§ 7004. Requirements for Methods for Submitting CCPA Requests and Obtaining Consumer Consent.

(a)  Except as expressly allowed by the CCPA and these regulations, businesses shall design and implement methods for submitting CCPA requests and obtaining consumer consent that incorporate the following principles:

(1)  Easy to understand. The methods shall use language that is easy for consumers to read and understand. When applicable, they shall comply with the requirements for disclosures to consumers set forth in section 7003.

(2)  Symmetry in choice. The path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option because that would impair or interfere with the consumer’s ability to make a choice. Illustrative examples follow.

(A)  It is not symmetrical when a business’s process for submitting a request to opt-out of sale/sharing requires more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out. The number of steps for submitting a request to opt-out of sale/sharing is measured from when the consumer clicks on the “Do Not Sell or Share My Personal Information” link to completion of the request. The number of steps for submitting a request to opt-in to the sale of personal information is measured from the first indication by the consumer to the business of their interest to opt-in to completion of the request.

(B)  A choice to opt-in to the sale of personal information that provides only the two options, “Yes” and “Ask me later,” is not equal or symmetrical because there is no option to decline the opt-in. “Ask me later” implies that the consumer has not declined but delayed the decision and that the business will continue to ask the consumer to opt-in. Framing the consumer’s options in this manner impairs the consumer’s ability to make a choice. An equal or symmetrical choice could be between “Yes” and “No.”

(C)  A website banner that provides only the two options, “Accept All” and “More Information,” or, “Accept All” and “Preferences,” when seeking the consumer’s consent to use their personal information is not equal or symmetrical because the method allows the consumer to “Accept All” in one step, but requires the consumer to take additional steps to exercise their rights over their personal information. Framing the consumer’s options in this manner impairs the consumer’s ability to make a choice. An equal or symmetrical choice could be between “Accept All” and “Decline All.”

(3)  Avoid language or interactive elements that are confusing to the consumer. The methods should not use double negatives. Toggles or buttons must clearly indicate the consumer’s choice. Illustrative examples follow.

(A)  Giving the choice of “Yes” or “No” next to the statement “Do Not Sell or Share My Personal Information” is a double negative and a confusing choice for a consumer.

(B)  Toggles or buttons that state “on” or “off” may be confusing to a consumer and may require further clarifying language.

(C)  Unintuitive placement of buttons to confirm a consumer’s choice may be confusing to the consumer. For example, it is confusing to the consumer when a business at first consistently offers choices in the order of “Yes,” then “No,” but then offers choices in the opposite order—“No,” then “Yes”—when asking the consumer something that would contravene the consumer’s expectation.

(4)  Avoid choice architecture that impairs or interferes with the consumer’s ability to make a choice. Businesses should also not design their methods in a manner that would impair the consumer’s ability to exercise their choice because consent must be freely given, specific, informed, and unambiguous. Illustrative examples follow.

(A)  Requiring the consumer to click through disruptive screens before they are able to submit a request to opt-out of sale/sharing is a choice architecture that impairs or interferes with the consumer’s ability to exercise their choice.

(B)  Bundling choices so that the consumer is only offered the option to consent to using personal information for purposes that meet the requirements set forth in section 7002, subsection (a), together with purposes that are incompatible with the context in which the personal information was collected is a choice architecture that impairs or interferes with the consumer’s ability to make a choice. For example, a business that provides a location-based service, such as a mobile application that finds gas prices near the consumer’s location, shall not require the consumer to consent to incompatible uses (e.g., sale of the consumer’s geolocation to data brokers) together with a reasonably necessary and proportionate use of geolocation information for providing the location-based services, which does not require consent. This type of choice architecture does not allow consent to be freely given, specific, informed, or unambiguous because it requires the consumer to consent to incompatible uses in order to obtain the expected service. The business should provide the consumer a separate option to consent to the business’s use of personal information that does not meet the requirements set forth in section 7002, subsection (a).

(5)  Easy to execute. The business shall not add unnecessary burden or friction to the process by which the consumer submits a CCPA request. Methods should be tested to ensure that they are functional and do not undermine the consumer’s choice to submit the request. Illustrative examples follow.

(A)  Upon clicking the “Do Not Sell or Share My Personal Information” link, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out of sale/sharing.

(B)  A business that knows of, but does not remedy, circular or broken links, or nonfunctional email addresses, such as inboxes that are not monitored or have aggressive filters that screen emails from the public, may be in violation of this regulation.

(C)  Businesses that require the consumer to unnecessarily wait on a webpage as the business processes the request may be in violation of this regulation.

(b)  A method that does not comply with subsection (a) may be considered a dark pattern. Any agreement obtained through the use of dark patterns shall not constitute consumer consent. For example, a business that uses dark patterns to obtain consent from a consumer to sell their personal information shall be in the position of never having obtained the consumer’s consent to do so.

(c)  A user interface is a dark pattern if the interface has the effect of substantially subverting or impairing user autonomy, decisionmaking, or choice. A business’s intent in designing the interface is not determinative in whether the user interface is a dark pattern, but a factor to be considered. If a business did not intend to design the user interface to subvert or impair user choice, but the business knows of and does not remedy a user interface that has that effect, the user interface may still be a dark pattern. Similarly, a business’s deliberate ignorance of the effect of its user interface may also weigh in favor of establishing a dark pattern.

 

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130, 1798.135, 1798.140 and 1798.185, Civil Code.