Important lawsuits, fines, and settlements from Dark Patterns cases
Nearly half the fines issued in 2022 came from dark patterns cases. Dark patterns are practices used by companies to manipulate users into interacting with the website in ways that they did not intend and/or are not aware of.
There is a growing trend of regulatory bodies taking a keen interest in these practices and placing businesses under a microscope to detect them. Massive fines have already been imposed on companies and can be expected to continue in 2023.
There is a lot that we can learn from such cases to help us understand more about regulatory bodies and areas of concern. Below are summaries of Dark Patterns cases, fines, and settlements that stood out and can serve as a reference for companies and data privacy and information governance professionals.
1. Amazon | Federal Trade Commission | June 2023
The Federal Trade Commission takes action against Amazon for its deceptive practices in enrolling consumers in its Prime subscription and making the cancellation process lengthy and difficult.
Summary: The FTC filed a complaint against Amazon for their use of dark patterns, which led consumers to enroll in Amazon Prime without their affirmative express consent and further sabotaged their attempts to cancel their subscription. Some examples of the alleged dark patterns used include opportunities to subscribe during checkout, difficulty making purchases without a subscription, and misleading buttons that served as a recurring Prime subscription button. The cancellation process was excessive, difficult, and lengthy.
Outcome: The complaint was recently filed in U.S. District Court for the Western District of Washington. The case will be decided by the court. Updates will be available here accordingly.
2. Publishers Clearing House | Federal Trade Commission | June 2023
Publishers Clearing House was fined $18.5 million for using dark patterns in their sweepstakes entry processes.
Outcome: In addition to the $18.5 million fine, which would be used to refund consumers, PCH is required to:
Cease the use of dark patterns surrounding purchases and sweepstakes
Separate sweepstakes from sales
Clearly state that purchases will not affect sweepstakes in any way
Refrain from charging surprising fees
Refrain from sending deceptive emails
Delete consumer data collected prior to January 2019
Key Takeaways: Deceptive methods and misleading communications that manipulate consumers into making unnecessary purchases should be avoided. Consumers should be provided with clear and accurate information to make their choices.
3. TikTok | CNIL | January 2023
The French data protection authority imposed a €5 million fine on social media platform TikTok for its unlawful practices around cookie collection.
Summary: Following investigations carried out by CNIL on TikTok’s website, the French data protection authority found that TikTok UK and TikTok Ireland had violated the French Data Protection Act:
Sufficient information on the purpose of cookie collection was not provided to users
Outcome: Based on the breaches found, the volume of people concerned, and the intimations from the CNIL on this issue, a fine of €5 million was imposed on TikTok.
Link to full resource: Cookies: the CNIL fines TIKTOK 5 million euros | CNIL
4. Epic Games | FTC | December 2022
Fortnite maker Epic Games was fined $520 million for violating children’s privacy rights by using deceptive measures to encourage users to make purchases.
Summary: The Federal Trade Commission found Epic Games in violation of the Children’s Online Privacy Protection Act (COPPA) for employing dark patterns and billing practices to trick users into making unintentional purchases. Fortnite’s confusing button configuration caused unwanted charges. Further, the FTC addressed Epic Games’ live text and voice communication features, which exposed children to online harassment and abuse.
Outcome: The $520 million fine imposed was divided into two settlements. The COPPA fine amounted to $275 million, and the FTC fine amounted to $245 million for ‘dark patterns and billing practices.’
Key Takeaways: Processes employed should be clear, informed, and transparent. Dark patterns should be avoided at all costs. Strong practices should be put in place to safeguard the rights of children.
Link to further resource: FTC fines Fortnite maker Epic Games $520M over children’s privacy and item shop charges | TechCrunch
5. Google | Washington DC AG | December 2022
Google is to pay $9.5 million in settlement for utilizing dark patterns to deceive users and violate their privacy.
Summary: Washington DC Attorney General Karl Racine made accusations against Google for using deceptive methods to manipulate users into sharing their geolocation data. This was done, in some cases, by communicating to users that certain features wouldn’t function properly without switching on their location when it was not needed. More importantly, certain design choices were used to convince users that they had successfully disabled sharing their location data when it was, in fact, being tracked.
Outcome: According to the settlement, Google will implement changes that include a ‘pop-up’ notification to users who have allowed location services which will contain information on the kind of data being collected and how it can be disallowed.
Key Takeaways: Sufficient and explicit information should be provided to users regarding their data privacy rights, with specific importance on areas like precise geolocation, which is considered sensitive data by some regulations.
Link to further resource: Google to pay DC $9.5M over location-tracking claims - Top Class Actions
6. Google | CNIL | January 2022
Google LLC and Google Ireland were fined €150 million by the CNIL for the difficulty users experienced in refusing cookies.
A further penalty of €100,000 per day would be imposed should the issue not be remedied for users located in France.
Link to full resource: Cookies: GOOGLE fined 150 million euros | CNIL
7. Twitter | AEPD | June 2020
A €30 thousand fine was imposed on Twitter by the Spanish DPA, AEPD, for their unlawful cookie banner.
Outcome: A €30 thousand fine was imposed on Twitter for violating Spanish data protection laws, and Twitter was given a period of one month from the date of the decision to make the necessary changes.
Link to further resource: Spain: AEPD issues €30,000 fine against Twitter for unlawful cookie banner | DataGuidance
8. Facebook | CNIL | December 2021
9. Amazon | CNIL | December 2020
The CNIL issued a €35 million fine against Amazon for the dark patterns it employed regarding the use of marketing cookies.
Summary: Investigations done on amazon.fr by the CNIL found that
Cookies were automatically placed on users’ devices when they opened the website
The pop-up cookie banner did not provide sufficient information on cookies and their purpose or how they could be refused, or the fact that they could be refused in the first place.
Further, the language and format of the banner were confusing and did not convey that cookies are used primarily for personalized advertising.
Outcome: Considering the amount of time that the unlawful cookie practices were used and the number of French individuals affected, a fine of €35 million was imposed on Amazon.
Link to further resource: Amazon fined €35M by CNIL for violating cookie rules - Cookie Information
10. Google | ACCC | April 2021
Australia’s Competition & Consumer Commission (ACCC) imposed a $60 million fine on Google for using dark patterns to mislead users about its geolocation data collection.
Summary: The ACCC found that Google and its Australian Subsidiary deceptively informed users that the collection and usage of their location data was controlled only by the ‘Location History’ setting. However, another setting, ‘Web & App Activity,’ also enabled Google to collect, use, and store location data, which is considered personally identifiable. Further, this setting was turned on by default. Whenever users exercised their rights by turning off the option to collect and use location data via the ‘Location History’ setting, they were not informed of the continued collection, storage, and usage of their data since the ‘Web & App Activity’ setting was switched on.
Outcome: In addition to the $60 million fine imposed, Google was ordered by the court to commit to compliance and train its staff about the applicable laws, especially within the country. Google stated that the findings were not true and considered an appeal; however, in the case that they were, the company took measures to remedy the situation.
Key takeaways: Users should not be misinformed about the collection, storage, and use of their personal data. Deceptive processes, such as collection settings that are switched on by default, should be avoided.
Link to further resource: Google fined $40M+ for misleading location-tracking settings on Android | TechCrunch