Important lawsuits, fines, and settlements from Dark Patterns cases
Nearly half the fines issued in 2022 came from dark patterns cases. Dark patterns are practices used by companies to manipulate users into interacting with the website in ways that they did not intend and/or are not aware of.
There is a growing trend of regulatory bodies taking a keen interest in these practices and having businesses under a microscope to detect them. Massive fines have already been imposed on companies and can be expected to continue in 2023.
There is a lot that we can learn from such cases to help us understand more about regulatory bodies and areas of concern. Below are summaries of Dark Patterns cases, fines, and settlements that stood out and can serve as a reference for companies and data privacy and information governance professionals.
1. Amazon | Federal Trade Commission | June 2023
The Federal Trade Commission takes action against Amazon for its deceptive practices in enrolling consumers in their Prime subscription and making the cancellation process lengthy and difficult.
Summary: The FTC filed a complaint against Amazon for their use of dark patterns, which led consumers to enroll in Amazon Prime without their affirmative express consent and further sabotaged their attempts to cancel their subscription. Some examples of the alleged dark patterns used include opportunities to subscribe during checkout, difficulty making purchases without a subscription, and misleading buttons that served as a recurring Prime subscription button. The cancellation process was excessive, difficult, and lengthy.
Outcome: The complaint was recently filed in U.S. District Court for the Western District of Washington. The case will be decided by the court. Updates will be available here accordingly.
Link to full resource: FTC Takes Action Against Amazon for Enrolling Consumers in Amazon Prime Without Consent and Sabotaging Their Attempts to Cancel | Federal Trade Commission
2. Publishers Clearing House | Federal Trade Commission | June 2023
Publishers Clearing House was fined $18.5 million for using dark patterns in their sweepstakes entry processes.
Summary: Digital marketing company Publishers Clearing House (PCH) used deceptive practices to manipulate users into making unnecessary purchases while entering sweepstakes drawings. Users were not entered into the drawing until they navigated through numerous advertising pages containing confusing wording that led consumers to believe that making a purchase was necessary to enter or that purchasing would increase their chances of winning. Emails creating a false sense of urgency were also sent to consumers, leading them back to sales pitch pages. It was also found that the true prices of items were not disclosed, surprise shipping amounts were charged, and their privacy policy contained misleading statements. Many affected by these deceptive practices were older in age and of lower income.
Outcome: In addition to the $18.5 million fine, which would be used to refund consumers, PCH is required to:
Cease the use of dark patterns surrounding purchases and sweepstakes
Separate Sweepstakes from Sales
Clearly state that purchases will not affect sweepstakes in any way
Refrain from charging surprising fees
Refrain from sending deceptive emails
Delete consumer data collected prior to January 2019
Key Takeaways: Deceptive methods and misleading communications that manipulate consumers into making unnecessary purchases should be avoided. Consumers should be provided with clear and accurate information to make their choices.
Link to full resource: FTC Takes Action Against Publishers Clearing House for Misleading Consumers About Sweepstakes Entries | Federal Trade Commission
3. TikTok | CNIL | January 2023
The French data protection authority imposed a €5 million fine on social media platform TikTok for their unlawful practices around cookie collection.
Summary: Following investigations carried out by CNIL on TikTok’s website, the French data protection authority found that TikTok UK and TikTok Ireland had violated the French Data Protection Act by:
Not having an easy and straightforward process to refuse cookies (however, a button to immediately accept cookies was present). Multiple clicks and steps were required to refuse cookies
No sufficient information on the purpose of cookie collection was provided to users
Outcome: Based on the breaches found, the volume of people concerned, and the intimations from the CNIL on this issue, a fine of €5 million was imposed on TikTok.
Key Takeaways: Users should be able to refuse cookies just as easily as they are able to accept them. Refusal of cookies should be easy and straightforward. Information on the purpose of cookie collection should be explicitly provided.
Link to full resource: Cookies: the CNIL fines TIKTOK 5 million euros | CNIL
4. Epic Games | FTC | December 2022
Fortnite maker Epic Games was fined $520 million for violating children’s privacy rights by using deceptive measures to encourage users to make purchases.
Summary: The Federal Trade Commission found Epic Games in violation of the Children’s Online Privacy Protection Act (COPPA) for employing dark patterns and billing practices to trick users into making unintentional purchases. Fortnite’s confusing button configuration caused unwanted charges. Further, the FTC addressed the Epic Games’ live text and voice communication features that exposed children to online harassment and abuse.
Outcome: The $520 million fine imposed was divided into two settlements. The COPPA fine amounted to $275 million, and the FTC fine amounted to $245 million for ‘dark patterns and billing practices.’
Key Takeaways: Processes employed should be clear, informed, and transparent. Dark patterns should be avoided at all costs. Strong practices should be put in place to safeguard the rights of children.
Link to further resource: FTC fines Fortnite maker Epic Games $520M over children’s privacy and item shop charges | TechCrunch
5. Google | Washington DC AG | December 2022
Google is to pay $9.5 million in settlement for utilizing dark patterns to deceive users and violate their privacy.
Summary: Washington DC Attorney General Karl Racine made accusations against Google for using deceiving methods to manipulate users into sharing their geolocation data. This was done, in some cases, by communicating to users that certain features wouldn’t function properly without switching on their location when it was not needed. More importantly, certain design choices were used to convince users that they had successfully disabled sharing their location data when it was, in fact, being tracked.
Outcome: According to the settlement, Google will implement changes that include a ‘pop-up’ notification to users who have allowed location services which will contain information on the kind of data being collected and how it can be disallowed.
Key Takeaways: Sufficient and explicit information should be provided to users regarding their data privacy rights, with specific importance on areas like precise geolocation, which is considered sensitive data by some regulations.
Link to further resource: Google to pay DC $9.5M over location-tracking claims - Top Class Actions
6. Google | CNIL | January 2022
Google LLC and Google Ireland were fined €150 million by the CNIL for the difficulty users experienced in refusing cookies.
Summary: Multiple complaints from users about the dark patterns adopted by Google (google.fr and youtube.com) sparked the investigation by the CNIL on these websites, which brought to light the violation. While there was an easily accessible button to accept cookies, the equivalent feature to refuse cookies was not available readily. Several steps were required to refuse all cookies, compared to the single one that accepted them. This encouraged users to accept cookies and discouraged them from refusing the same.
Outcome: Considering the advertising profits earned by the company because of cookies and the number of affected individuals, fines of €90 million and €60 million were imposed on Google LLC and Google Ireland Limited, respectively.
A further penalty of €100,000 per day would be imposed should the issue not be remedied for users located in France.
Key Takeaways: Users should be able to refuse cookies just as easily as they are able to accept them. Refusal of cookies should be easy and straightforward.
Link to full resource: Cookies: GOOGLE fined 150 million euros | CNIL
7. Twitter | AEPD | June 2020
A €30 thousand fine was imposed on Twitter by the Spanish DPA, AEPD, for their unlawful cookie banner.
Summary: The AEPD found that the cookie policy was automatically accepted by any user who used Twitter’s services. The banner did not provide the option to reject the cookies or further manage or configure the same. The option to manage cookies was not found readily on the banner but instead at the bottom of the page.
Outcome: A €30 thousand fine was imposed on Twitter for violating Spanish data protection laws, and a month’s period was given from the date of the decision to Twitter to make the necessary changes.
Key Takeaways: The option to refuse cookies should be as readily available to users as the option to accept the same. Cookies should only be placed on user devices after clear and informed consent has been provided.
Link to further resource: Spain: AEPD issues €30,000 fine against Twitter for unlawful cookie banner | DataGuidance
8. Facebook | CNIL | December 2021
The CNIL issued a €60 million fine against Facebook for their unlawful use of dark patterns to obtain cookie consent from users.
Summary: The online investigation into Facebook Ireland Limited by CNIL, sparked by user complaints, found violations of Article 82 of the French Data Protection Act. The data protection authority found that on the website facebook.com, while there was an easily accessible button to accept cookies, the equivalent feature to refuse cookies was not available readily. Several steps were required to refuse all cookies, compared to the single one that accepted them. Further, the ‘refuse cookies’ button was deceptively placed at the bottom of the Second Window and was entitled ‘Accept Cookies,’ which further confused users and hindered their ability to exercise their rights.
Outcome: Considering the advertising profits earned by the company because of cookies and the number of affected individuals, a fine of €60 million was imposed on Facebook.
Key Takeaways: Deceptive methods that discourage users from exercising their rights should be avoided. Users should be provided with all information and processes, and options upfront to make their decisions. Actions should be titled correctly.
Link to full resource: Cookies: FACEBOOK IRELAND LIMITED fined 60 million euros | CNIL
9. Amazon | CNIL | December 2020
The CNIL issued a €35 million fine against Amazon for their dark patterns employed regarding the use of marketing cookies.
Summary: Investigations done on amazon.fr by the CNIL found that:
Cookies were automatically placed on users’ devices when they opened the website
The pop-up cookie banner did not provide sufficient information on cookies and their purpose or how they could be refused, or the fact that they could be refused in the first place.
Further, the language and format of the banner were confusing and did not convey that cookies are used primarily for personalized advertising.
Outcome: Considering the amount of time that the unlawful cookie practices were used and the number of French individuals affected, a fine of €35 million was imposed on Amazon.
Key Takeaways: Sufficient and explicit information should be provided to users regarding their data privacy rights. The option to refuse cookies should be readily and easily available.
Link to further resource: Amazon fined €35M by CNIL for violating cookie rules - Cookie Information
10. Google | ACCC | April 2021
Australia’s Competition & Consumer Commission (ACCC) sanctioned a $60 million fine on Google for using dark patterns to mislead users about their geolocation data collection.
Summary: The ACCC found that Google and its Australian subsidiary deceptively informed users that the collection and usage of their location data was controlled only by the ‘Location History’ setting. However, another setting, ‘Web & App Activity,’ also enabled Google to collect, use, and store location data, which is considered personally identifiable. Further, this setting was turned on by default. Whenever users exercised their rights by turning off the option to collect and use location data via the ‘Location History’ setting, they were not informed of the continued collection, storage, and usage of their data since the ‘Web & App Activity’ setting was switched on.
Outcome: In addition to the $60 million fine imposed, Google was ordered by the court to commit to compliance and train their staff about the applicable laws, especially within the country. Google stated that the findings were not true and considered an appeal; however, in the event that they were, the company took measures to remedy the situation.
Key takeaways: Users should not be misinformed about the collection, storage, and use of their personal data. Processes that are deceiving, such as collection settings that are switched on by default, should be avoided.
Link to further resource: Google fined $40M+ for misleading location-tracking settings on Android | TechCrunch