Consumer protection regulators across a variety of jurisdictions are taking on the challenge of combating online “dark patterns” through targeted enforcement actions and new rulemaking initiatives. Broadly speaking, dark patterns are user interface techniques that benefit an online service by leading users into making decisions they might not otherwise make. Some dark patterns deceive users, while others exploit cognitive biases or shortcuts to manipulate their actions. But businesses complain that authorities’ newly found attention to the issue of dark patterns risks targeting legitimate persuasion techniques that have been long used in the marketplace. Alternatively, they complain that dark patterns are a squishy or amorphous concept and that the lack of standards creates an unacceptable degree of regulatory uncertainty. This article examines the future of dark patterns regulation for the tech industry and explains why the issue is not a passing fad. I argue that businesses should prepare for continued scrutiny of their practices and should develop proactive mechanisms to address regulatory risk.
By Mihir Kshirsagar[1]
I. INTRODUCTION
Consumer protection regulators across a variety of jurisdictions are taking on the challenge of combating online “dark patterns” through targeted enforcement actions and new rulemaking initiatives. Broadly speaking, dark patterns are user interface techniques that benefit an online service by leading users into making decisions they might not otherwise make. Some dark patterns deceive users, while others exploit cognitive biases or shortcuts to manipulate their actions. But businesses complain that authorities’ newly found attention to the issue of dark patterns risks targeting legitimate persuasion techniques that have been long used in the marketplace. Alternatively, they complain that dark patterns are a squishy or amorphous concept and that the lack of standards creates an unacceptable degree of regulatory uncertainty. This article examines the future of dark patterns regulation for the tech industry and explains why the issue is not a passing fad. I argue that businesses should prepare for continued scrutiny of their practices and should develop proactive mechanisms to address regulatory risk.
II. FRICTIONLESS DESIGN PROMOTES INTERESTS OF SERVICES OVER CONSUMER CHOICE
The early days of the Internet promised a marketplace that minimized the cost of price discovery and empowered consumers with information to make rational, intelligent choices. Needless to say, this semi-mythical frictionless world has not come to pass. Instead, online services seized on insights from behavioral researchers to develop digital interfaces to manipulate consumers in a variety of different settings. Harry Brignull, a user experience designer who coined the term dark patterns, used it to name and shame “tricks used in websites and apps that make you do things that you didn’t mean to, like buying or signing up for something.”[2]
Three core drivers inform the strategy of using dark patterns. First, there is a strong incentive for services to protect margins by increasing switching costs. Interface designs that obscure true costs or inhibit price discovery benefit the service at the expense of consumers. Second, designers have the ability to quickly run large-scale micro-experiments that optimize for presenting information that creates the least amount of friction for the choices that benefit the service. For example, studies have shown how the use of A/B testing could introduce dark patterns that inhibit obtaining meaningful consent if the sole metric of performance is the click-through rate. Third, the longevity of the customer relationship for online services is quite short. [X percent of customers switch every y years.] As a result, there are fewer incentives to build long-term loyalty and more incentives for firms to prioritize extracting value early in the relationship.
Several research studies document how dark patterns have proliferated across online services as a profitable strategy. Dark patterns may start with the advertising of a product or service, and can be present across the whole customer path, including sign-up, purchase, and cancellation. And dark patterns are not just limited to purchases. Consumers encounter dark patterns when making choices to consent to the disclosure of personal information or to cookies, or when interacting with services and applications like games or content feeds that seek to capture and extend consumer attention and time spent.
The different types of dark patterns observed by researchers can be separated into two themes that affect the choice architecture facing users: (a) interfaces that modify the set of choices available to users; and (b) interfaces that manipulate the information that is available to users. The main feature of dark patterns is that they take advantage of consumers’ cognitive shortcuts (heuristics and biases) in their decision-making processes. By doing so, dark patterns unfairly influence people’s choices — the core concern of consumer protection laws. When confronted with dark patterns, consumers are manipulated, deceived, or coerced into accepting something that they would not have chosen if that were a free and informed choice.
III. INTERNATIONAL REGULATORY RESPONSES
There are few mechanisms for market self-correction in the use of dark patterns. In some egregious cases, especially across repeated interactions, consumers can become wise to improper influence methods. But this can breed a general distrust of all businesses that hurts honest marketers in the wake. There are also limited incentives for competitors to highlight their advantages of transparent pricing and persuasion tactics. But those instances are few and far between, as many online markets for products and services share attributes that allow them to settle into an equilibrium that thwarts user intentions.
As a result, several jurisdictions around the world are working on regulatory responses to address the problem of proliferating dark patterns online. These responses fall in two categories — privacy regulations that address the use of dark patterns in the context of obtaining consent for the use of personal information, and updating consumer protection regulations to clarify the application of longstanding prohibitions against deceptive or unfair practices in the online context.
In Europe, the new Digital Services Act (“DSA”) imposes restrictions on services that use their online interface (either through structure, design, or functionality), to impair users’ ability to make free, autonomous, and informed decisions or choices (Article 13a). The DSA seeks to empower users to make decisions about critical matters without being subjected to practices which exploit cognitive biases (Recital 39a). The DSA provides specific examples of prohibited practices such as: (a) giving unequal visual prominence to any consent options when asking the user for a decision; (b) repetitively requesting or urging the recipient to make a decision such as repeatedly requesting consents to data processing where consent has previously been refused (especially in the form of a pop-up that interferes with the user experience) or has been refused through the use of automatic refusal configurations; (c) urging a user to change a setting or configuration after the user has already made a choice; or (d) making the procedure to cancel a service significantly more cumbersome than signing up to it.
In China, the regulators have floated various proposals to regulate the use of dark patterns. For example, they have proposed a requirement that there should be a one-click closing button for pop-up advertisements, start-up playback, video insertions, and other such interstitial advertising. They have also suggested requiring companies to collect and maintain data about their algorithmic recommendations for personalized advertising to allow the government to evaluate if those algorithms might be manipulating users.
Meanwhile, the Australian Competition & Consumer Commission (“ACCC”) released its third digital platform services inquiry report that investigate measures to mitigate the use of dark patterns. Separately, on the issue of obtaining meaningful consent, the ACCC is considering more stringent criteria for what constitutes consent to prevent firms from relying on dark patterns to trap unwary consumers.
In the United Kingdom, the regulators are actively studying the impact of dark patterns and online choice architecture more generally. The Competition and Markets Authority (“CMA”) published two papers in April 2022 discussing and summarizing evidence on online choice architecture and how it potentially causes harm to consumers. Common examples of choice architecture include the order of products in search results, the number of steps needed to cancel a subscription, or whether an option is selected by default.
The CMA contrasts well-designed websites, apps or digital services built with consumers’ interests in mind that will help consumers choose between suitable products, make transactions faster, and recommend new relevant products or services, with choice architectures that hide crucial information, set default choices that may not align with consumer preferences, or exploit consumers by drawing attention to scarce products. The CMA has a multi-prong strategy to tackle abuses. First, it will challenge choice architectures that mislead and harm consumers or undermine their trust and confidence in online markets. Second, it will use a combination of behavioral science, data science, and other methods to determine the prevalence of harmful practices. Third, it will engage in bilateral and multilateral engagement with other authorities and regulators to develop effective strategies to regulate harmful conduct. Fourth, it will raise consumer and business awareness of such practices.
IV. UNITED STATES
The United States, home to the largest online markets by value, has been slower to react to problems created by dark patterns. But now the traditional regulatory preference for a wait-and-see approach is giving way to a growing recognition that some type of response is required. At the federal level, the proposed DETOUR Act, aims to regulate the use of dark patterns by large online platforms. The Federal Trade Commission (“FTC”) held a workshop about dark patterns last year and is in the process of updating its online disclosure guidelines that is likely to contain guidance on avoiding dark patterns. It has also brought several cases recently that focus on the use of dark patterns. At the state level, there are a series of enforcement actions by state attorneys general applying their unfair and deceptive practices doctrines to the online context, as well as rulemaking proceedings in the privacy realm that ensure that services are appropriately obtaining consumer consent without resorting to using dark patterns to trick users.
A recent case from the New York Attorney General’s office (“NYAG”) illustrates how enforcement authorities might seek to reign in egregious practices. (Disclosure: I worked in that office from 2016 to 2019.) In 2022, the NYAG obtained a settlement with Fareportal – a large online travel agency — that resolved its use of deceptive practices to manipulate consumers to book online travel. The investigation focused on how Fareportal, which operates under several brands, including CheapOair and OneTravel, used a series of dark patterns to pressure consumers to buy tickets for flights, hotels, and other travel purchases. Specifically, Fareportal exploited the scarcity bias by displaying, next to the top two flight search results, a false and misleading message about the number of tickets left for those flights at the advertised price. It manipulated consumers through adding 1 to the number of tickets the consumer had searched for to show that there were only X+1 tickets left at that price.
Another design feature Fareportal introduced exploited the bandwagon effect by displaying how many other people were looking at the same deal. The site used a computer-generated random number between 28 and 45 to show the number of other people “looking” at the flight. It paired this with a false countdown timer that displayed an arbitrary number that was unrelated to the availability of tickets. Similarly, Fareportal used these false scarcity indicators across its websites and mobile platforms for pitching products such as travel protection and seat upgrades, through inaccurately representing how many other consumers that had purchased the product in question. In addition, the NYAG charged Fareportal with using a pressure tactic described as “confirmshaming” to make consumers accept or decline purchase a travel protection policy to “protect the cost of [their] trip” before completing a purchase. Finally, the NYAG took issue with how Fareportal manipulated price comparisons to suggest it was offering tickets at a discounted price, when in fact, most of the advertised tickets were never offered for sale at the higher comparison price. The findings from this investigation illustrate why dark patterns are difficult for consumers to identify or avoid. As a result, absent firm regulatory action, such tactics risk becoming entrenched across different travel sites who have the incentive to adopt similar practices.
A recent multistate enforcement action against Intuit, which sells the TurboTax service to file taxes, took the service to task for obscuring free filing options to drive traffic to paid product. The investigation documented how Intuit used confusingly similar names for the free and paid products and took active steps to prevent consumers from finding the lower cost option by hiding hid the free site from search engines. Importantly, TurboTax let users make a “choice” to take paid option. But the enforcement authorities cut through that defense by highlight how this was a false choice because it was presented only after users had invested considerable time on their platform entering data, and they were not likely to change their minds after investing that time. Intuit settled the allegations for $141 million that restored funds to 4.4 million duped customers. Another recent multistate action, led by the D.C. Attorney General, is litigation that concerns Google presentation of its location tracking settings that the states allege obscures that information collection and inhibits the ability of consumers to control who has access to sensitive information.
V. COMPETITION ISSUES
The concept of dark patterns is also gaining purchase in competition actions. For example, private plaintiffs have successfully used allegations involving dark patterns in antitrust class actions to advance past the motion to dismiss stage. In Klein v. Facebook (N.D. Cal. 2022), plaintiffs alleged that Facebook’s misleading privacy practices duped users to turn over information and entrench Facebook’s dominant position in the relevant market. Specifically, the plaintiffs argue that Facebook’s “No, Thanks” to information sharing prompt led users to believe that they had control over how Facebook could use their purchasing data when, in reality, Facebook was collecting and selling that data through its use of web beacons. Similarly, they assert that the “Like” button and “view tags” secretly transmitted data to Facebook. The core competition claim rested on the allegation that by selling increased amounts of data to third parties while representing to users that it was keeping data private, Facebook increased its user base and its profits. In other words, Facebook’s deception allowed it to prevent sophisticated rivals from entering the market and thereby avoided competing on the merits. The court found this claim was sufficient to survive the dismissal motion.
The key issue for the competition analysis is to separate tactics that involve legitimate price discrimination from those that discriminate using undisclosed factors to on manipulate the consumer. Indeed, some services have turned to private versions of dark pattern rulemaking by applying anti-discrimination principles to protect their consumers. A prominent example of this tactic is American Express’ anti-steering rules that prevented merchants from steering consumers to lower cost payment systems at checkout. The multistate enforcement action challenging those rules failed at the Supreme Court because the Court found that the authorities had not properly accounted for the benefits to consumers from such rules. (Disclosure: I worked on behalf of American Express in the enforcement action.) This issue resurfaces in the actions challenging the role of the Android and iOS app stores in imposing rules to protect consumers from manipulation by third party services. Apple’s changes to iOS requiring more transparent information collection, for example, has led to significant benefits to consumer welfare as consumers can begin to exercise meaningful choices concerning their privacy.
VI. FUTURE CHALLENGES
As dark patterns regulations progress, there are undoubtedly going to be some difficult line drawing exercises between legitimate persuasion and improper coercion. But this is not that different from the line drawing around unfair and deceptive business practices. Guidelines and settlements can provide the type of clarity legitimate businesses need to avoid running afoul of regulators. Some of the more egregious uses of dark patterns revolve around the need to obtain meaningful consent for data practices. Privacy regulations that go beyond the notice & consent framework should hopefully alleviate the pressure on seeking the initial sign-up as regulators focus more on how data is used and shared.
At a higher level, businesses can protect themselves by using ethical design principles that focus on fair and transparent information disclosures. They can also develop interfaces that account for differences in particular vulnerable users to ensure that they comprehend the choices presented to them. In addition, they should encourage and then respect consumer-focused technological innovations to counteract harmful patterns such as browser-based that send automated signals from users about their information collection preferences.
One key defense that is likely to be litigated extensively rests on the argument that the services have a right under the First Amendment to engage in unfettered promotional activity. Historically, courts have been reluctant to have First Amendment principles override traditional state power to protect consumers, believing that rules that promote an honest and transparent marketplace do not impose a significant cost on protected speech activity. But the current Supreme Court is more willing to credit the free speech interests of corporations. And, because some of the fixes for dark patterns are not simply about requiring more speech by way of additional disclosures, there are likely to be stronger First Amendment arguments. As enforcement authorities litigate these challenges, evidence of actual consumer confusion is pivotal to determining if the regulations are a proportional response to misleading or deceptive speech.
In summary, efforts to reign in dark patterns are likely to be a significant issue in the regulation of the tech industry for many years to come. The enforcement authorities’ core motivation to create a level playing field for businesses to operate in a fair and transparent manner should be a welcome development for businesses interested in developing long-term relationships with their consumers.
[1] Tech Policy Clinic Lead, Center for Information Technology Policy, Princeton University.
[2] Harry Brignull, https://www.deceptive.design/.