Skip to main content

Apps Keep Resetting Your Privacy Settings: California Just Passed a Law to Stop It (2026)

8 min readBy Viallo Team

Quick take: The California Assembly just unanimously passed AB 2561, a bill that bans apps and operating systems from resetting your privacy settings without your explicit consent. It also requires default settings to be the most privacy-protective option available. If you've ever opened an app and found that a toggle you turned off was magically turned back on, this law is aimed directly at that behavior.

Close-up of a phone screen showing a privacy settings toggle being switched off, warm natural light from a window reflecting on the glass surface, shot on Fujifilm X-T5 with 35mm f/1.4, clean sharp capture

What California's AB 2561 actually does

AB 2561 targets a specific pattern that's become disturbingly common: you go into an app's settings, disable data collection or tracking, and weeks later discover that the setting has been silently reverted. The bill defines a "privacy setting" as any user-configurable option governing data collection, use, sharing, disclosure, retention, or processing. That's broad enough to cover basically every toggle in your phone's privacy menu.

The bill does two things. First, it prohibits apps and operating systems from undoing a user's privacy settings without explicit consent. No more quiet resets buried in app updates. Second, it requires that default settings start at the most privacy-protective option available. If there's an option to share less data, that's where the slider has to begin.

The California Assembly passed it unanimously. That's notable because privacy bills rarely get zero opposition. The bill still needs to pass the state Senate and be signed by the governor, but unanimous Assembly support is a strong signal.

The apps that have been doing this for years

This bill didn't come from nowhere. A 2023 report from the International Computer Science Institute found that 44% of the 88,000 Android apps they studied transmitted personal data despite users opting out. The pattern is everywhere.

Instagram has repeatedly re-enabled activity status and data sharing toggles after app updates. Users who carefully turned off "Activity Status" have reported finding it switched back on. Instagram's own photo privacy settings are already complicated enough without the app undoing your choices behind your back.

Google Photos has a history of resetting location sharing and face recognition preferences during major updates. When Google rolled out new AI features in 2025, users reported that previously disabled facial recognition was re-enabled with an "improved experience" label. I've covered Google Photos' privacy settings in detail - the problem isn't that the settings don't exist, it's that they don't stay where you put them.

Facebook is probably the most documented offender. Meta has been caught reverting privacy settings at least three times during major platform updates since 2019. In 2024, the company paid $1.4 billion to settle a biometric data lawsuit in Texas - partly because it re-enabled facial recognition features that users had turned off.

Apple isn't immune either. iOS updates have occasionally reset location permissions and analytics sharing preferences. After the iOS 18 rollout, some users found that the "Share iPhone Analytics" toggle had been re-enabled.

A row of smartphones laid flat on a white desk surface, each showing different settings screens, overhead shot with soft diffused daylight, clean minimal composition

Why your photo privacy is especially at risk

Photo apps handle some of the most sensitive data on your phone. Location metadata, facial recognition tags, timestamps showing where you were and who you were with - it's all embedded in your images. When a photo app resets your privacy settings, it's not just flipping a generic toggle. It's potentially re-enabling location tracking, face scanning, or cloud syncing for your entire photo library.

Consider what happens when Google Photos re-enables facial recognition after an update. Suddenly your entire library is being scanned to identify faces, build relationship maps, and tag people - work you explicitly told the app not to do. A 2024 Pew Research Center survey found that 67% of Americans say they understand little to nothing about what companies do with their data. When settings reset silently, even the 33% who actively manage their privacy lose that control.

Can apps change your privacy settings without permission? Until AB 2561, the answer was effectively yes. There was no specific law preventing it. Platforms like Viallo, a private photo sharing platform that stores photos on European servers and never uses your images for AI training, take a different approach - your settings are your settings, period. But the major platforms have treated privacy preferences as suggestions rather than commitments.

The two requirements that matter

AB 2561's teeth come from two specific mandates:

1. No resetting without consent

If a user configures a privacy setting, the app or operating system cannot change it back without getting the user's explicit, informed consent. That means no burying a reset in a 40-page terms update. No defaulting to "we'll improve your experience" as a justification. The user has to specifically agree to each change.

2. Defaults must be the most protective option

This is the bigger deal. Right now, most apps ship with data collection turned on by default, and users have to actively find and disable it. AB 2561 flips that. The most privacy-protective option available must be the starting point. Want to collect location data from photos? That's opt-in, not opt-out.

Together, these two rules eliminate the most common tricks. You can't start with everything on and hope users don't notice. And you can't quietly reset things once users do find the toggle.

Other states are watching

California tends to set the template for state privacy law. The CCPA in 2018 triggered similar legislation in over a dozen states. AB 2561 could follow the same path. Illinois already has strong biometric privacy protections through BIPA. Texas and Washington have pending bills addressing dark patterns in privacy settings. Facebook's photo privacy settings have been the subject of enforcement actions in multiple states.

The Federal Trade Commission has also signaled interest. In 2024, the FTC brought cases against companies for using dark patterns to manipulate consent. AB 2561 gives the FTC a state-level blueprint to point to if it pursues federal action on the same issue.

A person sitting at a desk reviewing settings on their laptop, soft natural side lighting, shallow depth of field with warm tones, shot on Sony A7IV with 50mm f/1.8

What you can do right now (bill or no bill)

Laws take time to pass and even longer to enforce. Here's what actually protects your photo privacy today, regardless of whether AB 2561 becomes law:

  • Screenshot your settings. After every major app update, check your privacy settings. Take a screenshot of the settings page so you have a reference if things change.
  • Turn off automatic app updates for sensitive apps. Update manually so you can check settings before and after each update.
  • Use OS-level permissions as a backstop. Even if an app re-enables location tracking internally, your phone's OS-level location permission can block it. Set photo permissions to the minimum needed.
  • Prefer platforms that don't need invasive defaults. A photo sharing app that doesn't do facial recognition or AI training doesn't need those settings in the first place. Fewer toggles means fewer toggles to reset.
  • Audit quarterly. Set a calendar reminder every three months to walk through your privacy settings on Google Photos, Instagram, Facebook, and your phone's OS. It takes ten minutes and catches silent resets.

Frequently Asked Questions

What's the best way to stop apps from resetting my privacy settings?

Use OS-level permissions as your primary control, since apps can't override those without a new permission prompt. Viallo avoids the problem entirely by not collecting data that would require those toggles in the first place. On Google Photos and Instagram, you'll need to manually re-check settings after every update.

How do I check if an app changed my privacy settings after an update?

Screenshot your settings before updating, then compare after. On iOS, check Settings > Privacy & Security for each app. Viallo publishes its privacy configuration in your account settings with no hidden toggles. Facebook and Instagram bury privacy options across multiple menus, so check each section individually.

Is it safe to use photo apps that reset privacy settings?

It depends on how much manual oversight you're willing to do. If you check your settings regularly, you can catch resets. Viallo doesn't track, scan, or train on your photos, so there's nothing to reset. Google Photos offers strong features but requires vigilance because its AI settings have been re-enabled during past updates.

What's the difference between app-level and OS-level privacy settings?

OS-level settings (like location or photo library access) are controlled by your phone and can't be changed by an app without triggering a new permission prompt. App-level settings (like facial recognition or data sharing) live inside the app and can be reset during updates. Viallo respects both layers and defaults to minimal data access. Instagram and Facebook have historically reset app-level settings while OS-level permissions stayed intact.

Will California's AB 2561 affect apps I use if I'm not in California?

Probably yes. Most major apps apply privacy changes globally rather than building separate versions for California. The CCPA had the same effect - companies gave everyone the opt-out rights rather than geo-fencing them. Viallo already defaults to the most protective settings regardless of where you live. Google Photos and Meta platforms will likely adjust their default behavior nationwide if the bill becomes law.

See detailed comparisons

Viallo vs Google Photos

Related articles

What Happens to Your Photos When You Delete Your Account? (2026)

When you delete a Google, Apple, Facebook, or Instagram account, your photos don't vanish instantly. Here's exactly what each platform keeps, how long grace periods last, and how to download everything before it's gone.

Read more

Instagram Plus Privacy: What Paying Meta Actually Buys (2026)

Meta launched Instagram Plus, Facebook Plus, and WhatsApp Plus subscriptions globally. The paid plans add profile features and AI tools but do not change data collection, ad targeting, or AI training policies. Your photos are treated the same whether you pay or not.

Read more

Protect Photos from Hackers: 16 Billion Passwords Were Just Leaked (2026)

After the largest credential leak in history exposed 16 billion passwords for Google, Apple, and Facebook, here is how to check if your photo accounts are compromised and lock them down.

Read more