The California Privacy Protection Agency's (CPPA) Enforcement Advisory No. 2024-02 addresses the increasing use of dark patterns by businesses: interface designs that misdirect or trick consumers, or hide the mechanisms they need, and thereby undermine their ability to exercise their privacy rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). The advisory emphasizes that any interface or design that manipulates users into decisions against their interests, particularly regarding data collection, will be a key focus of the CPPA's enforcement actions; offering the privacy options the law requires does not cure a design that steers users away from them.

Definition of Dark Patterns:

Dark patterns are user interface (UI) techniques intended to manipulate users into making choices, or to dissuade them from making choices, in ways that may run contrary to the user's preferences and that ultimately benefit the business. These techniques are often subtle, even subliminal, and are put in place purposefully to confuse or coerce users into actions such as sharing more personal data or opting into unwanted communications, or into inaction by making it difficult to exercise their privacy rights.

Detailed Examples of Dark Patterns:

  1. Obstruction: This dark pattern occurs when businesses make it deliberately difficult for users to opt out of data collection or delete their accounts. Example: A company buries the "Delete Account" button in multiple layers of menus or requires excessive steps compared to the ease of signing up for the service.
  2. Preselection of Consent: Automatically opting users into data-sharing agreements without explicit consent, or using confusing consent language. Example: A subscription service pre-checks the box for allowing data sharing with third parties, and the user has to manually uncheck it to opt out.
  3. “Confirmshaming”: Guilting or shaming users into making certain choices, often framed as making users feel bad for not agreeing to data collection or for opting out of marketing emails. Example: "Are you sure you want to miss out on exclusive offers by opting out?"
  4. “Sneak into Basket”: Adding additional services or products, often related to data collection, without clear user action. Example: While signing up for an online service, additional permissions for data sharing with affiliates are automatically included in the terms without a clear distinction.
  5. “Privacy Zuckering”: Leading users to unwittingly share more personal data than intended by burying data-sharing permissions in hard-to-understand terms or privacy policies. Example: Users sign up for a social media platform thinking they are sharing minimal data, but deeper in the privacy settings, extensive data sharing has been pre-selected.
  6. “Roach Motel”: Making it easy to opt into a service or subscription (and hence into data collection) but extremely difficult to opt out. Example: A company provides a prominent "Sign Up Now" button but requires users to call customer service or go through multiple confirmation emails to unsubscribe.
  7. Misdirection: A UI intentionally focuses users’ attention on something benign while masking the collection of personal data. Example: When purchasing a product online, the user sees a large, brightly colored "Continue" button but does not easily notice the small print below stating that by clicking "Continue," they consent to data tracking.

Likelihood of CPPA Action on Dark Patterns:

The CPPA has made it clear that businesses using dark patterns are at high risk of facing enforcement actions, with certain factors increasing the likelihood of capturing the CPPA’s attention:
  1. Transparency and Consent Mechanisms: The CPPA is likely to treat a consent mechanism designed to confuse users or hide privacy options as a direct violation of consumers' privacy rights. Its primary focus is ensuring that users are fully informed and given a straightforward, non-coercive choice regarding their privacy.
  2. Consumer Complaints: Dark patterns frustrate users, and consumers increasingly recognize when a user experience (UX) interferes with their privacy rights. Reporting a suspected violation to the CPPA is easy, so businesses employing deceptive designs are likely to draw a heightened number of complaints, which can trigger a CPPA investigation.
  3. Targeted Audits: The CPPA has auditing powers and may target businesses that are repeat offenders or have been flagged for deceptive practices, including the use of dark patterns.
  4. Prioritization of Children's Data: In December 2022, the Federal Trade Commission announced a $520 million settlement with Epic Games (the creator of the online game Fortnite): $275 million for violating the Children's Online Privacy Protection Act (COPPA) by collecting children's data without parental consent and defaulting them into voice and text chat, and $245 million for dark patterns that tricked Fortnite players into millions of dollars of unintentional purchases. Following suit, the CPPA intends to pay special attention to businesses that use dark patterns in connection with the data of minors. Companies that make it difficult for parents or guardians to opt out of data collection on behalf of their children face heightened enforcement risk.
  5. Public Sector Vigilance: Dark patterns are not limited to private companies; public institutions, like government agencies or educational institutions, might also be scrutinized if they employ confusing or manipulative privacy settings.
The CPPA has set forth five questions businesses should ask to determine whether the language and design they use for UX choices and for the exercise of consumer privacy rights constitute dark patterns. A "no" to either of the first two questions, or a "yes" to any of the last three, signals a likely dark pattern:
  1. Is the language used to communicate with consumers easy to read and understandable?
  2. Is the language used straightforward and does it avoid technical or legal jargon?
  3. Is the consumer’s path to saying “no” longer than the path to saying “yes”?
  4. Does the user interface make it more difficult to say “no” rather than “yes” to the requested use of personal information?
  5. Is it more time-consuming for the consumer to make the more privacy-protective choice? [footnote 1]
Source: https://cppa.ca.gov/pdf/enfadvisory202402.pdf