[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
OVERSIGHT OF THE FEDERAL TRADE COMMISSION: STRENGTHENING PROTECTIONS
FOR AMERICANS' PRIVACY AND DATA SECURITY
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON CONSUMER PROTECTION AND COMMERCE
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
MAY 8, 2019
__________
Serial No. 116-31
Printed for the use of the Committee on Energy and Commerce
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
govinfo.gov/committee/house-energy
energycommerce.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
40-157 PDF WASHINGTON : 2021
--------------------------------------------------------------------------------------
COMMITTEE ON ENERGY AND COMMERCE
FRANK PALLONE, Jr., New Jersey
Chairman
BOBBY L. RUSH, Illinois GREG WALDEN, Oregon
ANNA G. ESHOO, California Ranking Member
ELIOT L. ENGEL, New York FRED UPTON, Michigan
DIANA DeGETTE, Colorado JOHN SHIMKUS, Illinois
MIKE DOYLE, Pennsylvania MICHAEL C. BURGESS, Texas
JAN SCHAKOWSKY, Illinois STEVE SCALISE, Louisiana
G. K. BUTTERFIELD, North Carolina ROBERT E. LATTA, Ohio
DORIS O. MATSUI, California CATHY McMORRIS RODGERS, Washington
KATHY CASTOR, Florida BRETT GUTHRIE, Kentucky
JOHN P. SARBANES, Maryland PETE OLSON, Texas
JERRY McNERNEY, California DAVID B. McKINLEY, West Virginia
PETER WELCH, Vermont ADAM KINZINGER, Illinois
BEN RAY LUJAN, New Mexico H. MORGAN GRIFFITH, Virginia
PAUL TONKO, New York GUS M. BILIRAKIS, Florida
YVETTE D. CLARKE, New York, Vice BILL JOHNSON, Ohio
Chair BILLY LONG, Missouri
DAVID LOEBSACK, Iowa LARRY BUCSHON, Indiana
KURT SCHRADER, Oregon BILL FLORES, Texas
JOSEPH P. KENNEDY III, SUSAN W. BROOKS, Indiana
Massachusetts MARKWAYNE MULLIN, Oklahoma
TONY CARDENAS, California RICHARD HUDSON, North Carolina
RAUL RUIZ, California TIM WALBERG, Michigan
SCOTT H. PETERS, California EARL L. ``BUDDY'' CARTER, Georgia
DEBBIE DINGELL, Michigan JEFF DUNCAN, South Carolina
MARC A. VEASEY, Texas GREG GIANFORTE, Montana
ANN M. KUSTER, New Hampshire
ROBIN L. KELLY, Illinois
NANETTE DIAZ BARRAGAN, California
A. DONALD McEACHIN, Virginia
LISA BLUNT ROCHESTER, Delaware
DARREN SOTO, Florida
TOM O'HALLERAN, Arizona
------
Professional Staff
JEFFREY C. CARROLL, Staff Director
TIFFANY GUARASCIO, Deputy Staff Director
MIKE BLOOMQUIST, Minority Staff Director
Subcommittee on Consumer Protection and Commerce
JAN SCHAKOWSKY, Illinois
Chairwoman
KATHY CASTOR, Florida CATHY McMORRIS RODGERS, Washington
MARC A. VEASEY, Texas Ranking Member
ROBIN L. KELLY, Illinois FRED UPTON, Michigan
TOM O'HALLERAN, Arizona MICHAEL C. BURGESS, Texas
BEN RAY LUJAN, New Mexico ROBERT E. LATTA, Ohio
TONY CARDENAS, California, Vice BRETT GUTHRIE, Kentucky
Chair LARRY BUCSHON, Indiana
LISA BLUNT ROCHESTER, Delaware RICHARD HUDSON, North Carolina
DARREN SOTO, Florida EARL L. ``BUDDY'' CARTER, Georgia
BOBBY L. RUSH, Illinois GREG GIANFORTE, Montana
DORIS O. MATSUI, California GREG WALDEN, Oregon (ex officio)
JERRY McNERNEY, California
DEBBIE DINGELL, Michigan
FRANK PALLONE, Jr., New Jersey (ex
officio)
C O N T E N T S
----------
Page
Hon. Jan Schakowsky, a Representative in Congress from the State
of Illinois, opening statement................................. 1
Prepared statement........................................... 2
Hon. Cathy McMorris Rodgers, a Representative in Congress from
the State of Washington, opening statement..................... 4
Prepared statement........................................... 5
Hon. Frank Pallone, Jr., a Representative in Congress from the
State of New Jersey, opening statement......................... 6
Prepared statement........................................... 8
Hon. Greg Walden, a Representative in Congress from the State of
Oregon, opening statement...................................... 9
Prepared statement........................................... 11
Witnesses
Joseph J. Simons, Chairman, Federal Trade Commission............. 13
Prepared statement \1\....................................... 15
Answers to submitted questions............................... 107
Christine S. Wilson, Commissioner, Federal Trade Commission...... 42
Answers to submitted questions............................... 135
Rebecca Kelly Slaughter, Commissioner, Federal Trade Commission.. 43
Answers to submitted questions............................... 143
Noah Joshua Phillips, Commissioner, Federal Trade Commission..... 45
Answers to submitted questions............................... 151
Rohit Chopra, Commissioner, Federal Trade Commission............. 46
Answers to submitted questions............................... 169
Submitted Material
Letter of March 20, 2019, from Mr. Pallone and Ms. Schakowsky to
Joseph J. Simons, Chairman, Federal Trade Commission, submitted
by Ms. Schakowsky.............................................. 85
Letter of April 1, 2019, from Joseph J. Simons, Chairman, Federal
Trade Commission, to Ms. Schakowsky, submitted by Ms.
Schakowsky..................................................... 88
Letter of October 26, 2018, from James L. Madara, Executive Vice
President and Chief Executive Officer, American Medical
Association, to Joseph J. Simons, Chairman, Federal Trade
Commission, submitted by Mr. Rush.............................. 93
Letter of May 6, 2019, from Marc Rotenberg, President, and
Caitriona Fitzgerald, Policy Director, Electronic Privacy
Information Center, to Ms. Schakowsky and Mrs. Rodgers, \2\
submitted by Ms. Schakowsky
Letter of May 8, 2019, from Richard Hunt, President and Chief
Executive Officer, Consumer Bankers Association, to Mr. Pallone
and Mr. Walden, submitted by Ms. Schakowsky.................... 95
----------
\1\ Mr. Simons and the four FTC Commissioners submitted a joint
prepared statement.
\2\ The letter has been retained in committee files and also is
available at https://docs.house.gov/meetings/IF/IF17/20190508/109415/
HHRG-116-IF17-20190508-SD004.pdf.
Letter of May 8, 2019, from Michael Beckerman, President and
Chief Executive Officer, Internet Association, to Ms.
Schakowsky and Mrs. Rodgers, submitted by Ms. Schakowsky....... 99
Letter of May 7, 2019, from Brad Thaler, Vice President of
Legislative Affairs, National Association of Federally-Insured
Credit Unions, to Ms. Schakowsky and Mrs. Rodgers, submitted by
Ms. Schakowsky................................................. 101
Letter of May 8, 2019, from Tina Olson Grande, Healthcare
Leadership Council, on behalf of the Confidentiality Coalition,
Electronic Privacy Information Center, to Ms. Schakowsky and
Mrs. Rodgers, submitted by Ms. Schakowsky...................... 103
OVERSIGHT OF THE FEDERAL TRADE COMMISSION: STRENGTHENING PROTECTIONS
FOR AMERICANS' PRIVACY AND DATA SECURITY
----------
WEDNESDAY, MAY 8, 2019
House of Representatives,
Subcommittee on Consumer Protection and Commerce,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 10:30 a.m., in
the John D. Dingell Room 2123, Rayburn Rayburn House Office
Building, Hon. Jan Schakowsky (chairwoman of the subcommittee)
presiding.
Members present: Representatives Schakowsky, Castor, Kelly,
O'Halleran, Lujan, Cardenas, Blunt Rochester, Soto, Rush,
Matsui, McNerney, Dingell, Pallone (ex officio), Rodgers
(subcommittee ranking member), Upton, Burgess, Latta, Guthrie,
Bucshon, Hudson, Carter, Gianforte, and Walden (ex officio).
Also present: Representative Walberg.
Staff present: Billy Benjamin, Systems Administrator;
Jeffrey C. Carroll, Staff Director; Evan Gilbert, Deputy Press
Secretary; Lisa Goldman, Senior Counsel; Waverly Gordon, Deputy
Chief Counsel; Tiffany Guarascio, Deputy Staff Director; Alex
Hoehn-Saric, Chief Counsel, Communications and Consumer
Protection; Zach Kahan, Outreach and Member Service
Coordinator; Meghan Mullon, Staff Assistant; Alivia Roberts,
Press Assistant; Tim Robinson, Chief Counsel; Chloe Rodriguez,
Policy Analyst; Ben Rossen, FTC Detailee; C. J. Young, Press
Secretary; Jordan Davis, Minority Senior Advisor; Margaret
Tucker Fogarty, Minority Staff Assistant; Melissa Froelich,
Minority Chief Counsel, Consumer Protection and Commerce; Bijan
Koohmaraie, Minority Counsel, Consumer Protection and Commerce;
and Brannon Rains, Minority Legislative Clerk.
Ms. Schakowsky. The Subcommittee on Consumer Protection and
Commerce will now come to order. We will begin with Member
opening statements, and I will begin for 5 minutes.
OPENING STATEMENT OF HON. JAN SCHAKOWSKY, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF ILLINOIS
So, good morning, and thank you to the Federal Trade
Commission for being with us this morning. It is really an
honor to have all of you here. It means a great deal to us.
The FTC is an independent agency created by Congress to
protect the American people. Recent media reports have focused
on the Federal Trade Commission's potentially record-breaking
fine of Facebook. The fact of the matter is that I believe that
the public information known about this case underscores the
need for comprehensive privacy legislation. And we are really
going to focus, at least I am, on privacy legislation and what
we can do.
And while I appreciate the Commission's work on and action
on the Facebook case, I believe the reality is that a large
fine in a single case does not meaningfully solve the problems
that consumers face because of the FTC's lack of tools it needs
to fulfill the mission to protect consumers in today's economy.
The FTC needs increased funding and the APA, Administration
Procedures Act--I can't stand those acronyms, OK--the
rulemaking authority, at a minimum, to restore consumers'
confidence in today's digital and brick-and-mortar marketplace,
the FTC should be able to pursue multiple investigations both
large and small.
And, Chairman Simons, I want to thank you and offer my
support for APA rulemaking that you said that you wanted to
see. We know the American people are counting on us to act.
According to a recent survey, 67 percent of American adults
want the Government to act to protect them and to protect their
privacy. But as it stands right now, the FTC does not have
authority to obtain civil penalties for initial violations for
most unfair or deceptive practices, making matters much worse.
The Federal Trade Commission has only 40 full-time staff
devoted to privacy and data security. Contrast that with the
United Kingdom Information Commissioner's Office which has
about 500 employees for a country about one-fifth of the size
of the United States. And unfortunately, Chairman Simons,
unlike other recent administrations, you have not appointed a
chief technologist, and in fact only five people at the FTC
right now are identified as technologists.
Energy and Commerce Democrats feel we have an obligation to
provide a solid piece of legislation that protects consumer
privacy. We have begun conversations now with the Republicans
as well, and I am very hopeful that legislation will be
bipartisan, and I am looking forward to working with all of you
on the Federal Trade Commission in designing this legislation.
We welcome the Commissioners today to learn how we can assist
them in fulfilling their mission, our joint mission.
[The prepared statement of Ms. Schakowsky follows:]
Prepared Statement of Hon. Jan Schakowsky
I yield myself 5 minutes for an opening statement.
Good morning and thank you to the Federal Trade Commission
for being here with us this morning. The FTC is an independent
agency created by Congress to protect the American people.
Recent media reports have focused on FTC's potentially
record-breaking fine of Facebook. The fact of the matter is
that the public information known about that case underscores
the need for comprehensive privacy legislation.
And while I appreciate the Commission's work and action on
the Facebook case, I believe the reality is that a large fine
in a single case does not meaningfully solve the problems
consumers face because of the FTC's lack of tools it needs to
fulfill the mission to protect consumers in today's economy.
The FTC needs increased funding and Administrative
Procedure Act rulemaking authority at a minimum to restore
consumer confidence in today's digital and brick-and-mortar
marketplaces. The FTC should be pursuing multiple
investigations, both large and small. Chairman Simons has
publicly voiced support for Administration Proceedings Act
rulemaking authority, and I am appreciative of those comments.
We know the American people are counting on us to act.
According to a recent survey, 67 percent of American adults
want the Government to act to protect their privacy.
But, as it stands, the FTC does not have authority to
obtain civil penalties for initial violations for most unfair
or deceptive practices. Making matters much worse, the FTC has
only 40 full-time staff devoted to privacy and data security.
Contrast that with the United Kingdom Information
Commissioner's Office, which has about 500 employees for a
country about one fifth the size of the United States. And
unfortunately, Chairman Simons, unlike other recent
administrations, has not appointed a Chief Technologist, and
only 5 people at the FTC are technologists.
Energy and Commerce Democrats feel we have an obligation to
produce a solid piece of legislation that protects consumer
privacy. We've begun conversations now with the Republicans.
It's my hope that this legislation will be bipartisan. And I am
looking forward to working with the FTC in designing this
legislation.
I welcome the Commission today to learn how we can assist
them in fulfilling their mission.
Ms. Schakowsky. I want to yield the balance of my time to
Congressman Lujan.
Mr. Lujan. Thank you, Chairwoman Schakowsky. And I thank
Chairman Pallone, Ranking Members Walden and Rodgers, for this
important hearing today on privacy and data security.
Let me start with just a few numbers: 500 million, 148
million, and 87 million. These are the numbers of consumers
impacted by the Marriott, 500 million; Equifax data breaches,
148 million; and the Facebook-Cambridge Analytica scandal, 87
million. These massive numbers represent real people, people
whose trust and privacy has been violated. Most of them not
been made whole, still vulnerable today.
Here is another number, 21. It has been 21 years since
Congress passed even limited privacy legislation, the
Children's Online Privacy Act. In 1998, America Online had 14
million subscribers, Google was a month old, and Facebook
didn't even exist. These numbers make it real; we must act to
pass comprehensive data privacy and security legislation.
And most recently in 2017, when we discovered and learned
about the breach with Equifax back in September of '17, there
were hearings held in October of '17. It appeared that there
were commitments made in this committee to the American people
that action would be taken before the holiday season and here
we are today, still where no action taken and that is why this
hearing matters so very much.
And so with that, Madam Chair, I thank you for the hearing.
I urge us to act. And I thank the Commissioners for their
testimony and I look forward to today's discussion. And I yield
back.
Ms. Schakowsky. Would anyone else on the Democratic side
want the time that is remaining? Otherwise, I yield back and I
now recognize the ranking member, Ms. McMorris Rodgers, for her
opening statement.
OPENING STATEMENT OF HON. CATHY McMORRIS RODGERS, A
REPRESENTATIVE IN CONGRESS FROM THE STATE OF WASHINGTON
Mrs. Rodgers. Thank you, Madam Chairman, and welcome to
everyone, the Chairman and the Commissioners from the Federal
Trade Commission.
Today's hearing is very important. Whether through
deceptive advertising, fraud, or other schemes, bad actors
regularly try to game the system and destroy trust. The FTC has
been one of the top cops on the consumer protection beat for
decades. I am glad that you are here to discuss the
Commission's vital mission to protect consumers and promote
competition and innovation especially as it relates to one of
the most important issues today, our privacy.
In America's 21st century economy, our days start and end
by exchanging our information with products that save us time,
keep us informed, connect us with our communities. Many of us
start our day by asking Alexa or Siri, ``What is the weather
today?'' Then we browse Facebook and Instagram, open some
emails, read the news, check for traffic updates on our
iPhones, and if the traffic doesn't look too bad there is time
to order groceries to be picked up or delivered after work. And
that is just before we walk out the door. All day long, we are
sharing our information with the internet marketplace. And for
people who use health trackers and apps, it might not even stop
when you go to sleep.
This free flow of information drives much of the innovation
and technology growth here in the United States. Bottom line,
we make choices every day to be connected, and when we do, we
must be able to trust that our privacy is protected. We deserve
to know how our data is being collected, how it is being used,
and who it is being shared with. There shouldn't be so many
surprises, and these protections shouldn't change depending
upon which State we are in.
In a recent survey, 75 percent of respondents said privacy
protections should be the same everywhere they go. The vast
majority of Americans want the same protections whether they
live in Eastern Washington, San Francisco, New Jersey, or
Illinois. That is why I have been advocating and leading for a
national standard for data privacy that, one, doesn't leave our
privacy vulnerable in a patchwork; two, increases transparency
and targets harmful practices like Cambridge Analytica; three,
improves data security practices; and four, is workable for our
Nation's innovators and small businesses.
So, today, I look forward to hearing from the Federal Trade
Commission which is the main cop on the beat to enforce privacy
standards, promote transparency, and hold companies
accountable. The FTC's mission is to protect consumers and
promote innovation. Our four principles for data privacy law
are in line with the mission. It is about protecting consumers
from concrete harms, empowering the choices that they make, and
also promoting new technologies that we haven't even dreamed of
yet. This Congress should lead on writing privacy rules of the
road. I remain ready and willing to work with my colleagues on
this committee for a bipartisan solution that puts consumers
and their choices first.
In various proposals, some groups have called for the FTC
to have additional resources and authorities. I remain
skeptical of Congress delegating broad authority to the FTC or
any agency. However, we must be mindful of the complexities of
this issue as well as the lessons learned from previous grants
of rulemaking authority to the Commission.
The FTC's jurisdiction is incredibly broad. Its authority
extends beyond just big tech, touching almost every aspect of
our marketplace from loyalty programs at your local grocery
store to your favorite coffee shop. The existing statutory
rulemaking authority given to the FTC by Congress must also be
part of the discussion. Had the FTC undertook rulemaking
efforts on any number of issues we will discuss today, even
starting 8 to 10 years ago, those efforts could have already
been completed. The history of the FTC's authority is
important, and it should not be transformed from a law
enforcement agency to a massive rulemaking regime.
To understand the pain this could cause, look no further
than GDPR in Europe. Investment in startups in Europe is down
40 percent and thousands of U.S. firms are no longer operating
in the EU because they can't take on the millions of dollars in
compliance cost. If we decide to increase FTC's resources and
authority to enforce privacy law, then this committee must
exercise its oversight of the Commission to its fullest.
Oversight must be a part of the conversation, so Congress does
its job to review and hold the FTC accountable.
Thank you, everyone, for being here, and I look forward to
our discussion.
[The prepared statement of Mrs. Rodgers follows:]
Prepared Statement of Hon. Cathy McMorris Rodgers
Good morning and welcome to the Consumer Protection and
Commerce Subcommittee hearing with the Federal Trade
Commission.
Thank you Chairman Simons, and Commissioners Phillips,
Wilson, Chopra, and Slaughter.
Whether through deceptive advertising, fraud, or other
schemes, bad actors regularly try to game our system. The FTC
has been one of the top cops on the consumer protection beat
for decades.
I'm glad you are here to discuss the Commission's vital
mission to protect consumers and promote competition and
innovation especially as it relates to one of the most
important issues today--data privacy.
In America's 21st century economy, our days start and end
by exchanging our information with products the save us time,
keep us informed, and connect us with our communities.
Many of us start our days asking Alexa or Siri, what's the
weather today? Then we browse Facebook and Instagram open some
emails and read the news; check for traffic updates on our
iPhones and if traffic doesn't look too bad, there's time to
order groceries to be picked up or delivered after work.
And that's just before we walk out the door.
All day long we are sharing our information with the
internet marketplace and for people who use health trackers and
apps, it might not even stop when you go to sleep. This free
flow of information drives much of the innovation and
technology growth here in the U.S.
Bottom line, we make choices every day to be connected and
when we do, we should be able to trust that our privacy is
protected.
We deserve to know how our data is collected, how it's
used, and who it's being shared with. There should be no
surprises and these protections shouldn't change depending on
what State we're in.
In recent survey, 75 percent of respondents said privacy
protections should be the same everywhere they go. The vast
majority of Americans want the same protections whether they
are in Eastern Washington, San Francisco, New Jersey, or
Illinois.
That's why we've been advocating and leading for a national
standard for data privacy that:
One, doesn't leave our privacy vulnerable in a patchwork
Two, increases transparency and targets harmful practices,
like Cambridge Analytica
Three, improves data security practices
And four, is workable for our Nation's innovators and small
businesses.
So today, I look forward to hearing from the Federal Trade
Commission which is the main cop on the beat to enforce privacy
standards, promote transparency, and hold companies
accountable.
The FTC's mission is to protect consumers and promote
innovation. Our four principles for a data privacy law, are in
line with that mission.
It's about protecting consumers from concrete harms,
empowering the choices they make and also, promoting the new
technologies that we haven't even dreamed of yet. This Congress
should lead on writing the privacy rules of the road.
I remain ready and willing to work with my colleagues on
the committee for a bipartisan solution that puts consumers and
their choices first.
In various proposals some groups have called for the FTC to
have additional resources and authorities. I remain skeptical
of Congress delegating broad authority to the FTC or any
agency, however we must be mindful of the complexities of these
issues as well as the lessons learned from previous grants of
rulemaking authority to the Commission.
The FTC's jurisdiction is incredibly broad. Its authority
extends beyond just Big Tech, touching almost every aspect of
our marketplace--from loyalty programs at your local grocery
store to your favorite coffee shop.
The existing statutory rulemaking authority given to the
FTC by Congress must also be part of this discussion. Had the
FTC undertook rulemaking efforts on any number of issues we
will discuss today. even starting 8 to 10 years ago. those
efforts could have already been completed.
The history of the FTC's authority is important, and it
should not be transformed from a law enforcement agency to a
massive rulemaking regime. To understand the pain this could
cause look no further than GDPR in Europe.
Investment in startups in Europe is down 40 percent and
thousands of US firms are no longer operating in the EU because
they can't take on the millions of dollars in compliance costs.
If we decide to increase the FTC's resources and authority
to enforce a privacy law, then this committee must exercise its
oversight of the Commission to its fullest extent.
Oversight must be part of this conversation. so Congress
does its job to review and hold the FTC accountable.
Thank you all for being here today and I look forward to
our discussion.
Ms. Schakowsky. The gentlelady yields back. And now I
recognize the chair of the full committee, Mr. Pallone, for 5
minutes.
OPENING STATEMENT OF HON. FRANK PALLONE, Jr., A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF NEW JERSEY
Mr. Pallone. Thank you, Madam Chair.
The Federal Trade Commission plays a critical role in
protecting American consumers and promoting competition in the
marketplace. It is a relatively small agency, but the breadth
of its mission is vast. As the Nation's consumer protection
agency, the FTC works to protect consumers from a variety of
unfair and deceptive practices including false advertising,
illegal telemarketing, unfair debt collection and fraud.
Last year, the FTC received nearly 3 million complaints
from consumers who reported losing around $1\1/2\ billion to
fraud. Seniors particularly were preyed upon by criminals
pretending to need money to bail their grandchildren out of
jail. Veterans were tricked into giving their credit card
information to a thief who claimed to work for the Veterans
Choice Program, just as examples. And these two examples of the
thousands of frauds the FTC face every day, many are
perpetrated through robocalls which I am working to address
through the Stopping Bad Robocalls Act.
But that is not the only way fraudsters commit their
offenses and the FTC needs more support and more authority to
prevent scams and enforce the law. The FTC is also the Nation's
primary enforcer in the area of privacy and data security. Talk
about a daunting job. When you consider that companies today
monitor every move we make, they are tracking where we go, who
we are with, our private conversations, our health, the
websites we visit, and increasingly what we do inside our
homes. And as we have learned from the concerning privacy
issues surrounding Cambridge Analytica and Facebook and from
massive data breaches like the one at Equifax, there is little
reason to believe that consumers can trust these companies with
our personal data.
The FTC can and should be doing more to protect consumers
and Congress needs to give the FTC the tools it needs to be
more effective. That starts with resources. The FTC has fewer
employees today than it did in the 1980s when the internet did
not exist. It has just 40 employees responsible for protecting
the data of 300 million Americans. I think that is just
unacceptable, particularly when you consider that the United
Kingdom, which has a much smaller population, has more than 500
people who protect the privacy and data of its residents.
So we have to give the FTC the resources it needs to become
a global leader on privacy and data security. The FTC also
needs more authority to prevent privacy abuses from happening
in the first place and to ensure that companies properly secure
the personal data entrusted to them. Too often, the FTC can do
little more than give a slap on the wrist to companies the
first time they violate the law. That is because it lacks the
authority to impose a monetary penalty for initial violations.
Currently, the FTC can only order a company to stop the bad
practices and promise not to do it again. And if we really want
to deter companies from breaking the law, the FTC needs to be
able to impose substantial fines on companies the first time.
To make matters worse, there are no strong and clear Federal
privacy laws and regulations that establish a baseline for how
companies collect, use, share, and protect consumer
information. The FTC lacks the ability to issue such
regulations, leaving Americans left to the whims of
corporations.
Companies should not be gathering consumer information
without a good reason and should have clear consent when they
use that information for purposes a consumer would not
reasonably expect. When I search online about the side effects
of a medicine, I don't expect that information to be shared
with advertisers, data brokers, or insurance companies, and it
shouldn't be shared unless I say so.
Companies also need to protect the data they collect so
Americans are not as vulnerable to identity theft, scams, and
other unfair and deceptive acts as they are today. So Congress
should pass, or must pass strong, comprehensive privacy
legislation, and this committee intends to take that action.
The legislation that we pass should give consumers control over
their personal data including giving consumers the ability to
access, correct, and delete their personal information. And it
should shift the burden to companies to ensure they only use
the information consistent with reasonable consumer
expectations.
So I look forward to hearing from all the Commissioners
about how the FTC can better fulfill its mission in this
important area of consumer protection.
[The prepared statement of Mr. Pallone follows:]
Prepared Statement of Hon. Frank Pallone, Jr.
The Federal Trade Commission (FTC) plays a critical role in
protecting American consumers and promoting competition in the
marketplace. It is a relatively small agency, but the breadth
of its mission is vast.
As the Nation's consumer protection agency, the FTC works
to protect consumers from a variety of unfair and deceptive
practices, including false advertising, illegal telemarketing,
unfair debt collection, and fraud.
Last year, the FTC received nearly 3 million complaints
from consumers who reported losing around $1.5 billion to
fraud. Seniors were preyed upon by criminals pretending to need
money to bail their grandchildren out of jail. Veterans were
tricked into giving their credit card information to a thief
who claimed to work for the Veterans Choice Program.
These are just two examples of the thousands of frauds the
FTC faces every day. Many are perpetrated through robocalls,
which I am working to address through the Stopping Bad
Robocalls Act. But that is not the only way fraudsters commit
their offences and the FTC needs more support and more
authority to prevent scams and enforce the law.
The FTC is also the Nation's primary enforcer in the area
of privacy and data security. Talk about a daunting job when
you consider that companies today monitor every move we make.
They are tracking where we go, who we are with, our private
conversations, our health, the websites we visit, and,
increasingly, what we do inside our homes. As we have learned
from the concerning privacy issues surrounding Cambridge
Analytica and Facebook, and from massive data breaches like the
one at Equifax, there is little reason to believe that
consumers can trust these companies with our personal data.
The FTC can and should be doing more to protect consumers,
and Congress needs to give the FTC the tools it needs to be
more effective. That starts with resources. The FTC has fewer
employees today than it did in the 1980s when the Internet did
not exist. It has just 40 employees responsible for protecting
the data of 300 million Americans. That's unacceptable--
particularly when you consider that the United Kingdom, which
has a much smaller population, has more than 500 people who
protect the privacy and data of its residents. We must give the
FTC the resources it needs to become a global leader on privacy
and data security.
The FTC also needs more authority to prevent privacy abuses
from happening in the first place and to ensure that companies
properly secure the personal data entrusted to them.
Too often, the FTC can do little more than give a slap on
the wrist to companies the first time they violate the law.
That's because it lacks the authority to impose a monetary
penalty for initial violations. Currently, the FTC can only
order a company to stop the bad practices and promise not to do
it again. If we really want to deter companies from breaking
the law, the FTC needs to be able to impose substantial fines
on companies the first time.
To make matters worse, there are no strong and clear
Federal privacy laws and regulations that establish a baseline
for how companies collect, use, share, and protect consumer
information. The FTC lacks the ability to issue such
regulations leaving Americans left to the whims of
corporations.
Companies should not be gathering consumer information
without a good reason and should have clear consent when they
use that information for purposes a consumer would not
reasonably expect. When I search online about the side effects
of a medicine, I don't expect that information to be shared
with advertisers, data brokers, or insurance companies and it
shouldn't be shared unless I say so. Companies also need to
protect the data they collect so Americans are not as
vulnerable to identity theft, scams, and other unfair and
deceptive acts as they are today.
Congress must pass strong, comprehensive privacy
legislation, and this committee will take action. The
legislation should give consumers control over their personal
data, including giving consumers the ability to access,
correct, and delete their personal information. And it should
shift the burden to companies to ensure they only use the
information consistent with reasonable consumer expectations.
I look forward to hearing from all of the Commissioners
about how the FTC can better fulfill its mission in this
important area of consumer protection. Thank you, and I yield
back my time.
Mr. Pallone. And unless somebody wants the time, there is
not much left--yes, I will yield to the gentlewoman from
Florida.
Ms. Castor. Well, I thank the chairman of the committee for
yielding the time.
And I just wanted to start out by saying that America needs
a modern online privacy law and the Federal Trade Commission
needs the tools and resources to effectively enforce law and
hold bad actors accountable. And I think, I encourage you all
today to also discuss the Children's Online Privacy Protection
Act because I think it is in need of substantial updates,
especially looking at how we enforce it, the sham safe harbor
provisions, and your opinions on adopting some reasonable
collection parameters. So thank you, and I yield back.
Mr. Pallone. And I yield back, Madam Chair.
Ms. Schakowsky. The gentleman yields back, and now I will
recognize the ranking member of the committee, Mr. Walden, for
5 minutes.
OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OREGON
Mr. Walden. Good morning, Madam Chair. Thanks for having
this hearing. I want to welcome our Commissioners as well for
being here from the Federal Trade Commission. Thank you. We
will be informed by your testimony and we appreciate the work
you do at the FTC.
We know you're tasked with broad and important
responsibilities and it is a jurisdiction that spreads out over
almost every aspect of the United States economy from large
household name technology companies at Silicon Valley to small
mom and pop shops in rural America. But recently concerns
surrounding data security and data privacy including questions
about what information is collected, how companies use that
information, who that information is shared with, and what
protections exist for consumers have demanded more and more
congressional attention and appropriately so.
In the last Congress, this committee held very high-profile
hearings around incidents involving data security and data
privacy issues with CEOs. They sat right there from Equifax;
Mark Zuckerberg was there for 5 hours from Facebook; we had
those from Twitter as well. We also held hearings focused on
securing consumer information, on understanding algorithmic
decision making, exploring the online advertising ecosystem and
how it operates, and an oversight hearing with you, the FTC.
Privacy was a premier issue during these hearings, but as we
learned, this is also a tough issue to legislate on. Privacy
does not mean the exact same thing to each and every person.
I want to echo the sentiments of my colleague,
Representative Rodgers, who outlined the vast benefits
consumers also get from the use of their information online. It
is a goods for services exchange. We don't always know that but
we do benefit from that. We cannot lose sight of the tremendous
benefits consumers get from the use of this data: access to
top-tier journalism, affordable and quickly delivered products,
telehealth and research initiatives, and much, much more.
Here in the United States we have a thriving startup
ecosystem and a regulatory environment that enables small
businesses to grow and compete in no small part because the
free flow of information. And as a result, companies innovate,
they create jobs in America, and offer consumers options and
convenience that most of us never dreamed would be possible.
I believe it is important we work together toward a
bipartisan, Federal privacy bill and we are ready and willing
to tackle crafting such a bill. I think we were informed by our
hearings in the last 2 years and are more than prepared now to
move forward to write legislation in a bipartisan way. A
Federal privacy bill must set one national standard. Allowing a
patchwork of State laws will not only hurt innovation and small
businesses, but will limit consumers' options online. Consumers
expect a seamless online experience and I do not want to see
that taken away.
We must protect innovation and small businesses. We should
learn from Europe where large companies are only getting larger
and unfortunately small companies are getting smaller or
disappearing altogether online. You know, JPMorgan Chase &
Company CEO Jamie Dimon recently said Dodd-Frank created a moat
around his company, which is exactly what we risk doing with
the likes of Google and Facebook and the big ones, because they
will always be able to comply, and they will just get bigger if
we don't craft the law correctly.
We must enhance security for consumers. Companies must have
reasonable practices in place to protect consumer information,
period. We must increase transparency. Consumers deserve to
know how their information is collected, how it is used, and
how it is shared. And we must improve accountability. When
companies fail to keep their promises or outright misuse
consumer information, those companies must be held accountable.
This goes to the heart of the enforcement issues. Federal Trade
Commission accomplishes its consumer protection mission through
law enforcement, by bringing action against companies who
engage in unfair or deceptive acts or practices. And we know
you have a big decision before you right now involving one of
those companies.
Through advocacy, through consumer and business education
efforts, you do it all. The FTC can file injunctions, you can
levy civil penalties, and you can seek remedies on behalf of
consumers to redress harms. The Federal Trade Commission
generally operates a highly effective, bipartisan agency,
returning millions directly to consumers after they are
defrauded, and I look forward to hearing an update on those
efforts. I also look forward to hearing about the consumer
protection hearings and what the agency has learned about
privacy harms and risks.
Every agency has challenges and recent court changes in
cases have changed the direction of some agency activity to
refocus on due process. I am encouraged that these types of
improvements would help small businesses understand their
rights when faced with the full force of the FTC. I believe the
FTC is the right agency to enforce new privacy law with
appropriate safeguards and process improvements to ensure
strong, consistent enforcement.
Some have suggested the quick answer is more money, more
rulemaking authority, and more employees. There is no quick
fix, I would argue. I would like to hear from the Chairman
about his views on unbounded rulemaking at the FTC and whether
the agency can compete for talent with the big tech companies
that are moving to the DC area. And we must consider market
realities and ask if there are more effective ways to get
experts to the FTC for unique cases.
So, Madam Chair, thanks for having this hearing. I think it
is really important and we look forward to working with you and
others on the committee to get this right and get it into law.
And I yield back.
[The prepared statement of Mr. Walden follows:]
Prepared Statement of Hon. Greg Walden
Good morning. I want to thank Chairman Simons and
Commissioners Phillips, Wilson, Chopra, and Slaughter for being
here. I am glad to see the five of you here again after our
productive conversation last summer before this subcommittee.
The Federal Trade Commission is tasked with broad and
important responsibilities and its jurisdiction spreads out
over almost every aspect of the U.S. economy--from large,
household-named technology companies in Silicon Valley to small
mom-and-pop shops in rural America.
But, recently, concerns surrounding data security and data
privacy, including questions about what information is
collected, how companies use that information, who that
information is shared with, and what protections exist for
consumers, have demanded more Congressional attention.
Last Congress, this committee held high-profile hearings
around incidents involving data security and data privacy
issues with the CEOs of Equifax, Facebook, and Twitter. We also
held hearings focused on: securing consumer information;
understanding algorithmic decision making; exploring the online
advertisement ecosystem and how it operates; and an oversight
hearing with you, the FTC.
Privacy was a premiere issue during these hearings. But as
we learned, this is a tough issue; privacy does not mean the
exact same thing to every American.
I want to echo the sentiments of my colleague Rep. Rodgers
who outlined the vast benefits consumers get from the use of
their information online. We cannot lose sight of the
tremendous benefits consumers get from the use of data--access
to top-tier journalism, affordable and quickly delivered
products, telehealth and research initiatives, and much more.
Here in the U.S., we have a thriving startup ecosystem and
a regulatory environment that enables small businesses to grow
and compete, in no small part because of the free flow of
information. And, as a result, companies innovate, create new
jobs, and offer consumers options and convenience.
I believe it is important that we work together toward a
bipartisan Federal privacy bill. And we are ready and willing
to tackle crafting such a bill. I hope that we can continue
down the bipartisan path together.
A Federal privacy bill must set one national standard.
Allowing a patchwork of State laws will not only hurt
innovation and small businesses but will limit consumers
options online. Consumers expect a seamless online experience,
and I do not want to see that taken away.
We must protect innovation and small businesses. We should
learn from Europe--where large companies are only getting
larger and small companies are only getting smaller. JPMorgan
Chase & Co. CEO Jamie Dimon recently said Dodd-Frank created a
moat around his company--which is exactly what we risk doing
with the likes of Google and Facebook if we do not carefully
craft a national privacy bill.
We must enhance security for consumers. Companies must have
reasonable practices in place to protect consumer information.
We must increase transparency--consumers deserve to know
how their information is collected, used, and shared.
And we must improve accountability. When companies fail to
keep their promises or outright misuse consumer information,
those companies must be held accountable. This goes to the
heart of the enforcement issues.
The FTC accomplishes its consumer protection mission
through law enforcement--by bringing actions against companies
who engage in unfair or deceptive acts or practices; through
advocacy; and through consumer and business education efforts.
The FTC can file injunctions, levy civil penalties, and can
seek remedies on behalf of consumers to redress their harms.
The FTC generally operates as a highly effective bipartisan
agency. Returning millions directly to consumers after they are
defrauded, and I look forward to hearing an update on those
efforts. I also look forward to hearing about the consumer
protection hearings and what the agency has learned about
privacy harms and risks.
Every agency has challenges, and recent court cases have
changed the direction of some agency activity to refocus on due
process. I am encouraged that these types of improvements would
help small businesses understand their rights when faced with
the full force of the FTC.
I believe the FTC is the right agency to enforce a new
privacy law with appropriate safeguards and process
improvements to ensure strong, consistent enforcement. Some
have suggested that the quick answer is more money, more
rulemaking authority, and more employees. There is no quick
fix. I would like to hear from the Chairman about his views on
unbounded rulemaking for the FTC, and whether the agency can
compete for talent with the big tech firms moving to the DC
area. We must consider market realities and ask if there is a
more effective way to get experts to the FTC for unique cases.
I look forward to hearing from you all about how you are
thinking of using the current tools at the FTC to address
privacy concerns in our digital world.
Thank you.
Ms. Schakowsky. The gentleman yields back. And the Chair
would like to remind Members that, pursuant to committee rules,
all Members' written opening statements shall be made part of
the record.
Next, I am going to introduce all of our witnesses, but I
want to tell all of you that I had a standing-room-only FTC-
sponsored scam workshop in my district along with Congressman
Brad Schneider, which was amazing, and I would encourage all
Members to consider doing that. The turnout was unprecedented,
and people really appreciated it. So thank you.
So let me introduce our witnesses. The Honorable Joseph
Simons, Chairman of the Federal Trade Commission; Commissioner
Christine Wilson; Honorable Commissioner Rebecca Kelly--Rebecca
Kelly Slaughter, sorry; Commissioner Noah Joshua Phillips;
Commissioner Rohit Chopra. We are happy to have you all, and we
want to thank our witnesses for joining us today. We look
forward to your testimony.
And at this time, the Chair will now recognize each witness
for 5 minutes to provide their opening statements.
Before we begin, I would like to explain the lighting
system. I think probably most of you know that the light will
initially be green at the start of your opening statement, then
it will go to yellow when you have 1 minute, and then it will
go to red. And we would appreciate it very much if you would
end in those 5 minutes. So, Chairman Simons, you are recognized
for your 5 minutes.
STATEMENTS OF JOSEPH J. SIMONS, CHAIRMAN, AND CHRISTINE S.
WILSON, REBECCA KELLY SLAUGHTER, NOAH JOSHUA PHILLIPS, AND
ROHIT CHOPRA, COMMISSIONERS, FEDERAL TRADE COMMISSION
STATEMENT OF JOSEPH J. SIMONS
Mr. Simons. Chairman Schakowsky, Ranking Member Rodgers,
and distinguished members of the subcommittee, it is an honor
and a privilege to appear before you today, and especially with
my esteemed colleagues, my fellow Commissioners.
The FTC is a highly effective, independent agency with a
broad mission to protect consumers and maintain competition in
most sectors of the economy. On the competition side, examples
of our vigorous enforcement program include cases like Impax
and AbbVie where we successfully attacked anticompetitive
conduct by pharmaceutical companies.
Ms. Schakowsky. If you could hold just for a minute.
We got the message, and if you will put the signs down,
appreciate it.
Thank you. Go ahead.
Mr. Simons. Yes. We successfully attacked anticompetitive
conduct by pharmaceutical companies, achieving a $448 million
judgment in the latter case. We also recently filed an
important case against a company called Surescripts, a health
IT company with a monopoly over e-prescribing that is
maintaining and acquired that monopoly through exclusionary
conduct.
And on the research and policy front, our extensive
Hearings on Competition and Consumer Protection in the 21st
Century have involved more than 350 panelists and more than 850
public comments. On the consumer protection side, we are very
active as well, with matters ranging from student debt relief
scams to various types of false advertising and many other
cases in between.
But today I would like to focus my remarks on data security
and privacy. As you have said, the FTC has been the primary
Federal agency charged with protecting consumer privacy since
1970 with the passage of the FCRA. From the growth of the
internet to the mobile device explosion to the arrival of the
Internet of Things and artificial intelligence, we have
continuously expanded our focus on privacy to reflect how
consumer data fuels these changes in the marketplace.
Our primary legal authority in this space is Section 5 of
the FTC Act, which prohibits deceptive or unfair commercial
practices. But Section 5 is an imperfect tool--imperfect tool.
For example, Section 5 does not allow the Commission to seek
civil penalties for first-time privacy violations. It does not
allow us to reach nonprofits and common carriers even when
their practices have serious implications for consumer privacy
and data security.
These limitations have a critical effect on our ability to
protect consumers, which is why we urge Congress to enact
privacy and data security legislation enforceable by the FTC
which grants the FTC civil penalty authority, targeted APA
rulemaking authority, and jurisdiction over nonprofits and
common carriers. Irrespective of any new legislation, however,
we will continue to use every tool currently at our disposal to
address consumer harm including authorities given to us by the
Congress like the Children's Online Privacy Protection Act and
the Safeguards Rule.
We have aggressively pursued privacy and data security
cases to date bringing more than 65 data security cases as well
as more than 60 general privacy cases. For example, we recently
brought cases against two companies whose alleged lax security
practices resulted in a breach of 8 million consumers' data.
And in March, the FTC announced a record $5.7 million civil
penalty as part of its settlement with video social networking
app Musical.ly for collecting children's personal information
online without first obtaining parental consent.
To complement our efforts, we also engage in policy
initiatives in the privacy and data security areas. In addition
to the hearings I mentioned, which included 4 days of panels
that specifically addressed consumer privacy and data security,
we recently issued 6(b) orders to several internet service
providers to evaluate their privacy practices. We will use the
information we learned from this study to better inform our
policy and our enforcement work.
Finally, many of our privacy and data security
investigations in cases involve complex facts and technologies
and well-financed defendants. And as we told you in response to
Chairman Pallone and Schakowsky's resource letter, it is
critical that the FTC have sufficient resources to support its
investigative and litigation needs particularly as demand for
enforcement in this area continues to grow. We are committed to
using every resource effectively to protect consumers and to
promote competition, to anticipate and respond to changes in
the marketplace, and to meet current and future challenges.
We look forward to working with the subcommittee and the
Congress and I am very happy to answer your questions. Thank
you so much.
[The joint prepared statement of Mr. Simons and the four
Commissioners follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Ms. Schakowsky. And thank you, Mr. Chairman, sticking
within the time, too, appreciate that.
And now, Commissioner Wilson, you are recognized for 5
minutes.
STATEMENT OF CHRISTINE S. WILSON
Ms. Wilson. Chairman Schakowsky, Ranking Member Rodgers,
Chairman Pallone, and Ranking Member Walden, thank you for the
opportunity to testify. It is an honor to appear before you and
the distinguished members of the subcommittee for the first
time since I joined the Commission 8 months ago. Today I would
like to highlight two areas where I respectfully believe
Congress could assist the FTC in fulfilling its mission to
protect consumers. First, enactment of privacy legislation, and
second, clarification of the FTC's authority under Section
13(b) of the FTC Act.
With respect to privacy legislation, I agree with Chairman
Simons' opening statement on this topic. I too encourage
Congress to enact privacy legislation to be enforced by the
FTC. Businesses need clarity and certainty regarding rules of
the road in this important area. The passage of the California
Consumer Privacy Act and the prospect of potentially
conflicting bills in myriad States have created confusion and
uncertainty in the business community. And in light of the fact
that online commerce is not just national, but international in
scope, I encourage Congress to include preemption in any
Federal privacy legislation. Even more importantly, consumers
need clarity regarding how their data is collected, used, and
shared. Privacy legislation should address these concerns and
could help build public trust around data collection and use.
Privacy legislation is also necessary to address the
emerging gaps and sector-specific approaches created by
evolving technologies. For example, HIPAA applies to medical
offices but not wearables, apps, or websites like WebMD. Data
protections should be based on the sensitivity of the data, not
the entity or mechanism through which it is collected.
And while privacy is important, so is competition. Federal
privacy legislation must be carefully crafted to maintain
competition and foster innovation. GDPR may have lessons to
teach us in this regard. Preliminary research indicates that
GDPR may have created unintended consequences, including a
decrease in investment and startups and entrenchment of
dominant players in the digital advertising market. Reports
also indicate that compliance with GDPR is costly and difficult
for small businesses and new entrants.
U.S. legislation should seek to avoid these negative
consequences. There are three other elements I believe should
also be included in Federal privacy legislation: civil monetary
penalties, which Congress has provided for in other statutes
that are enforced by the FTC including COPPA and the
Telemarketing Sales Rule; jurisdiction over nonprofits and
carriers which collect, common carriers which collect
significant volumes of sensitive information; and targeted,
narrow APA rulemaking authority so the FTC can enact rules to
supplement legislation and to permit adjustments in response to
technological developments.
Turning to section 13(b) of the FTC Act, I think it is
important for Congress to provide assistance through
clarification of the FTC's authority under section 13(b) of our
statute. Decades of cases have established two key principles.
First, the FTC may bring actions in Federal district court to
obtain injunctive relief, and second, the authority to grant
injunctive relief confers upon courts the full panoply of
equitable remedies including equitable monetary relief.
Our ability to protect consumers relies heavily on this
authority, but recent decisions have raised questions about the
scope of our authority that conflict not only with long-
established case law, but also with the clear intent of
Congress. Earlier this year, a case in the third circuit held
the FTC can't seek injunctive relief when the challenged
conduct is not ongoing or imminent, but fraudsters frequently
cease their unlawful conduct when they learn of impending law
enforcement actions. The third circuit standard could prevent
us from seeking relief in Federal district court in these
circumstances, even if we can show the conduct is likely to
recur based on past practices.
And another concerning development arose in the ninth
circuit where a judge questioned the FTC's authority to obtain
equitable monetary relief under section 13(b). But courts have
long held that granting the FTC authority to seek injunctive
relief also gives courts the authority to grant the full range
of equitable relief. We believe this interpretation more
accurately reflects congressional intent.
We thank you for your assistance, and I look forward to
answering your questions.
Ms. Schakowsky. Thank you. And now we recognize
Commissioner Slaughter for 5 minutes.
STATEMENT OF REBECCA KELLY SLAUGHTER
Ms. Slaughter. Thank you Chair Schakowsky, Ranking Member
Rodgers, Chairman Pallone and Ranking Member Walden, and
distinguished members of the subcommittee for inviting us here
today. I am Rebecca Kelly Slaughter and I am so pleased to be
here with my colleagues on behalf of the FTC.
I want to begin by echoing Chairman Simons and most of my
fellow Commissioners, and ask Congress to pass a comprehensive
Federal privacy law that would give the FTC civil penalty
authority, targeted APA rulemaking authority, and jurisdiction
over nonprofits and common carriers. We have some of these
powers in limited degree already and where we have them, we use
them responsibly.
In particular, where Congress has granted us privacy
related rulemaking authority, the Commission has used to put
out clear rules, engage in meaningful, participatory notice and
comment, and amend our rules to keep up with technological
developments. For example, the FTC has rulemaking authority
under COPPA. We put out an initial rule and have since adapted
it to address innovations that affect children's privacy,
social networking, online access via smart phone, and the
availability of geolocation information. As we have made these
changes, we have conducted workshops and sought input through
formal notice and comment.
The rule provides clear guidance to firms on how they can
comply with the law and then we enforce the law consistent with
the rule, for example, in our settlement with Musical.ly that
the Chairman referenced, a company that is now known as TikTok,
earlier this year. The Graham-Leach-Bliley Act also gives us
some limited privacy related rulemaking authority for
information held by certain financial institutions.
In March, the Commission sought comment on proposed
amendments to the safeguards and privacy rules under this law.
Based on our experience, we determined that the rules could
benefit from modernization. We analyzed different models for
strengthening them and we sought input from stakeholders
regarding the best way to implement new requirements.
Just as you in Congress are doing, we at the Commission are
reflecting carefully on the types of substantive privacy
provisions that might best protect consumers today and in the
future. The public hearings initiated by Chairman Simons have
been a showcase for these debates.
I want to briefly highlight one of my own observations for
your consideration. Much of our Section 5 authority and some of
our privacy rules up to this point have been grounded in the
principles of notice and consent. The notice and consent
framework began as a sensible application of basic consumer
protection principles to privacy. Tell consumers what you are
doing with their data, secure consent, and keep your promises.
But in order for a notice and consent regime to be
effective each element must be meaningful. Notice must give
consumers information they need and can understand, and
consumers must have a choice about whether to consent. Today,
notice is mostly in the form of lengthy, click-through
contracts. Few consumers have the time and legal training
required to understand them and consumers often have no choice
but to say yes to these contracts.
They must cede all control over their data to access
services critical to their everyday lives. They don't have the
option to turn to a competing, more privacy-protective service.
In other words, when it comes to our digital lives, neither
notice nor consent feels particularly meaningful today. As you
consider better protections for consumer privacy, I want to
encourage solutions that don't place all the burden on
consumers as much as the existing framework does.
Finally, amidst the important ongoing discussions of the
resources allocated to our agency, I want to conclude by
highlighting what a good return on investment the FTC is for
the American consumer. In fiscal year 2018, the Commission's
budget was $306 million and our actions returned over $1.6
billion to consumers. So, for every dollar the American
taxpayer gave to the FTC, staff returned 5. We welcomed the
recent letters from Chairs Schakowsky and Pallone asking what
the Commission could do with more resources and the
Commission's response illustrated the good use to which we
could put additional funding.
Approximately two-thirds of our budget goes to our greatest
asset, staff pay and benefits. Unfortunately, our headcount has
declined over the past decade even as demands on the agency
have increased. The letters that we sent illustrated what we
could do with an additional 50 or 75 or 100 million dollars,
some of which would allow us to bring our staffing levels up to
where they were in 1982, well before the internet, and still
below where they were in the 1970s.
So I look forward to working with the committee on both
sides of the aisle as you think about this important
legislation, and I look forward to taking your questions. Thank
you.
Ms. Schakowsky. Thank you very much, and now Commissioner
Phillips is recognized for his 5 minutes.
STATEMENT OF NOAH JOSHUA PHILLIPS
Mr. Phillips. Thank you. Chair Schakowsky, Ranking Member
Rodgers, Chairman Pallone, Ranking Member Walden, distinguished
members of the subcommittee, thank you for the opportunity to
appear before you today. I am honored to be back here with my
fellow Commissioners to highlight the important work that the
FTC and its talented staff do on behalf of American consumers.
I realize that privacy is one of the main topics that we are
going to talk about today, and I look forward to answering any
questions that you have.
But, first, I want to highlight what the FTC has been doing
in an area that is critical to all Americans, healthcare.
Americans are concerned about their healthcare. All of us spend
more time than we should trying to find a doctor who takes our
insurance, shopping for the best prescription prices, dealing
with insurers, and so on. And all too often we pay more than we
should with the annual cost of healthcare accounting for nearly
18 percent of annual GDP. The FTC has focused on healthcare for
decades. In my nomination process, I called for this Commission
to continue that essential work and I am pleased today to
report that we have.
On the competition side, the Commission has been very busy.
Following the FTC's Supreme Court victory in the Actavis case,
which subjected pay-for-delay settlements to antitrust
scrutiny, we have worked hard to rid the market of this
anticompetitive conduct. Pay-for-delay settlements delay
generic entry, preventing earlier consumer access to cheaper
pharmaceuticals, and forcing Americans to pay higher prices for
the drugs they need. The Commission has obtained several orders
prohibiting such settlements, including two this year that
included the final remaining Actavis defendants.
Just weeks ago, this Commission reached a decision in its
case against the generic manufacturer Impax which entered into
a pay-for-delay settlement with Endo, a brand manufacturer. On
a unanimous basis, we rendered the first FTC opinion on pay-
for-delay settlements since the Actavis case, banning Impax
from engaging in this harmful conduct. I know that stopping
anticompetitive conduct and pay-for-delay settlements has also
been a focus of this committee, and I appreciate the chairman,
ranking member, and Congressman Rush's recognition of this
important issue.
This Commission is fighting anticompetitive conduct in
court. We recently obtained a Federal court judgment ordering
AbbVie to pay nearly $500 million in relief to consumers
overcharged for AndroGel, as a result of AbbVie's
anticompetitive manipulation of our civil justice system. And
as the Chairman mentioned, just weeks ago we sued Surescripts,
a monopolist we allege employed illegal vertical and horizontal
restraints to maintain its monopolies over two e-prescription
markets. In addition to targeting the cost of healthcare, this
case addresses important competition issues like two-sided
markets, network effects, and innovation harms.
Our consumer protection work on healthcare also provides
results to consumers who too often get duped into buying bogus
products and services, sometimes even foregoing needed care.
Stopping deceptive health claims, providing guidance to
business, and educating consumers continue to be top priorities
for this Commission. Last month, the FTC settled with
defendants charged with deceptively marketing cognitive
improvement supplements using sham websites and fake clinical
studies and endorsements. Our actions stopped the scam which
reaped over $14 million from unsuspecting consumers.
The FTC also recently cracked down on deceptively
advertised amniotic stem cell therapy which its promoters
claimed could treat serious diseases including Parkinson's, MS,
and heart attacks. The FTC just mailed checks over half a
million dollars to victims. We also recently brought charges
against defendants who claimed that their Nobetes pill could
treat diabetes even after the FDA and FTC warned them that they
needed scientific evidence which they didn't have. The list
goes on.
We are focused on protecting consumers in the opioid crisis
and have brought several actions to return money to consumers
who were duped into treatments that weren't real. And as our
work on the opioid crisis shows, the FTC leverages our
resources and partners with other agencies to maximize our
impact. Working with the FDA as we did on opioids, we jointly
issued 13 warning letters to companies marketing e-liquids used
in e-cigarettes in packaging that resembled kid-friendly food
products like juice boxes, candy, or cookies. Like yours, our
goal is to protect kids.
I hope this testimony has been helpful to you in showing
how the FTC makes a daily impact on the lives of American
consumers both by protecting their wallets and their health.
Thank you, and I look forward to your questions.
Ms. Schakowsky. Thank you very much. And last but not
least, Commissioner Chopra, it is your 5 minutes.
STATEMENT OF ROHIT CHOPRA
Mr. Chopra. Thank you. Chair Schakowsky, Ranking Member
Rodgers, and members of the committee, thank you for holding
this hearing to examine the Federal Trade Commission's role in
policing digital markets against misuse and abuse of data.
Today, I want to talk about a market failure affecting
families, businesses, and the labor force: terms of service,
the contracts that we theoretically read and evaluate online.
The FTC and Congress need to confront these take-it-or-leave-it
contracts particularly when it comes to potentially unfair
terms. Many terms of service consist of thousands and thousands
of words written in legal jargon. According to some estimates,
if Americans had to read all of these contracts it would take
them approximately 250 hours per year.
Studies overwhelmingly confirm that we just don't read
these terms and we are now becoming numb to companies imposing
regulations that make us cede our rights and even our property.
For example, terms of service for streaming music apps have
given companies access to your contacts and photos, even though
it is a music app. To use certain, quote, free photo sharing
apps, the maker of the apps reserves the right to use your
name, likeness, and image even for commercial purposes. Other
terms of service slip in language that says the company will
absolutely ignore ``do not track'' settings in your browser.
These nonnegotiable contracts are giving firms the right to
fingerprint your device, often allowing them to create a
dossier on you even if you don't register for an account. These
contracts aren't just claiming the right to monetize your
personal information and property, they also revoke many of
your legal rights and can even allow firms to change terms at
any time whenever they want.
Contracts are and should be a critical foundation of
commerce. They help parties bargain and put their promises on
paper. But when contracts aren't negotiated, they can easily
become riddled with one-sided terms, and both dominant players
and unscrupulous firms can exploit their position to the
detriment of fair competition.
Now the FTC has a strong tradition of restricting unfair
contract terms. In the 1980s, during the Reagan administration,
the FTC banned a slew of terms and consumer credit contracts
including confessions of judgment where consumers waived all of
their defenses in court if they were sued. The FTC found that
terms like these were the product of an unequal bargain where
consumers could not protect their interests.
More recently, both the FTC and Congress have cracked down
on gag clauses on a bipartisan basis. Nondisparagement
provisions in take-it-or-leave-it contracts that forbid us from
posting truthful reviews online for products and services are
now banned. This is a boon for consumers and competition.
Buyers will be able to find out what others have experienced,
and sellers that invest in quality in customer service will be
rewarded in the market. It is time for us to own up to the fact
that today's digital contracts can lead to a race to the
bottom.
In addition to making use of the FTC's existing
authorities, Congress should also look for ways to stop
companies from exploiting their bargaining position through
these contracts. For example, we can look to reforms enacted by
other developed countries, such as the 2010 law in Australia
that allowed consumer protection and competition authorities to
enforce laws on more unfair contract terms.
I would suggest that there are two aspects that warrant our
attention. First, we need to look at the circumstances that
these contracts are imposed and whether one side has more
power, information, or leverage. Second, we need to look at the
terms themselves, particularly any one-sided terms that
unreasonably favor the drafting party. It will be especially
critical to closely scrutinize the terms imposed in take-it-or-
leave-it contracts on entrepreneurs and small businesses like
app developers and online merchants, especially when they can
see their data taken away or their rights removed. This can
impede fair competition and we should look closely at it.
Thank you, and I look forward to all of your questions.
Ms. Schakowsky. Thank you all. We have now concluded
witness opening statements for our panel. We will now move to
Member questions. Each Member will have 5 minutes to ask
questions of our witnesses, and I will start by recognizing
myself for 5 minutes.
So we know the FTC does not have enough resources to devote
to privacy and data security enforcement. The FTC has only
about a thousand employees altogether to fulfill the dual
mission of competition and consumer protection which is less
than what the agency had, as we heard earlier, in 1983. Of
those, only about 40 people are charged with protection of
privacy and security of American consumers. I can find that
pretty shocking. The American people deserve more and better.
So my question is for Chairman Simons. You have said before
that you believe the FTC must, quote, vigorously enforce,
unquote, the laws entrusted to it. How can the FTC vigorously
protect consumer privacy when it has only 30 lawyers working on
behalf of the whole country?
Mr. Simons. Thank you, Chairman. So like you have said
before, we are a small agency but we fight above our weight. So
we are very aggressive with the resources that we have, but if
we had more resources I guarantee that we would put those to
very good use.
In terms of--one thing to keep in mind, I think
particularly with respect to the legislation that you are
considering, is that would significantly, no matter who you
talk to, really, that would significantly expand our authority.
And in particular, if that legislation is passed, there is no
question that we would need very substantial increases in our
resources.
And as you said in your opening statement, Madam Chairman,
the U.K. authority has 500 employees dedicated to privacy and
even the Irish authority has about 140. So us starting at 40
and then trying to enforce something similar to what they are
enforcing with their authority, obviously, you know, shows a
gap.
Ms. Schakowsky. OK, thank you.
As you had mentioned, Mr. Chairman, earlier this year we
sent a letter to the FTC to get more information about how the
Commission would use additional resources, and I ask unanimous
consent to put that in the record. Hearing none, so ordered.
[The information appears at the conclusion of the hearing.]
Ms. Schakowsky. Your response indicated that the Commission
could hire 160 more staff with $50 million in additional
funding or 360 more staff with an additional $100 million
funding. You also said that a hundred new attorneys focused on
privacy and security would allow the FTC significantly to boost
its enforcement activity and also improve the agency's ability
to monitor compliance of companies already under the order.
So I am concerned about this issue of monitoring compliance
with existing orders because we have all seen how, for example,
Facebook continues to rampantly abuse consumer privacy despite
being under an order with the Federal Trade Commission. So the
question, Chairman Simons, is how does the FTC make sure that
companies comply with orders that require a comprehensive
program to protect privacy and security?
Mr. Simons. Yes, so thank you, Chairman. One of the really
great things about the FTC as an institution is that it has a
history of engaging in self-critical examination. And the
privacy program, looking back at the FTC as a whole, is a
relatively young program. So we are seeing what is happening
with some of these orders.
And this also was explored at our hearings and we are
taking that to heart and increasing the provisions in our model
orders to beef up, for example, assessor provisions so the
assessors actually have a much more fulsome role and we can get
the benefit of their investigation. And also, we are creating a
provision that requires certification by a senior officer in
the company. And in order to make that certification, the
officer is under an obligation to actually conduct an
investigation and gather evidence regarding their compliance
with the order.
Ms. Schakowsky. Let me ask Commissioner Chopra, does the
FTC have the resources and authority necessary to effectively
monitor compliance and enforce its existing orders? I am
concerned that the FTC doesn't even require anyone to submit
assessments to the agency after the first one.
Mr. Chopra. Well, of course we are using a century-old law
to do much of our privacy and data security work, so obviously
authority and resources will help. Of course, we are all aware
no amount of resources is really going to--we don't know how
much we will actually be able to tackle the vast problem that
we have at hand.
So, in addition to resources, you know, bright line rules
that really give clear guidance and have real teeth and
accountability and especially penalties will also help us
advance that mission. The more blurry it is, the more it is
going to be harder to enforce, the more some firms will be able
to get through loopholes and small firms will suffer.
So I also encourage you to think about not just having the
FTC enforce some of these rules, but other parties as well. We
need those force multipliers.
Ms. Schakowsky. Thank you. Now I yield to the ranking
member of our subcommittee.
Mrs. Rodgers. Thank you, Madam Chair. And again, thank you,
everyone, for your testimony here.
Chairman Simons, last month the FTC held a hearing on the
FTC's approach to consumer privacy. Your remarks focused on the
fact that privacy violations can cause a range of harms. I
believe any Federal privacy bill should focus on protecting
consumers from concrete harms. What did you learn from the
hearing about specific harms that can help us craft an
enforceable privacy bill?
Mr. Simons. Thank you, Representative. What I would say is
that we learned quite a bit at those hearings. We learned that
there is a widespread consensus among stakeholders in the
privacy community to support the Federal privacy legislation
that you are talking about, you know, you as a committee.
And they are also talking about how to--notice and comment,
notice and choice has been a primary vehicle as we discussed
and folks in the hearings emphasized that it really should also
turn on assessments and accountability. And so, we are focused
on that as well and also deidentification of data. Those are
the things that came up at the hearing and that were most
recommended by a broad group of people.
Mrs. Rodgers. Great, thank you.
Commissioner Phillips, can you explain why it is important
for a Federal privacy approach to be risk-based and what harms
we should as Congress be protecting against?
Mr. Phillips. Congressman Ranking Member, thank you for
that question. The tradition of the United States since 1970
with respect to privacy has been a risk-based one. We have
chosen to look at particular areas where risk is heightened,
like information about kids or health information, and single
out those areas for special and heightened treatment. That to
me makes all the sense in the world.
This conversation that we are having about a broader
consumer privacy law because it reaches broader and because it
potentially applies to a far broader swath of data, some of
which may raise similar kinds of risk, some of which may make
less, to me means that we have to have a really serious
conversation, and in particular that Congress needs to have
really a serious conversation what the problems are we want to
solve, what the wrongs are that we want to right.
So one of the things that I have heard today is a concern
about, let's say, transparency, right. Consumers don't have the
time to look over a long policy. Maybe they don't understand
the legal jargon. Are there things that we can do to increase
that level of awareness and maybe also provide more clarity for
business? That could be a good outcome.
But I think what is critical to this debate is two things.
The first, leaving aside the tools of how we solve the problem,
let's agree on the problems we want to solve, say,
transparency, or at least do our best to solve, and then let's
think about how to build a scheme around that.
Mrs. Rodgers. As a follow up, is there a risk of delegating
too much rulemaking authority to the FTC that creates
uncertainty for industry, particularly the small businesses and
startups?
Mr. Simons. Thank you again for that question. I think
there is, and to me the risk exists on two levels. The first is
really a basic constitutional one, which is the privacy debate
is really interesting because it is one where there is a lot of
general agreement on the need for something, but a lot of
disagreement on the specifics.
So let me take as an example, two consumers both pushed ads
as they walk by a Starbucks. One consumer might experience that
as, ``Great, that reminds me--I want the latte, and I want to
get a dollar off.'' But the other consumer might say, ``Hey,
that is really creepy. How did you know I was there?'' Those
are both very reasonable interpretations of the same facts, but
what they demonstrate is that different people have different
tastes for privacy. So in this context, when you give broad
rulemaking authority, you ask five of us or maybe even just
three of us to decide what we want. That is no substitute for
the democratic process.
So that is the first thing. The second thing, which you
mentioned and which is really important, is that, whatever the
rules are, they ought to basically remain over time. And there
is a chance that, you know, issues get politicized or people
have very earnest disagreements and over time the rules shift.
Whether you like more restrictive rules or less restrictive
rules, we should all agree that having consistent rules over
time makes sense.
Mrs. Rodgers. OK, thank you. I have more questions, but my
time is expired. I will yield back.
Ms. Schakowsky. I now recognize Ms. Castro--Castor for 5
minutes, sorry.
Ms. Castor. Thank you, Madam Chair.
Chairman Simons in his testimony mentioned the recent FTC
fine of $5.7 million against the video social networking app
Musical.ly--it is now known as TikTok--to settle allegations
that the company illegally collected information on children in
violation of the Children's Online Privacy Protection Act. You
said this is the largest civil penalty obtained by the FTC in a
children's privacy case, but in actuality there really haven't
been very many. And when you look at the circumstances here, I
don't think the fine fits the crime.
You had reports that they were collecting location data on
children that was discernible to people in the neighborhood.
They made it very difficult to close accounts. They made it
practically impossible to complain. They would not delete
profiles after someone did close an account.
So, and by the way do you all know the valuation of the
Chinese company that owns TikTok? ByteDance, as of November
2018, ByteDance was valued at $75 billion. That means the FTC's
record-setting fine was 0.0076 percent of ByteDance's value. No
CEO is going to blink an eye at a fine that inconsequential.
Companies will just see small FTC fines as the cost of doing
business and will continue to elevate profits over privacy,
especially when it comes to our kids.
Commissioner Chopra and Commissioner Slaughter, you issued
a joint statement in responses. You said, ``Executives of big
companies who call the shots at companies that break the law
should be held accountable,'' I guess personally accountable,
and the FTC has gone after executives when they have direct
control and are calling the shots here.
Commissioner Chopra, why was it important to make that
statement and is it clear the FTC has the authority to go after
executives of tech companies for violating privacy laws?
Mr. Chopra. Well, let me just say that the FTC goes after
individuals all the time, especially when it comes to small-
time scammers. I do think we need to level the playing field a
bit and make sure that in our investigations when it comes to
privacy we are also looking at the role of individuals who made
the decision that it was worth violating the law in order to
profit.
So, I want to make sure that in our investigations we are
investigating that and we are holding them accountable when we
have clear evidence of a violation, because you are right. For
some firms fines are a parking ticket and a cost of doing
business and we cannot change behavior unless those penalties
are painful and often that means finding out who at the top
called the shots.
Ms. Castor. Commissioner Slaughter, I want you to answer
that but I also heard you loud and clear on the privacy
policies. Everyone knows that these notice and consent and
privacy policies, they are simply not working, and it is
particularly egregious when it comes to children and parents.
In COPPA, they are completely inadequate to protect
children's privacy, and I am worried no matter how much that we
revise those notice and choice provisions it will not be
sufficient and companies will find ways to around it to get to
our children's data without parents fully understanding what
their children are agreeing to share.
The one answer was contained maybe in the FTC's 2012
privacy report that discussed reasonable collection
limitations, which I understand to mean that companies only
collect data that is consistent with the context of a
particular transaction or the consumer's relationship with the
business. It could also include limitations on sharing, sale,
retention, and usage.
Should Congress include a reasonable collection limitation
section in privacy legislation going forward?
Ms. Slaughter. Thank you for the question, Congresswoman.
Let me try to take both of those points quickly, mindful of
your time. The first is, I agree with your point and my
colleague's point that fines can't be meaningless to companies.
If we care about them, they need to be enough to effectively
both deter specific wrongdoing by that company in the future
and effectuate general deterrence.
I would like to make a clarifying point because I have
heard a couple of Members talk about fines the FTC can levy.
And just to be very clear, unlike some of our counterparts in
Europe, we can't independently assess fines. Where we find a
violation of an order or a rule, we can go to court and seek
civil penalties and a court could assess penalties and then in
order to avoid that process, we can negotiate with a company to
reach an outcome that we think is fair and just. But those are
negotiated penalties they are not levied fines, and I think
that is a meaningful distinction.
And, secondly, the statement that my colleague and I
released in the TikTok case did go to the question of
individual accountability, making sure our investigations
effectively assess where it lies if enforcement is proper, and
I think we also have to think about the injunctive relief that
we provide in any particular case. I think about it as sort of
a multilegged stool, again how to best effectuate specific
enforcement making sure this company doesn't violate the law
again, and general deterrence, making sure other companies know
that if they don't follow the law, the consequences will be
meaningful to them.
And then----
Ms. Schakowsky. We are going to have to wrap. We are going
to have to wrap it up there.
Ms. Slaughter. OK, then the short version of your question
about purpose limitations, I agree. I think they are really
important.
Ms. Castor. Thank you.
Ms. Schakowsky. Thank you. The Chair now recognizes Mr.
Burgess for 5 minutes.
Mr. Burgess. Thank you. And thank you all for being here
for this hearing. This is important. You are an important
agency and this subcommittee does have an important role to
fulfill as far as oversight of the important agency that you
represent.
So, some other Members have done a good job of articulating
how for a very large company a fine simply is a cost of doing
business and it is of no consequence and they are able to pick
up and move on. I would like to focus just a little bit on
smaller companies where the ability of the Federal Trade
Commission to require compliance or even consent decrees may be
a death knell for that company.
And a company that comes to mind, a case that has
interested me for some time, is LabMD. Most of you were
probably not on the Commission when LabMD became a thing back
in the--a decade ago. And it has worked its way through the
courts and, if I understand correctly, the most recent was an
eleventh circuit court decision that actually put some of onus
back on the FTC saying you have actually got to define these
things that you want with what you want a company to comply.
But, you know, LabMD that case stands out to me as the
object lesson. Here was a viable business providing a great
service to the urologic practices that depended upon the
handling of lab tests and pathologic specimens and now that
company is gone and it is gone because of a relatively
arbitrary FTC decision. And then, ultimately, the guy that
pushed it all the way to the eleventh circuit, really, LabMD
was not the one that was at fault.
So, Commissioner Phillips, you have talked about the
healthcare issue, so assuming that you have some knowledge of,
even though none of you were on the Commission when LabMD
started, Chairman Simons said, you know, that the FTC--what was
the--that you engage in self-critical examination, so what does
your self-critical examination tell you as far as the LabMD
case is concerned?
Mr. Simons. Congressman, thank you for the question. As you
noted earlier, none of the five of us were here when the LabMD
case was brought and I do want to reserve judgment on the work
that others did. But I think your fundamental point is
absolutely right, which is we need to think and, in fact, the
statutes that we enforce command us to think very critically
about remedies and the impact that they have.
Sometimes more are warranted. Sometimes less are warranted.
Sometimes injunctive relief may be more important. Sometimes
fines are more important. We have case law to guide us and we
also have the benefit of experience. And I think critically
that we need to learn from our experiences and sometimes that
may militate in favor of changing what we are doing.
The Chairman mentioned earlier what we are doing on our
model orders with respect to testing how well they are working.
But it can cut both ways, and I think that is something we
always really need to take into account.
Mr. Burgess. Well, it is just--and when Mr. Walden was
chairman of the full committee and we did have--he referenced
we had representatives from Facebook here discussing things
with them, a consent decree for a company the size of Facebook
is inconsequential. It doesn't affect them one way or the
other. The fine that Ms. Castor referenced to the company with
a bottom line of 67 billion or whatever it was, that fine is
inconsequential.
But for small businesses, the heavy hand of the Federal
Trade Commission basically can spell the end of their business
and in this case, unfortunately, it did. But even a consent
decree, which your consent decrees run a number of years, for a
company to have to disclose that ``Yes, I want to handle your
lab specimens. I want to handle your confidential medical data.
Just so you know, I am under a consent decree from the Federal
Trade Commission until 2032,'' that probably ends that
company's ability to render that service. Would you agree?
Mr. Phillips. I absolutely think that issues like the
length of consent decrees need to be considered. Commissioner
Wilson and I recently wrote in a case where the party had
violated a consent decree in a really bad way, so we agreed
with the penalty. But one of the things that we said together
is that experience and law and the facts of the case, not
necessarily by the way how it is publicly perceived, but the
facts of the case and the applicable law and our experience as
the agency ought to guide us in how we apply remedies.
Mr. Chopra. Dr. Burgess, can I add?
Mr. Burgess. Sure.
Mr. Chopra. I want to agree with your sentiment on this,
which is we need to avoid ever appearing that we are strong-
arming small defendants and letting large ones kind of off the
hook. I think there needs to be an evenness in this, because
you are right that even a subpoena can be very, very costly for
small firms.
So I take also away that we need to think hard about where
we are allocating our resources. Are we allocating our
resources to a lot of small firms or are we really thinking and
gaining credibility by challenging larger firms who commit harm
on a wide scale and who have the resources to litigate? Because
litigation, actually, also gives much more credibility to the
outcome rather than just sometimes settlements.
Mr. Burgess. Great. I have a number of other questions. I
will submit those for the record. I yield back my time.
Ms. Schakowsky. Thank you. The Chair now recognizes
Representative Kelly for 5 minutes.
Ms. Kelly. Thank you, Madam Chair.
One of the key tools that FTC has used in enforcing privacy
cases is deception authority, particularly when a company
hasn't told the truth in its privacy policy. But there is no
national law that requires companies to have a privacy policy
in the first place. For instance, a recent report found that 85
percent of the apps and browser extensions in the Google Chrome
Web Store didn't have a privacy policy at all.
Chairman Simons, do you believe it would be helpful to the
FTC's ability to enforce the law companies were required to
disclose their privacy practices?
Mr. Simons. I think this is something that the Congress
should definitely consider in its consideration of new Federal
privacy legislation. And what you have just said illustrates
the imperfect nature and the lack of authority that we have,
which is that our privacy program is based in large part on
this deception authority that we have under Section 5, a
hundred-year-old statute which was never designed or legislated
with any intent toward privacy issues that we see today
obviously, so thank you for that.
Ms. Kelly. You are welcome. Even when a company has privacy
policies, it practically takes a law degree to understand it or
is so vague that it is meaningless to consumers. Some have
suggested that it would be useful to provide consumers with
clear, concise, and consistent disclosures that would make it
easy to understand how companies use and share personal
information.
Commissioner Chopra, do you think it would be helpful if a
law required companies to label their privacy practices in a
way that provided clear and consistent disclosures to consumers
with wording and pictorial depictions like a 3 and a dollar
sign if data was sold to a third party?
Mr. Chopra. Yes. I think better disclosure that is clear is
always good, but on top of disclosure we have to sometimes
recognize that users sometimes actually have no choice, you
know, when it comes to filling out their job application, when
it comes to enrolling in school, they may not have a choice.
So I want us to also think about, you know, what are the
types of terms that maybe should be presumptively unlawful or
where there is a higher burden to bear or where some data is
just off limits, because we don't want to disguise ourselves
into thinking people can meaningfully compare all the time.
Ms. Kelly. And my next question, is there something else
that Congress can do to help consumers better understand how
their data is used? And anyone can answer.
Mr. Chopra. Yes. Well, I will just add too that when it
comes to deception we need to also think about dark patterns
and other tactics that are being used to trick consumers into
handing over their data. They use complex testing in order to
nudge you. Often it is almost impossible to figure out how to
close your account or delete your data and it raises very
serious questions about whether it may be a violation of our
deception standard, but more clarity would help.
Ms. Kelly. OK. Turning to a different subject, I wanted to
talk about the interception of privacy rights and civil rights.
Algorithms that profile users and target content to specific
groups can too easily result in discriminatory practices
against marginalized communities. For example, investigative
journalists have found that employers advertise jobs
exclusively to men on Facebook and also build internal
algorithms that negatively ranked women for job placement.
Nearly 2 years ago, the Tech Accountability Caucus, which I
chair, wrote a letter to Facebook about their discriminatory
ads that allowed people to exclude housing applicants based on
protected characteristics like race, gender, and sexuality. I
am glad that HUD finally took action on this case and that
Facebook has ceased its practice of racial affinity
advertising.
Again, Commissioner Chopra, would it be helpful if Congress
explicitly applied existing civil rights laws to data privacy
by, for example, prohibiting discriminatory uses of personal
information?
Mr. Chopra. Yes, this is really serious because with
algorithms and machine learning they essentially allow some
firms to either knowingly or unknowingly evade our
antidiscrimination laws. It reinforces biases against rural
Americans, against people of color, so us to attack what is
going on behind those scenes is absolutely critical. And, you
know, no algorithm is going to be free of bias and we need to
make sure that the digital economy is not reinforcing biases.
Ms. Kelly. Thank you.
And, Madam Chair, I just wanted to let you know that
joining me today are two young people very interested in
privacy. One is from Tuesday's Children. Her father was a
retired major in the Army who is now deceased. So they are
listening in the back attentively to what we are going to do,
so thank you and I yield back my time.
Ms. Schakowsky. Thank you. The Chair now recognizes Mr.
Latta. No, is he not here? Oh, I am sorry. Mr. Walden showed up
again and I am happy to recognize you for 5 minutes.
Mr. Walden. Thank you. I sort of snuck in from the other
hearing. But thank you, Madam Chair.
And, Chairman Simons, it has been a few decades, but there
was a time when the FTC, as we heard, was given broad
rulemaking authority but stepped past bounds of what Congress
and the public supported. This required further congressional
action and new restrictions on the Commission.
In testimony submitted for this hearing, the FTC supports
APA rulemaking authority for privacy legislation. Do you have
any concerns with Congress delegating broad rulemaking
authority to the FTC and would you support limiting that
rulemaking authority to issues that cannot be foreseen by this
Congress?
Mr. Simons. I have substantial concerns and please do not
do it. Do not give us broad rulemaking authority, give us
targeted rulemaking authority. Just as--because we are worried
about what exactly what you have described happening again and
the agency becoming politicized and we want it, so what we
really want to have is we want to have the Congress----
Mr. Walden. Very specific.
Mr. Simons [continuing]. Come up with bipartisan Federal
privacy legislation, have it fairly well defined, COPPA is a
good model, and give us targeted rulemaking authority so that
we can keep it up to date, make technical changes for
developments in technology or in business methods. But please
do not give us broad-based authority.
Mr. Walden. All right.
Mr. Simons. The last thing that we want to have is to have
you dump that question on us, the big, broad question.
Mr. Walden. Yes.
Mr. Simons. We would rather have elected officials do that.
Mr. Walden. You know, and too often when we face a tough
problem, we do that to agencies. We say, ``Yes, we can't really
figure this out, so we are just going to give you rulemaking
authority. You go figure it out.''
Mr. Simons. Yes.
Mr. Walden. And then when you do, we object.
Mr. Simons. Right. Please don't do that.
Mr. Walden. Because you didn't get it right, even though we
couldn't figure it out. And so, I think it is, the obligation
is on our shoulders to be as refined and targeted as possible.
I guess I have sort of a yes or no question for all of you.
One of the issues we are wrestling with as the Energy and
Commerce Committee and looking at something nationwide, do you
all support a Federal preemption of existing State laws or can
privacy work on a State-by-State patchwork basis?
It strikes me the internet, this, you know, some of them
described with tubes and all that, right?
Mr. Simons. Right.
Mr. Walden. It actually crosses borders--who knew? And so,
I am trying to figure out how it works if we don't do a
nationwide law. Do you, I mean----
Mr. Simons. Yes, I share your concerns about the patchwork.
And I think, you know, the sense of it would be that if the
legislation is substantial enough----
Mr. Walden. Right.
Mr. Simons [continuing]. Then I think it makes sense to
preempt. But having said that, I also think that even if you
preempt, you should give enforcement authority to the State
Attorneys General.
Mr. Walden. All right.
Ms. Wilson, what is your guidance on this?
Ms. Wilson. I agree that preemption is necessary. As you
note, there are State boundaries that get crossed. There are
national boundaries that get crossed. Consumers are looking for
a seamless experience and, frankly, businesses need guidance.
We have heard examples of bills that have conflicting
provisions. For example, one State will say this is opt-in and
another says it is opt-out. And businesses, literally, cannot
comply with both of those State laws. And so, I believe that we
do need Federal privacy legislation that contains preemption.
And I agree with Chairman Simons that the State AGs----
Mr. Walden. Has to be robust.
Ms. Wilson [continuing]. Who can assist in enforcing will
act as a force multiplier as Commissioner Chopra noted.
Mr. Walden. Yes.
Mr. Chopra. Mr. Walden, can I----
Mr. Walden. Well, if I could just----
Mr. Chopra. Sorry. Well, go ahead.
Mr. Walden. Yes, we will get to you, but Ms. Slaughter?
Ms. Slaughter. I am sympathetic to the desire for
uniformity, consistency, clarity, and predictability in a
national law. I would be concerned about a Federal law that
lowered standards that already exist in the States, so I think
the appropriateness of preemption is best evaluated in terms of
whether a Federal law meets or exceeds the level of protections
that States can provide and whether it allows them the
opportunity to fill any gaps that may remain after a Federal
law is developed.
Mr. Walden. OK.
Mr. Phillips?
Mr. Phillips. Thank you, Congressman, or thank you,
Chairman--Ranking Member.
Mr. Walden. Chairman in exile.
Mr. Phillips. Yep. No, no, no. I hope I pulled that one
back quickly enough.
Mr. Walden. You are all right.
Mr. Phillips. I think preemption is essential for a few
reasons. The first is to give businesses the clarity that they
need and the second is to meet the expectation that we have all
been talking about, about aligning consumer understanding with
what is going on. The more variability that you have, the less
transparency, the less consumer power.
Mr. Walden. Right.
Mr. Phillips. The other thing we need to keep in mind is
competition. Having multiple laws means multiple different
compliance costs.
Mr. Walden. Right.
Mr. Phillips. That is harder for smaller firms, easier for
big ones. Another thing to keep in mind--I will finish very
quickly--is international interoperability. We have to consider
our national interests in cross-border data flows.
And, finally, with respect to establishing just a floor
that is a model that we have in HIPAA, and I think Congress
ought to take a very careful look at how the HIPAA model works
because the studies show that State HIPAA laws have inhibited
the roll-out of electronic medical record use. They have
inhibited innovation, and reduction of costs in the medical
field, and startups are struggling with this.
I may be wrong, I may be right. People can take different
views. But I think that is a very good area to look at the
data, see what is going on, and see how it would apply here.
Mr. Walden. Madam Chair, with your indulgence, could our
final Commissioner weigh in? My time is expired.
Mr. Chopra. Yes, I just want to make sure I caution you
that preemption can also have a lot of unintended consequences.
In Illinois, for example, there is a biometric law. There are
other laws that may not, may complement and not conflict. My
own experience in this relates to the mortgage meltdown where
broad preemption of State mortgage laws clearly wreaked more
havoc because States that wanted to provide certain safeguards
to their homeowners had that robbed of them.
So I think it is important that we just make sure we are
not making things worse and at the same time----
Mr. Walden. That is a good point.
Mr. Chopra [continuing]. Promoting lots of beneficial entry
into the marketplace.
Mr. Walden. Yes, I go back to my Jamie Dimon quote that
said you can overregulate to the point only the bigs can afford
to comply, and now you have snuffed out competition. So, this
is why it is hard. We want to get it right for our consumers,
we don't want to snuff out innovation. So, thanks for all the
work you are doing there in helping us.
And, Madam Chair, thanks for your indulgence in this and
for having this hearing.
Ms. Schakowsky. I now recognize the chairman of the full
committee, Mr. Pallone.
Mr. Pallone. Thank you, Madam Chair.
Companies are collecting more data than ever and using it
in ways that most consumers would never imagine. If I download
a flashlight app, for example, it shouldn't need my precise
location and it definitely shouldn't then go and sell that
information to the highest bidder, all without my permission.
Yet the FTC does not have the authority to enact rules that
could establish reasonable limits on uses of data and no
comprehensive Federal law currently exists.
So I want to start with Chairman Simons. In your testimony
you support Federal privacy and data security legislation,
which I appreciate, but some have argued that the FTC has not
done enough with the authority it has been given. How can
Congress be sure that the FTC will aggressively protect
consumers if given new authority?
Mr. Simons. My mantra is vigorous enforcement, so as long
as I am the Chairman we are going to vigorously enforce. I will
have to say also that we have brought lots of cases in this
area where we can. We have brought about, when you consider the
full range of privacy authority that we have ranging from
Section 5 to the FCRA to COPPA to Do Not Call to CAN-SPAM, we
have brought over 500 cases.
So I would say we have been pretty active, but our
authority is limited as you describe, and so, if we get more
authority, we will need more resources.
Mr. Pallone. OK. Let me go to Commissioner Chopra.
How important is it that comprehensive privacy legislation
set reasonable limits on the way the data can be used such as
through data minimization and restrictions on selling or
sharing data beyond the consumers' reasonable expectations?
Mr. Chopra. Yes, these bright line standards will also be
easier to enforce. We will not have to go through as much
extended investigation and also it will make it easier for
businesses. So I think when you are being affirmative about
what is inbounds and out of bounds, that is better.
Mr. Pallone. OK. I am going to go back to the Chairman
again. Although privacy is an important issue, it is obviously
not the only critical consumer protection issue within the
FTC's jurisdiction. And topping the list of the FTC's nearly 3
million complaints were imposter scams, where a scammer
pretends to be from the IRS or the Social Security
Administration or another trusted organization to get people to
turn over money or personal information.
Consumers reported losing nearly $488 million in these
kinds of scams last year. So let me ask you, Chairman, consumer
education is important but the burden should not fall on
consumers to stop fraud. So what is the FTC doing to stop these
scams and prevent them from becoming even more common? I mean
these are the things that I hear about on regular basis from
constituents, particularly seniors.
Mr. Simons. Right. Thank you for that question. There is no
single fix to this pernicious scam, but so we try to implement
a multipronged approach. We have substantial law enforcement to
stop these things from occurring where we can find and sue the
perpetrators. But we really do think that enforcement along
with consumer and business education, consumer guidance and
business guidance are important and so we tackle this on a two-
front basis.
Mr. Pallone. All right.
Mr. Phillips. Chairman, may I just add briefly to that?
Mr. Pallone. Sure, go ahead.
Mr. Phillips. I really want to thank you for that question,
in particular for the following reason. You have been talking
recently a lot about the need for resources. It is important,
especially as the headlines focus on particular issues with
which we deal also to consider the ones like scams that don't
always grab the headlines. That work has always been and should
remain really important work that we do.
So when you think about resource questions, I would
encourage you to consider all the work that all the different
bureaus at that FTC does and how important they collectively
are to the national interest.
Mr. Simons. Yes, can I just say one other thing? The FTC is
a very busy place. People generally are not sitting down and
doing nothing. They are all very highly active. They are all
very highly productive. And so, if we are going to devote more
resources, for example, to privacy, we would probably have to
take them away from something like potentially going after some
of these scams.
Mr. Pallone. Unless we have more resources, but, believe
me, I am the last person who thinks that Federal agencies or
the people that work there don't do anything. I am constantly
reminding people that they work very hard because oftentimes
people think that government and politicians don't do anything,
but, in fact, we all work very hard, or most of us do.
So thank you again. Thank you, Madam Chair.
Ms. Schakowsky. Thank you, the gentleman yields back. And
now I recognize Mr. Guthrie.
Mr. Guthrie. Thank you, Madam Chair, for the recognition.
Thank you all for being here. And I will agree with my friend,
The Chairman, that people in our agencies do work very hard and
sometimes we need to make sure we give them the right direction
and how we as the policymakers would like for them to work.
And one thing that I have been concerned about as we move
forward and we need to move forward on a privacy bill, I am for
that, but the one thing I am concerned, I think Mr. Phillips
mentioned that some of the smaller companies can't deal with it
as much as some of the bigger companies.
And so, I have talked about innovation and whatever the
healthcare or anything here, kind of my common theme is how do
we keep this innovation that is moving forward. And so,
Chairman Simons, I believe any Federal bill must ensure all
companies no matter the size of their compliance department can
continue to innovate and compete. And what do you think about
this concern and how should we consider this drafting
legislation?
Mr. Simons. So this is a really critical concern, thank you
for raising it.
Mr. Guthrie. And any of the others can answer too. I called
and said your name, but others can answer if they would like
to, to how we can make sure people can compete, but go ahead.
Mr. Simons. Yes, so what I was going to say is, so we have
a dual mission, consumer protection including privacy and
competition, so we are sensitive, really, to both. And the
thing that--one of the things that we are very concerned about
is the situation where, so, for example, if you require opt-in
for certain kinds of information or maybe even all the
information, that makes it much easier for high-tech platforms
that are consumer-facing to get that opt-in. And so, for a new
company or a small company, it is very difficult to get that
kind of opt-in and access to that data.
So that might constitute a very significant disadvantage
for the small companies and the new entrants and cause a huge
advantage for the existing high-tech platforms. And, in fact, I
understand that a high-level competition official from the
European Union is concerned about this because he thinks that
business is being pushed by the GDPR to Google and Facebook.
Mr. Guthrie. That was my next question. So concerned about
what GDPR, what I have heard what you just said and how we
guard against that. So I mean, just what you just kind of said,
if Mr. Phillips or anybody else would like to talk about that
because that was my next question in light of what we know
about GDPR what should we be concerned about. And you just
started going into that, so I wanted to make sure we finish
that and if some others would like to talk to it as well.
Mr. Phillips. Thank you. Congressman, I think this is such
a critical question. The important thing to remember, while a
lot of this debate focuses on a few very large firms, the use,
the collection, the monetization of data is endemic in the
economy. It is everywhere. It is lots of little firms too. And
I think the most essential thing to do is to go and consult
with those firms and ask them, ``Hey, how would this look for
you?'' You know, we want the small businesses to higher coders
not lawyers. If you have five people and one of them is a
lawyer, maybe that is not good for innovation and competition.
So I think consulting with them, asking how the rules apply to
them, not just the big firms, is critical.
Mr. Chopra. Yes, I would love to add just two points here.
I think you are right that we have to think hard about
competition. And one of the things I worry a lot about it is we
are seeing a real slowdown in small business/new business
formation even in the digital economy.
You know, many venture capitalists, many new firms that are
starting are saying, you know, ``The big guys actually have
already taken all the key data. We are never going to catch up.
We now have to create our business maybe just to sell to
them.'' That can really distort innovation in our country and I
am really, I am increasingly worried that our lack of attention
to this issue is deterring lots of entrepreneurs from wanting
to challenge those incumbents. So we need to think hard about
that.
With respect to GDPR, GDPR uses essentially a principles-
based regulatory scheme. So on one hand that might create some
flexibility. On the other hand, it can also lead to
uncertainty. And with bright line rules that actually is easier
for everyone to comply with rather than huge complexity that
only the largest firms can lawyer up to figure out.
Mr. Guthrie. OK. I am going to switch gears real quick
about something in my home, one of my home industries which is
Kentucky bourbon. And we have heard from a lot of our
distillers and people who ship that counterfeiting distilled
spirits is on the rise both domestically and abroad. I only
have a few seconds. So this is a problem because consumers
aren't getting the goods they purchased and counterfeit spirits
can pose a serious hazard.
Chairman Simons, can you speak to the FTC's ability to
monitor and regulate these sales? I know they are through
websites and it is difficult to do.
Mr. Simons. Yes, so this type of thing is obviously of
concern to us. It is a deception. You know, it is
counterfeiting, like you said. The primary agencies that have
jurisdiction over this, I think, are actually the Treasury
Department and the DOJ who actually has criminal authority. So
I think this is more of an issue for those agencies.
Mr. Guthrie. OK. Well, thank you very much and my time is
expired and I yield back.
Ms. Schakowsky. Now the Chair recognizes Mr. O'Halleran for
5 minutes.
Mr. O'Halleran. Thank you, Madam Chair.
Good afternoon. Now I see it is afternoon and thank you for
appearing before us today. Your role in protecting consumers
and competition is critical, particularly in a world where
innovation and technology is rapidly advancing and consumers
are faced with navigating the maze of new technological
developments and regulations. Like my colleagues on this
committee, I look forward to learning more from all of you
about this work.
This week, the FTC is celebrating National Small Business
Week--I thank you for doing that--acknowledging the important
contributions of small businesses, their owners, and in our
communities. As you may know, the 1st district of Arizona is
home to many small businesses, it is mostly a rural district,
including mom and pop shops. Many of these business owners are
located in those types of rural areas throughout the country.
A critical role of the FTC is to provide consumer education
and conduct and outreach. These efforts include providing
practical and plain language guidance on many issues for small
business owners, many of whom are not up to the speed that the
larger businesses are. In fact, the FTC has conducted several
roundtables over the past couple of years to educate small
business owners on various matters including cybersecurity.
It is my understanding that the Commission heard many
concerns from small business owners about data security
including concerns pertaining to the mobile phones and cloud
devices. I would like to hear more about these initiatives and
programs for small business owners and specifically how the FTC
is tailoring its educational and outreach campaigns to those
small businesses in rural areas and how to expand it also as
you move forward.
I have two questions. I want to start with Mr. Simons and
then anybody can jump in. I believe these small business
outreach initiatives are important for the FTC to continue. In
your view, what more can the FTC do to build upon the work of
these small businesses' initiatives moving forward?
And the second question is, as you know, Congress is
currently considering proposals to include in legislation on a
range of issues impacting consumer privacy and data security.
As the FTC considers enforcement actions against corporations
who violate privacy laws, how does the FTC consider enforcement
actions against small businesses versus those against larger
companies? Mr. Simons?
Mr. Simons. Thank you, Congressman. So let me start the
last question first. So we have a standard for data security
that is a reasonableness standard. It is not a one-size-fits-
all and we are very nervous about anyone who would suggest a
one-size-fits-all standard, because as you can imagine a huge
company can afford to spend hundreds of millions of dollars on
its data security because it has so much volume over which to
spread it and the cost per unit is going to be trivial, right.
But if you make small businesses do those same types of data
security measures, they will be out of business. They wouldn't
even come close to making money.
So it is really important that we do this reasonableness
standard, we consider how small the business is, how costly it
is to provide data security, and what kind of data the company
has. If it is not very sensitive then you don't worry so much
about the security, or you don't worry as much and what you
would expect them to do in terms of data security measures
would be a lot smaller.
In terms of the outreach to businesses and consumers, this
is a critical thing that we do. And people suggest to me
sometimes that maybe you should divert some resources from that
to doing more law enforcement, more litigation, for example,
and I think that is a mistake. We really need to have this
consumer outreach and outreach to the business community and we
could do more of it if we had more resources.
Mr. O'Halleran. Thank you, anybody else?
Ms. Slaughter. Thank you, Congressman. I would just add
that I think there are elements of what are in the rules and
the laws that are important; there are also important questions
about the application of prosecutorial discretion. When we see
particular cases, I think it is incumbent upon us to consider
what is the company that we are considering. How big is it?
What is its compliance opportunities or costs, and take that
seriously in making sure that our cases and, more importantly,
our remedies are carefully tailored to the particular
defendants we have in front of us; it is not a one-size-fits-
all approach.
Mr. O'Halleran. Thank you. And, you know, talking about
smaller businesses for a second, I appreciate what you said
about the issue, but they also fit into the entire security
chain and privacy chain and how they blend into that is
important for the overall security of the process. So it is
kind of, I worry about both ways, so.
Mr. Simons. It is a balance you have to strike. You know,
it is like most things in life, there are tradeoffs.
Mr. O'Halleran. Thank you, Madam Chair, and I yield.
Ms. Schakowsky. The Chair now recognizes Mr. Bucshon for 5
minutes.
Mr. Bucshon. Thank you, Madam Chairwoman.
Health information is some of the most valuable data that
is out there. It is very private, very personal, but also very
valuable to people. And I was a healthcare provider before. So,
Chairman Simons, one of the focuses that I will have on a
privacy bill, how we address health information not covered by
HIPAA and how does the Commission deal with this type of health
information now and how should we be thinking through this
issue when fitness trackers and other health apps are very
popular and becoming more popular?
Mr. Simons. Yes, I mean if you are talking about the same
data that is covered by HIPAA and you are talking about, you
know, it is really, it is sensitive data, you have to think
about treating it in a similar manner. And one of the things
that I think is the real advantage of the Federal privacy
legislation that you were considering is that it would be
broad-based and not cabined to particular types of information.
And so, I think that makes things easier to deal with.
Mr. Bucshon. Yes, because, you know, there is going to--I
mean there is real-time glucose monitoring for diabetics, and
people may not want people to know that they are diabetic and
that information could be out there, or your blood pressure
could be high and people may not know. I mean it is going to be
real important that we figure how we protect that type of
information, I think.
Mr. Simons. Yes, I agree.
Mr. Bucshon. Yes.
Ms. Wilson, do you have any comments? Commissioner Wilson?
Ms. Wilson. I agree that the Federal Trade Commission has
long applied a risk-based approach to the evaluation of privacy
and the more sensitive the information, the greater the
protections it deserves. We have taken the same approach with
Federal legislation, children's information in COPPA, health
information in HIPAA.
The gaps that you are mentioning concern me. Emerging
technologies change the landscape and some of this very
sensitive information is not currently covered under Federal
legislation. We can get at it through our Section 5 authority,
but having guidance at the Federal level would be very useful,
and so greater authority in that area would help protect this
information more.
Mr. Bucshon. Yes, because I mean we have been talking
about, you know, how you have to click ``agree'' if you want to
get a certain account, right, and that is probably true with
devices that now monitor your health, right. And so that will
be an area we have to look at too. People, you know, broadly as
you mentioned that people should know if they put on a certain
device that it may very well transmit health information to
someone, and it may be in the paperwork and you may just not
know.
I will give you a second.
Ms. Wilson. So I completely agree. I think consumers are
able to make decisions that are in their own best interest if
they have information about the choices that they have. But
there is a lot of consumer confusion right now. There is a lack
of clarity about what is being done with their data. Greater
transparency is an imperative.
Mr. Bucshon. Yes, and even when they know maybe that their
health information is going to be transmitted, they still
should have some coverage for the privacy of that like under
HIPAA.
Mr. Chopra. I just wanted to add, something that makes this
even harder is with artificial intelligence and machine
learning. Even if we don't hand over our health information,
companies may know our health information based on what we are
searching in terms of our symptoms, geolocation of where we are
going. So that is going to make it really difficult when
formulas and algorithms are determined and it may even know our
health conditions even if they have not been formally
diagnosed.
Mr. Bucshon. Yes, I mean if you have your phone on you and
you show up at an oncologist's office that tells people kind
of----
Mr. Chopra. You have cancer.
Mr. Bucshon. Yes, and I don't know how we protect that.
Commissioner Phillips, do you have any comments on this?
Mr. Phillips. I said earlier that one of the things that
Congress has done over time is it has looked at areas of
greater levels of risk and I think this is an area that
deserves strong consideration, and I think I agree with all my
colleagues when I say that. The one thing I would add is that I
do think it is important not just to consider the what in terms
of HIPAA, but how HIPAA has worked. HIPAA, the studies show,
has sometimes prevented what can be really pro-competitive and
pro-consumer technology.
Mr. Bucshon. Yes, yes.
Mr. Phillips. You know, you fill out a form every time you
go to the doctor's office, every single doctor, and the doctors
can't talk to each other so you have to repeat your symptoms
to----
Mr. Bucshon. Oh, I am very well aware of that problem.
Mr. Phillips. And so, I do think when we talk about HIPAA
we ought to think about how it is working and how it is not
working.
Mr. Bucshon. OK, thank you all, I yield back.
Ms. Schakowsky. I now recognize Congresswoman Blunt
Rochester.
Ms. Blunt Rochester. Thank you, Madam Chairwoman, and thank
you all for your testimonies. First, before I get into my
questions about privacy and data security, I want to ask you
about our seniors who face scams especially through exploited
practices like gift cards. And today I am introducing the Stop
Senior Scams Act with my friend and colleague, Mr. Walberg of
Michigan, who is across the aisle. And this bill is a House
companion to a bill introduced by Senators Casey and Moran
earlier this year.
I know you and your staff are working with the Senators and
I look forward to working with you further as we consider this
bill on the House side. And, Commissioners, I just wanted to
ask briefly if you are seeing a lot of this like on the rise in
terms of the scams for seniors with these gift cards? If you
could just briefly and then we will jump into the other
questions.
Mr. Simons. This is a big issue for us. You know, we are
focused very much and have a high priority for scams dealing
with the senior community. And we put out, we do a whole bunch
of different things in terms of education. We put out guidance
that, you know, if it is a gift card it is only supposed to be
for gifts, right.
We have a program what we call Pass it On, which is an
effort to, as one of my colleagues said, be a force multiplier.
It is to get people in the seniors' community to help other
people in the seniors community avoid these types of things. So
this is something we are very focused on and outreach is very
important in this regard.
Ms. Blunt Rochester. Great. I look forward to working with
you on this. I want to shift to the privacy and data questions
and I want to turn our attention to something that came up
earlier when Representative Kelly was speaking. I think it was
Commissioner Chopra who talked about dark patterns and that it
is gaining a lot of notoriety.
And I really wanted to kind of focus on this, because for
those who don't know what it is, and I am going to ask you,
Commissioner Chopra, to actually share how you would describe
this. How I have it is, it is a pattern, or for--a dark pattern
is a website or app design that is intentionally deceptive in
order to push users into content, products, or even participate
in data collection activities without their informed consent.
And I can bet everybody in this room has been a victim to this.
And even, ironically, if you Google dark patterns, later you
will probably be affected by this.
In the privacy space, many of my colleagues have touched on
similar issues as it impacts consumers, children, and social
media, but most recently even the IRS Free File had a
connection to dark patterns. People seeking income-based
assistance in filing their taxes were potentially steered
unsuspectingly to products that were neither part of the IRS
program or were free. And entities like Facebook we hear are--
that they are affected by it, but there are even more out
there.
So if you could talk a little bit about this practice. And
then if you could also talk about what we in Congress should be
doing to address it.
Mr. Chopra. Sure. And, Congresswoman, I am not an expert on
it, but my general understanding is that using various sorts of
testing and tactics, firms can nudge consumers into choosing
certain things or deterring them. And one of the, I believe the
researcher who coined the term also uses the term ``roach
motel,''----
Ms. Blunt Rochester. Yes.
Mr. Chopra [continuing]. Which is that you can check in,
create an account but it is impossible to get out. And one of
the things that I hope that we can really modernize some of our
analytical tools, use different types of economics including
behavioral economics, to understand how consumers actually can
be harmed by this.
I am not positive, to be honest I am happy to answer
questions for the record about whether our deception authority
here is enough, but it is very troubling.
Ms. Blunt Rochester. Yes, I was actually going to ask about
deception authority, but you said you are not sure.
One of the other questions, as the more that you all
talked, when you talked about artificial intelligence, machine
learning, geolearning, one of the questions I really have is
from a workforce perspective. Are we in government, do we have
the skills, the capabilities, the training to be able to be a
step ahead of what is upon us now? I would love to--yes,
Commissioner Wilson?
Ms. Wilson. So I think this is one of the great things
about the Federal Trade Commission. We do have a history of
engaging in competition and consumer protection R&D. And
Chairman Simons, last summer, announced the competition and
consumer protection hearings for the 21st century, and we have
held hearings with dozens and dozens and hundreds of
participants and comments focusing on things like AI and
machine learning and algorithms and how these affect consumers
and the kinds of harms that can be created.
And so, I think we are continuing to learn and to move up
the learning curve and I think with that learning we can begin
to identify precisely the resources that we need to fulfill our
mission of protecting consumers.
Ms. Blunt Rochester. My time has run out, but I had so many
questions as well about behavioral research and study, but
thank you so much for your testimony.
Ms. Schakowsky. And of course all of the questions can be
submitted for the record. We hope our witnesses will reply.
And now let me recognize--oh, Mr. Hudson has arrived. You
have 5 minutes.
Mr. Hudson. I thank the chairwoman and thank you to all the
Commissioners for your time today.
Chairman Simons, as you have heard today, we are committed
to protecting small businesses and promoting innovation. Some
other agencies are using or considering regulatory sandboxes
for new innovations. Can you explain this concept and whether
you believe we should consider a similar approach for privacy
regulations?
Mr. Simons. So the regulatory sandbox as I understand it--
and thank you for the question, Congressman--is a situation
where small businesses would be able to--play is not the right,
I mean that is the analogy--but to get started. And so, for
example, people have proposed that for small businesses that
they wouldn't have to comply with like, for example, maybe a
Federal privacy legislation that you pass in the coming months
until they get to a certain size.
And to be honest, I have thoughts positive and negative
about that. So the positive is it cuts down, clearly, on the
cost of getting into business and maybe allows people to grow
that would never get off the ground. On the other hand, if the
privacy legislation you pass really is protecting people, you
know, small businesses can get a lot of sensitive information
and you really worry about that.
Mr. Hudson. I appreciate that answer.
Mr. Phillips. Congressman.
Mr. Hudson. Commissioner Phillips, do you support the use
of regulatory sandboxes and what are the barriers you see to
doing something similar like this?
Mr. Phillips. So I think it is something very much worthy
of consideration, but I want to add something and this may be
my mistake, but I have a slightly different understanding of
how at least internationally some of these regulatory sandboxes
at working.
My understanding is and it may be how you structure it, it
isn't necessarily just a shield for liability for small
businesses, it is an opportunity maybe where the law is gray or
something that is close to the line where under the supervision
of the regulator the business can undertake an innovative thing
that might be legally questionable. This is something they are
pioneering in the United Kingdom right now on privacy. It has
been utilized in the financial space.
I do think consistent with and as a parent of small
children allowing your kids to play in the sandbox that
supervision is key, but I do think it is an opportunity to
test, you know, where are there maybe some pro-competitive
impacts to the conduct. The Chairman is a hundred percent right
that small businesses can present risks just like big
businesses can. It is a question of how you structure it. But
there are some, really, examples out there that I think you
should consider.
Mr. Hudson. Great. I appreciate that.
Chairman Simons, as you know there are many other
industries across the United States that are subject to various
privacy laws. Some of the most familiar are the Health
Insurance Portability and Accountability Act for the healthcare
industry; Graham-Leach-Bliley for financial services. Do you
believe the FTC would have to exercise concurrent jurisdiction
with the other Federal agencies to implement a national privacy
law and, if so, how would you recommend we do that?
Mr. Simons. Well, I think it depends on what you pass,
right, so you could pass a law that says yes or says no to that
question. And also I think it depends on, you know, how much,
you know, what you put in the law in terms of whether as a
result of that whether you want to make, you know, what is now
covered by HIPAA covered by your new privacy legislation or
some of these other things, whether you want to fold that in or
not. So it is kind of hard to say in a vacuum.
Mr. Hudson. But if we follow that example, you know, how
would we implement that, the HIPAA example?
Mr. Simons. Oh, so you mean if you had these jurisdictions?
Mr. Hudson. As far as agencies going to work together.
Mr. Simons. We would just have to coordinate to make sure
we don't step on each other. I mean we have lots of that. Like,
for example, the FDA and the FTC are regulating, you know,
drugs in different ways, but it is the same drug, you know, so
that kind of coordination is common.
Mr. Hudson. Got you.
Bouncing back to Commissioner Phillips, a difficult piece
of this privacy discussion is the sharing of consumer data and
downstream misuse. We know sharing information offers great
benefits, but once a company shares that information, we see
misuse from companies two or three steps down the supply chain.
How does the Commission approach this issue and do you have
any recommendations on this point for a Federal bill?
Mr. Simons. I think looking at the supply chain and
understanding the full scope of companies involved in the use
of data, which is breathtaking, right, in its scope, is
critical. We need to understand how the data are being used. We
also though need to understand that the point at which the
consumer interacts with the company is a very critical point
for transparency and things like that.
Mr. Hudson. Thank you.
And, Madam Chairman, my time is about up, so I will yield
back. I thank the Commissioners.
Ms. Schakowsky. The gentleman yields back.
I understand there is some desire by the panel of witnesses
for a short break. I understand that, so let's make a maximum
of 5 minutes and let--and then they will come back, OK. Or
maybe Members as well would like to take that moment.
[Recess.]
Ms. Schakowsky. The committee hearing will resume and I
will recognize for 5 minutes, Mr. Lujan.
Mr. Lujan. Thank you, Madam Chair.
Commissioner Slaughter, rapid advancements in technology
have transformed the way that companies use personal data. In
just over a decade, we have moved from a world of desktop
computers to one where each of us has devices always on, it
seems always collecting data about everything we do and
everywhere that we go. It is vital that the FTC keep current on
new technology and train its staff on emerging consumer
protection issues.
Despite the often-technical nature of privacy and security
matters, the FTC has only five full-time staffers classified as
technologists. How do technologists help the staff attorneys on
privacy and data security cases?
Ms. Slaughter. Thank you for the question, Congressman.
Technologists are extremely important. When we need to
understand the material with which we are working in any
particular case, and the more highly technical the field, the
more highly technical the practices that we are investigating,
the more we can benefit from the experience of a technologist.
I think, I routinely try to rack my brain to think of cases we
have encountered not just in the privacy and data security
area, but across our mission in competition and consumer
protection that don't involve some technological element and it
is very difficult for me to think of any.
Mr. Lujan. What role do technologists play in helping
identify cases where someone might have violated the law?
Ms. Slaughter. I think they can play an extremely valuable
role. I mean we, our case identification comes from consumer
complaints, it comes from press stories, it comes from
experience of staff who identify issues, and technologists can
apply a level of expertise to picking out technological-
specific issues that might not necessarily occur to an attorney
independently.
Mr. Lujan. Commissioner Slaughter, do you know how many of
the five technologists the FTC has work on privacy and data
security enforcement?
Ms. Slaughter. I am not actually entirely sure how to
answer that direct question, but to the extent that you are
suggesting that five technologists is not a lot for the scope
of the work that we are obligated to do in privacy and data
security, I agree that we could benefit from a lot more
technological expertise.
Mr. Lujan. Chairman Simons, do you know how many of the
five technologists work on privacy and data security
enforcement?
Mr. Simons. My understanding is that one----
Mr. Lujan. Your microphone, please.
Mr. Simons. My understanding is that at one point or
another they all do.
Mr. Lujan. Are there enough technologists for the FTC to do
their work?
Mr. Simons. We could certainly use more. And what we do
with them, actually, is so they do original research. They also
educate our lawyers, so it is kind of a bit of a force
multiplier. And in addition, they serve another very important
function is where we don't have internal resources sufficient
to help us with our cases, they identify experts for us outside
the agency who we can then hire on a contract basis.
Mr. Lujan. And one specific question to all the
Commissioners, do you agree that it would help the FTC's
enforcement activities if there were more technologists working
directly with staff attorneys?
Mr. Simons. Yes.
Mr. Lujan. Yes?
Ms. Wilson. Yes.
Ms. Slaughter. Yes. We put an economist on every case that
we consider both competition and consumer protection. I think
we could benefit from technologists too.
Mr. Phillips. Congressman, yes. But I just want to
reiterate a point that the Chairman made, which is the use of
outside experts. The thing about technology is, there is a lot
of it, and a lot of it is different. If you bring someone on
permanently, they may have expertise in a given area, but if
you use the money to hire on a case-by-case basis, you can be
more tailored, more efficient, and look at more different kinds
of technology.
Mr. Lujan. Just as long as those experts don't have a
conflict of interest with the space you are playing in?
Mr. Phillips. Oh, of course you want to avoid conflict of
interest in hiring outside folks.
Mr. Long. Commissioner Chopra?
Mr. Chopra. Yes, I agree with Commissioner Slaughter
completely.
Mr. Lujan. Appreciate that.
Mr. Chairman, the last several FTC Chairs have appointed a
chief technologist to advise the Commissioners on significant
policy issues involving new technologies. You have now been in
charge of the agency for more than a year at a time when the
FTC is addressing some of the most significant privacy and data
security issues in the agency's history, and yet you have
chosen not to appoint a chief technologist to assist you on the
Commission. Why not?
Mr. Simons. Well, that was one of the first things I looked
at upon becoming Chairman. And what struck me right out of the
box was that the chief technologist is appended to the
Chairman's Office in a kind of unusual way in the
organizational chart. The chief technologist had no direct
reports, no infrastructure for him or her, no staff. They
weren't directly connected to the staff of the Bureau of
Consumer Protection or the Bureau of Competition, and so that
struck me as an odd organizational structure.
And so, I talked to people in the Bureau of Competition and
Bureau of Consumer Protection. The Bureau of Consumer
Protection has its own technologist staff called the Office of
Technology Research and Investigation. That is where the five
technologists are housed. That group works extremely well with
the people in the Bureau of Consumer Protection and they were
going to be very upset if I moved those people out.
I was thinking about creating a Bureau of Technology. So
rather than do that we created a technology task force in the
Bureau of Competition which is going to have a technology
fellow. And I have transferred the FTE from the chief
technology officer to the technology task force in the Bureau
of Competition so we have more boots on the ground in terms of
dealing with these investigations that we are conducting.
Mr. Lujan. But still very clear that more technologists
would be of beneficiary, especially with the numbers that I
shared earlier, 500 million, 148 million, 87 million just to
name three examples.
Mr. Simons. Yes.
Mr. Lujan. Thank you for the time, Madam Chair.
Ms. Schakowsky. Thank you and now I recognize Mr.
Gianforte.
Mr. Gianforte. Thank you, Madam Chair.
And thank you for being here for this important topic. Last
week, we had another subcommittee hearing on robocalls. And
Montanans are getting bombarded with robocalls and they are
sick and tired of them. One constituent in my district got a
call from her little brother. Unfortunately, her little brother
had died of a heroin overdose a couple of months earlier. This
was a terrible situation for her and nobody should really have
to go through this. This has to end.
I am just curious, Mr. Chairman, what is the Commission
doing to stop robocalls like these?
Mr. Simons. Yes, thank you for that question. And, first of
all, this is an issue for domestic tranquility in my own
household. This is, to me, when I was coming into office this
was probably the most important thing at least in that my wife
was telling me about and then lots of other people too, and it
is such an incredible inconvenience. And worse than that it is
not just an inconvenience, it often leads to fraud.
So our Do Not Call rule has been overcome by technological
advances and so we have to find other ways to do it and we are
proceeding on multiple fronts. We still continue to bring
significant enforcement actions to shut these people down who
are doing these robocalls; we coordinate with the FCC. And the
other thing that we would really like help from you in the
Congress is to give us jurisdiction over common carriers,
because there are some common carriers that cater to this
robocall traffic, particularly the traffic that originates from
overseas. And if we had the ability to go after these common
carriers, we could, I think, put a significant dent in these
robocalls.
Mr. Gianforte. OK. We have the situation where these
robocallers, if that is a noun, masquerade as local numbers.
Mr. Simons. Yes.
Mr. Gianforte. Would this common carrier authority allow
you to go after those individuals and that behavior?
Mr. Simons. Yes, in the sense that we could identify the
carriers that are facilitating the robocallers and just stop
them from, like in the case of the foreign ones stop them from
entering the U.S. telephone network at the outset.
Ms. Slaughter. Can I just jump in there, Congressman, and
add that----
Mr. Gianforte. Yes, Commissioner.
Ms. Slaughter [continuing]. I think the Chairman referenced
how technological innovations have overtaken us and you
mentioned this neighborhood spoofing problem. I think it is
also worth Congress considering whether not just enforcement
should be applicable to common carriers, but whether there
should be more onus placed on the cell phone carriers in the
first place and more responsibility placed on them to stop some
of this traffic that goes over their network, I think, in the
first instance even before you consider the enforcement on the
back end.
Mr. Gianforte. OK, thank you.
Commissioner Phillips, my understanding is that when the
FTC seeks to recover ill-gotten gains from any entity that has
violated FTC competition rules, the Commission seeks to recover
the profits from the unlawful act. Is that correct and can you
briefly explain how the Commission calculates ill-gotten gains?
Mr. Phillips. Do you mean in the competition context?
Mr. Gianforte. Yes.
Mr. Phillips. Yes, and thank you for that clarification. So
let me give a little context and then give you the answer. The,
traditionally, three things that we have considered in the
context of whether to pursue ill-gotten gains disgorgement in a
competition case include whether the rule is clear, so whether
it is serving that deterrent function that we want it to;
second, we consider is there a reasonable basis to calculate
it, and I will talk about how we have and, in fact, how it
applied in a case that I mentioned earlier; and third, we
consider whether there are other ways of remediating the issue,
so civil lawsuits and things like that also being out there.
In the AbbVie case, which is a good example, what we did a
lot of, you know, hard economic or like a lot of measurement to
determine what they were making relative to what they would
have been making without the anticompetitive conduct. In that
case it was a sham litigation keeping drugs off the market. And
so that is the differential at which we look, you know, what
you made and what you would have made without doing the thing
you weren't supposed to do.
Mr. Gianforte. OK, thank you.
Chairman Simons, I am concerned with legislating for the
sake of legislating and seeking to solve a problem that may not
exist. I believe any Federal privacy bill must focus on
specific harms. You talked to this earlier. Can you elaborate a
little bit on why it is so important we focus on privacy harms
to consumers in our attempt to legislate in this area?
Mr. Simons. I mean I agree with you completely. Thank you
for that question that if it ain't broke, don't fix it. And if
you are going to, you know, you only want to create legislation
for things that are causing problems and you have a fix for it.
So in the privacy sector, however, the harm, I think, is very
tricky and that is one of the reasons that we--and also with
data security one of the reasons we need civil penalty
authority, because it is hard to measure in any kind of
precise, quantitative way if you are talking about, you know, a
monetary relief.
And so, because of that factor you really need to do civil
penalties and you need to think about is there a harm like a
privacy invasion or something like that which is not
monetarily--you can't--it is hard to quantify but it is still a
harm. People, it still bothers people. It still, it can lead to
other problems.
Mr. Gianforte. OK, thank you.
On that I yield back, Madam Chair.
Ms. Schakowsky. Thank you and I now recognize Mr. Soto for
5 minutes.
Mr. Soto. Thank you, Chairwoman.
I think it is safe to say at this point that the internet
is integral to our daily lives and has been for over 20 years,
which is why it is so shocking that there hasn't been a single
law to regulate internet privacy directly during that time and
beforehand. So it is my belief that the biggest threat to
internet integrity is congressional inaction. We see a
patchwork of statutes, 1914, FTC Act creating your Commission,
who would have thought that President Woodrow Wilson would have
such an influence on the internet? 1986, Electronic
Communications Privacy Act to protect communications; also
1986, Computer Fraud and Abuse Act. 1998, Children's Online
Privacy Act, which was referenced by Congresswoman Castor.
2003, the CAN-SPAM Act to protect us against unsolicited
emails.
Most of these predate the internet and pretty much all of
them were created when dial-up was still the form of getting on
the internet. So I just want to make a statement to say that
you know, you all are charged with a really impossible task.
You have to interpret these isolated moonstones to come up with
this comprehensive privacy regime because Congress hasn't given
you direction on it.
So thank you for doing what is nearly impossible to do,
which is regulate privacy without laws to directly do that.
Even the courts have filled in the gap with Carpenter v. U.S.
establishing cell phone privacy.
So, Madam Chairwoman, I hope that we will out of this
committee be able to develop some key protections, making sure
that companies have a duty of care, a duty to protect civil
rights, and a duty to protect privacy. And that the penalties
will be sufficient so it is more costly to pay for a breach
than it is to pay for sufficient cybersecurity investments.
Second, I hope that we establish that Americans have a
right to control their information, a right to stop the use of
their information if they choose so, and if they do, companies
should have a right to charge for their services. And third,
waivers should be put in plain language. I want to get out how
we are determining damages. We heard a little bit of that
discussion before.
I have read in the paper that there may be a fine against
Facebook between 3 to 5 billion dollars. Chairman Simon, what
is the total amount of that fine?
Mr. Simons. Oh, I am sorry, Congressman, but I can't talk
about an ongoing nonpublic investigation.
Mr. Soto. What factors do you generally utilize in
determining those types of damages?
Mr. Simons. So you would look at the prior conduct, the
culpability, the ability to pay, and the deterrent effect.
Mr. Soto. Commissioner Chopra, if it was at the upper end
of $5 billion, do you think that would be a sufficient
deterrent for the activities complained of?
Mr. Chopra. I think it is not appropriate to comment on
that. Obviously, deterrence is important. When it comes to
violations of our rules, violations of our orders, nothing can
be the cost of doing business.
Mr. Soto. Turning to the TikTok settlement that
Congresswoman Castor talked about, Chairman Simon, what were
the factors utilized in determining that fine?
Mr. Simons. I believe the ones I articulated.
Mr. Soto. And----
Mr. Simons. And the other thing too is that you know, this
is a negotiation that resulted in a settlement. And we also
have to take into account what the likely outcome would have
been in court and if we couldn't have done better in court,
then it makes sense to settle. And that is one of the issues
that we face kind of generally is that historically the civil
penalty awards have been quite low and so one of the things we
are thinking about is a way to get them generally raised on
average.
Mr. Soto. So that is something else this committee has to
work on then is to make sure that the civil penalties are a
sufficient deterrent.
Commissioner Slaughter, was the TikTok settlement a
sufficient deterrent for on the behavior complained of?
Ms. Slaughter. The statement that Commissioner Chopra and I
put out in connection with that settlement explained that the
investigation and, really, most of the negotiation of how to
resolve that case took place before this slate of Commissioners
was constituted. And it is very difficult for us, I think as a
general matter, to look back without having been part of a
conversation to discuss it, so we were focusing on in the
future whether it is--not whether--that it is important that
our investigations, including of large companies, really ask
all the questions that we need to determine where liability
properly lies.
Mr. Soto. Thank you for that. I want to turn to identity
theft. We see in our notes 444,000 complaints of identity
theft. Chairman Simons, do you know the cost to the economy or
the loss to the economy that identity theft on the internet
poses currently?
Mr. Simons. I think the average is about $150 per person.
Mr. Soto. And so, do you have an overall figure for that or
do we have to multiply it by 330 million?
Mr. Simons. I don't other than it is quite large.
Mr. Soto. OK, thanks. And I yield back.
Ms. Schakowsky. The gentleman yields back and now I ask Mr.
Carter for his 5 minutes.
Mr. Carter. Thank you, Madam Chair.
And, Mr. Simons and Commissioners, thank you for being
here. This is an extremely important subject as you well know
and we in Congress are depending on you and we are relying on
you to help us through this because it is something that we
want to get right. And it is certainly something that our
constituents and the citizens of our country need to have right
and to be done by right.
Mr. Simons, I want to ask you, where in the current law,
where does the FTC's ability to enforce privacy or where does
it end? I mean, you know, I have heard you say before that the
FTC is the cop on the beat when it comes to privacy and I
understand that. But, you know, where does your authority end
at this point or under current law?
Mr. Simons. Right. Thank you for that question,
Congressman. So, our general Section 5 authority comes from
that hundred-year-old statute which was not designed, for sure,
to deal with this kind of issue, so I credit my predecessors at
the FTC for basically inventing a privacy program out of
Section 5. I think they did a terrific job with the material
they had available on them and it is based largely on a
deception authority.
So we started out by saying you should have a privacy
policy at your company and then if you divert from it then that
is a deception and we can hold you accountable. And then we
expanded that to include, for example, things that look like
privacy torts at common law and we cover those under
unfairness. But in terms of the general privacy authority, not
including FCRA or COPPA or whatever, this is really it and it
is pretty narrow.
Mr. Carter. So you would agree that something more would
help?
Mr. Simons. Yes. I mean that is why we are encouraging the
Congress to adopt privacy legislation.
Mr. Carter. OK, and not only for that reason, but I mean,
if we look at the other laws that are being proposed like in
California and Europe, you know, here we have a situation where
we really need something to be preemptive particularly in the
case of what is being offered in California.
I mean it is very important that the Private Right of
Action that is being proposed in California that that would be
an additional punishment on top of the FTC action as I
understand it. And certainly, we don't need plaintiffs'
attorneys to be involved in this. We need the FTC to be the cop
on the beat as you describe them.
Mr. Simons. Yes. I think what I have said before is that we
should be the enforcer of that legislation that you are
considering and you should allow the State Attorneys General to
enforce as well, just as they do in lots of other areas in
conjunction with us. They are a terrific partner and I would
strongly recommend that.
Mr. Carter. So you have the ability and you do take action
on fining certain--and posing financial penalties. How do you
come about--how do you come up with that? I mean how do you
determine how much that is?
Mr. Simons. Well, it depends on the case that is involved.
And just to be clear, we don't actually have any fining
authority ourselves like our counterparts do in Europe. We
would have to go to court, actually, to get a fine paid unless
it was pursuant to a consent settlement.
Mr. Carter. OK, so you have to go to court, so you have to
justify it in court as to why you think it should be that much?
Mr. Simons. Yes, so that is the limiting factor in all of
this. Anytime you are thinking about a settlement, if the
settlement gets to a point where you say to yourself, ``Gee, we
probably cannot do nearly as well as this, or maybe we could do
just about as well as this in litigation, but the litigation
has lots of risks,'' so when you get to that point then you
really should settle. I mean that is the appropriate thing to
do. Otherwise, if you are just going to go to court and
irrespective of the settlement, then that really becomes almost
unethical or potentially harassment.
Mr. Carter. So when the financial penalty is imposed where
does it go?
Mr. Simons. So specifically for a civil penalty that would
go to the Treasury, so that would be for an order violation or
like in COPPA we have civil penalty authority. That would apply
there. With respect to our 13(b) authority where we go in and
get injunctive relief and we get consumer redress that gets
disbursed to the consumers.
Mr. Carter. OK. Well, you know, again I would look at this
as being a tremendous opportunity for us as Members of Congress
to work in a bipartisan fashion to come up with something that
would benefit everyone and certainly, you know, would benefit
citizens. And if I get input of any kind, certainly privacy is
one of the things that is on top of the list. I mean
constituents are consistently telling me, you know, we need
this. We need this. And this is something, you know, we don't
want to stifle innovation or anything, but we do need our
privacy protected.
So thank you very much and thank all of you for your work
on this, and I yield back.
Ms. Schakowsky. The gentleman yields back and now I
recognize Mr. McNerney, patient Mr. McNerney, for 5 minutes.
Mr. McNerney. Well, I thank the chairlady. And one of the
problems of being last is that all the questions I wanted to
ask have already been asked, so forgive me if I am repetitive
here.
But Pete Olson, my Republican colleague Pete Olson, and I
are cochairs of the AI Caucus, and one of the areas that I am
interested in is algorithmic biasing and data biasing. And we
have discussed that a little bit already, but I know that the
FTC has had a couple of hearings focused on AI and there was a
report entitled, ``Big Data: A Tool for Inclusion or
Exclusion.''
Chairman, what steps is the FTC taking today to protect
consumers from potential harm and bias in AI algorithms and----
Mr. Simons. This is something we look at carefully and is a
priority for us. We had a recent case, actually, involving a
company that does background screening using algorithms and the
algorithms improperly associated people with criminal records.
So we got them to fix their algorithms, this is a form of AI.
So this is something we are looking at. It is real.
Mr. McNerney. Well, you don't have any authority over
algorithms and decision making on lethal use of force, say, in
law enforcement, do you?
Mr. Simons. I don't think so. I mean anything that is
criminal we wouldn't have jurisdiction over.
Mr. McNerney. OK. Is the agency developing any guidance or
educational tools to help address the problem?
Mr. Simons. I think we have business outreach that suggests
that businesses think about these types of issues as they are,
you know, and they look for biases and the results of their
algorithms in AI.
Mr. McNerney. Well, I know that Mr. Lujan asked a similar
question regarding the importance of technologists. Is the
Commission planning on hiring technologists in the AI field
specifically for bias?
Mr. Simons. We don't have a specific plan to do that unless
we get more resources. But what we do in the interim is we use
our existing technologists on our staff to do outreach to the
technology community and to talk to experts, to have
conferences, and to help them educate our staff.
Mr. McNerney. But are there any other AI potential harms
that the FTC is considering besides biasing?
Mr. Simons. There probably are, but I just, you know, I
can't think of it, as I said.
Mr. McNerney. Anyone else on the Commission?
Mr. Chopra. Sure, Congressman. One other area we think
about with respect to artificial intelligence is in our work to
enforce laws against anticompetitive conduct. Sometimes
algorithms and AI can help online sellers collude on price. It
can lead to, you know, other anticompetitive conduct, and we
are thinking about this across the agency.
Mr. Simons. Yes, one thing about that that is interesting
is if AI allows companies to tacitly collude more easily that
might be a justification for more aggressive merger enforcement
in industries where that is occurring.
Mr. McNerney. Chairman, does the Commission have the
authority to structure civil penalties to be meaningful to
large companies without devastating small companies? Do you
have that authority?
Mr. Simons. Yes. We have flexibility in that regard.
Mr. McNerney. OK, so you don't need any congressional
legislation or anything like that.
Mr. Simons. Not to deal with the flexibility issue.
Mr. McNerney. Thank you. I understand the agency held 13
hearings to evaluate practices of both Competition and Consumer
Protection Bureaus. I know you are still in the process of
receiving comments, but I do have a series of questions about
these hearings especially because I know these hearings took up
a significant amount of the resources and the Commission has
limited resources.
Can you give me the top three takeaways from these
hearings? What is the basis of what you have learned?
Mr. Simons. So one of the things we learned is that merger
retrospectives are really important and we got a lot of good
testimony on that and that is something we really need. And if
we got more resources that is one of the things we would do,
and in particular merger retrospectives as relate to vertical
mergers. That was highly recommended.I don't think really that
is the literature, the literature on merger retrospectives is
much greater on horizontal and is much less on the vertical
merger side. So that was one.
With respect to privacy and data security, we got a lot of
feedback that we really do need civil penalty authority, that
we need targeted rulemaking, and that we need jurisdiction over
common carriers and nonprofits.
Mr. McNerney. I mean a little schizophrenic about
rulemaking, I mean you want the rulemaking to be targeted----
Mr. Simons. Yes.
Mr. McNerney [continuing]. But you don't want it to put you
in a bind as well, so I understand that.
Mr. Simons. No, so we would like--at least my view is that
these privacy issues involve very serious and significant
societal and cultural value judgments, and those should be made
to the greatest extent possible by elected officials and not
people who are unelected. So our view is that--my view is that
you should make those judgments.
And we are happy to help you make them. We are happy to
work with you. We are happy to provide analysis of the
tradeoffs that any particular piece of legislation may present.
But, you know, at the end of the day, our view is that Congress
should do that and we should have authority to do rulemaking
that allows us to keep the whatever you pass up-to-date and
consistent with new technology and new business methods.
Mr. McNerney. Thank you. Thank you, Chairwoman.
Ms. Schakowsky. The gentleman yields back. And, Mr.
Cardenas, you are recognized for 5 minutes.
Mr. Cardenas. Thank you very much. Thank you very much,
Madam Chairwoman, for having this important hearing with the
FTC. My question to the FTC is that in 2018 FTC cases resulted
in a total of about $2.3 billion in refunds for consumers who
lost money to frauds and other unfair or deceptive practices. I
commend you for doing that especially when you look in light of
the overall budget for FTC is about $300 million per annum. But
recent Federal court decisions put the FTC's power to get
compensation for consumers at a serious risk, particularly in
cases where the company has stopped violating the law. For
example, my question is can one of you explain how these
decisions limit the FTC's authority under Section 13(b) of the
FTC Act?
Ms. Wilson. Sure, so this is a critical issue, thank you
for raising it, and it is why I addressed it in my opening
statement that the issue is that the third circuit has recently
put in place a standard that would enable us to go after
conduct in courts only if the conduct is ongoing or imminent.
And so, if in the course of an investigation a defendant
halts the conduct that we are challenging, say, a fraudster
stops defrauding people or an advertiser suspends dubious
advertising claims, then we are unable to go after that conduct
under the third circuit standard unless we are able to show
that it is imminent. So even if the fraudster has engaged in
fraud in the past but is not doing it at this moment, unless we
can prove that it is imminent, we can't reach it.
And this is a serious question that has been raised about
the scope of our authority. We believe that this flies against
a long line of cases saying otherwise, but we would appreciate
clarification from Congress on the scope of our 13(b)
authority.
Mr. Cardenas. OK, thank you.
Chairman Simons, how serious of an issue are these
decisions for the FTC's enforcement of Section 5?
Mr. Simons. So if they were to become the law of the land,
so to speak, this would be highly problematic for us. I think
it would basically destroy our fraud program. We wouldn't be
able to recover consumer redress----
Mr. Cardenas. Fraud as in protecting the consumers,
protecting the people of America.
Mr. Simons. Yes, like you referenced to whatever it was,
the 2.3 billion or whatever, we wouldn't be able to recover
that if these cases became law.
Mr. Cardenas. OK. What do these cases do to the FTC's
ability to make consumers whole?
Mr. Simons. They really just take it away.
Mr. Cardenas. OK, so basically the FTC in this as what we
are talking about at the moment is actually helping the
American people set something right, so the FTC is actually a
part of that.
Mr. Simons. Yes, absolutely.
Mr. Cardenas. OK, so Congress could write clarifying law,
right, that that is what Congress hopefully should and will do.
Mr. Simons. Yes, we would love for you to do that.
Mr. Cardenas. Yes. Hopefully I can talk to some
congressional Members and we will do that.
Mr. Phillips. Congressman, could I add just one thing to
that?
Mr. Cardenas. Yes, please.
Mr. Phillips. And I absolutely agree with my colleagues
that clarifying longstanding precedent on the impact of 13(b)
is essential. I want to add another thing. Next year the SAFE
WEB Act is going to expire. This is an essential tool that we
use to work with our partners abroad to do cross-border
consumer protection including privacy enforcement. I think it
is a no-brainer and you ought to consider that as well.
Mr. Cardenas. Thank you.
Mr. Chopra, do you have anything to add to that?
Mr. Chopra. I agree with my colleagues completely.
Mr. Cardenas. Good. That is great. Appointed by Democrat
and Republicans and you all agree on this issue. Good, good,
good, good.
So when it comes to made in the USA, my time is limited so
I will cut to the point and the question. I am concerned that
the FTC settled on some cases for no money without so much as
an admission of liability and some defendants effectively
cheated consumers and got away with little more than lying
about products being made in America. That obviously has a
value on the streets of America. I personally love to buy made
in America products.
But for someone to actually lie about it when they make the
product, put it out to market, and then for there not to be any
way of them having to pay a price for doing that for duping the
American people, Chairman Simons, where are we at with that?
Mr. Simons. Yes, so historically for decades that has been
the approach that the Commission has pursued in these made in
the USA cases. They have only got injunctive relief. But we are
now going to hold a workshop and look at what we need to do in
terms of beefing up our remedies.
Mr. Cardenas. So hopefully FTC will come out with a more
aggressive, appropriately aggressive stance when it comes to
people lying about made in America.
Mr. Simons. That may very well be the outcome of the
workshop.
Mr. Chopra. Just like in privacy legislation where you are
thinking about civil penalties to deter this conduct, Congress
gave the FTC the power to activate penalties for made in USA
violations 25 years ago. We have not yet turned that switch on
and I hope that we can explore and potentially turn that switch
on, because we need to deter this and put a stop to it, because
this absolutely harms every single honest manufacturer in
America who makes goods here at home.
Mr. Cardenas. Yes.
Ms. Wilson. If I could add one point, the cases that have
been reported on this issue were decided and settled between
staff and the parties before this slate of Commissioners
arrived, and as Chairman Simons noted in his statement, when
the settlements were first announced. We do intend to look at
this policy going forward, but the decision of many of the
commissioners was to not upset the work that had already been
done by staff in the previous slate of commissioners, but to
look at this going forward.
Mr. Cardenas. Madam Chair, if I can have 5 seconds.
If someone is willing to lie boldface about made in
America, I as a grandparent am afraid that that product might
have cheated on other things such as chemicals and other
matters that might be involved in the net product that might
end up in the hands of my grandchildren or any other American
family. Thank you very much, Madam Chair, yield back.
Ms. Schakowsky. Mr. Walberg, I am going to call on you, 1
second.
Let me just point out to the committee that every single
Member on both sides of the aisle have shown up to this
hearing. That doesn't happen all the time, and I think it is a
tribute to the issue, but also to our commissioners. So I want
to thank you.
Mr. Walberg is waiving on to our committee. We are happy to
have you, and you have 5 minutes.
Mr. Walberg. Thank you, Madam Chairwoman, and thank you for
consenting to waiving me on this subcommittee. And while I am
not on the subcommittee, certainly I have an interest in being
a member of the Energy and Commerce Committee. I appreciate you
allowing me this opportunity.
Thank you, each of you, for being here today as well. You
have a big job and we wish you well and we hope that we can be
supporters and fellow laborers in making the difference.
I wanted to come here today to ask questions about a topic
very important to me and my constituents, and that is scams
against targeting our Nation's seniors. Michigan seniors, in my
case, have spent a lifetime working to save for financially
secure retirements. In the digital age, scams targeting seniors
and their hard-earned money are growing in number and
sophistication, and safeguarding vulnerable seniors needs to be
a top priority. I am one. It is important to me. Today,
Representative Blunt Rochester, who I believe mentioned this
already, she and I will be introducing legislation, the Stop
Senior Scams Act, to help prevent fraudsters from targeting
seniors with prepaid or gift card scams.
While the committee is working on legislation to address
annoying robocalls and that scam our seniors into giving away
their savings or personal information, gift card scams are
another way fraudsters target seniors. Companies like Target or
Wal-Mart are on the front lines against these scams, and their
ability to educate their employees with best practices and
training to recognize the signs of scam can make a huge
difference in stopping a scammer. The Stop Senior Scams Act
would create a forum at the Federal Trade Commission to
communicate about best practices like this.
And so, Chairman Simons, I would like to ask you if you
could please talk about what the Commission is doing to prevent
frauds and scams against seniors and how legislation like this
Stop Senior Scams Act would align with the FTC's consumer
protection mission.
Mr. Simons. Thank you, Congressman. So this is a
multipronged approach at the FTC. We engage in strenuous
efforts going after these specific scams that target seniors.
We have what is very important, I think, and very effective is
a program of outreach to the senior community and we have a
specific program that was designed called Pass It On, where we
try to kind of essentially deputize senior citizens to help
their fellow senior citizens avoid scams. So they are talking
about it in their local communities and it is on top of mind
and they know what to watch out for. And your legislation, you
know, it sounds like I couldn't agree more with the goals of it
and I would be happy to work with you on it.
Mr. Phillips. Congressman.
Mr. Walberg. Yes.
Mr. Phillips. If I could just add one thing, since we are
here in a public hearing and hopefully the public is paying
attention. What I want to say to American consumers about this
critical issue to which you and Congresswoman Rochester have
devoted such important attention, if a business tells you that
you need to pay with a gift card, it could very well be a scam
and people need to be on the lookout for that. We are going to
be doing our jobs, but it is also important that we communicate
to the public.
Mr. Simons. Yes, the real thing here is, if somebody wants
you to pay with a gift card and that is what you are telling
you, it is probably a scam. Gift cards are for gifts, they are
not for forms of payment.
Mr. Walberg. From your lips to seniors' ears then.
Mr. Simons. Yes.
Mr. Walberg. What developments, Chairman Simons, have there
been in financial scams affecting seniors and how can the
Commission help stop these scams from spreading to larger
groups of seniors?
Mr. Simons. So these things are just evolving continually
and it is, you know, you stop one type of scam and another type
of scam arises. And so, the trick for us is to stay on our
toes, pay attention to what is going on, and move to each
succeeding new scam.
And one of the things that enables us to do that is our
Consumer Sentinel database which is an incredible tool for law
enforcement and particularly for dealing with scams. It has an
enormous number of complaints in it and shared by us with the
local State authorities across the country, and it is a great
asset.
Mr. Walberg. OK, any other comments?
Mr. Chopra. I hope that we also start paying closer
attention to how seniors are scammed online. More and more
seniors are also participating in the digital economy, also
connecting with family, and many, especially those who suffer
from diminished capacity can be particularly at risk.
Mr. Walberg. Well, I appreciate that. It is a big issue and
it is not going away and it is expanding. So our efforts
together will be very helpful for the constituents I represent
and those all over this great country.
So, Madam Chairwoman, thank you for allowing me this time.
Ms. Schakowsky. Thank you, Mr. Walberg.
I just want to--I am surprised none of you mentioned that
the FTC does do these scam workshops. I don't know if they are
everywhere, but we really have this amazing one in the Chicago
area, Brad Schneider and I. And the FTC organized it, but
brought in a representative of the Attorney General, various
other State agencies, and it was spectacular. It was chaired by
the Federal Trade Commission.
So I don't know if it is in Mr. Walberg's district, but I
would suggest that you ask for one of those. It was really
good.
Mr. Simons. And we would be thrilled to do it.
Ms. Schakowsky. OK. And so, Mr. Rush was here earlier, but
we welcome him back for his 5 minutes of questions. Mr. Rush?
Mr. Rush. Yes, I want to thank you, Madam Chair.
It has been one of the--the means of committees that--those
that pull us in a different direction, and some of them when
they come in, they come in right before it is over. So I know
those who sit patiently were not overwhelmed with enthusiasm
when they saw me walk through the door, but it is the way this
place operates.
So I want to thank you, Madam Chair, for holding this
hearing. And I want to begin by asking unanimous consent to
offer into the record an October 2018 letter from the AMA. So I
ask unanimous consent.
Ms. Schakowsky. Without objection, so ordered.
[The information appears at the conclusion of the hearing.]
Mr. Rush. All right. I want to begin by saying that the FTC
is one of my most favorite agencies in the Federal Government.
I worked very closely with the FTC, particularly when I chaired
this subcommittee some years ago and did some really good work
with the FTC.
But I want to--Chairman Simons, on October 26, '18, the AMA
sent you a letter encouraging the FTC to monitor insulin
pricing and market competition out of increasing concerns that
the rapid rise on the price of insulin may be attributed to
anticompetitiveness rather than research and development. If,
Mr. Chairman, as the letter alleges, if this is true, how would
the FTC respond? And the second part on the question is, have
you investigated the claims made in the AMA letter?
Mr. Simons. Thank you for the question, Congressman. So I
can't respond specifically to any nonpublic investigation that
is going on, but I will say this. We are very focused on
pricing in the pharmaceutical sector. We monitor pricing on a
monthly basis over a wide range of drugs to see if there are
any anomalies like the one you just described, and we look
specifically to see if they are caused by anticompetitive
activity. And if they are, this is a source of case generation
for us, so these are a source of investigations. So that is the
type of, exactly the type of thing that we could look at.
Mr. Rush. Is there any one of the commissioners that might
want to respond?
Mr. Chopra. Yes. I think the situation we see with insulin
is it is not isolated. It really, we see it all over. I believe
in the case of insulin it is really only three players--Eli
Lilly, Nova Nordisk, Sanofi--who really have all the volume.
The original patent was sold for $3 generations ago.
We see a lot of challenges across the pharmaceutical market
with respect to abuse of intellectual property. My colleagues
talked about some of the work there. But we have to use all of
our tools to crack down on anticompetitive conduct and the
fewer and fewer players we have in the market that raises more
concerns.
And it just bugs me that some of these treatments are old.
Insulin is not dramatically different than it used to be and
the fact that people can't get it affordably and are skipping
out on it----
Mr. Rush. Right.
Mr. Chopra [continuing]. It is literally killing them.
Mr. Rush. Anybody else?
Mr. Phillips, I understand you had some nice things to say
about me earlier. I really appreciate it. It came across my
desk.
Mr. Phillips. Absolutely, Congressman. In my opening
statement I talked about the work that we are doing on a
bipartisan basis at the FTC to help deal with the cost of
healthcare, on the competition side included a lot of really
good work over the last year, a half a billion judgment, an
important antitrust case filed weeks ago, a decision on pay-
for-delay settlements, which I know have been very important to
you, that we issued 5-nothing, just a few weeks ago. So I want
you to know from me that the cost of healthcare and rooting out
anticompetitive conduct in the healthcare industry is and will
remain a focus for all of us.
Mr. Rush. Well, thank you.
Madam Chair, thank you so very much for your indulgence and
I yield back the balance of my time.
Ms. Schakowsky. Thank you, Mr. Rush.
Just a little bit of business left. I request unanimous
consent to enter the following testimony or letters, other
information into the record. Without objection, so ordered.
A letter for the record, Oversight of the Federal Trade
Commission: Strengthening Protection for--oh, OK; a letter from
the Electronic Privacy Information Center; a letter from
Consumer Bankers Association; a letter from the Internet
Association; a letter from the National Association of
Federally-Insured Credit Unions; and a letter from the
Confidentiality Coalition.
[The information appears at the conclusion of the
hearing.]\1\
---------------------------------------------------------------------------
\1\ The Electronic Privacy Information Center letter has been
retained in committee files and also is available at https://
docs.house.gov/meetings/IF/IF17/20190508/109415/HHRG-116-IF17-20190508-
SD004.pdf.
---------------------------------------------------------------------------
And, finally, I want to thank our ranking member. I want to
thank the staff on both sides of the aisle. And I especially
want to thank our witnesses, members of the Federal Trade
Commission, for coming here today.
I remind Members that pursuant to committee rules they have
10 business days to submit additional questions for the record
to be answered by the witnesses who have appeared. I would ask
each witness to respond promptly to any such requests that you
may receive.
And at this time, the subcommittee is adjourned.
[Whereupon, at 1:26 p.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
[all]