Skip to content

Modifications to CCPA Regulations Prohibit “Dark Patterns”

AOL - CyberSecurity

On March 15, 2021, California Attorney General Xavier Becerra announced the approval of modified regulations under the California Consumer Privacy Act of 2018 (“CCPA”) (Cal. Civ. Code §§ 1798.100 to 1798.199) that are effective immediately. The modified regulations ban “dark patterns,” provide an optional Privacy Options icon, and clarify regulations related to offline consumer opt-out notices, authorized agents, and notices to consumers under 16 years of age. A brief summary of these modifications is provided below.

Ban on Dark Patterns

Public comments generally described “dark patterns” as deliberate attempts to subvert or impair a consumer’s choice to opt out. “Dark patterns” may be used to obfuscate the opt-out request process or deceive the consumer into granting knowing consent. The modified regulations ban the use of the following “dark patterns”:

  1. using an opt-out request process that requires more steps than the process for a consumer to opt back into the sale of personal information after previously opting out;
  2. using confusing language (e.g., double-negatives, “Don’t Not Sell My Personal Information”);
  3. requiring consumers to click through or listen to unnecessary reasons why they should not submit a request to opt-out before confirming their request;
  4. requiring a consumer to provide personal information that is unnecessary to implement an opt-out request; or
  5. upon clicking the “Do Not Sell My Personal Information” link, requiring a consumer to search or scroll through the text of a website or privacy policy to submit the opt-out request.

Optional Privacy Opt-Out Icon (§ 999.306(f))

As shown below, the modified regulations provide an optional final design for the opt-out icon. The CCPA requires the attorney general to design “a recognizable and uniform opt-out logo or button by all business to promote consumer awareness of the opportunity to opt out of the sale of personal information.”1 The opt-out icon aims to make consumers more aware of their opt-out rights. Notably, use of the icon is in addition to the requirement to post a notice of right to opt-out and a “Do Not Sell My Personal Information” link under Civil Code Section 1798.135 and the previous CCPA regulations.

Modifications to CCPA Regulations Prohibit “Dark Patterns”

Conspicuous Offline Consumer Opt-Out Notices (§ 999.306(b)(3))

An “offline consumer” could be a consumer providing personal information at a brick-and-mortar store or over the phone. Businesses that sell personal information collected from offline consumers must provide an offline notice and instructions to such consumers about their right to opt-out. For example, a business may inform consumers of their right to opt-out on the paper forms that collect personal information or on signage in the area where the information is collected. Similarly, a business could inform offline consumers of their right to opt-out orally before any personal information is collected over the phone. Similar to online notices, the notice should be plain, straightforward, conspicuous, clear, and accessible to consumers with disabilities.

Authorized Agents (§ 999.326(a))

Previously, a business could require a consumer to provide an authorized user with signed permission before the authorized user could submit a request to know or delete on behalf of the consumer. Now, the modified regulations only allow a business to request a signed permission from the authorized user. The business may still require the consumer to either verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request. However, this modified regulation seems to streamline the process by requiring the authorized agent to obtain signed permission before making the request, which may also reduce fraud perpetrated by fake agents.

Notices to Consumers Under 16 Years of Age (§ 999.332)

Finally, the modified regulations clarified that businesses subject to Section 999.330 (consumers under 13 years of age) and/or Section 999.331 (consumers 13 to 15 years old or both) must include a description of the process set forth in those sections in their privacy policies. Thus, if a business is subject to these sections, its privacy policy should: (1) explain how the business verifies that a minor 13 to 15 years of age or a parent or guardian on behalf of a child under 13 years of age has affirmatively authorized the sale of personal information; (2) inform the minor, parent, or guardian about the right and process to opt-out; and (3) exclusively for Section 999.330, explain the process for verifying that a person submitting a request to know or delete personal information of a child under the age of 13 is the parent or guardian of that child.

What This Means for You

These modified regulations reiterate the importance of establishing, documenting, and implementing reasonable methods to inform, notify, verify, and respond to consumers in both online and offline venues. Businesses that may have used mechanisms now described as “dark patterns” should promptly change those mechanisms and consider using the opt-out icon. Further, businesses interacting with minors under the age of 16 should ensure their privacy policies comply with CCPA by listing the processes outlined in Sections 999.330 and 999.331. Finally, while businesses prepare for compliance with the California Privacy Rights Act, they should continue to keep an eye on additional CCPA regulations and enforcement.

1 Cal. Civ. Code § 1798.185(a)(4)(C).

This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.