New privacy protections, either from industry or government, are needed, because Internet users are often confused about how companies are collecting and using their personal data, Leibowitz said. "Many companies are not disclosing their practices," he said. "Even among the companies that do disclose them, those disclosures are often done in long, incomprehensible privacy policies and user agreements that consumers don't read, let alone understand."
The FTC doesn't have the power to implement a do-not-track mechanism, but Web companies should expect the agency to bring new privacy enforcement actions in coming weeks, Leibowitz said.
A hearing on a possible do-not-track mechanism is scheduled for Thursday morning in the consumer protection subcommittee of the U.S. House Energy and Commerce Committee. There isn't active legislation to create a do-not-track mechanism, however.
Several privacy groups praised the FTC report and its endorsement of a do-not-track list. The report shows that "industry has not done enough quick enough to protect consumers," said Pam Dixon, executive director of the World Privacy Forum.
The FTC has shown that it understands the new ways that Web-based businesses can track and profile customers, added Jeffrey Chester, executive director of the Center for Digital Democracy, a digital rights and privacy group.
"I think the FTC clearly gets it," Chester said at a press conference. "The FTC has shown for the first time that it understands the dramatic changes that have occurred because of online data collection and online advertising."
But Ginger McCall, staff counsel at the Electronic Privacy Information Center (EPIC), questioned whether the report goes far enough. The U.S. needs a dedicated federal privacy agency, a new comprehensive privacy law and an FTC that more aggressively enforces privacy rules, she said.
The FTC report also calls on companies to adopt a so-called "privacy by design" approach by building privacy protections into their everyday business practices. U.S. businesses should ensure reasonable security for consumer data, limit their collection and retention of personal data, and make reasonable efforts to ensure the data is accurate, the report said.
Companies should also provide customers with choices about how their data is collected and shared, the report said. Those choices should come at the time and in the context of decisions consumers are making -- "not after having to read long, complicated disclosures that they often cannot find," the FTC said in a press release.
Companies should not, however, have to seek consumer permission to collect data for some commonly accepted practices, such as product shipping, internal operations and fraud prevention, the FTC report said.