The hearing was jointly sponsored by two House Energy and Commerce Subcommittees that have been active on online privacy and data security issues - Chairwoman Mary Bono Mack's (R-CA) Subcommittee on Commerce, Manufacturing and Trade and Chairman Greg Walden's (R-OR) Subcommittee on Communications and Technology. The hearing garnered considerable interest - members in attendance included Rep. Bono Mack, Rep. Walden, Rep. John Barrow (D-GA), Rep. G.K. Butterfield (D-NC), Rep. Bill Cassidy (R-LA), Rep. Anna Eshoo (D-CA), Rep. Edward Markey (D-MA), Rep. Doris Matsui (D-CA), Rep. Gregg Harper (R-MS), Rep. Bobby Rush (D-IL), Rep. Henry Waxman (D-CA), Rep. Lee Terry (D-NE), Rep. Cliff Stearns (R-FL), Rep. Marsha Blackburn (D-TN), Rep. Bob Latta (R-OH), Rep. Joe Barton (R-TX), Rep. Adam Kinzinger (R-IL), Rep. Pete Olson (R-TX), Rep. Jan Schakowsky (D-IL), and Fred Upton (R-MI).
Economic Impact of Privacy Regulation
One major concern voiced by members at the hearing was whether the FTC, FCC and NTIA and Congress are looking at the economic impact online privacy regulation will have on the internet marketplace and businesses. In particular, Rep. Walden and Rep. Bono Mack voiced concerns for what they termed "regulatory overreach." Rep. Blackburn noted the contribution of online advertising revenue to the online economy and U.S. economy overall and cautioned against stifling innovation, which was echoed by Rep. Kinzinger. Rep. Harper inquired as to whether the FTC and federal government should and will analyze the costs to businesses of online privacy regulation - Ramirez responded that the comments in response to the FTC's December 2011 privacy report provided an opportunity to address these concerns and that the FTC's Bureau of Economics is looking at the issue. Genachowski emphasized the contribution privacy has to the online economy by stimulating consumer trust.
Defining the Harm
Several members, including Rep. Bono Mack, Rep. Blackburn and Rep. Harper, questioned whether real harms caused by consumer online behavioral tracking had been identified and whether Congress was trying to legislate in search of a problem. Rep. Walden stated that at this point in time, it is not clear whether legislation is necessary. Rep. Harper in particular pressed Ramirez on whether the FTC had specific examples of harms to consumers, evidence and documentation, caused by online advertising and tracking. Ramirez responded that the FTC notes numerous public reports such as insurance companies using data aggregation as substitutes for underwriting analysis. Rep. Waxman also asserted that self-regulation is not working, noting a recent Stanford University study which found that many participants in the Network Advertising Initiative - a self-regulatory voluntary code of conduct - violated their own privacy policies by leaving tracking cookies in place despite consumer opt-out.
Agency Jurisdiction and Authority
The discussion also focused on agency existing authority over privacy and what roles the FCC, FTC and NTIA should play in privacy regulation and enforcement - highlighting a potential jurisdictional "turf war" between the FCC and FTC. Genachowski highlighted the FCC's existing jurisdiction through Sections 222, 338, and 631 of the Communications Act, which impose privacy requirements on telecommunications carriers, satellite and cable providers. Genachowski emphasized that the FCC already has authority to require wired and wireless telecommunications carriers to protect customer proprietary network information or CPNI - telephone billing information, numbers called, location, etc. Rep. Butterfield and Rep. Walden noted the broad authority over wireline and wireless Section 222 provides, including location based data but noted Section 222's limitations - applying only to carriers not device providers, operating systems or applications. In response to a question from Rep. Eshoo, Genachowski noted that Congress could clarify the Communications Act to update the network-oriented privacy regime in the digital age, such as CPNI in the context of VoIP services.
Several members emphasized the need to protect children's online privacy and reform the Children's Online Privacy Protection Act (COPPA), which they asserted is fast becoming outdated in the age of social networking and behavioral advertising. Rep. Eshoo noted that policymakers should start with protecting children online, which echoed comments made by Genachowski. Rep. Markey and Rep. Barton noted their Do Not Track Kids Act (H.R. 1895), emphasizing the need to amend COPPA given the explosion of the online ecosystem by obtaining parental consent and providing consumers with a "eraser button" to delete embarrassing data. In response to a question from Rep. Barton, the witnesses noted that neither the FTC nor FCC has a position on the Do Not Track Kids Act. Ramirez also noted that the FTC's highly-anticipated review of COPPA is ongoing but is expected to finish "shortly."
Recent public outcry that News Corp reporters hacked into cell phones served as a backdrop for the hearing, emphasizing the importance of data security in the debate. Genachowski emphasized data security as a consensus-based component to data privacy, which Ramirez agreed with, and noted existing federal authority over these issues based on state and federal wiretap law. Ramirez noted that any data security legislation should include rulemaking authority for the FTC. In response to a question from Rep. Waxman, Genachowski and Ramirez generally supported, or at least did not oppose, expanding data protections to include ISP addresses, social networking usernames and passwords, health information, race, ethnicity, sexual orientation, mother's maiden name, financial information, geolocation information and biometric data. Most notably, Rep. Waxman announced at the hearing that there would soon be a mark-up on a yet-to-be-introduced data security bill.
Rep. Barton and Rep. Blackburn pressed the FTC in particular on whether the FTC was investigating recently released Google+, a social networking platform similar to the controversial Google Buzz, as well as the Facebook facial recognition platform. Ramirez would not comment on specifics but did note that the FTC was looking at the social networking arena. Rep. Barton voiced concern that - with the quick rollout of Google+ - Google did not learn its lesson from Google Buzz and inquired on ways to force companies to change their practices. Ramirez noted that the investigation closed, highlighting the limits of FTC investigative authority.
As Rep. Bono Mack noted, the hearing represents the first in a series of hearings that are planned in the House Energy and Commerce Committee on data privacy and security. The hearing comes on the heels of numerous privacy and data security bills introduced in the past several weeks and months, including Rep. Cliff Stearn's (R-FL) and Rep. Jim Matheson's (D-UT) Consumer Privacy Protection Act of 2011 as well as a slew of data security bills. It is clear there are still a number of issues to be ironed-out that were addressed at the hearing - the economic impact of regulation, agency jurisdictional authority, whether legislation or self-regulation is the appropriate response. It also is clear from the hearing that the FCC, FTC and NTIA, will continue to play a role in the ongoing policy debate. Online consumer privacy and data security continues to garner considerable interest on Capitol Hill.
Kelley Drye & Warren LLP
Kelley Drye & Warren's Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.
Kelley Drye's Government Relations and Public PolicyPractice Group helps clients interpret and shape governing laws, enabling them to achieve and maintain market leadership. The varied backgrounds of its government relations lawyers and professionals enable the team to handle a variety of clients needs including representation and strategic planning.
For more information about this advisory, contact:
Dana B. Rosenfeld
John J. Heitmann
Alysa Zeltzer Hutnik
Christopher M. Loeffler