WASHINGTON, D.C.—This is the third hearing on consumer privacy that we have held in the 112th Congress. As I have repeatedly emphasized, Americans are often completely unaware of the vast amounts of information that is being collected and stored on them. I have focused on the need for companies to provide everyday consumers with a clear understanding of what information they are collecting, where the information goes and how it is being used. I have also asked companies to give consumers an easy way for them to stop those collection practices. I don’t think this is too much to ask of companies that are making millions, if not billions, of dollars off of consumers’ personal information.
Poll after poll shows that Americans are increasingly concerned about their loss of privacy; and those same polls show that Americans don’t know what to do about it. It is my intent, as Chairman of the Committee of jurisdiction, to change that. I want ordinary consumers to know what is being done with their personal information, and I want to give them the power to do something about it.
This is why I have introduced S. 917, the Do-Not-Track Online Act of 2011. This bill is based on a simple concept. With an easy click of the mouse, consumers can tell all online companies that they do not want their information collected. Under my bill, companies would be obliged to honor that request. It’s that simple.
Senator Kerry has also introduced a bill, S. 799, the Commercial Bill of Rights Act of 2011, which is a less targeted, more comprehensive piece of legislation; and other members of this Committee have similarly voiced strong interest in privacy matters. I believe these hearings form the basis for building bipartisan consensus about legislation to protect consumer privacy.
Today’s hearing is also about data security, which directly implicates consumer privacy—we are reminded of this, I’m afraid, every day in the headlines. The recent security breaches at Citibank, Sony, and Epsilon show that companies are increasingly vulnerable to cyberattacks that compromise the safety and privacy of Americans. When criminals break into a database and steal credit card numbers, social security numbers, or even email addresses, they can use this information to commit identity theft, which can have devastating consequences for the victims.
This is why Senator Pryor and I have reintroduced S. 1207, the Data Security and Breach Notification Act. The bill would impose an obligation on companies to adopt basic security protocols to protect sensitive consumer data; and would further require these companies to notify affected consumers in the wake of a security breach.
The bill would also require greater transparency in the “data broker” industry. These are companies that amass vast amounts of data on consumers and sell that information to other companies, often for marketing purposes. Americans do not have any direct relationship with these data brokers and often have no idea that such companies even exist and have files of information on them.
There is broad consensus that federal data security legislation is necessary. The Obama Administration included a breach notification provision similar to the provision in S. 1207 in its cybersecurity proposal. In order for this bill to be ready for floor consideration as part of the larger cybersecurity effort, I will work with Senator Pryor and all of my colleagues on both sides of the aisle to mark up data security legislation.
I look forward to hearing from today’s witnesses, and I thank them for their participation.