Adam and I have been pretty hard on the FTC’s current leadership for pushing to dramatically expand regulation of online data use with little thought to the impact on ad-supported media, while in the next breath opening the door to dramatic expansion of direct government support of media, and all the while seeking sweeping new regulatory powers from Congress.

After all that complaining (and bashing their Soviet Realist-style statue, “Man Controlling Trade”), you might think we had it in for the agency. But as I’ve said repeatedly, we’re actually big fans of the FTC’s core consumer protection mission: holding companies to their promises. (Indeed, we want to make sure they stay focused on that mission, and have the staff, resources and technological tools to pursue it effectively—which might mean, as I’ve pointed out, increased funding rather than increased powers.) We’ve also repeatedly praised the FTC’s efforts to educate kids, parents, and Internet users in general about things like online privacy, advertising, spyware, user empowerment tools, online scams, etc.

But I don’t want to be accused of being only a fair-weather friend of the agency. So I wanted to point out a particularly good concrete example of the FTC doing what we talk about in the abstract: holding companies to their promises.  Grant Gross notes that the FTC sent a stern letter earlier this month to the company that is seeking to buy the subscriber info and photos and other assets of the now-defunct XY Magazine, which served primarily gay U.S. teens, warning them that the FTC would hold them to the terms of the privacy policy under which XY collected information from its subscribers.

This is a great example of how the FTC can effectively use its existing authority to protect consumers against clear harms involved in the disclosure of truly sensitive data, sometimes even prophylactically—in this case, outing around 100,000 gay youths and young adults—collected by companies that make unambiguous promises to protect users’ data. This incident also illustrates how privacy law can evolve in an organic fashion from a growing body of such well-justified preemptive warnings, enforcement actions brought against truly bad actors, and ultimately court decisions that decide whether the FTC has properly weighed the interests at stake. In other words, just because we don’t have a privacy code enforced by a Data Protection Authority as in Europe doesn’t mean our legal system doesn’t protect privacy!

As Oliver Wendell Holmes Jr., famously described the Common Law in his 1897 article The Path of the Law:

The life of the law has not been logic; it has been experience. The felt necessities of the time, the prevalent moral and political theories, intuitions of public policy, avowed or unconscious, even the prejudices which judges share with their fellow men, have had a good deal more to do than the syllogism in determining the rules by which men should be governed. The law embodies the story of a nation’s development through many centuries, and it cannot be dealt with as if it contained only the axioms and corollaries of a book of mathematics.

F.A. Hayek said something very similar:

Until the discovery of Aristotle’s Politics in the thirteenth century and the reception of Justinian’s code in the fifteenth… WesternEurope passed through… [an] epoch of nearly a thousand yearswhen law was… regarded as something given independently of human will, something to be discovered, not made, and when the conception that law could be deliberately made or altered seemed almost sacrilegious.

I’d much rather see the FTC work to find the law of privacy over time in an iterative, case-by-case process than attempt to make such law in the form of, say, “comprehensive baseline privacy legislation.” The XY Magazine case is a great example of what, academic theory aside, the “path of privacy law” (to paraphrase Holmes) really looks like.  The FTC may over- or under- enforce in any particular case, but as long as they stick to that noble path, I’ll cheer them on from the sidelines—for I know how tedious the path can seem, and how seductive must be the promise of “axioms and corollaries” of privacy law reduced to mathematical precision.

The Gawker offers a fascinating discussion of the legal right to anonymity:

“There is clearly a moral case that some people should be able to join the public debate and retain their anonymity,” Tench told Gawker. “And I think this will have a chilling effect. Blogs like this can only exist anonymously, and I imagine that anyone who wanted to set one up is thinking about this case.” As well they should. But the notion that anonymous publishers have a right, in perpetuity, to keep their identities a secret—or that people who learn their identities are honor-bound not to reveal them—is nonsense.

Amen! One can resist, fiercely, government efforts to reduce online anonymity through age verification or identity authentication mandates, as Adam Thierer have argued most recently in our work about efforts to expand COPPA to cover adolescents (“COPPA 2.0,” which would indirectly mandate age verification for large numbers of adults for the first time).  One might even argue that there are moral reasons to resist the urge to out pseudonymous/anonymous bloggers (just as one might avoid outing closeted gays out of respect for their privacy).   But one need not accept the pernicious idea that the government should punish the outing of peusodonymous/anonymous writers, which is simply a restraint on legitimate free speech.

This exchange, cited by the Gawker article, is particularly interesting, and demonstrates how one can distinguish the question of whether outing is “right” or “appropriate” from the question of whether it should be punished by law:

When the National Review‘s Ed Whelan revealed Publius, who writes for Obsidian Wings, to be a professor of law at the South Texas College of Law named John F. Blevins earlier this month, the palpable online outrage forced Whelan to apologize.

Adam Thierer & I have just released a detailed examination (PDF) of brewing efforts to expand the Children’s Online Privacy Protection Act of 1998 to cover adolescents and potentially all social networking sites—an approach we call “COPPA 2.0.”

As Adam explained on Larry Magid’s CNET podcast, COPPA mandates certain online privacy protections for children under 13, most importantly that websites obtain the “verifiable consent” of a child’s parent before collecting personal information about that child or giving that child access to interactive functionality that might allow the child to share their personal information with others. The law was intended primarily to “enhance parental involvement in a child’s online activities” as a means of protecting the online privacy and safety of children.

Yet advocates of expanding COPPA—or “COPPA 2.0″—see COPPA’s verifiable parental consent framework as a means for imposing broad regulatory mandates in the name of online child safety and concerns about social networking, cyber-harassment, etc. Two COPPA 2.0 bills are currently pending in New Jersey and Illinois. The accelerated review of COPPA to be conducted by the FTC next year (five years ahead of schedule) is likely to bring to Washington serious talk of expanding COPPA—even though Congress clearly rejected covering adolescents age 13-16 when COPPA was first proposed back in 1998.

We’ll discuss some of the key points of our paper in a series of blog posts, but here are the top nine reasons for rejecting COPPA 2.0, in that such an approach would:

• Burden the free speech rights of adults by imposing age verification mandates on many sites used by adults, thus restricting anonymous speech and essentially converging—in terms of practical consequences—with the unconstitutional Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA;
• Burden the free speech rights of adolescents to speak freely on—or gather information from—legal and socially beneficial websites;
• Hamper routine and socially beneficial communication between adolescents and adults;
• Reduce, rather than enhance, the privacy of adolescents, parents and other adults because of the massive volume of personal information that would have to be collected about users for authentication purposes (likely including credit card data);

• Would likely be the subject of massive fraud or evasion since it is not always possible to definitively verify the parent-child relationship, or because the system could be “gamed” in other ways by determined adolescents;
• Do nothing to prevent offshore sites and services from operating outside these rules;
• Present major practical challenges for law enforcement officials in the face of such evasion by both domestic users and offshore sites;
• Could destroy opportunities for new or smaller website operators to break into the market and offer competing services and innovations, thus contributing to consolidation of online content and services by erecting barriers to entry; and
• Violate the Commerce Clause of the U.S. Constitution, since Internet activity clearly represents interstate commerce that states have no authority to regulate.