Reporting from Washington — An Obama administration report calling for an online privacy bill of rights shows a growing recognition that consumers need more protection as they surf the Web.
But the proposal also highlights a lack of consensus among policymakers, businesses and consumer advocates about how best to safeguard personal data without harming an Internet economy built on its ability to serve up ads targeted at people's online behavior.
In an 88-page report, a Commerce Department task force Thursday called for Internet businesses to develop principles to protect consumer data and for a new government office to oversee that and other privacy efforts.
The report, however, stopped short of calling for privacy legislation, which many consumer groups have advocated. Though the task force is open to new laws, the report suggested a policy framework in which companies would voluntarily agree to comply with principles for the use of consumer information.
Companies that failed to live up to those promises could be cited by the Federal Trade Commission with unfair and deceptive practices and fined.
"Self-regulation without stronger enforcement is not enough," Commerce Secretary Gary Locke said.
Businesses such as Google Inc. and Microsoft Corp. like the idea of a voluntary code of conduct backed by FTC enforcement.
But consumer and privacy advocates said self-regulation, even backed by government enforcement, is not enough.
They want tough privacy legislation, including a requirement for a do-not-track mechanism similar to the popular do-not-call list designed to block phone calls from telemarketers. A recent FTC report endorsed creation of such a mechanism, but the Commerce report was lukewarm on the concept.
"It's good that the Department of Commerce recognized we have a privacy problem, but the solution isn't more self-regulation," said Susan Grant, director of consumer protection for the Consumer Federation of America. "We've tried that and it's clearly inadequate. We need a privacy law that sets the rules of the road."
The Commerce report comes amid an increased focus in Washington on protecting consumers' online information. There is bipartisan support in Congress for strengthening privacy protections, and Thursday's report provides added impetus.
The Commerce task force noted that the Internet has developed into an economic force largely through self-regulation, a quicker and more flexible process. The report asks for public comment over the next month about whether legislation is needed.
"Legislation is a major option under discussion," Commerce General Counsel Cameron Kerry said. "We want to look at all options to advance the consumer bill of rights."
The bill of rights would contain what the report labeled "a clear set of principles" about how companies collect and use personal information for commercial purposes. Called Fair Information Practice Principles, the voluntary rules would give consumers more detail about policies for handling consumer data and put clearer limits on its use.
The report recognized limits to such an approach, stating that it was open to legislation that would enshrine certain basic privacy principles in law that all businesses would be required to follow. But such laws also should offer immunity from penalties — so-called safe harbor — for companies that adhere to them, the report said.
"Many businesses really would like … to have a road map to understand what their obligations should be," said Lisa Sotto, who advises companies as head of the privacy and information management practice at the Hunton & Williams law firm. "Safe harbor is a real positive for business to serve as a security blanket."
The report also called for U.S. officials to develop a comprehensive national approach for notifying consumers about data breaches and to work with other countries on creating similar privacy policies.
Google and Facebook said they supported the report's recommendations of flexible approaches to privacy, as well as creating a better global privacy framework.
But Jeff Chester, executive director of the Center for Digital Democracy, said the Commerce Department should not run the administration's privacy efforts because its job is promoting the interests of businesses, not consumers.
"Instead of real laws protecting consumers, we are offered a vague 'multi-stakeholder' process to help develop 'enforceable codes of conduct,' " he said. "Having the Commerce Department play a role in protecting privacy will enable the data collection foxes to run the consumer privacy henhouse."