CLS Blue Sky Blog

Debevoise & Plimpton Discusses “Dark Patterns” and Regulatory Scrutiny

There has been significant regulatory attention recently to “dark patterns,” including FTC guidance, state privacy laws, and state and federal enforcement actions. Some of this activity involves new regulations, and some is based on decades-old consumer protection laws that prohibit unfair and deceptive practices.

There is no single definition for “dark patterns,” but the term generally refers to user interfaces (e.g., websites, apps) that are designed to manipulate a user’s behavior and subvert a consumer’s choices, causing the user to engage in conduct that they did not expect or desire, or impairing individuals’ ability to make an informed decision. Examples of dark patterns include the following:

Legislative and Regulatory Definitions and Examples in the Privacy Context

Dark patterns are addressed by the Colorado, Connecticut, and California privacy laws; part of the current and draft regulations implementing the California Consumer Privacy Protection Act (CCPA); and draft regulations implementing the Colorado Privacy Act (CPA). In the context of privacy statutes, the use of dark patterns is generally prohibited when presenting consumers with opt-out rights (e.g., opt out of sale, use of sensitive data, sharing for targeted advertising) or when obtaining required consents. The use of dark patterns also negates any otherwise required consent obtained through them.

The CPRA defines a dark pattern as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice, as further defined by regulation.” Colorado and Connecticut law use the same definition, with Connecticut adding that a dark pattern “includes, but is not limited to, any practice the Federal Trade Commission refers to as a ‘dark pattern’.”

Draft regulations issued by the California Privacy Protection Agency define similar techniques as dark patterns and add further color as to how businesses should present choices so as not to be considered a dark pattern, specifically:

Draft regulations issued by the Colorado Attorney General include similar principles for designing a user interface to avoid dark patterns:

Those draft regulations also suggest considering the “vulnerabilities or unique characteristics” of the targeted audience when presenting choice options, such as through the use of font size and space between buttons for elderly audiences.

Enforcement Trends

The FTC and state attorneys general have voiced concerns over dark patterns and have recently been bringing enforcement actions relating to them, treating them as deceptive practices:

Regulatory Guidance

In September, the FTC published a Staff Report titled “Bringing Dark Patterns to Light,” which provides insight into the agency’s concerns and enforcement priorities. The guidance addresses the FTC’s expectations for companies and its recommended best practices and also serves as a notice to companies that the FTC will continue to scrutinize and take action against the use of dark patterns.

The report draws on past enforcement actions and describes examples of common dark patterns, including the following:

Key Takeaways

In light of the increasing regulatory focus on dark patterns, companies that market to consumers online should consider the following risk-mitigation strategies:

This post comes to us from Debevoise & Plimpton LLP. It is based on the firm’s memorandum, “Dark Patterns: What Are They and How Can Companies Avoid Regulatory Scrutiny?” dated October 12, 2022, and available here.
