U.S. businesses that collect personal data would be required to describe their privacy and security practices and give consumers control over their personal information under a proposed privacy bill of rights released Friday by the Obama administration.
The proposal would also require companies and nonprofit groups to collect and retain only the personal data they need to operate.
However, the proposal allows industry groups to submit their own codes of conduct to the Federal Trade Commission that would shield companies that follow those codes from FTC enforcement actions.
Organizations adopting codes of conduct "shall have a complete defense to each alleged violation" of the privacy rules if they demonstrate compliance with the industry-developed codes, according to the draft bill's language.
That drew criticism from privacy advocates.
The White House plan is "riddled with problems," even after discussions with privacy groups in recent weeks, said Jeffrey Chester, executive director of the Center for Digital Democracy.
The proposal limits the FTC's authority to enforce privacy standards through its codes of conduct provision, Chester said via email. The FTC has only 90 to 120 days to decide whether to approve a proposed code of conduct, for example.
The proposed bill of rights, based on a 2012 Obama administration proposal, is needed because companies are collecting more and more personal data, the White House said.
"Even though responsible companies provide us with tools to control privacy settings and decide how our personal information is used, too many Americans still feel they have lost control over their data," the White House said. "Fears about identity theft, discrimination, and the trade in sensitive data without permission could erode trust in the very companies and services that have made us better connected, empowered, and informed."
The privacy draft, a proposal for Congress to consider, would require companies collecting personal data to regularly assess their security risks and establish safeguards. It would also require companies holding personal data give consumers access to it.
But the draft bill allows companies to deny customers access to their personal information if their requests are "frivolous or vexatious." This provision allows "a company to determine whether the data should be available," Chester said.
U.S. Sen. Edward Markey, a Massachusetts Democrat and longtime privacy advocate, raised concerns that the proposal would preempt many state privacy laws.
The draft bill "falls far short of what is needed to ensure consumers and families are squarely in control of their personal data," Markey said in a statement. "Instead of codes of conduct developed by industries that have historically been opposed to strong privacy measures, we need uniform and legally enforceable rules that companies must abide by and consumers can rely upon."
On the other side, some industry groups said the proposal isn't needed and sends the wrong message about U.S. business practices. The proposal "says to state legislators and foreign governments that American online businesses have a privacy problem," Steve DelBianco, executive director of e-commerce trade group NetChoice, said via email.
Before passing legislation, Congress should run a cost-benefit analysis to determine the impact on U.S. businesses, he added.
The proposal "casts a needlessly imprecise net" in policing online business practices, according to the Internet Association, another trade group.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is firstname.lastname@example.org.