Many States have recently enacted consumer data protection statutes. Indeed, at this point, almost half of the U.S. States now have such a statute. In reviewing the most recently enacted statutes, one trend that can be seen is the increasing focus on defining the word “consent” to exclude any sort of agreement/consent obtained “through the use of dark patterns.” In this article, the Consumer Data Privacy and Protections Lawyers here at Revision Legal provide a brief explanation — and some examples — of what “dark patterns” mean
As background, most consumer data protection statutes require that data controllers obtain consumer consent before being legally allowed to conduct certain types of data processing. For example, in most U.S. consumer data protection statutes, a data controller cannot sell a consumer’s personal and/or sensitive consumer data without consent or process said data without consent for the purposes of targeted advertising or for profiling with respect to automated decisions that produce legally significant effects concerning the consumer.
All of the consumer data protection statutes define “consent” in traditional terms as some sort of clear and affirmative expression — signature, “click,” etc. — of agreement. However, many of the most recently enacted consumer data protection statutes have also made a point of defining what “consent” is NOT. For example, the Maryland Online Data Privacy Act (“MODPA”) — passed in May 2024 — states that “consent” does NOT include:
(1) acceptance of a general or broad Terms of Use or similar document that contains descriptions of personal data processing along with other unrelated information
(2) hovering over, muting, pausing, or closing a piece of content OR
(3) agreement obtained through the use of dark patterns
MODPA then goes on to define “dark pattern” as a “user interface designed or manipulated with the substantial effect of subverting user autonomy, decision making, or choice.” Unfortunately, that definition is not too helpful. On the other hand, MODPA explicitly allows that any practice deemed a “dark pattern” by the Federal Trade Commission (“FTC”) will be considered a “dark pattern” under MODPA.
In plain language, what are “dark patterns”?
In simple terms, “dark patterns” are any device, method, stratagem, or anything else that nudges, channels, steers, or gently pushes consumers into making choices that are desired by the business/website owner.
Examples of “dark patterns”
One very common example of a dark pattern can be called “easy-accept-hard-revoke.” This is where a consumer’s acceptance of some feature is an “easy-one-click,” but to revoke that acceptance requires 10 difficult and confusing steps. This is a common dark pattern for auto-renewal subscriptions and programs where cancellation is much more difficult than enrollment.
Another example might be called “only one easy choice.” Consumers often see this dark pattern when asked about preferences for website cookies. The consumer is offered only two choices, one is easy (like “accept all cookies”) while the other is not so easy (such as “click here to learn more”). The second option typically takes the consumer to a new webpage. This is obviously less easy than simply clicking on the “accept all cookies” button. Thus, this can be seen as a method that nudges, channels, and gently pushes the consumer to “accept all cookies.”
“Hierarchy ranking” is another common dark pattern. In this pattern, the desired choice is always first or listed at the top of a choice set. To continue our example, note that “accept all cookies” will always appear first on a list.
There are literally hundreds of dark patterns like this. Others include sneaking, preselection, shaming, obstruction, “social proof,” urgency claims, nagging, not-optimal-functioning threats, and more.
Contact the Consumer Data Privacy and Protection Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
