The Electronic Privacy Information Center, one of the leading privacy groups in the U.S., makes the case for an opt-in approach, noting that it would better protect consumer privacy and is consistent with many other U.S. privacy statutes. It adds that:
Opt-in is more effective than opt-out because it encourages companies to explain the benefits of information sharing, and to eliminate barriers to exercising choice. Experience with opt-out has shown that companies tend to obfuscate the process of exercising choice, or that exemptions are created to make opt-outimpossible.
In the event that opt-out is adopted, it calls for the exclusion of certain sensitive information and an administrative infrastructure (much like do-not-call) to ensure that opt-outs are respected.
A somewhat surprising source of support for opt-out is Ontario Privacy Commissioner Ann Cavoukian. Cavoukian’s submission includes acceptance of a two-step process based on an opt-out model. The OIPC calls for a clear opportunity to opt-out once the tracking begins and assurances that the opt-out will be respected for future tracking. Cavoukian is reluctant to disrupt current practices, noting:
Where the prevailing norms and industry standards of practice are â€œopt-out,â€ as in the case of online targeted advertising and marketing (which may be based on a variety of tracking technologies), proceeding directly to an â€œopt-inâ€ model would not only be impractical, but perhaps also harmful to the industry involved.
Canada’s Bill C-28, the recently enacted anti-spam legislation, adopts an opt-in approach even where industry standards may have been opt-out, though it does provide a phase-in period of up to two years to give industry the opportunity to adjust. Moreover, challenging industry norms is itself not unusual for privacy regulators – see Canada and Germany on Facebook.