Government Privacy Advertising United States

California Bans 'Dark Patterns' That Trick Users Into Giving Away Their Personal Data (theverge.com) 56

The Verge writes: If you've ever struggled through a maze of online customer service to cancel a subscription or delete an account, you've likely encountered "dark patterns" — user interfaces that are designed to trick and frustrate users. The concept was coined in 2010 but is slowly being addressed in U.S. legislation, with California this week announcing that it is banning the use of dark patterns that stop users from opting out of the sale of their personal data.

The updated regulation strengthens enforcement of the 2018 California Consumer Privacy Act (CCPA), one of the toughest consumer privacy laws in the US. The CCPA gives Californians the right "to say no to the sale of personal information," but the state government is evidently worried that these options will be buried under byzantine menus. By banning dark patterns, California will "ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights," said the state's Attorney General Xavier Becerra in a press statement.

The newly-approved regulation does not ban all uses of dark patterns, only those that have "the substantial effect of subverting or impairing a consumer's choice to opt-out" of schemes where their personal data is being sold...

Businesses found not to be in compliance with the CCPA are sent a "notice to cure," giving them a 30-day window to amend their services.

  • Getting there (Score:4, Insightful)

    by Joce640k ( 829181 ) on Sunday March 21, 2021 @09:41AM (#61182044) Homepage

    We're getting there, gradually.

    It won't stop them trying though, let's see how long it takes the web sites to figure out ways to subvert this new law.

    • Re:Getting there (Score:5, Insightful)

      by olsmeister ( 1488789 ) on Sunday March 21, 2021 @09:50AM (#61182100)
      Laws are a start. What we need are some prosecutions.
      • Re:Getting there (Score:5, Insightful)

        by Joce640k ( 829181 ) on Sunday March 21, 2021 @09:51AM (#61182104) Homepage

        That, too.

        And I mean jail time, not just corporate fines that will be seen as "the price of doing business".

        • Re:Getting there (Score:4, Interesting)

          by SkonkersBeDonkers ( 6780818 ) on Sunday March 21, 2021 @10:16AM (#61182182)

          That, too.

          And I mean jail time, not just corporate fines that will be seen as "the price of doing business".

          ^ this exactly

          A related thing I hate are services that make signing up as easy as falling off a log, i.e., you can do online or over the phone with automated response system 24/7 with minimum effort, but when you want to cancel, oh now it's you gotta talk to a live person who's only available for limited hours of the day and there is constantly a huge backup and/or you gotta send something postal mail including possibly requiring notarization and/or registered mail.

          • Comment removed based on user account deletion
            • Oddly enough, some of the worst offenders in this department are *newspapers*-- I'm specifically calling out the Chicago Tribune, the New York Times, and the Wall Street Journal. I want to support traditional journalism, I really do. But it's always the same dodge: I have to sign up with a recurring credit card payment, and if I ever want to cancel, I have to call customer service (during office hours of course) and be put on hold for some unknown length of time.

              Then, of course, there's the obligatory co

            • by rtb61 ( 674572 )

              How about the same page. The choice, subscribe or unsubscribe, the same page. The law is simple: the same page should be used to start or cancel a subscription.

        • Re:Getting there (Score:4, Insightful)

          by arQon ( 447508 ) on Sunday March 21, 2021 @12:43PM (#61182600)

          I love the optimism, but it just isn't happening.

          I'd bet real money that sometime this year we'll be reading a story here about how a "bug" in G/FB/YT/etc "accidentally" meant that even people who had opted out under the CCPA (or GDPR, etc) were being processed exactly the same way as those who hadn't, with all their activity tracked and all their data sold or otherwise monetised, just like everybody else.
          The "bug" (which will of course be discovered by a third party) will be "fixed", the company will promise it won't happen again, will MAYBE get hit with a fine for a few thousand dollars, if that; there'll be a class-action lawsuit settled for a few 100K, all of which will go into the pockets of lawyers, and life will carry on completely unchanged.

          You can keep slapping scotch tape over this mess as much as you want, but until the law is opt-IN you'll be lucky to get even a 1% reduction in tracking and selling user data.

          The stupid thing is that this enormous spyware network still doesn't even produce good results in the first place. Literally everybody would benefit from it simply vanishing: users wouldn't constantly be stalked, the web as a whole would use ~1/4 of the traffic per page load that it currently does, G/FB/YT/etc would sell exactly as many ads as they do today, and advertisers would get a BETTER hit rate than they do right now.

          Still, at least CA is trying, even if it's failing. That's still better than all the legislative bodies that aren't doing anything about this at all.

        • Jail time only if the accompanying fines are enough to offset the cost of incarceration. Otherwise just fine them for what they are worth. Let them go bust to set an example.
    • Re:Getting there (Score:4, Insightful)

      by Dutch Gun ( 899105 ) on Sunday March 21, 2021 @10:10AM (#61182164)

      You know, sometimes I poke a bit of fun at California for their legislation (like their "everything under the sun causes cancer" labels). But on occasion, they're ahead of the curve in a good way.

      I also recall California was one of the first to ban companies from requiring you to call a person on the phone in order to cancel a service that you can sign up for online. That's of course super scummy behavior, and deliberately designed to pressure you into NOT cancelling. I recall one such interaction with EA, trying to cancel an MMO subscription, and it was such an annoying experience that I vowed I'd never sign up for another EA service ever again.

      This seems like the same sort of thing, a ban on scummy behavior that companies do, simply because they're allowed to get away with it.

      • I think a national law that makes everyone start opted-out, then you need to opt-in before they can use your data. You would see companies trading things like premium access or product discounts for opting-in which puts the control back in the hands of the user. It needs to be national to have a chance at working.

      • Pretty much everything under the sun can cause cancer, given high enough concentrations, a long enough time span, and if it can get to the correct cells to cause cancerous mutations.
  • by nagora ( 177841 ) on Sunday March 21, 2021 @09:42AM (#61182050)

    Surely the easiest thing would be to ban the selling of the data unless you give specific permission in writing signed in front of witnesses (and a judge)?

    I think that would sort the whole problem out pretty quickly.

    • Obviously, service providers want to sell your data, and they (and everyone) believe that if they start with you opted out and require you to opt-in, that exactly zero people would opt in and a significant part of their business model would fall apart.

      So, if they can (after this ban) no longer trick/frustrate you into staying opted-in when you are trying to go out of your way to opt-out, at least they can still rely on your laziness to opt you in when you first sign up.

      I think this is an effort at balancing

    • They have a right to make money from their web sites.

      If you want a sweeping law that "sorts things out" then just ban profile-based advertising.

      (Does it even increase sales by that much anyway? Surely you can tell 90% of a person's profile just from the name of the web site, eg. "Gizmodo" can just advertise fashionable electronic toys and get it right nearly every time)

      • No, they don't. They have a _desire_ to make money from their web sites. Your thinking (along with millions of others) that that gives them the right just because they want it is a major part of why privacy laws are so shit in US.

        • No, they don't. They have a _desire_ to make money from their web sites. Your thinking (along with millions of others) that that gives them the right just because they want it is a major part of why privacy laws are so shit in US.

          It's their site, they have a right to reserve admission.

          The only problem is the way they're going about it at the moment - no transparency, no user control, no right to be forgotten.

          • by sjames ( 1099 )

            So they have a right to TRY to make money from their website by charging admission. As I said before they do NOT have a right to claim it's free admission and pick your pocket.

            If the admission price is set higher than the perceived value of the website, they won't make money because everyone else has a right to say it's too expensive and move on.

            Other questionable practices can in some way be connected to false advertising (advertise it as free then demand admission once you get there) or bait and switch (m

      • They should not have a right to sell someone else's "proprietary information" (consumer profile, data whatever) to people unknown in a secret shadow economy that said person could not even get information about if they asked. Who are they selling it to? What is the purpose? Oh you're not allowed to know. Bullshit.
      • by nagora ( 177841 )

        They have a right to make money from their web sites.

        No such thing as "rights". There's just laws and enforcement; everything else is hot air. If the law says that they must have permission and enforcement is effective, then permission they must have, business plan or no.

        Does it even increase sales by that much anyway?

        No. That's the stupid thing about it all - antagonising people who have come to your site for no real benefit.

      • by sjames ( 1099 )

        But they do not have a right to pick your pocket while telling you it's absolutely free. They do not have the right to convince you they won't sell your data while using dirty tricks to get you to "agree" to let them sell your data.

        They don't want to be up-front and above board about it because THEY believe that the value they offer isn't worth it for the value the user would give in exchange for access.

  • By running your browser in Dark Mode?

  • by Carewolf ( 581105 ) on Sunday March 21, 2021 @09:45AM (#61182076) Homepage

    Those tactics are illegal in the EU as well, and still they are used everywhere. Having to go to court and prove a new scheme is deliberately designed to confuse the consumer and make them do as the business wants.

    Still it does mean the case law is constantly growing and how blatant the tricks are, is decreasing.

    • GDPR has a loophole known as "legitimate interests" [ico.org.uk] which means you will be opted-out by default but then opted-in again based upon a different system for determining legitimacy of data processing, thus forcing you to manually object to each data use case per website in order not to be tracked. You'll notice that many websites will lead you to believe you are opted out, when there's a small link to an options screen for you to click on to be able to select which types of processing you object to.

      As per
      • by mvdwege ( 243851 )

        That's...not what legitimate interest means. But trust a libertard to get it wrong.

        And of course your link disproves your post. Quelle surprise.

        • That's...not what legitimate interest means. But trust a libertard to get it wrong.

          And of course your link disproves your post. Quelle surprise.

          First of all I'm British not American. Second of all, here are some [imgur.com] obvious real world [imgur.com] examples where this provision is being abused [imgur.com] to opt people into tracking by default anyway.

          Notice how legitimate interest purposes are separated from consent-based ones, meaning you need to object to their claims of "legitimate interests" in processing to completely opt-out, despite the fact the GDPR is meant to make companies obtain your consent before any processing of PII can occur. If you block the annoying dia

  • High on the list, Microsoft needs to be forced to change the "initial startup" process for Windows 10. The byzantine process you need to go through to set up a PC without using a Microsoft Account is unacceptable.

  • This sounds awfully subjective to me. Is there a standard for how to present this? Or is judging if it is clear as subjective as it sounds? How about differences in various people's perceptions caused by such things as "color blindness"?
    • Yes you are missing something here, dumbass. "Dark" has no implied relationship to colors in this context. The button or mechanism you use to do the non-scammy option is obscured and less prominent than the "easy" option that will forfeit your rights. It could be placement, size, or they hide it behind an "additional options" submenu or something like that. Very relevant point in case today: for Windows 10, you now have to set the machine up /before/ connecting to the internet to even be presented with t
  • Businesses found not to be in compliance with the CCPA are sent a "notice to cure," giving them a 30-day window to amend their services.

    I think the evidence is sending cruise missiles works better

  • I would like to know what the law considers a dark pattern over just a terrible design.

    I've worked with all types of web designers. Some are large teams, some are folks off Fiverr. I've seen good and bad designs come from both of them. I've seen features never added to sites for a variety of reasons. Some planned, some never planned. I've seen sites without any way to contact the owners, broken links, broken email systems, broken forms.

    When I'm on Amazon, and can't find the link I need, I assume that

    • by mvdwege ( 243851 )

      I would like to know what the law considers a dark pattern over just a terrible design.

      Whatever triggers complaints from the public, duh. Intent is irrelevant, whether it is deliberate use of a Dark Pattern to mislead someone or terrible design that misleads them, the end result is a customer that feels misled and complains. And then you have to fix it.

    • A lot of big tech has turned up the dark pattern shit over time. Go back, check an old version of the site/installer/whatever. It is clear the direction they're pushing us.
  • just call them "confusing patterns". It's clearer to newbies anyhow.

  • But California! In that case such a ban will fail and have myriad dire side-effects.

    • No, they'll just cite google $300 per infraction on the 1/1000000 cases of the infraction for an activity that generates them $30 per user, the risk:reward will be 10000x, and those responsible will get annual performance bonuses at the end of the year...
  • Calling them "dark" is racism.

    • One need not wholly trash one's native language to avoid racist speech. In this case "dark" simply means "absent of illumination", just as the term "black hole" is not racist but descriptive.

      I'd suggest that the white power folks pick up the fight against the term "white dwarf" (also known as a "degenerate dwarf") to fully cement their claim to intelligent discourse.
      • No, no, "white dwarf" and "degenerate dwarf" is racist against dwarfs. Geeze, intersectionality 101.

        • Ah, but the correlation is "white" = "degenerate" my friend. "Dwarf" can be easily replaced by any other group, e.g., "men".

          We're on a slippery slope here, aren't we, friend?
  • "The newly-approved regulation does not ban all uses of dark patterns, only those that have "the substantial effect of subverting or impairing a consumer's choice to opt-out" of schemes where their personal data is being sold"

    Something as arbitrary and subjective as "substantial" will be unenforceable.

