There is something satisfying for consumers about signing up for a new online subscription service in a few quick, easy clicks. To cancel, though, it takes multiple clicks across many web pages to arrive at the hard-to-find unsubscribe button (if you can even cancel online). Ending the subscription is sometimes much more difficult than signing up for it; welcome to the practice of dark patterns.
Manipulative tactics like this are increasing with the rise of online commerce. Although dark patterns may be lucrative for businesses, they can also cause consumer harm, invade consumer privacy, and erode public trust in the business and online market. With growing concern over these harms, lawmakers and consumer protection agencies are leveraging federal and state laws with staggering penalties to stop businesses from using illegal dark patterns. Dark patterns can be hard to spot, even for those enforcing the laws against them, so education is key to understanding dark pattern evolution and the emerging enforcement trends.
The Rise of Dark Patterns
The term “dark patterns” was coined in 2010 by user-design researcher Harry Brignull to describe a user interface carefully designed to trick or manipulate consumer psychology. Confusing purchase language, hidden fees or terms and conditions, pre-checked purchase or consent boxes, and inaccessible cancellation and opt-out methods are just a few of the dark patterns you have likely come across.
Retailers have long used coercive tactics, like psychological pricing, to influence consumer decisions. However, dark patterns are so pervasive now because businesses gather substantial online user-interaction information, which helps designers craft interfaces that play on consumer cognitive biases or emphasize emotional response over rational judgment. While the use of dark patterns may secure additional revenue for businesses, it can also subvert consumer privacy choices and run afoul of state and federal consumer protection laws.
Anatomy of Dark Patterns
Both the target audience and the medium in which the business and consumer interact play a significant role in the development of dark patterns. Generally, businesses design websites and applications with their target audience in mind; however, some go so far as to exploit audience weaknesses, like when a business that attracts older users designs purchase pathways with small icons and hard-to-see font sizes and colors for important information that, if known, could affect consumers’ decisions.
Although dark patterns frequently appear on websites, mobile applications are especially susceptible to them because they are typically viewed on smaller screens where pertinent information is harder to extract and options are tougher to evaluate. A 2020 University of Zurich experiment analyzed 240 mobile applications on the Google Play store and found that 95% contained one or more dark patterns.
Dark patterns appear in multiple forms to achieve diverse goals. They may be used to induce false beliefs, such as a countdown timer that pressures consumers to purchase when in reality, the offer is not time-limited. They may be used to hide material information, like burying fees in the middle of a dense service agreement that requires much scrolling to find. They may also be used to conceal consumer privacy choices, such as an app that forces users to accept location tracking before access is granted or a cookie banner that shows a prominent accept button but no or significantly smaller decline button. The varied uses of dark patterns can make them hard to spot for businesses using them, consumers harmed by them, and enforcers seeking to end them.
The Fight to Curb Illegal Dark Patterns
As the use of dark patterns continues to grow, lawmakers are determined to rein them in. Federal legislators have introduced numerous bills to crack down on dark patterns, such as the Deceptive Experiences to Online Users Reduction (DETOUR) Act that prohibits the use of online dark patterns to get consumers’ personal information. Although no specific dark pattern law has been enacted yet, legislative and enforcement activity suggests that it is only a matter of time.
The Federal Trade Commission is the primary federal regulator of dark patterns via its enforcement of Section 5 of the FTC Act, which protects consumers from unfair and deceptive business acts. The FTC also uses other statutes to stop dark pattern practices, including the Retail Online Shoppers’ Confidence Act, which prohibits harmful negative option practices, and the Children’s Online Privacy Protection Act, which requires businesses to get clear and concise parental consent before collecting certain types of information from children.
The FTC is well-equipped to stop businesses from harming consumers via dark patterns and has released a new enforcement policy statement warning companies against deploying dark patterns that trick consumers into subscription services, as well as a staff report showing how companies use dark patterns to manipulate consumers. The agency also plans to amend its Dot Com Disclosures to add measures to prevent dark pattern use in digital advertising. Along the way, the FTC has sued several businesses for illegal dark pattern practices; one suit led to a record-breaking court order in 2022 that required internet phone service provider Vonage to refund $100 million to consumers for surprise, unauthorized negative option fees, stop using dark patterns, be upfront with consumers about subscription plans, and simplify its cancellation processes.
State lawmakers have also joined the fight to prevent illegal dark pattern practices by adding specific provisions to state laws and enacting new privacy laws. The California Privacy Rights Act (CPRA), the first law in the country to define dark patterns, prevents businesses from using these practices to obtain consumer consent to collect certain types of data and requires “symmetry in choice,” i.e., the path for a consumer to exercise more privacy protection must be as easy as, or easier than, the path to exercise less protection. The Colorado Privacy Act implements protections similar to the CPRA's but goes further by outright prohibiting the use of dark patterns in interface design. The Connecticut Data Privacy Act also prohibits the use of dark patterns to obtain consent. Several states have automatic renewal laws that require businesses to offer an easy, immediate cancellation method for subscriptions. State enforcers now have more methods to weed out illegal dark patterns and protect consumers.
On top of federal and state guidance, industry organizations are helping to educate businesses about dark patterns and the consumer harms that arise from using them. For example, the National Advertising Initiative released “Best Practices for User Choice and Transparency” as a means of setting industry expectations. Other industry-led initiatives help spell out the reputational damage businesses face if they get caught in the act. Several studies have found that consumers are not happy with dark patterns because they feel they are misled and taken advantage of, resulting in lost trust in businesses that use them. The reputational pitfalls that accompany dark pattern violations provide a great reason alone (notwithstanding legal ramifications and penalties) for businesses to educate employees about dark pattern prevention.
Avoiding Dark Patterns
Perhaps the best way for businesses to create a consumer-friendly interface and avoid dark patterns is to implement privacy by design, which means integrating default data privacy principles into designs and business processes and practices. There are seven widely accepted foundational privacy-by-design principles:
- Proactive, not reactive; preventative, not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality: positive-sum, not zero-sum
- End-to-end security: full life cycle protection
- Visibility and transparency: keep it open
- Respect for user privacy: keep it user-centric
Adhering to these principles can help businesses steer clear of dark patterns, spot inadvertent dark patterns in their online spaces, and comply with data privacy laws.
Businesses should also stay on top of best practices to avoid dark patterns and promote consumer transparency. These 10 practical considerations will help you map your plan:
- Ensure your marketing is free from deceptive advertisements or endorsements, including fee and cost structures. All advertising claims must be capable of substantiation.
- Refrain from using untrue availability, urgency, and pressure claims.
- Use accurate, concise, and easy-to-understand language, especially in consumer notices.
- Avoid confusing icons or buttons and make accept/reject buttons the same.
- Completely disclose all material terms and conditions before finalizing purchases or obtaining consent to collect personal information.
- Make cancellation and consent withdrawal as easy as, or easier than, signing up or giving consent.
- Implement symmetry in choice so consumers can exercise their privacy rights as easily as they can relinquish them.
- Avoid coercive and trick-and-trap tactics.
- Ensure user interfaces clarify the consequences of action clicks.
- Use font type and size, buttons, and icons that are easily visible for all options presented to the consumer.
The legal framework surrounding dark patterns is continuing to shake out, but the ramifications for offenders are already hitting hard, with businesses facing huge penalties and loss of consumer trust for dark pattern violations. It takes hard work to build a brand and appeal to consumers, making your dark pattern prevention policy as important as ever. Businesses should work with experienced counsel to align policies with state and federal laws. Further, businesses should ensure their internal departments have adequate tools and resources to efficiently address consumer requests, concerns, and complaints. And as always, keeping up to date on dark pattern education, legislative developments, and enforcement is the first line of defense.
Aaron works across numerous highly-regulated industries, helping them comply with state and federal laws related to privacy and data security, cannabis, marketing, teleservices, and other consumer protection matters.