Good Luck Opting Out: Manipulative Design Patterns in Opt-Out Processes

EPIC’s report Good Luck Opting Out: Manipulative Design Patterns in Opt-Out Processes by Justin Sherman, EPIC Scholar in Residence, and Caroline Kraczon, EPIC Counsel, investigates whether the consumer opt-out processes provided by major online platforms use manipulative design patterns to make it more difficult for consumers to exercise their opt-out rights.

Privacy legislation in twenty-one states includes the right to opt out of the sale and sharing of personal data, and most of these laws require companies to provide clear, easy-to-use opt-out mechanisms for consumers to exercise their rights. However, the report finds that many prominent online platforms’ opt-out processes utilize manipulative design patterns, which are deceptive, manipulative, coercive, or exploitative design choices that undermine consumers’ ability to make choices that reflect their true preferences and intentions.

Specifically, the report highlights the presence of the following eight major manipulative design patterns across the 38 companies’ opt-out processes:

  1. Failing to provide a clear mechanism to opt out of sale and sharing of personal information
  2. Not clearly linking opt-out form from homepage and/or privacy policy
  3. Requiring consumers to submit multiple separate forms
  4. Deceptive statements about opt-outs and their success
  5. Confusing or scary language
  6. Requiring consumers to log in or pay for a subscription before opting out
  7. Design elements hiding important opt-out information (including design elements inducing false beliefs, hiding or delaying disclosure of material information, or obscuring or subverting privacy choices)
  8. Checkbox options preselected

Policymakers and regulators need to step in to provide real privacy protections for consumers. To that end, the report provides these recommendations:

  • Companies should evaluate their opt-out processes and remove manipulative design features; clearly provide opt-out instructions and links in multiple places, including on their website homepage, within the privacy policy, and within other relevant locations and communications to users; make their opt-out processes simple, fast, and clearly described; clearly explain that certain types of data may be exempt from opt-outs, including publicly available data; and state any other limits related to the opt-out request, such as legally required retention timelines for certain data.
  • After consumers submit an opt-out request, companies should ensure that they continually honor the opt-out request by conducting ongoing, periodic audits to ensure they are not selling or disclosing data that has been the subject of an opt-out request.
  • The FTC should consider using its Section 5 authority (which prohibits unfair and deceptive business acts or practices) to protect consumers from manipulative designs by bringing enforcement actions against companies with manipulative opt-out processes.
  • State attorneys general—especially those in the states that have enacted privacy laws that include opt-out rights—should evaluate whether companies selling and disclosing data about their constituents meet legal requirements relating to opt-outs. If state attorneys general find evidence that companies are not providing clear, easy-to-use opt-out processes because of manipulative design tactics, they should bring enforcement actions against violating companies.
  • More states should consider following California’s lead to adopt a universal deletion mechanism, which makes it significantly easier for consumers to exercise their rights—especially in the face of manipulative, friction-laden opt-out processes.
  • More states should require companies to honor opt-out requests from universal opt-out mechanisms to allow consumers to automatically request to opt out from all websites they visit while they have a universal opt-out mechanism enabled.
  • Above all, states should strengthen privacy protections for consumers by passing legislation that includes robust data minimization standards instead of relying on outdated notice-and-choice frameworks. As this report will show, consumers cannot effectively protect their own privacy by exercising opt-out rights. Strong data minimization standards would provide more meaningful privacy protections for consumers.