By: Alexandra Marlowe

Have you ever purchased an item, such as a plane ticket or a subscription package online, and before checkout, the website nudges you to purchase a more expensive option? If so, you have encountered an all-too-sly “dark pattern.” Likely you have come across hundreds of these designs in your lifetime, particularly if you frequently purchase items online.

A dark pattern is a user interface deliberately designed to trick users into taking specific actions, actions they likely would not take without the trickery. Harry Brignull, an Independent User Experience Consultant, coined the term “dark pattern” in 2010. In describing dark patterns, he explains that “we think of ‘bad design,’ we think of the creator being sloppy or lazy but without intent” however, dark patterns “are not mistakes.” Rather, the intentional design driving these interfaces is human psychology and an understanding of cognitive science.

Typically, the goal for a designer is a good user experience that makes interactions with the website and product satisfying and easy to navigate. The designer has the best interest of the user in mind while trying to achieve this goal, rather than the interest of the company. To create a seamless user experience, the designer studies the user. However, this approach can also be used deceptively to manipulate the user for the benefit of the company. This dishonest tactic emerged long before the e-commerce boom and was not restricted to websites. For example, credit card statements often include language about a “0% balance transfer” but do not clearly explain that the rate will dramatically increase in specified situations that are usually detailed in a long agreement found in small print. Some of us might even remember the old-school pop-up ads that would appear on your computer screen boasting that you won a sweepstake that you never entered. Dark patterns have evolved, becoming more complex, and therefore more difficult for the user to avoid.

Some recent flagrant examples of utilizing dark patterns include TurboTax and Facebook. In the TurboTax case, the platform has its U.S. government-mandated free-tax filing software hidden on its website. The purpose was to push low-income users to purchase TurboTax’s paid tax-filing software, which was easy to find on their website, instead of having low-income users use the free version of the software. Facebook, an all-too-frequent deceiver, implemented a two-factor authentication process to login to Facebook. In doing so, users shared their phone numbers. Rather than using the phone numbers for what appeared to be profile protection, Facebook utilized the phone numbers to send targeted ads to users.

There has been a growing concern among some states, and even the federal government, about the manipulative use of dark patterns, and its impact on Americans. To address this impact, the state of California, as of March 15, 2021, banned the use of dark patterns. This measure bolsters enforcement under the 2018 California Consumer Privacy Act, one of the country’s toughest consumer privacy acts. California’s Attorney General, in a press statement, stated that the regulation will “ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights.”

So what does the new measure regulate? The new regulation, which will take full effect in 2023, prohibits dark patterns that have “the substantial effect of subverting or impairing a consumer’s choice to opt-out of schemes where their personal data is being sold.” Some examples offered by the regulation include: requiring that users “click through or listen to reasons why they should not submit a request to opt-out before confirming their request” or using confusing language such as double-negatives. In terms of enforcement, if a business is not in compliance with the regulation they are sent a “notice to cure,” which provides them with a 30-day timeframe to make the necessary changes. The specific rules and enforcement of the regulation will be determined by a new California Privacy Protection Agency.

No regulation is without its criticisms, and the California regulation is not an exception. Given that the California Privacy Protection Agency is not slated to begin operating until later in 2021, some are wary of the impact the regulations will have on companies, as it is unclear what specific rules the agency will enact. Given the unknown future rules, a law partner specializing in privacy stated that “it’s a little unsettling for businesses trying to comply with the new law.” He further asserts that “clear boundaries on what’s acceptable . . . could benefit both consumers and companies.”

As the California Attorney General stated, “California is at the cutting edge of online privacy protection, and this newest approval by OAL clears even more hurdles in empowering consumers to exercise their rights under the California Privacy Act.” While the scope of the new regulation may be limited, it does not diminish the notable and potentially far-reaching impact the regulation may have across the country. As Jennifer King, a privacy specialist at the Stanford Institute for Human-Centered Artificial Intelligence points out, the new law is the “first time the term dark patterns has appeared in U.S. law, but likely not the last.” She anticipates that it will likely “proliferate” as a result of California’s action.

King’s predictions may have already been realized, as state senators in Washington state introduced their own state privacy bill to address the use of dark patterns. This is the third attempt to pass a privacy-related bill as a result of the lack of federal privacy regulations. Actions taken by California and Washington, coupled with the Democratic control of the U.S. Senate, might be the push needed for successful federal action to be taken. Efforts to curb deceptive design have been attempted by Congress, however, they were unsuccessful. Take for example, in 2019, bi-partisan Senators Mark Warner and Debra Fischer introduced a bill that would “ban internet platforms with more than 100 million users from using any dark patterns that trick users into handing over personal data.” While the bill was unsuccessful, it indicates that Congress, or at a minimum, some senators, are aware of the manipulative tactics being used by companies to benefit their bottom lines.

California’s new regulation, while it may not address every facet of dark patterns, is a vital step in protecting consumer privacy, and has the potential to spur additional action at both the state and federal levels.

Student Bio: Alexandra Marlowe is a second-year law student at Suffolk University Law School and a Staff Member on the Journal of High Technology Law. She is interested in pursuing a career in employment law. Alexandra holds a B.A. in Political Science and minors in Psychology and Philosophy from Wheaton College (MA).

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.