Dark patterns and your website: are you breaching California privacy law?

April 9, 2021

In 2019, a study revealed that about 11% of websites in its data set contained deceptive dark patterns. “Dark patterns” refer to user interface features or designs on websites and mobile apps that trick, manipulate, or confuse visitors. They are problematic because they can trick users into providing personal information they might not otherwise have chosen to provide, or hide settings that would allow them to control their privacy.

New Regulations in California

On March 15, the California Attorney General (AG) published its Final Regulation Text § 999.306. Notice of Right to Opt-Out of Sale of Personal Information (the Regs). The Regs ban businesses from embedding in their websites dark patterns designed to prevent or mislead users trying to exercise their rights under the California Consumer Privacy Act (CCPA). Specifically, the Regs require businesses to offer users at least two methods for submitting requests to opt-out of the sale of their personal information and prescribe how opt-out notices appear on websites.

The Regs state (in section (a)(2)) that the opt-out notice must be easy to read and understand. Additionally, the notice must use:

  • Plain, straightforward language – without technical or legal jargon;
  • A format that draws a user’s attention to the notice, ensuring that it’s readable across devices;
  • The languages the business ordinarily uses for its contracts, disclaimers, sale announcements, and other information to California consumers; and
  • Reasonable accessibility features for consumers with disabilities.

Further, the Regs require that businesses make accessing these opt-out notices easy. The notice must be directly linked to the business’ “Do Not Sell My Personal Information” link and users cannot be required to click through multiple pages to reach the notice. Apps that collect and sell users’ personal information must also make the notice available via the app, such as through the app’s settings menu.

Requests by users to opt-out of the sale of their personal information must be acted on within 15 days.

Businesses that don’t comply with the Regs may be issued a ‘Notice to Cure’. If this happens to you, you’ll have 30 days to rectify the issues identified.

You can read the Regs here and the AG’s press release here.

Reducing Dark Patterns on Your Website

Dark patterns can also make it difficult to unsubscribe, change or update information, or delete a user account or information. While your SEO team might advocate for making it more difficult for your users to unsubscribe, there are strong reasons for making it as easy as possible, including:

Transparent data practices build consumer trust.

Making it easy to unsubscribe, opt-out, and change or delete user information is an important step in building transparency and consumer trust.

Increased consumer loyalty.

Consumers are more likely to leave brands that use their data without their permission. Conversely, brands that are transparent with their data practices face fewer barriers to customer retention.

Transparent data practices are (more) future-proof.

Consumers and regulators are demanding better transparency from businesses. By embedding transparent practices and language from the beginning, you’re creating a more future-proof website.

If you need assistance with your privacy policies or practices, reach out. We’re here to help!

You can find more of our privacy insights here. 


The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
