
California bans ‘dark patterns’ that trick users into giving away their personal data

Strengthening the state’s landmark digital privacy legislation

Dark Patterns put obstacles between the user and what they want to achieve.

If you’ve ever struggled through a maze of online customer service to cancel a subscription or delete an account, you’ve likely encountered “dark patterns” — user interfaces that are designed to trick and frustrate users. The concept was coined in 2010 but is slowly being addressed in US legislation, with California this week announcing that it is banning the use of dark patterns that stop users from opting out of the sale of their personal data.

The updated regulation strengthens enforcement of the 2018 California Consumer Privacy Act (CCPA), one of the toughest consumer privacy laws in the US. The CCPA gives Californians the right “to say no to the sale of personal information,” but the state government is evidently worried that these options will be buried under byzantine menus. By banning dark patterns, California will “ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights,” said the state’s Attorney General Xavier Becerra in a press statement.

The newly approved regulation does not ban all uses of dark patterns, only those that have “the substantial effect of subverting or impairing a consumer’s choice to opt-out” of schemes where their personal data is being sold. The regulation offers a number of examples of such dark patterns, including:

  • Using confusing language like double negatives (e.g., “Don’t Not Sell My Personal Information”)
  • Forcing users to “click through or listen to reasons why they should not submit a request to opt-out before confirming their request.”
  • Requiring users to “search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.”
The “Privacy Options Opt-Out Icon.”
Image: California Office of Administrative Law

Businesses found not to be in compliance with the CCPA are sent a “notice to cure,” giving them a 30-day window to amend their services. According to Becerra’s office: “Since CCPA enforcement began on July 1, 2020, the Department has seen widespread compliance by companies doing business in California, especially in response to notices to cure.” To help standardize access to these opt-out schemes, the state of California has even designed what it calls an “eye-catching” icon that companies can use to direct users to exercise their rights.

Although this legislation only bans dark patterns in specific scenarios, there have been other attempts to crack down on such deceptive design more generally. In 2019, Sens. Mark Warner (D-VA) and Deb Fischer (R-NE) introduced a bill that would ban internet platforms with more than 100 million users from using any dark patterns that trick users into handing over personal data. The bill, though, never received a vote in Congress.