June 26, 2022

Volume XII, Number 177

Advertisement
Advertisement

June 24, 2022

Subscribe to Latest Legal News and Analysis

What’s the Big Deal About Dark Patterns?

Dark patterns have been a recent regulatory focus. The FTC issued an enforcement policy late last year, and the European Data Protection Board followed suit with guidelines this spring. The two have slightly different takes on what constitutes a dark pattern. The European focus is on misleading consumers into providing more information than they would have otherwise, or in providing unwitting consent for use of information. For the FTC, the focus is on programs that “trick” consumers into making purchases, including signing up for ongoing services. For both entities, the concern is on misleading consumers into providing unwilling consent or agreement.

In the U.S., as we have written, dark patterns may violate negative option laws, including the Restore Online Shoppers Confidence Act. In Europe, dark patterns can violate various parts of GDPR, including Articles 4, 5 and 7. Regulators have brought action for dark pattern violations. This includes a recent action by the U.S. Consumer Financial Protection Bureau, as we wrote about on our sister blog.

The term “dark pattern” suggests nefarious activity in which an upstanding corporate citizen would not engage. Companies might therefore be tempted to ignore this guidance. That would be a mistake. The activities over which regulators have expressed concern might be something in which a “normal” company might engage. This is especially true in the privacy realm. On that front, the EDPB provides helpful examples of what activities might be a dark pattern. Examples include repeatedly asking a user to provide information (continuous prompting), sending users through too many pages to find privacy-related information (privacy maze), designing an interface in such a way that a user fails to think about data protection (skipping), or using formatting and other techniques to direct a user towards more privacy-invasive options (hidden in plain sight).

What are some top takeaways from these various regulatory guidance? What can companies do to avoid being viewed as engaging in a dark pattern? The following are a few steps to take:

  • Be clear. As the EDPB recommends, keep in mind concepts of deception and fairness. Related to this, make disclosures – especially about data usage – clear and prominent. The EDPB gives case study examples of “mistakes,” including a company with a 70-page, header-less, privacy policy.

  • Do not deceive. This is a fundamental tenant for the FTC, enforced under Section 5 of the FTC Act. The EDPB provides case study examples, including in the context of privacy use FAQs. Those FAQs should not negate other disclosures, or contain internal inconsistencies.

  • Give options. For negative option programs, the FTC reminds companies that users need a way to opt-out. For privacy use decisions, the EDPB emphasizes giving users ways to modify decisions they have made during a sign-up process.

Putting it into Practice:  The term “dark patterns” can cover a variety of activities. Regulators are particularly concerned right now with companies that use formatting, technologies and other mechanisms to guide users into making decisions that they would not have made otherwise. When putting together user interfaces, companies would be well served to keep in mind the concepts of clarity and choice to avoid potential dark pattern allegations.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XII, Number 145
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
James Fazio Intellectual Property Attorney Sheppard Mullin Law Firm
Special Counsel

James Fazio is special counsel in the Intellectual Property Practice Group in the firm's San Diego (Del Mar) office.

Areas of Practice

James focuses on intellectual property and business litigation. He represents public and private companies in disputes such as those involving patent and trademark infringement, theft of trade secrets, fraud, breach of contract, unfair competition, false advertising and various business tort claims. James has more than 24 years of litigation experience and was selected by his peers among the top ten intellectual property...

858.720.7418
Advertisement
Advertisement
Advertisement