Universal Opt-Out Mechanisms: Empowering Consumers or Creating a New Digital Divide?

What if you could opt out of the collection of your sensitive personal data with a single click? No more tediously unsubscribing from hundreds of email lists and navigating the constant barrage of confusing—and often intentionally deceptive—cookie consent pop-ups on every website you visit. A solitary click and data brokers—companies that profit from the collection and sale of consumers' personal data—can no longer collect or sell yours. This is the future promised by Universal Opt-Out Mechanisms (UOOMs), like California’s forthcoming Delete Request and Opt-out Platform (DROP) tool and the Global Privacy Control.

UOOMs have immense potential to empower consumers by simplifying the management of their personal information. These mechanisms centralize the opt-out process, allowing users to prevent their data from being collected without navigating a maze of privacy settings on countless websites. In doing so, UOOMs are designed to reduce the effort required to protect privacy, increase consumer control over which companies can access their information, and give users autonomy and agency over their personal data.

As promising as UOOMs seem in theory, their practical implementation could introduce new consumer vulnerabilities. One significant concern is the potential shift in how society views consent. Under the common “Notice and Opt-In” framework, such as the EU’s General Data Protection Regulation (GDPR), a user must take the affirmative step of providing their express consent to data collection before any data can be shared. Requiring consent before data is shared creates a default presumption that data brokers do not have the right to use consumers’ data unless or until the consumer allows them to do so.

However, UOOMs by their very nature create a “Notice and Opt-Out” framework, as seen in the California Consumer Privacy Act (CCPA), where consumers must affirmatively act to withdraw consent by opting out. Under such a system, the default presumption is that users who fail to opt out have consented to that data collection. This passive consent allows data brokers to exploit consumers by making it more difficult for consumers to exercise their opt-out rights. In the ongoing lawsuit against facial recognition company Clearview AI, for example, Clearview AI asserts that users who did not explicitly opt out of their surreptitious data gathering practices had no grounds to challenge the facial recognition product they built off of it, relying on the CCPA’s opt-out regime for support.

Consumers also remain vulnerable to data brokers’ coercive tactics that undermine the protections provided by UOOMs. These tactics force consumers to compromise by trading their privacy rights for access to online services, effectively demanding consent through necessity. Businesses, for example, may circumvent UOOMs by implementing dark patterns–deceptive design choices that manipulate users into permitting data collection. In a lawsuit against Google, Arizona Attorney General Mark Brnovich alleged that Google used dark patterns to track user locations despite their location sharing being turned off. Google also allegedly made access to Android privacy settings difficult to locate, so users could not properly opt out of location tracking.

Even where UOOMs are in place, companies have found ways to hide their privacy settings from these mechanisms and ignore opt-out requests. In 2022, for example, the California AG fined Sephora $1.2 million after discovering that the company was covertly collecting data in violation of the CCPA, despite receiving opt-out requests from the Global Privacy Control UOOM tool.

Also troubling is the increase in scrutiny that may arise for those who opt out of data collection. Because UOOMs create the default presumption of opting in, UOOMs risk normalizing surveillance and cementing data sharing as the societal norm. Under this framework, opting out becomes a norm-violating anomaly, potentially signaling to organizations that an individual who opts out has something to hide. As a result, entities like landlords, employers, government agencies, or financial institutions may resort to more extensive data surveillance methods, such as invasive background checks, credit checks, social media monitoring, or even neighborhood monitoring, to fill in the gaps left by users’ opt-outs.

There is also a concern that some may lose access to essential services or online content because they protect their data by opting out. Government institutions, healthcare providers, and news agencies increasingly rely on social media platforms, mobile applications, and AI tools that require data collection to use these services. Local governments, for example, routinely turn to X (formerly known as Twitter) and Facebook to disseminate vital, real-time emergency information during natural disasters and weather events, such as Hurricane Harvey, Hurricane Sandy, and the 2009 Red River Valley flood. Additionally, in Nevada, the state has partnered with Google to create a generative artificial intelligence system to help determine the outcome of unemployment appeals, granting Google’s AI tool access to unemployed Nevadans’ sensitive personal data including tax information, social security numbers, and "information about a claimant’s health, family, and finances.”

If platforms and institutions build services around the presumption that users are sharing data, opting out might render essential services less accessible or effective. A person who opts out of data collection to protect their privacy might find themselves unable to access news, healthcare apps, or government services that require data sharing for personalized services or eligibility checks. Under such a system, individuals would be forced to choose between (a) a lack of access to essential services or (b) use of that service while under constant surveillance, exploitation, and data commodification without any realistic way to protect themselves, undermining the consumer empowerment that the UOOM intended to create.

Finally, UOOMs, if not strategically implemented, have the potential to exacerbate cultural and socioeconomic exclusion. In a world with global opt-out, companies might adapt their business models to either require consent to access their services or move to a “pay or consent” model, as Meta attempted to do in the EU. Under a “pay and consent” model, companies could require that consumers consent to data sharing in exchange for “free” access to their services, but allow those who wish to opt out of data sharing the option to pay for access to avoid data collection.

Affluent, tech-savvy individuals would thus be able to opt out of data collection while maintaining access to these services or benefit from a landscape where data is used to offer individualized, tailored experiences without sacrificing their privacy. However, those without the ability to engage with these systems due to a lack of resources, technological access, or digital literacy may experience growing cultural and social isolation. A person who opts out of digital platforms could be left out of important conversations, events, or campaigns happening primarily online, thus widening the divide in political participation or social engagement.

To narrow this emerging digital privacy divide, policymakers must adopt a balanced approach that ensures privacy protection while minimizing the risk of exacerbating existing inequalities. Universal opt-out mechanisms are potentially a valuable tool for consumers to control their personal data, but they must be carefully implemented, as they could unintentionally deepen the digital divide if not paired with broader systemic solutions. 

Regulators should mandate that consent for data collection is genuinely informed and freely given, with companies making clear, transparent disclosures about data practices and the consequences of opting out, ensuring there is no coercion or manipulation. Governments should provide the public with stronger privacy rights and introduce more universal restrictions on data collection and use, such as prohibiting 1) the abuse of user opt-out data, 2) discrimination against individuals who opt out of data collection, 3) the implementation of “pay or consent” models, and 4) the degradation or loss of essential services for individuals who choose to opt out of data collection, safeguarding access to critical resources like news outlets and government services.

A potential model for such regulation could be the anti-steering obligations in Article 5(2) of the EU’s Digital Markets Act (DMA). Under the DMA, platforms are required to provide users who do not consent to data collection “less personalized but equivalent” services to those provided to users who consent to targeted advertisements and “without making the use of the core platform service… conditional upon the end user’s consent.”

Finally, there should be stronger protections and enforcement against covert data collection practices and manipulative tactics, such as dark patterns, that undermine user autonomy. By adopting these measures, regulators can create a more equitable digital landscape where privacy is protected for all.