Current through Register Vol. 47, No. 17, September 10, 2024
A. The following principles should be considered when designing a user
interface or a choice architecture used to obtain Consent when required under
C.R.S. §§ 6-1-1303(5), 6-1-1306(1)(a)(IV)(C), 6-1-1308(4), and 6-1-1308(7):
1. Consent choice options should be presented
to Consumers in a symmetrical way that does not impose unequal weight or focus
on one available choice over another such that a Consumer's ability to consent
is impaired or subverted.
a. Example: One
choice should not be presented with less prominent size, font, or styling than
the other choice. Presenting an "I accept" button in a larger size than the "I
do not accept" button would not be considered equal or symmetrical. Presenting
an "I do not accept" button in a greyed-out color while the "I accept" button
is presented in a bright or obvious color would not be considered equal or
symmetrical.
b. Example: If
multiple choices are offered to a Consumer, it should be equally easy to accept
or reject all options. Presenting the option to "accept all" when offering a
Consumer the choice to Consent to the use of Sensitive Data for multiple
purposes without an option to "reject all" would not be considered equal or
symmetrical.
2. Consent
choice options should avoid the use of emotionally manipulative language or
visuals to unfairly, fraudulently, or deceptively coerce or steer Consumer
choice or Consent.
a. Example: One choice
should not be presented in a way that creates unnecessary guilt or shames the
user into selecting a specific choice. Presenting the choices "I accept, I want
to help endangered species" vs "No, I don't care about animals" may be
considered unfairly emotionally manipulative.
b. Example: The explanation of the choice to
Consumers should not include gratuitous information to emotionally manipulate
Consumers. Explaining that a mobile application "helps save lives" when asking
for Consent to collect Sensitive Data for Targeted Advertising may be
considered deceptively emotionally manipulative if the Targeted Advertising is
not critical to the lifesaving functionality of the application.
3. A Consumer's silence or failure
to take an affirmative action should not be interpreted as acceptance or
Consent.
a. Example: A Consumer closing a
pop-up window which requests Consent without first affirmatively selecting the
equivalent of an "I accept" button should not be interpreted as
Consent.
b. Example: A Consumer
navigating forward on a webpage after a Consent choice has been presented
without selecting the equivalent of an "I accept" button should not be
interpreted as affirmative Consent.
c. Example: A Consumer continuing to use a
Smart TV without replying "I accept" or "I consent" in reply to a verbal
request for Consent should not be interpreted as affirmative Consent.
4. Consent choice options should
not be presented with a preselected or default option.
a. Example: Checkboxes or radio buttons
should not be selected automatically when presented to a Consumer.
5. A Consumer should be able to
select either Consent choice option within a similar number of steps. A
Consumer's ability to exercise a more privacy-protective option shall not be
unduly longer, more difficult, or time-consuming than the path to exercise a
less privacy-protective option.
a. Example:
Consumers should be presented with all choices at the same time. Presenting an
"I accept" button next to a "Learn More" button which requires Consumers to
take an extra step before they are given the option of an "I do not accept"
button could be considered an unnecessary restriction.
b. Example: Describing the choice before
Consumers and placing both the "I accept" and "I do not accept" buttons after a
"select preferences" button would not be considered an unnecessary
restriction.
6. A
Consumer's expected interaction with a website, application, or product should
not be unnecessarily interrupted or intruded upon to request Consent.
a. Example: Consumers should not be
interrupted multiple times in one visit to a website to Consent if they have
declined the Consent choice offered when they arrived at the page.
b. Example: Consumers should not be
redirected away from the content or service they are attempting to interact
with because they declined the Consent choice offered, unless Consent to
process the requested data is strictly necessary to provide the website or
application content or experience.
c. Example: Consumers should not be forced to
navigate through multiple pop-ups which cover or otherwise disrupt the content
or service they are attempting to interact with because they declined the
Consent choice offered.
7. Consent choice options should not include
misleading statements, omissions, affirmative misstatements, or intentionally
confusing language to obtain Consent.
a. Example: Choices should not be driven by a false sense of urgency. A countdown
clock displayed next to a Consent choice option which states "time is running
out to Consent to this data use and receive a limited discount" where the
discount is not actually limited by time or availability would be considered
creating a false sense of urgency.
b. Example: Choices should avoid the use of
double negatives when describing Consent choice options to Consumers.
c. Example: Consent choice options should not
be presented with confusing or unexpected syntax. "Please do not check this box
if you wish to Consent to this data use" would be considered confusing
syntax.
d. Example: The language
used for choice options should logically follow the question presented to the
Consumer. Offering the options of "Yes" or "No" to the question "Do you wish to
provide or decline Consent for the described purposes" would be considered an
illogical choice option. The choice options "provide" and "decline" would be
considered to logically follow the same question.
8. The vulnerabilities or unique
characteristics of the target audience of a product, service, or website should
be considered when deciding how to present Consent choice options.
a. Example: A website or service that
primarily interacts with Consumers under the age of 18 should consider the
simplicity of the language used to explain the choice options or the way in
which cartoon imagery or endorsements might unduly influence their
choice.
b. Example: A website or
service that primarily interacts with the elderly should consider font size and
space between buttons to ensure readability and ease of interaction with design
elements.
9. User
interface design and Consent choice architecture should operate in a
substantially similar manner when accessed through digital accessibility tools.
a. Example: If it takes two clicks for a
Consumer to Consent through a website, it should take no more than two actions
for a Consumer using a digital accessibility tool to complete the same Consent
process.
B. In addition to the principles included in this part 4 CCR 904-3, Rule 7.09,
Controllers may consider statutes, administrative rules, and administrative
guidance concerning Dark Patterns from other jurisdictions when evaluating the
appropriateness of the user interface or choice architecture used to obtain
required Consent.
C. Controllers shall not
use an interface design or choice architecture to obtain required Consent that
has been designed or manipulated with the substantial effect of subverting or
impairing user autonomy, decision making or choice, or unfairly, fraudulently,
or deceptively manipulating or coercing a Consumer into providing Consent.
1. The principles outlined in 4 CCR 904-3, Rule 7.09 are factors to be
considered when determining if a consent interface design or choice
architecture has been designed or manipulated with the substantial effect of
subverting or impairing user autonomy, decision making or choice, or unfairly,
fraudulently, or deceptively manipulating or coercing a Consumer into providing
Consent.
D. Consent obtained in violation of this part 4 CCR 904-3, Rule 7.09 may be
considered a Dark Pattern, as defined in C.R.S. § 6-1-1303(9).
E. The fact that a design or practice is
commonly used is not, alone, enough to demonstrate that any particular design
or practice is not a Dark Pattern.
F. Consent obtained through Dark Patterns does not constitute valid Consent in
compliance with C.R.S. §§ 6-1-1303, 6-1-1306, and 6-1-1308.