Skip to Main Content

Note: None of the below should be considered legal advice. 

In a recent blog post, we defined what dark patterns are–user interfaces designed to misdirect or force users into doing things they might not otherwise do, such as subscribing to a recurring service or giving up on canceling an account because a website is intentionally confusing for users to navigate. Dark patterns exist to drive sales, conversions, and other business goals at the expense of the user (and long-term company performance).

Until recently, the main deterrents keeping marketers and product managers from using dark patterns were the risks of public shaming and brand damage. Following a recent update to the California Consumer Privacy Act of 2018 (CCPA), we’re seeing more overlap in what’s ethically right and what’s legally required in terms of design and digital experiences.

Below, we’re going to unpack what these updates mean for CCPA compliance, web design best practices, and your conversion rates.

What is the California Consumer Privacy Act?

The CCPA applies to companies that sell consumer data, and is meant to give consumers more control over the personal information that businesses collect about them. This law secures privacy rights for California consumers, whether the business they interact with is based in California or not. Most US states and the Federal Government are expected to follow suit according to legal experts. Similar to the EU General Data Protection Regulation (GDPR), this localized regulation is de facto a global one. Unlike GDPR, CCPA relates to opt-out policies rather than opt-in policies.

The CCPA includes the following consumer rights, as stated on the State of California Department of Justice website:

  • The right to know about the personal information a business collects about them and how it is used and shared
  • The right to delete personal information collected from them (with some exceptions)
  • The right to opt-out of the sale of their personal information
  • The right to non-discrimination for exercising their CCPA rights.

Additionally, businesses are required to explain what types of customer data they’re collecting and how that data is being used. This must be explained in a written privacy policy statement and before the data actually gets collected–contributing to the recent spike in pop-ups, notification bars, takeovers, and other prompts asking you to agree to accept tracking cookies.

The CCPA regulations provide clearer insight into how businesses are expected to implement privacy laws.

Does the CCPA Ban Dark Patterns?

To an extent, yes. On March 15, 2021, four additional regulations related to the CCPA were approved to go into effect immediately. These regulations include explicit prohibitions around deceitful user interfaces (Section 999.315h of the new CCPA regulations) when the user exercises their CCPA right to opt-out from the sale of their personal information.

In regards to opt-out policies, Section 999.315h states that, “A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.”

Sound familiar? That’s because it’s essentially describing a dark pattern, verbatim. The regulations address dark patterns and manipulative UX elsewhere, as well.

Remember that dark patterns are user experiences that take advantage of design principles to manipulate the user into taking an action they might not have otherwise done. Read more about dark patterns.

CCPA regulations begin to address UI and UX design more specifically in Section 999.306. This section provides examples of how a business that sells consumers’ personal information (PI) and interacts with consumers offline should provide notice of the right to opt-out and instructions on how to do so.

For example, Section 999.306(f), provides a recognizable opt-out icon that has been tested and approved for use across platforms. This provides some UI direction for what an acceptable opt-out method can look like.


With the increase in legislation around data privacy from the CCPA, companies have been looking for creative ways to reduce any impact on data quantity or quality. In an effort to disincentivize dark patterns used to reduce opt-outs from users, the CCPA has added additional regulations directly prohibiting some common dark patterns.

Request To Opt-Out

Section 999.315 of the regulations specifically address dark patterns and reiterates that the methods provided for users to opt-out of the sale of their personal information must be easy and not designed to discourage opt-out.

This type of language provides a lot of room for interpretation, so the regulation attempts to provide a little more clarity through the following examples:

  • There cannot be more steps to opt-out than there are to opt-in.
  • The process cannot include messages describing the reasons why opt-out should not be exercised.
  • The language must be clear and without tactics like double negatives.
  • Consumers cannot be required to scroll through lengthy text, like a privacy policy, to locate the opt-out mechanism.

These examples provided in the regulations are also examples of the following textbook dark patterns:

  • The roach motel, which makes it very easy to get into a situation, but very difficult to get out of it.
  • Confirmshaming, which makes the language around opting out overtly negative; essentially, guilting users into not opting out.
  • Trick questions, which makes the language intentionally confusing to decrease the likelihood a user opts out.
  • Misdirection, which de-emphasizes options that are bad for the business, while options that are good for the business are overly emphasized.

Sometimes, these tricks succeed in coercing users into doing exactly what the business intends with no real backlash. However, dark patterns range from being slightly annoying to deal-breaking when it comes to the possibility of a customer making a future purchase. Unfortunately, the gamble is often not enough to discourage businesses from employing dark patterns. The updated CCPA regulations make it so that unethical behavior of this type can get companies into legal trouble as well.

How to Make Your Opt-Out Policy CCPA Compliant

Here are some concrete steps you can take to make sure you’re not violating CCPA. Some of these apply to GDPR compliance, as well.

  • Decouple the on-boarding process for devices and applications from the consent process. The consent process should include clear, straightforward language.
  • Visually display equally weighted opt-in and opt-out options on pages that involve providing consent to data collection, use, and sharing. The option to opt-out should be designed to be clearly accessible to consumers, including those with disabilities.
  • Consumers feel uneasy about privacy and want to have control over their personal data. Include an option for customers to say “no” to giving up their personal data, as consumers have the right to opt-out to the sale of their data at any time under CCPA regulations.
  • Keep in mind that while coercing “consent” for lucrative data bundling may constitute a temporary win, public distrust of your platform will outweigh any gains from unethical design.

What’s Next?

As laws stipulate requirements for things like opt-out policies that arguably impact the user experience (raise your hand if you’re tired of cookie consent pop-ups), companies will try to work around that. Some of these accommodations will be harmful to the user, and eventually, like in the case of recent regulations in CCPA addressing dark patterns, they will be regulated. But that’s rarely the end of the story. It won’t be long until we see another set of dark patterns that help companies slide around the latest CCPA regulations. This situation is an example of adversarial co-evolution between innovation and regulation.

So What Should You Do?

We believe that helping users effectively manage their data is one part of building a strong customer experience.

Addressing consent and privacy is critical, and we need to bring it to the forefront of the discussion on user experience design–not as an afterthought. As consumers ourselves, and as the creators of these platforms, we must continue to demand that more transparency be built into all applications and devices.

ADK is here to help you navigate and integrate good design with the data privacy protection requirements of the CCPA and beyond. We’ll help you clarify your legal obligations and help ensure your compliance will lead to better user experiences and stronger engagement. Email our team of privacy protection-savvy developers, designers, and strategists will be happy to assist.