To protect consumer privacy, the California Consumer Privacy Act (CCPA) requires businesses to provide consumers with a straightforward way to opt out of the sale and sharing of their personal information. However, the control that businesses enjoy over the opt-out process allows them to impose hurdles on consumers aiming to opt out, including by employing dark patterns. Motivated by the enactment of the California Privacy Rights Act (CPRA), which strengthens the CCPA and explicitly forbids certain dark patterns in the opt-out process, we investigate how dark patterns are used in opt-out processes and assess their compliance with CCPA regulations. Our research on 330 CCPA-subject websites reveals that these websites employ a variety of dark patterns. Some of these patterns are explicitly prohibited under the CCPA; others seem to take advantage of legal loopholes.
https://dl.acm.org/doi/10.1145/3706598.3714138
The ACM CHI Conference on Human Factors in Computing Systems (https://chi2025.acm.org/)