Dark patterns: a way to conflict with the GDPR
Every day you use apps and services that were carefully designed to deliver the best user experience possible. However, if you’ve ever found it easier to sign up for an account than to cancel it, you’ve found a dark pattern.
Beware ‘dark patterns’ – data protection regulators are watching.
Definition of Dark patterns
The term was coined in 2010 by Harry Brignull, the UK-based user experience designer, who defined dark patterns as “a user interface that has been carefully crafted to trick users into doing things, such as buying insurance with their purchase or signing up for recurring bills”.
Dark patterns are features of interface design deployed by websites or apps to influence users’ online behaviour and trick them into making decisions and taking actions they might not otherwise make or take, to the benefit of the business in question.
Types of dark patterns tactics
On his website Dark patterns, Harry Brignull describes different types of dark pattern tactics that are commonly used across the internet.
- Price comparison prevention: when a retailer makes comparing the prices of different products/items so difficult for the user that it limits the possibility of making an informed decision;
- Misdirection: when the UX design purposefully focuses your attention on one thing in order to distract you from something else;
- “Confirmshaming”: the act of guilting you into opting into something. The option to decline is worded in such a way as to shame the user into compliance. A few examples can be found on this website.
- Disguised ads: advertisements that are disguised as other content or navigation in order to get you to click on them;
- “Roach motel”: when you can easily sign up for a service, but the business makes it unreasonably hard for you to cancel.
These are examples of dark patterns that affect the ability of individuals to effectively protect their personal data and make conscious choices.
They show that it is easier to use them than to implement transparent best practices. To avoid the use of dark patterns, regulators and businesses need to adopt a consumer-protection-based approach.
Regulating Dark Patterns
Dark patterns are increasingly becoming a focus of regulation.
Under the EU GDPR, the discussion about dark patterns and their effect on consent is a priority. In April 2019, LINC, the digital innovation laboratory of France’s data protection authority (CNIL), released a report discussing the importance of user interface design for user empowerment.
The report stressed that design is critical to helping protect privacy. It also discussed how consent gathered using dark patterns does not qualify as valid, freely given consent, stating, “the fact of using and abusing a strategy to divert attention or dark patterns can lead to invalidating consent”.
The requirement for transparency and informed, voluntary consent is central to the current California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) as well. In fact, they ban the use of dark patterns to subvert or impair the process for consumers to opt out of the sale of personal information. Businesses that use dark patterns in violation of the regulations have a 30-day cure period to revamp their website or app design. Failure to comply may result in civil penalties brought by the California Attorney General under the CCPA and unfair competition laws.
The CPRA, approved by California voters last November and set to take effect January 1, 2023, goes a step further than the CCPA to affirmatively regulate dark patterns, stating that “consent obtained through dark patterns does not constitute consent”.
Regulators as well as companies need to commit to protecting consumers from online manipulation.
Let’s not forget the NOYB initiative to end “cookie banner terror”, launched in 2021 with the aim of ensuring that users are given a clear yes/no option. This initiative even led the European Data Protection Board to set up a taskforce to coordinate the response to complaints concerning cookie banners filed with several EEA SAs by NOYB.
In particular, the Taskforce will:
- exchange views on legal analysis and possible infringements, including with regard to dark patterns and deceptive design;
- provide support to activities on the national level;
- streamline communication.
Dark patterns: what’s next?
In addition to privacy policies that need to be complete and in compliance from a legal perspective, it is important not to overlook the implementations and staging of the different moments in which interface designers seek to influence individuals.
As customer and user interfaces are becoming an increasingly important element in creating happy, loyal customers for companies, businesses should carefully consider the attention being given to the issue of dark patterns by regulators, lawmakers and researchers, as well as the management of valid user consent.
In light of this, it is important that organisations ensure that:
- their data protection teams regularly collaborate with their IT designers to ensure data protection by default and design;
- they integrate training in basic data protection knowledge into recruitment and promotion processes for their staff;
- they obtain valid user consent for the collection and processing of personal data;
- they use legal design: an innovative way to produce legal documents that serve their real purpose by informing users about their rights and giving them the means to actually exercise them.
Dark patterns are increasingly noticed, disliked, and illegal, and consumers are becoming more savvy and legislators more strict.
Start by checking if your website is consumer-friendly and clear about data collection, and find out what your cookie risk is with the GDPR.
Or if you have questions, ask one of our experts. We’re happy to help.
Admeet ensures your cookie banner compliance
At Admeet we are fully committed to ensuring that user rights are respected and that organisations are well aware of, and comply with, their data privacy obligations.
Our Consent Management Platform (CMP) allows organisations to easily manage and analyse their users’ interaction with their cookie banner, and to obtain and prove their clients’ users’ valid consent.
If you have a website, you likely need a CMP. A CMP not only helps you be compliant with global privacy regulations, but also sets you up as a trustworthy and transparent brand.
Curious what a CMP could look like?
Want to deliver something unique and on-brand to your audience?
Get creative with our interactive and highly customisable cookie banner and avoid dark patterns!