11 September 2024

Out Of The Shadows: The CPPA's Guide To Avoiding Dark Patterns

Frankfurt Kurnit Klein & Selz

Contributor


On September 4, 2024, the California Privacy Protection Agency's Enforcement Division released its second Enforcement Advisory on Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice (the "Enforcement Advisory"). This Enforcement Advisory follows April's Applying Data Minimization to Consumer Requests. As with the FTC's business guidance blog, businesses should carefully review the regulatory guidance to better understand CPPA enforcement priorities.

What does the Enforcement Advisory say?

The Enforcement Advisory reminds businesses that "agreement obtained through use of dark patterns does not constitute consent." The regulations require businesses to design and implement methods for obtaining consumer consent and for submitting CCPA requests that incorporate the following principles:

  • Easy to understand.
  • Symmetry in choice.
  • Avoid language or interactive elements that are confusing to the consumer.
  • Avoid choice architecture that impairs or interferes with the consumer's ability to make a choice.
  • Easy to execute.

Any method of obtaining consumer consent or enabling consumers to submit CCPA requests that does not adhere to these five principles may be considered a dark pattern in violation of the CCPA.

The Advisory reiterates the illustrative examples from the CCPA regulations and provides three visual samples of dark patterns. It concludes with five questions for a business to assess user interface compliance, including:

  • Is the language used to communicate with consumers easy to read and understandable?
  • Is the language used straightforward and does it avoid technical or legal jargon?
  • Is the consumer's path to saying "no" longer than the path to saying "yes"?
  • Does the user interface make it more difficult to say "no" rather than "yes" to the requested use of personal information?
  • Is it more time-consuming for the consumer to make the more privacy-protective choice?

Takeaways

Start with the samples and questions. Businesses must inspect their methods for obtaining consumer consent and enabling CCPA request submissions to ensure compliance with statutory or regulatory requirements or guidance. The three samples and five questions in the Enforcement Advisory offer starting points for a business to analyze its processes and likely reflect what the CCPA Enforcement Division uses to assess user interface compliance and dark patterns.

Cookie banners. While the CCPA does not expressly require a cookie banner, each dark pattern sample in this Enforcement Advisory shows a banner. Businesses should start with their banners and disclosures for internal dark pattern analysis. The CCPA requires businesses to provide users with notice at collection and an opt-out link, and most implement these requirements through a banner pop-up.

Consent management platforms. A business using a service provider, like a CMP, to manage cookie consent pop-ups is responsible for checking for dark patterns. In this Enforcement Advisory and our experience, regulators require a business to monitor all aspects of service provider compliance, including language around cookie usage.

Enforcement clues. The CPPA, unlike the California Attorney General, has not publicly enforced against any business but asserts it is engaged in "double digit" investigations. It would not be surprising to see its first action include allegations of violations in areas raised by one or both advisories released to date.

Scope of CCPA dark patterns. Dark patterns have been in the regulatory spotlight for at least a decade, dating back to the FTC's 2014 report. However, the CPPA's remit is narrower and concerns only consent and CCPA requests, while the FTC focuses on manipulative design beyond privacy, such as in the context of subscriptions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
