Last fall, California voters approved Proposition 24, thereby enacting the California Consumer Privacy Rights Act (CPRA). As DWT noted the day after the election, “CPRA amends the California Consumer Privacy Act (CCPA) in subtle and significant ways ….”
One “subtle and significant” effect of the new law (when it ultimately takes effect) will be to limit the use of so-called “dark patterns”—user interface designs that subvert or distort consumers’ ability to clearly understand data collection and sharing—and truly give informed consent.
Dark patterns gained notoriety in privacy policy circles in June 2018 when the term was featured prominently in a European report called “Deceived by Design.” That report defined “dark patterns” as:
[T]echniques and features of interface design meant to manipulate users [and] to nudge [them] towards privacy intrusive options[, including] privacy intrusive default settings, misleading wording, giving users an illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy friendly option requires more effort for the users.
The report tried to demonstrate that several major online entities were using dark patterns to obtain user consent to collect and use personal information.
The idea (though not the term) made its appearance in the United States in April 2019, in the Deceptive Experiences to Online Users Reduction Act (DETOUR Act) introduced by Senators Mark Warner (D-VA) and Joni Ernst (R-IA). As DWT explained when that bill was introduced, it would have made it unlawful for large online operators “to design, modify, or manipulate a user interface with the purpose or substantial effect of obscuring, subverting, or impairing user autonomy, decision-making, or choice to obtain consent or user data.”
But—like most federal privacy law efforts—the DETOUR Act went nowhere.