AI Safety

Remarks on the Relevance of Privacy Expectations for Default Opt-out Settings

Legal analysis claims blocking default privacy settings may violate consumer protection laws.

Deep Dive

A new legal analysis by researcher Sebastian Zimmeck, published on arXiv, tackles a growing conflict between emerging state privacy laws and consumer protection statutes. The paper, titled 'Remarks on the Relevance of Privacy Expectations for Default Opt-out Settings,' focuses on Universal Opt-Out Mechanisms (UOOMs)—signals that allow users to automatically opt out of data sales and targeted advertising across websites. While many new state laws mandate support for these UOOMs, several, including the Colorado Privacy Act (CPA), explicitly forbid enabling them by default, especially in pre-installed software like a web browser bundled with an operating system. The stated legal intent is to ensure settings reflect an 'affirmative, freely given, and unambiguous choice' by the consumer.

Zimmeck argues this prohibition creates a legal trap for companies building privacy-protective software. By preventing them from turning on strong privacy features by default, the law may force them into committing 'unfair or deceptive acts or practices' under the broader FTC Act and state equivalents. The core of his proposal is a shift in interpreting 'choice.' He contends that for software marketed and understood as privacy-protective, the simple act of a consumer using that software should be considered a valid, affirmative choice to enable UOOMs. In this view, a turned-on UOOM is not an arbitrary 'default setting' but the inherent, expected behavior of the product the user selected. This interpretation, he concludes, better grounds privacy law in real consumer expectations and allows companies to genuinely compete on providing stronger privacy out of the box.

Key Points
  • Identifies conflict: State privacy laws (e.g., Colorado's CPA) ban default UOOMs, but this ban may run afoul of the FTC Act's prohibition on unfair or deceptive practices.
  • Proposes new standard: Using privacy-focused software should constitute legal 'choice' for default opt-outs, based on consumer expectations.
  • Impacts tech giants: Affects how companies like Apple, Google, or Brave can design and ship privacy features in pre-installed browsers and OSes.

Why It Matters

This framework could allow privacy-focused browsers and OSes to ship with strong defaults, shifting the burden away from user configuration.