rockefeller. senator toomey, senator kerry, senator ayotte, i appreciate the opportunity to present testimony on consumer privacy alongside our newest commissioner as well as my friend cam kerry. the commission commends the recent privacy efforts by the department of commerce as well as the bipartisan leadership your committee has shown on consumer privacy issues. though most of my remarks today will concern privacy policy and especially do not track, the ftc is primarily an enforcement agency and commissioner ohlhausen will describe our recent enforcement efforts. mr. chairman, imagine a cash-strapped college student working part-time to keep up with tuition payments. to make ends meet, she applies online for a loan and obtains it at a favorable rate. but she also goes online because her father suffers from depression, so she wants to research symptoms and potential treatments. soon after, in the mail, she receives another loan offer. this time from a payday learn at a much higher rate. in the evening, she spends time relaxing by catching up with friends' posts on a social network. while online, she notices she's

receiving ads for medication for stress and depression as well as more loan offers. could the lender have sold the information about her need for money to payday lenders who are now offering her loans? could the fact that she researched depression be sold to or shared with potential employers or insurers? can these exchanges of information occur without the consumer's consent or even awareness? the answer to all of these questions is yes. of course. the college student benefits from quick response to loan applications, free access to health information, and an easy way to keep up with friends and family. but as senator kerry noted, the vast majority of americans simply have no knowledge that they're purchasing financial, health, and other personal information that may be sold to data brokers, lead generators,

lenders, insurance companies, employers and just about anybody else. most consumers are entirely unaware of the vast amounts of data about them being collected, sold, and used both online and offline. we at the commission applaud the internet innovation. it's created enormous benefits for consumers and the advertising ecosystem that's provided free content and services, the ones we've all come to expect and enjoy. but as is the nation's privacy protection agency, we are also concerned that some practices by some companies may adversely affect americans and their critical right to privacy. at the ftc, we have been thinking about this issue for more than a decade. we recently released our final privacy report that sets forth what we in the public and private sectors should do to make sure that the right way -- or that the right to privacy remains row best for all americans. the short answer is that

consumers should have more choice and more control. and to ensure that control, a report lays out three simple but powerful principles for companies to follow in handling personal data. first -- this is guidance, not a regulation. first, incorporate privacy protections into products as they are developed. that is, privacy by design. second, offer consumers choice and control over how their data is collected and used. and third, provide more transparency. that is better explanations to consumers about how their data is handled by companies. the final report also recommends that congress consider enacting general privacy legislation as well as specific statutes addressing data security and data brokers. data brokers often hold a wealth of information about consumers and remain utterly invisible to them. in addition, our report calls for a do not track mechanism, one that is easy to use and

persistent to enable consumers to control the flow of information about their activities across websites. it's worth emphasizing your computer is your property. the first chairman i served with used to say, republican chairman, people shouldn't be putting things in your computer without your consent. and i think that's a sort of fundamentally -- a conservative notion. in the last year, industry has made strides towards finalizing a meaningful do not track system. as you know, mr. chairman. indeed, at this point, we are no longer asking whether do not track will exist but only how it will be implemented. we're optimistic that with the encouragement of this committee and especially you, mr. chairman, a do not track mechanism that allows consumers to control the collection of their browsing information with limbed exceptions, for example, to prevent fraud will be in place by the end of the year. just going back to the sort of discussion between senator

toomey and senator kerry and do not track, of course, will be run by industry, won't be run like the government runs do not call. of course vigorous enforcement remains a top priority for our agency, as the commissioner will describe in more detail. just this week we announced a case against the social network myspace. the ftc complaint alleged myspace shared personal user information with advertisers after promising that it would not. the proposed settlement of order prohibits myspace are from making any privacy misrepresentations and requires it to create a comprehensive privacy program and undergo third-party audit. simply cut, this case stands for the proposition that we will hold companies accountable for their privacy commitments. we appreciate the leadership of you, chairman rockefeller, in this committee and look forward

to continuing to work with congress, the administration, industry, other stakeholders on privacy protection going forward. >> thank you. >> thank you, sir. the honorable cameron f. kerry, general counsel, u.s. department of commerce. >> thank you, senator rockefeller. i'm grateful for the opportunity to testify today about the administration's blueprint for data privacy. this blueprint is a framework to enhance consumer privacy while fostering economic growth, job creation and exports for american businesses. the federal trade commission has been a global leader in this area as well as a partner to the department of commerce and valued adviser to the council in developing the privacy blueprint. i welcome being able to join chairman leibowitz the commissioner at the witness table today. the explosion in the collection and storage and analysis of data and digital information offers new frontiers of knowledge and innovation and growth. but senator toomey asked the

question, you know, what is the market failure here? we are now at a tipping point that presents a dual market failure. first, while many companies earn trust as responsible stewards of consumers' personal information, it exceeds the ability of even the most sophisticated consumers to understand and control what information is collected about them. and second, this asymmetry allows outliers and outlaws that are not good stewards of information to take advantage of consumers' trust and lack of information. that is why a graeme companies, consumer groups, the ftc, and the administration support baseline consumer privacy legislation. when it comes to sustaining trust in the digital economy, business and consumer and government interests converge.

the administration's privacy blueprint articulates a consumer privacy bill of rights -- individual control, transparency, respect for context, accuracy, security, access and accuracy, security, and focused collection and accountability. and it calls for congress to give these broad principles the force of law. we recommend two mechanisms to apply these principles. the first is giving the ftc the direct authority to enforce the individual provisions, the bill of rights as enacted rather than relying entirely on its section 5 authority as currently framed. the second is authorizing the ftc to grant safe harbors from enforcement for codes of conduct that address how best to follow the privacy bill of rights in specific context.

the national telecommunications and information administration of the department of commerce is carrying out the administration's blueprint by initiating stake holder-driven processes to develop codes of conduct. ntia is reviewing recommendations on the process including your comments, chairman rockefeller. thank you. ntia should be selecting a topic in convening the first meetings very soon. in addition, i have asked a working group to put the administration's privacy blueprint into legislative language. we are drafting, and we stand ready to work with this committee and with other members of congress to put baseline privacy legislation into law. what we do here is -- what we do here in america is paramount to

u.s. consumers and companies. but we cannot ignore the global reach of the internet. europe is in the process of honing its approach to data privacy. other countries around the world understand the need for rules of the road and are looking for models. we have the clear opportunity. as president obama said in his preface to the privacy blueprint, to offer the world a dynamic model of how to provide strong privacy protection and enable ongoing innovation in new information technologies. baseline privacy legislation will ground our system firmly. so america can be an example for the world and pave the way for privacy standards that are interoperable around the globe. leading by example will encourage other countries to build flexibility and accountability into their commercial data privacy networks.

this model will promote free flow of information across national borders, which helps u.s. companies and u.s. consumers alike. mr. chairman, when i speak to international audiences, i point to the deeply held privacy values of americans that are embedded in our constitution and in privacy laws that couple statutory protection in areas like health records with strong enforcement by the ftc and by state attorneys general. and i get a lot of thank-yous from companies for defending our system. and i get a lot of thank-yous from companies for defending our system. but they want and they need more. they want the u.s. congress to send a clear message to the world that the united states cares about privacy and will protect the privacy of consumers

in all is sectors. mr. chairman, i thank you again for the opportunity to be here today to provide our views, and i welcome the committee's questions. >> thank you very much, sir. commissioner ohlhausen, welcome. >> thank you. chairman rock feller, ranking member toomey and members of the committee, i'm pleased to join chairman liebowitz and cameron kerry, general counsel of the department of commerce. privacy is an important topic for american consumers and i commend you for holding this hearing. but let me say at the outset that my comments and the views presented in this statement are my own and do not really represent the views of the commission or any other commissioner. as you know, my tenure as an ftc commissioner began on april 4th.

so while privacy is an issue in which i have tremendous interest and commitment, my views on privacy from the perspective of a commissioner are just over a month old. while i have read the march 2012 privacy report and formed some initial thoughts, i was not at the commission during its development and release. i'm just now in the process of fully educating myself on the specifics of the report and thinking through the implications of the recommendations. so i'm not yet ready to commit myself to specific positions on all aspects of the privacy issues raised in the report. i am, however, happy to share some of my preliminary views on the best ways to safeguard consumer privacy as well as my thoughts about where the commission should deploy its resources. to start, i firmly believe that consumers should have the tools to protect their personal information through transparency and choices. as i said during my conversation -- confirmation hearing, i support the ftc's strong record of enforcement in the area of privacy. the commission's written testimony highlights many of our enforcement efforts relating to privacy and data security. the ftc has brought more than 100 spam and spire cases including against choice point, cbs, and twitter.

we have also charged companies with failing to live up to privacy promises as in the highly publicized privacy cases against google and facebook, which together will protect the privacy of more than 1 billion users worldwide. as the commissioner, i will urge continuation of the strong enforcement record. as i also said in my confirmation hearing, i support data security legislation. the legislation should empower the ftc to promulgate regulations for the protection of personal data from unauthorized access, as to-do the current bills by chairman rockefeller and chairman pryor. as a parent, i'm especially concerned about protecting our children's privacy in the face of rapid technological advances. i support the commission's multiprong approach in this area. enforcement, regulation, policy research and education. since the enactment of the children's online privacy protection act of 1998, the commission has brought 18 enforcement actions.

in the ongoing proceeding to amend the rule, i will carefully consider the record as i form formulate my views. turning to the commission's privacy report, i would like to commend some important aspects of it. it calls for a policy of privacy by design by which companies build protections into their everyday practices. this helps minimize the risk of privacy breaches and concerns from the outset and should be considered a best practice by companies as they develop new products and services. appropriate use of the notice and choice concept is also core to a sound privacy policy. and i support the report's recognition that there is no single best way to offer notice and choice in all circumstances. i also agree with the concept of reducing burdens on consumers and businesses by identifying circumstances for which choice is not necessary because the collection and use of consumer data is consistent with the context of the transaction or where with the relationship with the consumer. as i have already noted, congress has given the commission enforcement and policy tools to provide a strong framework with which we can protect american consumers.

some of my colleagues, however, have supported additional privacy legislation that would go beyond section 5. the exact contours of such legislation are not yet defined, but my colleagues gave general guidance in the privacy report. the privacy report was clear, however, that the recommended legislation would reach practices that would not be challenged under the current interpretation of section 5, however. i believe this gives me the opportunity to develop my own opinion on what else, in addition to section 5, may be beneficial to consumers. such as whether additional general privacy legislation is needed. i will consult with staff, my fellow commissioners, as well as many other stake holders to gather their views on what problems and possible solutions they see in the area of consumer privacy. some of the issues is what harms are occurring that section 5 cannot reach, and how should harm be measured? as my colleague commissioner rush noted in his dissent, the

commission has in the past specifically advised congress that acts of deception, it will not enforce section 5 in acts of intangible harm. and the own fairness statement suggests that the focus should be on monetary as well as health and safety harms, rather than on more subjective types of harm. although the commission's pro f privacy report did not project the insight of the privacy report, it appears to include reputational harm or the fear of being monitored or other interests. as an initial matter, i have reservations about such an expansion. even with deception, financial and medical information is protected under current law, which likely reflects most consumers' expectations. in other areas, however, consumers have diverse views about sharing information. thus, it's important to proceed carefully to avoid infringing on many preferences. if a consumer is provided with clear notice prior to the collection of information, there

is likely no basis for concluding a consumer cannot make an informed choice. i would like to find out more about the regulatory and technology based efforts under way to provide consumers greater transparency and choice. finally, new restrictions may have an effect on competition by favoring entrenched entities with information over new entries that need to obtain such information. or consuming consolidation for purposes of sharing data. the ftc should be sensitive to these concerns as well. clearly, the technology sector is developing at lightning speed, and we now face issues unheard of even a few years ago. i wish to proceed cautiously in exploring the need for any additional legislation, however, i have concerns about the ability of legislative or regulatory efforts to keep up with the advances of the internet without also imposing unintended chilling effects on many of the enormous benefits

consumers have gained from these advances without curtailing the development and success of the internet economy. thank you for allowing me to participate in today's hearing. we have shown strong leadership in the area of consumer privacy. thank you. >> thank you very much, commissioner. i'll start with the questioning. i'll make this one to chairman lebowitz. with digital advertising alliance has spent a lot of time developing its own consumer guidelines. and they have pledged to follow these guidelines and honor their customers' privacy concerns, and that's a good thing. but we all know, at least i know, that in spite of their good intentions, we see this so many times. whether it's a coal mine, whether it's natural gas. whether it's telephone company. whatever, whatever, whatever. repeats and repeats.

sometimes industries self regulatory efforts do not end up protecting consumers. in my experience corporations are unlikely to regulate themselves out of profits. let me give you an example. back in the 1990 cram, you referred to, on their telephone bills. one, i suppose, could say consumers should understand everything on their telephone bills, and once they've read it in write, if they can see the writing, they're so informed and therefore it's their potenti responsibilities have been replete. the big telephone carriers came to congress at that time, back in the '90s, and told us they would take care of this problem. they told us congress didn't have to pass a law. and that they would eliminate cramming on its own. as you well know, chairman leibowitz, the telephone

industry's efforts to stop cramming were a huge failure, and -- but my question to you is, why might the d.a.'s self-regulatory effort have a better chance of succeeding? >> well, let me just start by saying as you know, we brought a major cramming case today. a contempt order against a company that violated, action against a company that violated an order. i heard senator toomey say a 20-year order and i wondered when i got to the commission, why do we have 20-year orders? we have them because this contempt actually came 13 years after we put this company under order. more than $50 million in injury to consumers with bogus charges on their, placed and their bills. we want to work with you in this committee in a bipartisan way to stop cramming. with respect to the digital advertising alliance, i think they have made meaningful progress, and -- i do think

that, do not track, will be available for consumers i'm optimistic by the end of the year, one way or the other. with your support and efforts. i would say this, though, we have to make sure that do not track is, with a few enumerated exceptions for maybe anti-fraud efforts, is about do not collect. it can't be i can collect consumer information but won't target them with advertisements but monetize it, sell it -- >> cut it off at the starting point. >> i cut it off at the starting point? >> yeah. >> do you want me to -- >> no. no, no. forget it. >> sorry. anyway, so we have to work -- i think we have to work on that. going back to points several of you have made. i was on a west coast trip to the bay area meeting with all of these technology, a bunch of

technology companies, they were wonderful. the privacy as competition issues just a few weeks ago and all of them want to be helpful on privacy. a lot wanted to be helpful on do not track. the one and indeed -- we're not debating anymore whether there will be a do not track initiative. the industry alliance has said they will support a form of do not track. the question, what will be in it and when it will be effectuated. one of the things i heard is that, you know, companies are concerned they want to do the right, but not be at a competitive disadvantage. that's why i feel your efforts are very, very helpful here. >> my time is not up. so you go back to the daa, and they say they're going to do this on their own. but my understanding is that the daa effort leaves some rather large loopholes, as you've observed at least to this point, and i'd like to know about that. >> well, i think it depends on what the exceptions might be to allowing consumers to opt out from third party tracking. just for anti-fraud purposes and

frequency capping so people don't get the same ads sent to them over and over and over, that might be -- might be legitimate. if it applies to things like marketing research, you know, it depends how it's defined. you certainly don't want a loop hole that swallows up the commitment. that's why i think your hearing next week will be very important. >> yes. we're going to have that hearing. >> i know. >> thank you. senator? >> thanks very much, mr. chairman. just -- just to be very clear, i think i know how you'll all answer this, but the -- section 5 of the ftc act does authorize and empower the commission to make enforcement actions against a company that violates its own stated privacy policy. do any of you believe that you lack sufficient enforcement authority in that regard and need any kind of legislative change to that, in that respect? >> you can go first. >> so i would say, it's a

terrific tool for us, but it doesn't do everything. so we have brought a number of cases, commissioner, hasn't mentioned the companies that have violated privacy commitments to consumers probably more than 40 -- including ones against facebook and google. having said that, you know, there are a lot of gaps. so, for example, in the law. for example, we did a report on kids privacy applications. apps, that go to kids through either the android google system or through the apple store. so these apps are great for kids. but only about a quarter of them had privacy policies. we can't mandate a privacy policy but i think everyone understands that privacy policies would be a useful thing to have. now, we've gone back and talked to apple and google and they want to work with us to ensure there are private policies so parents know what they're giving to their children when they're putting kids apps on their

iphones or smartphone, but part of the reason i think that the majority of the commission is a supportive of a general privacy legislation, and you have to get it right, of course, is -- is because it would fill in gaps. part is because i think a lot of businesses want more certainty that you can get when you're not taking a case-by-case approach what we sort of have to do. we do case-by-case and policy. we don't really do regulations except when the it comes to kids' privacy, because congress gave us specific authority to. >> so that is one of the things i want to examine, as i get more settled in as a commissioner is, if there are things that the ftc's current authority can't reach. initially i would say, a deceptive statement in a privacy policy that is a straightforward case for the ftc and successfully brought very many of them. >> that was my question. >> okay. >> so with respect to the violation of the stated pole, policy, nobody feels as though there is any ambiguity or insufficient authority? >> correct. >> none.

>> i think everybody here acknowledges, but just to be clear, do you all agree there are many companies operating on the internet that actively compete on the basis of the privacy policies that they offer, that that is one of the features that they -- that they bring attention to? >> i think that's a good point and i think we have started to see that. of course, one side of our agency is consumer protection. the other side is competition. so we like to see that. when -- i believe when google changed its privacy policy about, i think effective the beginning of march, microsoft had full-page ads in the "new york times" saying, if you want more privacy protection, use bing. so, yes, we're starting to see that. >> i believe that companies are starting to compete on those issues and starting to do that, but, of course, that has to be based on consumer interests. that's an attribute that

americans care about. >> that's the nature of the beast, seems to me. if there is a feature that is important to consumer, business, pursuing their own self-interest, will, in fact, try to attract consumers, by providing that feature, and they will compete on that basis. i find your discussion about do not track very interesting. as i understand it, this is an industry effort. this is not mandated by legislation. >> correct. >> it's not mandated by regulation. it's a voluntary approach, which you're commending. and which the industry, apparently, sees as in its own interests to pursue. so what to you think of this dynamic? whereby presumably with input from consumers and, you know, sort of discovers a process that works for both. >> well, on do not track, i think the majority of the commission is very supportive of

this process. they are making meaningful progress. now, i think part of that is companies want to do the right thing. part may be that the chairman's legislation is out there and i think a lot of people, it probably has a fair amount of support, but we see progress, and we're hopeful that one way or another we get to the finish line by the end of the year. again, some of it depends on precisely what's in the do not track effort but we commend their progress. >> yeah. senator, there is competition on privacy offerings. we would like to see more competition. part of the reason to introduce a set of privacy principles including transparency and control is to create more of an active conversation between businesses and consumers so consumers can make choices, understand the benefits. the problem with existing law today, the reason that we believe that additional ftc