Revealing The “Dark Patterns” in Online Sales
From time to time, businesses make use of controversial techniques to drive up their sales. In some ways, it’s understandable that these tactics could prove tempting; certain markets are extremely competitive, and it can be challenging to stand out and capture the attention of potential customers – especially in digital spaces.
Facing these hurdles, some businesses resort to using certain sales tactics, without realising the potential violation of regulations like the EU’s Digital Services Act (DSA) or the UK’s Digital Markets, Competition and Consumers Act 2024 (DMCCA).
In this article, a team of GDPR and DSAR support experts explore what ‘dark patterns’ are, as well as their impact on consumers and the various considerations businesses need to make in order to ensure compliance with UK and EU privacy laws.
Online Choice Architecture
Online Choice Architecture (OCA) refers to the way in which choices are presented to users in a digital environment, for example, how prices are displayed on a website or the order in which options appear during an online purchase.
Dark patterns are related to OCA, but are not the same thing. The term ‘dark patterns’ describes online interface designs made to trick or manipulate users into making unintended and potentially harmful decisions, exploiting cognitive biases and potentially affecting economic outcomes or personal data use. These dark patterns can be found in a broad range of industries and contexts, including e-commerce, cookie consent banners, and even children’s gaming applications.
Types of sales tactics and dark patterns
During a public workshop in April 2021, the Federal Trade Commission (FTC) identified several deceptive design elements aimed at consumers’ purchasing decisions. Common practices included fake “low stock” messages and baseless countdown timers, such as ‘offer ends in 00:59:48’. The aim of these practices is to put pressure on consumers to make an immediate purchase, or risk missing out on a perceived “deal”.
Companies have also been found to use parasocial relationship pressure, whereby children are shown well-known characters to encourage them to make in-app purchases.
Not all dark patterns are related to online sales, and there are many that influence consumers’ decisions about the way their personal information is used. The European Data Protection Board has identified 6 categories for deceptive design patterns relating to data protection:
Rulings against dark patterns
The growing awareness of consumer rights and data protection has led to regulatory authorities adopting a stance of increased scrutiny around dark patterns and exploitative sales tactics. In fact, some of these cases have resulted in significant legal actions against major companies.
In December 2022, Epic Games was ordered to pay $245 million in refunds after it used dark patterns to trick users into making unwanted purchases in Fortnite. The FTC said the company employed counterintuitive and inconsistent button configuration, leading players to make unintentional in-game purchases.
In another significant case, action was taken against Amazon for its use of dark patterns on its user interface. The FTC said the manipulative and deceptive design tricked consumers into enrolling in Prime subscriptions, which automatically renewed.
This example of dark patterns is one that many may have experienced directly; during the online checkout process, customers were repeatedly presented with the option to subscribe to Amazon Prime, while the option to purchase without subscribing was difficult to find. Amazon also knowingly complicated the cancellation process for subscribers wanting to end their Prime membership.
EU and UK data protection and digital laws
Dark patterns or sales tactics aren’t specifically addressed by The General Data Protection Regulation (GDPR), but it does call for transparency, informed consent, and user rights regarding personal data. Given their potential to manipulate users into actions without their full understanding, dark patterns can potentially violate GDPR principles. In an ideal world, any business processing the personal data of UK or EU individuals should align their practices with the EU GDPR and UK GDPR to avoid non-compliance.
Elsewhere, the UK’s Digital Markets, Competition and Consumers Act 2024 (DMCCA) prohibits practices that mislead or coerce consumers, and earlier this year, the EU’s Digital Services Act (DSA) became applicable to all digital services platforms operating across EU Member States. The DSA aims to prevent illegal and harmful online activities and protect fundamental rights, banning the use of dark patterns and setting stricter standards for transparency, content moderation and user rights.
Avoiding The Use Of Dark Patterns
With these regulations in place, it is clear that organisations must choose their OCA carefully, so as to avoid manipulation of their customer base. There are a number of ways that businesses can ensure compliance with regulations.
Shortcuts
Online platforms should contain shortcuts to important information, settings, or actions to help users manage their data. These could be links to Privacy Notices, data protection settings, password reset pages, and even account deletion pages. It’s also advisable to consider a Consent Management Platform (CMP) to collect and manage user consent for cookies and other data processing activities.
Bulk options
Privacy options with the same processing purpose should be grouped together as bulk options. This allows users to change their data protection settings easily, whilst still providing granular choices.
Explain consequences
When users want to make changes to their privacy settings, it is important to explain the consequences of activating or deactivating certain data protection controls or giving and withdrawing consent.
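The two recommendations above (bulk options that keep granular choices, and explaining the consequences of each control) are easiest to see in a small consent model. The following is an added example written for this article, not code from the authors or from any CMP product; the purpose names, group names and consequence wording are constructed for illustration, and nothing is granted until the user acts.

```javascript
// Added example (not from the article): a consent model in which purposes with
// the same processing goal are grouped into a bulk option, each purpose keeps
// its own granular toggle, every toggle carries a plain-language consequence,
// and consent can be withdrawn at any time. Purpose names and wording are
// constructed for this example.

// Constructed purpose catalogue. "group" is the bulk option a purpose belongs
// to; "consequence" is the text shown when the user switches it on or off.
const PURPOSES = {
  analytics_pageviews: {
    group: "analytics",
    consequence: "Page views are counted in aggregate to see which content is read.",
  },
  analytics_heatmaps: {
    group: "analytics",
    consequence: "Click and scroll positions are recorded to study page layout.",
  },
  ads_personalised: {
    group: "advertising",
    consequence: "Browsing activity is used to select adverts shown to you.",
  },
  ads_measurement: {
    group: "advertising",
    consequence: "Advert views and clicks are reported to advertisers.",
  },
};

class ConsentState {
  constructor(purposes) {
    this.purposes = purposes;
    // Nothing is granted until the user acts: a pre-ticked default is not
    // freely given consent.
    this.granted = Object.fromEntries(Object.keys(purposes).map((k) => [k, false]));
    this.log = []; // record of each decision, kept to demonstrate compliance
  }

  purposesInGroup(group) {
    return Object.keys(this.purposes).filter((k) => this.purposes[k].group === group);
  }

  // Granular choice: one purpose at a time. Returns the consequence text so the
  // interface can show the user what the change means.
  setPurpose(key, value) {
    if (!(key in this.purposes)) throw new Error(`unknown purpose: ${key}`);
    this.granted[key] = Boolean(value);
    this.log.push({ purpose: key, granted: Boolean(value), at: new Date().toISOString() });
    return this.explain(key);
  }

  // Bulk option: every purpose sharing a processing goal in one action.
  setGroup(group, value) {
    const keys = this.purposesInGroup(group);
    if (keys.length === 0) throw new Error(`unknown group: ${group}`);
    return keys.map((k) => this.setPurpose(k, value));
  }

  // Withdrawal must be as easy as giving consent: one call clears everything.
  withdrawAll() {
    return Object.keys(this.purposes).map((k) => this.setPurpose(k, false));
  }

  // "all", "none" or "partial": lets the bulk toggle reflect granular edits
  // honestly instead of showing a single misleading state.
  groupStatus(group) {
    const keys = this.purposesInGroup(group);
    const on = keys.filter((k) => this.granted[k]).length;
    if (on === 0) return "none";
    return on === keys.length ? "all" : "partial";
  }

  // Plain-language statement of what the current setting means.
  explain(key) {
    const state = this.granted[key] ? "ON" : "OFF";
    return `${key} is ${state}: ${this.purposes[key].consequence}`;
  }

  isGranted(key) {
    return this.granted[key] === true;
  }
}

// Walk-through of the flow described in the article: bulk grant, granular
// override, then withdrawal of everything.
function demo() {
  const consent = new ConsentState(PURPOSES);
  consent.setGroup("analytics", true);             // bulk option
  consent.setPurpose("analytics_heatmaps", false); // granular override
  const statusAfterOverride = consent.groupStatus("analytics"); // "partial"
  consent.withdrawAll();
  return {
    statusAfterOverride,
    anyGranted: Object.values(consent.granted).some(Boolean),
    decisions: consent.log.length,
  };
}
```

The point of `groupStatus` returning "partial" is that a bulk toggle which silently shows "on" after a user has switched off one purpose within the group would itself be a misleading interface element; the model makes the honest state available to whatever renders the banner.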
Cross-device consistency
Platforms accessed across different devices or operating systems must be consistent. Interface elements, including menus and icons, should be the same and privacy settings should be located in the same place across all devices.
Self-explanatory URLs
Self-explanatory URLs clearly reflect the content on each page. For example, the data protection settings page may have a URL such as organisation.com/data-settings.
Exercise rights form
Individuals may wish to contact your organisation to exercise their rights under the GDPR. An electronic form can help users understand their rights and guide them through such requests.
Notifications
Notifications can be used to raise awareness about changes or risks to data processing, as long as consent to receive notifications has been given. These can be in the form of inbox messages, pop-up windows, or website banners.
Contact details
The contact details for your company and the supervisory authority should be clearly stated in your Privacy Notice, in a section where users would expect to find it.
Privacy Notices
There are several ways to make your Privacy Notices more easily accessible for individuals, including:
- Using a collapsible table of contents with headings and subheadings, allowing users to quickly identify and jump to relevant sections
- Adding a ‘jump to’ button, allowing users to jump to another section or return to the top of the notice from within a section
- Ensuring wording and definitions are coherent throughout your notice and website
Conclusion
Understanding the impact of OCA and dark patterns is a vital element of implementing ethical design elements. It is important to provide users with fair and transparent information, to only collect data that is necessary for specified, explicit, and legitimate purposes, and allow users the right to withdraw consent at any time. Ultimately, there’s no need to resort to dark patterns, as a smooth user experience that complies with regulations is wholly achievable through following best practices and supervisory authority guidelines.