Dark Patterns Examples & How to Avoid Their Pitfalls

May 17, 2022

Dark patterns and deceptive designs are increasingly being outlawed around the world. In the past years, California, Connecticut, and Colorado’s privacy laws have all specifically prohibited certain dark patterns. Meanwhile in Europe, individual penalties for companies using dark patterns have run into the billions (just ask Grindr). 

In this article, we’re going to dig into what dark patterns are (including dark patterns examples) and outline how and why California companies should avoid them (and it’s not just to reduce the risk of enforcement). 

What are dark patterns?

At the moment, there is no universal legal definition of dark patterns. 

Generally, “dark patterns” are user interface features or designs on websites and mobile apps that trick, manipulate, or confuse visitors into taking an action they didn’t intend and that benefits the organisation that owns the website or app. 

Common Dark Patterns Examples

Some common examples of dark patterns include: 

  • Designing the ‘Accept’ optional cookies button so that it’s green, or larger than the ‘decline’ button. 

Cookies buttons have been making headlines in Europe recently with the French privacy authority fining Google and Facebook for making it more difficult to decline cookies than accept them. 

“The restricted committee, the body of the CNIL responsible for issuing sanctions, has noted, following investigations, that the websites facebook.com, google.fr and youtube.com offer a button allowing the user to immediately accept cookies. However, they do not provide an equivalent solution (button or other) enabling the Internet user to easily refuse the deposit of these cookies. Several clicks are required to refuse all cookies, against a single one to accept them… This constitutes an infringement of Article 82 of the French Data Protection Act.”  – CNIL

 

  • Automatic subscription renewals, where details regarding the automated payments were not made clear (in line with federal requirements). 

The FTC has outlined that it is targeting companies engaging in harmful negative option marketing (or automated subscription renewals) for enforcement actions. European regulators are also bringing enforcement actions against companies for these practices. See, for example the Norwegian Authority’s report on Amazon’s dark patterns relating to its subscriptions.

Read more about dark patterns and automatic subscription renewals

 

  • Having important information load more slowly, or obscuring it with other design features.

 

 

Why are dark patterns problematic? 

Dark patterns are problematic because they take power away from consumers. As a result of deceptive design or language (or both), these features are capable of (amongst other things): 

  • Tricking users into providing personal information, or 
  • Subscribing to services where they may not have otherwise chosen to do so, or 
  • Agreeing to allow a company to sell personal information they may not have otherwise agreed to sell, or
  • Hiding settings that would allow them to control their privacy. 

Dark patterns example: Flo Health Inc. & the harm stemming from dark patterns

The recent FTC enforcement against Flo Health is a strong example of why dark patterns are so problematic. Without delving too far into the specifics, Flo Health conveyed to its users that it would keep their sensitive health information private. However, Flo Health was selling this sensitive health data to third party marketing companies – including Google and Facebook. 

Once news broke about Flo Health selling the data, consumers reported feeling outraged, victimized, and violated. Given that the app requested that they share information about their menstrual cycle, pregnancy planning, and sexual activities, their outrage is unsurprising.

Benefits of Avoiding Dark Patterns on Your Website/Apps

“And there are really no benefits to competition or consumers of sales based on confusion.” – Lauren E Willis, FTC Dark Patterns Workshop

Dark patterns can make it difficult to unsubscribe, change or update information, delete a user account or information, or generally manage and/or limit personal information and data sharing. While your SEO team might advocate for making it more difficult for your users to manage their preferences, there are strong reasons for making it as easy as possible, including:

Transparent data practices build consumer trust.

Making it easy to unsubscribe, opt-out, and change or delete user information is an important step in building transparency and consumer trust.

Increased consumer loyalty.

Consumers are more likely to leave brands that use their data without their permission. Conversely, brands that are transparent with their data practices face fewer barriers for customer retention.

Transparent data practices are (more) future-proof.

Consumers and regulators are demanding better transparency from businesses. By embedding transparent practices and language from the beginning, you’re creating a more future-proof website.

Avoiding dark patterns reduces compliance risk.

Both California and Connecticut have specified that consents obtained via dark patterns are not valid. EU authorities are making similar findings, as we can see in the Grindr enforcement action by Norway’s privacy authority. France’s CNIL has also released a report detailing that consent obtained using dark patterns cannot be valid since the consent is not freely given. 

Global trends indicate that enforcement against companies for embedding dark patterns into apps and websites is going to continue – and will likely increase. As a result, companies that elect to continue to use misleading or deceptive design and language in their website design and apps, particularly as it relates to privacy, are going to be exposed to increasing compliance risk. 

 

Digging Deeper: California’s Dark Patterns Legislation

On March 15 2021, the California Attorney General (AG) published its Final Regulation Text § 999.306. Notice of Right to Opt-Out of Sale of Personal Information (the Regs). The Regs ban businesses from embedding dark patterns into their websites designed to prevent or mislead users trying to exercise their rights under the California Consumer Privacy Act (CCPA). 

The Regs state (in section (a)(2)) that the opt-out notice must be easy to read and understand. Additionally, the notice must use:

  • Plain, straightforward language – without technical or legal jargon;
  • A format that draws a user’s attention to the notice, ensuring that it’s readable across devices;
  • The languages the business ordinarily uses for its contracts, disclaimers, sale announcements, and other information to California consumers; and
  • Reasonable accessibility features for consumers with disabilities.

Further, the Regs require that businesses make accessing these opt-out notices easy. The notice must be directly linked to the business’ “Do Not Sell My Personal Information” link and users cannot be required to click through multiple pages to reach the notice. Apps that collect and sell users’ personal information must also make the notice available via the app, such as through the app’s settings menu.

Requests by users to opt-out of the sale of their personal information must be acted on within 15 days.

Businesses that don’t comply with the Regs may be issued a ‘Notice to Cure’. If this happens to you, you’ll have 30 days to rectify the issues identified.

You can read the Regs here, the AG’s press release here, and our mailout on California’s law on dark patterns here.

 

Some Best Practices for Avoiding Dark Patterns

Make it Easy for Users to Manage Their Privacy Settings. 

Consumer demand for transparent and straightforward management of their personal privacy is growing. To meet this consumer (and regulator) demand, your company should prioritize making privacy management simple for users. Our quick tips for this are as follows: 

  • Collect only what you need from your users. This streamlines the management of that data for the user and your business. 
  • Create a ‘privacy center’ within the user account settings. The ‘privacy center’ should contain a copy of the privacy policy and terms of use, as well as relevant privacy management settings allowing users to access, update, and delete their personal data and opt-out of certain uses of their personal data (such as the sale of their personal data to third parties). It should be clearly visible, marked with reasonably sized font, and easy for users to access in an easily navigable location on the website. The center should be named something clear and jargon-free, like ‘Privacy settings’ or ‘User Privacy’, and it should be accessible within one click once the user has logged into their account.
  • It may be useful to include a user’s subscription settings here if your company sends out marketing emails. Allowing users to unsubscribe in as few clicks as possible and without needing to log into their account is also a good practice. 
  • You may also want to answer some FAQs about your company’s privacy and data security practices to build additional trust with your users. 

Bear in mind that you may be required to provide some of this functionality if you fall within the scope of certain laws such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA)  and the General Data Protection Right (GDPR). Even if you aren’t covered by these laws though, it can be worthwhile making it easy for users to manage their privacy settings on your website.

 

Make it Easy for Users to Delete Their Data and Their Accounts.

A limited “right to be forgotten” is granted to California consumers under the CCPA but, again, consumers generally expect to be able to manage, update, and delete their data regardless of the company’s legal obligations. 

Under the CCPA, businesses are required to designate at least two methods for users to submit their request to be deleted. This can be a toll-free number, email address, webform, or hard copy form. But we suggest making it simple for users to delete (and manage) their data and accounts via their online settings. It should be possible for users to do so in 2-3 clicks after accessing their privacy settings within their account. The ‘Delete Data’ and/or ‘Delete Account’ functionality should be easy to find, free of jargon, and easy to access for users.

The CCPA outlines that users who do not have an account must be permitted to submit a request to have their personal information deleted without creating an account.  Businesses can achieve compliance here by making any two of the following easily accessible for users: a toll-free number, email address or hard copy form, or webform. Again, digital methods may be most appropriate for businesses with a website. 

 

Make Cancelling a Subscription As Easy As Subscribing. 

If your company charges subscription fees, it needs to be at least as easy to cancel the subscription as it is to subscribe. You should also: 

  • Make the terms of payment very clear and very visible at the time of acceptance. 
  • Require the consumer to confirm their acceptance of the terms of payment in a separate action to other terms of the transaction. 
  • Do not include any information that ‘muddies the waters’ for consumers, making it more difficult for them to understand the subscription payments. 
  • Obtain and record the consumer’s unambiguous consent.
  • Send routine emails asking the consumer to recommit to the subscription payment. Essentially, ask your customers if they still want to subscribe. This can garner goodwill and improve trust with your subscribers. 
  • Send automated emails reminding your subscribers of upcoming subscription payments and include a link that allows them to cancel. 
  • Provide several easy-to-access and easy-to-find options for your consumers to cancel their subscription payments.

 

If you need assistance with privacy compliance, reach out. Our privacy attorneys would be thrilled to help.

Disclaimer

The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.

Other Articles

External Privacy Policy with hand hovering above it and reading glasses sitting on it Is an External Privacy Policy Enough?
GDPR Explained: A Quick Guide for U.S. Businesses
Children’s Data Privacy: Five Takeaways from the FTC’s Recent Workshop

    Ready to Talk?
    Contact Us

    We would to hear from you

    Please take a moment to tell us a few things about your needs and someone from our team will reach out to you as soon as possible.

    We would to hear from you

    Thank you for reaching out!

    Someone from our team will get back to you shortly

    We would to hear from you