Remarks on the Relevance of Privacy Expectations for Default Opt-out Settings

TL;DR

This paper discusses how privacy laws regarding default opt-out settings should consider consumer privacy expectations, especially in pre-installed software, to align legal compliance with user intent and promote better privacy practices.

Contribution

It proposes that enabling UOOMs by default in pre-installed software aligns with consumer expectations and legal principles, challenging current restrictions based on the notion of affirmative choice.

Findings

Default UOOMs in pre-installed software can reflect consumer expectations.

Prohibiting default UOOMs may lead to unfair practices under FTC and state laws.

Aligning default UOOMs with consumer expectations supports better privacy and legal compliance.

Abstract

Over the past few years an increasing number of states in the US have adopted new privacy laws. The majority of these laws require compliance with universal opt-out mechanisms (UOOMs), which allow consumers to send legally binding opt-out signals. However, a number of laws generally do not allow UOOMs to be enabled by default. While some laws exempt privacy-protective software from this prohibition, the exemption does not apply to pre-installed software, e.g., a privacy-protective web browser bundled with an operating system. The reason for not allowing default opt-out settings for pre-installed software is to ensure that settings reflect consumers' "affirmative, freely given, and unambiguous choice," as, for example, the Colorado Privacy Act (CPA) is putting it. However, prohibiting vendors of privacy-protective software from turning on UOOMs by default can force them into committing unfair or deceptive acts or practices under the FTC Act and equivalent state laws. Thus, whether UOOMs can be turned on by default on pre-installed software should depend on consumers' privacy expectations. For pre-installed software that is creating a reasonable expectation for consumers that their privacy will be protected, the simple use of such software should be considered a valid choice for enabling UOOMs. In such software a turned-on UOOM is not a "default setting" but rather the software's inherent behavior that a consumer expects and chooses through its use. This interpretation of consumer choice is preferable under the CPA and similar laws as it grounds the notice and choice principle in the privacy expectations of consumers and enables companies to compete on better privacy for consumers.