Stopping short of calling directly for specific privacy legislation, the U.S. Commerce Department's report instead recommends a "framework" to protect people from a burgeoning personal data-gathering industry and fragmented U.S. privacy laws that cover certain types of data but not others.
This marks a turning point for federal Internet policy. During the past 15 years of the commercial Internet, Congress and executive branch agencies have largely taken a hands-off approach to the Internet out of a concern that a heavy government hand would stifle innovation.
The report cites comments from some major technology companies, including Microsoft Corp. and Google Inc., expressing concerns about the current patchwork of rules and guidelines governing online privacy.
The 88-page Commerce Department report states that the use of personal information has increased so much that privacy laws may now be needed to restore consumer trust in the medium.
The report is preliminary and will be completed next year. At that time, the administration is expected to make more specific legislative recommendations.
The report rejects the current state of Internet privacy notices. It says people shouldn't be expected to read and understand the legal jargon contained in privacy policies "that nobody understands, if they say anything about privacy at all."
A better approach, the report suggests, might be for companies to conduct privacy impact assessments that would be available to the public. Such reports "could create consumer awareness of privacy risks in a new technological context," the report said.
The Commerce report says people should be notified when data about them is being used for a purpose different from the one for which it was collected. "Consumers need to know that when their data are re-used, the re-use will not cause them harm or unwarranted surprise," the report says.
The report also calls for the development of a national data breach law that would make it easier for companies to navigate the current patchwork of state data breach laws.
It also calls for strengthening the existing wiretapping law—written in 1986—to protect more types of data from government surveillance.