Note: None of the below should be considered legal advice.
In a recent blog post, we defined what dark patterns are: user interfaces designed to misdirect or force users into doing things they might not otherwise do, such as subscribing to a recurring service or giving up on canceling an account because a website is intentionally confusing for users to navigate. Dark patterns exist to drive sales, conversions, and other business goals at the expense of the user (and long-term company performance).
Until recently, the main deterrents keeping marketers and product managers from using dark patterns were the risks of public shaming and brand damage. Following a recent update to the California Consumer Privacy Act of 2018 (CCPA), we’re seeing more overlap in what’s ethically right and what’s legally required in terms of design and digital experiences.
Below, we’re going to unpack what these updates mean for CCPA compliance, web design best practices, and your conversion rates.
The CCPA applies to companies that sell consumer data, and is meant to give consumers more control over the personal information that businesses collect about them. This law secures privacy rights for California consumers, whether the business they interact with is based in California or not. Most US states and the Federal Government are expected to follow suit according to legal experts. Similar to the EU General Data Protection Regulation (GDPR), this localized regulation is de facto a global one. Unlike GDPR, CCPA relates to opt-out policies rather than opt-in policies.
The CCPA includes the following consumer rights, as stated on the State of California Department of Justice website:
The CCPA regulations provide clearer insight into how businesses are expected to implement privacy laws.
To an extent, yes. On March 15, 2021, four additional regulations related to the CCPA were approved to go into effect immediately. These regulations include explicit prohibitions around deceitful user interfaces (Section 999.315(h) of the new CCPA regulations) when the user exercises their CCPA right to opt out of the sale of their personal information.
With regard to opt-out policies, Section 999.315(h) states that, “A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.”
Sound familiar? That’s because it’s essentially describing a dark pattern, verbatim. The regulations address dark patterns and manipulative UX elsewhere, as well.
Remember that dark patterns are user experiences that take advantage of design principles to manipulate the user into taking an action they might not otherwise have taken. Read more about dark patterns.
CCPA regulations begin to address UI and UX design more specifically in Section 999.306. This section provides examples of how a business that sells consumers’ personal information (PI) and interacts with consumers offline should provide notice of the right to opt-out and instructions on how to do so.
For example, Section 999.306(f) provides a recognizable opt-out icon that has been tested and approved for use across platforms. This provides some UI direction for what an acceptable opt-out method can look like.
With the increase in legislation around data privacy from the CCPA, companies have been looking for creative ways to reduce any impact on data quantity or quality. To disincentivize the dark patterns used to reduce user opt-outs, additional CCPA regulations now directly prohibit some common dark patterns.
Section 999.315 of the regulations specifically addresses dark patterns and reiterates that the methods provided for users to opt out of the sale of their personal information must be easy and not designed to discourage opt-out.
This type of language provides a lot of room for interpretation, so the regulation attempts to provide a little more clarity through the following examples:
These examples provided in the regulations are also examples of the following textbook dark patterns:
Sometimes, these tricks succeed in coercing users into doing exactly what the business intends with no real backlash. However, dark patterns range from slightly annoying to deal-breaking when it comes to the possibility of a customer making a future purchase. Unfortunately, that risk is often not enough to discourage businesses from employing dark patterns. The updated CCPA regulations mean that unethical behavior of this type can get companies into legal trouble as well.
Here are some concrete steps you can take to make sure you’re not violating CCPA. Some of these apply to GDPR compliance, as well.
As laws stipulate requirements for things like opt-out policies that arguably impact the user experience (raise your hand if you’re tired of cookie consent pop-ups), companies will try to work around them. Some of these workarounds will be harmful to the user, and eventually, as in the case of the recent CCPA regulations addressing dark patterns, they will be regulated. But that’s rarely the end of the story. It won’t be long until we see another set of dark patterns that help companies slide around the latest CCPA regulations. This situation is an example of adversarial co-evolution between innovation and regulation.
We believe that helping users effectively manage their data is one part of building a strong customer experience.
Addressing consent and privacy is critical, and we need to bring it to the forefront of the discussion on user experience design, not treat it as an afterthought. As consumers ourselves, and as the creators of these platforms, we must continue to demand that more transparency be built into all applications and devices.
ADK is here to help you navigate and integrate good design with the data privacy protection requirements of the CCPA and beyond. We’ll help you clarify your legal obligations and help ensure your compliance will lead to better user experiences and stronger engagement. Email our team; our privacy protection-savvy developers, designers, and strategists will be happy to assist.