Key Takeaways: Dark patterns are deceptive tools used by online services or businesses to manipulate user behavior to align with the interests and goals of the business. This is a growing area of emphasis for data privacy and consumer protection regulators, as demonstrated by the 2024 Global Privacy Enforcement Network Sweep (the “Sweep”). In the Sweep, 26 enforcement authorities from around the world, including the California Privacy Protection Agency and the Federal Trade Commission (“FTC”), reviewed more than 1,000 websites and apps for dark patterns. The Sweep’s review revealed that nearly 40% of websites created obstacles for users to make privacy choices or access privacy information, and a third of websites repeatedly asked users to reconsider their decision to delete their account. Consumers and businesses alike should be aware of dark patterns, their effects, and the federal and state regulations prohibiting use of dark patterns.
What are “Dark Patterns”?
The term “dark patterns” or “deceptive patterns” generally refers to design practices that are used to deceive, steer, or manipulate users into behavior that is beneficial for an online service, but often harmful to users or contrary to their intent. Dark patterns may appear in any online format, such as an online web page or mobile app, and can be found in a variety of industries and contexts, including e-commerce, cookie banners, video games, subscription services, and more.[1]
Dark patterns are prevalent online and are highly effective at influencing consumer behavior by taking advantage of a consumer’s cognitive bias. In addition to the 2024 Sweep, the FTC participated in the International Consumer Protection and Enforcement Network’s (“ICPEN”) 2024 review which examined the use of possible dark patterns by 642 websites and mobile apps from companies across the globe and in multiple languages. Following the ICPEN review, the FTC announced that 76 percent of the online services were found to use at least one dark pattern and 67 percent used more than one dark pattern.[2] In addition to the growing scrutiny from privacy enforcement agencies, 12 of the current or upcoming state privacy laws prohibit the use of dark patterns to obtain consumers’ consent. In light of the increased analysis and regulation of dark patterns, businesses must consider whether their policies, procedures, and design choices related to consumer privacy may constitute an unlawful dark pattern.
Types of Dark Patterns
The FTC recognizes a wide range of deceptive acts as dark patterns, including, but not limited to:
- Using design elements that obscure or subvert privacy choices;
- Preventing customers from canceling services or subscriptions or deleting personal data or accounts through tedious and time-consuming cancellation processes;
- Hiding material information from consumers, often via fine print or lengthy terms of service;
- Adding hidden fees or charges without displaying them;
- Offering a free trial that automatically charges a recurring fee if not affirmatively canceled;
- Hiding real costs by offering consumers the option to buy items with virtual currency, often in online games;
- Using style and design to focus users’ attention on one thing with the goal of distracting their attention from another;
- Using contrasting visual prominence to lead users to choose certain options over others;
- Asking whether a user wants to take an action in a disruptive or repetitive manner;
- Using options such as “Not Now” or “Later” instead of “No”;
- Using ambiguous or confusing language, such as double negatives;
- Preselecting a default option that is good for the company, but not the user; and
- Tricking users into sharing more information than they intended by telling them it will be used for one purpose, but then using it for another.
