The use of dark patterns is a common practice that e-commerce sites have implemented for years; however, it has recently caught the attention of lawmakers and regulators. This means it should now also be on the radar of compliance professionals.
Not only has the Federal Trade Commission (“FTC”) signaled its clear intention to regulate the use of dark patterns through enforcement actions, but states such as California and Colorado have also included mention of dark patterns in their respective comprehensive privacy bills.
The term is derived from the concept of a ‘design pattern’, which is a user interface design element that can be used repeatedly in other interface designs with a measure of success. Design pattern elements fall within two categories: (1) user interface and (2) persuasive.
The first category contains more functional elements that make the interface familiar and easier to work with. For example, a reaction button to a blog post or the navigation tabs on a website are user interface design patterns. The second category includes those elements that are designed to change the user’s perception and/or encourage the user to act.
Issues arise when these patterns are more manipulative than persuasive. User interface expert Harry Brignull first coined the term ‘dark pattern’ in 2010, to describe a broad range of characteristics, practices, and attributes in a user interface that are designed to manipulate or deceive users.
Brignull identified a number of dark patterns, including:
These strategies probably sound familiar to you. Those of particular concern to both users and legislators are dark patterns designed to:
The CPRA requires that consent be “freely given, specific, informed” and constitute an “unambiguous indication” of the consumer’s intent. The law expressly states that: “agreement obtained through the use of dark patterns does not constitute consent.” A dark pattern is defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.”
Furthermore, CCPA regulation § 999.315 prohibits the use of dark patterns as a method to subvert the consumer’s choice to opt out. The regulation provides some guidance through the following examples:
Please note that the finalized CPRA regulations may provide more guidance.
Colorado: Colorado Privacy Act
Like its California counterpart, the Colorado Privacy Act (“CPA”) expressly prohibits the use of dark patterns as a method to obtain consent. The CPA adopts the same definition of dark pattern as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.”
The major difference in the regulations is the penalties. Under California law, a business may be fined up to $7,500 per violation. However, the penalties under the CPA increase to a crushing $20,000 per violation with a maximum penalty of $500,000.
Senator Mark Warner first introduced the Deceptive Experiences to Online Users Reduction Act (“DETOUR Act”) to Congress in 2019 and just reintroduced the bill in December 2021. The DETOUR Act seeks to prohibit large online platforms from (1) using dark patterns for the purpose of manipulating consumers into handing over personal data and (2) using features that promote compulsive usage by children. The primary goal is to preserve the consumer’s autonomy and legitimate decision-making capabilities in relation to their personal information.
Not all agree, though, that these practices should be illegal. The Vice President of the Network Advertising Alliance, David LeDuc, argues against legislation around dark patterns. LeDuc believes the existing authorities and self-regulatory frameworks are sufficient, and that the FTC should instead be provided with more resources to bring enforcement actions against unfair and deceptive trade practices.
Regardless of your stance on more or less regulation, businesses should proceed with caution when designing the user interfaces for online platforms, and when considering any of these “dark pattern” strategies.
For more information on this topic or how LevelUP Consulting Group can assist with your privacy and data security compliance needs, contact Dave Cohen, Senior Manager at: firstname.lastname@example.org