
What Privacy Professionals Need to Know About Dark Patterns Regulation

Dark patterns regulation has emerged as a focus in both the US and EU over the past few years. Consider these regulatory activities from around the globe:

  • In 2021, the US Federal Trade Commission issued a dark patterns enforcement policy. More recently, it began the process of seeking public input to modernize its disclosure guidance to address the ubiquitous use of dark patterns, noting that this is just one of a number of initiatives geared toward tackling dark patterns and digital deception.  
  • The California Privacy Protection Authority released its draft regulations in May 2022, which (if enacted) would mean any agreement obtained using dark patterns shall not constitute valid consent.  
  • The European Data Protection Board (EDPB) released its guidelines on dark patterns in social media platform interfaces.  

Read on to discover what Australian privacy professionals can take away from these global regulatory changes: 

EDPB Guidance About Dark Patterns 

While the EDPB’s guidance is for social media platforms operating in Europe, the guidelines offer plenty of direction that Australian organisations could implement as best practices – particularly when it comes to avoiding common dark patterns.

The EDPB has categorised dark patterns and provided examples of each type, as follows:  

Dark Pattern Category 

Dark Pattern Examples

Overloading 

  • Continuous or repeated prompts and requests. 
  • Privacy mazes, which make it difficult to navigate to privacy settings.  
  • Too many options. 

Skipping 

  • Automatically selecting the most data invasive features or options (known as deceptive snugness).  
  • “Look over there” tactics, which put data protection information or functionality in competition with other features.

Stirring 

  • Emotional steering – or appeals that play to a user’s emotions.  
  • Hidden in plain sight features that nudge users towards more invasive privacy settings.  

Hindering 

  • Dead ends. 
  • Longer than necessary navigation to privacy settings.  

Fickle 

  • Unstructured or illogically structured information that lacks hierarchy.
  • Decontextualizing privacy information.  

Left in the Dark 

  • Language discontinuity.  
  • Providing conflicting or unclear information.  
  • Ambiguous wording or information.  

Australian organisations could adopt these categories and implement policies that require designers to avoid them as a best practice.  

Dark Patterns Regulation in California

California’s draft regulations require that consent meets certain requirements to be considered valid. The regulations go on to outline 5 requirements, alongside examples of poor practices.

Requirement 

Examples of Dark Patterns/Poor Practices to Avoid 

Easy to understand   
Symmetry in choice 
  • Requiring a consumer to take more steps to opt-out of more invasive privacy settings than to opt-in.  
  • Making it impossible or difficult for users to decline in one step by providing options like “Yes” and “Ask me later” or “Accept all” and “More Information”.  
  • Offering a choice where the more data invasive option is more prominent.  
Avoiding confusing language or design elements 
  • Giving the choice of “Yes” or “No” to the statement “Do Not Sell My Personal Information” is confusing because it creates a double negative.  
  • Toggles that state “on” or “off”.  
  • Unintuitive placement of buttons, for instance, moving the order of the “Yes” and “No” buttons between choices to try to trick the user into giving consent for the more privacy-invasive option.   
Avoid manipulative language or choice architecture 
  • Providing options such as “No, I like paying full price” or “No, I don’t want to save money”.  
  • Requiring users to click through reasons why they should not submit a request to opt-out.
  • Bundling consents in a way that requires users to consent to both reasonably expected data usage as well as more invasive uses or uses that are unexpected.  
Easy to execute 
  • Circular or broken links. 
  • Non-functional email addresses. 
  • Unnecessarily slow loading times for opt-out functionality.

   

Again, Australian organisations could take cues from these draft regulations and implement policies that instruct designers to not use these tactics in their designs.  

Avoid Dark Patterns with Privacy 108 

Ensuring dark patterns aren’t included in the design of new products and applications is part of your Privacy by Design approach. If you’re interested in better organisational privacy by implementing PbD, reach out.  
