Dark Defaults
System settings configured from day one to maximize data collection, sharing, and engagement — against the user's likely preference.
What Are Dark Defaults?
Dark Defaults are pre-configured settings that prioritize the company's business objectives over the user's interests. Unlike preselection (which involves checkboxes during a flow), dark defaults are baked into the product's initial configuration — users inherit them automatically and most never discover the settings exist, let alone change them.
Research shows that fewer than 5% of users ever modify default settings. Companies know this, and they configure defaults to maximize data collection, ad targeting, engagement, and revenue.
Notable Examples
- Facebook privacy defaults — Historically defaulted to "Public" for post visibility, shared user activity with apps of friends, and enabled facial recognition. Each setting required individual discovery and opt-out across dozens of settings pages.
- Windows telemetry — Windows 10/11 defaults to "Full" telemetry, sending usage data, browsing data, and app crash data to Microsoft. The "Required only" option exists but isn't selected during setup.
- Google Location History — Enabled by default on Android devices. Even when "paused," Google continued collecting location data through other services and app activity, as uncovered by an AP investigation.
- Smart TV tracking — Samsung, Vizio, and LG smart TVs default to ACR (Automatic Content Recognition) — tracking everything displayed on the TV for ad targeting. Vizio paid $2.2M to settle FTC charges.
- Social media algorithms — Engagement-maximizing feeds enabled by default rather than chronological. Instagram and TikTok only added chronological options after regulatory pressure.
Severity Assessment
High — Dark defaults affect virtually all users because fewer than 5% change settings. The scale of impact is massive — billions of users unknowingly sharing data, being tracked, or having their attention manipulated. Google's $391.5M Location History settlement and Vizio's FTC action demonstrate the legal liability.
Legal Status
🇪🇺 GDPR Data Protection by Default
Article 25 mandates "data protection by design and by default." Only data necessary for the stated purpose should be processed. Maximum privacy must be the default setting.
🇺🇸 FTC Enforcement
The FTC's actions against Vizio ($2.2M), Google ($391.5M), and Facebook demonstrate that dark defaults in data collection are subject to deceptive practices enforcement.
🇪🇺 DSA
The Digital Services Act requires platforms to offer non-algorithmic (chronological) content feeds and prohibits defaults that profile minors for advertising.
Remediation
- Privacy by default — All data sharing, tracking, and targeting should default to OFF.
- Progressive disclosure — During onboarding, present key settings and let users make informed choices.
- Settings audit — Periodically remind users of their current settings and offer easy changes.
- Minimum viable data — Only collect data essential for the core service, not for monetization.
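The first and third remediation items ("Privacy by default" and "Settings audit") can be enforced mechanically rather than left to reviewer goodwill. The following is an added example, not code from the original page or from any of the vendors it names: a small settings schema in which every data-collection setting carries its allowed levels ordered from least to most data shared, an audit that flags any shipped default that is not the most private level (the definition of a dark default), a rewrite that applies the GDPR Article 25 "by default" rule to the whole schema, and a review function that produces the material for a periodic settings reminder. All setting keys and values are constructed for illustration and do not correspond to any real product's configuration.

```python
"""Privacy-by-default schema with an automated dark-default audit.

Added example; hypothetical setting keys modelled on the cases in the text
(post visibility, telemetry level, location history, ACR tracking, feed
ranking). Not any vendor's real settings.
"""
from dataclasses import dataclass, replace
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class PrivacySetting:
    """One user-facing setting that affects data collection or sharing.

    `levels` is ordered from least data shared to most, so the
    privacy-preserving value is always levels[0]."""
    key: str
    description: str
    levels: Tuple[Any, ...]
    default: Any

    @property
    def most_private(self) -> Any:
        return self.levels[0]

    def exposure(self, value: Any) -> int:
        """0 = minimum data shared; higher index = more data shared."""
        if value not in self.levels:
            raise ValueError(f"{self.key}: {value!r} is not an allowed level")
        return self.levels.index(value)


# Constructed schema shipped with dark defaults: five of the six settings
# default to the most data-hungry level. "search_history" is already private.
DARK_DEFAULTS = (
    PrivacySetting("post_visibility", "Audience for new posts",
                   ("only_me", "friends", "public"), default="public"),
    PrivacySetting("telemetry", "Diagnostic data sent to the vendor",
                   ("required", "optional", "full"), default="full"),
    PrivacySetting("location_history", "Store device location over time",
                   (False, True), default=True),
    PrivacySetting("acr_tracking", "Recognise on-screen content for ad targeting",
                   (False, True), default=True),
    PrivacySetting("feed_ranking", "How the feed is ordered",
                   ("chronological", "engagement"), default="engagement"),
    PrivacySetting("search_history", "Keep a server-side search log",
                   (False, True), default=False),
)


def audit_defaults(schema) -> Dict[str, Tuple[Any, Any]]:
    """Map key -> (shipped_default, most_private) for every dark default.

    Run this in CI: a non-empty result means the build ships a default that
    collects or shares more than the minimum."""
    return {s.key: (s.default, s.most_private)
            for s in schema if s.exposure(s.default) > 0}


def privacy_by_default(schema):
    """Apply the Article 25 rule: every default becomes the most private level."""
    return tuple(replace(s, default=s.most_private) for s in schema)


def settings_review(schema, current: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Material for a periodic settings reminder.

    Lists each setting where the user's effective value (explicit choice, or
    the inherited default if they never touched it) shares more than the
    minimum, together with the tighter option to offer alongside it."""
    review = []
    for s in schema:
        value = current.get(s.key, s.default)
        if s.exposure(value) > 0:
            review.append({"key": s.key, "description": s.description,
                           "current": value, "tighter_option": s.most_private,
                           "inherited_default": s.key not in current})
    return review


if __name__ == "__main__":
    print("Dark defaults in shipped schema:")
    for key, (shipped, private) in audit_defaults(DARK_DEFAULTS).items():
        print(f"  {key}: ships as {shipped!r}, most private is {private!r}")

    hardened = privacy_by_default(DARK_DEFAULTS)
    print("Dark defaults after hardening:", audit_defaults(hardened))

    # A user who explicitly loosened two settings; everything else inherited.
    user_choices = {"post_visibility": "friends", "telemetry": "required"}
    for item in settings_review(hardened, user_choices):
        print(f"Review: {item['description']} is {item['current']!r}; "
              f"you can choose {item['tighter_option']!r}")
```

The ordering convention in `levels` is what makes the audit schema-driven: a new setting only has to declare its levels from least to most data shared and the CI check covers it without any per-setting rule. Note that `settings_review` treats an untouched default the same as an explicit choice for exposure purposes but records `inherited_default`, so the reminder can distinguish "you chose this" from "you never saw this".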