landmark report (.pdf) puts the Commerce Department on record as recognizing that the flow of information is key to the future of business and that U.S. companies need to both adhere to a set of fair information practices and have the confidence that if they do adhere, they won’t be penalized.

“This sense of consumer trust — the expectation that personal information that is collected will be used consistently with clearly stated purposes and protected from misuse, is fundamental to commercial activities on the Internet,” the report said. “Conversely, commenters widely recognized that an erosion of trust will inhibit the adoption of new technologies. The Department of Commerce shares the belief that maintaining consumer trust is vital to the success of the digital economy.”

The so-called green paper, which was developed over the last year with input from consumer watchdog groups and online businesses, seeks to reinforce, not rework, the current patchwork of laws, regulatory authorities and self-regulation that exist in the United States. For instance, there’s no law that requires a company to have a privacy policy, though it’s considered unthinkable for any real online business not to have one, and companies that deal in financial, health and communication data do have certain obligations under federal law.

If a company violates its privacy policy, it can be sued in court by individuals or investigated and fined by the Federal Trade Commission or states attorneys general for breaking its promise.

Under the Commerce Department’s proposal, the sets of standards that companies hold themselves to should be raised voluntarily by industry groups, (and possibly by law), adopting more of what are known as Fair Information Practice Principles (FIPPs), an idea that dates back to the Ford administration.

The Center for Democracy and Technology, one of the more moderate digital rights interests groups, applauded the report, but urged that Congress pass a law setting privacy standards for all U.S. online businesses.

“The Department of Commerce report lays out a creative and flexible approach to develop enforceable privacy protections for consumers,” said Justin Brookman, who heads CDT’s Privacy Project. “Now it’s time for Congress to step up and pass the legislation needed to enact a baseline consumer-privacy law that is built on the strong recommendations contained in the Commerce and FTC privacy reports.”

The FTC’s report, which came out earlier this month, castigated the online ad industry, saying it had failed to police itself, particularly in the area of letting consumers know what information was collected about them and how to opt-out. The FTC backed a “Do Not Track” setting in browsers that would eliminate the need to set cookies in order to prevent online behavioral ad tracking companies from monitoring what they do across the web.

Chris Calbrese, the ACLU’s legislative counsel in D.C., went further, praising the Commerce department for finally recognizing what consumer groups have been saying for year..

“It’s the wild wild west out there and consumers have no privacy online,” Calebrese said. “FIPPS is a good place to start and Congress needs to act and give us an enforceable regime.”

He’s hopeful that consumer privacy legislation can be passed, as there are signs that it’s a bipartisan issue.

“I think the entire behavioral targeting industry is the problem,” Calabrese said. “We are building a private surveillance network over the internet that can be shared with data aggregators, employers and the government. That’s a big problem.”

The Fair Information Practices endorsed in today’s report hold that individuals should get notice when their data is collected, they should have a reasonable choice about whether to allow the collection, they should know how their data is being used and how long it will be kept, and they should be able to see and correct the data collected about them. Organizations that collect data should collect the minimum necessary and destroy data once that purpose has passed.

In practice, this might look something like what Google has recently adopted for it’s display advertising system, where a targeted ad has a clickable icon that tells you how the company decided to present that ad to you, allow you to see what its profile of you is, and let you modify it or opt-out entirely.

A variation of FIPP rules apply to the federal government, which has to put out a notice every time it intends to create or expand a data collection system, but in practice, the notices routinely exempt government agencies from following Fair Information Practices.

The paper also called for a Privacy Policy office inside the Commerce department to help create stronger frameworks without impairing the U.S.’s internet entrepreneurial culture.

The report also calls, surprisingly, for the Congress to create stronger protections for individuals using so-called cloud computing services, such as web-mail, online word processing, and online storage.

The Electronic Communications Protection Act, written in the early 1980s, requires the government to get a warrant to search your hard drive, so that if you download your e-mail it has strong protection. But that same law says criminal investigators can ask any online e-mail service to provide them with any of your e-mails older than 180 days, and in at least one case, the government argued that it had the right to get any e-mail that someone had opened and read, but left in their inbox, without going to a judge and proving they had probable cause to suspect you had committed a crime.

That portion of the law was ruled earlier this week to be unconstitutional by the Sixth Circuit, which covers four Midwestern states, but outside of that circuit, the feds may still press their luck — at least until (and if), the Supreme Court rules on the issue.

Correction: The story originally identified the ACLU’s Calabrese by his previous job title as counsel to its Technology and Liberty Project.

Authors: Ryan Singel

to know more click here