Key point: The CPRA and CPA introduce the concept of dark patterns into state consumer data privacy laws, although this area has come under increased attention recently with FTC enforcement actions and guidance, state attorneys general lawsuits, and class action litigation.
This is the seventh post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.
In this article, we analyze how each of these laws treats dark patterns. The CPRA and CPA both prohibit use of dark patterns to obtain consumer consent. The basic distinction between the CPRA and CPA is when they require consumer consent. The CPRA generally allows businesses to obtain consumer consent to circumvent certain consumer rights that have already been exercised. In comparison, the CPA requires consumer consent for the processing of sensitive data. The legal landscape will also likely continue to change and develop, as both laws may see additional rulemaking on this issue.
In contrast, the VCDPA does not directly address dark patterns, although, in theory, the state Attorney General could still regulate dark patterns through the law’s definition of consent.
Finally, while the concept of dark patterns is new for the CPRA and CPA, it must be understood in the context of Federal Trade Commission (FTC) enforcement and guidance, state attorneys general lawsuits, and class action litigation.
In the article below, we first consider what constitutes a dark pattern and the ongoing multi-layered enforcement regarding them. We then analyze the role of dark patterns in each of the three state privacy laws.
What are dark patterns?
At their core, dark patterns are a specific type of choice architecture in website and app design that interferes with user autonomy and choice. Dark patterns modify the presentation of choices available to users or manipulate the flow of information so that users make selections that they would not otherwise have chosen—to their own detriment and to the benefit of the website or app provider. Hallmarks of dark patterns include imposing asymmetric burdens to achieve competing choices, restricting the choices available at the same time (or at all), and hiding information or presenting information deceptively.
Dark patterns can exist when one option is more aesthetically prominent or attractive, or when the alternative is hidden or arduous to select. For example, a website may offer a popup with only a “yes” button, but leave out a “no” button and/or require more clicks to achieve the “no” option. Or, a button may have undesired consequences, as when closing a popup banner functions as acceptance rather than rejection.
Precise definition and regulation of dark patterns is still emerging. For example, researchers in recent years have proposed taxonomies of types and attributes of dark patterns and explored legal remedies to address them. Internationally, the European Data Protection Board recently adopted guidelines on dark patterns in social media platform interfaces. The guidelines “offer practical recommendations to designers and users of social media platforms on how to assess and avoid so-called ‘dark patterns’ in social media interfaces that infringe on GDPR requirements.”
In the United States, three areas of enforcement have emerged: federal FTC enforcement, state attorneys general lawsuits, and class action lawsuits.
On the federal level, in April 2021, the FTC invited comments and hosted a workshop on dark patterns and their particular harms to minors and marginalized populations. In October 2021, it released an enforcement policy statement signaling it would increase enforcement attention to use of “trick or trap” dark patterns, which “trick consumers into signing up for subscription programs or trap them when they try to cancel.” While the enforcement policy statement addresses a particular use of dark patterns, in “negative marketing options” where a term (like a subscription) will continue until the consumer takes affirmative action to cancel it, the statement and workshop lay the groundwork for a broader understanding of dark patterns as an unfair and deceptive practice under §5 and, depending on the circumstances, other consumer protection laws as well.
Further, the FTC has pursued settlements against companies for using tactics that renewed memberships without consent and misrepresented to consumers that rent-to-own payments cost the same as a full payment. An advocacy group also recently submitted a request to the FTC, asking it to investigate the difficulty of a company’s subscription cancellation in response to a consumer study on manipulative tactics used to keep a consumer enrolled when they try to cancel a free trial.
At the state level, state attorneys general from Texas, Washington DC, Indiana, and Washington state brought suit against a platform in January 2022, claiming that it uses dark patterns to pressure users to reveal additional location data, obstruct user efforts to decline location data collection, and render user attempts to withhold location data ineffective, all in violation of state consumer protection laws. For example, the Complaint filed by the District of Columbia claims that the use of dark patterns violates the District of Columbia’s Consumer Protection Procedures Act, which prohibits unfair and deceptive trade practices.
Finally, plaintiffs’ attorneys are increasingly bringing suit against use of dark patterns. One recent class action settlement challenged the free trial and auto-enrollment structure of a digital service. Plaintiffs alleged that the service only allowed users to cancel their account through a contact person and that the contact person often did not respond prior to the end of the free trial period or payment period, causing customers to be stuck in a costly auto-enrolled membership for months. Another settlement, back in 2015, arose out of a lawsuit challenging a company’s practice of collecting new members’ email contacts and sending emails that appeared to be from the new member, despite promising it would not email anyone without a member’s permission.
Against this backdrop, we turn to how the CPRA, CPA and VCDPA treat dark patterns.
California Privacy Rights Act (CPRA)
As a starting point, the California Consumer Privacy Act (CCPA) does not specifically address dark patterns; however, the concept did arise during the rulemaking process with respect to the right to opt out. Specifically, the Attorney General’s Final Statement of Reasons notes that CCPA Regulation § 999.315 was “added to require that a business’s methods to submit opt-out requests are easy for consumers to locate and use.” The Office stated that the addition was “necessary to avoid the possibility that some businesses may create confusing or complex mechanisms for consumers to exercise their rights under the CCPA. It would run counter to the intent of the CCPA if websites introduced choices that were unclear or, worse, employed deceptive dark patterns to undermine a consumer’s intended direction.”
The CPRA builds on that work by including dark patterns in the CPRA’s new definition of consent, stating “agreement obtained through use of dark patterns does not constitute consent.” The law defines “dark patterns” as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice, as further defined by regulation.”
Interestingly, while the definition of dark patterns states that it will be “further defined by regulation,” there is no specific topic in § 1798.185 (regulations) that states that the California Privacy Protection Agency (CPPA) must issue regulations on dark patterns. The phrase does come up once in § 1798.185, but in the context of the CPPA issuing rules allowing businesses to seek opt-in consent from users who use an opt-out signal. The regulation states that the link to the consent page cannot, among other things, “use any dark patterns.”
At the time of this article, the CPPA has yet to initiate formal rulemaking proceedings. However, in its Invitation for Preliminary Comments on Proposed Rulemaking, the CPPA indicated a willingness to promulgate regulations on dark patterns, listing it as a potential topic for rulemaking.
Given that the CPRA ties dark patterns to its definition of consent, the ultimate operational impact of the CPRA on this issue must be analyzed with respect to how the CPRA approaches consumer consent. The CPRA generally uses consent as a mechanism for businesses to circumvent consumer requests. For example, as discussed in our article on opt-out signals, if a consumer exercises an opt-out right, a business may seek consumer consent to circumvent that choice. As a result, dark patterns are most at play in the CPRA when a business wants to restore collection or use of a consumer’s data after the consumer has exercised a right, not for collection or use of personal information before a consumer has opted out. The exception to this is children’s rights, since the CPRA requires affirmative parental consent for collection of such personal information.
Colorado Privacy Act (CPA)
Dark patterns arguably play a more prominent role in the CPA. Like the CPRA, the CPA’s definition of consent specifically excludes “agreement obtained through dark patterns.” The term “dark patterns” is itself defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.”
The prohibition on use of dark patterns in obtaining consent is arguably more significant in the CPA because the CPA requires consent for collection of sensitive data, which includes several specific categories of data as well as personal data from a known child. (For a closer look at sensitive data, see our prior article examining its application in all three state privacy laws.) As a result, any controller that collects sensitive data in Colorado will be required to comply with this provision and any additional regulations regarding dark patterns.
Finally, in prepared remarks on Privacy Day, the Colorado Attorney General specifically called out dark patterns as a potential topic for its permissive rulemaking activities. As a result, organizations may see both the CPPA and Colorado Attorney General’s office issue regulations on this topic in the coming months.
Virginia Consumer Data Protection Act (VCDPA)
The VCDPA does not specifically address dark patterns. It also does not allow for Attorney General rulemaking on this or any topic. However, the Virginia Attorney General’s office could still, theoretically, use the VCDPA’s definition of consent to challenge use of dark patterns. The fact that the VCDPA’s definition does not specifically call out dark patterns does not mean that dark patterns are not otherwise prohibited under the law. This would be similar to how state attorneys general are using general consumer protection laws to litigate this issue.
Consequence of the Variations
Dark patterns remain an area of compliance that is in its early stages, meaning that organizations will need to consistently reevaluate what laws, regulations, and standards apply and whether their website design complies with them. Due to the differing application of consent in the CPRA and CPA, organizations may be subject to dark pattern regulation in some instances under the CPA, but not under the CPRA. For both laws, rulemaking could bring new regulations and compliance obligations, and should be watched closely.
More broadly, however, dark patterns are a recent area of attention in a growing body of law with a clear, holistic prohibition on manipulating consumers on websites or apps. Increasing enforcement attention at all levels means organizations should broadly track the various areas where regulation of dark patterns is developing. Whether under state privacy laws, FTC enforcement and guidance, attorney general lawsuits, or private litigation brought under existing state consumer protection laws and common law, a growing consensus emphasizes proper website design and compliance with emerging standards.