On March 15, amendments to the California Consumer Privacy Act (CCPA) banned companies from using “dark patterns” that confuse or delay consumers trying to opt out of the sale of their personal information.
Online businesses that sell the personal information of consumers must exhibit a “Do Not Sell My Personal Information” link on their website homepage and notify consumers of their right to opt out. Consumers must be able to opt out in a manner that is easy to execute and requires minimal steps. A business may not use “dark patterns” (methods designed with the purpose or effect of impairing a consumer’s choice to opt out), including:
- Using confusing language when providing customers the choice to opt out;
- Requiring consumer to click through or listen to reasons why they should not opt out; and
- Requiring consumers to provide personal information not necessary to opt out.
California Attorney General Xavier Becerra announced the new regulations in a press release and stated that “[t]hese protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights.”
Research conducted in 2019 found that about one in 10 websites employed dark patterns. Businesses found to be out of compliance with the new CCPA regulations will receive a “notice to cure” and 30 days to remedy such noncompliance. The Office of the Attorney General stated that since CCPA enforcement began in July 2020, the California Department of Justice has seen widespread compliance by companies doing business in California, especially in response to notices to cure.
As a result of COVID-19-related stay-at-home orders, social distancing and working from home, the drastic increase in e-commerce over the last year makes it especially important for companies to stay abreast of consumer privacy regulations when conducting business online. The CCPA was passed in 2018 as one of the most robust data privacy laws in the country. It grants California consumers the right to know, delete and opt out of the sale of personal information; giving them greater control over how their personal information is collected, used and shared.
More recently, on March 17, the board members of the new California Privacy Protection Agency were named. This agency is charged with enforcing the CCPA as well as the California Privacy Rights Act (CPRA), which will go live in 2023. As part of its intended responsibilities, the new agency will take over for the attorney general and put into effect regulations interpreting both the CCPA and CPRA. The forthcoming regulations are said to be broader in scope than the existing attorney general regulations implementing the CCPA and must be finalized by July 1, 2022. For example, the regulations are expected to address opt-outs for advertising, opt-outs for automated decision-making technologies, and additional restrictions on dark patterns.
In today’s world where an online presence is critical for many businesses and the general public is becoming more reliant on the safety and security of the internet, states are more inclined to protect the privacy interests of their constituents. Internet regulatory agencies and the ever-evolving restrictions imposed on companies are undoubtedly worth watching as society continues adjusting to life online.