Why Not Privacy by Default

Abstract

We live in a Track-Me world, one from which opting out is often not possible. Firms collect reams of data about all of us, quietly tracking our mobile devices, our web surfing, and our email for marketing, pricing, product development, and other purposes. Most consumers both oppose tracking and want many of the benefits tracking can provide. In response, policymakers have proposed to give consumers significant control over when, how, and by whom they are tracked through a system of defaults (i.e., “Track-Me” or “Don’t-Track-Me”) from which consumers can opt out. The use of a default scheme is premised on three assumptions. First, that for consumers with weak or conflicted preferences, any default chosen will be “sticky,” meaning that more consumers will stay in the default position than would choose it if reaching the position required an affirmative action. Second, that those consumers with a true preference for the opt-out position—and only those consumers—will opt out. Third, that where firms oppose the default position, convincing consumers to opt out will require the firms to explain the default position, resulting in well-informed decisions by consumers. This Article argues that for tracking defaults, these assumptions may not consistently hold. Past experience with the use of defaults in policymaking teaches that Track-Me defaults are likely to be too sticky, Don’t-Track-Me defaults are likely to be too slippery, and neither are likely to result in well-educated consumers. These conclusions should inform the “Do-Not-Track” policy discussions now taking place in the United States, in the European Union, and at the World Wide Web Consortium. They also cast doubt on the privacy and behavioral economics literatures that advocate the use of “nudges” to improve consumer decisions about privacy. © 2014 Lauren E. Willis. † Robert S. Braucher Visiting Professor of Law, Harvard Law School and Professor of Law, Loyola Law School Los Angeles, lauren.willis@lls.edu. My thanks to Omri BenShahar, James Grimmelmann, Chris Hoofnagle, Paul Ohm, Jules Polonetsky, Paul Schwartz, Chris Soghoian, Lior Strahilevitz, Jessamyn West, Jonathan Zittrain, participants at the 2013 Privacy Law Scholars Conference, research assistant Natalie Kim, and the patient editors at the Berkeley Technology Law Journal. 62 BERKELEY TECHNOLOGY LAW JOURNAL [Vol. 29:61