What You Need to Know About Digital Dark Patterns and Data Privacy Regulation
The use of dark patterns is a common practice that e-commerce sites have implemented for years, however, it has recently caught the attention of lawmakers and regulators. This now means it should also be on the radar for compliance professionals.
Not only has The Federal Trade Commission (“FTC”) signaled its clear intention to regulate the use of dark patterns through enforcement actions, states such as California and Colorado have included mention of the use of dark patterns in their respective comprehensive privacy bills.
What are Dark Patterns?
The term is derived from the concept of a ‘design pattern’, which is a user interface design element that can be used repeatedly in other interface designs with a measure of success. Design pattern elements fall within two categories: (1) user interface and (2) persuasive.
The first category contains more functional elements that make the interface familiar and easier to work with. For example, a reaction button to a blog post or the navigation tabs on a website are user interface design patterns. The second category includes those elements that are designed to change the user’s perception and/or encourage the user to act.
Issues arise when these patterns are more manipulative than persuasive. User interface expert Harry Brignull first coined the term ‘dark pattern’ in 2010, to describe a broad range of characteristics, practices, and attributes in a user interface that are designed to manipulate or deceive users.
Brignull identified a number of dark patterns, including:
- Roach Motel
As the name implies, this design feature makes it easy for the user to get in, but it is almost impossible to get out. A premium subscription may be easy to sign up for, but the cancellation link may be hidden deep within the website.
- Hidden Costs
Important information, such as fees, is hidden until the user is finished selecting and finalizing the product he or she wishes to purchase.
- Forced Continuity
A user is required to enter credit card information as a condition of a free trial. At the end of the free trial, the user’s credit card is charged the membership fee without notifying the user. This may be further exacerbated by an interface that makes it difficult to cancel the membership.
- Confirm Shaming
The practice of shaming a user for exercising the right to opt-out.
- Friend Spam
An app or service may request the user’s email address for the stated purpose of checking for “friends”. Once the user approves the request, the app sends spam advertising material to the user’s contact list.
These strategies probably sound familiar to you. Those of particular concern to both users and legislators are dark patterns designed to:
- prevent users from exercising their privacy rights,
- trick users into disclosing more personal information than intended,
- or pushing users to consent to disclosures the user is not even aware of.
U.S. Legislative Efforts Regarding Dark Patterns
The CPRA requires that consent be “freely given, specific, informed” and constitute an “unambiguous indication” of the consumer’s intent. The law expressly states that: “agreement obtained through the use of dark patterns does not constitute consent.” A dark pattern is defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.”
Furthermore, CCPA regulation § 999.315 prohibits the use of dark patterns as a method to subvert the consumer’s choice to opt out. The regulation provides some guidance through the following examples:
- The process for submitting a request to opt-out shall not contain more steps than the process to opt-in to the sale of personal information.
- Do not use confusing language when providing the choice to opt-out, such as double negatives (e.g., “Don’t Not Sell My Personal Information).
- Do not require consumers to click through or listen to reasons why they should not opt-out.
- The opt-out process should not require the consumer to provide more personal information that is not necessary to complete the request.
Please note that the finalized CPRA regulations may provide more guidance.
Colorado: Colorado Privacy Act
Like its California counterpart, the Colorado Privacy Act (“CPA”) expressly prohibits the use of dark patterns as a method to obtain consent. The CPA adopts the same definition of dark pattern as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.”
The major difference in the regulations is the penalties. Under California law, a business may be fined up to $7,500 per violation. However, the penalties under the CPA increase to a crushing $20,000 per violation with a maximum penalty of $500,000.
Senator Mark Warner first introduced the Deceptive Experiences to Online Users Reduction Act (“DETOUR Act”) to Congress in 2019 and just reintroduced the bill in December 2021. The Detour Act sets to prohibit large online platforms from (1) using dark patterns for the purpose of manipulating consumers into handing over personal data and (2) from using features that promote compulsive usage by children. The primary goal is to preserve the consumer’s autonomy and legitimate decision-making capabilities in relation to their personal information.
Opposition to Regulating Dark Patterns
Not all agree though that these practices should be illegal. The Vice President of the Network Advertising Alliance, David LeDuc, argues against legislation around dark patterns. LeDuc believes the existing authorities and self-regulatory frameworks are sufficient and instead the FTC should be provided with more resources to bring enforcement actions against unfair and deceptive trade practices.
Regardless of your stance on more or less regulation, businesses should proceed with caution when designing the user interfaces for online platforms, and when considering any of these “dark pattern” strategies.
For more information on this topic or how LevelUP Consulting Group can assist with your privacy and data security compliance needs, contact Dave Cohen, Senior Manager at: firstname.lastname@example.org
The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience of the reader, user or browser; LevelUP Consulting Partners does not recommend or endorse the contents of the third-party sites.