CCPA Enforcement Advisory Issued for Dark Patterns

The California Privacy Protection Agency (CPPA) issued an Enforcement Advisory on dark patterns. In the California Consumer Privacy Act (CCPA), dark patterns refer to user interfaces that subvert or impair consumers’ autonomy, decision-making, or choice when asserting their privacy rights or providing consent. An example of a dark pattern would be a business presenting consumers with confusing options for opting out of the sale or sharing of their personal information.

The advisory emphasizes the importance of businesses reviewing their user interfaces to ensure they offer symmetrical choices and use clear, easy-to-understand language offering privacy choices.

“Dark patterns aren’t about intent, they’re about effect,” said Michael Macko, Deputy Director of the CPPA’s Enforcement Division. “The law gives consumers the right to make their privacy choices without jumping through confusing hoops or solving puzzles. Businesses need to ask themselves the right questions about their user interfaces and make sure they aren’t part of the problem.”

How to Comply with the CCPA

Below are some steps businesses can take to avoid presenting dark patterns to consumers:

• Communicating with consumers with language that is easy to read and understand.
• Avoid technical or legal jargon.
• Providing consumers with a path to saying “no” that is no longer than the path to saying “yes.”
• Designing and using an interface that makes saying “no” as easy as saying “yes” to the requested use of personal information.
• Allow consumers to make the privacy-protective choice quickly.

Website privacy controls and functions have been in the spotlight recently. The New York Attorney General published a privacy controls guidance website to help businesses better comply with the state’s consumer protection laws.

Listen to the Website Privacy Functions and Controls episode of Compliance Pointers to dive deeper into this topic.

Enforcement Advisories

The CPPA issues advisories on aspects of the CCPA. These advisories provide observations from the Enforcement Division to help educate the public and businesses about their rights and responsibilities. Advisories do not provide any options for alternative relief or safe harbor from potential violations.

In April 2024, the CPPA issued its first enforcement advisory on data minimization.

CompliancePoint has a team of consultants devoted to helping organizations comply with privacy regulations, including the CCPA, GDPR, and all other applicable state laws. Reach out to us at connect@compliancepoint.com to learn more about how we can help.