authority is required is that too much hangs on privacy policies. and there's research throughout that indicates that you'd have to spend 250 hours a year to read every single privacy policy for the average consumer. that's just not something that people are able to do. so people don't really have a choice about a contents of what's in a privacy policy. and as chairman leibowitz mentioned, you know, there are companies out there that don't have privacy policies, and the -- the existing authority doesn't reach those. so what the ftc found about mobile apps is, consistent with a broader survey of the top 50 applications found. only one-third of them had privacy policies. how do you deal with people who don't have privacy policies?

you can't hold -- there are no promises that you can hold them to under section 5. >> i just would want to point out if i could briefly in closing, there's the premise of course the consumers want these privacy features that you're advocating. they're not available, and so the premise is there's a huge untapped potential in the marketplace that nobody's been smart enough to figure out, because if all of that is true, of course, there's a huge incentive for a company to simply offer those policies, advertise extensively and then take all kinds of market share away from the not so clever competitors who haven't figured out that that's important to consumers. so i think that we ought to just proceed cautiously when that's an underlying assumption. >> i call on senator kerry, but i have to point out that's an astounding assertion, astounding degree of faith in the knowledge and time of people.

senator kerry? >> thank you, mr. chairman. commissioner ohlhausen, ebay, hewlett-packard, intel, verizon, other industry leaders, support legislation that senator mccain and i have introduced. obviously these are all capable companies, and important to consumers, et cetera. you said there might be an unintended chilling effect. they don't see an unintended chilling effect. they've signed up. they think this is important. i do not have faith in the american consumer if they're given choices? that they can make those choices? and what's the -- what's the unintended chilling effect of the american consumer? >> thank you, senator kerry. you raise a very important issue. that's one of the things i want to the explore, as i said. i'm one month into my tenure and this is one thing i want to find out more about, but i do think there is the possibility that

companies that are ready, entrenched and have the data they need to create their products may not have the same concerns as a new company that may have a new product that we haven't even thought of yet that may use consumer data in a different way. >> but they're all going to be held to the same standard. the issue here is the individual american consumer's privacy. they're all going to be held to the same standard. i mean, you've set forth the idea that conceivably -- i think you have an economic or physical harm standard that you're applying. but the problem is, what happens if there's -- you know, no risk of economic or physical harm can be proven, but something very personal to people is exposed? a health issue. that they might have cancer. what if they're sexuality is exposed? what if they might be having an affair or something, and that's exposed.

that's damage. it's a violation of their privacy. you can't -- how do you line up with this sort of notion that it's only a physical or economic harm? >> senator, what i was addressing was, how the ftc has already said it would apply its unfairness authority, and what its told congress in the past what the limits were of that. for the ftc to recommend a new legislation that would take into account additional harms is something that i think needs careful consideration. >> that's what we're trying to get at. exactly what we've been doing. giving this careful consideration for two years now. and seems to me we need to kind of break through here a little bit. let me try to get further in that. because some of the argument from senator toomey and others, a notion that somehow this is going to interfere with the freedom to create new apps and so on and so forth.

i just don't see that. you know, consumers choosing how their information is going to be managed is not going to affect what people are going to offer. they're going to offer it with protections. i would assume. but let me ask specifically the other two witnesses. what other privacy principles, other than just this idea of transparency and choice? there are other privacy principles at stake here, like data retention limits, for instance. or, you know, purpose specification, et cetera. can you talk about the -- either of you, sort of what the breadth of interests are here that go beyond just the transparency choice? >> i'm -- well, i -- senator kerry, as i said in my remarks to senator toomey, we can't

depend just on notice and choice. you know, that is part of the problem with the existing system. the principles that we've outlined transparency, respect for security, security principles that you have talked about. we have articulated to the principle of focus collection, which incorporates both use limitations and data minimization. >> can you break it down in a practical way and how that would affect somebody? >> well, the principle recognizes and the reason we've articulated it a little differently than simply data minimization is that in the age of big data, there's a great

deal of data collection that has public benefits. benefits to public health. to research. and often in unforeseen connections in data. so we don't want to discourage that, but what we do want to discourage, i think, consistent with the principle of privacy by design, that, as the ftc articulated it, people make consideration decisions about what data they need to collect and what data they need to retain. >> if i could just follow up. i think embedded in your approach are several important principles. one of them, mr. kerry mentioned, privacy by design, another more transparency, that could be what codes of conduct, one of the benefits of having stakeholders involved in developing codes of conduct.

we discussed this in a previous hearing, we have found privacy policy in the mobile space that are 102 clicks. okay. nobody reads that except our staff who we ask to read it, and then the other thing, this is part of the reason why i think businesses are so supportive of things like, can be in some, supportive of do not track and general privacy legislation. is, it sort of creates a virtuous cycle. if consumers have more trust in the internet, they have, if they have more control, they generally feel like they have more trust in the internet, they do more -- engage in more commerce. and so i think part of the reason why companies support a general privacy legislation is because it's the right thing to do. part of it is because it becomes a virtuous cycle. as my colleague mentioned, you have to watch out for barriers to entry. on the competition site you sometimes see big guys doing things to make it tougher for new innovators but we have not

seen that problem on privacy issues thus far. and the only other point i wanted to mention is, i think we do not -- we try not to take speculative harm into account when we bring cases. we do take, these are bipartisan unanimous cases, reputational harm into account from time to time. for example, the google buzz order we have. google tried to jump-start its first social network by taking confidential g-mail information, which they said would be private, and making it public. by doing that, certainly information, lack the fact someone might be seeing a psychiatrist and on gmail became known to other users. so that kind of harm, where it's not speculative, is one we take into account under our statute. >> i appreciate it. thank you, mr. chairman. and let me just say that i think it's important -- i mean, look, if you had a choice in

transparency, you would be better than you are today. no question about that. but you'd still have a problem, because people could still get your information, use it any way they wish, store it indefinitely, and you wouldn't have any control over a third party purchase or a third sale or, you know, what's the standard by which that information is going to be kept? what happens to it after its been there a long period of time? there are a lot of things there where there's an expectation, i think, that has to be protected here, or people have to have the greater knowledge about than just the choice of what they may do. anyway -- >> thank you, senator kerry. >> thank you very much, mr. chairman. thanks for holding this hearing. thanks to our witnesses. i wanted to first thank chairman leibowitz for the work on cramming that i know you're doing. this has been something i've been focused on for a while along with our attorney general in minnesota and made some strides with some of the major

telephone companies, as you know, agreeing for land lines to police this in a better way. and i know that i saw yesterday you announced you're seeking a civil contempt ruling against a third party billing company. i thank you for that, even though it's not exactly on topic it is kind of. but then move on to other things. today i introduced with senator blumenthal and a few other senators and companion house legislation a bill on password privacy. and it's called the password protection act and this, of course, came out a number of us had gotten contacted by people who had been asked for passwords and some reports on it, and we worked actually with facebook and google and twitter and a lot of the groups, and there seems to be some widespread support for putting some kind of a rule in place to make clear that at least the data that people intend to have be private is private.

what i think former justice brandeis used to call the right to be left alone, and that we have with the new technology, it's very difficult for the laws to keep up. and i was just wondering what the ftc and you, mr. kerry, what the department of commerce is doing with regard to these issues and if you had things come up with password issues and the like? you want to start, senator -- >> well, we have some concern, and we've expressed some concern about the practice of employers asking for facebook passwords and have communicated that to facebook. facebook, sounds like they're working with you. they've noted this may not be part of their terms of service. so it is something we are concerned about. it may be something, by the way, that -- that isn't within our unfair deceptive acts or practices authority. it's sort of an interesting

question we were discussing today before i came up here, but we want to work with you going forward on your legislation. >> very good. mr. kerry? >> all right. thanks, senator. the relation between the consumers and the companies that they deal with and not with their employers, but what i would say is that the use of that information by employers is reflective of one of the critical realities of where we are in the world of information today. that -- that there's so much information out there about people. and the ability to collect and to aggregate that information has gotten so extensive that -- that, you know, it is possible to learn things about people that constitute sensitive information.

even, you know -- even though that sensitive information hasn't been put out there, you know, by itself. what i mean by having to take chairman leibowitz's example of somebody doing a search on health information, now we protect health information under hipaa. health care providers have to protect that, but you can find you know, by aggregating information, you can determine -- you can find out health information but you're not subject to those protections. so the ability to aggregate information creates new risks of harm that haven't existed. >> right. same with the information that might be under password. things about people's religious status. things you would not ask about in an interview that would be behind the password. we're hoping, working with the business community, there will be support here, too, as well as

what the rules of the game are for them. so we've been working on that. my last question is just about industry self-regulation. i think it's important to recognize the proactive steps industry has undertaken to set up and follow best practices, self-regulatory agreements. now we just need to get the word out and make sure they're easy for consumers to use if they want to. how are your agencies working with industry to help get the word out about consumers' rights to privacy and how they can make privacy decisions that are right for them? basically, how do you educate the public about the tools out there now and in addition to what we may be working on, but what's out there now and how are you working with self-regulation entities to make sure these policies are consumer friendly? >> so our report protecting consumer privacy in rapid change, most of the members of the committee are familiar with it, was drafted after working with stakeholders. we held numerous workshops, put out a draft report which

companies generally liked but also got -- but we wanted this we also got more than 460 comments from industry representatives, consumer groups, and various other, of the other people who had something to say and some of those comments are very detail and very, very helpful. i would say the pace of self-regulation has been fairly uneven and i think that's part of -- even if you asked the best company, companies with the best privacy practices about that, they would say that's part of the reason why they're interested in things like do not track standards and privacy legislation. it's so that we'll be migrating towards a more even playing field and also one when consumers have more trust in the internet, which, again, contributes a sort of virtuous cycle of more trust, of more commerce online. >> okay. very good. i think i'm out of time and i will get any other answers in writing from all of you and also

put in a question on cloud computing. something i would like to ask you all about. so thank you very much. >> thank you, senator. senator pryor? >> thank you, mr. chairman. let me start with you, if i may, ms. ohlhausen. i'm curious about your impression of the average internet user's understanding and realization of the extent that his or her information is being collected, and then how it's being used, and how it might affect our lives. i'm just curious about your sense of how the average internet user -- whether how much he gets out of all this. >> well, thank you, senator pryor. that is one of the kinds of issues i'd like to find more about as i talk to ftc staff and stakeholders. i do believe that there are

consumer expectations that financial information will be secured, the medical information will be secured. but as you get away from some of those areas, i do think in, for example, in first-party marketing issues, the ftc and online behavior advertising and also in this report has noted that consumers do expect that the website that they're dealing with may be serving the -- maybe using information to market to them, you know subsequently. has you move away from that paradigm of, you know, a one on one relationship, i think those are good questions i would like to explore further. >> mr. leibowitz, let me ask you kind of a three-part question. from your standpoint, first, are there adequate tools available? and second, are consumers sufficiently aware of those tools? and then, third, are they exercising their choice and

their controls? >> that's a great series of questions. i would say for some things there are adequate tools available. so, for example, if you want to go online -- so mozilla and i believe google and possibly even microsoft offer browsers where you can go incognito. that's a sort of interesting way for consumers if they want to, and if they're aware, to use a tool that empowers them. i think the best companies generally are better about empowering consumers, giving them more tools and more information, but in some instances, consumers just aren't aware. and they're partly not aware -- this goes back to actually senator toomey's point. we all would like to see more competition for privacy, but when you have privacy policies that are, you know, on the

mobile space that are dozens of clicks away, to read through, it's just -- it's hard to have competition without sort of transparency, understanding what those -- understanding what your tools might be and what your options are. and so -- and i'd also say this -- some companies give better protections in the teen space. something you're concerned about. others don't. we've encouraged company, again, we don't regulate. this is not a regulation. we don't regulate net space, but give more options for teens. we all know kids are tech savvy but judgment-poor. >> yeah. i actually was going to ask about teens next, mr. leibowitz, if we could go to that. and that is, i know that we don't require privacy policies right now. but should we require privacy policies when it comes to kids and teens? >> i think that's something we would like to work with you on,

because i think if you can encourage or require companies -- again, above coppa. under copa, we're under a children under the privacy protection act, specific obligations, as this committee knows we're in the process of updating cuppa obligations, i think that's a really good thing to haven't so that you know teens understand some of the consequences. all too often it's after a -- they recognize the importance of privacy, which most consumers recognize if you look at polling data. too often teens recognize the importance of privacy after they've sent something, posted something, read something that caused some harm. so i want to work with you, if up allow me on that issue with you coming forward that would be great. >> as we work on that i'd love to get your thoughts on if, and if so how, operators are misusing teens' personal information? i know you probably have data, a

lot of anecdotal evidence on that, but let me get to mr. kerry, if i can, because i'm almost out of time here. mr. kerry, i know a few moments ago when senator klobuchar was wrapping up looked like you had an answer, a document in your hand and maybe going to answer. i'll give you a chance to do that. first, let me ask about state attorneys general. do you -- is it the administration's or the department of commerce's view that state ags and the ftc should have the authority to seek civil penalties for violation of voluntary privacy commitments or codes of conduct? >> senator, we believe that stated during -- attorney general along with the ftc should be the prime enforcement vehicle. it's important that that -- that enforcement have some weight. we certainly would be glad to you know, as we move forward, to work on legislative language to

work with you to look at how best -- how best to do that. >> and did you want to -- >> sure. >> senator klobuchar asked the question, you know, about building consumer awareness, and the document i was getting out, chairman leibowitz held up his agency's report. the appendix in the white house blueprint sets out the consumer privacy bill of rights, and in doing that, we tried to put it in plain and simple language, and put it into a stand-alone document that is something that consumers can use to understand what to expect from businesses as a tool to build consumer awareness. and you know, that's something we will work to implement

through the multi stakeholder processes that we've now embarked on. i think it's important to the say that those processes are not just self-regulation. we want to involve all stakeholders to involve consumer groups so that that's regulation that's looking out for the interests of everybody and not just the effected business community. >> the -- it was interesting to me that in some of the comments that were made, people talked about breaking the internet. as if this onslaught of -- and also interesting to me that some didn't talk at all about consumers. they talked about the rights of an internet to be able to develop in any way, shape or form that would be, and didn't

get around to talking about the effects on consumers. so i want to get at this, mr. kerry, with you and also with all three of you, actually. breaking the internet policy. that if we were to pass some legislation. we've been working on this about ten years on the commerce committee without the vigor we have of recent, but this is an ongoing process. so privacy already protects people's phone conversations, protect people's television habits. privacy laws protect people's medical records. their financial data. and clearly, our privacy is protected in other technologies where there's sensitive information. now, how does this, which is

called protecting the american people, in ways in which they have every right to the expect to be protected and expect very thoroughly to be protected, do we get into breaking the internet? it's unclear to me that in any way, by any of these types of things do we not -- do we attack the rights and privacy of the internet in their own business. >> well, i'm pleased to answer that question, mr. chairman, because preserving the dynanism, the internet growth, a powerful instrument as it has been, absolutely a guiding premise of the work that we've done. and that's why the model that we've adopted doesn't follow traditional rulemaking model. that simply doesn't work in the

internet environment. it doesn't operate at internet speed. that's why we've incorporated in the multi stakeholder model building on top of a baseline. a floor of rights that consumers can expect and would apply across the board regardless of the business, regardless of the sector. to develop a set of codes of conduct using the same structures of multi-stakeholders, policy development standards, consensus, that have been so successful in the internet space. the world wide web consortium. the ieee. these are the governing bodies of the internet have operated not as the product of any one government, but as a public/private partnership, involving business, involving simple society.

it's worked tremendously successfully. it could work successfully in this base. >> if i could follow-up, mr. chairman. i think the general council is exactly right. privacy and innovation generally go hand in hand and you can protect consumers and protect innovation with respect to do no track the proof is that the business community supports it, and is supportive of moving forward with a do not track option for consumers. >> but was it not, and then i need to call on you, commissioner, but was it also not true that a number of companies got very enthusiastic about doing, do not track on their own, right after your reports came out? >> i would say there was, among the browser companies, like microsoft and mozilla and apple, there was a lot of support for it. there continues to be. again, there are a few -- >> i'm asking about the timing question. am i wrong -- >> yes, very supportive early on and we think they've made progress since. >> that's not the question.

they came out in support right after your two reports came out? >> yes. yes. some of them also came out after the -- more after the report, that is correct. >> yes. >> yes, sir. >> commissioner? >> so to -- >> so on breaking the internet. >> yes. i figured we were. i think that's an important issue, and one that some commenters have raised concerns about, and i think in the debate you get a wide array of views. and people express great concerns about that and other people have great concerns about consumer privacy and i think the ftc tried to strike the balance of meeting consumer expectations. if consumers have protection and expect protections about their financial information and their medical information, i think the ftc has done a good job in bringing cases that, you know, advances expectations for consumers. their deception-based cases