Dark Patterns: Will Your Website Be CPRA Compliant?


In May, the California Privacy Protection Agency released draft regulations scheduled to take effect on next January. While that enforcement date may be delayed, the regulations offer insight into what the Agency finds most critical. Among other topics, Dark Patterns have emerged as a critical area for enforcement. This post, which is part of a series of posts on the CCPA and CPRA, breaks down the new regulations and how they may affect business with on online presence.

The CPRA defines dark patterns as user interfaces “designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice ….” The most egregious of these dark patterns have been under attack for years. And most legitimate businesses no longer employ dark patterns to manipulate users. However, with the publication of the CPPA’s draft regulations, many businesses will find they are out of compliance with the CPRA, even if they have not intentionally employed dark patterns to obtain user consent. That failure may be critical, because under Section 7004, businesses may only obtain enforceable consent from consumers if their websites incorporate five principles.

  1. Easy to understand.

The “easy to understand” requirement is straightforward. It requires the use of plain, straightforward language and precludes the use of technical or legal jargon. Other requirements are similar to those required under the CCPA for a few years already.

  1. Symmetry in choice.

The “symmetry in choice” is more interesting. Critically, businesses may not require consumers to take more steps to opt out of selling personal information than are required to opt in to selling personal information. For that reason, businesses may not provide the options of “Yes” and “Ask Me Later” when asking users about whether to sell their personal information. Similarly, “Accept All” and “More Information” are not symmetrical choices.

  1. No confusing language or elements.

Among examples the regulations provide of “confusing language” are double negatives, like “Do not share my personal information,” with the choices “Yes” or “No.” “Confusing elements” include toggles labelled “on” and “off,” when the precise meaning those two choices are not clear from the context, and buttons that follow a predictable pattern but then switch when doing so would benefit the business.

  1. No manipulative language or complex architecture.

“Manipulative language” can be something as simple as pairing consent to the sale of data with a financial reward and then offering the choices “Yes” and “No, I don’t want to save money.” “Complex architecture” includes pairing consent to use data for an expected purpose with consent to use data for unrelated purposes. The example given in the draft regulations is a gas price aggregator pairing consent to access users’ geolocation information with consent to sell that information to data brokers.

  1. Easy to execute.

A website fails the “easy to execute” requirement if it forces users to track down the “Do not sell my personal information” link. Circular or broken links are also outlawed.

If the CCPA/CPRA apply to your business, the guidance provided by the CPPA in these regulations should be concerning. A recent tour around both large and small business websites reveals that many businesses are not compliant with these regulations. For instance, many businesses that have previously adopted CCPA-compliant opt-out options have not yet updated them to ensure that they are symmetrical. Many opt-outs on company websites remain more onerous than opt-ins. Companies also need to ensure that website updates have not inadvertently invalidated their opt-out links. For example, as of the date of writing, Walmart’s “Do Not Sell My Information” link takes users to a general “Error” page. At $7,500 per violation, compliance issues can quickly become expensive.

If you would like to speak with an attorney about how your business can ensure it is compliant with these regulations, please reach out to the authors of this blog or another attorney at Boutin Jones.