It is no secret that the California’s privacy regulatory landscape is rapidly transforming, with new laws that impose extensive requirements on information that was largely unregulated in the past.  The existing California Consumer Privacy Act (“CCPA”) will soon be amended by the California Privacy Rights and Enforcement Act (“CPRA”) to provide greater protections to consumers in a variety of ways.  In addition to including more enforcement mechanisms through the creation of an agency, the CPRA increases consumer rights over their information.  Although the CPRA does not go into effect until January 1, 2023, it will apply to all personal information collected on or after January 1, 2022.

This article focuses on California’s new regulations that prohibit “dark patterns” as deceptive and unfair trade practices in obtaining a consumer’s online consent.

WHAT ARE DARK PATTERNS?

The term “dark patterns” broadly refers to the deceptive practices, software mechanisms and design patterns that businesses use to manipulate a user’s online behavior and decision-making.  Dark patterns are problematic because they have the effect, intentionally or unintentionally, of impairing consumer autonomy by subtly steering users into taking actions that they may not have expected or intended to take.  As society becomes increasingly digitalized, dark patterns have become more complex and pervasive.

Common forms of dark patterns include:

• Using a countdown timer that is irrelevant to an offer expiring;
• Using confusing language like double-negatives (e.g. “Don’t Not Sell My Personal Info”);
• Forcing users to click through or listen to reasons why they should not submit a request to opt-out before confirming their request;
• Requiring users to search or scroll through the text of a privacy policy or similar; document or webpage to locate the mechanism for submitting a request to opt-out;
• Being suddenly directed to a subscription page while in the midst of browsing a website or watching something in an app; or
• The gamification of products and other similar techniques.

Under the current CCPA, these techniques are not deemed to be inherently illegal, and have essentially been normalized as a mere annoying aspect of life online.  A study by Princeton University in 2019 analyzed over 50,000 product pages from 11,000 shopping sites. The study identified the use of dark patterns 1,818 times.  Recently, the media has started to shine a brighter light on the use of dark patterns.  On March 16, 2022, a series of leaked internal documents obtained by Business Insider revealed that retail giant Amazon was aware of its use of dark patterns to lure users into signing up for costly Prime memberships without their valid, informed consent.  Most people are familiar with Amazon’s deceptive sign-up process: For example, by simply clicking on the "Get FREE Two-Day Delivery with Prime" tab during the check out process-- with no additional confirmation step – a user automatically gets enrolled into a 30-day free trial with Prime, which later converts to a paid membership unless the user cancels it.  For cancellations, users are forced to jump through a number of pages to end the subscription.  The leaked documents reveal that Amazon had internal concerns and discussions about addressing complaints regarding its confusing sign-up/cancellation process since 2017.   Although Amazon proposed and considered changes to address these issues, those changes were ultimately nixed because they resulted in a drop subscription growth during testing.  The tech giant has been sued previously on related grounds.

HOW DOES CALIFORNIA REGULATE “DARK PATTERNS”?

On March 15, 2021, the CCPA was officially amended to ban deceptive online designs and practices that delay or obscure the process for consumers to opt out of the sale of their personal information. (Cal. Code Regs. tit. 11, § 999.315(h); see California Office of the Attorney General: Press Release: Attorney General Becerra Announces Approval of Additional Regulations That Empower Data Privacy Under the California Consumer Privacy Act (March 15, 2021)). The final text of the regulations offered a few examples to illustrate the types of confusing or misleading designs that are prohibited:

1. Using an opt-out request process that requires more steps than the process for a consumer to opt back into the sale of personal information after previously opting out;
2. Using confusing language (e.g., double-negatives, “Don’t Not Sell My Personal Information”);
3. Requiring consumers to click through or listen to unnecessary reasons why they should not submit a request to opt-out before confirming their request;
4. Requiring a consumer to provide personal information that is unnecessary to implement an opt-out request; or
5. After clicking the “Do Not Sell My Personal Information” link, requiring a consumer to search or scroll through the text of a website or privacy policy to submit the opt-out request.

With the passage of the CPRA, California went a step further by becoming the first state to affirmatively regulate the commercial use of dark patterns by defining them as: “[a] user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision‐making, or choice, as further defined by regulation”. (Civ. Code, § 1798.140, subd. (l), effective January 1, 2023.)  Dark patterns are also referenced in the CPRA’s new definition of “consent”, noting that: “agreement obtained through use of dark patterns does not constitute consent.” (Civ. Code, § 1798.140, subd. (h), effective January 1, 2023.)  This means that businesses can no longer obtain a consumer’s valid consent related to the processing of personal information via dark patterns.  While it is clear that certain online interface designs could render any such user “consent” invalid in the future, exactly which dark patterns will negate consent remains somewhat opaque.  Additional regulations created by the new California Privacy Protection Agency (the “Agency”) will likely provide clarity, and while these were originally planned to be finalized by July 1, 2022, the Agency has recently indicated that the regulations will be delayed to the latter half of 2022.

WHY SHOULD BUSINESSES CARE?

Like other violations under the CCPA, businesses that use dark patterns in violation of the regulations have a 30-day cure period to remedy the offending element in their website or app design.  Failure to comply may result in civil penalties up to $7,500 per violation (which, if levied for usage of dark patterns that affects many users, can be devastating).  However, companies should be forewarned that the 30-day cure period will no longer exist when the CPRA takes hold on January 1, 2023 – so compliance must be achieved now.

In addition to avoiding hefty regulatory fines, businesses that fail to disavow their use of dark patterns— rather than opt for transparency in their customer communications and user interfaces— face significant reputational risks.  Any possible short-term data or revenue gains achieved through dark practices are not worth the long-term damage to customer goodwill and brand reputation.  Businesses that prioritize transparency over trickery will be in a better position to build long-term customer relationships through increased consumer trust and loyalty.  Indeed, research shows most consumers would likely be more willing to provide more info about themselves if the company were transparent and honest about their data practices. Furthermore, nearly two in five Americans (38%) expressed that they believe it is worth spending more money with companies that prioritize data privacy.

RECOMMENDED STEPS

This is an emerging area of law, but the CPRA will increase scrutiny on businesses in order to stop manipulative practices and increase consumer choice.  As more regulation comes to fruition both at the federal and state level, businesses need to candidly reexamine elements of their online advertising and user experiences to ensure compliance.  Being aware of website and application design elements that could potentially constitute dark patterns, with a particular emphasis on features that collect personal information or attempt to obtain user consent, is a wise place to begin assessing compliance.  Some specific features to look for include forced continuity, hidden costs and price comparison prevention, as well as mechanisms that create a sense of urgency or scarcity.  Additionally, businesses should work with their development teams and counsel to review existing cancellation procedures for any subscription product or service, and ensure that cancellation is at least as easy as signing up.

Another way to prepare for dark pattern regulations is to monitor legal developments, like the CPRA’s rulemaking proceedings.  Businesses can also keep apprised of pending court actions that accuse businesses of employing dark patterns to deceive consumers.  (See, e.g., Oberstein v. Live Nation Entertainment, Inc. (C.D. Cal., Sept. 20, 2021, No. CV 20-3888-GW-GJSX) 2021 WL 4772885 [alleging, among other things, that defendants purposefully employed “dark patterns” in designing their terms of use to make them less conspicuous to users].)