Compliance
Friday, February 23, 2024
By Kasey Pukys and Andy Soodek
Dark patterns – deceptive user-interface design elements that subtly coerce users into making choices against their best interests – have emerged as a threat to privacy rights across company websites and consent interfaces. Regulators are taking action to discourage the use of such dark patterns.
With the release of the California Privacy Rights Act (CPRA), which came into effect on July 1, 2023, businesses are required to provide more transparency around how consumers’ personal information is collected and will be used. Further, businesses must include consent mechanisms that allow consumers to opt out of the collection, processing, sale, and sharing of their personal information.
Naturally, new regulations allotting more choices to consumers are highly susceptible to dark patterns.
To counter these practices, the California Privacy Protection Agency (CPPA), created by and for the enforcement of the CPRA, established consumer consent regulations on dark patterns. Separately, the European Data Protection Board (EDPB), which publishes guidance for the application of the EU’s globally influential General Data Protection Regulation (GDPR), has issued Guidelines on deceptive design patterns in social media platform interfaces.
Combining guidance from both the CPPA and EDPB, the following examines some of the most prevalent dark patterns in consent interfaces and the best ways to avoid them.
Make Consent Choices Fair and Consistent
The California agency requires businesses to implement consent mechanisms that are easy for consumers to understand and that offer “symmetry in choice.” Simply stated, the path to a more privacy-protective choice cannot be more difficult or take longer for the consumer than the path to a less privacy-protective choice.
As businesses design consent interfaces to give users the ability to opt out of cookies and the sale or sharing of personal information, businesses are often tempted to make these options more complicated than a simple ‘opt in’ to allow them to continue to collect and process personal information. Nonetheless, adhering to the symmetry-in-choice principle is crucial to prevent the use of deceptive design techniques, which can lead to regulatory fines and disciplinary actions for businesses.
Common dark patterns to avoid that fall under this category include:
To avoid such dark patterns, the creators of consent interfaces should explore the symmetry of their designs through the lens of a user journey.
Avoid Deceptive Language and Design
It may seem obvious, but the CPPA requires that consumer consent interfaces avoid using language or other interactive elements that confuse the user. These elements can manifest in many ways, but the EDPB defines one such pattern as “stirring,” which “affects the choice users would make by appealing to their emotions or using visual nudges.”
Examples of dark patterns commonly found through language or interactive design elements include:
Deceptive language and design choices such as these can be crafted intentionally or unintentionally. So long as the typical user is misled in such a way that they cannot effectively make fair consent choices, the design constitutes a dark pattern and should be corrected swiftly.
Categorize Choices Accurately
The CPPA asks that businesses avoid ambiguous patterns or methods in consent architecture that impair the user’s ability to make informed decisions about their consent. This type of dark pattern may manifest itself in the presence of conflicting or ambiguous language, or the bundling of privacy-protective choices that should not fall under the same category. In this instance, a consent interface may be participating in a “left in the dark” deceptive design tactic, which the EDPB defines as hiding information or data protection controls that confuse users about their opt-ins and how their data will be processed.
This type of dark pattern differs from other manipulative design tactics because it is often difficult to detect, or even overlooked in the design stages of building consent interfaces. Some examples:
In this instance, design and technical teams should work closely together to ensure cookies and other consent-based services are categorized appropriately.
Looking Ahead
Dark patterns in user consent and preferences are concerning because they undermine the principles of informed consent. Regulatory violations, skepticism surrounding consent choices, and loss of consumer trust resulting from poor user experience are all potential consequences of deceptive user interfaces.
Moving forward, businesses should incorporate digital consent-management interfaces that offer clear and easily accessible choices to meet regulatory requirements and enhance the digital experience for consumers. To avoid dark patterns, businesses must identify them in the design and testing phases of consent interfaces and consult privacy professionals familiar with the principles of privacy-by-design.
Kasey Pukys is an Associate Consultant, and Andy Soodek is a Managing Principal, for Capco’s Data Security & Privacy Practice.