The regulatory enforcement agency for the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the CCPA), the California Privacy Protection Agency (CPPA) announced additional enforcement focuses this week, including an emphasis on dark patterns on businesses’ websites. Michael Macko, Deputy Director of the CPPA, said, “The number of investigations we have is easily in the double digits and it’s growing. We are not slowing down. We are following the facts wherever they lead. We are not limiting ourselves to particular provisions of the law. We are not limiting ourselves to particular practices.”

This announcement comes after last summer’s enforcement focus , now turning to dark patterns. Dark patterns are deceptive designs or deceptive patterns used as a digital design tactic that tricks users into making decisions they would not otherwise make.

Earlier this month, the CPPA began this focus and examined 1,000 websites and apps for these deceptive design patterns -almost all of them have one or more dark patterns.

In addition to a review of websites for dark patterns, the CPPA will also monitor businesses to ensure they honor consumer requests to opt out of the sale and sharing of data. Businesses may also receive notice of a potential CCPA violation if the CPPA determines that the business did not give proper notice of its data sharing and selling activities or if no opt-out mechanism is offered.

Lastly, the CPPA will focus on complaints about business that affect vulnerable populations or groups. Now is the time to confirm your business’ compliance with these and other CCPA requirements.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.