The Federal Trade Commission is ramping up its enforcement of so-called dark patterns, with $350 million in settlements announced in late 2022. Many businesses may be uncertain what dark patterns are, or may think they do not need to worry. This Article argues that the FTC’s enforcement practices are industry-agnostic and derived from previous enforcement actions over the last decade. By examining these current and past enforcement actions, it is possible to develop a set of best practices around robust user notice and choice and user interface designs that do not present unnecessary hurdles to consumers.
By Ryan C. Smith[1]
In late 2022, the Federal Trade Commission (“FTC”) announced settlements with two different businesses over the use of so-called “dark patterns.” Defining dark patterns is complicated; the FTC’s definition (“design practices that trick or manipulate users into making choices they would not otherwise have made and that may cause harm”) does not provide much enlightenment.[2] But using dark patterns can be costly: the first settlement in 2022 was a $100 million settlement with Vonage Holdings, a cloud communications provider.[3] The second was a $245 million settlement with Epic Games, Inc., maker of the popular video game Fortnite.[4] While these two enforcement actions represented the first time the FTC specifically named dark patterns in a complaint, they were not harbingers of an unexpected sea change. In 2021, the FTC held a workshop on “Bringing Dark Patterns to Light,” signaling an interest in dark patterns.[5] The complaints against both Vonage and Epic are also not treading new ground; while the FTC names dark patterns in both complaints, the foundations of the FTC’s arguments can be found in other, older enforcement actions.
The FTC is not the only enforcement agency eyeing dark patterns. Eighteen state attorneys general wrote to the FTC in August 2022, urging more action be taken on dark patterns.[6] The State of California, with its expansive California Privacy Rights Act (“CPRA”), outlaws the use of dark patterns when obtaining consumer consent for the collection of personal information.[7] Colorado, in the Colorado Privacy Act (“CPA”), and Connecticut, in the Connecticut Data Privacy Act (“CTDPA”) do as well.[8] With $345 million in settlement payments (and counting), every business that interacts with consumers ought to be aware of dark patterns and how to avoid them.
One hurdle businesses face, beyond assessing their consumer-facing communications and interactions, is defining what dark patterns are. The FTC’s definition asks more questions than it answers. The CPRA is likewise not forthcoming (“a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice, as further defined by regulation”).[9] The definitions found in the California Privacy Protection Agency’s proposed regulations can only define dark patterns by what they are not.[10] Colorado’s definition largely mirrors the FTC’s.[11] Connecticut, meanwhile, just defers to the FTC.[12]
Companies across a diverse array of industries are scrambling to ensure compliance with vague directives in state law and in federal regulations. Without much guidance, it almost seems easier for legal teams to shrug their shoulders. But it is possible to discern patterns in previous FTC enforcement actions that can guide businesses as they carefully scrutinize their interactions with consumers. The FTC’s dark patterns jurisprudence (if it can be called that) is not only identifiable but is easy to distill. This Article gives a brief overview of the FTC’s enforcement actions against both Vonage and Epic Games, and then examines previous enforcement actions dating back to the mid-2010s to develop a set of recommended best practices that are agnostic to industry and business model and focus on straightforward interactions with consumers online.
I. ANALYZING VONAGE AND EPIC GAMES
For a company that serves digital ads on online publications, or a company that makes a weather app, it can seem unintuitive to look at enforcement actions against a cloud telecommunications provider or a video game designer and see how it applies to your business. While Vonage and Epic Games are dramatically different companies, the practices at issue are common in any business that interacts with consumers. Both companies struggled with presenting consumer choice, and both companies did not mirror their enrollment and cancellation processes. By examining the FTC’s complaints in Vonage and in Epic Games, it becomes apparent that the throughlines in the FTC’s enforcement are not industry-specific and can, in fact, serve as a touchstone for any business that interacts with consumers.
A. Analyzing Vonage
Vonage markets Voice over Internet Protocol (“VoIP”) phone service products to residential and business consumers. Prices for Vonage’s service range from $4.99 to over $50 a month.[13] Vonage offers a variety of enrollment methods, including through a 24/7 website or a toll-free telephone number.[14] However, the cancellation process is more difficult to navigate than the enrollment process. Between 2017 and 2022, Vonage only allowed customers to cancel their enrollment by speaking with a live “retention” agent over the phone.[15] Vonage did not present this requirement to consumers when they enrolled in Vonage’s services; rather, it was buried in a lengthy terms of service document.[16] Even finding the telephone number for reaching the retention agents was a hurdle for consumers; while Vonage prominently displayed its main customer service telephone number on its website, the special cancellation number was not presented to consumers in an immediately obvious manner.[17]
For customers whose plans were billed at less than $60 a month, the cancellation process was even more obtuse: first, they had to request a cancellation via online chat and wait to be connected with a live chat agent; then, the live chat agent would have to transfer their call to a live retention agent, requiring an additional wait.[18] Additionally, Vonage put in place “Early Termination Fees” for customers who wanted to cancel before the end of their contract period–but did not conspicuously disclose these terms.[19] Vonage presented the disclosure in a small, unbolded font against a gray background, in contrast to the bolded, larger font disclosing the benefits of signing up for Vonage.[20] For customers signing up over the phone, Vonage instructed its employees to not “proactively” offer information about the Early Termination Fees.[21]
There are two key things to note about Vonage’s business practices that resulted in the FTC action. First, their consumer choice presentations were not accurate. Material information was obscured in such a way that only a particularly vigilant consumer would be aware of it. The average consumer would not find an accurate disclosure for the service they were signing up for. Likewise, the “consumer journey” (the process a consumer takes to consent to enroll in a service, and the process taken to revoke that consent) to cancel their Vonage account was circuitous and frustrating, designed more to ensure customers continued to pay for a Vonage account instead of allowing them to cancel their membership at their will.
Vonage eventually agreed to a $100 million settlement with the FTC.[22] While Vonage is a cloud telecommunications service and Epic Games is a video game designer, many of the problems Vonage encountered were similar to the practices the FTC would cite in its complaint against Epic Games.
B. Analyzing Epic Games
Epic Games develops and distributes the video game Fortnite. Part of Fortnite’s appeal is that it is free to download and play, although like many games it offers certain in-game benefits that must be purchased with actual money. Fortnite is incredibly popular, with over 400 million players worldwide.[23] For in-game purchases, Epic would save consumers’ payment information by default and use it to bill consumers for future charges.[24] Despite this, Epic prominently advertises Fortnite as free; if a consumer were to download Fortnite on a personal computer, they would only find a small disclosure stating “In-Game Purchases” at the very bottom of the download page.[25]
Once Epic had saved a consumer’s credit card information, players – many of them children and teenagers – could make in-app purchases “simply by pressing buttons with no parental or card holder action or consent.”[26] There were no safeguards to prevent children from making purchases without parental consent – much to the surprise of parents reviewing their credit card bills.[27] Epic knew this, and internal documentation noted that “Unrecognized and Fraudulent Charges” was among the top five reasons customers complained to Epic Games.[28] In response to these complaints, Epic gave consumers the option not to have their credit card information saved – but only in a small checkbox in the checkout page, with a small print notice to “[m]ake this a one-time payment.”[29] Indeed, Epic never informed consumers that the default option was to automatically bill saved credit card information, and it was aware consumers typically did not check the small checkbox.[30]
The in-game purchase flow for Fortnite was also designed in such a way that it was easy for consumers (particularly children) to make accidental or unwanted purchases. For example, in the “Cosmetics” store (where players could preview popular costume changes for their in-game avatars), Epic would automatically charge consumers if they pressed a certain button, without requiring any further action from consumers, such as asking them to confirm their purchase.[31] In contrast, players wishing to cancel an unwanted purchase had to press and hold the button in addition to confirming their request for a refund.[32]
Epic did not even offer an option to cancel certain charges until June 2019. Initially, the “Undo” option was presented in a visually identical manner as the purchase option.[33] However, Epic soon reduced its prominence, changing its name to “Cancel Purchase,” reducing its size, moving it to the bottom of the screen (away from the “Purchase” button), and requiring consumers to push and hold a button to cancel.[34] Once these changes were made, Epic “observed a roughly 35% decline” in the number of consumers undoing their purchases.[35]
Even requesting refunds was a convoluted process compared to the simple purchase procedures. To find the link to request a refund, consumers had to go to a “Settings” tab on the Fortnite app menu, “far removed from the purchase screen,” despite the fact that requesting a refund is not a game or device setting.[36] The designer even admitted that he put the link there in an “attempt to obfuscate the existence of the feature” and “add[ing] friction for friction’s sake.”[37]
Epic deliberately advertised its product as free, and then concealed the nature of its in-game purchase policies. It made the purchase process frictionless but went out of its way to make the refund process cumbersome. By hiding the nature of its in-game purchase policies, Epic tricked consumers into making choices they might not have otherwise made by saving their credit cards. By making its refund process burdensome–with the stated goal of curtailing user refund requests–it was preventing consumers from revoking their consent. Epic Games wound up settling with the FTC for $245 million.[38] Epic was aware that its policies were hindering consumer choice, but rather than addressing these consumer hurdles, they doubled down and wound up paying a substantial fine for it.
II. DEVELOPING BEST PRACTICES
By analyzing Vonage and Epic Games, certain commonalities in enforcement emerge, allowing us to begin to define what a dark pattern is. The way material information is presented – or hidden – is relevant in the FTC’s analysis. Likewise, the consumer journey – the process a consumer takes to consent to enroll in a service, and the process taken to revoke that consent – is closely scrutinized. To borrow a phrase from the Epic Games engineer, “friction for friction’s sake” is highly suspect. These general best practices were derived from an analysis of enforcement actions the FTC has taken over the last decade, up to and including Vonage and Epic Games. They can be divided into two categories: Considerations for Robust User Notice and Choice, and Considerations for User Interface Design.
A. Considerations for Robust User Notice and Choice
When determining how to present consumers with notice and choice, the three topline concerns for any business looking to avoid dark patterns should be accurate disclosures, seamless revocation processes, and the use of straightforward language.
- Accuracy
In order for a disclosure to be accurate, all material terms and conditions should be included when obtaining consumer consent. Terms and conditions should be stated in an easy to understand way that is unlikely to deceive consumers.[39] In particular, a business should avoid employing “negative options,” provisions “under which the customer’s silence or failure to take affirmative action to reject goods or services or to cancel the agreement is interpreted” as consent.[40] Businesses should also avoid telling consumers their data is needed for a service to operate when in actuality it is not.[41]
The FTC has been clear about this need for accuracy for many years. For example, in 2015, the FTC brought an action against PaymentsMD, LLC, a medical billing provider, alleging the company failed to inform consumers that it would be collecting sensitive health information from third parties.[42] In 2018, the FTC sued PayPal, Inc., over disclosures in its mobile payment app Venmo.[43] The FTC alleged that PayPal failed to provide conspicuous disclosures of material terms to consumers when first signing up for the app, in violation of the Gramm-Leach-Bliley Act and subsequent FTC regulations.[44] And in 2019, the FTC sued Office Depot, Inc., in a case alleging that a service Office Depot advertised as a free PC checkup program was actually a tool to sell diagnostic and repair services to unsuspecting consumers.[45]
The subversion of consumer choice in these examples is plain. When a consumer is not given all the material information they need to make a decision – whether it is a decision to opt out of tailored advertising, to download an app, or to sign up for a service – the consumer’s consent is not informed. When disclosures are not conspicuous, or hidden away on other parts of a platform, an unknowing consumer could reasonably determine they have been given all the material information they need to make a decision. Likewise, when a disclosure is dishonest about what a consumer needs to know, especially when there is a cost (monetary or otherwise) the consumer must pay when they make their decision, it could influence the consumer’s choice in an unlawful way.
- Seamless Revocation
The revocation of consent can take several forms, including canceling a purchase, unsubscribing, or opting out. The revocation process should be seamless; that is, it should be easy for a consumer to do while also providing the consumer with complete information about the revocation process.[46] The number of steps in the “consumer journey” to revoke consent (i.e. the discrete actions a consumer must take) should be equal to the consumer journey to sign up for a service.[47]
Providing all material information is critical. In 2016, the FTC reached a settlement with NutraClick, a company that sold nutritional supplements and beauty products, over its cancellation practices.[48] NutraClick enrolled consumers into a recurring monthly program when they ordered a “free trial” of NutraClick’s products, and failed to disclose the enrollment.[49] After settling with the FTC, NutraClick continued to employ dark patterns in its business practices by failing to conspicuously disclose that consumers must cancel their free trial at least one day before the end of the trial period, or else they would be automatically charged for enrollment.[50]
In 2020, the FTC sued Age of Learning, Inc., which operated the online children’s education platform ABCmouse.com. On the signup page for ABCmouse.com, Age of Learning represented that it had “Easy Cancellation” (in bold, red text) promising that consumers could “cancel at any time.”[51] Enrollment in ABCmouse.com could be done on one page with a single form.[52] Cancellation, however, was a more circuitous process. Consumers could not cancel by telephone, email, or by web form, like they could for signing up. Instead, they had to go through four separate pages of ABCmouse.com for a link labeled “Cancellation Policy,” which in actuality was the cancellation mechanism.[53]
By making the revocation process onerous, the offending companies were effectively trapping consumers into continuing to pay for services they did not want to receive. The longer the consumer journey was, the less likely consumers were to actually revoke their consent. Even before the enactment of laws specifically prohibiting the use of dark patterns, the FTC was able to enforce against these practices with its authority under the FTC Act.
- Straightforward Language
Notice presented to a consumer should be as clear and straightforward as possible. As a matter of California law, businesses cannot use double negatives (e.g. “Don’t not sell my personal information”), nor can they require consumers to click through or listen to a list of reasons for why they should not revoke their consent.[54] In the Age of Learning enforcement matter, the FTC noted that ABCmouse.com also required consumers to scroll through a list of reasons why they should not cancel their membership, including a list of ways to “upgrade” their membership.[55] While businesses have a First Amendment right to inform consumers about the products they offer or the services they provide, it is important to deploy neutral language that does not pressure consumers into making a particular choice.
For companies that rely on technologies such as cookies to remember user settings, these settings can be reset when a consumer clears their cookies or the cookies expire, or when the consumer is browsing on a new, unrecognized device or from a different IP address. In these instances, companies should be aware of this situation and should notify consumers and provide them with the opportunity to reestablish their privacy settings.
By using straightforward, concise language, a business interacting with a consumer can ensure that it has provided all material information necessary for a consumer to make an informed choice.
B. Considerations for User Interface Designs
In designing the user interfaces for consumer choice mechanisms, many of the considerations that businesses must take in presenting consumer choice are present. Businesses should avoid using unnecessarily confusing language, and they should avoid an overly long consumer journey. They should also ensure that consumer interactions actually present a choice and do not infer one; for example, in a banner notifying consumers that a website uses cookies to collect information for personalized advertisements, the banner should have an “Accept” and “Deny” button as opposed to just an “Accept” button, or indeed, no button at all, just a means of closing the banner.
In 2019, the FTC brought an action against AH Media Group, a company that sold personal care and dietary supplements online. In its complaint against AH Media, the FTC noted AH Media’s relevant terms and conditions for free trial offers were often obscured on their websites, using small, hard to read fonts that blended in with the background color of the website.[56]
When presenting any notice to consumers, businesses should ensure that the text is legible on both desktop and mobile devices, and that instructions for revoking consent are not hidden in a place consumers would not think to look. If the goal is to avoid dark patterns, the business should state all material terms in a single, easy to find location, displayed in a visually neutral manner.
III. CONCLUSION
The practices the FTC cited in its complaint against Epic Games are nearly identical to the practices the FTC cited in its complaint against Vonage. They are practices the FTC has cited in complaints against a variety of businesses over the last decade, practices that cut across industry. They are practices that any business that interacts with consumers – whether it’s an ad tech company collecting consumer data online or the manufacturer of personal hygiene products marketing a monthly subscription service – must bear in mind.
The FTC has begun to name dark patterns for what they are, but in many ways this is just giving old enforcement practices a rebrand. By specifically calling these practices dark patterns, the FTC is making its priorities plain. As the FTC continues to enforce against dark patterns, buttressed by state attorneys general with specific authority over the use of dark patterns, companies should ensure their interactions with consumers and the design choices they make are straightforward and neutral.
[1] Ryan Smith is Counsel for Compliance and Policy at the Network Advertising Initiative, the leading self-regulatory organization for the ad tech industry. He regularly counsels member organizations on best practices for data privacy and consumer choice.
[2] Fᴇᴅ. Tʀᴀᴅᴇ Cᴏᴍᴍ’ɴ, Bʀɪɴɢɪɴɢ Dᴀʀᴋ Pᴀᴛᴛᴇʀɴs ᴛᴏ Lɪɢʜᴛ (Sept. 2022) at 2.
[3] Press Release, Federal Trade Commission, FTC Action Against Vonage Results in $100 Million to Customers Trapped by Illegal Dark Patterns and Junk Fees When Trying to Cancel Service (Nov. 3, 2022) https://www.ftc.gov/news-events/news/press-releases/2022/11/ftc-action-against-vonage-results-100-million-customers-trapped-illegal-dark-patterns-junk-fees-when-trying-cancel-service.
[4] Press Release, Federal Trade Commission, Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges (Dec. 19, 2022) https://www.ftc.gov/news-events/news/press-releases/2022/12/fortnite-video-game-maker-epic-games-pay-more-half-billion-dollars-over-ftc-allegations.
[5] Lesley Fair, Bringing Dark Patterns to Light, Bᴜsɪɴᴇss Bʟᴏɢ (Feb. 24, 2021), https://www.ftc.gov/business-guidance/blog/2021/02/bringing-dark-patterns-light.
[6] See Letter from Kwame Raoul, Illinois Attorney General, to Matthew Ostheimer, Bureau of Consumer Protection, Fed. Trade Comm’n (Aug. 22, 2022) https://illinoisattorneygeneral.gov/pressroom/2022_08/17%20Attorneys%20General%20Hawaii%20OCP%20Digital%20Advertising%20P114506%20FTC%202022-0035-0001.pdf.
[7] See Cᴀʟ. Cɪᴠ. Cᴏᴅᴇ § 1798.140(h) (2023) (“[A]greement obtained through the use of dark patterns does not constitute consent.”).
[8] See Cᴏʟ. Rᴇᴠ. Sᴛᴀᴛ. § 6-1-1303(5)(c) (2023); Cᴏɴɴ. Gᴇɴ. Sᴛᴀᴛ. § 42-515(6)(C) (2023).
[9] Cᴀʟ. Cɪᴠ. Cᴏᴅᴇ § 1798.140(l) (2023).
[10] Cᴀʟ. Cᴏᴅᴇ Rᴇɢs. tit. 11, § 7004(b) (2023) (proposed).
[11] See Cᴏʟ. Rᴇᴠ. Sᴛᴀᴛ. § 6-1-1303(9) (2023).
[12] See Cᴏɴɴ. Gᴇɴ. Sᴛᴀᴛ. § 42-515(11) (2023) (“‘Dark pattern’… includes, but is not limited to, any practice the Federal Trade Commission refers to as a ‘dark pattern.’”).
[13] See Compl., Fed. Trade Comm’n v. Vonage Holdings Corp., Case No. 3:22-cv-6435, ECF No. 1 (D.N.J. Nov. 3, 2022).
[14] Id. at 5-6.
[15] Id. at 6.
[16] Id. at 7.
[17] Id. at 7-8.
[18] Id. at 9.
[19] Id. at 11-12.
[20] Id.
[21] Id.
[22] Press Release, Federal Trade Commission, FTC Action Against Vonage Results in $100 Million to Customers Trapped by Illegal Dark Patterns and Junk Fees When Trying to Cancel Service (Nov. 3, 2022) https://www.ftc.gov/news-events/news/press-releases/2022/11/ftc-action-against-vonage-results-100-million-customers-trapped-illegal-dark-patterns-junk-fees-when-trying-cancel-service.
[23] See Natasha Singer, Epic Games to Pay $520 Million Over Children’s Privacy and Trickery Charges, N.Y. Tɪᴍᴇs (Dec. 19, 2022), https://www.nytimes.com/2022/12/19/business/ftc-epic-games-settlement.html.
[24] See In re Epic Games, Inc., F.T.C. File No. 192-3203 (Dec. 19, 2022) at 2.
[25] Id. at 3.
[26] Id. at 4.
[27] Id.
[28] Id.
[29] Id. at 5.
[30] Id.
[31] Id. at 7.
[32] Id.
[33] Id. at 10.
[34] Id.
[35] Id. at 11.
[36] Id.
[37] Id.
[38] Press Release, Federal Trade Commission, Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges (Dec. 19, 2022) https://www.ftc.gov/news-events/news/press-releases/2022/12/fortnite-video-game-maker-epic-games-pay-more-half-billion-dollars-over-ftc-allegations.
[39] See, e.g. In re PayPal, Inc., F.T.C. File No. 162 3102 (May 23, 2018); In re PaymentsMD, LLC, F.T.C. File No. 132 3088 (Jan. 27, 2015).
[40] Telemarketing Sales Rule, 16 C.F.R. § 310.2(w) (2023).
[41] See Compl., Fed. Trade Comm’n v. Office Depot, Inc., No. 9:19-cv-80431, ECF No. 1 (S.D. Fla. Mar. 27, 2019).
[42] See PaymentsMD, LLC, F.T.C. File No. 132 3088 at 2.
[43] See PayPal, Inc., F.T.C. File No. 162 3102 at 11.
[44] Id.
[45] See Compl., Office Depot, No. 9:19-cv-80431, at 2.
[46] See Compl., Fed. Trade Comm’n v. NutraClick, LLC, No. 2:20-cv-08612, ECF No. 1 (C.D. Cal. Sept. 21, 2020) (NutraClick II).
[47] See Compl., Fed. Trade Comm’n v. Age of Learning, Inc., No. 2:20-cv-7996, ECF No. 1 (C.D. Cal. Sept. 1, 2020).
[48] See Compl., Fed. Trade Comm’n v. NutraClick, LLC, No. 2:16-cv-06819, ECF No. 1 (C.D. Cal. Sept. 12, 2016) (NutraClick I).
[49] Id. at 3.
[50] See NutraClick II at 5.
[51] Compl., Fed. Trade Comm’n v. Age of Learning, Inc., No. 2:20-cv-7996, ECF No. 1 (C.D. Cal. Sept. 1, 2020).
[52] Id. at 6.
[53] Id. at 11.
[54] Cᴀʟ. Cᴏᴅᴇ Rᴇɢs. tit. 11, § 999.315(h)(2)-(3) (2023).
[55] See Compl., Age of Learning, Inc., No. 2:20-cv-7996 at 14.
[56] See First Am. Compl., Fed. Trade Comm’n v. AH Media Group, LLC, No. 19-cv-04022-JD, ECF No. 74 (N.D. Cal. Oct. 23, 2019) at 14.