Default settings for privacy -- we need to talk

"Some assembly required" isn't an effective model for protecting your data.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
6 min read

Facebook offers privacy protections, but they're not turned on by default. Industry research shows that the majority of people never change their default settings for privacy.

Jason Cipriani/CNET

When you get a new phone or sign up on a new app, how often do you dig into the privacy settings? If you're like most people, almost never. So while tech giants are giving you more control over privacy, they're counting on you sticking with what you're given.

Over the past couple of years, tech giants have been making changes to privacy settings to give people better options -- whether it's because they've been forced by new laws like California's Consumer Privacy Act or pressure from the public following screw-ups like Facebook's Cambridge Analytica scandal, Amazon's Alexa transcript incidents or Google's location tracking issues

But if the new privacy protections aren't on by default and people must traverse a maze of clicks to actually get those benefits, then little has actually changed.

CNET has a series of guides on how to change your privacy settings on a number of services and devices -- from smart TVs to voice assistants to online accounts. It begs the question, though: Why does something as fundamental as your own privacy need a guide when billion-dollar companies should be ensuring privacy from the get-go?

Privolta, a company that specializes in privacy-focused ads, ran a study in August and found that it takes 17 clicks to opt out of Google's data collection in the United Kingdom, while it only took one click to give the tech giant consent to collect your data. 

The company looked at 50 of the UK's top websites and found that, on average, it would take five times as long to opt out as it did to opt in for data collection. 

"It's designed to wear you down. That's how these patterns work," said Henry Lau, Privolta's co-founder. "They don't want you to make an easy choice between yes and no, they just want you to visit the menu to review your options." 

It's not your default

Default settings have a powerful effect on people, even if you have the option to change them at any time. 

For comparison, studies have found that organ donation increases in countries where it's the default option. In countries where people must sign up to donate their organs, there's a much lower rate. 

The same applies to privacy settings, researchers have found in several studies

"Several possible reasons for not changing the default settings exist: cognitive and physical laziness; perceiving default as correct, perceiving endorsement from the provider; using the default as a justification for choice, lacking transparency of implication, or lacking skill," researchers from the Goethe University Frankfurt and Nelson Mandela Metropolitan University wrote in 2013.

What you get from the tech giants is a decidedly mixed bag. Some recognize that many people don't change default settings and thus turn on privacy protections as the default. Others offer controls, but require people to adjust them. That has a major effect on how much privacy you actually have. 


Google's Rick Osterloh tells an audience in New York that its products are built with privacy "at the core," but many of its protections are not turned on by default.

Sarah Tew / CNET

Both Apple and Google say they take privacy seriously and offer controls for data trackers in their respective browsers, Safari and Chrome. The difference is that Safari offers privacy protections by default while Chrome requires people to change their settings. 

Less than 10 percent of Safari users but more than 80 percent of Chrome users are tracked by third parties, according to statistics from Gibson Research

Mozilla, which makes the Firefox browser, started enabling tracking blockers in its browser by default in June. It has blocked more than 1 trillion third-party requests since then, the company said.  

"At the baseline, we don't think that people should have to jump through hoops and navigate confusing menus to protect their privacy," said Ashley Boyd, Mozilla's vice president of advocacy. "People are busy, they have a bunch of devices, and it would take a tremendous amount of time for individuals to hunt down their buried settings on each of those to create a private experience."

She noted that Mozilla's stance is to shift the burden of protecting privacy from people to tech companies. A handful of tech platforms have followed that model.

When Apple changed its Siri review program, the new default required people to give permission for human reviewers to listen to audio recordings from the digital assistant. Before that, human reviewers listened to a small percentage of people's conversations through Siri in order to help improve the AI.

Google did the same for its voice assistant review program. Amazon's Alexa, however, still requires people to opt out of the review program

That means your privacy comes by default for Siri and Google Assistant, while it takes six taps and a warning from Amazon to do the same for Alexa. 

At Amazon's devices event in September, product chief David Limp boasted that Alexa was the first voice assistant that allowed people to opt out of the listening program -- even though its rivals actually provided better privacy measures. 

Amazon declined to provide statistics on how many of its users have opted out of the Alexa listening program. The company explained that it requires users to opt out, rather than matching Apple's and Google's approach, because it believed this was the proper balance between privacy and the need to improve Alexa's artificial intelligence capabilities. 

"While we also use unsupervised or semi-supervised learning, supervised learning is still the most effective approach for rapid feature development, accuracy and utility for our customers," an Amazon spokesperson said. "We think this is what customers want with the service, but also want to give them the ability to opt out if they like."  

Microsoft leans more toward starting with privacy protections turned off by default, requiring people to alter their settings on their own. 

"More than 25 million people around the world – including over 10 million people in the U.S. – have used our privacy dashboard to understand and control their personal data," Microsoft Chief Privacy Officer Julie Brill said in a blog post in November

The company launched its web-based privacy dashboard in 2017, though the 25 million people who've used it may be a sliver of overall users. The dashboard includes settings for Windows 10, Xbox, Skype, Office, Cortana virtual assistant, Edge web browser, Bing search engine and apps and services. Windows 10 alone runs on more than 900 million devices.  

Google didn't provide statistics on how often its users change their privacy settings. Apple also didn't provide statistics on how many people have adjusted their privacy settings. Facebook declined to share data on how often people changed their privacy settings.

Opt in versus opt out

Tech giants have made efforts to educate people about their privacy settings. For example, Facebook hosted a series of privacy pop-ups around the world, where visitors were greeted by staffers who would show them how to access their privacy settings and change their preferences. 

The education efforts and pop-ups would be unnecessary if tracking was turned off by default to begin with. 

Facebook said that it doesn't offer privacy protections by default because it wants to give people the choice to control their experience on the social network. In focus groups, the company said, it found that people preferred tracking in some cases, noting that participants enjoyed getting relevant ads. 

But people would still have that level of control if it were the other way around -- where strict privacy controls were activated by default and people who enjoyed relevant ads could opt in to turn on data tracking.  


Amazon hardware chief Dave Limp discusses privacy for its Alexa smart speakers at an event in September. Unlike Siri and Google Assistant, you must opt out of Amazon's human reviews listening program.

James Martin/CNET

"It's our position that if people value personalization that tracking provides, they can always opt in to it," Mozilla's Boyd said. "Why not shift the balance to allow for personalization for people who want it?"

Mozilla found that when it turned on tracking protections by default, only about 0.5 percent of Firefox users opted in to sharing their data.

Watch this: Let's talk about why privacy settings are a problem

On Jan. 1, 2020, California's Consumer Privacy Act goes into effect, which has already prompted some tech giants to change privacy settings. But a majority of them are still opt-out. For example, the law requires tech companies to provide a "Do Not Sell My Personal Information" link for users in the state, but people must still click on it to get that protection. 

There's a growing concern that this protection will be difficult to find on websites because the rules around where the link needs to be displayed haven't been released. 

"If it's buried on the site, it effectively neuters the legislation," Privolta's Lau said. 

Boyd agreed.

"It feels like a perpetual swimming against the current for most consumers, and that's why default settings are so important for privacy," Boyd said.  

Until then, you might want to read our guides about changing your privacy settings.