Unveiling dark patterns: Sales tactics and regulatory compliance sheds light on the controversial techniques businesses sometimes use to drive sales, and on the importance of regulatory oversight. We explore what ‘dark patterns’ are, their impact on consumers, and the elements to consider to ensure compliance with UK and EU privacy laws.
In a crowded market, it can be difficult to stand out and capture the attention of potential customers. As a result, some businesses resort to sales tactics without realising that they may be breaching regulations such as the EU’s Digital Services Act (DSA) or the UK’s Digital Markets, Competition and Consumers Act 2024 (DMCCA).
First, let’s explore in more detail what dark patterns are and how they relate to the online sales environment.
The digital design environment is the space in which visual and interactive content is created for digital media. The way that environment presents choices to users is more commonly referred to as Online Choice Architecture (OCA): for example, the way prices are displayed on a website, or the order in which options appear during an online purchase.
Dark patterns are related to OCA, but they are not the same thing. The term ‘dark patterns’ was coined by user-experience specialist Harry Brignull in 2010. It describes online interface designs, a subset of OCA practices, that trick or manipulate users into making unintended and potentially harmful decisions. They exploit cognitive biases and can affect economic outcomes or the use of personal data.
Dark patterns can be found in a variety of industries and contexts, including ecommerce, cookie consent banners, and even children’s gaming applications.
During a public workshop in April 2021, the Federal Trade Commission (FTC) identified several deceptive design elements aimed at consumers’ purchasing decisions. Common practices included false low-stock messages, such as ‘only 1 left in stock’, and baseless countdown timers, such as ‘offer ends in 00:59:48’, both of which pressure consumers into making an immediate purchase.
Companies have also been found to use parasocial relationship pressure, whereby children are shown well-known characters to encourage them to make in-app purchases.
However, not all dark patterns are related to online sales. There are many that influence consumers’ decisions about the way their personal information is used.
The growing awareness of consumer rights and data protection has led to an increased scrutiny of dark patterns and exploitative sales tactics by regulatory authorities. Some of these cases have resulted in significant legal actions against major companies, including Epic Games and Amazon.
In December 2022, Epic Games was ordered to pay $245 million in refunds after it used dark patterns to trick users into making unwanted purchases in its videogame, Fortnite. The FTC said the company employed counterintuitive and inconsistent button configuration, leading players to make unintentional in-game purchases.
In another significant case, the FTC brought action against Amazon for its use of dark patterns on its user interface. The FTC said the manipulative and deceptive design tricked consumers into enrolling in Prime subscriptions, which automatically renewed.
During the online checkout process, customers were repeatedly presented with the option to subscribe to Amazon Prime at $14.99/month, while the option to complete their purchase without subscribing was difficult to find. Amazon also knowingly complicated the cancellation process for subscribers who sought to end their Prime membership.
The General Data Protection Regulation (GDPR) does not address dark patterns or sales tactics directly. However, it does emphasise transparency, informed consent, and user rights regarding personal data. Dark patterns, which manipulate users into actions without their full understanding, can therefore violate GDPR principles. Organisations processing the personal data of UK or EU individuals should ensure their business practices align with the EU GDPR and the UK GDPR.
In addition to the GDPR, the UK’s Digital Markets, Competition and Consumers Act 2024 (DMCCA) prohibits practices that mislead or coerce consumers. Under this Act, the Competition and Markets Authority (CMA) has the power to impose fines of up to 10% of global turnover on non-compliant organisations.
On 17 February 2024, the EU’s Digital Services Act (DSA) became applicable to all digital services platforms operating across EU Member States. The DSA aims to prevent illegal and harmful online activities and protect fundamental rights. The DSA bans the use of dark patterns and sets stricter standards for transparency, content moderation and user rights.
Under Article 25(1) of the adopted text (numbered Article 23a in earlier drafts):
‘Providers of online platforms shall not design, organize or operate their online interfaces in a way that deceives, manipulates or otherwise materially distorts or impairs the ability of recipients of their service to make free and informed decisions.’
It is imperative that organisations choose their OCA carefully. The European Data Protection Board sets out user-interface best practices, which facilitate the effective implementation of the GDPR and other data protection regulations.
Online platforms should contain shortcuts to important information, settings, or actions to help users manage their data. These could be links to your organisation’s Privacy Notice, data protection settings, password reset page, and even account deletion page.
You should also consider using a Consent Management Platform (CMP) to collect and manage user consent for cookies and other data processing activities.
Privacy options with the same processing purpose should be grouped together as bulk options. This allows users to change their data protection settings easily, whilst still providing granular choices.
When users want to change their privacy settings, it is important to explain the consequences of activating or de-activating certain data protection controls or giving and withdrawing consent.
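The grouping, granular choices, consequence text and withdrawal described in the last three paragraphs, as an added example in JavaScript. This is not code from The DPO Centre or from any consent management product; the purposes, groups, wording and the banner check are assumptions constructed for illustration.

```javascript
// Added example, not code from The DPO Centre or any real consent management
// platform. It models the practices described above: optional purposes start
// unticked, purposes sharing a processing purpose are grouped into bulk
// options while staying individually switchable, each purpose carries the
// consequence shown when it is toggled, and withdrawal is a single action.
// Every purpose, group and wording below is constructed for illustration.

const PURPOSES = [
  { id: "necessary",   group: "essential",   required: true,
    consequence: "Needed for login and checkout; cannot be switched off." },
  { id: "analytics",   group: "measurement", required: false,
    consequence: "Page views are counted; off excludes you from usage statistics." },
  { id: "performance", group: "measurement", required: false,
    consequence: "Load times are reported; off stops that reporting." },
  { id: "ads",         group: "advertising", required: false,
    consequence: "Ads are personalised; off means non-personalised ads only." },
  { id: "social",      group: "advertising", required: false,
    consequence: "Embedded social widgets load and may set third-party cookies." },
];

class ConsentState {
  // `now` is injectable so the audit trail is reproducible in tests.
  constructor(purposes, now = () => new Date().toISOString()) {
    this.purposes = purposes;
    this.now = now;
    this.log = [];
    // No pre-ticked boxes: only strictly necessary purposes start on.
    this.choices = Object.fromEntries(purposes.map((p) => [p.id, p.required]));
  }

  _set(id, value, source) {
    const p = this.purposes.find((x) => x.id === id);
    if (!p) throw new Error(`unknown purpose: ${id}`);
    if (p.required && !value) return; // necessary processing is not consent-based
    this.choices[id] = value;
    this.log.push({ at: this.now(), purpose: id, value, source });
  }

  // Granular choice for one purpose.
  setPurpose(id, value) { this._set(id, value, "granular"); }

  // Bulk option: one action covers every purpose in the group.
  setGroup(group, value) {
    for (const p of this.purposes.filter((x) => x.group === group)) {
      this._set(p.id, value, `group:${group}`);
    }
  }

  // Accepting and rejecting everything are each a single action.
  acceptAll() { for (const p of this.purposes) this._set(p.id, true, "accept_all"); }
  rejectAll() { for (const p of this.purposes) this._set(p.id, false, "reject_all"); }

  // Withdrawal is as easy as giving consent: one call, recorded as such.
  withdraw() {
    this.rejectAll();
    this.log.push({ at: this.now(), event: "withdrawn" });
  }

  // Text to show next to a toggle so the user knows what changes.
  explain(id) {
    const p = this.purposes.find((x) => x.id === id);
    return p ? p.consequence : undefined;
  }

  // Per-group state ("all" / "some" / "none") for rendering the bulk toggles.
  summary() {
    const out = {};
    for (const p of this.purposes) (out[p.group] = out[p.group] || []).push(this.choices[p.id]);
    for (const g of Object.keys(out)) {
      const on = out[g].filter(Boolean).length;
      out[g] = on === out[g].length ? "all" : on === 0 ? "none" : "some";
    }
    return out;
  }
}

// Checks a banner description for two indicators discussed above: pre-ticked
// optional purposes, and a decline path that takes more steps than accepting.
function auditBanner(banner) {
  const findings = [];
  for (const p of banner.purposes) {
    if (!p.required && p.defaultOn) findings.push(`pre-ticked optional purpose: ${p.id}`);
  }
  if (banner.clicksToReject > banner.clicksToAccept) {
    findings.push(`rejecting takes ${banner.clicksToReject} clicks, accepting ${banner.clicksToAccept}`);
  }
  return findings;
}

// Constructed banner configurations for the check, not taken from any real site.
const BAD_BANNER = {
  purposes: [{ id: "necessary", required: true, defaultOn: true },
             { id: "ads", required: false, defaultOn: true }],
  clicksToAccept: 1, clicksToReject: 3,
};
const GOOD_BANNER = {
  purposes: PURPOSES.map((p) => ({ id: p.id, required: p.required, defaultOn: p.required })),
  clicksToAccept: 1, clicksToReject: 1,
};
```

The `summary()` output is what a bulk toggle should be rendered from: a group shows as "some" when the user has made a granular choice inside it, so the bulk control never silently overrides that choice until the user acts on it. The audit trail in `log` records the source of each change (granular, group, accept-all, reject-all, withdrawn), which is what you would need to demonstrate to a supervisory authority how a given consent was obtained.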
If your platform is available across different devices, such as laptops, desktops, tablets and smartphones, and different operating systems, such as iOS or Android, you should ensure cross-device consistency. Interface elements, including menus and icons, should be the same, and privacy settings should be located in the same place across all devices.
Self-explanatory URLs clearly reflect the content on each page. For example, the data protection settings page may have a URL such as organisation.com/data-settings.
Individuals may wish to contact your organisation to exercise their rights under the GDPR. An electronic form can help users understand their rights and guide them through such requests.
Notifications can be used to raise awareness about changes or risks to data processing, provided consent to receive them has been given. These can take the form of inbox messages, pop-up windows, or website banners.
The contact details for your company and for the supervisory authority should be clearly stated in your Privacy Notice, in a section where users would expect to find them.
There are several ways to make your Privacy Notices more easily accessible for individuals. These include:
Understanding how OCA and dark patterns can affect user decisions is key to implementing ethical design elements. Organisations can ensure a balance between smooth user experiences and regulation compliance by following best practices and supervisory authority guidelines.
It is important that online environments provide users with fair and transparent information. Only collect data that is necessary for specified, explicit, and legitimate purposes, and allow users the right to withdraw consent at any time.
If you require any help with your organisation’s data protection governance please contact The DPO Centre team here.