41 comments

[ 5.6 ms ] story [ 101 ms ] thread
This seems like very good news! Wonder if I will have to VPN into CA to benefit though... :/
I might write a tool to fetch webpages from a CA VPN endpoint and a nonCA one - and highlight the diffs...

Maybe even automatically tweet a “hall of shame”.?

One very popular CCPA white-label service cross-checks identity databases and credit reports in order to prove state residency. VPNs won’t help with that.
That sounds sketchy as fuck. Whether I’m a California resident is not the type of fact that can be derived from publicly/commercially available data.

Their business model is to guess, and false negatives deprive Californians of their rights.

>The new regulations will also institute the use of a new Privacy Options icon, which internet consumers can use as a visual cue to opt-out of the sale of their personal information.

What does this actually mean? An extra overlay to click away when I visit a new website for the first time?

The “Do Not Sell My Personal Information” links are awfully wordy. An icon would be nice to have. Why would you make an overlay from it, though?
Is Gizmodo hosting this article in order to give a demonstration of “dark patterns” with their website? Auto playing video ad overlayed inline with the text, article content split and spread over the whole page. What utter garbage.
Not all bad UX is a dark pattern.
True, but you can easily predict when it’s intentionally misleading, there’s still chance of being wrong but people have been burnt too many times by this type of website (usually owned by media holding companies) that it’s safe to assume bad intentions.
They use the term "dark patterns" in the press release, but the actual regulation is very specific, straightforward, and limited to the "Do Not Sell My Personal Information" link that's required by the California Consumer Privacy Act.

  The notice of right to opt-out shall be designed and presented in a way that is easy to read and understandable to consumers. The notice shall:
  a. Use plain, straightforward language and avoid technical or legal jargon.
  b. Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable.
  c. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.
  d. Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.
source: https://oag.ca.gov/system/files/attachments/press-docs/CCPA%...
The press release is specific and limited too:

"The newly-approved regulations ban so-called “dark patterns” that delay or obscure the process for opting out of the sale of personal information. Specifically, it prohibits companies from burdening consumers with confusing language or unnecessary steps such as forcing them to click through multiple screens or listen to reasons why they shouldn’t opt out."

https://oag.ca.gov/news/press-releases/attorney-general-bece...

Interesting. Stack Exchange has a truly awful dark pattern in their GDPR banner experience:

You click to customize tracking cookies and get presented with a list of checkboxes, but primary button on the right is "Accept all cookies", whereas the left side (where you'd usually find a "Cancel") is a secondary-looking button that says "Accept changes".

If you don't take the time to actually read the buttons, you end up unchecking a bunch of boxes just to inadvertently accept them all. Real scumbag stuff. From the above, it sounds like tricks like that may not even be covered.

Govt has probably forever burnt their credibility in this space in terms of user friendly / operable approaches with their cookie notice hell.

Everyone has now been trained to click accept / accept all / OK or whatever on all these pop-ups.

Now we are starting to get the even worse GPDR ones with like 6 different options.

If I don't want you to track me using cookies I will clear them, block them or isolate them on MY machine. This doesn't require tons of click throughs. I will chose software that helps me with this.

Can I actually sue some russian website owner hiding behind some dns registration privacy domain if they use a cookie they shouldn't have? Will I collect? Or is this just tail chasing when an actual technical solution to BLOCK cross domain or other forms of cookie use are available to me.

The amount of time wasted on these nightmares, the number of clicks, the horrible impact on user experience is crazy - govt really can't seem to get this stuff right - it's mind boggling.

Let's start with simpler things.

1) Ban regulated entities from selling my info or personalizing ads to me based on my browsing history (cable companies) electric usage (electric companies) phone usage (telecom companies). No opt in or out, these are regulated folks with monopoly or close power - banned.

2) Actually ramp up real investigations of folks committing crimes online. There are billions in harm here waiting for someone to give two sh*ts about someone with their life savings stolen.

3) I have a list that goes on and on.

Forcing companies to have mechanisms for the deletion of user data is absolutely a public good. Frankly, most anything was legal before these laws.
Pretty much none of the cookie notices are legally valid, or we'd all have been trained to just click "no" on all of them (as "no" has to be as easy, or easier, to use than "yes")

And while you may be able to block cookies, are you able to block canvas fingerprinting? IRL tracking? the gdpr also applies to every bit of life, to the third parties a doctor can use to process your medical data, to the third parties having access to surveillance cameras in a parking lot, to the legal notifications required when your covid 19 test data or contact tracing data might be breached.

The cookie notices in the US have nothing to do with GPDR. They are just annoying. They are even more annoying overseas. Someone should do a study on how many people actually care and click no or tailor these? Is it < 50%?
That text was already there in the original version from June 2020. It appears that the newly added text is underlined in the document you linked. Here is the relevant bit:

--

(h) A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out. Illustrative examples follow:

(1) The business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out. The number of steps for submitting a request to opt- out is measured from when the consumer clicks on the “Do Not Sell My Personal Information” link to completion of the request. The number of steps for submitting a request to opt-in to the sale of personal information is measured from the first indication by the consumer to the business of their interest to opt-in to completion of the request.

(2) A business shall not use confusing language, such as double-negatives (e.g., “Don’t Not Sell My Personal Information”), when providing consumers the choice to opt-out.

(3) Except as permitted by these regulations, a business shall not require consumers to click through or listen to reasons why they should not submit a request to opt-out before confirming their request.

(4) The business’s process for submitting a request to opt-out shall not require the consumer to provide personal information that is not necessary to implement the request.

(5) Upon clicking the “Do Not Sell My Personal Information” link, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.

Would have loved if an addition was:

(6) The steps to discover and opt-out shall be no more difficult than the original steps to discover and opt-in.

It's the asymmetry of effort in granting consent and attempting to revoke it, or of signing up to a service and attempting to cancel it (hello Economist!) that is a pain.

> (1) The business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out.

This seems really oddly worded, like wanting to preserve a loophole. This sounds like it would be perfectly compliant to e.g. make you click through half a dozen "show advanced settings" links to opt-out - as long as you put the "re-opt-in" button (that no one outside a marketeer's fantasy would ever want to use) in the same place.

A site could still make opt-out unnecessarily difficult compared to the path they want their users to take: Just dismiss the popup and never opt-out at all.

edit: Then again, the parent paragraph (h) seems stricter. Is (h)(1) then just an "illustrative example" and not legally binding?

Disappointing that they would mandate details about the opt-out process for selling personal information instead of mandating that it be an opt-in process.
That is not within the CA Attorney General's control. The statute (CCPA) specifies opt-out, not opt-in, for most consumers. (The exception is for children under 16, who get an opt-in process.)
How does a website proactively select opt-in without knowing its users’ ages?
I wish they could extend these protections to local software. Imagine if all of your devices had a single "disable telemetry" button.
>"...dark patterns — tricks deployed by websites or apps that seek to frustrate or bamboozle users into doing things they wouldn’t normally do."

Hmm, had not heard the term "dark patterns" -- until now...

Anyway, it's going into my 2021 lexicon...

I knew that there were "attack sites" on the Internet -- that is, websites which openly attacked the browser of any visitor... Maybe "dark patterns" could be thought of as the "lesser version" of that -- instead of attacking your browser -- the website attacks your rights (!)

That is, by railroading you (the user) into "accepting" "agreements" -- that you normally would not have accepted!

Now, the $64,000 question:

Where have I seen that pattern before?

?

Funny, the California Bar Association uses dark patterns in their membership dues section. When you go to pay your dues, you are presented with many options to opt-in and pay extra for various causes.

Then partway through the process, you are presented with other "adjustment" options, which in their default state show "none" in the dropdown selector. Only if you click on "none" do you learn that you can deduct various amounts (ranging up to $40) for each of the various dropdown menus. There is no way to adjust all of these menus with one selection — you have to do it separately for each of them. It took me a couple years of paying inflated dues before realizing that I was doing so. I think opt-outs are bad, but they are especially heinous when camouflaged amongst opt-ins.

If the state ever expands their regulation of dark patterns (which are very narrow, as other commenters have pointed out), they will have to make sure that organizations like the CA Bar Association, which is tasked with setting and enforcing ethical rules related to judges and lawyers, get their houses in order.

California has too many rules and the system is absolutely failing for the basic necessities of life.
I filed my taxes last night through TurboTax. I love the idea of “regulations are bad”, but left unchecked intuit is great example of dark patterns and why there needs to be governing body over private business. Those crooked bastards tried to upsell me or trick me into needing a more expensive product at the start of every section.

Likewise lately I’ve found myself wanting a better general news source and I think NYT is fairly reputable, until some quick research shows you can not unsubribe without calling someone, but sign up yeah absolutely, a few clicks and you’re done

If there was bill addressing the first one, that’s not “failing for the basic necessities of life”. I don’t think it’s unreasonable to demand business not try to F you cause they can. There’s been so much consolidation in the market that “voting with your money” has become nothing more than an untenable aphorism.

You'd think the government could build their own turbotax and let everyone use that for free. I assume a good/simple version would make people more likely to pay their taxes correctly and the profit off of that would more than cover the expense of making it.

Of course, in reality, I know the government would botch it. Still, the system seems really bad.

I'm not sure why you would be so cynical about government abilities. Automated taxes work great in quite many countries worldwide. Do you think US government is somehow especially incompetent?
Perhaps you should do some basic reading about the average length and costs of public infrastructure projects in the US vs. other developed nations.
turboTax utilized regulations to capture the market.
TurboTax also lobbies against the simplification of the tax code
Why does Gizmodo still suck without an ad blocker?
Does this make Micros*t dark-pattern practice to overwrite the bootloader without consent on install (and thus making it extra complicated to setup dualboot with e.g. Linux) illegal?
What’s the fine when the government does it. Oh like say California DMV
Sorry for the negativity but does this matter? Like, at all?

The CANSPAM act was implemented a decade ago and I still receive spam emails without unsubscribe links from salespeople at Fortune 500s. Reporting it does nothing. There is no real enforcement of any of this.

Wish they could do something about Amazon. Every time they "offer" me an Amazon Prime subscription it's an absolute nightmare trying to find the link to continue without it. A tiny little link with absolutely no highlighting hidden in the middle of the page. I did once end up accidentally subscribing and had to cancel. Ever since then I'm really paranoid about that page.
Does it really matter though? In my experience, the CA attorney general fails to enforce even flagrant violations of the CCPA. All you get is a form letter when you report a violation.

Some examples I have collected: non-response to requests, spamming the email address used for a request, failure to disclose specific pieces of personal information, etc. The best one I had was a letter from Experian where they had everything redacted even my address.

Eventually there will be so much regulation, the only thing you'll be able to post online with violating the law is public domain picture of a brick, and you'll still get a shakedown letter from Getty Images that demands tribute.
Has anyone noticed in SF at least that the parking meters now automatically go to the highest-possible time and you have to decrement the meter rather than increment it? Is this a 'Dark Pattern'?