California bans website 'dark patterns', confusing language when opting out of having your personal info sold

California has expanded its consumer privacy law to include a prohibition on the use of deceptive messaging and presentation, or "dark patterns," in the limited context of opting out of the sale of personal information. "These protections ensure that consumers will not be confused or misled when seeking to exercise their data …

  1. a_yank_lurker

    Ready, Shot, Aim - It's My Foot

    Privacy rules and laws have come about because many companies have abused their power to the detriment of users. They may win this round. As more become aware of the absolutely despicable of many in Silly Valley and those that ape them they risk getting much worse later. But manglement is not often known for competence, intelligence, and long term planning.

  2. RM Myers

    Confusing Language

    Maybe the next target could be confusing language in laws and regulations, including the tax codes. Oh wait, that might hurt the "full employment for lawyers and accountants" initiative. Legislatures and regulators wouldn't want to do that, since most are lawyers. Never bite the hand that feeds you.

    Besides, if you make them simple to understand, your fat cat political donors, who can afford the lawyers and accountants, will lose their advantage over the rest of us. Worse yet, the voters may realize how many loopholes favor those donors. Again, never bite the hand that feeds you.

    1. Marty McFly Silver badge

      Re: Confusing Language

      Point made about the lawyers & accountants initiative. However, I don't think it applies to these data slurping individuals. They have their used-car sales career to fall back on.

      1. a_yank_lurker

        Re: Confusing Language

        They're too unethical to be in used-car sales. Used-car lots usually give a car with a valid title even if it is falling apart.

    2. yetanotheraoc Silver badge

      Re: Confusing Language

      "For example, the Consumer Data Industry Association, which represents credit reporting companies, asked that the ban on confusing language be dropped because it's not clear what constitutes confusing language."

      That explains a lot.

  3. Neil Barnes Silver badge

    adding unnecessary steps purely for the sake of legal compliance

    Er, how many unnecessary steps are there in a couple of tickboxes?

    [x] Do not sell my data

    [x] Do not collect any data beyond that technically necessary to make the site work

    [x] Do not bother asking again

    1. KittenHuffer Silver badge

      Re: adding unnecessary steps purely for the sake of legal compliance

      That last one is one that I really wish would happen.

      I'm so fed up with the "Yes, do the thing that I really don't want" or "Ask me again next time, and every time after that" type choices. I want a "No, and don't ask me again" option.

      I once ended up with a Prime trial after clicking through a purchase too quickly, and then had to struggle to cancel it cos it was well hidden, and that was several years ago. I'd hate to have to try to find the cancel button these days.

      1. Martin an gof Silver badge

        Re: adding unnecessary steps purely for the sake of legal compliance

        Assuming it's not something odd my end, but El Reg itself is guilty of this on the computers I use. The cookies box - which to be fair is quite easy to deal with - seems to pop up at random every month or so on at least one of my browsers, and no, I don't clear cookies.

        I came across an Amazon opt-out clone trying to find the downloads page for Freenas. Bloomin' annoying for a product like that - huge image, big button to 'sign up for our newsletter', tiny text link 'no thanks'.

        And still no link to the actual manual update file I need; I had to find it via search.

        :-/

        M.

        1. Alan Brown Silver badge

          Re: adding unnecessary steps purely for the sake of legal compliance

          What annoys me is the inclusion of 3rd party javascript from companies we KNOW are not exactly GDPR friendly

          Example: on THIS forum page I can see privacy/personal information slurping javascript from Google Analytics, Twitter, Facebook and Admedo

          As soon as you're pulling in JS from offsite, you're stepping well outside the boundaries of "informed consent"

          1. Martin an gof Silver badge

            Re: adding unnecessary steps purely for the sake of legal compliance

            Yes, but google analytics, facebook and the like can be blocked very simply by something like NoScript and have absolutely no effect at all on the functioning of the website. The same is true for every site I visit - NoScript is permanently blocking those sites for me.

            There are some things where a site works slightly better if you don't block them - things like fontawesome for example, but it's the ones where the site doesn't work at all without third party scripts that are the real issue...

            M.

      2. Anonymous Coward

        Re: I once ended up with a Prime trial

        the experience sits alongside the "I once ended up having sex (and so did my wife / partner)". Every little helps! said Bezos, peeking at his bank acc balance.

      3. PerlyKing

        Re: Cancelling Prime

        I accidentally signed up for Prime in the middle of last year. I like to think I'm fairly savvy and careful, but I still managed to click on the wrong thing at some point during checkout. I think there were three options at one stage, along the lines of a big bright button "Yes, sign me up for Prime and take my firstborn!", a smaller plainer button "No but yeah" and a nondescript link on the other side of the page "Beware of the leopard". I may have misremembered the wording ;-)

        Fortunately it was fairly simple to cancel it after my free month.

        1. Neil Barnes Silver badge

          Re: Cancelling Prime

          I've done that - in spite of trying very hard not to - a total of three times so far.

        2. Michael Wojcik Silver badge

          Re: Cancelling Prime

          I've managed to avoid it so far -- though I also avoid shopping on Amazon as much as I can, these days, and that helps.

          Another obnoxious Amazon quirk: every time I go to check out, they ask if I want a student discount. Every. Damn. Time. I'm not an (enrolled) student, and haven't been since I completed my most recent degree several years ago. Give it the fuck up, Amazon.

      4. jcoc

        Re: adding unnecessary steps purely for the sake of legal compliance

        "I'm so fed up with the "Yes, do the thing that I really don't want" or "Ask me again next time, and every time after that" type choices. I want a "No, and don't ask me again" option."

        The problem is that "don't ask me again" involves tracking you. Cookies expire faster now (ITP for example). So within a few days the cookie that has registered "don't ask me again" has expired, so they aren't asking you (original cookie) again, they are asking you (new cookie) for the first time.

        They could ask for a permanent ID to register your "don't ask me again" but then you'd have to login occasionally (quite often really) to have that work.

        It's what people said they wanted (in response to severe provocation from advertising and marketing abuses). This is the consequence.

        You can obviously say that you just don't want any advertising - that's a reasonable viewpoint. But there is an entire industry built around ads. And companies still want to flog their wares, so they will find some way. And that means the rest of us will have to pay for what we consume in a way we currently do not (in money rather than in data).

        1. KittenHuffer Silver badge

          Re: adding unnecessary steps purely for the sake of legal compliance

          The two specific instances that I'm thinking of are Amazon trying to get me to take out Prime, and Paypal wanting to link my account to my fleaBay account. Both of these happen when I'm logged in, so there is no need for a cookie at all. They know who I am and can easily set a flag against my account not to ask the question again.

        2. Alan Brown Silver badge

          Re: adding unnecessary steps purely for the sake of legal compliance

          > "I'm so fed up with the "Yes, do the thing that I really don't want" or "Ask me again next time, and every time after that" type choices. I want a "No, and don't ask me again" option."

          EU/UK authorities are _supposed_ to prohibit this behaviour (it's also illegal in Australia and NZ)

          Californian privacy legislation should do so too.

          Other countries may vary but complaints to your privacy regulators are the squeaky wheel

        3. Doctor Syntax Silver badge

          Re: adding unnecessary steps purely for the sake of legal compliance

          "And companies still want to flog their wares"

          So why do they persist in pissing off potential customers by shoving unwanted ads in those potential customers' faces?

          Actually I know some of the answers to that. 1. The advertising industry is very good at selling adverts to punters, especially those who think they're such special snowflakes that the populace will actually want those ads shoved in their faces. 2. The advertising industry has willing collaborators in marketing departments whose status is determined by their advertising budget (or vice versa).

  4. Potemkine! Silver badge

    Make it easy: forbid opt-out, make opt-in mandatory instead.

    1. Martin an gof Silver badge

      That is supposed to be the case with cookie consent in the EU / UK but I would say that over half the sites I visit are opt-in by default, and many of those only pay lip service to opt-out by telling you to block a list of a million cookies manually in the browser settings.

      Who is policing this stuff?

      M.

      1. Anonymous Coward

        Who is policing this stuff?

        I have a vague impression there are bodies in each country that are supposed to do the policing. And get paid handsomely for their tireless effort, I have no doubt, like ICO. As to real life... nope. As usual, the legal requirement came toothless, i.e. no real accountability / penalties. Charge them 0.1% yearly revenue when they do it first, and 50% when the message wasn't clear, and you get immediate compliance. But hey, let's get back to real life, ok?

      2. Pseu Donyme

        >Who is policing this stuff?

        The DPAs, but in practice this takes time as the cases work their way to the ECJ. There is a complaint with the promise of a relatively speedy resolution though: https://noyb.eu/en/data-transfers-us-and-insufficient-cookie-information-noyb-files-complaint-against-european (This is because cases against EU institutions get fast-tracked to the ECJ; this one is about an internal website of the EU Parliament, apparently commissioned from some cowboy outfit who seem to have done it with a template designed to circumvent consent.)

        1. Doctor Syntax Silver badge

          Unfortunately this seems to be set up so that DPAs only act on complaints and even then they're probably limited by resources. They need to be pro-active and to be able to finance additional operations out of the fines.

      3. rafff

        Opt-in vs. opt-out

        I have given up ever using Youtube, even in a private window, because it is so tedious to click through all their pages of opt-out.

        1. Alan Brown Silver badge

          Re: Opt-in vs. opt-out

          On the YT front there are a number of YT adblockers you can install

    2. Pseu Donyme

      re opt-in

      Indeed. This is the only sensible solution: it is entirely unreasonable to expect users to deal with professionally set up legalese. For one thing there is an asymmetry at work: the corporations setting these up can afford a team of lawyers and other professionals to do it as the cost/user is reasonable while the cost of a user scrutinizing such a thing to the same level would be about the same and borne by each user individually (i.e. patently prohibitive). Opt-in == no need for this == no cost, not even waste of time (assuming proper, active opt-in where opting out is the default which you get by doing nothing).

  5. Anonymous Coward

    Recommended

    These dark patterns also need to be removed from a certain well-known computer OS.

    The settings button or slider might say "recommended" but recommended for whom?

  6. ChrisElvidge

    Appeals

    Possibly the appeals process could/should be changed too. Instead of being able to continue with a practice that has been deemed illegal by a "lower" court until the appeals process has been completed, the practice could be banned until/unless the appeal process deems it legal.

  7. Anonymous Coward

    Also kill off the effort disparity between opt-in and opt-out

    About 90% of the sites I visit sport some form of popup that on the one hand acknowledge my right to privacy, but on the other hand make it as hard as possible to actually exercise that right.

    Maybe I'm just picky, but as long as opting in to all is a one-click brightly marked button and opting out means ticking a lot of "no" boxes (that are by default of course set to "yes") and then doing that AGAIN for all the "(il)legitimate interest boll*cks" (where the flying &^$% did that come from?) and usually a search for a confirmation button that doesn't automagically opt you all in again I don't think my rights are protected all that well.

    Whoever runs these outfits should be convicted to only use web resources that are 90% advertising and 10% usable content, including incoming email and phone conversations. Let's see how long they last.

    1. Alan Brown Silver badge

      Re: Also kill off the effort disparity between opt-in and opt-out

      "Whoever runs these outfits should be convicted to"

      Have all their personal data published and kept in the public eye

  8. Marty McFly Silver badge

    "Don't not sell my data..."

    If that doesn't explain the slimy & deceptive nature of the data business, I don't know what does.

  9. teebie

    adding unnecessary steps

    Currently we have a choice between "opting out is too much work, I'll let them see my stuff" and "opting out isn't worth it, I'll not read the page/kill the popup with developer tools"

    Making the changes doesn't force the nobbers into "opting out isn't worth it" or "opting in isn't worth it". There is the option of adding a user friendly on/off switch. Was this objection written by somebody in a daytime TV advert demonstrating how hard it is to use a vacuum cleaner?

    I'm surprised nobody has made a browser extension for autofilling the forms for the worst offenders.
