PH Privacy
California Privacy Protection Agency (CPPA) to Businesses: Avoid Dark Patterns
September 16, 2024
By: Aaron Charfoos, Michelle Reed, Rachel Kurzweil, and Brianne Powers
On September 4, 2024, the California Privacy Protection Agency (CPPA) issued an Enforcement Advisory on the importance of avoiding dark patterns. As we have previously written, dark patterns were first addressed in detail in early revisions to the California Consumer Privacy Act (CCPA) Final Regulations. The CCPA specifically defines a “dark pattern” as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice, as further defined by regulation. Dark patterns include any activities that may delay or obscure the process for opting out of the sale or sharing of personal information, or that otherwise burden consumers with confusing language or unnecessary steps when exercising their privacy rights.
The Enforcement Advisory highlights the CPPA’s focus on ensuring consumer autonomy and choice by advising businesses to “review and assess their user interfaces to ensure that they are offering symmetrical choices and using language that is easy for consumers to understand when offering privacy choices.” More specifically, the Enforcement Advisory provides a list of questions for businesses to ask when reviewing and updating these interfaces:
- Is the language used to communicate with consumers easy to read and understandable?
- Is the language used straightforward and does it avoid technical or legal jargon?
- Is the consumer’s path to saying “no” longer than the path to saying “yes”?
- Does the user interface make it more difficult to say “no” rather than “yes” to the requested use of personal information?
- Is it more time-consuming for the consumer to make the more privacy-protective choice?
The Enforcement Announcement also directs consumers to report uses of dark patterns through the CPPA’s complaint form. The form lists various CCPA violations for such complaints, including “[a] business is trying to get my consent unlawfully (such as using confusing or tricky language or dark patterns).”
Our Data Privacy and Cybersecurity Practice regularly works with clients to address these concerns and to assess the overall compliance requirements and risks of their public-facing websites and mobile applications, offering practical and implementable solutions that address these questions. If you have any questions, please do not hesitate to contact any member of our team.