Dark Patterns: What are They and Why Should You Remove Them From Your Website?

Facebook and Google have received hefty fines from France’s lead data protection authority, the CNIL, for dark patterns on their websites relating to cookie consents. The CNIL fined Google a total of 150 million euros, while Facebook received a fine of 60 million euros for non-compliance with French legislation. So, what are dark patterns? And how can you remove them from your website and apps?  

What are dark patterns?  

Dark patterns are design features and/or language used on websites and in apps that make it more difficult for users to give informed consent or otherwise manage their privacy.

The term ‘dark patterns’ was coined by UX (user experience) designer Harry Brignull in 2010. He explains on his website, darkpatterns.org, that dark patterns work by taking advantage of the fact that users tend to skim-read web pages and apps, tricking them into acting in a way that is likely contrary to how they intended to act.

Here are some common types of dark patterns (with examples):


Settings that make it more difficult to achieve one outcome than another.  

This is the design practice that resulted in the CNIL fining Google and Facebook. The French regulator requires companies to make refusing cookies as easy as it is to accept them – and it has determined that Google and Facebook failed to achieve this:

“The restricted committee, the body of the CNIL responsible for issuing sanctions, has noted, following investigations, that the websites facebook.com, google.fr and youtube.com offer a button allowing the user to immediately accept cookies. However, they do not provide an equivalent solution (button or other) enabling the Internet user to easily refuse the deposit of these cookies. Several clicks are required to refuse all cookies, against a single one to accept them.

The restricted committee considered that this process affects the freedom of consent: since, on the Internet, the user expects to be able to quickly consult a website, the fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favor of consent. This constitutes an infringement of Article 82 of the French Data Protection Act.”  

(Bold emphasis is ours)

Trick Questions – where you are tricked into giving an answer you didn’t intend, usually via a form.  

Source: https://twitter.com/kimeshan_/status/1479190800709955585/photo/1

Users would typically expect subscription settings that appear in this format to be provided on an opt-in basis. In this case, the website asks that you tick the box if you don’t want to receive offers via that medium.  


Settings that make it difficult to cancel charges or subscriptions. 

See the Norwegian Authority’s report on Amazon’s dark patterns relating to its subscriptions here (in English): https://www.forbrukerradet.no/news-in-english/amazon-manipulates-customers-to-stay-subscribed/  


Why should you remove dark patterns from your website?  

Dark patterns are unethical. 

These design and language features are crafted to intentionally trick or manipulate website visitors into doing something they don’t want to do. The tactics leverage behavioural psychology to benefit businesses at the expense of customer consent, which is an unethical and poor practice. 

Dark patterns are annoying. 

Beyond the potential legal risk that comes with relying on dark patterns, they are also annoying for your website visitors. As a result, they can damage your brand’s reputation and also turn potential customers off using your website, app, or product.  


Dark patterns are being banned (in some jurisdictions). 

In the US, the Federal Trade Commission announced in October 2021 its intention to ramp up enforcement against illegal dark patterns that trick or trap consumers into subscriptions. Meanwhile, California law specifies that consents obtained via dark patterns are not valid and requires businesses to ensure that the number of steps to opt-in cannot be more than the steps to opt-out.

Similarly, France’s CNIL released a report detailing that consent obtained using dark patterns cannot be valid, since it is not freely given. You can read the CNIL’s ‘Shaping Choices in the Digital World’ report here (in English): https://linc.cnil.fr/sites/default/files/atoms/files/cnil_ip_report_06_shaping_choices_in_the_digital_world.pdf


How to remove dark patterns from your website 

At a minimum, your business should:   

  • Obtain and keep records of your users’ clear and unambiguous consent.  
  • Make it as easy for users to opt out as it is to opt in for any feature on your website – be it a subscription, an email marketing list, or their privacy settings.
  • Make it possible for users to see and manage their privacy settings with just one click from within their account dashboard on your website.  
  • Make it possible for users to delete their data and/or their account from their dashboard within 1-2 clicks. Do not obscure these settings.   
  • If you charge users a subscription, make sure they can cancel their subscription within 1-2 clicks from their account dashboard. It should be clear where they manage their payments, too.   
  • Use very clear, plain language when describing your privacy practices.   
  • Avoid language that tricks or shames users into making a certain decision. This includes avoiding language like “I don’t like discounts” or “I won’t benefit from your help” when a user is selecting to not subscribe to a particular setting.  
  • Ensure the easy-to-understand privacy practices information is visible and/or easily available whenever a user makes a change that impacts the handling of their personal data or privacy.   



At Privacy 108, we are passionate about privacy and data protection. We work with organisations to ensure they collect, use and secure all information in a way that is both compliant and meets community expectations. Privacy 108 is a law firm. Our team of lawyers can provide specialist legal advice on privacy and security issues.