No, we’re not talking about sinister sewing guides, but rather practices or formats that may manipulate or mislead consumers into taking actions they would not otherwise take.
We untangled the topic of so-called “dark patterns” in two in-depth blogs earlier this year, available here and here. At that time, we noted there was a common thread between practices regulators were calling “dark patterns” and practices that have been core elements of consumer protection law and policy for years. We concluded that, despite the catchy new terminology, it did not appear we’d be seeing a new legal standard.
The FTC’s newly released dark patterns staff report may lead us to pause and reconsider. While the majority of identified practices fall squarely within the FTC’s prior enforcement activities (e.g., hidden fees, improper disclosures, bait-and-switch offers), the report also weaves in a handful of practices that may be more of a stretch under existing law, signaling a possible pivot towards more aggressive enforcement activities. Here are a few of them:
- Using shame to steer users away from certain choices, a concept the California Privacy Protection Agency (led by FTC alum Askhan Soltani) has also proposed to include in the draft CPRA regulations.
- Making the free version of a game so cumbersome and labor-intensive that the player is induced to unlock new features with in-app purchases;
- Making users create an account or share their information to complete a task;
- Asking repeatedly and disruptively if a user wants to take an action;
- Making a request that doesn’t let the user permanently decline – and then repeatedly prompting them with the request.
The report also focuses specifically on dark patterns seeking to obscure or subvert consumers’ privacy choices. These include:
- Asking users to give consent but not informing them in a clear, understandable way what they are agreeing to share, an issue France’s data protection authority has addressed;
- Telling users the site is collecting their information for one purpose but then sharing it with others or using it for other purposes;
- Including default settings that maximize data collection and making it difficult for users to find and change them.
In text on which staff did not elaborate, the report also contends that businesses should use consumer information only for “the service the consumer requested, and nothing more.” Such restrictive purpose limitations are not contemplated by state privacy laws and would foreclose innovation.
As of this writing, the FTC hasn’t announced any cases challenging practices in these more innovative categories. Some of these same categories have also been discussed by State Attorneys General in recent months at meetings such as the NAAG Consumer Protection conference, but similarly, AGs have been reluctant so far to push the boundaries of which of these practices they believe constitute a violation of state law. We will continue to monitor this issue on both the state and federal fronts and post updates as they occur. In the meantime, companies should give serious consideration (both in light of this FTC development and the emerging state law emphasis on dark patterns) in their product interfaces, disclosure and notice design, purchases flows, cancellation methods, and other consumer communications.