SaaS Agreements and Cross-Border Data Transfers

by John DiGiacomo

Partner

Internet Law

Many states have recently enacted consumer data protection statutes. Indeed, at this point, almost half of the U.S. states now have such a statute. In reviewing the most recently enacted statutes, one trend that can be seen is the increasing focus on defining the word “consent” to exclude any sort of agreement/consent obtained “through the use of dark patterns.” In this article, the Consumer Data Privacy and Protection Lawyers here at Revision Legal provide a brief explanation — and some examples — of what “dark patterns” means.

As background, most consumer data protection statutes require that data controllers obtain consumer consent before being legally allowed to conduct certain types of data processing. For example, in most U.S. consumer data protection statutes, a data controller cannot sell a consumer’s personal and/or sensitive consumer data without consent or process said data without consent for the purposes of targeted advertising or for profiling with respect to automated decisions that produce legally significant effects concerning the consumer.

All of the consumer data protection statutes define “consent” in traditional terms as some sort of clear and affirmative expression — signature, “click,” etc. — of agreement. However, many of the most recently enacted consumer data protection statutes have also made a point of defining what “consent” is NOT. For example, the Maryland Online Data Privacy Act (“MODPA”) — passed in May 2024 — states that “consent” does NOT include:

(1) acceptance of a general or broad Terms of Use or similar document that contains descriptions of personal data processing along with other unrelated information;

(2) hovering over, muting, pausing, or closing a piece of content; OR

(3) agreement obtained through the use of dark patterns.

MODPA then goes on to define “dark pattern” as a “user interface designed or manipulated with the substantial effect of subverting user autonomy, decision making, or choice.” Unfortunately, that definition is not too helpful. On the other hand, MODPA explicitly allows that any practice deemed a “dark pattern” by the Federal Trade Commission (“FTC”) will be considered a “dark pattern” under MODPA.

In plain language, what are “dark patterns”?

In simple terms, “dark patterns” are any device, method, stratagem, or anything else that nudges, channels, steers, or gently pushes consumers into making choices that are desired by the business/website owner.

Examples of “dark patterns”

One very common example of a dark pattern can be called “easy-accept-hard-revoke.” This is where a consumer’s acceptance of some feature is an “easy-one-click,” but to revoke that acceptance requires 10 difficult and confusing steps. This is a common dark pattern for auto-renewal subscriptions and programs where cancellation is much more difficult than enrollment.

Another example might be called “only one easy choice.” Consumers often see this dark pattern when asked about preferences for website cookies. The consumer is offered only two choices: one is easy (like “accept all cookies”) while the other is not so easy (such as “click here to learn more”). The second option typically takes the consumer to a new webpage, which is obviously less easy than simply clicking the “accept all cookies” button. Thus, this can be seen as a method that nudges, channels, and gently pushes the consumer to “accept all cookies.”

“Hierarchy ranking” is another common dark pattern. In this pattern, the desired choice is always first or listed at the top of a choice set. To continue our example, note that “accept all cookies” will always appear first on a list.

There are literally hundreds of dark patterns like this. Others include sneaking, preselection, shaming, obstruction, “social proof,” urgency claims, nagging, not-optimal-functioning threats, and more.

Cross-Border Data Transfer Frameworks: What SaaS Companies Must Know

For SaaS companies that process personal data across international borders — particularly from the European Union to the United States — the legal framework for lawful data transfers has been significantly revised in recent years. The EU-U.S. Data Privacy Framework (DPF), which went into effect in July 2023, replaced the invalidated Privacy Shield as the primary mechanism for lawful transfer of personal data from the EU to the U.S. U.S. companies that certify to the DPF can receive EU personal data without the need for additional transfer mechanisms.

Certification to the DPF requires a company to publicly commit to complying with the DPF Principles — which cover notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability. The commitment must be reflected in the company’s privacy policy and the company must register with the International Trade Administration (ITA). Certification must be renewed annually.

For transfers that do not rely on the DPF — such as transfers from the EU to non-U.S. third countries — Standard Contractual Clauses (SCCs) issued by the European Commission remain the primary mechanism. The 2021 version of the SCCs must be used; older versions are no longer valid for new contracts. SCCs must be accompanied by a Transfer Impact Assessment (TIA) that evaluates whether the legal framework of the destination country provides adequate protection for the transferred data.

Dark Patterns and the Validity of User Consent

As discussed above, the use of dark patterns to obtain user consent has emerged as a major focus of data protection regulators globally. The EU’s General Data Protection Regulation (GDPR) requires that consent be freely given, specific, informed and unambiguous. Dark patterns that manipulate or coerce consent violate the GDPR’s consent standard and can render any processing based on that consent unlawful.

The Irish Data Protection Commission (DPC) — which serves as the lead supervisory authority for many large tech companies under the GDPR’s one-stop-shop mechanism — has issued significant fines for dark pattern consent practices. In 2023, the DPC fined Meta €390 million for relying on contractual necessity rather than consent as the legal basis for processing personal data for behavioral advertising, finding that users were not given a genuine choice. In a separate action, the DPC found that Google’s privacy settings used dark patterns that failed to meet GDPR consent standards.

U.S. state data privacy laws are increasingly adopting similar standards. The Colorado Privacy Act (CPA, C.R.S. § 6-1-1301 et seq.) and the Connecticut Data Privacy Act (CTDPA) both explicitly prohibit obtaining consent through dark patterns. The California Privacy Protection Agency (CPPA) has identified dark patterns as an enforcement priority under the California Privacy Rights Act (CPRA).

Contractual Requirements for SaaS Data Processing Agreements

For SaaS companies acting as data processors under the GDPR — processing EU personal data on behalf of controller customers — a Data Processing Agreement (DPA) is legally required under GDPR Article 28. The DPA must specify: the subject-matter, duration, nature, and purpose of processing; the type of personal data and categories of data subjects; and the obligations and rights of both the controller and processor.

Under U.S. state data privacy laws, similar processor agreements are required by most statutes. While the specific requirements vary by state, most require the processor to: process data only on documented instructions from the controller; assist the controller in meeting its obligations to consumers; delete or return data at the end of the relationship; allow audits; and impose the same obligations on any subprocessors.

SaaS companies should review their standard customer contracts to ensure they include GDPR-compliant DPA provisions and are updated to reflect current U.S. state law requirements. Using a modular DPA that can be attached to existing customer agreements — rather than embedding data processing terms within the main contract — can make updates easier as laws continue to evolve.

Contact the Consumer Data Privacy and Protection Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
