Ontario Privacy Commish Sides With Opt-Out on Behavioural Online Tracking

The U.S. FTC is in the midst of considering a proposed Do-Not-Track planthat seeks to address mounting concerns about behavioural tracking of online activities for marketing purposes [the practice became apparentin one of my recent classes when we visited an online dating site to discuss the use of Google advertising only to find that dating site advertisements appeared in subsequent, unrelated browsing]. Yesterday, both Google and Mozilla announced that they would install do-not-track features on the Chrome and Firefoxbrowsers.

The Electronic Privacy Information Center, one of the leading privacy groups in the U.S., makes the case for an opt-in approach, noting that it would better protect consumer  privacy and is consistent with many other U.S. privacy statutes. It adds that:

Opt-in is more effective than opt-out because it encourages companies to explain the benefits of information sharing, and to eliminate barriers to exercising choice. Experience with opt-out has shown that companies tend to obfuscate the process of exercising choice, or that exemptions are created to make opt-outimpossible.

In the event that opt-out is adopted, it calls for the exclusion of certain sensitive information and an administrative infrastructure (much like do-not-call) to ensure that opt-outs are respected.

A somewhat surprising source of support for opt-out is Ontario Privacy Commissioner Ann Cavoukian.  Cavoukian’s submission includes acceptance of a two-step process based on an opt-out model.  The OIPC calls for a clear opportunity to opt-out once the tracking begins and assurances that the opt-out will be respected for future tracking.  Cavoukian is reluctant to disrupt current practices, noting:

Where the prevailing norms and industry standards of practice are “opt-out,” as in the case of online targeted advertising and marketing (which may be based on a variety of tracking technologies), proceeding directly to an “opt-in” model would not only be impractical, but perhaps also harmful to the industry involved.

Canada’s Bill C-28, the recently enacted anti-spam legislation, adopts an opt-in approach even where industry standards may have been opt-out, though it does provide a phase-in period of up to two years to give industry the opportunity to adjust.  Moreover, challenging industry norms is itself not unusual for privacy regulators – see Canada and Germany on Facebook.


  1. tell Ms. Cavoukian what you think
    Make sure y’all e-mail Ms. Cavoukian with your protests on her lack of commitment to your privacy:

  2. Rigo Wenning says:

    Mass-behavior and default revenue
    Rule Nr.1: Users click OK until they get the content! Consequently, given interesting content, there will be not much difference.
    Rule Nr.2: Users do not change default settings of their browser! Consequently, a default opt-in will not mobilize much people, unless confronted with an OK-button. Then Rule Nr.1 applies.

    The difference between opt-in and opt-out is those who will not change anything. This is over 80% of people. Taking into account the market’s dominant advertiser Google revenues of over 50 billion/year, taking into account that targeted ads generate much higher revenue, it is not imprudent to assume a difference of several billion of revenue depending on opt-in vs opt-out.
    A loss of so much money will push the shareholders towards the most reckless that have the least losses. This makes Anne Cavoukian’s position for a US! system understandable. For Canada or the EU, I’m less sure that the step to opt-in is a big step. But citing the brilliant essay of this blog’s author: “is there a there there?”, I may ask whether we can afford two solutions on the Web where the US companies earn more via targeted advertisement and the others can’t really compete.

    Finally let me say that we see frantic hacking by US based browsers without concertation via the IETF (who owns the HTTP-Specification they extend) or via W3C (who claims to be the sheperd of the Web). I think some more coordination would be worthwhile.

  3. Opt out of online tracking and surveillance; opt in to targeted marketing
    My reading of the IPC report is that it discusses opt-out in the context of online tracking, not marketing. Although tracking and marketing can be related, they are quite different contexts.

    The IPC report seems to agree further with FTC proposals that any opt-out of online surveillance should be easy for users to exercise, and be global and persistent. Please explain why this is bad privacy?

    Sure, opt-in is always generally preferable from a user privacy standpoint, but how realistic is such a feature in the current context of online behavioural tracking, where the only current opt-in available to users is their decision to surf the web. Don’t want to be tracked online? Don’t surf the web!

    If the FTC can convince browser and smartphone makers to include an *effective* “STOP TRACKING ME” button in their software and devices that doesn’t “break the internet” (think IP addresses), then this would be a huge privacy advance over the current online status quo. I doubt it will happen, but if it does, I’ll be first in line to hit that opt-out button.


  4. Daniel Haran says:

    conflict of interest
    Some large news outlets are in favour of more regulation. They fail to mention their conflict of interest: by buying audience data (e.g. “interested in online dating”), advertisers can reach the same people on cheaper sites. Advertising to audiences instead of buying placements on marquee sites upsets an old business model. Data availability helps smaller publishers.

    Offline, data and credit bureaus have no qualms about collecting far more extensive and personally identifiable information. Why should the web be subjected to more draconian regulations?

  5. James K. Phillips says:

    I am skeptical.
    If you don’t want to be tacked, you need to disable JavaScript and uninstall Adobe Flash.

    Earlier, the EFF set up a test page to estimate how easily you can be tracked, even with cookies disabled:

    With JavaScript enabled, your browser can communicate things like display resolution, Installed fonts (which can be used to devine if you have Open Office or MS Office installed), and any plugins installed.

    You are actually more anonymous using an hardly-used text browser like ‘lynx’ even though lynx users probably only represent a handful of people for each website.

    Google’s websites for the most part do not work with JavaScript (or even flash) disabled. Any “don’t track me” flag will be about as effective as robots.txt is for webcrawlers: totally optional, but generally followed by the large players.