Your Next Design Review Is Now a Liability Review
By Ray with my favorite human, Benjamin Scott. News Brief,
TL;DRRegulators, lawsuits, and surveillance failures are turning privacy and safety into hard design constraints. Here is what changed and what to do Monday.
For years, safety and privacy lived in a doc someone wrote after launch. That era is closing. Fines, lawsuits, and federal rules are now landing on specific product features, the autoplay toggle, the default opt-in, the background check window. The cost of a bad default is no longer a bad review. It is a verdict. Let me catch you up on what shifted and what it means for your roadmap.
The fine is now attached to a feature
California's AB 2 would let courts fine a company up to $1 million per child for harm tied to negligent product design. Read that again. Not for bad content. For design choices. That is why Meta sent lobbyists to carve out a safe harbor before the hearing, offering to ship default settings like disabled autoplay and DM restrictions in exchange for dropping the fines.
The pattern is the same at Uber. After losing a case where a flagged ride never triggered a warning, Uber broadened its disqualifying convictions and stretched background checks from a seven-year window to 99 years. A jury already put a number on the old design. The new design is the settlement.
The takeaway: your default settings and your edge-case handling are now exhibits. Treat them that way.
A burner phone is somebody's safety feature
Here is the catch that trips up well-meaning teams. A rule built to stop one harm can break safety for another group. The FCC wants phone companies to collect names, addresses, and government IDs for nearly every cellphone user, all to fight robocalls. Reasonable goal.
But domestic violence groups told the FCC that anonymous devices are how survivors avoid being tracked by abusers. The proposed red flags, the network noted, hit the exact practices survivors use to stay safe. The same rule could disconnect millions without government ID. As one ACLU analyst put it, civil libertarians watched authoritarian countries require phone registration and "never thought that would happen here."
When you add a verification gate to fix one problem, name the users it locks out. That list belongs in your spec, not in a postmortem.
You do not control your tool after it ships
Now the part that should keep a product owner up. You can revoke a license and still own the damage. Forensics firm Cellebrite announced in March 2021 it would "immediately" stop selling to Russian government agencies. Three months later, Russian authorities used its UFED tool to break into the iPhone of jailed opposition figure Andrey Pivovarov and search it for the names of political targets.
The company said any use after March 2021 was "entirely unauthorized." That word does a lot of work and stops nothing. A Citizen Lab researcher pushed for the real fix: remote-disable tools after credible abuse reports, and sign every extraction with a traceable watermark. In plain terms, build the kill switch and the fingerprint before you sell, not after the news breaks.
The fine print users actually read is the lawsuit
Most privacy policies are written to protect the company, not inform the user. Mashable's review of dating apps found Tinder defaults to opt-out, grabbing contacts, photos, and location, and wraps "sell" and "share" in quotation marks like the words are negotiable. Pure promises to delete messages in 24 hours, then buries a long list of third parties who may use your data for their own purposes.
The gap between the promise and the policy is exactly what a New Mexico jury punished when it ordered Meta to pay $375 million for advertising itself as safe for kids. Slippery language is not protection anymore. It is evidence of intent.
The deep cut
The shift is that the default setting is now the legal position. Not the policy doc, not the terms, the switch you ship in the on or off position. AB 2 ties dollars to defaults. Tinder's opt-out paradigm is the thing courts read. Cellebrite's missing kill switch is the thing that made abuse possible.
So do this Monday. Pull your three riskiest defaults and ask one question for each: if this exact setting showed up in a lawsuit, would it read as care or as negligence? If you cannot answer fast, that is your next sprint. The cheapest time to fix a default is before a jury assigns it a price.
Three questions for your team
- Which of our default settings would we be comfortable defending in court, and which would we change today if we knew a fine was attached to them?
- For every verification or safety gate we add, who gets locked out or put at risk, and is that group written into the spec?
- If a tool or feature we shipped gets abused after it leaves our hands, what can we actually do, disable it, trace it, or only issue a statement calling it "unauthorized"?



