Dark Arts: Top 10 Dark Patterns That Make Collected Consent Invalid
Perhaps everyone who has ever booked tickets for low-cost flights, shopped in online stores, or even read online newspapers has experienced this - manipulative user interface designs, disguised advertisements, or misleading language. These deceitful architecture and design choices often used by websites are known as dark patterns.
Manipulating users into buying more at higher prices is an understandable temptation for many online services and websites looking to increase their revenue and grow their business. It should come as no surprise that similar techniques became common practice in data collection and consent for data processing. In 2016, the GDPR introduced us to valid consent, making consent for data processing valid only when it is freely given, specific, informed, and unambiguous. Later, the European Data Protection Regulation released some guidelines on how to recognize and avoid dark patterns and a series of recommendations for companies on compliant cookie banners and consent collection practices.
How do regulations treat dark patterns?
While the CCPA (California Consumer Privacy Act) initially didn't specifically address dark patterns, its later version, the CPRA (California Privacy Rights Act), added a definition of a "dark pattern" and clearly stated that "agreement obtained through use of dark patterns does not constitute consent."
Effective as of July 1, 2023, the CPA (Colorado Privacy Act) brings even more attention to dark patterns. It not only states that consent obtained through a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice is invalid, but also describes dark patterns in detail in the CPA rules.
Many other regulations that do not specifically mention dark patterns still restrict the validity of consent. Using choice architecture and manipulative design could be considered unfair and could therefore make consent collected via the website invalid, which may lead to penalties for non-compliance. To clarify this further, let's look at some of the dark patterns you should be aware of and avoid.
Top 10 dark patterns
- Asymmetrical consent choices
"Accept all" and "Decline all" options for the collection of data via cookies and scripts should be presented symmetrically. Presenting the choices unequally, for example by giving one of them a smaller size or a less visible font, is a dark pattern.
- Emotionally manipulative language
The way a choice is described and presented can affect behavior. Manipulating users' emotions by bringing in unnecessary guilt when asking for consent for targeted advertisement is a great example of a dark pattern. Using language like "Yes, I accept the terms of processing because I want to help elephants" or "No, I don't care about animals" is emotionally manipulative, and therefore consent obtained in this way would be considered invalid.
- Default setting or lack of action
The fact that users have not changed the settings to opt-out from data processing or closed a pop-up window informing them of data processing without affirmatively consenting to processing does not constitute consent.
- Pre-selected choices
One of the most common mistakes often noticed by Data Protection Authorities in the EU is pre-selected choice and pre-ticked check boxes when it comes to consent collection. A user must make an intentional choice, and such design choices are often considered confusing.
- Cumbersome privacy choices
Choosing a privacy-protective option should be as easy as agreeing to data sharing and disclosure. More difficult, time-consuming, or hidden choices are a dark pattern to avoid if you wish to stay compliant and, more importantly, fair with your users, when it comes to data processing.
- Forced action
Putting pressure on users when looking for consent by asking for consent multiple times, interrupting their navigation through the website, or redirecting them from services they are attempting to interact with is a dark pattern. Users can't be forced to navigate through multiple pop-ups or be forced to provide consent in order to continue browsing the website unless it is critical to collect the information when providing them with the services they've requested.
- Intentionally confusing language
The way you say something is sometimes more important than what you say. We all know how a false sense of urgency is often used to sell users more items or convince them to check out their basket as soon as possible. Using a false sense of urgency when it comes to consent is a dark pattern. The same goes for confusing or unexpected syntax, or legal language that your users cannot understand. Examples include syntax like "please do not check this box if you wish to opt out of data processing" or an illogical placement of text relative to the check box or radio button.
- Manipulation of user vulnerabilities
Intentionally making consent text unintelligible or unreadable for users is a dark pattern. For example, a website service that targets minors should consider simplifying the language to explain choices in a user-friendly manner. The same applies to elderly people, where it is also worth considering increasing the font size and size of the buttons/checkboxes.
To enter a maze is easy. The challenge is to find a way out. If it takes two clicks to consent, it has to take two clicks to opt out. Designing opt-out mechanisms in a way that overcomplicates the process is a dark pattern.
- Triggering fear
Manipulating users by telling them not to opt out because they will suffer inconveniences, such as a decline in the provision of services, is a dark pattern. The only exception is when processing the information is strictly necessary to provide a service, for example, when you cannot keep users up to date with availability in a queue unless you have their phone/email, and you inform them that they won't be able to receive up-to-date information anymore.
Avoiding dark patterns reduces risks of non-compliance and helps build trust with your users
Over the past years, regulators have kept increasing the enforcement of penalties against companies using dark patterns. Staying transparent and fair when it comes to data processing is the original idea behind data protection regulations. The best approach is therefore to build user-friendly designs and give your users understandable information about their choices.