The U.S. FTC is in the midst of considering a proposed Do-Not-Track plan that seeks to address mounting concerns about behavioural tracking of online activities for marketing purposes [the practice became apparent in one of my recent classes when we visited an online dating site to discuss the use of Google advertising only to find that dating site advertisements appeared in subsequent, unrelated browsing]. Yesterday, both Google and Mozilla announced that they would install do-not-track features on the Chrome and Firefox browsers.
The Electronic Privacy Information Center, one of the leading privacy groups in the U.S., makes the case for an opt-in approach, noting that it would better protect consumer privacy and is consistent with many other U.S. privacy statutes. It adds that:
Opt-in is more effective than opt-out because it encourages companies to explain the benefits of information sharing, and to eliminate barriers to exercising choice. Experience with opt-out has shown that companies tend to obfuscate the process of exercising choice, or that exemptions are created to make opt-out impossible.
In the event that opt-out is adopted, it calls for the exclusion of certain sensitive information and an administrative infrastructure (much like do-not-call) to ensure that opt-outs are respected.
A somewhat surprising source of support for opt-out is Ontario Privacy Commissioner Ann Cavoukian. Cavoukian’s submission includes acceptance of a two-step process based on an opt-out model. The OIPC calls for a clear opportunity to opt-out once the tracking begins and assurances that the opt-out will be respected for future tracking. Cavoukian is reluctant to disrupt current practices, noting:
Where the prevailing norms and industry standards of practice are “opt-out,” as in the case of online targeted advertising and marketing (which may be based on a variety of tracking technologies), proceeding directly to an “opt-in” model would not only be impractical, but perhaps also harmful to the industry involved.
Canada’s Bill C-28, the recently enacted anti-spam legislation, adopts an opt-in approach even where industry standards may have been opt-out, though it does provide a phase-in period of up to two years to give industry the opportunity to adjust. Moreover, challenging industry norms is itself not unusual for privacy regulators – see Canada and Germany on Facebook.