Opt-In Mandates Shouldn’t Be Included In Privacy Laws

Executive Summary

  • Many in the United States are pushing for a comprehensive privacy regulation that requires websites to gather data only after individuals opt in, and they contend that an opt-in requirement will better educate people about what companies are doing with their data.
  • An opt-in regime does not give users more information than an opt-out system.
  • Research indicates that most people are aware that their data is being collected and processed, and take steps now to protect their privacy.
  • An opt-in requirement would not fix the problem it is trying to solve while simultaneously imposing burdens on both users and companies.

Making the Case for Opt-in

With Congress likely to consider a comprehensive federal privacy law next year, some are pushing for an opt-in requirement for all forms of data collection, which would require that users affirmatively agree to data collection. Such a requirement could be modeled on Europe’s General Data Protection Regulation (GDPR), which requires opt-in. California Representative Ro Khanna made opt-in a central feature of his Internet Bill of Rights, while Internet rights group Access Now made opt-in an explicit part of their guidelines for lawmakers for the adoption of a new U.S. privacy law.

Eric Null, senior policy counsel at the Open Technology Institute, has articulated one of the more prominent cases for an opt-in regime, saying, “The benefit of opt-in is making sure consumer data isn’t used in ways they didn’t know about, understand, or agree to. Opt-out assumes they know, when in reality we all know they don’t. How do you solve that without opt-in?” The argument from knowledge—or lack thereof—is a primary part of the argument for an opt-in privacy regime. The choice, whatever it may be, should be supported by knowledge about the promises and pitfalls of the service. But because consumers don’t have that knowledge, they cannot make a prudent decision. Until consumers know what they are agreeing to, the default must be no collection, many argue.

But does this argument for an opt-in privacy regime stand up to scrutiny? A brief survey of some basic data points indicates it might be overblown: Many people don’t read the terms of service contracts yet agree to them anyway, and one study suggested that only about one in a thousand people click on a site’s terms of service. Other research confirms this conclusion. An opt-in regime will not solve the knowledge problem. On the whole, people are aware of their privacy options, and they tend to weigh trade-offs when valuing their privacy.

Read more in the full American Action Forum article by Will Rinehart.