California dreaming? Dark patterns outlawed in data sale opt-outs

Richi Jennings, Industry analyst and editor, RJAssociates
 

California has added new regulations to the CCPA—the state’s Consumer Privacy Act. It now prohibits dark patterns that prevent users opting out of having their personal data sold.

Dark patterns, a term coined a decade ago, continue to be a huge problem for consumers when they try to navigate the murky world of data privacy. (Harry Brignull’s phrase describes a user experience that’s deliberately confusing, hidden, or broken.)

But will the tweaked law work? Opinions are divided—and in Security Blogwatch, that’s exactly how we like it.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Roach Motels and so on.

Switch on the light

What’s the craic? Brianna Provenzano reports—California Passes New Regulation Banning 'Dark Patterns':

Imagine you’re navigating a website or watching an in-app ad when you’re suddenly redirected to a subscription page, even though you have no interest in whatever product is being marketed at you. Such tactics are … more widespread than you’d imagine, and banning them under the CCPA is a step towards ensuring that consumers are protected from deceptive business practices.

As it’s written, the legislation currently grants consumers greater control over how the personal information that businesses collect about them is used and shared, and also allows them to delete or opt out of the sale of their personal information in most instances. … The new regulations will also institute the use of a new Privacy Options icon, which internet consumers can use as a visual cue to opt-out.

And James Vincent adds—California bans ‘dark patterns’:

If you’ve ever struggled through a maze of online customer service to cancel a subscription or delete an account, you’ve likely encountered “dark patterns.” … The CCPA gives Californians the right “to say no to the sale of personal information,” but the state government is evidently worried that these options will be buried under byzantine menus.

[It’s] one of the toughest consumer privacy laws in the US. … Businesses found not to be in compliance with the CCPA are sent a “notice to cure,” giving them a 30-day window to amend their services.

Sez who? California AG Xavier Becerra “says” words written for him by faceless PR goons—Additional Regulations That Empower Data Privacy:

California is at the cutting edge of online privacy protection. … This newest approval by OAL clears even more hurdles in empowering consumers to exercise their rights under the [CCPA].

These protections ensure that consumers will not be confused or misled when seeking to exercise their … rights. The regulations include an eye-catching Privacy Options icon that guides consumers to where they can opt-out of the sale of their personal information.

Sound good to you? Joce640k should be enough for anybody: [You’re fired—Ed.]

We're getting there, gradually. [But] let's see how long it takes the web sites to figure out ways to subvert this new law.

Duck and discover. Dutch Gun shoots from the tulip:

Sometimes I poke a bit of fun at California for their legislation (like their "everything under the sun causes cancer" labels). But on occasion, they're ahead of the curve.

California was one of the first to ban companies from requiring you to call a person on the phone in order to cancel a service that you can sign up for online. That's of course super scummy behavior, and deliberately designed to pressure you into NOT canceling.

This seems like the same sort of thing: A ban on scummy behavior that companies do, simply because they're allowed to get away with it.

But random5634 is as mad as hell and not gonna take it any more:

Govt has probably forever burnt their credibility in this space. … Everyone has now been trained to click accept / accept all / OK or whatever on all these pop-ups.

If I don't want you to track me using cookies I will clear them, block them or isolate them on MY machine. This doesn't require tons of click throughs.

The amount of time wasted on these nightmares—the number of clicks, the horrible impact on user experience—is crazy. Govt really can't seem to get this stuff right—it's mind boggling.

Likewise, KinjaKungen is all, like, meh, whatever:

While a law like this is absolutely in the interest of “consumers” (in of itself a demeaning descriptor intended to take agency away from people), it seems to me at least it will probably be a nightmare to enforce.

And dip your chips in devoutsalsa:

Eventually there will be so much regulation, the only thing you'll be able to post online without violating the law is public domain picture of a brick, and you'll still get a shakedown letter from Getty Images.

Meanwhile, rossdee offers this anti-pattern:

Can you fool them by running your browser in Dark Mode?

The moral of the story?

If you have California users, get ahead of this new regulation.

And finally

Harry Brignull coined the phrase in 2010

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Jon Tyson (via Unsplash)
