§ 7004. Requirements for Methods for Submitting CCPA Requests and Obtaining Consumer Consent.
11 CA ADC § 7004
Barclays Official California Code of Regulations
Effective: March 29, 2023
11 CCR § 7004
(2) Symmetry in choice. The path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option because that would impair or interfere with the consumer's ability to make a choice. Illustrative examples follow.
(A) It is not symmetrical when a business's process for submitting a request to opt-out of sale/sharing requires more steps than that business's process for a consumer to opt-in to the sale of personal information after having previously opted out. The number of steps for submitting a request to opt-out of sale/sharing is measured from when the consumer clicks on the “Do Not Sell or Share My Personal Information” link to completion of the request. The number of steps for submitting a request to opt-in to the sale of personal information is measured from the first indication by the consumer to the business of their interest to opt-in to completion of the request.
(B) A choice to opt-in to the sale of personal information that provides only the two options, “Yes” and “Ask me later,” is not equal or symmetrical because there is no option to decline the opt-in. “Ask me later” implies that the consumer has not declined but delayed the decision and that the business will continue to ask the consumer to opt-in. Framing the consumer's options in this manner impairs the consumer's ability to make a choice. An equal or symmetrical choice could be between “Yes” and “No.”
(C) A website banner that provides only the two options, “Accept All” and “More Information,” or, “Accept All” and “Preferences,” when seeking the consumer's consent to use their personal information is not equal or symmetrical because the method allows the consumer to “Accept All” in one step, but requires the consumer to take additional steps to exercise their rights over their personal information. Framing the consumer's options in this manner impairs the consumer's ability to make a choice. An equal or symmetrical choice could be between “Accept All” and “Decline All.”
(C) Unintuitive placement of buttons to confirm a consumer's choice may be confusing to the consumer. For example, it is confusing to the consumer when a business at first consistently offers choices in the order of “Yes,” then “No,” but then offers choices in the opposite order--“No,” then “Yes”--when asking the consumer something that would contravene the consumer's expectation.
(4) Avoid choice architecture that impairs or interferes with the consumer's ability to make a choice. Businesses should also not design their methods in a manner that would impair the consumer's ability to exercise their choice because consent must be freely given, specific, informed, and unambiguous. Illustrative examples follow.
(B) Bundling choices so that the consumer is only offered the option to consent to using personal information for purposes that meet the requirements set forth in section 7002, subsection (a), together with purposes that are incompatible with the context in which the personal information was collected is a choice architecture that impairs or interferes with the consumer's ability to make a choice. For example, a business that provides a location-based service, such as a mobile application that finds gas prices near the consumer's location, shall not require the consumer to consent to incompatible uses (e.g., sale of the consumer's geolocation to data brokers) together with a reasonably necessary and proportionate use of geolocation information for providing the location-based services, which does not require consent. This type of choice architecture does not allow consent to be freely given, specific, informed, or unambiguous because it requires the consumer to consent to incompatible uses in order to obtain the expected service. The business should provide the consumer a separate option to consent to the business's use of personal information that does not meet the requirements set forth in section 7002, subsection (a).
(b) A method that does not comply with subsection (a) may be considered a dark pattern. Any agreement obtained through the use of dark patterns shall not constitute consumer consent. For example, a business that uses dark patterns to obtain consent from a consumer to sell their personal information shall be in the position of never having obtained the consumer's consent to do so.
(c) A user interface is a dark pattern if the interface has the effect of substantially subverting or impairing user autonomy, decisionmaking, or choice. A business's intent in designing the interface is not determinative in whether the user interface is a dark pattern, but a factor to be considered. If a business did not intend to design the user interface to subvert or impair user choice, but the business knows of and does not remedy a user interface that has that effect, the user interface may still be a dark pattern. Similarly, a business's deliberate ignorance of the effect of its user interface may also weigh in favor of establishing a dark pattern.
Credits
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130, 1798.135, 1798.140 and 1798.185, Civil Code.
History
1. New section filed 3-29-2023; operative 3-29-2023 pursuant to Government Code section 11343.4(b)(3) (Register 2023, No. 13).
This database is current through 5/10/24 Register 2024, No. 19.
Cal. Admin. Code tit. 11, § 7004, 11 CA ADC § 7004