A pioneer in electronic commerce, Amazon.com opened its virtual doors in July 1995 and today offers books, electronics, toys, CDs, videos, DVDs, kitchenware, tools, and much more.  With well over 30 million customers in more than 160 countries, Amazon.com is the Internet's number one retailer. 

Mr. Chairman, Amazon.com is pro-privacy.  The privacy of personal information is important to our customers and, thus, is important to us. 

Indeed, as Amazon.com strives to be Earth's most customer-centric company, we must provide our customers the very best shopping experience, which is a combination of convenience, personalization, privacy, selection, savings, and other features. 

At Amazon.com, we manifest our commitment to privacy by providing our customers notice, choice, access, and security.  Before I describe these four facets of privacy protection at Amazon.com, please allow me to explain how we use customer information. 

In general, Amazon.com uses personally identifiable customer information to personalize the shopping experience at our store.  Rather than present an identical storefront to all visitors, our longstanding objective is to provide a unique store to every one of our customers, now totaling well over 35 million people.  In this way, our customers may readily find items they seek, and discover other items of interest.  If, for example, you buy a Stephen King novel from us, we likely will recommend other thrillers the next time you visit the site.

 Amazon.com now inserts, among the familiar "tabs" atop our Web pages, a special tab with the customer's name on it.  When I visited Amazon.com's site yesterday, for example, the tabs included Books, Electronics, DVDs, and "Paul's Store."  By clicking on the "Paul's Store" tab, Amazon.com introduced me to six smaller stores, including one named, "Your Kitchen and Housewares Store," which featured a Calphalon professional nonstick 5-quart saucepan (which I promptly bought). 

It was no coincidence, of course, that Amazon.com recommended this saucepan to me, and that I liked it:  using so-called "collaborative filtering" techniques, which compare my past purchases to anonymous statistics on thousands of other Amazon.com purchases, Amazon.com computers automatically - and correctly - predicted that I would want the saucepan. 

Similar personalization is provided in the traditional Amazon.com recommendations on the home page, in purchase follow-up recommendations, in the "New for You" feature, and in some varieties of email communications.  Customers can improve the quality of these recommendations in several ways, including by removing individual Amazon.com purchases from consideration, and by rating the products they buy at Amazon.com or elsewhere.  For example, I bought my niece a few CDs from the singer Britney Spears but, because I did not want similar music recommended to me, I removed these CDs from the list of items Amazon.com uses to produce my recommendations.  In addition, on Amazon.com's site, I can rate a CD that I might have purchased at Wal-Mart to improve the quality of my music recommendations. 

Obviously, Amazon.com's personalization features directly benefit our customers.  And, just as obviously, these features require the collection and use of personally identifiable customer information.  The question, then, is how do we protect the privacy of this information? 

As I indicated earlier, Amazon.com manifests its privacy commitment by providing notice, choice, access, and security. 

Notice.  Amazon.com was one of the first online retailers to post a clear and conspicuous privacy notice.  And last summer, we proudly unveiled our updated and enhanced privacy policy by taking the unusual step of sending email notices to all of our customers, then totaling over 20 million people. 

Choice.  We also provide our customers meaningful privacy choices.  In some instances, we provide opt-out choice, and in other instances, we provide opt-in choice.  For example, Amazon.com will share a customer's information with a wireless service provider only after that customer makes an opt-in choice.  We simply are not in the business of selling customer information and, thus, beyond the very narrow circumstances enumerated in our privacy notice, there is no information disclosure without consent.

 Access.  We are an industry leader in providing our customers access to the information we have about them.  They may easily view and correct as appropriate their contact information, payment methods, purchase history, and even the "click-stream" record of products they view while browsing Amazon.com's online stores. 

Security.  Finally, Amazon.com vigilantly protects the security of our customers' information.  Not only have we spent tens of millions of dollars on security infrastructure, we continually work with law enforcement agencies and industry to share security techniques and develop best practices. 

It is very important to note that, other than an obligation to live up to pledges made in our privacy notice, there is no legal requirement for Amazon.com to provide our customers the privacy protections that we do. 

So why do we provide notice, choice, access, and security?  The reason is simple:  privacy is important to our customers, and thus it is important to Amazon.com.  We simply are responding to market forces. 

Indeed, if we don't make our customers comfortable shopping online, they will shop at established brick and mortar retailers, who are our biggest competition.  Moreover, online - where it is virtually effortless for consumers to choose among thousands of competitors - the market provides all the discipline necessary.  Our customers will shop at other online stores if we fail to provide the privacy protections they demand. 

These market realities lead us to conclude that there is no inherent need for privacy legislation.  That said, we have been asked whether Amazon.com could support a privacy bill.  Perhaps we could, but only under certain circumstances. 

Under no circumstances would we support state or local laws governing online privacy.  Not only would such laws be constitutionally suspect, a nationwide website like Amazon.com would find it difficult if not impossible to comply with fifty or more sets of conflicting rules. 

At the federal level, Amazon.com could support a bill that would require notice and meaningful choice, but only if it would preempt inconsistent state laws, bar private rights of action, and address both online and offline activities.  Please allow me to briefly explain each of these points. 

 Preempt State Law.  First, any federal privacy legislation applied to online activities must preempt inconsistent state laws, for it would be virtually impossible for a nationwide website to comply with conflicting rules from multiple jurisdictions.  Even though such laws most likely would fail a constitutional challenge, the expense and uncertainty of litigation should be avoided with a Congressionally adopted ceiling. 

Bar Private Rights of Action.  Second, Amazon.com could support a privacy bill only if it would bar private rights of action.  The threat of aggressive private litigation would cause companies to balkanize their privacy notices for the sake of legal defensibility, at the expense of simplicity and clarity.  Ten-page privacy statements and fine-print legalese would become the norm.  A regulatory body such as the Federal Trade Commission, on the other hand, could balance the competing interests of legal precision and simplicity.  A class action plaintiffs' lawyer would have no such motivation. 

In addition, the aforementioned uniformity necessary to run nationwide websites would be destroyed by a host of trial lawyers suing companies all across the country.  A single authority, such as the FTC, could provide the nationwide approach that private litigation cannot. 

Parity with Offline Activities.  Third, and finally, Amazon.com believes that privacy legislation must apply equally to online and offline activities, including the activities of our offline retail competitors.  It makes little sense to treat information collected online differently from the same - and often far more sensitive - information collected through other media, such as offline credit card transactions, mail-in warranty registration cards, point-of-sale purchase tracking, and magazine subscriptions. 

On one hand, such parity is necessary in fairness to online companies.  It simply would not be equitable to saddle online retailers with requirements that our brick-and-mortar or mail order competitors do not face.   

But more importantly, it would be misleading to American consumers to enact a law that applies only to online entities because, for the foreseeable future, the putative protections of such a law would apply only to a tiny fraction of consumer transactions.  Last year, online sales accounted for less than one percent of all retail business.  Obviously, any law that addresses only online transactions could not benefit consumers much at all compared to one that equally addresses online and offline activities such as using a grocery store loyalty card or subscribing to a magazine. 

Moreover, to the extent it provides real consumer benefits, a law that addresses only online activities would have the perverse effect of failing to provide any benefits to those on the less fortunate side of the digital divide.  Indeed, consumers who, because of economic situation, education, or other factors, are not online would receive no benefits from a new, online-only law. 

In sum, Mr. Chairman, Amazon.com is pro-privacy in response to consumer demand and competition.  We believe market forces are working and, thus, believe there is no inherent need for legislation.  We firmly oppose the adoption of any non-federal privacy law that addresses online activities.  Nonetheless, Amazon.com could support limited federal legislation, but only if it preempts state laws, only if it bars private rights of action, and only if it applies to offline as well as online activities. 

Thank you again for inviting me to testify, I look forward to your questions.