Exploring “Dark Patterns” and the California Privacy Rights Act of 2020

When you come across an online service that you are considering using, sometimes instead of committing to the service, you decide to sign up for a 30-day free trial. What could go wrong? Well, when the trial period ends, you are unknowingly charged a subscription fee. You hastily try to cancel but are hampered by endless prompts of checkboxes and pesky acknowledgments. The arduous process makes you wonder whether it is worth the time and effort despite enjoying the free trial. Ultimately, you abandon the cumbersome task and keep paying for the service.[1]

While a single monthly subscription fee is seemingly insignificant, consumers are increasingly shifting towards subscription-based online services. These fees can add up quickly. The obscure and manipulative processes of canceling a subscription-based service, also known as “dark patterns,” are part of a broader online problem that consumers face daily.

Offline and Online Business Practices

A “dark pattern” is described as an “unfair and deceptive” practice in obtaining online consent. Unfortunately, these business practices are nothing new. They closely resemble the 1990s mail-order CD service, which promoted a cheap collection of songs in exchange for signing up for a membership subscription. The deceptive practices occur when companies make cancellation of services difficult, despite promising “easy” cancellation upfront. These carefully crafted schemes have become increasingly prevalent as companies have greater access to personal information.

Every aspect of an online space is designed and optimized to drive specific actions. Today, even small online sellers can easily perform A/B testing to refine their online platforms and influence consumer behavior. Since online activity is characterized by impulse and a lack of a slow, rational process, consumers are much more susceptible to coercion and manipulation.

Consumer protection law banning “unfair and deceptive” business practices is a long-established principle. Various laws have been introduced to curtail these practices in the physical world. For instance, the city of Berkeley enacted a local ordinance in 2021, banning the display of sugary items from grocery store checkout stands to prevent impulsive purchasing decisions.[2]

Due to the lack of broad federal privacy rules, California has spearheaded the campaign to protect data privacy rights. The California Privacy Rights Act of 2020 (“CPRA”), which is intended to strengthen California’s landmark data privacy law, the California Consumer Privacy Act (“CCPA”), is the first of its kind to mention “dark patterns.”[3] There, the CPRA added a new definition of “consent” to the CCPA framework. The CPRA noted that agreement obtained through dark patterns does not constitute consent. The newly enacted Colorado Privacy Act (“CPA”) became the second state law to ban “dark patterns” when obtaining consent.[4]

Despite these setbacks, privacy experts predict that regulating “dark patterns” will proliferate, especially as landmark state data privacy laws (CPRA, CPA, and Virginia Consumer Data Protection Act) all go into effect in 2023.

Company’s Responsibility to User Privacy

The scope of “dark pattern” regulation in California is unclear at present. The rules will be determined by the new California Privacy Protection Agency before the law takes full effect. Because it is unclear what the Agency will craft, businesses face uncertainty in complying with the new law. While past consumer protection laws have generally focused on cases of outright deception, the new law will likely focus on businesses coercing consumers along a pre-specified path.

There already exists a plethora of statutory and case law in California that protects against unfair and deceptive business practices. Thus, the new regulation may end up more notable for the law catching up with privacy concerns, rather than an extensive reach of regulatory authority. However, the California Attorney General’s recent report on examples of CCPA enforcement cases tends to show that the risk of not complying with data privacy law is significant.[5]

As lawmakers define what should be regulated, businesses—particularly those with exposure to large amounts of data and consumer information—will need to evaluate and revise how they communicate their privacy notices and terms on “dark patterns.” Businesses subject to the new law must consider this evolving issue. They are also encouraged to participate in the rulemaking proceedings to minimize risk exposure and ensure compliance.

A team of Gordinier Kang & Kim LLP attorneys has monitored legal developments on the “dark pattern” regulation. If you have questions about this opinion or how it may affect your business, please contact our legal team.

Disclaimer: GKK Insights is not intended as legal advice. Additional facts, facts specific to your situation, or future developments may affect the subjects contained above. Seek the advice of an attorney before acting or relying on any information herein.

©2021 Gordinier Kang & Kim LLP


[1] Finn L. Myrstad, You Can Log Out, But You Can Never Leave, FORBRUKERRÅDET (Jan 14, 2021), https://fil.forbrukerradet.no/wp-content/uploads/2021/01/2021-01-14-you-can-log-out-but-you-can-never-leave-final.pdf.

[2] Berkeley, Cal. Code § 9.82.060 (2021).

[3] Cal. Civ. Code § 1798.140(h).

[4] Colo. C.R.S. § 6-1-1303(5)(c).

[5] CCPA Enforcement Case Examples, https://oag.ca.gov/privacy/ccpa/enforcement#top.