[Senate Hearing 116-118]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 116-118


    DATA BROKERS AND THE IMPACT ON FINANCIAL DATA PRIVACY, CREDIT, 
                   INSURANCE, EMPLOYMENT, AND HOUSING

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                   BANKING,HOUSING,AND URBAN AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                                   ON

EXAMINING DATA BROKERS' INDUSTRY PRACTICES AND STANDARDS AND THE IMPACT 
    THEY HAVE ON ACCESS TO, AND ELIGIBILITY FOR, CREDIT, INSURANCE, 
                        EMPLOYMENT, AND HOUSING

                               __________

                             JUNE 11, 2019

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban 
                                Affairs
                                
                                
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]                                


                Available at: https: //www.govinfo.gov /

                              __________
                                  

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
39-485 PDF                  WASHINGTON : 2021                     
          
--------------------------------------------------------------------------------------

            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                      MIKE CRAPO, Idaho, Chairman

RICHARD C. SHELBY, Alabama           SHERROD BROWN, Ohio
PATRICK J. TOOMEY, Pennsylvania      JACK REED, Rhode Island
TIM SCOTT, South Carolina            ROBERT MENENDEZ, New Jersey
BEN SASSE, Nebraska                  JON TESTER, Montana
TOM COTTON, Arkansas                 MARK R. WARNER, Virginia
MIKE ROUNDS, South Dakota            ELIZABETH WARREN, Massachusetts
DAVID PERDUE, Georgia                BRIAN SCHATZ, Hawaii
THOM TILLIS, North Carolina          CHRIS VAN HOLLEN, Maryland
JOHN KENNEDY, Louisiana              CATHERINE CORTEZ MASTO, Nevada
MARTHA McSALLY, Arizona              DOUG JONES, Alabama
JERRY MORAN, Kansas                  TINA SMITH, Minnesota
KEVIN CRAMER, North Dakota           KYRSTEN SINEMA, Arizona

                     Gregg Richard, Staff Director

                      Joe Carapiet, Chief Counsel

                Brandon Beall, Professional Staff Member

               Alexandra Hall, Professional Staff Member

                Laura Swanson, Democratic Staff Director

           Corey Frayer, Democratic Professional Staff Member

                      Cameron Ricker, Chief Clerk

                      Shelvin Simmons, IT Director

                    Charles J. Moffat, Hearing Clerk

                          Jim Crowell, Editor

                                  (ii)


                            C O N T E N T S

                              ----------                              

                         TUESDAY, JUNE 11, 2019

                                                                   Page

Opening statement of Chairman Crapo..............................     1
    Prepared statement...........................................    30

Opening statements, comments, or prepared statements of:
    Senator Brown................................................     3
        Prepared statement.......................................    31

                               WITNESSES

Alicia Puente Cackley, Ph.D., Director, Financial Markets and 
  Community Investment, Government Accountability Office.........     4
    Prepared statement...........................................    32
    Responses to written questions of:
        Senator Menendez.........................................   163
        Senator Warren...........................................   163
        Senator Schatz...........................................   166
        Senator Cortez Masto.....................................   169
Pam Dixon, Executive Director, World Privacy Forum...............     5
    Prepared statement...........................................    49
    Responses to written questions of:
        Senator Menendez.........................................   171
        Senator Warren...........................................   176
        Senator Schatz...........................................   183
        Senator Cortez Masto.....................................   186

              Additional Material Supplied for the Record

Letter submitted on behalf of Acxiom by Jordan Abbott, Chief 
  Ethics Office..................................................   202
Letter and responses to written questions of the Banking 
  Committee submitted by Bob Liodice, Chief Executive Office, 
  Association of National Advisers...............................   204
Letter submitted by CoreLogic....................................   210
Letter submitted by Jim Nussle, President & CEO, Credit Union 
  National Association (CUNA)....................................   211
Letter submitted by Brad Thaler, Vice President of Legislative 
  Affairs, National Association of Federally-Insured Credit 
  Unions.........................................................   213

                                 (iii)

 
    DATA BROKERS AND THE IMPACT ON FINANCIAL DATA PRIVACY, CREDIT, 
                   INSURANCE, EMPLOYMENT, AND HOUSING

                              ----------                              


                         TUESDAY, JUNE 11, 2019

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.
    The Committee met at 10:03 a.m. in room SD-538, Dirksen 
Senate Office Building, Hon. Mike Crapo, Chairman of the 
Committee, presiding.

            OPENING STATEMENT OF CHAIRMAN MIKE CRAPO

    Chairman Crapo. This hearing will come to order.
    Providing testimony to the Committee today are experts who 
have researched and written extensively on big data: Dr. Alicia 
Cackley, the Director of Financial Markets and Community 
Investment at the Government Accountability Office; and Ms. Pam 
Dixon, Executive Director of the World Privacy Forum. We 
appreciate both of you being here.
    As a result of an increasingly digital economy, more 
personal information is available to companies and others than 
ever before. I have been troubled by Government agencies' and 
private companies' collection of personally identifiable 
information for a long time.
    There have been many questions about how individuals' or 
groups of individuals' information is collected, with whom it 
is shared or sold, how it is used, and how it is secured.
    Private companies are collecting, processing, analyzing, 
and sharing massive data on individuals for all kinds of 
purposes. Even more troubling is that the vast majority of 
Americans do not even know what data is being collected, when 
it is being collected, how it is being collected, by whom, and 
for what purpose.
    In particular, data brokers and technology companies, 
including large social media platforms and search engines, play 
a central role in gathering vast amounts of personal 
information and often without interacting with individuals, 
specifically in the case of data brokers.
    In 2013, the GAO issued a report on information resellers, 
which includes data brokers, and the need for the consumer 
privacy framework to reflect changes in technology in the 
marketplace.
    The report noted that the current statutory consumer 
privacy framework fails to address fully new technologies and 
the growing marketplace for personal information.
    The GAO also provided several recommendations to Congress 
on how to approach the issue to provide consumers with more 
control over their data.
    In 2018, 5 years later, GAO published a blog summarizing 
its 2013 report, highlighting the continued relevance of the 
report's findings.
    The Federal Trade Commission also released a report in 2014 
that emphasized the big role of data brokers in the economy. 
The FTC observed in its report that ``data brokers collect and 
store billions of data elements covering nearly every U.S. 
consumer,'' and that ``data brokers collect data from numerous 
sources, largely without consumers' knowledge.''
    In her report ``The Scoring of America,'' Pam Dixon 
discusses predictive consumer scoring across the economy, 
including the big role that data brokers play. She stresses 
that today no protections exist for most consumer scores, 
similar to those that apply to credit scores under the Fair 
Credit Reporting Act.
    Dixon says, ``Consumer scores are today where credit scores 
were in the 1950s. Data brokers, merchants, government 
entities, and others can create or use a consumer score without 
notice to consumers.''
    Dr. Cackley has also issued several reports on consumer 
privacy and technology, including a report in September 2013 on 
information resellers, which includes data brokers. She says in 
her report that the current consumer privacy framework does not 
fully address new technologies and the vastly increased 
marketplace for personal information. She also discusses 
potential gaps in current Federal law, including the Fair 
Credit Reporting Act.
    The Banking Committee has been examining the data privacy 
issue in both the private and public sectors, from regulators 
to financial companies, to other companies who gather vast 
amounts of personal information on individuals or groups of 
individuals to see what can be done through legislation, 
regulation, or by instituting best practices.
    Enacted in 1970, the Fair Credit Reporting Act is a law in 
the Banking Committee's jurisdiction which aims to promote the 
accuracy, fairness, and privacy of consumer information 
contained in the files of consumer reporting agencies. Given 
the exponential growth and use of data since that time and the 
rise of entities that appear to serve a similar function as the 
original credit reporting agencies, it is worth examining how 
the Fair Credit Reporting Act should work in a digital economy.
    During today's hearing, I look forward to hearing more 
about the structure and practices of the data broker industry 
and technology companies, such as large social media platforms; 
how the data broker industry has evolved within the development 
of new technologies, and their interaction with technology 
companies; what information these entities collect, how it is 
collected, and whom it is shared with and for what purposes; 
what gaps exist in Federal privacy law; and what changes to 
Federal law should be considered to give individuals real 
control over their data.
    I appreciate each of you joining us today and look forward 
to getting some further information about these questions.
    Senator Brown.

           OPENING STATEMENT OF SENATOR SHERROD BROWN

    Senator Brown. Thank you, Mr. Chairman. I appreciate your 
continuing these important, bipartisan efforts to protect 
Americans' sensitive personal information.
    We are looking today at a shadowy industry known as ``data 
brokers.'' Most of you probably have not heard of these 
companies. The biggest ones include names like Acxiom, 
CoreLogic, Spokeo, and ZoomInfo--and maybe one you have heard 
of, Oracle. According to some estimates, 4,000 of these 
companies collect and sell private information, but, 
stunningly--and I am not sure I have ever used that word in 
this Committee--stunningly, not one of them has been willing to 
show up and speak in front of this Committee today. Not one.
    These companies expect to be trusted with the most personal 
and private information you could imagine about millions of 
Americans. They are not even willing to show up and explain how 
their industry works. Some define this as cowardice. It is hard 
to disagree with that. I think it tells you all you need to 
know about how much they want their own faces and names 
associated with that industry.
    As Maciej Ceglowski told us at our last hearing, ``the 
daily activities of most Americans are now tracked and 
permanently recorded by automated systems at Google or 
Facebook.''
    Most of that private activity is not useful without data 
that anchors it to the real world. Facebook, Google, and Amazon 
want to know where you are using your credit cards, where you 
buy your brand-name appliances, if you are recently divorced, 
and how big your life insurance policy is--the kind of data 
that big tech gets from data brokers. They then combine it with 
your social media activity to feed into their algorithms.
    You might have noticed it seems like every product or 
service you buy comes with a survey or a warranty card that 
asks for strangely personal information. Why are all these 
nontech companies so interested in your data?
    It is simple: Data brokers will pay these companies for any 
of your personal information they can get their hands on so 
they can turn around and sell it to Silicon Valley. It is hard 
for ordinary consumers to have any power when, unbeknownst to 
them, they are actually the product bought and sold.
    It reminds me of a time when corporations that had no 
business being in the lending industry decided to start making 
loans and selling them off to Wall Street. We know what 
happened. Manufacturers or car companies decided that consumer 
credit would be a great way to boost their profits. When big 
banks and big tech are willing to pay for something, everyone 
else will find a way to sell it to them, often with devastating 
results.
    For example, Amazon is undermining retailers and 
manufacturers across the country through anticompetitive 
practices. At the same time, it scoops up information from the 
very businesses it is pushing out of the market.
    Then there is Facebook, almost single-handedly undermining 
the profitability of newspapers across the country. It also 
gobbles up personal information that the New York Times allows 
data brokers to collect from its readers.
    Just like in the financial crisis, a group of shadowy 
players sits at the center of the market, exercising enormous 
influence over consumers and the economy while facing little or 
no rules at all. Then they do not show up.
    Chairman Crapo and I are committed to shining a light on 
these companies and keeping an unregulated data economy from 
spiraling out of control. Yesterday it was reported that a 
Department of Homeland Security contractor allowed unauthorized 
access to photos of travelers and their license plates to be 
exposed to potential identity thieves.
    One of the principal differences between the two political 
parties in this town is the suspicion that Democrats have of 
private power and suspicion Republicans typically have of 
Government power. I think you are seeing two parties come 
together on our suspicion of what these data brokers are doing.
    The Chairman and I agree that protecting sensitive 
information like this is timely and important. I look forward 
to the witnesses' testimony.
    Thanks.
    Chairman Crapo. Thank you, Senator Brown, and I appreciate 
our partnership on this issue.
    We will go in the order I introduced you, and, Dr. Cackley, 
you may begin. But before you do, let me just remind both of 
you that we would like you to keep your initial remarks to 5 
minutes so that we can have plenty of time for the Senators to 
engage with you.
    Dr. Cackley.

STATEMENT OF ALICIA PUENTE CACKLEY, Ph.D., DIRECTOR, FINANCIAL 
  MARKETS AND COMMUNITY INVESTMENT, GOVERNMENT ACCOUNTABILITY 
                             OFFICE

    Ms. Cackley. Thank you. Chairman Crapo, Ranking Member 
Brown, and Members of the Committee,
    I am pleased to be here today to discuss GAO's work on 
consumer privacy and information resellers, also known as 
``data brokers.''
    My remarks are primarily based on our September 2013 report 
on privacy issues related to information resellers, as well as 
more recent work on internet privacy, data protection, facial 
recognition, and financial technology.
    My statement will focus on two main issues: the lack of an 
overarching Federal privacy law and gaps that exist in the 
current consumer privacy framework.
    No overarching Federal privacy law governs the collection, 
use, and sale of personal information among private sector 
companies, including information resellers. There are also no 
Federal laws designed specifically to address all the products 
sold and information maintained by information resellers. 
Instead, Federal privacy laws covering the private sector are 
narrowly tailored to specific purposes, situations, types of 
information, or entities, such as data related to financial 
transactions, personal health, and eligibility for credit.
    For example, the Fair Credit Reporting Act requires that 
sensitive consumer information be protected and restricts how 
it is shared. But the law only applies to information used to 
determine eligibility for things like credit, insurance, and 
employment. Similarly, the Gramm-Leach-Bliley Act restricts how 
certain financial information is shared, but it only applies to 
entities that fall under the law's specific definition of a 
``financial institution.'' Other privacy statutes address other 
specific circumstances, but there is no Federal statute that 
comprehensively addresses privacy issues in the private sector.
    GAO has stated previously that gaps exist in the U.S. 
consumer privacy framework. We have reported that Federal law 
provides consumers with limited ability to access, control, and 
correct their personal data, particularly data used for 
marketing purposes. Similarly, individuals generally cannot 
prevent their personal information from being collected, used, 
and shared. Yet information that resellers collect and share 
for marketing purposes can be very personal or sensitive. For 
example, it can include information about physical and mental 
health, income and assets, political affiliations, and sexual 
habits and orientation.
    Another area where there are gaps in the consumer privacy 
framework is with respect to new technologies. For example, 
Federal law does not address expressly when companies can use 
facial recognition technology to identify or track individuals, 
nor does it address when consumer knowledge or consent should 
be required for its use. Similarly, no Federal privacy law 
explicitly addresses the full range of practices for tracking 
or collecting data from consumers' online activity or the 
application software for mobile devices. And the rise of 
financial services technologies, known as ``FinTech,'' raises 
new privacy concerns, for example, because new sources of 
personal data are being used to determine creditworthiness.
    In summary, new markets and technologies have vastly 
changed the amount of personal information private companies 
collect and how they use it. But our current privacy framework 
does not fully address these changes. Laws protecting privacy 
interests are tailored to specific sectors and uses, and 
consumers have little control over how their information is 
collected, used, and shared with third parties for marketing 
purposes. As a result, the current privacy framework warrants 
reconsideration by Congress in relation to consumer interests, 
new technologies, and other issues.
    Chairman Crapo, Ranking Member Brown, and Members of the 
Committee, this concludes my statement. I would be pleased to 
answer any questions you may have.
    Chairman Crapo. Thank you.
    Ms. Dixon.

STATEMENT OF PAM DIXON, EXECUTIVE DIRECTOR, WORLD PRIVACY FORUM

    Ms. Dixon. Thank you. Chairman Crapo, Ranking Member Brown, 
and Members of the Committee, thank you for your invitation and 
for the opportunity to talk about something very, very 
meaningful today: the Fair Credit Reporting Act, data brokers, 
and privacy.
    Fifty years ago, this Committee struck a blow for consumers 
for transparency and for fairness when it passed the Fair 
Credit Reporting Act. This Committee talked with stakeholders. 
They found best practices. And before the famous HEW Report 
came out, the Committee report that defined what became fair 
information practices, this Committee created the Fair Credit 
Reporting Act. It was and still is the most important American 
privacy law that we have. But it is not as important as it was. 
There are three reasons why.
    First, credit scores and other scores are being sold and 
used in consumers' lives, and these are unregulated.
    Second, the technology of prediction, what can be called 
``predictive analytics,'' otherwise known as AI and machine 
learning, this technology and suite of technologies has 
advanced profoundly, and especially in the last 3 to 4 years, 
new kinds of predictive abilities have come forth, and we have 
new levels of accuracy in prediction, so that what used to be 
the accuracy of the credit score now is also the accuracy of an 
unregulated credit score, and this introduces new problems for 
consumers.
    Third, these scores are created without due process for 
consumers. How on Earth do we deal with this? This is why 
Congress must expand the Fair Credit Reporting Act to regulate 
currently unregulated scores, especially in the financial 
sector, that are being used in meaningful ways in consumers' 
lives.
    We have other solutions to discuss and other issues to 
discuss. I look forward to your questions. Thank you.
    Chairman Crapo. Thank you very much, Ms. Dixon.
    I would like to ask each of you to answer my first three 
questions, and then I want to get into more discussion. But I 
would like you, if you possibly can, to limit your answers to 
yes or no answers to the first three. I know you will be 
tempted to elaborate, but I will give you that chance.
    First, do you agree that data brokers collect and process 
vast amounts of personal information on nearly every American 
to the extent that they hold more information about individuals 
than the U.S. Government or traditional credit bureaus?
    Ms. Dixon. Yes.
    Ms. Cackley. Yes.
    Chairman Crapo. Second, do you both agree that most 
Americans have no knowledge of these activities and in most 
cases no rights to access, correct, or control the information 
collected about them?
    Ms. Dixon. Yes.
    Ms. Cackley. Yes.
    Chairman Crapo. And then, third, can certain processing and 
uses of this information have significant impact on their 
financial lives?
    Ms. Dixon. Yes. Absolutely.
    Ms. Cackley. Yes.
    Chairman Crapo. All right. Now we will get to where you can 
elaborate. You have both authored reports, as the FTC in 2014, 
that highlight the gaps in the Fair Credit Reporting Act and 
other privacy laws. You have both testified about that in your 
introductory remarks. These gaps allow data brokers to evade 
certain requirements that should be imposed on them.
    What are the steps that we can take? You indicated, Ms. 
Dixon, that we need to expand the Fair Credit Reporting Act, 
and you essentially said the same thing, Dr. Cackley. But what 
specifically does this Committee need to do with regard to 
that?
    Ms. Dixon. Thank you. In regards to the Fair Credit 
Reporting Act, I think very small changes would be very 
meaningful. Let me give you an example. Right now, as you know, 
as you well know, the Fair Credit Reporting Act in regards to 
credit scores applies to individuals. So when we are--you know, 
that is regulated at the individual level.
    However, if you look at the new forms of credit scores that 
are available, they are scored at the household level where the 
Fair Credit Reporting Act does not apply. So you take a ZIP+4, 
and you score a household and give them, let us say, a score of 
720. The household has a very accurate score of 720. Then that 
becomes an unregulated form of credit score. And, you know, 10 
years ago, these scores were quasi-accurate. That has changed.
    Chairman Crapo. Thank you.
    Dr. Cackley?
    Ms. Cackley. So the Fair Credit Reporting Act has a certain 
number of elements to it that are very helpful. It gives 
consumers access, control, the ability to correct information, 
and safeguards privacy. But it only applies in certain 
situations for eligibility decisions. It would be possible to 
think about looking at a broader set of personal sensitive 
information that the Fair Credit Reporting Act could cover that 
would give consumers more of those things, access, control, 
ability to correct, over more personal sensitive information 
than is currently available.
    Chairman Crapo. All right. And I am going to use the term--
well, Ms. Dixon, you used the term ``unregulated credit 
scores.'' There is a set of data that is collected about 
individuals and, as you indicate, households, and this data is 
turned into some kind of an analysis that allows those who use 
the data to influence and manipulate individuals in the 
marketplace.
    Historically, as you have both indicated, the Fair Credit 
Reporting Act has focused primarily on credit bureaus, but the 
scope of who is collecting this data and how it is being used 
has exploded, as you both also discussed.
    The question I have is: Isn't this unregulated score that 
we are talking about that is created for people and then 
managed by AI, isn't that impacting people's credit? Isn't it 
impacting their financial decisions? Isn't it significantly 
focused on that type of influence and manipulation of 
individuals?
    Ms. Cackley. I think it certainly can be. The scores may 
not be credit scores, but they may apply to decisions that 
companies are making about what kinds of products they offer 
people, and at what price they offer things. This is based on a 
score that the consumer does not necessarily see, cannot tell 
is correct, or cannot make any attempt to improve if they do 
not even know it exists.
    Chairman Crapo. And to influence them to make such a 
transaction. I will let you go ahead, Ms. Dixon. I am running 
out of time here, but go ahead, please.
    Ms. Dixon. Thank you. We call any score that is not 
regulated by the Fair Credit Reporting Act ``consumer scores,'' 
and we define that. It is in the written testimony. Consumer 
scores are quite dangerous when they are used in eligibility 
circumstances.
    So, for example, the line between a lead generation, which 
is allowable--you do not have to pull a credit score to create 
a lead generation for a marketing product or a financial 
product. However, if you are just maybe marketing a financial 
product and you have something that is equivalent in accuracy 
to a credit score, all of a sudden this changes the equation. 
There is not even a micrometer in between, you know, what a 
regulation would be and a nonregulated score.
    So if you have essentially something that looks like a 
credit score and that acts like the credit score and is being 
used like the credit score, well, it is the same thing as a 
duck. If it quacks, it is a duck.
    So I think we have to look at the financial products that 
are being marketed with quasi-credit scores very closely. That 
is of high concern. But there are other categories. In ``The 
Scoring of America,'' we identified literally hundreds of types 
of scores: consumer lifetime value scores where consumers are 
segmented according to how valuable they are in terms of their 
purchasing power. There are frailty scores, which is more of a 
medical score. But the scores abound, and the concern I have is 
when people lose opportunities that are meaningful in their 
lives, for example, scores that are used in eligibility 
circumstances not described by the Fair Credit Reporting Act, 
such as admissions to colleges and what-not, imagine having a 
wonderful high school background and working very hard to 
achieve the American dream, and then all of a sudden some score 
says that you will not be as qualified a candidate, having 
nothing to do with your academic achievements but just somehow 
with maybe the neighborhood you grew up in. I find this 
disturbing.
    Chairman Crapo. Agreed.
    Senator Brown.
    Senator Brown. Thank you, Mr. Chairman.
    Ms. Dixon, you noted that tens of thousands of consumers' 
scores affecting millions and millions of consumers are used to 
predict our behaviors, our secret, as you said. Are you 
surprised that Chairman Crapo was not able nor were we able to 
bring in data brokers to speak and testify? Are you surprised 
they were not willing to testify about their business practices 
before this Committee today?
    Ms. Dixon. Actually, I am surprised, and I am actually--I 
wish they were here, and I wish the credit bureaus were here as 
well, because we need to have good industry step forward and to 
give us their best practices that they use. If there is no good 
industry to step forward with best practices, then this 
Committee cannot rearticulate what it did 50 years ago. And I 
do not understand why these industries are not willing to 
discuss what is happening, and I also do not understand why we 
cannot see our scores. Why?
    Senator Brown. I am not sure that they did not show up. I 
guess I would like to--I am not sure I have done this before 
either. I would like to ask anybody in the room that represents 
the data brokers to raise their hand. Lobbyists, lawyers, 
people paid by the data broker industry, any of you here? Any 
of you here that want to raise your hand? I guess is the 
question.
    OK. And if you are, I mean, I will give you an opportunity 
of a lifetime. If you are, we will set up a different chair, 
and you can sit next to Ms. Dixon and Dr. Cackley. OK. All 
right. I guess no surprise there, Mr. Chairman, and that does 
illustrate how--because I know they are watching. I mean, this 
is really important to their industry. It is very important to 
their bottom line, whether they are watching here or whether 
they are watching live stream. But we will move on.
    Ms. Dixon, it seems that data predictions create a vicious 
cycle where the predictions end up often dictating the 
outcomes. For example, could people who have been 
systematically targeted by predatory lenders, having lower 
credit scores, therefore be likely only to see advertisements 
for other predatory financial products? I assume that happens. 
Are there other examples you can think of quickly?
    Ms. Dixon. Yes, the predatory example is one we get phone 
calls about in our office from people who received 
advertisements for financial products, and they did not 
understand that they could have gone out on the market and 
affirmatively looked for the best offer. So these predatory 
marketing devices based on unregulated scores are very 
significant.
    Other significant scores are scores that predict repayment 
of debt. So, for example, it is the poorest consumers who are 
targeted the most for debt repayment, all sorts of things like 
this. The consumer lifetime value scores impact how well you 
are treated by businesses, by how long you are standing in 
line, but the most meaningful circumstances that I can think of 
is when kids are applying to schools and they are getting 
scores that dictate whether or not they are going to be 
accepted to a school based not on their academics but based on 
all of these other things, like a pseudo credit score, like 
what neighborhood they grew up in. There are neighborhood risk 
scores which are the modern-day redlining, and I find them 
deeply objectionable because if we are going to be scored by 
where we live, how have we advanced and how have all the laws 
that have been meant to protect from such things, how are they 
operating if this is still happening today?
    Senator Brown. Thank you for that. So companies that--
particularly your analogy to redlining, bank redlining, 
insurance redlining, now these companies redlining, are you 
worried that companies would offer discounts for products and 
services in exchange for sensitive data, which would lead--you 
sort of implied this--to a two-tiered system where the wealthy 
can afford privacy and everyone else will have to sacrifice 
sensitive information to get access to basic internet services?
    Ms. Dixon. That is certainly part of it. I think it goes 
even more broadly than that. One of the big issues is that you 
get locked into a filter bubble of sorts, a marketing bubble, 
and it is not that people mean to get locked into these, but if 
you are receiving offers, especially for financial tools and 
services, and a consumer does not go outside of the offers they 
receive, they can pay more for autos; they can pay more for 
products; they can pay more for, for example, a TV. Simple 
things. But if you are a consumer on a fixed income, a 
television that costs $2,000 instead of $200 makes a meaningful 
difference in a person's life. That is what worries me the 
most.
    Senator Brown. There is one follow-up, not a question but a 
comment, Mr. Chairman. Thanks for your forbearance. The whole 
idea that people prey on people that are less able to fight 
back,
yesterday I was in Des Moines, not running for President but in 
Des Moines, and I was at a manufactured housing neighborhood, 
and a large hedge fund from Salt Lake City has begun to buy up 
manufactured housing neighborhoods. There are six of them in my 
State. There are a number of them in Iowa. They are in a half 
dozen States at least. They come and they buy these. People 
have paid $50,000 or $60,000 or $70,000 for their manufactured 
home. They pay $200 to $300 a month for the rent on the land, 
and this hedge fund is raising rents over about a period of a 
year, a year and a half, up to 70 percent, and people have 
nowhere to turn. And it is like these companies out there are 
just looking: Where can we come in, extract the most money at 
the lowest cost against people that are the most--have the 
least ability to fight back without political connections? And 
it is just happening across our economy.
    Thank you.
    Chairman Crapo. Thank you, Senator Brown.
    Senator Scott.
    Senator Scott. Thank you, Mr. Chairman. I will note that 
some people go to Des Moines not to run for President, but 
perhaps Vice President.
    [Laughter.]
    Senator Scott. I apologize. I meant----
    Senator Brown. Mr. Chairman, Senator Scott is a really 
smart guy, but that was not the smartest thing he ever said.
    [Laughter.]
    Senator Brown. Go on.
    Senator Scott. Senator Brown, I realize you do not actually 
run for Vice President by the number of votes you get, but I 
think there is a process by which people say they are qualified 
to do things--like ask Ms. Dixon a question.
    So one of your comments that you made sounded--I spent 
about 25 years in the insurance industry, so one of the 
comments you made sounded a little bit like redlining, and I 
would love for you to unpack that a little bit, but just to 
make sure I heard you. So in unregulated ways, credit scores 
that consumers themselves do not know about, that consumers 
have not seen, heard, or contributed to, are being used in ways 
that will impact their financial well-being to include perhaps 
even the likelihood of jobs that they may or may not be 
qualified for, that to me sounds fairly nefarious, but it 
sounds a whole lot like redlining. Can you unpack--if that is 
not what you meant, please clarify what you did mean. And if it 
is what you meant, please drill down a little bit so that we 
can have a little more clarity to what you are talking about.
    Ms. Dixon. Thank you. It is a really complex issue, and in 
``The Scoring of America'' and in my written testimony, I have 
articulated it more fully with footnotes.
    Senator Scott. We have that part.
    Ms. Dixon. Yes. So thank you for your question, because it 
is complex and it is difficult to abstract into a few words. 
Let me try and make a big effort here. All right----
    Senator Scott. I will give you 3 minutes if you need it.
    Ms. Dixon. Let us go for it.
    Senator Scott. OK.
    Ms. Dixon. So there are amazing real-time analytic 
products. Actually, in our update to ``The Scoring,'' we have 
looked at this. So, for example, financial service companies, 
you can look across the United States and see pretty much real 
time the marketplace activity of people who are spending and 
buying and what that looks like in real time. You can drill 
down to the census block level and see how well a neighborhood 
is performing. There is, for example, a product that gives you 
what is called an ``up-front score,'' what the score of that 
neighborhood is. And I will send on follow-up a series of 
screen shots of this to you so you can see it.
    Senator Scott. Thank you.
    Ms. Dixon. But let us say that you are applying for a 
university position, and your neighborhood has a very poor 
score. Well, now that can be taken into consideration. We have 
the college board doing this. They have an adversity score that 
is doing exactly this. So I find this difficult. The lines are 
narrow----
    Senator Scott. Just to interrupt you, Ms. Dixon. I read an 
article I guess a couple weeks ago, Mr. Chairman, about this 
new SAT score that would take into consideration challenges. 
Are you suggesting that that score could--the neighborhood 
score could have an impact on one's SAT score and college 
admittance?
    Ms. Dixon. I do not believe it will have an impact on a 
person's SAT score. I do believe that it can have a much 
further and much larger impact----
    Senator Scott. Ms. Dixon, are you familiar with the new 
iteration of the SAT score which takes into consideration the 
family challenges in----
    Ms. Dixon. Yes.
    Senator Scott. OK.
    Ms. Dixon. Yes, I am, and that is what I am referring to. 
So while that score is meant to provide context, here is the 
problem. One of the factors that it uses is a neighborhood risk 
score, and that neighborhood risk score is a secret score. 
Consumers do not get to see it. Currently, the college board 
adversity score, the students' score, they are not allowed to 
see it. It is a secret score.
    Now, let us bring this score into transparency. Let us 
apply some of the principles of the Fair Credit Reporting Act. 
Let us give people access to the score. Let them know what 
factors went into the score. Let us make it fair. That is my 
point.
    And right now this does not fall under the Fair Credit 
Reporting Act by all law. It does not fall into any eligibility 
circumstance, not yet. But that is what I am saying. We need to 
have fairness. Technology is going to advance, and it is 
important that it does. We need to stay competitive in the 
United States within machine learning and AI. It is very, very 
crucial for our economic future. But we need fairness and 
transparency, and we really need the Fair Credit Reporting Act 
to be guiding best practices and saying, look, technology, yes, 
uses need to be right. That is the deal.
    Senator Scott. Thank you.
    Mr. Chairman and Ranking Member, I would love for us to do 
all that we can to compel some of the companies in the industry 
to participate in a future hearing.
    Chairman Crapo. You have both of our agreement already on 
that, Senator Scott.
    Senator Scott. Thank you, sir.
    Chairman Crapo. Thank you.
    Senator Reed.
    Senator Reed. Well, thank you, Mr. Chairman. And thank you 
to the witnesses for their testimony.
    In previous hearings, echoing some of the comments of my 
colleagues, in particular Senator Kennedy, where a lot of the 
information should be viewed as being owned by the person, not 
by these data brokers. And we have to create real opportunities 
to protect your data. We have got some legal statutes in place 
like the Fair Credit Reporting Act, HIPAA, et cetera, where it 
is clear by statute. And then we have got some information that 
is very public. It is published, and it is linked notices in 
newspapers, et cetera. And then there is all the information 
that is just accumulated by being on a computer.
    It comes back down to, I think, three principles. This is 
my view. One is that consumers, people, should have the ability 
to opt out of any information collection system. Then, second, 
this information should be at some point expunged, 6 months, a 
year, et cetera. And then if it is violated by anybody, a data 
broker or a collector or anyone else, then they should have the 
right to go to court and say, ``You have ruined me.''
    So let us start with both your comments on how do we get 
sort of an effective opt-out. You know, my sense is that 
someone using or going to a website, it is hard to figure out 
where the opt-out is. Sometimes they do not even offer that. 
Should we in the U.S. Congress say you have to have a very 
prominent opt-out, do not collect my data? Let us start with 
Dr. Cackley and then Ms. Dixon.
    Ms. Cackley. So an opt-out possibility is certainly 
something that is available and is used in certain 
circumstances. I think there are more circumstances where it 
could be helpful. I do not know that that as a solution alone 
would do the trick in terms of if you think about all of the 
times when you go online and you are supposed to read the 
disclosures and click on things.
    Senator Reed. No one reads the disclosures.
    Ms. Cackley. Yeah, exactly, and so it may be that no one 
will read the opt-out either.
    Senator Reed. That is why the opt-out cannot be hidden in 
the disclosures. It has to pop right up here saying, ``Click 
yes or no.''
    Ms. Cackley. Absolutely. Right. I think if someone knows 
that they do not want their data to be collected and they can 
opt out right away, that is a way to do it. In other 
circumstances, people may not understand what the opt-out is, 
really----
    Senator Reed. I think if you start with the major 
platforms, the Googles, and et cetera, if they cannot collect 
the data, then that data is not going to get down the road to 
the brokers because they do not have it.
    Ms. Cackley. Absolutely.
    Senator Reed. And that is the first place, I think, to 
begin.
    Ms. Dixon?
    Ms. Dixon. Thank you. I was honored to serve at the OECD as 
part of their AI expert group. I just finished helping them 
write the global guidelines on AI, and something that I learned 
in that process even more so than I already had is that our 
data world, our data ecosystems have become so profoundly 
complex that I am not at all persuaded anymore that opt-out is 
possible, because if you recall, you know, the Russian nesting 
dolls where you have the big doll and then all the--you open 
the doll and there is another doll. And then you open it up 
again and there is another doll. This is what data is like.
    So let us say we do opt out of, you know, a platform. Well, 
what about all of the financial transactions. The financial 
transactions and our retail purchase histories are actually the 
basis of a lot of data broker analysis. And then it gets worse. 
As you get into the dolls, here is one that really is very, 
very challenging, and that is this. Data brokers right now, if 
they did not collect another piece of data on us--here is 
something really to think about--they could simply create data 
about us because that is the state of the technology. And I do 
not know how to create an opt-out that is that far removed from 
us.
    However, that being the case, I do believe there are things 
we can do, especially if we focus on restricting negative uses 
that harm consumers and really look at the endpoints of that 
process, and also at the beginning and say, hey, what are the 
standards you are using? What can we do to make good standards? 
And at the end, what are the standards for use? How can we 
control these two points?
    But I think there is a role for opt-out, for example, 
especially for human subject research, where there must be 
meaningful consent. As a tool, I think it has lost a lot of its 
power.
    Senator Reed. You have studied this longer than I, but I 
think it is a place to begin, and it is not a perfect solution, 
but, you know, you cannot make the perfect the enemy of the 
good. If it gives people a little more protection, I think it 
should be pursued.
    The other aspects of this, too, as you pointed out, with 
this synthetic--they create the synthetic data. Sort of purging 
it periodically might also help this. Again, I think you have 
put your finger on this dilemma now. The complexity, the 
ability to gather indirectly, not directly, data is profound. 
But if we do not take some simple steps, it gets worse. It does 
not get better.
    Thank you.
    Chairman Crapo. Thank you.
    Senator Schatz.
    Senator Schatz. Thank you, Mr. Chairman. Thank you to the 
testifiers.
    Ms. Dixon, you know, we are talking about some reforms to 
the Fair Credit Reporting Act, and what worries me a bit is 
that, as important as I think it is to bring data brokers back 
into the fold in terms of how the statutes governs their 
behavior, the Fair Credit Reporting Act does not actually work 
as it relates to the credit bureaus. The credit bureaus put the 
onus on the consumer. The consumer has to pay to correct or 
monitor his or her own data, and so that statute is broken. And 
so to the extent that we are going to put all of these shadow 
data brokers under FCRA, I think we have to be clear-eyed about 
how imperfect that system is for millions and millions of 
Americans. I would like you to comment on that.
    Ms. Dixon. Well, I agree with you. That is why I said that 
even our best American privacy law is not as important as it 
used to be. It does have cracks and fissures. However, it does 
something very important. It makes it so that things are not 
secret. You and I, we can look at our credit score. This is 
huge. This is a huge improvement from pre-2000 when it was 
illegal to do so. We can see our bureau report and correct it. 
We cannot see our other scores, and this is problematic.
    Senator Schatz. Fair enough. Let me ask you a sort of 
technical question. What is the relationship between data 
brokers and credit bureaus? In other words, are some of these 
credit bureaus getting into the data broker business? Have some 
of them acquired data brokers? What is their relationship?
    Ms. Dixon. Yes, so, for example, Equifax and Experian, a 
lot of times what they will do is they will have part of their 
business as a formal regulated credit reporting business, and 
then other aspects of their business are unregulated----
    Senator Schatz. Which is what they would characterize as 
the ``marketing side.''
    Ms. Dixon. Yes, I am aware that they call it ``marketing.'' 
However, I call it the ``consumer scoring side.'' But, yes, 
your point is absolutely correct. And, additionally, you 
mentioned that there is, you know, also first party. One of the 
things that has been happening is there is a lot of data 
privacy concerns, and there is a real move now for a lot of 
different types of businesses to purchase data brokers and 
bring them in so that they are dealing with first-party data. 
So now we have a fracture in the data broker business model 
where you cannot just say, ``Well, here are the data brokers. 
Let us regulate them.'' That is not possible anymore. Maybe 25, 
30 years ago, but not now. I think we really have to look at 
practices and say, hey, are you using the data for these 
purposes, especially in regards to eligibility.
    Senator Schatz. But the challenge, to follow up on what 
Senator Scott talked about in terms of digital redlining, is 
that to the extent that they are using data sets that are 
essentially in combination a proxy for race, and to the extent 
that those algorithms are not transparent, it is incredibly 
difficult to imagine that even if we put them under FCRA and 
even if the FTC were authorized to go after--or CFPB were 
authorized to go after them, just to make the case would be 
incredibly difficult. Am I correct there?
    Ms. Dixon. I believe you are correct, and that is why we 
proposed a standard bill that really looks at creating new 
standards to start to build a mesh network to fill in these 
gaps. Because you are correct, there are important gaps here.
    Senator Schatz. And under FCRA and in the sort of old days, 
you used to have shadow shoppers to try to figure out whether 
there was discrimination in terms of impact as opposed to in 
terms of intent. And yet it seems to me that there could be a 
way where we could subject all of these data brokers to a 
regime where they had to--they did not have to provide the code 
for their algorithm, but they had to provide a regulator with 
the ability to utilize the algorithm and see if the--and run a 
bunch of reps and figure out if, statistically speaking, it 
was, in fact, a proxy for race or if there was a disparate 
impact on protected classes.
    Ms. Dixon. I think that is right. And, you know, it is not 
that algorithms are bad. It is not that scoring is bad. It is 
how it is used----
    Senator Schatz. And some of this could actually alleviate 
the problem of the credit bureaus in terms of the 3 or 4 
million people who have bad credit scores that are incorrect. 
And so if you can come up with an alternative that is 
nondiscriminatory, it provides a real opportunity.
    I will just offer one last thought, and I would like both 
of your comments for the record. We are working on legislation 
and I am working on legislation to establish a duty of care, 
because I think the problem is in a sectoral approach some of 
these companies are--I do not know if they are a FinTech 
company or a tech company or under the HIPAA regime, and they 
sort of evade the various regulations because it is not clear 
where they belong. And in any case, once the data has been 
collected, either voluntarily or not, either through the 
internet of Things or at one point you clicked ``I agree'' 
because you signed up for a social platform, the question is: 
What is the obligation of the company who is in possession of 
your data? And the duty of care is the most simple way to say 
cross-sectorally you may not intentionally harm any person 
whose data you are in possession of. And that is why the duty 
of care is such a clean way to address all of this because, 
otherwise, we are going to be always a decade behind whatever 
these new-fangled companies are attempting to do to us. But if 
I could take that for the record, please.
    Ms. Dixon. Yes, I think that that is a potentially very 
good approach. I think Vermont did something like this at the 
State level where they said you cannot purchase data with the 
intent to defraud or discriminate. So I do think that ensuring 
that fairness is percolating throughout the system is a really 
good remedy.
    Senator Schatz. Thank you.
    Chairman Crapo. Senator Cortez Masto--oh, did you want to 
have Dr. Cackley----
    Senator Schatz. No. I was going to take those for the 
record.
    Chairman Crapo. So he will let you respond in writing, is 
what he is saying.
    Senator Schatz. Thank you.
    Chairman Crapo. Senator Cortez Masto.
    Senator Cortez Masto. Thank you. I appreciate that. But I 
would like to hear what Dr. Cackley had to say as well.
    Chairman Crapo. All right.
    Ms. Cackley. So in terms of, I think, a duty of care, a 
basic part of a comprehensive privacy law, that would be a good 
element to include. What we have reported is that given the 
gaps that the sectoral approach allows in terms of privacy, we 
have recommended that Congress really consider a more 
comprehensive approach and include within it several different 
elements, and a duty-of-care element should certainly be part 
of that consideration.
    Senator Cortez Masto. Yeah, I like that idea, too. I think 
it is very innovative. Along with that, transparency would be 
key, right? The consumer knows that whatever regulated credit 
score or unregulated credit score, whatever is being used that 
is based on an algorithm that is identifying their factors, 
they should have access to that, correct?
    Ms. Cackley. Access, control, ability to correct, all of 
those are important elements, yes.
    Senator Cortez Masto. OK. So, Ms. Dixon, I understand in 
2015 Allstate insurance began selling consumer driving data, 
and Allstate Chairman and CEO Tom Wilson said that the property 
casualty insurance company hopes to profit from the sale of 
telematics data and then pass on savings to consumers by 
lowering premiums.
    Is Allstate unusual in its plans to capture this 
information about people's driving data to earn additional 
profit? And, I am just curious, how many insurers have adopted 
telematics? And what has been the impact, if you know?
    Ms. Dixon. So my understanding is that they are no longer 
the only insurance company doing this. There are now several 
insurance companies. And there are also health insurance 
companies who are saying, hey, give us access to a variety of 
your data and we will give you commensurate lower rates when 
applicable.
    So I think that these are rather uncomfortable things, and, 
to put it mildly, I would really like to see guardrails on how 
these are used. I do not think we can stop what is happening in 
prediction. Prediction is getting cheaper, and it is getting 
more accurate. So we cannot stop it. However, I think we can 
take a multifactorial approach to the problems, the real 
problems that these situations impose. Do we want consumers 
giving away their data in order to, you know, have a better 
premium? And I think that you should be able to have 
protections without giving away your data. We need good rights 
here.
    Senator Cortez Masto. Right.
    Ms. Dixon. And to do that, we are going to have to have 
good rules of the road that encompass new technology, but keep 
the values, let us make a decision, and not be financially 
penalized for it. And should an insurance company be able to 
sell this data? That is a question we need to have as a matter 
of public discussion. It should not just be decided just by 
industry. It needs to be a multistakeholder conversation about 
that.
    Senator Cortez Masto. And this type of data is what goes 
into what you have identified as the neighborhood risk scores 
that----
    Ms. Dixon. That is part of it.
    Senator Cortez Masto.----companies could use, correct?
    Ms. Dixon. Oh, there are so many scores, but, yes----
    Senator Cortez Masto. But that could be part of it, there 
is so much data.
    Ms. Dixon. Absolutely.
    Senator Cortez Masto. And the other concern I am 
understanding is that because of the new technology and 
algorithms, the concern is that this information with respect 
to unregulated credit scores could end up providing higher 
accuracy levels than the regulated credit scores, such that the 
banks or other financial institutions would start using those 
unregulated credit scores more so than the regulated. Is that 
right?
    Ms. Dixon. Well, I think that banks in particular are very, 
very careful about these kinds of uses. Of the people that we 
have interviewed, they have been very, very careful. Actually, 
some of the people I worry about the most are the people who 
are not in banks and who want to pull a credit score product to 
do marketing. And instead of actually going through the 
regulation and making a firm offer of credit or insurance, they 
will just kind of skirt around the edges and pull the, you 
know, unregulated credit score and then make these offers. 
Someone discussed today especially if it is a predatory offer, 
this is where things get very problematic. If you have a 
consumer who is identified in the credit score 400 to 500 level 
and someone does not want to make a firm offer of credit or 
insurance but they want that number and they want to use that 
number to market a product maybe for bill consolidation or for 
payday loans, then I think we all need to be very interested in 
protections for that.
    Senator Cortez Masto. Thank you. And I notice my time is 
also up. I will also just submit this for the record, facial 
recognition and data that comes from that. It is topical right 
now, and the question would be: Should that information be 
shared with third parties like data brokers to be utilized? I 
am curious about your thoughts on companies in general--which I 
think it was just in the paper today, airlines were looking at 
using this type of facial recognition data. So I will submit 
that for the record.
    Thank you so much for this conversation today. I appreciate 
it, Mr. Chairman.
    Chairman Crapo. Thank you.
    Senator Warner.
    Senator Warner. Thank you, Mr. Chairman. Let me, first of 
all, just associate myself with both your comments and the 
Ranking Member's comments. It is pretty remarkable that you 
invited the data industry, the data brokers to come, and they 
did not show up. I think that is a very telling statement.
    I know folks have talked about the Fair Credit Reporting 
Act. I know we have talked about a variety of issues. I have 
been thinking a lot about this in terms of the social media 
companies. You know, the data brokers are really just one piece 
of the overall growing data economy, and we are talking a lot 
about third-party vendors. Obviously, I have got concerns as 
well about first-party vendors, the Amazons, the Facebooks, the 
Googles.
    Would you both agree that, candidly, most Americans do not 
have the slightest idea of what kind of data is being collected 
about them and what that data is worth?
    Ms. Cackley. I think it is definitely true that most 
Americans do not understand the breadth of data that is 
collected about them. They may be aware in certain instances 
where they have checked yes or provided something, but they do 
not know the true extent of it.
    Senator Warner. Ms. Dixon?
    Ms. Dixon. Thank you. The complexity of data flows right 
now is extraordinary, and you are correct, first parties, third 
parties, everything is blending. And if you look at even just 
identity, you can have an identity that overlaps in 20 
different data ecosystems. And as a result, it has become very 
difficult for anyone to map the data.
    There is this amazing chart that was produced by the 
advertising industry for itself, actually, and it maps this 
extraordinarily. It looks like the Tokyo subway lines. I mean, 
it is incredibly complex. And I do not know that it is possible 
to fully map our data anymore.
    So if that is the case, how on Earth do we cabin practices 
so that there is almost like a set of routine uses where here 
are the acceptable uses for companies, end of discussion, boom; 
and then outside of this, not acceptable uses. We are going to 
have to find our way to something like that, and we might have 
to distinguish it by sector and by perhaps even individual 
companies. But I would like to see that very fairly 
adjudicated. I am really interested in seeing people talk with 
each other to figure this out. We need to have very meaningful 
discussions to figure out where the data is going and how we 
can best protect it. But I do not think people know about----
    Senator Warner. One of the things that you touched on 
briefly, one of the areas I have got some bipartisan 
legislation that would try to focus on some of the manipulative 
practices, so-called dark patterns use, where, you know, in 
layman's terms, you have six sets of arrows clicking on--you 
know, pointing you toward the ``I agree'' button and you can 
never find the ``unsubscribe'' button, and there are a host of 
practices that go on in the industry where people give up this 
information, oftentimes unwittingly, and through 
extraordinarily sophisticated psychological tools being used by 
the companies and others to get this information.
    I know my time is getting down. I would just like your 
commentary. I believe consumers ought to have a right to know 
what data is being collected about them. I believe we need to 
take it a step further and also have some basic valuation in 
terms of how much that data is worth. And I am an old telcom 
guy. For a long time, it used to be really hard to bring 
competition in the telco market until we instituted, by 
Government regulation, number portability. I believe that same 
concept, data portability ought to be brought into the data 
economy so that if you are not liking how you are being 
treated--I think about it mostly in the social media context, 
but there are a variety of areas, in the credit-scoring areas 
as well, where, you know, if we had that knowledge of what data 
was being collected, what it is worth, and then if you did not 
like the way Facebook was treating you or some other 
enterprise, you were easily able to move all of your data in 
one swipe to a new company or a new platform. I think you could 
bring some additional competitive practices to the area.
    In these last couple seconds, data valuation, data 
knowledge, and data portability, ideas? Comments? Suggestions?
    Ms. Dixon. I really like the idea of data interoperability 
so there is more freedom----
    Senator Warner. With portability, you have got to have 
interoperability or it does not work.
    Ms. Dixon. Yes. But I think that it is going to be 
something that will end up working out in time, but it should 
be a good priority.
    Ms. Cackley. So this is not something that we have looked 
at specifically, but I think to the degree that you are talking 
about comprehensive legislation that really covers all of the 
different platforms and parties, then that kind of 
interoperability would be----
    Senator Warner. We would like to share with both of you 
some of the work we have been doing, and I think there could be 
broad-based bipartisan support.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you.
    Senator Kennedy.
    Senator Kennedy. Thank you, Mr. Chairman.
    If I go on the internet and I search and I look at social 
media and I buy something on Amazon, let us say, who--I mean, 
my actions, my behavior is recorded. We call that ``data.'' Who 
owns it?
    Ms. Dixon. I have a white paper I am going to send to you. 
We spent a lot of time thinking about this issue. So the issue 
of data ownership is quite difficult to parse, but let me give 
you my best shot and let us have a discussion.
    Senator Kennedy. Well, I would like to have a discussion, 
but first I would like to have an answer.
    Ms. Dixon. Here is the answer: I view data in our current 
data ecosystems as a common pool resource. I think a lot of 
different entities can lay claim to that data. However, no one 
gets to own it, and--well, in some cases they can.
    Senator Kennedy. You do not think that I own my data?
    Ms. Dixon. It depends on where you have used it and where 
it is. I think there are some----
    Senator Kennedy. How about you?
    Ms. Cackley. I do not think there is an answer to who owns 
your data once you have taken an action, especially in some 
ways interacted with another company.
    Senator Kennedy. Well, let us suppose that Congress passed 
a law that said the consumer owns his data and he or she can 
knowingly license it. What would be wrong with that?
    Ms. Cackley. I do not think there would be anything wrong 
with it. I think it would have impact on who could then collect 
your data or whether data could be collected.
    Senator Kennedy. No, I could license my data knowingly.
    Ms. Cackley. Right.
    Senator Kennedy. Now in terms of knowingly licensing my 
data that I own, what sort of disclosures should a social media 
company, for example, make to me in terms of how it is going to 
use my data? Right now they make disclosures, but they do not 
inform the consumer. I have said before some of those things 
are 7, 8, 9, 10 pages, written by lawyers, you could hide a 
dead body in them, and nobody would find the body. I mean, 
nobody reads them. That is not knowing consent. What would a 
social media company have to tell me in order for me to know 
what they are doing?
    Ms. Dixon. May I offer an example from the medical field? 
So under HIPAA, there are very meaningful mechanisms prior to a 
consumer agreeing to release their information outside of the 
protection of HIPAA. However, one of the concerns that has come 
up with this is that it has become very, very easy for 
consumers, patients, to ``donate'' their data. And what has 
happened is that people have donated their data and taken it 
out of the protections of HIPAA without meaningful consent.
    Senator Kennedy. Ms. Dixon, I am not trying to be rude. I 
am trying to get answers. Here is my question: If I own my data 
and I license it, I need to understand what licensing it means. 
What needs to be disclosed to me?
    Ms. Dixon. My understanding, looking at other fields--
because this is not something I have studied at length. My 
understanding is that is a serious agreement, and it would 
require massive disclosures. I think you could almost put a 
graveyard in that disclosure, you know, compared to----
    Senator Kennedy. And you do not think it is possible to 
write a disclosure that the consumer would understand? Is that 
what you are saying?
    Ms. Dixon. In this area, I would have to really look at 
that. Again, this is not an area of research for me, but I----
    Senator Kennedy. What do you think, Doc?
    Ms. Cackley. I think it would be very complicated. It is 
not an area that we have looked at either, but if Congress were 
to pass a law that allowed consumers to license their own data, 
that would require a large amount of regulations to go along--
--
    Senator Kennedy. So you both think that we should just 
allow companies to do what they want with our data, that this 
problem is impossible to solve?
    Ms. Cackley. No, no. I do not think I meant that at all. I 
just meant that it would have to be worked through. It is not 
an easy fix.
    Senator Kennedy. No, I do not think there are any easy 
fixes around here.
    Ms. Dixon. And I do not mean that either. I believe that we 
should have rules of the road, and we should have agreed-upon 
rules on what----
    Senator Kennedy. I agree with that, too, and everybody--we 
have had a lot of interesting discussions about this, but no 
offense to you, two, but the experts never offer a solution. To 
me the solution is the consumer owns his data. You can license 
it. Licensing has to be knowing and intentional. You can move 
your data. Portability should be an option. I can change my 
mind about licensing it. And companies will adapt to that. They 
will have no choice.
    Thank you, Mr. Chairman.
    Chairman Crapo. Senator Menendez.
    Senator Menendez. Thank you, Mr. Chairman.
    I have the same concerns as Senator Kennedy because we seem 
to be living in an age of data breaches. Just last week, we 
learned of a breach concerning a medical billing company, 
American Medical Collection Agency, that may have exposed the 
personal, financial, and even medical data of 20 million 
patients who were customers of Quest Diagnostics and LabCorp.
    So let me ask you, Ms. Dixon, people are rightly concerned 
that some of their personal data is now exposed and could be 
used against them. Can data brokers legally compile, aggregate, 
or sell data that has been acquired through an illegal hack?
    Ms. Dixon. I am not an attorney, so I think that is a 
question an attorney could better answer you. But my first best 
guess is I do not think you can use improperly information that 
has been disclosed in an unauthorized manner for your own 
business purposes. That seems like that would be really out of 
bounds.
    Senator Menendez. Dr. Cackley, do you have any idea?
    Ms. Cackley. I do not know the answer, but I can certainly 
find out.
    Senator Menendez. Yeah, well, I would appreciate that.
    Should people be concerned that data not otherwise covered 
by HIPAA is ending up in the hands of data brokers even in the 
absence of a hack? Are billing companies like American Medical 
Collection Agency selling non-HIPAA data to brokers?
    Ms. Dixon. This is an ongoing area of grave concern for us. 
There are actually scores of health data. There is a frailty 
score that can predict very closely how sick you are and when 
you might possibly die. I think that there are all sorts of 
scores and products related to----
    Senator Menendez. I am not sure I want to check on that 
data myself.
    Ms. Dixon. Yeah. Me either. But----
    Senator Menendez. But that is pretty frightening, isn't it?
    Ms. Dixon. It is. You know, health data that is not covered 
under HIPAA has become an increasing area, so----
    Senator Menendez. Well, let me ask you this: When hackers 
gain access to non-HIPAA data like in the Quest data breach, 
can data brokers apply machine learning to these data points to 
infer or reconstruct sensitive HIPAA-protected medical data?
    Ms. Dixon. I actually do not think that they need to 
acquire unauthorized data to do that. They can just look at our 
purchase histories and get an awful lot of data about us. But 
in terms of what is happening with this entire area, the data 
breaches of medical data actually can lead to forms of identity 
theft and medical identity theft that are very, very difficult 
to cure and can have extremely meaningful consequences in 
people's lives.
    Senator Menendez. Well, let me ask you, then, HIPAA is 
nearly 25 years old, and the 2009 HITECH Act provided updates 
which were concerning health information technology. But I am 
still concerned that we are playing catch-up when it comes to 
protecting patients. You know, of all the information that 
should be private and privileged to you, your health standing 
should be extraordinary--there are all types of consequences in 
that, in employment and discrimination, in a whole host of 
things. Are there gaps in HIPAA and other data security laws 
that need to be addressed to better protect people today in 
this 21st century threat? What coordination is missing between 
existing legal protections?
    Ms. Dixon. I do think there are gaps, and the biggest gaps 
that exist right now are the gaps that exist between the 
sectoral protections, and I do not think the answer is to just 
rip out the sector protections that exist, such as the Fair 
Credit Reporting Act or HIPAA or Sarbanes-Oxley, et cetera, but 
to find a way to fill those gaps in. For example, victims of 
medical identity theft can use their Fair Credit Reporting Act 
rights to get their financial information corrected. But under 
HIPAA it is not possible for them because it does not exist in 
the statute. It is not possible for them to get a deletion 
similar to the FCRA in their health file, so they can actually 
carry around inaccurate information which can really have an 
impact on their treatment and insurance costs. And there is not 
a solution yet. So this is the kind of gap we need to address.
    Senator Menendez. All right. Last, there was one breach 
that compromised the personal information of 20 million 
patients. That is pretty troubling. One data broker has data on 
300 million consumers. We are still reeling from the Equifax 
breach which affected 145.5 million consumers. If the 
information of 300 million consumers were to be compromised, we 
might start calling private information public information 
because at the end of the day that is the result of it.
    What are the ramifications for a consumer if a data broker 
is breached? And should we hold them to a higher standard of 
security, especially because their volume is so consequential?
    Ms. Dixon. Data broker breaches are very significant. So my 
assessment of this is that the various State data breach laws 
are doing a pretty good job, especially in some cases where the 
data breach law is quite strong, in forcing disclosures and 
notices. But I think we need to do more to ensure that all of 
the information held that is sensitive and health related, et 
cetera, is duly notified to the consumer.
    The problem with the data brokers is what they will say is, 
oh, wait, wait, we do not have a direct relationship with the 
consumers; we cannot notify them. And I think that is a gap 
that needs to be resolved. Now, the State of Vermont has 
resolved that gap.
    Senator Menendez. Well, they could reach back to the entity 
that provided them the data in the first place, and they could 
notify, could they not?
    Ms. Dixon. I believe that that could happen. And it has 
happened in some----
    Senator Menendez. I just think they should be held to a 
higher standard of security because the consequences of 
incredible numbers of Americans that are subject to having 
their privacy breached and their health care breached is just 
beyond acceptance.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you.
    Senator Rounds.
    Senator Rounds. Thank you, Mr. Chairman, and thank you for 
holding this hearing today.
    I would like to see, in listening to this, if I have picked 
up the grasp of some of the challenges we have here. It would 
appear to me that we are talking about, first of all, the 
question of the security of the data that is actually being 
collected. Second of all, it appears that we are questioning 
whether or not there is an appropriate way for individual 
consumers or individuals to actually find out and to have 
access to what these organizations, these nonregulated 
organizations actually have. And, finally, this appears that it 
may very well be a work-around with regard to the information 
that is being collected and then disseminated from what a 
regulated entity would have.
    In a nutshell, are those the three areas? And would there 
be other areas that you would also identify? I would ask each 
of you for your thoughts.
    Ms. Cackley. Those are certainly three of the main points 
that have come up today. I think the other piece that we have 
not touched on maybe as much is outside of the data brokers 
themselves. There are other technologies with privacy issues, 
you know, mobile devices, facial recognition technology--we did 
mention that--with financial technology. All of these are areas 
of concern that fall outside potentially the protections of 
FCRA in particular.
    Senator Rounds. The use of machine learning and artificial 
intelligence in this process. OK.
    Ms. Dixon?
    Ms. Dixon. So my focus has really never been on the 
technologies as an endpoint. My focus has always been on, OK, 
so we have technological processes that are going to continue 
through time, but what does that actually mean in practice. I 
have always looked at the practice. So your assessment of where 
the sticking points are is accurate. The thing I would add is 
this: I think it is going to become, as we move forward and 
prediction gets cheaper, I think prediction is going to be 
coming to a mobile phone near us, like ours. And I think we 
have to be very cautious about looking at categories of 
technologies and labeling them as bad. Similarly, in industry, 
I think we have to be very careful and say, OK, what are the 
practices that we want to go after here and want to address 
because they are harming consumers. And if we can do that in a 
truly multifactorial way, I think that will be helpful. 
Wherever these practices exist, wherever they are, we need to 
be addressing them because they are meaningful and have 
impacts.
    Senator Rounds. There is a difference between the way that 
we have looked at data and data collection and privacy in the 
United States versus the way that it has been done in some 
other parts of the world. Here we follow and we use Gramm-
Leach-Bliley within the United States, but in Europe they take 
a different approach--the GDPR, which seeks to really achieve a 
different and more comprehensive approach, but would be rather 
challenging.
    Can you share with me the thought process or your analysis 
of the differences or the advantages, one versus the other, 
between the way that we handle it today in the United States 
versus what they are doing in Europe with the GDPR in its 
current form?
    Ms. Cackley. So we have not looked at GDPR directly yet, 
but I can say that there are definitely some elements of GDPR 
that embody the Fair Information Practices Principles, which 
are the basis of some of our privacy regulation already. There 
are other pieces of GDPR that are not in the U.S. privacy 
framework, and one of the main ones, I would say, is the right 
to be forgotten. The right to be forgotten is a part of GDPR 
that really is not encompassed in the U.S. privacy framework.
    Senator Rounds. Ms. Dixon?
    Ms. Dixon. The GDPR, as you know, it was built on the EU 
95/46, so it has a lot of bureaucratic history behind it. If 
you look at what they were trying to do and all the derogations 
and what-not, it is a really complex and thought structure.
    I think that it does provide for baseline privacy 
protections, but they do not have the sectoral system and they 
do not have government privacy. So I think there is one thing I 
will say. In our country, the Privacy Act is very effective in 
regulating certain aspects of government information 
collection. They do not have anything like that.
    Senator Rounds. Thank you. I see my time has expired, Mr. 
Chairman. Thank you to both of you for your answers today. And, 
Mr. Chairman, once again thank you for the opportunity here 
today with this hearing on this very important topic.
    Chairman Crapo. Thank you, Senator Rounds.
    Senator Sinema.
    Senator Sinema. Thank you, Mr. Chairman. And thank you to 
our witnesses for being here today.
    At the Committee's last hearing on privacy, I spoke about 
the importance of privacy to Arizonans. We are practical people 
who want the modern conveniences that technology brings, but we 
value our privacy. So I am committed to making sure that 
Arizonans know how our data is being used so that we can make 
informed decisions.
    Arizonans also do not like assumptions being made about us 
or how we choose to live our lives, particularly if some of 
those assumptions are wrong, which is why current privacy and 
consumer scoring laws concern both me and many Arizonans.
    In 2013, the FTC completed and published a 10-year 
congressionally mandated study on the accuracy of credit 
reports. The FTC found that one in five consumers had an error 
on at least one of their three credit reports. So, Ms. Dixon, 
first, thank you for being here. I want to talk quickly about 
credit scores as a starting point and what happens if you or I 
were one of those consumers.
    How drastically could an error in a credit report 
negatively affect an Arizonan's credit score?
    Ms. Dixon. Yes, that effect would be profound. So, for 
example, for victims of identity theft, if someone has run up 
your credit and it is not actually your error, you could be 
seen as not making your payments, et cetera, and you can 
literally move from a 780 score to a 620 in very short order. 
It only takes about a month. And then what you have is a 
situation where, if you are about to buy a home--and these are 
from the calls we get. This is not just a hypothesis here. The 
home you are about to buy, all of a sudden you cannot qualify 
for a mortgage because of identity theft.
    So, yes, any error from any source that is in your credit 
report, it is a piece of serious business.
    Senator Sinema. So, Ms. Dixon, you said this could 
potentially prevent an Arizonan from buying a home. Would it 
also get in the way of financing an education or starting a 
small business or expanding one's business?
    Ms. Dixon. Absolutely.
    Senator Sinema. Wow, that is really troubling.
    Under the Fair Credit Reporting Act, if an Arizonan thinks 
his or her credit report or score is inaccurate, they can 
appeal it with the bureau. Is that correct?
    Ms. Dixon. That is correct.
    Senator Sinema. And if so, how?
    Ms. Dixon. Yes, there is a very specific procedure outlined 
in law where the bureaus must respond, and there is a series of 
steps that they can take, and both the Federal Trade Commission 
and the CFPB have numerous help- and hot-lines to help everyone 
through, and the State AGs also do as well. But there are very 
well documented recourses for consumers in this situation.
    Senator Sinema. Well, that is good. So we have established 
it is important to have an accurate credit score and there is a 
process to appeal it and fix it. But, increasingly, businesses 
are using so-called consumer scores that rank, rate, and 
segment consumers based on public-private and government data 
that is packaged and sold by data brokers and others. So 
sometimes this public data is inaccurate. It is often outdated 
or it could be incomplete.
    So are all consumer scores made available to consumers just 
like credit scores are?
    Ms. Dixon. Actually, almost none of them are. In fact, I 
have had almost no success. Despite trying to get consumer 
scores and asking companies for my consumer score, it is almost 
impossible to get them.
    Senator Sinema. But then how would an Arizonan know if his 
or her consumer score was inaccurate if they cannot get access 
to it?
    Ms. Dixon. That is the same question I have. They would not 
know.
    Senator Sinema. Wow. So let us say that an Arizonan were 
able to find out that his or her consumer score is inaccurate. 
Are all consumer scores covered under the FCRA so that there is 
a similar appeals process to resolve inaccuracies?
    Ms. Dixon. No consumer scores that are unregulated are 
currently covered under the FCRA. Unless it is a formal credit 
score as articulated by the FCRA and used in an eligibility 
circumstance, it is not covered.
    Senator Sinema. Well, that is very concerning, but thank 
you for sharing that information with us.
    Mr. Chairman and Ranking Member Brown, it is clear that we 
have a lot of work to do here. We have got to update our 
privacy laws to reflect new trends that are occurring in both 
business and technology to make sure that Americans have the 
right to correct their record, whether it is their credit score 
or their consumer score, on who they are, how they have lived 
their lives, and what mistakes or inaccuracies that might be 
occurring in their lives.
    So I thank you for being here, our witnesses, and I look 
forward to working with the Committee on this. And, Mr. 
Chairman, I yield back.
    Chairman Crapo. Thank you.
    That concludes the first round, but Senator Brown and I 
would like to do a second round, and you are welcome to join in 
with us, Senator, if you would like.
    There are so many questions. One of them I want to get back 
to which has been brought up by several Senators is this notion 
of the tension between doing a comprehensive bill like the GDPR 
in Europe or a sectoral approach like we do in the United 
States. And I think we all can understand there is sort of a 
push and a pull on both sides of that question.
    It seems to me, though, that we do not have a choice, at 
least at a basic level, to deal with all data collection in the 
same way. I think one of you mentioned earlier that it is all 
blending. It used to be that we could clearly distinguish what 
a credit bureau did and the credit report that a credit bureau 
prepared. Now we have massive amounts--I think Senator Brown 
referenced the 4,000 number, but I do not even know what the 
number is--of entities that are collecting data. My 
understanding is that the apps on my iPhone, many of them 
collect data even when I am not using them to report further to 
others about whatever it is, data that is not even often 
related to the app. And it seems to me that all of that data is 
in one way or another not just blending but being utilized for 
many, many different purposes, one of which is credit, one of 
which is retail sales, one of which is college applications, 
one of which is mortgages. I mean, the list can go on and on 
and on.
    So I guess I would like to have each of you just briefly--
because I have got some more questions, but briefly indicate do 
you believe that at some basic point the United States needs to 
have a comprehensive set of standards and requirements that 
would cover some basics, like when data is being collected, who 
is collecting it, whether there is an opt-in or an opt-out, 
what rights to manage or even remove one's data exist?
    Ms. Cackley. Yes, I think that is where we are right now, 
that the sectoral approach leaves too many gaps. You may not 
need to completely change to a comprehensive framework, you 
could merge elements of a comprehensive and sectoral approach 
in some ways. But a comprehensive framework that gives basic 
privacy rights and abilities for consumers to know what their 
data is and how to correct it, how to control it, is definitely 
something that needs to be addressed.
    Chairman Crapo. Thank you.
    Ms. Dixon?
    Ms. Dixon. Let me share with you that I have been seeking 
an answer to the question you just asked for about 27 years, so 
here is what I have come up with, and it is just--it is my 
opinion. What if the sectoral system was a feature, not a bug, 
born from thoughtful deliberation about very focused issue 
areas with a lot of buy-in? What if we have not been able to 
pass comprehensive legislation because our system requires more 
buy-in than other systems? These are just the hypotheses that I 
am working with.
    So if that is the case--and, also I have to tell you, I am 
quite concerned about the deep disruption to privacy law that 
would occur if there was massive preemption. But be that the 
case, what if there was a way to do a surgical strike and to 
provide guardrails in the areas that need it the most, that 
would fill in the sectoral gaps? That is what I am very 
interested in.
    So I think that something that had really important 
principles, fair information practices, principles, and then 
the adaptation of those principles for the gaps that exist. So 
I do think that standards have been a neglected part of the 
privacy conversation. I have no idea why we do not have more 
standards in privacy.
    This mobile phone has loads of standards that attach to it, 
but for our privacy and for data brokers, where are the 
standards? Well, let us create some. Let us start there. I am 
all for starting cautiously and working with best practices, 
but to give things teeth and to abide by the larger principles.
    So a nice amalgamation of all of the above, something that 
is multifactorial. I do not think we have silver bullets 
available to us anymore.
    Chairman Crapo. Well, thank you. And just one other quick 
question, and then I will turn to Senator Brown. We have talked 
a lot about the problems we are trying to address here, whether 
harm is caused by the use of data, whether credit is impacted, 
whether people are redlined or denied access to products or 
opportunities. It seems to me that when you approach the issue 
from that perspective, which is a very legitimate approach, 
that there is another issue that is--I do not know if I would 
call it a ``harm.'' Maybe it is. But there is simply a privacy 
issue. A lot of Americans, I believe, do not want to have to 
prove that they were harmed. They do not want people collecting 
data on them, or they do not want certain data collected. It is 
sort of the right to be forgotten or the right to opt out of 
certain segments of data collection.
    Is that a legitimate right that we should try to protect?
    Ms. Dixon. It is a legitimate option that we need to be 
able to have. The adversity score, I think that any child who 
is applying for college should be able to say, hey, wait, I do 
not want my neighborhood being part of that. Do they have to 
prove harm? I do not think they should have to. They should be 
able to say, hey, no, this is not something I want. It is 
legitimate.
    Chairman Crapo. Dr. Cackley?
    Ms. Cackley. I think that is right, that it is important 
for people to be able to make a choice about what data they 
share and what data they do not.
    Chairman Crapo. Senator Brown.
    Senator Brown. Thank you.
    Ms. Dixon, this is the last round of questions, blessedly, 
for both of you. And please be really brief on these because I 
have several questions.
    Should Federal regulators and supervisors have full access 
to every company's predictive models so they can evaluate them 
for bias and other legal compliance?
    Ms. Dixon. I believe they would have to hire about a 
million people if they did that. I am not sure of the answer to 
that question, but I have a lot of thoughts on this, and I will 
send you written follow-up.
    Senator Brown. OK. That would be good, including if there 
is a list of companies whose models you believe should be 
available to regulators for review.
    Ms. Dixon. I will send that to you.
    Senator Brown. OK.
    Senator Brown. A technology expert at our last hearing 
stated, ``While our online economy depends on collection and 
permanent storage of highly personal data, we do not have the 
capacity to keep such large collections of user data safe over 
time.'' Do you agree with that statement?
    Ms. Dixon. I think it is very difficult to keep user data 
safe 100 percent of the time.
    Senator Brown. Should companies be required to expunge 
certain types of user data after, say, 60 or 90 days?
    Ms. Dixon. You know, I think there are very good arguments 
for that, and there is a continuum for that. And I will respond 
to that in writing.
    Senator Brown. OK. Thanks.
    Senator Brown. Do companies who currently use personal data 
for profit see existing penalties as little more than the cost 
of doing business? That is often the case in this town, that a 
few-million-dollars fine on a multi-billion-dollar company is 
the cost of doing business. How strong do penalties and other 
enforcement mechanisms need to be in order to hold these 
companies accountable?
    Ms. Dixon. I do not know the answer to that question. 
However, I do think that having very good enforcement is an 
important stick, and I think we need carrots and sticks to make 
things right.
    Senator Brown. Is holding executives personally accountable 
one way?
    Ms. Dixon. I do not know about that.
    Senator Brown. Does that mean no or you just do not know?
    Ms. Dixon. It means that I literally do not know the answer 
to that.
    Senator Brown. A technology expert at our last hearing 
stated, ``While it is possible in principle to throw one's 
laptop into the sea and renounce all technology, it is no 
longer possible to opt out of a surveillance society.'' Do you 
agree with that statement?
    Ms. Dixon. Absolutely. I do not believe that an opt-out 
village exists.
    Senator Brown. So what would a meaningful consent contract 
between users and tech companies or users and data brokers or a 
meaningful opt-out policy look like?
    Ms. Dixon. So it needs to be multifactorial and not just 
rely on consent, because consent is a really difficult vehicle 
for that. I have a lot of very complete thoughts on that, and I 
will follow up in writing.
    Senator Brown. OK. You are going to be busy in the next few 
days.
    Ms. Dixon. That is all right. I have a lot on this.
    Senator Brown. And the last question. As you point out in 
your testimony, household data can serve as a proxy for an 
individual credit score. Some data that seems innocuous, like 
Instagram posts, can actually yield predictive data about a 
user's mental health. How do we know what data is inherently 
sensitive and what data is innocuous but can become sensitive 
when it is used to make predictions?
    Ms. Dixon. Right. One of the most difficult things that I 
have had to grapple with as a privacy expert and someone who 
cares so much about privacy is that it is so difficult to say, 
here, this is sensitive data, here, this is sensitive data. It 
is all becoming sensitive depending on how it is analyzed, and 
that is why privacy protections have had to become much more 
multifactorial and much more subtle in responding to this new 
issue.
    Senator Brown. In part, that movement, if you will, from it 
is initially not sensitive but becomes that is a result of just 
the power of--the quantity and quality of computing power, 
correct?
    Ms. Dixon. We were in a digital era. We are really moving 
into the predictive era, and it changes everything.
    Senator Brown. OK. Very good.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you, and that does conclude the 
questioning for today's hearing.
    For Senators who wish to submit questions for the record, 
those questions are due to the Committee by Tuesday, June 18th, 
and we ask the witnesses to respond to those questions as 
quickly as you can once you receive them.
    Again, we thank you both for not only your time here today 
but the attention and analysis that you have given to this 
issue and will give to the issue as we proceed.
    With that, this hearing is adjourned.
    [Whereupon, at 11:32 a.m., the hearing was adjourned.]
    [Prepared statements, responses to written questions, and 
additional material supplied for the record follow:]
               PREPARED STATEMENT OF CHAIRMAN MIKE CRAPO
    Providing testimony to the Committee today are experts who have 
researched and written extensively on big data: Dr. Alicia Cackley, 
Director of Financial Markets and Community Investment at the 
Government Accountability Office; and Ms. Pam Dixon, Executive Director 
of the World Privacy Forum.
    As a result of an increasingly digital economy, more personal 
information is available to companies than ever before.
    I have been troubled by government agencies and private companies' 
collection of personally identifiable information for a long time.
    There have been many questions about how individuals' or groups of 
individuals' information is collected, with whom it is shared or sold, 
how it is used and how it is secured.
    Private companies are collecting, processing, analyzing and sharing 
considerable data on individuals for all kinds of purposes.
    Even more troubling is that the vast majority of Americans do not 
even know what data is being collected, by whom and for what purpose.
    In particular, data brokers and technology companies, including 
large social media platforms and search engines, play a central role in 
gathering vast amounts of personal information, and often without 
interacting with individuals, specifically in the case of data brokers.
    In 2013, the GAO issued a report on information resellers, which 
includes data brokers, and the need for the consumer privacy framework 
to reflect changes in technology and the marketplace.
    The report noted that the current statutory consumer privacy 
framework fails to address fully new technologies and the growing 
marketplace for personal information.
    The GAO also provided several recommendations to Congress on how to 
approach the issue to provide consumers with more control over their 
data.
    In 2018--five years later--GAO published a blog summarizing its 
2013 report, highlighting the continued relevance of the report's 
findings.
    The Federal Trade Commission also released a report in 2014 that 
emphasized the big role of data brokers in the economy.
    The FTC observed in the report that ``data brokers collect and 
store billions of data elements covering nearly every U.S. consumer,'' 
and that ``data brokers collect data from numerous sources, largely 
without consumers' knowledge.''
    In her report ``The Scoring of America,'' Pam Dixon discusses 
predictive consumer scoring across the economy, including the big role 
that data brokers play.
    She stresses that today, no protections exist for most consumer 
scores similar to those that apply to credit scores under the Fair 
Credit Reporting Act.
    Dixon says, ``Consumer scores are today where credit scores were in 
the 1950s. Data brokers, merchants, government entities and others can 
create or use a consumer score without notice to consumers.''
    Dr. Cackley has also issued several reports on consumer privacy and 
technology, including a report in September 2013 on information 
resellers, which includes data brokers.
    She says in her report that the current consumer privacy framework 
does not fully address new technologies and the vastly increased 
marketplace for personal information.
    She also discusses potential gaps in current Federal law, including 
the Fair Credit Reporting Act.
    The Banking Committee has been examining the data privacy issue in 
both the private and public sectors, from regulators to financial 
companies to other companies who gather vast amount of personal 
information on individuals or groups of individuals, to see what can be 
done through legislation, regulation or by instituting best practices.
    Enacted in 1970, the Fair Credit Reporting Act is a law in the 
Banking Committee's jurisdiction which aims to promote the accuracy, 
fairness and privacy of consumer information contained in the files of 
consumer reporting agencies.
    Given the exponential growth and use of data since that time, and 
the rise of entities that appear to serve a similar function as the 
original credit reporting agencies, it is worth examining how the Fair 
Credit Reporting Act should work in a digital economy.
    During today's hearing, I look forward to learning more about the 
structure and practices of the data broker industry and technology 
companies, such as large social media platforms; how the data broker 
industry has evolved with the development of new technologies, and 
their interaction with technology companies; what information these 
entities collect, and with whom it is shared and for what purposes; 
what gaps exist in Federal privacy law; and what changes to Federal 
law, including the Fair Credit Reporting Act, should be considered to 
give individuals real control over their data.
    I appreciate each of you joining us today to discuss this important 
issue.
                                 ______
                                 
              PREPARED STATEMENT OF SENATOR SHERROD BROWN
    I appreciate Chairman Crapo continuing these important, bipartisan 
efforts to protect Americans' sensitive personal information.
    Today, we're looking at a shadowy industry known as ``data 
brokers.'' Most of you probably haven't heard of these companies. The 
biggest ones include names like Acxiom, CoreLogic, Spokeo, ZoomInfo, 
and Oracle. According to some estimates, 4,000 of these companies are 
collecting and selling our private information, but not one of them was 
willing to show up and speak in front of the committee today. Not one.
    These companies expect to be trusted with the most personal and 
private information you could imagine about millions of Americans, but 
they're not even willing to show up and explain how their industry 
works. I think that tells you all you need to know about how much they 
want their own faces and names associated with their industry.
    As Maciej Ceglowski told us at our last hearing, ``the daily 
activities of most Americans are now tracked and permanently recorded 
by automated systems at Google or Facebook''
    But most of that private activity isn't useful without data that 
anchors it to the real world. Facebook, Google, and Amazon want to know 
where you're using your credit cards, whether you buy name-brand 
appliances, if you're recently divorced, and how big your life 
insurance policy is. That's the kind of data that big tech gets from 
data brokers, and they then combine it with your social media activity 
to feed into their algorithms.
    You might have noticed it seems like every product or service you 
buy comes with a survey or a warranty card that asks for strangely 
personal information. Why are all these nontech companies so interested 
in your data?
    It's simple--data brokers will pay those companies for any of your 
personal information they can get their hands on, so they can turn 
around and sell it to Silicon Valley. It's hard for ordinary consumers 
to have any power when unbeknownst to them, they're actually the 
product being bought and sold.
    It reminds me of a time when corporations that had no business 
being in the lending industry decided to start making loans and selling 
them off to Wall Street. Manufacturers or car companies decided that 
consumer credit would be a great way to boost their profits. When big 
banks and big tech companies are willing to pay for something, everyone 
else will find a way to sell it to them, often with devastating 
results.
    For example, Amazon is undermining retailers and manufacturers 
across the country through anti-competitive practices, and at the same 
time, it's scooping up data from the very businesses it's pushing out 
of the market.
    Then there's Facebook--it has almost single-handedly undermined the 
profitability of newspapers across the country. It's also gobbling up 
personal information that The New York Times allows data brokers to 
collect from its readers.
    Just like in the financial crisis, a group of shadowy players sits 
at the center of the market, exercising enormous influence over 
consumers and the economy while facing little or no rules at all.
    Chairman Crapo and I are committed to shining a light on these 
companies, and to keeping an unregulated data economy from spiraling 
out of control. I look forward to the witnesses' testimony, and to 
continuing to work with Chairman Crapo in a bipartisan manner.
                                 ______
                                 
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

 RESPONSE TO WRITTEN QUESTION OF SENATOR MENENDEZ FROM ALICIA 
                         PUENTE CACKLEY

Q.1. Can data brokers legally compile, aggregate, or sell data 
that has been acquired through an illegal hack?

A.1. GAO has not conducted work to determine the extent to 
which data brokers are collecting, compiling, aggregating, or 
selling data that was acquired through illegal hacks, or the 
legality of such actions. However, we reported in March 2019 
(GAO-19-230) that, except in certain circumstances, companies 
are generally not required to be transparent about the consumer 
data they hold or how they collect, maintain, use, and secure 
these data. Further, we recommended more than a decade ago that 
Congress consider whether to expand more broadly the class of 
entities explicitly required to safeguard sensitive personal 
information, including considering whether information 
resellers should be required to safeguard all sensitive 
personal information they hold (GAO-06-674). Even still, 
statutes like the Computer Fraud and Abuse Act provide some 
protection by making the knowing unauthorized access of 
computers a crime, and FTC has used its enforcement authority 
to address some instances of unfair or deceptive behavior in 
the sale of information or its use in advertising. Notably, in 
2014, FTC alleged that a data broker sold hundreds of thousands 
of loan applications that contained sensitive data, including 
consumers' names, addresses, phone numbers, employers, Social 
Security numbers, and bank account numbers (including routing 
numbers) to entities that it knew had no legitimate need for 
such data. FTC alleged that, as a result, at least one of those 
purchasers used the information to withdraw millions of dollars 
from consumers' accounts without their authorization. FTC and 
the involved companies settled this case in 2016, which 
included monetary judgments and a permanent ban for all 
defendants on selling, transferring, or otherwise disclosing 
consumers' sensitive personal information.
                                ------                                


 RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARREN FROM ALICIA 
                         PUENTE CACKLEY

Q.1. In response to the Equifax data breach, I opened an 
investigation into the causes, impacts, and response to the 
exposure of personal data of nearly 150 million Americans. 
Equifax and other credit reporting agencies collect consumer 
data without permission, and consumers have no way to prevent 
their data from being collected and held by private companies. 
My investigation found that Equifax failed to adopt standard 
cybersecurity measures, in large part because Federal law 
incentivizes pursuit of profits over the protection of 
sensitive data.
    Your written testimony notes, ``[The Fair Credit Reporting 
Act (FCRA)] protects the security and confidentiality of 
personal
information collected or used to help make decisions about 
individuals' eligibility for credit, insurance or employment. 
FCRA limits resellers' use and distribution of personal 
data.''\1\ This law, however, is not specifically designed to 
address cybersecurity threats.\2\ In your view, how should 
Federal regulators address this gap in the oversight and 
enforcement of privacy safeguards?
---------------------------------------------------------------------------
    \1\ Written testimony of Alicia Cackley to the U.S. Senate 
Committee on Banking, Housing, and Urban Affairs, June 11, 2019, 
https://www.banking.senate.gov/imo/media/doc/Cackley%20
Testimony%206-11-19.pdf.
    \2\ Letter from Acting Federal Trade Commission Chair Maureen 
Ohlhausen to Senator Elizabeth Warren, October 3, 2017.

A.1. There is currently no comprehensive Federal statute to 
address consumer privacy, which is one reason that Federal 
regulators are limited in their ability to address potential 
gaps in current law. In a 2013 report (GAO-13-663), we 
recommended that Congress consider updating the consumer 
privacy framework to reflect the effects of changes in 
technology and the marketplace--changes that have included new 
and greater cybersecurity threats. Criteria for developing such 
a framework could include the Fair Information Practice 
Principles--and a key principle is that personal information 
should be protected with reasonable security safeguards against 
risk such as loss or unauthorized access, destruction, 
---------------------------------------------------------------------------
modification, or disclosure.

Q.1.a. How would legislation to establish and provide Federal 
authority and resources to monitor data security practices of 
credit reporting agencies and data brokers benefit consumers?

A.1.a. Stronger Federal oversight of data security practices 
could help to ensure that consumer reporting agencies and data 
brokers better safeguard all sensitive personal information, 
which could protect consumers from identity theft and other 
effects of data breaches. To strengthen such oversight, our 
February 2019 report on consumer reporting agencies (GAO-19-
196) recommended that Congress consider giving FTC civil 
penalty authority to enforce Gramm-Leach-Bliley Act's (GLBA) 
safeguarding provisions. In addition, we have long held that 
data protections should apply broadly. For example, in 2006 
(GAO-06-674), we noted that much of the personal information 
maintained by information resellers that did not fall under 
FCRA or GLBA was not necessarily required by Federal law to be 
safeguarded, even when the information is sensitive and subject 
to misuse by identity thieves. We therefore recommended that 
Congress consider requiring information resellers to safeguard 
all sensitive personal information they hold.

Q.1.b. In your view, would legislation to impose strict 
liability penalties for breaches involving consumer data at 
credit reporting agencies and data brokerages lead to 
improvements in consumer data security? Would consumers benefit 
if such penalties were imposed on data brokers?

A.1.b. GAO has not reviewed the issue of how strict liability 
penalties for breaches involving consumer data at consumer 
reporting agencies and other information resellers would affect 
consumer data security or consumers. However, we have 
highlighted the importance of providing agencies with civil 
penalty authority, which can also be a strong enforcement tool. 
In our February 2019 report on oversight of consumer reporting 
agencies (GAO-19-196), we recommended that Congress consider 
giving FTC civil penalty authority to enforce GLBA's 
safeguarding provisions. Currently, to obtain monetary redress 
for these violations, FTC must identify affected consumers and 
any monetary harm they may have experienced. However, harm 
resulting from privacy and security violations (such as a data 
breach) can be difficult to measure and can occur years in the 
future, making it difficult to trace a particular harm to a 
specific breach. FTC currently lacks a practical enforcement 
tool for imposing civil money penalties that could help to 
deter companies from violating data security provisions of GLBA 
and its implementing regulations. Such deterrence could benefit 
consumers because companies may be motivated to develop 
stronger procedures for data security that would protect 
consumer data from theft and security breaches.

Q.2. Despite there being laws in place to regulate consumer 
credit reporting, your written testimony notes that there are 
``no Federal laws designed specifically to address all the 
products sold and information maintained by [data 
brokers].''\3\ Given the limited ability of individuals to 
access, control, and correct their personal data, as well as 
the limited legal framework to regulate data brokers, would the 
inadequacy of current laws be addressed by regulating data 
brokers under the Fair Credit Reporting Act?
---------------------------------------------------------------------------
    \3\ Written testimony of Alicia Cackley to the U.S. Senate 
Committee on Banking, Housing, and Urban Affairs, June 11, 2019, 
https://www.banking.senate.gov/imo/media/doc/Cackley%20
Testimony%206-11-19.pdf.

A.2. GAO has not conducted work specifically assessing the 
advantages and disadvantages of regulating all information 
resellers (data brokers) under the Fair Credit Reporting Act. 
In 2013 (GAO-13-663), we noted gaps in Federal privacy law--
including that it did not always cover consumer information 
used by information resellers for marketing purposes or other 
uses not covered by provisions of the Fair Credit Reporting 
Act. We recommended that Congress consider strengthening the 
consumer privacy framework to address these gaps, but we did 
---------------------------------------------------------------------------
not recommend a specific regulatory scheme for doing so.

Q.2.a. Credit reporting agencies make billions of dollars 
collecting and selling information about consumers, but 
consumers have little ability to control how their personal 
information is collected and used by these agencies. How would 
legislation to give consumers more control over personal 
financial data and to create a uniform, Federal process for 
obtaining and lifting credit freezes benefit consumers? Would 
consumers benefit if such legislation also applied to currently 
unregulated parts of the industry, such as data brokerages?

A.2.a. While consumers currently do not have a uniform, Federal 
process for credit freezes, the Economic Growth, Regulatory 
Relief, and Consumer Protection Act required the three 
nationwide consumer reporting agencies to place and lift 
freezes at no cost to the consumer. Freezes must be placed 
within 1 business day, and lifted within 1 hour, of receiving a 
telephone or electronic request. However, consumers must 
contact each of the three agencies individually and request the 
freeze. Consumers obtain a PIN from each company, which enables 
them to lift or remove a freeze at a later date. Before the 
2018 Act, consumers typically had to pay $5-$10 per agency to 
place a credit freeze. In our March 2019 report (GAO-19-230) on 
data breaches and limitations of identity theft services, some 
experts had noted cost and inconvenience as some of the 
limitations to a credit freeze.\4\ The new law addresses these 
concerns to some degree by making credit freezes free and 
requiring these consumer reporting agencies to lift freezes 
expeditiously on request.
---------------------------------------------------------------------------
    \4\ GAO, Data Breaches: Range of Consumer Risks Highlights 
Limitations of Identity Theft Services, GAO-19-230 (Washington, DC: 
March 27, 2019).
---------------------------------------------------------------------------
    In terms of less-regulated segments of the information 
reseller industry--most notably, companies or data not covered 
by FCRA--our 2013 recommendation to Congress (GAO-13-663) 
suggested updating the consumer privacy framework in ways that 
could address this gap. In particular, two key elements we said 
such legislation should consider are (1) the adequacy of 
consumers' ability to access, correct, and control their 
personal information in circumstances beyond those currently 
accorded under FCRA; and (2) whether there should be additional 
controls on the types of personal or sensitive information that 
may or may not be collected and shared.
                                ------                                


 RESPONSES TO WRITTEN QUESTIONS OF SENATOR SCHATZ FROM ALICIA 
                         PUENTE CACKLEY

Q.1. Are data sets collected by data brokers getting into the 
blood stream of credit, employment, and housing decision 
making, in a way that evades FCRA?

A.1. GAO has not conducted work to determine the extent to 
which information collected by data brokers is being used to 
make credit, employment, and housing decisions in ways that do 
not comply with the Fair Credit Reporting Act (FCRA). However, 
in a 2018 report on financial technology (GAO-19-111), we 
evaluated consumer protection issues related to FinTech 
lenders' use of alternative data--that is, data not 
traditionally used by the national consumer reporting agencies 
in calculating a credit score--to make loan decisions.\1\ Five 
of the 11 FinTech lenders we interviewed said they used 
alternative data to supplement traditional data when making a 
credit decision, with one using it exclusively. These lenders 
told us that they obtain the data from borrowers, data 
aggregators, national databases, or other sources. Consumers 
may face risk of harm due to inaccurate credit assessments when 
FinTech lenders use alternative data to underwrite loans. 
Inaccurate data or models could classify borrowers as higher 
credit risks than they actually are. This could result in those 
borrowers paying unnecessarily high interest rates (and 
increase risk of default), or it could result in creditworthy 
borrowers being denied credit. While FCRA requires that 
borrowers have an opportunity to check and correct inaccuracies 
in their credit reports, borrowers could face challenges 
checking and correcting alternative data, which typically are 
not shown in credit reports. Further, it may not be transparent 
to consumers and regulators what specific information 
alternative credit-scoring systems use, how such use affects 
consumers, and what consumers might do to improve credit access 
and pricing.
---------------------------------------------------------------------------
    \1\ GAO, Financial Technology: Agencies Should Provide 
Clarification on Lenders' Use of Alternative Data, GAO-19-111 
(Washington, DC: Dec. 19, 2018).

Q.2. Under current law, do companies that collect and sell 
information about consumers have any duty to consumers about 
---------------------------------------------------------------------------
how that information will be used?

A.2. The legal obligation to consumers related to the use of 
consumer information varies based on the content and context of 
that use. No comprehensive Federal privacy law governs the 
collection, use, and sale of personal information by private-
sector companies. While there are Federal laws addressing 
commercial privacy issues, they are generally narrowly tailored 
to specific purposes, situations, types of information, or 
sectors or entities--such as data related to financial 
transactions, personal health, and eligibility for credit. 
These laws include provisions that can restrict how certain 
companies use consumer information they collect or sell--by, 
for example, limiting the disclosure of certain types of 
information to a third party without an individual's consent.
    For example, FCRA--which applies to personal information 
used for certain eligibility determinations--gives consumers 
the right, among other things, to opt out of allowing consumer 
reporting agencies to share their personal information with 
third parties for prescreened marketing offers. Another example 
is the Gramm-Leach-Bliley Act, which imposes certain sharing 
and disclosure restrictions on financial institutions or 
entities that receive nonpublic personal information from such 
institutions. For instance, a third party that receives 
nonpublic personal information from a financial institution to 
process consumers' account transactions generally may not use 
or resell the information for marketing purposes. Similarly, 
other laws, such as the Health Insurance Portability and 
Accountability Act of 1996 and the Children's Online Privacy 
Protection Act of 1998, also restrict how consumer information 
can be used, but they too apply narrowly to specific entities 
or types of information.

Q.3. If consumers are discriminated against or harmed because 
of how that data is used, who is responsible?

A.3. While the responsible party, if any, is going to vary 
based on the facts and circumstances of each case, our January 
2019 report on internet privacy (GAO-19-52) examined some 
examples of Federal Trade Commission (FTC) enforcement actions 
taken against companies related to internet privacy.\2\ In 
these enforcement actions FTC alleged each company's practices 
were unfair, deceptive, a violation of the Children's Online 
Privacy Protection Act (COPPA), a violation of a settlement 
agreement, or a combination of these reasons. In that report we 
found that between July 1, 2008, and June 30, 2018, FTC filed 
101 internet privacy enforcement actions, 15 of which included 
COPPA enforcement actions against a variety of companies. Of 
the 101 internet privacy actions, we reported that 51 involved 
internet content providers, 21 involved software developers, 12 
involved the sale of information or its use in advertising, 5 
involved manufacturers, 1 involved an internet service 
provider, and 11 involved a variety of different products, such 
as those provided by rent-to-own companies or certification 
services. In nearly all 101 cases companies settled with FTC, 
which required the companies to make changes in their policies 
or practices as part of the settlement. We reported that during 
that 10-year period, FTC leveled civil penalties against 15 
companies for alleged violations of COPPA regulations totaling 
$12.7 million. These civil penalties ranged from $50,000 to $4 
million with an average amount of $847,333. We also reported 
that FTC can seek to compel companies to provide monetary 
relief to those they have harmed and during that period FTC 
levied civil penalties against companies for violations of 
consent decrees or obtained monetary relief to consumers from 
companies for a total of $136.1 million. These payment orders 
ranged from $200,000 to $104.5 million and the average amount 
was $17 million.\3\
---------------------------------------------------------------------------
    \2\ GAO, internet Privacy: Additional Federal Authority Could 
Enhance Consumer Protection and Provide Flexibility, GAO-19-52 
(Washington, DC: Jan. 15, 2019).
    \3\ However, this sum does not represent the amount of money that 
consumers actually received or that was forfeited to the U.S. Treasury. 
In some cases, including the payment order for $104.5 million, FTC 
suspended the judgment because of the defendants' inability to pay.

Q.4. If a data broker is breached and a consumer suffers harm 
---------------------------------------------------------------------------
from identity theft, who is liable?

A.4. As with the broader case of consumer harm, liability in 
identity theft cases is a matter of the facts and circumstances 
of each individual case. GAO hasn't examined liability 
specifically with regard to data breaches. However, as noted 
above, in our January 2019 report (GAO-19-52) we found that 12 
of FTC's internet privacy enforcement actions between July 1, 
2008, and June 30, 2018, involved the sale of information or 
its use in advertising. Notably, in 2014, FTC alleged that a 
data broker sold hundreds of thousands of loan applications 
that contained sensitive data, including consumers' names, 
addresses, phone numbers, employers, Social Security numbers, 
and bank account numbers, including the bank routing numbers, 
to entities that it knew had no legitimate need for such 
data.\4\ FTC alleged that, as a result, at least one of those 
purchasers used the information to withdraw millions of dollars 
from consumers' accounts without their authorization. FTC and 
the involved companies settled this case in 2016, which 
included monetary judgments and a permanent ban for all 
defendants on selling, transferring, or otherwise disclosing 
consumers' sensitive personal information without consent.\5\
---------------------------------------------------------------------------
    \4\ See Complaint, Federal Trade Commission v. Sitesearch 
Corporation, dba LeapLab et al., No. 2:14-cv-02750-NVW (D. Ariz. Dec. 
22, 2014), https://www.ftc.gov/system/files/documents/cases/
141223leaplabcmpt.pdf; see also Complaint, Federal Trade Commission v. 
Ideal Financial Solutions, Inc., et al., No. 2:13-cv-00143-MMD-GWF (D. 
Nev. Jan. 28, 2013), https://www.ftc.gov/sites/default/files/documents/
cases/2013/02/130220ifscmpt.pdf.
    \5\ See Stipulated Final Order for Permanent Injunction and 
Settlement of Claims, Federal Trade Commission v. Sitesearch 
Corporation, dba LeapLab, a Nevada corporation; et al., No. CV-14-
02750-PHX-NVW (D. Ariz., Feb. 5, 2016), https://www.ftc.gov/system/
files/documents/cases/160218leaplaborder_0.pdf; see also Order Granting 
in Part Motion for Summary Judgment and Motion for Default Judgment, 
Entering Final Judgment, and Closing Case, Federal Trade Commission v. 
Ideal Financial Solutions, Inc., et al., No. 2:13-cv-00143-JAD-GWF (D. 
Nev. Feb. 23, 2016), https://www.ftc.gov/system/files/documents/cases/
160309ideal
financialorder.pdf.

Q.5. Do you think Federal law should require companies that 
collect and use consumer data to take reasonable steps to 
prevent unwanted disclosures of data and not use data to the 
---------------------------------------------------------------------------
detriment of those consumers?

A.5. While GAO has not taken a position on whether Federal law 
should require all companies to take measures to protect all 
consumer data and to not use that data to the detriment of 
consumers, we have previously recommended in GAO-13-663 that 
Congress consider strengthening the current consumer privacy 
framework. In making our recommendation, we noted that current 
privacy law is not always aligned with the Fair Information 
Practice Principles. One of these principles directly addresses 
unwanted disclosures: ``security safeguards'' is the principle 
that personal information should be protected with reasonable 
security safeguards against risks such as loss or unauthorized 
access, destruction, use, modification, or disclosure. Other 
principles address not using a consumer's data to the detriment 
of that consumer: for example, ``use limitation'' is the 
principle that data should not be used for other than a 
specified purpose without consent of the individual or legal 
authority.
    In addition, GAO has made a number of specific 
recommendations for modifying Federal law that relate to 
protecting consumer data held by private companies.

   LIn May 2019 (GAO-19-340), we recommended that 
        Congress consider providing the Internal Revenue 
        Service (IRS) with explicit authority to establish 
        security requirements for paid tax return preparers' 
        and Authorized e-file Providers' systems.\6\

    \6\ GAO, Taxpayer Information: IRS Needs to Improve Oversight of 
Third-Party Cybersecurity Practices, GAO-19-340 (Washington, DC: May 9, 
2019).

   LIn February 2019 (GAO-19-196), we recommended that 
        Congress consider providing the Federal Trade 
        Commission with civil penalty authority for the 
        safeguarding provisions of the Gramm-Leach-Bliley Act, 
        which would help the agency act against data security 
        violations by financial institutions.\7\
---------------------------------------------------------------------------
    \7\ GAO, Consumer Data Protection: Actions Needed to Strengthen 
Oversight of Consumer Reporting Agencies, GAO-19-196 (Washington, DC: 
Feb. 21, 2019).

   LIn June 2006 (GAO-06-674), we recommended that 
        Congress consider requiring information resellers to 
        safeguard all sensitive personal information they 
        hold--not just information covered under the 
        safeguarding provisions of the Fair Credit
        Reporting Act and Gramm-Leach-Bliley Act.\8\
---------------------------------------------------------------------------
    \8\ GAO, Personal Information: Key Federal Privacy Laws Do Not 
Require Information Resellers to Safeguard All Sensitive Data, GAO-06-
674 (Washington, DC: June 26, 2006).
---------------------------------------------------------------------------
                                ------                                


  RESPONSES TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM 
                     ALICIA PUENTE CACKLEY

Q.1. What does it mean for financial markets now that FINRA can 
essentially predict and decide in real time, or near real-time 
investor behavior? What does it mean for other financial and 
technical sectors?

A.1. In a March 2018 GAO forum (GAO-18-142SP), we highlighted 
the use of artificial intelligence (AI) in financial services, 
including market surveillance oversight activities.\1\ At the 
time of the forum, the Financial Industry Regulatory Authority 
(FINRA) was developing a prototype AI-based system, called the 
Dynamic Surveillance Platform, which used supervised machine 
learning capabilities to learn and detect different patterns of 
market anomalies to enhance the ability to detect instances of 
potential illegal manipulation of the securities and options 
markets. With new AI-based tools, as well as future data 
enhancements to increase the visibility of each trading 
transaction offered by a new consolidated audit trail being 
developed, regulators were hopeful that employing machine 
learning capabilities will help identify future intentional 
manipulation of the markets.
---------------------------------------------------------------------------
    \1\ GAO, Technology Assessment: Artificial Intelligence: Emerging 
Opportunities, Challenges, and Implications, GAO-18-142SP (Washington, 
DC: March 28, 2018).
---------------------------------------------------------------------------
    During the forum, industry participants and regulators 
highlighted both benefits and challenges offered by the use of 
AI tools in the marketplace. Benefits included enhanced 
surveillance monitoring (by an entity internally as well as 
externally by financial regulators) and tools to better detect 
and prevent improper market conduct and enforce existing laws 
and regulations in the marketplace. At the same time, 
challenges and growing pains associated with technological 
advances of AI-based tools also exist. For instance, banking 
regulators and other industry observers said that banks are 
reluctant to move quickly in implementing AI tools for lending 
operations due to concerns about meeting requirements under 
existing laws and regulations (e.g., requirements stemming from 
fair lending laws that prohibit discriminatory practices on 
lending, whether intentional or not, based on race, gender, 
color, religion, national origin, marital status, or age).

Q.2. What are some of the gaps in currently existing law with 
respect to how enforcement agencies deal with this multitude of 
laws and what should we be thinking about in the Banking 
Committee as we prepare to potentially consider broader privacy 
legislation drafted by the Commerce Committee?

A.2. Many existing privacy statutes in the United States were 
developed before the advent of many current technologies and 
before companies were collecting and sharing such vast 
quantities of consumer personal information. We reported in a 
2013 review of information resellers (GAO-13-663) that we 
believed that gaps exist in the current statutory privacy 
framework, and we believe this remains true today.\2\ In 
particular, the current framework does not fully address 
changes in technology and marketplace practices that 
fundamentally have altered the nature and extent to which 
personal information is being shared with third parties. 
Moreover, while current laws protect privacy interests in 
specific sectors and for specific uses, consumers generally 
have little control over how their information is collected, 
used, and shared with third parties for marketing purposes.
---------------------------------------------------------------------------
    \2\ GAO, Information Resellers: Consumer Privacy Framework Needs to 
Reflect Changes in Technology and the Marketplace, GAO-13-663 
(Washington, DC: Sept. 25, 2013).
---------------------------------------------------------------------------
    If Congress considers broader privacy legislation to 
strengthen the consumer privacy framework, we believe that 
among the issues that should be considered are:

   Lthe adequacy of consumers' ability to access, 
        correct, and control their personal information in 
        circumstances beyond those currently accorded under the 
        Fair Credit Reporting Act;

   Lwhether there should be additional controls on the 
        types of personal or sensitive information that may or 
        may not be collected and shared;

   Lchanges needed, if any, in the permitted sources 
        and methods for data collection; and

   Lprivacy controls related to new technologies, such 
        as web tracking and mobile devices.

At the same time, we recognize that different legislative 
approaches to improving privacy involve tradeoffs and believe 
that any strengthened privacy framework should also seek not to 
unduly inhibit the benefits to consumers, commerce, and 
innovation that data sharing can accord.
                                ------                                


  RESPONSES TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM PAM 
                             DIXON

Q.1. In the hearing, you stated it is of ``grave concern'' that 
data not covered by HIPAA is ending up in the hands of data 
brokers.

Q.1.a. Are medical billing companies selling non-HIPAA data to 
brokers?

A.1.a. We are most familiar with third-party medical billing 
companies that inappropriately use HIPAA data for fraudulent 
purposes. We are less familiar with medical billing companies 
selling non-HIPAA data. The risk of HIPAA data misuses, 
however, is significant by itself.
    One major modality medical billing companies have used is 
to fraudulently use HIPAA data to bill Medicare/Medicaid 
directly, apart from original billing tasks. In another model, 
medical billers may simply overcharge for services. These 
activities are a form of medical identity theft, and typically 
results in fraudulent changes to the health file. The Office of 
the Inspector General wrote a brief but seminal report about 
billing companies in March, 2000.\1\ In the report, the OIG 
noted the complex problems with medical billing, including 
problems with transparency and auditing. There continue to be 
many cases relating directly to problems with medical 
billers.\2\
---------------------------------------------------------------------------
    \1\ See https://oig.hhs.gov/oei/reports/oei-05-99-00100.pdf.
    \2\ See, for example, the 2015 Medicaid case: https://
www.justice.gov/usao-wdnc/pr/owner-medical-billing-company-indicted-
health-care-fraud-and-aggravated-identity-theft; and the more recent 
case from July 2019: https://www.justice.gov/usao-sdoh/pr/medical-
billing-company-owner-sentenced-prison-health-care-fraud.
---------------------------------------------------------------------------
    OIG has established voluntary compliance guidance for 
medical billing, but the guidance dates from 1998.\3\ HBMA has 
established medical billing credentialing and training for 
companies, which currently functions as a set of best 
practices.\4\ We believe much more can be done here, for 
example, we would like to see many more credentialed members of 
HBMA, and more encouragement from Congress for either 
certification or some additional form of oversight for medical 
billing companies.
---------------------------------------------------------------------------
    \3\ See https://www.oig.hhs.gov/fraud/docs/complianceguidance/
thirdparty.pdf.
    \4\ See https://www.hbma.org/content/certification/hbma-compliance-
accreditation-program/accredited-companies.
---------------------------------------------------------------------------
    Medical billing deserves an update from OIG and from 
Congress. It would be a particularly productive area to update.

Q.1.b. How pervasive of a problem is medical identity theft?

A.1.b. We first identified medical identity theft as a problem 
in testimony to NCVHS in 2005, then wrote the first known 
report on the topic in 2006.\5\ We continue to research the 
field, and can now give you precise quantifications of the 
problem, State by State.
---------------------------------------------------------------------------
    \5\ See https://www.worldprivacyforum.org/2006/05/report-medical-
identity-theft-the-information-crime-that-can-kill-you/.
---------------------------------------------------------------------------
    In January 2020 we will publish our State of Medical 
Identity Theft report, which follows our 2017 Geography of 
Medical Identity Theft report.\6\ We published an interactive 
data visualization of medical identity theft in the United 
States, by State that accompanied the report.\7\
---------------------------------------------------------------------------
    \6\ See https://www.worldprivacyforum.org/2017/12/new-report-the-
geography-of-medical-identity
theft/.
    \7\ World Privacy Forum, Medical Identity Theft Mapped by State: 
Data Visualization. https://www.worldprivacyforum.org/2017/12/medical-
identity-theft-reports-to-the-consume-financial-protection-bureau/.
---------------------------------------------------------------------------
    In our 2020 report, we again have found pervasive incidents 
of medical identity theft across the United States, with some 
States showing more serious problems. We have included two 
screen shots of our pre-publication data to give you a visual 
view of the numbers. The numbers from 2013-2018 are final, and 
the numbers for 2019 run to Dec. 1. Our January report with the 
final 2019 numbers will have nearly identical statistics as the 
screenshots attached here.
    As you can see from the data, medical identity theft is now 
present in all States. This data has been adjusted per 
population rate. We note persistent patterns of medical 
identity theft through the southeastern corridor, with hot 
spots in Texas, Georgia, Florida, South Carolina, and Nevada. 
We note that New Jersey was a hot spot, but has seen 
improvement in recent years, as has Illinois.

Medical Identity Theft complaints, 2013-2019:



Medical Identity Theft Complaints, 2019
Rate per 1 Million Population



Q.1.c. When patients are victims of medical identity theft, 
what recourse do they have to correct errors on their files?

A.1.c. Patients can use their rights under the FCRA to correct 
the financial aspects of their healthcare provider records. 
However, patients do not have commensurate rights under HIPAA 
to delete or correct errors in their medical records. Under 
HIPAA, patients can request the addition of an amendment to 
their records. An amendment request does not have to be honored 
by the healthcare
provider. Amendment requests do not mandate the removal or 
correction of information, they simply allow consumers to 
dispute the information. Healthcare providers typically do not 
delete information in a health file.
    There are some workarounds. A responsible healthcare 
provider can remove inaccurate information from a patient's 
record and leave only a numeric cross reference to the 
information introduced by the fraudulent activities. For 
example, if a patient was fraudulently billed for having 
cancer, the patient's health record would reflect that error. 
The heathcare provider could remove that and other related 
information introduced by the fraudulent activity, and 
sequester it into a new ``John or Jane Doe'' file, leaving only 
a numeric cross reference. This is one of the several best 
practices for handling errors in records resulting from medical 
identity theft.
    However--this issue needs to be addressed legislatively so 
that there is a national standard for how to assist victims in 
correcting their health records after medical identity theft 
has introduced errors. Ultimately, a national-level solution 
will improve data for the entire health system as well as help 
victims. This is a gap that needs to be addressed.

Q.1.d. Typically, how often do these cases go unresolved?

A.1.d. Anecdotally, many cases go unresolved. We are aware of 
many patients over the years who have chosen to ignore the 
problems, because they simply could not resolve them. Part of 
the way we know this is from ongoing phone calls over the years 
since the first publication of our report in 2006. We have 
found that there is a high degree of variability in healthcare 
providers' responses. We believe a uniform procedure for 
correction could improve outcomes for victims and providers 
alike.

Q.2. You also mentioned that we need to do more to ensure that 
consumers are notified when a data broker suffers a breach that 
exposes consumers' sensitive information.

Q.2.a. Given that data brokers often do not have a direct 
relationship with consumers, what do you think is the best way 
for Congress to ensure that consumers are notified when their 
data is exposed by a breach?

A.2.a. Data brokers should have specific requirements to make 
breach notification to consumers. It is not reasonable that 
data brokers cannot find a way to contact consumers who are not 
their direct customers, but nevertheless have lists and APIs 
filled with highly identifiable personal data of these same 
consumers, including email addresses, home addresses, phone 
numbers, and sometimes social media handles. Of all entities, 
data brokers have the information on hand to make appropriate 
breach notification--even those that do not have a direct 
relationship to the consumer.

Q.2.b. Is there a way for consumers to better control how their 
data is shared with brokers, perhaps by requiring some sort of 
affirmative consent?

A.2.b. Requiring consent in some circumstances and providing a 
uniform opt-out with enforcement procedures and penalties for 
noncompliance would be helpful for better controlling data 
management among data broker companies.
    Currently, there is not a uniform, comprehensive, or simple 
way for consumers to control how their data is shared with 
brokers, nor to opt out. Not all data brokers provide an opt 
out. Those that do can be difficult for most consumers to find. 
To opt out of all data brokers operating in the United States 
is not possible today. Even if it were possible, most consumers 
would need to be an extraordinary amount of time to find and 
request data broker opt outs. A central data broker 
registration point would be helpful to solve this problem.
    Vermont passed a modest but important data broker 
registration law that did not include opt-out requirements. 
However, the registration law is still helpful so that 
consumers know what data brokers are operating in their State. 
A handful of other States have passed some limited opt-out 
requirements, for example, some States allow members of the 
judiciary and law enforcement the right to opt out of data 
broker databases.
    Both data broker registration and opt-out requirements have 
roles to play in improving consumer control.

Q.3. The World Privacy Forum's website says ``Some commercial 
data brokers allow some categories of consumers to opt out of 
some limited uses and disclosures of personal information.'' 
That quote does not inspire confidence in consumers that they 
have control over their data.

Q.3.a. Does the data broker industry have a comprehensive and 
uniform opt-out policy for consumers?

A.3.a. No. The data broker industry does not have a uniform or 
comprehensive opt-out policy for consumers. The data broker 
industry has a poor record of how they handle opt outs. Here 
are some of the key issues:

   LOpt-outs often require additional identity 
        information, including digital scans of Government IDs, 
        which consumers are rightly concerned about giving to a 
        data broker.

   LSome sites charge opt-out fees. For example, the 
        DMA charges a fee to consumers to opt out. Consumers 
        should be able to opt out free of charge.

   LData brokers--many of them--make the opt-outs so 
        difficult that the hurdle is too high for any but the 
        most persistent and determined consumer. See the FTC 
        complaint we wrote in regards to this issue.\8\ There 
        are also a lot of nudges to redirect people from opting 
        out.
---------------------------------------------------------------------------
    \8\ See https://www.worldprivacyforum.org/2009/04/public-comments-
request-for-declaration-regarding-fairness-of-opt-out-methods-and-
investigation-into-acxiom-ussearch-publicrecordsnow-and-usa-people-
search-consumer-opt-outmethods-for-compliance-with/.

   LWe have worked with many survivors of crime and 
        domestic violence regarding data broker issues. When we 
        work with individuals to try to opt out, we find that 
        it takes people about 40 hours on average to get 
        through all of the opt-outs. And that is a first pass 
---------------------------------------------------------------------------
        of just the larger data brokers that do allow opt-outs.

   LNot all opt-outs ``take.'' The rates for opt-out 
        failure vary widely by site.

   LFCRA compliance among data brokers is woefully low; 
        data brokers that are offering background checks often 
        disclaim responsibility by noting that consumers can 
        only search for themselves. How are these sites 
        ensuring no FCRA violations are occurring? Where is the 
        oversight on this?

   LAnd on top of all of this, can consumers even find 
        all of the data brokers to opt-out from?

Q.3.b. What is the best approach for giving consumers power 
over their data given that current data broker opt-out options 
are ``quite limited'' and that it is nearly impossible to tell 
the effect an opt-out will actually have?

A.3.b. First, it is important to institute multifactoral 
solutions. Data brokers present complex problems and challenges 
for consumers. There isn't a ``single silver bullet'' solution 
that will capture everything.
    Second, there are many small solutions which, if put in 
place, would facilitate meaningful improvements for consumers 
regarding data brokers. When taken together, if a thoughtful 
grouping of solutions could be enacted, it would be helpful. 
(Opt out plus registration plus data breach requirement plus 
oversight, et cetera.)
    Third, self regulation has utterly failed in the data 
broker industry. We do not need to spend any more time on this. 
It hasn't worked, and is not likely to work.
    Fourth, data brokers have many business models. It is a 
complex sector, and the definitional boundaries are challenging 
to set. There is not one sole definition anymore of a data 
broker. It makes sense at this point to consider a variety of 
regulatory strategies to match the type of data broker. For 
example, People Search data brokers should be required to 
provide opt-outs to consumers. Data brokers creating aggregate 
credit scores should be subject to the FCRA in their uses of 
household-modeled scores. (The FCRA will need to be expanded 
for this to happen.)
Solutions that will help:
  1. LLegislation that requires data brokers to not use or 
        disclose consumer data for any fraudulent or criminal 
        purpose, and requires data brokers to not use consumer 
        data in a discriminatory way or for any discriminatory 
        purpose.

  2. LLegislation requiring data brokers to provide an opt-out 
        to consumers. All People Search data brokers should be 
        required to provide an opt-out.

  3. LLegislation mandating a comprehensive, unified opt-out in 
        content and format.

  4. LLegislation providing for a unified registry of all 
        categories of data brokers (Vermont State statute, 
        exemplar.)

  5. LExpansion of the FCRA to expand definitions of 
        eligibility to ensure that household or aggregate 
        credit scoring and other meaningful consumer scores are 
        regulated.

  6. LLegislation that requires all data brokers to provide 
        data breach notification to consumers.

  7. LLegislation that requires data brokers to maintain 
        security standards, and actively set requirements for 
        meeting security targets, benchmarks, and show security 
        improvements.

Q.3.c. What happens to a consumer's data once they have opted 
out?

A.3.c. Consumers' data, after they have placed an opt-out 
request, is most frequently suppressed in some way. The opt-out 
data is frequently still held by the data broker, but when data 
brokers ``suppress'' the data, they do not allow it to be 
visible to the public for a period of time.
    A number of data brokers require opt-outs to be repeated 
after a period of time, and there are no rules of the road for 
what period of time will be involved. It can be 1 year, 2 
years, 3 years, et cetera. Consumers are on their own to keep 
track of how often they will have to go through the opt-out 
process.
                                ------                                


RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARREN FROM PAM DIXON

Q.1. In response to the Equifax data breach, I opened an 
investigation into the causes, impacts, and response to the 
exposure of personal data of nearly 150 million Americans.
    Equifax and other credit reporting agencies collect 
consumer data without permission, and consumers have no way to 
prevent their data from being collected and held by private 
companies. My investigation found that Equifax failed to adopt 
standard cybersecurity measures, in large part because Federal 
law incentivizes pursuit of profits over the protection of 
sensitive data.

Q.1.a. Your written testimony notes, ``Credit scores and 
predictions are being sold that are not regulated by [The Fair 
Credit Reporting Act (FCRA)]'' and that ``The technology 
environment is facilitating more scores being used in more 
places in consumers' lives, and not all uses are positive.'' 
Your proposed solutions include bringing unregulated forms of 
credit scoring under the FCRA and studying new areas of 
eligibility that need to fall under the FCRA. Given the limited 
ability of individuals to access, control, and correct their 
personal data, as well as the limited legal framework to 
regulate data brokers, would the inadequacy of current laws be 
addressed by regulating data brokers under the Fair Credit 
Reporting Act?

A.1.a. It would be of great help for Congress to clarify that 
aggregate credit scores should already be regulated under the 
FCRA, and to study new areas of eligibility. These actions 
would provide for significant improvements in solving some of 
the more egregious issues related to credit and other ``grey 
area'' eligibility decisions. These changes, should Congress 
take action, would remedy certain aspects of the current 
problems. I agree that these changes would not address every 
challenge posed by data broker activities. But these changes 
would capture a good portion of some of the more serious and 
systemic problems consumers are facing.
    In 2013, WPF testified before Congress about non-FCRA or 
unregulated credit scores, warning that they were problematic 
and could create consumer harm. In 2014, we wrote a report 
called The Scoring of America that more fully documented the 
non-FCRA credit scores. We have found that in 2019, unregulated 
credit scores are now widespread and are being used on data 
broker lists and in electronic data append services. We are 
deeply concerned that the use of unregulated credit scores is 
poised to create substantial, widespread consumer harm as the 
use of these scores becomes an entrenched business practice.
    I would like to respond in additional detail to your 
questions.
    First, regarding issues relating generally to data 
availability, even though unregulated credit scores use third-
party data, which now circulates in abundance, this use does 
not automatically mean the scores are unregulated. The 
alternative credit scores such as those offered by PRBC are 
regulated credit scores. Alternative data is considered 
regulated just as if it were credit bureau data. This creates a 
strong basis for determining that it is not just the use of 
traditional credit bureau data that causes the applicability of 
the FCRA to a score. Using third-party data therefore does not 
constitute a condition under which a score does not fall under 
FCRA regulation.
    Second, household-level scores may still be applied to an 
individual consumer. Even though companies and credit bureaus 
creating and using unregulated versions of credit scores make 
great efforts to explain that the scores are ``aggregated'' to 
a household level data, or census block-level data, or ZIP+4 
data, it does not mean that the data will not be used as a 
proxy for a credit score of an individual living at that 
address.
    If an aggregate credit score is applied to an individual at 
a decision-making point that would be regulated if it were a 
traditional credit score, then the credit score, even if it is 
an aggregate, ZIP+4 modeled score, still must be regulated 
under the FCRA because it is being applied to an individual. We 
stress that as long as a person's home address is known, then a 
ZIP+4 credit score can be applied to that person as an 
individual. Additionally, any person who gives a general ZIP 
Code at a point of purchase, for example, could be scored in 
near real-time and decisions can be made about that person as 
an individual based on the ZIP Code of the neighborhood they 
live in. In this way, too, unregulated credit scores may be 
applicable to individuals.
    Note the following exemplars:

  A. LEquifax Aggregated FICO Scores.\1\
---------------------------------------------------------------------------
    \1\ See https://www.equifax.com/business/aggregated-fico-scores/.

  B. LTransUnion offers TransUnion Audiences. This is what the 
        company calls a summary level view of credit profiles 
        at a geographic (ZIP+4) level. This is TransUnion's 
        version of an unregulated credit score, and the scoring 
---------------------------------------------------------------------------
        is offered as a service.

     L``Our consumer finance audiences are aggregated and de-
        personalized using ZIP+4 microgeographies to achieve a 
        high level of targeting effectiveness while maintaining 
        regulatory compliance.''\2\
---------------------------------------------------------------------------
    \2\ TransUnion Audience Buying Guide, https://www.transunion.com/
resources/transunion/doc/insights/buying-guides/TU-digital-audience-
buying-guide-july-2018.pdf.

---------------------------------------------------------------------------
     Land

     L``TransUnion audiences are sourced from anonymized, 
        aggregated consumer credit data, delivering valuable 
        credit behavior intelligence. Built from TransUnion's 
        consumer database consisting of more than 230 million 
        U.S. records, aggregated credit data provides a 
        summary-level view of credit profiles at a geographic 
        (ZIP+4) level. TransUnion audiences target the 
        consumers most likely to have the financial ability to 
        qualify and respond.''\3\
---------------------------------------------------------------------------
    \3\ Nielsen Data as a Service Data Partners, TransUnion. http://
sites.nielsen.com/daas-partners/partner/transunion/.

  C. LAnalytics IQ offers a GeoCreditIQ product,\4\ which is 
        its version of an unregulated consumer score. Analytics 
        IQ states that:
---------------------------------------------------------------------------
    \4\ Analytics IQ. https://analytics-iq.com/what-we-do/. For a more 
detailed description, see: https://analyticsiq.com/downloads/
analyticsiq-productsheet-geocreditiq.pdf.

     L``Credit-related data, even summarized at a geographic 
        level, should always come directly from the source--
        U.S.-based credit bureaus. That is the approach 
        AnalyticsIQ takes to create the foundation of our 
        GeoCreditIQ data. By working directly with the bureaus, 
        our GeoCreditIQ data is extremely accurate and 
        predictive. With GeoCreditIQ marketers get the best of 
        both worlds. The data correlates highly to actual 
        credit scores, however, it is less restrictive and very 
        powerful in everyday marketing activities.''\5\
---------------------------------------------------------------------------
    \5\ Analytics IQ GeoCreditIQ brochure, https://analytics-iq.com/
downloads/analyticsiq-product
sheet-geocreditiq.pdf.

  D. LExperian offers its Premier Aggregated Credit Statistics 
        score. The ``The Premier Aggregated Credit Statistics 
        product is derived from the credit profiles of more 
        than 220 million credit-active consumers and averaged 
        at the ZIP-Code level.''\6\ Experian states that this 
        score is ``Beneficial to virtually any industry, 
        including debt collections, education, government, 
        financial services, capital markets and data 
        analytics.''\7\ Experian states that customers can 
        ``Get unprecedented insight into the credit health of 
        neighborhoods across the United States.'' And it also 
        states that it can be used for debt collections, which 
        typically is applied at an individual level. It has 
        used its data to score the top 25 neighborhoods with 
        the most mortgage debt, for example.\8\ Experian's ZIP 
        Code credit score is offered as a service.
---------------------------------------------------------------------------
    \6\ Experian Premier Aggregated Credit Statistics. Available at 
https://www.experian.com/consumer-information/premier-aggregated-
credit-statistics.html.
    \7\ Supra note 5.
    \8\ Experian Blog Post, ZIP Codes with the Highest Mortgage Debt, 
July 22, 2019. https://www.experian.com/blogs/ask-experian/research/
zip-codes-with-the-highest-mortgage-debt/.

  E. LNextMark sells a data broker list of ``Summarized Credit 
        Scores FICO-Like Mailing List.''\9\ The data card 
        states: ``Summarized Credit Scores are used to help our 
        clients target segments of the population at varying 
        levels of credit worthiness. It is carefully built upon 
        the historic financial transaction data of hundred of 
        millions of consumers, aggregated at the ZIP+4 level.'' 
        The data card has further recommendations for use:
---------------------------------------------------------------------------
    \9\ Nextmark, https://lists.nextmark.com/
market;jsessionid624D63468C12F73E52082D474F1C4
9C9?page-order/online/datacard&id=281247.

     L``Recommendations for Banking, Insurance and Automotive 
---------------------------------------------------------------------------
        Industries:

     LOverlay summarized credit scores on your database to 
        determine credit worthy, or subprime for special 
        finance offers.

     LRecommendations for mortgage industry:

     LSubprime Program: Identify consumers with debt and credit 
        challenges: Choose summarized credit FICO-like ranges 
        of less than 600, specific loan dates and loan amounts 
        or LTV. . . .''

  F. LThe Dataman Group has ``Modeled Credit Score Prospect 
        Lists.''\10\ The lists include a profitability score, 
        and uses layers of data to score at the household 
        level.
---------------------------------------------------------------------------
    \10\ Dataman Group, Modeled Credit Score Lists, https://
www.datamangroup.com/modeled-credit-score-lists/.

     L``This new ConsumerView Profitability Score list select 
        helps identify households likely to pay their debts and 
        ranks households by profitability, allowing marketers 
---------------------------------------------------------------------------
        to target the best prospects based on:

     LProfitability

     LApproval Rates

     LResponse Rates

     LThe scores align very closely to bonafide Credit 
        Scoring--and with this file--no preapproval is needed!
     LThe ConsumerView Profitability Score combines a robust 
        scoring model that offers high levels of refinement for 
        selecting the most profitable prospects combined with 
        our top-notch Consumer Database. This gives you greater 
        precision in predicting, identifying and targeting 
        prospects at the Household Level.''

These are just a few exemplars of the ways in which unregulated 
credit scores are being used today.

    Third, credit scores may only be pulled for purposes 
strictly defined in the FCRA; they cannot be used for general 
marketing purposes. It is already established policy, and law, 
that credit scores cannot be used for general marketing 
purposes except in situations expressly defined by the FCRA. 
Given that unregulated credit scores are accurate proxies for 
regulated credit scores, the use of aggregate ZIP+4 credit 
scores for expansive marketing purposes currently violates 
established law and public policy about uses of credit scores. 
If credit scores were meant to be used for expansive marketing 
purposes, then the FCRA would permit such uses.
    And finally, despite the apparent applicability of the FCRA 
to aggregate credit scores, we do not see mechanisms that have 
been made available to consumers for making the uses of these 
scores transparent. We do not see prominent efforts by credit 
bureaus to allow consumers to see their ZIP+4 credit scores, 
nor household scores, nor reveal who has requested their 
unregulated credit score. We do not see mechanisms for 
consumers to correct errors in their unregulated scores, or to 
prevent other abuses the FCRA and ECOA were designed to 
address. We do not know how or if the credit bureaus are 
affirmatively tracking, monitoring, and policing the uses of 
unregulated credit scores, and we are greatly concerned that 
these scores may also be easily used both applied at an 
individual level and used for eligibility purposes. We do not 
see the credit bureaus and others reporting publicly their 
technological proof of compliance with the FCRA regarding the 
unregulated credit scores.
    Unfortunately, consumers are not able to avoid the harms 
involved with unregulated credit scoring. The lists and 
databases of millions of consumers appended with their 
unregulated credit scores occur without consumers' knowledge or 
ability to correct the data. Financial, educational, 
employment, and other opportunities based on a person's 
unregulated ZIP+4 or household credit score may have profound 
impacts on individuals, but they will not be able to use 
existing FCRA tools to remedy the problems posed by this 
category of credit scores.
    If Congress clarified the FCRA to bring aggregate credit 
scores clearly under the auspices of the FCRA, with no 
interpretational grey areas, it would provide meaningful, 
significant improvement. Aggregate credit scores would no 
longer be able to be used for marketing purposes, these types 
of credit scores would not be able to be quietly applied 
illegally to individual consumers, and an avenue of growing 
harm would be closed.

Q.1.b. Credit reporting agencies make billions of dollars 
collecting and selling information about consumers, but 
consumers have little ability to control how their personal 
information is collected and used by these agencies. How would 
legislation to give consumers more control over personal 
financial data and to create a uniform, Federal process for 
obtaining and lifting credit freezes benefit consumers? Would 
consumers benefit if such legislation also applied to currently 
unregulated parts of the industry, such as data brokerages?

A.1.b. When identity theft remedies were being put in place 
from the mid-1990s though the early 2010s, I observed in real-
time how these remedies beneficially impacted consumers through 
the many phone calls that came in to World Privacy Forum. After 
State security freeze laws were enacted, consumers with 
multistate identity theft issues experienced significant 
relief, as did single-state victims of identity theft. Security 
freeze laws have worked well for consumers, particularly those 
with serious identity theft in their present or past. If a 
uniform Federal process took the strongest and best of the 
State laws and created rapid setting and lifting of security 
freezes, that could be beneficial.
    It would be beneficial for security freezes to apply across 
data brokerages as well. This would assist in cases of identity 
theft, and it would assist with safety considerations. We have 
found that in particular, victims of crime, including domestic 
violence and stalking among other crimes, as well as elected 
officials and law enforcement officers, have safety 
considerations that apply to data broker data.

Q.2. Your written testimony calls for legislation to facilitate 
setting due process standards that would fill in meaningful 
gaps in privacy protections. Along with Professor Jane Winn, 
you suggest legislation that would give the Federal Trade 
Commission additional authorities to regulate practices in 
connection with personal data. Relatedly, I have introduced 
legislation to give the Federal Trade Commission more direct 
supervisory authority over data security at credit reporting 
agencies.

Q.2.a. How would legislation to establish and provide Federal 
authority and resources to monitor data security practices of 
credit reporting agencies and data brokers benefit consumers?

A.2.a. Legislation that would provide Federal authority and 
resources to monitor data security practices of CRAs and data 
brokers could benefit consumers in several ways; by setting 
guardrails for the data broker sector generally, by giving 
consumers more agency in the overall process, and by requiring 
data brokers and CRAs to manage data using processes documented 
to facilitate ongoing improvements in outcomes.
    By way of background, the current debate over what Federal 
information privacy legislation should look like is often based 
on the assumption that there are only two models to choose 
from: a market-based approach or a hierarchical rights-based 
approach. Applying Nobel Laureate Elinor Ostrom's principles of 
governance design (Nives Dolsak, Elinor Ostrom & Bonnie J. 
McCay, The Commons in the New Millenium (2003) and a pragmatic 
understanding of scientific knowledge as socially constructed 
makes it possible to find a middle path between a market 
approach or a hierarchical approach to information governance.
    Successful examples of governance mechanisms that lie on 
this middle path include privacy standard setting processes, as 
you noted in your question. Such collaborative standards-
setting efforts should not be confused with privacy self-
regulation, which is one example of a market approach that 
lacks accountability because, as the economist Anthony Ogus 
pointed out in Rethinking Self-Regulation, (Oxford Journal of 
Legal Studies, 1995), private self-regulation is per se 
captured from its inception.
    The term ``voluntary consensus standards'' has a specific 
meaning that is already defined in law. The U.S. Food and Drug 
Administration has been using voluntary consensus standards 
that comply with due process requirements as articulated in the 
Office of Management and Budget (OMB) Circular A-119 for more 
than 20 years, which has resulted in more than 1,000 recognized 
standards applicable to medical devices. The World Trade 
Organization (WTO), Agreement on Technical Barriers to Trade is 
a core document that outlines how standards may be set by 
independent parties in a fair and appropriate manner that does 
not create transactional or other barriers. These ideas have 
applicability to data ecosystems and privacy risks.
    Within the framework of due process guarantees set out in 
OMB Circular A-119, Federal regulators today have the power to 
recognize compliance with voluntary, consensus standards as 
evidence of compliance with the law for specific, limited 
regulatory purposes. Federal regulators may only use voluntary 
consensus standards to create such safe harbors if the 
standards can be shown to have been developed through processes 
whose openness, balance, consensus, inclusion, transparency and 
accountability have been independently verified.
    When the interface between Federal legislation and 
voluntary, consensus industry standards is working correctly, 
then the private sector (inclusive of all private sector 
stakeholders) takes the lead in developing appropriate, 
context-specific standards for solving policy problems. Next, 
regulators take the lead in assessing whether those private 
standards meet the needs of the American public as well as the 
industry players that developed them. These assessments will 
ideally be conducted in an ongoing manner, and can 
realistically include monitoring that is in real time or near 
real time. Finally, courts stand by ready to serve as 
independent arbiters of the behavior of both industry and 
Government.
    Beyond the standards approach, another important set of 
measures relates to governance that ensures ongoing improvement 
targets are set and achieved. See my response to B, below.

Q.2.b. In your view, would legislation to impose strict 
liability penalties for breaches involving consumer data at 
credit reporting agencies and data brokerages lead to 
improvements in consumer data security? Would consumers benefit 
if such penalties were imposed on data brokers?

A.2.b. Credit Reporting Agencies and data brokers have a 
heightened responsibility to ensure data integrity on all 
fronts, including responsibilities related to data security, 
data integrity, and data breaches. Strict liability 
requirements can have a place in highly sensitive data settings 
to ensure the highest standards of data integrity are being 
met.
    Much has been learned in the last 25 years about data 
protection and digital ecosystems. Data protection laws that 
have already been enacted in 123-plus countries have grown to 
have significant similarities, even when aspects of the law 
have been adapted to unique county-level conditions. See for 
example, the work of Graham Greenleaf on this topic. Data 
breach requirements are spreading globally.
    However, despite all of the work on privacy and data 
protection, baseline governance principles that have 
demonstrated worth in other settings such as environmental, 
manufacturing, and law enforcement contexts, have generally not 
yet been applied in the privacy realm. This is a rich area for 
exploration regarding legislation.
    By themselves, strict liability requirements are not enough 
to create reliably good results in the long term if the goal is 
to substantively improve outcomes for consumers and for the 
businesses that must comply with data breach laws. A 
comprehensive governance system is needed that will facilitate 
the creation of specific and appropriate benchmarking and 
improvement processes to achieve improvement goals.
    Here, we point to the expansive and demonstrably productive 
work of W. Edwards Deming, including his system (and 
principles) of management\11\ and his process cycle of 
continual improvement.\12\ If legislation were to go beyond 
strict liability and also enshrine such types of ongoing 
improvement processes as part of the principles of governance 
within a privacy or data breach context, it would go far to 
creating a more mature and effective approach to data systems 
and processes. Over time, while strict liability will have 
certain baseline compliance effects, it is primarily a tool for 
deterrence. It does not fully work to complete the job of 
bringing businesses up to significant levels of improvement. 
For this to happen, affirmative governance structures also need 
to be in place. Given that privacy is still catching up to 
other business systems thought in other sectors, enshrining 
ideas of continual improvement would be helpful in creating an 
environment where better systems of data governance can be 
created.
---------------------------------------------------------------------------
    \11\ See https://deming.org/explore/fourteenpoints.
    \12\ Plan, Do, Study, Act; https://deming.org/explore/p-d-s-a.
---------------------------------------------------------------------------
                                ------                                


RESPONSES TO WRITTEN QUESTIONS OF SENATOR SCHATZ FROM PAM DIXON

Q.1. Are data sets collected by data brokers getting into the 
blood stream of credit, employment, and housing decision 
making, in a way that evades the FCRA?

A.1. Yes, data sets regarding consumers that are held by data 
brokers are being used for credit, employment, and housing 
decision making in ways that may evade the FCRA. Going one step 
further, data broker data is being used to create consumer 
scores being used in eligibility situations, and this also 
evades the FCRA, or closely skirts it. In our Scoring of 
America report we documented many of the various data streams 
that data brokers utilize in gathering consumers' personal 
data, and we documented the scores themselves.
    In particular, aggregate or modeled credit scores are 
particularly challenging in regards to FCRA compliance. These 
are scores that are typically modeled on ZIP+4, census block, 
or the household level. They are often marketed as comparable 
to regulated credit scores. When household credit scores are 
applied to the individual, I believe this violates the FCRA. 
When the household credit scores are used in eligibility 
circumstances at the individual level, this, too, I believe is 
a violation of the FCRA. In my testimony, I discussed the FICO 
Aggregate Credit Score. It is not the only such score in this 
category.
    Tracking the proliferation of aggregate and modeled credit 
scores is one way to see the significant potential for skirting 
of the FCRA. Questions abound:

   LHow many of these scores are being used in 
        eligibility circumstances?

   LHow are these scores being used in marketing or 
        other circumstances?

   LHow are the companies policing the use of these 
        scores?

   LTo whom or what entities have the scores been sold?

   LHow can the companies producing aggregate credit 
        scores affirmatively demonstrate that their product is 
        only being used in full compliance with the FCRA?

    There are limited ways available to track data broker data. 
However, one of the ways to get a glimpse of it is to review 
the data broker data cards that are available via the list 
broker or data broker websites. Examples include:

   LNextMark List Finder: https://lists.nextmark.com/
        market.

   LExact Data Consumer Lists: https://
        www.exactdata.com/consumer-mailing-lists.html.

   LInfoUSA Consumer Lists: https://www.infousa.com/
        lists/consumer-lists/.

   LDataman Consumer Lists: https://
        www.datamangroup.com/national-consumer-database/.

   LExperian Consumer Sales Leads: https://
        www.experian.com/small-business/sales-leads.jsp.

    This is a very small selection of offerings of detailed 
consumer data available via lists. I note that this is just one 
aspect of data brokering. It happens to be the easiest to 
demonstrate at this time; however, many other data broker 
activities occur out of sight, for example, data APIs, which 
provide the ``list'' on demand and will likely replace older 
list methods fairly soon.
    And to reiterate, it is crucial to understand that the 
production of consumer scores is a way to condense raw data 
broker data into numeric shorthand. Unregulated consumer scores 
can be as challenging to the FCRA as the original raw data, and 
can cause harms when misused in eligibility circumstances.

Q.2. Under current law, do companies that collect and sell 
information about consumers have any duty to consumers about 
how that information will be used? If consumers are 
discriminated against or harmed because of how that data is 
used, who is responsible?

A.2. There is not yet a broad, comprehensively applicable rule 
applicable to duties of care regarding the use of consumer 
data. There are some sectoral protections in place. Additional 
pressures from the States have created a very narrow pathway 
for some rules in some circumstances. We note that California's 
law, the CCPA, has numerous exemptions and loopholes, and thus, 
even in California there is not a broad law that will apply 
routinely to all data brokers. Because of this, there is no 
question that there are meaningful gaps in consumer protection 
at the State and Federal level.
    At the Federal level, the answer to the questions of duty 
and responsibility depends on what entity is holding the data, 
what sectoral regulations are in place, and for unregulated 
companies, what the privacy policy of that company states. For 
example, HIPAA-covered entities do have a duty to patients 
about how protected health information will be used. Entities 
engaging in FCRA-covered activities also have some duties to 
consumers about information use. As good as the FCRA is, in 
some ways, as I mentioned in testimony, it has lost some of its 
effectiveness due to what has become the ``household'' vs. 
individual loophole. In the public sector, the Privacy Act does 
make some stipulations about data use.
    For companies that are not regulated under a sectoral 
regime, the FTC can enforce privacy policies that are posted by 
companies under its FTC Act Sec. 5 authority; but this has its 
limits, and does not provide for a proactive requirement of 
certain duties to consumers regarding data use.
    Vermont, in enacting its first-in-nation 2018 data broker 
legislation, made incremental steps at a State-level toward 
creating at least some duty regarding consumer data when it 
required data brokers to not use consumer data for committing 
fraud, or in a discriminatory way. This is not a comprehensive 
protection, but it remains an important exemplar.

Q.3. If consumers are discriminated against or harmed because 
of how that data is used, who is responsible? If a data broker 
is breached and a consumer suffers harm from identity theft, 
who is liable?

A.3. The answer to both of these questions will depend on the 
circumstances of the discrimination or harm, and the 
complexities of resolving this issue are no small matter. In an 
FCRA context, consumers who experience harm because of 
improperly conducted background checks, for example, have 
recourse. In this situation, an employer may be the responsible 
party, or the background check provider. But outside of the 
FCRA context, harms can accrue that are unregulated, which 
makes the assignation of responsibility more difficult in some 
circumstances.
    For example, when a business uses an aggregate or household 
credit score to determine eligibility for a financial service 
or product, and chooses to decline the consumer for a service 
or product, unless the consumer had a way to know about this 
declension, they would not be likely to learn about the harm. 
In this situation, the creator of the aggregate or household 
score, the seller of the score to the institution that used it, 
and the institution may possibly have some responsibility, but 
this is not yet litigated under the FCRA, and Congress has not 
yet clarified the issue of aggregate or modeled credit scores. 
Until and unless we have additional clarity, it will be very 
difficult to have bright-line responsibility assigna-
tions in this and other areas.
    Regarding data brokers and unregulated scores generally, 
there is a need for more bright-line rules in regards to 
responsibilities and duties, including nondiscrimination.
    Currently, outside of the State of Vermont, and as of 2019, 
also California, which have both passed basic data broker 
registration laws, the answer to this question is not 
straightforward whatsoever, and in large part, it is fair to 
say it is undetermined. In most cases, consumers are unlikely 
to be able to determine with specificity how their information 
was compromised, or what party created the risk. In the case of 
consumer data held by data brokers, it would be very difficult 
for consumers to know which data brokers held their data, much 
less which had breached their data. Specific data broker breach 
requirements and other protections would help ameliorate some 
of these problems.

Q.4. Do you think Federal law should require companies that 
collect and use consumer data to take reasonable steps to 
prevent unwanted disclosures of data and not use data to the 
detriment of those consumers?

A.4. Yes. There are no reasonable arguments against providing 
proper security for consumer data at all stages of its 
lifecycle in a business. And there are no arguments against 
prohibiting using data in a detrimental, discriminatory, or 
unfair way. It is essential to provide for fair data uses and 
prevention of harm regarding consumer data; without such 
provisions, consumer trust will eventually be lost. Abusive 
data practices where data is used in detrimental, 
discriminatory, or unfair ways in consumers' lives is not 
sustainable in a digital economy.
                                ------                                


RESPONSES TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM PAM 
                             DIXON

Q.1. Are there firms that you think are utilizing algorithms to 
expand access for affordable credit or useful financial 
products that are beneficial? If so, which ones?

A.1. Some beneficial examples in this context are found in the 
area of ``thin file'' consumer scoring products. These types of 
credit scores are well understood in the marketplace. Typically 
called ``alternative credit scores,'' thin file credit scores 
are almost always brought in as regulated scores under the 
FCRA. Alternative credit scores typically use a small 
alternative data set to calculate thin file scores. Utility 
payments, rent payments, phone bill payments, and other types 
of steady payments are used as predictors for credit risk for 
people who may not have purchased a home, a car, and may not 
have an extensive credit history for a variety of reasons.
    Exemplars include the FICO UltraFICO,\1\ and ID Analytics 
use of alternative credit data,\2\ particularly the Credit 
Optics Full Spectrum.\3\ These products utilize alternative 
data to provide credit score analysis, and at last check, the 
companies consider the products to be regulated under the FCRA.
---------------------------------------------------------------------------
    \1\ See https://www.fico.com/en/products/ultrafico-score.
    \2\ See https://www.idanalytics.com/solutions-services/credit-risk-
solutions/alternative-credit-data/.
    \3\ See https://www.idanalytics.com/solutions-services/credit-risk-
solutions/.
---------------------------------------------------------------------------
    Thin file or alternative credit scores should not be 
confused with aggregate credit scores. Companies building 
aggregate credit scores typically do not see these models as 
regulated under the FCRA, because these scores apply to 
households, not individuals. This is a loophole in the FCRA, as 
the FCRA only applies to individuals. Aggregate credit scores 
that are created at a household level are not regulated, but 
they nevertheless might be applied to individuals by companies 
seeking an unregulated predictive score.
    Aggregate credit scores can use hundreds and up to more 
than a thousand factors, and can be quite accurate. In short, 
aggregate credit scores can act as an unregulated proxy for the 
traditional credit scores originally regulated under the FCRA. 
This is in contrast to thin file, alternative credit scores, 
which are regulated scores that can be beneficial to previously 
unscored consumers or consumers with minimal credit histories.

Q.2. Do you believe that people should get to see their 
unregulated credit reports and scores just as they do their 
regulated scores?

A.2. Yes, people should be able to see their unregulated credit 
reports and scores. For example, we should be able to see our 
FICO aggregate credit score. We should also be able to see our 
Experian neighborhood risk score, as this score is used to 
create a variety of metrics about households and those living 
in that household. Any score used in matters relating to 
eligibility, or used to determine the character, reputation or 
creditworthiness of an individual should be available and not 
secret.

Q.3. What does it mean for financial markets now that FINRA can 
essentially predict and decide in real time, or near real-time 
investor behavior? What does it mean for other financial and 
technical sectors?

A.3. FINRA is a key exemplar of modern real-time governance. It 
didn't begin that way, but the system has evolved in important 
ways. We think that FINRA is just the beginning of the ``real-
time governance'' movement, where high volumes of data analysis 
and governance is what a lot of compliance reporting is going 
to start looking like in the United States and elsewhere.
    As a self-regulatory organization under the Securities and 
Exchange Act ('34 Act), FINRA is authorized to issue rules 
under Section 15A(b)(6) of the 1934 Act in order to ``. . . 
prevent fraudulent and manipulative acts and practices, to 
promote just and equitable principles of trade, and, in 
general, to protect investors and the public interest and 
Section 15A(b)(9) of the Act.''

Q.4. In the past, FINRA produced periodic summarized reports to 
support its mission. This was fine, and entirely appropriate 
for a paper-based economy and era. From the 1930s when the 
modern U.S. securities law framework was established through to 
the present, regulators such as the Securities and Exchange 
Commission and SROs such as the New York Stock Exchange and the 
National Association of Securities Dealers (whose SRO powers 
were eventually transferred to FINRA) had no choice but to rely 
on periodic reporting from regulated entities as their primary 
source of information. Staff members of regulated entities 
spent huge amounts of time boiling down vast quantities of raw 
data into highly simplified, abstract form for reporting. Then 
staff members of regulators tried to develop an accurate 
understanding of the complex reality summarized in the 
reporting forms through a combination of analysis of the 
reporting forms and selective audits. These paper-based 
reporting and regulatory processes were normal and appropriate 
and used throughout the American economy and world for most of 
the 20th century.
    The computerization of American financial markets was 
driven in the late 1960s and 1970s by the ``paperwork crunch'' 
on Wall Street. As trading volumes increased, paper-based 
clearing and settlement systems became overloaded, making it 
impossible to settle all of 1 day's transactions before the 
start of the next trading day. The first response to the 
paperwork crunch was to close markets earlier, which was 
obviously not a solution that appealed to either financial 
firms or their clients.
    By the end of the 1970s, clearing and settlement systems 
were running on mainframe computers and American banks, 
brokerage firms and insurance companies were world leaders in 
the computerization of their back-office systems. The 
regulatory financial reporting obligations of these firms were 
met through a combination of reports generated by mainframe 
computer systems and information collected and summarized by 
staff members. These reporting and regulatory oversight 
processes were based on point-in-time, low-resolution snapshots 
of the business operations of regulated entities. Regulators 
could see the equivalent of the tip of an iceberg and were 
forced to guess the characteristics of the submerged portion of 
the iceberg. The executives running regulated entities were in 
much the same position.
    In his book, ``Seeing Like a State,'' Harvard political 
science Professor James Scott wrote a book, articulated the 
challenges that modern regulators face when forced to make 
decisions on the basis of the kind of highly compressed 
summaries of complex realities found in periodic reporting by 
regulated entities. The regulator can literally ``see'' only 
what is presented in the summary, and on the basis of that kind 
such summaries, make educated guesses about where to look more 
closely for evidence of violations of law.
    Following the Stock Market Crash of 1987, regulators began 
working with regulated entities to better understand the 
operation of their computer systems and to integrate the 
functioning of those computer systems more directly into their 
regulatory oversight activities. As regulators gained greater 
direct access to the information begin generated by the 
information systems operated by regulated entities, they 
gradually were able to ``see'' something closer to what the 
executives of regulated entities could see.
    By the 2000s, financial market regulators such as the SEC 
and FINRA were developing the capacity to collect and analyze 
raw data feeds directly from regulated entities. This brings us 
to today, where FINRA is using the availability of increased 
technological capacity to acquire real-time transaction data 
regarding TRACE--eligible securities (Trade Reporting and 
Compliance Engine). Instead of receiving periodic reports, 
those subscribing to FINRA's TRACE reporting system now have 
firehoses of real-time data to manage and analyze.
    In the FINRA real-time environment, regulators now have to 
develop their own capacity to analyze these data feeds and draw 
their own inferences from them, which requires huge investments 
in computing capacity and staff with relevant subject matter 
expertise. After these systems are fully operational, then in 
theory what regulators should be able to ``see'' whatever 
executives at regulated entities can ``see.'' The starting 
point of the dialogue between regulators and regulated entities 
can focus on comparing the results of the regulators' analyses 
and the regulated entities' analyses of the same raw data 
generated by the regulated entities' computer systems.
    FINRA's TRACE reporting system was developed specifically 
to assist with this process. To meet its primary mission, FINRA 
will need to continue to ensure that the kinds of compliance 
problems they look for, such as concealed shell companies, 
achieve maximum benefits from the data volume and velocity 
``real time'' affords. ``Real time'' does not automatically 
equal ``better'' unless foundational work has been done to 
ensure that the data has been properly tagged and organized to 
facilitate compliance reporting and response. For example, 
compliance alerts in real-time systems are typically based on 
some form of trigger. Various kinds of data tags and 
identifiers are particularly important to construct properly to 
fulfill this task. With proper triggers in place, real-time 
data firehoses can be purposefully and reliably analyzed at 
scale and at speed in order to create accurate real-time 
governance feedback.
    The ability of regulators to request real-time data from 
regulated entities and to engage in real-time analysis of that 
data for evidence of compliance or violations of the law by the 
regulated entities represents the beginning of a new era of 
``real-time governance.'' In a real-time governance system, 
regulators should be able to respond almost as quickly as 
regulated entities to evidence of a risk of noncompliance. The 
expansion of real-time governance in the United States and 
around the world promises a fundamental breakthrough in risk 
management: citizens should be able to enjoy the best quality 
goods and services and the benefits of rapid technological 
innovation while at the same time also being provided better 
protection from risks.
    In order to lay a foundation for continuous improvement of 
real-time governance systems, regulators and regulated entities 
will need to collaborate to increase the standardization of 
data formats. Back in the 1970s, when each financial service 
firm was installing its own mainframe computer, it was not 
uncommon for each firm to acquire custom-developed, bespoke 
software application. Standards were developed for transaction 
data so that first it could send and receive order and 
execution information from exchanges and other firms quickly 
and accurately, but there was no need to standardize other 
parts of the firms' computer systems.
    By the 2000s, the result was significant diversity across 
firms in the way that some of the information relevant to their 
reporting obligations was generated and stored. Limited 
standardization of data formats and software architectures 
across regulated entities increases the challenges to 
regulators to move to real-time governance because of their 
need to compare compliance-related behaviors across different 
firms with different computer systems.
    Lack of standardization of data formats hampered 
regulators' ability to respond to the 2008 collapse of Lehman 
Brothers and the 2010 Flash Crash. Regulators' efforts to track 
down the course of large volumes of computer-generated orders 
were hampered by the difficulty of comparing data generated by 
different firms. One problem in particular had to do with lack 
of standardization in how customers that were ``legal persons'' 
(e.g., corporations), were identified. The same corporation's 
name might be entered into different firm computers differently 
due to the use of nonstandard abbreviations or even 
typographical errors. The lack of global standards for 
identifying common ownership of financial accounts by business 
entities quickly and accurately was hampering tax and anti-
money laundering regulatory efforts as well.
    In 2011, the Depository Trust & Clearing Corporation (DTCC) 
and the Society for Worldwide Financial Telecommunications 
(SWIFT) launched a collaborative, global standard-setting 
effort that led to the creation of the ``Global Legal Entity 
Identifier'' standard. This standard has been endorsed by the 
Financial Stability Board and the G20 and designated as 
International Organization for Standardization ISO standard 
17442. Some jurisdictions outside the United States have begun 
mandating the use of LEI numbers in certain financial service 
markets in order to increase the effectiveness of regulatory 
oversight processes (e.g., EU Markets in Financial Instruments 
Directive known as MiFID II).
    Any legal entity anywhere in the world can obtain quickly, 
easily and cheaply a globally unique 20 digit LEI number from 
the LEI issuer of their choice, and be confident that it will 
be accepted by regulators and counterparties around the world 
for compliance purposes. The LEI Regulatory Oversight Council 
and the Global Legal Identifier Foundation (GLEIF) jointly 
administer the LEI system. This includes the oversight of a 
global network LEI issuers that compete with each other to 
issue LEI numbers to entities; providing the Global LEI Index, 
an open, searchable database of LEI numbers, and monitoring 
emerging technologies and updating the standard as needed to 
accommodate them.
    The LEI ROC and GLEIF provide a clear example of the kind 
of transparent, accountable and inclusive governance processes 
that are needed to insure that real-time governance serves the 
public and is not captured by industry or leveraged by owners 
of proprietary technologies. The LEI ROC and GLEIF operate in 
all global markets simultaneously to reduce compliance burdens 
on regulated entities, amplify the effectiveness of national 
and global regulators' efforts to protect the public and are 
completely transparent to end users.
    But the public, the regulators that represent the public 
interest, and private firms cannot enjoy any of those benefits 
of real-time governance without a very large, one-time 
investment by the private sector in business process 
reengineering. That is because all private enterprises today 
have some system for identifying themselves to their 
counterparties and keeping track of their counterparties that 
was developed before the global legal entity identifier 
standard was developed. The problem from a software programming 
perspective is similar to the Y2K problem at the end of the 
1990s: software programs that only allocated two digits for 
storing information about years had to be modified to 
accommodate four digit years in order to insure that the year 
2000 was not interpreted by the software as 1900 instead. In a 
similar manner, all business software systems will have to make 
a one-time change to adopt GLEI and phaseout whatever other 
system they were using. Depending on how a firm's computer 
system is organized, this may require undertaking a long, slow, 
difficult process to achieve what appears to be a simple and 
obvious outcome to anyone not familiar with the challenges of 
business processing reengineering.
    With regard to the ability of FINRA or any other regulator 
working with real-time data feeds to fulfill their public 
service mission through real-time governance processes, 
increasing standardization of data formats is an essential part 
of the process of increasing the accuracy of regulators' 
ability to predict the behavior of investors, regulated 
entities and markets generally. The kind of predictions that 
the use of big data and artificial intelligence make possible 
are statistical inferences about the probability of different 
outcomes. The use of data analytics would permit a regulator to 
estimate the probably that certain data revealed a violation of 
the law.
    Using real-time data flows and real-time governance 
processes in this way permits regulators to engage in provable, 
fact-based, and ``risk based'' regulation. This would permit 
regulators to adjust dynamically and in real-time their 
allocation of scarce enforcement resources to those situations 
where they would create the most value for the public. They 
could use real-time governance mechanisms to identify those 
situations where the regulator believes the probability of a 
violation of the law occurring is the highest and the risk of 
harm to the public as a result of that violation is the 
highest, and concentrate their resources there.
    The migration by regulators to real-time governance in 
effect levels the playing field with regard to what the 
executives of regulated entities know and what regulators know. 
In addition, regulators gain deeper insight into the behavior 
of markets generally because unlike the executives of regulated 
entities who can see in detail only their own firms' internal 
operations, regulators will be able to learn from comparing 
detailed, accurate information about operations of all 
regulated entities.
    As regulators give up the 20th century system of regulation 
based on information contained in point-in-time, low resolution 
snapshots of the behavior of regulated entities and move to 
real-time governance instead, regulators will be able to use 
whatever resources they have more effectively, the public will 
be better protected and regulated entities will benefit from 
greater predictability and consistency of regulatory 
enforcement actions.
    It is difficult to overstate the potential significance of 
the move from 20th century command and control bureaucratic 
regulatory processes to real-time governance process not just 
in financial services but in every sector of the American 
economy and across global markets. In the 19th century, 
governments could only act as a ``night watchman state'' 
because of their limited capacity to regulate the economy. By 
the 20th century, the modern regulatory State had come into 
being and could act to protect the public from tainted food, 
poisonous medicines and lethal workplaces. The Administrative 
Procedure Act of 1946 was enacted to insure that the power of 
the modern regulatory State was exercised in a manner 
consistent with the rule of law.
    The fundamental advances in accountability and 
effectiveness ushered in by the APA such as notice and comment 
rulemaking cannot meet the challenge of insuring that 
regulatory power exercised through real-time governance 
processes also conforms to the rule of law. In order to lay a 
statutory foundation for the transparent, accountable and 
inclusive exercise of regulatory power through real-time 
governance processes, a fundamentally new approach to 
regulation is required.
    Such a new legislative interface would be congruent with 
the APA but would explicitly authorize regulators to leverage 
voluntary, consensus standards developed by private standard-
setting organizations that have committed to observing due 
process. Public-private collaborations between Federal 
regulators and private sector standard developing organizations 
have been taking place for decades with the framework of Office 
of Management and Budget Circular 119-A governing Federal 
Participation in the Development and Use of Voluntary Consensus 
Standards and in Conformity Assessment Activities and most 
recently updated in 2016. This new approach to regulatory 
governance is discussed in more detail in the information 
privacy law context in Pam Dixon and Jane Winn, From Data 
Protection to Information Governance (forthcoming 2019) and 
Jane Winn, The Governance Turn in Information Privacy Law (July 
11, 2019), https://ssrn.com/abstract
=3418286.
    Real-time financial sector analysis is no longer a single-
jurisdiction endeavor. It requires multilevel cooperative 
efforts. The example of the Global LEI standard demonstrates 
that the use of a
legislative interface through which regulators and private 
standard-setting organizations can collaborate to achieve real-
time governance that serves the public can work any context, 
not just information privacy law. It also demonstrates that the 
transparency,
accountability and inclusiveness of real-time governance can be 
supported by cooperative efforts with global standard-setting 
organizations as well as American standard setting 
organizations. How these cooperative efforts are accomplished 
requires careful and methodical decision making and planning--
private organizations and the public sector both need to be 
fully committed to insuring the fundamental fairness of their 
own processes. FINRA's system gives us a view into the 
implications of the world to come, and the depth of its new 
technical and policy requirements.

Q.4. Do you believe that there should be something similar to 
the ``legitimate interest'' basis for data processing in the 
United States and, if so, how should we think about nonconsent-
based processing for entities that have no consumer 
relationship such as data brokers?

A.4. Data processing that is not based on consent is an 
important issue to address, because it is going to become front 
and center in the predictive world we are moving into. It is 
not reasonable to think that individuals will be able to 
consent to every bit of processing of their data. That being 
said, we still need structures that ensure nondiscrimination 
and people-beneficial uses of data. Processing varies in levels 
of importance depending on the context and use of the 
processing and data, among other factors.
    We now have some experience with legitimate interests 
processing via the GDPR in Europe. Legitimate interest-based 
processing has proven to be a challenging issue to implement, 
and the results have been uneven thus far. Because of the 
implementation issues with the GDPR, I prefer the idea of 
routine uses as outlined conceptually in the Privacy Act of 
1974. The United States routine uses model allows for data 
processing within limits, based on the context, but prohibits 
other uses outside of the known context and requires 
affirmative consent as the uses and data become more sensitive.
    One of the questions that immediately arises regarding both 
legitimate interest and routine uses is: who gets to decide 
what is a legitimate interest, or what is a routine use? This 
is an important question in a democratic society, and is one of 
the biggest decisions that needs to be determined in a 
democratic process. In the Privacy Act, the concept and 
structure of routine uses allows for individuals, businesses, 
and other entities to have a voice in what those routine uses 
look like, but it is the Government that has the ultimate 
authority to make bright-line decisions.
    The details of deciding upon routine uses can be managed by 
utilizing a combination of sectoral legislation to decide the 
brightest lines (like the floor for HIPAA) and the addition of 
due process voluntary consensus standards that would allow all 
stakeholders to have a fair and robust dialogue to create the 
more granular rules for what constitutes fair routine uses in 
more particularized settings. Voluntary consensus standards are 
due process standards, where all stakeholders have a say in 
what those ``routine uses'' should look like. This kind of 
standards work is in contrast to industry self regulation, 
where only industry has a role in the process and key 
stakeholders (such as consumers) might not be included.
    Again, in some areas, and applying the routine use idea 
broadly, beyond the confines of the Privacy Act, Congress will 
need to make the general bright line boundaries for some 
``routine uses.'' At a more granular level, multistakeholder 
work can set the finer boundary lines, with input from all 
stakeholders. Anything that goes beyond a checkbox will involve 
a more time-intensive process, but one that is well worth the 
effort.

Q.5. How effective are the GDPR's provisions surrounding 
profiling and automated decision making, and is that something 
we should emulate in the United States?

A.5. AI and machine learning systems require a lot of data, and 
they can present a variety of meaningful risks, including 
serious potentials for bias and inappropriate manipulations. 
The approach the GDPR took to automated decision making is 
understandable given the risks, yet the approach is also 
proving to be problematic. I spent over a year as a member of 
the OECD's AI Expert Group (AIGO). The AIGO group was tasked 
with providing extensive technical input into the OECD 
Principles on AI, which have now been ratified by the United 
States and other OECD countries, see: https://www.oecd.org/
going-digital/ai/principles/.
    Something that became very apparent throughout the 
discussions of AIGO was that the GDPR approach to AI processing 
brings many noncompetitive restrictions to data use and 
analysis. The OECD final guidelines took a broader approach 
than the GDPR, one that respected human values and privacy, and 
also innovation and economic growth. It is important that 
democratic societies such as the United States stay highly 
competitive with other jurisdictions in regards to AI and 
Machine Learning. The Belt and Road Initiative (BRI) countries 
(https://www.worldbank.org/en/topic/regional-integration/brief/
belt-and-road-initiative) are focused on winning the AI and 
Machine Learning race, and this focus on achieving AI dominance 
should not be underestimated.
    The United States faces an ethical dilemma. That is: do we 
handle data as aggressively as nondemocratic jurisdictions do 
in order to stay competitive? Or, do we protect privacy and 
take potential risks with our ability to compete? Or is there 
another way? We cannot take a stance of abusing the privacy, 
autonomy, and trust of the American people. And we must also 
innovate and lead in new technologies of prediction. After long 
consideration, I believe it is imperative that we find the 
third way, a way that allows us to retain privacy, autonomy, 
and democratic values while still innovating and staying 
competitive. This is both worthwhile and possible.
    Legislating AI as a broad command and control statute is 
not possible due to the complexity and variety of AI systems. 
We believe that an approach where lawmakers determine a set of 
general principles, then implement those principles with fair 
standards setting processes using OMB Circular A-119 as a due 
process model, will work well for addressing the complex 
challenges AI analytics poses at a granular level.
    This is an admittedly complex topic, and we do have 
forthcoming research on governance of privacy in complex 
ecosystems. In the meantime, a paper written by Jane Winn, who 
is a law professor in the United States and has taught short 
courses in China for many years, articulates some of these 
issues (and potential solutions): The Governance Turn in 
Information Privacy Law (July 11, 2019), https://ssrn.com/
abstract=3418286 or http://dx.doi.org/10.2139/ssrn.3418286.

Q.6. What are some of the gaps in currently existing law with 
respect to how enforcement agencies deal with this multitude of 
laws and what should we be thinking about in the Banking 
Committee as we prepare to potentially consider broader privacy 
legislation drafted by the Commerce Committee?

A.6. There are several meaningful gaps in existing law 
regarding enforcement agencies:

  A. LToo-narrow of enforcement authority at the FTC

  B. LEnforcement gaps between existing sectoral laws

  C. LEnforcement gaps of new sectors

    Regarding the FTC's enforcement authority, this issue has 
been well-discussed in Congress. The primary issues are the 
limitations of The FTC Act to address the full range of modern 
privacy problems, and the limitations created for the FTC under 
Magnuson-Moss, which limits the FTC's rulemaking power. The 
Magnuson-Moss vision of how the FTC should operate is not a 
viable position for the FTC to be held to today, particularly 
in light of the privacy and security concerns attending the 
fast-moving data ecosystem.
    Nevertheless, there is a school of thought that the FTC 
should not be the Nation's main privacy enforcement authority 
due to its constraints. This leads us to the idea of a new 
structure. We favor the creation of a Federal oversight board 
with responsibility for privacy--for example, a 12-member board 
with broad enforcement oversight. An overarching administrative 
privacy enforcement council or board would be in a position to 
spot issues across sectors, agencies, more readily identify a 
broader variety of gaps, and direct resources.
    Regarding enforcement gaps between existing sectoral laws, 
we see three pathways to enforcement. First, focused laws to 
fill in the gaps, accompanied with clear enforcement authority. 
Second, voluntary consensus guidelines at the State and Federal 
level with Government oversight, again, directed at the gaps 
where there is the most need. Third, we see a role for 
certification and other tools to assist with enforcement, 
again, with Government oversight.
    Third, it would make sense to conduct an analysis to 
identify any new sectors or potential sectors that need 
separate rules. Data brokers may be such a sector, so may 
certain kinds of platforms. It is an understatement to note 
that discussions about regulating a group of businesses would 
be an incredibly contentious discussion on all sides. 
Nevertheless, it would still be a good idea to at least have 
the discussion, because it is both reasonable and possible that 
at some point in the future certain types of businesses and 
platforms might be considered a sector unto themselves.

Q.7. How can we ensure the consumer is informed about scoring, 
profiling, and other decisions that are made about them in 
their daily lives while balancing the need to not put the 
entire onus on the consumer?

A.7. Requirements for quality controls such as labeling, 
certification, audit and documentation, bias and accuracy 
testing, among other measures are some of the mitigations that 
could be put in place to reduce informational risks without 
placing the burden entirely on consumers. Rules that require 
affirmative disclosure of meaningful consumer scores is 
important, as are rules that allow consumers to request 
disclosure of smaller scores. We include below a partial list 
developed from our original Scoring of America report:

   LThere should be no secret consumer scores. Anyone 
        who develops or uses a consumer score must make the 
        score name, its purpose, its scale, and the 
        interpretation of the meaning of the scale public. All 
        categories of factors used in a consumer score must 
        also be public, along with the source category of 
        information used in the score.

   LScores used for meaningful decision making about 
        consumers should be subject to quality controls, 
        ideally stipulated in Federal standards.

   LThe creator of a consumer score should state the 
        purpose, composition, and uses of a consumer in a 
        public way that makes the creator subject to Section 5 
        of the Federal Trade Commission Act. Section 5 
        prohibits unfair or deceptive trade practices, and the 
        FTC can take legal action against those who engage in 
        unfair or deceptive activities.

   LAny consumer who is the subject of a consumer score 
        should have the right to see his or her score and to 
        ask for a correction of the score and of the 
        information used in the score. It is the responsibility 
        of business to know when they are using a score to make 
        a decision about a consumer.

   LThose who create or use consumer scores must be 
        able to show that the scores are not and cannot be used 
        in a way that supports invidious discrimination 
        prohibited by law.

   LThose who create or use scores may only use 
        information collected by fair and lawful means. 
        Information used in consumer scores must be 
        appropriately accurate, complete, and timely for the 
        purpose.

   LAnyone using a consumer score in a way that 
        adversely affects an individual's employment, credit, 
        insurance, or any significant marketplace opportunity 
        must affirmatively inform the individual about the 
        score, how it is used, how to learn more about the 
        score, and how to exercise any rights that the 
        individual has.

   LA consumer score creator has a legitimate interest 
        in the confidentiality of some aspects of its 
        methodology. However, that interest does not outweigh 
        requirements to comply with legal standards or with the 
        need to protect consumer privacy and due process 
        interests. All relevant interests must be balanced in 
        ways that are fair to users and subjects of consumer 
        scoring.

   LThe Congress and the FTC should continue to examine 
        consumer scores and most especially should collect and 
        make public more facts about consumer scoring.

   LThe FTC should investigate the use of health 
        information in consumer scoring and issue a report with 
        appropriate legislative recommendations.

   LThe FTC should investigate the use of statistical 
        scoring methods and expand public debate on the 
        proprietary and legality of these methods as applied to 
        consumers.

   LThe Consumer Financial Protection Bureau should 
        examine use of consumer scoring for any eligibility 
        (including identity verification and authentication) 
        purpose or any financial purpose. CFPB should cast a 
        particular eye on risk scoring that evades or appears 
        to evade the restrictions of the FCRA and on the use 
        and misuse of fraud scores. If existing lines allow 
        unfair or discriminatory scoring without effective 
        consumer rights, the CFPB should change the FCRA 
        regulations or propose new legislation.

   LThe CFPB should investigate the selling of consumer 
        scores to consumers and determine if the scores sold 
        are in actual use, if the representations to consumers 
        are accurate, and if the sales should be regulated so 
        that consumers do not spend money buying worthless 
        scores or scores that they have no opportunity to 
        change in a timely or meaningful way.

   LBecause good predictions require good data, the 
        CFPB and FTC should examine the quality of data factors 
        used in scores developed for financial decisioning and 
        other decisioning, including fraud and identity scores. 
        In particular, the use of observational social media 
        data as factors in decisioning or predictive products 
        should be specifically examined.

   LThe use of consumer scores by any level of 
        government, and
        especially by any agency using scores for a law 
        enforcement purpose, should only occur after complete 
        public disclosure, appropriate hearings, and robust 
        public debate. A government does not have a commercial 
        interest in scoring methodology, and it cannot use any 
        consumer score that is not fully transparent or that 
        does not include a full range of Fair Information 
        Practices. Government should not use any commercial 
        consumer score that is not fully transparent and that 
        does not provide consumers with a full range of Fair 
        Information Practices.

   LVictims of identity theft may be at particular risk 
        for harm because of inaccurate consumer scores. This is 
        a deeply under-
        researched area. The FTC should study this aspect of 
        consumer scoring and try to identify others who may be 
        victimized by inaccurate consumer scoring.

Q.8. Should some types of data, such as biometric information, 
even be allowed to be shared with third parties?

A.8. If data--or knowledge derived from that data--is sensitive 
enough, it should not be shared with third parties unless there 
are specific protective rules and risk mitigations in place. 
Some data is too sensitive to simply allow to be freely shared, 
either because as data it is sensitive, or as combined with 
other information, it could lead to knowledge impacting an 
individual's ability to make a living or purchase a home, or 
other issues related to eligibility under the FCRA.
    Working with data types we know well, consider the Social 
Security Number. In the 1980s, the SSN had grown to very broad 
uses in the United States. As a result, at a time when the 
United States was moving from a paper-based world to a digital 
world, certain types of crimes--particularly identity theft--
were greatly facilitated by the relative availability of SSNs. 
An early trickle of identity theft legislation in the mid-1990s 
turned into a torrent of legislation in short order around the 
use, storage, and protection of the SSN.
    SSNs are still used today, but many beneficial protections 
are now in place. Yes, SSNs are still used by third-parties, 
for example, by credit bureaus. But generally, SSN uses are 
much more restricted now. For example, SSNs have been removed 
from being printed on Medicare cards and on drivers' licenses. 
Data types and potential for uses need to be evaluated for 
risks to make a determination about risks related to sharing.
    In taking this a step further and discussing knowledge 
derived from data, think of the mosaic of information that 
outlines an individual's reputation and character such as that 
which would be revealed in a comprehensive background check. 
This is why the FCRA protections around background checks are 
so important. Background checks may be undertaken, but not 
without the subject's knowledge, and there is a procedure for 
disputing errors. Where safety rails do not exist, then more 
risk exists for that data or knowledge.
    Regarding the biometric portion of your query, I would like 
to respond in some detail. It is an important question.
    All biometric data, including genetic data, rises to the 
level of high sensitivity. As such, WPF proposes that 
biometrics be designated as a technology of very high concern, 
and be subjected to meaningful safety guardrails. The United 
States is one of the few countries where biometric technologies 
have not yet been as pervasively implemented as they have been 
in other jurisdictions. But it is very unlikely that the United 
States will fully escape the use of biometrics, as seen in 
airport biometric entry/exit programs, among other biometrics 
programs.
    Because of the significant risks inherent in the uses of 
the technology, biometrics--including facial recognition--
should be classified as a high-risk technology, and procedural 
safety protections that are well-tested and understood in other 
high-risk contexts should be adapted for biometrics and put in 
place as guardrails.
    The guardrails we are proposing are similar to those found 
in existing safety regulations in the United States and Europe.
Regulatory Safety Structures that Act as Guardrails for Biometric 
        Systems (Facial Recognition)
    The protections fall into three key areas: pre-and post-
market safety and quality regulations, use controls, and a 
consumer complaint mechanism.
Pre-and Post Market Safety and Quality Regulations:
    The following pre and post-market safety regulations for 
biometrics are derived from the existing legislative models of 
RoHS, REACH, and the Chemical Safety for the 21st Century Act 
(updates U.S. Toxic Substances Control Act) as well as the Fair 
Credit Reporting Act. Finally, the consumer complaint 
mechanisms at the CFPB and CDC provide the model for the post-
market consumer complaint reporting.

   LClassification: Biometrics would be classified as a 
        ``technology of very high concern.''

   LApplicable to full supply chain: The regulations 
        would apply to the full supply chain and to any entity 
        that produces, develops, sells, assembles, distributes, 
        installs, and uses biometric systems.

   LID risks and reporting requirements: Biometric 
        entities would be required to identify risks in the 
        technology and document and report those risks to the 
        applicable Government body.

   LTesting requirements: Biometric technologies 
        available for use would be required to be tested and 
        evaluated by NIST for accuracy and bias on a regular 
        basis, at a minimum, this review would be updated 
        annually.

   LProven safe prior to launch: The technology must be 
        proven safe and fit for purpose prior to launch, and 
        must be cleared for market by the appropriate 
        Government oversight body. For facial recognition, a 
        nondiscrimination analysis would need to be performed.

   LProduct labeling: The biometric product would be 
        labeled for accuracy and for bias. (Facial 
        recognition.)

   LCertification and training requirements would 
        apply.

   LOngoing monitoring: The full supply chain of 
        vendors and implementors must agree to ongoing 
        monitoring and documentation for compliance. Monitoring 
        can be in real time, or near real time.
Use controls:
    Biometric technology is deployed in specific use cases. 
Some use cases are not objectionable, however, some uses cases 
are objectionable and pose threats of discriminatory impact or 
other harms.

   LSome use cases of biometrics would not be allowed 
        due to safety considerations, or lack of functionality. 
        For example, body cameras equipped with real-time 
        facial recognition are viewed by biometricians and a 
        majority of law enforcement as a high-risk use case. 
        This particular use case has both legal and technical 
        problems.

   LAllowed use cases would have significant 
        definitional controls and procedural requirements. For 
        example, biometrics used in law enforcement 
        investigatory settings would be subject to the 
        procedures set forth at the Federal level. At the State 
        level, the Bureau of Justice Assistance procedures for 
        biometrics use, for example, could be required (https:/
        /www.bja.gov/Publications/Face-Recognition-Policy-
        Development-Template-508-compliant.pdf.)

   LVoluntary Consensus Standards could be used in 
        conjunction with legislation to establish ongoing 
        multistakeholder evaluation of emerging use cases.
Post-Market Consumer Complaint Reporting:
   LVoluntary Consensus Standards could be used in 
        conjunction with legislation to eUsing the adverse 
        event reporting model and the consumer complaint model, 
        biometrics technologies would have a dedicated post-
        market monitoring mechanism at the Federal level.

   LConsumers and others would be able to submit 
        complaints to a central structure.

   LAs with the structure of the existing Consumer 
        Financial Protection Bureau (CFPB) consumer complaints 
        database, complaints would be available for viewing 
        within a matter of a week, and the complaints would be 
        available for download and analysis. This data will 
        provide ongoing insight into problem areas and detailed 
        implementation feedback.
Key Underlying Safety Statutes
    RoHS: EU Directive, also implemented in some U.S. States.

   LAs of July 2019 all RoHS deadlines active; 
        Directive is now applicable to any business that sells 
        electrical or electronic products, equipment, sub-
        assemblies, cables, components, or spare parts directly 
        to RoHS-directed countries, or sells to resellers, 
        distributors or integrators that in turn sell products 
        to these countries, is impacted if they utilize any of 
        the restricted 10 substances.

   LRequires products to be cleared for market prior to 
        launch and meaningful compliance documentation/
        recordkeeping from all parties in the supply chain, 
        regularly updated information, mandatory compliance 
        labeling.

   LIn the United States, California, Colorado, 
        Illinois, Indiana, Minnesota, New Mexico, New York, 
        Rhode Island, and Wisconsin have enacted RoHS-like and 
        e-waste regulations.
REACH: EU Regulation
   LApplies to essentially every product manufactured, 
        imported, or sold within the EU.

   LREACH regulates chemical substances, particularly 
        those known as Substances of Very High Concern (SVHC). 
        Substances considered carcinogenic, mutagenic, toxic 
        for reproduction, or bioaccumulative fall under SVHC 
        criteria.

   LEU manufacturers and importers are required to 
        register all substances produced above a set yearly 
        volume to:

   LID risks associated with the substances they 
        produce.

   LDemonstrate compliance in mitigating the risks to 
        ECHA.

   LEstablish safe use guidelines for their product so 
        that the use of the substance does not pose a health 
        threat.
Chemical Safety for the 21st Century Act: United States, Federal
   LRequires pre-manufacture notification for new 
        chemical substances prior to manufacture.

   LWhere risks are found, requires testing by 
        manufacturers, importers, and processors

   LRequirements for certification compliance

   LReporting and record keeping requirements

   LRequirement that any person manufacturing 
        (including imports), processes, or distributes in 
        commerce a chemical substance or mixture and who 
        obtains information which reasonably supports the 
        conclusion that such substance or mixture presents a 
        substantial risk of injury to health or the environment 
        to immediately inform EPA, except where EPA has been 
        adequately informed of such information. (The EPA 
        screens all TSCA b 8(e) submissions.)

              Additional Material Supplied for the Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                         [all]