This article is more than 1 year old

California outlaws wording, webpage buttons designed to hoodwink people into handing over their personal data

Sorry not sorry, Facebook

California’s Attorney General has updated the state's data privacy regulations to outlaw shady semantics designed to confuse folks into handing over their data.

In an update to August's California Consumer Privacy Act (CCPA), the rules have now changed again. The modifications deal with so-called dark patterns, where tech companies use misleading language and site designs to push people into choosing options that share more personal data.

Most of the changes revolve around the questions that consumers are given to opt-out of data gathering. Even though some privacy advocates want data gathering turned off by default, the compromise reached by legislators is that people are given the option to turn it off.

But companies whose business models are based on gathering and selling data can make even that choice difficult, putting numerous barriers in the way. The updated regulations make it plain those approaches are not acceptable.

“A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out,” say the revised regs. “A business shall not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.”

It gives several examples:

  • Requiring consumers to go through multiple steps to opt-out. The updated regulations say simply that that process can have no more steps than the opt-in process. And it even defines when the first click starts, in order to close another potential loophole.
  • Misleading language including double-negatives. It gives the example “Don’t Not Sell My Personal Information.”
  • Forcing consumers to click through or listen to reasons when they shouldn’t opt-out. This is a common tactic where companies give a series of reasonable sounding reasons for why they should stick with the current settings.
  • Requiring consumers to give additional personal information before they can opt-out of their information being stored, which can dissuade people concerned about their privacy from continuing forward.
  • Forcing users to scroll through a page of text after they click the “Do Not Sell My Personal Information” link before finally being able to select a data opt-out.

Of course, the master of dark patterns is Facebook, which bombards users with numerous data privacy options, and uses language to direct people in the direction the social network wants them to go – providing more data.

Intentional confusion

The social media giant also has a tendency to rejig and reword privacy options, requiring users to repeatedly visit privacy settings and decipher what they actually mean. That has led to countless online guides that people go through like a checklist to make sure they get the maximum allowable privacy.

The hope is that Facebook’s record $5bn fine from the FTC for that behavior will force it to behave better, but it and other similar operations are constantly pushing at the envelope of what’s allowed in order to gather as much data as possible.

Online privacy image via Shutterstock

Happy privacy action day in California: If you don't have 'Do not sell my information' in your website footer, you need to read this story right now


The changes to the regulations announced on Monday are going to make that practice harder, but they still require California’s Attorney General to actively police and prosecute companies that break the rules, rather than allow users to go after potential miscreants themselves.

The Attorney General has been lacklustre so far in his efforts to apply the law, sparking a California ballot measure – Proposition 24 – that would take the power out of his hands and pass it to an independent body.

That measure would also strengthen the existing data-privacy laws in California and give consumers more control over their data. However, privacy advocates are split on whether the proposition improves the law or simply embeds some aspects – like opt-out rather than opt-in as the default setting.

These additions by the Attorney General’s office are possibly designed to persuade Californians that it is on top of the situation and getting ahead of tech companies efforts to bypass the law – and so encourage them to vote against Proposition 24, which would be something a lot of tech outfits would be pleased to see. ®

More about


Send us news

Other stories you might like