Online privacy continues to be a hot topic in Washington, D.C. A few weeks ago, the Federal Trade Commission (FTC) issued a staff report calling for greater protection of online consumer privacy. A House subcommittee heard testimony on the increasingly popular idea of “do not track” for the Internet. Soon thereafter, Microsoft announced a new tracking protection mechanism for Internet Explorer 9.

Yesterday, the Department of Commerce chimed in with its own “green paper” on online privacy, which echoes many of the concerns we’ve discussed here—in particular, the enormous gap between consumer privacy expectations and business reality in the online environment, where increasingly sophisticated yet largely hidden tracking mechanisms are routinely deployed against the general public. Everyone agrees that there’s a problem.

However, there’s still no agreement on what should be done about it. To its credit, the Commerce Department (and many of the companies that commented on the original notice of inquiry) strongly supported greater adherence to the well-known Fair Information Practice Principles. We were also glad to see that the Commerce Department expressly discussed the need to reform the Electronic Communications Privacy Act given the rise of cloud computing and growing concern about law enforcement access to data traversing or stored by service providers, consistent with the goals of the Digital Due Process coalition that EFF is helping to steer.

But the Commerce Department seems reluctant to endorse enforceable consumer privacy rules, even though many commenting companies (and others) supported broad federal privacy legislation that could fill existing holes in commercial data privacy law. While acknowledging the need for FTC enforcement as a backstop, the green paper instead recommends the creation of a Privacy Policy Office within the Commerce Department that would help develop voluntary privacy codes of conduct within a multi-stakeholder negotiation process.

We think that approach has serious problems. Agency rulemaking is by no means ideal, but it is governed by law and yields legal rules subject to judicial review based on a defined administrative record. Multi-stakeholder negotiation is more political, and such a political consensus may only lead to general principles that are hard to enforce. It’s also less accountable to the facts; we’re concerned about how it would get verifiable information about commercial surveillance technologies, practices and data flows. Nor is it clear that businesses would follow voluntary codes of conduct. Multi-stakeholder negotiation may have a place within agency rulemaking, but it doesn’t strike us as a substitute for enforceable rules.

We expect to comment on the green paper, and encourage others to as well. Comments are due Jan. 28, 2011 and can be submitted to