Guide to Dark Patterns – Terms and examples from the CCPA and the CPA
The use of dark patterns, as we are coming to realise, has become an increasingly popular practice online. Harry Brignull, who coined the term, defined it as practices that “trick or manipulate users into making choices they would not otherwise have made and that may cause harm.”
The growing popularity of dark patterns has naturally attracted the attention of regulatory bodies. The U.S. Federal Trade Commission has even stated that it has been “ramping up enforcement” against companies that employ dark patterns, as can be seen with the $520 million imposed on Fortnite creator Epic Games. In the EU, the fines have been piling up against violating companies, with TikTok and Facebook facing a €5 million fine and a €60 million fine respectively, both imposed by the French DPA, the CNIL.
The FTC, in its endeavour to combat the use of dark patterns and protect consumer privacy, even conducted a workshop and released a report on the topic, titled Bringing Dark Patterns to Light. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated, “This report—and our cases—send a clear message that these traps will not be tolerated.” (Source: FTC Report Shows Rise in Sophisticated Dark Patterns Designed to Trick and Trap Consumers | Federal Trade Commission)
With the upcoming state privacy regulations in the U.S. and given the growing strength of the enforcement around dark patterns, it is important to know the terms that address dark patterns under the existing regulations.
Both existing state privacy regulations address dark patterns in detail; the relevant provisions are summarised below.
Under the CCPA, § 7004. Requirements for Methods for Submitting CCPA Requests and Obtaining Consumer Consent.
Except as expressly allowed by the CCPA and these regulations, businesses shall design and implement methods for submitting CCPA requests and obtaining consumer consent that incorporate the following principles:
“Easy to understand”. The language used should be simple and easy to read and comprehend.
“Symmetry in choice”. It should be as easy and quick to exercise a more privacy protective option as it is to exercise a less privacy protective option.
- The process to submit a request to opt out of the sale/sharing of personal information should not require more time than the process to opt in to the sale of PI after having previously opted out.
- “Yes” and “Ask me later” as the ONLY two options to decline the option to opt in to the sale is not appropriate. “Ask me later” does not mean that the consumer has declined, only that the decision has been delayed. Businesses will continue asking the consumer to opt in. “Yes” and “No” are the options that should be provided.
- “Accept All” and “Preferences”, or “Accept All” and “More information”, as choices to provide consent to the use of consumers’ personal information are not appropriate, because consent can be given in one step but additional steps are required for consumers to exercise their rights. “Accept all” and “Decline all” should be used.
Confusing language should be avoided. Consumers’ choices should be clearly provided. Double negatives should not be used.
- Confusing options, such as the choice of “Yes” or “No” next to the statement “Do Not Sell or Share My Personal Information”, create a double negative and should be avoided.
- “On” or “off” toggles or buttons may require further clarification.
- If the options are first presented in the order “Yes” and then “No”, they should not later be changed to the opposite order of “No” and then “Yes”, as this is unintuitive and confusing.
The design and architecture should not impair the consumer’s ability to make choices. Consent should be “freely given, specific, informed and unambiguous”.
- Consumers should not be made to click through disruptive screens before submitting an opt-out request.
- The option to consent to using PI for purposes that meet the requirements should not be combined with the option to consent to using PI for purposes that are “incompatible with the context”. For example, a business that uses location data for its services, such as a mobile app that delivers food to users’ locations, should not ask for consent to “incompatible uses” (sale of geolocation data to third parties) along with the “reasonably necessary and proportionate use of geolocation data” that is needed for the app’s services. Doing so would require consumers to consent to “incompatible uses” in order to use the app’s expected services.
Consent obtained using dark patterns (the practices stated above) is not considered consent. Obtaining consent using dark patterns can be considered as never having obtained consumer consent.
Should the user interface unintentionally impair the user’s choice and the business, knowing this, does not remedy the issue, it could be considered a dark pattern. “Deliberate ignorance” of the faulty, impairing designs may be considered a dark pattern.
Under the CPA, Rule 7.09 USER INTERFACE DESIGN, CHOICE ARCHITECTURE, AND DARK PATTERNS
There should be symmetry in the presentation of choices. No one option should be given more focus than the others.
- All options should use the same font, size, and style. “I accept” being in a larger size or in a brighter, more attention-grabbing colour than “I do not accept” is not considered symmetrical.
- All choices should be equally easy to accept or reject. The option to “accept all” to consent to the use of Sensitive data should not be presented without the option to “reject all”.
Manipulative language and/or visuals that coerce or steer consumers’ choices should be avoided.
- Consumers should not be guilted or shamed into any choice. “I accept. I care about the planet” vs “I reject, I don’t care about the planet” can be considered
- “Gratuitous information to emotionally manipulate consumers” should be avoided. Stating that the mobile application “Promotes animal welfare” when asking for consent to collect sensitive data for Targeted Advertising can be considered “deceptively emotionally manipulative” if the reason for collection is not actually critical to promoting animal welfare.
Silence or ‘failure to take an affirmative action’ is not equal to Consent or acceptance.
- Closing a Consent request pop-up window without first affirmatively making a choice cannot be interpreted as consent.
- Going through the webpage without affirmatively providing consent on the banner provided cannot be interpreted as consent.
- Using a smart device without giving verbal consent, such as “I accept” or “I consent”, cannot be considered affirmative consent.
Avoid preselected or default options.
- Checkboxes or radio buttons cannot be preselected.
It should be as easy and quick to exercise a more privacy protective option as it is to exercise a less privacy protective option. There should be an equal number of steps for all options.
- All choices should be presented at the same time. “I accept” and “Learn more” as the two choices presents a greater number of steps for the latter and is an unnecessary restriction.
- However, preceding both the “I accept” and “I do not accept” buttons with the “select preferences” button would not be considered an unnecessary restriction.
Consent requests should not unnecessarily interrupt a consumer’s activity on the website, application, or product.
- Repeated consent requests should not appear after the consumer declined consent.
- Unless consent to process data is strictly necessary, consumers should not be redirected away from their activity if they declined consent.
- Multiple inconvenient consent request pop-ups should be avoided if they declined consent initially.
“Misleading statements, omissions, affirmative misstatements, or intentionally confusing language to obtain Consent” should be avoided.
- A false sense of urgency, such as a ticking clock on the consent request, should be avoided.
- Double negatives should be avoided on the consent request.
- Confusing language should be avoided, such as “Please do not check this box if you wish to Consent to this data use”.
- Illogical choices, like the options of “Yes” or “No” to the question “Do you wish to provide or decline Consent for the described purposes”, should be avoided.
Target audience factors and characteristics should be considered.
- Simplicity of language should be considered for websites or services whose target audience is under the age of 18.
- Large size, spacing, and readability should be considered for websites or services whose target audience is elderly people.
User interface design and Consent choice architecture should be similar when accessed through digital accessibility tools.
- The same number of steps to exercise consent should be provided on the website whether it is accessed using a digital accessibility tool or without.