My weekly technology law column (Toronto Star version, Ottawa Citizen version, Vancouver Sun version, homepage version) focuses on the reaction to iOptOut.ca, which includes advice from at least two Canadian associations to their members not to respect the legitimate opt-out requests of thousands of Canadians. I argue that this provides a good sense of what lies ahead this fall when the government-mandated list makes its long-awaited debut. The iOptOut.ca site is based on a simple premise, namely that Canadian privacy law already gives Canadians the right to withdraw their consent over the use of their personal information (including phone numbers) for telemarketing calls. Visitors to the site are asked to enter their phone number (and email address if they wish) and to indicate their privacy preferences for nearly 150 organizations.
With a single click, the selected organizations each receive an opt-out request, enforceable for the moment through the complaint process under national privacy law. Once the do-not-call list is up and running, there will be a further enforcement mechanism – complete with financial penalties – for those organizations that do not respect the opt-out request. After only one week online, it has become readily apparent that the site has struck a chord with Canadians. More than 17,000 phone numbers have been registered, resulting in over 1.7 million opt-out requests. Interestingly, many users pick and choose their organizations, as over a quarter of all registrants do not check all available options.
Given the public support for the do-not-call list (an Industry Canada study once found over 90 percent of those surveyed favoured a list), the enthusiastic response was predictable. In fact, it suggests that once the official list is launched, millions of numbers will likely be registered in fairly short order. Registration will provide a measure of relief for Canadians tired of unsolicited telemarketing calls; however, the iOptOut.ca experience to date suggests that some challenges will remain.
First, many users have noted the growing number of telemarketing calls that originate from outside Canada, particularly the United States. Canadians are currently unable to register their numbers on the hugely successful U.S. do-not-call list (over 100 million numbers registered) and Canadian privacy law cannot be easily enforced outside domestic borders. This jurisdictional loophole has not attracted much attention, but Canadian and U.S. officials should explore a mutual recognition system that would force U.S. telemarketers to abide by the Canadian list and Canadian telemarketers to respect the U.S. list.
Second, some industry groups have reacted with considerable hostility toward iOptOut.ca. For example, both the Canadian Marketing Association and the Marketing Research and Intelligence Association have advised their members that they may be able to ignore Canadians' opt-out requests since the requests are not "authenticated." There is no requirement under Canadian law for such authentication, and the CMA itself runs an opt-out list without authentication. In fact, neither the Canadian nor the U.S. do-not-call list features telephone number authentication. Moreover, the MRIA has deliberately entered false information into iOptOut.ca, presumably in an effort to undermine the site's reliability (fewer than 1 in 1000 registrations have been demonstrably false). Other organizations have sought to stop opt-out attempts by simply blocking the email requests before they enter their email systems.
While these actions can be challenged before the Privacy Commissioner of Canada, they foreshadow a more troubling concern. The imminent arrival of a Canadian do-not-call list will reshape telemarketing in Canada, forcing thousands of organizations to pay closer attention to the privacy preferences of their customers. There is no right to opt out of the law, but it would appear that not everyone will welcome the do-not-call list with open arms.