In this second post in our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on issues surrounding consumer choice:

  • Dark patterns. Businesses are provided a set of principles to follow in how they allow consumers to submit requests and obtain consent where required. A violation of these principles could be considered a “dark pattern” under the draft regulations and, as such, would not constitute valid consent. The inclusion of “dark patterns” follows concerns about the practice from other regulators, including the FTC. (More information about dark patterns is included in this post.)
  • Opt-out links. The draft regulations permit businesses to offer a single opt-out link instead of both a “Do Not Sell or Share My Personal Information” and a separate “Limit the Use of My Sensitive Personal Information” link. The so-called “alternative opt-out link” may be titled either “Your Privacy Choices” or “Your California Privacy Choices,” and must be accompanied by a specific opt-out icon to the right or left of the link.
    • Unlike the statute, the proposed CPRA regulations arguably suggest that honoring opt-out preference signals is mandatory, even though global opt-out signals are optional in the CPRA. As proposed, an opt-out preference signal would be sent by a platform, technology, or mechanism on behalf of a consumer. The point is to signal a consumer’s choice to opt out of the sale and sharing of personal information with all businesses they interact with online instead of making individualized requests with each business. There are no technical specifications for these signals in the draft regulations. The requirements for handling signals are likely to be subject to much debate and receive significant commentary during the public comment period.
  • Right to limit use and disclosure of sensitive personal information. Businesses that collect sensitive personal information must, under the draft regulations, provide consumers a right to limit such use. This may be done through an interactive form accessible via a “Limit the Use of My Sensitive Personal Information” link, an alternative opt-out link, or the privacy policy. A business has 15 days to comply with the request, including notifying service providers, contractors, and third parties. There are instances where a business may use or disclose sensitive personal information without offering a right to limit the use.

Putting it into practice. Companies can review the draft regulations to understand expectations around consent (and how to avoid processes that could be viewed as a dark pattern). They can also begin thinking about how they will handle requirements around opt-out links and preference signals.