Private lawsuits under the CCPA may become more common. Find out how courts have been interpreting a key provision of California's privacy law.
The California Privacy Protection Agency (CPPA) has given another glimpse into its enforcement priorities. On September 4, 2024, the CPPA released its second enforcement advisory, this time on the subject of dark patterns.
A dark pattern is a “user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice.” Common examples include asymmetry in button design, such as making the “accept” button larger or more brightly colored, and confusing language such as double negatives. For more information on dark patterns, read our article on creating a compliant cookie-consent banner.
Under the California Consumer Privacy Act and most other data privacy laws, consent collected via a dark pattern is not considered valid. Further, businesses are prohibited from using dark patterns that interfere with consumers’ ability to submit privacy requests.
Michael Macko, the CPPA’s Deputy Director of Enforcement, emphasized that “dark patterns aren’t about intent, they’re about effect.” The Agency doesn’t have to prove that a business intended to create a dark pattern, it just has to prove that the dark pattern exists and has the effect of subverting or impairing consumers’ privacy rights.
Macko has previously stated that enforcement advisories such as this one will be taken into consideration when determining how lenient the Agency is in its enforcement. That is, if the CPPA has issued an advisory on a certain topic, businesses are considered to be on notice and failure to take any action may lead to harsher punishment.
With that in mind, dark patterns should be high on the list of things to check for in your organization's privacy compliance.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.