California Law, Following Europe, Introduces a New Privacy Rights Wrinkle

Dark patterns – deceptive user-interface design elements that subtly coerce users into making choices against their best interests – have emerged as a threat to privacy rights across company websites and consent interfaces. Regulators are taking action to discourage the use of such dark patterns.

With the release of the California Privacy Rights Act (CPRA), which came into effect on July 1, 2023, businesses are required to provide more transparency around how consumers’ personal information is collected and will be used. Further, businesses must include consent mechanisms that allow consumers to opt out of the collection, processing, sale, and sharing of their personal information.

Naturally, new regulations allotting more choices to consumers are highly susceptible to dark patterns.

 Kasey Pukys

To counter these practices, the California Privacy Protection Agency (CPPA), created by and for the enforcement of the CPRA, established consumer consent regulations on dark patterns. Separately, the European Data Protection Board (EDPB), which publishes guidance for the application of the EU’s globally influential General Data Protection Regulation (GDPR), has issued Guidelines on deceptive design patterns in social media platform interfaces.

Combining guidance from both the CPPA and EDPB, the following examines some of the most prevalent dark patterns in consent interfaces and the best ways to avoid them.

Make Consent Choices Fair and Consistent

The California agency requires businesses to implement consent mechanisms that are easy for consumers to understand and must offer “symmetry in choice.” Simply stated, the path to more privacy-protective choices for the consumer cannot be more difficult or take longer to select than less privacy-protective choices.

Andy Soodek

As businesses design consent interfaces to give users the ability to opt out of cookies and the sale or sharing of personal information, businesses are often tempted to make these options more complicated than a simple ‘opt in’ to allow them to continue to collect and process personal information. Nonetheless, adhering to the symmetry-in-choice principle is crucial to prevent the use of deceptive design techniques, which can lead to regulatory fines and disciplinary actions for businesses.

Common dark patterns to avoid that fall under this category include:

• Offering an “Accept All” cookies button without a “Reject All” button or replacing it with an “Ask Me Later” option.
• Forcing the consumer to opt out of each individual category of cookies, rather than offering a single button for opting out of all but essential cookies.
• Privacy-protective choices that take the user to an entirely different web page to opt out.

To avoid such dark patterns, the creators of consent interfaces should explore the symmetry of their designs through the lens of a user journey.

Avoid Deceptive Language and Design

It may seem obvious, but the CPPA requires that consumer consent interfaces avoid using language or other interactive elements that confuse the user. These elements can manifest in many ways, but the EDPB defines one such pattern as “stirring,” which “affects the choice users would make by appealing to their emotions or using visual nudges.”

Examples of dark patterns commonly found through language or interactive design elements include:

• Emotionally steering language to persuade the user into making less privacy-protective choices (i.e., rather than a simple “Accept” or “Decline,” the buttons might playfully display “Yes, enhance my experience!” or “Don’t elevate my experience”).
• Convoluted language that will confuse the user (i.e., “Yes” or “No” buttons are displayed under the phrase “Do not process my sensitive personal information,” which creates a double negative).
• Deceptive colors and color contrasts that make less privacy-protective choices stand out more than “reject all” and other more privacy-protective choices.
• Presenting buttons of different sizes to encourage making less privacy-protective choices (i.e., “Accept All” is displayed in a nice, bold style, while “Reject All” is displayed in smaller text and visually looks like a hyperlink).

Deceptive language and design choices such as these can be crafted intentionally or unintentionally. So long as the typical user is misled in such a way that they cannot effectively make fair consent choices, the design constitutes a dark pattern and should be corrected swiftly.

Categorize Choices Accurately

The CPPA asks that businesses avoid ambiguous patterns or methods in consent architecture that impair the user’s ability to make informed decisions about their consent. This type of dark pattern may manifest itself in the presence of conflicting or ambiguous language, or the bundling of privacy-protective choices that should not fall under the same category. In this instance, a consent interface may be participating in a “left in the dark” deceptive design tactic, which the EDPB defines as hiding information or data protection controls that confuse users about their opt-ins and how their data will be processed.

This type of dark pattern differs from other manipulative design tactics because it is often difficult to detect, or even overlooked in the design stages of building consent interfaces. Some examples:

• Bundling consent choices into one opt-in that does not explicitly correlate with its parts (i.e., opting in to a location-based service with a business AND granting the business “permission” to sell geolocation data to outside parties is bundled under one opt-in rather than two separate choices).
• An “Accept Some” option is made available for cookie consent, but it is not made clear what cookie categories fall under “some.”
• Cookies are not categorized in good faith, misconstruing the user’s opt-in choices (i.e., analytics cookies are often categorized as essential by organizations that wish to track activity of visitors on their websites, although visitors may choose not to be tracked).

In this instance, design and technical teams should work closely together to ensure cookies and other consent-based services are categorized appropriately.

Looking Ahead

Dark patterns in user consent and preferences are concerning because they undermine the principles of informed consent. Regulatory violations, skepticism surrounding consent choices, and loss of consumer trust resulting from poor user experience are all potential consequences of deceptive user interfaces.

Moving forward, businesses should incorporate digital consent-management interfaces that offer clear and easily accessible choices to meet regulatory requirements and enhance the digital experience for consumers. To avoid dark patterns, businesses must identify them in the design and testing phases of consent interfaces and consult privacy professionals familiar with the principles of privacy-by-design.

Kasey Pukys is an Associate Consultant, and Andy Soodek is a Managing Principal, for Capco’s Data Security & Privacy Practice.