CPPA Provides Guidance for Businesses to Avoid Dark Patterns

On September 4, 2024, the California Privacy Protection Agency ("CPPA") issued an Enforcement Advisory to businesses covered by the California Consumer Privacy Act (CCPA) on how to avoid prohibited "Dark Patterns" to obtain consent from consumers. The consent in this context refers to consent to collect and use a consumer’s personal information.

What Is a Dark Pattern?

Under the CCPA, a Dark Pattern is a user interface (such as a website or mobile app) that is designed to subvert or impairing user autonomy, decision-making, or choice, or that otherwise has that effect.

The CCPA requires covered businesses to obtain consent before they can lawfully collect and process consumer information. However, the statute expressly states that agreements to process personal information that are obtained through the use of Dark Patterns are incapable of securing valid consent.

Avoiding Dark Patterns

The CPPA regulations enforcing the CCPA require businesses to design and implement methods for submitting CCPA requests and obtaining consumer consent without using Dark Patterns. These methods must use easy-to-understand language and incorporate the principle of "symmetry in choice."

Easy to Understand: Consent requests should use simple, plain, straightforward language devoid of technical or legal jargon.

Symmetry in Choice: The path for a consumer to select an option to protect their privacy must not be more difficult or time-consuming than the path to allow their information to be used as the business desires. In other words, the process for opting out of the sale or sharing of personal information should not be more difficult or lengthy than the process for agreeing to it.

To illustrate the guidance it offers, the Advisory includes images of three commonly used website personal information consent notices: (1) a content preferences box with multiple toggles for various data collection purposes; (2) a popup window with single "ok" button to confirm the use of cookies to personalize content and other purposes; and (3) a banner informing users that the website uses cookies to collect their information and access their data, and offers them the option to “enhance my experience” or “"other choices."

When reviewing the three examples, businesses should ask themselves the following questions to identify the Dark Pattern:

• Is the language easy to read and understand, with no technical or legal jargon?
• Is it more difficult to say "no" than it is to say "yes?"
• Is it more time consuming for a consumer to make a more privacy-protective choice?

Whether a website employs Dark Patterns requires an analysis of various factors, including the specific words used, the size and color of fonts, how notices are placed, and the specific steps consumers need to take to opt into or out of the collection and processing of their data.

Dark Patterns Prohibitions are Not Limited to California

California is not the only state that prohibits Dark Patterns to obtain consumer consent. Colorado and Connecticut both condemn the use of Dark Patterns in their respective consumer privacy statutes, and the Federal Trade Commission has on multiple occasions targeted the use of Dark Patterns as an unfair or deceptive trade practice, and has made their elimination an enforcement priority.

With the risk of state and federal regulatory enforcement growing ever higher, businesses that collect, share, or sell website visitor data should take the guidance offered by the CPPA’s Advisory into consideration when designing their cookie acceptance disclosures.