[Senate Hearing 107-1150] [From the U.S. Government Publishing Office] S. Hrg. 107-1150 S. 2201, ONLINE PERSONAL PRIVACY ACT ======================================================================= HEARING before the COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION UNITED STATES SENATE ONE HUNDRED SEVENTH CONGRESS SECOND SESSION __________ APRIL 25, 2002 __________ Printed for the use of the Committee on Commerce, Science, and Transportation U.S. GOVERNMENT PRINTING OFFICE 91-368 WASHINGTON : 2006 _____________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800 Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001 SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION ONE HUNDRED SEVENTH CONGRESS SECOND SESSION ERNEST F. HOLLINGS, South Carolina, Chairman DANIEL K. INOUYE, Hawaii JOHN McCAIN, Arizona JOHN D. ROCKEFELLER IV, West TED STEVENS, Alaska Virginia CONRAD BURNS, Montana JOHN F. KERRY, Massachusetts TRENT LOTT, Mississippi JOHN B. BREAUX, Louisiana KAY BAILEY HUTCHISON, Texas BYRON L. DORGAN, North Dakota OLYMPIA J. SNOWE, Maine RON WYDEN, Oregon SAM BROWNBACK, Kansas MAX CLELAND, Georgia GORDON SMITH, Oregon BARBARA BOXER, California PETER G. FITZGERALD, Illinois JOHN EDWARDS, North Carolina JOHN ENSIGN, Nevada JEAN CARNAHAN, Missouri GEORGE ALLEN, Virginia BILL NELSON, Florida Kevin D. Kayes, Democratic Staff Director Moses Boyd, Democratic Chief Counsel Jeanne Bumpus, Republican Staff Director and General Counsel C O N T E N T S ---------- Page Hearing held on April 25, 2002................................... 1 Statement of Senator Allen....................................... 6 Statement of Senator Burns....................................... 5 Statement of Senator Cleland..................................... 21 Statement of Senator Hollings.................................... 1 Prepared statement........................................... 2 Statement of Senator McCain...................................... 3 Statement of Senator Stevens..................................... 9 Statement of Senator Wyden....................................... 8 Witnesses Dugan, John C., Partner, Covington & Burling, on behalf of The Financial Services Coordinating Council........................ 50 Prepared statement........................................... 52 Lawler, Barbara, Chief Privacy Officer, Hewlett-Packard Company.. 28 Prepared statement........................................... 30 Misener, Paul, Vice President of Global Public Policy, Amazon.com 39 Prepared statement........................................... 41 Rotenberg, Marc, Executive Director, Electronic Privacy Information Center............................................. 33 Prepared statement........................................... 36 Torres, Frank, Legislative Counsel, Consumers Union.............. 22 Prepared statement........................................... 23 Appendix Jaffee, Daniel L., Association of National Advertisers, Inc., letter dated April 25, 2002 to Hon. Ernest F. Hollings......... 71 Kerry, Hon. John F., U.S. Senator from Massachusetts, prepared statement...................................................... 71 S. 2201, ONLINE PERSONAL PRIVACY ACT ---------- THURSDAY, APRIL 25, 2002, U.S. Senate, Committee on Commerce, Science, and Transportation, Washington, DC. The Committee met, pursuant to notice, at 10:15 a.m. in room SR-253, Russell Senate Office Building, Hon. Ernest F. Hollings, Chairman of the Committee, presiding. OPENING STATEMENT OF HON. ERNEST F. HOLLINGS, U.S. SENATOR FROM SOUTH CAROLINA The Chairman. The Committee will come to order. What we have, of course, is our online privacy bill before the Committee, and we have an actual bipartisan bill. The interesting thing is that--and I will put my full statement in the record, but we have got 14 different laws and regulations offering different levels of notice, choice, access and everything else, we have got the Cable Act, the Junk Fax Act, the telemarketing privacy, the video privacy--I comment on that because you would think, in trying to propose privacy for the Internet, that we are doing something real radical--not at all. In fact, you look at the European practice, we have got some 135 blue chip American corporations that have joined in their particular opt-in online privacy provisions, which in a way in a couple of regards are even a little more stringent than ours, but be that as it may, the bipartisan bill sets a uniform Federal standard for the protection of online personal information, and the five core principles are consent, notice, access, security, enforcement. I want to particularly, of the nine cosponsors, thank Senators Inouye, Rockefeller, Breaux and Cleland, who started with us--this has been a sort of a 2-1/2 year exercise, and Senators Kerry, Stevens, and Burns now, who worked with us the past 7 months to craft a bill that takes care of the concerns, not just of the consumers but, of course, the industry itself. We do not want to do anything to stultify--in fact, it is this Senator's view that in providing privacy provisions we are actually establishing trust and confidence in the Internet and therefore encouraging and propagating better and increased use. It has a provision for strong preemption. That is the certainty needed to resolve conflicting State standards. It has an opt-in protection for the sensitive personal information such as financial, health, ethnicity, religious preference, sexual orientation. It has opt-out protection for nonsensitive personal information like marketplace purchases. It has reasonable access, reasonable security and a sensible enforcement by the FTC and the State Attorneys General, of course with the private right of action. When we look at the Federal Trade Commission they have had some 5 years of studies, hearings, meetings with the industry off and on, and the last Federal Trade Commission recommended, in futility, that we legislate, because they could not get an agreed approach, but you can see how the Federal Trade were treated. Eli Lilly exposed 700 Prozac patients and got just a slap on the wrist, so we have it in there as a private right of action with jurisdiction in the Federal court and a showing of actual harm. My full statement is in the record. Let me yield. Senator McCain. [The prepared statement of The Chairman follows:] Prepared Statement of Hon. Ernest F. Hollings, U.S. Senator from South Carolina Today the Commerce Committee will examine S. 2201, the Online Personal Privacy Act of 2002--a bipartisan bill that is sponsored by 10 Senators on this Committee. We plan to report a bill in May, and that makes today's hearing exceedingly timely. It's past time for action on this issue, today will mark the 6th hearing on internet privacy in the last two Congresses. American consumers deserve better privacy protection on the Internet. We intend to give it to them. I am pleased to be joined in my efforts by nine cosponsors on this Committee. We have those who were with me from the beginning--Senators Inouye, Rockefeller, Breaux, and Cleland. And we have additional support, from Senators Kerry, Nelson, Carnahan, Stevens and Burns. I particularly want to commend Senators Kerry, Stevens, and Burns, who have worked with me over the past seven months to craft the sensible, balanced approach that we introduced last week. Let me articulate the principles that allowed us to achieve strong bipartisan support for our legislation--Strong preemption (to give business the certainty it needs in the face of conflicting state standards) Opt-in protection for sensitive personal information (like your financial and health information, your ethnicity, religious preferences, or sexual orientation) Opt-out protection for non-sensitive personal information (like your name and address, and marketplace purchases) Reasonable access Reasonable security Sensible enforcement by the ftc and the state ags, with the limited exception of violations involving sensitive information, which permit a right of action in federal court, premised on a showing of actual harm. Why do we need legislation? Businesses keep confounding consumers with unclear privacy policies that state, ``your privacy is important to us,'' but subsequently outline exceptions crafted to allow almost any use of personal information. Other Web sites don't post privacy policies, safe in the knowledge that they face no legal jeopardy under current law for selling your information. Some have argued that Americans' concerns about privacy no longer exist after September 11th. But poll after poll consistently demonstrates the American people want companies they patronize to seek their permission prior to using their personal information for commercial profit. As recently as February, a Harris survey found that 63% of Americans want internet privacy legislation. At the same time, advances in technology have provided the tools to seamlessly compile and enhance highly detailed personal profiles and histories of Internet users. Cookies and web bugs, and who knows what other technologies, all enable the surreptitious collection of individuals' personal information, including every click of their computer mouse, online. Moreover, severe privacy breaches continue without consequence. Last year, Eli Lilly disclosed a list of hundreds of customers suffering from depression, bulimia, and obsessive compulsive disorder. Eli Lilly's response? An apology, and a promise it won't happen again. But an apology and a promise is not enough for those patients whose medical history was divulged publicly. Sensible privacy legislation like S. 2201 will stop this, promote consumer confidence, and bolster online commerce. A recent Forrester study reports that online businesses lost $15 billion due to consumer privacy concerns. Those numbers are significant in light of the economic downturn and its exaggerated impact on the high tech internet sector. Good privacy means good business and the internet economy could use a dose of that right now. The shame is that it has taken us this long to get here. It has been nearly two years since the FTC recommendation for Internet privacy legislation, which was reached after five years of diligent study. This recommendation was particularly credible in light of the FTC's record of extensive analysis and its two prior recommendations to allow self- regulation a chance to work. We will hear from our opponents today that it is unfair to regulate online only. But this argument is nothing more than a straw man designed to kill internet privacy legislation. Does anyone remember a similar argument when we passed the children's privacy legislation? Were children's web sites complaining that we were regulating them differently from Toys-R-Us? Of course not. The internet industry supported that legislation. This Committee stands ready to pass similar legislation for all users. Lets start there and then we'll see about the entire marketplace. Others will complain that our bill is premature--that we need to give the Gramm-Leach-Bliley financial privacy rules a chance to work, before we alter them for the Internet. Well--we've seen those rules, and they don't work. Americans have been receiving billions of notices in the mail telling them they can opt-out of the sharing of their personal financial information by financial institutions. These notices make a mockery of the claim that notice and opt-out provides sufficient protection for sensitive information. In many cases, the notices are internally inconsistent and outright deceptive. We need to bring transparency and consistency to privacy protection on the internet by building on the many existing statutes that protect privacy for telephone customers, cable subscribers, video renters, credit card customers, and children on the internet. All Internet users deserve similar protection. Some forward thinking companies know this. Microsoft, Intel, Hewlett-Packard, Expedia, and Earthlink provide opt-in right now. 185 U.S. companies, Including, Microsoft, Intel, Hewlett-Packard, and one of the largest data collection companies, Axciom, have signed on to the EU Safe Harbor, which requires notice, opt-in for sensitive information, access and security. Why should European citizens be granted more protection than Americans? Finally, I want to note that the following high tech trade associations have called for privacy legislation that preempts state law, requires notice and an opportunity to opt-out (and sometimes, even opt-in): the Information Technology Industries Association; the American Electronics Association; the Computer Systems Policy Project; and the Computer Technology Industry Association. Many of the members of these associations actually provide better privacy protection themselves, voluntarily. Despite the good intentions of these companies, unless we take action to establish common-sense protections that will deter bad actors, consumer fears will continue to stifle use of the internet as a trusted commercial medium. I look forward to our witness testimony, and the remarks of my distinguished former chairman, Senator McCain. STATEMENT OF HON. JOHN McCAIN, U.S. SENATOR FROM ARIZONA Senator McCain. Thank you, Mr. Chairman, and I want to thank you for holding this hearing today on the topic of online privacy and your recently introduced bill. I want to thank you for your continued work on this important subject. It is clear that privacy continues to concern many Americans who use the Internet. In a recent Harris interactive poll a majority of the respondents once again voiced their concerns over the use of their personal information online. In past hearings, this Committee has closely examined several issues with respect to online privacy legislation. We considered whether each of the four fair information principles, notice, choice, access, and security, should be mandated for online companies and, if so, how. We also addressed the questions of enforcement and preemption of State law. The Chairman's bill includes each of these elements and offers a solution that seeks compromise on some of the differences we have explored in prior hearings. Differences remain, however, particularly with respect to the private rights of action that this legislation creates, as well as the bill's coverage of access and security. There are, on an even broader level, very significant practical challenges we need to consider with respect to how or if this legislation can be implemented. One challenge we face is the treatment of personally identifiable information that is collected from both online and offline sources, and then merged together in a single consumer data file. Many companies and institutions today operate in both the online and offline world. We see examples of this everywhere. The retail chain, Toys-R-Us, allows customers to shop for the same toys online at Amazon that they can buy in their stores and shopping centers. Many local banks have web sites that allow account holders to check balances, transfer funds between accounts, and write checks to pay their bills online. These businesses must collect and use personal information in both settings in order to provide their goods and services, and sometimes that information must be combined into one customer file. What happens to that combined information if we attempt to legislate for the online world without considering its collection or use in the offline one? Would the same types of notices be applied, even ones designed with the Internet in mind? As these two worlds merge, we must face the practical reality that restrictions intended for the online world may have unintended but significant impact on accepted business practices in the offline world. The second challenge is that Congress passed over 30 Federal laws that already protect the privacy of individuals. We have to be certain to carefully consider the effect of this bill on these existing laws, particularly if its enactment would create ambiguous or conflicting requirements for business and greater confusion for consumers. I would also like to introduce two items into the record today that I believe are essential to our consideration of this legislation. The first are the letters of the Chairman and commissioners of the Federal Trade Commission that I received yesterday afternoon, a second is the 2001 survey of online privacy practices released by the Progress and Freedom Foundation in March, which duplicated the methodology used by the FTC in its 2000 report. The FTC has spent a considerable amount of time and resources addressing the issue of online privacy. After S. 2201 was introduced, I wrote a letter to each of the commissioners asking whether they believed legislation was needed and, if so, what it should contain. I also asked for their comments on the principle features of the legislation. Despite the short amount of time they had to spend, each commissioner did, and I thank them for their efforts. In summary, two of the five commissioners believe that legislation is needed at this time and are supportive of the bill. The other three commissioners, including the Chairman, expressed strong reservations about the workability of the provisions of S. 2201, and the need for legislation in light of existing privacy law, increased FTC enforcement, and industry efforts to improve protections. I want to thank the witnesses for being with us today, and I will be interested in hearing their views on the legislation. Thank you, Mr. Chairman. The Chairman. Thank you. Senator Burns. STATEMENT OF HON. CONRAD BURNS, U.S. SENATOR FROM MONTANA Senator Burns. Thank you, Mr. Chairman. Thanks for holding this hearing today as we wrestle with this problem of privacy in the Internet world. As more and more of our daily activities move online, it is no surprise that privacy is the number one concern among Internet users. I should add that privacy or, rather, the lack of it, is also the top reason why nonusers have not yet ventured into the Internet. The reason for these well-justified concerns are clear. Americans have no safety net on privacy online. In fact, ever more sophisticated technologies are being developed to collect nearly limitless information on individuals without their knowledge. Privacy is not just an individual rights concern, however. Online privacy is central to the future of the economic well-being of the Internet. The rate of growth of e- commerce is clearly being slowed by consumers' rising and legitimate fears about privacy intrusion. Several studies pointed out that the privacy reason preventing more people from making purchases online is the lack of privacy. While the Internet has exhibited massive growth, currently less than one percent of all consumer retail spending is done online. In short, e-commerce still has a huge upside potential, but that potential will never be fulfilled without the basic assurances of consumer privacy. To address these concerns, early in the 106th Congress, Senator Wyden and I introduced an Online Privacy Protection Act which was based on our shared view that while self-regulation should be encouraged, we need to also provide a strong enforcement mechanism to punish the bad actors. I remain convinced that the comprehensive private legislation is necessary to protect consumers, which is why I am the original cosponsor of the bill the Committee is considering today, the Online Personal Privacy Act. The fact that the bipartisan bill was introduced last week with 10 cosponsors on the Committee shows a tremendous support for online privacy that exists on this Committee. The current bill is much improved from the previous versions, and, while it is not perfect by any means, I view it as a reasonable compromise between the opt-out approach, which I favored previously, and the opt-in approach which the Chairman's original bill incorporated. I believe one of the strongest sections of the bill the Committee is considering today is its clear-cut preemption language. In response to the rising call for consumer privacy protection, the Internet risks being subject to a crazy quilt of conflicting regulations on a State-by-State basis. Already, for instance, the State of Minnesota has passed a comprehensive online privacy bill out of its legislature, and California is moving along a similar track. An online privacy law is already on the books in Vermont, which requires an opt-in by consumers before individuals' financial or medical information can be shared with third parties. While the impulse behind these efforts is understandable, companies need regulatory certainty in order to do business efficiently. Clearly, strong Federal preemption is needed and is provided in S. 2201. The robust security requirement is also a very positive aspect of the current bill. The bill simply requires web sites to maintain a reasonable procedure necessary to protect security, confidentiality, and integrity of personally identifiable information. In today's era of hacker intrusion and identity theft, I view this section as absolutely essential to protect consumers. I would like to touch on the idea offered by many who oppose privacy legislation that simply posting a privacy policy is the same as actually ensuring privacy for consumers. While I view the increasing trend toward posting privacy policies as a positive development, the fact remains that many of these policies are frustrating exercises in legalese. It becomes obvious from weeding through the examples of these policies that most were designed with the goal of protecting the companies, rather than informing and empowering the consumers. A perfect example of the potential consequences of the legalistic approach toward privacy policies occurred earlier this month, when millions of consumers downloaded a file- swapping program called Kazaa. Only later did consumers realize that they had agreed to install software that could help turn their computers into nodes on a network controlled by a third company called Brilliant Entertainment, while the company's privacy policy ran over 4,000 words, which explains why most consumers simply clicked on the ``I agree'' button. The concern surrounding these types of abuse led to the requirement in previous bills, on Senator Wyden's and my bill before, and S. 2201, that Privacy policies must be clear, and they must be conspicuous. I look forward to working with the Chairman and my colleagues on the Committee on this critical issue. I also look forward to the testimony today, and I appreciate it, and thank the witnesses for coming today, and I thank the Chairman. The Chairman. Thank you. Senator Allen. STATEMENT OF HON. GEORGE ALLEN, U.S. SENATOR FROM VIRGINIA Senator Allen. Thank you, Mr. Chairman, for holding this hearing. I have read and look forward to working with our witnesses, and thank you all for being here. I think we all can agree that individual people have a significant interest in personal information and an interest in determining how that information is used. Now, throughout this debate, Mr. Chairman, and for those who are in the Committee room here, I have been guided by two principles. First, I think we ought to empower individual consumers to make sure that they have the information necessary to make a reasonable decision and choice on their own. Second, I think we need to encourage to the greatest extent possible market-driven regulation. Many of those market forces already exist. Now, I want to associate myself, Mr. Chairman, with the sentiments expressed by Senator McCain, and I will not repeat many of the points he made, but I do want to touch on them. In this regard, I have concerns that this Committee may be proceeding with legislation prematurely that is unnecessarily burdensome and discriminatory to the online world. I do not think we should discriminate in the treatment of personally identifiable information with regard to the medium through which the information is collected. Why should a consumer's privacy concern regarding information-sharing only accommodate or apply to those consumers who have access to the Internet? Second, and further, there are at least 23 current Federal laws addressing information-sharing and privacy rights. I understand that consumers have specific and legitimate concerns about his or her health and financial information privacy. In addition, whether online or offline, the Gramm-Leach-Bliley Act of 1999, and the Health Insurance Portability and Accountability Act of 1996 already address many of those specific concerns. I would encourage enforcement of our existing laws before we attempt to craft new laws. Third, the Progress and Freedom Foundation released a report on online privacy, a report on the information practices and policies of commercial web sites. Some of the more interesting findings were that commercial web sites are collecting less personally identifiable information than they were 2 years ago. They also pointed out that fewer web sites are using third party cookies to track web surfing behavior. Of the most popular web sites, showing the reaction of the private sector, the sites that receive the most traffic, the use of third party cookies fell from 78 percent to 48 percent, and also the privacy notices--and Senator Burns noted this--are more prevalent and more prominent and more complete. Ninety-nine percent of the 85 busiest web sites have privacy policies that are more comprehensive, in other words, stating how they handle the consumer information, and more accessible from the site's front page. Now, the one rational jurisdictional reason for this legislation and one that I, too, support, and I think is the most important part, has to do with the jurisdiction, the Federal jurisdiction in this, in that it does deal with interstate commerce. The reason the Senate should consider any privacy legislation is to establish a uniform national standard. To have a patchwork of liabilities and rules governed by the States would make it extremely difficult for any business to comply with 50 potentially conflicting privacy laws and regulations, thus arguably affecting interstate commerce. I do want to get into some of the details of how much--and we do need to have a strong preemption. Some States, Mr. Chairman, and others are considering enacting privacy laws under the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, and how will these privacy laws be preempted under this legislation, and if we enact a new law I think we ought to make certain that the strongest, most effective preemption language is included. I would finally say that the treatment in here of affiliated companies as third parties can be seriously troublesome to diversified companies with diversified corporate structures. Many companies consist of dozens of different corporate structures, all of which may share a common customer data base. If a user's consent is required to share personally sensitive, personally identifiable information, even amongst controlled and affiliated subsidiaries, then many larger companies are going to be automatically potentially out of compliance, and just by the very nature of how data management infrastructures are built. So I look forward to working to the extent we can, and I hope we can in a bipartisan fashion with our Committee Members in an approach that informs and empowers individual choice, but also trust the private sector to continue its good work in the market, and I believe that that approach means that we ought to move very cautiously. I would finally state, Mr. Chairman, let us not create any more government-imposed restrictions that create more problems than they solve. Thank you, Mr. Chairman. The Chairman. Thank you. Senator Wyden. STATEMENT OF HON. RON WYDEN, U.S. SENATOR FROM OREGON Senator Wyden. Thank you, Mr. Chairman. I want to start, Mr. Chairman, by commending you, because I think a lot of progress has been made in the last year on this issue. As all of us will recall a year ago, this Committee was to a great extent deadlocked over some arcane matters, particularly this opt-out and opt-in issue. You have produced a hybrid kind of approach that I think makes a lot of sense, and I am planning to work very closely with you in the days ahead so that we can report this legislation. There is an important challenge today, because I do not think this country can afford an EXXON VALDEZ of privacy. We have already seen some very serious problems. It was not very long ago when the Eli Lilly Company unintentionally disseminated the e-mail addresses of more than 600 people taking Prozac, and I would just say, particularly to people in industry, if there is an EXXON VALDEZ of privacy, it will not be possible to get the kind of preemption protection that is envisaged in this legislation. If there are those kinds of calamitous events, every State in this country is going to go off and essentially do their own thing, and at that point the horse will be out of the barn, and it will not be possible to get preemption protection, as many in industry are seeking. Now, there are a number of concerns that I have at this point. I do want to make sure that with respect to the notice provision that there is a short, understandable notice provision, something that consumers can become familiar with in the years ahead. I also think it is important to explore ideas for safe harbor provisions so that the many companies in this country that are acting responsibly will have a clear path of certainty and safety under the legislation that Congress may pass, but there is no question in my mind important progress has been made in the last year, and I look forward to working with you, Mr. Chairman and Senator McCain and others to report this legislation. The Chairman. Thank you. Senator Stevens. STATEMENT OF HON. TED STEVENS, U.S. SENATOR FROM ALASKA Senator Stevens. Thanks very much, Mr. Chairman. I do not have a written statement, but I would say that I agree with Senator McCain about the offline concept, and I think we probably should be willing, those of us who sponsor this legislation, to listen to some of those concerns. Also, I have some concerns that I have expressed to you about the right of private action, and I think there ought to be some limitation on that. We ought to rely on the agencies first and then rely on private action only when it is necessary to raise the issues in the courts. And Senator McCain, I do not know if you know it, some of the commissioners sent us copies of the letters they wrote back to you, others did not. If you would share all of them with us, I think it would be good for the record to know what the commissioners are thinking about this. I do think, as Senator Allen said, we have a job to do now, and it is time that we got this done, and I think we should not be afraid of broadening this legislation. Thank you very much. The Chairman. Very good. Senator Cleland. Senator McCain. Mr. Chairman, I would ask the letters be included in the record. The Chairman. Those letters will be included. [The information referred to follows:] Federal Trade Commission Washington, DC, April 24, 2002 Hon. John McCain, Ranking Member, Committee on Commerce, Science, and Transportation, Washington, DC. Dear Senator McCain: Thank you for your letter of April 19, 2002, requesting my views on S. 2201, the Online Personal Privacy Act. Personal privacy issues are a key priority at the Commission. Because a variety of practices can have negative consequences, consumer concerns about privacy are strong and justified. Avoiding these consequences requires a strong law enforcement presence, and we have increased by 50 percent FTC resources targeted to addressing privacy problems. Our agenda includes: A proposed rulemaking to establish a national, do not call registry; Greater efforts to enforce both online and offline privacy promises; Beefed up enforcement against deceptive spam; A new emphasis on assuring information security; Putting a stop to pretexting; Increased enforcement of the Children's Online Privacy Protection Act; and New initiatives to both help victims of I.D. theft and assist criminal prosecution of this crime. The concerns about privacy that motivate our enforcement agenda have led others, including many members of Congress, to propose new laws, such as S. 2201, the Online Personal Privacy Act. There are potential benefits from general privacy legislation. If such legislation could establish a clear set of workable rules about how personal information is used, then it might increase consumer confidence in the Internet. Moreover, federal legislation could help ensure consistent regulation of privacy practices across the 50 states. Although we should consider carefully alternative methods to protect consumer privacy and to reduce the potential for misuse of consumers' information, enactment of this type of general legislation is currently unwarranted. \1\ --------------------------------------------------------------------------- \1\ There may be areas in which new legislation is appropriate to address a specific privacy issue. This letter addresses my concerns about broad, general legislation governing online privacy issues. --------------------------------------------------------------------------- Five points underscore my concern about general, online privacy legislation: 1. Drafting workable legislative and regulatory standards is extraordinarily difficult. The recently-enacted Gramm-Leach-Bliley Act (``GLB''), which applies only to financial institutions, required the multiple mailings of over a billion privacy notices to consumers with little current evidence of benefit. \2\ Our experience with GLB privacy notices should give one great pause about whether we know enough to implement effectively broad-based legislation, even if it was limited to notices. --------------------------------------------------------------------------- \2\ I am unaware of any evidence that the passage of GLB increased consumer confidence in the privacy of their financial information. In contrast to GLB's notice requirements, certain GLB provisions targeting specific practices have directly aided consumer privacy. For example, the law prohibits financial institutions from selling lists of account numbers for marketing purposes, and makes it illegal for third parties to use false statements (``pretexting'') to obtain customer information from financial institutions in most instances. --------------------------------------------------------------------------- Unlike GLB, the proposed legislation deals with a wide variety of very different businesses, ranging from the websites of local retailers whose sales cross state lines to the largest Internet service providers in the world. Thus, implementation of its notice requirement will likely be even more complicated. Moreover, the legislation adds requirements for access not found in GLB. The recommendations of the FTC's Advisory Committee on Online Access and Security make clear that no consensus exists about how to implement this principle on a broad scale. \3\ Perhaps reflecting these same concerns, S. 2201 grants the FTC broad rulemaking authority. The only legislative guidance is the requirement that the procedures be reasonable. The statute is silent, for example, on how to balance the benefits of convenient customer access to their information with the inherent risks to security that greater access would create. The FTC has no answer to this conundrum. We do not know how to draft a workable rule to assure that consumers' privacy is not put at risk through unauthorized access. --------------------------------------------------------------------------- \3\ The Committee's Final Report is available at www.ftc.gov/acoas/ papers/finalreport.htm. --------------------------------------------------------------------------- The inherent complexity of general privacy legislation raises many difficulties even with provisions that are conceptually attractive in the abstract. For example, the proposed legislation imposes different requirements on businesses based on whether they collect ``sensitive'' or ``nonsensitive'' personal information. Although this may be a conceptually sound approach, we have no practical experience in implementing it, and attempting to draw such distinctions appears fraught with difficulty, both in drafting regulations and assuring business compliance. Under the statute, for example, the fact that I am a Republican is considered sensitive, but a list of books I buy and websites I visit are not. Similarly, the broad state preemption provision would provide highly desirable national uniformity. Questions about the scope of preemption would inevitably arise, however. How would the preemption provision affect, for example, state laws on the confidentiality of attorney/client communications for attorneys using websites to increase their efficiency in dealing with their clients? Moreover, what are the implications for state common law invasion of privacy torts when the invasion of privacy occurs online? Another problem is that, except for provisions reconciling the provisions of this bill with the provisions of the Children's Online Privacy Protection Act and certain provisions of the Federal Communications Act, there are no provisions reconciling the proposed legislation with other important Federal privacy legislation. For example, it is unclear how S. 2201's requirement of notice and ``opt- in'' choice for disclosure of financial information collected online would be reconciled with GLB's notice and ``opt-out'' requirements for the same information. Nor is it clear whether a credit reporting agency's use of a website to facilitate communications with its customers would subject it to a separate set of notice, access, and security requirements, beyond those already in the Fair Credit Reporting Act. I want to emphasize that I note these examples, not to criticize the drafting of the proposed legislation, but to illustrate the inherent complexity of what it is trying to accomplish. 2. The legislation would have a disparate impact on the online industry. Second, I am concerned about limiting general privacy legislation to online practices. Whatever the potential of the Internet, most observers recognize that information collection today is also widespread offline. Legislation subjecting one set of competitors to different rules, simply based on the medium used to collect the information, appears discriminatory. Indeed the sources of information that lead to our number one privacy complaint--ID Theft--are frequently offline. Of course, applying the legislation offline would increase the complexity of implementation, again underscoring the difficulties inherent in general privacy legislation. 3. We have insufficient information about costs and benefits. Third, although we know consumers value their privacy, we know little about the cost of online privacy legislation to consumers or the online industry. Again, the experience under GLB indicates that the costs of notice alone can be substantial. Under S. 2201, these costs may be increased by the greater number of businesses that must comply, by uncertainty over which set of consent procedures apply, and by the difficulty of implementing access and security provisions. 4. Rapid evolution of online industry and privacy programs is continuing. Fourth, the online industry is continuing to evolve rapidly. Recent surveys show continued progress in providing privacy protection to consumers. \4\ Almost all (93 percent) of the most popular websites provide consumers with notice and choice regarding sharing of information with third parties. Some of the practices of most concern to consumers, such as the use of third party cookies, have declined sharply. Moreover fewer businesses are collecting information beyond email addresses. These changes demonstrate and reflect the more important form of choice: the decision consumers make in the marketplace regarding which businesses they will patronize. Those choices will drive businesses to adopt the privacy practices that consumers desire. --------------------------------------------------------------------------- \4\ The Progress and Freedom Foundation recently released the results of its 2001 Privacy Survey, available at www.pff.org/pr/ pr032702privacyonline.htm. --------------------------------------------------------------------------- Perhaps most important for the future of online privacy protection, 23 percent of the most popular sites have already implemented the Platform for Privacy Preferences (P3P). This technology promises to alter the landscape for privacy disclosures substantially. Microsoft has incorporated one implementation of P3P in its web browser; AT&T is testing another, broader implementation of this technology. By the time the Act's disclosure regulations might reasonably take effect, \5\ the technological possibilities for widespread disclosure may differ substantially. Although S. 2201 anticipates this development by requiring the National Institute of Standards to promote the development of P3P technology, legislation enacted now cannot take advantage of such nascent technology. Moreover, it may inadvertently reduce the incentives for businesses and consumers to adopt this technology if disclosures are required using other approaches. --------------------------------------------------------------------------- \5\ Again, GLB is instructive. It was almost two years between the enactment of the statute and the effective date of the privacy rules promulgated thereunder. --------------------------------------------------------------------------- 5. Diversion of resources from ongoing law enforcement and compliance activities. Finally, there is a great deal the FTC and others can do under existing laws to protect consumer privacy. Indeed, since 1996, five new laws have had a substantial impact on privacy-related issues. \6\ We should gain experience in implementing and enforcing these new laws before passing general legislation. Implementation of yet another new law will require both industry and government to focus their efforts on a myriad of new implementation and compliance issues, thus displacing resources that might otherwise improve existing privacy protection programs and enforce existing laws. Simply shifting more resources to privacy related matters will not, at least in the short term, correct this problem. The newly-assigned staff would need to develop the background necessary to deal with these often complex issues. The same is likely true for business compliance with a new law. Without more experience, we should opt for the certain benefits of implementing our aggressive agenda to protect consumer privacy, rather than the very significant effort of implementing new general legislation. --------------------------------------------------------------------------- \6\ Fair Credit Reporting Act, 15 U.S.C. Sec. 1681 (amended 9/30/ 96); Health Insurance Portability and Accountability Act, 42 U.S.C. Sec. 1320 (enacted 8/21/98); Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501 (enacted 10/21/98); ID Theft Assumption & Deterrence Act, 18 U.S.C. Sec. 1028 (enacted 10/30/98); GLB, 15 U.S.C. Sec. 6801 (enacted 11/12/99). Moreover, since 1996, the FTC has been applying its own statute to protect privacy. --------------------------------------------------------------------------- Conclusion We share the desire to provide American consumers better privacy protection and to ensure that American businesses face consistent state and Federal standards when handling consumer information. Nonetheless, we believe that enactment of this general online privacy legislation is premature at this time. We can better protect privacy by continuing aggressive enforcement of our current laws. Sincerely, Timothy J. Muris Chairman ______ Federal Trade Commission Washington, DC, April 24, 2002 Hon. John McCain, Ranking Member, Committee on Commerce, Science, and Transportation, Washington, DC. Re: S. 2201 (The Online Personal Privacy Act) Dear Senator McCain: I am pleased to provide my views on S. 2201, the Online Personal Privacy Act, which was introduced by Chairman Hollings on April 18, 2002. Although I share the view of the sponsors of this legislation that privacy is important to American consumers, there has been no market failure that would justify the passage of legislation regulating privacy practices concerning most types of information. Even if such a market failure exists, I am not persuaded that the benefits of such legislation, including the proposed Online Personal Privacy Act, exceed its costs. Indeed, the best means of protecting consumer privacy without unduly burdening the New Economy is through a combination of industry self-regulation and aggressive enforcement of existing laws that are relevant to privacy by the FTC and other appropriate regulatory agencies. This approach is flexible enough to respond rapidly to technological change and to the tremendous insight we are gaining from the ongoing dialogue among government, industry, and consumers on privacy issues. You have asked for my assessment of whether legislation is needed. I believe legislation should be reserved for problems that the market cannot fix on its own. To my knowledge, there is no evidence of a market failure with respect to online privacy practices, nor are there signs of impending market failure that would warrant burdensome legislation. As a result of a continuing and energetic dialogue among industry, government and consumer representatives, industry is stepping up to the plate and leading the way toward enhancing consumer privacy online. Flexible and efficient privacy tools are increasingly addressing consumer concerns. Indeed, the evidence indicates that the market is responding to consumers' concerns and demands about privacy. A recent Progress and Freedom Foundation study \1\ tells us that there has been a significant decline in the amount of personal information that websites are collecting from visitors. \2\ At the same time, there has been an increase in the voluntary adoption of privacy practices. The study indicates that privacy policies have become more common and more consumer-friendly over the past year. In addition, the percentage of the most popular sites offering consumers a choice whether their information can be shared with third parties increased from 77% in 2000 to 93% in 2001. The privacy-enabling technology, Platform for Privacy Preferences (P3P), is being deployed rapidly, and industry has generally become more responsive to the privacy concerns of consumers. --------------------------------------------------------------------------- \1\ Adkinson, William F. Jr., Jeffrey A. Eisenach, Thomas M. Lenard, Privacy Online: A Report on the Information Practices and Policies of Commercial Web Sites. Washington, D.C.: Progress & Freedom Foundation (2002). Available at: http://www.pff.org/publications/ privacyonlinefinalael.pdf. \2\ Among the most popular 100 sites, the proportion collecting personal information fell from 96% in 2000 to 84% in 2001. Similar to this finding, the proportion of those firms employing ``cookies'' fell from 78% to 48% in the past year. --------------------------------------------------------------------------- These trends clearly demonstrate that the online marketplace is dynamic, and that firms are working hard to find the ``right'' pattern for information management practices. In addition, the survey results show that the most frequently visited websites (and much of the Internet as a whole) have clearly recognized that information management policies and privacy practices are necessary parts of everyday business on the Internet. Consumers expect privacy protection and firms realize that it is to their competitive advantage to respond to customer expectations. To the extent that consumers have demanded privacy, these results show that the market has provided it. Contrary to arguments by proponents of legislation that consumers' privacy concerns are retarding the growth of electronic commerce, electronic commerce is growing rapidly without new privacy legislation. Online transactions have roughly doubled each year between 1997 and 1999, and annual consumer purchases have risen from roughly $5 billion in 1998 to $32 billion in 2001. Recent data on online holiday shopping are even more dramatic, rising from roughly $1 billion in 1997 to nearly $14 billion in 2001--a 1300% increase. E-commerce thus is growing rapidly in the absence of new privacy regulation. \3\ --------------------------------------------------------------------------- \3\ It is interesting to compare the growth of electronic commerce to the growth in the use of debit cards. Between 1988 and 1996, debit transactions slowly rose from virtually nothing to less than $50 billion annually. As consumers' experience with these cards increased, however, debit card spending jumped to $300 billion in 2000. This massive growth in debit card transactions was not caused by federal regulatory action, but resulted from consumers' positive experiences with the cards. --------------------------------------------------------------------------- For many years now, it has been my understanding that Congress seeks to weigh the costs and benefits of new legislation, with the goal of avoiding doing more harm than good. To my knowledge, there is no evidence concerning the costs associated with the proposed legislation, nor an assessment of whether those costs are outweighed by the ill- defined economic benefits that might follow. I do not believe legislation should be adopted without careful consideration of the problems it may create. Perhaps the most glaring cost associated with the bill, and with any online-specific privacy legislation, is that it discriminates in favor of offline commerce. It is important to remember that electronic commerce currently constitutes a very small portion of all commercial activity. It is difficult to understand drawing a distinction between offline and online privacy. I would suggest that it is likely that consumers share similar concerns in both situations. I believe it is essential to consider the costs and benefits of regulating both online and offline privacy before any legislation is enacted. To evaluate other costs associated with the notice and choice requirements of the Online Personal Privacy Act, the Commission's experience with the Gramm-Leach-Bliley Act (GLB Act) is instructive. The GLB Act requires that financial institutions issue privacy notices to their customers and, in certain circumstances, provide them with the opportunity to opt out of disclosures of nonpublic personal information to nonaffiliated third parties. To comply with the GLB Act last year, firms incurred great expense in disseminating privacy notices, yet very few consumers opted out. Among the difficulties encountered in complying with the GLB Act was the challenge of communicating complex information to consumers. Industry would face these same challenges in communicating notice and choice in the online context, and a requirement to provide ``robust'' notice to consumers does little to solve these problems. It also would be difficult for static regulation to keep pace with technology. For example, regulation mandating notice provided on a website may be inapplicable to Web-enabled handheld devices, such as cell phones. A requirement to provide ``reasonable access and security'' is difficult to define. In its May 2000 report, the Commission's Advisory Committee on Online Access and Security was unable to reach consensus as to the amount and type of access that should be provided to consumers. \4\ Given the complexity of this issue, I do not believe that it is a suitable topic for broad-based legislation or regulation. More important, the Commission already has the ability to address security breaches through the enforcement of existing statutes. \5\ --------------------------------------------------------------------------- \4\ In 1999, the Commission established an Advisory Committee on Online Access and Security to provide advice and recommendations to the Commission regarding implementation of reasonable access and adequate security by domestic commercial websites. The Committee's final report to the Commission on May 15, 2000, described options for implementing reasonable access to, and adequate security for, personal information collected online and the advantages and disadvantages of each option. \5\ See In the Matter of Eli Lilly and Co., FTC File No. 012 3214 (consent agreement accepted, Jan. 17, 2002) (alleging that Eli Lilly unintentionally disclosed personal information collected from consumers by not taking appropriate steps to protect the confidentiality and security of that information). --------------------------------------------------------------------------- In addition, I am not aware of reliable information about the likely costs associated with providing access and, in particular, the costs of maintaining a clickstream database that could be easily accessible to consumers and easily altered. \6\ I therefore question whether the $3.00 fee allowed by S. 2201 for consumers to obtain access to their information would be sufficient to cover the expense. Although some firms--obviously the larger ones--might be able to absorb the costs associated with this access mandate, other firms might be unable to provide the service for a minimal fee and would be unable to continue business with their current model. This possibility seems terribly unfair to small business and harmful to competition in electronic commerce. --------------------------------------------------------------------------- \6\ Under the proposed legislation, clickstream data, as collected by third-party cookies, are considered to be personally identifiable information to which consumers should have access. --------------------------------------------------------------------------- Finally, in an attempt to empower consumers, this legislation gives them a private right of action. While this measure is aimed at increasing compliance with the law, I fear that a private right of action may result in unintended consequences. More specifically, increased private litigation over information management policies may chill further innovation on the part of businesses that may fear that any change in their information management practices will be met with lawsuits. In summary, the electronic marketplace is still evolving. Industry and government have been working diligently to address consumers' privacy concerns. Businesses have made admirable progress over the past several years and have no intention of standing down. Industry leaders are directly involved in seeking solutions to meet consumer demands and concerns. From a business standpoint, it just makes good sense. Now is not the time for the federal government to legislate and effectively halt progress on these self-regulatory efforts. New, complicated, and ambiguous laws will force innovation and investment to take a back seat to compliance and bureaucratic process. At the end of the day, we will have made far less progress in finding solutions to privacy concerns than we would have if we had simply relied on government and private sector cooperation and market forces. Thank you for the opportunity to offer my views on these issues. I look forward to working with you in the future. Sincerely, Orson Swindle, Commissioner ______ Federal Trade Commission Washington, DC, April 24, 2002 Hon. John McCain, Ranking Member, Committee on Commerce, Science, and Transportation, Washington, DC. Re: S. 2201 (The Online Personal Privacy Act) Dear Senator McCain: In anticipation of the Senate Commerce Committee's April 25, 2002 hearing on S. 2201, the Online Personal Privacy Act (``OPPA''), you have asked each Commissioner of the Federal Trade Commission to comment on whether legislation is needed and, if so, what such legislation should contain. As you know, the FTC has long been involved with the issue of consumer privacy and I have also personally devoted a great deal of time and thought to this matter. Accordingly, I appreciate the opportunity to offer my views about privacy legislation and comment on the principal features of the OPPA. In the past, a particular area of focus for me has been the question of whether federal legislation is necessary. In the Commission's May 2000 Congressional Report, ``Privacy Online: Fair Information Practices in the Electronic Marketplace,'' a majority of the FTC recommended that Congress enact online privacy legislation. In my accompanying statement and written testimony, I expressed my support for thoughtful and balanced online privacy legislation that is coupled with meaningful self-regulation and enforcement of existing laws. \1\ --------------------------------------------------------------------------- \1\ This position represented a change from my prior opinion which did not support legislation but, instead, called for industry self- regulatory measures. Compare Statement of Commissioner Mozelle W. Thompson Before Senate Comm. On Commerce, Science and Transp. (May 25, 2000), with Statement of Commissioner Mozelle W. Thompson Before Senate Comm. On Commerce, Science and Transp. (July 13, 1999). --------------------------------------------------------------------------- I also stated that such privacy legislation should incorporate the well-established fair information practice principles of notice, choice, access and security and should provide for federal preemption of inconsistent state laws. Further, legislation should be organic and sufficiently flexible to take into account the type and sensitivity of the data at issue. My conclusion has not changed and, as discussed below, I believe that today's market conditions make an even more compelling case for legislation. Moreover, I support the OPPA because it contains the above described elements and represents a thoughtful, balanced and well- reasoned approach to the privacy issue. On-line Privacy Legislation Is Needed Consumer confidence is one of the most important features of American economic strength and, as demonstrated by recent declines in dot-com industries, emerging markets and young industries are particularly vulnerable to consumer uncertainty. It is not surprising then, that those industries involved in the developing electronic marketplace, or ``e-commerce,'' have begun to direct greater attention and more resources to strategies that address consumer confidence. Members of this industry are asking what is needed to allow e-commerce to reach its potential and fully develop into a stable and robust market? One answer is data privacy. Studies continue to indicate that consumers' foremost concern with respect to e-commerce is the privacy of their personal data. Indeed, last year Forrester Research estimated that consumers' online privacy concerns cost $15 billion of potential e-commerce revenue. Also, 73% of online consumers who refused to purchase online did so because of privacy concerns. Moreover, one need only compare the stock prices of those companies engaged in online profiling, before and after settling complaints about their business practices, to find a clear example of the value to consumers of certainty and confidence in a new market. To date, the FTC has provided a strong privacy foundation by way of the agency's law enforcement regime combined with our efforts in promoting industry self-regulation. Although consumers and businesses involved in e-commerce have benefitted from these efforts, they are no longer sufficient because there are still online companies that fail to protect consumer information. Without a legislative backdrop, too much of the risk of e-commerce is shifted to the consumer at a time when consumer confidence is critical. Law enforcement measures are by their nature retroactive, focusing on events that have already occurred. Once a consumer has lost his or her privacy--be it through identity theft, the creation of an unauthorized profile based upon the consumer's online activities or by some other means--it is generally impossible to make that consumer whole again. This condition is made more serious because the Internet allows instantaneous, inexpensive and unlimited transmission of data while computer databases permit storage and unprecedented manipulation. Moreover, it is difficult for the consumer to even know that his or her privacy has been violated until, in some cases, years after the fact. \2\ Consequently, without legislation, e-commerce will remain an uncertain marketplace in which only those consumers on the fringe will participate. --------------------------------------------------------------------------- \2\ These features, coupled with technology that allows websites to surreptitiously collect consumer information, distinguish the online consumer environment from the offline world. --------------------------------------------------------------------------- The absence of legislation also forces the Commission into the unusual position of going after the good actors that have strong privacy policies, while the bad remain largely unreachable by agencies like the FTC, thus leaving these businesses free to violate consumer trust. Without the type of legislative backdrop that the Commission called for in 2000, and which OPPA provides, I am afraid there will continue to be many free riders and companies with inadequate information practices. Necessary Elements For Effective Privacy Legislation I believe that the OPPA addresses many of the most delicate problems associated with a legislative privacy framework. First, it contains the fair information principles and allows for flexibility and change. The OPPA avoids a ``one size fits all'' approach to the notice requirements and provides a reasonableness test for access. The OPPA is also more reflective of a ``real world'' consumer environment because it employs a sliding scale that affords more protection to more sensitive information. Second, by preempting state law, the OPPA will prevent the possibility of multiple standards that could ``Balkanize'' e-commerce and prove overly burdensome to business and too confusing for consumers. Finally, in granting the FTC rulemaking authority, the OPPA will permit strong enforcement, with special sensitivity to industry and consumer needs, while also providing a means for state participation. Thank you again for providing me with this opportunity to discuss privacy legislation and the OPPA. I also hope that you will continue to consider the FTC a resource as your work progresses on this important issue. Sincerely yours, Mozelle W. Thompson, Commissioner ______ Federal Trade Commission Washington, DC, April 24, 2002 Hon. John McCain, Ranking Member, Committee on Commerce, Science, and Transportation, Washington, DC. Dear Senator McCain: Thank you for your letter of April 19, 2002 asking me to comment on Chairman Hollings Senate Bill 2201, ``The Online Personal Privacy Act.'' Your letter asked two questions: First, whether I believe legislation is needed, and if so, what it should contain. Second, you asked for my comments on the principal features of S. 2201. I. Is legislation needed? Yes, legislation is needed to protect consumers' privacy. Absent federal standards to be followed by all persons and entities that collect private information, it is unlikely that consumers will be adequately protected from identity theft, commercial harassment, and hucksterism. In addition, dissatisfaction with and mistrust of online business practices by the American people will continue to grow; an uneven patchwork of state laws will proliferate; and consumer confidence in e-commerce will be undermined. Industry has not been able or willing to effectively self-regulate. While some responsible companies have stepped up to the plate, the financial incentives work against a universal commitment by e-business to provide effective privacy protection for consumers. Business interests will undoubtedly point to a recent Progress and Freedom Foundation survey as evidence that federal legislation is not necessary because websites are collecting less personally identifiable information and privacy notices are prevalent, more prominent, and more complete. These arguments completely miss the mark. First, the survey reveals that nearly all sites surveyed continue to collect personally identifiable information. \1\ Second, the mere posting of a privacy policy does not ensure effective consumer protection and often is only pretty packaging of empty content. --------------------------------------------------------------------------- \1\ The survey indicated that 90 percent of the random sample, and 96 percent of the most popular sites, collect personally identifiable information compared with 97 percent and 99 percent in 2000. This is hardly a statistically significant decline. In fact, an April 11, 2002, New York Times article (attached) chronicled how some of the Internet's most frequently visited sites are expanding their collection and commercial use of personally identifiable information. --------------------------------------------------------------------------- Just any legislation is not enough. In my view, strong privacy legislation should: preempt inconsistent or weaker state law; incorporate effective notice and choice, adequate access, reasonable security, and strong enforcement remedies; be free from exceptions created for special interests or industries; require affirmative consumer consent before sensitive personally identifiable information is collected through any means either online or offline; and avoid tactics that unduly delay the effective date of the Act. II. Senate Bill 2201 Senate Bill 2201 provides long-awaited, strong protection measures for consumers in the online world. My only concern with this proposed legislation is its limited reach. In my view, federal legislation is necessary to protect the privacy of personally identifiable consumer information in the offline as well as online commercial realms. These marketplaces are often intertwined and indistinguishable. In fact, I believe that the wired world facilitates the effective, constant aggregation of endless varieties of real-time ``surfer'' information and combines it with commercial information gathered through traditional ``offline'' means. I would strongly support the expansion of this Bill's consumer protections to the ``offline'' collection of personally identifiable consumer information. That said, Senate Bill 2201 is a balanced, comprehensive approach to protecting consumer privacy online. By incorporating the concepts of notice, choice, access, security, and enforcement, it creates a level playing field for both consumers and industry. However, I offer the following comments: Preemption I believe that federal legislation should preempt inconsistent and weaker state privacy laws which do not effectively protect consumers and tend to frustrate the development of e-commerce. On the other hand, I generally support the power of states to enact legislation that offers their citizens stronger consumer protections than federal law where the federal law merely establishes a ``floor'' of minimum protection standards. However, if passage of a federal law ``with teeth,'' is feasible, I believe that both consumers and industry would value the uniformity and predictability that federal preemption offers. Title I--Online Privacy Protection Section 101 I applaud Title I's coverage of personally identifiable information that is collected, used or disclosed. Previous bills focused only on the ``collection'' of information, yet many privacy breaches occur when information is used or disclosed without the consumer's knowledge or consent after collection. Notice and Consent I strongly support the inclusion of Section 102(b) which requires a consumer's affirmative consent (``opt-in'') before, or at the time that, certain sensitive information is collected. An opt-in consent requirement guarantees consumer notice and meaningful choice, and compels the collector to clarify its practices in order to entice the consumer to agree to them. It effectively equalizes the bargaining position of consumers and e-merchants in the market for personal information. While I prefer an opt-in standard for the collection of all personally identifiable information, the Bill's requirement of robust notice and opt-out consent for nonsensitive personally identifiable information improves on the level of notice and choice currently provided by many websites. Also, I support the permanence of consent provision found in Section 102(e), which essentially provides that a consumer's privacy preferences stay with the user despite corporate changes. Section 103's requirement that changes in privacy policies or the existence of privacy breaches be communicated to consumers is particularly commendable. Many websites place the privacy protection burden on consumers to keep track of changes in a website's privacy policy. Section 103 appropriately places that responsibility on the internet service provider, online service provider, or operator of a commercial website. Likewise, the Bill's provision requiring user notification of material changes in the privacy policy allows consumers to utilize updated, relevant information when deciding how or whether to protect their own personal information. Section 103 illustrates the balanced approach of this Bill to the extent it acknowledges that there may be situations where delayed consumer notifications is appropriate. The exceptions contained in Section 104 seem reasonable and again reflect the Bill's inherent respect for the need to balance the vital privacy interests of consumers with the economic and financial interests of e-business. Access The access provision of Section 105 appropriately enables consumers to suggest corrections or deletions of personally identifiable information that the provider or operator has collected or combined with personally identifiable information gathered from other sources. The reasonableness test incorporated in this section strikes an appropriate balance among the competing interests of consumer privacy, the relative sensitivity of different types of personal information, and the burdens and costs imposed on the website operator. Security The security provision in Section 106 is consistent with the approach taken by the Commission in its Gramm-Leach-Bliley Act Security Rulemaking. Rather than dictate a one-size-fits-all solution, it is up to the website to establish and maintain reasonable procedures necessary to protect the security, confidentiality, and integrity of the data it maintains. Title II--Enforcement I am impressed with the range of remedies included under this Title, including the authority to impose civil penalties and establish redress funds for consumers for violations of Title I. In addition, this Title allows private rights of action as well as state actions. Title III--Application to Congress and Federal Agencies To my knowledge, the federal agencies do not trade in private consumer information for commercial purposes. Therefore, I see no justification for Section 302. However, I do believe that federal agencies should provide notice to consumers about their information collection practices consistent with applicable federal law. Title IV--Miscellaneous Section 402 provides that the effective date of the Act will be the day after the date the Commission publishes a final rule under Section 403. While I am pleased that there is no ``grace period'' for compliance with this Title, I am disappointed that data collectors will be free from liability for data they collected without consumer consent before the Act's effective date. I also hope that Congress will resist obvious delaying tactics, such as proposals for additional studies. Technical concerns Section 403 may need technical modifications to achieve the Bill's goals. Our staff would be pleased to assist you in these efforts. Specifically, Section 403 should reflect that the rulemaking contemplated by the Act is to be conducted pursuant the Administrative Procedures Act rather than through a Magnuson Moss Rulemaking. I appreciate the opportunity to express my views, and I hope they are helpful. Sincerely, Sheila F. Anthony, Commissioner ______ Federal Trade Commission Washington, DC, April 24, 2002 Hon. John McCain, Ranking Member, Committee on Commerce, Science, and Transportation, Washington, DC. Dear Senator McCain: You have asked that members of the Federal Trade Commission provide their individual views on a privacy bill, ``The Online Personal Privacy Act,'' S. 2201, and I am pleased to respond. It is important to express a key reservation up front. This statement of my individual views is constrained by my understanding of the context of your request. Like any other citizen, I have personal views on fundamental issues in the privacy debate (e.g., the question of whether it is appropriate to speak of a ``right to privacy'' in the context of private consensual transactions as opposed to intrusions by government; the balance between any privacy rights of one party and the First Amendment rights of another; and the question of whether it is realistic to expect that most barriers to disclosure will prove effective in the long term). However, there is no reason why you or any other lawmaker should be particularly interested in my opinions about these value-laden issues, so I understand that you are asking for my views in the context of the responsibilities and capabilities of the Federal Trade Commission. In other words, this response is constrained by an appreciation of the limitations of our institutional expertise. \1\ --------------------------------------------------------------------------- \1\ My previous statements on privacy issues are enclosed with this letter. --------------------------------------------------------------------------- To be blunt, I do not believe it is my place to advise Congress on the bottom line issue of whether it is or is not a good idea to legislate on privacy issues. (To the extent I presumed to do so in the past, I have changed my mind.) The Federal Trade Commission, in my view, functions best as a facilitator, which attempts through law enforcement and education \2\ to ensure that consumers are not misinformed about the goods and services that they buy and that sellers are not disabled by illegal private constraints. But, in the absence of Congressional direction to the contrary, we are neutral about the terms of sale that are freely determined. We have strong institutional confidence in the ability of adequately informed consumers to make their own choices about what they want (including, presumably, varying levels of privacy protection) without interference from government. We are good at specifying what is adequate disclosure of the terms of sale but we are not good at devising rules for what the terms of sale should be. --------------------------------------------------------------------------- \2\ The Commission also provides a forum for the exchange of views among outside individuals and groups. --------------------------------------------------------------------------- With this awareness of our limitations, I join with those colleagues who express serious reservations about the ``Online Personal Privacy Act,'' S. 2201. I generally concur in their conclusions, but write separately to emphasize my particular perspective. I simply do not believe that S. 2201 can be enforced in a coherent way. The following is a summary list of the reasons: 1. I do not believe it is workable or reasonable to treat privacy differently in the online world than in the offline world to the extent that the information collected is the same, regardless of the site of collection or the means of dissemination. It is obvious that different modes of disclosure might be required, but it is illogical to regulate one medium and not the other. 2. Congress may, in its judgment, determine that it is appropriate to mandate some form of ``notice'' to consumers about what will happen to their personal information. For one thing, mandated notice would eliminate the present awkward situation whereby a company that volunteers information about its privacy policy \3\ risks prosecution if the information is inaccurate, but one that volunteers nothing risks nothing. \4\ Recent experience with mandated notice, however, suggests that it is not enough for Congress simply to require that it be done. \5\ Businesses have to be given more precise guidance about the forms of notice that will be useful to consumers. This is something that the Federal Trade Commission, as an institution, knows something about. It might be appropriate to direct the Commission or some other appropriate body to survey the quality of notices that are either voluntarily provided or mandated today, and then recommend a template for notice that would be meaningful. This project would inform the policy debate and ultimately, perhaps, provide the framework for legislation. --------------------------------------------------------------------------- \3\ And, apparently, an overwhelming majority do, according to the most recent evidence. William F. Adkinson, Jr., Jeffrey A. Eisenach and Thomas Lenard, Progress & Freedom Foundation, ``Privacy Online: A Report on the Information Practices and Policies of Commercial Websites'' www.pff.org/pr/pr032702privacyonline.htm. \4\ The vendor may, of course, incur marketplace risk. \5\ Gramm-Leach-Bliley Act, 15 U.S.C. Sec. Sec. 6801-6810; and Interagency Public Workshop: Get Noticed: Effective Financial Privacy Notices (December 4, 2001) http://www.ftc.gov/bcp/workshops/glb/ index.html. 3. The issue of ``choice'' or ``consent'' is much more complex than the bill seems to recognize. At first glance, it seems obvious that the whole purpose of notice is to enable consumers to make informed choices. It is necessary, however, to think about the consequences of choice. If there is no cost or reduced benefit associated with the choice to opt-out (or failure to opt-in), then the added expense of accommodating these choices will be borne by consumers less tender of their privacy. (No one suggests that people who do not want to use their supermarket charge cards because of the information disclosed should be entitled to the discount anyway.) On the other hand, if privacy-conscious consumers are disadvantaged too much, their only practical ``choice'' is to seek another provider, and mandated ``opt-outs'' or ``opt-ins'' become essentially meaningless. There would have to be some regulatory regime to determine what is a reasonable in-between position in these circumstances, and I have no idea how this could be done --------------------------------------------------------------------------- across-the-board. 4. Under the bill, further refinements of ``access'' and ``security'' would presumably need to be spelled out in rulemaking proceedings. \6\ As I have said before, ``[i]t is not appropriate to defer all the tough issues for future rule- making.'' \7\ I personally believe, for example, that there is a vast disparity between the costs and benefits of an access regime in most situations, and I further believe that the costs of merely developing and enforcing across-the-board rules would also vastly exceed the benefits. Congress may want to consider whether any tailored expansion of present rights is necessary, \8\ but a blanket mandate of ``access'' rights is unlikely to result in significant benefits overall. --------------------------------------------------------------------------- \6\ S. 2201, Section 403. \7\ Federal Trade Commission, ``Online Profiling: A Report to Congress'' (Part 2) (Statement of Commissioner Thomas B. Leary, Concurring in Part and Dissenting in Part)(July 2000) http:// www.ftc.gov/os/2000/07/onlineprofiling.htm#LEARY. \8\ The Fair Credit Reporting Act , 15 U.S.C. Sec. Sec. 1681 et seq., and the Children's Online Privacy Protection Act of 1998, 15 U.S.C. Sec. Sec. 6501 et seq., are among the federal laws that grant access rights. These are major objections, but the following issues are also --------------------------------------------------------------------------- significant: 5. S. 2201 distinguishes ``sensitive'' from ``non-sensitive'' personal information. \9\ These categories seem arbitrary. For example, as Chairman Muris points out in his letter to you of this date, some might feel that information about the books they read is a lot more sensitive than their political affiliation. Moreover, information that is merely ``inferred'' from data \10\ may be just as sensitive as information ``about'' \11\ certain aspects of an individual. \12\ --------------------------------------------------------------------------- \9\ S. 2201, Sections 102 and 401. \10\ S. 2201, Section 401. \11\ S. 2201, Section 401. \12\ See, In the Matter of Eli Lilly and Co., FTC File No. 012-3214 (January 18, 2002) http://www.ftc.gov/opa/2002/01/elililly.htm. This case involved the improper disclosure of the identity of people who had regularly obtained information about a certain psychotropic medication, but did not disclose whether they actually took the medication. 6. The distinction between ``clear and conspicuous'' notice and ``robust'' notice \13\ seems unworkable as a legal mandate. Articulation of the latter undercuts the significance of the former. If some form of notice is ever mandated by Congress, it should be both. --------------------------------------------------------------------------- \13\ S. 2201, Sections 102 and 401. 7. The bill is silent about the extent to which privacy protections travel with consumers' personal information. In general, Gramm-Leach-Bliley's privacy provisions require downstream recipients of covered data only to use the information in a fashion that is consistent with the consumers' stated privacy preferences or only for uses that are exempted from the notice and choice requirements (such as credit reporting). In this sense, the protections flow with the information. I seriously question whether this concept can be applied across the economy, but without it, the privacy --------------------------------------------------------------------------- protections of the bill may be nullified. 8. As Chairman Muris notes, some of the provisions of S. 2201 attempt to reconcile the legislation's privacy protections with other federal statutes that allow limited but beneficial information sharing. However, as currently drafted, S. 2201 might limit a variety of legitimate and beneficial information sharing which covered entities engage in and which Congress would like to continue. It is not clear, for example, whether information about transactions completed online could be communicated to credit bureaus. Without appropriate exclusions, any proposed privacy rules could have a serious anti-consumer impact. 9. This bill would add to the emerging patchwork of federal privacy regulations that apply to personal information \14\ and may ultimately result in ambiguous, conflicting, or impractical requirements for businesses, and greater confusion for consumers as well. For example, S. 2201 provides that ``sensitive'' and ``non-sensitive'' information would be subjected to different levels of protection. Dissemination of ``sensitive'' information would be subject to consumer notice, opt-in choice, access and security. ``Non-sensitive'' information would be protected by ``robust'' notice, opt-out choice, access and security. The specifics of these requirements would all be defined in a future rulemaking. At the same time, ``non-public'' personal information collected by financial institutions (whether online or offline) would be subjected to Gramm-Leach-Bliley's distinct notice, choice and security standards. --------------------------------------------------------------------------- \14\ Among the many federal privacy laws are: Gramm-Leach-Bliley Act, 15 U.S.C. Sec. Sec. 6801-6810 (covers financial institutions, non- public personally identifiable information and requires notice of information practices and an opt-out for sharing information with third parties); Children's Online Privacy Protection Act of 1998, 15 U.S.C. Sec. Sec. 6501 et seq. (covers Web site operators, prohibits collection, use and disclosure of children's online information without verifiable parental consent and provide for parental access rights and imposes security requirements); Fair Credit Reporting Act, 15 U.S.C. Sec. Sec. 1681 et seq. (covers credit bureaus and providers and users of credit data and grants consumers access rights and opt-out rights for certain uses of credit data); and Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 262(a), 110 Stat. 1936 (1996) (codified as amended in scattered sections of 18, 26, 29 and 42 U.S.C.A.); 42 U.S.C.A. Sec. Sec. 1320d to 1320d-8 (West Supp. 1998)(covers a variety of health-related entities and health information and contains requirements that include notice, varying degrees of choice, access, and security). Businesses that seek to comply with both of these regulations would be required to differentiate between online and offline information as well as any possible differences between the notice, choice, and security requirements in the two regulatory schemes. Additionally, our experience to date with Gramm-Leach-Bliley suggests that consumers may need less rather than more complex privacy disclosures in order to understand and execute their rights. It is unrealistic, at this point, to assume that consumers will comprehend the various categories of information as well as the protections that are attached to each --------------------------------------------------------------------------- category of information. 10. The bill provides that ``penalties'' would be imposed for a violation of the statute, and that ``redress'' would be distributed to consumers in an amount not to exceed $200 (for breaches involving non-sensitive personal information). This confuses two separate concepts. Penalties are calculated without regard to consumer injury or ill-gotten gains, and are paid to the Treasury. Redress is intended to make consumers whole. 11. Wholly apart from the burden issues identified above, the bill does not seem to recognize the potential conflict between access and security. Broad access rights will lead to the centralization of data which could result in very significant security breaches. This is a highly technical subject, on which there is no consensus among experts. \15\ --------------------------------------------------------------------------- \15\ Final Report of Federal Trade Commission Advisory Committee on Online Access and Security, published as Appendix D of Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000) http://www.ftc.gov/ acoas/papers/finalreport.htm. I appreciate the opportunity to provide these comments and would be pleased to respond to any further questions. Sincerely, Thomas B. Leary, Commissioner The Chairman. Senator Cleland. STATEMENT OF HON. MAX CLELAND, U.S. SENATOR FROM GEORGIA Senator Cleland. Thank you very much, Mr. Chairman. The difference between the world we see today and the world we saw last year is quite stark. Given September 11, the support for our men and women fighting in uniform, fighting terrorism abroad, for law enforcement efforts to uncover terrorist activity at home have justifiably received support, and I fully support these efforts as well, but on the domestic front, protecting people's privacy at home still remains for me an important issue as well. I am constantly reminded of this fact from stories of people who provide incorrect information to online businesses because of the fear that this information may be improperly used and from consumers choosing to bypass the many services the Internet provides for commercial purposes because they are concerned their online buying habits may be shared with others. The Senate has acted in a manner which I believe is balanced in its approached to online privacy. S. 2201, the bipartisan privacy legislation of which I am a proud cosponsor, incorporates many of the concerns of the high tech industry and balances those with a need of protections that have been advocated by civil liberties groups. Under the bill, sensitive information such as financial and health records, ethnic information, religious affiliation and social security numbers must be protected unless a person provides affirmative consent that this information can be shared. Other nonsensitive information can be shared between companies unless the consumer opts out of this sharing. That is straightforward protection in its most basic form, and, like the Fair Credit Reporting Act, which has worked well for consumers, information will be accessible and correctable. This approach is reasonable, as evidenced by the bipartisan support it has received. I believe that one of Yahoo's former vice presidents for direct marketing correctly frames the issue when he describes Yahoo's recent change in its privacy policy that would require opting out of receiving solicitations. Quote, they would be better off sending offers to a million people who said they want to receive a coupon each day, than to send them to 10 million people and worry about whether you have offended them by finally going too far. This is basic marketing knowledge, and I see no reason why it should not apply to the Internet as well. We have a good privacy protection bill for consumers, and I appreciate the opportunity to work with the Chairman on perfecting this legislation. Thank you, Mr. Chairman. The Chairman. Thank you. We welcome the distinguished panel. Each of the statements of the distinguished witnesses are included in their entireties in the record. The Senators have had a chance to review those statements, and we would ask, in order that we leave some good time for questioning, that each of the witnesses summarize within, let us say, the 7- minute rule. Let me start over on your right and go right across and start with Mr. Torres and end with Mr. Dugan. Mr. Torres. STATEMENT OF FRANK TORRES, LEGISLATIVE COUNSEL, CONSUMERS UNION Mr. Torres. Good morning, Mr. Chairman, Members of the Committee. Consumers Union appreciates the opportunity to discuss our support for S. 2201. S. 2201 is a sound privacy law that will increase consumer trust and confidence in the online marketplace. We commend you and other members who have sponsored this landmark bill. You and your staffs have worked hard to balance the consumer's interest with those of the tech world, bending over backward in some cases to address their concerns. Here are some of the reasons we believe this bill is good. First, S. 2201 will provide both consumers and businesses with clear expectations of how online information will be treated, when it can be shared, and let consumers control the use of their personal data. Up till now, privacy has been addressed sector by sector. We often hear complaints from businesses that one sector is being treated differently from another. S. 2201 responds to those concerns. Consumers Union believes that basing the protection trigger on the type of information collected, rather than any specific industry, is the right way to address online privacy. Second, S. 2201 advances the privacy debate by recognizing the distinction between sensitive and nonsensitive data. More sensitive personal data like financial and medical information warrant the strongest possible protections. A business should first obtain a consumer's consent before protecting or sharing that information outside the scope of the reason for which that data was given. Where data is less sensitive, a less rigorous approach may be appropriate. However, this only works if the notice is good. The robust notice contemplated in S. 2201 will provide an up- front mechanism for consumers to get privacy notices and exercise their opt-out. Third, S. 2201 offers a substantial improvement over the Gramm-Leach-Bliley Act by providing that sensitive financial information cannot be shared without the express consent of consumers, again for reasons outside the scope for which it was given. On the issue of preemption, Consumers Union believes that the strength of S. 2201 must be weighed against State privacy efforts. S. 2201 could set a strong national standard. However, should the bill be scaled back, we would revisit our position on the preemption issue and the bill as a whole. Businesses that choose to collect and share sensitive personal information should be held accountable for their handling of that data. This gets to the question of the private right of action. If wrongful disclosure of sensitive data after a consumer has said no leads to identity theft, for example, shouldn't the consumer be compensated for his or her loss? S. 2201 exercises an abundance of caution on this issue, given the concerns of the industry. It applies only to sensitive data. The consumer must prove actual damages. The amount of damages is limited even for multiple breaches, and actions cannot be brought if the disclosure was caused by systems failure or an event beyond the control of the business. In fact, there are a number of privacy laws that are both opt-in and also allow consumers to go after the wrong-doers. We have not heard, as I am sure we would have, of any explosions of lawsuits in these areas. We know from privacy surveys that consumers are concerned about privacy. They are more concerned about online than offline privacy. They want Congress to act, and they favor an opt-in approach overall. This bill splits between an opt-in and an opt-out approach. Consumers are concerned about privacy because banks have shared sensitive information with felons, or have used sensitive information fraudulently. We are here because of Double Click, Toy Smart, and Yahoo and their practices. Maybe some think it is OK for banks to share customer data with felons, or that companies should be allowed to lie to consumers. We, however, believe that such behavior is unacceptable. The reaction of some to S. 2201 and other privacy bills reminds me of the story of Goldilocks. This bill is too hot, or this one is too cold. Unlike Goldilocks, however, some will never find the privacy law that is just right. They are going to oppose any privacy legislation that Congress offers. S. 2201 gives consumers control over their own information, and it places the burden where it should be, on businesses who want information to convince consumers to share it. Isn't that how the marketplace should be working? Thank you, and I would be happy to answer any questions. [The prepared statement of Mr. Torres follows:] Prepared Statement of Frank Torres, Legislative Counsel, Consumers Union Consumers Union \1\ appreciates the opportunity to present this testimony on the Online Personal Privacy Act, S. 2201. This hearing provides a forum to discuss why American consumers need meaningful and comprehensive online privacy protections, how S. 2201 accomplishes those goals, and Consumers Union's support for the bill. --------------------------------------------------------------------------- \1\ Consumers Union is a nonprofit membership organization chartered in 1936 under the laws of the State of New York to provide consumers with information, education and counsel about goods, services, health, and personal finance; and to initiate and cooperate with individual and group efforts to maintain and enhance the quality of life for consumers. Consumers Union's income is solely derived from the sale of Consumer Reports, its other publications and from noncommercial contributions, grants and fees. In addition to reports on Consumers Union's own product testing, Consumer Reports with approximately 4.5 million paid circulation, regularly, carries articles on health, product safety, marketplace economics and legislative, judicial and regulatory actions which affect consumer welfare. Consumers Union's publications carry no advertising and receive no commercial support. --------------------------------------------------------------------------- Introduction Consumers Union has long been an advocate for strong privacy protections. Along with other consumer and privacy advocates we pushed for amendments to the Gramm-Leach-Bliley Act to try to provide consumers control over how their personal financial information is collected and whether it could be shared. We fought for strong medical privacy regulations and continue to push for privacy related to health like genetic information. Consumers Union is also part of a broad privacy coalition that has supported online privacy protections. Stronger laws are needed to give consumers control over their personal information. Legislative efforts such as S. 2201 will help ensure that consumers are told about how and why information is collected and used, provided access to that data, and given the ability to choose who gets access to their most intimate personal data. S. 2201 represents a balanced and reasonable approach to online privacy. The bill reflects where there could be some agreement on the substantive privacy protections of notice, access and consent. Consumers Union believes that basing the protection trigger on the type of information collected, rather than on any specific industry sector is a right way to ensure consumer data is safeguarded. This is a logical way to consider the privacy issue. Consumers should not have to keep track of all the businesses entities that may be collecting information about them, especially in light of the growing number of cross-industry mergers and the passage of the Gramm-Leach-Bliley Act. S. 2201 provide clear guidance for businesses as well. If you collect and use consumer data covered by the bill, you know what you have to do. Background The right to be left alone appears to have been trumped by the pressure exerted by businesses to protect and expand their ability to gather personally identifiable information from consumers. No part of life is left untouched by data collection activities. Financial and medical records, what you buy, where you shop, your genetic code, are all exposed in a privacy free-for-all. Complete strangers can, for a price, have access to your most intimate secrets. Often, consumers have no choice in whether or not information is collected and no choice in how it is used. Do consumers care about their privacy? You bet they do. According to a survey commissioned by STAR, a subsidiary of Powell Tate, conducted by SWR Worldwide, many consumers report they have informed their primary financial institution of their desire to opt out (31 percent) of information sharing. And 40 percent plan to opt out in the next 12 months. This opt out rate is significantly higher than that reported by financial institutions. The survey, conducted after September 11, also found that more than half of the respondents (57 percent) expressed concern that their primary financial institution may be sharing personal or financial information with its affiliates or third parties. The majority (59 percent) also reported that their level of concern is about the same as it was a year ago. A recent report by KPMG, entitled A New Covenant With Stakeholders: Managing Privacy as a Competitive Advantage, cites a survey of U.S. voters by the Public Opinion Strategies firm last year indicating that strengthening privacy laws to assure that computerized medical, financial or personal records are kept private is the highest-rated issue of concern to voters nationwide. KPMG also noted that increasingly, individuals want to choose who does and does not have access to their medical, financial, purchasing, and other personal information. And, if access is needed, individuals would like to be able to specify for what purposes and to what extent access will be granted. They also want specific assurances that the information they consider private is, in fact, kept private by the organizations with which they do business. Forrester Research found that 72 percent of consumers participating in a survey last year considered it a violation of privacy for businesses to collect and then supply personal data to other companies. 94 percent of Internet users want privacy violators to be disciplined. 70 percent said that Congress should pass legislation protecting privacy on the Internet. In December, Forrester found 69 percent of Americans worried about their financial privacy. Other surveys have estimated that concerns about privacy and lack of trust cost U.S. companies $12.4 billion in 2000 because consumers were reluctant to share their personal information over the Internet. A 2001 study by the Markle Foundation found that by more than a 3 to 1 margin (63-19 percent) the public says it is more concerned about companies collecting personal information online than offline. Nearly two-thirds of the public, 64 percent, say that the government should develop rules to protect people when they are on the Internet, even if it requires some regulation of the Internet. The study also found that the public is looking not only for protection by others, but they want an ability to control their own online experience, and the uses that others might make of what they do online. By a strong 58-37 percent margin, the public prefers an opt-in regime. Finally, the survey concluded that the public perceives that the Internet, although useful, is not yet a medium that enables them to hold others accountable when they go online. All these surveys lead to the same conclusion: the majority of consumers are concerned about the threats to their privacy while online. An Ernst and Young report Privacy Promises Are Not Enough, noted that ``at the core of this trust issue is the fact that consumers do not trust businesses to protect their privacy or follow their stated privacy policies.'' Increasingly, consumers want to choose who does and does not have access to their medical, financial and other personal information. Consumers want to be able to specify for what purposes and to what extent access to their information will be granted. Consumers want assurances that the information they consider sensitive will be kept private by the businesses they use. Often, consumers have no choice in whether or not information is collected and no choice in how it is used. Today, any information provided by a consumer for one reason, such as getting a loan at a bank, can be used for any other purposes with virtually no restrictions. Comments on S. 2201 There are a number of elements of privacy protection that have become clearer over the course of our involvement in the privacy debate which are reflected in S. 2201: A distinction can be made between sensitive and non- sensitive information. S. 2201 advances the privacy debate by recognizing the distinction between sensitive and non-sensitive data. We have commented that more sensitive personal data, like financial and medical information, warrant the strongest possible protections. For this type of data we favor an approach that requires a business to obtain the consumer's consent prior to sharing that data. For other data collected, a lessor standard may be appropriate. We support this approach only if clear notice is given to the consumer prior to the collection of the data and that the consumer is given the opportunity up front to choose not to have his or her information shared with others. We encourage providing specific and uniform mechanisms for exercising an opt-out. For telephone marketing several states are implementing ``do- not-call'' lists. Even the Direct Marketing Association maintains such a list. A one-stop universal opt-out would be a useful tool for consumers. We anticipate that the Federal Trade Commission will move forward soon on a final rule for a national do-not-call list. Perhaps a similar mechanism for the online world should be encouraged. Consumers need a stronger law to protect their personal financial information. S. 2201 offers a substantial improvement over the privacy provision of the Gramm-Leach-Bliley Act by providing that sensitive financial information cannot be shared with affiliates or third parties without the express consent of the consumers. S. 2201 would allow financial institutions to share less sensitive data with their affiliates under the opt- out standard. The Gramm-Leach-Bliley Act falls far short of providing meaningful privacy protections in the financial setting. Loopholes in the law and in this draft rule allow personal financial information to be shared among affiliated companies without the consumer's consent. In many instances, personal information can also be shared between financial institutions and unaffiliated third parties, including marketers, without the consumers consent. Consumers across the country are receiving privacy notices from their financial institutions. Unfortunately these opt outs, in reality, will do little or nothing to prevent the sharing of personal information with others. Other loopholes allow institutions to avoid having to disclose all of their information sharing practices to consumers. In addition, the GLB does not allow consumers to access to the information about them that an institution collects. While states were given the ability to enact stronger protections, those efforts have met fierce resistance by the financial services industry. Reports and surveys conducted by the Privacy Rights Clearinghouse show how poorly written and difficult to understand the financial privacy notices are. Despite those obstacles, a recent survey indicates that consumers are choosing to opt-out. Consumers' health information should not be shared without their express consent. S. 2201 protects personal health information across the board--under the bill health information cannot be shared without the prior consent of the consumer. There appears to be widespread agreement on this principle. Consumers should not be put in the position of privacy intrusions when they go online to seek medical advice or information about prescription drugs, for example. Those seeking medical treatment are most vulnerable and should be allowed to focus on their treatment or the treatment of their loved ones, rather than on trying to maintain their privacy. It is unfair that those citizens must be concerned that information about their medical condition could be provided to others who have no legitimate need to see that information. S. 2201 requires notice and consent prior to the sharing of personal information with others. Online entities that collect personal information should be responsible for providing notice to consumers if they intend to share personal data with others and allow consumers to opt-out of such data collection and sharing third parties. S. 2201 will allow consumers to opt-out of sharing their less sensitive data. This requirement should be easy to implement, in most cases consumer choice can be provided at the point where the information is collected. The opt-out for less sensitive information is distinguishable from the stricter regime that would apply to more sensitive financial and medical data. An opt-out may be adequate for such information provided that the notice and choice is given up-front, prior to the collection, and is clear and in plain English. Consumers Union believes that the ``robust'' notice called for in S. 2201 will provide consumers with the type of notice to get the job done and avoid the pitfalls of the financial privacy notices. This is a reasonable step. Consider the position of the former Vice President of Yahoo!, Seth Godin, who has written about ``permission marketing. He says that about 38 percent of the people that are given a chance to tell his company their interests to get information about things that match their profile do, in fact, opt-in. He goes on to call opt-out a sham. Businesses should be responsible for safeguarding the sensitive data of Internet users if they choose to collect and use that data. Businesses that collect and share sensitive personal information should be held accountable if that information is shared after a consumer has said no to such sharing of information. For example, if disclosure of sensitive financial data without the consumer's consent is the cause of that consumer's identity being stolen, shouldn't the businesses that sold the information be held accountable and be responsible for that consumer's loss? The approach in S. 2201 is reasonable on this issue. It provides a private right of action only related to the misuse of sensitive personal data. Even the, the standard is high--a consumer can only recover upon a showing of actual harm. Actions cannot be brought if a systems failure or an event beyond the control of the business caused the disclosure. We have not seen evidence of an onerous litigation burden despite a number of prior privacy statutes that allow such action. Most of these laws have been on the books for years: Section 616 of the Fair Credit Reporting Act--up to $1,000 for knowing or willful noncompliance plus punitive damages and actual damages for negligent noncompliance; 47 U.S.C. Section 551 Cable Communications Policy Act-- $1,000 or actual damages plus punitive damages; Section 2520 of the Electronic Communication Privacy Act-- between $500 and $10,000 and actual damages; 18 U.S.C. Section 2710 Video Privacy Protection Act-- $2,500 in actual damages plus punitive damages; 47 U.S.C. Section 227 Telephone Consumer Protection Act-- up to $500 for each violation. The strength of S. 2201 must be balanced against any preemption of state law. In response to consumer concerns about privacy several states are poised to act on these issues. We consider the work of the states vital. Consumers Union believes that it is critical to seek the input from the states, including state attorneys general and legislators, before deciding to preempt state privacy efforts. As long as the underlying privacy standards remain strong, S. 2201 will set a strong national privacy standard. Should S. 2201 be weakened Consumers Union would reconsider its continued support for the bill and urge that states be allowed to pass tougher privacy laws. Let us be clear, should the other provisions in the bill change, we would reconsider our position on preemption. Preempting state law is predicated on getting the strongest possible consumer protection in the underlying legislation. The Online Marketplace The ability to collect, share and use data in all sorts of ways boggles the mind. Consumers, in many cases, aren't even aware that data is being collected, much less how profiles about them are created. The information collection overload is particularly troublesome when it becomes the basis for decisions made about an individual--like how much a product or service will cost. Cross industry mergers and consolidations have given financial institutions unprecedented access to consumers' personal data. Technology has made it possible and profitable to mine that data. No law prevents businesses from using data to choose between desirable borrowers and less profitable consumers the institutions may want to avoid. Special software helps guide sales staff through scripted pitches that draw on a customer's profile to persuade the account holder to buy extra, and in some cases junk products. Some web-based businesses already seem to be willing to move beyond the privacy wasteland where GLB left consumers. There no longer appears to be a question, for some, of whether consumers should get notice, access, and control over their information. The challenge is how to effectively put these principles into practice. A May 2000 Consumer Reports survey of web sites, Consumer Reports Privacy Special Report, Big Browser is Watching You, shows that consumers' privacy is not being protected online. The report also shows that privacy notices at several popular sites are inadequate and vague. This data, as do other recent web surveys, shows the state of consumer privacy online continues to hit or miss. Privacy policies are not a substitute for privacy protections, especially when some companies don't even follow what is in their policies. Just because a company has a privacy policy does not mean that they follow Fair Information Practices. And consumers are skeptical about self-regulation. The marketplace is changing daily. The Wall Street Journal reports that Time Warner has the names, addresses and information on the reading and listening habits of 65 million households. USA Today says Time Warner has access to information about its 13 million cable subscribers and from its other businesses, like Time and People magazine. With so much information, how will the competitiveness of the marketplace be impacted by this merger? Will companies who seek to operate under a higher privacy standard be at a competitive disadvantage and unable to compete against a larger entity that is able to make unrestricted use of the personal information it obtains? Do Consumers Benefit from Data Sharing? Financial institutions promised that in exchange for a virtually unfettered ability to collect and share consumers' personal information, that consumers would get better quality products and services and lower prices. This is why, they claimed, consumers shouldn't have strong privacy protections like the ability to stop the sharing of their information among affiliates, or access to that information to make sure its accurate. Let's look at reality. Bank fees for many consumers continue to rise. Information about financial health may actually be used to the consumer's determent if it is perceived that the consumer will not be as profitable as other customers. Both Freddie Mac and Fannie Mae say between 30 and 50% of consumers who get subprime loans, actually qualify for more conventional products, despite all the information that is available to lenders today. Credit card issuers continue to issue credit cards to imposters, thus perpetuating identity theft, even when it seems like a simple verification of the victim's last known address should be a warning. Instead of offering affordable loans, banks are partnering with payday lenders. And when do some lenders choose not to share information? When sharing that information will benefit the consumer-- like good credit histories that would likely mean less costly loans. Chase Manhattan Bank, one of the largest financial institutions in the United States, settled charges brought by the New York attorney general for sharing sensitive financial information with out-side marketers in violation of its own privacy policy. In Minnesota, U.S. Bancorp ended its sales of information about its customers' checking and credit card information to outside marketing firms. Both of these were of questionable benefit for the bank's customers. Other institutions sold data to felons or got caught charging consumers for products that were never ordered. Maybe the right approach is to let institutions that want a consumer's information to be put in a position to convince that consumer that some benefit will be derived from a willingness to give that information up to the institution. Such an approach may increase trust in financial institutions and let consumers have control and choice over their own personal information. The same technology that enables vast amounts of data to be collected can be used to give consumers access to that data. It is a simple thing to tell consumers what is collected and how it is used. Conclusion Consumers face aggressive intrusions on their private lives. Often a consumer is forced to provide personal information to obtain products or services. Many times information that has been provided for one purpose is then used for another reason, unbeknownst to the consumer. Financial institutions, Internet companies health providers and marketers have been caught crossing that line. Meanwhile, identity theft is at an all time high. Sound and comprehensive privacy laws will help increase consumer trust and confidence in the marketplace and also serve to level the playing field. These laws do not have to ban the collection and use of personal data, merely give the consumer control over their own information. Consumers should have the right to be fully and meaningfully informed about an institution's practices. Consumers should be able to choose to say ``no'' to the sharing or use of their information for purposes other than for what the information was originally provided. Consumers should have access to the information collected about them and be given a reasonable opportunity to correct it if it is wrong. In addition to full notice, access, and control, a strong enforcement provision is needed to ensure that privacy protections are provided. S. 2201 provides the privacy protections consumers deserve. The Chairman. Very good. Ms. Lawler. STATEMENT OF BARBARA LAWLER, CHIEF PRIVACY OFFICER, HEWLETT-PACKARD COMPANY Ms. Lawler. Good morning, Mr. Chairman, Members of the Committee. I thank you for the invitation to appear today to discuss the need for stronger Federal protections for consumer privacy and comment specifically on S. 2201. My name is Barbara Lawler, and as the privacy manager for HP I have global responsibility for HP's privacy policy management, implementation, compliance, education, and communication, both for offline and online approaches. We want to commend you, Mr. Chairman, and the Ranking Minority Member, Senator McCain, and the other Members of the Committee for your commitment to finding solutions to address consumer concerns about protecting their privacy. 3 years ago, when HP first advocated the need for a Federal initiative on privacy, we were virtually alone as a corporation in advocating this position. We think times have changed, and that many more companies and associations will support reasonable baseline Federal legislation for protecting consumers' privacy. It is time to develop national privacy standards. Let me start by briefly giving you an overall picture of how we manage privacy at HP. We apply a universal global privacy policy built on the fair information practices mentioned today by the Committee, notice, choice, accuracy and access, security, and oversight. In any language the core commitments are the same, with minimal localization required to reflect local country laws. Some key provisions in our policy include no selling of customer data, no sharing of our customer data outside HP without that customer's permission, customer access to core contact data, and a customer feedback mechanism. We insist, through contractual obligations, that suppliers must abide by our policies. On January 29 of 2001, HP became the first high tech company to self-certify with the U.S. Department of Commerce a safe harbor. This demonstrates our continued leadership to strong privacy practices in the U.S., and because HP manages to a global privacy policy, citizens in the U.S. enjoy the same benefits as those in the EU and elsewhere from HP's privacy policy. I would now like to turn to the language of S. 2201. First of all, let me say that we are pleased to see that the bill bases its notice and consent requirements on clear and conspicuous disclosure. HP has always felt that informed choice depends upon consumers having available the information they need to make informed choices about with whom they wish to share their personal information. We are pleased that section 102 recognizes the importance of requiring this basic consumer protection. We are also pleased that there is a place in this legislation for privacy- enhancing technologies like P3P that enhance the notice and choice capabilities for consumers. We are also pleased that the legislation does not take an either-or stance with regard to the opt-in, opt-out debate. We believe that the continued free flow of nonsensitive personal data with the resulting economic benefits for both consumers and businesses may be best served by an opt-out requirement, allowing room for competitive differentiation. For personal information that is sensitive, an opt-in requirement will give consumers greater confidence in participating in online transactions. HP believes a very constructive discussion can be held as to where the demarcation should be made between opt-in and opt-out. We also agree on the importance of giving consumers reasonable data access to evaluate the accuracy of information collected. An observation that we would make is that from our experience, data access can be a very complex process. Many companies have multiple data bases that collect data from a number of sources and mediums, and they may not be interoperable. An integral problem related to this is that of authentication. Confirming that somebody is indeed who they say they are when they request data access could lead into security and identity theft issues. Creating a potential security breach or identity theft problem while trying to address data access is a very real concern. As to enforcement, we are pleased that the legislation recognizes the importance of the role of the FTC, and we also agree that there is a role for the State Attorneys General in the enforcement of this legislation, and we concur with the balance achieved in the bill between the rights of States to protect their citizens and the right of the FTC, as the expert agency, to interpret its rules. One suggestion we would like to make is to find a role for self-regulatory privacy seal programs that have standards equal to or above those required under this legislation. The more eyes and ears available to resolve privacy disputes will benefit consumers, allowing the FTC to certify reputable seal programs to take a first crack at resolving disputes. Moving to ramp up and comment on the areas where we do have concerns, we must state our strong opposition to the concept of the private right of action for a privacy violation. We agree with the legislation that there is a need for strong, bright lines as to what businesses must do to protect consumer privacy. As we have said, we welcome a healthy debate on opt-in and opt-out, and FTC and State AG enforcement. We would urge the Committee to consider adding language that would allow reputable seal programs to help in protecting consumer privacy. All these initiatives add clarity and certainty to the job of businesses protecting consumer privacy. We are concerned that a private right of action will create less certainty and clarity in the marketplace as each court will supply its own definition of what constitutes actual harm or reasonable access or reasonable security. Calibrating actual monetary loss from privacy evaluations could become an art rather than a science, as in each case each court, each plaintiff lawyer having their own view. In other issues addressed in the bill, we believe that there must be a recognition that the offline world and the online world should be subject to the same privacy rules. We would be pleased to work with the Committee on addressing that need for convergence, recognizing the differences in offline and online implementation. I want to thank you, Mr. Chairman, for the opportunity to testify on S. 2201. HP looks forward to working with the Committee in developing and passing practicable consumer privacy protection this Congress. I would be pleased to answer any questions you may have. [The prepared statement of Ms. Lawler follows:] Prepared Statement of Barbara Lawler, Chief Privacy Officer, Hewlett-Packard Company Mr. Chairman, Members of the Committee, I thank you for the invitation to appear today to discuss the need for stronger federal protections for consumer privacy, and comment specifically on S. 2201. My name is Barbara Lawler, and as the HP Privacy Manager, I have global responsibility for Hewlett-Packard's privacy policy management, implementation, compliance, education and communication, in both the online and offline worlds. By way of background, HP is a leading provider of computing and imaging solutions and services. As a company we are focused on making technology and its benefits accessible to individuals and businesses through networked appliances, beneficial e-services and an ``always on'' Internet infrastructure. As a high-tech company that sells to the consumer market, we are deeply committed to strong privacy practices. HP believes that self- regulation with credible third-party enforcement--such as the Better Business Bureau privacy seal program--is the single most important step that businesses can take to ensure that consumers' privacy will be respected and protected online. We have also felt for some time, that there must be a `floor' of uniform consumer privacy protections which all companies must adhere to. HP has testified on a number of occasions before Congress about our support for strong, practicable, federal privacy protections. We at HP have had much experience in developing and managing consumer-friendly privacy policies and practices, so we welcome the opportunity to share our experiences with the Committee about what we think works--and what may not work--in crafting privacy standards. We want to commend you, Mr. Chairman, the ranking minority Member (Senator McCain), and the other Members of the Committee for your commitment to finding solutions to address consumer concerns about protecting their privacy. Three years ago, when HP first advocated the need for a federal initiative on privacy, we were virtually alone as a corporation in advocating that position. We think times have changed, and that many more companies and associations will support reasonable, baseline federal legislation for protecting consumers' privacy. It is time--past time--to develop national privacy standards. We welcome your leadership in working through the difficult issues that must be resolved if we are to see privacy legislation enacted this year, and we welcome your bill, Mr. Chairman, as a starting point for those discussions. Let me start by giving you an overall picture of how we manage privacy at Hewlett-Packard. HP applies a universal, global privacy policy built on the fair information practices: notice, choice, accuracy & access, security and oversight. Whether in English, French or Japanese, the core commitments are the same, with minimal localization required to reflect local country laws. Key elements of our policy include no selling of customer data, no sharing of customer data outside HP without customer permission, customer access to core contact data and a customer feedback mechanism. We insist through contractual obligations that suppliers must abide by our policy. Our consumer business requires opt-in for email contact and our B2B business is moving to opt-in as well. The HP policy can be viewed in its online form at the lower left- hand corner of every hp.com web page: http://www.welcome.hp.com/ country/us/eng/privacy.htm The guiding principles for managing data privacy at HP are: customers control their own personal data give customers choices that enhance trust and therefore enhance the business put the customer in the lead to determine how HP may use information about them; and have the highest integrity in practices, responses and partners HP people apply the privacy policy to marketing, support, e- services and product generation using a set of HP-developed tools called the ``Privacy Rulebook'' and the ``Web Site Data and Privacy Practices Self-Assessment Tool''. A sample of current HP global privacy initiatives include: company-wide training on implementing privacy standards new application development and business rules for company- wide multiple customer database consolidation Platform for Privacy Preferences (P3P) implementation for our most active web sites Supplier contract compliance assessments I want to underscore some important distinctions around the `opt- in' discussion and add some clarity. It's HP policy to never sell or share our customer data without their express permission. HP has many business relationships with other companies. Companies that act as service providers or suppliers to HP are contractually required through a Confidential Non-Disclosure Agreement and Personal Data Protection Agreement to abide by HP's privacy policy. HP's strategic partnerships and co-marketing partners comprise a different class of business relationships. It is these relationships to which the HP opt-in policy requirement described above applies. Applying the opt-in standard for marketing contact within HP is an order of magnitude more difficult, but we're committed because it's the right thing to do for our customers. Implementing opt-in for marketing contact requires us to evaluate all customer databases and customer privacy choice data elements, re-engineer the data structures, systems and associated processes, change the privacy question format itself, develop implementation guides and tools, and communicate the new standard HP-wide. Some of the challenges we face are in the areas of managing a program-specific customer privacy choice with a `topdown' HP request and resolving a large volume of data where the privacy choice is unknown. On January 29th, 2001, HP became the first high-tech company to certify with the U.S. Department of Commerce for Safe Harbor. This demonstrates our continued leadership to strong privacy practices in the U.S. The Safe Harbor framework offers consistency and continuity for business operations conducted between HP sites located in the United States and the European Union; this is critical for a global enterprise. And because HP manages a global privacy policy, citizens in the U.S. enjoy the same benefits as those in the EU and elsewhere. Finally, I would like to put the privacy issue into the larger perspective of consumer confidence in the global electronic marketplace. While consumers are concerned about their privacy online, they are also concerned about whether their credit cards are safe online, and whether if they order a blue vase from a website in Paris or Tokyo, they will get what they order in the quality and condition they expected. In order for online businesses to truly earn the trust of consumers, we need to expand ongoing efforts to make sure that the global electronic marketplace is a clean, well-lighted venue for both consumers and businesses. For example, consumers need to have confidence that when they do business across national borders, there will be a redress system in place should anything go wrong with the transaction. HP is working with 70+ businesses from around the world through the Global Business Dialogue for electronic commerce to develop a consensus on worldwide standards on consumer redress systems, that is of Alternative Dispute Resolution (ADR). In this effort, we are working with consumer groups and the FTC and the European Commission so that consumers and businesses will be able to quickly, fairly and efficiently resolve complaints related to online transactions. I would now like to turn to the language of S. 2201. First of all, we are pleased that the bill bases its ``Notice and Consent'' requirements upon ``clear and conspicuous'' disclosure. HP has always felt that informed choice depends upon consumers having available the material information they need to make an informed choice with whom they wish to share their personal information. ``Clear and conspicuous'' is a term of art used by the FTC to provide robust notification, and we are pleased that Section 102 recognizes the importance of requiring this basic consumer protection. We are also pleased that there is a place in the legislation for privacy enhancing technologies such as P3P, which enhance notice and support capabilities for consumers. We are also pleased that the legislation does not take an `either- or' stance on the opt-in, opt-out debate. We think the continued free flow of non-sensitive data, with the resulting economic benefits for both consumers and businesses, will be best served by an opt-out requirement and allowing room for competitive differentiation. For personally identifiable information that is of a sensitive nature (as defined by S. 2201), an opt-in requirement will most likely give consumers greater confidence in participating in online transactions. HP believes a very constructive discussion can be held as to where the demarcation should be made between opt-in and opt-out. We agree that as a general rule, the consent or denial of a consumer for permission to collect or disclose personally identifiable information should remain in effect until the consumer decides to change their preference. We also agree on the importance of giving consumers reasonable data access to evaluate the accuracy of information collected. An observation we would make is that from our experience, data access can be a complex process. Many companies have multiple databases that collect data from a number of sources and mediums, and which may not be interoperable. Merging these data files is a prolonged, expensive process, though a process that is underway throughout industry. A commensurate problem is that of authentication. Ensuring that someone is indeed who they say they are when they request access may bleed into security and identity theft issues. Creating a security breech or an identity theft problem while trying to address the access issue is a real concern. Having said that, we would like to work with the Committee to find practicable, secure and cost-effective, solutions to the problems of access. As to enforcement, we are pleased that the legislation recognizes the importance of the role of the FTC. Utilizing clear statutory parameters, we welcome an FTC rulemaking that will allow an opportunity to develop implementation rules and to help define with greater specificity the terms of the legislation. We also agree that there is a role for the state Attorneys General in the enforcement of this legislation, and we concur with the balance achieved in the bill, between the rights of states to protect their citizens, and the right of the FTC--as the expert agency--to interpret its rule. One suggestion we would make, is to find a role for self-regulatory privacy seal programs that have standards equal or above those required under this legislation. As we have stated, we belong to the BBB privacy program, which we believe is quite strict, and which requires that any consumer complaint must be addressed through a dispute resolution process. The more eyes and ears available to resolve privacy disputes will benefit consumers, and allowing the FTC to certify reputable seal programs to take a first crack at resolving disputes would be beneficial. Turning to areas of the bill where we have concerns, we must state our strong opposition to the concept of a private right of action for a privacy violation. We agree with the legislation that there need to be strong, bright lines as to what businesses must do to protect their customers' privacy. As we have said, we welcome a healthy debate on opt-in and opt-out; we welcome FTC and state Attorneys General enforcement, and we would urge the Committee to consider adding language that will allow reputable seal programs to help in protecting consumer privacy. All of these initiatives add clarity and certainty to the job of protecting consumer privacy. We are concerned that a private right of action will create less certainty and clarity in the marketplace, as each court will supply its own definition as to what constitutes ``actual harm'' or ``reasonable access'' or ``reasonable security''. Calibrating ``actual monetary loss'' from privacy violations will therefore be an art rather than a science, as on each case, each court, and each plaintiff lawyer having their own view of the matter. Consumers deserve adequate protections, and this bill--as we have described--fills a void in privacy protections. At the same time, businesses need certainty as to the rules of the road, so that they can meet the obligations required to address privacy issues. A private right of action in this dynamic environment places this need for clarity and certainty on its head; legislation with a private right of action will offer consumers and businesses less certainty at a time when we need more clarity as to what should be the national, uniform privacy compact. On other issues addressed in the bill, we believe that there must be a recognition that the offline world and online world should be subject to the same privacy rules. We would be pleased to work with the Committee in addressing that need for convergence recognizing the differences in offline and online implementation. We also believe that ``Whistleblower'' law should be uniform across industries and therefore not considered for inclusion in this bill. Industry should not be piecemealed by variations in employment law relating to whistleblowers. And again,--for the reasons stated above-- we are concerned about a private right of action included in the Whistleblower section. Thank you Mr. Chairman for the opportunity to testify on S. 2201. HP looks forward to working with the Committee in developing--and passing--practicable consumer privacy protection, this Congress. I would be pleased to answer any questions that you may have. The Chairman. Thank you very much. Mr. Rotenberg. STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER Mr. Rotenberg. Thank you very much, Mr. Chairman, Members of the Committee. My name is Marc Rotenberg. I am executive director of the Electronic Privacy Information Center, and I would like to thank you for the opportunity to be here this morning. We have worked with a wide range of privacy and consumer organizations over the years since your original bill was introduced to seek support for important privacy legislation in the Congress. I think it is clear that across the country public support for privacy protection is still very high, even with the progress which industry has made over the last several years, and there has been progress, there is still a fundamental lack of trust and confidence in the online marketplace. Legislation does not solve the problem of privacy protection, but I think it will take a big step forward in establishing the type of trust, confidence, stability, and continuity that allow businesses and consumers to participate in this new electronic environment with confidence that the personal information will be protected. The types of problems which the marketplace simple cannot solve are clear today. You can enter into a relationship with an online business, read a privacy policy, provide your personal information, and the company then decides to change its privacy policy. What do you do at that point? You can go online, provide information to a business which perhaps is not so well-run. Eventually, they seek the protection of bankruptcy law, and they take their customer data base and they put it online to the highest bidder. You can go to a commercial web site, look at a 20-page privacy policy and decide you have got better things to do with your life, click ``I agree,'' and take your risks. What the legislation does is to try to deal with those types of problems that arise specifically in the online environment and make it difficult for consumers to have the type of confidence and assurance that they need when they type in the names of their children, their credit card numbers, where they live, their spouse's names, and so forth. Now, as you may know, this version of the bill does not go as far as many privacy and consumer groups would like to go. We believe as a general matter that opt-in is a better approach, because it gives consumers better control. We think preemption raises serious concerns about the ability of States to protect the interest of their own citizens, and there are other areas as well where we think further changes might be necessary, but nonetheless I think this is an important step forward. Now, in my testimony I draw attention to a few areas that I hope the Committee will consider as you look at the legislation a little bit more closely, and I am going to highlight them now very briefly. I am concerned about the law enforcement exception, which is actually a new issue in the drafting of this bill, simply because it is so broad. The way privacy laws typically work is to create a presumption against disclosure and then to allow exceptions in such circumstances as a warrant or a court order to allow criminal investigations to go forward, but that exception has to be narrowly crafted to ensure that any person who shows up in a business with a piece of paper saying they work for a Government agency is not able to get every record in the possession of that business, and I think it would be in the interest of both businesses and consumers to try to narrow that exception. I also think if it were possible to expand the access provision so that people would know a bit more about the information about them that is held by the companies, that would be beneficial. As the bill is currently drafted, consumers will largely know only the information that they provide to the company, which is, frankly, fairly self-evident. Let me say a couple of words, if I may, about the enforcement provision, because I have read a number of comments in the news stories from folks speaking for industry about this provision that it makes me wonder if they are reading the same bill that I was reading. The bill creates a private right of action, without question, but this is a private right of action that I cannot imagine any good attorney wanting to take a case based upon, and the reasons are very simple. First of all, it requires a showing of actual harm, which is extremely difficult to do in privacy cases, and the reason that Federal statutes typically set out a liquidated damages amount of $2,500, or $1,000 or whatever an appropriate amount may be, is because it is hard to show harm when personal information is disclosed. But the second thing that this bill does is to take out any compensation, any award of attorney's fees or for actual costs incurred that a court would routinely award. In other words, even if you prevail, even if you are able to show actual harm under the private right of action set out in this bill, you are only going to be compensated for the amount of your harm and any costs associated with your litigation will not be recoverable. Now, I think this is just too high a burden for people who are trying to seek redress where their rights have been lost, and I think you have two solutions. One, you can put back in the type of compensation that you would routinely receive in Federal litigation, which includes reasonable attorney's fees, or you can say, if you want to bring a privacy case, go to small claims court, and this is the approach that was taken in the Telephone Consumer Protection Act, and I think that approach could work as well, but this current approach, contrary to what you may read in the newspapers, is not going to open a floodgate of litigation. At best, you may see a trickle of cases from a few people who have a lot of money and want to pursue a privacy claim. On the distinction between personally identifiable information and sensitive personally identifiable information, I think the privacy community would generally prefer the broader or the higher standard, which would be treat all information as being sensitive, but I do think the bill strikes a reasonable balance, and I think it strikes a common-sense balance that how we view medical information and financial information is not the same as how we view the lettuce we buy or the paper towels we buy in the grocery store, and maybe it is appropriate to make that distinction which the bill makes here. The one suggestion I would make in terms of where you might draw that line is to consider that issues related to political belief and intellectual freedom really should fall under the category of sensitive personal information. As the bill is currently drafted, you put religious belief as sensitive, personal information, and you put political party affiliation under that category, but a person's political beliefs which may be reflected in their purchases online I think also should be entitled to similar protection. The approach to technologies for protecting personal policy is very good, and I think that could be expanded to consider a wide range of solutions that industry may develop and that consumers would favor. So in conclusion, Mr. Chairman and Members of the Committee, I think this is very important legislation. I think it is timely legislation. I think there are an awful lot of people in the United States that would feel more comfortable going online, using the Internet, making transactions and buying stuff, if they knew that there was some privacy protection in place to help safeguard them. [The prepared statement of Mr. Rotenberg follows:] Prepared Statement of Marc Rotenberg, Executive Director, Electronic Privacy Information Center Mr. Chairman, Members of the Senate Commerce Committee, thank you for the opportunity to testify today on S. 2201, the Online Personal Privacy Act. My name is Marc Rotenberg. I am the Executive Director of the Electronic Privacy Information Center in Washington, DC. EPIC is a public interest research and advocacy organization that focuses on emerging civil liberties issues. I am also the chairman of Privacy International, a human rights organization based in London. It is clear that the protection of privacy remains one of the top concerns in the United States today. Even with the dramatic events of the past year, Americans continue to make clear in opinion polls, news articles, and everyday conversation that one of the great challenges in our era of hi-tech convenience is to avoid the loss of personal privacy. Today we get sports scores online, read news stories, send messages to friends and colleagues, participate in discussions, buy books and CDs, shop for home loans, make travel plans, and purchase gifts for our relatives. All of this is made possible because of a new computer network technology that has linked together the inexpensive desktop computers that we have in our homes. The benefits of the Internet are clear, but so too are the risks. In many respects, this ongoing support for the right of privacy is not surprising. Privacy protection has a long history in the United States. Many countries have simply not afforded their citizens the right to use telephones without eavesdropping, to hold credit reporting firms accountable for inaccurate disclosures that impact a consumer's ability to participate in the marketplace, to find a job, to obtain health insurance, or to buy a home. New privacy laws have frequently been developed in response to the challenges of new technology. Congress enacted privacy laws for the telephone network, computer databases, cable television, videotape rentals, automated health records, electronic mail, and polygraphs. In each case, it was never the intent to prohibit the technology or to prevent the growth of effective business models. Instead, the purpose was to establish public trust and confidence in the use of new technologies that had the ability to gather a great amount of personal information and, if used improperly, to undermine the right of privacy. With the Internet, a piecemeal approach has been taken. A law was passed to protect the privacy interests of minor children. The FTC exercised its section 5 authority for a limited number of privacy cases. Some US firms endorsed the Safe Harbor Arrangement, providing at least for their European customers, baseline privacy protection. Many companies also attempted to address public concerns about online privacy through the development of privacy policies, the hiring of privacy officials, and support for third-party accreditation services. Some progress has been made. But serious problems remain. Companies post privacy policies, enter into relationships with consumers, collect personal information, and then decide to change their policies. Companies create assurances of protection, run into financial troubles, seek protection under bankruptcy law, and then sell their customers' data to the highest bidder. Companies post privacy policies that require the help of both an English major and a commercial lawyer to understand, and even then the policies are misleading and contradictory. Companies acquire information from customers for one purpose and then turn around and sell it for another without the customer's knowledge and consent. And companies avoid the adoption of genuine Privacy Enhancing Technologies that could minimize privacy risk and promote the development of electronic commerce because there is no financial consequence to do otherwise. In each of these examples, there is no market-based solution. And all of this takes place in an environment where the data-collection practices are far more extensive than in the physical world. In theory consumers could bring suit for breach of contract, but privacy harms are difficult to measure, class action lawsuits have not had much success, and even the FTC has struggled to find a way to apply traditional consumer protection law to the new challenges of online privacy. The Online Personal Privacy Act seeks to establish trust and confidence in the disclosure of personal information in the online environment. This is central to the growth of electronic commerce and the online marketplace. The Act follows the approach of virtually every modern privacy law in the United States. The Act sets out ``Fair Information Practices'' for the collection and use of personal information provided by users of the Internet to those who operate commercial web sites or provide Internet services or online services. As a general matter, the Online Privacy Protection Act contains the basic elements of an effective privacy law. There are provisions for access and for enforcement. There are security obligations and notice requirements. There are opportunities for enforcement. In many respects the Act also tracks the better practices followed by companies today as well as the Safe Harbor Arrangement that US firms have increasingly followed in their online commercial relations with customers in Europe and other countries. Law Enforcement Exception As with many privacy laws, the Act creates a presumption against the disclosure of personal information and then sets out limited circumstances when the information may properly be disclosed. For a privacy law to be effective, it is critical that these exceptions be carefully drafted and as narrow as possible. In my opinion, the exception for disclosure to law enforcement agencies (sec. 103(e)) is too broad. In fact, I could not find another privacy law that would make it so easy for so many public officials to get access to personal information that would be otherwise protected in law. The problem is the list of entities--``law enforcement, investigatory, national security, regulatory agency, or Department of United States''--coupled with the phrase ``in response to a request or demand made under authority granted to that agency or department.'' That formulation essentially defeats the Fourth Amendment purpose of ensuring that the judiciary plays a role where a lawful search is authorized. I urge you to stay with the standard in other privacy laws that grants authority to a ``law enforcement agency'' acting on a federal or state warrant, a court order, or a properly executed administrative order. This provides the government with a wide range of opportunity to obtain information in the course of a criminal investigation in a manner that ensures judicial oversight and minimizes the risk of abuse. Access Provision The access provision (sec. 105) follows a principle widely recognized in US privacy law and that is the ability of person to see the records held by others. Consumers receive access to credit reports, to medical records, and to cable billing information. Under the Privacy Act they are also able to obtain records of information about them held by federal agencies. But the provision in the Online Personal Privacy Act is narrower than it should be. Consumers generally know what information they have provided to companies. What they do not know is what information the company is providing about them to others. The access provisions should allow consumers to be aware of disclosures to third parties. Also, the bill rightly ensures that copies of this information will be available at a reasonable fee and that the fee is waived in those cases where the consumer may not be able to pay or where there is fraud. A provision should also be included to provide free access in those cases where the provider or operator receives payment or consideration from a third party for the disclosure of the user's information. This is a principle of fairness and equity that will make companies more respectful of the privacy interests of their customers. Enforcement Mr. Chairman, the section on enforcement raises several difficult problems. It rightly seeks to provide several ways to ensure actual implementation of the practices set out in Title I, but it is not clear whether these provisions individually, or taken together, provide an adequate means of protection. It is likely that the primary means of enforcement will be through the Federal Trade Commission since any violation of the Act will be considered a violation of Section 5 of the FTC Act. However, the FTC Act does not provide any actual relief to affected parties. The FTC will have the authority to enter into a consent decree to prevent the company from engaging in similar acts in the future. The State Attorneys General retain significant authority to pursue actors that violate Title I but the FTC retains the ability to prevent these matters from going forward. Considering that the bill also preempts the authority of states to enact stronger measures to safeguard the interests of their citizens, this provision represents a significant transfer of authority from the states to Washington, DC. Structurally, the Act places a great deal of faith on the ability of the FTC to pursue privacy violations. I believe that this can be made to work but it will require extensive public oversight. The critical role of the FTC becomes even clearer when you consider the private right of action created by section 203. Some of the industry lobbyists have claimed that this bill will open a floodgate of litigation. But a fair reading of the Act reveals that it will be remarkable if there is more than a trickle of cases. Section 203 is drafted in such a way as to pile high all the hurdles of litigation without any of the benefits. Litigants will be required to establish ``actual harm'' which is difficult in privacy cases, and the reason that federal law typically provides for liquidated damages. They will be required to go into federal district court when violations have occurred but there will be no payment for a lawyer or costs incurred and very limited opportunity for damages if they prevail. It is hard to imagine who but the most affluent would be able to pursue such a case. The private right of action provision in this bill is far narrower than any other privacy law with which I am familiar. Typically, a federal privacy law allows a person to recover actual damages not less than a set amount of at least $2,500, punitive damages, reasonable attorney fees and litigation costs, and such other relief as a court may determine. And even with these incentives, privacy cases are infrequent and damages, when they are awarded, are nominal. It takes an extremely determined plaintiff to pursue these cases. At the very least, the Committee should either allow individual consumers to go into small claims court to seek relief for violations of the Act, as they are able to do currently under the Telephone Consumer Protection Act, or if they must go into federal court, the Act should provide for reasonable attorneys fees, costs, and such other relief as a court may provide. Even with this change, proving actual harm in a privacy case will remain very difficult. Application to Congress and Federal Agencies Mr. Chairman, I am pleased to see that Title III of the Act extends baseline privacy standards to federal agencies and to the United States Congress. This sends a clear message that Internet privacy protection should apply to both the public and private sector. Title III should also be made clear that nothing in this Act will alter the obligations set out in the Privacy Act of 1974, which applies to all federal agencies that collect personal information on US citizens whether or not they are providers or operators under the definitions of the Act. But here again I must point out that, unless the law enforcement access provision in Section 103 is narrowed, any federal agency could defeat the purpose of this Online Personal Privacy Act simply by granting itself the authority to routinely engage in actions that would otherwise violate the provisions set out in Title I. It simply does not make sense to pass a privacy law that seeks to impose privacy obligations on a federal agency and then leaves the agency with the authority, if it so chooses, to remove the obligations. Definition of Sensitive Personally Identifiable Information The Act makes an important distinction between Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII). The first is generally subject to the opt-out approach, while the second would require opt-in. While many privacy experts, including me, have favored the opt-in rule for all transfers of personal information, I believe the approach set out in the bill can be made to work. It reflects a general recognition that there is a distinction between medical and financial information on the one hand and the type of paper towel or lettuce we buy on the other. It also follows an approach that is increasingly found in Europe and other regions of the world to make clear that a stronger privacy standard should apply to more sensitive personal information. The definition of Sensitive Personally Identifiable Information set out in the Act reflect both a commonsense understanding and the practice that is currently evolving. The one additional subject area that I hope you will consider adding to the category of Sensitive Personally Identifiable Information is for matters of intellectual freedom and political belief. The United States in particular has a long tradition of seeking to safeguard the records of the books that people borrow in libraries, the video tapes they rent, and the cable programs they watch. In a recent case, a state Supreme Court made clear the high level of privacy associated with records of bookstore customers. With the Internet in particular, there is a significant risk that a very detailed picture of a person's political beliefs could be easily compiled and distributed with little regard for the right of privacy. I believe that if this were done by government actors it would implicate deeply held First Amendment values and should not be permitted. Privacy Enhancing Technologies Efforts to develop tools that will enhance online privacy and could diminish the need for further legislation should certainly be encouraged. The bill proposes P3P as one possible approach. I believe a better research program would focus on genuine Privacy Enhancing Techniques that enable online transactions and commerce, and minimize the risk of privacy loss. Such approaches include techniques for ``authentication without identification,'' which means simply that consumers could engage in verifiable transactions with online merchants without disclosing their actual identities much as they do today in the physical world with cash and credit cards. Other research topics might include techniques for enabling online access that do not create additional security risks, developing methods for consumers to more readily track the subsequent disclosure of their personal information, and ensuring by technical measures that individuals will maintain greater control over the personal information they provide to others. It is clear that a wide range of approaches will be necessary to safeguard online privacy. Technology has a critical role to play. But the privacy technologies must be designed with the central goal of protecting privacy. Conclusion In conclusion, Mr. Chairman and Members of the Committee, the Online Personal Privacy Act is an important step forward in the advancement of privacy law in the United States. It responds to overwhelming public support for stronger privacy protection on the Internet. It seeks to ensure that the right of privacy will carry forward as new commercial opportunities are developed and new technologies emerge. I hope the Committee will take the steps necessary to strengthen the provisions in the bill so as to ensure that the intent of the sponsors is realized in practice. Thank you again for the opportunity to appear before the Committee today. I would be pleased to answer your questions. The Chairman. Thank you very much. Mr. Misener. STATEMENT OF PAUL MISENER, VICE PRESIDENT OF GLOBAL PUBLIC POLICY, AMAZON.COM Mr. Misener. Good morning, Chairman Hollings, Senator McCain, Members of the Committee. My name is Paul Misener. I am Amazon.com's vice president for global public policy. Thank you for inviting me to testify today on S. 2201. We greatly appreciate the time and energy you and your staff have committed to consumer information privacy issues, as well as your continuing willingness to hear Amazon.com's perspectives. Mr. Chairman, Amazon.com is the Internet's No. 1 retailer, with well over 35 million customers. We have as much experience and as much at stake as any entity on these issues. Although Amazon.com has serious concerns about several aspects of this bill, we look forward on behalf of our customers and company to working with you and your Committee to address all of these issues. Mr. Chairman, Amazon.com is pro-privacy. The privacy of personal information is important to our customers and, thus, is important to us. Therefore, Mr. Chairman, we share your goal of providing consumers the personal privacy protections they want, and we already provide, with one understandable exception, the substantive protections that a reasonable interpretation of your bill would require. Indeed, at Amazon.com we manifest our commitment to privacy by providing our customers notice, choice, including opt-in choice where appropriate, access and security. So why do we do so? Well, the reason is simple. Privacy is important to our customers, and therefore important to Amazon.com. We simply are responding to market forces. Amazon.com believes S. 2201's most serious shortcoming is that, as drafted, it would not apply equally to online and offline activity. In our view, it makes little sense to treat consumer information collected online differently from the same consumer information collected through offline media such as point-of-sale purchase tracking, warranty registration cards, and magazine subscriptions. Offline privacy practices differ from online practices in only three relevant respects, and in two of these respects consumers get more privacy protection online than offline. In any case, these differences are not addressed in this bill. Rather, virtually identical practices would be treated differently. Moreover, online transactions account for only a tiny percentage, as Senator Burns pointed out, just 1 percent of all consumer transactions, and people on the unfortunate side of the digital divide, generally those with less money and education, would receive no protections from an online-only law. This is not to suggest that an online-only approach never was credible. To the contrary, based on what little was known publicly about both online and offline privacy practices as recently as 2 years ago, one easily could have concluded at the time that online privacy issues deserved discriminatory treatment, especially in order to avoid a potential privacy disaster, but now we know there is little justification for discriminating against online. Mr. Chairman, Amazon.com gratefully acknowledges that S. 2201 contains two important provisions that would be good for our customers, company, and industry. First, it would confirm our believe that the privacy promises a company makes to consumers must still apply to the private information consumers provide to that company even after ownership of the company or information changes. Second, it intends to preempt inconsistent or additional State laws. It would be difficult or impossible for nation-wide entities to comply with as many as 50 conflicting laws, and it would be unfair, if not also unconstitutional, to permit the citizens of one State to make the privacy decisions for citizens of another. Mr. Chairman, we also have identified the following areas of serious concern in S. 2201. Amazon.com will focus its cooperative, constructive efforts on these issues as well as on the online-offline parity point, in an effort to provide you and your commitment as much information as possible. We are very concerned that section 203, on private rights of action, would give overly aggressive litigants a new tool to extract rents from, quote, good-guy companies with relatively deep pockets. It is clear from the recent privacy sweeps that the most popular and, thus, the most successful web sites already are providing outstanding privacy protections. Unfortunately, however, it will be these, quote, good guys that litigants attack, because these are the entities capable of paying big judgments. Indeed, under the current bill it would be far more lucrative to bring a class action suit to catch a good guy on a technicality than catch a bad guy in an egregious act. And the threat is astounding. A company could be hit with a judgment of $5,000 per user per violation with a showing of but minimal actual harm and no showing of malfeasance. Because class actions are not precluded, there probably would be a class action alleged for every potential violation, and for a company like ours, with 35 million customers, the implications are staggering. And worse for consumers, allowing such private rights of action would cause the good guys to make their privacy notices much more legalistic and much less readable just so that they would fare better in a lawsuit. We believe a regulatory body such as FTC, on the other hand, could balance the competing interests of legal precision against simplicity. Another key concern for us are the access and deletion requirements in section 105. This section seems to require data deletion on demand, which would be extraordinarily expensive and would dramatically hinder our efforts to thwart fraud and consumer identity theft. Indeed, this provision would likely end up making consumer identity theft easier by making criminal activity much harder to trace. Further, the quote, reasonable security requirements of section 106 are cause for great concern, especially among Amazon.com's engineers. Companies have every possible motivation, including extant tort law, to maintain effective security against hackers. Nonetheless, if there is a security breach, it may be very difficult for a company to argue that, quote, reasonable precautions were taken. With little precedent for guidance, the fact of a breach would make any failed security precautions look unreasonable. In other words, without clarifying language, the security reasonableness standard likely would function as a strict liability standard. Last, we are very concerned about the vague and sometimes incorrect definitions listed in section 401. What for example is, ``robust notice'' on a web-enabled cell phone or other small-screen device such as a remote terminal on the kitchen wall, or on the automobile dashboard? Mr. Chairman, in conclusion, Amazon.com is pro-privacy in response to consumer demand and competition. We already provide our customers notice, choice, access, and security. You have called for these same features in S. 2201, and although we have many concerns with this bill, we appreciate that you recognize, as we do, the importance of consumer privacy. Our foremost concern with S. 2201 is that it would apply only to some companies and only to 1 percent of consumer transactions. Amazon.com respectfully requests that any privacy legislation that moves forward out of this Committee apply to all transactions, not merely those conducted online. Although Amazon.com welcomes two key components of this bill, we also have serious concerns with several other specific provisions. We look forward to working with you and your Committee to address these issues. Thank you again for inviting me to testify. I welcome your questions. [The prepared statement of Mr. Misener follows:] Prepared Statement of Paul Misener, Vice President, Global Public Policy, Amazon.com Chairman Hollings, Senator McCain, and Members of the Committee, my name is Paul Misener. I am Amazon.com's Vice President for Global Public Policy. Thank you for inviting me to testify today on S. 2201, The Online Personal Privacy Act. Although, as I will describe throughout this testimony, Amazon.com has serious concerns about several aspects of this bill, we greatly appreciate the time and energy you and your staff have committed to consumer information privacy issues, as well as your continuing willingness to hear Amazon.com's perspectives. Amazon.com also gratefully acknowledges that S. 2201 contains two important provisions that we could support. First, this bill would confirm our belief that the privacy promises a company makes to consumers must still apply to the private information consumers provide to that company, even after ownership of the company or information changes. Second, S. 2201 intends to preempt inconsistent or additional state laws. It would be difficult or impossible for nationwide websites to comply with as many as fifty conflicting laws, and it would be unfair (if not also unconstitutional) to permit the citizens of one state to make the privacy decisions for the citizens of another. Both of these provisions in S. 2201 are welcome and would be good for our customers, company, and industry. As for our concerns, Mr. Chairman, Amazon.com is the Internet's number one retailer and, therefore, has as much experience (and as much at stake) as any other entity on these issues. On behalf of our customers and company, we look forward to working with you and your Committee to address the concerns we raise in this testimony. I hope that you will welcome our perspectives in the constructive and cooperative spirit in which they are offered. Privacy at Amazon.com Mr. Chairman, Amazon.com is pro-privacy. The privacy of personal information is important to our customers and, thus, is important to us. Indeed, as Amazon.com strives to be Earth's most customer-centric company, we must provide our customers the very best shopping experience, which is a combination of convenience, personalization, privacy, selection, savings, and other features. Therefore, Mr. Chairman, Amazon.com shares your goal of providing consumers the personal privacy protections they want, and we already provide most of the substantive protections that a reasonable interpretation of your bill would require. At Amazon.com, we manifest our commitment to privacy by providing our customers notice, choice, access, and security. Before I describe these four facets of privacy protection at Amazon.com, please allow me to explain how we use customer information. Personalization at Amazon.com In general, Amazon.com uses personally identifiable customer information to personalize the shopping experience at our store. Rather than present an identical storefront to all visitors, our longstanding objective is to provide a unique store to every one of our customers, now totaling well over 35 million people. In this way, our customers may readily find items they seek, and discover other items of interest. If, for example, you buy a Stephen King novel from us, we likely will recommend other thrillers the next time you visit the site. Amazon.com now inserts, among the now-familiar ``tabs'' atop our Web pages, a special tab with the customer's name on it. When I visited Amazon.com's site last week, for example, the tabs included Books, Electronics, DVDs, and ``Paul's Store.'' By clicking on the ``Paul's Store'' tab, Amazon.com introduced me to six smaller stores, including one named, ``Your Kitchen and Housewares Store,'' which featured a Calphalon Commercial Nonstick Collector's Edition 10-Inch International Griddle/Crepe Pan, which I promptly bought. It was no coincidence, of course, that Amazon.com recommended this crepe pan to me, and that I liked it: using so-called ``collaborative filtering'' techniques, which compare my past purchases (many of which are cookware items) to anonymous statistics on thousands of other Amazon.com purchases, Amazon.com computers automatically--and correctly--predicted that I would want that crepe pan. Similar personalization is provided in the traditional Amazon.com recommendations on the home page, in purchase follow-up recommendations, in the ``New for You'' feature, and in some varieties of email communications. Customers can improve the quality of these recommendations in several ways, including by deleting individual Amazon.com purchases from consideration, and by rating the products they buy at Amazon.com or elsewhere. For example, last year I bought my niece a few CDs from the singer Britney Spears but, because I do not want similar music recommended to me, I have deleted these CDs from the list of items Amazon.com uses to produce my recommendations. In addition, on Amazon.com's site, I can rate a CD that I might have purchased at Wal-Mart, in order to improve the quality of Amazon.com's music recommendations to me. Obviously, Amazon.com's personalization features directly benefit our customers. And, just as obviously, these features require the collection and use of personally identifiable customer information. The question, then, is how do we protect the privacy of this information? Privacy Practices at Amazon.com As I indicated earlier, Amazon.com manifests its privacy commitment by providing notice, choice, access, and security. Notice. Amazon.com was one of the first online retailers to post a clear and conspicuous privacy notice. And in the summer of 2000, we proudly unveiled our updated and enhanced privacy policy by taking the unusual step of sending email notices to all of our customers, then totaling over 20 million people. Choice. We also provide our customers meaningful privacy choices. In some instances, we provide opt-out choice, and in other instances, we provide opt-in choice. For example, Amazon.com will share a customer's information with a wireless service provider only after that customer makes an opt-in choice. We simply are not in the business of selling customer information and, thus, beyond the very narrow circumstances enumerated in our privacy notice, there is no information disclosure without consent. Access. We are an industry leader in providing our customers access to the information we have about them. They may easily view and correct as appropriate their contact information, payment methods, and purchase history. And, with a feature called ``The Page You Made,'' customers even can see part of the ``click-stream'' record of products they view while browsing Amazon.com's online store. Security. Finally, Amazon.com vigilantly protects the security of our customers' information. Not only have we spent tens of millions of dollars on security infrastructure, we continually work with law enforcement agencies and industry to share security techniques and develop best practices. It is very important to note that, other than an obligation to live up to pledges made in our privacy notice, there is no legal requirement for Amazon.com to provide our customers the privacy protections that we do. Market Forces at Work So why do we provide notice, choice, access, and security? The reason is simple: privacy is important to our customers, and thus it is important to Amazon.com. We simply are responding to market forces. Indeed, if we don't make our customers comfortable shopping online, they will shop at established brick and mortar retailers, who are our biggest competition. Moreover, online--where it is virtually effortless for consumers to choose among thousands of competitors--the market provides all the discipline necessary. Our customers will shop at other online stores if we fail to provide the privacy protections they demand. These market realities lead Amazon.com to eschew the term ``industry self-regulation.'' We believe this concept--which often is touted as a substitute for legislation and government regulation-- suggests that companies must act altruistically in order to provide consumers the protections they deserve. But this suggestion simply is not true. Companies must provide the privacy protections consumers demand or be forced out of business. Nowhere is this more true than among website-based retailers: a consumer can easily choose among hundreds of retailers without leaving her home. Contrast that with brick and mortar retail, which presents consumers with only a very small number of store choices within a reasonable driving distance. Moreover, as Amazon.com has consistently stated, and last year testified before this Committee, these market realities also lead us to conclude that there is no inherent need for privacy legislation, at least for typical website-based business-to-consumer commerce. The Federal Trade Commission's annual privacy sweeps (this year conducted by the Progress and Freedom Foundation at the behest of the Commission) confirm that those companies with high levels of privacy protections are the ones that succeed in this robust market. There simply is no market failure for legislators to address; indeed, as just noted, the ``online'' retail market is inherently more competitive than that of traditional ``offline'' retail. Put another way, if there is a market failure, it is with offline, not online consumer transactions. Notwithstanding these points on the inherent need for legislation, Mr. Chairman, Amazon.com wants to work cooperatively and constructively with you and your Committee on this issue. For S. 2201, we have one general concern, and several specific concerns, which I will describe momentarily. Let me again say, however, that we greatly appreciate the work you and your staff have put into this bill. Fairness Among Transactions and Consumers Before addressing specific provisions of S. 2201, please allow me to comment on what Amazon.com believes to be the bill's most serious shortcoming: As drafted, S. 2201 would require companies to provide various privacy protections, but only for a tiny fraction of consumer transactions. And, S. 2201 would not require companies to provide any protections for tens of millions of American consumers with relatively low incomes and limited educational backgrounds. As I previously have testified before this Committee, Amazon.com believes that privacy legislation must apply equally to online and offline activities, including the activities of our offline retail competitors. It makes little sense to treat consumer information collected online differently from the same (or often far more sensitive) consumer information collected through other media, such as offline credit card transactions, mail-in warranty registration cards, point-of-sale purchase tracking, and magazine subscriptions. Offline Privacy Practices. For example, the offline consumer information collection practices of brick and mortar retailers are described on the website (http://www.epic.org/privacy/profiling/) of the Electronic Privacy Information Center (EPIC): ``Many supermarkets are offering membership cards that grant discounts to consumers. What often goes unmentioned is that these club cards enable the store to create detailed profiles of individuals' consumption habits. These profiles are linked to individually-identifiable information, often with the requirement at enrollment that the consumer show state-issued identification. Since many supermarkets sell more than just food (alcohol, cigarettes, pharmaceuticals, etc.), the companies can collect volumes of information about individuals' habits.'' ``The danger in this profiling is increased by the fact that supermarkets are not limited by law in sharing the information they collect. A supermarket can sell the information to a health insurance company or to other aggregators in order to make a more complete profile on an individual.'' ``The risks of profiling based on consumption are often derided by supermarket profilers. They may say that `no one cares if you like asparagus more than broccoli.' But, that's not the issue. Individuals have different definitions of sensitive information. And the profilers aren't interested in whether you're buying one vegetable over another. They are more likely to want to know whether an individual is buying baby diapers or adult diapers.'' My wife and I know about these offline privacy practices firsthand. Our son is nearly five months old. Last month, after buying many packages of baby diapers from Giant Food, where we have a ``loyalty card,'' we received a Giant Food ``baby brochure,'' which essentially is an advertising packet. Clearly, this baby brochure solicitation from Giant came merely as a result of purchasing baby products from Giant stores: Giant's computers compiled information about our buying habits and decided to start sending us baby literature. To be clear, I don't mind receiving such solicitations nor, I believe, do most Americans. It makes more sense for me to receive baby product ads than the brochures I often receive on lawn care services in spite of the fact that I live in a townhouse. I just mind that S. 2201 would ignore such offline practices, yet regulate the exact same personalization services provided by online entities such as Amazon.com. Warranty registration cards, as EPIC also points out on its website, are yet another way offline entities collect, enter into electronic databases, and sell personally identifiable information that often is entirely unrelated to the subject of the warranty. Several weeks ago, my wife and I needed to buy a new clothes washer and dryer. The warranty registration cards for these large and potentially dangerous appliances had labels telling us to complete and return the cards in the interest of safety. But, for some reason, they also needed to know our household income and our reading habits! Consumers are essentially asked to either provide private information or be unsafe. Similarly, an earlier purchase of a small, but potentially dangerous, space heater included a warranty registration card (again emphasizing the safety aspects of registration) that asked for my household income, where my family took our last vacation, whether we read the Bible, and whether anyone in the household has prostate problems. Because the private information sought from consumers is clearly unrelated to the product subject to the warranty, and probably unrelated to other products sold by the manufacturers of my washer/dryer and space heater, it is obvious that, under the guise of safety, highly private consumer information is being collected and sold. Obviously, these offline privacy practices are no less deserving-- and often far more deserving--of Congress' attention than online practices. Amazon.com firmly believes that, in fairness to consumers (if not also companies), online and offline privacy practices must be treated equally. The former and current chairs of the Federal Trade Commission have supported this view. In testimony before this Committee nearly two years ago, on May 25, 2000, then-Chairman Robert Pitofsky, in a colloquy with Senator Kerry, testified that, ``[I] have increasingly come to the view that the theory of distinguishing online from offline is really rather weak. I was recently influenced by one of our advisory panel people who said, ``What is the point of treating warranty information from when a consumer files a warranty card, that is just going to be read into an electronic format by some clerk--Why would you treat that information differently from another?'' I found that a very powerful argument. I am also influenced by the fact that we hear through mergers, joint ventures, and otherwise, that online and offline companies are merging their databases. And that's another reason we should think about both.'' Current FTC Chairman Timothy Muris, in testimony before the Senate Appropriations Committee on March 19, 2002, said that, ``Consumers are deeply concerned about the privacy of their personal information, both online and offline. Although privacy concerns have been heightened by the rapid development of the Internet, they are by no means limited to the cyberworld. Consumers can be harmed as much by the thief who steals credit card information from a mailbox or dumpster as by the one who steals that information from a Web site.'' And, last October, in a speech to the Privacy 2001 Conference, Chairman Muris specifically addressed the scope of privacy legislation, saying, ``I am concerned about limiting legislation to online practices. Whatever the potential of the Internet, most observers recognize that information collection today is more widespread offline than online. Legislation limited to online practices perhaps seemed attractive when Internet commerce was expanding almost limitlessly. Today, however, it is increasingly difficult to see why one avenue of commerce should be subject to different rules than another, simply based on the medium in which it is delivered.'' Mr. Chairman, parity is necessary in fairness to online companies. It simply would not be equitable to saddle online retailers with requirements that our brick and mortar (or mail or telephone order) competitors do not face, nor would it be fair to mislead consumers by telling them their privacy would be substantially protected by an online-only bill when, in fact, only a tiny fraction of their transactions would be addressed. Online-Offline Differences. Some people contend, however, that online activities deserve discriminatory treatment under the law because of some inherent differences between online and offline business-to-consumer relations. As described above, there are many obvious similarities. I acknowledge, however, that there are three relevant differences between online and offline. Although one of these differences could lead to online consumers having relatively less privacy, the other two differences actually give online consumers more privacy protection than offline consumers. The one difference that potentially gives online consumers less privacy protection is the availability of so-called ``click-stream'' information, by which a website operator can observe, for example, what individual visitors see while visiting a website. In the retail context, this means web-based retailers can tell what a customer looks at, not just what he buys. Amazon.com has turned this technical capability into customer- friendly features by which we better personalize our customers' shopping experience. We do this in two principal ways: First, we automatically display items that take into account a customer's recent shopping. If a customer has been looking at cameras, for example, the site may automatically display for her a camera tripod. Second, in our ``The Page You Made'' feature, we display, on the side of the screen, links back to some of the items the customer has looked at. Thus, instead of scrolling back through the site (the online equivalent of walking back to the other side of the store), we provide a simple way for a customer to get back to the items she earlier examined. Again, these features rely on the use of ``click-stream'' information. But even this ability to see what is shopped but not bought is not entirely unique to online entities. Professor Clarke L. Caywood, in his top-selling marketing and PR textbook, The Handbook of Strategic Public Relations & Integrated Communications (McGraw-Hill, 1997), describes the same practice in the brick and mortar world: ``Marketers at Wal-Mart, a large discount retail chain, for example, spend several days each week in their own stores (and those of the competition) watching consumers shop, questioning them about their purchases, and asking them for feedback. At the end of each week, they return to their headquarters office and, in conjunction with their colleagues who have also spent time in stores in other locales, they discuss what's on the consumer's mind, what trends they need to watch, and what problems they need to correct. Armed with that information, they can tailor all manner of programs to the immediate needs of customers in a very specific local area.'' Importantly, even if Congress considers the ``click-stream'' difference between online and offline to be crucial enough to warrant discriminatory treatment under the law, no federal bill introduced to date, not even S. 2201, is based upon this particular difference. Rather, S. 2201 and previous online-only bills would apply discriminatory legal treatment to activities that, for all practical purposes, are identical online and offline. And, if differences between online and offline activities are the key, online transactions, in two important respects, actually protect consumer privacy better than offline transactions. One respect is physical characteristics. Those Wal-Mart employees said to follow consumers around stores--and, indeed, any employee of a brick and mortar store, watching from the floor or hidden cameras overhead--can see physical personal characteristics unknown to online retailers. Wal- Mart knows your sex and race; if you are pregnant; how well you dress; and if you have acne. They also know where you are. Indeed, when one of Amazon.com's customers visits our store, we cannot know their location. They may be at home, at the office, with their laptop computer at the airport, on the beach with their wireless PDA, or at an ``Internet Cafe'' in Paris. We simply don't know. But, when I use my Mobil credit card, Exxon-Mobil knows exactly where I am, and can track my movements. My physical location at any given time is, I would think, highly sensitive information. And, yet, by my reading of Mobil's privacy policy, Exxon- Mobil would not even allow me to opt-out of Mobil using that information internally or sharing it with Mobil's ``joint marketing partners.'' S. 2201 would do nothing to change such offline situations, but would require online retailers to obtain (as Amazon.com already does) opt-in approval before transferring sensitive information. Again, if there's a privacy problem somewhere, it's offline. And, for those who point out that offline consumers can always wear dark sunglasses or pay cash in order to remain anonymous, I note that online consumers have many, much easier ways to remain anonymous. They may easily set their web browser to block cookies or may use anonymizing software tools provided by companies such as Zero-Knowledge Systems. Amazon.com's privacy notice describes how to block cookies and provides link to Zero-Knowledge and other anonymizer companies. Amazon.com Compliance with a Privacy Bill. At last summer's House Commerce Committee hearing on privacy, one Committee member kindly noted that the companies represented, including Amazon.com, are ``the good guys.'' The implication was that the ``bad guys'' should be the target of privacy legislation, and that we ``good guys'' need not fear a reasonable law. In one sense, this Representative was exactly right. Amazon.com does not fear the direct effects of reasonable privacy legislation because, unlike the vast majority of our competition in the brick and mortar world, we already provide notice, meaningful choice, access, and security. Indeed, if truly reasonably interpreted, almost all of the substantive requirements of S. 2201 likely would have little direct effect on Amazon.com and its customers. (The most notable exception would be the bill's extraordinarily burdensome access/deletion requirement.) We already are providing the privacy protections at the heart of this bill, including excellent access by customers to their own private information, simply because that is what our customers want. Offline Compliance with a Privacy Bill. However, in addition to a grave fear of being unfairly exposed to a spate of highly unreasonable lawsuits (which I will discuss in a moment), we fear any law that implicitly allows our offline competitors free rein to continue to be privacy ``bad guys,'' unbeknownst to consumers. Indeed, although we are confident that, if consumers really knew what was happening to their private information in the offline world, instead of being mislead to believe that their privacy is more at risk online, they actually would flock to do business with online ``good guys'' like Amazon.com. But, with the considerable media hype and misinformation surrounding online privacy issues, and the relative dearth of revelations about offline consumer information privacy practices, we believe it would be very unfair to let our competitors surreptitiously collect, use, or transfer consumers' private information. Consumers Online and Offline. But most importantly, it would be fundamentally misleading to American consumers to enact a law that applies only to online entities because, for the foreseeable future, the putative protections of such a law would apply to just a tiny fraction of consumer transactions. Last year, online sales accounted for only one percent of all retail trade in the United States. Obviously, any law that addresses only online transactions could not benefit consumers much at all compared to one that equally addresses online and offline activities. Moreover, a law that addresses only online activities would have the perverse effect of failing to provide any benefits to those on the less fortunate side of the digital divide. Indeed, consumers who, because of economic situation, education, or other factors, are not online would receive no benefits from an online- only law. Prior Online-Only Approaches. This is not to suggest that an online-only approach never was credible. To the contrary, based on what little was known publicly about both online and offline privacy practices as recently as two years ago, one reasonably could have concluded at the time that online privacy issues deserve discriminatory treatment, especially in order to avoid a potential ``privacy disaster.'' No disaster has occurred, and we believe that facts gathered by this Committee and other bodies reveal that an online privacy disaster is no more likely than an offline privacy disaster. In addition, consumers now better understand that computers are used to record both online and offline transactions. The huge, searchable, and transferable computer databases kept by offline companies are just as much at risk as the information collections of online entities. In any case, the bills introduced to date would do little or nothing to forestall privacy disasters, either online or offline. Moreover, as elaborated throughout this testimony, discussions over the past few years have shown that there are few meaningful differences between online and offline privacy practices, and that some of these differences actually serve to protect consumer privacy better online. And, finally, as documented in the annual online privacy sweeps conducted by the FTC, et al., starting in 1998, it is clear that online entities have made extraordinary strides to enhance their privacy practices over the past four years. Offline privacy practices certainly have not improved at anywhere near this pace, if at all, over the same period. In sum, Mr. Chairman, although currently-available facts demonstrate that online practices do not deserve discriminatory treatment, there were good reasons why many people believed only a few years ago that such discrimination was warranted. Privacy Bill Benefits to Industry. Even if this law would do little or nothing to benefit the vast majority of consumer transactions, it has been suggested, such as in S. 2201's Findings, that an online privacy bill would be good for online companies because the consumer trust it would spawn would lead to additional sales. This belief implies that the online industry, which has not sought a bill, either does not know what is best for itself or has a hidden agenda. Speaking for Amazon.com, I can say unequivocally that our agenda since our founding in the mid-1990s, has been to provide our customers the very best shopping experience. We believe, with good reason, that if S. 2201 were enacted, it would dramatically interfere with our ability to serve our customers. Indeed, S. 2201 has been reviewed by key personnel throughout our company and has provoked expressions of grave concern, particularly in the engineering department. These ``can-do'' engineers and programmers, who have built up our computer system all the way from our CEO's garage to the Fortune 500 in just seven years, seriously question whether we possibly could comply with the technical requirements of this bill. And, even if somehow they could make our systems comply, our engineers fear that many of the bill's provisions would seriously jeopardize our systems' security and anti-fraud efforts. Questionable Industry Support for an Online-only Bill. It is often said that, even if not a majority, at least some in ``industry'' support an online-only legislative approach. The relevant question is, which industry? The principal proponents of an online-only law do very little business online with consumers. One of the companies, a hardware manufacturer, does but a fraction of its business online, while its biggest competitor does 100% of its business online. It is not difficult to imagine why the first company might support a burdensome online-only approach. Moreover, this same hardware manufacturer sells business hardware and services to Internet-based companies and, potentially at least, would benefit from a law that would require substantial technical investments by online companies. Lastly, the other major technology firm that supports online-only legislation actually manufactures computer components and makes only a tiny percentage of its sales to consumers, whether online or offline. It is difficult to believe this company knows much more about serving web- based customers than Amazon.com knows about semiconductor dumping practices. Relative Expediency of an Online-only Bill. Finally, it also has been said that ``online'' and ``Internet'' transactions are being singled out because it would be too difficult to craft a law that protects the other 99% of consumer transactions. Although it is hard to believe that expediency is the reason for the ``online-only'' focus, it is important to note that other bills have been (or soon will be) introduced in Congress that address both online and offline transactions. And, certainly this Committee has jurisdiction over all channels of commerce. Moreover, passing an online-only law at this point likely would delay passage of an offline bill for many years and, thus, actually would hurt the chances of providing privacy protections for consumers offline. In any case, it certainly would not be 99 times more difficult to craft a law that protects 99 times as many consumer transactions. Conclusion. For all the foregoing reasons, we firmly believe that any privacy legislation that moves forward out of this Committee should apply to all consumer transactions, not merely the one percent conducted online. Key Positive Provisions in S. 2201 Mr. Chairman, as noted earlier, we believe that there are at least two key provisions in S. 2201 that we could support. We appreciate the fact that you included these in your bill. They are the following: Continuing Promise (Section 102(e)(1)(b)): This explicit confirmation that ``the promise runs with the information'' is good. Although we believe existing common law and Section 5 of the FTC act already would prevent successor entities from treating information less restrictively than was promised at the time the information was collected, we appreciate and support the enactment of this clarifying language, particularly because it removes potential ambiguity in bankruptcy proceedings. Preemption (Preamble Section 4): As noted above, this is a necessary and good provision to ensure equal consumer privacy protections nationwide and to allow nationwide entities to comply (it would be virtually impossible for a nationwide website to comply with conflicting rules from multiple jurisdictions). Even though state laws most likely would fail a constitutional challenge, the expense and uncertainty of litigation could be avoided with this sort of Congressionally adopted ceiling. Given the agreement on the need to preempt inconsistent state laws, we merely need to ensure that this language is adequately clear. (Reviewing courts look for clear congressional intent; ambiguous language favors non- preemption.) Specific Areas of Concern about S. 2201 Mr. Chairman, we also have identified the following areas of serious concern in S. 2201. Amazon.com will focus its cooperative and constructive efforts on these issues, as well as on the online-offline parity point, in an effort to provide you and your Committee as much information as soon as possible. Our principal concerns are as follows: Private Rights of Action (Section 203): As noted above, we fear giving overly aggressive litigants a new tool to extract rents from ``good guy'' companies with relatively deep pockets. It is clear from the FTC/PFF sweeps that the most popular and, thus, the most successful, websites already are providing outstanding privacy protections. Unfortunately, however, it will be these ``good guys'' that litigants attack, because these are the entities capable of paying big judgments. Indeed, under the current bill, it would be far more lucrative to bring a class action suit to catch a ``good guy'' on a technicality than catch a ``bad guy'' in an egregious act. A company could be hit with a judgment of $5,000 per user per violation (with up to a $100,000 kicker for repeated violations) with a showing of but minimal actual harm and showing no malfeasance. Because class actions are not precluded, there probably will be a class action alleged for every potential violation. And, if the alleged violation is a part of a company doing business, there will be gigantic cases. Allowing such private rights of action will cause the ``good guys'' to make their privacy notices much more legalistic--and much less readable to consumers--just so that they would fare better in a lawsuit. Unreadably long privacy statements and fine-print legalese would become the norm. A regulatory body such as the Federal Trade Commission, on the other hand, could balance the competing interests of legal precision and simplicity. In addition, the uniformity necessary to run nationwide websites would be destroyed by a host of litigants suing companies all across the country. A single authority, such as the FTC, could provide the nationwide approach that private litigation cannot. State Actions (Section 204): In a highly unusual, if not entirely unprecedented, grant of power, this section would allow state attorneys general to bring class actions on behalf of all their residents, unfairly exposing online entities to politically motivated lawsuits. Access and Deletion (Section 105): Several of the terms in this section, such as ``reasonable access,'' ``reasonable opportunity,'' and ``suggest,'' are ambiguously defined and it is unclear how the ambiguity will be resolved. Is this a matter for the Courts or perhaps a broad FTC rulemaking? This section seems to require data deletion, which would dramatically hinder our efforts to limit fraud and thwart consumer identity theft. Indeed, this provision likely would end up making consumer identity theft easier, by making criminal activity much harder to trace. Further, just imagine asking a bank, or credit card company, or brick and mortar store, to simply ``forget'' a transaction conducted with them last month, or last year! Our information technology department tells us that the access/deletion requirements would require extraordinary costly technical measures. They also fear that, even if it would be possible to meet these requirements, our security and anti- fraud measures would be compromised. Finally, there are very narrow exceptions to law enforcement disclosure. One situation not addressed is where a website operator discovers fraud and wants federal help investigating it. Could we be liable if we report fraud to law enforcement or to the victim of the fraud? And what if the victim files a civil suit? Does the fraudster really have a right to contest that motion? ``Reasonable'' Security (Section 106): Companies have every possible motivation, including tort law, to maintain effective security against hackers. There is no need for a new statute to require it. After a security breach, it may very be difficult to argue that ``reasonable'' precautions were taken. With little precedent for guidance, the fact of a breach would make any failed security precautions look unreasonable. In other words, without clarifying language, a security ``reasonableness'' standard likely would function as a strict liability standard. On the other hand, to the extent that security practices of other entities become well known, it also would be a concern if ``reasonable'' were defined as ``what everybody else is doing.'' This interpretation could make it risky for companies to take innovative approaches to security. Any detailed, public investigation of whether a company took reasonable precautions might reveal too much to hackers about what a company does and does not do. Information Collection (Section 101(a)): Even if S. 2201 were not modified to apply to offline entities, this provision could unfairly be read to impose requirements on online entities' use of offline information that is, and would remain, available to offline entities without restriction. Online entities should face no more restrictions on offline information than do offline entities. Notice and Consent (Section 102): ``Clear and conspicuous,'' ``affirmative consent,'' and ``robust'' all are ambiguous terms, despite the definitions offered in Section 401, particularly with regard to the various technical means for delivering this information. For example, robust notice on a web-enabled telephone--with a very small display--might be very different from robust notice on a wide- screen monitor. We are concerned about the general prescriptions on ``use'' disclosures. How detailed must these disclosures be? If the requirement is for super-detailed specifications, then companies will have to anticipate too many small variations on the general theme of how information is used, instead of focusing on the most important general points. Importantly, if too much information is required, consumers will not be presented readable disclosures. Finally, as for ``methods of using,'' we are concerned that this might require the revelation of potentially sensitive technical information not relevant to consumers, but very relevant and useful to hackers. For sensitive information, are ``opt-in'' (in the title) and ``affirmative consent'' (in the text) the same thing? There is considerable ambiguity in both of these terms. Would the ``initial robust notice'' requirement force website operators, every time they collect a little more PII, to go back and give robust notice? Yet if the visitor just returns, and the operator doesn't collect PII, then no robust notice is required. And, under the construct of this bill, every web page visit, which produces click-stream information, creates PII when it's combined with a user's identity. We fear that repetitive opt-out requirements would be burdensome and annoying to consumers. Definitions (Section 401): This section, in addition to containing many ambiguities, incorrectly defines the term ``cookie.'' Further, the definition of ``robust notice'' is not clear. What is ``actual notice''? Is it subjective? Also, the definition itself contains a ``use'' (``to use or disclose that information for marketing or other purposes''). Does this mean you have to give Robust Notice, before the collection of PII, but Robust Notice is the same as actual notice that you intend to use for marketing or ``other'' purposes. Is a website's link to a privacy notice ``robust'' in this way? And what about ``robust notice'' on a wireless or other small screen device such as the remote terminal on the kitchen wall or the automobile dashboard? We have identified these principal concerns with S. 2201, and plan to continue our analysis and dedicate our attention to providing the Committee information on each of these points. Conclusion In conclusion, Mr. Chairman, Amazon.com is pro-privacy in response to consumer demand and competition. We already provide our customers notice, choice (including opt-in choice where appropriate), access, and security. You have called for these same features in S. 2201 and, although we have many concerns with this bill, we appreciate that you recognize, as we do, the importance of consumer privacy. Our foremost concern with S. 2201 is that it would apply only to some companies and only to one percent of consumer retail transactions. For the many reasons articulated in this testimony, Amazon.com respectfully requests that any privacy legislation approved by this Committee apply to all consumer transactions, not merely those conducted online. In addition, Amazon.com has serious concerns with several specific provisions in the bill. Primary of these are the provisions for nearly unfettered class action litigation; access/deletion obligations that would jeopardize our security and anti-fraud efforts; and technically infeasible security requirements. We look forward to working with you and your Committee to address all of these issues. Thank you again for inviting me to testify; I look forward to your questions. The Chairman. Thank you, sir. Mr. Dugan. STATEMENT OF JOHN C. DUGAN, PARTNER, COVINGTON & BURLING, ON BEHALF OF THE FINANCIAL SERVICES COORDINATING COUNCIL Mr. Dugan. Thank you, Mr. Chairman, Senator Hollings, Senator McCain. I am testifying today on behalf of the Financial Services Coordinating Council, whose members include the American Bankers Association, the American Council of Life Insurers, the American Insurance Association, and the Securities Industry Association. These organizations represent thousands of large and small banks, insurance companies, and securities firms that, taken together, provide financial services to virtually every household in America. The FSCC is keenly aware of the need to maintain the privacy of personal information. With the enactment of the Gramm-Leach-Bliley Act in 1999, thousands of financial institutions across the country have expended enormous amounts of time, energy, and resources to provide financial institution customers with comprehensive privacy protections. These mandatory protections include notice of the institution's information that must be clear, conspicuous, and provided annually, opt-out choice regarding the institution's sharing of information with nonaffiliated third parties, security in the form of mandatory policies, systems, and controls to ensure that personal information remains confidential, and enforcement of privacy protections via the full panoply of enforcement powers of the agencies that already regulate financial institutions, the Federal bank regulators, the Securities and Exchange Commission, State insurance authorities, and the Federal Trade Commission. All of these mandatory privacy protections apply equally to financial institution consumers in both the offline and online context. The proposed requirements of S. 2201 would apply to financial institutions on top of this already extensive privacy regime. As a result, the FSCC strongly opposes S. 2201 for the following five reasons. First, as I said, financial institution are subject already to the comprehensive privacy regulation that Congress carefully debated and enacted just less than 3 years ago. It would be both unnecessary and costly to subject them to the new and conflicting restrictions included in S. 2201, which would translate into two types of notices to consumers, two types of consent provisions, redundant security requirements, and two distinct types of enforcement regimes. The FSCC believes that financial institutions should be subject to a single privacy regime that applies equally in all contexts, as is the case now. Second, we believe the bill will thwart the development of e-commerce by, for example, imposing dual and conflicting privacy standards for companies that collect information both offline and online, as Senator McCain indicated before, often from the same customer. S. 2201 would severely impair a company's ability to operate under this clicks and bricks business model. Such a company would be forced to maintain two separate information systems, an offline system subject to any applicable offline privacy regulations, and an online system subject to both those privacy requirements and the requirements contained in S. 2201. In many cases, as I said, the two systems would apply to personal information collected from the same individual, and such a two-tiered system would be extremely costly and burdensome to manage, and it could cause some companies, especially smaller ones, to avoid online operations altogether. Third, S. 2201 would have a disproportionate impact on financial institutions, even though financial institutions are already subject to extensive privacy regulation. This is so because the bill regulates so-called sensitive information such as account balance and insurance policy information, much more stringently than nonsensitive information. Sensitive information is subject to the opt-in and class action enforcement, while nonsensitive information is subject only to the opt-out and no private right of action. For most types of businesses, the increased restrictions and sensitive information present relatively few additional problems, because sensitive information does not constitute the core of their business. That is not the case with financial institutions. There, such information frequently is the business of banks, insurance companies, and securities firms. For example, an online clothing retailer might want to provide special discount coupons to its best customers, who might be those individuals who purchase more than a certain amount of clothing each year. The retailer's discount offer would be subject to the bill's opt-out requirement, and a violation of the requirement would not be subject to a private right of action or class action enforcement. In contrast, a bank might want to give its biggest depositors a discount on unrelated financial services such as an insurance product, or a loan, or an insurance company might want to reward a large life insurance policyholder with a discount on his or her car insurance. In these cases, the discount offers would be subject to the bill's opt-in requirement, and any related violations of the statute would be subject to class action enforcement. Thus, financial institutions, which are subject to much more comprehensive privacy regulation than other online businesses, are subject to the bill's most onerous restrictions with respect to their core businesses, while less-regulated online providers are not. The FSCC believes this is unfair and unnecessary. Fourth, the FSCC believes that a number of the bill's provisions are simply far too restrictive, including both the opt-in and the access provision. In addition, the bill includes far too few exceptions to both its opt-in and opt-out requirements to recognize legitimate business-sharing and use practices that are necessary for companies to stay in business and provide customer service, such as sharing information with credit bureaus, securitizing mortgages, and a variety of other practices which I have included in more detail in my written statement. Moreover, the bill's opt-in and opt-out apply to any unrelated use of information, which would act as a new and unprecedented barrier to businesses communicating and marketing products to their own consumers. We think this restriction is just too broad. Finally, as others have testified, the FSCC believes that the bill's regulatory approach is unnecessary in view of the increasingly effective self-regulatory efforts of the online industry, including through new technologies. For all of these reasons, the FSCC opposes S. 2201. I would be happy to answer any questions you may have. [The prepared statement of Mr. Dugan follows:] Prepared Statement of John C. Dugan, Partner, Covington & Burling, on behalf of the Financial Services Coordinating Council My name is John Dugan, and I am a partner with the law firm of Covington & Burling. I am testifying today on behalf of the Financial Services Coordinating Council (``FSCC''), whose members include the American Bankers Association, American Council of Life Insurers, American Insurance Association, and Securities Industry Association. These organizations represent thousands of large and small banks, insurance companies, and securities firms that, taken together, provide financial services to virtually every household in America. The FSCC appreciates the opportunity to testify before this Committee on S. 2201, the Online Personal Privacy Act. We are keenly aware of the need to maintain the privacy of personal information. With the enactment of the Gramm-Leach-Bliley Act in 1999 (the ``GLB Act''), thousands of financial institutions across the country have expended enormous amounts of time, energy, and resources to provide financial institution customers with comprehensive privacy protections. Coupled with the protections mandated by the Fair Credit Reporting Act, these consumers now must be provided-- Notice of the institution's practices regarding information collection, disclosure, and use, which must be clear, conspicuous, and updated each year; Opt-Out Choice regarding the institution's sharing of information with nonaffiliated third parties, and in certain instances, with affiliates; Security in the form of mandatory policies, procedures, systems and controls to ensure that personal information remains confidential; and Enforcement of privacy protections via the full panoply of enforcement powers of the agencies that regulate financial institutions, i.e., the federal bank regulators, the Securities and Exchange Commission, state insurance authorities, and the Federal Trade Commission. In addition to these protections, customers of financial institutions that handle personal health information receive the extensive privacy protections of federal and state medical privacy laws. All of these mandatory privacy protections apply equally to financial institution consumers in both the offline and online contexts. Taken together, they form perhaps the most comprehensive set of mandatory privacy protections in the country. The proposed requirements of S. 2201 would apply to financial institutions on top of this extensive privacy regime. The FSCC strongly opposes S. 2201 bill for the following reasons. First, financial institutions are subject already to the comprehensive privacy regulation described above, which Congress carefully debated and enacted less than three years ago; it would be both unnecessary and costly to subject them to the new and conflicting restrictions included in S. 2201. Second, the bill will thwart the development of e-commerce by, for example, imposing dual and conflicting privacy standards for companies that collect information both online and offline, often from the same customer. Third, parts of the bill apply much more restrictively to financial institutions, because of the nature of their business, than they do to other types of companies--even though financial institutions are already subject to extensive privacy regulation. Fourth, a number of the bill's provisions are simply far too restrictive. Finally, the FSCC believes that the bill's heavy regulatory approach is unnecessary in view of the increasingly effective self-regulatory efforts of the online industry, including through new technologies. I. Financial Institutions and their Customers Don't Need Yet Another Set of Privacy Rules S. 2201 seems to be aimed primarily at online businesses and advertisers that are not now subject to mandatory privacy regulation. But the bill sweeps in any business that deals with any consumer via the Internet, which means that privacy-regulated businesses like financial institutions are included as well. Because of the financial institution privacy protections described above, which are already in place and apply in the online context, the FSCC believes that the bill's application to financial institutions is unnecessary. Just over two years ago, Congress carefully considered the costs and benefits of the privacy-related restrictions that ought to apply to financial institutions and their consumers, which resulted in Title V of the GLB Act. Financial regulators subsequently implemented detailed privacy regulations for the first time, and financial institutions have spent many millions of dollars to build systems to comply and protect customer information. Financial institution customers now enjoy the benefit of those protections, which ought to be given a chance to work. Moreover, S. 2201 would subject financial institutions to a whole new layer of privacy regulations that would apply at the same time as those imposed by the GLB Act and other financial privacy laws. That would mean two types of notices to customers, two types of consent provisions, redundant security requirements, and two distinct types of enforcement regimes. This is far too burdensome and costly. It could also confuse customers, which in turn would result in conflicting instructions by consumers to their financial institutions (e.g., opt- out in one context, opt-in in another). Financial institutions should be subject to a single privacy regime that applies equally in all contexts. II. S. 2201 Will Thwart the Development of Electronic Commerce The Internet is bringing enormous social and economic benefits to its users and to nations around the world. It is empowering individuals to seek, receive, and share information and ideas. It is changing how we educate, shop, spend our time, and transact business. And, perhaps most importantly, it is equalizing access to information, giving everyone with a computer and an Internet connection an opportunity both to acquire and use information more effectively. Throughout its short history, the Internet has been a virtually regulation-free environment. In the United States, regulations affecting the privacy of information online have been limited to only those necessary to protect our most vulnerable online population-- children. Because of this philosophy of regulatory restraint, electronic commerce has thrived. According to a recent U.S. Department of Commerce survey, more than half of Americans are using the Internet and among these Internet users, 39 percent of them are making online purchases. While the European Union has adopted comprehensive privacy regulations, the United States has avoided such an approach. On numerous occasions, government officials have appropriately voiced concern over problems inherent with applying old legislative paradigms to the constantly changing Internet. These concerns appropriately recognize (1) that market-driven solutions to online problems provide the most effective means to ensure the continued growth of the Internet, and (2) that any governmental regulation should target discrete concerns and be carefully tailored to reach no broader than necessary in order to solve the problem at hand. The Children's Online Privacy Protection Act (``COPPA'') and the Electronic Signatures in Globalization Act (``ESIGN'') reflect this balanced approach. Both laws are narrowly tailored to target specific online concerns and provide a workable legal framework within which these concerns can be resolved. S. 2201 is a marked departure from this philosophy of restraint and targeted governmental action. The bill treats information collected online differently than information collected by other means and thereby subjects the vast majority of U.S. companies to two substantially different privacy regimes in the offline and online environments. In practice, this approach will retard the use of online channels, or, at the very least, require a company to adhere to the bill's substantive requirements with respect to all of its information collection activities. Today, companies like financial institutions frequently operate according to a ``clicks and bricks'' business model under which customer relationships begin offline and migrate online. Specifically, a company collects personal information about a consumer offline when it begins a relationship with a consumer and then again online when the consumer, on his own or through the prompting of the company, uses the company's services over the Internet. In many cases, the information collected online is exactly the same as that collected offline (i.e., name, address, account number), but in other cases the information may be different. As a result, it is fairly typical that a company has one database that includes both personal information initially collected non-electronically (and subsequently entered into a computer) and similar or different information collected over the Internet. S. 2201 would severely impair a company's ability to operate under this ``clicks and bricks'' business model. Such a company would be forced to maintain two separate information systems--an offline system subject to any applicable offline privacy regulations (such as the GLB Act or healthcare privacy rules) and an online system subject to both those privacy requirements and the requirements contained in S. 2201. In many cases the two systems would apply to personal information collected from the same individual. Such a two-tiered system would be extremely costly and burdensome to manage. And it could cause some companies, especially smaller ones, to avoid online operations altogether. III. S. 2201 Will Have a Disproportionate Impact on Financial Institutions S. 2201 creates two categories of personally identifiable information--``sensitive'' and ``non-sensitive''--and regulates sensitive information much more stringently than non-sensitive information. The bill requires online operators to obtain opt-in consent before they collect, disclose, or otherwise use sensitive information, and would use a private right of action and class actions to address violations of such requirements. In contrast, with respect to non-sensitive information, the bill requires only opt-out consent and establishes no express private right of action for individuals. For most types of businesses, the increased restrictions on ``sensitive'' information present relatively few additional problems, because ``sensitive information'' does not constitute the core of their business. That is not the case with financial institutions. S. 2201 defines ``sensitive personally identifiable information'' to include ``sensitive financial information,'' and that term includes the amount of income earned or losses suffered by an individual; balance ``information'' regarding any financial services account; any insurance policy information; and outstanding credit card, debt, or loan obligations. Although such information may be incidental to the operations of many online companies, it frequently is the business of banks, insurance companies, and securities firms. For example, an online clothing retailer might want to provide special discount coupons to its best customers, who might be those individuals who purchased more than a certain amount of clothing each year. The retailer's discount offer would be subject to the bill's opt- out requirement, and a violation of the requirement would not be subject to a private right of action or class action enforcement. In contrast, a bank might want to give its biggest depositors a discount on unrelated financial services such as an insurance product or a loan. Or an insurance company might want to reward a large term-life insurance policyholder with a discount on his or her car insurance. In these cases, the discount offers would be subject to the bill's opt-in requirement, and any related violations of the statute would be subject to (and a target for) class action enforcement. Thus, financial institutions, which are subject to much more comprehensive privacy regulation than other online businesses, are perversely subject to the bill's most onerous restrictions with respect to their core businesses, while less regulated online providers are not. As discussed below, it would be extremely costly and unfair to target financial institutions with some of the bill's most restrictive provisions, i.e., the opt-in and private right of action, which also have particularly negative effects on financial institutions that handle health information. A. S. 2201's ``opt-in'' requirement will effectively prohibit core financial institution practices that benefit consumers. Financial institutions are well aware of the unique position of responsibility they have regarding an individual's personal information, including health information. The member companies of the trade groups belonging to the FSCC are strongly committed to the principle that individuals have a legitimate interest in the proper collection and handling of their personal information and that these companies have an obligation to assure individuals of the confidentiality of that information. However, the FSCC strongly opposes S. 2201's opt-in requirement, especially when it is coupled with the bill's unrelated use requirement. That is, unlike the GLB Act, which applies only to disclosures of personal information by a financial institution to third parties, S. 2201 also restricts virtually any use of personal information by the institution itself, even if the information were not disclosed to others and were used to benefit the customer. This would constitute a new and unnecessary roadblock between all companies and their customers. The combination of the opt-in and unrelated use restrictions would require financial institutions to contact customers and obtain their prior permission to engage in core business activities involving personal information--which in practice would constitute a de facto prohibition on responsible information sharing that benefits consumers. Not even Europe's Privacy Directive, which on paper is one the most stringent privacy regimes, goes this far. Instead, the EU Directive permits entities to follow an opt-out approach with respect to the use and disclosure of financial information. The FSCC believes that there is a fundamental flaw with the way opt-in requirements work. Such provisions deprive consumers of benefits from information sharing, such as discounts on other types of financial products. In essence, an opt-in creates a ``default rule'' that stops the free flow of information (which is especially critical to Internet transactions). This in turn makes the provision of financial services more expensive and reduces the products and services that can be offered. Further, consumers rarely exercise opt-in consent of any kind--even those consumers who would want to receive the benefits of information sharing if they knew about them. In contrast, a meaningful opt-out gives privacy-sensitive consumers as much choice as an opt-in, but without setting the default rule to deny benefits to consumers who are less privacysensitive. B. S. 2201's narrow exceptions to the bill's opt-in (and opt-out) will prevent critical information sharing by financial institutions. Privacy regimes that impose customer consent restrictions on financial institutions nearly always include a range of specific exceptions. These exceptions cover circumstances in which consent is either implied, unnecessary, or would impede a legitimate public policy goal. For example, the Gramm-Leach-Bliley Act and its implementing regulations at both the federal and state level recognize well over 30 such exceptions, which are critically important to financial institutions doing business with their customers. Such ``doing business'' exceptions, which have never been controversial, permit disclosures that are necessary, for example, to prevent fraud, create credit histories, underwrite insurance, engage in risk management practices, securitize loans, outsource functions to agents, obtain legal advice, etc. In contrast, S. 2201 includes only four exceptions to the bill's opt-in and opt-out requirements. Section 104's exceptions apply to certain information collection, use, and disclosure practices that are necessary to (1) protect the security or integrity of the website; (2) conduct a transaction, deliver a product, or complete an arrangement for which personal information has been provided; (3) provide other products or services that are ``integrally related'' to the transaction, service, product, or arrangement for which the consumer provided the information; and (4) to comply with law enforcement or a judicial process. These provisions, although vague, were clearly crafted to reach services provided in the context of completing online retail sales. Yet financial institutions necessarily do much more with online information than engage in marketing or the other extremely narrow range of activities covered by the bill's exceptions. The combination of the opt-in and unrelated use provisions could potentially shut down core business use and sharing practices, including sharing information with credit bureaus, securitizing mortgages, running normal credit card operations, and engaging in a range of activities related to insurance underwriting. It is unlikely that these activities would qualify as ``necessary to conduct'' or ``integrally related'' to the transaction, service, or product obtained by the consumer. This would have the unintended, negative consequence of disadvantaging, rather than helping, consumers. C. The private-right-of-action provision will invite abusive class action litigation against financial institutions. Under the bill's private right of action, any showing of actual harm involving sensitive information, however small, will provide a plaintiff with a guaranteed recovery of at least $5,000 per violation. Such a provision is clearly intended to attract class action litigation as an enforcement mechanism. Because financial institutions' core business involves information that the bill deems ``sensitive,'' the bill would make them the new target of choice for the plaintiffs' bar. This is both unfair and unnecessary. Unlike most online businesses, financial institutions are already heavily regulated, and their regulators have broad powers to punish violations of law--which they do not hesitate to exercise. That is why, in the privacy context, Congress chose not to authorize a private right of action or class actions as a means to enforce the GLB Act's privacy provisions. Instead, enforcement is accomplished through the full panoply of enforcement powers of the relevant financial regulator, e.g., federal banking agencies for banks; the SEC for securities firms; state insurance authorities for insurance companies; and the FTC for non-traditional ``financial institutions.'' This enforcement regime works. The FSCC therefore strongly opposes the creation of a new class action mechanism that, while having little impact on most online businesses, would create a huge and unnecessary new source of litigation cost for financial institutions. D. The bill will have a disproportionate impact on financial institutions that handle health information. S. 2201 includes individually identifiable health information within the definition of sensitive information that is subject to the bill's stricter opt-in requirements. This ignores the complex and detailed issues surrounding the protection of health information. Financial institutions, particularly insurance companies, must be able to disclose or otherwise use personally identifiable health information to perform essential, legitimate insurance business functions, such as underwriting and claims evaluations. In addition, insurers must be able to disclose and use personally identifiable health information to perform important business functions that are not necessarily directly related to a particular insurance contract but that are essential to the administration or servicing of insurance policies generally, such as, for example, developing and maintaining of computer systems. An opt-in that would jeopardize these uses and disclosures of personally identifiable health information would also jeopardize insurers' ability to serve and fulfill their contractual obligations to existing and prospective customers. Insurers also must regularly disclose personal health and financial information to: (1) state insurance departments as a result of their general regulatory oversight of insurers, which includes regular market conduct and financial examinations of insurers; (2) self-regulatory organizations, such as the Insurance Marketplace Standards Association (IMSA), which imposes and monitors adherence to requirements with respect to member insurers' conduct in the marketplace; and (3) state insurance guaranty funds, which seek to satisfy policyholder claims in the event of impairment or insolvency of an insurer or to facilitate rehabilitations or liquidations that typically require broad access to policyholder information. In addition, insurers need to (and, in fact, in some states are required to) disclose personal information in order to protect against or to prevent actual or potential fraud. Such disclosures are made not only to law enforcement agencies, but also to state insurance departments, the Medical Information Bureau (MIB), or outside attorneys or investigators, who work for the insurer. To the extent that S. 2201's opt-in would limit these disclosures, it would undermine the public policy reason for making them--to protect consumers. Existing federal and state privacy regimes, including the final Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) promulgated by the Department of Health and Human Services as required by the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191), provide fundamental protections to the privacy of health information. Unlike S. 2201, the HIPAA Privacy Rule includes a variety of carefully considered exceptions to its authorization requirement in order to strike a proper balance between the legitimate expectations of consumers concerning the treatment of their information and the ability of insurers and others to use personal health information responsibly. Also, many state laws and regulations, particularly those adopted recently to implement the privacy requirements of the GLB Act, contain sections specifically addressing the confidentiality of health information and specifically providing exceptions to their opt-in requirements applicable to disclosures of health information. In short, the issue of health information privacy is difficult and complex. It is, at best, unclear how the health provisions of S. 2201 compare and/or integrate with existing laws and what impact this legislation will have on financial institutions. At worst, the combination of the opt-in and class action enforcement could have extremely negative consequences. IV. Other Concerns with S. 2201 There are a number of other fundamental problems with the provisions of S. 2201 that are not unique to financial institutions. ``Use'' Restrictions. The problem with the bill's blanket restriction on unrelated ``uses'' of information is not limited to sensitive information covered by the opt-in. It also applies to nonsensitive information covered by the opt-out. (A business may not disclose or ``otherwise use'' information collected online without notice and opt-out.) Among other things, this will impair a business from engaging in generally accepted marketing activities with its own customers, and a charity from soliciting contributors for additional contributions. Thus, the FSCC believes the use restriction is both unnecessary and overly broad. Access. S. 2201 will impose access requirements that will be extremely costly and that will reduce security on the Internet. S. 2201 subjects access requests to a vague reasonableness test and fails to exclude information, such as trade secrets or internal operating procedures, to which consumers should never have access. In addition, S. 2201 fails to recognize that information may not be maintained in centralized databases searchable by customer name. (And privacy advocates have long advocated that businesses should not be encouraged to establish such centralized databases because of increased possibilities for obtaining and using too much information about an individual too easily.) Even where databases are highly centralized, the costs of complying with this requirement will far exceed the nominal charges permitted under the bill. S. 2201 also fails to define what it means to ``delete'' a record in an electronic environment. For example, must all back-up tapes be retrieved from storage and searched for relevant records when a ``delete'' request is received? What about requests to delete personal information when there is a legal obligation or important business reason to retain such information? The bill does not provide guidance on these important questions. Financial institutions already provide their customers--often in real time--with access to the personal information of greatest concern to them, i.e., their account balances and transaction statements. In addition, the Fair Credit Reporting Act provides consumers with extensive access and correction rights regarding financial institution information that is used to make very significant decisions about them, i.e., to grant or deny credit or insurance. For these reasons, there is no need to impose an additional and vague access requirement that can be used for ``fishing expeditions'' to search for violations of the Act--especially when violations can be easily translated into class action litigation. Security. S. 2201 contains security requirements that duplicate those already established for financial institutions in the GLB Act. Specifically, the GLB Act and its implementing regulations require that each financial institution protect the security and confidentiality of customers' nonpublic personal information and implement a comprehensive security program. The differences between the security provisions of S. 2201 and the GLB Act will lead to unnecessary increased costs to ensure that security procedures meet multiple sets of requirements. V. S. 2201 Is Unnecessary Because Private Sector Efforts Are Working Finally, apart from the fact that financial institutions are already subject to comprehensive privacy regulation, the FSCC believes that the private sector has taken and continues to take significant steps to address online privacy concerns. These efforts are particularly well suited for solving privacy-related problems on the Internet. This is so because private sector initiatives generally can respond more quickly than legislative solutions to changing technologies and evolving online business and social practices. In addition, private-sector mechanisms, because they are consumer driven by nature, are more likely to permit users to choose among various solutions based on their individual privacy preferences and thereby avoid the problem of over- and under-breadth that is unavoidable in government regulation, which typically must be one dimensional in nature. Recent surveys indicate that the private sector's efforts at self- regulation are working. For example, the Privacy Online report released earlier this year by the Progress and Freedom Foundation shows that nearly all of the most popular websites (99%) and the vast majority of randomly sampled websites (80%, up from 64% in 2000) post some form of privacy notice if they collect personally identifiable information. Of those websites collecting personally identifiable information, 71% of randomly sampled sites and 89% of the most popular sites offer consumers some form of choice with respect to disclosing that information internally, and almost all (93% up from 77% last year) of the most popular sites and the majority of randomly sampled sites (65%) offer consumers choice over disclosures to third parties. Finally, the survey showed that websites are increasingly likely to tell consumers that they are taking adequate security measures to protect collected information. In addition, website operators continue to seek certification under seal programs such as TRUSTe and BBBOnLine. By the end of 2001, TRUSTe had certified more than 2000 websites in a variety of industries (up from roughly 500 websites in 1999) and BBBOnLine has certified more than 760 sites, up from 450 two years ago. The FTC has recognized that such seal programs are an effective method for delivering privacy protections to consumers. In particular, the FTC has endorsed seal programs as a means of complying with the provisions of COPPA--the FTC has created a safe harbor so that websites that comply with, for example, TRUSTe's children's privacy seal, will be deemed to be in compliance with COPPA as well. In addition to these efforts, technology provides compelling solutions to many online privacy concerns. For example, P3P, a privacy- enhancing technology that enables users to specify a level of privacy protection based on a website's practices for tracking data, is continuing to gain acceptance and prominence as an effective method of protecting consumers' online privacy. Among the most popular websites, 23% have implemented P3P, and Internet Explorer 6 includes the P3P function. In sum, like the Federal Trade Commission, the FSCC believes that the significant and evolving steps taken by the private sector to address online privacy concerns makes additional governmental regulation unnecessary at this time, including S. 2201. The Chairman. Very good. Mr. Dugan, we appreciate the position of the bankers and the insurance industry and the securities group, but all you have to do is go get a loan from the bank and you will see how many requirements that are required, and all the information that is necessary to get that loan. There is no question--getting right to the point, the Federal Trade Commission for 5 years did as we in this Committee asked. We asked them to bring the industry in, correlate it, have hearings, they had numerous hearings time and again, and I mention this because one of the witnesses would quote just part of what Mr. Pitofsky found, that the Federal Trade Commission after 5 years, 2 years ago--so that means we have been on it sevem years--they recommended congressional action to protect the consumer privacy online. Otherwise, all the fear and bother about the online-offline comparisons, witness after witness has pointed out the differences. It culminated into the Children's Online Privacy Protection under Senator Bryan some 4 years ago, and it has worked wonderfully well. We have not had all of the Chicken Little, the sky is going to fall if you do not regulate the offline with the online. Otherwise, with respect to the right of action, I will have to agree with Mr. Rotenberg that there is a virus in this Congress, because we are all opposed to politicians and we do not like lawyers, and anything that refers to our right of action, you would think that we had never had any enforcement, and of course when we refer to the different--like the National Highway Transportation Safety Board, we got into Firestone case, and we found out that in a 5-year period 99 million recalls, they were all voluntary on account of the private right of action. Not a one in 5 years of the 99 million did the particular governmental Federal commission direct that there be a recall, so we have had hard experience at this Committee level with respect to it. And the diversity, Ms. Lawler, that you find that might cause trouble of one jury finding one finding and a different jury in a different section of the country finding differently would be sort of confusing. It was not until the forefathers, they put that in in the Seventh Amendment, the Bill of Rights, the trial by jury, for the very reason that we wanted to respect that diversity. Senator McCain. Senator McCain. Thank you, Mr. Chairman. I would like to ask first of all, from all the members of the panel, two questions. How should we treat information collected online and offline that is merged together into one consumer data file, and should all identical types of information, whether collected online or offline, be subject to the same privacy restrictions? We will begin with you, Mr. Torres. Mr. Torres. Senator, we would love to see a comprehensive privacy bill passed by this Congress and signed by the President into law. Unfortunately, the way that privacy has been treated in this country has been sector by sector. We have looked at video records, we have looked at cable television viewing habits, we have the FCRA, which protects some of the financial information. Telephone records are also covered. Gramm-Leach-Bliley, while we do not necessarily agree with the position taken by the industry council about the effectiveness of the law, nonetheless that is the law on the books, so the way we have done information in the past, it has been sector by sector, so it is not surprising that we should treat, or that the concept is out there in this bill that we should treat the online sector as kind of--that we should not treat it at all, because we are concerned about implications in the offline world, and I have got three responses to that, really. We should treat it differently. It is different. It is a different medium. The way they collect information is different. Senator McCain. My question is, if it is merged together into one consumer data file. Mr. Torres. If it is merged together in one consumer data file, it should go to the stronger protections, perhaps, because it is the companies that choose the way they collect their information in either the online or the offline setting. It is the companies that choose to merge that data together. We should not fault the consumer for what the company does and say we cannot control this company because they choose to make this complicated. I do not have a choice, if I think the IRS laws are too complicated, because I have got a lot of complex financial transactions, to say, whoa, this is too complicated, I should not have to comply with this. It is, I choose to merge this information together. I have got full faith and confidence in this industry, that can find zillions of ways to slice and dice this information, to use it without telling the consumers what they are doing with it, to try to sell consumers junk products, based upon the information they collect from consumers, and now they cannot figure out how to provide the consumers notice and opt-out, and I mean, the companies are not prohibited from using this information to serve the client, for what the customer gave them the information to do. What they are not allowed to do without giving the consumer some level of control is to go out and sell this information. Senator McCain. Mr. Torres, my time is limited, and we have four other respondents. As much as I appreciate your knowledge and your passion, I thank you. Ms. Lawler. Let me comment about merging online and offline data sources by way of HP's actual practices, which are that that is the fact today for us, and particularly when we look at the different types of sources, Mr. Misener from Amazon.com mentioned a few. One he did not mention that is actually the single largest source of our customer data is our call center business, and that would be support call centers, or pre-sales call centers, where someone calls because they have a problem they need fixed or help with, with regard to one of their HP products. So when we talk about merging data into a single data base, I would actually qualify that and say, with many large, global companies like HP, we are not talking about merged data in a data base. We are talking about several, and our efforts have actually focused on reducing the hundreds into the several into the few. It will be never less than a few, given the vast and broad nature of our customers. Our perspective is, we treat them the same, when you look at the statements made by the FTC last fall, that the presumption is that the offline policies and practices are the same as those stated in our online privacy statement. Senator McCain. So then they should be subject to the same privacy restrictions, in your view? Ms. Lawler. We would be comfortable with that. Senator McCain. Mr. Rotenberg. Mr. Rotenberg. Senator, I think the obligations for companies operating on the Internet should apply when they marry that data with the offline data that is in their possession on the same customers. I think it is very important--you know, if we learned nothing else from the last 5 years, it is clear that the privacy risks associated with the online world are different from those in the physical world. Senator McCain. Would you agree also, with the changing technology, that the challenges change as well? Mr. Rotenberg. Certainly, Senator, I agree the technology will evolve and the law will evolve. The good thing about this bill is that it follows the general principles that have been used in the past to protect privacy and fair information practices, and those principles which really relate to the collection and use of customer information stay pretty much the same even as the technology changes. But if I may, sir, make one other point, companies operating on the Internet have the benefit of an enormous opportunity that those in the physical world do not. They can track their customers moving from one web page to another. They can plant cookies. They can use e-mails. Some of this is very effective, and some of it has helped build companies like Amazon that today has 35 million customers, but I certainly think that privacy obligations carry along with those new, innovative business practices. Senator McCain. Thank you. Mr. Misener, you do not need me to repeat the question, do you? Mr. Misener. No, I do not, thank you, sir. Senator McCain, the same information ought to be treated the same. The consumer's perspective on this is fairly obvious. Why should they care if their privacy is violated through one medium as opposed to another? It ought to be treated equally. It seems to me there is no reason, no principled reason to treat them any differently, or to treat the information any differently. We have heard from a couple of the other witnesses that there are true differences between the online Internet medium and other channels of commerce. I would submit to you that there are, and if there are differences that warrant legislation specified or specifically tailored to those differences, that is something we ought to talk about. Unfortunately, the way these bills have gone, including S. 2201, is that they treat the same kind of practices differently. They do not hone in on the differences. I would submit to you, Senator McCain, that in the offline world retailers know the race and the sex and the personal appearances of their customers. We do not. In the offline world, retailers know where the customers are. They can track them around the country. We cannot. We have no idea where they are physically. Those are two very serious privacy differences that actually favor the online world. If we want to talk about differences, we ought to legislate about---- Senator McCain. Favor the offline world? Mr. Misener. Well, that privacy is better in the online world, and so if there are true differences here, let us talk about the differences and hone in on those, but where the collection methods and the use and the treatment of the information and the information itself are identical, they ought to be treated identically under the law. Senator McCain. Mr. Dugan. Mr. Dugan. Senator, I agree, we cannot see how you can treat the information differently. If you operate in two channels at once for the same customer you could not have two separate checking accounts for one person, for example. We think they should be treated the same. They are treated the same under the Gramm-Leach-Bliley privacy scheme that applies to financial institutions in both the offline and the online context, and we think that is appropriate. Senator McCain. But they are not under this legislation? Mr. Dugan. That is correct. Senator McCain. Thank you very much, Mr. Chairman. The Chairman. Thank you. Senator Burns. Senator Burns. I would like to ask the panel one question along the same lines as Senator McCain asked. Why is it we hear the clamor for privacy online when much or more is collected offline? Mr. Rotenberg. Senator, if I could try to answer this, I think it really is because the data collection practices are different. If you go into a store--you know, it is interesting, you go into a store and you purchase a product, you can pay by cash, and pay by credit card. There is a very good chance the store has no idea who you are unless you choose to sign up for a catalogue or have something shipped to your home, and the thought that walking down an aisle, or picking up a book, or looking at a product that you might be interested in could somehow be recorded is really the exception rather than the rule. The online world is very different. We know this. I mean, we know this because of the way the cookies operate, because of the http protocols. It is just much easier to follow people online, so when the list of Prozac people is published, that is the kind of problem that could only happen on the Internet. Ms. Lawler. Senator Burns, what I would like to add to that, I think it gets down to the fundamental trust relationship that consumers have with the organizations they do business with, and when you have that personal interaction, or you can choose that personal interaction when you walk into a store, or walk onto the concrete in an auto dealer, that is very different than when you cannot see with whom you are dealing. It is a nameless, faceless entity, so I think the perceived and real standards become higher in individuals' minds when they are dealing with a company that may or may not have a brick-and-mortar presence as well. Mr. Misener. If you do not mind, Senator, I would just like to add to that that I think part of it--and you have asked why is there more attention being paid to it. I think part of it is frankly just a carryover from what the novelty of the Internet is that really began five, six, 7 years ago, when people were sitting before a computer and it is a mysterious thing. It is a computer, as opposed to the friendly store, or the friendly cards they fill out, the subscriptions I get. My wife and I just bought a washer and dryer, and the warranty registration card has labeling all over it saying, for your safety, fill out this and return this for your safety, and these are dangerous devices, and so they want to know for my safety what my household income is and whether or not we read the Bible. It is not scary when you fill out the little card in pencil and mail it in, right? But the reality is, when that card gets filled out and sent in, it gets entered into a huge computer data base which is shared, and the information is sold wherever, and in this instance it is far more safe to share your information with Amazon.com. Mr. Dugan. Senator, my only comment is, from a financial institution's perspective, they do not see much difference. Customers are obviously concerned about privacy, but they see it the same way whether it is online or offline. Senator Burns. I would imagine--yes, sir, Mr. Torres. Mr. Torres. I was just going to say, I think consumers, when they go online, may venture into different areas that they would not necessarily go to in the offline world. I mean, I have looked up an awful lot of, because of a family situation an awful lot of medical information online. The thought that that is being tracked is rather frightening, whereas I might not necessarily go to a bookstore or to the library and look that up, but it is available to me, and so just where you can go online is quite different. Senator Burns. As for the second area of concern, in a meeting with various interest parties around about the bill the Committee is concerned with today, I heard a lot of alarm about the private right of action language. Could you comment on the private right of action section contained in S. 2201? Is it overly broad in scope, or is it too limited? Does anybody want to take a shot at that? Mr. Dugan. Sure, I will take a shot. We believe it is far too broad, and because financial institutions deal in sensitive information, it is really aimed at financial institutions, even though we already are subject to privacy protections and enforcement. Our regulators, for example, bank regulators can impose penalties of $1 million a day for violations of privacy violations of the Gramm-Leach-Bliley Act. We think that is sufficient. It is a system that works. There is no reason to apply a private right of action in that circumstance, and the provision in this bill does, as I think someone was saying before, you have to show some actual harm, it is true, but if you show any bit of actual harm, then it is a minimum $5,000 per customer per violation, and if you have millions of customers, as many companies do, that is an invitation to class action litigation. Senator Burns. Let me put a footnote on this, and whether it is too broad or too narrow. Give me your idea on safe harbor. Mr. Rotenberg. Mr. Chairman, first of all--I am sorry, Senator Burns, as the Chairman explained, you need some kind of private right of action because otherwise all your chips basically sit on the FTC. I mean, that is the way the bill is structured, and if the FTC does not choose to take action, people who may have been actually aggrieved will have no place to turn, and so that is where this provision comes from. As I explained in my opening statement, I think it is too narrow. I think it places all the burdens of litigation without any of the benefits, and I cannot imagine any lawyer, unless kind of a bighearted person wants to do it on a pro bono basis, litigating on the basis of this provision, and so I gave two suggestions. One is to treat it as other privacy statutes do, which is to give people the opportunity to recover for cause. You can even cap, by the way--I mean, I understand the industry concern. You do not need to have sort of big, open-ended damages. You could have a cap on damages, or go into small claims court. On safe harbor, I think it can be made to work, but enforcement is key, because you have to understand that is another hurdle, another sort of black hole where, you know, we can lose track of what is actually happening and whether there is enforcement of the good provisions in the bill. Mr. Torres. Senator, we would be very skeptical of a safe harbor unless it was properly structured in such a way that it was not such a harsh hurdle to overcome, and also have some kind of teeth to it so that the standards were at least equivalent. And to the private right of action, it is just--I mean, the thought that--we cannot even get--let me put it this way . I work on a lot of different financial and banking issues. We cannot get the bank regulators to go after predatory lenders. The thought that they would go after a bank to seek a $1 million penalty for a privacy violation, I just do not see that happening. I mean, we talk a lot about accountability and responsibility. You know, we are about to pass a bankruptcy bill that is going to sock it to consumers, and hold them accountable and responsible. Why can't we ask for that same type of standard of industry? If they are so concerned about privacy, they are so concerned about doing the right thing, and they say that they are, why don't they stand up and say, OK, and the private right of action here, the hurdles are high. If anything, it is narrow, but perhaps it does strike the right balance, because to use it, it has got to be a real bad thing for a consumer to use it, so in a way it is self-limiting, and may be the right approach. Mr. Misener. Just very quickly, Senator, there are two competing consumer interests here. Consumer interest one is enforcement. They want to ensure that if there is a law on the books that it is enforceable. If it has no teeth, then it is not useful. On the other hand, consumers also want clear, readable notice given to them. We have these two competing things. One is, companies will try to protect themselves against lawsuits by making the privacy policy extraordinarily long, detailed, legalistic, unreadable. On the other hand, they want to provide their consumers and their customers something that is useful to them, something that actually they will read and understand. These kinds of things are competing interests that an agency like the FTC could take into account. Yes, it may not have been entirely, precisely, legally correct, but it was trying to communicate to consumers what they were really doing. A class action attorney will have no such balancing desire. He will focus in on the legal precision only, and not care whether or not it was readable. Senator Burns. Ms. Lawler. Ms. Lawler. Thank you. With regard to the safe harbor, we think there is an excellent place for that in the overall enforcement scheme, and I would comment in particular on our involvement in the BBB online privacy sale program, which also meets the first line of enforcement requirement for the safe harbor self-certification. We think that takes a good place in that regard. With regard to the private right of action, some of my concerns would be a little bit on the opposite side of the class action suits, and based on observations we have made very recently in the industry and with some of our colleagues, that you have similar to what is happening with many of the State anti-spam laws, which are the spambulance chasers, where individuals---- Senator Burns. Do not get started on spam. [Laughter.] Ms. Lawler. In any event, what we see is not attorneys getting involved looking for large, deep pockets, but individuals perhaps turning their own interpretation of the law on its side in an effort merely to gain some additional income. Senator Burns. Thank you. The Chairman. Senator Wyden. Senator Wyden. Thank you, and I thank all of our panel. As you know, millions of the privacy notices that get mailed out today, particularly the ones in Gramm-Leach-Bliley just end up in the trash can. They literally show up at the house and into the trash they go, and these notices are particularly important, because this is something that empowers consumers, and they get a sense of what it is the companies are collecting about them, and for the life of me I cannot figure out why it is not possible to come up with a short, understandable notice and format, so as to give consumers these basic protections. I would be curious what would be wrong, in the judgment of this panel, with using something along the lines of what is done for nutritional labeling. This is an effort, it is a requirement, it is done the same way on all food products, consumers grow familiar with it, they know to look for it, it is truly a useful tool, and I have got to think that there is enough ingenuity at this table to come up, working on a bipartisan basis with the Chairman and Senator McCain, to come up with something like this that would be helpful to the public. Maybe we could just start with Mr. Dugan, and I have got a few questions for this panel. Mr. Dugan. Senator, you raise a good point. In the Gramm- Leach-Bliley act, financial institutions have been frustrated by the fact that in many cases, although they have gone to tremendous time and expense to prepare the notices, as required by the law and the regulations, that they have been perceived as too complicated and too legalistic, and the problem is exactly what Paul was talking about earlier, that in order to comply with the detailed requirements of the privacy regulations, in order to avoid legal liability, there is a real fear that if you get simpler you can expose yourself. Nevertheless, in the wake of what happened with the first round of Gramm-Leach-Bliley notices, I think there was a lot of education that occurred both with respect to companies and with respect to agencies. It is why the FTC had a big interagency privacy short notice conference in December. It has prompted an effort by the industry to come up and look at precisely the kinds of short notices that you are talking about, but I have to tell you--and I think that is going to make progress. I think we are going to produce something over time, but I have to tell you that is something that takes some care to do right and do in a way that does not expose you to liability. It took a long time to come up with a food labeling notice that was acceptable to the parties involved and to the Government. I think it is very much a worthwhile endeavor and very much a good point, and it is something we do need to work on in the privacy context. Senator Wyden. Are the rest of you comfortable with looking at the nutritional labeling concept just as a model? Obviously, food is different than technology, but this sector has so much expertise it ought to be possible to do something, other than in effect put all of this mail in the trash can, and that is what is happening today. Mr. Misener. Senator, we would certainly be happy to look into that sort of thing. We want to be able to communicate as clearly as possible to our customers. I will say that the clear effect of having a private right of action in a bill like this would be to move it the other direction. It would become less clear, much more complicated, much more legalistic, much longer. Ms. Lawler. Let me just add that HP would enjoy very much being a part of this discussion. We actually have some best practices that we could bring to the table that we are currently providing in many of our online places for data collection. There is definitely a balance between providing the right level of specificity so that you do not open yourselves up unnecessarily to legal exposure, but I think the overriding principle is definitely clear, simple, informed notice for consumers, and I think along with that, though, is the importance of real, sincere, earnest consumer education on those standards in the labeling that I think are the fair information practices we are talking about. Senator Wyden. Let me turn now to you, Mr. Misener, with respect to industry's position on why it is important to have a law. You all are the No. 1 retailer in this field. I mean, it seems to me that if there is an EXXON VALDEZ of privacy, as I have come to describe it, this just shatters consumer confidence. This makes people stay away from the kinds of initiatives your company is built on. I do not see how all of these voluntary efforts--and I think they are good, and P3P, for example, is the very good, I do not see how they are going to control the bad apples, and I think that is why it is important to have one sensible Federal initiative in this area, and why we spent a lot of time, as you know, working with you, Senator Burns and I and Chairman Hollings, to try to get it done right, but aren't the stakes enormous if nothing is done here, and some of those bad apples shatter consumer confidence? Mr. Misener. Thank you, Senator, and you have been consistent in this position for many years, and we certainly appreciate that. If we thought that it would be in the best interest of our customers and company to have a bill like this adopted, we would be here lobbying for it. Senator Wyden. But just talk about the concept. Understand, I am not a sponsor of a bill right now. I am interested in working with the Chairman and people like yourself to get something done that addresses this, so just talk conceptually about what happens if the bad apples---- Mr. Misener. Conceptually, the bill would do nothing to prevent the next EXXON VALDEZ of privacy, would do nothing to get at the bad actors. It would do everything to expose the good guys to litigation. The little guys who are potentially the bad actors who are not doing well in the market because they are bad actors will not be the targets of litigation. They do not have any pockets. The litigators will go after the big names. They will go after my company and other household names. We see no additional benefit to our customers, either existing or future customers, in having that ability. Just to sort of pile on, on top if it, Senator, we have really eschewed the term self-regulation. You will never hear me use that because it implies some sort of altruism on behalf of consumers, that companies are going to regulate themselves out of the goodness of their hearts. The reality is, is that companies will lose business. They will lose their existing customers, they will not gain new customers if they do not have the privacy protections that consumers want, and so this is a market-regulating thing. Just as much as the prices of our products are market regulators, so are the levels of privacy protections we provide. Senator Wyden. Well, again, I am open with respect to the details here, and that is why I have not signed on to the legislation, but I will tell you, with respect to the key concepts here like preemption, if there are these horrendous incidents where people's medical records, for example, get out, preemption has gone. Industry will not get something that they feel very strongly about. You will have 50 States off to the races, and the whole matter of preemption will be gone, and so we hope you will work with us so we can get it done right, and that is one of the reasons why I am not a sponsor of the legislation today, and I am anxious to work with all of you on it. A question for you, if I could, Mr. Torres, on the safe harbor, because again, this goes right to the heart of how we are going to bring together folks in the consumer movement who I have worked with for many years, and people in industry. I think with so many e-commerce companies hurting right now, really struggling, it is understandable why they are nervous about possible exposure under a new privacy statute. How far are you all willing to go to provide this safe harbor kind of concept so that there is a clear path to certainty and safety for companies that we end up rewarding the self-regulatory efforts that are responsible? How far are you all willing to go in terms of meeting industry halfway on the safe harbor idea? Mr. Torres. Well, Senator, considering how far we have come on this legislation, to go a little bit farther and talk about how to structure a safe harbor, we would certainly be open to that as a way of recognizing the efforts of some of the better companies out there who have responded to consumer privacy concerns. Senator Wyden. One last question, maybe for either of the industry representatives, and Mr. Rotenberg, maybe we could get you into this one. With respect to access, this, too, is going to be an important issue if we are going to get a meaningful piece of legislation. Access is what makes consumers feel secure. They know that they can get to this critical information. Where is the common ground between industry and consumers with respect to access rights? Why don't, Mr. Rotenberg, you and Mr. Misener take this one on? Mr. Rotenberg. Thank you, Senator. Actually, having been a customer of Amazon, I can say that in many ways Amazon has been a leader in trying to provide their customers with a very extensive display of the personal information that the company has acquired, and it is an important way to establish trust and confidence for the company to disclose to its customers the information that it has on them. It is really--without access, we are left only with the notices, which are largely like disclaimers. The problems, I think, arise in other circumstances with companies that have not developed this practice that basically say, as this bill seems to suggest, we will give you the information about you that you have already provided to us, and that is not enough, I think, for most consumers to understand what types of profiles are being built, what kind of data is being linked, what other information is informing the company in its decisionmaking with the consumers, and so it is really over in that category of information that I think there is also an interest of access. Mr. Misener. Thank you, Senator. Certainly, access is very important. As Mr. Rotenberg points out, Amazon.com has really attempted to provide it as best as possible. I think perhaps the bigger question here is, given that only 1 percent of consumer transactions are consummated online, what about the other 99 percent, no access at all? Is that the result here? I would think a question to some consumer groups might be, why fight so hard for this 1 percent and leave aside the other 99? Senator Wyden. My time has expired. I would only say to this panel I think you all, and the cross-section of people that the Chairman has at this table, you all may have the clout to kill Federal legislation this year. I think that that would be a big mistake. I think it would be a big mistake because a lot of consumers in this country would get hurt, and I think it would be a huge mistake for industry. As you know, I am the principal sponsor of the Internet tax freedom bill to promote commerce online. You have these privacy problems, and you undo a lot of what we have achieved with the Internet tax freedom bill, so what I have told the Chairman is, I am going to work very closely with him, because I think it is time to get moving, folks. I think it is time to get a bill passed, and there are areas such as the one I have talked about with respect to the notice provision where, instead of putting all the stuff in the trash cans of America the way we are doing today, under the various requirements of today, we can do something that is constructive by looking at models like nutritional labeling, and so I hope you will work with all of us. I am going to work with the Chairman and Senator McCain, because I think it is time to get going and pass a law, and I thank you, Mr. Chairman. The Chairman. Thank you, Senator. I enjoyed your observation, because let us assume the bill is killed and nothing happens, do not worry about it, the States are going to legislate. This crowd--I sort of resent polls, and pollster politicians. For 25 years I never did see one, and now I have got to look at them now, because the people do not pay attention until the very end of the campaign, and so that is where you have got to put your money and your TV, but the bankers are not going to get by, and the insurance companies, and the securities. They are going to legislate for you. And so the reason we are moving now is because the politicians all up here, as much as they dislike private rights of action and whoopee, let's get all the lawyers and everything else like that, they even see now that this is the No. 1 issue on every poll that every one of these Senators are taking, and that is why we are able to finally move, after 7 years. I can tell you--and I do not mind putting in a bill for the offline the same as the online. I can tell you, 7 years, that will wait 70 years. That is not going anywhere. I can tell you myself. I used to represent a 123 chain supermarket, and I can see that notice sticking up in the doorway as you come in about how they are going to use the information about what you are buying and sell it around. That poor store would close in the next week. They would lose all their business. People would be scared. Everybody is interested in privacy offline, online, offline, online, we all know that, but it has gotten to be such a problem and can be managed and will be managed either by the States or the Federal Government, and we here at the Federal level cannot let the perfect be the enemy of the good. I mean, if we wait around, and continue to wait around, we will never get anything done. So you folks have brought into focus some real concerns about this particular bill. These have been very valuable presentations here today. The Committee is indebted to you, and we will proceed from this point on. We thank you very, very much. The Committee will be in recess, subject to the call of the chair. [Whereupon, at 11:55 a.m., the Committee adjourned.] A P P E N D I X Prepared Statement of Hon. John F. Kerry, U.S. Senator from Massachusetts Mr. Chairman, thank you for holding this hearing. This is a continuation of a process that began in the previous Congress to develop Internet privacy legislation. We are now very near to a bill that empowers consumers to have confidence in the security of the Internet and will allow the Web to continue to grow as an engine of commerce. I think we are getting very close to achieving that balance. The Chairman has introduced a bill that I am proud to co-sponsor. It is strongly pro-consumer. Its basic premise is that if consumers give their private information out over the Internet, it should be used only for the reason it was given, unless the consumer decides otherwise. For the first time, we have legislation that creates two separate tracks for personal information--non-sensitive and sensitive. As I have said before, I believe that consumers have different expectations for privacy with respect to their shopping habits or hobbies than they do their medical information or financial information about their religion or sexual orientation. And, accordingly, the bill allows operators to collect nonsensitive information unless a user decides he or she does not want to permit such an action. Sensitive information is assumed to be private, unless a user allows the operator or service provider to collect that information. One of the most important elements of the bill is that it requires operators to provide ``clear and conspicuous'' notice about the collection of personal information. Many well-known websites already do this, much to their credit. However, many online service providers do not have clear, easy-to-understand privacy policies. I believe that requiring this robust notice is a ``must'' for any privacy legislation. This bill meets that requirement. Another critical requirement of privacy legislation met by this bill is that it ensures that web site operators and service providers must meet only one standard of privacy. The bill preempts state laws, so that operators are not faced with the cumbersome responsibility of having 51 different privacy notices and 51 different ways for a user to opt-in or opt-out, depending on their residency. Finally, let me add that technology has an important role to play in this debate. Obviously, if I believed technology held all the answers to guaranteeing Internet privacy, I would not be supporting the Chairman's bill. However, it can help Internet users feel comfortable browsing, shopping and doing research--be it academic or consumer research. The Platform for Privacy Preferences, which I understand Microsoft has recently made available to its consumers, holds great promise in helping consumers determine what sites they can trust and which they are not comfortable with. Mr. Chairman, today's hearing represents another step in the long march to enacting sound Internet privacy policy. As we go forward on this bill there will undoubtedly be some changes and some further improvements. I stand ready to work with both you and the witnesses, as well as other interested parties to help in that process. ______ Association of National Advertisers, Inc. April 25, 2002 Hon. Ernest F. Hollings, Chairman, Commerce, Science, and Transportation Committee, Washington, DC. Dear Mr. Chairman: On behalf of the Association of National Advertisers (ANA), I am writing to submit these comments and questions about S. 2201, the ``Online Personal Privacy Act.'' I would like to request that these comments be included in the official hearing record. ANA is the advertising industry's oldest trade association and the only group dedicated exclusively to enhancing the ability and protecting the rights of companies to market their products and services on a national and regional basis. Our members are a cross- section of American industry, consisting of manufacturers, retailers and service providers. Representing more than 8,000 separate advertising entities, our member companies market a wide array of products and services to consumers and other businesses. Many of our members are actively engaged in e-commerce. Privacy protection is a critical issue for both consumers and marketers. The future of the Internet and the future of target marketing, which provides the economic foundation for economic efficiency and support for the marketplace of ideas, all depend on our finding a solution to the legitimate privacy concerns of consumers. Marketers understand that the full potential of the Internet will never be reached unless consumers feel secure in the online environment. S. 2201 contains some positive features, such as federal preemption of state laws. It is a more sophisticated proposal than earlier legislation, recognizing that all information collected online is not created equal. However, we have several significant concerns about the bill: (1) ANA strongly opposes the access and security provisions of the bill and the private right of action for consumers. These provisions would expose commercial websites to tremendous potential liability and class action lawsuits, and in our view, are unreasonable. (2) S. 2201 would attempt to regulate the entire universe of online commercial activity and conflict with numerous privacy laws already on the books. (3) The bill would impose massive new costs and major new burdens on every business that operates online. (4) Mandating the use of a sweeping opt-in approach for all sensitive information raises serious First Amendment concerns. (5) The bill would result in a barrage of notice disclosures that would be counterproductive for consumers and businesses. ANA does not believe that broad new federal privacy legislation is necessary. No government or combination of governments has the resources to police all of cyberspace effectively. We believe that consumers can be best protected through a combination of existing privacy laws and regulations, privacy enhancing technology, effective self-regulation and the backstop of the FTC's current powers to stop false, deceptive or unfair acts or practices. The Business Community has Responded to Consumer Concerns ANA believes that the findings in the bill do not adequately recognize the efforts that the business community has made to protect privacy, or the legal enforceability of those steps. Almost every major commercial website has adopted and posted privacy policies to tell consumers how they collect and use information. The private sector has developed three major seal programs (BBBOnline, TRUSTe and CPA Webtrust) to assure consumers that websites are in fact carrying out their online privacy policies. New technologies from ``cookie cutters'' to P3P, the Platform for Privacy Preferences, are providing consumers with the tools they need to protect their privacy. While more remains to be done, we believe the online community has made substantial progress. The most recent ``privacy sweep'' shows continued industry progress. That survey of the most popular websites was released in March by the Progress and Freedom Foundation (PFF) and is available at their website at www.pff.org. The survey was conducted by Ernst & Young, based on the methodology of the most recent FTC survey. The key findings of the survey are: (1) websites are collecting less information; (2) privacy notices are more prevalent, more prominent and more complete; and (3) consumers have more opportunities to choose how personally identifiable information is used. Virtually all of the most popular websites surveyed had privacy notices, while 90% of the random sample of websites posted privacy notices. Self-regulation already has gone a long way and continues to be strengthened every day. FTC Already has Legal Authority to Enforce Privacy Promises Last October, FTC Chairman Timothy Muris announced a major new privacy agenda for the Commission, including greatly increased resources, more consumer outreach and education and new enforcement initiatives. At that time, the Chairman stated that the Commission did not need new legislation to protect consumer privacy. We share the Chairman's conclusion that a more vigorous federal cop on the beat, combined with the various efforts of the private sector, can provide consumers with the best protection of their privacy in our new economy. Once a company posts a privacy policy, the FTC has jurisdiction to go after the website if it does not live up to the privacy promises made. The FTC has brought a number of enforcement cases based on this authority. Thus, the statement in the findings of S. 2201 that current law provides only ``minimal'' protections is inaccurate. The Scope of the Proposed Legislation is Very Broad As you know, the United States has historically taken a sectoral approach to privacy regulation, adopting specific rules to apply to a specific industry and specific perceived problems. As a result, there are more than ten separate federal regulatory privacy regimes, including the Children's Online Privacy Protection Act, the Cable Communications Policy Act, the Telephone Consumer Protection Act, the Video Privacy Protection Act, the Gramm-Leach-Bliley (GLB) Act, the Fair Credit Reporting Act, and the Health Insurance Portability and Accountability Act, to name just a few. S. 2201 would seem to regulate the entire universe of online commercial activity. How would the bill relate to all of the other privacy laws already on the books, such as GLB and the health privacy rules? Would companies in those industries be subject to yet another inconsistent privacy regime? The answer appears to be yes. Under GLB, financial service firms are not required to get consumer consent through opt-in before sharing information with affiliates and subsidiaries. GLB adopts an opt-out approach for this information and this was one of the most contentious issues in the GLB debate. Yet S. 2201 would require an opt-in approach for any collection, use or transfer of sensitive financial information, whether to affiliates or any other group. One fundamental question that Congress must address is what is the harm that the legislation is seeking to address. Consumers have a legitimate concern about how health or financial information about them might be used by someone else. Thus we have the GLB and health privacy laws and regulations to address those specific concerns and potential harms. S. 2201 would regulate every part of the online economy, including information about how many shirts someone orders from a retailer and what color, size and price they were. What is the potential harm that can come to a consumer from the use or transfer of that type of general commercial information? Does that potential harm justify a sweeping new privacy regime that imposes costs and burdens on every business in America that uses the Internet? ANA believes it is critical to determine how S. 2201 would be harmonized with all the existing federal privacy laws. A major diversified business could easily find itself subject to multiple and conflicting requirements and definitions. Conflicting definitions and standards on when a consumer may opt-out of the transfer of information to another entity would be very confusing to consumers and could have a chilling effect on their willingness to permit information to be shared in the marketplace. As discussed below, there is substantial economic evidence that such a result could impose multibillion dollars of costs on various industry sectors. ANA Supports Uniform, Federal Enforcement of Privacy Laws If broad privacy legislation is passed by the Congress, then federal preemption should be a key part of the package. The Internet is the first truly global medium and we must be very careful not to allow Internet privacy regulation to become Balkanized through multiple, inconsistent state laws. Therefore, we support language that clearly preempts state law or regulations on the collection, use or disclosure of personally identifiable information obtained through the Internet. However, the preemption provision in S. 2201 may not actually go far enough. Many of the other federal privacy laws, such as GLB, allowed states to go beyond federal law and adopt their own state laws. It is not clear that the preemption provision in S. 2201 would have any impact on any of these state laws already on the books. Access and Security Provisions are Unreasonable ANA is also concerned about the provisions of the bill that would require that consumers receive access to all information held about them by a company. This could be a very costly process for a major global marketer with multiple divisions and subsidiaries. If a packaged goods company has 40 different websites for each of their branded products, are they treated as separate entities for purposes of the access requirement? If not, the access provision may require the corporate parent to pull together the disparate information held by various subsidiaries to create a dossier on a consumer. This, in turn, raises new security concerns about the ability of hackers or other unauthorized persons to gain access to this newly created profile. These issues are very challenging and complex. Several years ago, the FTC created an Advisory Committee on Online Access and Security (ACOAS). After months of serious consideration, neither the FTC nor the advisory committee were able to establish clear standards on how to implement these policies. Everyone agrees on the concepts of access and security, but these issues are the true Gordian Knot of privacy. Providing consumers with broad access to information, without adequate protections, poses potential severe security risks. Overly stringent security precautions can make access very difficult. How is the access to be provided? Online or offline? How was the $3 fee for providing a consumer access determined? It seems very low in regard to potential collection costs for companies with multiple subsidiaries or disparate databases. Does the committee have any economic evidence of what the actual costs might be for companies to provide access? Without this type of data, it would be dangerous to impose this type of maximum fee. Furthermore, even if the fee could be justified today, can the Congress really assess what would be reasonable fees into the future? A more flexible approach should be developed. Not all information is created equal. A consumer may have a greater interest in access to sensitive information that a website has collected. Is giving a consumer access to all general marketing information collected about him so important as to justify the cost and burden to companies to provide this access? Are these costs justified in light of potential increased security risks? Private Right of Action is Unreasonable We strongly oppose the provisions of the bill that would provide consumers with a private right of action to sue websites that somehow violate the privacy regime. By creating a damage award of at least $5,000 per plaintiff, the bill would put popular websites at risk for large class action lawsuits. Companies would be forced to spend substantial amounts even to defend frivolous claims. Under section 203 of the bill, upon a showing of actual harm, a consumer is allowed to recover the GREATER of the actual monetary loss from the violation, or $5,000. Assume you had a group of 1,000 consumers who allege that a website has failed to provide reasonable access to sensitive data and a court determined that the actual monetary loss from the violation was $3 per consumer. Under S. 2201, the total award for this case would not be $3,000 (1,000 consumers X $3 per consumer), but rather would be $5 million (1,000 consumers X $5,000 per consumer). This would essentially be a punitive damages model that would strongly encourage litigation even if any actual harm were minimal. This potential risk could be devastating for many online companies, which often begin as start-up firms or small family businesses. The risk would be very significant even for major multinational firms. The Opt-In Requirement is Unworkable Mandating the use of an opt-in approach for the collection and use of all sensitive PII would add tremendous costs and raises serious First Amendment concerns. ANA is a member of the Privacy Leadership Initiative (PLI). PLI has carried out a number of economic studies to determine the value of information transfer in our economy and the potential costs of an opt- in regulatory regime. In the financial arena, a number of studies demonstrate multi-billion dollar annual savings from accurate credit reporting and the avoidance of fraud due to the collection of data and data access. In the apparel sales area alone, it was demonstrated that if catalog sellers were unable to use routine data that they collect from customers and obtain third party data, they would have to raise their prices by more than $1.4 billion annually. These studies are available at the PLI website, www.understandingprivacy.org. The PLI studies show that gaining affirmative consent under an opt- in system from consumers is a very difficult and expensive process. For example, US West recently conducted an affirmative consent trial using both call centers and direct mail. Outbound telemarketing calls obtained an opt-in rate of 29% of residential subscribers at a cost of $20.66 per positive response. Direct mail was much less successful, obtaining a positive response rate between 5% and 11% and costing between $29.32 and $34.32 per positive response. US West concluded that opt-in was not a viable approach because it was too difficult, too time intensive and too costly. Therefore, the cost implications of this legislation could be very substantial. An opt-in requirement, however, implicates issues that go far beyond cost and economic efficiency. Some courts and legal scholars believe that it raises serious First Amendment issues. In 1999 in U.S. West v. Federal Communications Commission, 182 F.3d 1224, the 10th Circuit Court of Appeals held that the government must carry out a careful calculation of costs and benefits associated with burdens on speech imposed by an opt-in rule. In that case, the court struck down an FCC rule that contained an opt-in requirement, concluding that the rule violated the First Amendment. These First Amendment considerations must be carefully analyzed before a broad opt-in approach is adopted, or the government will not meet the requirements laid out by the Supreme Court for the protection of commercial speech. Balkanization of Information S. 2201 treats information collected online differently than information collected by other means, such as by telephone, direct mail or fax. Since many businesses provide services to their customers both online and offline, this will mean that information will have to be identified and handled based on how it was received. This requirement will create major incentives to balkanize information about consumers, which will result in significant increased costs with little added benefit for the consumer. Merging offline data with online data appears to trigger the massive regulatory regime of this legislation. This could create incentives for inefficient information practices, as companies seek to avoid the massive liability they could face under the private right of action provisions of the legislation. S. 2201 would create numerous classes of information that are subject to special and differential treatment. This is in addition to the different classes of information established by the privacy provisions of GLB and the Fair Credit Reporting Act. This ever- increasing Balkanization of information databases is both costly and inefficient. Barrage of Notice Disclosures S. 2201 requires special notice disclosures that differ from the notice requirements of GLB and other federal privacy laws. It may not be possible to satisfy all of these various notice requirements in a single notice. Further, any resulting notices are likely to be complex and confusing to consumers. Notice requirements are tied to ``material'' changes in a company's current practices, rather than to the information provided in a prior notice. Thus, even if a company disclosed a prospective practice in its privacy notice, the company would still need to provide a new notice when it actually changes its policies. This will lead to a barrage of notices as new notices are provided in response to relatively minor changes in information practices. Section 102(d) of the bill states that a website must provide ``robust notice'' at its ``first collection of non-sensitive personally identifiable information from that user.'' However, the section then goes on to provide that ``a subsequent collection of additional or materially different non-sensitive personally identifiable information from that user shall be treated as a first collection.'' It thus seems that ``robust notice'' must be provided at every point where ``additional'' non-sensitive PII is collected. This would lead to massive and repetitive disclosure regimes proliferated across the Internet and every business sector, regardless of cost effectiveness. Sweeping Government Regulation Does Not Guarantee Privacy Protection The adoption of sweeping government regulation is no guarantee that consumer privacy will actually be better protected. Europe offers a good example. Although their privacy laws are generally considered more restrictive and comprehensive than those in this country, a January 2001 study by Consumers International indicated that European sites appear often to be actually less effective in protecting personal privacy than American websites. For example, the study found that despite all the rules, 60 percent of European sites lack a privacy policy; only 9 percent of the European sites ask the consumer for permission to sell information about them. Indeed, the study found that U.S.-based sites tended to set higher standards for privacy policies. Consumers International, Privacy@net: An International Comparative Study of Consumer Privacy on the Internet, (January 2001). In fact, Professor Fred Cate of the University of Indiana School of Law has argued that the more restrictive European privacy laws also have failed to quell consumer fears. Despite wide differences in our legal and regulatory approach, polls on consumer privacy concerns show nearly identical results in the U.S. and Europe. For example, Professor Cate cites a Lou Harris & Associates poll in 1999 that found that U.S. and German consumers surveyed demonstrated virtually identical fears about privacy on the Internet. See: IBM Multi-National Consumer Privacy Survey (1999). Therefore, any claims that broad privacy legislation mirroring the European model will drastically diminish public anxiety about privacy and generate dramatic increases in online commercial activity do not seem to be founded on solid research. Nor can they provide the justification for such comprehensive and restrictive legislation as S. 2201. Conclusion Privacy gives rise to very complex issues and no one, in industry or government, has all of the answers. We believe the business community is actively working to address the legitimate privacy concerns of consumers. The online business community has faced tremendous economic challenges in the last year, as companies continue to try to develop profitable business models. Most of the survivors began as small businesses and start-up firms. S. 2201 is well intended and there are several improvements over earlier proposals. However, ANA believes this bill would impose tremendous new costs and unreasonable burdens on companies of all sizes, and therefore should be rejected. We appreciate your sincere concerns about consumer privacy and look forward to continuing to work with you and your staff on these critical issues. Sincerely, Daniel L. Jaffe, Executive Vice President