California outlaws wording, webpage buttons designed to hoodwink people into handing over their personal data

California’s Attorney General has updated the state's data privacy regulations to outlaw shady semantics designed to confuse folks into handing over their data. In an update to August's California Consumer Privacy Act (CCPA), the rules have now changed again. The modifications deal with so-called dark patterns, where tech …

  1. Blackjack Silver badge

    So.. how does that even work?

    Do you have to have tracking allowed so the site knows you are in California so they give you special treatment?

    1. diodesign (Written by Reg staff) Silver badge

      "how does that even work?"

      When you opt-out, your browser stores a cookie that simply means 'i opt out'. When the cookie is presented, the website should act accordingly.

      Deleting cookies or blocking them means you lose your 'i've opted out' cookie.

      C.

      1. NetBlackOps

        Re: "how does that even work?"

        Yep, in California here and given cookies are wiped for most places, not here of course, I'm constantly having to go through the hoops.

        1. bombastic bob Silver badge

          Re: "how does that even work?"

          NOTE: I believe tracking should be opt-in only, above board, and you should be able to view it and manage it yourself on the tracker's web site, but I doubt any legislation will really help, so I use my own mitigations anyway. it doesn't mean I won't support such legislation, I just don't have any hope in it. That being said...

          For anything other than simple web surfing (including El Reg) I have a special non-priv logon that I use, and the browsers that I run get their caches and history dumped, every time.

          Firefox is simple, just tell it to delete history on exit.

          Chrome is not so simple, but works better with CAPTCHA [firefox fails a lot for some reason, probably by design] but you can run a script to wipe out everything in the following directories to clear chrome's cache:

          rm -rf ~/.cache/chromium/Default/*

          rm -rf ~/.config/chromium/BrowserMetrics*/*

          etc. - there are others, too - my script is pretty long, and rather thorough

          But as a hint, there are many files in ~/.config/chromium/Default/ that are created by chrome and if you wipe them out, they just re-appear. Some of them have persistent "things" in them. YMMV.

          In any case, getting a handle on how to purge your cache and history (while keeping any important settings 'intact') might make a topic of its own someplace. In the meantime you can experiment a bit.

          What's good about using Linux or FreeBSD: if you set your X server up to allow connections to localhost via the DISPLAY environment variable, you can use a shell to log in to a very unprivileged user account, then run firefox or chromium on the current desktop by setting DISPLAY via 'export' (or similar), and be in a COMPLETELY different user context. It works for video playback, too. Then when you are done, wipe away ALL history. Hard to track you with NO history, NO cookies, NO persistent data, yadda yadda. Other settings like 'private browsing' and whatnot can't hurt, either. And of course THIS would be for any site where script is unavoidable, like the DMV or certain electronics parts retailers that I can't avoid using.

          Worth pointing out, Windows 7 had 'run as' which could be used in a similar way, so that you have a special user context JUST for web surfing that really doesn't do anything else... and you can auto-delete history and cache and so on with no consequence to YOU.

          But... if you EVER log into certain sites, that 'icon' on half the pages you visit is part of their tracking. Its very presence probably tracked you opening up that web page... unless you do NOT have login information stored in a cookie [which is where purging the persistent data comes into play]. So if you did use FB or twitter or reddit or google login, you'd do that from the "web surfing only" user account, or maybe even a special "FB only" user account, and "flush" when you're done, so they don't know it's you.

          and for everything else, on your 'normal surfing' user account, you NEVER log into google, FB, twitter, reddit, or ANY of those other "they will track you" web sites.
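The two halves of the procedure described in the comment above (purge a browser profile's history and cookies while keeping its settings file, and launch the browser as a separate low-privilege user on the current X display), as an added example that is not the commenter's own script. It assumes a local user named websurf exists and can be reached with sudo, that DISPLAY is set, and that the list of files to purge matches the profile layout on the machine; the names used are an assumption, not a complete inventory.

```shell
#!/bin/sh
# Added example, not from the original comment.

purge_profile() {
    # $1 = profile directory (e.g. ~/.config/chromium/Default or a Firefox profile).
    # Removes history, cookies and site-writable storage, and deliberately leaves
    # the settings files (Chromium "Preferences", Firefox "prefs.js") in place.
    profile="$1"
    [ -d "$profile" ] || { echo "no such profile: $profile" >&2; return 1; }
    # Relative paths that hold persistent identifiers; an assumption about the
    # layout of Chromium and Firefox profiles, extend as needed.
    for rel in History History-journal Cookies Cookies-journal \
               "Local Storage" "Session Storage" "Service Worker" "Code Cache" \
               places.sqlite cookies.sqlite sessionstore-backups; do
        rm -rf -- "$profile/$rel"
    done
    # Show what survived so it is obvious the settings are still there.
    ls -1 "$profile"
}

purge_cache() {
    # $1 = cache root (e.g. ~/.cache/chromium or ~/.cache/mozilla); wiped whole.
    [ -d "$1" ] || return 0
    rm -rf -- "$1"/*
}

run_as_websurf() {
    # Launch a browser in a separate user context on this X display.
    # xhost +SI:localuser:<user> grants only that local user access to the
    # display (no network exposure); DISPLAY is passed through sudo explicitly.
    browser="${1:-chromium}"
    [ $# -gt 0 ] && shift
    xhost +SI:localuser:websurf >/dev/null
    sudo -u websurf -H env DISPLAY="$DISPLAY" "$browser" "$@"
    status=$?
    xhost -SI:localuser:websurf >/dev/null
    return $status
}
```

A typical session is `run_as_websurf chromium`, followed on exit by `purge_profile` and `purge_cache` run as the websurf user against that account's own profile and cache directories.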

      2. alain williams Silver badge

        Re: "how does that even work?"

        So it is broken from the outset. It should be opt in - ie user data only once the web site has got permission.

        I suspect that we will see games played along the lines of "Last week you opted out for purposes x, y, z. This week we are doing a, b, c and you need to opt out of that separately."

  2. RockBurner

    To be frank, any site that has more than 3 clicks to opt-out of the data gathering/cookie storing options simply doesn't get looked at.

    The old 'rule of thumb' for any website was 'no more than 3 clicks to find the information the user wants'; it seems that has fallen completely by the wayside now that users are the product.

    1. Boothy

      Quote: "To be frank, any site that has more than 3 clicks to opt-out of the data gathering/cookie storing options simply doesn't get looked at."

      Yup.

      Also any site that when selecting opt-out, tells you to change your browser settings to manage the cookies.

      Any site that disables content unless you opt back in (such as RockPaperShotgun).

      Or sites that have a single opt-in button, but then an opt-out window where you have to scroll down a list and individually opt-out of every single service/3rd party one at a time!

  3. John Jennings

    just do it right and once every 20 years

    A federal GDPR type would be good. It's going to get more difficult to do business in the US. Not because of CCPA - rather because we already have 3 states with slightly different regulations - California, Maine and Nevada - and around 12 more with legislation in state senates.

    Add to that States like Mass which has data protection but no real privacy laws and things get more complicated still.

    Further, most states create laws specific to a technology - so today it's the browser - but not necessarily other methods of trawling data - for example, IOT or PAPER..

    The one thing that's clear about the GDPR are the underlying principles - it doesn't go into much detail on the implementation on purpose - it's system agnostic

    1. Wade Burchette

      Re: just do it right and once every 20 years

      A federal legislation. That ain't going to happen. 9 out of the 10 richest counties are in the Washington D.C. metro area. The United States has the best government money can buy. When was the last politician you saw who left office poorer than when he arrived?

      You don't bite the hand that feeds you, so these greedy, selfish politicians will only generate a powerful privacy law if, and only if, it threatens their re-election hopes. There will be no large-scale public outcry over privacy that would threaten their re-election fetish, so these greedy, selfish politicians will not do anything about that. Especially since Facebook and Google just generously "donated" a large amount of money. And no future politician will win on the platform "I kept your personal information away from Google!"

  4. Potemkine! Silver badge

    to make sure they get the maximum allowable privacy.

    First step: delete your facebook account. It's not enough but that's a start.

    1. Charles 9

      And if that's not an option due to communications requirements?

      1. Jimmy2Cows Silver badge

        What kind of dumb shortsighted lazy communications requirements could possibly require one to have a Facebook account?

        1. Aussie Doc

          I run a business whose demographic is young mums with toddlers/pre-schoolers or mature (grandparents).

          I rely on Facebook because that's where they are.

          I can control what the Zuk gets to know about me personally but there are plenty of small, home based businesses in the same boat.

          I don't like FB nor do I like doing business on my (rooted) phone but that's where my demographics live - they don't 'do the interwebtubes' because they use facebook instead - that's how they view 'tech'.

          Just because we commantards here are all high and mighty and 'hates the faecesbook' or whatever other childish chant, doesn't mean I need to starve myself and family.

          Sure, I have a website and all but I ignore my market on facebook at my peril.

          Your mileage may vary.

        2. Charles 9

          And I have family in southeast Asia. Facebook basically is the Internet down there, to the point it's part of their feature phones. Think about that; limited capabilities and they still put Facebook in there out of sheer necessity. Facebook pretty much subsidizes Internet access there; a lot of promotions include Facebook time PINs and so on. Let's just say it's the only boat, and the water's full of sharks, so I ain't swimming.

  5. Dave314159ggggdffsdds Silver badge

    This'll be fun

    "The business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out. The number of steps for submitting a request to opt-out is measured from when the consumer clicks on the “Do Not Sell My Personal Information” link to completion of the request. The number of steps for submitting a request to opt-in to the sale of personal information is measured from the first indication by the consumer to the business of their interest to opt-in to completion of the request."

    It isn't actually possible to guarantee that, given how the internet works.

    1. Version 1.0 Silver badge

      Re: This'll be fun

      Click OK to opt out of our tracking ...

      OK ... click.

      ... one page down in the privacy agreement : If you have opted out of tracking then we will not track you.

      ... five pages down in the privacy agreement : By visiting our web site you agree that we can sell your data to a third party.

  6. DS999 Silver badge

    What about my least favorite dodge?

    Where they send you something through the mail with their privacy policy, and you have to send a letter to them requesting to be opted out? That's the #1 thing that should be made illegal (and though I don't live in California, hopefully companies give up on doing this in the rest of the US as a result)

    1. ckm5

      Re: What about my least favorite dodge?

      According to this, they would have to take exactly the same steps to opt you in....

      1. Mike 16

        Re: Steps to opt in?

        So, none, then, since default opt-out is apparently not on the table.

  7. Anonymous Coward

    I hope that law doesn't have an exception for the Equifaxes, Transunions, and Experians.

    1. Charles 9

      I wonder if there will be any talks of moving to Nevada or Arizona with any of these types of firms currently based there. When a major taxpayer threatens to move out of jurisdiction, that tends to get their attention. That's how the oil barons get away with anything: "Would you like 10% of something or 100% of nothing?"
