Last fall, California voters approved Proposition 24, thereby enacting the California Consumer Privacy Rights Act (CPRA). As DWT noted the day after the election, "CPRA amends the California Consumer Privacy Act (CCPA) in subtle and significant ways …."
One "subtle and significant" effect of the new law (when it ultimately takes effect) will be to limit the use of so-called "dark patterns": user interface designs that subvert or distort consumers' ability to clearly understand data collection and sharing and to truly give informed consent.
[T]echniques and features of interface design meant to manipulate users [and] to nudge [them] towards privacy intrusive options[, including] privacy intrusive default settings, misleading wording, giving users an illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy friendly option requires more effort for the users.
The report tried to demonstrate that several major online entities were using dark patterns to obtain user consent to collect and use personal information.
The idea (though not the term) made its appearance in the United States in April 2019, in the Deceptive Experiences to Online Users Reduction Act (DETOUR Act) introduced by Senators Mark Warner (D-VA) and Joni Ernst (R-IA). As DWT explained when that bill was introduced, it would have made it unlawful for large online operators "to design, modify, or manipulate a user interface with the purpose or substantial effect of obscuring, subverting, or impairing user autonomy, decision-making, or choice to obtain consent or user data."
But—like most federal privacy law efforts—the DETOUR Act went nowhere. By adopting the CPRA, however, California has, for the first time in the United States, expressly established that consent obtained through the use of dark patterns is legally no consent at all.
First, the CPRA adds a new definition of "consent" to the CCPA. The new definition explicitly states that "[A]greement obtained through the use of dark patterns does not constitute consent."1 Then, paralleling the definitions from Deceived by Design and the DETOUR Act, the CPRA defines a "dark pattern" as "a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation."2 Finally, the law directs that regulations regarding the sale or sharing of personal information ensure that a business obtaining consumer consent to such sale or sharing "does not make use of any dark patterns."3
At this point, it is not clear what specific aspects of user interface design would be condemned as "dark patterns." That said, it seems likely that the new consumer privacy regulator established by the CPRA will look to consumer-oriented studies like Deceived by Design for at least some initial guidance.
More broadly, the notion that manipulative user interfaces can render consent invalid is based generally on the field of behavioral economics, which shows that—contrary to the underlying assumptions of traditional economic theory—when someone makes marketplace (and other) choices, inherent limits on human cognitive abilities mean that those choices may not reflect the decision-maker's own best interest. So, behavioral economics will likely also inform regulators' and courts' understanding of what constitutes an impermissible "dark pattern."
While the specific concern about dark patterns is new, on some level the idea of dark patterns in online user interfaces is simply a specialized form of the long-established principle in consumer protection law banning "unfair and deceptive" business practices. From this perspective, a dark pattern is just an "unfair and deceptive" practice in the specific context of obtaining online consent.
In past decades, states and the Federal Trade Commission have protected consumers from problematic real-world practices such as bait-and-switch advertising and high-pressure door-to-door sales tactics. Banning dark patterns amounts to updating longstanding concerns about potential exploitation of consumers to apply to the online world, while also taking account of a broader economic and psychological understanding of consumer marketplace behavior than was available in the past.
Moreover, the effort to identify dark patterns will likely not be entirely unbound from existing law. For example, there is a sizable body of case law addressing whether the design of a website or app provides adequate "inquiry notice" for online terms and conditions to be enforceable. In that context, the question is whether the disclosure of the existence of binding terms and conditions is sufficiently conspicuous that a reasonable consumer would notice that they are there and have an opportunity to review them.4
Although not directly parallel, courts' experience in examining website and app user interface design to make judgments of conspicuousness may provide at least some guidance to California regulators in determining whether particular user interfaces are too "dark" to be used to obtain consent to the sale or sharing of consumer information. Moreover, as DWT noted last October, some pending cases directly allege that the use of misleading user experience design violates existing consumer protection law.
At bottom, the obligation on businesses to obtain valid consent to collect, use, share and/or sell consumer information is fundamental to operating in conformity with the new law. (Indeed, the term "consent" appears in the CPRA at least two dozen times.) Furthermore, ensuring compliance with the ban on dark patterns will, at least potentially, affect critical aspects of the design of a business's online presence.
As a result, while the ban on dark patterns is a very small part of a very large and complex new statute, businesses that will be subject to the new law should pay careful attention to the rulemaking proceedings that will address this issue and should strongly consider participating in those proceedings to protect their interests. And when the rules are final, businesses will have to ensure that their lawyers, engineers, and user interface designers work together to ensure compliance.
1 Cal. Civ. Code § 1798.140(h) (emphasis added).
2 Cal. Civ. Code § 1798.140(l).
3 Cal. Civ. Code § 1798.185(a)(20)(C)(iii).
4 See, e.g., Lee v. Ticketmaster L.L.C., 817 Fed. Appx. 393 (9th Cir. 2020).