Page 150 - GDPR and US States General Privacy Laws Deskbook
P. 150

c.  Example: Consumers should not be forced to navigate through multiple pop-ups which cover or otherwise disrupt
the content or service they are attempting to interact with because they declined the Consent choice offered.
7.  Consent choice options should not include misleading statements, omissions, affirmative misstatements, or intentionally
confusing language to obtain Consent.
a.  Example: Choices should not be driven by a false sense of urgency. A countdown clock displayed next to a Consent
choice option which states “time is running out to Consent to this data use and receive a limited discount” where the
discount is not actually limited by time or availability would be considered creating a false sense of urgency.
b.  Example: Choices should avoid the use of double negatives when describing Consent choice options to Consumers.
c.  Example: Consent choice options should not be presented with confusing or unexpected syntax. “Please do not
check this box if you wish to Consent to this data use” would be considered confusing syntax.
d.  Example: The language used for choice options should logically follow the question presented to the Consumer.
Offering the options of “Yes” or “No” to the question “Do you wish to provide or decline Consent for the described
purposes” would be considered an illogical choice option. The choice options “provide” and “decline” would be
considered to logically follow the same question.
8.  The vulnerabilities or unique characteristics of the target audience of a product, service, or website should be considered
when deciding how to present Consent choice options.
a.  Example: A website or service that primarily interacts with Consumers under the age of 18 should consider the
simplicity of the language used to explain the choice options or the way in which cartoon imagery or endorsements
might unduly influence their choice.
b.  Example: A website or service that primarily interacts with the elderly should consider font size and space between
buttons to ensure readability and ease of interaction with design elements.
9.  User interface design and Consent choice architecture should operate in a substantially similar manner when accessed
through digital accessibility tools.
a.  Example: If it takes two clicks for a Consumer to Consent through a website, it should take no more than two actions
for a Consumer using a digital accessibility tool to complete the same Consent process.
B. In addition to the principles included in this part 4 CCR 904-3, Rule 7.09(A), Controllers may consider statutes, administrative
rules, and administrative guidance concerning Dark Patterns from other jurisdictions when evaluating the appropriateness
of the user interface or choice architecture used to obtain required Consent.
C.  Controllers shall not use an interface design or choice architecture to obtain required Consent that has been designed or
manipulated with the substantial effect of subverting or impairing user autonomy, decision making or choice, or unfairly,
fraudulently, or deceptively manipulating or coercing a Consumer into providing Consent.
1.  The principles outlined in 4 CCR 904-3, Rule 7.09(A) and (B) are factors to be considered when determining if a consent
interface design or choice architecture has been designed or manipulated with the substantial effect of subverting or
impairing user autonomy, decision making or choice, or unfairly, fraudulently, or deceptively manipulating or coercing a
Consumer into providing Consent.
D.  Consent obtained in violation of this part 4 CCR 904-3, Rule 7.09(C) may be considered a Dark Pattern, as defined in C.R.S.
§ 6-1-1303(9).
150 | Colorado Privacy Act Rules





























































   148   149   150   151   152