What are Dark Patterns?

Key Takeaways: Dark patterns are deceptive tools used by online services or businesses to manipulate user behavior to align with the interests and goals of the business. This is a growing area of emphasis for data privacy and consumer protection regulators, as demonstrated by the 2024 Global Privacy Enforcement Network Sweep (the “Sweep”). In the Sweep, 26 enforcement authorities from around the world, including the California Privacy Protection Agency and the Federal Trade Commission (“FTC”), reviewed more than 1,000 websites and apps for dark patterns. The Sweep’s review revealed that nearly 40% of websites created obstacles for users to make privacy choices or access privacy information, and a third of websites repeatedly asked users to reconsider their decision to delete their account. Consumers and businesses alike should be aware of dark patterns, their effects, and the federal and state regulations prohibiting use of dark patterns.

What are “Dark Patterns”?

The term “dark patterns” or “deceptive patterns” generally refers to design practices that are used to deceive, steer, or manipulate users into behavior that is beneficial for an online service, but often harmful to users or contrary to their intent. Dark patterns may appear in any online format, such as an online web page or mobile app, and can be found in a variety of industries and contexts, including e-commerce, cookie banners, video games, subscription services, and more.[1]

Dark patterns are prevalent online and are highly effective at influencing consumer behavior by taking advantage of a consumer’s cognitive bias. In addition to the 2024 Sweep, the FTC participated in the International Consumer Protection and Enforcement Network’s (“ICPEN”) 2024 review which examined the use of possible dark patterns by 642 websites and mobile apps from companies across the globe and in multiple languages. Following the ICPEN review, the FTC announced that 76 percent of the online services were found to use at least one dark pattern and 67 percent used more than one dark pattern.[2] In addition to the growing scrutiny from privacy enforcement agencies, 12 of the current or upcoming state privacy laws prohibit the use of dark patterns to obtain consumers’ consent. In light of the increased analysis and regulation of dark patterns, businesses must consider whether their policies, procedures, and design choices related to consumer privacy may constitute an unlawful dark pattern.

Types of Dark Patterns

The FTC recognizes a wide range of deceptive acts as dark patterns, including, but not limited to:

  • Using design elements that obscure or subvert privacy choices;
  • Preventing customers from canceling services or subscriptions or deleting personal data or accounts through tedious and time-consuming cancellation processes;
  • Hiding material information from consumers, often via fine print or lengthy terms of service;
  • Adding hidden fees or charges without displaying them;
  • Offering a free trial that automatically charges a recurring fee if not affirmatively canceled;
  • Hiding real costs by offering consumers the option to buy items with virtual currency, often in online games;
  • Using style and design to focus users’ attention on one thing with the goal of distracting their attention from another;
  • Using contrasting visual prominence to lead users to choose certain options over others;
  • Asking whether a user wants to take an action in a disruptive or repetitive manner;
  • Using options such as “Not Now” or “Later” instead of “No”;
  • Using ambiguous or confusing language, such as double negatives;
  • Preselecting a default option that is good for the company, but not the user; and
  • Tricking users into sharing more information than they intended by telling them it will be used for one purpose, but then using it for another.

FTC Regulation of Dark Patterns

Section 5 of the FTC Act prohibits the use of unfair or deceptive acts or practices in or affecting commerce. In recent years, the FTC has utilized Section 5 to take a strong stance against dark patterns, holding several major companies liable for their deceptive techniques.[3]

  • In June 2023, the FTC announced an enforcement action requiring Publishers Clearing House to pay $18.5 million after they misled consumers on how to enter into their sweepstakes drawing by falsely stating that a purchase was necessary and that their entry was incomplete without one.
  • In March 2023, the FTC announced an enforcement action requiring Epic Games to pay $245 million after they used confusing and inconsistent button configurations to trick Fortnite players into making unwanted purchases in the game.
  • In September 2020, the FTC announced an enforcement action requiring Age of Learning, Inc. to pay $10 million after it tricked customers into signing up for a 12-month subscription that automatically renewed and made it nearly impossible to cancel the subscription by forcing consumers to navigate through several pages of ambiguous menu options.

In sum, the FTC is on high alert for uses of dark patterns and is prepared to utilize enforcement actions to combat online services that intend to deceive consumers in their favor, whether through advertising, user interface, page navigation, or other means.

State Regulation of Dark Patterns

Definitions

To date, 19 states have passed comprehensive data privacy laws, with seven of those laws currently in effect. Of these 19 state privacy laws, the following specifically address the use of dark patterns in obtaining consent:

  • California Consumer Privacy Act (“CCPA”);
  • Colorado Privacy Act (“CPA”);
  • Connecticut Data Privacy Act (“CDPA”);
  • Delaware Personal Privacy Act (“DPPA”);
  • Maryland Online Data Privacy Act (“MODPA”);
  • Minnesota Consumer Data Privacy Act (“MCDPA”);
  • Nebraska Data Privacy Act (“NDPA”);
  • New Hampshire Privacy Act (“NHPA”);
  • New Jersey Data Privacy Act (“NJDPA”);
  • Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”); and
  • Texas Data Privacy and Security Act (“TDPSA”).

Under these laws, consent must be a freely given, specific, and unambiguous indication of a consumer’s wishes in connection to an affirmative action. An agreement obtained through the use of a dark pattern does not constitute valid consent. The laws generally define a “dark pattern” as a user interface designed to manipulate with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as well as any other practice that the FTC refers to as a dark pattern.

Although it does not discuss dark patterns by name, the Oregon Consumer Protection Act (“OCPA”) uses similar language, stating that consent cannot be made with a user interface that has the purpose or substantial effect of obtaining consent by “obscuring, subverting, or impairing the consumer’s autonomy, decision-making, or choice.”

When is consent required?

Except for the CCPA, each of these state laws requires opt-in consent for the processing of sensitive data. In addition, each of these state laws requires opt-in consent for processing of personal data for the purposes of targeted advertising, sale, or profiling in furtherance of automated decisions that produce legal or similarly significant effects on the consumer. A consumer’s silence or failure to take an affirmative action would not constitute valid opt-in consent.

Businesses that process sensitive data or process personal data for the purposes described above must ensure that their opt-in and opt-out procedures do not constitute a dark pattern as defined by applicable state privacy laws or the FTC.

What is required for opt-in and opt-out procedures?

These state laws generally require that an online service’s mechanism for opting out or revoking consent be as easy to use as the mechanism for providing consent. The opt-out mechanism should:

  • Inform consumers about the choices available to them;
  • Not include a default setting, but rather clearly represent the consumer’s affirmative, freely given and unambiguous choice to opt out of the processing of personal data;
  • Be consumer-friendly, clearly described, and easy to use for the average consumer;
  • Be as consistent as possible with other similar mechanisms required by law; and
  • Permit the online service to accurately authenticate the consumer as a resident of the state and determine the consumer’s legitimate request to opt out of the processing of personal data.

The CCPA specifies that mechanisms for giving or revoking consent may not be presented via a pop-up, banner, or other intrusive design, and may not require the consumer to state a preference in order to receive full functionality of the website.

Best Practices Regarding Dark Patterns

The FTC has provided numerous recommendations for businesses to protect themselves from a state or federal enforcement action for the use of dark patterns, including the following:

  • Be honest about why you are collecting personal data and how it will be used and shared;
  • Avoid default settings that lead to the collection, use, or disclosure of personal data in ways consumers do not expect;
  • Present relevant privacy information when asking for consent related to sensitive data;
  • Avoid ambiguous and confusing toggle options;
  • Make consumer choices easy to access and understand;
  • Do not present one option in a more prominent display than another;
  • Consider how design choices affect consumers’ understanding of the material terms of the transaction, as opposed to the effects of design choices on click-through rates or other profit-based metrics; and
  • Avoid a blanket consent to more than one type of personal data collection, processing, or disclosure.

As states continue to enact laws regarding consumer data protection and privacy, businesses and consumers alike should be aware of the manner in which consent for personal data collection and processing may be given and revoked. Businesses should take a moment to access their platform from a consumer perspective and consider whether another consent mechanism might increase the likelihood that a consumer’s choice will be respected or implemented.

Koley Jessen will continue to monitor developments related to dark patterns and advise as updates become available. If you have questions on whether your business is compliant with consent requirements related to personal data collection and processing, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area.

*Special thanks to summer associate Jenna Stevens for her contributions to this article.


[1] FTC Bringing Dark Patterns to Light Staff Report September 2022

[2] ICPEN Dark Patterns in Subscription Services Sweep Public Report July 2024

[3] FTC Enforcement Policy Statement Regarding Negative Option Marketing

This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
