The California Privacy Protection Agency has issued an advisory to help businesses avoid using Dark Patterns when obtaining consumer consent. These deceptive interfaces subvert user autonomy and invalidate consent under the CCPA. Companies must now ensure their methods for collecting personal information are transparent and fair, or face increasing regulatory scrutiny.
On September 4, 2024, the California Privacy Protection Agency ("CPPA") issued an Enforcement Advisory to businesses covered by the California Consumer Privacy Act (CCPA) on how to avoid prohibited "Dark Patterns" to obtain consent from consumers. The consent in this context refers to consent to collect and use a consumer’s personal information.
Under the CCPA, a Dark Pattern is a user interface (such as a website or mobile app) that is designed to subvert or impairing user autonomy, decision-making, or choice, or that otherwise has that effect.
The CCPA requires covered businesses to obtain consent before they can lawfully collect and process consumer information. However, the statute expressly states that agreements to process personal information that are obtained through the use of Dark Patterns are incapable of securing valid consent.
The CPPA regulations enforcing the CCPA require businesses to design and implement methods for submitting CCPA requests and obtaining consumer consent without using Dark Patterns. These methods must use easy-to-understand language and incorporate the principle of "symmetry in choice."
Easy to Understand: Consent requests should use simple, plain, straightforward language devoid of technical or legal jargon.
Symmetry in Choice: The path for a consumer to select an option to protect their privacy must not be more difficult or time-consuming than the path to allow their information to be used as the business desires. In other words, the process for opting out of the sale or sharing of personal information should not be more difficult or lengthy than the process for agreeing to it.
To illustrate the guidance it offers, the Advisory includes images of three commonly used website personal information consent notices: (1) a content preferences box with multiple toggles for various data collection purposes; (2) a popup window with single "ok" button to confirm the use of cookies to personalize content and other purposes; and (3) a banner informing users that the website uses cookies to collect their information and access their data, and offers them the option to “enhance my experience” or “"other choices."
When reviewing the three examples, businesses should ask themselves the following questions to identify the Dark Pattern:
Whether a website employs Dark Patterns requires an analysis of various factors, including the specific words used, the size and color of fonts, how notices are placed, and the specific steps consumers need to take to opt into or out of the collection and processing of their data.
California is not the only state that prohibits Dark Patterns to obtain consumer consent. Colorado and Connecticut both condemn the use of Dark Patterns in their respective consumer privacy statutes, and the Federal Trade Commission has on multiple occasions targeted the use of Dark Patterns as an unfair or deceptive trade practice, and has made their elimination an enforcement priority.
With the risk of state and federal regulatory enforcement growing ever higher, businesses that collect, share, or sell website visitor data should take the guidance offered by the CPPA’s Advisory into consideration when designing their cookie acceptance disclosures.