Dark Patterns and You
Over the past two years, privacy legislation and regulation have focused on a variety of issues. How companies can collect and use sensitive information (healthcare data, geolocation, financial data and the like) and how they respond to consumer requests often take top billing. But “dark patterns” can impact not only a company’s disclosures, but its business operations generally.
What are Dark Patterns?
Dark patterns are usually defined as user interfaces that trick or manipulate consumers into making choices that they would not otherwise have made. The California Consumer Privacy Act (CCPA) defines dark patterns as user interfaces that “subvert or impair consumers’ autonomy, decision making, or choice”. Similarly, the Federal Trade Commission (FTC) defines unlawful dark patterns to include any online “design practices that trick or manipulate users into making decisions they would not otherwise have made and that may cause harm” and considers the use of dark patterns to be an unfair and deceptive trade practice.
Examples of dark patterns include:
- Unclear choices – Customer choices that are not presented in a clear and balanced way. For example, if a business offers an option to opt-out of sharing personal information, the option should be clear and easy to find.
- Confusing language – Choices that a business presents in technical or difficult language.
- Hidden information – Information and key terms buried in fine print or in unexpected places.
- Making it hard to cancel – Businesses should not make it difficult for consumers to cancel subscriptions or charges.
What are the Penalties for using Dark Patterns?
Federal and state regulators have adopted laws and regulations that prohibit businesses from using dark patterns, and companies that violate those prohibitions can be subject to legal and regulatory action and financial penalties.
Section 5 of the FTC Act prohibits the use of unfair or deceptive acts or practices in or affecting commerce. In June 2023, the FTC filed a complaint in the US District Court for the Western District of Washington alleging that Amazon violated Section 5 by using manipulative, coercive, or deceptive user interface designs to trick consumers into enrolling in its Amazon Prime subscription service. Among other things, the FTC alleged that Amazon’s use of dark patterns was a violation of the Restore Online Shoppers’ Confidence Act (ROSCA), which generally bars the sale of goods or services on the internet through negative option marketing without meeting certain requirements for disclosure, consent, and cancellation to protect consumers.
The Amazon case followed a 2023 settlement between the FTC and Epic Games, the maker of the popular video game Fortnite, under which Epic agreed to refund $245 million to customers. The FTC claimed that the design layout of Fortnite, which included counterintuitive, inconsistent, and confusing button placements, facilitated inadvertent charges with a single button press. At the same time, Epic relocated and minimized the “cancel purchase” button and designed a confusing process for consumers to request refunds through the Fortnite app.
The CCPA prohibits the use of dark patterns to obtain consent for privacy-related choices. The CCPA’s regulations require consent to be freely given, specific, informed, and unambiguous. On September 4, 2024, the California Privacy Protection Agency (the CPPA, the agency established to implement the CCPA) issued an enforcement advisory regarding “choice architectures that have the substantial effect of subverting or impairing a consumer’s autonomy, decision-making, or choice” – in other words, dark patterns. The advisory gave notice that the CPPA is closely scrutinizing consents for dark patterns and will consider consent obtained through them invalid. If the CPPA finds that a company uses dark patterns to obtain consent, the agency may seek civil penalties of up to $2,500 per violation, and up to $7,500 per intentional violation.
California isn’t the only state to act. Both Colorado, through the Colorado Privacy Act, and Connecticut, through the Connecticut Data Privacy Act, provide that agreements obtained through dark patterns do not constitute valid consent. Violations can lead to penalties of up to $5,000 per violation in Connecticut and up to $20,000 per violation in Colorado.
Click to Cancel
At a minimum, any company doing business online should review its user interfaces to ensure they offer symmetrical choices and use clear, easy-to-understand language. Particular attention should be paid to the FTC’s new “Click to Cancel” Rule. The rule requires companies to make it as easy for people to withdraw from a program or subscription as it was to sign up. That means people must be able to find and use the cancellation method quickly and easily. It should be offered through the same medium (online, phone, etc.) people used to sign up, and it shouldn’t be overly burdensome. Some key considerations:
- A company can’t require people to talk to a live or virtual representative to cancel if they didn’t have to do that to sign up.
- Companies can’t charge extra for that service and must answer the phone or take a message during normal business hours. Messages must receive a prompt response.
- If a customer originally subscribed in person, the company must offer them the opportunity to cancel in person and by other means, such as online or on the phone.
The Click to Cancel Rule, together with other FTC and state actions, points to one other issue: the concept of dark patterns isn’t limited to online transactions. Companies need to consider whether their actions constitute unfair or deceptive trade practices generally, whether undertaken online, by phone, by mail, or in person.
JMBM’s Cybersecurity and Privacy Group counsels clients committed to protecting personal information across a wide variety of industries, including accounting firms, law firms, business management firms and family offices. Its work includes artificial intelligence implementation and other new technologies, development of cybersecurity strategies, creation of data security and privacy policies and procedures, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their privacy and cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.