What are dark patterns and does your website have them? 


Donata Stroink-Skillrud

Co-founder and President of Termageddon


Let’s address the spooky elephant in the room. Saying a website is full of “Dark Patterns” sounds like we’re talking about paranormal activity.

Good news. Your website probably isn’t haunted by ancient demons who waited thousands of years to travel to your domain just to flicker some lights.

Bad news. If your website shows signs of dark patterns, it is haunted by the lawsuits and fines associated with deceptive design practices.

In this blog, we talk about dark patterns, what laws govern them, and provide examples of commonly-used design practices that are deceptive by nature. No Ouija Board needed.

What are dark patterns? 


Dark patterns (also called deceptive design practices) are website design choices that aim to influence an individual’s behavior in ways that hinder their ability to protect their privacy. The European Data Protection Board (EDPB) created guidelines on how to recognize and avoid dark patterns. These guidelines break dark patterns into the following categories (which we will dig deeper into later):

  • Overloading
  • Skipping
  • Stirring
  • Obstructing
  • Fickle
  • Left in the dark

These practices can be used on any part of a website or application, but are commonly used to manipulate people’s behavior when they’re using the following:

  • Registration pages
  • Cookie consent banners
  • Privacy Policies
  • Privacy choice interfaces
  • Marketing email sign-up forms
  • Email newsletter sign-up forms
  • Contact forms
  • Messages regarding privacy choices

Are dark patterns illegal? 


Yes, several privacy laws (e.g. GDPR, UK DPA, CPRA) address deceptive design practices, but the General Data Protection Regulation (GDPR) has been one of the strongest enforcers keeping dark patterns in check. GDPR has been at the crux of investigations – like the one earlier this year by Italy’s Data Protection Authority – that sweep websites and applications of all sizes to look for dark patterns.

GDPR’s Recital 35 states that transparency requires that any information relating to the processing of personal data needs to be easily accessible and easy to understand. If GDPR does apply to you, you need to ensure that you do not use deceptive design practices to “trick” individuals into making privacy choices that are disadvantageous to the individual and advantageous to your business.

Examples of Dark Patterns 

Example 1: Overloading

This practice presents the user with a large number of requests, information, options, or possibilities to prompt the user into sharing more personal data or allowing the processing of personal data that the individual usually would not allow were it not for the deceptive design.

This could be asking people for consent on every web page they visit (even if they’ve already provided it) or putting too much information on a cookie consent banner like the one below to try and overwhelm the user.



Or this could be constant interruptions to try and get you to download an app or sign up for something: 

Example 2: Skipping

This practice designs interfaces or user journeys in a way that individuals forget or do not think about all or some of the privacy implications.

A common one is having non-essential cookies like marketing cookies set to “opt-in” or “accept” by default. 

Or, making ‘the cookie’ joke… you know the one. This wording makes it sound like there are no privacy implications:

Example 3: Stirring

This practice affects the choice users would make by appealing to their emotions or using visual nudges.

The example below is common, where – when trying to opt out of a subscription service – a button pops up that says “skip and keep benefits” instead of “stay subscribed.”


Or, maybe an app will ‘shame’ you by saying something like “I hate saving money” or “No thanks, I don’t want to look my best.”

Example 4: Obstructing

This practice hinders or blocks users in their process of being informed or managing their privacy by making the action difficult or impossible to achieve. 

This might be a Privacy Policy link that leads to a 404 error page instead of the actual policy.

Or, leaving out a ‘decline’ option that would allow people to withhold their consent. 

Example 5: Fickle

This practice designs the interface in a way that is inconsistent and unclear, making it difficult to navigate the privacy controls.

For example, instead of having a “Privacy Policy” page and a “Terms of Service” page, you hide the Privacy Policy in something like this:

Or, maybe designing one button to blend in with the background while the other button (that you want people to select) stands out.

Example 6: Left in the dark

This practice designs an interface in a way to hide information or privacy tools or to leave individuals unsure of how their data is processed or what types of controls they have.

One example is using toggle switches that make it very unclear as to which side/color does what:

Or maybe using extremely confusing language and checkboxes to make it hard to realize if you are/are not opting in.

How to avoid dark pattern violations


The best way to avoid deceptive design on your website is to review every page on your website/app, as well as the entire user journey to ensure that deceptive designs are not included. You can also use the following checklist:

  • Provide shortcuts to privacy information or privacy settings pages and menus so that they can be easily found by individuals;
  • Provide your contact address within your Privacy Policy and on your website so that individuals can contact you if they have questions;
  • Review your Privacy Policy to ensure that it is comprehensive and accurate as to your actual privacy practices;
  • Ensure that you provide adequate choices to consumers on your cookie consent banner (i.e. include an “accept” and a “decline” option);
  • Inform individuals of the consequences of what will happen if they do not provide their personal data;
  • Ensure that privacy settings are located in the same place across different devices.

Conclusion

Dark patterns aren’t just illegal, they’re also poor business practices. More than ever, consumers are starting to take their privacy seriously. Not only are they becoming more aware of dark patterns, but an Axios study found that 94% of Americans say they’d switch to a company that prioritizes privacy on its website.

Plus, you’ve got websites like HallofShame.design calling out businesses left and right for using deceptive designs. That’s not an accolade you want to receive.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
