Colorado recently passed a privacy law that not only requires companies to get people's permission before collecting or using sensitive information such as data about race, religious or health conditions, but also prohibits companies from using "dark patterns" to obtain consent.
Lawmakers broadly defined "dark pattern" as interfaces that are designed to thwart users' choices, and tasked the state attorney general with fleshing out the term. Now, newly proposed regulations offer details on the kinds of tactics that could be considered prohibited dark patterns.
Among other strategies, the potential regulations would ban companies from using "emotionally manipulative" language -- such as by attempting to make people feel guilty for refusing to share data.
For example, the proposed regulations state, an interface that presents consumers with two choices -- "I accept, I want to help endangered species" or "No, I don’t care about animals" -- would be considered emotionally manipulative.
Another example involves a mobile app that says it "helps save lives."
“Explaining that a mobile application 'helps save lives' when asking for consent to collect sensitive data for targeted advertising may be considered emotionally manipulative if the targeted advertising is not critical to the lifesaving functionality of the application.”
The proposal would also outlaw interfaces that create a "false sense of urgency," such as by showing a countdown clock next to the phrase "time is running out to consent to this data use and receive a limited discount."
In addition, the proposed rules would require companies to present options "in a symmetrical way" -- meaning that options to grant or decline permission use similar fonts and are comparably designed.
"Presenting an 'I accept' button in a larger size than the 'I do not accept' button would not be considered equal or symmetrical," the proposal states.
Companies would also have to make it "equally easy" for consumers to accept or reject all options.
"Presenting the option to 'accept all' when offering a consumer the choice to consent to the use of sensitive data for multiple purposes without an option to 'reject all' would not be considered equal or symmetrical," the proposal states.
Colorado's privacy law, signed last year by Governor Jared Polis, also requires companies to honor people's requests to opt out of targeted advertising -- including requests people make through browser settings or other global mechanisms.
The bulk of the law is slated to take effect July 1, 2023, but the provisions regarding universal opt-out settings won't take effect until the following year.
The Colorado attorney general is accepting comments on the proposed regulations from October 10 through February 1 of 2023.