Dark Patterns in User Interface Design

In the intricate dance of law and technology, regulatory agencies often lag behind the pace of change that private sector tech giants constantly seem to be accelerating. Since the meteoric rise of companies like Facebook (now Meta), Apple, Amazon, Netflix, and Google, digital revenue streams have exploded in value and become some of the most important facilitators of economic growth for the global economy. These changes have been largely a benefit to human society, but the maturation of the modern tech sector comes with a growing recognition and concern about the impact of common user interface design practices on consumer autonomy and decision-making – the “dark pattern.” Dark patterns refer to design elements in websites and apps that manipulate user decisions, often leading to unintentional outcomes like unwanted purchases or subscriptions.

The term “dark pattern” was coined in 2010, to describe how certain deceptively simple elements of user interface design, often overlooked, encourage users to make decisions that benefit digital service providers without considering the ramifications of that choice. The concept of “dark patterns” emerged in the legal context for the first time with a decision by the Italian Data Protection Authority (DPA) in February 2023. This decision explicitly referred to “dark patterns” as online design choices that manipulate users’ decision-making to benefit digital services. The Italian DPA’s decision was significant as it included images alongside textual descriptions to demonstrate the presence of dark patterns, a practice not commonly seen in legal literature at the time.

Dark patterns have now attracted the formidable gaze of the American legal system. Recent litigation led by the Federal Trade Commission (FTC) against giants like Meta and Amazon has thrust these cunning design choices into the harsh light of legal scrutiny. While the European legal framework, as exemplified by the Italian DPA’s decision, has begun to explicitly recognize and address dark patterns, the American legal system’s response has been more gradual, evolving primarily through case law and regulatory action.

Dark Patterns in US Litigation

Although the explicit use of the term “dark pattern” is fairly new to the US legal system, there is a longstanding precedent of legal action against practitioners of misleading or deceptive business practices that can be considered foundational to the FTC’s campaign to rein in the tech industry. The FTC’s headline-grabbing victories against Google and Publishers Clearing House targeted design elements that made it difficult for consumers to cancel subscriptions digitally, employed small and light fonts for legal disclosures, bombarded customers with misleading emails, or manipulated users into disclosing data without providing an adequate opportunity to decline.

These concepts may seem unique to the tech industry, but they share important thematic elements with prior FTC enforcement action against businesses that employed misleading business practices in other sectors such as telecommunications, financial services, healthcare and retail.

The FTC’s enforcement actions against telemarketing agencies are particularly illustrative of the similarities with its legal approach in the tech sector, particularly the Commission’s focus on consumer protection and the prohibition of deceptive practices. In both contexts, the FTC has consistently targeted deceptive or misleading practices that exploit consumer vulnerabilities.

Despite the Supreme Court’s decision to limit the FTC’s enforcement authority in AMG Capital Management, LLC v. FTC, which ruled that the FTC cannot obtain equitable monetary relief such as restitution or disgorgement, the agency has wielded trade regulations that allow for civil penalties to great effect. A significant portion of the FTC’s post-AMG actions have revolved around data security, online subscriptions, deceptive practices regarding user reviews, and violations related to children’s data privacy (COPPA). This demonstrates a clear priority on digital privacy and the prevention of deceptive online practices.

Returning to the telemarketing comparison, the FTC has employed the Telemarketing Sales Rule (TSR) to combat deceptive and abusive telemarketing acts. This includes practices like unauthorized billing, misleading representations, robocalls, and “lead generation” services that purportedly obtain the consumer’s consent to receive further communications from other telemarketing agencies. The FTC’s recent settlement with a lead generation telemarketing company and its actions in the tech context both emphasize the importance of informed consent. In both scenarios, the FTC aims to protect consumers from deceptive practices that can lead to unintended commitments or loss of privacy.

The TransUnion Supreme Court Case and Its Impact on Dark Patterns

The TransUnion v. Ramirez (2021) Supreme Court case marked a significant legal development for the handling of consumer data, which may prove crucial for the future of the FTC’s crusade against dark patterns. The case focused on the accuracy of consumer credit reports and the rights of consumers under the Fair Credit Reporting Act (FCRA). The Supreme Court’s decision emphasized the need for concrete harm for plaintiffs to have standing in federal court. Although the ruling itself has nothing to do with user interface design, it means that for the FTC to bring successful suits, it must demonstrate concrete, tangible harm to consumers resulting from these dark patterns.

The TransUnion decision disrupted the precedent established in Spokeo v. Robins (2016) by further clarifying and refining the concept of “concrete harm.” In Spokeo, the Supreme Court emphasized that a plaintiff must demonstrate concrete and particularized injury to establish standing. However, in TransUnion, the Court went a step further, underscoring that not all plaintiffs in a class-action lawsuit who are subjected to a statutory violation (such as a breach of the Fair Credit Reporting Act, as in this case) automatically meet the concrete harm requirement. TransUnion thus set a higher bar for proving actual, real-world harm, rather than relying on statutory violations alone to establish injury-in-fact.

Proving that the consumer suffered a concrete harm might involve showing financial loss, privacy violations, or other significant negative impacts directly attributable to deceptive design practices. This requires a clear connection between the dark pattern and the harm experienced by the consumer, which could include unauthorized charges, misleading subscription enrollments, or misuse of personal data. This emphasis on concrete harm underscores the need for robust evidence and clear articulation of damages in legal challenges against deceptive tech practices.

Implications for Tech Companies and UX Designers

TransUnion may complicate the FTC’s attempts to prosecute tech companies that employ dark patterns, but it may also provide a roadmap for compliance: by aligning design decisions with the concrete harm standard, businesses can preempt potential legal action related to user interface design in the first place. Tech companies must diligently assess how their products and services could potentially cause real, tangible harm to consumers.

While it is relatively easy to quantify the concrete harm that a recurring subscription with a convoluted cancellation process may cause, it is not so straightforward to calculate the harm of the misuse of user data. In the context of establishing concrete harm due to the misuse of user data, the legal landscape remains somewhat varied following the TransUnion decision. One key development is the Third Circuit’s ruling in Clemens v. ExecuPharm Inc., where the court identified concrete injury based on factors like intentional data access by threat actors, data misuse, and the types of data exposed. This approach suggests that for a data breach to constitute concrete harm, there needs to be a clear, immediate risk of substantial harm, such as identity theft or fraud, particularly when sensitive personal information is involved. The circuit courts, however, still show divergent views on what constitutes concrete harm in the wake of data breaches, with some circuits requiring actual or attempted misuse of personal information for standing, while others consider the risk of future harm under specific conditions. This split indicates that the context and nature of the data breach, alongside the actions of the threat actors and the types of data involved, are crucial in determining whether concrete harm has occurred.

The importance of transparency in privacy policies is another key takeaway from the recent legal trends around dark patterns and data privacy. A clear, concise, and transparent privacy policy is not just a legal requirement but also a vital element of consumer trust. It should accurately reflect a company’s data collection, usage, and sharing practices, ensuring users can make informed decisions. This transparency is crucial in the context of the FTC’s focus on informed consent and the court’s emphasis on concrete harm, as seen in cases like TransUnion v. Ramirez. A well-crafted privacy policy can serve as a foundational element in demonstrating a company’s commitment to ethical practices and compliance with consumer protection laws.

The FTC’s emphasis is on shifting tech firms towards ethical design that prioritizes user autonomy and clear, informed choices. Transparency in data collection and usage is paramount, requiring designs that make consent explicit and unambiguous. Despite the potential defenses that the concrete harm standard may provide, tech companies may be able to avoid costly litigation altogether by proactively bringing together legal experts, designers, and developers to reassess revenue strategies, particularly those involving auto-renewals or in-app purchases, and to eliminate deceptive practices.
