
options online. Consumers expect a seamless online experience, 
and I do not want to see that taken away.
    We must protect innovation and small businesses. We should 
learn from Europe--where large companies are only getting 
larger and small companies are only getting smaller. JPMorgan 
Chase & Co. CEO Jamie Dimon recently said Dodd-Frank created a 
moat around his company--which is exactly what we risk doing 
with the likes of Google and Facebook if we do not carefully 
craft a national privacy bill.
    We must enhance security for consumers. Companies must have 
reasonable practices in place to protect consumer information.
    We must increase transparency--consumers deserve to know 
how their information is collected, used, and shared.
    And we must improve accountability. When companies fail to 
keep their promises or outright misuse consumer information, 
those companies must be held accountable. This goes to the 
heart of the enforcement issues.
    The FTC accomplishes its consumer protection mission 
through law enforcement--by bringing actions against companies 
who engage in unfair or deceptive acts or practices; through 
advocacy; and through consumer and business education efforts. 
The FTC can file injunctions, levy civil penalties, and can 
seek remedies on behalf of consumers to redress their harms.
    The FTC generally operates as a highly effective bipartisan 
agency. Returning millions directly to consumers after they are 
defrauded, and I look forward to hearing an update on those 
efforts. I also look forward to hearing about the consumer 
protection hearings and what the agency has learned about 
privacy harms and risks.
    Every agency has challenges, and recent court cases have 
changed the direction of some agency activity to refocus on due 
process. I am encouraged that these types of improvements would 
help small businesses understand their rights when faced with 
the full force of the FTC.
    I believe the FTC is the right agency to enforce a new 
privacy law with appropriate safeguards and process 
improvements to ensure strong, consistent enforcement. Some 
have suggested that the quick answer is more money, more 
rulemaking authority, and more employees. There is no quick 
fix. I would like to hear from the Chairman about his views on 
unbounded rulemaking for the FTC, and whether the agency can 
compete for talent with the big tech firms moving to the DC 
area. We must consider market realities and ask if there is a 
more effective way to get experts to the FTC for unique cases.
    I look forward to hearing from you all about how you are 
thinking of using the current tools at the FTC to address 
privacy concerns in our digital world.
    Thank you.

    Ms. Schakowsky. The gentleman yields back. And the Chair 
would like to remind Members that, pursuant to committee rules, 
all Members' written opening statements shall be made part of 
the record.
    Next, I am going to introduce all of our witnesses, but I 
want to tell all of you that I had a standing-room-only FTC-
sponsored scam workshop in my district along with Congressman 
Brad Schneider, which was amazing, and I would encourage all 
Members to consider doing that. The turnout was unprecedented, 
and people really appreciated it. So thank you.
    So let me introduce our witnesses. The Honorable Joseph 
Simons, Chairman of the Federal Trade Commission; Commissioner 
Christine Wilson; Honorable Commissioner Rebecca Kelly--Rebecca 
Kelly Slaughter, sorry; Commissioner Noah Joshua Phillips; 
Commissioner Rohit Chopra. We are happy to have you all, and we 
want to thank our witnesses for joining us today. We look 
forward to your testimony.
    And at this time, the Chair will now recognize each witness 
for 5 minutes to provide their opening statements.
    Before we begin, I would like to explain the lighting 
system. I think probably most of you know that the light will 
initially be green at the start of your opening statement, then 
it will go to yellow when you have 1 minute, and then it will 
go to red. And we would appreciate it very much if you would 
end in those 5 minutes. So, Chairman Simons, you are recognized 
for your 5 minutes.

  STATEMENTS OF JOSEPH J. SIMONS, CHAIRMAN, AND CHRISTINE S. 
  WILSON, REBECCA KELLY SLAUGHTER, NOAH JOSHUA PHILLIPS, AND 
     ROHIT CHOPRA, COMMISSIONERS, FEDERAL TRADE COMMISSION

                 STATEMENT OF JOSEPH J. SIMONS

    Mr. Simons. Chairman Schakowsky, Ranking Member Rodgers, 
and distinguished members of the subcommittee, it is an honor 
and a privilege to appear before you today, and especially with 
my esteemed colleagues, my fellow Commissioners.
    The FTC is a highly effective, independent agency with a 
broad mission to protect consumers and maintain competition in 
most sectors of the economy. On the competition side, examples 
of our vigorous enforcement program include cases like Impax 
and AbbVie where we successfully attacked anticompetitive 
conduct by pharmaceutical companies.
    Ms. Schakowsky. If you could hold just for a minute.
    We got the message, and if you will put the signs down, 
appreciate it.
    Thank you. Go ahead.
    Mr. Simons. Yes. We successfully attacked anticompetitive 
conduct by pharmaceutical companies, achieving a $448 million 
judgment in the latter case. We also recently filed an 
important case against a company called Surescripts, a health 
IT company with a monopoly over e-prescribing that is 
maintaining and acquired that monopoly through exclusionary 
conduct.
    And on the research and policy front, our extensive 
Hearings on Competition and Consumer Protection in the 21st 
Century have involved more than 350 panelists and more than 850 
public comments. On the consumer protection side, we are very 
active as well, with matters ranging from student debt relief 
scams to various types of false advertising and many other 
cases in between.
    But today I would like to focus my remarks on data security 
and privacy. As you have said, the FTC has been the primary 
Federal agency charged with protecting consumer privacy since 
1970 with the passage of the FCRA. From the growth of the 
internet to the mobile device explosion to the arrival of the 
Internet of Things and artificial intelligence, we have 
continuously expanded our focus on privacy to reflect how 
consumer data fuels these changes in the marketplace.
    Our primary legal authority in this space is Section 5 of 
the FTC Act, which prohibits deceptive or unfair commercial 
practices. But Section 5 is an imperfect tool--imperfect tool. 
For example, Section 5 does not allow the Commission to seek 
civil penalties for first-time privacy violations. It does not 
allow us to reach nonprofits and common carriers even when 
their practices have serious implications for consumer privacy 
and data security.
    These limitations have a critical effect on our ability to 
protect consumers, which is why we urge Congress to enact 
privacy and data security legislation enforceable by the FTC 
which grants the FTC civil penalty authority, targeted APA 
rulemaking authority, and jurisdiction over nonprofits and 
common carriers. Irrespective of any new legislation, however, 
we will continue to use every tool currently at our disposal to 
address consumer harm including authorities given to us by the 
Congress like the Children's Online Privacy Protection Act and 
the Safeguards Rule.
    We have aggressively pursued privacy and data security 
cases to date bringing more than 65 data security cases as well 
as more than 60 general privacy cases. For example, we recently 
brought cases against two companies whose alleged lax security 
practices resulted in a breach of 8 million consumers' data. 
And in March, the FTC announced a record $5.7 million civil 
penalty as part of its settlement with video social networking 
app Musical.ly for collecting children's personal information 
online without first obtaining parental consent.
    To complement our efforts, we also engage in policy 
initiatives in the privacy and data security areas. In addition 
to the hearings I mentioned, which included 4 days of panels 
that specifically addressed consumer privacy and data security, 
we recently issued 6(b) orders to several internet service 
providers to evaluate their privacy practices. We will use the 
information we learned from this study to better inform our 
policy and our enforcement work.
    Finally, many of our privacy and data security 
investigations in cases involve complex facts and technologies 
and well-financed defendants. And as we told you in response to 
Chairman Pallone and Schakowsky's resource letter, it is 
critical that the FTC have sufficient resources to support its 
investigative and litigation needs particularly as demand for 
enforcement in this area continues to grow. We are committed to 
using every resource effectively to protect consumers and to 
promote competition, to anticipate and respond to changes in 
the marketplace, and to meet current and future challenges.
    We look forward to working with the subcommittee and the 
Congress and I am very happy to answer your questions. Thank 
you so much.
    [The joint prepared statement of Mr. Simons and the four 
Commissioners follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Ms. Schakowsky. And thank you, Mr. Chairman, sticking 
within the time, too, appreciate that.
    And now, Commissioner Wilson, you are recognized for 5 
minutes.

                STATEMENT OF CHRISTINE S. WILSON

    Ms. Wilson. Chairman Schakowsky, Ranking Member Rodgers, 
Chairman Pallone, and Ranking Member Walden, thank you for the 
opportunity to testify. It is an honor to appear before you and 
the distinguished members of the subcommittee for the first 
time since I joined the Commission 8 months ago. Today I would 
like to highlight two areas where I respectfully believe 
Congress could assist the FTC in fulfilling its mission to 
protect consumers. First, enactment of privacy legislation, and 
second, clarification of the FTC's authority under Section 
13(b) of the FTC Act.
    With respect to privacy legislation, I agree with Chairman 
Simons' opening statement on this topic. I too encourage 
Congress to enact privacy legislation to be enforced by the 
FTC. Businesses need clarity and certainty regarding rules of 
the road in this important area. The passage of the California 
Consumer Privacy Act and the prospect of potentially 
conflicting bills in myriad States have created confusion and 
uncertainty in the business community. And in light of the fact 
that online commerce is not just national, but international in 
scope, I encourage Congress to include preemption in any 
Federal privacy legislation. Even more importantly, consumers 
need clarity regarding how their data is collected, used, and 
shared. Privacy legislation should address these concerns and 
could help build public trust around data collection and use.
    Privacy legislation is also necessary to address the 
emerging gaps and sector-specific approaches created by 
evolving technologies. For example, HIPAA applies to medical 
offices but not wearables, apps, or websites like WebMD. Data 
protections should be based on the sensitivity of the data, not 
the entity or mechanism through which it is collected.
    And while privacy is important, so is competition. Federal 
privacy legislation must be carefully crafted to maintain 
competition and foster innovation. GDPR may have lessons to 
teach us in this regard. Preliminary research indicates that 
GDPR may have created unintended consequences, including a 
decrease in investment and startups and entrenchment of 
dominant players in the digital advertising market. Reports 
also indicate that compliance with GDPR is costly and difficult 
for small businesses and new entrants.
    U.S. legislation should seek to avoid these negative 
consequences. There are three other elements I believe should 
also be included in Federal privacy legislation: civil monetary 
penalties, which Congress has provided for in other statutes 
that are enforced by the FTC including COPPA and the 
Telemarketing Sales Rule; jurisdiction over nonprofits and 
carriers which collect, common carriers which collect 
significant volumes of sensitive information; and targeted, 
narrow APA rulemaking authority so the FTC can enact rules to 
supplement legislation and to permit adjustments in response to 
technological developments.
    Turning to section 13(b) of the FTC Act, I think it is 
important for Congress to provide assistance through 
clarification of the FTC's authority under section 13(b) of our 
statute. Decades of cases have established two key principles. 
First, the FTC may bring actions in Federal district court to 
obtain injunctive relief, and second, the authority to grant 
injunctive relief confers upon courts the full panoply of 
equitable remedies including equitable monetary relief.
    Our ability to protect consumers relies heavily on this 
authority, but recent decisions have raised questions about the 
scope of our authority that conflict not only with long-
established case law, but also with the clear intent of 
Congress. Earlier this year, a case in the third circuit held 
the FTC can't seek injunctive relief when the challenged 
conduct is not ongoing or imminent, but fraudsters frequently 
cease their unlawful conduct when they learn of impending law 
enforcement actions. The third circuit standard could prevent 
us from seeking relief in Federal district court in these 
circumstances, even if we can show the conduct is likely to 
recur based on past practices.
    And another concerning development arose in the ninth 
circuit where a judge questioned the FTC's authority to obtain 
equitable monetary relief under section 13(b). But courts have 
long held that granting the FTC authority to seek injunctive 
relief also gives courts the authority to grant the full range 
of equitable relief. We believe this interpretation more 
accurately reflects congressional intent.
    We thank you for your assistance, and I look forward to 
answering your questions.
    Ms. Schakowsky. Thank you. And now we recognize 
Commissioner Slaughter for 5 minutes.

              STATEMENT OF REBECCA KELLY SLAUGHTER

    Ms. Slaughter. Thank you Chair Schakowsky, Ranking Member 
Rodgers, Chairman Pallone and Ranking Member Walden, and 
distinguished members of the subcommittee for inviting us here 
today. I am Rebecca Kelly Slaughter and I am so pleased to be 
here with my colleagues on behalf of the FTC.
    I want to begin by echoing Chairman Simons and most of my 
fellow Commissioners, and ask Congress to pass a comprehensive 
Federal privacy law that would give the FTC civil penalty 
authority, targeted APA rulemaking authority, and jurisdiction 
over nonprofits and common carriers. We have some of these 
powers in limited degree already and where we have them, we use 
them responsibly.
    In particular, where Congress has granted us privacy 
related rulemaking authority, the Commission has used to put 
out clear rules, engage in meaningful, participatory notice and 
comment, and amend our rules to keep up with technological 
developments. For example, the FTC has rulemaking authority 
under COPPA. We put out an initial rule and have since adapted 
it to address innovations that affect children's privacy, 
social networking, online access via smart phone, and the 
availability of geolocation information. As we have made these 
changes, we have conducted workshops and sought input through 
formal notice and comment.
    The rule provides clear guidance to firms on how they can 
comply with the law and then we enforce the law consistent with 
the rule, for example, in our settlement with Musical.ly that 
the Chairman referenced, a company that is now known as TikTok, 
earlier this year. The Graham-Leach-Bliley Act also gives us 
some limited privacy related rulemaking authority for 
information held by certain financial institutions.
    In March, the Commission sought comment on proposed 
amendments to the safeguards and privacy rules under this law. 
Based on our experience, we determined that the rules could 
benefit from modernization. We analyzed different models for 
strengthening them and we sought input from stakeholders 
regarding the best way to implement new requirements.
    Just as you in Congress are doing, we at the Commission are 
reflecting carefully on the types of substantive privacy 
provisions that might best protect consumers today and in the 
future. The public hearings initiated by Chairman Simons have 
been a showcase for these debates.
    I want to briefly highlight one of my own observations for 
your consideration. Much of our Section 5 authority and some of 
our privacy rules up to this point have been grounded in the 
principles of notice and consent. The notice and consent 
framework began as a sensible application of basic consumer 
protection principles to privacy. Tell consumers what you are 
doing with their data, secure consent, and keep your promises.
    But in order for a notice and consent regime to be 
effective each element must be meaningful. Notice must give 
consumers information they need and can understand, and 
consumers must have a choice about whether to consent. Today, 
notice is mostly in the form of lengthy, click-through 
contracts. Few consumers have the time and legal training 
required to understand them and consumers often have no choice 
but to say yes to these contracts.
    They must cede all control over their data to access 
services critical to their everyday lives. They don't have the 
option to turn to a competing, more privacy-protective service. 
In other words, when it comes to our digital lives, neither 
notice nor consent feels particularly meaningful today. As you 
consider better protections for consumer privacy, I want to 
encourage solutions that don't place all the burden on 
consumers as much as the existing framework does.
    Finally, amidst the important ongoing discussions of the 
resources allocated to our agency, I want to conclude by 
highlighting what a good return on investment the FTC is for 
the American consumer. In fiscal year 2018, the Commission's 
budget was $306 million and our actions returned over $1.6 
billion to consumers. So, for every dollar the American 
taxpayer gave to the FTC, staff returned 5. We welcomed the 
recent letters from Chairs Schakowsky and Pallone asking what 
the Commission could do with more resources and the 
Commission's response illustrated the good use to which we 
could put additional funding.
    Approximately two-thirds of our budget goes to our greatest 
asset, staff pay and benefits. Unfortunately, our headcount has 
declined over the past decade even as demands on the agency 
have increased. The letters that we sent illustrated what we 
could do with an additional 50 or 75 or 100 million dollars, 
some of which would allow us to bring our staffing levels up to 
where they were in 1982, well before the internet, and still 
below where they were in the 1970s.
    So I look forward to working with the committee on both 
sides of the aisle as you think about this important 
legislation, and I look forward to taking your questions. Thank 
you.
    Ms. Schakowsky. Thank you very much, and now Commissioner 
Phillips is recognized for his 5 minutes.

               STATEMENT OF NOAH JOSHUA PHILLIPS

    Mr. Phillips. Thank you. Chair Schakowsky, Ranking Member 
Rodgers, Chairman Pallone, Ranking Member Walden, distinguished 
members of the subcommittee, thank you for the opportunity to 
appear before you today. I am honored to be back here with my 
fellow Commissioners to highlight the important work that the 
FTC and its talented staff do on behalf of American consumers. 
I realize that privacy is one of the main topics that we are 
going to talk about today, and I look forward to answering any 
questions that you have.
    But, first, I want to highlight what the FTC has been doing 
in an area that is critical to all Americans, healthcare. 
Americans are concerned about their healthcare. All of us spend 
more time than we should trying to find a doctor who takes our 
insurance, shopping for the best prescription prices, dealing 
with insurers, and so on. And all too often we pay more than we 
should with the annual cost of healthcare accounting for nearly 
18 percent of annual GDP. The FTC has focused on healthcare for 
decades. In my nomination process, I called for this Commission 
to continue that essential work and I am pleased today to 
report that we have.
    On the competition side, the Commission has been very busy. 
Following the FTC's Supreme Court victory in the Actavis case, 
which subjected pay-for-delay settlements to antitrust 
scrutiny, we have worked hard to rid the market of this 
anticompetitive conduct. Pay-for-delay settlements delay 
generic entry, preventing earlier consumer access to cheaper 
pharmaceuticals, and forcing Americans to pay higher prices for 
the drugs they need. The Commission has obtained several orders 
prohibiting such settlements, including two this year that 
included the final remaining Actavis defendants.
    Just weeks ago, this Commission reached a decision in its 
case against the generic manufacturer Impax which entered into 
a pay-for-delay settlement with Endo, a brand manufacturer. On 
a unanimous basis, we rendered the first FTC opinion on pay-
for-delay settlements since the Actavis case, banning Impax 
from engaging in this harmful conduct. I know that stopping 
anticompetitive conduct and pay-for-delay settlements has also 
been a focus of this committee, and I appreciate the chairman, 
ranking member, and Congressman Rush's recognition of this 
important issue.
    This Commission is fighting anticompetitive conduct in 
court. We recently obtained a Federal court judgment ordering 
AbbVie to pay nearly $500 million in relief to consumers 
overcharged for AndroGel, as a result of AbbVie's 
anticompetitive manipulation of our civil justice system. And 
as the Chairman mentioned, just weeks ago we sued Surescripts, 
a monopolist we allege employed illegal vertical and horizontal 
restraints to maintain its monopolies over two e-prescription 
markets. In addition to targeting the cost of healthcare, this 
case addresses important competition issues like two-sided 
markets, network effects, and innovation harms.
    Our consumer protection work on healthcare also provides 
results to consumers who too often get duped into buying bogus 
products and services, sometimes even foregoing needed care. 
Stopping deceptive health claims, providing guidance to 
business, and educating consumers continue to be top priorities 
for this Commission. Last month, the FTC settled with 
defendants charged with deceptively marketing cognitive 
improvement supplements using sham websites and fake clinical 
studies and endorsements. Our actions stopped the scam which 
reaped over $14 million from unsuspecting consumers.
    The FTC also recently cracked down on deceptively 
advertised amniotic stem cell therapy which its promoters 
claimed could treat serious diseases including Parkinson's, MS, 
and heart attacks. The FTC just mailed checks over half a 
million dollars to victims. We also recently brought charges 
against defendants who claimed that their Nobetes pill could 
treat diabetes even after the FDA and FTC warned them that they 
needed scientific evidence which they didn't have. The list 
goes on.
    We are focused on protecting consumers in the opioid crisis 
and have brought several actions to return money to consumers 
who were duped into treatments that weren't real. And as our 
work on the opioid crisis shows, the FTC leverages our 
resources and partners with other agencies to maximize our 
impact. Working with the FDA as we did on opioids, we jointly 
issued 13 warning letters to companies marketing e-liquids used 
in e-cigarettes in packaging that resembled kid-friendly food 
products like juice boxes, candy, or cookies. Like yours, our 
goal is to protect kids.
    I hope this testimony has been helpful to you in showing 
how the FTC makes a daily impact on the lives of American 
consumers both by protecting their wallets and their health. 
Thank you, and I look forward to your questions.
    Ms. Schakowsky. Thank you very much. And last but not 
least, Commissioner Chopra, it is your 5 minutes.

                   STATEMENT OF ROHIT CHOPRA

    Mr. Chopra. Thank you. Chair Schakowsky, Ranking Member 
Rodgers, and members of the committee, thank you for holding 
this hearing to examine the Federal Trade Commission's role in 
policing digital markets against misuse and abuse of data.
    Today, I want to talk about a market failure affecting 
families, businesses, and the labor force: terms of service, 
the contracts that we theoretically read and evaluate online. 
The FTC and Congress need to confront these take-it-or-leave-it 
contracts particularly when it comes to potentially unfair 
terms. Many terms of service consist of thousands and thousands 
of words written in legal jargon. According to some estimates, 
if Americans had to read all of these contracts it would take 
them approximately 250 hours per year.
    Studies overwhelmingly confirm that we just don't read 
these terms and we are now becoming numb to companies imposing 
regulations that make us cede our rights and even our property. 
For example, terms of service for streaming music apps have 
given companies access to your contacts and photos, even though 
it is a music app. To use certain, quote, free photo sharing 
apps, the maker of the apps reserves the right to use your 
name, likeness, and image even for commercial purposes. Other 
terms of service slip in language that says the company will 
absolutely ignore ``do not track'' settings in your browser.
    These nonnegotiable contracts are giving firms the right to 
fingerprint your device, often allowing them to create a 
dossier on you even if you don't register for an account. These 
contracts aren't just claiming the right to monetize your 
personal information and property, they also revoke many of 
your legal rights and can even allow firms to change terms at 
any time whenever they want.
    Contracts are and should be a critical foundation of 
commerce. They help parties bargain and put their promises on 
paper. But when contracts aren't negotiated, they can easily 
become riddled with one-sided terms, and both dominant players 
and unscrupulous firms can exploit their position to the 
detriment of fair competition.
    Now the FTC has a strong tradition of restricting unfair 
contract terms. In the 1980s, during the Reagan administration, 
the FTC banned a slew of terms and consumer credit contracts 
including confessions of judgment where consumers waived all of 
their defenses in court if they were sued. The FTC found that 
terms like these were the product of an unequal bargain where 
consumers could not protect their interests.
    More recently, both the FTC and Congress have cracked down 
on gag clauses on a bipartisan basis. Nondisparagement 
provisions in take-it-or-leave-it contracts that forbid us from 
posting truthful reviews online for products and services are 
now banned. This is a boon for consumers and competition. 
Buyers will be able to find out what others have experienced, 
and sellers that invest in quality in customer service will be 
rewarded in the market. It is time for us to own up to the fact 
that today's digital contracts can lead to a race to the 
bottom.
    In addition to making use of the FTC's existing 
authorities, Congress should also look for ways to stop 
companies from exploiting their bargaining position through 
these contracts. For example, we can look to reforms enacted by 
other developed countries, such as the 2010 law in Australia 
that allowed consumer protection and competition authorities to 
enforce laws on more unfair contract terms.
    I would suggest that there are two aspects that warrant our 
attention. First, we need to look at the circumstances that 
these contracts are imposed and whether one side has more 
power, information, or leverage. Second, we need to look at the 
terms themselves, particularly any one-sided terms that 
unreasonably favor the drafting party. It will be especially 
critical to closely scrutinize the terms imposed in take-it-or-
leave-it contracts on entrepreneurs and small businesses like 
app developers and online merchants, especially when they can 
see their data taken away or their rights removed. This can 
impede fair competition and we should look closely at it.
    Thank you, and I look forward to all of your questions.
    Ms. Schakowsky. Thank you all. We have now concluded 
witness opening statements for our panel. We will now move to 
Member questions. Each Member will have 5 minutes to ask 
questions of our witnesses, and I will start by recognizing 
myself for 5 minutes.
    So we know the FTC does not have enough resources to devote 
to privacy and data security enforcement. The FTC has only 
about a thousand employees altogether to fulfill the dual 
mission of competition and consumer protection which is less 
than what the agency had, as we heard earlier, in 1983. Of 
those, only about 40 people are charged with protection of 
privacy and security of American consumers. I can find that 
pretty shocking. The American people deserve more and better.
    So my question is for Chairman Simons. You have said before 
that you believe the FTC must, quote, vigorously enforce, 
unquote, the laws entrusted to it. How can the FTC vigorously 
protect consumer privacy when it has only 30 lawyers working on 
behalf of the whole country?
    Mr. Simons. Thank you, Chairman. So like you have said 
before, we are a small agency but we fight above our weight. So 
we are very aggressive with the resources that we have, but if 
we had more resources I guarantee that we would put those to 
very good use.
    In terms of--one thing to keep in mind, I think 
particularly with respect to the legislation that you are 
considering, is that would significantly, no matter who you 
talk to, really, that would significantly expand our authority. 
And in particular, if that legislation is passed, there is no 
question that we would need very substantial increases in our 
resources.
    And as you said in your opening statement, Madam Chairman, 
the U.K. authority has 500 employees dedicated to privacy and 
even the Irish authority has about 140. So us starting at 40 
and then trying to enforce something similar to what they are 
enforcing with their authority, obviously, you know, shows a 
gap.
    Ms. Schakowsky. OK, thank you.
    As you had mentioned, Mr. Chairman, earlier this year we 
sent a letter to the FTC to get more information about how the 
Commission would use additional resources, and I ask unanimous 
consent to put that in the record. Hearing none, so ordered.
    [The information appears at the conclusion of the hearing.]
    Ms. Schakowsky. Your response indicated that the Commission 
could hire 160 more staff with $50 million in additional 
funding or 360 more staff with an additional $100 million 
funding. You also said that a hundred new attorneys focused on 
privacy and security would allow the FTC significantly to boost 
its enforcement activity and also improve the agency's ability 
to monitor compliance of companies already under the order.
    So I am concerned about this issue of monitoring compliance 
with existing orders because we have all seen how, for example, 
Facebook continues to rampantly abuse consumer privacy despite 
being under an order with the Federal Trade Commission. So the 
question, Chairman Simons, is how does the FTC make sure that 
companies comply with orders that require a comprehensive 
program to protect privacy and security?
    Mr. Simons. Yes, so thank you, Chairman. One of the really 
great things about the FTC as an institution is that it has a 
history of engaging in self-critical examination. And the 
privacy program, looking back at the FTC as a whole, is a 
relatively young program. So we are seeing what is happening 
with some of these orders.
    And this also was explored at our hearings and we are 
taking that to heart and increasing the provisions in our model 
orders to beef up, for example, assessor provisions so the 
assessors actually have a much more fulsome role and we can get 
the benefit of their investigation. And also, we are creating a 
provision that requires certification by a senior officer in 
the company. And in order to make that certification, the 
officer is under an obligation to actually conduct an 
investigation and gather evidence regarding their compliance 
with the order.
    Ms. Schakowsky. Let me ask Commissioner Chopra, does the 
FTC have the resources and authority necessary to effectively 
monitor compliance and enforce its existing orders? I am 
concerned that the FTC doesn't even require anyone to submit 
assessments to the agency after the first one.
    Mr. Chopra. Well, of course we are using a century-old law 
to do much of our privacy and data security work, so obviously 
authority and resources will help. Of course, we are all aware 
no amount of resources is really going to--we don't know how 
much we will actually be able to tackle the vast problem that 
we have at hand.
    So, in addition to resources, you know, bright line rules 
that really give clear guidance and have real teeth and 
accountability and especially penalties will also help us 
advance that mission. The more blurry it is, the more it is 
going to be harder to enforce, the more some firms will be able 
to get through loopholes and small firms will suffer.
    So I also encourage you to think about not just having the 
FTC enforce some of these rules, but other parties as well. We 
need those force multipliers.
    Ms. Schakowsky. Thank you. Now I yield to the ranking 
member of our subcommittee.
    Mrs. Rodgers. Thank you, Madam Chair. And again, thank you, 
everyone, for your testimony here.
    Chairman Simons, last month the FTC held a hearing on the 
FTC's approach to consumer privacy. Your remarks focused on the 
fact that privacy violations can cause a range of harms. I 
believe any Federal privacy bill should focus on protecting 
consumers from concrete harms. What did you learn from the 
hearing about specific harms that can help us craft an 
enforceable privacy bill?
    Mr. Simons. Thank you, Representative. What I would say is 
that we learned quite a bit at those hearings. We learned that 
there is a widespread consensus among stakeholders in the 
privacy community to support the Federal privacy legislation 
that you are talking about, you know, you as a committee.
    And they are also talking about how to--notice and comment, 
notice and choice has been a primary vehicle as we discussed 
and folks in the hearings emphasized that it really should also 
turn on assessments and accountability. And so, we are focused 
on that as well and also deidentification of data. Those are 
the things that came up at the hearing and that were most 
recommended by a broad group of people.
    Mrs. Rodgers. Great, thank you.
    Commissioner Phillips, can you explain why it is important 
for a Federal privacy approach to be risk-based and what harms 
we should as Congress be protecting against?
    Mr. Phillips. Congressman Ranking Member, thank you for 
that question. The tradition of the United States since 1970 
with respect to privacy has been a risk-based one. We have 
chosen to look at particular areas where risk is heightened, 
like information about kids or health information, and single 
out those areas for special and heightened treatment. That to 
me makes all the sense in the world.
    This conversation that we are having about a broader 
consumer privacy law because it reaches broader and because it 
potentially applies to a far broader swath of data, some of 
which may raise similar kinds of risk, some of which may make 
less, to me means that we have to have a really serious 
conversation, and in particular that Congress needs to have 
really a serious conversation what the problems are we want to 
solve, what the wrongs are that we want to right.
    So one of the things that I have heard today is a concern 
about, let's say, transparency, right. Consumers don't have the 
time to look over a long policy. Maybe they don't understand 
the legal jargon. Are there things that we can do to increase 
that level of awareness and maybe also provide more clarity for 
business? That could be a good outcome.
    But I think what is critical to this debate is two things. 
The first, leaving aside the tools of how we solve the problem, 
let's agree on the problems we want to solve, say, 
transparency, or at least do our best to solve, and then let's 
think about how to build a scheme around that.
    Mrs. Rodgers. As a follow up, is there a risk of delegating 
too much rulemaking authority to the FTC that creates 
uncertainty for industry, particularly the small businesses and 
startups?
    Mr. Simons. Thank you again for that question. I think 
there is, and to me the risk exists on two levels. The first is 
really a basic constitutional one, which is the privacy debate 
is really interesting because it is one where there is a lot of 
general agreement on the need for something, but a lot of 
disagreement on the specifics.
    So let me take as an example, two consumers both pushed ads 
as they walk by a Starbucks. One consumer might experience that 
as, ``Great, that reminds me--I want the latte, and I want to 
get a dollar off.'' But the other consumer might say, ``Hey, 
that is really creepy. How did you know I was there?'' Those 
are both very reasonable interpretations of the same facts, but 
what they demonstrate is that different people have different 
tastes for privacy. So in this context, when you give broad 
rulemaking authority, you ask five of us or maybe even just 
three of us to decide what we want. That is no substitute for 
the democratic process.
    So that is the first thing. The second thing, which you 
mentioned and which is really important, is that, whatever the 
rules are, they ought to basically remain over time. And there 
is a chance that, you know, issues get politicized or people 
have very earnest disagreements and over time the rules shift. 
Whether you like more restrictive rules or less restrictive 
rules, we should all agree that having consistent rules over 
time makes sense.
    Mrs. Rodgers. OK, thank you. I have more questions, but my 
time is expired. I will yield back.
    Ms. Schakowsky. I now recognize Ms. Castro--Castor for 5 
minutes, sorry.
    Ms. Castor. Thank you, Madam Chair.
    Chairman Simons in his testimony mentioned the recent FTC 
fine of $5.7 million against the video social networking app 
Musical.ly--it is now known as TikTok--to settle allegations 
that the company illegally collected information on children in 
violation of the Children's Online Privacy Protection Act. You 
said this is the largest civil penalty obtained by the FTC in a 
children's privacy case, but in actuality there really haven't 
been very many. And when you look at the circumstances here, I 
don't think the fine fits the crime.
    You had reports that they were collecting location data on 
children that was discernible to people in the neighborhood. 
They made it very difficult to close accounts. They made it 
practically impossible to complain. They would not delete 
profiles after someone did close an account.
    So, and by the way do you all know the valuation of the 
Chinese company that owns TikTok? ByteDance, as of November 
2018, ByteDance was valued at $75 billion. That means the FTC's 
record-setting fine was 0.0076 percent of ByteDance's value. No 
CEO is going to blink an eye at a fine that inconsequential. 
Companies will just see small FTC fines as the cost of doing 
business and will continue to elevate profits over privacy, 
especially when it comes to our kids.
    Commissioner Chopra and Commissioner Slaughter, you issued 
a joint statement in responses. You said, ``Executives of big 
companies who call the shots at companies that break the law 
should be held accountable,'' I guess personally accountable, 
and the FTC has gone after executives when they have direct 
control and are calling the shots here.
    Commissioner Chopra, why was it important to make that 
statement and is it clear the FTC has the authority to go after 
executives of tech companies for violating privacy laws?
    Mr. Chopra. Well, let me just say that the FTC goes after 
individuals all the time, especially when it comes to small-
time scammers. I do think we need to level the playing field a 
bit and make sure that in our investigations when it comes to 
privacy we are also looking at the role of individuals who made 
the decision that it was worth violating the law in order to 
profit.
    So, I want to make sure that in our investigations we are 
investigating that and we are holding them accountable when we 
have clear evidence of a violation, because you are right. For 
some firms fines are a parking ticket and a cost of doing 
business and we cannot change behavior unless those penalties 
are painful and often that means finding out who at the top 
called the shots.
    Ms. Castor. Commissioner Slaughter, I want you to answer 
that but I also heard you loud and clear on the privacy 
policies. Everyone knows that these notice and consent and 
privacy policies, they are simply not working, and it is 
particularly egregious when it comes to children and parents.
    In COPPA, they are completely inadequate to protect 
children's privacy, and I am worried no matter how much that we 
revise those notice and choice provisions it will not be 
sufficient and companies will find ways to around it to get to 
our children's data without parents fully understanding what 
their children are agreeing to share.
    The one answer was contained maybe in the FTC's 2012 
privacy report that discussed reasonable collection 
limitations, which I understand to mean that companies only 
collect data that is consistent with the context of a 
particular transaction or the consumer's relationship with the 
business. It could also include limitations on sharing, sale, 
retention, and usage.
    Should Congress include a reasonable collection limitation 
section in privacy legislation going forward?
    Ms. Slaughter. Thank you for the question, Congresswoman. 
Let me try to take both of those points quickly, mindful of 
your time. The first is, I agree with your point and my 
colleague's point that fines can't be meaningless to companies. 
If we care about them, they need to be enough to effectively 
both deter specific wrongdoing by that company in the future 
and effectuate general deterrence.
    I would like to make a clarifying point because I have 
heard a couple of Members talk about fines the FTC can levy. 
And just to be very clear, unlike some of our counterparts in 
Europe, we can't independently assess fines. Where we find a 
violation of an order or a rule, we can go to court and seek 
civil penalties and a court could assess penalties and then in 
order to avoid that process, we can negotiate with a company to 
reach an outcome that we think is fair and just. But those are 
negotiated penalties they are not levied fines, and I think 
that is a meaningful distinction.
    And, secondly, the statement that my colleague and I 
released in the TikTok case did go to the question of 
individual accountability, making sure our investigations 
effectively assess where it lies if enforcement is proper, and 
I think we also have to think about the injunctive relief that 
we provide in any particular case. I think about it as sort of 
a multilegged stool, again how to best effectuate specific 
enforcement making sure this company doesn't violate the law 
again, and general deterrence, making sure other companies know 
that if they don't follow the law, the consequences will be 
meaningful to them.
    And then----
    Ms. Schakowsky. We are going to have to wrap. We are going 
to have to wrap it up there.
    Ms. Slaughter. OK, then the short version of your question 
about purpose limitations, I agree. I think they are really 
important.
    Ms. Castor. Thank you.
    Ms. Schakowsky. Thank you. The Chair now recognizes Mr. 
Burgess for 5 minutes.
    Mr. Burgess. Thank you. And thank you all for being here 
for this hearing. This is important. You are an important 
agency and this subcommittee does have an important role to 
fulfill as far as oversight of the important agency that you 
represent.
    So, some other Members have done a good job of articulating 
how for a very large company a fine simply is a cost of doing 
business and it is of no consequence and they are able to pick 
up and move on. I would like to focus just a little bit on 
smaller companies where the ability of the Federal Trade 
Commission to require compliance or even consent decrees may be 
a death knell for that company.
    And a company that comes to mind, a case that has 
interested me for some time, is LabMD. Most of you were 
probably not on the Commission when LabMD became a thing back 
in the--a decade ago. And it has worked its way through the 
courts and, if I understand correctly, the most recent was an 
eleventh circuit court decision that actually put some of onus 
back on the FTC saying you have actually got to define these 
things that you want with what you want a company to comply.
    But, you know, LabMD that case stands out to me as the 
object lesson. Here was a viable business providing a great 
service to the urologic practices that depended upon the 
handling of lab tests and pathologic specimens and now that 
company is gone and it is gone because of a relatively 
arbitrary FTC decision. And then, ultimately, the guy that 
pushed it all the way to the eleventh circuit, really, LabMD 
was not the one that was at fault.
    So, Commissioner Phillips, you have talked about the 
healthcare issue, so assuming that you have some knowledge of, 
even though none of you were on the Commission when LabMD 
started, Chairman Simons said, you know, that the FTC--what was 
the--that you engage in self-critical examination, so what does 
your self-critical examination tell you as far as the LabMD 
case is concerned?
    Mr. Simons. Congressman, thank you for the question. As you 
noted earlier, none of the five of us were here when the LabMD 
case was brought and I do want to reserve judgment on the work 
that others did. But I think your fundamental point is 
absolutely right, which is we need to think and, in fact, the 
statutes that we enforce command us to think very critically 
about remedies and the impact that they have.
    Sometimes more are warranted. Sometimes less are warranted. 
Sometimes injunctive relief may be more important. Sometimes 
fines are more important. We have case law to guide us and we 
also have the benefit of experience. And I think critically 
that we need to learn from our experiences and sometimes that 
may militate in favor of changing what we are doing.
    The Chairman mentioned earlier what we are doing on our 
model orders with respect to testing how well they are working. 
But it can cut both ways, and I think that is something we 
always really need to take into account.
    Mr. Burgess. Well, it is just--and when Mr. Walden was 
chairman of the full committee and we did have--he referenced 
we had representatives from Facebook here discussing things 
with them, a consent decree for a company the size of Facebook 
is inconsequential. It doesn't affect them one way or the 
other. The fine that Ms. Castor referenced to the company with 
a bottom line of 67 billion or whatever it was, that fine is 
inconsequential.
    But for small businesses, the heavy hand of the Federal 
Trade Commission basically can spell the end of their business 
and in this case, unfortunately, it did. But even a consent 
decree, which your consent decrees run a number of years, for a 
company to have to disclose that ``Yes, I want to handle your 
lab specimens. I want to handle your confidential medical data. 
Just so you know, I am under a consent decree from the Federal 
Trade Commission until 2032,'' that probably ends that 
company's ability to render that service. Would you agree?
    Mr. Phillips. I absolutely think that issues like the 
length of consent decrees need to be considered. Commissioner 
Wilson and I recently wrote in a case where the party had 
violated a consent decree in a really bad way, so we agreed 
with the penalty. But one of the things that we said together 
is that experience and law and the facts of the case, not 
necessarily by the way how it is publicly perceived, but the 
facts of the case and the applicable law and our experience as 
the agency ought to guide us in how we apply remedies.
    Mr. Chopra. Dr. Burgess, can I add?
    Mr. Burgess. Sure.
    Mr. Chopra. I want to agree with your sentiment on this, 
which is we need to avoid ever appearing that we are strong-
arming small defendants and letting large ones kind of off the 
hook. I think there needs to be an evenness in this, because 
you are right that even a subpoena can be very, very costly for 
small firms.
    So I take also away that we need to think hard about where 
we are allocating our resources. Are we allocating our 
resources to a lot of small firms or are we really thinking and 
gaining credibility by challenging larger firms who commit harm 
on a wide scale and who have the resources to litigate? Because 
litigation, actually, also gives much more credibility to the 
outcome rather than just sometimes settlements.
    Mr. Burgess. Great. I have a number of other questions. I 
will submit those for the record. I yield back my time.
    Ms. Schakowsky. Thank you. The Chair now recognizes 
Representative Kelly for 5 minutes.
    Ms. Kelly. Thank you, Madam Chair.
    One of the key tools that FTC has used in enforcing privacy 
cases is deception authority, particularly when a company 
hasn't told the truth in its privacy policy. But there is no 
national law that requires companies to have a privacy policy 
in the first place. For instance, a recent report found that 85 
percent of the apps and browser extensions in the Google Chrome 
Web Store didn't have a privacy policy at all.
    Chairman Simons, do you believe it would be helpful to the 
FTC's ability to enforce the law companies were required to 
disclose their privacy practices?
    Mr. Simons. I think this is something that the Congress 
should definitely consider in its consideration of new Federal 
privacy legislation. And what you have just said illustrates 
the imperfect nature and the lack of authority that we have, 
which is that our privacy program is based in large part on 
this deception authority that we have under Section 5, a 
hundred-year-old statute which was never designed or legislated 
with any intent toward privacy issues that we see today 
obviously, so thank you for that.
    Ms. Kelly. You are welcome. Even when a company has privacy 
policies, it practically takes a law degree to understand it or 
is so vague that it is meaningless to consumers. Some have 
suggested that it would be useful to provide consumers with 
clear, concise, and consistent disclosures that would make it 
easy to understand how companies use and share personal 
information.
    Commissioner Chopra, do you think it would be helpful if a 
law required companies to label their privacy practices in a 
way that provided clear and consistent disclosures to consumers 
with wording and pictorial depictions like a 3 and a dollar 
sign if data was sold to a third party?
    Mr. Chopra. Yes. I think better disclosure that is clear is 
always good, but on top of disclosure we have to sometimes 
recognize that users sometimes actually have no choice, you 
know, when it comes to filling out their job application, when 
it comes to enrolling in school, they may not have a choice.
    So I want us to also think about, you know, what are the 
types of terms that maybe should be presumptively unlawful or 
where there is a higher burden to bear or where some data is 
just off limits, because we don't want to disguise ourselves 
into thinking people can meaningfully compare all the time.
    Ms. Kelly. And my next question, is there something else 
that Congress can do to help consumers better understand how 
their data is used? And anyone can answer.
    Mr. Chopra. Yes. Well, I will just add too that when it 
comes to deception we need to also think about dark patterns 
and other tactics that are being used to trick consumers into 
handing over their data. They use complex testing in order to 
nudge you. Often it is almost impossible to figure out how to 
close your account or delete your data and it raises very 
serious questions about whether it may be a violation of our 
deception standard, but more clarity would help.
    Ms. Kelly. OK. Turning to a different subject, I wanted to 
talk about the interception of privacy rights and civil rights. 
Algorithms that profile users and target content to specific 
groups can too easily result in discriminatory practices 
against marginalized communities. For example, investigative 
journalists have found that employers advertise jobs 
exclusively to men on Facebook and also build internal 
algorithms that negatively ranked women for job placement.
    Nearly 2 years ago, the Tech Accountability Caucus, which I 
chair, wrote a letter to Facebook about their discriminatory 
ads that allowed people to exclude housing applicants based on 
protected characteristics like race, gender, and sexuality. I 
am glad that HUD finally took action on this case and that 
Facebook has ceased its practice of racial affinity 
advertising.
    Again, Commissioner Chopra, would it be helpful if Congress 
explicitly applied existing civil rights laws to data privacy 
by, for example, prohibiting discriminatory uses of personal 
information?
    Mr. Chopra. Yes, this is really serious because with 
algorithms and machine learning they essentially allow some 
firms to either knowingly or unknowingly evade our 
antidiscrimination laws. It reinforces biases against rural 
Americans, against people of color, so us to attack what is 
going on behind those scenes is absolutely critical. And, you 
know, no algorithm is going to be free of bias and we need to 
make sure that the digital economy is not reinforcing biases.
    Ms. Kelly. Thank you.
    And, Madam Chair, I just wanted to let you know that 
joining me today are two young people very interested in 
privacy. One is from Tuesday's Children. Her father was a 
retired major in the Army who is now deceased. So they are 
listening in the back attentively to what we are going to do, 
so thank you and I yield back my time.
    Ms. Schakowsky. Thank you. The Chair now recognizes Mr. 
Latta. No, is he not here? Oh, I am sorry. Mr. Walden showed up 
again and I am happy to recognize you for 5 minutes.
    Mr. Walden. Thank you. I sort of snuck in from the other 
hearing. But thank you, Madam Chair.
    And, Chairman Simons, it has been a few decades, but there 
was a time when the FTC, as we heard, was given broad 
rulemaking authority but stepped past bounds of what Congress 
and the public supported. This required further congressional 
action and new restrictions on the Commission.
    In testimony submitted for this hearing, the FTC supports 
APA rulemaking authority for privacy legislation. Do you have 
any concerns with Congress delegating broad rulemaking 
authority to the FTC and would you support limiting that 
rulemaking authority to issues that cannot be foreseen by this 
Congress?
    Mr. Simons. I have substantial concerns and please do not 
do it. Do not give us broad rulemaking authority, give us 
targeted rulemaking authority. Just as--because we are worried 
about what exactly what you have described happening again and 
the agency becoming politicized and we want it, so what we 
really want to have is we want to have the Congress----
    Mr. Walden. Very specific.
    Mr. Simons [continuing]. Come up with bipartisan Federal 
privacy legislation, have it fairly well defined, COPPA is a 
good model, and give us targeted rulemaking authority so that 
we can keep it up to date, make technical changes for 
developments in technology or in business methods. But please 
do not give us broad-based authority.
    Mr. Walden. All right.
    Mr. Simons. The last thing that we want to have is to have 
you dump that question on us, the big, broad question.
    Mr. Walden. Yes.
    Mr. Simons. We would rather have elected officials do that.
    Mr. Walden. You know, and too often when we face a tough 
problem, we do that to agencies. We say, ``Yes, we can't really 
figure this out, so we are just going to give you rulemaking 
authority. You go figure it out.''
    Mr. Simons. Yes.
    Mr. Walden. And then when you do, we object.
    Mr. Simons. Right. Please don't do that.
    Mr. Walden. Because you didn't get it right, even though we 
couldn't figure it out. And so, I think it is, the obligation 
is on our shoulders to be as refined and targeted as possible.
    I guess I have sort of a yes or no question for all of you. 
One of the issues we are wrestling with as the Energy and 
Commerce Committee and looking at something nationwide, do you 
all support a Federal preemption of existing State laws or can 
privacy work on a State-by-State patchwork basis?
    It strikes me the internet, this, you know, some of them 
described with tubes and all that, right?
    Mr. Simons. Right.
    Mr. Walden. It actually crosses borders--who knew? And so, 
I am trying to figure out how it works if we don't do a 
nationwide law. Do you, I mean----
    Mr. Simons. Yes, I share your concerns about the patchwork. 
And I think, you know, the sense of it would be that if the 
legislation is substantial enough----
    Mr. Walden. Right.
    Mr. Simons [continuing]. Then I think it makes sense to 
preempt. But having said that, I also think that even if you 
preempt, you should give enforcement authority to the State 
Attorneys General.
    Mr. Walden. All right.
    Ms. Wilson, what is your guidance on this?
    Ms. Wilson. I agree that preemption is necessary. As you 
note, there are State boundaries that get crossed. There are 
national boundaries that get crossed. Consumers are looking for 
a seamless experience and, frankly, businesses need guidance. 
We have heard examples of bills that have conflicting 
provisions. For example, one State will say this is opt-in and 
another says it is opt-out. And businesses, literally, cannot 
comply with both of those State laws. And so, I believe that we 
do need Federal privacy legislation that contains preemption.
    And I agree with Chairman Simons that the State AGs----
    Mr. Walden. Has to be robust.
    Ms. Wilson [continuing]. Who can assist in enforcing will 
act as a force multiplier as Commissioner Chopra noted.
    Mr. Walden. Yes.
    Mr. Chopra. Mr. Walden, can I----
    Mr. Walden. Well, if I could just----
    Mr. Chopra. Sorry. Well, go ahead.
    Mr. Walden. Yes, we will get to you, but Ms. Slaughter?
    Ms. Slaughter. I am sympathetic to the desire for 
uniformity, consistency, clarity, and predictability in a 
national law. I would be concerned about a Federal law that 
lowered standards that already exist in the States, so I think 
the appropriateness of preemption is best evaluated in terms of 
whether a Federal law meets or exceeds the level of protections 
that States can provide and whether it allows them the 
opportunity to fill any gaps that may remain after a Federal 
law is developed.
    Mr. Walden. OK.
    Mr. Phillips?
    Mr. Phillips. Thank you, Congressman, or thank you, 
Chairman--Ranking Member.
    Mr. Walden. Chairman in exile.
    Mr. Phillips. Yep. No, no, no. I hope I pulled that one 
back quickly enough.
    Mr. Walden. You are all right.
    Mr. Phillips. I think preemption is essential for a few 
reasons. The first is to give businesses the clarity that they 
need and the second is to meet the expectation that we have all 
been talking about, about aligning consumer understanding with 
what is going on. The more variability that you have, the less 
transparency, the less consumer power.
    Mr. Walden. Right.
    Mr. Phillips. The other thing we need to keep in mind is 
competition. Having multiple laws means multiple different 
compliance costs.
    Mr. Walden. Right.
    Mr. Phillips. That is harder for smaller firms, easier for 
big ones. Another thing to keep in mind--I will finish very 
quickly--is international interoperability. We have to consider 
our national interests in cross-border data flows.
    And, finally, with respect to establishing just a floor 
that is a model that we have in HIPAA, and I think Congress 
ought to take a very careful look at how the HIPAA model works 
because the studies show that State HIPAA laws have inhibited 
the roll-out of electronic medical record use. They have 
inhibited innovation, and reduction of costs in the medical 
field, and startups are struggling with this.
    I may be wrong, I may be right. People can take different 
views. But I think that is a very good area to look at the 
data, see what is going on, and see how it would apply here.
    Mr. Walden. Madam Chair, with your indulgence, could our 
final Commissioner weigh in? My time is expired.
    Mr. Chopra. Yes, I just want to make sure I caution you 
that preemption can also have a lot of unintended consequences. 
In Illinois, for example, there is a biometric law. There are 
other laws that may not, may complement and not conflict. My 
own experience in this relates to the mortgage meltdown where 
broad preemption of State mortgage laws clearly wreaked more 
havoc because States that wanted to provide certain safeguards 
to their homeowners had that robbed of them.
    So I think it is important that we just make sure we are 
not making things worse and at the same time----
    Mr. Walden. That is a good point.
    Mr. Chopra [continuing]. Promoting lots of beneficial entry 
into the marketplace.
    Mr. Walden. Yes, I go back to my Jamie Dimon quote that 
said you can overregulate to the point only the bigs can afford 
to comply, and now you have snuffed out competition. So, this 
is why it is hard. We want to get it right for our consumers, 
we don't want to snuff out innovation. So, thanks for all the 
work you are doing there in helping us.
    And, Madam Chair, thanks for your indulgence in this and 
for having this hearing.
    Ms. Schakowsky. I now recognize the chairman of the full 
committee, Mr. Pallone.
    Mr. Pallone. Thank you, Madam Chair.
    Companies are collecting more data than ever and using it 
in ways that most consumers would never imagine. If I download 
a flashlight app, for example, it shouldn't need my precise 
location and it definitely shouldn't then go and sell that 
information to the highest bidder, all without my permission. 
Yet the FTC does not have the authority to enact rules that 
could establish reasonable limits on uses of data and no 
comprehensive Federal law currently exists.
    So I want to start with Chairman Simons. In your testimony 
you support Federal privacy and data security legislation, 
which I appreciate, but some have argued that the FTC has not 
done enough with the authority it has been given. How can 
Congress be sure that the FTC will aggressively protect 
consumers if given new authority?
    Mr. Simons. My mantra is vigorous enforcement, so as long 
as I am the Chairman we are going to vigorously enforce. I will 
have to say also that we have brought lots of cases in this 
area where we can. We have brought about, when you consider the 
full range of privacy authority that we have ranging from 
Section 5 to the FCRA to COPPA to Do Not Call to CAN-SPAM, we 
have brought over 500 cases.
    So I would say we have been pretty active, but our 
authority is limited as you describe, and so, if we get more 
authority, we will need more resources.
    Mr. Pallone. OK. Let me go to Commissioner Chopra.
    How important is it that comprehensive privacy legislation 
set reasonable limits on the way the data can be used such as 
through data minimization and restrictions on selling or 
sharing data beyond the consumers' reasonable expectations?
    Mr. Chopra. Yes, these bright line standards will also be 
easier to enforce. We will not have to go through as much 
extended investigation and also it will make it easier for 
businesses. So I think when you are being affirmative about 
what is inbounds and out of bounds, that is better.
    Mr. Pallone. OK. I am going to go back to the Chairman 
again. Although privacy is an important issue, it is obviously 
not the only critical consumer protection issue within the 
FTC's jurisdiction. And topping the list of the FTC's nearly 3 
million complaints were imposter scams, where a scammer 
pretends to be from the IRS or the Social Security 
Administration or another trusted organization to get people to 
turn over money or personal information.
    Consumers reported losing nearly $488 million in these 
kinds of scams last year. So let me ask you, Chairman, consumer 
education is important but the burden should not fall on 
consumers to stop fraud. So what is the FTC doing to stop these 
scams and prevent them from becoming even more common? I mean 
these are the things that I hear about on regular basis from 
constituents, particularly seniors.
    Mr. Simons. Right. Thank you for that question. There is no 
single fix to this pernicious scam, but so we try to implement 
a multipronged approach. We have substantial law enforcement to 
stop these things from occurring where we can find and sue the 
perpetrators. But we really do think that enforcement along 
with consumer and business education, consumer guidance and 
business guidance are important and so we tackle this on a two-
front basis.
    Mr. Pallone. All right.
    Mr. Phillips. Chairman, may I just add briefly to that?
    Mr. Pallone. Sure, go ahead.
    Mr. Phillips. I really want to thank you for that question, 
in particular for the following reason. You have been talking 
recently a lot about the need for resources. It is important, 
especially as the headlines focus on particular issues with 
which we deal also to consider the ones like scams that don't 
always grab the headlines. That work has always been and should 
remain really important work that we do.
    So when you think about resource questions, I would 
encourage you to consider all the work that all the different 
bureaus at that FTC does and how important they collectively 
are to the national interest.
    Mr. Simons. Yes, can I just say one other thing? The FTC is 
a very busy place. People generally are not sitting down and 
doing nothing. They are all very highly active. They are all 
very highly productive. And so, if we are going to devote more 
resources, for example, to privacy, we would probably have to 
take them away from something like potentially going after some 
of these scams.
    Mr. Pallone. Unless we have more resources, but, believe 
me, I am the last person who thinks that Federal agencies or 
the people that work there don't do anything. I am constantly 
reminding people that they work very hard because oftentimes 
people think that government and politicians don't do anything, 
but, in fact, we all work very hard, or most of us do.
    So thank you again. Thank you, Madam Chair.
    Ms. Schakowsky. Thank you, the gentleman yields back. And 
now I recognize Mr. Guthrie.
    Mr. Guthrie. Thank you, Madam Chair, for the recognition. 
Thank you all for being here. And I will agree with my friend, 
The Chairman, that people in our agencies do work very hard and 
sometimes we need to make sure we give them the right direction 
and how we as the policymakers would like for them to work.
    And one thing that I have been concerned about as we move 
forward and we need to move forward on a privacy bill, I am for 
that, but the one thing I am concerned, I think Mr. Phillips 
mentioned that some of the smaller companies can't deal with it 
as much as some of the bigger companies.
    And so, I have talked about innovation and whatever the 
healthcare or anything here, kind of my common theme is how do 
we keep this innovation that is moving forward. And so, 
Chairman Simons, I believe any Federal bill must ensure all 
companies no matter the size of their compliance department can 
continue to innovate and compete. And what do you think about 
this concern and how should we consider this drafting 
legislation?
    Mr. Simons. So this is a really critical concern, thank you 
for raising it.
    Mr. Guthrie. And any of the others can answer too. I called 
and said your name, but others can answer if they would like 
to, to how we can make sure people can compete, but go ahead.
    Mr. Simons. Yes, so what I was going to say is, so we have 
a dual mission, consumer protection including privacy and 
competition, so we are sensitive, really, to both. And the 
thing that--one of the things that we are very concerned about 
is the situation where, so, for example, if you require opt-in 
for certain kinds of information or maybe even all the 
information, that makes it much easier for high-tech platforms 
that are consumer-facing to get that opt-in. And so, for a new 
company or a small company, it is very difficult to get that 
kind of opt-in and access to that data.
    So that might constitute a very significant disadvantage 
for the small companies and the new entrants and cause a huge 
advantage for the existing high-tech platforms. And, in fact, I 
understand that a high-level competition official from the 
European Union is concerned about this because he thinks that 
business is being pushed by the GDPR to Google and Facebook.
    Mr. Guthrie. That was my next question. So concerned about 
what GDPR, what I have heard what you just said and how we 
guard against that. So I mean, just what you just kind of said, 
if Mr. Phillips or anybody else would like to talk about that 
because that was my next question in light of what we know 
about GDPR what should we be concerned about. And you just 
started going into that, so I wanted to make sure we finish 
that and if some others would like to talk to it as well.
    Mr. Phillips. Thank you. Congressman, I think this is such 
a critical question. The important thing to remember, while a 
lot of this debate focuses on a few very large firms, the use, 
the collection, the monetization of data is endemic in the 
economy. It is everywhere. It is lots of little firms too. And 
I think the most essential thing to do is to go and consult 
with those firms and ask them, ``Hey, how would this look for 
you?'' You know, we want the small businesses to higher coders 
not lawyers. If you have five people and one of them is a 
lawyer, maybe that is not good for innovation and competition. 
So I think consulting with them, asking how the rules apply to 
them, not just the big firms, is critical.
    Mr. Chopra. Yes, I would love to add just two points here. 
I think you are right that we have to think hard about 
competition. And one of the things I worry a lot about it is we 
are seeing a real slowdown in small business/new business 
formation even in the digital economy.
    You know, many venture capitalists, many new firms that are 
starting are saying, you know, ``The big guys actually have 
already taken all the key data. We are never going to catch up. 
We now have to create our business maybe just to sell to 
them.'' That can really distort innovation in our country and I 
am really, I am increasingly worried that our lack of attention 
to this issue is deterring lots of entrepreneurs from wanting 
to challenge those incumbents. So we need to think hard about 
that.
    With respect to GDPR, GDPR uses essentially a principles-
based regulatory scheme. So on one hand that might create some 
flexibility. On the other hand, it can also lead to 
uncertainty. And with bright line rules that actually is easier 
for everyone to comply with rather than huge complexity that 
only the largest firms can lawyer up to figure out.
    Mr. Guthrie. OK. I am going to switch gears real quick 
about something in my home, one of my home industries which is 
Kentucky bourbon. And we have heard from a lot of our 
distillers and people who ship that counterfeiting distilled 
spirits is on the rise both domestically and abroad. I only 
have a few seconds. So this is a problem because consumers 
aren't getting the goods they purchased and counterfeit spirits 
can pose a serious hazard.
    Chairman Simons, can you speak to the FTC's ability to 
monitor and regulate these sales? I know they are through 
websites and it is difficult to do.
    Mr. Simons. Yes, so this type of thing is obviously of 
concern to us. It is a deception. You know, it is 
counterfeiting, like you said. The primary agencies that have 
jurisdiction over this, I think, are actually the Treasury 
Department and the DOJ who actually has criminal authority. So 
I think this is more of an issue for those agencies.
    Mr. Guthrie. OK. Well, thank you very much and my time is 
expired and I yield back.
    Ms. Schakowsky. Now the Chair recognizes Mr. O'Halleran for 
5 minutes.
    Mr. O'Halleran. Thank you, Madam Chair.
    Good afternoon. Now I see it is afternoon and thank you for 
appearing before us today. Your role in protecting consumers 
and competition is critical, particularly in a world where 
innovation and technology is rapidly advancing and consumers 
are faced with navigating the maze of new technological 
developments and regulations. Like my colleagues on this 
committee, I look forward to learning more from all of you 
about this work.
    This week, the FTC is celebrating National Small Business 
Week--I thank you for doing that--acknowledging the important 
contributions of small businesses, their owners, and in our 
communities. As you may know, the 1st district of Arizona is 
home to many small businesses, it is mostly a rural district, 
including mom and pop shops. Many of these business owners are 
located in those types of rural areas throughout the country.
    A critical role of the FTC is to provide consumer education 
and conduct and outreach. These efforts include providing 
practical and plain language guidance on many issues for small 
business owners, many of whom are not up to the speed that the 
larger businesses are. In fact, the FTC has conducted several 
roundtables over the past couple of years to educate small 
business owners on various matters including cybersecurity.
    It is my understanding that the Commission heard many 
concerns from small business owners about data security 
including concerns pertaining to the mobile phones and cloud 
devices. I would like to hear more about these initiatives and 
programs for small business owners and specifically how the FTC 
is tailoring its educational and outreach campaigns to those 
small businesses in rural areas and how to expand it also as 
you move forward.
    I have two questions. I want to start with Mr. Simons and 
then anybody can jump in. I believe these small business 
outreach initiatives are important for the FTC to continue. In 
your view, what more can the FTC do to build upon the work of 
these small businesses' initiatives moving forward?
    And the second question is, as you know, Congress is 
currently considering proposals to include in legislation on a 
range of issues impacting consumer privacy and data security. 
As the FTC considers enforcement actions against corporations 
who violate privacy laws, how does the FTC consider enforcement 
actions against small businesses versus those against larger 
companies? Mr. Simons?
    Mr. Simons. Thank you, Congressman. So let me start the 
last question first. So we have a standard for data security 
that is a reasonableness standard. It is not a one-size-fits-
all and we are very nervous about anyone who would suggest a 
one-size-fits-all standard, because as you can imagine a huge 
company can afford to spend hundreds of millions of dollars on 
its data security because it has so much volume over which to 
spread it and the cost per unit is going to be trivial, right. 
But if you make small businesses do those same types of data 
security measures, they will be out of business. They wouldn't 
even come close to making money.
    So it is really important that we do this reasonableness 
standard, we consider how small the business is, how costly it 
is to provide data security, and what kind of data the company 
has. If it is not very sensitive then you don't worry so much 
about the security, or you don't worry as much and what you 
would expect them to do in terms of data security measures 
would be a lot smaller.
    In terms of the outreach to businesses and consumers, this 
is a critical thing that we do. And people suggest to me 
sometimes that maybe you should divert some resources from that 
to doing more law enforcement, more litigation, for example, 
and I think that is a mistake. We really need to have this 
consumer outreach and outreach to the business community and we 
could do more of it if we had more resources.
    Mr. O'Halleran. Thank you, anybody else?
    Ms. Slaughter. Thank you, Congressman. I would just add 
that I think there are elements of what are in the rules and 
the laws that are important; there are also important questions 
about the application of prosecutorial discretion. When we see 
particular cases, I think it is incumbent upon us to consider 
what is the company that we are considering. How big is it? 
What is its compliance opportunities or costs, and take that 
seriously in making sure that our cases and, more importantly, 
our remedies are carefully tailored to the particular 
defendants we have in front of us; it is not a one-size-fits-
all approach.
    Mr. O'Halleran. Thank you. And, you know, talking about 
smaller businesses for a second, I appreciate what you said 
about the issue, but they also fit into the entire security 
chain and privacy chain and how they blend into that is 
important for the overall security of the process. So it is 
kind of, I worry about both ways, so.
    Mr. Simons. It is a balance you have to strike. You know, 
it is like most things in life, there are tradeoffs.
    Mr. O'Halleran. Thank you, Madam Chair, and I yield.
    Ms. Schakowsky. The Chair now recognizes Mr. Bucshon for 5 
minutes.
    Mr. Bucshon. Thank you, Madam Chairwoman.
    Health information is some of the most valuable data that 
is out there. It is very private, very personal, but also very 
valuable to people. And I was a healthcare provider before. So, 
Chairman Simons, one of the focuses that I will have on a 
privacy bill, how we address health information not covered by 
HIPAA and how does the Commission deal with this type of health 
information now and how should we be thinking through this 
issue when fitness trackers and other health apps are very 
popular and becoming more popular?
    Mr. Simons. Yes, I mean if you are talking about the same 
data that is covered by HIPAA and you are talking about, you 
know, it is really, it is sensitive data, you have to think 
about treating it in a similar manner. And one of the things 
that I think is the real advantage of the Federal privacy 
legislation that you were considering is that it would be 
broad-based and not cabined to particular types of information. 
And so, I think that makes things easier to deal with.
    Mr. Bucshon. Yes, because, you know, there is going to--I 
mean there is real-time glucose monitoring for diabetics, and 
people may not want people to know that they are diabetic and 
that information could be out there, or your blood pressure 
could be high and people may not know. I mean it is going to be 
real important that we figure how we protect that type of 
information, I think.
    Mr. Simons. Yes, I agree.
    Mr. Bucshon. Yes.
    Ms. Wilson, do you have any comments? Commissioner Wilson?
    Ms. Wilson. I agree that the Federal Trade Commission has 
long applied a risk-based approach to the evaluation of privacy 
and the more sensitive the information, the greater the 
protections it deserves. We have taken the same approach with 
Federal legislation, children's information in COPPA, health 
information in HIPAA.
    The gaps that you are mentioning concern me. Emerging 
technologies change the landscape and some of this very 
sensitive information is not currently covered under Federal 
legislation. We can get at it through our Section 5 authority, 
but having guidance at the Federal level would be very useful, 
and so greater authority in that area would help protect this 
information more.
    Mr. Bucshon. Yes, because I mean we have been talking 
about, you know, how you have to click ``agree'' if you want to 
get a certain account, right, and that is probably true with 
devices that now monitor your health, right. And so that will 
be an area we have to look at too. People, you know, broadly as 
you mentioned that people should know if they put on a certain 
device that it may very well transmit health information to 
someone, and it may be in the paperwork and you may just not 
know.
    I will give you a second.
    Ms. Wilson. So I completely agree. I think consumers are 
able to make decisions that are in their own best interest if 
they have information about the choices that they have. But 
there is a lot of consumer confusion right now. There is a lack 
of clarity about what is being done with their data. Greater 
transparency is an imperative.
    Mr. Bucshon. Yes, and even when they know maybe that their 
health information is going to be transmitted, they still 
should have some coverage for the privacy of that like under 
HIPAA.
    Mr. Chopra. I just wanted to add, something that makes this 
even harder is with artificial intelligence and machine 
learning. Even if we don't hand over our health information, 
companies may know our health information based on what we are 
searching in terms of our symptoms, geolocation of where we are 
going. So that is going to make it really difficult when 
formulas and algorithms are determined and it may even know our 
health conditions even if they have not been formally 
diagnosed.
    Mr. Bucshon. Yes, I mean if you have your phone on you and 
you show up at an oncologist's office that tells people kind 
of----
    Mr. Chopra. You have cancer.
    Mr. Bucshon. Yes, and I don't know how we protect that.
    Commissioner Phillips, do you have any comments on this?
    Mr. Phillips. I said earlier that one of the things that 
Congress has done over time is it has looked at areas of 
greater levels of risk and I think this is an area that 
deserves strong consideration, and I think I agree with all my 
colleagues when I say that. The one thing I would add is that I 
do think it is important not just to consider the what in terms 
of HIPAA, but how HIPAA has worked. HIPAA, the studies show, 
has sometimes prevented what can be really pro-competitive and 
pro-consumer technology.
    Mr. Bucshon. Yes, yes.
    Mr. Phillips. You know, you fill out a form every time you 
go to the doctor's office, every single doctor, and the doctors 
can't talk to each other so you have to repeat your symptoms 
to----
    Mr. Bucshon. Oh, I am very well aware of that problem.
    Mr. Phillips. And so, I do think when we talk about HIPAA 
we ought to think about how it is working and how it is not 
working.
    Mr. Bucshon. OK, thank you all, I yield back.
    Ms. Schakowsky. I now recognize Congresswoman Blunt 
Rochester.
    Ms. Blunt Rochester. Thank you, Madam Chairwoman, and thank 
you all for your testimonies. First, before I get into my 
questions about privacy and data security, I want to ask you 
about our seniors who face scams especially through exploited 
practices like gift cards. And today I am introducing the Stop 
Senior Scams Act with my friend and colleague, Mr. Walberg of 
Michigan, who is across the aisle. And this bill is a House 
companion to a bill introduced by Senators Casey and Moran 
earlier this year.
    I know you and your staff are working with the Senators and 
I look forward to working with you further as we consider this 
bill on the House side. And, Commissioners, I just wanted to 
ask briefly if you are seeing a lot of this like on the rise in 
terms of the scams for seniors with these gift cards? If you 
could just briefly and then we will jump into the other 
questions.
    Mr. Simons. This is a big issue for us. You know, we are 
focused very much and have a high priority for scams dealing 
with the senior community. And we put out, we do a whole bunch 
of different things in terms of education. We put out guidance 
that, you know, if it is a gift card it is only supposed to be 
for gifts, right.
    We have a program what we call Pass it On, which is an 
effort to, as one of my colleagues said, be a force multiplier. 
It is to get people in the seniors' community to help other 
people in the seniors community avoid these types of things. So 
this is something we are very focused on and outreach is very 
important in this regard.
    Ms. Blunt Rochester. Great. I look forward to working with 
you on this. I want to shift to the privacy and data questions 
and I want to turn our attention to something that came up 
earlier when Representative Kelly was speaking. I think it was 
Commissioner Chopra who talked about dark patterns and that it 
is gaining a lot of notoriety.
    And I really wanted to kind of focus on this, because for 
those who don't know what it is, and I am going to ask you, 
Commissioner Chopra, to actually share how you would describe 
this. How I have it is, it is a pattern, or for--a dark pattern 
is a website or app design that is intentionally deceptive in 
order to push users into content, products, or even participate 
in data collection activities without their informed consent. 
And I can bet everybody in this room has been a victim to this. 
And even, ironically, if you Google dark patterns, later you 
will probably be affected by this.
    In the privacy space, many of my colleagues have touched on 
similar issues as it impacts consumers, children, and social 
media, but most recently even the IRS Free File had a 
connection to dark patterns. People seeking income-based 
assistance in filing their taxes were potentially steered 
unsuspectingly to products that were neither part of the IRS 
program or were free. And entities like Facebook we hear are--
that they are affected by it, but there are even more out 
there.
    So if you could talk a little bit about this practice. And 
then if you could also talk about what we in Congress should be 
doing to address it.
    Mr. Chopra. Sure. And, Congresswoman, I am not an expert on 
it, but my general understanding is that using various sorts of 
testing and tactics, firms can nudge consumers into choosing 
certain things or deterring them. And one of the, I believe the 
researcher who coined the term also uses the term ``roach 
motel,''----
    Ms. Blunt Rochester. Yes.
    Mr. Chopra [continuing]. Which is that you can check in, 
create an account but it is impossible to get out. And one of 
the things that I hope that we can really modernize some of our 
analytical tools, use different types of economics including 
behavioral economics, to understand how consumers actually can 
be harmed by this.
    I am not positive, to be honest I am happy to answer 
questions for the record about whether our deception authority 
here is enough, but it is very troubling.
    Ms. Blunt Rochester. Yes, I was actually going to ask about 
deception authority, but you said you are not sure.
    One of the other questions, as the more that you all 
talked, when you talked about artificial intelligence, machine 
learning, geolearning, one of the questions I really have is 
from a workforce perspective. Are we in government, do we have 
the skills, the capabilities, the training to be able to be a 
step ahead of what is upon us now? I would love to--yes, 
Commissioner Wilson?
    Ms. Wilson. So I think this is one of the great things 
about the Federal Trade Commission. We do have a history of 
engaging in competition and consumer protection R&D. And 
Chairman Simons, last summer, announced the competition and 
consumer protection hearings for the 21st century, and we have 
held hearings with dozens and dozens and hundreds of 
participants and comments focusing on things like AI and 
machine learning and algorithms and how these affect consumers 
and the kinds of harms that can be created.
    And so, I think we are continuing to learn and to move up 
the learning curve and I think with that learning we can begin 
to identify precisely the resources that we need to fulfill our 
mission of protecting consumers.
    Ms. Blunt Rochester. My time has run out, but I had so many 
questions as well about behavioral research and study, but 
thank you so much for your testimony.
    Ms. Schakowsky. And of course all of the questions can be 
submitted for the record. We hope our witnesses will reply.
    And now let me recognize--oh, Mr. Hudson has arrived. You 
have 5 minutes.
    Mr. Hudson. I thank the chairwoman and thank you to all the 
Commissioners for your time today.
    Chairman Simons, as you have heard today, we are committed 
to protecting small businesses and promoting innovation. Some 
other agencies are using or considering regulatory sandboxes 
for new innovations. Can you explain this concept and whether 
you believe we should consider a similar approach for privacy 
regulations?
    Mr. Simons. So the regulatory sandbox as I understand it--
and thank you for the question, Congressman--is a situation 
where small businesses would be able to--play is not the right, 
I mean that is the analogy--but to get started. And so, for 
example, people have proposed that for small businesses that 
they wouldn't have to comply with like, for example, maybe a 
Federal privacy legislation that you pass in the coming months 
until they get to a certain size.
    And to be honest, I have thoughts positive and negative 
about that. So the positive is it cuts down, clearly, on the 
cost of getting into business and maybe allows people to grow 
that would never get off the ground. On the other hand, if the 
privacy legislation you pass really is protecting people, you 
know, small businesses can get a lot of sensitive information 
and you really worry about that.
    Mr. Hudson. I appreciate that answer.
    Mr. Phillips. Congressman.
    Mr. Hudson. Commissioner Phillips, do you support the use 
of regulatory sandboxes and what are the barriers you see to 
doing something similar like this?
    Mr. Phillips. So I think it is something very much worthy 
of consideration, but I want to add something and this may be 
my mistake, but I have a slightly different understanding of 
how at least internationally some of these regulatory sandboxes 
at working.
    My understanding is and it may be how you structure it, it 
isn't necessarily just a shield for liability for small 
businesses, it is an opportunity maybe where the law is gray or 
something that is close to the line where under the supervision 
of the regulator the business can undertake an innovative thing 
that might be legally questionable. This is something they are 
pioneering in the United Kingdom right now on privacy. It has 
been utilized in the financial space.
    I do think consistent with and as a parent of small 
children allowing your kids to play in the sandbox that 
supervision is key, but I do think it is an opportunity to 
test, you know, where are there maybe some pro-competitive 
impacts to the conduct. The Chairman is a hundred percent right 
that small businesses can present risks just like big 
businesses can. It is a question of how you structure it. But 
there are some, really, examples out there that I think you 
should consider.
    Mr. Hudson. Great. I appreciate that.
    Chairman Simons, as you know there are many other 
industries across the United States that are subject to various 
privacy laws. Some of the most familiar are the Health 
Insurance Portability and Accountability Act for the healthcare 
industry; Graham-Leach-Bliley for financial services. Do you 
believe the FTC would have to exercise concurrent jurisdiction 
with the other Federal agencies to implement a national privacy 
law and, if so, how would you recommend we do that?
    Mr. Simons. Well, I think it depends on what you pass, 
right, so you could pass a law that says yes or says no to that 
question. And also I think it depends on, you know, how much, 
you know, what you put in the law in terms of whether as a 
result of that whether you want to make, you know, what is now 
covered by HIPAA covered by your new privacy legislation or 
some of these other things, whether you want to fold that in or 
not. So it is kind of hard to say in a vacuum.
    Mr. Hudson. But if we follow that example, you know, how 
would we implement that, the HIPAA example?
    Mr. Simons. Oh, so you mean if you had these jurisdictions?
    Mr. Hudson. As far as agencies going to work together.
    Mr. Simons. We would just have to coordinate to make sure 
we don't step on each other. I mean we have lots of that. Like, 
for example, the FDA and the FTC are regulating, you know, 
drugs in different ways, but it is the same drug, you know, so 
that kind of coordination is common.
    Mr. Hudson. Got you.
    Bouncing back to Commissioner Phillips, a difficult piece 
of this privacy discussion is the sharing of consumer data and 
downstream misuse. We know sharing information offers great 
benefits, but once a company shares that information, we see 
misuse from companies two or three steps down the supply chain.
    How does the Commission approach this issue and do you have 
any recommendations on this point for a Federal bill?
    Mr. Simons. I think looking at the supply chain and 
understanding the full scope of companies involved in the use 
of data, which is breathtaking, right, in its scope, is 
critical. We need to understand how the data are being used. We 
also though need to understand that the point at which the 
consumer interacts with the company is a very critical point 
for transparency and things like that.
    Mr. Hudson. Thank you.
    And, Madam Chairman, my time is about up, so I will yield 
back. I thank the Commissioners.
    Ms. Schakowsky. The gentleman yields back.
    I understand there is some desire by the panel of witnesses 
for a short break. I understand that, so let's make a maximum 
of 5 minutes and let--and then they will come back, OK. Or 
maybe Members as well would like to take that moment.
    [Recess.]
    Ms. Schakowsky. The committee hearing will resume and I 
will recognize for 5 minutes, Mr. Lujan.
    Mr. Lujan. Thank you, Madam Chair.
    Commissioner Slaughter, rapid advancements in technology 
have transformed the way that companies use personal data. In 
just over a decade, we have moved from a world of desktop 
computers to one where each of us has devices always on, it 
seems always collecting data about everything we do and 
everywhere that we go. It is vital that the FTC keep current on 
new technology and train its staff on emerging consumer 
protection issues.
    Despite the often-technical nature of privacy and security 
matters, the FTC has only five full-time staffers classified as 
technologists. How do technologists help the staff attorneys on 
privacy and data security cases?
    Ms. Slaughter. Thank you for the question, Congressman. 
Technologists are extremely important. When we need to 
understand the material with which we are working in any 
particular case, and the more highly technical the field, the 
more highly technical the practices that we are investigating, 
the more we can benefit from the experience of a technologist. 
I think, I routinely try to rack my brain to think of cases we 
have encountered not just in the privacy and data security 
area, but across our mission in competition and consumer 
protection that don't involve some technological element and it 
is very difficult for me to think of any.
    Mr. Lujan. What role do technologists play in helping 
identify cases where someone might have violated the law?
    Ms. Slaughter. I think they can play an extremely valuable 
role. I mean we, our case identification comes from consumer 
complaints, it comes from press stories, it comes from 
experience of staff who identify issues, and technologists can 
apply a level of expertise to picking out technological-
specific issues that might not necessarily occur to an attorney 
independently.
    Mr. Lujan. Commissioner Slaughter, do you know how many of 
the five technologists the FTC has work on privacy and data 
security enforcement?
    Ms. Slaughter. I am not actually entirely sure how to 
answer that direct question, but to the extent that you are 
suggesting that five technologists is not a lot for the scope 
of the work that we are obligated to do in privacy and data 
security, I agree that we could benefit from a lot more 
technological expertise.
    Mr. Lujan. Chairman Simons, do you know how many of the 
five technologists work on privacy and data security 
enforcement?
    Mr. Simons. My understanding is that one----
    Mr. Lujan. Your microphone, please.
    Mr. Simons. My understanding is that at one point or 
another they all do.
    Mr. Lujan. Are there enough technologists for the FTC to do 
their work?
    Mr. Simons. We could certainly use more. And what we do 
with them, actually, is so they do original research. They also 
educate our lawyers, so it is kind of a bit of a force 
multiplier. And in addition, they serve another very important 
function is where we don't have internal resources sufficient 
to help us with our cases, they identify experts for us outside 
the agency who we can then hire on a contract basis.
    Mr. Lujan. And one specific question to all the 
Commissioners, do you agree that it would help the FTC's 
enforcement activities if there were more technologists working 
directly with staff attorneys?
    Mr. Simons. Yes.
    Mr. Lujan. Yes?
    Ms. Wilson. Yes.
    Ms. Slaughter. Yes. We put an economist on every case that 
we consider both competition and consumer protection. I think 
we could benefit from technologists too.
    Mr. Phillips. Congressman, yes. But I just want to 
reiterate a point that the Chairman made, which is the use of 
outside experts. The thing about technology is, there is a lot 
of it, and a lot of it is different. If you bring someone on 
permanently, they may have expertise in a given area, but if 
you use the money to hire on a case-by-case basis, you can be 
more tailored, more efficient, and look at more different kinds 
of technology.
    Mr. Lujan. Just as long as those experts don't have a 
conflict of interest with the space you are playing in?
    Mr. Phillips. Oh, of course you want to avoid conflict of 
interest in hiring outside folks.
    Mr. Long. Commissioner Chopra?
    Mr. Chopra. Yes, I agree with Commissioner Slaughter 
completely.
    Mr. Lujan. Appreciate that.
    Mr. Chairman, the last several FTC Chairs have appointed a 
chief technologist to advise the Commissioners on significant 
policy issues involving new technologies. You have now been in 
charge of the agency for more than a year at a time when the 
FTC is addressing some of the most significant privacy and data 
security issues in the agency's history, and yet you have 
chosen not to appoint a chief technologist to assist you on the 
Commission. Why not?
    Mr. Simons. Well, that was one of the first things I looked 
at upon becoming Chairman. And what struck me right out of the 
box was that the chief technologist is appended to the 
Chairman's Office in a kind of unusual way in the 
organizational chart. The chief technologist had no direct 
reports, no infrastructure for him or her, no staff. They 
weren't directly connected to the staff of the Bureau of 
Consumer Protection or the Bureau of Competition, and so that 
struck me as an odd organizational structure.
    And so, I talked to people in the Bureau of Competition and 
Bureau of Consumer Protection. The Bureau of Consumer 
Protection has its own technologist staff called the Office of 
Technology Research and Investigation. That is where the five 
technologists are housed. That group works extremely well with 
the people in the Bureau of Consumer Protection and they were 
going to be very upset if I moved those people out.
    I was thinking about creating a Bureau of Technology. So 
rather than do that we created a technology task force in the 
Bureau of Competition which is going to have a technology 
fellow. And I have transferred the FTE from the chief 
technology officer to the technology task force in the Bureau 
of Competition so we have more boots on the ground in terms of 
dealing with these investigations that we are conducting.
    Mr. Lujan. But still very clear that more technologists 
would be of beneficiary, especially with the numbers that I 
shared earlier, 500 million, 148 million, 87 million just to 
name three examples.
    Mr. Simons. Yes.
    Mr. Lujan. Thank you for the time, Madam Chair.
    Ms. Schakowsky. Thank you and now I recognize Mr. 
Gianforte.
    Mr. Gianforte. Thank you, Madam Chair.
    And thank you for being here for this important topic. Last 
week, we had another subcommittee hearing on robocalls. And 
Montanans are getting bombarded with robocalls and they are 
sick and tired of them. One constituent in my district got a 
call from her little brother. Unfortunately, her little brother 
had died of a heroin overdose a couple of months earlier. This 
was a terrible situation for her and nobody should really have 
to go through this. This has to end.
    I am just curious, Mr. Chairman, what is the Commission 
doing to stop robocalls like these?
    Mr. Simons. Yes, thank you for that question. And, first of 
all, this is an issue for domestic tranquility in my own 
household. This is, to me, when I was coming into office this 
was probably the most important thing at least in that my wife 
was telling me about and then lots of other people too, and it 
is such an incredible inconvenience. And worse than that it is 
not just an inconvenience, it often leads to fraud.
    So our Do Not Call rule has been overcome by technological 
advances and so we have to find other ways to do it and we are 
proceeding on multiple fronts. We still continue to bring 
significant enforcement actions to shut these people down who 
are doing these robocalls; we coordinate with the FCC. And the 
other thing that we would really like help from you in the 
Congress is to give us jurisdiction over common carriers, 
because there are some common carriers that cater to this 
robocall traffic, particularly the traffic that originates from 
overseas. And if we had the ability to go after these common 
carriers, we could, I think, put a significant dent in these 
robocalls.
    Mr. Gianforte. OK. We have the situation where these 
robocallers, if that is a noun, masquerade as local numbers.
    Mr. Simons. Yes.
    Mr. Gianforte. Would this common carrier authority allow 
you to go after those individuals and that behavior?
    Mr. Simons. Yes, in the sense that we could identify the 
carriers that are facilitating the robocallers and just stop 
them from, like in the case of the foreign ones stop them from 
entering the U.S. telephone network at the outset.
    Ms. Slaughter. Can I just jump in there, Congressman, and 
add that----
    Mr. Gianforte. Yes, Commissioner.
    Ms. Slaughter [continuing]. I think the Chairman referenced 
how technological innovations have overtaken us and you 
mentioned this neighborhood spoofing problem. I think it is 
also worth Congress considering whether not just enforcement 
should be applicable to common carriers, but whether there 
should be more onus placed on the cell phone carriers in the 
first place and more responsibility placed on them to stop some 
of this traffic that goes over their network, I think, in the 
first instance even before you consider the enforcement on the 
back end.
    Mr. Gianforte. OK, thank you.
    Commissioner Phillips, my understanding is that when the 
FTC seeks to recover ill-gotten gains from any entity that has 
violated FTC competition rules, the Commission seeks to recover 
the profits from the unlawful act. Is that correct and can you 
briefly explain how the Commission calculates ill-gotten gains?
    Mr. Phillips. Do you mean in the competition context?
    Mr. Gianforte. Yes.
    Mr. Phillips. Yes, and thank you for that clarification. So 
let me give a little context and then give you the answer. The, 
traditionally, three things that we have considered in the 
context of whether to pursue ill-gotten gains disgorgement in a 
competition case include whether the rule is clear, so whether 
it is serving that deterrent function that we want it to; 
second, we consider is there a reasonable basis to calculate 
it, and I will talk about how we have and, in fact, how it 
applied in a case that I mentioned earlier; and third, we 
consider whether there are other ways of remediating the issue, 
so civil lawsuits and things like that also being out there.
    In the AbbVie case, which is a good example, what we did a 
lot of, you know, hard economic or like a lot of measurement to 
determine what they were making relative to what they would 
have been making without the anticompetitive conduct. In that 
case it was a sham litigation keeping drugs off the market. And 
so that is the differential at which we look, you know, what 
you made and what you would have made without doing the thing 
you weren't supposed to do.
    Mr. Gianforte. OK, thank you.
    Chairman Simons, I am concerned with legislating for the 
sake of legislating and seeking to solve a problem that may not 
exist. I believe any Federal privacy bill must focus on 
specific harms. You talked to this earlier. Can you elaborate a 
little bit on why it is so important we focus on privacy harms 
to consumers in our attempt to legislate in this area?
    Mr. Simons. I mean I agree with you completely. Thank you 
for that question that if it ain't broke, don't fix it. And if 
you are going to, you know, you only want to create legislation 
for things that are causing problems and you have a fix for it. 
So in the privacy sector, however, the harm, I think, is very 
tricky and that is one of the reasons that we--and also with 
data security one of the reasons we need civil penalty 
authority, because it is hard to measure in any kind of 
precise, quantitative way if you are talking about, you know, a 
monetary relief.
    And so, because of that factor you really need to do civil 
penalties and you need to think about is there a harm like a 
privacy invasion or something like that which is not 
monetarily--you can't--it is hard to quantify but it is still a 
harm. People, it still bothers people. It still, it can lead to 
other problems.
    Mr. Gianforte. OK, thank you.
    On that I yield back, Madam Chair.
    Ms. Schakowsky. Thank you and I now recognize Mr. Soto for 
5 minutes.
    Mr. Soto. Thank you, Chairwoman.
    I think it is safe to say at this point that the internet 
is integral to our daily lives and has been for over 20 years, 
which is why it is so shocking that there hasn't been a single 
law to regulate internet privacy directly during that time and 
beforehand. So it is my belief that the biggest threat to 
internet integrity is congressional inaction. We see a 
patchwork of statutes, 1914, FTC Act creating your Commission, 
who would have thought that President Woodrow Wilson would have 
such an influence on the internet? 1986, Electronic 
Communications Privacy Act to protect communications; also 
1986, Computer Fraud and Abuse Act. 1998, Children's Online 
Privacy Act, which was referenced by Congresswoman Castor. 
2003, the CAN-SPAM Act to protect us against unsolicited 
emails.
    Most of these predate the internet and pretty much all of 
them were created when dial-up was still the form of getting on 
the internet. So I just want to make a statement to say that 
you know, you all are charged with a really impossible task. 
You have to interpret these isolated moonstones to come up with 
this comprehensive privacy regime because Congress hasn't given 
you direction on it.
    So thank you for doing what is nearly impossible to do, 
which is regulate privacy without laws to directly do that. 
Even the courts have filled in the gap with Carpenter v. U.S. 
establishing cell phone privacy.
    So, Madam Chairwoman, I hope that we will out of this 
committee be able to develop some key protections, making sure 
that companies have a duty of care, a duty to protect civil 
rights, and a duty to protect privacy. And that the penalties 
will be sufficient so it is more costly to pay for a breach 
than it is to pay for sufficient cybersecurity investments.
    Second, I hope that we establish that Americans have a 
right to control their information, a right to stop the use of 
their information if they choose so, and if they do, companies 
should have a right to charge for their services. And third, 
waivers should be put in plain language. I want to get out how 
we are determining damages. We heard a little bit of that 
discussion before.
    I have read in the paper that there may be a fine against 
Facebook between 3 to 5 billion dollars. Chairman Simon, what 
is the total amount of that fine?
    Mr. Simons. Oh, I am sorry, Congressman, but I can't talk 
about an ongoing nonpublic investigation.
    Mr. Soto. What factors do you generally utilize in 
determining those types of damages?
    Mr. Simons. So you would look at the prior conduct, the 
culpability, the ability to pay, and the deterrent effect.
    Mr. Soto. Commissioner Chopra, if it was at the upper end 
of $5 billion, do you think that would be a sufficient 
deterrent for the activities complained of?
    Mr. Chopra. I think it is not appropriate to comment on 
that. Obviously, deterrence is important. When it comes to 
violations of our rules, violations of our orders, nothing can 
be the cost of doing business.
    Mr. Soto. Turning to the TikTok settlement that 
Congresswoman Castor talked about, Chairman Simon, what were 
the factors utilized in determining that fine?
    Mr. Simons. I believe the ones I articulated.
    Mr. Soto. And----
    Mr. Simons. And the other thing too is that you know, this 
is a negotiation that resulted in a settlement. And we also 
have to take into account what the likely outcome would have 
been in court and if we couldn't have done better in court, 
then it makes sense to settle. And that is one of the issues 
that we face kind of generally is that historically the civil 
penalty awards have been quite low and so one of the things we 
are thinking about is a way to get them generally raised on 
average.
    Mr. Soto. So that is something else this committee has to 
work on then is to make sure that the civil penalties are a 
sufficient deterrent.
    Commissioner Slaughter, was the TikTok settlement a 
sufficient deterrent for on the behavior complained of?
    Ms. Slaughter. The statement that Commissioner Chopra and I 
put out in connection with that settlement explained that the 
investigation and, really, most of the negotiation of how to 
resolve that case took place before this slate of Commissioners 
was constituted. And it is very difficult for us, I think as a 
general matter, to look back without having been part of a 
conversation to discuss it, so we were focusing on in the 
future whether it is--not whether--that it is important that 
our investigations, including of large companies, really ask 
all the questions that we need to determine where liability 
properly lies.
    Mr. Soto. Thank you for that. I want to turn to identity 
theft. We see in our notes 444,000 complaints of identity 
theft. Chairman Simons, do you know the cost to the economy or 
the loss to the economy that identity theft on the internet 
poses currently?
    Mr. Simons. I think the average is about $150 per person.
    Mr. Soto. And so, do you have an overall figure for that or 
do we have to multiply it by 330 million?
    Mr. Simons. I don't other than it is quite large.
    Mr. Soto. OK, thanks. And I yield back.
    Ms. Schakowsky. The gentleman yields back and now I ask Mr. 
Carter for his 5 minutes.
    Mr. Carter. Thank you, Madam Chair.
    And, Mr. Simons and Commissioners, thank you for being 
here. This is an extremely important subject as you well know 
and we in Congress are depending on you and we are relying on 
you to help us through this because it is something that we 
want to get right. And it is certainly something that our 
constituents and the citizens of our country need to have right 
and to be done by right.
    Mr. Simons, I want to ask you, where in the current law, 
where does the FTC's ability to enforce privacy or where does 
it end? I mean, you know, I have heard you say before that the 
FTC is the cop on the beat when it comes to privacy and I 
understand that. But, you know, where does your authority end 
at this point or under current law?
    Mr. Simons. Right. Thank you for that question, 
Congressman. So, our general Section 5 authority comes from 
that hundred-year-old statute which was not designed, for sure, 
to deal with this kind of issue, so I credit my predecessors at 
the FTC for basically inventing a privacy program out of 
Section 5. I think they did a terrific job with the material 
they had available on them and it is based largely on a 
deception authority.
    So we started out by saying you should have a privacy 
policy at your company and then if you divert from it then that 
is a deception and we can hold you accountable. And then we 
expanded that to include, for example, things that look like 
privacy torts at common law and we cover those under 
unfairness. But in terms of the general privacy authority, not 
including FCRA or COPPA or whatever, this is really it and it 
is pretty narrow.
    Mr. Carter. So you would agree that something more would 
help?
    Mr. Simons. Yes. I mean that is why we are encouraging the 
Congress to adopt privacy legislation.
    Mr. Carter. OK, and not only for that reason, but I mean, 
if we look at the other laws that are being proposed like in 
California and Europe, you know, here we have a situation where 
we really need something to be preemptive particularly in the 
case of what is being offered in California.
    I mean it is very important that the Private Right of 
Action that is being proposed in California that that would be 
an additional punishment on top of the FTC action as I 
understand it. And certainly, we don't need plaintiffs' 
attorneys to be involved in this. We need the FTC to be the cop 
on the beat as you describe them.
    Mr. Simons. Yes. I think what I have said before is that we 
should be the enforcer of that legislation that you are 
considering and you should allow the State Attorneys General to 
enforce as well, just as they do in lots of other areas in 
conjunction with us. They are a terrific partner and I would 
strongly recommend that.
    Mr. Carter. So you have the ability and you do take action 
on fining certain--and posing financial penalties. How do you 
come about--how do you come up with that? I mean how do you 
determine how much that is?
    Mr. Simons. Well, it depends on the case that is involved. 
And just to be clear, we don't actually have any fining 
authority ourselves like our counterparts do in Europe. We 
would have to go to court, actually, to get a fine paid unless 
it was pursuant to a consent settlement.
    Mr. Carter. OK, so you have to go to court, so you have to 
justify it in court as to why you think it should be that much?
    Mr. Simons. Yes, so that is the limiting factor in all of 
this. Anytime you are thinking about a settlement, if the 
settlement gets to a point where you say to yourself, ``Gee, we 
probably cannot do nearly as well as this, or maybe we could do 
just about as well as this in litigation, but the litigation 
has lots of risks,'' so when you get to that point then you 
really should settle. I mean that is the appropriate thing to 
do. Otherwise, if you are just going to go to court and 
irrespective of the settlement, then that really becomes almost 
unethical or potentially harassment.
    Mr. Carter. So when the financial penalty is imposed where 
does it go?
    Mr. Simons. So specifically for a civil penalty that would 
go to the Treasury, so that would be for an order violation or 
like in COPPA we have civil penalty authority. That would apply 
there. With respect to our 13(b) authority where we go in and 
get injunctive relief and we get consumer redress that gets 
disbursed to the consumers.
    Mr. Carter. OK. Well, you know, again I would look at this 
as being a tremendous opportunity for us as Members of Congress 
to work in a bipartisan fashion to come up with something that 
would benefit everyone and certainly, you know, would benefit 
citizens. And if I get input of any kind, certainly privacy is 
one of the things that is on top of the list. I mean 
constituents are consistently telling me, you know, we need 
this. We need this. And this is something, you know, we don't 
want to stifle innovation or anything, but we do need our 
privacy protected.
    So thank you very much and thank all of you for your work 
on this, and I yield back.
    Ms. Schakowsky. The gentleman yields back and now I 
recognize Mr. McNerney, patient Mr. McNerney, for 5 minutes.
    Mr. McNerney. Well, I thank the chairlady. And one of the 
problems of being last is that all the questions I wanted to 
ask have already been asked, so forgive me if I am repetitive 
here.
    But Pete Olson, my Republican colleague Pete Olson, and I 
are cochairs of the AI Caucus, and one of the areas that I am 
interested in is algorithmic biasing and data biasing. And we 
have discussed that a little bit already, but I know that the 
FTC has had a couple of hearings focused on AI and there was a 
report entitled, ``Big Data: A Tool for Inclusion or 
Exclusion.''
    Chairman, what steps is the FTC taking today to protect 
consumers from potential harm and bias in AI algorithms and----
    Mr. Simons. This is something we look at carefully and is a 
priority for us. We had a recent case, actually, involving a 
company that does background screening using algorithms and the 
algorithms improperly associated people with criminal records. 
So we got them to fix their algorithms, this is a form of AI. 
So this is something we are looking at. It is real.
    Mr. McNerney. Well, you don't have any authority over 
algorithms and decision making on lethal use of force, say, in 
law enforcement, do you?
    Mr. Simons. I don't think so. I mean anything that is 
criminal we wouldn't have jurisdiction over.
    Mr. McNerney. OK. Is the agency developing any guidance or 
educational tools to help address the problem?
    Mr. Simons. I think we have business outreach that suggests 
that businesses think about these types of issues as they are, 
you know, and they look for biases and the results of their 
algorithms in AI.
    Mr. McNerney. Well, I know that Mr. Lujan asked a similar 
question regarding the importance of technologists. Is the 
Commission planning on hiring technologists in the AI field 
specifically for bias?
    Mr. Simons. We don't have a specific plan to do that unless 
we get more resources. But what we do in the interim is we use 
our existing technologists on our staff to do outreach to the 
technology community and to talk to experts, to have 
conferences, and to help them educate our staff.
    Mr. McNerney. But are there any other AI potential harms 
that the FTC is considering besides biasing?
    Mr. Simons. There probably are, but I just, you know, I 
can't think of it, as I said.
    Mr. McNerney. Anyone else on the Commission?
    Mr. Chopra. Sure, Congressman. One other area we think 
about with respect to artificial intelligence is in our work to 
enforce laws against anticompetitive conduct. Sometimes 
algorithms and AI can help online sellers collude on price. It 
can lead to, you know, other anticompetitive conduct, and we 
are thinking about this across the agency.
    Mr. Simons. Yes, one thing about that that is interesting 
is if AI allows companies to tacitly collude more easily that 
might be a justification for more aggressive merger enforcement 
in industries where that is occurring.
    Mr. McNerney. Chairman, does the Commission have the 
authority to structure civil penalties to be meaningful to 
large companies without devastating small companies? Do you 
have that authority?
    Mr. Simons. Yes. We have flexibility in that regard.
    Mr. McNerney. OK, so you don't need any congressional 
legislation or anything like that.
    Mr. Simons. Not to deal with the flexibility issue.
    Mr. McNerney. Thank you. I understand the agency held 13 
hearings to evaluate practices of both Competition and Consumer 
Protection Bureaus. I know you are still in the process of 
receiving comments, but I do have a series of questions about 
these hearings especially because I know these hearings took up 
a significant amount of the resources and the Commission has 
limited resources.
    Can you give me the top three takeaways from these 
hearings? What is the basis of what you have learned?
    Mr. Simons. So one of the things we learned is that merger 
retrospectives are really important and we got a lot of good 
testimony on that and that is something we really need. And if 
we got more resources that is one of the things we would do, 
and in particular merger retrospectives as relate to vertical 
mergers. That was highly recommended.I don't think really that 
is the literature, the literature on merger retrospectives is 
much greater on horizontal and is much less on the vertical 
merger side. So that was one.
    With respect to privacy and data security, we got a lot of 
feedback that we really do need civil penalty authority, that 
we need targeted rulemaking, and that we need jurisdiction over 
common carriers and nonprofits.
    Mr. McNerney. I mean a little schizophrenic about 
rulemaking, I mean you want the rulemaking to be targeted----
    Mr. Simons. Yes.
    Mr. McNerney [continuing]. But you don't want it to put you 
in a bind as well, so I understand that.
    Mr. Simons. No, so we would like--at least my view is that 
these privacy issues involve very serious and significant 
societal and cultural value judgments, and those should be made 
to the greatest extent possible by elected officials and not 
people who are unelected. So our view is that--my view is that 
you should make those judgments.
    And we are happy to help you make them. We are happy to 
work with you. We are happy to provide analysis of the 
tradeoffs that any particular piece of legislation may present. 
But, you know, at the end of the day, our view is that Congress 
should do that and we should have authority to do rulemaking 
that allows us to keep the whatever you pass up-to-date and 
consistent with new technology and new business methods.
    Mr. McNerney. Thank you. Thank you, Chairwoman.
    Ms. Schakowsky. The gentleman yields back. And, Mr. 
Cardenas, you are recognized for 5 minutes.
    Mr. Cardenas. Thank you very much. Thank you very much, 
Madam Chairwoman, for having this important hearing with the 
FTC. My question to the FTC is that in 2018 FTC cases resulted 
in a total of about $2.3 billion in refunds for consumers who 
lost money to frauds and other unfair or deceptive practices. I 
commend you for doing that especially when you look in light of 
the overall budget for FTC is about $300 million per annum. But 
recent Federal court decisions put the FTC's power to get 
compensation for consumers at a serious risk, particularly in 
cases where the company has stopped violating the law. For 
example, my question is can one of you explain how these 
decisions limit the FTC's authority under Section 13(b) of the 
FTC Act?
    Ms. Wilson. Sure, so this is a critical issue, thank you 
for raising it, and it is why I addressed it in my opening 
statement that the issue is that the third circuit has recently 
put in place a standard that would enable us to go after 
conduct in courts only if the conduct is ongoing or imminent.
    And so, if in the course of an investigation a defendant 
halts the conduct that we are challenging, say, a fraudster 
stops defrauding people or an advertiser suspends dubious 
advertising claims, then we are unable to go after that conduct 
under the third circuit standard unless we are able to show 
that it is imminent. So even if the fraudster has engaged in 
fraud in the past but is not doing it at this moment, unless we 
can prove that it is imminent, we can't reach it.
    And this is a serious question that has been raised about 
the scope of our authority. We believe that this flies against 
a long line of cases saying otherwise, but we would appreciate 
clarification from Congress on the scope of our 13(b) 
authority.
    Mr. Cardenas. OK, thank you.
    Chairman Simons, how serious of an issue are these 
decisions for the FTC's enforcement of Section 5?
    Mr. Simons. So if they were to become the law of the land, 
so to speak, this would be highly problematic for us. I think 
it would basically destroy our fraud program. We wouldn't be 
able to recover consumer redress----
    Mr. Cardenas. Fraud as in protecting the consumers, 
protecting the people of America.
    Mr. Simons. Yes, like you referenced to whatever it was, 
the 2.3 billion or whatever, we wouldn't be able to recover 
that if these cases became law.
    Mr. Cardenas. OK. What do these cases do to the FTC's 
ability to make consumers whole?
    Mr. Simons. They really just take it away.
    Mr. Cardenas. OK, so basically the FTC in this as what we 
are talking about at the moment is actually helping the 
American people set something right, so the FTC is actually a 
part of that.
    Mr. Simons. Yes, absolutely.
    Mr. Cardenas. OK, so Congress could write clarifying law, 
right, that that is what Congress hopefully should and will do.
    Mr. Simons. Yes, we would love for you to do that.
    Mr. Cardenas. Yes. Hopefully I can talk to some 
congressional Members and we will do that.
    Mr. Phillips. Congressman, could I add just one thing to 
that?
    Mr. Cardenas. Yes, please.
    Mr. Phillips. And I absolutely agree with my colleagues 
that clarifying longstanding precedent on the impact of 13(b) 
is essential. I want to add another thing. Next year the SAFE 
WEB Act is going to expire. This is an essential tool that we 
use to work with our partners abroad to do cross-border 
consumer protection including privacy enforcement. I think it 
is a no-brainer and you ought to consider that as well.
    Mr. Cardenas. Thank you.
    Mr. Chopra, do you have anything to add to that?
    Mr. Chopra. I agree with my colleagues completely.
    Mr. Cardenas. Good. That is great. Appointed by Democrat 
and Republicans and you all agree on this issue. Good, good, 
good, good.
    So when it comes to made in the USA, my time is limited so 
I will cut to the point and the question. I am concerned that 
the FTC settled on some cases for no money without so much as 
an admission of liability and some defendants effectively 
cheated consumers and got away with little more than lying 
about products being made in America. That obviously has a 
value on the streets of America. I personally love to buy made 
in America products.
    But for someone to actually lie about it when they make the 
product, put it out to market, and then for there not to be any 
way of them having to pay a price for doing that for duping the 
American people, Chairman Simons, where are we at with that?
    Mr. Simons. Yes, so historically for decades that has been 
the approach that the Commission has pursued in these made in 
the USA cases. They have only got injunctive relief. But we are 
now going to hold a workshop and look at what we need to do in 
terms of beefing up our remedies.
    Mr. Cardenas. So hopefully FTC will come out with a more 
aggressive, appropriately aggressive stance when it comes to 
people lying about made in America.
    Mr. Simons. That may very well be the outcome of the 
workshop.
    Mr. Chopra. Just like in privacy legislation where you are 
thinking about civil penalties to deter this conduct, Congress 
gave the FTC the power to activate penalties for made in USA 
violations 25 years ago. We have not yet turned that switch on 
and I hope that we can explore and potentially turn that switch 
on, because we need to deter this and put a stop to it, because 
this absolutely harms every single honest manufacturer in 
America who makes goods here at home.
    Mr. Cardenas. Yes.
    Ms. Wilson. If I could add one point, the cases that have 
been reported on this issue were decided and settled between 
staff and the parties before this slate of Commissioners 
arrived, and as Chairman Simons noted in his statement, when 
the settlements were first announced. We do intend to look at 
this policy going forward, but the decision of many of the 
commissioners was to not upset the work that had already been 
done by staff in the previous slate of commissioners, but to 
look at this going forward.
    Mr. Cardenas. Madam Chair, if I can have 5 seconds.
    If someone is willing to lie boldface about made in 
America, I as a grandparent am afraid that that product might 
have cheated on other things such as chemicals and other 
matters that might be involved in the net product that might 
end up in the hands of my grandchildren or any other American 
family. Thank you very much, Madam Chair, yield back.
    Ms. Schakowsky. Mr. Walberg, I am going to call on you, 1 
second.
    Let me just point out to the committee that every single 
Member on both sides of the aisle have shown up to this 
hearing. That doesn't happen all the time, and I think it is a 
tribute to the issue, but also to our commissioners. So I want 
to thank you.
    Mr. Walberg is waiving on to our committee. We are happy to 
have you, and you have 5 minutes.
    Mr. Walberg. Thank you, Madam Chairwoman, and thank you for 
consenting to waiving me on this subcommittee. And while I am 
not on the subcommittee, certainly I have an interest in being 
a member of the Energy and Commerce Committee. I appreciate you 
allowing me this opportunity.
    Thank you, each of you, for being here today as well. You 
have a big job and we wish you well and we hope that we can be 
supporters and fellow laborers in making the difference.
    I wanted to come here today to ask questions about a topic 
very important to me and my constituents, and that is scams 
against targeting our Nation's seniors. Michigan seniors, in my 
case, have spent a lifetime working to save for financially 
secure retirements. In the digital age, scams targeting seniors 
and their hard-earned money are growing in number and 
sophistication, and safeguarding vulnerable seniors needs to be 
a top priority. I am one. It is important to me. Today, 
Representative Blunt Rochester, who I believe mentioned this 
already, she and I will be introducing legislation, the Stop 
Senior Scams Act, to help prevent fraudsters from targeting 
seniors with prepaid or gift card scams.
    While the committee is working on legislation to address 
annoying robocalls and that scam our seniors into giving away 
their savings or personal information, gift card scams are 
another way fraudsters target seniors. Companies like Target or 
Wal-Mart are on the front lines against these scams, and their 
ability to educate their employees with best practices and 
training to recognize the signs of scam can make a huge 
difference in stopping a scammer. The Stop Senior Scams Act 
would create a forum at the Federal Trade Commission to 
communicate about best practices like this.
    And so, Chairman Simons, I would like to ask you if you 
could please talk about what the Commission is doing to prevent 
frauds and scams against seniors and how legislation like this 
Stop Senior Scams Act would align with the FTC's consumer 
protection mission.
    Mr. Simons. Thank you, Congressman. So this is a 
multipronged approach at the FTC. We engage in strenuous 
efforts going after these specific scams that target seniors. 
We have what is very important, I think, and very effective is 
a program of outreach to the senior community and we have a 
specific program that was designed called Pass It On, where we 
try to kind of essentially deputize senior citizens to help 
their fellow senior citizens avoid scams. So they are talking 
about it in their local communities and it is on top of mind 
and they know what to watch out for. And your legislation, you 
know, it sounds like I couldn't agree more with the goals of it 
and I would be happy to work with you on it.
    Mr. Phillips. Congressman.
    Mr. Walberg. Yes.
    Mr. Phillips. If I could just add one thing, since we are 
here in a public hearing and hopefully the public is paying 
attention. What I want to say to American consumers about this 
critical issue to which you and Congresswoman Rochester have 
devoted such important attention, if a business tells you that 
you need to pay with a gift card, it could very well be a scam 
and people need to be on the lookout for that. We are going to 
be doing our jobs, but it is also important that we communicate 
to the public.
    Mr. Simons. Yes, the real thing here is, if somebody wants 
you to pay with a gift card and that is what you are telling 
you, it is probably a scam. Gift cards are for gifts, they are 
not for forms of payment.
    Mr. Walberg. From your lips to seniors' ears then.
    Mr. Simons. Yes.
    Mr. Walberg. What developments, Chairman Simons, have there 
been in financial scams affecting seniors and how can the 
Commission help stop these scams from spreading to larger 
groups of seniors?
    Mr. Simons. So these things are just evolving continually 
and it is, you know, you stop one type of scam and another type 
of scam arises. And so, the trick for us is to stay on our 
toes, pay attention to what is going on, and move to each 
succeeding new scam.
    And one of the things that enables us to do that is our 
Consumer Sentinel database which is an incredible tool for law 
enforcement and particularly for dealing with scams. It has an 
enormous number of complaints in it and shared by us with the 
local State authorities across the country, and it is a great 
asset.
    Mr. Walberg. OK, any other comments?
    Mr. Chopra. I hope that we also start paying closer 
attention to how seniors are scammed online. More and more 
seniors are also participating in the digital economy, also 
connecting with family, and many, especially those who suffer 
from diminished capacity can be particularly at risk.
    Mr. Walberg. Well, I appreciate that. It is a big issue and 
it is not going away and it is expanding. So our efforts 
together will be very helpful for the constituents I represent 
and those all over this great country.
    So, Madam Chairwoman, thank you for allowing me this time.
    Ms. Schakowsky. Thank you, Mr. Walberg.
    I just want to--I am surprised none of you mentioned that 
the FTC does do these scam workshops. I don't know if they are 
everywhere, but we really have this amazing one in the Chicago 
area, Brad Schneider and I. And the FTC organized it, but 
brought in a representative of the Attorney General, various 
other State agencies, and it was spectacular. It was chaired by 
the Federal Trade Commission.
    So I don't know if it is in Mr. Walberg's district, but I 
would suggest that you ask for one of those. It was really 
good.
    Mr. Simons. And we would be thrilled to do it.
    Ms. Schakowsky. OK. And so, Mr. Rush was here earlier, but 
we welcome him back for his 5 minutes of questions. Mr. Rush?
    Mr. Rush. Yes, I want to thank you, Madam Chair.
    It has been one of the--the means of committees that--those 
that pull us in a different direction, and some of them when 
they come in, they come in right before it is over. So I know 
those who sit patiently were not overwhelmed with enthusiasm 
when they saw me walk through the door, but it is the way this 
place operates.
    So I want to thank you, Madam Chair, for holding this 
hearing. And I want to begin by asking unanimous consent to 
offer into the record an October 2018 letter from the AMA. So I 
ask unanimous consent.
    Ms. Schakowsky. Without objection, so ordered.
    [The information appears at the conclusion of the hearing.]
    Mr. Rush. All right. I want to begin by saying that the FTC 
is one of my most favorite agencies in the Federal Government. 
I worked very closely with the FTC, particularly when I chaired 
this subcommittee some years ago and did some really good work 
with the FTC.
    But I want to--Chairman Simons, on October 26, '18, the AMA 
sent you a letter encouraging the FTC to monitor insulin 
pricing and market competition out of increasing concerns that 
the rapid rise on the price of insulin may be attributed to 
anticompetitiveness rather than research and development. If, 
Mr. Chairman, as the letter alleges, if this is true, how would 
the FTC respond? And the second part on the question is, have 
you investigated the claims made in the AMA letter?
    Mr. Simons. Thank you for the question, Congressman. So I 
can't respond specifically to any nonpublic investigation that 
is going on, but I will say this. We are very focused on 
pricing in the pharmaceutical sector. We monitor pricing on a 
monthly basis over a wide range of drugs to see if there are 
any anomalies like the one you just described, and we look 
specifically to see if they are caused by anticompetitive 
activity. And if they are, this is a source of case generation 
for us, so these are a source of investigations. So that is the 
type of, exactly the type of thing that we could look at.
    Mr. Rush. Is there any one of the commissioners that might 
want to respond?
    Mr. Chopra. Yes. I think the situation we see with insulin 
is it is not isolated. It really, we see it all over. I believe 
in the case of insulin it is really only three players--Eli 
Lilly, Nova Nordisk, Sanofi--who really have all the volume. 
The original patent was sold for $3 generations ago.
    We see a lot of challenges across the pharmaceutical market 
with respect to abuse of intellectual property. My colleagues 
talked about some of the work there. But we have to use all of 
our tools to crack down on anticompetitive conduct and the 
fewer and fewer players we have in the market that raises more 
concerns.
    And it just bugs me that some of these treatments are old. 
Insulin is not dramatically different than it used to be and 
the fact that people can't get it affordably and are skipping 
out on it----
    Mr. Rush. Right.
    Mr. Chopra [continuing]. It is literally killing them.
    Mr. Rush. Anybody else?
    Mr. Phillips, I understand you had some nice things to say 
about me earlier. I really appreciate it. It came across my 
desk.
    Mr. Phillips. Absolutely, Congressman. In my opening 
statement I talked about the work that we are doing on a 
bipartisan basis at the FTC to help deal with the cost of 
healthcare, on the competition side included a lot of really 
good work over the last year, a half a billion judgment, an 
important antitrust case filed weeks ago, a decision on pay-
for-delay settlements, which I know have been very important to 
you, that we issued 5-nothing, just a few weeks ago. So I want 
you to know from me that the cost of healthcare and rooting out 
anticompetitive conduct in the healthcare industry is and will 
remain a focus for all of us.
    Mr. Rush. Well, thank you.
    Madam Chair, thank you so very much for your indulgence and 
I yield back the balance of my time.
    Ms. Schakowsky. Thank you, Mr. Rush.
    Just a little bit of business left. I request unanimous 
consent to enter the following testimony or letters, other 
information into the record. Without objection, so ordered.
    A letter for the record, Oversight of the Federal Trade 
Commission: Strengthening Protection for--oh, OK; a letter from 
the Electronic Privacy Information Center; a letter from 
Consumer Bankers Association; a letter from the Internet 
Association; a letter from the National Association of 
Federally-Insured Credit Unions; and a letter from the 
Confidentiality Coalition.
    [The information appears at the conclusion of the 
hearing.]\1\
---------------------------------------------------------------------------
    \1\ The Electronic Privacy Information Center letter has been 
retained in committee files and also is available at https://
docs.house.gov/meetings/IF/IF17/20190508/109415/HHRG-116-IF17-20190508-
SD004.pdf.
---------------------------------------------------------------------------
    And, finally, I want to thank our ranking member. I want to 
thank the staff on both sides of the aisle. And I especially 
want to thank our witnesses, members of the Federal Trade 
Commission, for coming here today.
    I remind Members that pursuant to committee rules they have 
10 business days to submit additional questions for the record 
to be answered by the witnesses who have appeared. I would ask 
each witness to respond promptly to any such requests that you 
may receive.
    And at this time, the subcommittee is adjourned.
    [Whereupon, at 1:26 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    

                                 [all]