Exploring Deceptive Dark Patterns: An Overview of Regulations

June 15, 2023

There has been a spate of recent FTC orders about deceptive dark patterns, namely the following:  

  • Credit Karma was fined $3 million for using dark patterns to misrepresent “pre-approval” for credit cards to consumers (January 2023). 
  • GoodRX was ordered not to use dark patterns when obtaining users’ consent to share sensitive health data with advertisers. GoodRX will also have to pay a $1.5 million penalty (February 2023). 
  • Fortnite was ordered to refund $245 million to consumers, part of which will go to users who were tricked into making purchases by dark patterns (March 2023). 

Given the regulatory focus on dark patterns, we wanted to discuss a common misconception about them – the impact of designer intent.  

(If you’re not sure what dark patterns are, read some of our earlier coverage of dark patterns here and here.) 

Designer Intent and Dark Patterns 

Dark patterns are often described as patterns that “deceive, coerce, or manipulate.” But, it can be hard to determine where the line is – when something is no longer just information or simple persuasion and crosses the line into “dark patterns.”  

Perhaps the best measure we have today to evaluate whether a given design choice is “dark” is whether the effect is that the user was steered into making a choice contrary to their interest.  Notice that under this analysis, it doesn’t matter what the designer’s intent was if the effect is that the user was steered towards the choice that favors the online service.  

Perhaps the best measure we have today to evaluate whether a given design choice is “dark” is whether the effect is that the user was steered into making a choice contrary to their interest. 

This may come as a surprise to many companies, which is why we mention it. But if you look at the most recent legislative proposals that address dark patterns, intent is not a requirement. Lawmakers know that intent can be very hard to prove and design patterns can have a harmful effect without any intent on the designer’s part.  

A Summary of Existing Dark Patterns Regulations 

In The US: 

Federal Law:

The Federal Trade Commission has long had the authority to police “unfair or deceptive acts or practices” under Section 5 of the FTC Act and has historically used that authority to go after businesses that failed to meet the “clear and conspicuous” standard.  

California Law: 

The CPRA states that “. . . consent obtained through dark patterns does not constitute consent” (Cal. Civ. Code Section 1798.140(1)). Thus, if state regulators find that the consent flow you used to collect information in connection with a financial incentive included dark patterns, then it will be treated as if you never collected consent at all.  

Other State Privacy Laws 

You want to keep in mind that some of the other states, Colorado and Virginia, for instance, require affirmative consent in more instances.   

In the EU 

The newly passed Digital Services Act (DSA) introduces the first express prohibition on dark patterns in EU law.  It applies to all online platforms (not just social media platforms), and takes effect January 1, 2024.  

The DSA includes several non-exhaustive examples of specific practices which would be prohibited including:  

  • Giving more prominence to certain choices when asking users for a decision 
  • Repeatedly requesting users make a choice where such a choice has already been made; and  
  • Making the process of terminating a service more difficult than subscribing to it.  

Importantly, the DSA has extraterritorial effect, so if you are based in the US but have EU users, you shouldn’t ignore the EDPB guidance. Fines can range from 3-6% of global turnover.  

Key Takeaways for Companies  

Given that intent likely won’t be a defense, we want to encourage companies to consider a few things:  

  1. Be very careful when using humor at key decision points. Often companies think they’re just being relatable or injecting some personality into their messaging – for instance, showing the cute kitten with the message saying “Don’t go! We’ll miss you!” But those sorts of prompts could be considered ‘confirmshaming’, which means trying to guilt users into making the choice you want them to make. 
  2. You should periodically review your interfaces to identify potential issues. For instance, maybe you don’t intend to continuously prompt users to provide their phone number, but if you have a bug in your interface that results in the phone number prompt displaying every time the user signs ins, that can be considered a dark pattern.  
  3. Focus on your cookie banners. We come across non-compliant cookie banners almost daily. The ‘usual’ non-compliant designs we see include not having a clear “Reject” button on the first layer or the banner using “pre-ticked boxes”. We also regularly see deceptive button colors or button contrasts.  
  4. Review the mechanisms that allow users to exercise their rights. For instance, if you offer Do Not Sell links, are they easy to find?  
  5. Don’t assume third-party designs are compliant. Businesses often assume outsourced web designers and developers “know what they are doing.” In fact, those firms are usually just recycling tools and solutions that are in broad use, but are not necessarily compliant. We see this a lot when working with clients who want to add cookie banners to their website. Review the copy yourself (ideally with the help of counsel). 

If you need assistance with developing and implementing good privacy and data security practices, reach out. Our attorneys would love to help.   


The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.

Other Articles

External Privacy Policy with hand hovering above it and reading glasses sitting on it Is an External Privacy Policy Enough?
GDPR Explained: A Quick Guide for U.S. Businesses
Children’s Data Privacy: Five Takeaways from the FTC’s Recent Workshop

    Ready to Talk?
    Contact Us

    We would to hear from you

    Please take a moment to tell us a few things about your needs and someone from our team will reach out to you as soon as possible.

    We would to hear from you

    Thank you for reaching out!

    Someone from our team will get back to you shortly

    We would to hear from you