Citing the recent breach at Sony Pictures, Obama said Internet insecurity “creates enormous vulnerabilities for us as a nation, and for our economy and for individual families.”

In a speech at the Federal Trade Commission, he proposed a nationwide requirement that businesses report thefts of customers’ personal information; a “bill of rights” to give people more control over their data; and strict protections for personal information about children collected by their schools.

In the run-up to next week’s State of the Union address, President Obama on Monday called for major federal legislation to protect Americans’ online privacy.

Privacy activists expressed cautious optimism about the proposals.


“It could be great. But it’s very difficult to know that without seeing any of the details,” said John Simpson, director of the privacy project at Consumer Watchdog, a California advocacy group.

One of the president’s proposals, the Student Digital Privacy Act, is similar to a law recently passed in California that forbids companies from reselling student data to third parties not involved in educational activities. Companies would also be banned from using the collected data to target students with advertisements.

“Data collected on students in the classroom should only be used for educational purposes, to teach our children, not to market to our children,” Obama said.

Efforts to use advanced data-collection techniques in schools have foundered, because many parents fear the systems are too intrusive. For example, inBloom, a nonprofit funded by Microsoft Corp.’s billionaire cofounder Bill Gates, shut its doors last year when its efforts to build a nationwide education data network encountered ferocious parental opposition.

“It is absolutely unfortunate,” said Thomas Stella, assistant superintendent of public schools in Everett, who had hoped to use the inBloom system. Stella said the ability to collect large amounts of student data in a single database would have made it far easier to evaluate student performance.


The shutdown of inBloom was a major victory for Josh Golin, associate director of the Campaign for a Commercial-Free Childhood, a Boston group that campaigned against the company. Golin said Obama’s proposal might resolve some of his concerns about collecting personal data about children. “A lot of it is going to depend on the details,” Golin said, “and we’re not at the detail stage yet.”

Obama would also require companies to notify customers within 30 days from the time a data breach is discovered. Already, 47 states have similar laws, some of which are stricter than what Obama has called for. In California, any company involved in health care has just 15 days to report data breaches.

Simpson said a federal version should not override tougher standards issued by states. “If particular states want to enact something stronger, they ought to be able to do it,” he said. “I’m afraid that may not happen in the current environment in Washington.”

Obama also called for a data privacy bill of rights, a concept he first put forward in 2012. It would ensure that citizens could find out what information online vendors and companies such as Google are collecting about them, and what it’s being used for. Consumers could demand the data be used only for the original purpose, and companies would be required to use secure systems to store personal data.


Hiawatha Bray can be reached at hiawatha.bray@globe.com. Follow him on Twitter @GlobeTechLab.