Conceptually, a company acquires information; it has to be to deliver a service to the consumer. That company may contract with another company to deliver certain services. That's fair game. The question is what kind of service is offered and did the consumer consent to that ultimate goal being achieved with their personal information.
Ultimately what I am saying is that I think the concepts are found in the current law. They are at a high level of generality, and that's a level of concern. Then there are questions that I keep mentioning about the authority of the regulator, who can act on behalf of individuals, find out where the problems are, and sanction inappropriate conduct. At the level of the standards, I think we have rules of the game in terms of consent and so on that are adequate. It's the apparatus to determine whether compliance occurs and what the sanctions are if a determination is made that there has been inappropriate use, that's where the bigger flaws are.