 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
H.R. 4678, the Consumer Privacy Protection Act of 2002
Subcommittee on Commerce, Trade, and Consumer Protection
Mr. John P. Palafoutas
Mr.
Chairman, Members of the Committee, I thank you for the invitation to appear
today to discuss the need for stronger federal protections for consumer
privacy, and comment specifically on H.R. 4678, the "Consumer Privacy
Protection Act of 2002." My name is John Palafoutas, and as AeA's Senior Vice
President of Domestic Policy and Congressional Affairs, I have responsibility
for policy implementation of AeA's Internet privacy initiative, as directed by
our Board of Directors. By way of background, AeA is the nation's largest
high-tech trade association. AeA
represents more than 3,000 companies with 1.8 million employees. These 3000+ companies span the
high-technology spectrum, from software, semiconductors, medical devices and
computers to Internet technology, advanced electronics and telecommunications
systems and services. With 17 regional
U.S. councils and offices in Brussels and Beijing, AeA offers a unique global
policy grassroots capability and a wide portfolio of valuable business services
and products for the high-tech industry. AeA has been the accepted voice of the U.S. technology community since
1943. If you'd like more information about us and our mission, you can visit
our website at www.aeanet.org. Mr.
Chairman and Mr. Towns, I especially want to thank you both for your leadership
on the issue of Internet privacy. By
seeking out information from all corners - consumer groups, privacy advocates,
and the high tech industry - you have shown your commitment to creating
bipartisan legislation that is well rounded and responsive to the concerns of
all. I also wish to commend your
committee's Majority Counsel, Ramsen Betfarhad. In his persistence and professionalism, he has served this
Committee well. Privacy
is an especially important topic for our member companies, as you may recall
Mr. Chairman when you spoke at our Board of Directors meeting in May of this
year. Every one of our member
companies' businesses revolves around the Internet in one way or another. Protecting online consumers is of paramount
importance to our companies. It is for this reason that AeA has been
championing the cause of strong, non-discriminatory pre-emptive federal privacy
legislation for almost two years now - something that no other trade
association can lay claim to. As
use of the Internet continues to grow, online vendors are gathering more
information about the purchasing habits of their customers. The increase in the
collection and use of this data has raised public concern over precisely what
information is being collected about consumers, how that information is being
used, and whether it is being transferred to third parties. As a result, addressing
concerns related to the collection and use of consumer information is becoming
of increasing importance to legislators at the state and federal levels. E-commerce continues to be one of the driving forces behind
the growth of the U.S. and world economy. Online companies collect a tremendous
amount of information about customers in order to provide discounted goods and
services, efficiently target niche markets, and notify customers of new
products and services. Furthermore, these personal information databases are a
valuable business asset for online companies. These companies use the databases
not only to promote their own products, but oftentimes transfer this
information to third party marketers. This allows companies to obtain and
attract additional revenue and funding for their operations. However, surveys
show that consumers are concerned over how their information is collected,
used, and distributed. Policy
makers face a dilemma in addressing two very legitimate needs. On one side of the balance is the very real
need for consumer privacy, and on the other, the constructive actions business
has undertaken in numerous self-regulatory solutions. The role of government is to be the balance point in the middle -
assuring that effective and enforceable solutions are implemented fairly,
without jeopardizing the beneficial uses of this information by online
companies. Caution must also be taken to assure against the adoption of
burdensome regulations that could impede the continued growth of online commerce
or patchwork state level solutions that are neither consonant nor enforceable
across a borderless medium. The
imposition of stringent privacy regulations on the Internet could severely slow
down the projected e-commerce growth. The Department of Commerce predicts
e-commerce to pass $300 billion by the end of this year while some in private
industry are predicting numbers much higher. It is for this reason that we have put considerable thought and effort
into our privacy principles. AeA's Privacy Principles We
first released our Privacy Principles in January of 2001 in order to guide
federal policy makers in considering balanced, pre-emptive privacy legislation
that is sensitive to the needs of consumers and to the Internet's economic and
technical realities. These principles
have been crafted from input and advice garnered from AeA's member companies,
our Grassroots Network, and responses from town hall meetings across the
country. Overwhelmingly, the responses
all identified the grim possibility of multiple and conflicting state privacy
regulations as their top legislative concern. Federal
preemption legislation plays a crucial role in ensuring consistency and
certainty into the marketplace. The
passage of Internet privacy legislation this past year in California and
Minnesota highlights the growing need for preemption legislation. The inherent danger is both imminent and
profound. Other states are now looking
to make a template of these new laws - laws that are provincial in nature and
unconcerned with their deleterious impact on interstate commerce. Further,
only the federal government is in a position to create uniform U.S. privacy
standards that not only protect American consumers, but that will harmonize
with international privacy directives. Federal legislation should not, however, attempt to replace or impede
constructive private sector efforts, but rather build upon the baseline that
they have laid down. What good federal preemption language will
do is protect consumers without imposing burdensome, impractical new
requirements. Poorly crafted
legislation will translate into higher consumer costs, fewer online services,
and less free content - thus hurting the same consumers such legislation
intends to benefit. Mr.
Chairman, because this legislation largely comports with AeA's Privacy
Principles, AeA believes that H.R. 4678 is generally good legislation, and with
some technical adjustments, it is something I believe AeA member companies may
support. Legislation
Should Ensure National Standards. H.R. 4678 Does This. The
Internet is a new and powerful tool of interstate commerce. Public policies
related to Internet privacy should be national in scope, thus avoiding a
patchwork of state and local mandates. This uniform framework will promote the
growth of interstate e-commerce, minimize compliance burdens, sustain a
national marketplace and make it easier for consumers to protect their
privacy. H.R.
4678 successfully preempts state and local statutory law, common law, and rules
and regulations dealing with the use of personally identifiable information
(PII) in interstate commerce. Legislation
Should Not Discriminate Against the Internet. H.R. 4678 Doesn't. Consumers
should have confidence that their privacy will be respected regardless of the
medium used. Similar privacy principles should apply online and offline. Public
policy should not discriminate against electronic commerce by placing unique
regulatory burdens on Internet-based activities. H.R.
4678 makes no distinction between the online and offline worlds. Legislation
Should Provide Individuals with Notice. H.R. 4678 Does This. Web sites that collect personally identifiable information
should provide individuals with clear and conspicuous notice of their
information practices at the time of information collection. Individuals should
be notified as to what type of information is collected about them, how the
information will be used, and whether the information will be transferred to
unrelated third parties. Because H.R. 4678 requires data collectors who sell customer
PII to post notice at the time of data collection, consumers will know that the
collector's practices may raise an issue of consumer privacy, and allows them
to find out exactly what those practices are. Further, H.R. 4678 sets out the requirements for what the notice must
contain, as well as allowing the FTC to issue guidelines and advisory opinions. Legislation
Should Ensures Consumer Choice. H.R.
4678 Does This. Consumers
should have the opportunity to opt out of the use or disclosure of their
personally identifiable information for purposes that are unrelated to the
purpose for which it was originally collected. Consumers should be allowed to
receive benefits and services from vendors in exchange for the use of
information. It is important that the consumer understands this use and is able
to make an informed choice to provide information in return for the benefit
received. H.R.
4678 mandates that all data collectors shall
allow consumers to opt-out of the sale of their PII to non-affiliated third
parties, and the withholding of consent will last five years. Legislation
Should Leverage Market Solutions. H.R.
4678 Does This. Private
sector privacy codes and seal programs are an effective means of protecting
individuals' privacy. Lawmakers should
recognize and build upon the self-regulatory mechanisms the private sector has
put in place and continues to build. These mechanisms are backed by the
enforcement authority of the Federal Trade Commission and state attorneys
general. Public policies also should allow organizations to implement fair
information practices flexibly across different mediums and encourage
innovation and privacy enhancing technologies. H.R.
4678 rewards participation in recognized seal programs by placing the burden of
proving non-compliance on the FTC, as well as allowing for the use of binding
private arbitration. Legislation Should Utilize Existing Enforcement Authority. H.R. 4678 Does This. With the imposition of notice requirements, the Federal
Trade Commission should use its existing authority to enforce the mandates of
federal legislation. Legislation should not create any new private rights of
action. H.R. 4678 provides that any violation will be an unfair or
deceptive act under §5 of the Federal Trade Commission Act, thus not adding new
sanctions into the already expanding pantheon of penalties. However, H.R. 4678 imposes strict monetary
penalties that we believe are excessive, especially the doubling of civil penalties. Legislation Should Avoid Conflicting or Duplicative Standards. H.R. 4678 Does This. In cases where more than one government agency seeks to
regulate the privacy practices of a particular organization or industry, those
agencies should offer a single coordinated set of standards. H.R. 4678 ensures that organizations complying with other
federal privacy laws dealing with the protection of a consumer's PII are deemed
to be in compliance with this act. AeA Does Have Some Concerns with H.R. 4678: H.R. 4678 Does Not YET Protects Consumers in the Public and Private Arena. Government and non-profit organizations collect a tremendous
amount of personally identifiable information about citizens. The need to
foster consumer confidence applies to private and public sector activities.
Government agencies and non-profit organizations that collect personally
identifiable information should be required to follow fair information
practices imposed on the private sector by law or regulation. It is well known that consumer information
gleaned from government websites is often traded to third-parties without
notice or consent. We believe this to
be an unacceptable practice. H.R. 4678
should hold all government websites - federal, state, and local - to the same
high standards imposed upon private industry. H.R. 4678 May Have a Negative Impact on the EU Data Protection Safe Harbor. Back in 2000, a safe harbor was negotiated that would
provide U.S. companies with protection from the EU Data Protection if they agreed
to abide by the privacy principles included in the Safe Harbor. The EU only agreed to the U.S.'s
self-regulatory approach if the FTC provided the enforcement mechanism for
those companies that signed up for the safe harbor. As it stands today, 242 American corporations have signed up for
the Safe Harbor, and many of those companies are AeA Members. Further investigation needs to be undertaken
to determine if H.R. 4678 will harmonize with the EU Data Directive, and if it
doesn't then if it will not jeopardize the negotiated Safe Harbor now in
place. It is one thing to say that we
are in compliance with the European Data Directive, and it is quite another to
convince the Europeans of that fact. We believe that while these concerns are not fatal to the
bill at hand, they do present very important questions that do need to be
addressed before our unqualified support can be given to H.R. 4678. My staff and I will be happy to work with
you and the Subcommittee in taking up these issues. Mr. Chairman, thank you for the opportunity to testify on H.R. 4678. AeA looks forward to working with the Committee in developing - and passing - practicable consumer privacy protection, if not in this Congress then in the next. I would be pleased to answer any questions that you may have.
|
|||||||||||
|
