WASHINGTON — Although search companies have taken significant steps to improve on consumer privacy protection, “comprehensive” federal legislation still is needed to protect web users from “bad actors,” the Center for Democracy and Technology asserted in a report issued this week.

Although the report acknowledged that several major search engines recently have announced policies that “begin to place control of sensitive information back into the hands of users, limiting the risk that consumers’ personal data will be misused, lost, stolen or otherwise compromised,” the CDT concluded that such self-regulation will never be sufficient by itself.

“No amount of self regulation in the search privacy space can replace the need for a comprehensive federal privacy law to protect consumers from bad actors,” the CDT stated in its report. “With consumers sharing more data than ever before online, the time has come to harmonize our nation’s privacy laws into a simple, flexible framework.”

The report included a chart comparing the privacy practices of five major search engines — Google, Yahoo, MSN (Microsoft), Ask.com and AOL — in terms of how long each engine stores different types of data before it is removed, how such data is removed from each given engine’s logs, and whether the search data is shared with third parties.

As noted by the CDT, even some of the new policies published by search engines that have been stepping up their privacy protections may not be as straightforward as they appear to be at first glance.

Ask.com, for example, gives users the option of storing their personal search logs for as long as they wish; when users choose to delete the stored information from their personal search history, however, that data still remains on the Ask.com servers until the minimum retention time has expired. In the case of Ask.com, that minimum retention time is 18 months. As noted by the CDT report, “this kind of control serves to extend, not limit, the data retained.”

Still, on balance, the CDT said the fact that search engines appear to be trying to one-up each other in creating consumer confidence in their privacy policies is a good sign.

“We hope this signals the emergence of a new competitive marketplace for privacy,” CDT President Leslie Harris said. “By themselves, these recent changes represent only a small step toward providing users the full range of privacy protections they need and deserve, but if this competitive push continues it can only stand to benefit consumers.”

The CDT cautioned, however, that while the revisions to search engine privacy policies show that progress is being made, the revised policies are not a cure-all.

“Some search privacy issues may be addressed, but consumers’ personal information will remain vulnerable in many other contexts,” the CDT stated in its report. “In particular, whatever information is retained is available to the government under a mere subpoena, issued without a judge’s approval. Companies will continue to face the intricacies and loopholes of our nation’s patchwork of privacy laws so long as no federal standard exists.”

Ari Schwartz, deputy director of the CDT, said he’d like to see the federal government follow the lead of the private sector with respect to the privacy issue.

“It’s encouraging to see the nation’s largest Internet companies taking search privacy seriously,” Schwartz said. “Now it’s time for Congress to do its part by passing a robust federal law that brings our consumer privacy protections up to the level that users expect.”