The US government should create an online privacy bill of rights and an enforceable code of conduct for Internet firms handling consumer data and tracking Web users, the US Department of Commerce has recommended.
The privacy paper, which represents the policy views of President Barack Obama's administration, would represent a major change in the way the US government looks at regulation of privacy on the Internet. The administrations of former Presidents Bill Clinton and George W. Bush largely allowed Web companies to operate without major privacy rules, allowing them instead to create their own standards in the Internet's infancy.
But the Internet has matured, and Web users need to be confident their personal data is secure and not being misused, said Gary Locke, secretary of the Commerce Department. "Self regulation without stronger enforcement is not enough," he said during a press conference. "Consumers must trust the Internet in order for businesses to succeed online."
"Some uses of personal information are essential to delivering services and applications over the Internet," the report said. "Some commercial data practices, however, may fail to meet consumers’ expectations of privacy; and there is evidence that consumers may lack adequate information about these practices to make informed choices. This misalignment can undermine consumer trust and inhibit the adoption of new services."
The Commerce report follows an online privacy paper from the FTC, which recommended a do-not-track feature in browsers earlier this month. A do-not-track mechanism would be one tool to protect consumers online, said Daniel Weitzner, associate administrator for policy at the National Telecommunications and Information Administration, part of the Commerce Department.
The widespread use of the Internet has created "voluminous and detailed" stores of personal information on a range of devices, the report said.
The proposed policies, open for comment from interested groups, would establish a privacy bill of rights would require companies to be more transparent about their use of online consumer information and to provide more detail about why data is collected and how it is used. The proposed bill of rights would put clearer limits on the use of data and require online companies to increase audits and other accountability mechanisms, the report said.
The report recommends that Congress pass a federal data breach notification law, requiring companies to tell affected consumers when their personal data has been compromised. Several lawmakers have proposed national breach notification laws since 2005, without success, although many states have passed similar laws.
The Obama administration should also look into ways to protect privacy in cloud computing environments, the report recommends. The administration should examine whether changes to the Electronic Communications Privacy Act (ECPA), which allows law enforcement access to electronic communication, are needed, the report said.
Privacy groups gave the Commerce paper mixed reviews. The paper "lays out a creative and flexible approach to develop enforceable privacy protections for consumers," said Justin Brookman, director of Center for Democracy and Technology's Privacy Project, in a statement.
Brookman called on Congress to pass a baseline consumer privacy law.
But the report makes a number of proposals and asks a number of questions instead of taking more concrete action, said Jeffrey Chester, executive director of the Center for Digital Democracy.
"Given the growth of online data collection that threatens our privacy, including when consumers are engaged in financial, health, and other personal transactions (including involving their families), this new report offers us a digital déjà vu," he said in an e-mail. "The time for questions has long passed."
The report offers a "vague multistakeholder process" to develop codes of conduct instead of real laws to protect consumers, Chester added.
"If the Commerce Department really placed the interests of consumers first, it would have been able to better articulate in the report how the current system threatens privacy," he said. "They should have been able to clearly say what practices are right and wrong, such as the extensive system of online behavioral tracking that stealthily shadows consumers, whether on their personal computer or a mobile phone."
The report should have also "rejected outright any role for self-regulation, given its failures in the online data collection marketplace," Chester added.