California bans website 'dark patterns', confusing language when opting out of having your personal info sold

State privacy rules add pressure on lawmakers to craft national standards


California has expanded its consumer privacy law to include a prohibition on the use of deceptive messaging and presentation, or "dark patterns," in the limited context of opting out of the sale of personal information.

"These protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights," said California Attorney General Xavier Becerra in a statement on Monday.

The rule amendments [PDF], just approved by the American state’s Office of Administrative Law, were proposed last October after a set of initial rules for enforcing the California Consumer Privacy Act (CCPA) were adopted last August, a month after CCPA enforcement began.

The CCPA amendments:

  • Clarify that businesses operating offline need to provide a way to opt-out of data sales.
  • Establish a standard Opt-Out Icon for notice and consent of data sales.
  • Prohibit designs that impair or subvert a consumer's choice to opt-out.
  • Require that opting out takes no more steps or clicks than opting in.
  • Ban confusing language, like the double negative "Don't not sell my information," when presenting an opt-out choice.
  • Forbid asking for personal information not necessary to carry out an opt-out request.
  • Disallow forcing people to scroll through a privacy policy if they've opted out or to review reasons not to opt-out.

The dark pattern rules went through a public comment period and additional adjustment after California voters approved Proposition 24, the California Privacy Rights Act (CPRA), last November..

The CPRA expands the CCPA by adding a consumer right to limit information usage and disclosure and by establishing a consumer right to request the correction to incorrect data about them that companies have stored. It also shifts privacy enforcement from the State Attorney General, Becerra, to the new California Privacy Protection Agency, while retaining the private right to action put in place by the CCPA. Enforcement of the CPRA begins in 2023.

Unless...

Industry groups during the comment period objected to many of the proposed CCPA changes [PDF]. For example, the Consumer Data Industry Association, which represents credit reporting companies, asked that the ban on confusing language be dropped because it's not clear what constitutes confusing language.

"Prohibiting an undefined category of language thus raises due process concerns," the group argued. "Similarly, prohibiting an undefined category of speech also raises serious First Amendment concerns."

Another industry group, MPA – the Association of Magazine Media, expressed concern that requiring an equal number of opt-out and opt-in steps would incentivize designs that achieve parity by adding unnecessary steps purely for the sake of legal compliance.

Someone looking at their smartphone shocked

California outlaws wording, webpage buttons designed to hoodwink people into handing over their personal data

READ MORE

Industry reluctance to accept tighter privacy rules coincides with industry affinity for behavior-influencing design.

Research published in 2019 found 22 companies selling manipulative interface design or dark patterns as a service and found 1,841 examples on 1,267 websites employing these dubious techniques out of 11,000 surveyed.

Earlier that year, federal lawmakers from both sides of the aisle proposed the Deceptive Experiences To Online Users Reduction (DETOUR) Act to prohibit large online service providers like Facebook and Google from employing dark patterns to coax online behavior. But the bill languished in committee and hasn't gone anywhere.

In Europe, the Consumer Rights Directive limits some dark patterns. But the practice of steering user behavior through manipulative interface design remains alive and well. Last month, the Electronic Privacy Information Center filed a complaint with the Washington DC Attorney General arguing that "Amazon unlawfully employs manipulative 'dark patterns' in the Amazon Prime subscription cancellation process."

Next month, the US Federal Trade Commission plans to hold a workshop on dark patterns.

In response to Becerra's announcement, US Senator Mark Warner (D-VA), one of the two sponsors of the DETOUR Act, on Tuesday via Twitter urged his colleagues to address the issue on a federal level. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2021