“SORRY TO SEE YOU GO” - CCPA IS NOT

By Yogesh Verma | Columnist, July 5, 2021

"We are sorry to see you go. Help us improve the program by answering the survey below." Sound familiar? This is one example of using "dark patterns," which we as customers have become so accustomed to, that we don't even realize what’s behind it. In fact, this is a classic example of consumer manipulation.

On March 15, 2021, new regulations were added and passed under the CCPA (California Consumer Privacy Act) that prohibit the use of dark patterns. California Attorney General Xavier Becerra announced these additional regulations in a press release.

"California is at the cutting edge of online privacy protection, and this newest approval by OAL clears even more hurdles in empowering consumers to exercise their rights under the California Consumer Privacy Act,” said Attorney General Becerra. “These protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights. The regulations include an eye-catching Privacy Options icon that guides consumers to where they can opt-out of the sale of their personal information.”


Source: https://bit.ly/3xJC49h

Dark Patterns

So, what are dark patterns? Simply put, they are requests for private data often misperceived as smart marketing design features. Their intent is to deceive or impact user behavior in a way that’s profitable to the marketers or owners of the product/website.

Dark patterns are insidious and are frequently used in the design of web pages, lightboxes and unsubscribe links.

I am sure you have noticed that the unsubscribe link is always hidden at the bottom of the email or page, presented in the smallest possible legible font. Well, that is a dark pattern intended to make it as difficult as possible for the reader to find a path to opt out.

How often do you have to provide your PII (personally identifiable information), like your email address, to confirm your intent to unsubscribe? Yet again, that is an example of a dark pattern.

CCPA Amended Regulations

The newly amended and approved CCPA regulations do not fully ban all uses of dark patterns, but are definitely a step in the right direction. The regulations offer some examples of dark patterns, such as:

  1. Usage of confusing language like double negatives ("Don't not sell my personal information")
  2. Mandating that users must click through multiple screens and read content explaining why they shouldn't opt out
  3. Requiring users to "search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out."

Source: https://oag.ca.gov/system/files/attachments/press-docs/CCPA%20March%2015%20Regs.pdf

The new regulation also provides businesses with an optional “Privacy Options” icon. The blue icon was designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information and tested against other icons to determine the best design for communicating the privacy choices available to consumers.

This will be an easy and universal way for users to find the opt-out function.


Source: https://oag.ca.gov/system/files/attachments/press-docs/CCPA-Privacy-Options-icon.png

How does it impact the current environment?

We often hear the expression, “Ignorance is bliss,” but that’s not true in this case. While companies are currently struggling to implement the law successfully, new regulations are adding to the overall burden. This constant state of change can make it challenging for companies to reach full compliance either quickly or easily. However, any company collecting information from California users needs to comply with this law and all its amendments. The law requires companies to go through all the web assets they own and carefully review them with editors, designers and legal teams to determine what modifications, if any, are required to remediate dark patterns. This also applies to email communications sent to users by the company.

What it means to businesses

As per Section 999.315 - Requests to Opt-Out, “A business shall comply with a request to opt-out as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.” Businesses found to be noncompliant with the CCPA will receive a ‘notice to cure’ that provides a 30-day window to remedy their noncompliance.

It is encouraging to see how California’s administration is noticing the discomfort and acknowledging the privacy rights of end users. If a user is intent on unsubscribing, then their decision needs to be respected without any questions or gimmicks.

What does the future hold?

State-level momentum for comprehensive privacy bills is at an all-time high after the CCPA passed in 2018. Currently 8 states are actively working on or have already passed consumer privacy legislation. These laws are here to stay and will become even more stringent. For companies to continue providing services that require user data collection, it is important for them to allocate an appropriate budget for investing in privacy and compliance assurance.

We can help

At ENTRADA, we have been experts in healthcare privacy and compliance regulations for over 15 years. The extent of these regulations and the frequency of modifications can be overwhelming. Let us help you navigate these rough waters by doing a CCPA gap analysis and implementing remediation to achieve compliance. Drop us a note at complianceconsult@thinkentrada.com

Interested in hearing more? Reach us at info@thinkentrada.com