Adam and I have been pretty hard on the FTC's current leadership for pushing to dramatically expand regulation of online data use with little thought to the impact on ad-supported media, while in the next breath opening the door to dramatic expansion of direct government support of media, and all the while seeking sweeping new regulatory powers from Congress.
After all that complaining (and bashing their Soviet Realist-style statue, "Man Controlling Trade"), you might think we had it in for the agency. But as I've said repeatedly, we're actually big fans of the FTC's core consumer protection mission: holding companies to their promises. (Indeed, we want to make sure they stay focused on that mission, and have the staff, resources and technological tools to pursue it effectively--which might mean, as I've pointed out, increased funding rather than increased powers.) We've also repeatedly praised the FTC's efforts to educate kids, parents, and Internet users in general about things like online privacy, advertising, spyware, user empowerment tools, online scams, etc.
But I don't want to be accused of being only a fair-weather friend of the agency. So I wanted to point out a particularly good concrete example of the FTC doing what we talk about in the abstract: holding companies to their promises. Grant Gross notes that the FTC sent a stern letter earlier this month to the company that is seeking to buy the subscriber info and photos and other assets of the now-defunct XY Magazine, which served primarily gay U.S. teens, warning them that the FTC would hold them to the terms of the privacy policy under which XY collected information from its subscribers.
This is a great example of how the FTC can effectively use its existing authority to protect consumers against clear harms involved in the disclosure of truly sensitive data, sometimes even prophylactically--in this case, outing around 100,000 gay youths and young adults--collected by companies that make unambiguous promises to protect users' data. This incident also illustrates how privacy law can evolve in an organic fashion from a growing body of such well-justified preemptive warnings, enforcement actions brought against truly bad actors, and ultimately court decisions that decide whether the FTC has properly weighed the interests at stake. In other words, just because we don't have a privacy code enforced by a Data Protection Authority as in Europe doesn't mean our legal system doesn't protect privacy!
As Oliver Wendell Holmes Jr., famously described the Common Law in his 1897 article The Path of the Law:
The life of the law has not been logic; it has been experience. The felt necessities of the time, the prevalent moral and political theories, intuitions of public policy, avowed or unconscious, even the prejudices which judges share with their fellow men, have had a good deal more to do than the syllogism in determining the rules by which men should be governed. The law embodies the story of a nation's development through many centuries, and it cannot be dealt with as if it contained only the axioms and corollaries of a book of mathematics.
F.A. Hayek said something very similar:
Until the discovery of Aristotle's Politics in the thirteenth century and the reception of Justinian's code in the fifteenth... WesternEurope passed through... [an] epoch of nearly a thousand yearswhen law was... regarded as something given independently of human will, something to be discovered, not made, and when the conception that law could be deliberately made or altered seemed almost sacrilegious.
I'd much rather see the FTC work to find the law of privacy over time in an iterative, case-by-case process than attempt to make such law in the form of, say, "comprehensive baseline privacy legislation." The XY Magazine case is a great example of what, academic theory aside, the "path of privacy law" (to paraphrase Holmes) really looks like. The FTC may over- or under- enforce in any particular case, but as long as they stick to that noble path, I'll cheer them on from the sidelines--for I know how tedious the path can seem, and how seductive must be the promise of "axioms and corollaries" of privacy law reduced to mathematical precision.