California outlaws wording, webpage buttons designed to hoodwink people into handing over their personal data

Sorry not sorry, Facebook

California’s Attorney General has updated the state's data privacy regulations to outlaw shady semantics designed to confuse folks into handing over their data.

In an update to August's California Consumer Privacy Act (CCPA), the rules have now changed again. The modifications deal with so-called dark patterns, where tech companies use misleading language and site designs to push people into choosing options that share more personal data.

Most of the changes revolve around the questions that consumers are given to opt out of data gathering. Even though some privacy advocates want data gathering turned off by default, the compromise reached by legislators is that people are given the option to turn it off.

But companies whose business models are based on gathering and selling data can make even that choice difficult, putting numerous barriers in the way. The updated regulations make it plain those approaches are not acceptable.

“A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out,” say the revised regs. “A business shall not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.”

It gives several examples:

  • Requiring consumers to go through multiple steps to opt out. The updated regulations say simply that that process can have no more steps than the opt-in process. And it even defines when the first click starts, in order to close another potential loophole.
  • Misleading language including double-negatives. It gives the example “Don’t Not Sell My Personal Information.”
  • Forcing consumers to click through or listen to reasons why they shouldn’t opt out. This is a common tactic where companies give a series of reasonable-sounding reasons for why they should stick with the current settings.
  • Requiring consumers to give additional personal information before they can opt out of their information being stored, which can dissuade people concerned about their privacy from continuing forward.
  • Forcing users to scroll through a page of text after they click the “Do Not Sell My Personal Information” link before finally being able to select a data opt-out.

Of course, the master of dark patterns is Facebook, which bombards users with numerous data privacy options, and uses language to direct people in the direction the social network wants them to go – providing more data.

Intentional confusion

The social media giant also has a tendency to rejig and reword privacy options, requiring users to repeatedly visit privacy settings and decipher what they actually mean. That has led to countless online guides that people go through like a checklist to make sure they get the maximum allowable privacy.

The hope is that Facebook’s record $5bn fine from the FTC for that behavior will force it to behave better, but it and other similar operations are constantly pushing at the envelope of what’s allowed in order to gather as much data as possible.

The changes to the regulations announced on Monday are going to make that practice harder, but they still require California’s Attorney General to actively police and prosecute companies that break the rules, rather than allow users to go after potential miscreants themselves.

The Attorney General has been lacklustre so far in his efforts to apply the law, sparking a California ballot measure – Proposition 24 – that would take the power out of his hands and pass it to an independent body.

That measure would also strengthen the existing data-privacy laws in California and give consumers more control over their data. However, privacy advocates are split on whether the proposition improves the law or simply embeds some aspects – like opt-out rather than opt-in as the default setting.

These additions by the Attorney General’s office are possibly designed to persuade Californians that it is on top of the situation and getting ahead of tech companies’ efforts to bypass the law – and so encourage them to vote against Proposition 24, which would be something a lot of tech outfits would be pleased to see. ®

Biting the hand that feeds IT © 1998–2022