Dark patterns have been a recent regulatory focus. The FTC issued an enforcement policy late last year, and the European Data Protection Board followed suit with guidelines this spring. The two have slightly different takes on what constitutes a dark pattern. The European focus is on misleading consumers into providing more information than they would have otherwise, or into providing unwitting consent for use of their information. For the FTC, the focus is on programs that “trick” consumers into making purchases, including signing up for ongoing services. For both entities, the concern is with misleading consumers into giving consent or agreement they would not otherwise have given.
In the U.S., as we have written, dark patterns may violate negative option laws, including the Restore Online Shoppers' Confidence Act. In Europe, dark patterns can violate various parts of the GDPR, including Articles 4, 5 and 7. Regulators have brought actions for dark pattern violations, including a recent action by the U.S. Consumer Financial Protection Bureau, as we wrote about on our sister blog.
The term “dark pattern” suggests nefarious activity in which an upstanding corporate citizen would not engage. Companies might therefore be tempted to ignore this guidance. That would be a mistake. The activities over which regulators have expressed concern might be something in which a “normal” company might engage. This is especially true in the privacy realm. On that front, the EDPB provides helpful examples of what activities might be a dark pattern. Examples include repeatedly asking a user to provide information (continuous prompting), sending users through too many pages to find privacy-related information (privacy maze), designing an interface in such a way that a user fails to think about data protection (skipping), or using formatting and other techniques to direct a user towards more privacy-invasive options (hidden in plain sight).
What are some top takeaways from this regulatory guidance? What can companies do to avoid being viewed as engaging in a dark pattern? The following are a few steps to take:
- Be clear. As the EDPB recommends, keep in mind concepts of deception and fairness. Related to this, make disclosures – especially about data usage – clear and prominent. The EDPB gives case study examples of “mistakes,” including a company with a 70-page, header-less privacy policy.
- Do not deceive. This is a fundamental tenet for the FTC, enforced under Section 5 of the FTC Act. The EDPB provides case study examples, including in the context of privacy-use FAQs. Those FAQs should not negate other disclosures or contain internal inconsistencies.
- Give options. For negative option programs, the FTC reminds companies that users need a way to opt out. For privacy-use decisions, the EDPB emphasizes giving users ways to modify decisions they made during a sign-up process.
Putting it into Practice: The term “dark patterns” can cover a variety of activities. Regulators are particularly concerned right now with companies that use formatting, technologies and other mechanisms to guide users into making decisions that they would not have made otherwise. When putting together user interfaces, companies would be well served to keep in mind the concepts of clarity and choice to avoid potential dark pattern allegations.