the data collected by telecommunications companies about a consumer's telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and certain other information that appears on the consumer's telephone bill
It's not one-click, or at least it wasn't for me. I clicked the link in the sentence "If you prefer to opt out of letting Fi use and share your CPNI with Alphabet and Google services, you can do so by replying here", and it took me to the Google Fi homepage. I had to then click on Settings, "Privacy & Security", and finally on "Allow CPNI Sharing". Four clicks total.
4 is still far less effort than having to call Amazon to cancel your account (among the many providers that make opt out / cancel incredibly difficult)
I clicked it from my Fi device too - and it automatically opened the Fi app, which doesn't have this setting.
It took a lot more than 4 clicks to figure out I needed to switch chrome to desktop mode AND needed to open the link in a new tab to make it stop opening the app.
Side rant - Wasn't HTML5 supposed to do away with the need for dedicated apps? Interaction with any corp is now split between web, app, and phone, all with different capabilities.
Huh, I did it yesterday and I clicked the 'here' link in the email and it took me to a page that said I was now opted out. I didn't have to do anything additional.
I have a dedicated Google account for Fi, and it took me about 10 minutes to get past the identity verification challenge it threw at me when I tried to log in (for the first time in months) to opt out. I'm opted out now but it was a lot more than one click.
I use a dedicated account for Fi because when Fi first came out I signed up with my main account they removed my access to Google Voice which I use heavily. They have since allowed both Fi and Voice on the same account but I am not bothering with switching my Fi account to my main at this point.
Only if you're already signed in to your Google account in your browser. They are initiating communication in one channel and not accepting a response in that same channel.
The submitted support article doesn't really provide any details about the change. This is the email they sent users today:
--
Notice about your CPNI settings
Google Fi Wireless takes your privacy seriously. The updated Google Fi Privacy Notice provides information about how we collect and use personal information. This includes your Customer Proprietary Network Information (CPNI).
CPNI includes the destination, technical configuration, and location of your calls and information about the type and amount of services that you purchase and use. Your CPNI does not include your name, address, or phone number.
Google Fi uses your CPNI to:
• Provide your Fi service and related features
• Provide Internet access and voicemail
• Provide protection from fraudulent, abusive, or unlawful use
• Bill you for your Fi service
• Provide customer support and troubleshooting when you need it
From time to time, Fi may wish to provide you with additional information about products, services, and offers from our Alphabet affiliates, including Google LLC, that aren’t among the category of services you’re already purchasing from us, such as offers from Google Store on new Pixel devices. Starting today, we will opt you into the sharing with and use of your CPNI by Alphabet affiliates to receive this information. Your opt in will go into effect 30 days from the date you receive this email.
You’re not required to stay opted in. It’s your right and our duty under federal law to protect the confidentiality of your CPNI. If you prefer to opt out of letting Fi use and share your CPNI with Alphabet and Google services, you can do so by replying here or via Fi’s privacy and security settings at any time (instructions here). Opting out of CPNI sharing won’t affect your account or your ability to use any of Google Fi Wireless’ services. If you do not choose to opt-out within 30 days of receiving this notice, Fi will assume your approval to share your CPNI with other Google services and our affiliates.
We have also updated our Fi Terms of Service. These changes will go into effect on 9/28/23. You can review the updated Terms of Service in full here.
> Starting today, we will opt you into the sharing with and use of your CPNI by Alphabet affiliates to receive this information. Your opt in will go into effect 30 days from the date you receive this email.
What a weird, disingenuous use of the term "opt in".
well, i guess this email constitutes "affirmative, express consent" unless user clicks on opt-out. at least this is conclusion of google legal department.
It's not as there's no guarantee the subscriber ever actually received the email much less made it past their spam filter or that they opened it and read it.
there is no guarantee to make sure that subscriber actually delivered notification outside of personal delivery with ID verification.
i guess google legal decided that this is about "reasonable" effort and given that this email sent from google it's above reasonable that it's past spam filter and sufficiently reasonable effort in general.
Affirmative means the user has to take an action to consent. Not doing something for 30 days isn't an affirmative action - it's known as "implicit consent" which is the opposite of "affirmative consent"[1]
Express means they have to specifically consent and can't be implied to consent or consent passively somehow.[2]
This is neither affirmative nor express consent. Also notice that literally nothing that Google (or any company) can do gives affirmative, express consent from the user. The user themselves has to do something for Google to obtain that consent - that's literally the whole point of the wording of "affirmative, express".
I'd be very surprised if google's legal thinks this is actually consent or ok. I think most likely they said it probably wouldn't stand up to challenge and the McKinsey types who run google decided they probably wouldn't be challenged and it was worth the risk.
>I'd be very surprised if google's legal thinks this is actually consent or ok. I think most likely they said it probably wouldn't stand up to challenge and the McKinsey types who run google decided they probably wouldn't be challenged and it was worth the risk.
many of (ex)googler posts mention that legal needs to sign off on everything and looped into everything and they find it frustrating and slowing things down
change of such proportions can't be executed without involvement of multiple legal departments that both approved this decision and scrutinized every letter of this letter.
edit: from cpni itself " Use of opt-out and opt-in approval processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, use its customer's individually identifiable CPNI for the purpose of marketing communications-related services to that customer. A telecommunications carrier may, subject to opt-out approval or opt-in approval, disclose its customer's individually identifiable CPNI, for the purpose of marketing communications-related services to that customer, to its agents and its affiliates that provide communications-related services. A telecommunications carrier may also permit such persons or entities to obtain access to such CPNI for such purposes."
or in general 64.2007 and 64.2008 describe that it's ok
Can we talk about the dark-pattern in that email body?
- Mention that this doesn't include name/address/phone number, while glossing over that this allows near-GPS level tracking (the "address" part is particularly offensive).
- Talks about what "Google Fi" uses CPNI for, including a bullet list, which is completely irrelevant and not why they're sending this email. It is literally so that you'll skim it, and not read the next paragraph.
- Imply that this is authorizing "Googling LLC" (and other Alphabet companies). But what this is actually doing is authorizing Alphabet's affiliates meaning up to every company in the world.
- They updated the ToS but didn't mention what changed.
Title 47 - Telecommunication. CHAPTER I - FEDERAL COMMUNICATIONS COMMISSION (CONTINUED). SUBCHAPTER B - COMMON CARRIER SERVICES (CONTINUED). PART 64 - MISCELLANEOUS RULES RELATING TO COMMON CARRIERS.
§ 64.2003 Definitions
(k) Opt-in approval. The term “opt-in approval” refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. This approval method requires that the carrier obtain from the customer affirmative, express consent allowing the requested CPNI usage, disclosure, or access after the customer is provided appropriate notification of the carrier's request consistent with the requirements set forth in this subpart.
(l) Opt-out approval. The term “opt-out approval” refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. Under this approval method, a customer is deemed to have consented to the use, disclosure, or access to the customer's CPNI if the customer has failed to object thereto within the waiting period described in § 64.2008(d)(1) after the customer is provided appropriate notification of the carrier's request for consent consistent with the rules in this subpart.
§ 64.2007 Approval required for use of customer proprietary network information.
(b) Use of opt-out and opt-in approval processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, use its customer's individually identifiable CPNI for the purpose of marketing communications-related services to that customer. [...] a telecommunications carrier may only use, disclose, or permit access to its customer's individually identifiable CPNI subject to opt-in approval.
No it is not. They clearly provide precise steps to grant or deny access.
(3) The notification must advise the customer of the precise steps the customer must take in order to grant or deny access to CPNI, and must clearly state that a denial of approval will not affect the provision of any services to which the customer subscribes. However, carriers may provide a brief statement, in clear and neutral language, describing consequences directly resulting from the lack of access to CPNI.
You just quoted a random, unrelated part of the regulation. Nobody is claiming that the notice is inadequate because it lacks a description of precise steps. The notice is inadequate because it alleges that Google will use opt-out approval for purposes that are only allowed with explicit opt-in approval.
> Opt-in approval. The term “opt-in approval” refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. This approval method requires that the carrier obtain from the customer affirmative, express consent allowing the requested CPNI usage, disclosure, or access after the customer is provided appropriate notification of the carrier's request consistent with the requirements set forth in this subpart.
IANAL, but doesn't the "disclosure, or access after the customer is provided appropriate notification" make this entire "opt-in" definition completely legal?
I mean, it was easy for me to opt-out, but I really hate the fact that I had to do so in the first place.
No "affirmative, express consent allowing the requested CPNI usage, disclosure, or access" was obtained by the carrier after "the customer is provided appropriate notification of the carrier's request consistent with the requirements set forth in this subpart", so opt-in approval is not present. I don't see a way to parse this that equates notification to express consent.
You use more than one services from Google. You have to have a Google account before you sign up with Fi. Google is allowed to use opt-out.
§ 64.2005 Use of customer proprietary network information without customer approval.
(1) If a telecommunications carrier provides different categories of service, and a customer subscribes to more than one category of service offered by the carrier, the carrier is permitted to share CPNI among the carrier's affiliated entities that provide a service offering to the customer.
(1) I use a dedicated Google account for Fi, which does not subscribe to other services.
(2) Notwithstanding (1), this is not what the regulation contemplates a "category of service" to be. It is contemplating categories of telephony services, as indicated by "(i.e., local, interexchange, and CMRS)"
Considering that Fi is on my "Killed by Google" watch list for about two years now especially after the Sprint/T-Mobile merger (Google sees the writing on the wall) and T-Mobile likely buying Mint Mobile (continuing the death spiral of MVNOs in the process). Maybe this is the excuse they needed to shut Fi down entirely who knows.
> If you do not choose to opt-out within 30 days of receiving this notice, Fi will assume your approval to share your CPNI with other Google services and our affiliates.
Seems like this violates a few of the notice requirements most clearly:
(ii) Carriers must allow customers to reply directly to emails containing CPNI notices in order to opt-out;
As it came from a no reply address.
They have "If you prefer to opt out of letting Fi use and share your CPNI with Alphabet and Google services, you can do so by replying here" text in the email with "here" being a hyperlink that takes me to my main google fi profile page but doesn't even turn off the opt-in.
Looking forward to absolutely nothing happening! Is there even a private right of action?
Interesting - yeah does work for me now but last night just redirected to the home page and was still enabled when I checked privacy settings.
I'd argue a hyperlink 4 paragraphs deep in the middle of a sentence doesn't meet the standard of "reply directly" but I'm sure Google's lawyers feel different.
Surprising how the e-mail message differs from the setting language:
Allow CPNI sharing (toggle on/off)
Let Google Fi Wireless use and share your Customer Proprietary Network Information with Alphabet affiliates, including Google LLC, to offer you additional products, personalized offers, and services.
E-mail reads like CPNI is essential for service:
Google Fi uses your CPNI to:
Provide your Fi service and related features
Provide Internet access and voicemail
Provide protection from fraudulent, abusive, or unlawful use
Bill you for your Fi service
Provide customer support and troubleshooting when you need it
I don't understand why everyone is saying this is illegal unless they are just not reading past §64.2003(k) as (l) provides for a the opt-out method, and §64.2007(b) is clear the providers can use either:
>§64.2003(l) Opt-out approval. The term “opt-out approval” refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. Under this approval method, a customer is deemed to have consented to the use, disclosure, or access to the customer's CPNI if the customer has failed to object thereto within the waiting period described in § 64.2008(d)(1) after the customer is provided appropriate notification of the carrier's request for consent consistent with the rules in this subpart.
>§64.2007(b)(b) Use of opt-out and opt-in approval processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, use its customer's individually identifiable CPNI for the purpose of marketing communications-related services to that customer. A telecommunications carrier may, subject to opt-out approval or opt-in approval, disclose its customer's individually identifiable CPNI, for the purpose of marketing communications-related services to that customer, to its agents and its affiliates that provide communications-related services.
Don't get me wrong, I think this is pretty shitty, and I already opted out, but everyone in this thread saying it's illegal needs to brush up on how to read the law.
Carriers can only use opt-out consent for a limited subset of the actions that they can use opt-in consent for. The actions that they say they plan to take do not fall under this subset. See § 64.2005.
§ 64.2007 (b): Except for use and disclosure of CPNI that is permitted without customer approval under § 64.2005, or that is described in this paragraph, or as otherwise provided in section 222 of the Communications Act of 1934, as amended, a telecommunications carrier may only use, disclose, or permit access to its customer's individually identifiable CPNI subject to opt-in approval.
§ 64.2005 (a): Any telecommunications carrier may use, disclose, or permit access to CPNI for the purpose of providing or marketing service offerings among the categories of service (i.e., local, interexchange, and CMRS) to which the customer already subscribes from the same carrier, without customer approval.
Today's email: Fi may wish to provide you with additional information about products, services, and offers from our Alphabet affiliates, including Google LLC, that aren’t among the category of services you’re already purchasing from us
Google plans to advertise outside of the user's existing service category. § 64.2005 says that with opt-out consent, they can only do this within the existing service category. Since it doesn't fall under a § 64.2005 exemption, § 64.2007 (b) says that this requires opt-in approval.
You need to read further to § 64.2005(2) which covers other categories of services:
>(2) If a telecommunications carrier provides different categories of service, but a customer does not subscribe to more than one offering by the carrier, the carrier is not permitted to share CPNI with its affiliates, except as provided in § 64.2007(b).
And 64.2007(b) as we've already covered says that carriers can use opt-in or opt-out
Anyone with legal knowledge in this area care to chime in and break the impass?
Interesting argument. This relies on the circular backreference to § 64.2007(b) from § 64.2005(a)(2), and wouldn't seem to apply for the § 64.2005(a)(1) case. Google's messaging uses "opt in", which seems to be at odds with an intent to rely on an opt-out characterization.
I'd also welcome review from a lawyer with experience here.
Google customer communication could say 'unless you take action you will be shanghaied'.
Then it's easier to understand if their approach is allowed by the law -- seems yes.
Their consumer-facing terminology isn't what the law required. The law required one of two approaches, and they implemented the 'they default you in' one.
69 comments
[ 628 ms ] story [ 189 ms ] threadhttps://en.wikipedia.org/wiki/Customer_proprietary_network_i...
Still enjoying my sub $30 bills and bloatware free device
4 is still far less effort than having to call Amazon to cancel your account (among the many providers that make opt out / cancel incredibly difficult)
It took a lot more than 4 clicks to figure out I needed to switch chrome to desktop mode AND needed to open the link in a new tab to make it stop opening the app.
Side rant - Wasn't HTML5 supposed to do away with the need for dedicated apps? Interaction with any corp is now split between web, app, and phone, all with different capabilities.
Or perhaps there's an A-B testing going on to see how they might be able to tire people out by making the "one-click" opt out harder.
--
Notice about your CPNI settings
Google Fi Wireless takes your privacy seriously. The updated Google Fi Privacy Notice provides information about how we collect and use personal information. This includes your Customer Proprietary Network Information (CPNI).
CPNI includes the destination, technical configuration, and location of your calls and information about the type and amount of services that you purchase and use. Your CPNI does not include your name, address, or phone number.
Google Fi uses your CPNI to:
• Provide your Fi service and related features
• Provide Internet access and voicemail
• Provide protection from fraudulent, abusive, or unlawful use
• Bill you for your Fi service
• Provide customer support and troubleshooting when you need it
From time to time, Fi may wish to provide you with additional information about products, services, and offers from our Alphabet affiliates, including Google LLC, that aren’t among the category of services you’re already purchasing from us, such as offers from Google Store on new Pixel devices. Starting today, we will opt you into the sharing with and use of your CPNI by Alphabet affiliates to receive this information. Your opt in will go into effect 30 days from the date you receive this email.
You’re not required to stay opted in. It’s your right and our duty under federal law to protect the confidentiality of your CPNI. If you prefer to opt out of letting Fi use and share your CPNI with Alphabet and Google services, you can do so by replying here or via Fi’s privacy and security settings at any time (instructions here). Opting out of CPNI sharing won’t affect your account or your ability to use any of Google Fi Wireless’ services. If you do not choose to opt-out within 30 days of receiving this notice, Fi will assume your approval to share your CPNI with other Google services and our affiliates.
We have also updated our Fi Terms of Service. These changes will go into effect on 9/28/23. You can review the updated Terms of Service in full here.
Thanks,
Google Fi Wireless team
What a weird, disingenuous use of the term "opt in".
I can't see any way this is "opt-in".
i guess google legal decided that this is about "reasonable" effort and given that this email sent from google it's above reasonable that it's past spam filter and sufficiently reasonable effort in general.
No. That would be (by definition) negative, implicit consent.
Federal law specifically demands "affirmative, express" consent.
Express means they have to specifically consent and can't be implied to consent or consent passively somehow.[2]
This is neither affirmative nor express consent. Also notice that literally nothing that Google (or any company) can do gives affirmative, express consent from the user. The user themselves has to do something for Google to obtain that consent - that's literally the whole point of the wording of "affirmative, express".
I'd be very surprised if google's legal thinks this is actually consent or ok. I think most likely they said it probably wouldn't stand up to challenge and the McKinsey types who run google decided they probably wouldn't be challenged and it was worth the risk.
[1] https://iapp.org/resources/article/consent-2/
[2] https://www.wilsonlaw.com/blog/difference-between-express-an...
many of (ex)googler posts mention that legal needs to sign off on everything and looped into everything and they find it frustrating and slowing things down
change of such proportions can't be executed without involvement of multiple legal departments that both approved this decision and scrutinized every letter of this letter.
edit: from cpni itself " Use of opt-out and opt-in approval processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, use its customer's individually identifiable CPNI for the purpose of marketing communications-related services to that customer. A telecommunications carrier may, subject to opt-out approval or opt-in approval, disclose its customer's individually identifiable CPNI, for the purpose of marketing communications-related services to that customer, to its agents and its affiliates that provide communications-related services. A telecommunications carrier may also permit such persons or entities to obtain access to such CPNI for such purposes."
or in general 64.2007 and 64.2008 describe that it's ok
- Mention that this doesn't include name/address/phone number, while glossing over that this allows near-GPS level tracking (the "address" part is particularly offensive).
- Talks about what "Google Fi" uses CPNI for, including a bullet list, which is completely irrelevant and not why they're sending this email. It is literally so that you'll skim it, and not read the next paragraph.
- Imply that this is authorizing "Googling LLC" (and other Alphabet companies). But what this is actually doing is authorizing Alphabet's affiliates meaning up to every company in the world.
- They updated the ToS but didn't mention what changed.
No, if you automatically enroll me into sharing my data with 3rd-parties, that is NOT opt-in. That's completely disingenuous.
This should really be illegal.
https://www.govinfo.gov/content/pkg/CFR-2018-title47-vol3/xm...
Title 47 - Telecommunication. CHAPTER I - FEDERAL COMMUNICATIONS COMMISSION (CONTINUED). SUBCHAPTER B - COMMON CARRIER SERVICES (CONTINUED). PART 64 - MISCELLANEOUS RULES RELATING TO COMMON CARRIERS.
§ 64.2003 Definitions
(k) Opt-in approval. The term “opt-in approval” refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. This approval method requires that the carrier obtain from the customer affirmative, express consent allowing the requested CPNI usage, disclosure, or access after the customer is provided appropriate notification of the carrier's request consistent with the requirements set forth in this subpart.
(l) Opt-out approval. The term “opt-out approval” refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. Under this approval method, a customer is deemed to have consented to the use, disclosure, or access to the customer's CPNI if the customer has failed to object thereto within the waiting period described in § 64.2008(d)(1) after the customer is provided appropriate notification of the carrier's request for consent consistent with the rules in this subpart.
§ 64.2007 Approval required for use of customer proprietary network information.
(b) Use of opt-out and opt-in approval processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, use its customer's individually identifiable CPNI for the purpose of marketing communications-related services to that customer. [...] a telecommunications carrier may only use, disclose, or permit access to its customer's individually identifiable CPNI subject to opt-in approval.
(3) The notification must advise the customer of the precise steps the customer must take in order to grant or deny access to CPNI, and must clearly state that a denial of approval will not affect the provision of any services to which the customer subscribes. However, carriers may provide a brief statement, in clear and neutral language, describing consequences directly resulting from the lack of access to CPNI.
IANAL, but doesn't the "disclosure, or access after the customer is provided appropriate notification" make this entire "opt-in" definition completely legal?
I mean, it was easy for me to opt-out, but I really hate the fact that I had to do so in the first place.
§ 64.2005 Use of customer proprietary network information without customer approval.
(1) If a telecommunications carrier provides different categories of service, and a customer subscribes to more than one category of service offered by the carrier, the carrier is permitted to share CPNI among the carrier's affiliated entities that provide a service offering to the customer.
(2) Notwithstanding (1), this is not what the regulation contemplates a "category of service" to be. It is contemplating categories of telephony services, as indicated by "(i.e., local, interexchange, and CMRS)"
I assume this is legally questionable?
The complaints link: https://consumercomplaints.fcc.gov/hc/en-us
(ii) Carriers must allow customers to reply directly to emails containing CPNI notices in order to opt-out;
As it came from a no reply address.
They have "If you prefer to opt out of letting Fi use and share your CPNI with Alphabet and Google services, you can do so by replying here" text in the email with "here" being a hyperlink that takes me to my main google fi profile page but doesn't even turn off the opt-in.
Looking forward to absolutely nothing happening! Is there even a private right of action?
I was using Chrome on a Chromebook I was logged into with the account I use for Fi, and the Fi app was installed, though.
I'd argue a hyperlink 4 paragraphs deep in the middle of a sentence doesn't meet the standard of "reply directly" but I'm sure Google's lawyers feel different.
Surprising how the e-mail message differs from the setting language:
Allow CPNI sharing (toggle on/off)
Let Google Fi Wireless use and share your Customer Proprietary Network Information with Alphabet affiliates, including Google LLC, to offer you additional products, personalized offers, and services.
E-mail reads like CPNI is essential for service:
Google Fi uses your CPNI to:
Provide your Fi service and related features Provide Internet access and voicemail Provide protection from fraudulent, abusive, or unlawful use Bill you for your Fi service Provide customer support and troubleshooting when you need it
I’m assuming “no” but appreciate some consensus here.
>§64.2003(l) Opt-out approval. The term “opt-out approval” refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. Under this approval method, a customer is deemed to have consented to the use, disclosure, or access to the customer's CPNI if the customer has failed to object thereto within the waiting period described in § 64.2008(d)(1) after the customer is provided appropriate notification of the carrier's request for consent consistent with the rules in this subpart.
>§64.2007(b)(b) Use of opt-out and opt-in approval processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, use its customer's individually identifiable CPNI for the purpose of marketing communications-related services to that customer. A telecommunications carrier may, subject to opt-out approval or opt-in approval, disclose its customer's individually identifiable CPNI, for the purpose of marketing communications-related services to that customer, to its agents and its affiliates that provide communications-related services.
Don't get me wrong, I think this is pretty shitty, and I already opted out, but everyone in this thread saying it's illegal needs to brush up on how to read the law.
https://www.govinfo.gov/content/pkg/CFR-2018-title47-vol3/xm...
§ 64.2005 (a): Any telecommunications carrier may use, disclose, or permit access to CPNI for the purpose of providing or marketing service offerings among the categories of service (i.e., local, interexchange, and CMRS) to which the customer already subscribes from the same carrier, without customer approval.
Today's email: Fi may wish to provide you with additional information about products, services, and offers from our Alphabet affiliates, including Google LLC, that aren’t among the category of services you’re already purchasing from us
Google plans to advertise outside of the user's existing service category. § 64.2005 says that with opt-out consent, they can only do this within the existing service category. Since it doesn't fall under a § 64.2005 exemption, § 64.2007 (b) says that this requires opt-in approval.
>(2) If a telecommunications carrier provides different categories of service, but a customer does not subscribe to more than one offering by the carrier, the carrier is not permitted to share CPNI with its affiliates, except as provided in § 64.2007(b).
And 64.2007(b) as we've already covered says that carriers can use opt-in or opt-out
Anyone with legal knowledge in this area care to chime in and break the impass?
I'd also welcome review from a lawyer with experience here.
Then it's easier to understand if their approach is allowed by the law -- seems yes.
Their consumer-facing terminology isn't what the law required. The law required one of two approaches, and they implemented the 'they default you in' one.