Dark Patterns Move Closer to Illegal

Dark patterns – digital interfaces that are designed to manipulate a user’s actions – may come under legal scrutiny, thanks to a new law in California (and maybe Washington).

Dark Patterns

I’ve talked a bit about dark patterns before. The most recent time involved Google’s confusing privacy settings, which were so confusing that even Google employees (including a privacy-focused software engineer) couldn’t understand them.

Dark patterns are more than just confusing UI, though.

A 2019 Princeton survey of more than 11,000 shopping web sites found 15 different types of dark patterns on more than 1,200 of the sites.

Some of the dark pattern categories include:

  • Sneaking: Revealing hidden costs to users right before final purchase. This can be a physical item in a shopping cart, hidden fees, or hidden subscription fees.
  • Misdirection: Using UI (colors, font size, location) to steer users toward (or away from) a specific choice.
  • Obstruction: Making cancelling a service, subscription, or order much more difficult than the initial signup. This often means cancelling requires a phone call at a specific time or an email to a specific address, whereas signing up can be completed on the website via an always-available form or shopping cart.
  • Forced Action: Requiring an unrelated or tangential action to complete a task. Examples include requiring users to create an account to complete an order, or having “Accept Terms” and “Receive Promotional Emails” share the same checkbox.

Other dark pattern categories include Urgency, Scarcity, and Social Proof.

You can see samples of all of these on Princeton’s Dark Patterns website. You can also read the paper that found and categorized these UI patterns.

The Laws

The California Privacy Rights Act (CPRA) passed last November as a way to strengthen California’s Consumer Privacy Act (CCPA).

The CCPA turned out to have enormous loopholes, though, which the CPRA was designed to close. One of those specifically mentions dark patterns: “[A]greement obtained through use of dark patterns does not constitute consent.”

Unfortunately, this law doesn’t take full effect until 2023, and it’s not clear exactly which dark patterns will become illegal. The law itself defines a dark pattern somewhat vaguely: “[A] user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.”

In Washington state, there are a couple of privacy bills making their way through the legislature. One of these bills copies California’s dark pattern prohibitions verbatim, while a competing bill doesn’t include the term at all.

While I’m leery of excess or toothless regulations (especially in technology), I feel like this is a (small) step forward. While the wording may be vague, if this law encourages “borderline” businesses to change their behavior, it’s worthwhile.

Apple has already shown that just making users aware of what’s happening with their data can benefit everyone. Hopefully these laws can help users both in and outside of California.