California bans website 'dark patterns', confusing language when opting out of having your personal info sold

State privacy rules add pressure on lawmakers to craft national standards

California has expanded its consumer privacy law to include a prohibition on the use of deceptive messaging and presentation, or "dark patterns," in the limited context of opting out of the sale of personal information.

"These protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights," said California Attorney General Xavier Becerra in a statement on Monday.

The rule amendments [PDF], just approved by the American state’s Office of Administrative Law, were proposed last October after a set of initial rules for enforcing the California Consumer Privacy Act (CCPA) was adopted last August, a month after CCPA enforcement began.

The CCPA amendments:

  • Clarify that businesses operating offline need to provide a way to opt out of data sales.
  • Establish a standard Opt-Out Icon for notice and consent of data sales.
  • Prohibit designs that impair or subvert a consumer's choice to opt out.
  • Require that opting out takes no more steps or clicks than opting in.
  • Ban confusing language, like the double negative "Don't not sell my information," when presenting an opt-out choice.
  • Forbid asking for personal information not necessary to carry out an opt-out request.
  • Disallow forcing people to scroll through a privacy policy if they've opted out or to review reasons not to opt out.

The dark pattern rules went through a public comment period and additional adjustment after California voters approved Proposition 24, the California Privacy Rights Act (CPRA), last November.

The CPRA expands the CCPA by adding a consumer right to limit information usage and disclosure and by establishing a consumer right to request the correction of incorrect data about them that companies have stored. It also shifts privacy enforcement from the State Attorney General, Becerra, to the new California Privacy Protection Agency, while retaining the private right of action put in place by the CCPA. Enforcement of the CPRA begins in 2023.


Industry groups during the comment period objected to many of the proposed CCPA changes [PDF]. For example, the Consumer Data Industry Association, which represents credit reporting companies, asked that the ban on confusing language be dropped because it's not clear what constitutes confusing language.

"Prohibiting an undefined category of language thus raises due process concerns," the group argued. "Similarly, prohibiting an undefined category of speech also raises serious First Amendment concerns."

Another industry group, MPA – the Association of Magazine Media, expressed concern that requiring an equal number of opt-out and opt-in steps would incentivize designs that achieve parity by adding unnecessary steps purely for the sake of legal compliance.


Industry reluctance to accept tighter privacy rules coincides with industry affinity for behavior-influencing design.

Research published in 2019 found 22 companies selling manipulative interface design, or dark patterns, as a service, and found 1,841 examples of these dubious techniques on 1,267 websites out of 11,000 surveyed.

Earlier that year, federal lawmakers from both sides of the aisle proposed the Deceptive Experiences To Online Users Reduction (DETOUR) Act to prohibit large online service providers like Facebook and Google from employing dark patterns to coax online behavior. But the bill languished in committee and hasn't gone anywhere.

In Europe, the Consumer Rights Directive limits some dark patterns. But the practice of steering user behavior through manipulative interface design remains alive and well. Last month, the Electronic Privacy Information Center filed a complaint with the Washington DC Attorney General arguing that "Amazon unlawfully employs manipulative 'dark patterns' in the Amazon Prime subscription cancellation process."

Next month, the US Federal Trade Commission plans to hold a workshop on dark patterns.

In response to Becerra's announcement, US Senator Mark Warner (D-VA), one of the two sponsors of the DETOUR Act, on Tuesday via Twitter urged his colleagues to address the issue on a federal level. ®

Biting the hand that feeds IT © 1998–2022