Dark Patterns, New Icons, and Paper Forms – What Companies Need to Know About the New CCPA Regulations
On Monday, March 15, 2021, the California Attorney General announced the approval of additional regulations aimed at bolstering and empowering data privacy protections under the California Consumer Privacy Act (“CCPA”).
Why are there new regulations?
The new regulations appear to be directed at companies that do not provide an easy path for consumers to understand their privacy rights and how to exercise them. Companies that have made it difficult for consumers to exercise their rights should take action – the Attorney General has made it clear that consumers should be able to exercise their rights without facing excessive or confusing obstacles.
What should companies do?
As with any new set of privacy regulations, businesses should first review their current privacy policies and practices to determine how these new regulations apply to them. Particularly, companies should review the ease of consumers’ interactions with their privacy options.
Here are a few potential options for addressing the new regulations, to be reviewed as companies take a fresh look at their privacy practices around consumer experience and access to privacy options:
- Stop Using “Dark Patterns”: While this term may be new to many, the practices it describes are not novel. Companies have been using them for a long time to try to keep customers from opting out of certain services and data collection. Dark patterns include any activities that:
  - May delay or obscure the process for opting out of the sale of personal information
  - Burden consumers with confusing language or unnecessary steps when opting out of sale of data or exercising privacy rights

  Examples of “dark patterns” include:
  - Forcing consumers to click through multiple screens
  - Listing reasons why consumers should not proceed with opting-out
  - Utilizing trick questions to obtain information the consumer does not intend to share
  - Disguising advertising as other content

  Where a company finds that it is engaging in the use of “dark patterns,” it must immediately take steps to end these practices. This will likely involve the engagement of several different information technology, web development, and information security teams along with the privacy team in order to make these required changes.
- Make Privacy Options Easier to Find: If a company finds, upon reviewing its websites, that some aspects of its privacy options are confusing or it is not clear where to find relevant information, it may want to consider simplifying the process for consumers. The new regulations’ recommended “Privacy Options” icon – a uniform visual representation of where consumers can find additional information about their privacy choices – may be an easy solution to highlight the privacy choices available to consumers.
- Update Processes for “Offline” Collection of Personal Information: Where a company is engaging in “offline” collection of personal information that can then be sold (including collection of personal information at brick-and-mortar businesses or over the phone), the company should create paper forms and/or signage at the location where the personal information is collected to alert consumers of the opt-out information available to them online. For businesses that collect personal information over the phone, this may include changing the scripts customer service representatives or others who interact with consumers use to provide notice of the right to opt-out to consumers directly during the call itself.
- Do Nothing: Some companies will find that they do not need to do anything! There is likely no need to change a company’s processes based on the new guidance if the company is:
  - Not selling any personal information
  - Selling personal information, but the opt-out mechanisms do not contain any “dark patterns,” confusing language, or unnecessary steps
  - Transparent on its website by highlighting privacy options available to consumers
  - Not collecting any personal information through “offline” methods
Other Updates to Note
It is important to note that the new regulations also provide clarity on what a business may require of the consumer or their authorized agent in order to provide proof of the authorized agent’s permission to submit a request to know or a request to delete under CCPA. The new regulations require the authorized agent to provide signed permission to submit the request whereas before the consumer was required to do so. This may also require companies to change their current consumer verification processes.
As always, if you have any questions about these new regulations or other CCPA or privacy-related issues, please do not hesitate to contact the Paul Hastings Data Privacy and Cybersecurity Solutions Group for assistance and support.