Proposed CPRA Rules

Proposed CPRA Rules and ‘Dark Patterns’: Data Privacy Trends

Hard to believe that the California Privacy Rights Act (CPRA) is going into effect in about six months. A list of proposed CPRA rules released by California offers a hint at where privacy trends might be headed.

As discussed in Legaltech News® (Proposed CPRA Rules Show ‘Dark Patterns’ a Growing Focus for State Privacy Laws, written by Isha Marathe), the five draft provisions the California Privacy Protection Agency released on May 28 include mandatory global privacy controls, broad enforcement authority, and enhanced expectations to prevent dark patterns, among other issues.

What are “dark patterns”, you say?

The term “dark patterns” describes a web or digital interface that “has the effect of substantially subverting or impairing user autonomy, decision-making, or choice, regardless of the business’s intent,” according to the draft text. Essentially, a “dark pattern” is an online marketing technique that tricks or subtly coerces a user for the benefit of the business. In the case of data privacy, it could mean having to search for hidden opt-in or opt-out buttons or spending a long time to find data request pathways tucked away at the bottom of the webpage, for instance.

The draft provisions seek to ban any web design that might interfere with a user’s ability to make clear decisions about their data.

As the author notes, “draft” is the operative word, and the text will likely go through several revisions subject to public comments before enforcement. As of now, however, privacy attorneys say most companies will have to get their web designers and legal departments together to begin adjusting web and app interfaces to avoid violating regulations around dark patterns given that other states are likely to follow suit.

According to the draft proposed CPRA rules, businesses will need to take into account five measures regarding their web and app interfaces to avoid dark patterns. Those include: ease in use of language; ensuring that the same amount of time is taken to choose a less privacy-protective option as the more privacy-protective one; avoiding elements and language that is confusing; avoiding manipulative language; and ease of execution to submit a data subject access request (DSAR).


The article has reactions from a couple of experts regarding the draft proposed CPRA rules and how restrictive they are regarding dark patterns (very much so), among other things. Check it out here.

So, what do you think? Is your organization prepared for CPRA? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

One comment

  1. Doug, thanks for this. We need to take this very seriously. As a lifelong California resident, I’ve recently witnessed state agencies aggressively interpreting legislation.

Leave a Reply