Here’s a recap of the recent data and privacy law changes in California.
On March 15, 2021, the California Attorney General (“AG”) approved additional California privacy regulations. The new addition to the state privacy law prohibits companies from confusing or misleading consumers who seek to exercise their data privacy rights. More specifically, the amendment says that methods for consumer opt-out requests may not be designed with the purpose of, or have the substantial effect of, “subverting or impairing” a consumer’s choice to opt out.
What does it mean? Here are a few examples to help illustrate:
Have you ever gone to a website and signed up for, or bought, something you didn’t want? Sometimes it happens without you even realizing that you purchased something. Or let’s say you have an account and you want to delete it. You go to your account settings and start searching, but you cannot find the delete option.
Another example can be a marketing email with a required “unsubscribe” link that is hard to see because it is blended in with the overall text. Other tactics include displaying countdown timers for expiring deals, sneaking items into checkout carts, or “shaming” customers into making choices that benefit the company.
These are all examples of dark pattern user interfaces, designs built to trick and frustrate users, which the new California law prohibits. According to a 2019 research study by Princeton and the University of Chicago, about one out of every 10 e-commerce websites used dark patterns. It is hard to legislate around psychological tricks or poor design, so not much has been done to combat the problem until now. California is the first state to ban dark patterns.
The newly approved regulation does not ban all uses of dark patterns, only those that have “the substantial effect of subverting or impairing a consumer’s choice to opt-out.” How can companies determine whether dark patterns are being used, given that they may not even realize they are using them? Where is the line between intentional malice and simple poor web or mobile design? To provide further guidance, the California regulation includes a few examples for companies, such as:
1. The business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out. Companies need to count the number of steps in their opt-in and opt-out flows to make sure opt-out requires no more steps than opt-in.
2. A business can’t use confusing language such as double-negatives (e.g., “Don’t Not Sell My Personal Information”) when providing consumers the choice to opt-out.
3. A business cannot require consumers to click through or listen to reasons why they should not submit a request to opt-out before confirming their request.
4. The business cannot require the consumer to provide personal information that is not necessary to implement the request.
Right now, businesses found not to comply with the CCPA are sent a “notice to cure,” giving them a 30-day window to amend their services. That changes under the CPRA, which removes the notice-to-cure period.
What are the main takeaways?
A business’s methods for submitting requests to opt-out need to be easy for consumers to execute and shall require minimal steps to allow the consumer to opt out.
Look at your websites and mobile apps and review your opt-out process to see whether it may be misleading or confusing to consumers.
Look at the AG requirements and talk to your UX and developer teams to make the necessary changes.
If you have questions for us about dark patterns or anything else regarding your company’s data and privacy, don’t hesitate to reach out via phone or email today. We would love to hear from you.
*** This is a Security Bloggers Network syndicated blog from "Ask Aleada" Blog - Aleada Consulting authored by Elena Elkina. Read the original post at: https://www.aleada.co/ask-aleada-blog/2021/4/15/important-changes-to-california-privacy-regulations