Beware Dark Patterns – What are They and What Should Your Business Do About Them?

Mintz - Privacy & Cybersecurity Viewpoints

Mintz - Privacy & Cybersecurity Viewpoints

While the term “dark patterns” is not new, it has recently been getting a more attention, not least because the newly passed California Privacy Rights Act (“CPRA”) will regulate dark patterns. In this article, we will focus on what dark patterns are, how your business should be thinking about them, and how CPRA is approaching this issue.

  1. What are Dark Patterns?

The term dark patterns stems back to comments made by user interface expert Harry Brignull on or around 2010, which he described as mechanisms that could be employed within software to discourage users from taking actions that the entity employing the mechanism did not want the user to take, such as unsubscribing from a mailing list, or completing actions that they would not otherwise take, such as sharing personal information.

Effectively, dark patterns can be thought of generically as using insidious methods within the user interface portion of an offering to influence user behavior in ways that the user would not expect or desire. Of course, there is not always malicious intent, and exactly what does or does not constitute a dark pattern is up for debate.

  1. What does the CPRA say about Dark Patterns?

The CPRA approach to dark patterns gives regulated entities some less than clear guidance.

  • Dark patterns as defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.”
  • The CPRA has added a newly defined “consent” such that “agreement obtained through the use of dark patterns does not constitute consent.”
  • Implementing regulations involving the sale or sharing of personal information will be required to ensure that a business obtaining consumer consent for sale or sharing of personal information “does not make use of any dark patterns.”

Thus, while it is clear that certain user interface designs could render any such “consent” invalid in the future, exactly what will constitute dark patterns remains somewhat opaque.

  1. Given the uncertainty, what steps should regulated entities take?

Here are a few steps regulated entities can take to reduce their dark pattern risk:

  • Be cognizant of the issue generally. Consider working with your user interface design colleagues to inform them of the contours of the issue, and ask them if they think any of their design decisions could be considered dark patterns. Pay particular attention to information collection elements, or areas where the system is attempting to obtain effective user consent.
  • The space is evolving. Consider attending a workshop such as this one, being held by the FTC on dark patterns.
  • As part of your own internal privacy by design process, institute a review process for your entity’s information collection surfaces, such that important user interface areas are reviewed by neutral members of your organization or a third party.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz - Privacy & Cybersecurity Viewpoints | Attorney Advertising

Written by:

Mintz - Privacy & Cybersecurity Viewpoints

Mintz - Privacy & Cybersecurity Viewpoints on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.