Dark Patterns Regulation in the UK and US

Dark patterns are design elements and practices used in digital interfaces to manipulate users into taking certain actions. These techniques can be used to influence users into making purchases, signing up for services, or sharing additional personal data. In recent years, regulatory bodies in both the UK and US have taken steps to address the issue of dark patterns. In this article, we will explore the relevant regulatory frameworks in both countries and offer tips for businesses on how to mitigate risks associated with the use of dark patterns.

What are dark patterns?

Dark patterns are a range of online design practices that subvert and impair a consumer’s decision making. These techniques can be used in various contexts, including e-commerce, social media, and online services. Dark patterns can take many forms, including:

• Fickling: Designing unclear interfaces that make it hard for users to navigate data protection control tools.
• Hindering: Obstructing or blocking users from becoming informed or managing their choices.
• Misdirection: Focusing user attention on one thing to distract from another.
• Sneaking: Adding items to a user's basket without their knowledge or consent.

Dark patterns can be used to achieve various goals, including increasing sales or collecting personal data. However, they can also have a detrimental impact on users, including financial loss or data exploitation.

The UK

Advertising Standards Authority (ASA)

Businesses considering the use of dark patterns should be mindful that the ASA, the UK’s independent advertising regulator, has enforcement powers against companies that use dark patterns in their advertising. As part of its remit, the ASA has banned a number of adverts that have used dark patterns which have been found to mislead consumers, in contravention of section 3.1 (on misleading advertising) of the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing. Noting the rise in the use of dark patterns, the ASA recently published guidance on the matter, emphasizing the importance of transparency and clarity in online advertising, particularly when it comes to pricing, subscription services, and promotional offers.

Examples of dark patterns that the ASA has addressed in its rulings over the years have included:

• Drip-pricing, which is the addition of costs during the check-out process
• Choice pressure through a false sense of urgency relating to product or promotional availability.
• Promotions displaying the previous or future price of a product which make the current price seem more attractive in that moment.

Information Commissioner’s Office (ICO)

The ICO, the UK’s data privacy regulator, alongside the Competition Markets Authority, has called for businesses to stop using dark patterns which manipulate users into giving up more of their personal data than intended. In particular, the regulators have highlighted the following practices as examples of harmful online choice architecture:

• Overly complicated privacy controls, such as pop-ups that make it more difficult to refuse cookies.
• Default settings that require active steps by the user to change.
• Bundling privacy choices together in ways that make it difficult for users to understand what they are agreeing to.

As dark patterns undermine user choice, they risk breaching UK GDPR principles of fairness, transparency, and data protection by design or default. The ICO enforcement authority enables the regulator to protect people’s data protection rights, particularly where the practices harm vulnerable people.  Of note, the ICO may provide fines of to up to £17.5 million or 4% of a company’s annual worldwide turnover for UK GDPR violations, whichever is higher. The ICO has additional enforcement powers at its disposal, which include publicly available reprimands and warnings that can impact a business’ reputation.  

The USA

Federal Trade Commission (FTC)

Similarly to the UK regulators, the FTC has also issued guidance on dark patterns, advising businesses to avoid implementing design choices that manipulate consumers into making choices they would not otherwise have made.

The FTC guidance identifies four key types of dark patterns to avoid:

• Design elements that induce false beliefs, such as false scarcity claims and misleading language.
• Design elements that hide or delay disclosure of material information that consumers need to make informed decisions.
• Design elements that lead to unauthorized charges, such as pre-checked boxes that add extra fees.
• Design elements that obscure or subvert privacy choices, including default settings that maximize data collection or sharing.

In recent years, the FTC has taken action against a number of businesses over their uses of dark patterns in violation of the Federal Trade Commission Act’s prohibition on unfair or deceptive acts or practices. As a consequence of these enforcement actions, businesses that have been alleged to use dark patterns paid significant sums in settlement or consumer restitution fees. 

Data Privacy Laws

In the US, several states have enacted data privacy laws that impact the use of dark patterns. For example, the California Consumer Privacy Act (CCPA) provides that businesses should:

• Obtain clear and informed consent from users for data collection and processing.
• Provide users with clear and transparent choices.
• Avoid using design patterns that manipulate or deceive users.

Additionally, dark patterns have been explicitly recognized by the Colorado Privacy Act and California Privacy Rights Act (CPRA), which state that agreements obtained through the use of dark patterns do not constitute valid consent. Businesses that deploy the use of dark patterns in violation of these acts risk being subject to civil penalties, which differ from state to state. For example, the penalties for violating California law are a $2,500 fine or $7,500 if it is willful.

Tips for Businesses Relating to Dark Patterns

Ultimately, dark patterns are a pervasive issue in the digital landscape, and regulatory bodies in both the UK and US are taking steps to address the problem. Whilst the regulations and enforcement mechanisms may differ, the practices that are discouraged are similar across both countries.

To avoid the risks associated with dark patterns and ensure compliance with regulatory guidance, businesses should follow these tips:

• Use clear and honest language: Avoid misleading wording, such as creating a false sense of urgency around product availability or promotions.
• Ensure transparency: Clearly explain what users are signing up for and make all mandatory pre-contractual information and material terms of any transaction readily accessible.
• Simplify cancellations: Make it easy, free, and proportionate for users to unsubscribe from services.
• Target responsibly: Ensure that advertising claims and design choices are appropriate for the intended audience.
• Avoid manipulative defaults: Don’t use design elements (e.g., pre-selected options) that steer users toward unnecessary data sharing.
• Obtain informed consent: Collect and process user data only with clear and informed consent.
• Offer meaningful choices: Give users transparent options for data collection and allow them to easily withdraw consent and delete their data.
• Disclose key terms upfront: Do not hide essential purchase information behind links, pop-ups, or dropdown menus.