communications including sensitive conversations can be easily captured, exposing aspects of your life to companies that are simply nobody's business. but when information collected about you is used to make your buying experience better or serve you better, you'll find a majority of the people have absolutely no problem consenting to that kind of use. but the collector ought to have the right to make that judgment, the value proposition with respect to the consumer. most americans don't have any awareness that there's no general law of privacy in commerce in the u.s. today governing these transactions. and when it's brought to their attention, they say they want one. our largest trading partners have such laws. build on the european standard. but i believe it's important for us to set our own standard, something that could, in fact,

be more flexible and more stakeholder driven and less punitive than what exists in europe today. but just as capable of delivering strong privacy protects. so in keeping with the spirit that the united states normally doesn't, you know, wait for someone else to set the standard and then borrow it, we ought to be setting our own standard. the final agency reports that have been issued recently that we ought to lay out a blueprint of privacy principles for legislation. senator john mccain and i have agreed on one approach, and i introduced that approach with him more than a year ago. it reflects each of

that the individual consumer has the right to make that decision. so can we get there? i think it's up to the members of this committee. the bipartisan proposal that senator mccain and i offered up, is, as i said, not the only way to approach this. we're ready to negotiate. and i think we ought to compromise in this effort to reach a fair standard. but we need to get down to that discussion because we really can't afford another year of delay which may in the end wind up putting america into a default position on this, which would be far less flexible, thoughtful, and sensitive to our own business interests. and i think that americans ought to know that congress believes that in the digital age every individual american has a right to an expectation of privacy.

i hope we can find that way forward, mr. chairman. >> thank you very much, senator kerry. i want to proceed now to our witnesses, and we'll have ample time for questioning and others will be -- members will be coming and leaving. let's start by preference of order, would be to start with the honorable john liebovitz, chairman of the federal trade commission, then honorable -- i'm going to skip over you to the guy who's general counsel to the department of commerce, who is somehow related to senator kerry. and then come back to you as a cleanup. is that all right? >> sure. >> so let's start with chairman liebowitz. >> thank you, chairman rockefeller. senator toomey, senator kerry, senator ayotte, i appreciate the opportunity to present testimony on consumer privacy alongside our newest commissioner as well

as my friend cam kerry. the commission commends the recent privacy efforts by the dp of commerce as well as the bipartisan leadership your committee has shown on consumer privacy issues. though most of my remarks today will concern privacy policy and especially do not track, the ftc is primarily an enforcement agency and commissioner ole hawesen will describe our recent enforcement efforts. mr. chairman, imagine a cash-strapped college student working part-time to keep up with tuition payments. to make ends meet, she applies online for a loan and obtains it at a favorable rate. but she also goes online because her father suffers from depression, so she wants to research symptoms and potential treatments. soon after, in the mail, she receives another loan offer. this time from a payday learn at a much higher rate. in the evening, she spends time relaxing by catching up with friends' posts on a social network. while online, she notices she's

receiving ads for medication for stress and depression as well as more loan offers. could the lender have sold the information about her need for money to payday lenders who are now offering her loans? could the fact that she researched depression be sold to or shared with potential employers or inshunners? can these exchanges of information occur without the consumer's consent or even awareness? the answer to all of these questions is yes. of course. the college student benefits from quick response to loan applicati applications, free access to health information, and an easy way to keep up with friends and family. but as senator kerry noted, the vast majority of americans simply have no knowledge that they're purchasing financial, health, and other personal information may be sold to data brokers, lead generators, lenders, insurance companies,

employers and just about anybody else. most consumers are entirely unaware of the vast amounts of data about them beinged, sold, and used both online and offline. we at the commission applaud the internet innovation. it's created enormous benefits for consumers and the advertising ecosystem that's provided free content and services, the ones we've all come to expect and enjoy. but as is the nation's privacy protection agency, we are also concerned that some practices by some companies may adversely affect americans and their critical right to privacy. at the ftc, we have been thinking about this issue for more than a decade. we recently released our final privacy report that sets forth what we in the public and private sectors should do to make sure that the right way -- or that the right to privacy remains row best for all americans. the short answer is that consumers should have more choice and more control. and to ensure that control, a report lays out three simple but

powerful principles for companies to follow in handling personal data. first -- this is guidance, not a regulation. first, incorporate privacy protections into products as they are developed. that is, privacy by design. second, offer consumers choice and control over how their data is collected and used. and third, provide more transparency. that is better explanations to consumers about how their data is handled by companies. the final report also recommends that congress consider enacting general privacy legislation as well as specific statutes addressing data security and data brokers. data brokers often hold a wealth of information about consumers and remain utterly invisible to them. in addition, our report calls for a do not track mechanism, one that is easy to use and persistent to enable consumers to control the flow of information about their activities across websites.

it's worth emphasizing your computer is your property. the first chairman i served with used to say, republican chairman, people shouldn't be putting things in your computer without your consent. and i think that's a sort of fundamentally -- a conservative notion. in the last year, industry has made strides towards finalizing a meaningful do not track system. as you know, mr. chairman. indeed, at this point, we are no longer asking whether do not track will exist but only how it will be implemented. we're optimistic that with the encouragement of this committee and especially you, mr. chairman, a do not track mechanism that allows consumers to control the collection of their browsing information with limbed exceptions, for example, to prevent fraud will be in place by the end of the year. just going back to the sort of discussion between senator toomey and senator kerry and do not track, of course, will be run by industry, won't be run like the government runs do not call. of course vigorous enforcement

remains a top priority for our agency, as the commissioner will describe in more detail. just this week we announced a case against the social network myspace. the ftc complaint alleged myspace shared personal user information with advertisers after promising that it would not. the proposed settlement of order prohibits myspace are from making any privacy misrepresentations and requires it to create a comprehensive privacy program and undergo third-party audit. simply cut, this case stands for the proposition that we will hold companies accountable for their privacy commitments. we appreciate the leadership of you, chairman rockefeller, in this committee and look forward to continuing to work with congress, the administration, industry, other stakeholders on privacy protection going forward. >> thank you. >> thank you, sir. the honorable karen f. kerry, general counsel, u.s. department of commerce. >> thank you, senator rockefeller. i'm grateful for the opportunity

to testify today about the administration's blueprint for data privacy. this blueprint is a framework to enhance consumer privacy while fostering economic growth, job creation and exports for american businesses. the federal trade commission has been a global leader in this area as well as a partner to the department of commerce and valued adviser to the council in developing the privacy blueprint. i welcome being able to join chairman liebowitz the commissioner at the witness table today. the explosion in the collection and storage and analysis of data and digital information offers new frontiers of knowledge and innovation and growth. but senator toomey asked the question, you know, what is the market failure here?

we are now at a tipping point that presents a dual market failure. first, while many companies earn trust as responsible stewards of consumers' personal information, it exceeds the ability of even the most sophisticated consumers to understand and control what information is collected about them. and second, this asymmetry allows outliers and outlaws that are not good stewards of information to take advantage of consumers' trust and lack of information. that is why a graeme companies, consumer groups, the ftc, and the administration support baseline consumer privacy legislation. when it comes to sustaining trust in the digital economy, business and consumer and government interests converge. the administration's privacy

blueprint articulates a consumer privacy bill of rights -- individual control, transparency, respect for context, accuracy, security, access and accuracy, security, and focused collection and accountability. and it calls for congress to give these broad principles the force of law. we recommend two mechanisms to apply these principles. the first is giving the ftc the direct authority to enforce the individual provisions, the bill of rights as enacted rather than relying entirely on its section 5 authority as currently framed. the second is authorizing the ftc to grant safe harbors from enforcement for codes of conduct that address how best to follow the privacy bill of rights in specific context.

the national telecommunications and information administration of the department of commerce is carrying out the administration's blueprint by initiating stake holder-driven processes to develop codes of conduct. ntiaa is reviewing recommendations on the process including your comments, chairman rockefeller. thank you. ntaa should be selecting a topic in convening the first meetings very soon. in addition, i have asked a working group to put the administration's privacy blueprint into legislative language. we are drafting, and we stand ready to work with this committee and with other members of congress to put baseline privacy legislation into law. what we do here is -- what we do

here in america is paramount to u.s. consumers and companies. but we cannot ignore the global reach of the internet. europe is in the process of honing its approach to data privacy. other countries around the world understand the need for rules of the road and are looking for models. we have the clear opportunity. as president obama said in his preface to the privacy blueprint, to offer the world a dynamic model of how to provide strong prooich si protection and enable ongoing innovation in new information technologies. baseline privacy legislation will ground our system firmly. so america can be an example for the world and pave the way for privacy standards that are interoperable around the globe. leading by example will

encourage other countries to build flexibility and accountability into their commercial data privacy networks. this model will promote free flow of information across national borders, which helps u.s. companies and u.s. consumers alike. mr. chairman, when i speak to international audiences, i point to the deeply held privacy values of americans that are embedded in our constitution and in privacy laws that couple statutory protection in areas like health records with strong enforcement by the ftc and by state attorneys general. and i get a lot of thank yous from companies for defending our system. but they want and they need more. they want the u.s. congress to send a clear message to the world that the united states cares about privacy and will

prothe text the privacy of consumers in all is sectors. mr. chairman, i thank you again for the opportunity to be here today to provide our views, and i welcome the committee's questions. >> thank you very much, sir. commissioner, welcome. >> thank you. chairman rock feller, ranking member toomey and members of the committee, i'm pleased to join chairman liebowitz and cameron kerry, general counsel of the department of commerce. privacy is an important topic for american consumers and i commend you for holding this hearing. but let me say at the outset that my comments and the views, presentationed in this statement are my own and do not really represent the views of the commission or any other commissioner. as you know, my tenure as an ftc commissioner began on april 4th. so while privacy is an issue in which i have tremendous interest and commitment, my views on privacy from the perspective of a commissioner are just over a

month old. while i have read the march 2012 privacy report and formed some initial thoughts, i was not at the commission during its development and release. i'm just now in the process of fully educating myself on the specifics of the report and thinking through the implications of the recommendations. so i'm not yet ready to commit myself to specific positions on all aspects of the privacy issues raised in the report. i am, however, happy to share some of my preliminary views on the best ways to safeguard consumer privacy as well as my thoughts about where the commission should deploy its resources. to start, i firmly believe that consumers should have the tools to protect their personal information through transparency and choices. as i said during my conversation hearing, i support the ftc's strong record of enforcement in the area of privacy. the commission's written testimony highlights many of our enforcement erts relating to privacy and data security. the ftc has brought more than 100 spam and spire cases

including against choice point, cbs, and twitter. we have also charged companies with failing to live up to privacy promises as in the highly publicized privacy cases against google and facebook, which together will protect the privacy of more than 1 billion users worldwide. as the commissioner, i will urge continuation of the strong enforcement record. as i also said in my confirmation hearing, i support data security legislation. the legislation should em power the ftc to promulgate regulations for the protection of personal data from unauthorized access, as to-do the current bills by chairman rockefeller and chairman pryor. as a parent, i'm especially concerned about proteging our children's privacy in the face of rapid technological advances. i support the commission's multiprong approach in this area. enforcement, regulation, policy research and education. since the enactment of the children's online privacy protection act of 1998, the commission has brought 18 enforcement actions. many the ongoing proceeding to

amend the rule, i will carefully consider the record as i form late my views. turning to the commission's privacy report, i would like to commend some important aspects of it. it calls for a policy of privacy by design by which companies build protections into their everyday practices. this helps minimize the risk of privacy breaches and concerns from the outset and should be considered a best practice by companies as they develop new products and services. appropriate use of the notice and choice concept is also core to a sound privacy policy. and i support the report's recognition that there is no single best way to offer notice and choice in all circumstances. i also agree with the concept of reducing burdens on consumers and businesses by identifying circumstances for which choice is not necessary because the collection and use of consumer data is consistent with the context of the transaction or where with the relationship with the consumer. as i have already noted, congress has given the commission enforcement and policy tools to provide a strong

framework with which we can protect american consumers. some of my colleagues, however, have supported additional privacy legislation that would go beyond section 5. the exact contours of such legislation are not yet defined, but my colleagues gave general guidance in the privacy report. the privacy report was clear, however, that the the recommend legislation would reach practices that would not be challenged under the current interpretation of section 5, however. i believe this gives me the opportunity to develop my own opinion on what else in addition to section 5 may be beneficial to consumers such as whether additional general privacy legislation is needed. i will consult with ftc staff, my fellow commissioners as well as many other stakeholders to gather views on what problems and possible solutions they see in the area of consumer privacy. some of the issues i will examine are, what harms are occurring now that section 5 cannot reach? and how should harm be measured? as my colleague commissioner rush noted in his dissent to the privacy report, the commission

has in the past specifically advised congress that absent deception it will not enforce section 5 against alleged intangible harm and the ftc's own unfairness statements sufgts the focus should be on monetary as well as health and safety harms rather than more subjective types of harm. although the commission's privacy report did not rejects the fundamental insight of the harm-based approach it appears to embrace an expansion of harm including reputational harm or other privacy interests and as an initial matter, i have reservations about such an expansion. even absent deception, financial and medical information is protected under current law, which likely reflects most consumers' expectations. in other area, however, consumers fear have diverse viewers about sharing information. thus it is important to proceed carefully to avoid impinging on many consumers' preferences. if a consumer is provided with clear notice prior to the information, there is likely no

basis that a consumer cannot make an informed choice. i would also like to find out more about the progress of the self-raeg regulatory and technology based empts underway to provide greater transparency and choice about the collection and use of their data. finally, new restrictions may also have an affect on competition favoring entrenched it entities with consumer information over new entrants who need to obtain such information or encouraging industry consolidation for purposes of sharing data. the ftc should be sensitive to these concerns as were el. clearly the technology sector is develops at lightning speed and we now face issues unheard of even a few years ago. i wish to proceed cautiously in exploring the need for additional general privacy legislation, however. i have concerns about the ability of legislative or regulatory efforts to keep up with the innovations and advances of the internegligent without also imposing unintended chilling effects on many of the benefits consumers gained or

without curtailing success of the internet economy. thank you for allowing me to participate in today's hearing. this committee has strong strong leadership in the area of consumer privacy and i look forward to working with you to ensure that american consumer privacy is protected. thank you. >> thank you very much, commissioner. i'll start with the questioning. i'll make this one to chairman liebowitz. the digital advertising alliance has spent a lot of time developing its own consumer guidelines. >> uh-huh. >> and they have pledged to follow these guide lines and honor their customer privacy concern, and that's a good thing. but we all know, at least i know, that in spite of their good intentions, that you just see this so many times. whether it's a coal mine. whether it's natural gas. whether it's a telephone company, whatever, whatever, whatever. repeats and repeats.

sometimes industries self-regulatory efforts do not end up protecting consumers. in my experience, corporations are unlikely to regulate themselves out of profits. let me give you an example. back in the 1990s, consumers were getting bogus charges, cram, you referred to, on their telephone bills. consumers should understand everything on their telephone bills and once they've read it in writing, if they can see the writing, they're so informed and, therefore, it's their responsibilities -- they've been replete. the big telephone carriers came to congress at that time, back in the '90s, and told us they would take care of this problem. they told us congress didn't have to pass a law. and that they would eliminate cramming on its own. as you well know, chairman liebowitz, the telephone

industry's efforts to stop cramming were a huge failure, and -- but my question to you is, why might the d.a.'s self-regulatory effort have a better chance of succeeding? >> well, let me just start by saying a you know, we brought a major cramming case today. a contempt order against a company that violated, action against a company that violated and order. i heard a 20-year order. i wondered, why 20-year orders? we have them because this con temp actually came 13 years after we put this company under order. more than $50 million in injury to consumers with bogus charges on their, placed and their bills. we want to work with you in this committee in a bipartisan way to stop cramming. with respect to the digital advertising alliance, i think they have made meaningful progress, and -- i do think

that, do not track, will be available for consumers i'm optimistic by the end of the year pr one way or the other. with your support and efforts. i would say this, though, we have to make sure that do not track is, with a few enewspaperer airted exceptions for maybe anti-fraud efforts, is about do not collect. it can't be i can collect consumer information but won't target them with advertisements but monetize it, sell it -- >> cut it off at the starting point. >> i cut it off at the starting point? >> yeah. >> do you want me to -- >> no. no, no. forget it. >> sorry. anyway, so we have to work -- i hi we have to work on that. going back to points several of you have made. i was on a west coast trip to the bay area meeting with all of these technology, a bunch of technology companies's they were wonderful. the privacy as competition issues just a few weeks ago and all of them want to be helpful on privacy. a lot wanted to be helpful on do not track. the one and indeed -- we're not

debating anymore whether there will be a do not track initiative. the industry alliance has said they will support a form of do not track. the question, what's will be be in it and when. will be effectuated. one of the things i sheared that you know, companies are stimd concerned he want to do the right thing but not at a competitive disadvantage. that's why i feel your efforts are very very helpful here. >> my time is not up. so you go back to the daa, and they say they're going to do this on their own. but my understanding is that the daa effort leaves some rather large loopholes, as you've observed at least to this point, and i'd like to know about that. >> well, i think it depends on what the exceptions might be to allowing consumers to opt out from third party tracking. just for anti-fraud purposes and

frequency capping so people don't get the same ads sent to them over and over and over, that might be -- might be legitimate. if it applies to things like marketing research, you know, it depends how it's defined. you certainly don't want a loop thiel swallows of you the commitment. that's why i think your hearing next week will be very important. >> yes. we're going to have that hearing. >> i know. >> thank you. senator? >> thanks very much, mr. chairman. just -- just to be very clear, i think i know how you'll all answer this, but the -- section 5 of the ftc act does authorize and empower the commission to make enforcement actions against a company that vile aipts its own privacy policy. do any of you believe that you lack sufficient enforcement authority in that regard and need any kind of legislative change to that,s in that respect? >> you can go first. >> so i would say, it's a

terrific tool for us, but it doesn't do everything. soap we have brought the number of cases, commissioner, hasn't mentioned the companies that have violated privacy commitments to consumers probably more than 40 -- including ones against facebook and google. having said that, you know, there are a lot of gaps. so, for example, in the law. for example, we did a report on kids privacy applications. apps, that go to kids through either the android google system or through the apple store. so these apps are great for kids. but only about a quarter of them had privs ip policies. privacy policies. we can't mandate a privacy policy but i think everyone understands that privacy policies would be a useful thing to have. now, we've gone back and talked to apple and google and they want to work with us to ensure there are private policies so parents know what they're giving to their children when they're