California Privacy Protection Agency Reminds Us that “Dark Patterns” Are Illegal
Dark Patterns come into focus as the California Privacy Protection Agency (CPPA) issues September 4 Enforcement Advisory.
Recently, I attempted to cancel a digital subscription. While I expected the cancellation function to be buried deep within a labyrinth of settings pages, I did not expect to find a pop-up window that greeted me with two bizarre and confusing button choices: “Yes, continue my subscription” or “No, I want to cancel.” I had to read that more than once - and I’m sure other consumers did too. Most consumers would expect that any “yes” confirmation button after clicking “cancel my subscription” would cancel the subscription. This is a “dark pattern.”
The above example is a particularly deceptive dark pattern; however, dark patterns are not limited to deceptive user interfaces – some try to leverage your emotions. Take an online retail website that offers users a discount on their first purchase for signing up for the retailer’s marketing updates. To close the pop-up window with the offer, the user’s two choices are: “Sign Me Up” or “I hate saving money.” Another dark pattern. And there are countless other examples.
The September 4 CPPA advisory highlights the importance of businesses reviewing their user interfaces to ensure that they offer symmetrical choices and use clear, easy-to-understand language when offering privacy choices. We break down the advisory’s key points below.
What Are “Dark Patterns”?
As noted in the advisory, the California Consumer Privacy Act (CCPA) uses the term “dark patterns” to refer generally to user interfaces that subvert or impair consumers’ autonomy, decision making, or choice when asserting their privacy rights or consenting. The advisory highlights the following example: “When businesses provide choices to consumers, such as the option to opt-out of the sale or sharing of their personal information, businesses must present these choices in a clear and balanced way. If the choices are unclear, they might be considered dark patterns.”
How to Avoid Using Dark Patterns
The CCPA requires businesses to design and implement privacy functions, such as consent and privacy rights requests, using the following principles:
- Easy to understand. The methods shall use language that is easy for consumers to read and understand.
- Communications to consumers shall be easy to read and understandable to consumers. For example, they shall use plain, straightforward language and avoid technical or legal jargon.
- Symmetry in choice. The path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option because that would impair or interfere with the consumer’s ability to make a choice.
Good:
- A website banner seeking the consumer’s consent to use a consumer’s personal information that offers the choices “Accept All” and “Decline All.”
Bad:
- A process to opt-in to the sale of personal information that only gives the choice of “yes” and “ask me later.”
As a reminder, the CCPA provides for penalties of up to $7,500 per violation.
Guidance for Businesses
When determining whether a user interface may amount to a dark pattern, the CPPA recommends that businesses ask the following questions:
- Is the language used to communicate with consumers easy to read and understandable?
- Is the language used straightforward and does it avoid technical or legal jargon?
- Is the consumer’s path to saying “no” longer than the path to saying “yes”?
- Does the user interface make it more difficult to say “no” rather than “yes” to the requested use of personal information?
- Is it more time-consuming for the consumer to make the more privacy-protective choice?
Beyond California
Dark patterns are regulated outside of the California Consumer Privacy Act as well. For example, the Federal Trade Commission (FTC) considers dark patterns to amount to “unfair or deceptive” practices under Section 5 of the FTC Act. In 2022, the FTC released an extensive report showing how companies are increasingly using sophisticated design practices known as “dark patterns” that can trick or manipulate consumers into buying products or services or giving up their privacy.
Notably, in 2023, the FTC announced a $245 million settlement with Epic Games following the FTC’s allegations that Epic Games used dark patterns to trick players into making unwanted purchases.
At the state level, comprehensive consumer privacy laws in states other than California, including Colorado, Connecticut, and Texas, specifically regulate dark patterns. In addition, state regulators in other states have found enforcement avenues to pursue companies for use of dark patterns.
Takeaways for Businesses
Integrating privacy and dark pattern analysis into your product and user interface design is critical to avoid running afoul of the various laws that prohibit use of dark patterns. This applies across all digital assets – from products and platforms to websites, mobile apps and beyond. As the regulatory landscape in this area expands, and enforcement increases, involving legal counsel proactively to conduct dark pattern analyses before you receive a notice from a regulatory authority is a good idea.