California’s Privacy Regulator Issues Enforcement Guidance on How To Avoid “Dark Patterns” in Obtaining Consumer Consent

by David L. Rice and Christopher W. Savage


Left to Right: David L. Rice and Christopher W. Savage (photos courtesy of Davis Wright Tremaine LLP)

On September 4, 2024, the California Privacy Protection Agency (“CPPA”) announced that it issued an Enforcement Advisory (“Advisory”) providing guidance on how to avoid using prohibited “Dark Patterns” to obtain consent from consumers. Businesses subject to the California Consumer Privacy Act (CCPA) routinely request consent from consumers related to their personal information, both in general and when handling consumer requests to exercise their statutory rights regarding that information. The CPPA’s advisory is a strong signal that the time for businesses to identify and remove Dark Patterns in these processes is now—before the CPPA commences enforcement—by reviewing user interfaces to ensure the language and interface design offering consumers privacy choices is clear and symmetrical.

What Is a Dark Pattern?

The CCPA defines a Dark Pattern as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice….”[1] The CPPA’s regulations, in nearly identical language, say that a user interface uses Dark Patterns if the interface has the effect of “substantially subverting or impairing user autonomy, decisionmaking, or choice.”[2] Under the CCPA, in many cases businesses’ ability to lawfully collect and process consumer information depends on obtaining consumers’ consent. The CPPA expressly provides, however, that agreements to process personal information that are obtained through Dark Patterns do not constitute consent.[3]

To avoid creating a Dark Pattern,[4] business processes for consent and exercise of consumer rights must: 

  • Be easy to understand.
  • Use “symmetry in choice,” which means that the path for a consumer to exercise a more privacy-protective option cannot be longer, more difficult, or more time-consuming than the path to exercise a less privacy-protective option.
  • Avoid language or interactive elements that are confusing to consumers.
  • Avoid “choice architecture” that impairs or interferes with a consumer’s ability to make a choice.
  • Be easy for the consumer to execute, without unnecessary burden or friction.[5]

A business’s intent when designing a consumer interface or process is not determinative.[6] According to the press release announcing the Advisory:

“Dark patterns aren’t about intent, they’re about effect,” said Michael Macko, Deputy Director of the CPPA’s Enforcement Division. “The law gives consumers the right to make their privacy choices without jumping through confusing hoops or solving puzzles. Businesses need to ask themselves the right questions about their user interfaces and make sure they aren’t part of the problem.”

Examples of Dark Patterns

The CCPA regulations already contain examples of Dark Patterns.[7] The Advisory reiterates some of those examples as a reminder to businesses: 

  • Dark Pattern Unequal Choice: A process for opting out of sale or sharing of consumer personal information that requires the consumer to take more steps than the process to opt in.
  • Symmetrical or Equal Choice: A website banner seeking consumer consent to use personal information gives the consumer a single step choice for available processing options such as “accept all” or “decline all.”
  • Dark Pattern Unequal Choice: The opt-in choice presented to customers for the sale of their personal information consists of only “yes” and “ask me later.”
  • Symmetrical or Equal Choice: The opt-in choice presented to customers for the sale of their personal information consists of “yes” and “no.”

The Advisory also contains images of three personal information consent processes that are commonly used across the internet, such as:

  • A content preferences box with multiple toggles for various data collection purposes, including the use of cookies for marketing and opting out of the sale of personal information.
  • A single “ok” button to acknowledge that a site uses cookies for a range of purposes.
  • A cookie banner that says a website will collect and use cookies and gather other “information” and “data” from a user’s device and browser, where the user only has the options of “enhance my experience” and “other choices.”

It is easy to read between the lines to see which of these is—in the CPPA’s view—a Dark Pattern, although the Enforcement Advisory does not expressly say. Instead, it recommends that businesses ask themselves these questions:

  • Is the language easy to read and understand?
  • Is the language straightforward and does it avoid technical and legal jargon?
  • Is the consumer’s path to saying “no” longer than the path to saying “yes?”
  • Does the interface make it more difficult to say “no” than “yes?”
  • Is it more time consuming for a consumer to make a more privacy-protective choice?

Determining whether a process uses a Dark Pattern will require a business (or the CPPA) to conduct a fact-specific analysis, involving consideration not just of the literal words a business uses but also issues such as the size and color of fonts, the placement of information on a web page, and the specific steps—clicking links or checking boxes—that consumers need to take to opt into or out of permitting the collection and processing of their data. In the Advisory, the CPPA evidently wanted to remind businesses of some bright-line examples to avoid and to recommend a framework businesses can use in evaluating their own processes for obtaining consumer consent.

The Advisory contains a disclaimer saying that, like all CPPA advisories, it does not make law or provide a safe harbor. Enforcement is on a case-by-case basis, and the Advisory’s examples are only hypotheticals that can guide a business’s evaluation of its own processes. Nevertheless, the Advisory provides strong insight into the CPPA’s assessment of what would constitute a Dark Pattern.

It’s Not Just California

As noted above, California law expressly bans the use of Dark Patterns as a valid means of obtaining consumer consent. But it’s not just California. Other states, including Colorado and Connecticut, also expressly call out Dark Patterns as problematic in their privacy statutes. In addition, the Federal Trade Commission has signaled that it intends to make elimination of Dark Patterns an enforcement priority under its general authority to prevent “unfair” or “deceptive” trade practices. So, all businesses with an online presence that collect information from consumers should carefully review their user interfaces in light of the enforcement risks posed by these new and evolving state and federal-level concerns.

Footnotes

[1] Cal. Civ. Code. § 1798.140(l). 

[2] 11 CCR § 7004 (c).

[3] Cal. Civ. Code. § 1798.140(h). 

[4] 11 CCR § 7004 (b).

[5] 11 CCR § 7004 (a).

[6] 11 CCR § 7004 (c).

[7] 11 CCR § 7004.

David L. Rice and Christopher W. Savage are Partners at Davis Wright Tremaine LLP. This post first appeared on the firm’s blog. 

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).