On September 4, 2024, the California Privacy Protection Agency’s Enforcement Division released its second Enforcement Advisory on Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice (the “Enforcement Advisory”). This Enforcement Advisory follows April’s Applying Data Minimization to Consumer Requests. As with the FTC’s business guidance blog, businesses should carefully review the regulatory guidance to better understand CPPA enforcement priorities.

What does the Enforcement Advisory say?

The Enforcement Advisory reminds businesses that “agreement obtained through use of dark patterns does not constitute consent.” The regulations require businesses to design and implement methods for obtaining consumer consent or submitting CCPA requests that incorporate the following principles:

  • Easy to understand.
  • Symmetry in choice.
  • Avoid language or interactive elements that are confusing to the consumer.
  • Avoid choice architecture that impairs or interferes with the consumer’s ability to make a choice.
  • Easy to execute.

Any method of obtaining consumer consent or enabling consumers to submit CCPA requests that does not adhere to these five principles may be considered a dark pattern in violation of the CCPA.

The Advisory reiterates the illustrative examples from the CCPA regulations and provides three visual samples of dark patterns. It concludes with five questions for a business to assess user interface compliance, including:

  • Is the language used to communicate with consumers easy to read and understandable?
  • Is the language used straightforward and does it avoid technical or legal jargon?
  • Is the consumer’s path to saying “no” longer than the path to saying “yes”?
  • Does the user interface make it more difficult to say “no” rather than “yes” to the requested use of personal information?
  • Is it more time-consuming for the consumer to make the more privacy-protective choice?

Takeaways

Start with the samples and questions. Businesses must inspect their methods for obtaining consumer consent and enabling CCPA request submissions to ensure compliance with statutory or regulatory requirements or guidance. The three samples and five questions in the Enforcement Advisory offer starting points for a business to analyze its processes and likely reflect what the CCPA Enforcement Division uses to assess user interface compliance and dark patterns.

Cookie banners. While the CCPA does not expressly require a cookie banner, each dark pattern sample in this Enforcement Advisory shows a banner. Businesses should start with their banners and disclosures for internal dark pattern analysis. The CCPA requires businesses to provide users with notice at collection and an opt-out link, and most implement these requirements through a banner pop-up.

Consent management platforms. A business using a service provider, like a CMP, to manage cookie consent pop-ups is responsible for checking for dark patterns. In this Enforcement Advisory and in our experience, regulators require a business to monitor all aspects of service provider compliance, including language around cookie usage.

Enforcement clues. The CPPA, unlike the California Attorney General, has not publicly enforced against any business but asserts it is engaged in “double digit” investigations. It would not be surprising to see its first action include allegations of violations in areas raised by one or both advisories released to date.

Scope of CCPA dark patterns. Dark patterns have been in the regulatory spotlight for at least a decade, dating back to the FTC’s 2014 report. However, the CPPA’s remit is narrower and concerns only consent and CCPA requests, while the FTC focuses on manipulative design beyond privacy, such as in the context of subscriptions.