Self-regulation by advertisers has failed to protect Internet users, but regulators alone cannot implement "do not track" rules, the Federal Trade Commission's top consumer protection official said Wednesday.
In a preliminary report on consumer privacy on the Internet, the Federal Trade Commission said that, while companies generally manage consumer information responsibly, not all do.
"Some appear to treat it in an irresponsible or even reckless manner. And while recent announcements of privacy innovations by a range of companies are encouraging, many companies - both online and offline - do not adequately address consumer privacy interests," the FTC said a preliminary staff report on a proposed framework for companies doing business on the Internet.
The agency, whose chairman Jon Leibowitz has long advocated allowing consumers to opt out of being tracked by advertisers, repeated its support for that approach in the report.
"We have to simplify consumer choice and 'do not track' will achieve that goal," added David Vladek, director of the FTC's Consumer Protection Bureau, in a speech before report's release.
"I don't think that, under the FTC authority, we could unilaterally mandate 'do not track."' This means that Congress would have to pass legislation to implement "do not track" regulations and it would face an uncertain future since the tech and advertising sectors would lobby against it ferociously.
Many companies' business models - including search leader Google Inc. - depend on information from consumers to provide their free services.
The report comes as the FTC is under pressure to contain the growing strength and savvy of companies collecting Internet users' personal data and selling it to advertisers.
A recent report by a privacy group found, for example, that some websites that present themselves as a way for ill people to connect with other people with the same ailments were actually created by companies to collect and sell data on those people to market medicines to them.
The FTC staff report also urged that special care be taken with information about sensitive topics such as finances, health, children or an individual's location.
"Before any of this data is collected, used or shared, staff believes that companies should seek affirmative express consent," the report said.
The agency's report urged the development of ways to build privacy into the design of business practices by, for example, collecting only the data that is needed and disposing of it when it is no longer being used.
The agency also proposed that company privacy policies be simpler, clearer and shorter.
"Staff also proposes providing consumers with reasonable access to the data that companies maintain about them, particularly for companies that do not interact with consumers directly, such as data brokers," the report said.
"In addition, all entities must provide robust notice and obtain affirmative consent for material, retroactive changes to data policies."
A final version of the report will be released next year after taking into account comments from interested parties.