putting kids apps on their iphones or smartphone, but part of the reason i think that the majority of the commission is a portative of general privacy legislation, and you have to get right, of course, is -- is because it would fill in gaps. part is because i think a lot of businesses want more certainty that you can get when you're not taking a case-by-case approach what we sort of have to do. we do case-by-case and policy. we don't really do regulations except when the it comes to kids' privacy, because congress gave us specific authority to. >> so that is one of the things i want to examine, as i get more settled in as a commissioner is, if there are things that the ftc's current authority can't reach. initially i would say, a deceptive statement in a privacy policy that is a straightforward case for the ftc and successfully brought very many of them. >> that was my question. >> okay. >> so with respect to the violation of the stated pole, nobody feels as though there's any am ba gubiguity or insuffic

authority? >> correct. >> no. >> i think everybody here acknowledges, but just to be clear, do you all agree there are many companies operating on the internet that activity compete on the basis of the privacy policies that they offer, that that is one of the features that they -- that they bring attention to? >> i think that's a good point and i think we have started to see that. of course, one side of our agency is consumer protection. the other side is competition. so we like to see that. when -- i believe when google changed its privacy policy ab t about, i think effective the beginning of march, microsoft had full-page ads in the "new york times" saying, if you want more privacy protection, use bing. so, yes, we're starting to see that. >> i believe that companies are starting to compete on those issues and starting to do that, but, of course, that has to be based on consumer interests. that's an atrophy that americans care about. >> that's the nature of the

beast, seems to me. if there is a feature that is important to consumer, business, pursuing their own self-interest, will, in fact, try to attract consumers, by providing that feature, and they will compete on that basis. i find your discussion about do not track very interesting. as i understand it, this is an industry effort. this is not mandated by legislation. >> correct. >> it's not mandated by regulation. it's a voluntary approach, which you're commending. and which the industry, apparently, sees as in its own interests to pursue. so what do you they of this dynamic? whereby an industpresume blip w input from consumers and, you know -- sort of discovers a -- a process that works for both. >> well, on do not track, i think the majority of the commission is very supportive of

this process. they are making meaningful progress. now, i think part of that is companies want to do the right thing. part may be that the chairman's legislation is out there and i think a lot of people, it probably has a fair amount of support, but we see progress, and we're hopeful that one way or another we get to the finish line by the end of the year. >> again, some of it pretends on precisely what's in the do not track effort but we commend their progress. >> yeah. senator, there is competition on privacy offerings. we would like to see more comp tipgs. part of the reason to introduce a set of privacy principles including transparency and control is to create more of an active conversation between businesses and consumers so consumer, can make choices, understand the benefits. the problem with existing law today, the reason that we believe that additional ftc authority is required is, that

too much hangs on privacy policies. and there's research throughout that indicates that you'd have to spend 250 hour as year to read every single privacy policy for the average consumer. that's just not something that people are able to do. so people don't really have a choice about a contents of what's in a privacy policy. and as chairman liebowitz mentioned, you know, there are companies out there that don't have privacy policies, and the -- the existing authority doesn't reach those. so what the ftc found about mobile apps is, consistent with a broader survey of the top 50 applications found. only one-third of them had privacy policies. how do you deal with people who don't have privacy policies?

you can't hold -- there are no promises that you can hold them to under section 5. >> i just would want to point out if i could briefly in closing, there's the premise of course the consumers want these privacy features that you're advocating. they're not available, and so the premise is there's a huge untapped potential in the marketplace that nobody's been smart enough to figure out, because if all of that is true, of course, there's a huge incentive for a company to simply offer those policies, advertise extensively and then take all kinds of market share away from the not so clever kpelters who haven't figured out that that's important to consumers. so i think that we ought to the just proceed cautiously when that's an underlying assumption. >> i call on senator kerry, budg budgbut i have to point out that's an astounding degree of faith in the knowledge and time of people. senator kerry? >> thank you, mr. chairman.

>> commissioner ohlhausen, ebay, hewlett-packard, intel, verizon, other industry leaders, support legislation that senator mccain and i have introduced. obviously these are all capable companies, and important to consumers, et cetera. you said there might be an unintended chilling effect. they don't see an unintended chilling effect. they've signed up. they think this is important. i do not have faith in the american consumer if they're given choices? that they can make those choices? and what's the -- what's the unintended chilling effect of the american consumer? >> thank you, senator kerry. you raid a very important issue. that's one of the things i want to the explore, as i said. i'm one month into my tenure and this is one thing i want to find out more about, but i do think there is the possibility that

companies that are ready entrenched and have the data they need to create their products may not have the same concerns as a new company that may have a new product that we haven't even thought of yet that may use consumer data in a different way. >> but they're all going to be hemmed to the same standard, the issue here is the individual american consumer's privacy. they're all going to be held to the same standard. i mean, you've set forth the idea that conceivably -- i think you have an economic or physical harm standard that you're applying. but the problem is, what happens if there's -- you know, no risk of economic or physical harm can be proven, but something very personal to people is exposed? a health issue. that they might have cancer. what if they're sexuality is exposed? what if they might be having an affair or something, and that's exposed. that's damage.

it's a violation of their privacy. you can't -- how do you line up with this sort of notion that it's only a physical or economic harm? >> senator, what i was addressing was, how the ftc has already stead would apply its unfairness authority, and what its told congress in the past what the limits were of that. for the ftc to recommend ap new legislation that would take into account additional harms is somethinging that i think needs careful consideration. >> that's what we're trying to get at. exactly what we've been doing. giving this careful consideration for two years now. and seems to me we need to kind of break through here a little bit. let me try to get further in that. because some of the argument from senator toomey and others, a notion that somehow this is going to interfere with the freedom to create new apps and

so on and so forth. i just don't see that. you know, consumers choosing how their information is going to be managed is not going to affect what people are going to offer. they're going to offer it with protections. i would assume. but let me ask specifically the other two witnesses. what other privacy principles, other than just this idea of transparency and choice? there are other privacy principles at stake here, like data retention limits, for instance. or, you know, purpose specification, et cetera. can you talk about the -- either of you, sort of what the breadth of interests are here that go beyond just the transparency choice? >> i'm -- well, i -- senator kerry, as i said in my remarks to senator toomey, we can't

depend just on notice and choice. you know, that is part of the problem with the existing system. the principles that we've outlined transparency, respect for security, security principles that you have talked about. we have articulated to the principle of focus collection, which incorporates both use limitation limitations and data minimization. >> can you break it down in a practical way and how that would affect somebody? >> well, the principle recognizes and the reason we've articulated it a little differently than simply data minimization is that in the age of big data, there's a great

deal of data collection that has public benefits. benefits to public health. to research. and often in unforeseen connections in data. so we don't want to discourage that, but what we do want to discourage, i think, consistent with the principle of privacy by design, that, as the ftc atick la articulated it, people make consideration decisions about what data they need to collect and what data they need to retain. >> if i do just follow-up. i think embedded in your approach are several important principles. one of them, mr. kerrey mentioned, privacy by design, another more transparency, that could be what codes of conduct, one of the benefits of having

stakeholders involved in developing codes of conduct. we discussed this in a previous hearing, we have found privacy policy in the mobile space that are 102 clicks. okay. nobody reads that except our staff who wep ask to read it, and then the other thing, this is part of the reason why i think businesses are so supportive of things like, can be in some, supportive of do not track and general privacy legislation. is, it sort of creates a virtuous cycle. in consumers have more trust in the internet, they have, if they have more control, they generally feel like they have more trust in the internet, they do more -- engage in more commerce. and so i think part of the reason why companies support a general privacy legislation is because it's the right thing to do. part of it is because it becomes a virtuous cycle. as my colleague mentioned, you have to watch out for barriers to entry. on the competition site you sometimes see big guys doing things to make it tougher for new innovators but we have not

seen that problem on privacy issues thus far. and the only other point i wanted to mention is, i think we do not -- we try not to take speculative harm into account when we bring cases. we do take, these are bipartisan unanimous cases, reputational harm into account from time to time. for example, the google buzz order we have. google tried to jump-start its first social network by taking confidential gee maim information and making it public. by doing that, certainly information, lack the fact someone might be seeing a psychiatrist and on gmail became known to other users. so that kind of harm, where it's not speculative, is one we take into account under our statute. >> i appreciate it. thank you, and let me say that i think it's important -- i mean, look, if you had a choice and

transparency, better than you are today. no question about that. but you'd still have a problem, because people could still get your information, use it any way they wish, store it indefinitely, and you wouldn't have nip control over a third party purchase or a third sale or, you know, what's the standard by which that information is going to be kept? what happens to it after its been there a long period of time? there are a lot of things there where there's an expectation, i think, that has to be protected here, or people have to have the greater knowledge about just the choice of what they may do. anyway -- >> thank you, senator kerry. >> thank you very much, mr. chairman. thanks for holding this hearing. thanks to our witnesses. i wanted to first chaunk, chairman liebowitz, for the work on cramming that i know you're doing. this has been something i've been focused on for a while along with our attorney general in minnesota and made some strides whip some of the major

telephone companies, as you know agreeing for land lines to police this in a better way and i saw yesterday you're seeking a civil contempt ruling against a third-party billing company. i thank you for that, even though it's not exactly on topic it is kind of. but then move on to other thi things. today i introduced with senator bloomen hall and a few other senators and companion house legislation a bill on password privacy. and it's calmed the password protection act and this, of course, came out a number of us had gotten contact the by people who had been asked for passwords and some reports on it, and we worked actually with facebook and google and twitter and a lot of the groups, and there seems to be some widespread support for putting some kind of a rule in place to make clear that at least the data that people intend to have be private is private.

what i think former justice brandeis used to call the right to be legitimate alone and that we have with the new technology, it's very difficult for the laws to keep up, and i was just wondering what the ftc and you, mr. kerry, what the department of commerce is doing with regard to these issues and if you've had things come up with password issues and the like? you want to start, senator -- >> well, we have some concern, and we've expressed some concern about the practice of employers asking for facebook passwords and have communicate thatd toll that to facebook. facebook, sounds like they're working with you. they've noted this may not be part of their terms of service. so it is something we are concerned about. it may be something, by the way, that -- that isn't within our unfair deceptive acts or practices authority. it's sort of an interesting

question we were discussing today before i came up here, but we want to work with you are going forward on your legislation. >> very good. mr. kerry? >> all right. thanks, senator. the relation between the consumers and the companies that they deal with and not with their employer, but what i would say is that the use of that information by employers is reflective of one of the critical realities of where we are in the world of information today. that -- that there's so much information out there about people. and the ability to collect and to aggregate that information has gotten so extensive that -- that, you know, it is possible to learn things about people that constitute sensitive

information. even, you know -- even though that sensitive information hasn't been put out there, you know, by itself. what i mean by having to take chairman liebowitz' example of somebody doing a search on health information. now, we protect health information under hipaa. health care providers have to protect that, but you can find you know, by aggregating information, you can determine -- you can find out health information s but you're not subject to those protections. so the ability to aggregate creates new risks of harm that haven't xichted. >> right. same with the information that might be under password. things about people's religious status. things you would not ask about in an interview that would be behind the password. we're hoping, working with the business community, there will be support here, too, as well as

what the rules of the game are for them. so we've been working on that. my last question is just about industry self-regulation. i think it's important to recognize the corrective stechs industry has undertaken to set up and follow best practices, self-regulatory agreements. now we just freed to get the word out and make sure they're easy for consumers to use if they wanted to. how are your agencies working with industry to help get the word out about consumers' rights to privacy and how they can make privacy decisions that are right for them? basically, how do you educate the public about the tools out there now and in addition to what we may be working on, but what's out there now and how are you working with self-regulation ent tips to make sure these policies are consumer friendly? >> so our report protecting consumer privacy in rapid change, most of the members of the committee are familiar with it, was drafted after working with stakeholders. we held numerous workshops, put out a draft report which

companies generally liked but also got -- but we wanted this we also got more than 460 comments from industry representatives, consumer groups, and various other, of the other people who had somethinging to say and some of those comments are very detail and very, very helpful. i would sap the pace of self-regulation has been fairly uneven and i think that's part of -- even if you asked the best company, companies with the best privacy practices than they would say, that's part of the reason they're interested in things like, do not track standards and privacy legislation. it's so that we'll be mig greating towards a more even playing field and also one when consumers have more trust in the internet, which, again, contributes a sort of vegtuous cycle of more trust, of more commerce online. >> okay. very good. ip think i'm out of time and i will get any other answers in writing from all of you and also put in a question on cloud

computing. something i would like to ask you all about. so thank you very much. >> thank you, senator. senator pryor? >> thank you, mr. chairman. let me start with you, if i may, ms. ohlhausen. i'm curious about your impression of the average internet user's -- understanding and realization, the extent that his or her information is being collected, and then how it's being used, and how it might affect our lives. i'm just curious about your sense of how the average internet user -- whether how much he gets out of all this. >> well, thank you, senator pryor prp that is one of the kinds of issues ooibd like to find more about as i talk to ftc staff and stakeholders. i do believe that there are consumer expectations that

financial information will be secured, the medical information will be secured. but as you get away from some of those areas, i do think in, for example, in first-party marketing issue, the ftc and online behavior advertising and also in this report has noted that consumers do expect that the website that they're dealing with may be serving the -- maybe using information to market to them, you know subsequently. has you move away from that paradigm of, you know, a one on one relationship, i think those are good questions i would like to explore further. >> mr. liebowitz, let me ask you kind of a three-part question. from your standpoint, first, are there adequate tools available? and second, are consumers sufficiently aware of those tools? and then, third, are they exercising their choice and

their controls? that that' that's-. >> that's a great series of questions. i would say for some things there are adequate tools available. so, for example, if you want to go online -- so mozilla and i believe google and possibly even microsoft offer browsers where you can go incognito. that's a sort of interesting way for consumers if they want to, and if they're aware, to use a tool that empowers them. i think the best companies generally are better about empowering consumers, giving them more tools and more information, but in some instances, consumers just aren't aware. and they're partly not aware -- this goes back to actually senator toomey's point. we all would like to see more competition for privacy, but when you have privacy policies that are, you know, on the

mobile space that are dozens of clicks away, to read through, it's just -- it's hard to have competition without sort of transparency, understanding what those -- understanding what your tools might be and what your options are. and so -- and i'd also say this -- some companies give better protections in the teen space. something you're concerned about. others don't. we've encouraged company, again, we don't regulate. this is not a regulation. we don't regulate net space, but give more options for teens. we all know kids are text savvy but judgment-poor. >> yeah. i actually was going to ask about teens next, mr. liebowitz, if we could go to that, and that is, i know that we don't require privacy policies right now. but shot we require privacy policies when it comes to kids and teens? i. think that's something we would like to work with you on, because i think if you can encourage or require compani

companies -- again, above copa. under copa, we're under a children's under the privacy protect act, specific obligations, as this committee knows we're in the process of updating copa obligations, i think that's a really good thing to haven't so that you know teens understand some of the consequences. all too often it's after a -- they recognize the importance of privacy, which most consumers recognize if you look at polling data. aural toop often teens recognize the importance of privacy after they've sent something, poechted something, read something that caused some harm. so i want to work with you, if up aloy me on that issue with you coming forward that would be great. as we work on that i'd love to get your thoughts on if, and if so how, operators are misusing teens' personal information? i know you probably have data, a lot of anecdotal evidence on that but let me get to mr. kerpy if i can, because i'm almost out

of time here. mr. kerry, i know a few moments ago when senator klobuchar was wrapping up looked like you had an answer, a document in your hand and maybe going to answer. i'll give awe chanyou a chance that. first, let me ask about state attorneys general. do you -- is it the administrations or the department of commerce's view that state a.g.s and the ftc should have the authority to seek civil penalties for violation of voluntary privacy commitments or codes of conduct? >> senator, we believe that stated during -- attorney general along with the ftc should be the prime enforcement vehicle. it's important that that -- that enforcement have some weight. we certainly would be glad to you know, as we move forward, to work on legislative language to

work with you to look at how best -- how best to do that. >> and did you want to -- >> sure. >> senator klobuchar asked the question, you know, about building consumer awareness, and the document i was getting out, chairman liebowitz held his agency's report. the appendix in the white house blueprint sets out the consumer privacy bill of rights, and in doing that, we tried to put it in plain and simple language, and put it into a standard-alone document that is something that consumers can use to understand what to expect from businesses as a tool to build consumer awareness. and you know, that's something we will work to implement through the multistakeholder

processes that we've now embarked on. i think it's important to the say that those processes are not just self-regulation. we want to eninvolve all stakeholders to involve consumer groups so that that's regulation that's looking out for the interests of everybody and not just the effected business community. >> the -- it was interesting to me that in some of the comments that. made, people talked about breaking the internet. as if this onslaught of -- and also interesting to me that some didn't talk at all about consumers. they talked about the rights of an internet to be able to develop in any way, shape or form that would be, and didn't

get around to talking about the effects on consumers. so i want to get at this, mr. kerry, with you and also with all three of you, actually. breaking the internet policy. that if we william to d -- were to pass some legislation. we've been working on this about ten years on the commerce committee without the vigor we have of recent, but this is an ongoing process. so privacy already protects people's phone conversations, protect people's television habits. privacy laws protect people's medical records. their financial data. and clearly, our privacy is protected in other technologies where there's sensitive information. now, how does this, which is calmed protecting the american people, in wa