New CPPA Enforcement Priority: Dark Patterns

October 18, 2024

The California Privacy Protection Agency (CPPA) has released its second Enforcement Advisory, putting businesses on notice to avoid dark patterns. The advisory emphasizes that companies should use clear language and offer consumers symmetry in choice when presenting privacy options. We’ve compiled some questions you can ask to help you avoid dark patterns (and hopefully enforcement actions from the CPPA). 

A Refresher: What Are Dark Patterns? 

Under California law, “dark pattern” means “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice, as further defined by regulation.”

There are a host of different types of dark patterns, such as stirring – which nudges users to take a specific action through wording that may make them feel shame, guilt, or other emotions (think a button for not adding optional insurance that says “No, I prefer to take the risk”).  

The CPPA’s Enforcement Advisory emphasizes that dark patterns are about the effect of the design choice, not the intent behind the choice.  

What’s Covered By The Enforcement Advisory?  

This Enforcement Advisory was issued to encourage businesses to review user interfaces to ensure they offer:  

  • Symmetrical choices; and  
  • Understandable language.  

It notes that these interfaces sometimes use designs, language, or other features to impair a user’s ability to make choices about privacy, and that this is considered a dark pattern under California law. It goes on to note that agreement gained through dark patterns is not valid consent.  

Also of note is that the Enforcement Advisory briefly mentions user interfaces provided by third-party suppliers, including consent management platforms. In this regard, it’s worth highlighting that businesses cannot outsource their obligations to provide symmetry in choice and to get valid (dark-pattern-free) consent. So, businesses should exercise caution when adopting third-party technologies that impact the end user’s privacy choices.  

You can read the CPPA’s Enforcement Advisory here. 

Where To Look For Dark Patterns?  

Common culprits for hiding dark patterns include:  

  • Subscription settings – it should be equally easy for your customers to cancel a subscription as it is for them to start a subscription.  
  • Cookie banners – one common practice is for cookie banners to offer “Allow all” or to require additional steps in order to decline cookies. We would advise against this design given the current enforcement advisory. Instead, adopt this model, which the CPPA’s Enforcement Advisory specifically notes is an example of a symmetrical choice: “A website banner seeking the consumer’s consent to use a consumer’s personal information that offers the choices ‘Accept All’ and ‘Decline All.’ See 11 CCR § 7004(a)(2)(C).”
  • Privacy notices – these should prioritize easy-to-understand language and formatting that is intuitive.  

Compliance Checklist For Your Website Audit 

We have adapted the CPPA’s questions outlined in its Enforcement Advisory to create this checklist: 

  • Is the language used to communicate with consumers easy to read and neutral? 
  • Does the language used avoid technical or legal jargon? 
  • Does the design obscure any key information? (For instance, does it include small or invisible text, hard-to-see close buttons, broken links, or any other features?) 
  • Is it equally easy for the consumer to choose “no” as it is to choose “yes”?
  • Do you use similar pathways for the consumer to choose “no” as you do for them to choose “yes”?  
  • Are the pathways for the more privacy-protective choice and the less privacy-protective choice the same length?  

Remember to apply this checklist to any notices or user interfaces developed for you by a third-party supplier! If you answered yes to the above questions, your design and privacy notices may be compliant.  

If you need help managing your privacy obligations, reach out. Our attorneys are available to help.  

Disclaimer

The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
