Beware of the Dark: dark patterns and how to avoid them

In a world of clicks and conversions, businesses constantly seek ways to optimise user interactions. However, there's a fine line between persuasion and manipulation. Recently, UK regulators have been cracking down on the use of "dark patterns" in digital domains, bringing this issue into the limelight. Similarly, with the Digital Services Act, the EU has also tightened its grip on dark patterns with Elon Musk’s X (formerly Twitter) becoming the first company under the Act to face investigation for the use of deceptive design practices on its platforms. These manipulative design tactics are not just unethical but can also lead to significant legal repercussions for businesses.

What are Dark Patterns?
Dark patterns,  a term coined by user experience professional Harry Brignull in 2010,  has since become a critical topic in the discussion of digital ethics. It essentially refers to design elements in website and app design that lead users to make choices they wouldn't have made if they had all the information or if they were not misled. These tactics can include disguising ads as content, making it difficult to cancel subscriptions, hiding costs until the last stage of a transaction or using confusing language that leads to unintended purchases. While they may boost certain metrics in the short term, they invariably degrade user trust and satisfaction in the long term.

Classification of Dark Patterns

It's possible that your business is using dark patterns without even realising it. Sometimes what starts as a strategy to enhance user engagement or simplify interfaces can end up misleading users. A lack of awareness, a focus on short-term gains, or internal misalignment can contribute to the use of these deceptive practices. Understanding the different types of dark patterns can help businesses recognise and avoid them:

• Bait and Switch - The user attempts one action, but something else happens. For instance, a button that says “Click here for more information” leads directly to an unintended download or purchase.

• Misdirection - Focusing the user's attention on one thing to distract from another. For instance, highlighting a default permission setting in a way that distracts from privacy-invading options selected by default.

• Hidden Costs - Revealing additional costs only at the final step of a checkout process, such as taxes and shipping charges.

• Forced Continuity - Not clearly disclosing that a free trial will convert to a paid subscription automatically.

• Disguised Ads - Advertisements that are styled to look like genuine navigation or content options, which can mislead users into clicking on them unknowingly.

Cookie Consent Banners: The most common example of Dark Patterns
Cookie consent banners, meant to empower users with data privacy choices, can themselves be vehicles for dark patterns. This includes:

• Unequal Choices: Large, prominent "Accept All" buttons contrasted with small, hard-to-find "Reject" or "Manage Settings" options.

• Manipulative Language: Wording that pressures users into accepting tracking (“Improve your experience”), or guilt-trips them if they don’t.

• Opt-In by default: Menus where the option to accept functional, analytical, marketing or targeting cookies are pre-ticked ( opt-in by default).

A notable example of good practice in cookie banner design is ICO’s (or our own website- “Accept All” and “Reject All” cookies are given equal prominence, ensuring straightforward choice for users). The language used in both the design and the privacy notice is unambiguous, and both functional and targeting cookies are set to off by default.

Data Protection by Design vs. Dark Patterns

The concept of "Data Protection by design and default" as outlined in the GDPR insists on embedding privacy safeguards into the design of digital products from the onset. This proactive approach ensures privacy settings are integral to the user experience, not retrofitted. Dark patterns, however, starkly contrast with this principle. These manipulative design tactics are intentionally created to obscure or withhold information, thus coaxing users into making decisions that may compromise their privacy. By designing interfaces that prioritise business interests over clear and honest user interactions, dark patterns violate the spirit of user empowerment and control over personal data that "data protection by design and default" seeks to uphold. Adhering to these privacy principles is more than a regulatory requirement—it's a commitment to ethical business practices that respect and protect user autonomy.

Latest regulatory actions
Amid growing global emphasis on data protection and privacy, such as GDPR in Europe and CCPA in California, deceptive practices are increasingly under the regulatory microscope. Recent punitive measures against high-profile companies like Google, Facebook, and Amazon underscore the rising enforcement. These firms were fined due to their manipulative digital practices, highlighting the significant repercussions of employing dark patterns.

The Digital Services Act (DSA) in the EU is another significant regulatory development targeting dark patterns. The DSA aims to ensure a safer digital space where users' fundamental rights are protected and requires platforms to design systems that avoid manipulative techniques.

Similarly, in the USA, the proposed  Deceptive Experiences To Online Users Reduction (DETOUR) Act aims to counter such practices with US regulator FTC coming down heavily on the websites adopting dark patterns and their use is explicitly banned in the state of California.

Why should you avoid Dark Patterns?
The use of dark patterns is a short-sighted strategy. While they may lead to temporary gains, the long-term consequences are severe:

• Loss of Trust: Users who feel tricked will lose faith in your brand, harming future interactions.

• Reputational Damage: Negative press and user backlash can tarnish your brand's image.

• Legal Risks: Regulators are on the lookout, and penalties for deploying deceptive practices can be substantial.

Five ways to avoid Dark Patterns
For data-driven businesses looking to steer clear of these unethical practices, here are five actionable ways to avoid the use of dark patterns, and maintain integrity, trust and regulatory compliance:

1. Educate your team: Regularly train your design and marketing teams about the implications of dark patterns. Encourage them to stay updated with the latest legal requirements and ethical standards in user experience design.

2. Transparent communication: Always be clear and upfront about what the user is agreeing to. Avoid hidden terms in fine print and ensure all information is accessible and easy to understand. For instance, a straightforward infographic or a simple worded statement on the sign-up page indicating what data is collected, how it will be used, and who it will be shared with.

3. Ethical design principles: Incorporate ethics into your design process. Evaluate the user experience at every stage from an ethical standpoint to ensure that you're not inadvertently leading users into decisions they wouldn’t otherwise make.

4. Regular audits: Conduct regular audits of your website and apps to identify and rectify any elements that could be construed as dark patterns. This includes reviewing user feedback and behaviour to understand how design elements are being interpreted.

5. Clear opt-outs: Make it easy for users to decline offers or unsubscribe from services. Ensuring a straightforward opt-out process can enhance user trust and prevent accusations of deceptive practices. For instance, streamlining the unsubscribe process by including a clear, one-click “Unsubscribe” link at the top of the email or not hiding the “Opt-out” option behind multiple UI and menu layers.

Maintaining a transparent and honest relationship with users is not just good ethics—it's good business. By avoiding dark patterns and embracing ethical design practices, data-driven businesses can enhance their reputation, comply with regulations, and build a loyal customer base.

As Yoda might say: "Tempting, the ‘dark’ side is, young Padawan. Cross to it, you must not."

This article was authored by Ritesh Katal, CIPP/E. This article is should not be taken as legal advice.

About Trace:

Trace help global companies navigate global data regulations and implement practical steps for a risk-based and pragmatic approach to data governance and global privacy compliance with the relevant laws and frameworks. Looking for support with data governance framework design, data sharing guidance and applied Privacy by Design for your company? Book your free consultancy call now.