A growing number of conservatives are calling for Big Government censorship of social media speech platforms. Censorship proposals are to conservatives what price controls are to radical leftists: completely outlandish, unworkable, and usually unconstitutional fantasies of controlling things that are ultimately much harder to control than they realize. And the costs of even trying to impose and enforce such extremist controls are always enormous.

Earlier this year, The Wall Street Journal ran a response I wrote to a proposal set forth by columnist Peggy Noonan in which she proposed banning everyone under 18 from all social-media sites (“We Can Protect Children and Keep the Internet Free,” Apr. 15). I expanded upon that letter in an essay here entitled, “Should All Kids Under 18 Be Banned from Social Media?” National Review also recently published an article penned by Christine Rosen in which she also proposes to “Ban Kids from Social Media.” And just this week, Zach Whiting of the Texas Public Policy Foundation published an essay on “Why Texas Should Ban Social Media for Minors.”

I’ll offer a few more thoughts here in addition to what I’ve already said elsewhere. First, here is my response to the Rosen essay. National Review gave me 250 words to respond to her proposal:

While admitting that “law is a blunt instrument for solving complicated social problems,” Christine Rosen (“Keep Them Offline,” June 27) nonetheless downplays the radicalness of her proposal to make all teenagers criminals for accessing the primary media platforms of their generation. She wants us to believe that allowing teens to use social media is the equivalent of letting them operate a vehicle, smoke tobacco, or drink alcohol. This is false equivalence. Being on a social-media site is not the same as operating two tons of steel and glass at speed or using mind-altering substances. Teens certainly face challenges and risks in any new media environment, but to believe that complex social pathologies did not exist before the Internet is folly. Echoing the same “lost generation” claims made by past critics who panicked over comic books and video games, Rosen asks, “Can we afford to lose another generation of children?” and suggests that only sweeping nanny-state controls can save the day. This cycle is apparently endless: Those “lost generations” grow up fine, only to claim it’s the  next generation that is doomed! Rosen casually dismisses free-speech concerns associated with mass-media criminalization, saying that her plan “would not require censorship.” Nothing could be further from the truth. Rosen’s prohibitionist proposal would deny teens the many routine and mostly beneficial interactions they have with their peers online every day. While she belittles media literacy and other educational and empowerment-based solutions to online problems, those approaches continue to be a better response than the repressive regulatory regime she would have Big Government impose on society.

I have a few more things to say beyond these brief comments.

First, as I alluded to in my short response to Rosen, we’ve heard similar “lost generation” stories before. Rosen might as well be channeling the ghost of Dr. Fredric Wertham (author of Seduction of the Innocent), who in the 1950s declared comics books a public health menace and lobbied lawmakers to restrict teen access to them, insisting such comics were “the cause of a psychological mutilation of children.” The same sort of “lost generation” predictions were commonplace in countless anti-video game screeds of the 1990s. Critics were writing books with titles like Stop Teaching Our Kids to Kill and referring to video games as “murder simulators,” Ironically, just as the video game panic was heating up, juvenile crime rates were plummeting. But that didn’t stop the pundits and policymakers from suggesting that an entire generation of so-called “vidiots” were headed for disaster. (See my 2019 short history: “Confessions of a ‘Vidiot’: 50 Years of Video Games & Moral Panics“).

It is consistently astonishing to me how, as I noted in 2012 essay, “We Always Sell the Next Generation Short.” There seems to be a never-ending cycle of generational mistrust. “There has probably never been a generation since the Paleolithic that did not deplore the fecklessness of the next and worship a golden memory of the past,” notes Matt Ridley, author of The Rational Optimist.

For example, in 1948, the poet T. S. Eliot declared: “We can assert with some confidence that our own period is one of decline; that the standards of culture are lower than they were fifty years ago; and that the evidences of this decline are visible in every department of human activity.” We’ve heard parents (and policymakers) make similar claims about every generation since then.

What’s going on here? Why does this cycle of generational pessimism and mistrust persist? In a 1992 journal article, the late journalism professor Margaret A. Blanchard offered this explanation:

“[P]arents and grandparents who lead the efforts to cleanse today’s society seem to forget that they survived alleged attacks on their morals by different media when they were children. Each generation’s adults either lose faith in the ability of their young people to do the same or they become convinced that the dangers facing the new generation are much more substantial than the ones they faced as children.”

In a 2009 book on culture, my colleague Tyler Cowen also noted how, “Parents, who are entrusted with human lives of their own making, bring their dearest feelings, years of time, and many thousands of dollars to their childrearing efforts.” Unsurprisingly, therefore, “they will react with extreme vigor against forces that counteract such an important part of their life program.” This explains why “the very same individuals tend to adopt cultural optimism when they are young, and cultural pessimism once they have children,” Cowen says.

Building on Blanchard and Cowen’s observation, I have explained how the most simple explanation for this phenomenon is that many parents and cultural critics have passed through their “adventure window.” The willingness of humans to try new things and experiment with new forms of culture—our “adventure window”—fades rapidly after certain key points in life, as we gradually settle in our ways. As the English satirist Douglas Adams once humorously noted: “Anything that is in the world when you’re born is normal and ordinary and is just a natural part of the way the world works. Anything that’s invented between when you’re fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it. Anything invented after you’re thirty-five is against the natural order of things.”

There is no doubt social media can create or exacerbate certain social pathologies among youth. But pro-censorship conservatives wants to take the easy way out with a Big Government media ban for the ages.

Ultimately, it’s a solution that will not be effective. Raising children and mentoring youth is certainly the hardest task we face as adults because simple solutions rarely exist to complex human challenges–and the issues kids face are often particularly hard for many parents and adults to grapple with because we often fail to fully understand both the unique issues each generation might face, and we definitely fail to fully grasp the nature of each new medium that youth embrace.  Simplistic solution–even proposals for outright bans–will not work or solve serious problems.

An outright government ban on online platforms or digital devices is likely never going to happen due to First Amendment constraints, but even ignoring the jurisprudential barriers, bans won’t work for a reason that these conservatives never bother considering: Many parents will help their kids get access to those technologies and to evade restrictions on their use. Countless parents already do so in violation of COPPA rules, and not just because they worry that their kid won’t have access to what some other kids have. Rather, many parents (like me) both wanted to make sure I could more easily communicate with them, and also ensure that they could enjoy those technologies and use them to explore the world.

These conservatives might think some parents like me are monsters for allowing my (now grown) children to get on social media when they were teens. I wasn’t blind to the challenges, but recognized that sticking one’s head in the ground or hoping for divine intervention from the Nanny State was impractical and unwise. The hardest conversations I ever had with my kids were about the ugliness they sometimes experienced online, but those conversations were also countered by the many joys that I knew online interactions brought them. Shall I tell you about everything my son learned online before 13 about building model rockets or soapbox derby cars? Or the countless sites my daughter visited gathering ideas for her arts and crafts projects when, before the age of 13, she started hand-painting and selling jean jackets (eventually prompting her to pursue an art school degree)? Again, as I noted in my National Review response, Rosen’s prohibitionist proposal would deny teens these experiences and the countless other routine and entirely beneficial interactions that they have with their peers online every day.

There is simply no substitute for talking to your kids in the most open, understanding, and loving fashion possible. My #1 priority with my own children was not foreclosing all the new digital media platforms and devices at their disposal. That was going to be almost impossible. Other approaches are needed.

Yes, of course, the world can be an ugly place. I mean, have you ever watched the nightly news on television? It’s damn ugly. Shouldn’t we block youth access to it when scenes of war and violence are shown? Newspapers are full of ugliness, too. Should a kid be allowed to see the front page of the paper when it discusses or shows the aftermath of school shootings, acts of terrorism, or even just natural disasters? I could go on, but you get the point. And you could try to claim that somehow today’s social media environment is significantly worse for kids than the mass media of old, but you cannot prove it.

Of course you’ll have anecdotes, and many of them will again point to complex social pathologies. But I have entire shelves full of books on my office wall that made similar claims about the effects of books, the telephone, radio and television, comics, cable TV, every musical medium ever, video games, and advertising efforts across all these mediums. Hundreds upon hundreds of studies were done over the past half century about the effects of depictions of violence in movies, television, and video games. And endless court battles ensued.

In the end, nothing came out of it because the literature was inconclusive and frequently contradictory. After many years of panicking about youth and media violence, in 2020, the American Psychological Association issued a new statement slowly reversing course on misguided past statements about video games and acts of real-world violence. The APA’s old statement said that evidence “confirms [the] link between playing violent video games and aggression.”  But the APA has come around and now says that, “there is insufficient scientific evidence to support a causal link between violent video games and violent behavior.” More specifically, the APA now says: “Violence is a complex social problem that likely stems from many factors that warrant attention from researchers, policy makers and the public. Attributing violence to violent video gaming is not scientifically sound and draws attention away from other factors.”

This is exactly what we should expect to find true for youth and social media. Most of the serious scholars in the field already note studies and findings about youth and social media must be carefully evaluated and that many other factors need to be considered whenever evaluating claims about complex social phenomenon.

While Rosen belittles media literacy and other educational and empowerment-based solutions to online problems, those approaches continue to represent the best first-order response when compared to the repressive regulatory regime she would impose on society.

Finally, I want to just reiterate what I said in my brief  National Review response about the enormous challenges associated with mass criminalization or speech platforms. Rosen seems to image that all the costs and controversies will lie on the supply-side of social media. Just call for a ban and then magically all kids disappear from social media and the big evil tech capitalists eat all the costs and hassles. Nonsense. It’s the demand-side of criminalization efforts where the most serious costs lie. What do you really think kids are going to do if Uncle Sam suddenly does ban everyone under 18 from going on a “social media site,” whatever that very broad term entails? This will become another sad chapter in the history of Big Government prohibitionist efforts that fail miserably, but not before declaring mass groups of people criminals–this time including everyone under 18–and then trying to throw the book at them when they seek to avoid those repressive controls. There are better ways to address these problems than with such extremist proposals.

Additional Reading from Adam Thierer on Media & Content Regulation :

• “Should All Kids Under 18 Be Banned from Social Media?”
• “Why Do We Always Sell the Next Generation Short?”
• “The APA’s Welcome New Statement on Video Game Violence“
• “Video Games and Moral Panic“
• Parental Controls & Online Child Protection: A Survey of Tools & Methods, 4th Edition.
• “Technopanics and the Great Social Networking Scare“
• “More on Monkey See-Monkey Do Theories about Media Violence & Real-World Crime“
• “Video Games, Media Violence & the Cathartic Effect Hypothesis.”)
• “The Classical Liberal Approach to Digital Media Free Speech Issues“
• “Left and right take aim at Big Tech — and the First Amendment“
• “When It Comes to Fighting Social Media Bias, More Regulation Is Not the Answer“
• “FCC’s O’Rielly on First Amendment & Fairness Doctrine Dangers“
• “Conservatives & Common Carriage: Contradictions & Challenges“
• “The Great Deplatforming of 2021“
• “A Good Time to Re-Read Reagan’s Fairness Doctrine Veto“
• “Sen. Hawley’s Radical, Paternalistic Plan to Remake the Internet“
• “How Conservatives Came to Favor the Fairness Doctrine & Net Neutrality“
• “Sen. Hawley’s Moral Panic Over Social Media“
• “The White House Social Media Summit and the Return of ‘Regulation by Raised Eyebrow’“
• “The Not-So-SMART Act“
• “The Surprising Ideological Origins of Trump’s Communications Collectivism“

• “Why Regulate Broadcasting: Toward a Consistent First Amendment Standard for the Information Age,” Catholic University Law School, 15 CommLaw Conspectus (Summer 2007): 431-482.
• Testimony at FCC’s Hearing on “Serving the Public Interest in the Digital Era”, March 3, 2010.
• “FCC v. Fox and the Future of the First Amendment in the Information Age,”

Catchy headlines like “Heavy Social Media Use Linked With Mental Health Issues In Teens” and “Have Smartphones Destroyed a Generation?” advance a common trope of generational decline. But a new paper in Nature uses a new and rigorous analytical method to understand the relationship between adolescent well-being and digital technology, finding a “negative but small [link], explaining at most 0.4% of the variation in well-being.”

What really sets apart the new paper from Amy Orben and Andy Przybylski is that it aims to capture a more complete picture of how variables interact. The problem that Orden and Przybylski tackle is endemic one in social science. Sussing out the causal relationship between two variables will always be confounded by other related variables in the dataset. So how do you choose the right combination of variables to test?

An analytical approach first developed by Simonsohn, Simmons and Nelson outlines a method for solving this problem. As Orben and Przybylski wrote, “Instead of reporting a handful of analyses in their paper, [researchers] report all results of all theoretically defensible analyses.” The result is a range of possible coefficients, which can then be plotted along a curve, a specification curve. Below is the specification curve from one of the datasets that Orben and Przybylski analyzed.

Amy Orben and Andrew Przybylski explain why this method is important to policy makers who are interested in the tech use question:

Although statistical significance is often used as an indicator that findings are practically significant, the paper moves beyond this surrogate to put its findings in a real-world context.  In one dataset, for example, the negative effect of wearing glasses on adolescent well-being is significantly higher than that of social media use. Yet policymakers are currently not contemplating pumping billions into interventions that aim to decrease the use of glasses.

Truthfully this is the first time I have encountered specification curve analysis and am quite impressed with its power. For more details, check out the OSF page, the writeup in Nature, and the full paper. Also, Michael Scharkow details how to apply SCA to variance and includes some R code.

California’s continuing effort to make the Internet their own digital fiefdom continued this week with Gov. Jerry Brown signed legislation that creates an online “Eraser Button” just for minors. The law isn’t quite as sweeping as the seriously misguided “right to be forgotten” notion I’ve critique here (1, 2, 3, 4) and elsewhere (5, 6) before. In any event, the new California law will:

require the operator of an Internet Web site, online service, online application, or mobile application to permit a minor, who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted on the operator’s Internet Web site, service, or application by the minor, unless the content or information was posted by a 3rd party, any other provision of state or federal law requires the operator or 3rd party to maintain the content or information, or the operator anonymizes the content or information. The bill would require the operator to provide notice to a minor that the minor may remove the content or information, as specified.

As always, the very best of intentions motivate this proposal. There’s no doubt that some digital footprints left online by minors could come back to haunt them in the future, and that concern for their future reputation and privacy is the primary motivation for the measure. Alas, noble-minded laws like these often lead to many unintended consequences, and even some thorny constitutional issues. I’d be hard-pressed to do a better job of itemizing those potential problems than Eric Goldman, of Santa Clara University School of Law, and Stephen Balkam, Founder and CEO of the Family Online Safety Institute, have done in recent essays on the issue.

Goldman’s latest essay in Forbes argues that “California’s New ‘Online Eraser’ Law Should Be Erased” and meticulously documents the many problems with the law. “The law is riddled with ambiguities,” Goldman argues, including the fact that:

First, it may not be clear when a website/app is “directed” to teens rather than adults. The federal law protecting kids’ privacy (Children’s Online Privacy Protection Act, or COPPA) only applies to pre-teens, so this will be a new legal analysis for most websites and apps. Second, the law is unclear about when the minor can exercise the removal right. Must the choice be made while the user is still a minor, or can a centenarian decide to remove posts that are over 8 decades old? I think the more natural reading of the statute is that the removal right only applies while the user is still a minor. If that’s right, the law would counterproductively require kids to make an “adult” decision (what content do they want to stand behind for the rest of their lives) when they are still kids. Third, the removal right doesn’t apply if the kids were paid or received “other consideration” for their content. What does “other consideration” mean in this context? If the marketing and distribution inherently provided by a user-generated content (UGC) website is enough, the law will almost never apply. Perhaps we’ll see websites/apps offering nominal compensation to users to bypass the law.

Goldman also notes that it is unclear why California should even have the right to be regulating the Internet in this fashion. It is his opinion that, “states categorically lack authority to regulate the Internet because the Internet is a borderless electronic network, and websites/apps typically cannot make their electronic packets honor state borders.” I’ve been moving in that direction for the past decade myself since patchwork policies for the Internet — regardless of the issue — can really muck up the free flow of both speech and commerce. I teased out my own concerns about this in my January essay on “The Perils of Parochial Privacy Policies” and argued that the a world of “50 state Internet Bureaus isn’t likely to help the digital economy or serve the long-term interests of consumers.”  Sadly, some privacy advocates seem to be cheering on this sort of parochial regulation anyway without thinking through those consequences. They are probably just happy to have another privacy law on the books, but as I always try to point out not just in this context but also in debates over online child safety, cybersecurity, and digital copyright protection, the ends rarely justify the means. I just don’t understand why more people who care about true Internet freedom aren’t railing against these stepped-up state efforts (especially the flurry of California activity) and calling it out for the threat that it is.

In an essay over on LinkedIn entitled, “Let’s Delete The ‘Eraser Button,'” Stephen Balkam points out another mystery about the new California law: “It’s unclear why this law was even proposed when there exists a range of robust reporting mechanism across the Internet landscape.” Indeed, in this particular case it seems like much of the law is redundant and unnecessary. “What this bill should have been about is education and awareness, about taking responsibility for our actions and using the tools that already exist across the social media landscape,” Balkam says. “Here are three key actions that can already be taken:

Delete – you can take down or delete postings, comments and photos that you have put up on Facebook, Twitter, YouTube and most of the other platforms. Report – anyone can report abusive comments or inappropriate content by others about you or other people and, in many cases, have them removed. Request – you can ask that you be untagged from a photo or that a posting or photo be removed that has been uploaded by someone else. In addition there are in-line privacy settings on many of the leading social media sites, so that you or your teen can choose who sees what.”

Balkam is exactly right. The tools are already there; it’s the education and awareness that are lacking. As I have pointed out countless times here before, there is no need for preemptive regulatory approaches when less-restrictive and potentially equally effective remedies already exist. We just need to do a better job informing users about the existence of those tools and methods and then explain how to take advantage of them. Just adding more layers of law — especially parochial regulation — is not going to make that happen magically. Worse yet, in the process, such laws open the barn door to far more creative and meddlesome forms of state-based Internet regulation that should concern us all.

And now for the really interesting question that I have no answer to: Will anyone step up and challenge this law in court?

This afternoon, Berin Szoka asked me to participate in a TechFreedom conference on “COPPA: Past, Present & Future of Children’s Privacy & Media.” [CSPAN video is here.] It was a in-depth, 3-hour, 2-panel discussion of the Federal Trade Commission’s recent revisions to the rules issued under the 1998 Children’s Online Privacy Protection Act (COPPA).

While most of the other panelists were focused on the devilish details about how COPPA works in practice (or at least should work in practice), I decided to ask a more provocative question to really shake up the discussion: What are we going to do when COPPA fails?

My notes for the event follow down below. I didn’t have time to put them into a smooth narrative, so please pardon the bullet points.

COPPA will fail in the long-run for two reasons:

(1)    With COPPA, the FTC is engaged in a technological arms race that it cannot win.

• COPPA was formulated for a Web 1.0 world of static websites with limited interactivity. In that environment is worked reasonably well, although it certainly imposed costs on site developers and affected market structure.
• As we moved into a Web 2.0 world of interactive social media in the mid to late-2000s, however, the rule has been strained by marketplace new realities. COPPA’s drafters never really envisioned sites like Facebook, Twitter, etc.
• In our current environment—let’s call it the Web 2.5 world—we have added mobile geolocation and social discovery to the mix and that is straining COPPA to the breaking point.
• But we are about to enter the Web 3.0 world of the “Internet of Things;” a sensor-based world in which the communication technology will literally be woven into the clothes we wear and all the devices we use.
  • Cisco has estimated that by 2020, 37 billion devices will be linked together and communicating.
  • It will be almost impossible for COPPA to keep up with the explosion of these technologies because everything in our lives and our children’s lives will be interconnected, communicating, and collecting data.
  • Information will be ubiquitously collected simply by nature of the technology itself.
  • The entire Web 3.0 world will be one of comprehensive passive information collection.
  • So, notions like “collection”, “directed at children” and “personal information” will be become impossible to enforce absence a flat-out ban on the technologies themselves

(2)    COPPA will also fail because of the simple reality that the more complicated and costly this regulatory regime becomes, the more likely it is that that both kids and parents will ignore it or seek to actively evade it.

• The actual monetary cost of any online service may obviously be one thing parents and kids seek to avoid.
• But the bigger cost is the mental hassle associated with delayed gratification.
  • When people demand certain services, they want them now. And they will get them even when law gets in the way. And sometimes they value the utility / functionality that those services provide more than they value privacy.
  • A 2011 Harvard-Berkeley study pointed out the evasion is already rampant and that many parents are facilitating that result by encouraging their kids to lie about their ages online.
    • This problem will only increase in the Internet of Things era as kids and parents come to expect all their devices to be communicating at all times and retaining data for them.

So, what are we going to do about? How do we prepare for the post-COPPA world that’s coming?

• We shouldn’t just throw up our hands in defeat.
• But we must accept the technological and practical challenges associated with regulation and seek out alternative approaches.
• Best solution, therefore, is: Education, media literacy, and digital citizenship
  • We need to do a much better job educating both kids and adults about sensible online interactions.
  • We need to talk to our kids and each other about being more savvy, sensible, respectful, and resilient media consumers and digital citizens.
  • In encouraging our kids and fellow Netizens to be good “digital citizens,” we must stress smarter online hygiene (sensible personal data use) and better “Netiquette” (proper behavior toward others), which can further both online safety and digital privacy goals.
  • More generally, as part of these digital literacy and citizenship efforts, we must do more  to explain the potential perils of over-sharing information about ourselves and others while simultaneously encouraging consumers to delete unnecessary online information occasionally and cover their digital footprints in other ways.
  • These education and literacy efforts are also important because they help us adapt to new technological changes by employing a variety of coping mechanisms or new social norms. These efforts and lessons should start at a young age and continue on well into adulthood through other means, such as awareness campaigns and public service announcements.

Additional Reading:

• The Unintended Consequences of Well-Intentioned Privacy Regulation
• Thoughts on Latest FTC COPPA Rule Revisions & Online Child Safety / Privacy
• Joint CDT-PFF-EFF Comments on FTC’s COPPA Review & the Dangers of COPPA Expansion
• What We Didn’t Hear at Yesterday’s FTC COPPA Workshop
• COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech, by Berin Szoka & Adam Thierer

It was my honor today to be a panelist at a Hill event on “Apps, Ads, Kids & COPPA: Implications of the FTC’s Additional Proposed Revisions,” which was co-sponsored by the Family Online Safety Institute and the Association for Competitive Technology. It was a free-wheeling discussion, but I prepared some talking points for the event that I thought I would share here for anyone interested in my views about the Federal Trade Commission’s latest proposed revisions to the Children’s Online Privacy Protection Act (COPPA).

________

The Commission deserves credit for very wisely ignoring calls by some to extend the coverage of COPPA’s regulatory provisions from children under 13 all the way up to teens up to 18.

• that would have been a constitutional and technical enforcement nightmare. But the FTC realized that long ago and abandoned any thought of doing that. So that is a huge win since we won’t be revisiting the COPA age verification wars.
• That being said, each tweak or expansion of COPPA, the FTC opens the door a bit wider to a discussion of some sort age verification or age stratification scheme for the Internet.
• And we know from recent AG activity (recall old MySpace age verification battle) and Hill activity (i.e. Markey-Barton bill) that there remains an appetite for doing something more to age-segment Internet populations

But challenging compliance issues remain with expanded COPPA regulations.

• How do third parties accurately determine whether a site where they place a cookie or serve an ad is “directed at children” or “likely to attract an audience that included a disproportionately large percentage of children under age 13”
• Let’s be clear about what is happening here:  = the redefinition of terms we see the agency undertaking here will result in an expansion of liability via regulatory relabeling
• there certainly is an incremental benefit associated with tweaks to the COPPA rule that strengthen its privacy protections, but it is equally true that there are corresponding incremental costs…

With each tweak or expansion of COPPA, the FTC potentially increased regulatory compliance costs, which could impact market structure, innovation, and consumers options and costs.

• FTC estimates that approximately 85-90% of operators potentially subject to the COPPA rule qualify as small entities; up from prior estimate of 80%.
• “Rule may entail some added cost burden to operators, including those that qualify as small entities.” (p. 28) Specifically, “operators will each spend approximately 60 hours” complying with the disclosure requirements of the rule (p. 32), although the agency doesn’t offer much of any explanation for how it came up with that number and, despite hearing from several  commenters that compliance hours were being underestimated by the agency, the FTC says it won’t revise that estimate upward.
• Regardless, the agency at least acknowledges that a real burden exists and, if it is true that these burdens will expand because of the latest revisions to the rule, then competition and innovation could suffer
• We should want to foster an online ecosystem where small entrepreneurs can thrive and compete against giants like Disney and Viacom
• They can comply with these expanded regulatory compliance costs, but not everyone else can, esp. to the little guys
• Which means fewer options for both parents and kids
• Or, it could also mean that we start seeing prices go up where none currently exist.

Still not clear to me what the actual harm is here that we are trying to address, nor is it clear to me how these new rules really do much on the ground to make kids safer online.

• Parental notification is not the end of the online safety story.
• Indeed, when it comes to online safety, it is not what happens before kids get in the door that counts, it’s what happens after kids get inside that really matters.

The Constructive Alternative: Education, Self-Regulation, Codes of Conduct & Best Practices

• When sites create digital communities and invite kids in, I think we can all agree that we want them to be well-lit online neighborhoods where they can interact safely
• A major recent report on parental attitudes about COPPA revealed that what the vast majority of parents want—and this certainly includes me—is helpful tips and advice about what sort of sites and services are appropriate for their kids at a particular age.
• And parents also want some assurances that those online communities take some simple, common sensical steps to keep their digital worlds and applications safe.

• This is why the ongoing dialog about best practices for these sites is so important. Specifically, what is most needed are:
  • Smart ground rules for acceptable behavior;
  • Clear standards for what will not be tolerated; and,
  • Limitations on certain types of functionality and data collection.

• Ex: Everloop’s “3 Cs of Conduct”
  • “BE COOL: Everloop is a safe, fun place for everyone…so no swearing, cheating, bullying or general bad behavior allowed. If you do any of that, we might have to boot you from the loop.”
  • “BE CLEAN: Everloop is not about drugs, alcohol, sex, race or any inappropriate stuff like that. We will block offensive posts.”
  • “BE CONFIDENTIAL: Play safe on Everloop — don’t share your real name, address, phone number, email or passwords with anybody.”

• Ex: Club Penguin = limits functionality within a well-protected walled garden; with outstanding moderation

• But let’s be clear: Even with those sorts of sensible ground rules and best practices in place, a lot of kid-oriented sites and apps are still going collect some data and serve up some ads.

• I know many of you have heard me say it a million times before and are probably getting a little tired of it, but I am going to go ahead and say it again (and with passion): There really is no free lunch! Trade-offs are inescapable in these matters.

• Perhaps in a perfect world we’d have:
  • An infinite number of highly innovative sites
  • That never collected any data or served any ads
  • But yet were still free of charge to parents and kids

• But that is pure fantasy-land talk.

• Yet, what I fear most about the constant expansion of the COPPA regulatory regime is that some people get caught up in that sort of a fairytale and ask us to pretend that no such trade-offs exist.  In other words, some seem to believe that we can have something for nothing.

• Before we go further with more extensive Internet regulation, therefore, I hope we think hard about those trade-offs and about the more constructive steps we might take to encourage education, self-regulation, and best practices for sites that cater to kids and not get caught up in a technopanic about the supposed threat of kids seeing a few ads and having a little data collected about them.

• Because, in most cases, those fears are being greatly overblown while the wondrous benefits we currently enjoy thanks to advertising are being greatly discounted or ignored.

In my most recent weekly Forbes column, “Common Sense About Kids, Facebook & The Net,” I consider the wisdom of an online petition that the child safety advocacy group Common Sense Media is pushing, which demands that Facebook give up any thought of letting kids under the age of 13 on the site. “There is absolutely no proof of any meaningful social or educational value of Facebook for children under 13,” their petition insists. “Indeed, there are very legitimate concerns about privacy, as well as its impact on children’s social, emotional, and cognitive development.” Common Sense Media doesn’t offer any evidence to substantiate those claims, but one can sympathize with some of the general worries. Nonetheless, as I argue in my essay:

Common Sense Media’s approach to the issue is short-sighted. Calling for a zero-tolerance, prohibitionist policy toward kids on Facebook (and interactive media more generally) is tantamount to a bury-your-head-in-sand approach to child safety. Again, younger kids are increasingly online, often because their parents allow or even encourage it. To make sure they get online safely and remain safe, we’ll need a different approach than Common Sense Media’s unworkable “just-say-no” model.

Think about it this way: Would it make sense to start a petition demanding that kids be kept out of town squares, public parks, or shopping malls? Most of us would find the suggestion ludicrous. Kids will be present in those environments not just because they want to be but because, more often than not, their parents or guardians want them to be there as well. That doesn’t me we just throw them into those environments and hope for the best. Instead, we assimilate children gradually into these public spaces and use mentoring strategies to make sure they understand how to cope with the challenges they will face. That’s the same approach we should take in the digital age with online public spaces like Facebook.  As my fellow Forbes contributor Joshua Gans rightly notes, “we want children to experience these networks. Put simply, a parental supervised approach is like giving them training wheels for society.” This approach will better prepare our youth for a future in which their online and offline lives are increasingly intertwined. It represents a more sensible use of our personal and public resources since education and mentoring strategies are entirely constitution and avoid the protracted legal battles that would accompany new regulations.

For more, read my entire column.

Today the Federal Trade Commission released a new report entitled, “Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing,” which concludes that “confusing and hard-to-find disclosures do not give parents the control that they need in this area. The FTC argues that “parents need consistent, easily accessible, and recognizable disclosures regarding in-app purchase capabilities so that they can make informed decisions about whether to allow their children to use apps with such capabilities.”

It’s hard to be against the FTC’s “the more disclosure, the better” policy recommendation and I’m not about to come out against it here. But the question is: how much disclosure is enough? Reading through the report and seeing how hard the FTC hammers this point home makes me think the agency wants our app store checkout process to be littered with the pages of fine print disclosure policies that now accompany our credit card statements and home mortgage payments! Seriously, would that make us better off?

As a parent of two kids who both download countless apps on my Android phone, my wife’s iPhone, and our family’s Android tablet, I appreciate a certain amount of disclosure about what sort of information apps are collecting and how they are using it. I think Google’s Android marketplace strikes a nice balance here, providing us with the most crucial facts about what the application will access or share. Apple could do more on disclosure but the company also prides itself (to the dismay of some!) on its rigorous pre-screening process to make sure the apps in the App Store are safe and don’t violate certain privacy and security policies. Yet, as the FTC correctly points out, “the details of this screening process are not clear.” Of course, most Apple users simply don’t give a damn. They’re all too happy to let Apple just take care of it for them even if they’re not really sure what’s happening to their data behind the scenes. The more privacy-sensitive crowd wants greater disclosure and control, of course, and I’m sympathetic to that plea.  But again, how much disclosure is enough? Are you going to wade through pages of disclosure policies and privacy opt-ins before downloading that latest iteration of “Angry Birds” or “Cut the Rope”? Yeah, I didn’t think so.

Anyway, I don’t want to dwell on that. The more interested findings in the survey relate to price and market dynamics and I am hoping people don’t ignore them. After surveying the price of kids’ apps available in the Android Market and Apple App Store, the agency found that, “While prices ranged from free to $9.99, most of the 960 app store promotion pages listed a price of $0.99 or less. Indeed, 77% of the apps in the survey listed an install price of $0.99 or less, and 48% were free.  Free apps appeared to be the most frequently downloaded.” Here’s the pricing breakdown for both Android and Apple:

Folks, these are astonishing numbers. Almost 100% of the most downloaded kids apps in the Android Market are free… as in ZERO dollars and ZERO cents! And while Apple App Store prices tend to be a bit higher, 93% of apps are $2 or less.  This is one of the great consumer success stories of our time. Consumer welfare is vastly enhanced by the presence of hundred of kids apps that serve almost every interest and desire under the sun, and all for less than what you’d pay for a cup of coffee or a gallon of gas.

But wait, there’s more!!

This incredible success story is even more remarkable because of what the FTC finds next about market structure:

Staff found that hundreds of developers were responsible for the apps in the study. Staff encountered 441 unique developers in this study, only twelve of which had apps on both platforms. Only a handful of app developers were responsible for more than 10 apps in our sample. Developers with one app in our sample were popular, accounting for about 50% of all downloads/feedback ratings, even though they were responsible for only about 30% of the apps. In contrast, those developers with more than 10 apps in our sample accounted for about 1% of the feedback ratings for Apple, (and 20% of the downloads for Android) despite accounting for about 20% of all of the apps in the survey. This finding illustrates the broad and diverse nature of the mobile app marketplace.

“Broad and diverse marketplace,” you say?  That might be the understatement of the year!  I challenge you to find another part of not just our online ecosystem but indeed our entire economy that is this broad, diverse, innovate, competitive, and inexpensive.  I’m not sure that such a radically atomistic, mom-and-pop marketplace of entrepreneurs can last forever, but let’s pause and appreciate the fact that it does exist today.

Now, here’s the really interesting part of this story: This is generally what the world of kids’ online services looked like back in the late 1990s as well. It was incredibly diverse with lots of small mom-and-pop sites catering to kids and parents, often at no charge. And then along came COPPA. [Background here for those who are not familiar.] While COPPA helped address the legitimate problems a small handful of bad apples out there at the time created, it also raised serious compliance costs for that entire sector, including the many smaller mom-and-pop sites. In a letter send to the FTC back in 2005, child safety advocate Parry Aftab claimed that, “The cost of obtaining verifiable parental consent for interactive communications is very high, estimated at more than $45 per child, and even at that price difficult to obtain.” I have no idea how accurate that number was then (I think that was way too high of an estimate), or what the compliance cost per child was in the late 1990s, but let’s be conservative and say it was much smaller, perhaps less that a few bucks per child verified under COPPA.  And let’s assume that if we extended COPPA-like regulatory requirements to app stores that there would be some compliance cost. Again, even if the compliance cost was only a buck per kid, can you see how it devastating that would be to all the small mom-and-pop app developers out there who currently only get a dollar or two for their apps (assuming they charge anything at all)? Yes, it’s true that some of them use ads to offset their costs, but those ads have to pick up the tab for all their labor and development costs.  If you add new regulatory compliance costs to the mix, those mom-and-pop developers will be hit very hard. And then we will have far fewer of them. And the ones that remain will likely charge us more than the couple of bucks we pay per app today.

Further, even if the compliance cost per child gets down to a few cents (or tens of cents) per kid for large operators, it’s probably much higher for smaller operators. In other words, most of the costs here are fixed (hiring an extra employee, having lawyers review your policy, etc.), not marginal (the cost of verifying each additional kid), so it’s really hard to say what the real costs are. And with Apple and Google also taking a cut of the apps sold in the market, you really begin to see how adding on any additional compliance costs could hit the bottom lines of smaller app developers in a big way. When margins are this thin, burdensome regulatory mandates hurt even more. And sometimes they can drive you right out of business.

Which brings us back to the FTC’s role here. It’s clear that the consumer protection side of the agency has an important role to play here when it comes to ensuring consumers are better informed about data collection practices and corresponding privacy issues. But let’s not forget that the FTC was originally created as a competition agency. It’s supposed to care about market structure, competition, and consumer welfare. So, I wonder… are the folks in the FTC’s Bureau of Economics paying any attention to what their colleague are doing here? Because if we start layering on privacy regulations, all the good intentions in the world won’t be able to hold back the likely contraction and consolidation of this vibrant industry that will take place as small mom-and-pops struggle to absorb new regulatory burdens and compliance costs.

Something to think about before regulatory intervention drives up consumers prices and drives out of the market the countless entrepreneurs that make this sector so exciting–especially for parents and kids.

Filings are due to the Federal Trade Commission (FTC) today as part of its review of the Children’s Online Privacy Protection Act (COPPA) and the COPPA rule that the FTC devised and enforces. I didn’t have time to pen as much as I wanted, but I did submit a short filing to the agency in the matter based on some of my previous work both with Berin Szoka and on my own.  Here’s the executive summary for my filing:

It goes without saying that the Children’s Online Privacy Protection Act (COPPA) is complicated law and rule. When considering the rule and proposals to amend it, it is easy to get lost in the weeds and ignore the bigger picture. That would be a mistake. There are broader, more important questions that need to be asked as part of the Federal Trade Commission’s effort to expand this regulatory regime. These questions involve not only the costs of increased regulation for online business interests, but the impact of expanded regulation on market structure, competition, and innovation. More importantly, these questions cut to the core of whether the public (including children) will be served with more and better digital innovations in the future. There is no free lunch. Regulation—even well-intentioned regulation like COPPA—is not a costless exercise. There are profound trade-offs for online content and culture that must always be considered.

Whatever one thinks about the effectiveness or sensibility of the COPPA regulatory model for the Web 1.0 world, it is clear that the regime is being strained by the unforeseen realities of the Web 2.0 world of hyper-ubiquitous connectivity and user-generated content creation and sharing. The digital genie cannot be put back in the bottle.  While COPPA may continue to have a marginal role to play in this rapidly evolving world, that role will likely be increasingly limited by the inherent realities of the information age.

Entire filing can be found on the Mercatus website, on SSRN, or via Scribd [Also embedded below in a Scribd reader.] [FILING] Comments of Adam Thierer – Mercatus Center – FTC COPPA 2011 Ammendments

I highly recommend this important new study on “Why Parents Help Their Children Lie to Facebook about Age: Unintended Consequences of the Children’s Online Privacy Protection Act” by danah boyd of New York University, Eszter Hargittai from Northwestern University, Jason Schultz from University of California, Berkeley, and John Palfrey from Harvard University. COPPA is a complicated and somewhat open-ended law and regulatory regime. COPPA requires that commercial operators of websites and services obtain “verifiable parental consent” before collecting, disclosing, or using “personal information” (name, contact inform­ation) of children under the age of 13 if either their website or service (or “portion thereof”) is “directed at children” or they have actual knowledge that they are collecting personal information from a child.

The new study, which surveyed over 1,000 parents of children between the ages of 10 and 14, reveals that, despite the best of intentions, COPPA is having many unintended costs and consequences:

Although many sites restrict access to children, our data show that many parents knowingly allow their children to lie about their age — in fact, often help them to do so — in order to gain access to age–restricted sites in violation of those sites’ ToS. This is especially true for general–audience social media sites and communication services such as Facebook, Gmail, and Skype, which allow children to connect with peers, classmates, and family members for educational, social, or familial reasons.

The authors conclude that “COPPA inadvertently undermines parents’ ability to make choices and protect their children’s data” and that their results “have significant implications for policy–makers, particularly in light of ongoing discussions surrounding COPPA and other age–based privacy laws.” Indeed, this paper could really shake up the debate over online kids’ privacy regulation. I will have more analysis of the paper in my weekly Forbes column this weekend.

Additional reading for COPPA background and current controversies: Berin Szoka & Adam Thierer, “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech,” (May 21, 2009); and Adam Thierer, “Kids, Privacy, Free Speech & the Internet: Finding the Right Balance,” (August 12, 2011).

On Wednesday afternoon, it was my great pleasure to make some introductory remarks at a Family Online Safety Institute (FOSI) event that was held at the Yahoo! campus in Sunnyvale, CA. FOSI CEO Stephen Balkam asked me to offer some thoughts on a topic I’ve spent a great deal of time thinking about in recent years: Who needs parental controls? More specifically, what role do parental control tools and methods play in the upbringing of our children? How should we define or classify parental control tools and methods? Which are most important / effective? Finally, what should the role of public policy be toward parental control technologies on both the online safety and privacy fronts?

In past years, I spent much time writing and updating a booklet on these issues called Parental Controls & Online Child Protection: A Survey of Tools & Methods. It was an enormous undertaking, however, and I have abandoned updating it after I hit version 4.0. But that doesn’t mean I’m not still putting a lot of thought into these issues. My focus has shifted over the past year more toward the privacy-related concerns and away from the online safety issues. Of course, all these issues intersect and many people now (rightly) considered them to largely be the same debate.

Anyway, to kick off the FOSI event, I offered three provocations about parental control technologies and the state of the current debate over them. I buttressed some of my assertions with findings from a recent FOSI survey of parental attitudes about parental controls and online safety.

Provocation #1: While parental controls will continue to play an important role, it may be the case that many parents will not need parental controls technologies quite to the extent we once thought they did.

In one sense, usage of parental control tools is actually surprisingly high. The FOSI survey reported that 53% of parents say they have used parental control tools to assist them in monitoring their child’s Internet usage. That’s much higher than I would have expected.

Of course, that means that the other half of parents aren’t using parental controls. Why aren’t they? It can’t be because parents aren’t aware of the tools. Awareness of parental control tools is growing. According to the FOSI survey, 87% of parents report knowledge of at least one parental control technology.

Some critics claim it’s because the tools are too complicated, but that’s also hard to believe. The tools keep getting easier to use and cheaper—often being completely free of charge.

The better explanation lies in the fact that, first, talking to our kids continues to be the most important approach to mentoring youth and protecting them, just as it was for previous generations of parents. Almost all of the parents surveyed by FOSI (96%) said they have had a conversation with their child about what to do and not to do online.

Second, “household media rules” are the other unforgotten element here. These rules can be quite formal in the sense that parents make clear rules and enforce them routinely in the home over an extended period of time. Other media consumption rules can be fairly informal, however, and are enforced on a more selective basis. In my book on parental controls, I devised a taxonomy of household media rules and outlined four general categories: (1) “where” rules; (2) “when and how much” rules; (3) “under what conditions” rules; and, (4) “what” rules.

The FOSI survey reveals that such household media rules are widely utilized. Nearly all parents (93%) said they have set rules or limits to monitor their children’s online usage. In particular:

• 79% of parents surveyed require their children to only use the computer in a certain area of the house. (This is an example of a “where” rule.)
• 75% of parents limit the amount of time a child can spend online. (This is a “how much” rule.)
• 74% set rules for the times of day a child can be online. (This is a “when” rule.)
• 59% established time limits for use of a child’s cell phone. (This is another “how much” rule.)

Again, many pundits and policymakers routinely ignore the importance of such household media rules when talking about online child safety. They incorrectly assume that lower than expected usage of various parental control technologies means that those tools have failed or that kids are in great danger online. The reality is that most parents usually think of parental control technologies as a backup plan or complement to traditional parental mentoring and rule-setting responsibilities.

In fact, the FOSI survey revealed that, of those parents who have not used parental controls, 60% of them said it was because they already have rules and limits in place. Of course, none of this should be surprising. Most of us over 40 grew up without any parental control tools in our homes. Just like our parents before us, we devise strategies to mentor our youth and guide their development. Simple lessons and smart rules will, therefore, always be the first order of business. Technological controls will often only be used to supplement and better enforce those lessons and rules, if they are used at all.

In sum: parents are parenting!

Provocation #2: Kids are more resilient than we think.

Despite the panic we sometimes hear surrounding online safety and privacy, kids seem to be adapting to online environments and challenges quicker than parents (and policymakers) give them credit for. Without minimizing the seriousness of any particular concern, I think we need to step back and appreciate just how good of a job most kids have done adjusting to the modern Information Revolution.

There’s a great deal of literature in the field of psychology and sociology dealing with resiliency theory. When we think about risk in this world, there exists a range of responses. Prohibition and anticipatory regulation are on one end of the spectrum. Resiliency and adaptation are on the other.

When highly disruptive information technologies come on the scene, the first reaction is often prohibition or anticipatory regulation. That’s driven by fear of the new and unknown. Oftentimes, however, patience is the better disposition. Building resiliency and crafting adaptation strategies often makes more sense. Instilling principles and lessons to last a lifetime will ultimately do more to make our kids smart, savvy cyber-citizens and prepare them for the worst of what the world might throw their way.  It’s like the old “teach a man to fish” approach, except in this case it’s “teach a child to think.”

In many ways, this is precisely what has been happening for the past decade. Both parents and kids have been “learning on the job” so to speak. They’ve been adapting to new online worlds and gradually assimilating them into their lives. In the process, they have learned important lessons and become more resilient.

Of course, some risks are serious enough that they demand a more anticipatory solution, perhaps even prohibition. Child porn and online child abuse of any sort are the primary examples. But for most other things, social adaptation and resiliency responses generally trump prohibition or anticipatory regulation as the smart solution.

Provocation #3: The most interesting and important public policy debate going forward—both for child safety and kids’ privacy concerns—continues to be the vexing question of where to set to defaults and who sets them.

This isn’t the provocative part of this particular provocation. After all, we’ve always know that defaults matter . Psychologists speak of “status quo bias,” or the general inclination for humans to often stick with the choice they’ve initially been offered. Thus, default parental control and privacy-related settings are often quite “sticky.” Where safety and privacy defaults are set out of the gates is usually where they stay for many people.

A lot of people would like to find a way to change that—potentially through regulation—because they do not approve of the initial defaults offered by various online sites, service, or devices.

Generally speaking, there are two sets of hard questions here. First should we default to the most restrictive setting, the least restrictive, or should we force the consumer to make the choice before using the site, service, or device? Second, who makes that call? Private or public actors?

So, here’s my real provocation: We are better served as a society when these defaults evolve organically and are not imposed from above. Trial and error experimentation with varying defaults help us better understand the relative value of online safety and privacy to various users. That experimentation also sends important signals to other players in the marketplace and encourages them to offer innovative alternative or approaches to these issues. [Here’s a longer paper I penned on this issue explain why mandatory and highly restrictive defaults usually aren’t a good idea.]

The obvious objection to my position is that, if companies are the ones setting the defaults, then only their values get heard and their preferred defaults will always prevail. In reality, however, defaults often do evolve from where they are initially set. (Think of how browsers and social networking sites have added and changed privacy and security controls over just the past few years.) Press exposure and social pressure—especially from average parents and advocacy groups—typically help make sure service providers are responsive to needs of their communities.

Importantly, just because some the preferred defaults of some child safety or privacy advocates do not prevail, that doesn’t constitute “market failure.” There are many competing values at work here. First off, we must never forget that only 32% of all U.S. households have children present in them at any given time. And of that 32%, a small subset might need parental controls or enhanced privacy settings. Many others won’t need any. We live in a diverse nation with a wide spectrum of values and approaches when it comes to rearing our children and protection their safety and privacy. Some parents will never use any parental control or privacy tools. Others will layer them on. Others will use a mix of tools and strategies as outlined above.

In the end, we should expect that experimentation with varying defaults will continue and that there will always be some who are cranky about their preferred defaults not prevailing. But I think we are better off if we allow experiments to continue.

After I offered these initial provocations at the FOSI event, we had a terrific conversation among a diverse group of attendees. I took notes and tried to distill the key takeaways from the conversation, which was off the record. Here are 5 themes that I kept hearing coming up again and again from participants:

1. There is no single tool or silver-bullet solution that can solve all these problems; many tools and solutions are needed for the various concerns that are out there today
2. The term “parental controls” is too narrow since it just implies tools. We need a broader term or paradigm that incorporates education, awareness, empowerment, household media rules, etc.
3. Whether we are talking about tools or awareness efforts, there is remains a trade-off between sophistication and usability.  Many people and policymakers say they want more sophisticated tools but then turn around and complain about complexity of those solutions later. Stated differently, there will never be a “Goldilocks formula” that gets it just right precisely because needs and values evolve.
4. There are shifting concerns among parents from old days. In the early days of the Net, the concern tended to be focused more on content consumption (mostly adult material). Today, the concern seems to have shifted strongly toward content creation (ex: user-generated content on social networking sites, Twitter, SMS, etc.)
5. Kids are getting online at a younger age despite regulatory prohibitions such as COPPA and we’re going to have to grapple with that reality and whether we’ll allow it.

Yesterday, the Federal Trade Commission (FTC) released its long-awaited proposed revisions to the Children’s Online Privacy Protection rule (the “COPPA Rule”). Below I offer a few brief thoughts on the draft document. My remarks assume a basic level of knowledge about COPPA so that I don’t have to spend pages explaining the intricacies of this complex law and regulatory regime. If you need background on the COPPA law and rule, please check out this paper by Berin Szoka and me: “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech.”

Dodging the COPA / Mandatory Age Verification Bullet

The most important takeaway from yesterday’s proposal involves something the FTC chose not to do: They agency very wisely decided to ignore some requests to extend the coverage of COPPA’s regulatory provisions from children under 13 all the way up to teens up to 18.  An effort to expand COPPA’s “verifiable parental consent” requirements to all teens would have raised thorny First Amendment issues as well as a host of practical enforcement concerns.  In essence, it would have required Internet-wide age verification of children and adults in order to ensure that everyone was exactly who they claimed to be online. We already had an epic decade-long legal battle over that issue when the constitutionality of the Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA, was tested many times over and always found to be in violation of the First Amendment.

Regardless, the FTC didn’t go there yesterday, so this concern is off the table for now. The agency deserves credit for avoiding this constitutional thicket.

Why Eliminate “Email Plus” Verification?

The FTC proposes the elimination of the current “e-mail plus” method of obtaining veritable parental consent. Under the COPPA rule’s so-called sliding scale approach, sites:

may obtain verifiable parental consent through an email from the parent, so long as the email is coupled with an additional step.  Such additional steps have included: obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call, or sending a delayed confirmatory email to the parent after receiving consent.  The purpose of the additional step is to provide greater assurance that the person providing consent is, in fact, the parent.  This consent method is often called “email plus.”

The FTC says that “email plus has outlived its usefulness and should no longer be a recognized approach to parental consent.” That’s crazy. A great number of sites and service that live under COPPA use this method to stay in compliance with the law. This pulls the rug out from under them and creates major short-term marketplace uncertainty.

So, why has the agency done this? It’s not really because email plus has “has outlived its usefulness,” rather, it’s because the agency believes that “continued reliance on email plus has inhibited the development of more reliable methods of obtaining verifiable parental consent.  In fact, the Commission notes that few, if any, new methods for obtaining parental consent have emerged since the sliding scale was last extended in 2006.” [p. 68]

That’s a very interesting observation. But while I agree that few new parental consent methods have been introduced over the past five years, the FTC has not offered any conclusive evidence here that the existence of “email plus” is to blame. The fact of the matter is that online verification is hard, even the parental consent variety. In a different context, banks are still just having people pump in 4-digit PINs at ATMs after a few decades of debit cards being on the market. That doesn’t necessarily mean that the PIN# approach has stifled other forms of authentication, rather, it’s still just the most simple and efficient way of doing things. The same is true of “email plus” in the COPPA context. Yet, the FTC is upending the process in the name of kickstarting innovation in the authentication space. It’s an interesting gamble, but has the agency thought through the consequences of failure?

Importantly, sites and services that cater to children have also been focusing on putting other safety procedures and practices into place during this period. It’s not like parental notification is the end of the online safety story. As I have always noted in all my work on COPPA, it is not what happens before getting in the door that counts. It is what happens after kids get inside that really counts. The FTC ignores that distinction here and just keeps insisting that we can find better ways to perfect “verifiable parental consent” mechanisms.

All this begs the question: Just what is it that the FTC is looking for that would be superior to “email plus”? For the reasons noted above, they obviously cannot force full-blown online age verification on the Internet. But does the agency want a more rigid, second-best verification system perhaps with a possible government role in the formal authentication process? They might. Read on..

So, What’s This about Bringing Government IDs Into the Process?

The FTC makes another interesting proposal on the bottom of pg. 63 when it is discussing other mechanisms for obtaining verifiable parental consent. After rejecting SMS text messages and electronic “sign and send” methods for various reasons, the agency continues on to propose the following:

The Commission also proposes allowing operators to collect a form of government issued identification – such as a driver’s license, or a segment of the parent’s social security number – from the parent, and to verify the parent’s identity by checking this identification against databases of such information, provided that the parent’s identification is deleted by the operator from its records promptly after such verification is complete.

In one sense, this isn’t at all surprising. Our government already engages in some official credentialing activities, so why not use the ones that we’ve already required to get to help out with COPPA enforcement?  How one answers that question depends on your disposition toward large government databases and the purposes to which they might be put. If you are inherently distrustful of government aggregating and cross-referencing massive amounts of data about the citizenry, the idea of using driver’s licenses and Social Security numbers for yet another thing in this world will make you a bit nervous. It certainly makes me a bit paranoid, but mostly because of what I think might come next. If the FTC gets people accustomed to the idea of using “official” forms of identification to authorize online activities, that could be a slippery slope to something far more troubling. It may just start with just driver’s licenses and the last four digits of your Social Security numbers, but that might not be where it ends. Why not throw some biometric identifiers in the mix? Let’s have kids get retinal scans as the schoolhouse door at the beginning of each school year and then make mom and dad get one too so that we can match the whole gang up next time junior wants to visit Club Penguin! [By the way, who in government collects all this info and gets to use it?]

Moreover, if the FTC is now getting rid of the “email plus” verification process and dismissing text messages and electronic “sign and send” methods as alternative, then one could argue that–at least indirectly, if not intentionally–the FTC is starting to tip the market in favor of government solutions to online credentialing.

Perhaps I’m being a bit paranoid here. But when I was serving on the Harvard Berkman Center online child safety task force a few years ago, I saw all sorts of online verification schemes pitched to us, some of which would have government requiring biometric identifiers or other types of digital tokens be utilized in an effort satisfy some amorphous online authentication requirements. I’m not saying that’s where this particular FTC is taking us, but they’re at least opening the door to more “official” government credentialing efforts in the future with this proposal.

Video Conferencing as a Verification Method? Really?

Just as an aside, I must say that I find one of the few new verification methods the FTC endorses–“having a parent connect to trained personnel via video-conference”–to be a bit surprising. (Seriously, did the lobbyists at Skype sneak this proposal in there?!)  The agency states:

The Commission agrees that now commonly-available technologies such as electronic scans and video conferencing are functionally equivalent to the written and oral methods of parental consent originally recognized by the Commission in 1999.  Therefore, the Commission proposes to recognize these two methods in the proposed Rule.

A couple of people on Twitter yesterday pointed out how unlikely it is that video conferencing could be a scalable, workable solution to obtaining verifiable parental consent. Of course, to be fair, this is not the only consent mechanism the agency is suggesting, so I suppose FTC officials would say it’s just an additional verification method from which sites can choose.

But what I have a hard time imagining is that any parent would want to sit down in front of a webcam, fire up Skype (or whatever other video conferencing service they prefer), and start a video chat with some random bloke who works for an online site or service. A lot of parents will find that annoying; potentially even a bit creepy!

More practically, smaller sites probably just don’t have the manpower or resources to make this solution work. Making people available at all hours to get on a video chat with a parent so that their kid can get on the site is just not going to be a workable verification solution for anyone except the largest online sites and services.

Do Data Deletion Requirements Foreshadow a Push for “Eraser Button” / “Right to be Forgotten”?

On pg. 78, the FTC proposes adding a new data retention and deletion provision to the COPPA regulatory regime:

The proposed provision states that operators shall retain children’s personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.  In addition, it states that an operator must delete such information by taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.

In one sense this is commendable. It really would be wise for more online sites and services–especially those who handle kids info–to consider purging unneeded data more frequently. It helps minimize the potential for data security breaches and other problems.

That being said, I have to wonder how this proposal plays into the emerging debate over mandatory online “eraser buttons” and what the Europeans call “the right to be forgotten.” I recently released a Mercatus Center working paper (“Kids, Privacy, Free Speech & the Internet: Finding The Right Balance”), which examined these notions in greater detail. Simply put, an Internet “eraser button” is challenged by practical realities and principled concerns. It’s unclear how to even enforce such a notion. Moreover, if it could be enforced, it would raise profound free speech issues since it is tantamount to digital censorship and specifically threatens press freedoms. And the economic costs of such a mandate — especially on smaller operators — could be quite significant. See my recent Forbes essay for a discussion of those problems.

Again, the FTC is not proposing a formal “eraser button” in its latest COPPA revision. But by pushing for additional steps to be taken on the data deletion front, the agency might encourage more congressional interest in this topic. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) have already included an eraser button proposal in their “Do Not Track Kids Act of 2011.” It will be interesting to see what happens next on this front.  Free speech and privacy rights are on a major collision course here if steps to encourage data deletion become formalized as law or regulatory proposals.

Conclusion

There’s much, much more in the FTC draft to consider that I’m going to hold judgment on for now. For example, plenty has already been said by others regarding the FTC’s proposal to update the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising.  That’s going to lead to all sorts of heartburn for a wide variety of online sites and service providers. It’s also going to complicate the wireless world as geolocation services expand and become a more ubiquitous part of our mobile digital experiences. But, again, I’m going to hold off on saying more on that for now.

In closing, the broader, more important questions that need to be asked are:

• Will these new proposed amendments and expanded regulatory requirements really do anything to make kids safer or their information more secure?
• Has the FTC even attempted to conduct a rough cost-benefit analysis of these new regulations?
• Have the specific burdens these new rules might impose on smaller operators even been considered?
• Correspondingly, will expanded COPPA regulations discourage new innovations that could offer kids and parents more rewarding online experiences?
• And, finally, will the new rules have an impact on the online cost equation by forcing various sites and services to charge higher prices–or charge prices for services that were previously free?

The Commission gives some lip service to these concerns toward the end of the document when it notes on page 94:

While the Rule’s compliance obligations apply equally to all entities subject to the Rule, it is unclear whether the economic burden on small entities will be the same as or greater than the burden on other entities.  That determination would depend upon a particular entity’s compliance costs, some of which may be largely fixed for all entities (e.g., website programming) and others variable (e.g., Safe Harbor participation), and the entity’s income or profit from operation of the website itself (e.g., membership fees) or related sources (e.g., revenue from marketing to children through the site).  As explained in the Paperwork Reduction Act section, in order to comply with the rule’s requirements, website operators will require the professional skills of legal (lawyers or similar professionals) and technical (e.g., computer programmers) personnel.  As explained earlier, the Commission staff estimates that there are approximately 2,000 website or online services that would qualify as operators under the proposed Rule, and that approximately 80% of such operators would qualify as small entities under the SBA’s Small Business Size standards.  The Commission invites comment and information on these issues.

It’ll be interesting to see what sort of feedback the FTC gets on that point. What I hope the agency and others understand is that questions like these are not just about the future of online business interests. Rather, these questions cut to the core of whether the public– including children–will be served with more and better digital innovations in the future. As we’ve noted countless times before here, there is no free lunch. Regulation–even well-intentioned regulation like COPPA–is not a costless exercise. There are profound trade-offs for online content and culture that must always be considered.

Additional Resources / Reading:

• FTC press release announcing new COPPA revisions
• the new proposed amendments [122 pages]
• summary of revisions by IT Law Group
• summary of revisions by Information Law Group
• Fulbright & Jaworski- “Think the FTC’s Proposed Changes to the Children’s Online Privacy Rule Don’t Affect Your Company? Think Again!”
• analysis from Emma Llanso of CDT
• comments on proposed changes from COPPA expert Izzy Neis
• “COPPA: What happens when a generation ignores a law?” – by Robert Niles
• “How will the FTC’s new digital privacy rules impact developers?” by Jason Ankeny
• “Proposed COPPA Rules: A Mobile Perspective” – by Cooley LLP
• my recent paper on potential dangers of COPPA expansion & mandatory “eraser button”
• my paper with Berin Szoka, “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech“

My latest Mercatus Center white paper is entitled “Kids, Privacy, Free Speech & the Internet: Finding The Right Balance.” From the intro:

Concerns about children’s privacy are an important part of [the ongoing privacy debate]. The Children’s Online Privacy Protection Act of 1998 (COPPA) already mandates certain online-privacy protections for children under the age of 13. The goal of COPPA was to enhance parents’ involvement in their children’s online activities and better safeguard kids’ personal information online. The FTC is currently considering an expansion of COPPA, and lawmakers in the House of Representatives introduced legislation that would expand COPPA and apply additional FIPPS regulations to teenagers. Some state-based measures also propose expanding COPPA While well-intentioned, efforts to expand privacy regulation along these lines would cause a number of unintended consequences of both a legal and economic nature. In particular, expanding COPPA raises thorny issues about online free speech and anonymity. Ironically, it might also require that more information about individuals be collected to enforce the law’s parental-consent provisions. There are better ways to protect the privacy of children online than imposing burdensome new regulatory mandates on the Internet and online consumers. Education, empowerment, and targeted enforcement of unfair and deceptive practice policies represent the better way forward.

The paper can be downloaded on SSRN, Scribd, or directly from the Mercatus website at the link above.

On May 26th, it was my great pleasure to participate in a panel discussion on “Growing Up with the Mobile Net,” which was co-sponsored by the Congressional Internet Caucus and Common Sense Media. It was a conversation about kids’ privacy, online safety, teen free speech rights, anonymity, and the possibility of expanding the Children’s Online Privacy Protection Act (COPPA) and implementing the so-called “Internet Eraser Button.”

I was joined on the panel by Jules Polonetsky, Co-chair and Director of the Future of Privacy Forum, and Alan Simpson, Vice President of Policy at Common Sense Media. And the session was very ably moderated, as always, by the supremely objective Tim Lordan.*  We really unpacked the “Eraser Button” and “right to be forgotten” notion and thought through the ramifications. And the discussion about the extent of First Amendment rights for teenagers was also interesting.

The video for this 48-minute session can be found on the Congressional Internet Caucus YouTube page here and is embedded below.

Note: During the session, Tim Lordan claimed that he takes no position and that if anyone says he take positions on issues that he will slap a super-injunction on them. Well, I say Tim Lordan is brimming with positions and he’s letting them fly at every juncture. In fact, I’ve never met someone so full of controversial positions in my life as Tim Lordan! OK, so sue me Tim!

As part of what Politico’s Tony Romm calls this week’s “all-out online privacy blitzkrieg,” Rep. Ed Markey (D-Mass) announced he would be proposing legislation aimed at better protecting kids from the supposed evils of online “tracking” and marketing.  Apparently, Rep. Markey’s effort will build on the “Do Not Track” proposal that is garnering so much attention this week.

Lost in the smoke surrounding that privacy blitzkrieg is an important distinction between these two proposals:  There is a very big difference between re-engineering browsers and websites to comply with a “Do Not Track” mandate and a new regulatory scheme aimed at identifying the ages or identities of individuals using certain online sites or services.  Namely, the latter likely necessitates some sort of mandatory age verification or online authentication regime for the Internet.

Let’s take a step back for some context.  Markey helped author the Children’s Online Privacy Protection Act (COPPA) of 1998, which dealt with the collection of information for kids under 13 online. But COPPA wasn’t a strict age verification or online authentication regime for the Internet.  Instead, COPPA mandated a “verifiable parental consent” regime which the Federal Trade Commission (FTC) later enforced using a so-called “sliding scale” approach.  Essentially, sites that are “directed at” kids under 13 are supposed to get parental consent using a variety of mechanisms (credit cards, sign and fax forms, phone calls, etc) before any collection of information takes place. Of course, there are some devilish details here regarding what counts as “directed at” or “collection,” but the crucial point here is that COPPA does not require the formal authentication of web surfer identities or ages — whether they kids or parents.

So, the really tricky question here is how one goes about expanding the COPPA regulatory regime without stumbling into the legal thicket that tied up the Child Online Protection Act (COPA) of 1998, a law which did mandate such an authentication regime and, as a result, witnessed a grueling decade-long legal battle over its constitutionality.  Ultimately, the courts rejected COPA as inconsistent with America’s tradition of anonymous speech, something central to our evolution as a democracy, pre-dating even the First Amendment that protects it from government interference. Thus, we have, at least for now, closed the book on COPA. But are we about to re-open it with COPPA expansion a la the forthcoming Markey bill?

At yesterday’s House Energy & Commerce hearing on “Do Not Track” where he announced his intention to drop legislation, Rep. Markey didn’t offer concrete details about how his bill would work, but he did go out of his way to praise the work of Common Sense Media (CSM) on this front.  This implies his plan will be in line with what CSM has already advocated.  As I noted in this essay in July, CSM recently submitted a filing to the FTC advocating expanding COPPA’s age scope to cover all kids under 18 as well as opt-in mandates for the collection and use of any “personal information” or “behavioral marketing.”

As I pointed out in that earlier essay, as well as in this beefy paper with Berin Szoka, “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech,” there are many profound questions raised by any proposal to expand COPPA along the lines that Common Sense Media and presumably now Rep. Markey suggest.  Here are a few questions that privacy advocates and policymakers need to consider before heading down this path:

1. What is the supposed harm that requires such a significant expansion of Internet regulation? Why the need for a massive expansion of federal regulation in this area?  CSM never makes it clear in its FTC filing. Are there corresponding benefits to be considered? Aren’t other values or principles at stake here?
2. What are the free speech implications of their proposals. Extending COPPA to cover older teens will require websites used by large numbers of adults to age verify all users. This raises the same First Amendment concerns about government interference with anonymous communication that caused COPA to be struck down by the courts as unconstitutional. Thus, another lengthy legal battle likely awaits.
3. Is it the case that — in the name of protecting privacy — this approach might demand a massive amount of additional information be collected to facilitate the regulatory regime? Expanded age verification mandates would mean more information has to be collected about kids and their parents, but also about adults who, after all, have to prove they aren’t children!  That means a honey pot of new information would be created and held by someone, potentially the government itself.
4. How would such a proposal cope with all the sites or services that allow voluntary sharing of personal information by children? In an era of widespread user-generated content, instant messaging, online gaming, and other forms of digital interaction, expanded verifiable parental consent requirements become a formidable regulatory problem.
5. Don’t older teens have some speech rights? The Common Sense Media proposal implies that teens are utterly incapable of making decisions for themselves until the day they turn 18.  Never mind that most U.S. states set their age of consent at 16 or 17, for example.  These teens are people who we already allow to hold jobs and drive cars and who will shortly be in college and then eligible to vote and serve in our Armed Forces.  Yet, the CSM approach would require “verifiable parental consent” before older teens could read or look at anything online.
6. What will the economic impact be of this mandate on smaller websites that cater to kids & teens? If expanded regulation crowds out smaller start-ups, the resulting level of creativity and innovation in this market will suffer.  Thus, COPPA expansion could lead to unnecessary industry consolidation as smaller operators are forced to sell to bigger player who can cover regulatory compliance costs.
7. What’s the potential cost to consumers / parents? Expanding verifiable parental consent requirements will no doubt burden the creators or various sites and services, but those costs will ultimately be borne by the public when they are passed along in the form of a fee for services, many of which were previously free of charge.
8. Aren’t there better, less burdensome, ways to protect kids’ privacy online? There are many beneficial steps being taken by site operators today that make kids safer online. If we assume that COPPA is the most important approach to keeping kids safe online, we are making a huge mistake. COPPA is probably one of the least important things that keeps kids safe online. It’s what sites do after kids get into their online communities that is really important because—guess what!—kids are going to get in to social networking communities and other sites.  There are many important steps being taken by countless online sites and communities take to make sure they offer more safe and secure environments for kids. In particular, beyond basic parental controls, moderation and intervention efforts by site operators are increasing within social networking sites, virtual worlds, and many other sites to ensure that they offer such “well lit” online neighborhoods. We should be encouraging a lot more of that and working to find new “oversight and intervention” methods to deal with problems when they pop up. Common Sense Media has done a lot of great work on this front and should have focused on how those methods could be improved instead of how the create a more cumbersome, intrusive, expensive, and ultimately unworkable age verification regulatory regime for the Internet.

As Rep. Markey and his fellow policymakers move forward with any plan to expand COPPA, they should carefully weight these considerations against the supposed evils of online data collection, advertising, and marketing.  It’s certainly true that greater care must be taken by advertisers and marketers when dealing with kids, but education, user / parental empowerment, and industry self-regulation may be the better approach here.

An important anniversary just passed with little more notice than an email newsletter about the report that played a pivotal role in causing the courts to strike down the 1998 Child Online Protection Act (COPA) as an unconstitutional restriction on the speech of adults and website operators. (COPA required all commercial distributors of “material harmful to minors” to restrict their sites from access by minors, such as by requiring a credit card for age verification.)

The Congressional Internet Caucus Advisory Committee is pleased to report that even after 10 years of its release the COPA Commission’s final report to Congress is still being downloaded at an astounding rate – between 700 and 1,000 copies a month. Users from all over the world are downloading the report from the COPA Commission, a congressionally appointed panel mandated by the Child Online Protection Act. The primary purpose of the Commission was to “identify technological or other methods that will help reduce access by minors to material that is harmful to minors on the Internet.” The Commission released its final report to Congress on Friday, October 20, 2000. As a public service the Congressional Internet Caucus Advisory Committee agreed to virtually host the deliberations of the COPA Commission on the Web site COPACommission.org. The final posting to the site was the actual COPA Commission final report making it available for download. In the subsequent 10 years it is estimated that close to 150,000 copies of the report have been downloaded.

The COPA Report played a critical role in fending off efforts to regulate the Internet in the name of “protecting our children,” and marked a shift towards focusing on what, in First Amendment caselaw is called “less restrictive” alternatives to regulation. This summary of the report’s recommendations bears repeating:

After consideration of the record, the Commission concludes that the most effective current means of protecting children from content on the Internet harmful to minors include: aggressive efforts toward public education, consumer empowerment, increased resources for enforcement of existing laws, and greater use of existing technologies. Witness after witness testified that protection of children online requires more education, more technologies, heightened public awareness of existing technologies and better enforcement of existing laws.

In case you haven’t noticed, this is the message Adam Thierer and I have hammered home relentlessly in all the work we do concerning not only child protection but also privacy, data security and other areas of concern about online consumer protection.

On the child protection side, check out our recent joint comments with CDT and EFF warning the FTC not to expand the Child Online Privacy Protection Act (COPPA), lest  it converge with COPA, which the courts have found unconstitutional—and also the lengthy paper we wrote on this subject back in June 2009 well before COPPA reemerged as an issue.

On the privacy side, allow me to quote from my November 2009 comments to the FTC on its Privacy Roundtables (primarily concerning online advertising). Specifically, I laid out a “Principled Pro-Consumer Alternative to Further Regulation:”

The “Privacy Wars” that have waged over how government should regulate online collection and use of data might better be referred to as the “Privacy Proxy Wars” because the most clearly demonstrated “harm” at issue seems to be from government itself, not the private sector.  The Fourth Amendment guarantees that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated…”  Americans have a legitimate expectation that this “security” extends to their digital “papers and effects,” yet that expectation is not given effect by current restraints on government access to consumer data in American law.  Thus, we have proposed the following layered approach to concerns about online privacy, focusing on restraining government access to data, rather than crippling the private sector uses of data that directly benefit consumers:

1. Erect a higher “Wall of Separation between Web and State” by increasing Americans’ protection from government access to their personal data—thus bringing the Fourth Amendment into the Digital Age.
2. Educate users about privacy risks and data management in general as well as specific practices and policies for safer computing.
3. Empower users to implement their privacy preferences in specific contexts as easily as possible.
4. Enhance self-regulation by industry sectors and companies to integrate with user education and empowerment.
5. Enforce existing laws against unfair and deceptive trade practices as well as state privacy tort laws.

I look forward to the day when Adam and I aren’t so alone in calling for a unified, consistent approach to online consumer protection across all these issues that begins with demanding a showing of genuine harm or true market failure, but also insists on using (or at least starting with) the least “restrictive” measures to address that problem. In privacy, as with child protection, that means starting with these E-words before rushing to R-words like “regulate, restrict, remove (options),” because those things ultimately retard, rather than encourage, Progress for digital consumers.

Common Sense Media (CSM) is a media “watchdog” group that provides a terrifically useful service to the public through independent reviews of popular media content (movies, music, TV, games, and more). As a parent, I find their service indispensable and, as a policy analyst, I have praised their rating system and their media literacy / digital citizenship programs again and again, including numerous endorsements in my special report on Parental Controls & Online Child Protection and other testimony and filings before Congress and federal regulatory agencies.

Thus, being such a big fan of CSM, I was quite dismayed to see the comments they just submitted to the Federal Trade Commission (FTC) as part of the agency’s review of the Children’s Online Privacy Protection Act (COPPA). They advocate not just expanded educational efforts, which are great, but also expanding COPPA’s age scope to cover all kids under 18 as well as opt-in mandates for the collection and use of any “personal information” or “behavioral marketing.”  For all the background on the law and the FTC’s resulting COPPA rule, see this beefy paper Berin Szoka and I authored last year and this testimony and follow-up submission Berin did for the Senate Commerce Committee. And then read the joint submission made by PFF, CDT, and EFF in the same FTC proceeding that CSM just filed in.

Sadly, it’s clear to me that Common Sense Media didn’t take anything we warned about in those papers or filings seriously—or perhaps that they just didn’t bother to read them very carefully, if at all. Their filing is a classic example of good intentions gone wrong. I understand that they want to take additional steps to protect children online, but they completely ignore the practical realities of COPPA expansion and its associated trade-offs:

1. CSM never clearly identifies or quantifies the supposed harm that requires such a significant expansion of Internet regulation. Why the need for a massive expansion of federal regulation in this area?  CSM never makes it clear. Of course, this is becoming old hat here in Washington. Just whisper the word “privacy” and people scream “the sky is falling” and start calling for regulation of all sorts. But are there real harms here? Are there corresponding benefits to be considered? Aren’t other values or principles at stake here. No answer from CSM.
2. CSM never stops to consider the profound free speech implications of their proposals. Don’t they realize that simply extending COPPA to cover older teens will require websites used by large numbers of adults to age verify all users? This raises the same First Amendment concerns about government interference with anonymous communication that caused the 1998 Child Online Protection Act (COPA) to be struck down by the courts as unconstitutional.
3. CSM doesn’t acknowledge that — in the name of protecting privacy – they are essentially demanding a massive amount of additional information be collected to facilitate the regulatory regime they would apparently endorse. Expanded age verification mandates would mean more information has to be collected about kids and their parents, but also about adults who have to prove they aren’t children!
4. CSM never acknowledges that COPPA covers any potential site or tool that allows sharing of personal information by children and that expansion of this regulatory regime in an era of widespread user-generated content, online gaming, texting, and other forms of digital interaction make “expanded verifiable parental consent” a formidable regulatory problem.
5. CSM is essentially treating older teens as if they have no speech rights and are utterly incapable of making decisions for themselves until the day they turn 18.  Never mind that most U.S. states set their age of consent at 16 or 17, for example.  In other words, these aren’t Dora and Diego fans we’re talking about here. These are people who will shortly be in college and eligible to vote and serve in our Armed Forces.
6. CSM never bothers exploring the profound economic impact their proposal will likely have on smaller websites that cater to kids & teens. If expanded regulation crowds out smaller start-ups, the resulting level of creativity and innovation in this market will suffer. Thus, COPPA expansion could lead to unnecessary industry consolidation as smaller operators are forced to sell to bigger player who can cover regulatory compliance costs.
7. CSM never bothers exploring the potential cost to consumers / parents. Expanding verifiable parental consent requirements will no doubt burden the creators or various sites and services, but those costs will ultimately be borne by the public when they are passed along in the form of a fee for services, many of which were previously free of charge.
8. Finally, and perhaps most surprisingly, CSM spends little time focusing on the many beneficial steps being taken by site operators today that make kids safer online. I have said it again and again and again here and elsewhere: If we assume that COPPA is the most important approach to keeping kids safe online, we are making a huge mistake. COPPA is probably one of the least important things that keeps kids safe online. It’s what sites do after kids get into their communities that is really important because—guess what!—kids are going to get in to social networking communities and other sites.  There are many important steps being taken by countless online sites and communities take to make sure they offer more safe and secure environments for kids. In particular, beyond basic parental controls, moderation and intervention efforts by site operators are increasing within social networking sites, virtual worlds, and many other sites to ensure that they offer such “well lit” neighborhoods. We should be encouraging a lot more of that and working to find new “oversight and intervention” methods to deal with problems when they pop up. Common Sense Media has done a lot of great work on this front and should have focused on how those methods could be improved instead of how the create a more cumbersome, intrusive, expensive, and ultimately unworkable age verification regulatory regime for the Internet.

And there are many, many other issues left unexplored by the CSM filing. They’ve simply called for expansion of a regulatory regime without any reference to these challenges, costs, and trade-offs. Again, good intentions can’t excuse sloppy, half-hearted policy analysis.

I’m really quite troubled by this filing and I hope my friends at Common Sense Media will take the time to take a second look at the paper Berin Szoka and I authored last year (“COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech”) as well as the CDT-EFF-PFF joint filing we just submitted to the FTC.  Regulation has consequences and in this case those consequences will be quite profound. CSM has utterly failed to acknowledge them in this filing.

Yesterday, the Federal Trade Commission (FTC) hosted an all-day workshop on “Protecting Kids’ Privacy Online,” which looked into the Children’s Online Privacy Protection Act of 1998 (COPPA) and challenges posed to its enforcement by new technological developments. The FTC staff did a nice job bringing together and moderating 5 panels worth of participants, all of whom had plenty of interesting things to say about the future of COPPA.  But I was more struck by what was not said yesterday. Namely, there was:

• ZERO explanation of the supposed harms of advertising, marketing, and data collection. Advertising-bashing is an old sport here in Washington, so I guess I should not have been surprised to hear several panelists yesterday engaging in teeth-gnashing and hand-wringing about advertising, marketing, and the data collection methods that make it possible. But this grousing just went on and on without any explanation by the critics of the supposed harms that would result from it.
• ZERO appreciation of the benefits of advertising, marketing, and data collection. Not once yesterday — NOT ONCE — did anyone pause to ask what it is that makes all these wonderful online sites, services and content free (or dirt cheap) to consumers.  Everyone at this show was guilty of the “manna fallacy” (that all this stuff just falls magically to Earth from the Net Gods above). Well, back here in the real world, something has to pay for all those goodies, and that something is advertising and marketing, which are facilitated by data collection! Or would you like to pay $19.95 a month for each of those currently free sites and services? Yeah, I didn’t think so.

• Almost ZERO discussion of the excellent steps that so many websites are taking today above and beyond COPPA to make sure online communities are safe. What I found most amazing about the day’s discussion was the way many people seem to assume that COPPA is the most important approach to keeping kids safe online. In reality, as I have pointed out in my past work, COPPA is one the least important things that keeps kids safe online. It’s what sites do after kids get into their communities that is really important. And, until the last panel of the day, we heard very little about the important steps that countless online sites and communities take to make sure they offer more safe and secure environments for kids. In particular, beyond basic parental controls, moderation and intervention efforts by site operators are increasing within social networking sites, virtual worlds, and many other sites to ensure that they offer such “well lit” neighborhoods. Failure to integrate this into the discussion was the major failing of the day.

• Little discussion of the role of parents should play in mentoring their kids online. So, I’m a parent.  Two kids. Ages 8 and 5. Guess what? They love commercial messages! I let them see them. Online and off. We talk about them. I explain to them not to believe everything they see. I explain that sometimes people are just out to sell them silly stuff they don’t need or, worse yet, scam them out of their money. I explain that there’s a lot of crap out there. And I explain to them that they should always consult with mom and dad about purchasing decisions to get our advice and consent. Hey… there’s a word for this: mentoring (otherwise known as “good parenting.”) Yes, yes, I know COPPA is suppose to aid parents in this regard, but honestly, I only think of COPPA as a small speed bump.  It can slow people — either kids or marketers — down a bit, but it will never stop companies from wanting to sell products or people (including kids) from wanting to buy them.  This is life in a capitalistic society, folks. Unless you want to live in some Marxist “Worker’s Paradise” where we ban all commercial messages and tightly limit consumption and consumer choice (and “wasteful capitalist” competition!), you better get used to it. And, to go back to point #1, you have yet to show me how exposure to commercial messages “harms” kids.  I’m not saying I want to subject my kids to an endless bombardment-by-ads, but as with everything else in this world, there is a sensible way to educate them using a combination of good mentoring and media literacy.
• ZERO acknowledgment that COPPA expansion puts the law on a collision course with COPA, which has already been litigated and found unconstitutional. During the fourth panel yesterday on “Emerging Parental Verification Access and Methods,” there was some troubling talk of turning schools or mobile phone operators into online credentialing authorities. I’ve discussed the dangers of these approaches to online age verification here before (especially the insanely misguided suggestion that schools should become DMVs for our kids and be passing out digital credentials). Which brings up a broader concern not really discussed at all yesterday: At what point would an expansion of COPPA’s “verifiable parental consent” requirements converge with the unconstitutional mandatory age verification model found in the Children’s Online Protection Act (COPA)? We fought an epic, decade-long legal battle over COPA only to have the entire framework tossed out as a violation of the First Amendment. This issue was at the heart of the COPPA 2.0 paper Berin Szoka and I released last year, and a theme Berin recently explained in his Senate testimony and subsequent answers to questions for the Congressional Record.

Anyway, I could go on but I’ll just stop there and reference a few other things that we’ve been doing on COPPA and age verification issues more generally. But everyone should stay tuned to this debate because the prospect for COPPA expansion is quite real and it will have profound ramifications, as the subtitle to our first paper down below explains:

• COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech, by Berin Szoka & Adam Thierer
• Response of Berin Szoka to Questions from Sen. Mark Pryor Regarding Hearing on “An Examination of Children’s Privacy: New Technologies & the Children’s Online Privacy Protection Act”
• Written Testimony of Berin Szoka, Hearing on “An Examination of Children’s Privacy: New Technologies & the Children’s Online Privacy Protection Act” before the Subcommittee on Consumer Protection, Committee on Commerce, Science & Transportation, U.S. Senate, April 29, 2010
• Final Statement of Adam Thierer to the Internet Safety Technical Task Force
• “USA Today, Age Verification, and the Death of Online Anonymity,” by Adam Thierer, PFF Blog, Jan. 23, 2008
• Social Networking and Age Verification: Many Hard Questions; No Easy Solutions, by Adam Thierer, March 21, 2007.
• “Age Verification for Social Networking Sites: Is it Possible? Is it Desirable?” event transcript, May 11, 2007.

On April 29, I testified before the Senate Commerce Committee’s Consumer Protection Subcommittee on Examining Children’s Privacy: New Technologies and the Children’s Online Privacy Protection Act (COPPA). Today, I filed 23 pages of responses to questions for the Congressional Record from Subcommittee Chairman Mark Pryor (D-AR), touching on many of the concerns and issues Adam Thierer and I developed in our May 2009 paper, COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech.

At the April hearing, Senators asked whether COPPA could be improved. Today, as in my April oral and written testimony, I again urged lawmakers to “tread carefully” because COPPA, as implemented, basically works. I explained why COPPA’s technological neutrality and flexibility should allow the FTC to keep pace with technological convergence and change without the need for legislative changes. But expanding the statute beyond its limited purposes, especially to cover adolescents under 18, could raise serious constitutional questions about the First Amendment rights of adults as well as older teens and site and service operators, and also have unintended consequences for the health of online content and services without necessarily significantly increasing the online privacy and safety of children.

The Committee’s follow-up questions also inquired about COPPA’s implementation, the subject of today’s FTC Roundtable. I noted that COPPA implementation has gone reasonably well, meeting its primary goal of enhancing parental involvement in children’s online activities, but that implementation has come at a price, since the costs of obtaining verifiable parental consent and otherwise complying with COPPA have, on the one hand, discouraged site and service operators from allowing children on their sites or offering child-oriented content, and, on the other hand, raised costs for child-oriented sites. The FTC could do more to lower compliance costs for website operators, thus allowing achievement of COPPA’s goals at a lower cost for parents and kids in foregone content and services.

Finally, I raised  concerns about the FTC’s seeming invitation for changes to the COPPA statute itself. As a general matter, regulatory agencies should not be in the business of re-assessing the adequacy of their own powers, since the natural impulse of all bureaucracy is to grow. Though the agency has done a yeoman’s job of implementing COPPA, ultimately it is the responsibility of Congress, not the FTC, to make decisions about modifying the statute.

I’m testifying this morning before the Senate Commerce Committee’s Consumer Protection Subcommittee on Examining Children’s Privacy: New Technologies and the Children’s Online Privacy Protection Act at 10 am in 253 Russell. I offered an overview of my testimony in a PFF TechCast interview yesterday.

MP3 file: PFF TechCast #4 – Senate COPPA testimony of Berin Szoka

My pre-scripted oral testimony (PDF) follows below, but you can download my somewhat longer written testimony here, which offers an overview of our past work on this subject at PFF, particularly the paper Adam Thierer and I published last summer COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech.

Mr. Chairman and Committee members, thank you for inviting me here today.  My name is Berin Szoka. ^[1] I’m a Senior Fellow at The Progress & Freedom Foundation.  I commend this Committee for studying COPPA, and the FTC for its upcoming COPPA Review and Roundtable.^[2]

Background on COPPA

For an “Internet Jr.” of sites “directed at” children under 13, COPPA requires sites either to age-verify all users or limit functionality to prevent children from making personal information “publicly available”—including the sharing of user-generated content.  COPPA imposes the same requirement on general audience sites when they have actual knowledge a user is under 13.  Because of this forced separation and the costs of age verification, COPPA may well have unintentionally limited choice and competition by driving increased consolidation in the marketplace for child-oriented sites and services online.  On the other hand, COPPA has been reasonably successful in fulfilling Congress’s original goal of “enhancing parental involvement” to protect children’s online privacy and safety.

Whatever this trade-off, I’m here today to caution against expanding COPPA beyond its original, limited purpose. COPPA’s unique value lies in its flexibility, subtlety, and intentional narrowness.

COPPA is flexible because it potentially applies to the entire Internet regardless of the access device used—including services scarcely imaginable in 1998.

COPPA is subtle because it requires “verifiable parental consent” not only if site and service operators gather personal information from kids for their own use, but also if sites enable children to make personal information “publicly available” online.  Even more subtle is COPPA’s creative solution to the thorny problem of age verification.  Unlike the similarly-named Child Online Protection Act,^[3] COPPA only requires age verification of users on sites clearly directed at children, whereas COPA required it for any site offering content deemed “harmful to minors.”

Efforts to Expand COPPA Raise Serious First Amendment Concerns

Back in 1998, Congress wisely chose not to apply COPPA to adolescents.  Unfortunately, recent efforts to expand COPPA have put online privacy, child safety, free speech and anonymity on a collision course.  Several states have proposed what we at PFF have called “COPPA 2.0” laws, extending COPPA to adolescents under 17 or 18.  But once the age threshold rises above 13, it becomes increasingly difficult to distinguish sites “directed at” children below the threshold from general audience sites.  With this seemingly small change, COPPA would essentially converge with COPA:  COPPA would extend beyond a discrete “Internet, Jr.” to require age verification for sites used by many adults—and, indeed, other states have proposed simply extending COPPA to all social networking sites.  But requiring adults and even older teens to prove their age by identifying themselves constitutes a prior restraint on anonymous or pseudonymous communication.  This raises the same First Amendment concerns that caused the courts to strike down COPA.

COPPA Expansion Would Undermine Privacy

Ironically, broad age verification mandates would reduce online privacy by requiring more information to be collected from both adolescents and adults, including credit card information.  While COPPA’s safe harbors play a valuable role in administering self-regulation under COPPA,^[4] government shouldn’t put them in the awkward position of becoming repositories for huge troves of personal information in the name of protecting privacy.

COPPA Expansion Would Not Enhance Child Safety

Nor would COPPA expansion make adolescents safer online.  Some have argued that age verification mandates could protect children by allowing sites to create “safe spaces” that exclude predators.  Unfortunately, the reality is that the technology for reliable age verification simply doesn’t exist.  Even the FTC has made clear that it doesn’t consider COPPA’s verifiable parental consent methods, such as use of a credit card,^[5] as equivalent to strict age verification.^[6]

Fears of Advertising Should Not Drive COPPA Expansion

COPPA expansion could also undermine the viability of many online sites and services.  Some consider marketers the “real predators”—even though advertising is the great “Hidden Benefactor”^[7] that funds the overwhelming majority of “free” Internet content and services.  COPPA already applies to the collection of information that could potentially allow the contacting of a child under 13.  The Network Advertising Initiative already requires verifiable parental consent for behavioral advertising to children under 13.  But if COPPA were expanded to require general audience sites funded by tailored advertising to age-verify all users, it would devolve into the unconstitutional approach found in COPA.  Importantly, COPPA expansion would also raise costs for smaller or new sites and services geared toward minors.  This could discourage new innovation, limit choice, and raise prices for consumers.^[8]

Ultimately, concerns about tailored advertising may be less about privacy than about what advertising scholar Jack Calfee has dubbed the “Fear of Persuasion”—the idea that advertising is inherently manipulative and only grows more so with increased relevance.  But as Calfee notes, “by the age 10 or so, children develop a full understanding of the purpose of advertising and equally important, an active suspicion of what advertisers say.”^[9] If government has a role to play in addressing concerns about tailored marketing, it lies in educating kids about advertising to help them become smarter consumers.  Last week, the FTC launched just such an education campaign with its AdMongo tutorial website (www.admongo.gov).[10] The FTC excels in consumer education, and should be encouraged in these efforts as a less restrictive alternative to regulation.^[11]

Opening the Door to COPPA Expansion through FTC Overhaul via Financial Reform

Finally, financial reform legislation recently passed by the House would give the FTC sweeping new rulemaking powers.  H.R. 4173 would allow the FTC to unilaterally change COPPA, including its age range.  Such decisions should be made by Congress, not the FTC.  If Congress wants to help the FTC implement COPPA, it should consider additional funding for education and enforcement.

Thank you again for inviting me here to testify.

[2] Federal Trade Commission, Request for Public Comment on the FTC’s Implementation of the Children’s Online Privacy Protection Rule, April 5, 2010, http://www.ftc.gov/os/2010/03/100324coppa.pdf; see also COPPA Rule Review Roundtable, http://www.ftc.gov/bcp/workshops/coppa/index.shtml.

[3] 47 U.S.C. § 231.

[4] See Federal Trade Commission, Safe Harbor Program, www.ftc.gov/privacy/privacyinitiatives/childrens_shp.html.

[5] Under the FTC’s “sliding scale” approach to obtaining parental consent, other acceptable methods include print-and-fax forms, follow-up phone calls and e-mails, and using encryption certificates.  16 C.F.R. § 312.5(b)(2).

[6] In a February 2007 report to Congress about the status of the law and its enforcement, the FTC said that no changes to COPPA were then necessary because the law had “been effective in helping to protect the privacy and safety of young children online.”  Federal Trade Commission, Implementing the Children’s Online Privacy Protection Act: A Report to Congress at 1, Feb. 2007, www.ftc.gov/reports/coppa/07COPPA_Report_to _Congress.pdf.  In discussing the effectiveness of the parental consent verification methods authorized in the FTC’s sliding scale approach, however, the agency acknowledged that “none of these mechanisms is foolproof.”  Id. at 13. The FTC attempts to distinguish these parental consent verification methods from other kinds of age verification tools in noting that “age verification technologies have not kept pace with other developments, and are not currently available as a substitute for other screening mechanisms.” Id. at 12.

[7] Adam Thierer & Berin Szoka, The Hidden Benefactor: How Advertising Informs, Educates & Benefits Consumers, Progress on Point 6.5, Feb. 2010, www.pff.org/issues-pubs/ps/2010/pdf/ps6.5-the-hidden-benefactor.pdf.

[8] In 2005, the FTC has cited an estimate of $45/child as the cost of obtaining verifiable parental consent for child-oriented sites to comply with COPPA. See Comments of Parry Aftab, Request for Public Comment on the Implementation of COPPA and COPPA Rule’s Sliding Scale Mechanism for Obtaining Verifiable Parental Consent Before Collecting Personal Information from Children at 2, June 27, 2005, www.ftc.gov/os/comments/COPPArulereview/516296-00021.pdf.

[9]/a>Jack Calfee Fear of Persuasion: A New Perspective on Advertising and Regulation, 59 (1997).

[10] Federal Trade Commission to Launch Advertising Literacy Campaign National Program Gives ‘Tweens’ Ages 8 to 12 Skills to Recognize, Understand Advertising, April 26, 2010, www.ftc.gov/opa/2010/04/admongo.shtm.

[11] See, e.g., onguardonline.gov; NetCetera: Chatting With Kids About Being Online, onguardonline.gov/pdf/ tec04.pdf; You Are Here: Where Kids Learn to be Smarter Consumers, ftc.gov/youarehere/. 

The Congressional Internet Caucus Advisory Committee is hosting their second annual State of the Mobile Net conference this Wednesday, April 21 at the DC Hyatt Regency (400 New Jersey Ave NW). The conference runs 12-5 pm followed by a cocktail reception. This conference and the larger State of the Net conference are probably the two best annual Internet policy events in DC, so I hope you’ll attend! This year’s SOMN includes a bonus: a “Growing Up with the Mobile Net” seminar coordinated by Common Sense Media, 9-11:45 am. I’ll be on the first panel of the morning on Kids’ Privacy on the Mobile Net: Is it PII or TMI? with:

• Amanda Lenhart of the Pew Internet & American Life Project, veritable goddess of cyber-sociological data (check out her terrific Social Media & Young Adults report);
• Phyllis Marcus, who handles childrens’ privacy and COPPA issues at the FTC (and is one of my favorite people there); and
• Alan Simpson, Common Sense Media, a tireless advocate for educating children & parents.

I can only assume Alan asked me to be on this distinguished panel panel to represent kids directly on account of my baby-faced-ness! Jerry Rubin famously said, “Don’t trust anyone over thirty”—so I’ve still got 3.5 months of trustworthiness to go! (Or perhaps he actually read the huge PFF paper Adam Thierer and I did last summer about COPPA and my recent post on the FTC’s recently announced COPPA implementation review or my testimony on Maine’s COPPA 2.0 law.) Anyway, the rest of the day looks great (so register here), including these sessions:

• 10:30-11:45 am Will Mobile Technology Transform Learning, or Destroy It?
• 12:50-1:50 pm Keynotes and Q&A: The Disruptive Pace of Mobile Net Evolution with Anna Gomez, Deputy Assistant Secretary, NTIA & Blair Levin, Director, Broadband Task Force, FCC
• 2-3 pm Creating a Ubiquitous Mobile Net: At What Cost? or  Navigating the Apps Marketplaces
• 3:30-4:30 pm Locating Your Privacy or Spectrum: The Oxygen of the Mobile Net
• 4:30-5:30 pm Consumer Protection In The Mobile Marketplace: Who’s Job Is It?

The Federal Trade Commission (FTC) today announced the release of an 18-page Request for Public Comment (embedded below) on its implementation of the Children’s Online Privacy Protection Act or 1998 (COPPA), which governs online sharing by, and collection of information from, children under age 13. The FTC had previously announced that it would accelerate the review, which had been planned for 2015, particularly because of concerns about the mobile marketplace, as noted in the FTC’s report on that topic released in February.

COPPA has undoubtedly succeeded in its primary goal of enhancing parental involvement in their child’s online activities in order to protect the privacy and safety of children online.  Yet these benefits have come at a price, as COPPA’s considerable compliance costs (estimated at $45/child, which can be crushing in the era of “free”) have likely reduced the digital media choices available for children.  So I’m glad to see the Commission recognize these trade-offs by asking about the costs and benefits of COPPA and any proposed changes right off the bat (Questions 1-5). Such trade-offs are an inevitable part of life and policymakers can’t simply ignore them, even when it’s “for the children.”

The Potential for COPPA Expansion

I look forward to seeing comments on the important questions raised by the Commission about precisely how best to implement the framework enacted by Congress.  But I do worry that the Commission has explicitly invited proposals for legislative changes to the statute itself. In particular:

6. Do the definitions set forth in Part 312.2 of the Rule accomplish COPPA’s goal of protecting children’s online privacy and safety? … 28. Does the commenter propose any modifications to the Rule that may conflict with the statutory provisions of the COPPA Act? For any such proposed modification, does the commenter propose seeking legislative changes to the Act?

Note that question #6 does not include the critical limitation “consistent with the Act’s requirements,” which appears no less than 17 times in subsequent questions about specific aspects of the current rules. Whatever the FTC intended, this will omission, combined with question #28, will be taken as an open invitation by many to propose not just changes in how the COPPA rules are implemented, but wholesale revisions to the COPPA statute itself.

(In this sense, this inquiry is somewhat reminiscent of the FCC’s far more open-ended inquiry in its related “Empowering Parents” proceeding, where the FCC all but asked commenters to draw up new statutory authority for the agency and go lobby Congress to enact it. Check out the joint comments PFF filed with EFF in that important proceeding.)

Most troubling would be any proposal to extend COPPA to cover adolescents age 13-17—which Congress considered, but rejected, back in 1998 in recognition of the free speech rights at stake. As Adam Thierer & I explained in our June 2009 PFF paper, COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech, at least four states have considered such “COPPA 2.0” laws in recent years. Maine actually passed such a law last summer but decided not to enforce it and gave up on trying to amend it, as Braden recently explained. (See my testimony on that new Maine law here.)

In practice, such COPPA 2.0 laws would require age verification of all visitors to general audience websites, and would likely therefore be struck down by the courts on First Amendment grounds for much the same reasons the courts have struck down efforts to require age verification for access to pornography. In essence, a “scaled-up” COPPA would converge with COPA as a broad age verification mandate, as we explained in our COPPA 2.0 paper. Furthermore, such broad age verification mandates could, ironically, reduce online privacy by requiring more information to be collected from both adolescents and adults for age verification purposes, while doing little to make adolescents safer.

Even if COPPA’s age bracket is not expanded, I worry that broad revision of key terms like “collection” (Question #10) and “personal information” (#12-13) could have serious unintended consequences for online advertising and data use, which are the lifeblood of the online ecosystem.

COPPA Under the “FTC On Steroids”

Both these concerns will grow significantly if the FTC succeeds in obtaining sweeping new powers in pending legislation related to financial reform. Although Rep. Barney Frank’s “Wall Street Reform and Consumer Protection Act of 2009” (H.R. 4173) is mostly famous for creating a Consumer Financial Protection Agency, it would also “put the FTC on steroids,” in the words of Jim Miller, FTC Chairman from 1981 to 1985.

In particular, the bill would give the FTC broad APA rulemaking authority. Today, the FTC can issue rules only subject to certain important procedural safeguards, but Congress has given it specific mandates to issue narrow rules under the APA in particular areas—like COPPA and CAN-SPAM. If such legislation were ultimately enacted (which now depends on the Senate), the FTC could conceivably supplement COPPA’s rules for kids under 13 with its own APA rules for older kids—and Congress would never have to revisit the issue at all. Indeed, it’s not clear how the COPPA statute would continue constrain the agency in reshaping the COPPA rules.

But even if the FTC doesn’t take such a drastic step to expand COPPA, the new enforcement powers the FTC would gain under HR 4173 could transform how COPPA is implemented. For the first time, the FTC would be able to impose civil penalties for any violation of Section V of the FTC Act, including violations of COPPA; bring suit on its own rather than going through the DOJ; and go after parties that merely provided “substantial assistance” to those that violated COPPA. In such an enforcement environment, the potential cost of violating COPPA could become astronomical, as every separate violation (even on a per user or per day basis) could be subject to a fine of up to $16,000.

FTC Chairman Jon Leibowitz has pushed for all this authority, including at Senate testimony back in February, but promised to use these powers only wisely. However, when pressed to enumerate areas in which APA rulemaking authority would be helpful, Leibowtiz could only respond that, “…we’d really want to […] think for a while if we got this authority about what we wanted to do and what we wouldn’t want to do…” So… does that include COPPA, Mr. Chairman?

Chairman Leibowitz may not intend to use these powers to expand COPPA or radically change COPPA enforcement, but as I’ve said, I fear these soothing promises of regulatory restraint will ultimately prove hollow, if not under this FTC Chairman, then under his successors. And any discussion of re-writing COPPA has to take into consideration such radical changes in the FTC’s rulemaking and enforcement powers.

What about Education?

Finally, I’m surprised to see that the word “education” is used nowhere in the FTC’s Request for Comments. Just about everyone involved in debates about online child safety and privacy would agree that the solution begins with education—even if it doesn’t end there. One might have thought the FTC would ask about whether effective implementation of COPPA’s goals required more education efforts rather than (or perhaps in combination with) stricter regulations—especially since the FTC has done such a terrific job with its own education efforts, such as:

• OnGuard Online, the inter-agency website intended to educate all Internet users about online safety
• NetCetera, the FTC’s excellent child safety effort
• The “You Are Here” virtual mall launched by the FTC last year to educate kids in 5th-8th grade (age 10-14) about marketing both online and offline.

What’s Next

Comments on the COPPA review are due June 30, 2010. Adam Thierer and I will definitely be filing comments on behalf of PFF. If you’re planning to file, too, and would like to compare notes, we’d be happy to hear from you.

FTC COPPA Review Request for Comments – March 24 2010 http://d1.scribdassets.com/ScribdViewer.swf

That’s basically what FTC Chairman Jon Leibowitz told the Association of National Advertisers when he spoke to their “Advertising Law & Public Policy” conference last Thursday. As I noted last week, there’s intense pressure in Congress to pass a financial regulatory overhaul and, unfortunately, the version passed by the House in December—Rep. Barney Frank’s “Wall Street Reform and Consumer Protection Act of 2009” (H.R. 4173)—would also grant the Federal Trade Commission vast new powers for all its regulations, not just those relating to the non-bank financial institutions it currently regulates. In particular, HR 4173 would:

• Make it far easier (and not just faster) for the FTC to issue all kinds of new regulations on its own, without a specific Congressional mandate to do so and instead of relying on case-by-case enforcement to punish “unfair” or “deceptive” acts and practices;
• Reduce public input into those regulations;
• Impose heavy civil penalties on companies before notifying them that a practice might be “unfair” or “deceptive”;
• Prosecute those who merely provided “substantial assistance” to someone engaged in “unfair” or “deceptive” acts or practices; and
• Sue on its own authority, instead of through DOJ (as now).

I summarized my concerns about this bill in this short interview with PFF’s new communications director, Mike Wendy, last week: [display_podcast]

Leibowitz has lobbied hard to have his agency put on steroids (as former FTC Chairman Jim Miller put it), asking for all these things, as well as more funding, at the first Senate hearing on Hr 4173 back in February. (Conveniently, he was the only witness!) He repeated his calls for these powers on Thursday but tried to allay fears about how they’d be used. As Communications Daily reports:

The FTC would use expanded authority only where consumers suffer “significant harm,” bad behavior is common in the industry, standards would improve practices and the expected burdens are “reasonable,” Leibowitz said. “We’d be really stupid if we try to solve every problem in American society with a rule,” he said, so the commission will use any new authority “very judiciously….”  Where business practices and consumer expectations are “evolving,” self-regulation is working and First Amendment issues are involved, the FTC would hold back, he said… [including] behavioral advertising and marketing to children. It would show “enormously bad judgment to pursue those matters, Leibowitz said. “We do believe in self-regulation.”

I’m glad to hear Commission Leibowitz say all this but… well, I fear these soothing promises of regulatory restraint will ultimately prove hollow, if not under this FTC Chairman, then under his successors (just as I am not comforted by FCC Chairman Julius Genachowski’s similar promises not to regulate the Internet, no matter how sincere he may be). Strangely, Leibowitz promises the FTC will regulate only when “bad behavior is common in the industry”—and yet HR 4173 would eliminate the requirement of the FTC’s current Magnuson-Moss rulemaking procedures that a regulated practice must be “prevalent.” (The Direct Marketing Association’s Linda Wooley discussed this critical issue in detail in her testimony.) This illustrates a broader point: the whole point of restraining our regulatory agencies by statute is that we all know better than to trust a regulator when he says, “Oh, don’t worry, we’re not really going to use all that power—and if we do, we’ll be sure to use it carefully!”

The FTC May Need New Focused Mandates, But Not More Broad Powers

Leibowitz singled out “negative-option marketing (where marketers presume consumers want a certain product and charge them for it unless they opt-out) as an example of the kinds of scams the FTC would use its new powers to punish. Perhaps he’s right that the FTC may not be able to adequately address such unfair and deceptive practices today. But it does not follow that this requires increasing the FTC’s powers across the board. Sen. Kay Bailey Hutchison hit the nail on the head in her remarks at last week’s Senate Commerce Committee hearing on HR 4173:

In evaluating whether, and how, to change the scope and extent of FTC regulatory authority, I believe we must first ask whether there is a particular exigency, or area of consumer harm, that is so pervasive that the FTC’s existing enforcement capabilities and rulemaking processes are not sufficient to address the issue.  Second, if there is such an exigency, is the proposed legislative change broadly applied, resulting in greater regulatory burdens across a wide range of industries, or is it appropriately narrow to provide the FTC greater ability to develop rules and carry out enforcement actions directly relevant to that exigency.  Third, we need to consider whether the FTC has sufficient personnel in key areas of its responsibility to carry out its enforcement and consumer protection mandates.

In written testimony, FTC Commissioner William Kovacic supported retaining Moss-Magnuson’s additional procedural safeguards because:

While many other agencies do have the authority to issue rules following notice and comment procedures [under the Administrative Procedure Act (APA)], the Commission’s rulemaking is unique due to the range of subject matter (unfair or deceptive acts or practices) and sectors (reaching broadly across the economy, except for specific carve-outs). Except where Congress has given the FTC a more focused mandate to address particular problems, beyond the FTC Act’s broad prohibition of unfair or deceptive acts or practices, I believe that it is prudent to retain procedures beyond those encompassed in the APA.

Congress has already enacted several such statutes, such as COPPA, telemarketing, the CAN-SPAM Act and mortgages, and if the FTC could identify particular problems that require a new mandate to issue rules under the APA. Yet, as Linda Wooley noted in her testimony, when Commissioner Leibowitz was asked at last month’s hearing to enumerate areas in which APA rulemaking authority would be helpful, he could only respond that, “…we’d really want to […] think for a while if we got this authority about what we wanted to do and what we wouldn’t want to do…”

William Allen Rogers's 1904 cartoon recreates an episode in Gulliver's Travels, with T.R. as Gulliver

In other words, Leibowitz wants Congress to write his agency a blank check to do whatever it deems necessary in the future. Specifically, the FTC would get to decide which issues were appropriate for preemptive regulation, as well as achieving much the same effect of aggressive regulation through litigation designed to intimidate—imitating Teddy Roosevelt’s approach to foreign policy: “Speak softly and carry a big stick!“

We’ve been down this road before. In the 1970s, the FTC so thoroughly abused its uniquely vast jurisdiction by issuing rules to, among other things, ban advertising to children, that it was dubbed the “National Nanny” by the Washington Post—hardly a Thatcherite bastion. This experience led Congress in 1980 to impose the procedural safeguards that would be repealed by HR 4173. Congress was so angry it actually briefly shut down the agency to make it clear that it had not dubbed the agency a regulatory knight errant, free to tilt its steely lance at imagined windmills of “unfairness” or “deception.”

The Dodd Bill: A Welcome Alternative to HR 4173

HR 4173 was sent to the Senate in December, and in January, the bill was referred to the Senate Banking Committee, chaired by Sen. Chris Dodd. The Senate Commerce Committee, which held the two hearings discussed above, has jurisdiction only over the bill’s implications for non-financial regulation. So the two committees will have to work out some kind of compromise before the Senate can pass a bill—which will probably have to be reconciled with what the House passed. That procedural posture is important because it means the Senate has the opportunity to do what the House did not: Pause and consider whether financial overhaul really requires reinventing the FTC as the “National Nanny” it was well on its way to becoming back in the 1970s—and, in particular, what such a radical change to the FTC’s powers would mean for the Internet and other media regulated by the agency.

The good news is that Sen. Dodd’s draft 1336-page legislation seems to do precisely what Sen. Hutchinson and others have suggested: Change the FTC’s authority only with regards to a particular problem—in this case, financial regulation. (Dodd’s bill differs in a number of other respects from HR 4173). In a nutshell, Dodd’s bill would transfer the FTC’s consumer financial protection functions to the newly created Bureau of Consumer Protection at the Federal Reserve, but the FTC could also punish violations of the bill’s financial protections on its own under Section 5 of the FTC act.  Further, the Fed’s BCP would have to consult with the Federal Trade Commission before imposing any regulations. The FTC could impose civil penalties, but only for “knowing violations” of the CFPA Act—i.e., only for financial offenses. In an important recognition of the dangers of unbridled agency discretion, the Dodd bill also imports the FTC’s existing definition of “unfairness” as requiring that an act or practice be “likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers” and which is “not outweighed by countervailing benefits to consumers or to competition.”

The bad news is that Dodd’s bill is unlikely to be the final word on the FTC’s authority, as Sen. Rockefeller’s Commerce Committee may insist on some or all of the provisions of HR 4173 that expand the FTC’s powers across the board among a flurry of other amendments. Still, whatever its other shortcomings or advantages, Dodd’s bill offers a path forward for financial overhaul that does not require remaking the FTC—and thus transforming regulation of the Internet, other media, advertising, cyber-security and privacy—among many other things. And for that, the Dodd bill deserves careful consideration as an alternative to just giving the FTC all the power it could ever want, and then just hoping the agency doesn’t abuse it—which is essentially what Chairman Leibowitz, much like the FCC’s Chairman Genachowski, is suggesting we do.

by Adam Thierer & Berin Szoka, Progress Snaphot 6.1

Stephanie Clifford of the  New York Times posted a very interesting article this week summarizing a recent “on-the-record chat” the Times staff had with Federal Trade Commission (FTC) chairman Jon Leibowitz and FTC Bureau of Consumer Protection chief David Vladeck.  The interview [discussed by Braden here] is profoundly important in that it reveals an alarming disconnect regarding the relationship between “privacy” regulation and the future of media, which were the subjects of their discussion with Times staff.  Namely, Leibowitz and Vladeck apparently fail to appreciate how the delicate balance between commercial advertising and journalism is at risk precisely because of the sort of regulations they apparently are ready to adopt.  Because the value of online advertising depends on data about its effectiveness and consumers’ likely interests, and because advertising is indispensable to funding media, what’s ultimately at stake here is nothing short of the future of press freedom.

The “Day of Reckoning” Is Upon Us

Leibowitz and Vladeck spend the first half of The Times interview wringing their hands about “privacy policies,” the declarations made by websites and advertising networks about their data collection and use practices (for which the FTC can and must hold them accountable).  But the two feel that privacy policies don’t adequately inform consumers.  Chairman Leibowitz claims that online companies “haven’t given consumers effective notice, so they can make effective choices.”  And Mr. Vladeck states that advise-and-consent models “depended on the fiction that people were meaningfully giving consent.” But he and the FTC seem ready to abandon the notice and choice model because the “literature is clear” that few people read privacy policies, Vladeck told the Times.  He and Leibowitz continue:

“Philosophically, we wonder if we’re moving to a post-disclosure era and what that would look like,” Mr. Vladeck said. “What’s the substitute for it?” He said the commission was still looking into the issue, but it hoped to have an answer by June or July, when it plans to publish a report on the subject. Mr. Leibowitz gave a hint as to what might be included: “I have a sense, and it’s still amorphous, that we might head toward opt-in,” Mr. Leibowitz said.

This clearly foreshadows the regulatory endgame we have long suspected was coming.  When the FTC released its “Self-Regulatory Principles for Online Behavioral Advertising” eleven months ago, we asked: “What’s the Harm & Where Are We Heading?”  Their answers to both questions have become clearer with each new calculated comment—all apparently intended to slowly “turn up the heat” on the advertising industry so that the proverbial frog will stay in the pot until the water finally boils.  Leibowitz’s FTC has simply dodged the “harm” question with a four-part strategy:

1. Cobble together a “record” full of sympathy-evoking anecdotes submitted by advocates of regulation in comments and the FTC’s ongoing “Exploring Privacy” Roundtables;
2. Let the most extreme Chicken Littles fulminate about the grand conspiracy of “neuromarketing manipulation” and the like (and sometimes even shout down FTC staff in panel discussions) in order to redefine the “reasonable center” of the debate;
3. Define-down “harm” as purely a matter of “consumer expectations” or consumers’ “dignity interests” (whatever that vague and infinitely elastic term means); and
4. Attack the effectiveness of “consent” itself by suggesting that consumers cannot be trusted to understand privacy policies or be expected to make any effort to protect their own privacy.

Conveniently, this strategy leads right back to the “day of reckoning” Chairman Leibowitz threatened was coming last February: We are heading precisely where he told us we would be—to full-on, opt-in regulation.  The writing on the wall becomes more apparent every day: Leibowitz set out to bring online advertising to heel even before becoming Chairman, and his Commission is reprising almost precisely the same approach that led to the passage of the Children’s Online Privacy Protection Act (COPPA) of 1998: building a case for new authority, dismissing industry self-regulation as ineffective, and finally presenting a report to Congress intended to produce a rapid legislative response.  After the FTC presented its report on the need for regulation in congressional testimony in June 1998, it took Congress just four months to pass COPPA—and much of that time was consumed by the summer recess.  In short, Leibowitz is mounting a carefully choreographed campaign for increased regulation.

The only real question is whether Leibowitz will somehow try to use the FTC’s existing authority over “unfair or deceptive” trade practices or wait for expanded authority from Congress.  While most observers typically assume that such expanded authority would come in the form of a privacy-specific bill—be it a broad “baseline” privacy bill or one specifically focused on online data collection for advertising purposes—the authority Leibowitz yearns for could just as easily come in the form of increased rulemaking authority as part of a broader bill that allows the FTC to preemptively regulate practices that are not deceptive but merely deemed “unfair.”

This would take the agency “ Back to the Future”—to the late 1970s, when the agency reached the height of its efforts to regulate purely on “unfairness” grounds by trying to ban advertising to children.  The agency’s behavior earned it the moniker “National Nanny” from the Washington Post, hardly a bastion of regulatory skepticism.[1] That outpouring of popular resentment caused a heavily Democratic Congress to cut-off the Democratic-led agency’s regular funding and prohibit it from regulating advertising merely on the grounds of “unfairness.”  In essence, they told the agency to “go back to its knitting” and focus on protecting consumers from demonstrated harms.^[2] Duly chastened (and actually shut down for several days), the FTC formulated a meaningful legal standard for “unfairness,” which Congress codified in 1994: for a practice to be unfair, the injury it causes must be (1) substantial, (2) without offsetting benefits, and (3) one that consumers cannot reasonably avoid.

Under this statutory standard, as FTC Commissioner Thomas Rosch has argued, the commission must carefully consider:

[the] legitimate pro-consumer and pro-competitive benefits that result from [targeted advertising]. Absent hard data weighing these benefits against the limited “invasion of privacy interests” involved, it would seem difficult to conclude that treating that practice as an actionable violation of the “unfairness” prong of Section 5 will pass muster.[3]

So Leibowitz and Vladeck either need to get serious about weighing the costs and benefits of targeted advertising—or, in the absence of such actually measuring these trade-offs, get Congress to give them the authority to regulate.  But one thing is clear from their past statements: they are in a hurry to do  something. As Vladeck told The Times last August, “There is a sense of urgency around here… Consumers, I don’t think are sufficiently protected under the current regime.”  Apparently, the case is closed in their minds.

“Left Hand, Meet Right Hand”

The second half of the  Times interview concerns the future of news. Chairman Leibowitz is not optimistic:

“There are some areas where you clearly see positive creative destruction,” Mr. Leibowitz said, giving the example of travel agents who were replaced by Orbitz and other online-booking systems. The news, he said, was not one of those. “When you’re dealing with something as critical as news is to a democracy, you need to ensure, certainly, that it’s independent, but also that it’s vibrant going forward,” he said. Areas like investigative reporting, foreign and domestic bureaus, and state-house reporting, he said, would likely falter under blog operations because of “economies of scale.”

He said he wasn’t sure what the solution was, but threw out a few ideas discussed at the conference: maybe special tax treatment for newspapers, a Corporation for Public Broadcasting-like fund, or for the newspaper industry to charge fees for the re-use of its content, similar to the model that the American Society of Composers, Authors and Publishers uses. [emphasis added]

Mr. Chairman, with all due respect, haven’t you forgotten about the solution that has powered private media for a few centuries in this country?  You know— advertising!  Indeed, what’s stunning about these comments is the complete disconnect with what Leibowitz and Vladeck said earlier in the interview.  It certainly may be the case that they said more on the subject than what The Times has reported, but given their escalating rhetoric, it seems likely that significantly increased FTC regulation is on the horizon.  And, yet, as Chairman Leibowitz marches us into this brave new world of regulating Internet media through their key funding source, he and Mr. Vladeck seem to have little appreciation of the vital role played by advertising in sustaining a truly free and vibrant press.

An Attack on Advertising Is an Attack on Media Itself

Let’s step back and revisit Media Economics 101.  Almost every serious scholar in the field acknowledges this truism: Advertising cross-subsidizes media platforms and the creation of valuable information—especially news.  “Advertising is the mother’s milk of all the mass media,”  Wall Street Journal technology columnist Walt Mossberg has noted.  Similarly, Harold L. Vogel, author of Entertainment Industry Economics, the leading text in the field, has noted, “Advertising is the key common ingredient in the tactics and strategies of all entertainment and media company business models.  Indeed, it might further be said that advertising has substantively subsidized the production and delivery of news and entertainment throughout the last century.”[4] Mossberg agrees and notes, “Without ads, most editorial products and other programming would be either unavailable or prohibitively expensive.”

The reason for the indispensability of advertising is simple: Information (including news and other forms of “content”) has “public good” characteristics that make it is very difficult (and occasionally impossible) for information-publishers to recoup their investments.  Simply put, they quite literally lack pricing power: Whatever they charge, someone else will charge less for a close substitute, inevitably leading to “free” distribution of the content, even though the content is anything but free to produce.  Advertising is the one business model that has traditionally saved the day by rewarding publishers for attracting the attention of an audience.

Which raises another under-appreciated point: Private advertising promotes press independence.  “Newspapers, magazines, radio, television, and many websites all receive their primary income from advertising,” notes William F. Arens, author of  Contemporary Advertising, another leading textbook in the field. “This facilitates freedom of the press and promotes more complete information” he concludes.[5] Why?  Because, contrary to what some critics claim, advertising and marketing help keep private media providers independent of the need for taxpayer subsidies or private patrons.  This begs an even more profound question: If not advertising, then what else?

A “Public Option” for the Press?

What’s most troubling about Chairman Leibowitz’s comments to the Times is that he has apparently found his alternative to advertising: a “public option” for the press! He mentions special tax treatment for newspapers or a new CPB-like fund (don’t we already have one?) as two possibilities.  That certainly will be music to the ears of radical, pro-regulatory activist groups like the ironically-named “Free Press,” which wants to see a massive “public works” program for the media sector.

Free Press recently filed comments with the FTC in the agency’s recent workshop, “Can Journalism Survive the Internet Age?” and proposed a far-reaching industrial policy for “saving the news.”  They call for over $50 billion in subsidies for the Corporation for Public Broadcasting and other bureaucracies, a “journalism jobs program” for that would be part of AmeriCorps, a variety of new tax incentives for struggling media operations or individuals who support favored institutions, and an assortment of government incentives to encourage local ownership and media divestiture (by handing over control to smaller operators or minority-owned groups).  Ironically, “Free Press” has also floated the concept of “a small tax on advertising” as one way to pay for a press bailout.

The organization’s founder Robert W. McChesney, the prolific neo-Marxist media scholar, penned an essay with John Nichols of The Nation last year, claiming that saving journalism essentially requires that media become an appendage of the State.  Although advertising has supported journalism as a “public good” for centuries, the only way they can conceive to provide a public good is to socialize its means of production.  Thus, journalism, like education and national defense, requires constant government oversight and support: “A moment has arrived at which we must recognize the need to invest tax dollars to create and maintain news gathering, reporting and writing with the purpose of informing all our citizens.”  They ask us to consider the $60 billion in government spending they propose as a “free press ‘infrastructure project,’” which would “keep the press system alive.”

Some in Congress seem willing to listen.  The Senate has already held hearings about the future of journalism.  And Senator Benjamin L. Cardin (D-MD) recently introduced what he has called the “Newspaper Revitalization Act,” which would allow newspapers to become nonprofit organizations in an effort to help them stay afloat.  Importantly, however, the bill would also disallow political endorsements on newspaper editorial pages—which, like campaign finance restrictions, would be a boon for incumbent politicians.  That bill should serve as fair warning to journalists about the sort of strings lawmakers will attach to press-welfare efforts going forward.  What other “golden shackles” might come with media subsidies?

To be clear, Chairman Leibowitz hasn’t called for a complete press takeover along the lines of the Free Press plan.  Yet, he hasn’t answered a key question in this debate: Who pays for news?  He appears ready to endorse a bold new regulatory scheme for the Internet and online media that, in the name of “protecting privacy” would put at risk the one traditionally successful method of supporting private media operations—advertising.  As the Pew Research Center’s Project for Excellence in Journalism noted in its latest State of the News Media report, “The problem facing American journalism is not fundamentally an audience problem or a credibility problem.  It is a revenue problem—the decoupling… of advertising from news.”  There’s probably no way policymakers can stop this process, nor should they try.  But they shouldn’t be creating new obstacles to the survival of traditional media creators, either.

Unfortunately, that’s exactly what Chairman Leibowitz’s new regulatory scheme would do.  The revenue “delta” between “smart” advertising (tailored to consumers’ likely interests and measured for effectiveness in producing clicks, purchases, etc.) and “dumb advertising” (based purely on surrounding keywords or demographics of users presumed to visit the site) is difficult to measure but potentially enormous—even 10 times as great for some sites.[6] The difference between opt-in and opt-out could be nearly as dramatic, because it’s difficult to get consumers to opt-in for anything, especially for small players—which means that opt-in regulation could, perversely, force consolidation in the online advertising and content markets.  If the FTC cares about its statutory responsibility to safeguard competition, they should take this dynamic seriously and be hyper-cautious about heavy-handed mandates that could derail smarter advertising.

Finally, to be fair, in his interview, the Chairman also suggests the newspaper industry might want to find new way “to charge fees for the re-use of its content.”  We’re certainly not opposed to the notion and think that, if it could somehow be made to work (especially by removing antitrust obstacles), it could part of a diverse revenue mix for digital journalism.  But, there’s the rub.  Micropayments inevitably face the problem of “mental transaction costs”  that likely swamp the perceived value of most content and, like pay-walls, have generally worked only in media environments characterized by a scarcity of providers and a uniqueness of a sufficiently valuable product.  These cold, hard economic realities are why advertising remains indispensable.

The Principled Alternative to Regulation

Convinced that privacy policies simply don’t work, Leibowitz and Vladeck are asking what a “post-disclosure era” would look like.  We appreciate the continued sensitivities expressed by certain groups and individuals about online privacy and data use more generally.  But there is another way forward.  We have proposed the following “5-E” layered approach to concerns about online privacy, focusing on restraining government access to data as a clear harm, rather than crippling the private sector uses of data that directly benefit consumers:

1. Erect a higher “Wall of Separation between Web and State” by increasing Americans’ protection from government access to their personal data—thus bringing the Fourth Amendment into the Digital Age.
2. Educate users about privacy risks and data management in general as well as specific practices and policies for safer computing.
3. Empower users to implement their privacy preferences in specific contexts as easily as possible.
4. Enhance self-regulation by industry sectors and companies to integrate with user education and empowerment.
5. Enforce existing laws against unfair and deceptive trade practices as well as state privacy tort laws.

Such a layered approach would not only be a “less restrictive” alternative to top-down, one-size-fits-all government regulation, but also potentially more effective in key respects than government data use/collection mandates.  In an ideal world, adults would be fully empowered to tailor privacy decisions, like speech decisions, to their own values and preferences (“household standards”).  Consumers would have (1) the information necessary to make informed decisions and (2) the tools and methods necessary to act upon that information. Importantly, those tools and methods would give them the ability to block the things they don’t like—annoying ads or the collection of data about them, as well as objectionable content—while also helping them find the information and content they desire.

But of course, the devil’s in the details.  Leibowitz and Vladeck would set the bar so high as to what constitutes “effective” consumer choice that current privacy policies necessarily fail their test—if only because most users don’t care enough to make the “right” privacy choices.  Privacy policies, even if read by relatively few consumers, nonetheless allow privacy advocates, journalists and watchdog-bloggers to scrutinize what companies say they’re doing—promises to which the FTC should hold companies stringently.  That’s clearly not good enough for Leibowitz and Vladeck, who want to give up on “notice and choice” and move on to “opt-in” mandates.  But why not first try to make “notice” more effective?  The advertising industry is currently developing standardized interfaces that could communicate key information about privacy practices in a single icon, label or other easily-digested “consumer touch point.”

More radically, why focus on tinkering with consumer interfaces, when standardized data disclosure formats like the Protocol for Privacy Preferences (P3P) could distill legalistic privacy policies into “machine-readable” code?  Such disclosures could provide a powerful form of “notice” that the ordinary consumer could “use”: simply setting their own privacy preferences in a browser tool that automatically implements those preferences by blocking tracking that users object to.  Such a privacy disclosure format could also allow the FTC to automate enforcement of its existing authority to punish unfair or deceptive trade practices.

Conclusion

And so we return to the question the FTC asked in its recent workshop, “Can Journalism Survive the Internet Age?”  Answer: Not if the FTC kills the golden goose that lays the golden eggs through onerous advertising regulations and data controls in the name of “privacy.”  Chairman Leibowitz and Bureau Chief Vladeck shouldn’t foreclose the possibility that advertising can play a central role in the future of a free press in the Digital Age—just as it has done historically in the United States.  Indeed, they would be wise to remember that advertising has always been with us.  As the Supreme Court noted in its 1996 decision, 44 Liquormart, Inc. v. Rhode Island.

Advertising has been a part of our culture throughout our history. Even in colonial days, the public relied on “commercial speech” for vital information about the market. Early newspapers displayed advertisements for goods and services on their front pages, and town criers called out prices in public squares. Indeed, commercial messages played such a central role in public life prior to the founding that Benjamin Franklin authored his early defense of a free press in support of his decision to print, of all things, an advertisement for voyages to Barbados.[7]

Of course, for advertising to continue to play the role as sustainer of the press, it must be allowed to evolve.  Media operators—large and small alike—must be allowed to craft new strategies, some of which may require data collection and marketing practices that will make some privacy-sensitive users uncomfortable, but will also ensure that the goose keeps on laying golden eggs for them and everyone else.

While Chairman Leibowitz may decry the creative destruction at work in the news sector and information industries today, that shakeup will continue and, no doubt, be painful for incumbent players.  Advertising alone may not “save the day” for media as it has in the past, but it will likely remain essential to sustaining private media platforms and providers going forward— if federal policymakers allow it.  The alternative—massive government intervention into the news and media sectors—is too horrifying to think about.

[1] Washington Post, March 1, 1978.

[2] Congress terminated the FTC’s efforts to prohibit advertising to children, and barred the agency from issuing any advertising regulation predicated solely on unfairness for three years.  FTC Improvements Act, Pub. L. No. 96-252, § 11 (May 1980).  See generally J. Howard Beales, Director of the Bureau of Consumer Protection, Federal Trade Commission, The FTC’s Use of Unfairness Authority: Its Rise, Fall, and Resurrection, www.ftc.gov/speeches/beales/unfair0603.shtm.

[3] Thomas Rosch, Some Reflections on the Future of the Internet: Net Neutrality, Online Behavioral Advertising, and Health Information Technology, Remarks at U.S. Chamber of Commerce Telecommunications & E-Commerce Committee Fall Meeting, October 26, 2009, 13, www.ftc.gov/speeches/rosch/091026chamber.pdf.

[4] Harold L. Vogel, Entertainment Industry Economics (Cambridge, MA: Cambridge University Press, 7th Edition, 2007), at 46.

[5] William F. Arens, Contemporary Advertising (McGraw-Hill Irwin, 10^th Ed., 2006) at 50.

[6] See Berin Szoka & Mark Adams, The Benefits of Online Advertising & Costs of Privacy Regulation, PFF Working Paper, Nov. 8, 2009, www.scribd.com/doc/22445754/Benefits-of-Online-Advertising-Paper.

[7] 517 U.S. 484, 495 (1996), http://www.law.cornell.edu/supct/html/94-1140.ZO.html

______________________________

Related PFF Publications

• Privacy Trade-Offs: How Further Regulation Could Diminish Consumer Choice, Raise Prices, Quash Digital Innovation & Curtail Free Speech, Berin Szoka, Comments to the Federal Trade Commission “Exploring Privacy” Roundtable, November 10, 2009.
• Online Advertising & User Privacy: Principles to Guide the Debate, Berin Szoka & Adam Thierer, Progress Snapshot 4.19, Sept. 2008.
• Targeted Online Advertising: What’s the Harm & Where Are We Heading?, Berin Szoka & Adam Thierer, Progress on Point 16.2, April 2009.
• Privacy Polls v. Real-World Trade-Offs, Berin Szoka, Progress Snapshot 5.10, Oct. 2009.
• The Benefits of Online Advertising & Costs of Privacy Regulation, Berin Szoka & Mark Adams, PFF Working Paper, Nov. 8, 2009.
• Benefits of Online Advertising, Berin Szoka, Mark Adams, Howard Beales, Thomas Lenard & Jules Polonetsky, PFF Capitol Briefing, July 2009.
• Public Option for Press Should Get the Red Pen, Adam Thierer, The Daily Caller, Jan. 12, 2010.

On July 27th, The Progress & Freedom Foundation hosted a Capitol Hill panel discussion entitled “Online Child Safety, Privacy, and Free Speech: An Overview of Challenges in Congress & the States.” The event featured remarks from:

• Parry Aftab, Executive Director, WiredSafety.org
• Todd Haiken, Senior Manager of Policy, Common Sense Media
• Jim Halpert, Partner, DLA Piper
• Berin Szoka, Senior Fellow, The Progress & Freedom Foundation

We’ve just released the transcript of the event, which I have also pasted down below the fold in a Scribd document reader. Also, the audio for this event can be heard by clicking below:

Download mp3

Here is the full event description:

Online child safety, privacy, and free speech remain hotly debated issues at both the federal and state level. Bills introduced in Congress to address cyberbullying concerns propose either educational initiatives or a criminalization approach. Access to objectionable content also remains a concern and a new, government-mandated task force is looking into those issues. Meanwhile, state officials, including many state attorneys general, continue to explore age verification mandates for social networking sites and some have considered building on the federal Children’s Online Privacy Protection Act (COPPA) to expand “parental notification” mandates. The Federal Trade Commission (FTC) has recently announced an expedited review of COPPA to see if it is keeping up with new developments. The FTC is also exploring child safety in virtual worlds. New concerns about “sexting,” or the sending of sexual explicit images over mobile devices, has also raised new concerns led some lawmakers to ponder penalties.

How serious are these concerns? Is legislation or regulation needed to address them? What free speech issues are at stake? Should Congress take the lead or leave it to the States to experiment with different models? These and other issues were discussed by a panel of leading experts in the field of online safety and privacy policy.

Transcript PFF Online Child Safety Privacy Hill Event (7-27-2009) http://d.scribd.com/ScribdViewer.swf?document_id=18756666&access_key=key-1blb7az1ag406howibuk&page=1&version=1&viewMode=

What Unites Advocates of Speech Controls & Privacy Regulation? [pdf]

by Adam Thierer & Berin Szoka The Progress & Freedom Foundation, Progress on Point No. 16.19

Anyone who has spent time following debates about speech and privacy regulation comes to recognize the striking parallels between these two policy arenas. In this paper we will highlight the common rhetoric, proposals, and tactics that unite these regulatory movements. Moreover, we will argue that, at root, what often animates calls for regulation of both speech and privacy are two remarkably elitist beliefs:

1. People are too ignorant (or simply too busy) to be trusted to make wise decisions for themselves (or their children); and/or,
2. All or most people share essentially the same values or concerns and, therefore, “community standards” should trump household (or individual) standards.

While our use of the term “elitism” may unduly offend some understandably sensitive to populist demagoguery, our aim here is not to launch a broadside against elitism as Time magazine culture critic William H. Henry once defined it: “The willingness to assert unyieldingly that one idea, contribution or attainment is better than another.”^[1] Rather, our aim here is to critique that elitism which rises to the level of political condescension and legal sanction. We attack not so much the beliefs of some leaders, activists, or intellectuals that they have a better idea of what it in the public’s best interest than the public itself does, but rather the imposition of those beliefs through coercive, top-down mandates.

That sort of elitism—elitism enforced by law—is often the objective of speech and privacy regulatory advocates. Our goal is to identify the common themes that unite these regulatory movements, explain why such political elitism is unwarranted, and make it clear how it threatens individual liberty as well as the future of free and open Internet. As an alternative to this elitist vision, we advocate an empowerment agenda: fostering an environment in which users have the tools and information they need to make decisions for themselves and their families.

I. The Elitism of Speech Regulation

First, consider how those two elitist beliefs identified above are on display when lawmakers or regulatory advocates make efforts to control speech or content.^[2] Calls to regulate free speech are often premised on the belief that something must be done to “protect The Children.”^[3] Personal and parental responsibility ^[4] are regarded as inadequate safeguards ^[5] since some parents will inevitably fall down on the job by not adequately shielding their children’s eyes and ears from potentially objectionable (or supposedly harmful) speech. Therefore, government must regulate content that is indecent, profane, excessively violent, and so on. The definition of those things is then left to unelected bureaucrats and judges to make on our behalf.

But it’s not just about “The Children.” Some regulatory advocates believe that even the choices made by consenting adults must be disregarded because some people fail to understand the supposedly destructive nature of the speech they are consuming. Government must act to protect people from making what some regulatory advocates regard as destructive or even immoral choices that could bring harm to them or their loved ones.

In sum, regulatory advocates are essentially saying that people cannot be trusted or left to their own devices and, therefore, government must intervene and establish a baseline “community standard” on behalf of the entire citizenry to tell them what‘s best for them.^[6] Even if those citizens have tools and information at their disposal to make sensible decisions about objectionable content, that’s not good enough because they might not do the job properly. Government must do it for them!

II. The Elitism of Privacy Regulation

This same mentality motivates calls for privacy regulations. Those who call for government interventions to “protect privacy” often claim that people too willingly surrender personal information about themselves and that they don’t understand the adverse consequences of those actions.^[7] Alternatively, regulatory advocates claim that advertising and marketing efforts are inherently “manipulative” and that people do not realize they are being duped into surrendering personal information or into buying products or services they supposedly don’t need.^[8] Of course, those regulatory advocates rarely pause to explain to us how it is that they were not also duped and manipulated by the same things—again revealing their deeply-rooted elitism! (As discussed below, this makes it clear how the psychological phenomenon of “third-person effect hypothesis” is driving much of this debate.)

“Protecting The Children” is also used as a rhetorical cover for regulation here, but not as often in debates over speech controls.^[9] Instead, regulatory advocates mostly focus on adults who are presumed not to know what is in their own best interest—necessitating paternalistic government intervention on their behalf.

III. Intellectual Schizophrenia on Both the Left & Right

What is particularly interesting about all this is the way these two issues expose a sort of intellectual schizophrenia at work on both the Left and Right of the political spectrum. Left-leaning policymakers and intellectuals typically decry censorship efforts (except where “commercial speech,” “hate speech” and “bias” are at issue), but are quick to rally around proposals to layer privacy regulations on the Internet. The opposite is often true of many on the Right of the political spectrum: They typically declare privacy regulations to be paternalistic and antithetical to free enterprise (or perhaps just erosive of efforts to legislate morality),^[10] but in the next breath advocate controls on content they find objectionable.

Few on either side stop to consider the relationship between speech and privacy. In fact, they are but two sides of the same coin. After all, what is your “right to privacy” but a right to stop me from observing you and speaking about you?^[11] “Protecting privacy,” therefore, typically means restricting speech rights in the process. Advocates of privacy regulation often insist that the use, processing and collection of information are “conduct” unprotected by the First Amendment, but in fact, the First Amendment broadly protects the gathering and distribution of information as part of the process of communication (“speech”).^[12] Similarly, attempts to “clean up” speech or “protect The Children,” often require regulations that would betray the privacy of adults by expanding the role of government, and impose serious burdens on businesses and markets—such as age verification mandates ^[13] or extensive data retention requirements.^[14]

IV. Common Tactics & Regulatory Mechanisms

The two movements also share common political tactics and regulatory approaches. Privacy advocates generally favor “opt-in” mandates as the federal “baseline standard” for any website collecting information about users, especially their browsing habits (regardless of whether the information is “personally identifiable”). In other words, the law would create a property right in such “personal information” (ironically, many advocates of this approach criticize or reject intellectual property.) In a similar vein, many advocates of speech controls push for mandatory parental control tools or restrictive default settings.^[15] That is, if government won’t censor speech outright, regulatory advocates want lawmakers to at least (1) require that media, computing and communications devices be shipped to market with parental controls embedded or included (as proposed in Australia and with China’s “Green Dam” filter),^[16] and possibly, (2) that such controls be defaulted to their most restrictive position—forcing users to opt-out of the controls later if they want to consume media rated above a certain threshold.

More sophisticated advocates of speech controls and privacy regulation will likely argue that their paternalism is less elitist or intrusive because they merely want to “nudge” the public into making “better” decisions. Economist Richard Thaler and legal scholar Cass Sunstein (director of President Obama’s Office of Information and Regulatory Affairs, responsible for analyzing most new federal regulations) popularized this approach with their 2008 book Nudge: Improving Decisions about Health, Wealth, and Happiness. Based on behavioral economics studies, they argue that both government and private actors must inevitably make decisions about “choice architecture” and that, by setting defaults, incentives and rules smartly, “choice architects” can and should improve decision-making without blocking, fencing-off or significantly burdening choices.^[17]

In this regard, Sunstein and Thaler’s approach parallels the work of Lawrence Lessig, one of the most influential Internet policy thinkers. Lessig has argued that the “architecture” of “code” (how software is written) “regulates” all online activities and requires government oversight and intervention to keep in check. Otherwise, he warned ominously a decade ago, “Left to itself, cyberspace will become a perfect tool of control.”^[18] Lessig’s hyper-pessimistic predictions have proven unwarranted, however. Far from fostering a world of “perfect control,” code and cyberspace have proven remarkably difficult to regulate, but nonetheless has generally benefited consumers and citizens without centralized direction.^[19] Still, Lessig, Sunstein, and others of this ilk persist in their advocacy of “nudges” of many varieties to impose their will on cyberspace through mandates from above.

But while it might be possible to define “better decisions” and argue that poor choice architecture leads people to choose things they clearly don’t want in contexts like investment decisions and mortgages, how can elites know what other people really want in highly subjective contexts like privacy and speech? Should they rely on opinion polls—the highly subjective results of which depend heavily on “choice architecture” of question-crafting—to guess what the right default should be?^[20] Was the Chinese proposal to mandate deployment of “Green Dam” just a harmless “nudge” because users weren’t barred from uninstalling the filtering software that must accompany their computers (i.e., “opting-out”)? The problem becomes even more difficult where trade-offs among competing values are inevitable. For example, data collection about Internet users raises privacy concerns for some but benefits all, creating more funding for “free” content (i.e., speech) and services users prefer by making more valuable the advertising that supports online publishers. In short, regulations of speech and privacy are likely to be pure paternalism, even when billed as “libertarian paternalism as Thaler and Sunstein label their approach.^[21]

What might be called “regulatory blackmail” is also a time-honored tradition among both advocates of speech controls and privacy regulation. When censorship advocates have previously been impeded by the First Amendment, they have worked behind the scenes with lawmakers or regulatory agencies to use indirect pressure and strong-arming tactics to extract “voluntary concessions” from companies or others.^[22] For example, in 2004, the FCC strong-armed radio giant Clear Channel into agreeing to a “voluntary” consent decree that involved taking Howard Stern off the air.^[23] Similarly, in 2008, XM and Sirius Satellite Radio finally agreed to set aside 4% of their system capacity for use by politically favored racial minorities (a kind of speech control) as a “voluntary condition” of their merger—after the FCC had sat on their application for nearly 16 months.^[24] This race-based preference would have been unconstitutional if the FCC had imposed it directly.^[25] While the FTC has been far less prone to such abuse and actually plays a key role in holding companies to their promises, its current Chairman, Jon Leibowitz, has hung the “regulatory sword of Damocles” over the heads of the online advertising industry, threatening them with a “day of reckoning” if he doesn’t get what he wants from industry self-regulatory efforts.”^[26] The sword could actually fall if the FTC turns self-regulation into the European model of “co-regulation,” where the government steers and industry simply rows.^[27]

V. The Crisis Mentality that Drives Regulation

Speech and privacy regulatory advocates share another trait in common: an affinity for the use of a crisis mentality as a method of spurring political action. In his 1995 book The Vision of the Anointed: Self-Congratulation as a Basis for Social Policy, political philosopher and economist Thomas Sowell formulated a model that he argued drives ideological crusades to expand government power over our lives and economy. “The great ideological crusades of the twentieth-century intellectuals have ranged across the most disparate fields,” noted Sowell. But what they all had in common, he argued, was “their moral exaltation of the anointed above others, who are to have their different views nullified and superseded by the views of the anointed, imposed via the power of government.”^[28] These government-expanding crusades shared several key elements, which Sowell identified as follows:

1. Assertion of a great danger to the whole society, a danger to which the masses of people are oblivious.
2. An urgent need for government action to avert impending catastrophe.
3. A need for government to drastically curtail the dangerous behavior of the many, in response to the prescient conclusions of the few.
4. A disdainful dismissal of arguments to the contrary as either uninformed, irresponsible, or motivated by unworthy purposes.

We see this model at work on a daily basis today with our government’s various efforts to reshape our economy, but the model is equally applicable to debates over speech controls and privacy regulation. In particular, the various “technopanics”^[29] we have witnessed in recent years fit this model. For example, consider how this model plays out in the debate over online social networking:

1. Assertion of a great danger to the whole society [online sexual predators], a danger to which the masses of people are oblivious.
2. An urgent need for government action [such as mandatory online age verification ^[30] or the Deleting Online Predators Act ^[31]] to avert impending catastrophe.
3. A need for government to drastically curtail the dangerous behavior of the many [must stop kids and adults from being online together on same sites], in response to the prescient conclusions of the few [some state Attorneys General].^[32]
4. A disdainful dismissal of arguments to the contrary as either uninformed, irresponsible, or motivated by unworthy purposes [child safety researchers and others are told that their research is meaningless or offbase].^[33]

We also see this model in play in other debates, such as efforts to regulate “excessively violent” video games and television programming.^[34] And consider how this model plays out on the privacy front:

1. Assertion of a great danger to the whole society [amorphous privacy violations], a danger to which the masses of people are oblivious.
2. An urgent need for government action [“baseline federal privacy regulation”] to avert impending catastrophe.
3. A need for government to drastically curtail the dangerous behavior of the many [anyone who shares information online], in response to the prescient conclusions of the few [a handful of privacy advocacy groups].
4. A disdainful dismissal of arguments to the contrary as either uninformed, irresponsible, or motivated by unworthy purposes [any suggestion that privacy concerns are being overblown and that most information-sharing is socially beneficial is dismissed out-of-hand].

Worse yet, regulatory intervention in these cases simply begets more and more intervention to correct the inevitable failures of, or dissatisfaction with, previous interventions.^[35] Thus, the “crisis” cycle never ends.

VI. Third-Person Effect Hypothesis as an Explanation

Something more profound than simple political elitism seems to be at work here, however. A phenomenon psychologists refer to as the “third-person effect hypothesis” can explain many calls for government intervention, especially in the media world.^[36] Simply stated, speech and privacy critics sometimes seem to only see and hear in media or communications what they want to see and hear—or what they don’t want to see or hear. When they encounter perspectives or preferences that are at odds with their own, they are more likely to be concerned about the impact of those things on others throughout society and come to believe that government must “do something” to correct those perspectives. Many people desire regulation because they think it will be good for others, not necessarily for themselves. The regulation they desire has a very specific purpose in mind: “re-tilting” speech or market behavior in their desired direction.

The third-person effect hypothesis was first formulated by W. Phillips Davison in a seminal 1983 article:

In its broadest formulation, this hypothesis predicts that people will tend to overestimate the influence that mass communications have on the attitudes and behavior of others. More specifically, individuals who are members of an audience that is exposed to a persuasive communication (whether or not this communication is intended to be persuasive) will expect the communication to have a greater effect on others than on themselves.^[37]

Davison used this hypothesis to explain how media critics on both the Left and Right seemed to simultaneously find “bias” in the same content or reports when they couldn’t possibly both be correct. In reality, their own personal preferences were biasing their ability to fairly evaluate that content. Davison’s article prompted further research by many other psychologists, social scientists, and public opinion experts to test just how powerful this phenomenon was in explaining calls for censorship and other social phenomena.^[38] In these studies, third-person effect has been shown to be the primary explanation for why many people fear—or even want to ban—various types of speech or expression, including news,^[39] misogynistic rap lyrics,^[40] television violence,^[41] video games,^[42] and pornography.^[43] In each case, the subjects surveyed expressed strong misgivings about allowing others to see or hear too much of the speech or expression in question, but greatly discounted the impact of that speech on themselves. Such studies thus reveal the strong paternalistic instinct behind proposals to regulate speech. As Davison notes:

Insofar as faith and morals are concerned… it is difficult to find a censor who will admit to having been adversely affected by the information whose dissemination is to be prohibited. Even the censor’s friends are usually safe from the pollution. It is the general public that must be protected. Or else, it is youthful members of the general public, or those with impressionable minds.^[44]

It’s easy to see how this same phenomenon is at work in debates about privacy. Regulatory advocates imagine their preferences are “correct” (right for everyone) and that the masses are being duped by external forces beyond their control or comprehension, even though the advocates themselves are somehow immune from the brain-washing and privy to some higher truth that the hoi polloi simply cannot fathom. Again, this is Sowell’s “Vision of the Anointed” at work.

Consider the flare-up in 2004 over the introduction of Gmail, Google’s free email service. At a time when Yahoo! mail (then as now the leading webmail provider) offered customers less than 10 megabytes of email storage, Gmail offered an astounding gigabyte of storage that would grow over time (now over 7 GB). Rather than charging some users for more storage or special features, Google paid for the service by showing advertisements next to each email “contextually” targeted to keywords in that email—a far more profitable form of advertising than “dumb banner” ads previously used by other webmail providers.^[45] Self-appointed (or, to extend Sowell’s framework, “self-anointed”) privacy advocates howled that Google was going to “read users’ email,” and led a crusade to ban such algorithmic contextual targeting.^[46] Thierer responded to these critics by pointing out that the service was purely voluntary and noted:

you don’t speak for me and a lot of other people in this world who will be more than happy to cut this deal with Google. So do us a favor and don’t ask the government to shut down a service just because you don’t like it. Privacy is a subjective condition and your value preferences are not representative of everyone else’s values in our diverse nation. Stop trying to coercively force your values and choices on others. We can decide these things on our own, thank you very much.^[47]

Interestingly, however, the frenzy of hysterical indignation about Gmail was followed by a collective cyber-yawn: Users increasingly understood that algorithms, not humans, were doing the “reading” and that, if they didn’t like it, they didn’t have to use it. Today, nearly 150 million of people around the world use Gmail, and it has a steadily growing share of the webmail market. Even though cyber-consumers have embraced the service, some privacy advocates persist in their effort to shut down Gmail. They appear determined to stop at nothing to impose their will on others—the essence of political elitism—even if that means cutting off free email service for 150 million people!^[48]

A similar debate has played out more recently regarding targeted online advertising in general. Advertising on search engines is, much like Gmail, targeted “contextually” based on search terms entered by users and most advertising on other websites is based on the nature of content on a site or page. But certain data is collected about users as they browse to make that advertising more effective—by measuring its performance, reducing fraud, preventing over-exposure, etc. Some privacy advocates have insisted that industry self-regulation of such practices (even if enforced by the FTC) is inadequate and have called for preemptive regulation. They are even more offended by “behavioral advertising” which allows publishers whose content would have little value as the basis for contextually targeting advertising on their own sites to compete for more highly valued advertising by showing ads to users based on other sites they’ve visited. In both cases, data collection can increase the funding available to publishers to produce more of the content and services preferred by users, thus conferring an enormous indirect benefit on users, but also directly benefits users by increasing the relevance of the advertising they see.^[49] For some of the more extreme advocates of privacy regulation, however, there are no trade-offs, only absolutist “solutions:” To them, privacy is so obviously desirable that they feel at ease in deciding what’s best for everyone else. Such absolutists often respond with righteous indignation and conspiratorial fulmination when challenged to identify the harm against which they’re protecting consumers, while disdainfully dismissing all talk of the benefits of online advertising as self-serving industry propaganda.^[50]

VII. The Principled Alternative: Trust People & Empower Them

There is an alternative to this elitist mentality: freedom and personal responsibility. Individuals should be permitted to live a life of their own, even if they sometimes make mistakes or choices that are at odds with what elites think is best for them. ^[51]

Of course, the world isn’t perfect. In an ideal world, adults would be fully empowered to tailor speech and privacy decisions to their own values and preferences. Specifically, in an ideal world, adults (and parents) would have (1) the information necessary to make informed decisions and (2) the tools and methods necessary to act upon that information. Importantly, those tools and methods would give them the ability to not only block the things they don’t like—objectionable content, annoying ads or the collection of data about them—while also finding the things they want.

Achieving that ideal is likely impossible, but the good news is that we are moving closer to it with each passing day. Citizens have more tools and methods at their disposal than ever before which enable them to make decisions for themselves and their families. And this is true for both parental controls ^[52] and privacy controls.^[53]

Of course, some speech and privacy elitists will argue that we can’t trust empowerment tools ( e.g., filters, rating systems, or other controls) that are created by companies or other affected parties. But rather than trying to enhance those tools and educate users about how to use them, these elitists skip right past user empowerment and channel their energies into regulations that would impose a top-down, one-size-fits all standard on all adults and families—or even into trying to craft the perfect “nudge” that will help users make what elites believe to be the “right” decisions. Of course, these tools can, and should, be improved. Those groups worried about speech/content and privacy issues should focus on how we might drive such protections from the bottom-up by empowering individuals instead of government bureaucrats. The goal in both cases should be a “let-a-thousand-flowers-bloom” approach, which offers diverse tools and strategies for our diverse citizenry.^[54] We need not accept “one-size-fits” all approaches, whether they be regulatory mandates or “nudges,” based on the presumption that elites know best.

Finally, it is vital not to lose sight of what’s ultimately at stake here. If regulatory approaches trump the empowerment agenda we have described, the future of a free and open Internet—indeed, as technology converges, the future of all media—is at risk.^[55] By imposing technological solutions from the top-down that can never keep pace with technological change, regulation necessarily forecloses freedom and innovation.^[56] By contrast, individual empowerment allows innovation to flourish. The better approach across the board is education, not regulation.^[57] Empowerment, not elitism, is the path forward. The digital elite should be leading this effort by developing and promoting technologies of empowerment, not crafting regulatory mandates to force their will upon us.^[58]

#

Adam Thierer is a Senior Fellow with The Progress & Freedom Foundation and the director of its Center for Digital Media Freedom. Berin Szoka  is a Senior Fellow with PFF and the Director of PFF’s Center for Internet Freedom.

[1] . William A. Henry, In Defense of Elitism (1995) at 2-3.

[2] . See Adam Thierer, The Progress & Freedom Foundation, Congress, Content Regulation, and Child Protection: The Expanding Legislative Agenda, Progress Snapshot 4.4, Feb. 2008, www.pff.org/issues-pubs/ps/2008/ps4.4childprotection.html. Like American courts, we use the term “speech” as a broad catch-all for communications, including both actual speaking as well as other forms of transmitting, as well as receiving, information (“content”).

[3] . See generally Adam Thierer, Don’t Scapegoat Media, USA Today, Dec. 4, 2008, www.pff.org/issues-pubs/ps/2008/ps4.24scapegoatmedia.html; Marjorie Heins, Not in Front of the Children, “Indecency,” Censorship, and the Innocence of Youth (2001); Karen Sternheimer, It’s Not the Media: The Truth about Pop Culture’s Influence on Children (2003); Karen Sternheimer, Kids These Days: Facts and Fictions about Today’s Youth (2006).

[4] . See Adam Thierer, The Progress & Freedom Foundation, FCC Violence Report Concludes that Parenting Doesn’t Work, PFF Blog, Apr. 26, 2007, http://blog.pff.org/archives/2007/04/fcc_violence_re.html.

[5] . See Adam Thierer, The Progress & Freedom Foundation, Sen. Rockefeller Gives Up on Parenting at Senate Violence Hearing, PFF Blog, June 26, 2007, blog.pff.org/archives/2007/06/sen_rockefeller_1.html.

[6] . Adam Thierer, Conservatives, Porn, and “Community Standards,” The Technology Liberation Front, March 2, 2009, http://techliberation.com/2009/03/02/conservatives-porn-and-community-standards.

[7] . Berin Szoka & Adam Thierer, The Progress & Freedom Foundation, Online Advertising & User Privacy: Principles to Guide the Debate, Progress Snapshot 4.19, Sept. 2008, www.pff.org/issues-pubs/ps/2008/ps4.19onlinetargeting.html.

[8] . Jeff Chester, for decades the great gadfly of American advertising, has decried “the system … developed to track each and every one of us and our behavior for one-on-one marketing efforts” as “manipulative, intrusive and un-democratic.” Wendy Melillo, Q&A: Chester Writes the Book on Privacy, Dec. 11, 2007, www.gfem.org/node/227. For instance, Chester and other leading “privacy advocates” ridicule the idea of smart phones as a “liberating technology” and insist that,

Despite the glowing words about customization and personalized service, what marketers and advertisers are increasingly offering consumers is merely the illusion of free choice. Mobile operators offer their various options and services, not on an individual basis, but preconfigured according to segmented demographic profiles.

Center for Digital Democracy and U.S. Public Interest Research Group, Complaint and Request for Inquiry and Injunctive Relief Concerning Unfair and Deceptive Mobile Marketing Practices, Jan. 13, 2009 (emphasis original), www.democraticmedia.org/files/FTCmobile_complaint0109.pdf. See generally Berin Szoka & Adam Thierer, The Progress & Freedom Foundation, Targeted Online Advertising: What’s the Harm & Where Are We Heading?, Progress on Point 16.2, Feb. 2009, www.pff.org/issues-pubs/pops/2009/pop16.2targetonlinead.pdf.

[9] . Berin Szoka & Adam Thierer, The Progress & Freedom Foundation, COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech, Progress on Point 16.11, May 2009, www.pff.org/issues-pubs/pops/2009/pop16.11-COPPA-and-age-verification.pdf.

[10] . The Supreme Court has used a “right to privacy” to strike down laws against the use of contraception by married couples, Griswold v Connecticut, 381 U.S. 479 (1965), and abortion, Roe v. Wade, 410 U.S. 113 (1973).

[11] . Eugene Volokh, Freedom of Speech and Information Privacy: The Troubling Implications of a Right to Stop People From Speaking About You, 52 Stanford L. Rev. 1049 (2000), available at www.pff.org/issues-pubs/pops/pop7.15freedomofspeech.pdf.

[12] . See , Amicus Brief for Association Of National Advertisers, Cato Institute, Coalition For Healthcare Communication, Pacific Legal Foundation And The Progress & Freedom Foundation In Support Of Appellants, IMS Health v. Sorrell, No. 09-1913-cv(L), 09-2056-cv(CON) (2nd Cir. 2009), available at www.pff.org/issues-pubs/filings/2009/071309-Brief-Amici-Curiae-ANA-et-al-Second-Circuit-(09-1913-cv).pdf.

[13] . See Adam Thierer, The Progress & Freedom Foundation, Social Networking and Age Verification: Many Hard Questions; No Easy Solutions, Progress on Point No. 14.5, March 2007, www.pff.org/issues-pubs/ pops/pop14.8ageverificationtranscript.pdf; www.pff.org/issues-pubs/pops/pop14.5ageverification.pdfAdam Thierer, The Progress & Freedom Foundation, Statement Regarding the Internet Safety Technical Task Force’s Final Report to the Attorneys General, Jan. 14, 2008, www.pff.org/issues-pubs/other/090114ISTTFthiererclosingstatement.pdf; Nancy Willard, Why Age and Identity Verification Will Not Work—And is a Really Bad Idea, Jan. 26, 2009, www.csriu.org/PDFs/digitalidnot.pdf; Jeff Schmidt, Online Child Safety: A Security Professional’s Take, The Guardian, Spring 2007, www.jschmidt.org/AgeVerification/Gardian_JSchmidt.pdf.

[14] . Adam Thierer, The Progress & Freedom Foundation, Mandatory Data Retention: How Much is Appropriate, PFF Blog, June 26, 2006, http://blog.pff.org/archives/2006/06/mandatory_data.html

[15] . Adam Thierer, The Progress & Freedom Foundation, The Perils of Mandatory Parental Controls and Restrictive Defaults, Progress on Point 14.4, Apr. 11, 2008, www.pff.org/issues-pubs/pops/2008/pop15.4defaultdanger.pdf.

[16] . Adam Thierer, China’s Green Dam Filter and the Threat of Rising Global Censorship, PFF Blog, June 17, 2009, http://blog.pff.org/archives/2009/06/chinas_green_dam_filter_and_threat_of_rising_globa.html

[17] . They define choice architecture as follows: “A structure designed by a choice architect(s) to improve the quality of decisions made by homo sapiens. Often invisible, choice architecture is the specific user-friendly shape of an organization’s policy or physical building when homo sapiens come into contact with it. Examples of choice architecture include a voter ballot, a procedure for handling well-meaning people who forget a deadline, or a skyscraper.” Nudge Glossary of Terms, www.nudges.org/glossary.cfm.

[18] . Lawrence Lessig, Code and Other Laws of Cyberspace (1999) at 6.

[19] . See Adam Thierer, Code, Pessimism, and the Illusion of “Perfect Control,” Cato Unbound, May 2009, www.cato-unbound.org/2009/05/08/adam-thierer/code-pessimism-and-the-illusion-of-perfect-control

[20] . See Solveig Singleton & Jim Harper, With A Grain of Salt: What Consumer Privacy Surveys Don’t Tell Us, 2001, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=299930.

[21] . As Cato Institute scholar Will Wilkinson has argued, the book’s “agreeably banal doctrine of choice-preserving helpfulness” blurs the lines between paternalism and libertarianism, and thus “the thrust of the conceptual renovation behind the term libertarian paternalism is to empower, not limit, political elites.” Why Opting Out Is No “Third Way,” Reason, October 2008, www.reason.com/news/show/128916.html. See also Adam Thierer, The Progress & Freedom Foundation, Sunstein’s “Libertarian Paternalism” is Really Just Paternalism, PFF Blog, April 7, 2008, http://blog.pff.org/archives/2008/04/sunsteins_liber.html.

[22] . See Robert Corn-Revere, “’Voluntary’ Self-Regulation and the Triumph of Euphemism,” in Rationales & Rationalizations: Regulating the Electronic Media (Robert Corn-Revere, ed., 1997), at 183-208.

[23] . Telecom Policy Report, Commission Settles Indecency Charges, But At What Cost?, June 30, 2004, http://findarticles.com/p/articles/mi_m0PJR/is_25_2/ai_n6091525.

[24] . See Adam Thierer, XM-Sirius, Regulatory Blackmail, and Diversity, June 17, 2008, http://blog.pff.org/archives/2008/06/xmsirius_regula.html.

[25] . See Comments of W. Kenneth Ferree on Implementation of Sirius-XM Merger Condition, The Progress & Freedom Foundation, MB Docket No. 07-57, March 30, 2009, www.pff.org/issues-pubs/filings/2009/033009siriusXMconditionfiling.pdf.

[26] . See Szoka & Adam Thierer, supra note 8 at 3.

[27] . See id. at 2.

[28] . Thomas Sowell, The Vision of the Anointed: Self-Congratulation as a Basis for Social Policy (1995) at 5.

[29] . Alice Marwick, To Catch a Predator? The MySpace Moral Panic, First Monday, Vol. 13, No. 6-2, June 2008, www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2152/1966; Wade Roush, The Moral Panic over Social Networking Sites, Technology Review, Aug. 7, 2006, www.technologyreview.com/communications/17266; Anne Collier, Why Techopanics are Bad, Net Family News, April 23, 2009, www.netfamilynews.org/2009/04/why-technopanics-are-bad.html; Adam Thierer, Parents, Kids & Policymakers in the Digital Age: Safeguarding Against ‘Techno-Panics,’ Inside ALEC, July 2009, at 16-17, www.alec.org/am/pdf/Inside_July09.pdf; Adam Thierer, Progress & Freedom Foundation, Technopanics and the Great Social Networking Scare, PFF Blog, June 10, 2008, http://techliberation.com/2008/07/10/technopanics-and-the-great-social-networking-scare.

[30] . Supra note 13.

[31] . In the 109th Congress, former Rep. Michael Fitzpatrick (R-PA) introduced the Deleting Online Predators Act (DOPA), which proposed a ban on social networking sites in public schools and libraries. DOPA passed the House of Representatives shortly thereafter by a lopsided 410-15 vote, but failed to pass the Senate. The measure was reintroduced just a few weeks into the 110th Congress by Senator Ted Stevens (R-AK), the ranking minority member and former chairman of the Senate Commerce Committee. It was section 2 of a bill that Sen. Stevens sponsored titled the “Protecting Children in the 21st Century Act” (S. 49), but was later removed from the bill. See Declan McCullagh, Chat Rooms Could Face Expulsion, CNet News.com, July 28, 2006, http://news.com.com/2100-1028_3-6099414.html?part=rss&tag=6099414&subj=news.

[32] . See Emily Steel & Julia Angwin, MySpace Receives More Pressure to Limit Children’s Access to Site, Wall Street Journal, June 23, 2006, online.wsj.com/public/article/SB115102268445288250-YRxkt0rTsyyf1QiQf2EPBYSf7iU_20070624.html; Susan Haigh, Conn. Bill Would Force MySpace Age Check, Yahoo News.com, March 7, 2007, www.msnbc.msn.com/id/17502005.

[33] . See, e.g., Letter of Henry McMaster, Attorney General, South Carolina to Attorney General Richard Blumenthal and Attorney General Roy Cooper Regarding Internet Safety Task Force (“ISTTF”) Report, January 14, 2009, www.scag.gov/newsroom/pdf/2009/internetsafetyreport.pdf

[34] . See Adam Thierer, The Progress & Freedom Foundation, Video Games and “Moral Panic,” PFF Blog, Jan. 23, 2009, http://blog.pff.org/archives/2009/01/video_games_and_moral_panic.html ; Adam Thierer, The Progress & Freedom Foundation, Fact and Fiction in the Debate over Video Game Regulation, Progress Snapshot 13.7, March 2006, www.pff.org/issues-pubs/pops/pop13.7videogames.pdf.

[35] . “All varieties of interference with the market phenomena not only fail to achieve the ends aimed at by their authors and supporters, but bring about a state of affairs which—from the point of view of their authors’ and advocates’ valuations—is less desirable than the previous state affairs which they were designed to alter. If one wants to correct their manifest unsuitableness and preposterousness by supplementing the first acts of intervention with more and more of such acts, one must go farther and farther until the market economy has been entirely destroyed and socialism has been substituted for it.” Ludwig von Mises, Human Action, at 858 (3rd ed. 1963) (1949).

[36] . See generally Adam Thierer, The Progress & Freedom Foundation, Media Myths: Making Sense of the Debate over Media Ownership (2005) at 119-123, www.pff.org/issues-pubs/books/050610mediamyths.pdf (Explaining how the third-person effect serves as a powerful explanation for the heated backlash that followed an FCC effort to moderately liberalize media ownership rules in 2003-04).

[37] . W. Phillips Davison, The Third-Person Effect in Communication, 47 Public Opinion Quarterly 1, Spring 1983, at 3.

[38] . For the best overview of third-person effect research, see Douglas M. McLeod, Benjamin H. Detenber, and William P. Eveland., Jr., Behind the Third-Person Effect: Differentiating Perceptual Processes for Self and Other, 51 Journal of Communication, Vol. 51, No. 4, 2001, at 678-695.

[39] . Vincent Price, David H. Tewksbury & Li-Ning Huang, Third-person Effects of News Coverage: Orientations Toward Media, Journalism & Mass Communications Quarterly, Vol. 74, at 525-540.

[40] . Douglas M. McLeod, William P. Eveland & Amy I. Nathanson, Support for Censorship of Violent and Misogynic Rap Lyrics: And Analysis of the Third-Person Effect, Communications Research, Vol. 24, 1997, at 153-174.

[41] . Hernando Rojas, Dhavan V. Shah, and Ronald J. Faber, For the Good of Others: Censorship and the Third-Person Effect, International Journal of Public Opinion Research, Vol. 8, 1996, at 163-186.

[42] . James D. Ivory, Addictive, But Not For Me: The Third-Person Effect and Electronic Game Players’ Views Toward the Medium’s Potential for Dependency and Addiction, University of North Carolina at Chapel Hill, School of Journalism and Mass Communication, Aug. 2002.

[43] . Albert C. Gunther, Overrating the X-rating: The Third-person Perception and Support for Censorship of Pornography, Journal of Communication, Vol. 45, No. 1, 1995, at 27-38

[44] . Supra note 37 at 14. Along these lines, a December 2004 Washington Post article documented the process by which the Parents Television Council, a vociferous censorship advocacy group, screens various television programming. One of the PTC screeners interviewed for the story talked about the societal dangers of various broadcast and cable programs she rates, but then also noted how much she personally enjoys HBO’s “The Sopranos” and “Sex and the City,” as well as ABC’s “Desperate Housewives.” Apparently, in her opinion, what’s good for the goose is not good for the gander! See Bob Thompson, Fighting Indecency, One Bleep at a Time, The Washington Post, Dec. 9, 2004, at C1, www.washingtonpost.com/wp-dyn/articles/A49907-2004Dec8.html.

[45] . See Chris Anderson, Free: The Future of a Radical Price at 112-118 (2009).

[46] . See Letter from Chris Jay Hoofnagle, Electronic Privacy Information Center, Beth Givens, Privacy Rights Clearinghouse, Pam Dixon, World Privacy Forum, to California Attorney General Lockyer, May 3, 2004, http://epic.org/privacy/gmail/agltr5.3.04.html.

[47] . See email from Adam Thierer to Declan McCullaugh on Politech Email discussion group, April 30, 2004, http://lists.jammed.com/politech/2004/04/0083.html (emphasis added).

[48] . See Complaint and Request for Injunction of the Electronic Privacy Information Center against Google, Inc., March 17, 2009, http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf; see also Ryan Radia, Should the FTC Shut Down Gmail and Google Docs Because of an Already-Fixed Bug?, Technology Liberation Front Blog, March 18, 2009, http://techliberation.com/2009/03/18/should-the-ftc-shut-down-gmail-and-google-docs-because-of-an-already-fixed-bug/.

[49] . See Berin Szoka & Mark Adams, The Progress & Freedom Foundation, The Benefits of Online Advertising & the Costs of Regulation, PFF Working Paper, forthcoming.

[50] . Anti-advertising crusader Jeff Chester often resorts to questioning the motives of those who question whether his regulatory prescriptions would actually benefit consumers, see, e.g., http://techliberation.com/2009/06/17/behavioral-advertising-industry-practices-hearing-some-issues-that-need-to-be-discussed/#comment-11698840. See generally Jeff Chester, Digital Destiny: New Media and the Future of Democracy (2007).

[51] . “The only freedom which deserves the name is that of pursuing our own good in our own way, so long as we do not attempt to deprive others of theirs or impede their efforts to obtain it. Each is the proper guardian of his own health, whether bodily or mental and spiritual.” John Stuart Mill, On Liberty (Penguin Classics, 1859, 1986) at 72.

[52] . Adam Thierer, The Progress & Freedom Foundation, Parental Controls & Online Child Protection, Special Report, Version 4.0, Summer 2009, www.pff.org/parentalcontrols.

[53] . Adam Thierer, Berin Szoka & Adam Marcus, The Progress & Freedom Foundation, Privacy Solutions, PFF Blog, Ongoing Series, http://blog.pff.org/archives/ongoing_series/privacy_solutions.

[54] . Comments of Adam Thierer, The Progress & Freedom Foundation, In the Matter of Implementation of the Child Save Viewing Act; Examination of Parental Control Technologies for Video or Audio Programming; MB Docket No. 09-26, April 16, 2009, www.pff.org/issues-pubs/filings/2009/041509-%5bFCC-FILING%5d-Adam-Thierer-PFF-re-FCC-Child-Safe-Viewing-Act-NOI-(MB-09-26).pdf.

[55] . See Adam Thierer, FCC v. Fox and the Future of the First Amendment in the Information Age, Engage, Feb. 20, 2009, www.fed-soc.org/doclib/20090216_ThiererEngage101.pdf

[56] . “To act on the belief that we possess the knowledge and the power which enable us to shape the processes of society entirely to our liking, knowledge which in fact we do not possess, is likely to make us do much harm.” Friedrich von Hayek, “The Pretence of Knowledge,” in The Essence of Hayek, (Hoover Inst., 1984), at 276.

[57] . Adam Thierer, The Progress & Freedom Foundation, Two Sensible, Education-Based Legislative Approaches to Online Child safety, Progress Snapshot 3.10, Sept. 2007, www.pff.org/issues-pubs/ps/2007/ps3.10safetyeducationbills.pdf.

[58] . See, e.g., Berin Szoka, Google, CDT, Online Advertising & Preserving Persistent User Choice Across Ad Networks Through Plug-ins, Technology Liberation Front Blog, March 13, 2009, http://techliberation.com/2009/ 03/13/google-cdt-online-advertising-preserving-persistent-user-choice-across-ad-networks-through-plug-ins/.

The new Maine law I blogged about on Sunday is much worse than I thought based on my initial reading. If allowed to stand, it would constitute a sweeping age verification mandate introduced through the back door of “child protection.”

The law, which goes into effect in September, would extend the approach of the Children’s Online Privacy Protection Act (COPPA) of 1998 by requiring “verifiable parental consent” before the collection of kids “personal information” about kids, not just those under 13, but also adolescents age 13-17.  Unlike other state-level proposals in New Jersey, Illinois, Georgia and North Carolina, Maine’s “COPPA 2.0” law would also cover health information, but would only govern the collection and use of  data for marketing purposes (while the FTC has interpreted COPPA to cover to essentially any capability for communicating personal information among users).

But the Maine law would go much further than these proposals or COPPA itself by banning transfer or use of such data in anything other than de-identified, aggregate form. Still I took some comfort in the fact that the Maine law, unlike COPPA or these other proposals, lacked the second of COPPA’s two prongs: (i) collection from kids and (ii) collection on sites that are directed at kids. It’s because of the second prong that COPPA applies not only when a site operator knows that it’s collecting information from kids (or merely allowing them to share information with other users), but also when the operator’s site is (like, say, Club Penguin) targeted to kids in terms of its subject matter, branding, interface, etc. Because I initially concluded that the Maine law would apply only to knowing collection, I supposed that it would be less likely to require age verification of all users, as other COPPA 2.0 proposals would—something that would be unlikely to survive a First Amendment challenge based on the harm to online anonymity.

But I was quite wrong. During the PFF Capitol Hill briefing Adam and I held on Monday, Jim Halpert, one of our panelists, noted that the bill imposed “strict liability.” When I re-read the law, two small provisions with enormous consequences jumped out at me.  First, this section:

Unlawful collection. It is unlawful for a person to knowingly collect or receive health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent of that minor’s parent or legal guardian.

The knowledge requirement above pertains to whether the collection is done “knowingly,” not whether the operator “has actual knowledge that it is collecting personal information from a child” (COPPA’s language). It’s possible that the Maine legislature meant to require that operators know that they’re collecting information from kids, not merely that the collection is intentional and not inadvertent, but if so, they either didn’t read COPPA or don’t understand statutory drafting.

But even if operators could be held liable if they had actual knowledge that they were collecting personal or health information without parental consent, the other operative language of the bill has no knowledge requirement at all. Thus, if an operator truly had no idea it was collecting information from a kid—kids commonly lie about their age to gain access to age-restricted sites—the operator would still be strictly liable for transferring or using that data under the other operative provisions of the law:

Unlawful use. A person may not sell, offer for sale or otherwise transfer to another person health-related information or personal information about a minor if that information: A. Was unlawfully collected pursuant to subsection 1; B. Individually identifies the minor; or C. Will be used… for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product.

Thus, the only way affected site operators ( e.g., anyone who asks for user’s names as part of a profile and also uses personal information in marketing) could protect themselves under the law would be to age verify all users. Thus, the Maine law is, like other COPPA 2.0 proposals, simply an age verification mandate imposed on all adult users of sites with increasingly prevalent social networking functionality dressed up as a child protection measure. Again, unlike other COPPA 2.0 proposals, the Maine law would not apply to all sites that collect personal information for marketing purposes, but for those that do, it would have the same consequence as other COPPA 2.0 proposals.  As we argue in our paper (p.24), COPPA 2.0 proposals in general are very likely to be struck down on the same grounds as the Child Online Protection Act (COPA), COPPA’s evil twin sister, which would have required age verification for all content deemed “harmful to minors” and which the courts have struck down as blatantly unconstitutional.

Although one might argue that the Maine law does less harm to speech because it applies only to sites that collect and use/transfer data for marketing purposes, while COPPA’s reach is far broader, the Dormant Commerce Clause argument against the law would also probably succeed: the law unduly burdens interstate commerce by imposing Maine’s standards on the rest of the country. Under the law’s strict liability regime, efforts to geo-target users in Maine (themselves a significant burden on website operators) would not protect out-of-state site operators from liability for collecting data from some users in Maine because geo-targeting is necessarily imperfect.

But wait; there’s more! Other COPPA 2.0 proposals would have this consequence because they would apply either to all social networking sites with a certain functionality (Illinois) or to collection of information through sites “directed at” adolescents (New Jersey), which could apply to sites used by large numbers of adults. But for most sites, such laws would only apply where the operator had “actual knowledge” that the user was a kid, thus recognizing (for those sites) that perfect age verification is impossible and that some kids will inevitably circumvent any age verification system imposed. By contrast, the Maine law would hold sites liable for “predatory marketing” for every collection, use, or transfer of a kid’s personal information whether or not the operator knew (or even had reason to know) that they were collecting information from kids at a rate of $10-20k for the first offense and $20k+ (with no upper bound at all) for each subsequent offense. Since offense here could mean each individual act of collection, and since large social networking websites have tens of millions of users, operators might theoretically be subject to fines in the hundreds of billions of dollars!

If this law survives constitutional challenge, I’ll eat the HTML in which this post is written! More likely, the legislature will back down at the first whiff of a legal challenge and go back to finding other, less obviously unconstitutional ways to impress their constituents with how much they care about “Protecting the Children” (or how little they care about free speech or know about how the Internet works).

Maine has just enacted a law severely restricting marketing to kids: the Act To Prevent Predatory Marketing Practices against Minors, summarized by Covington & Burling. Adam and I released a major paper in June about such laws: COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech. Maine is following the lead of several other states that have tried to expand the Children’s Online Privacy Protection Act (COPPA) of 1998 to cover nost just kids under 13 but adolescents as well and potentially all social networking sites. We discussed at length the problems such laws create, particularly the possibility that large numbers of adults would, for the first time, be subject to age verification mandates before accessing (or participating in) the growing range of sites with social networking capabilities.  This, in turn, would significantly “chill” free speech online by undermining anonymity.

Like COPPA 2.0 proposals in New Jersey (simply extending COPPA to cover adolescents) and Illinois (applying COPPA to most social networking sites), the Maine law tries to build on COPPA’s “verifiable parental consent” requirement for the 13-17 audience as well as those under 13.

On the one hand, the Maine law goes much further than these other COPPA 2.0 proposals. While the original bill was limited to the Internet and wireless communications, the final bill’s scope applies to all communications.  The bill also covers “health-related” information (HRI) as well as “personal information” (PI). On the other hand, the Maine law is thus somewhat narrower than other COPPA 2.0 proposals and COPPA itself in that it applies only to “marketing or advertising products, goods or services.” While COPPA is commonly misunderstood to cover only marketing, it actually covers essentially any “collection” (broadly defined) of personal information from kids for any purpose—including merely giving kids access to communications functionality that might let them share personal information with other users (even if the site itself is not “collecting” that information in the commonly understood sense).

Verifiable parental consent is required for collection of HRI or PI (§ 9552(1)). So far, the Maine law is clearly trying to stick to the basic COPPA model while expanding its application to adolescents, health information and the offline world. (Indeed, the law concludes by authorizing the state AG to bring enforcement actions for violations of COPPA, as COPPA itself allows.) But the Maine law goes much further by banning:

• The transfer of HRI/PI to third parties if it “individually identifies the minor” (§ 9552(2)); and
• The use of HRI/PI “for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product” (§ 9553).

It’s unclear what either prohibition will mean in practice. Obviously, if the law imposed a complete ban on the use of HRI/PI, there would be no point to obtaining verifiable parental consent in the first place! Thus, the law seems to contemplate that the prohibition on transferring individually identifying information would leave data-collectors free to transfer de-identified data once they’ve obtained verifiable parental consent for the initial collection. I’m no marketing expert but I imagine that Maine legislators were trying to ban the sale of lists that identify individual kids, while allowing the use of de-identified data for, say, analyzing patterns of interests among kids.

It’s less clear what the use-prohibition (§ 9553) actually means. Would it allow kids-oriented marketing based on aggregated de-identified information? If so, what would that actually mean in the real world? Would that be a distinction without a difference by effectively shutting down legitimate marketing most people would find unobjectionable, harmless, or even very helpful? If the law wouldn’t even allow such use of aggregate data, why, again, would any company ever bother obtaining parental consent?

Indeed, the Association of National Advertisers has interpreted this provision as amounting to an outright ban, regardless of parental permission, and points out that the bill:

would seemingly cut off “minors”‘… from being marketed to about colleges and universities, testing services such as the SAT and ACT, test prep services, class rings, among many other potential categories.

ANA vows to “have the law abrogated or modified so that it will not continue to place such extraordinarily broad restrictions on marketers, when the legislature reconvenes” in January—even though the law goes into effect in mid-September. They could challenge the law on a number of grounds in the courts.

While the First Amendment analysis of commercial free speech rights doubtless be complicated, a simpler argument could be brought on Dormant Commerce Clause grounds: Under the Supreme Court’s 1970 decision in  Pike v. Bruce Church, if “the burden imposed . . . is clearly excessive in relation to the putative local benefit, and if the local interest can be promoted by other regulations that have a lesser impact on interstate activities,” the court may strike down a state law that burdens interstate commerce. Indeed, the courts have struck down a number of Internet-related state laws on such grounds.

Insofar as Maine’s law affects online communications, it could be struck down on Dormant Commerce Clause grounds by forcing out-of-state websites to treat users in Maine differently—or to treat all users as if they were in Maine. To some extent, this will depend on how the statute is actually construed. COPPA applies both to knowing collection and to collection through child-oriented sites like Club Penguin (because the operator should know that they are collecting information from a child), but the Maine law applies only to knowing collection. If the statute is narrowly construed, this would mean that only websites that ask user for their age (say, in setting up a social networking profile) would generally be affected. A broader reading might affect websites that are oriented towards, or simply popular among, minors, in which case sites would essentially be forced to age verify all users (as with other COPPA 2.0 proposals). While this seems unlikely given the meaning generally attached to the word “knowing” in American law, even the narrow reading would affect many social networking sites.

The other major unanswered question lies in how broadly the term “individually identifiable information” would be construed. Like COPPA, the Maine law covers all such information, but rather than define this term exhaustively, the laws simply provide a few more specific categories of examples. Maine’s list differs from COPPA’s in that it does not include e-mail addresses, telephone numbers, screen names, or other contact information. But the list does include names, and this is enough to implicate profile-basedsocial networks like Facebook. If construed more broadly, the Maine law could affect other website operators.

In any event, if websites have to try to accomodate Maine’s law, they might have to track user location to ensure that they comply with Maine law.  As we noted in our paper:

If a site relied only on location information provided by the user, adolescents would quickly learn to lie about what state they live in just as children have learned to lie about how old they are to avoid triggering COPPA’s “actual knowledge” requirement.  Alternatively, websites could attempt to determine a user’s location automatically based on their IP address, but such “IP geocoding” is not always accurate and can be subverted by use of a proxy.

Finally, in case you were wondering where this bill came from, here’s the purpose statement for the original bill:

This bill addresses the current practices of persons using the Internet and other wireless communications devices, with or without promotional incentives, to acquire health-related information about minors and then using that information unscrupulously. Under this bill, it is unlawful to solicit or collect health-related information about a minor who is not emancipated without the express written consent of the minor’s parent or guardian, to transfer any health-related information that identifies a minor or to use any of that information to market a product or service to a minor regardless of whether or not the information was lawfully obtained. Unlawful marketing includes promoting a course of action relating to a product.

If a challenge is brought in court, the state will have to be a lot more specific about defining the harm at issue than merely asserting that information is being collected and might be unsed “unscrupulously.” As the Supreme Court declared in the 1993 case of Edenfield v. Fane, the government’s burden in justifying a restrictions on even commercial speech (which is accorded less protection than non-commercial speech):

is not satisfied by mere speculation or conjecture; rather a governmental body seeking to sustain a restriction on commercial speech must demonstrate that the harms it recites are real and that its restriction will in fact alleviate them to a material degree.

In short, this new law raises many legal and practical questions. I’ll be watching closely to see how any effort have the law amended or challenged in court plays out.  I suspect we’ll see more states following Maine’s lead if this law stands in its current form.

In an earlier post, I mentioned an important new online child safety task force report that has just been released from the “Point Smart. Click Safe.” Blue Ribbon Working Group. It’s a great report and I encourage you to read the whole thing. It was my great pleasure to serve on this task force, and as we started finalizing our conclusions and recommendations, I started thinking about how much of what we were finding and recommending was consistent with what past online safety task forces had also concluded.

By way of background, over the past decade, five major online safety task forces or blue ribbon commissions have been convened to study online safety issues. Two of these task forces were convened in the United States and issued reports in 2000 (“COPA Commission”) and 2002 (“Thornburgh Commission“). Another was commissioned by the British government in 2007 and issued in a major report in March 2008 (“Byron Review“). Finally, two additional online safety task forces were formed in the U.S. in 2008 and concluded their work, respectively, in January (“Internet Safety Technical Task Force“) and July (“Point Smart. Click Safe.“) of 2009. [And yet another task force — the Online Safety Technology Working Group — was recently formed and has now gotten underway.]

In a new PFF white paper, ” Five Online Safety Task Forces Agree: Education, Empowerment & Self-Regulation Are the Answer,” I walk through a chronological summary of each of these past task forces [click on covers of each report below to read them in their entirety] and highlight some of the similar themes and recommendations from them.

Altogether, these five task forces heard from hundreds of experts and produced thousands of pages of testimony and reports on a wide variety of issues related to online child safety. While each of these task forces had different origins and unique membership, what is striking about them is the general unanimity of their conclusions. Among the common themes or recommendations of these five task forces:

• Education is the primary solution to most online child safety concerns. These task forces consistently stressed the importance of media literacy, awareness-building efforts, public service announcements, targeted intervention techniques, and better mentoring and parenting strategies.
• There is no single “silver-bullet” solution or technological “quick-fix” to child safety concerns. That is especially the case in light of the rapid pace of change in the digital world.
• Empowering parents and guardians with a diverse array of tools, however, can help families, caretakers, and schools to exercise more control over online content and communications.
• Technological tools and parental controls are most effective as part of a “layered” approach to child safety that views them as one of many strategies or solutions.
• The best technical control measures are those that work in tandem with educational strategies and approaches to better guide and mentor children to make wise choices. Thus, technical solutions can supplement, but can never supplant, the educational and mentoring role.
• Industry should formulate best practices and self-regulatory systems to empower users with more information and tools so they can make appropriate decisions for themselves and their families. And those best practices, which often take the form of an industry code of conduct or default control settings, should constantly be refined to take into account new social concerns, cultural norms, and technological developments.
• Government should avoid inflexible, top-down technological mandates. Instead, policymakers should focus on encouraging collaborative, multifaceted, multi-stakeholder initiatives and approaches to enhance online safety. Additional resources for education and awareness-building efforts are also crucial. Finally, governments should ensure appropriate penalties are in place to punish serious crimes against children and also make sure law enforcement agencies have adequate resources to police crimes and punish wrong-doers.

The consistency of these findings from those five previous task forces is important and it should guide future discussions among policymakers, the press, and the general public regarding online child safety.  As I note in the paper, the findings are particularly relevant today since Congress and the Obama Administration — including 3 federal agencies (NTIA, FCC, & FTC) are actively studying these issues. So, in light of all that, I hope this short paper can shed some light on the collective wisdom of the past task forces. While more study of online child safety issues is always welcome — including additional task forces or working groups if policymakers deem them necessary — thanks to the work of these five task forces, we now have better vision of what is needed to address online safety concerns.

Five Online Safety Task Forces Agree [PFF – Adam Thierer] http://d.scribd.com/ScribdViewer.swf?document_id=17181137&access_key=key-z6cxfgrjkqaqtxbix&page=1&version=1&viewMode=

The painful issue of cyberbullying has recently taken center stage in the ongoing debate about online child safety. Last week I wrote about Lori Drew’s acquittal on charges related to Megan Meier’s tragic suicide, suggesting that the judge in the case was right to overturn her conviction on a very expansive reading of the federal anti-hacking statute. While I think that decision was necessary on legal grounds, it’s sure to add “fuel to the fire” of calls for “action” in Congress.  Thus, I emphasized that observers of the case need to separate their understandable outrage from the from the questions of (1) whether that statute was properly applied and (2) how the law should treat such cases in the future.

On the second question, Adam and I recently released a major entitled, “Cyberbullying Legislation: Why Education is Preferable to Regulation.”  We distinguish among:

1. Cyberbullying: kid-on-kid abuse online
2. Cyberharassment generally: people of all ages using the Internet to harass each other
3. Adult-on-kid cyberharassment: For example, Lori Drew’s alleged (but still unclear) role in the Megan Meier case

In a nutshell, we argue that education is the better approach to cyberbullying (Problem #1)—an approach taken by a bill introduced in the Senate by Sen. Robert Menendez (D-NJ) and in the House by Rep. Debbie Wasserman Schultz (D-FL) .  We go on to argue that, while it would be difficult to create criminal sanctions for cyberharassment generally (Problem #2) without infringing free speech and due process rights, it might be possible to craft laws narrowly tailored to cyberharassment of kids by adults (Problem #3).

By contrast, Rep. Linda Sánchez has proposed the “Megan Meier Cyberbullying Prevention Act, which by its title purports to deal with that problem (#3) but would actually create a sweeping Federal felony for all cyberharassment (#2). We noted the potential Commerce Clause problems with states trying to regulate Internet speech, and emphasized education as a superior approach at both the federal and state level that avoids constitutional problems, but suggested that, if Congress does ultimately conclude a criminal law is needed for Problem #3, it would well to do look to how the states craft cyberharassment laws before creating any federal penalty.

Just about the time we finished our paper, Tennessee enacted a new law (PDF) that makes it a misdemeanor (up to 1 year in prison and a $2,500 fine) for making threats made online (cyberstalking) as well as certain instances of cyberharassment, defined as communications:

1. Made with “the malicious intent to frighten, intimidate or cause emotional distress”;
2. Made in a “manner the defendant knows, or reasonably should know, would frighten, intimidate or cause emotional distress to a similarly situated person of reasonable sensibilities; and
3. That actually result in making that person “frightened, intimidated or emotionally distressed.”

Prong #1 is essentially the same as the Sánchez bill (with the addition of the word “malicious”), while Prongs #2 and 3 somewhat increase the evidentiary burden faced by any prosecution under the law. So the bill suffers from many of the same problems that the Sánchez bill suffers from, which we discuss in our paper—most importantly, the bill would chill protected online speech because it is unclear when it would apply, and some online speakers would fear prosecution under the bill.

But what’s really disappointing here is that the original Tennessee bill at least recognized the critical importance of drawing distinctions by age.  It would have applied to specifically to harassing communications “with another person who is, or purports to be, less than 18 years of age” or to communications that cause “another person to be frightened, intimidated, or emotionally distressed, provided that the person’s response is one of a person of average sensibilities considering the age of the person.” While neither approach is quite what we recommend in our paper—if we’re going to criminalize anything, it should be adult-on-kid harassment—the original legislation was certainly better to what finally passed, which would likely fail to pass constitutional muster.

In a related context, Adam and I recently released another major paper detailing the serious consequences for online free speech of well-intentioned efforts to expand COPPA’s privacy protections for kids under 13 to cover all adolescents. There as here, while children under a certain age might be uniquely vulnerable and therefore require special protection (such as special penalties for cyberharassment by adults), we can’t treat everyone like small children without severely compromising freedom of expression online and the future vitality of the Internet itself. Again, this is why education is generally a better approach than criminalization.

The Gawker offers a fascinating discussion of the legal right to anonymity:

“There is clearly a moral case that some people should be able to join the public debate and retain their anonymity,” Tench told Gawker. “And I think this will have a chilling effect. Blogs like this can only exist anonymously, and I imagine that anyone who wanted to set one up is thinking about this case.” As well they should. But the notion that anonymous publishers have a right, in perpetuity, to keep their identities a secret—or that people who learn their identities are honor-bound not to reveal them—is nonsense.

Amen! One can resist, fiercely, government efforts to reduce online anonymity through age verification or identity authentication mandates, as Adam Thierer have argued most recently in our work about efforts to expand COPPA to cover adolescents (“COPPA 2.0,” which would indirectly mandate age verification for large numbers of adults for the first time).  One might even argue that there are moral reasons to resist the urge to out pseudonymous/anonymous bloggers (just as one might avoid outing closeted gays out of respect for their privacy).   But one need not accept the pernicious idea that the government should punish the outing of peusodonymous/anonymous writers, which is simply a restraint on legitimate free speech.

This exchange, cited by the Gawker article, is particularly interesting, and demonstrates how one can distinguish the question of whether outing is “right” or “appropriate” from the question of whether it should be punished by law:

When the National Review‘s Ed Whelan revealed Publius, who writes for Obsidian Wings, to be a professor of law at the South Texas College of Law named John F. Blevins earlier this month, the palpable online outrage forced Whelan to apologize.