| |

California’s First Dark-Pattern Enforcement

California regulators have opened a new front in CCPA enforcement: “choice asymmetry.” The theory is straightforward — if your opt-out mechanism is meaningfully harder to use than your opt-in, that asymmetry itself is a violation of the CCPA’s consumer rights provisions, regardless of whether the rest of your privacy program is in order.

What “choice asymmetry” looks like in practice

  • Pre-ticked consent toggles — opt-in is automatic; opt-out requires the user to find and uncheck.
  • Visual hierarchy that biases the choice — “Accept All” is a large prominent button; “Reject All” is a small text link.
  • Friction added only to the rejection path — accepting takes one click; rejecting takes three clicks, a multi-page flow, or a re-confirmation.
  • Different cognitive load for symmetric choices — accept is simple language; reject is buried under categories the user has to read and uncheck individually.

Why this matters now

The California AG and the California Privacy Protection Agency are pursuing hundreds of open investigations heading into 2026. The first wave of enforcement on choice asymmetry has signaled that regulators will not accept “technically compliant” opt-out flows that are designed to be operationally unusable. Pre-existing CMP (Consent Management Platform) defaults are not a shield — if your platform’s default deploys an asymmetric flow, that’s your liability, not the platform’s.

Practical fixes

  • Match the visual weight. “Accept” and “Reject” buttons should be equal size, equal contrast, and at equal hierarchy.
  • Match the path length. If accepting is one click, rejecting must be one click. No “manage preferences” gating on the reject path.
  • Audit your CMP defaults. OneTrust, Cookiebot, TrustArc, Termly — all support symmetric flows, but most installations default to asymmetric. Reconfigure.
  • Test on real users. If a typical user can’t find the opt-out within 5 seconds, your design is the violation.

What this means for your business

If your website or app has a cookie banner, a privacy preference center, or any consent mechanism for California residents, you are within scope. The Carlson Firm audits client opt-out flows against the choice-asymmetry standard and works with web teams to remediate. The cost of fixing a banner is hours; the cost of a CCPA enforcement action is multiples of that, plus the reputational damage of being among the first names called out.

Similar Posts