Dark Patterns in Cookies and Consent Management
The term “dark patterns” was first coined by UX specialist Harry Brignull to describe attempts by software to manipulate users into behaving as companies intended. A good example of this would be an “Unsubscribe” button that is very small and is placed at the bottom of an email with the intention to discourage users from unsubscribing. Brignull identified many types of dark patterns, including:
1. "Roach motel," where a user signs up for a service with ease but finds it difficult to cancel
2. "Price comparison prevention," where a website makes comparing the prices and features of two products difficult
3. "Misdirection," where the website design intentionally draws the user’s attention to a specific area to distract from another area
Regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require websites and apps to display cookie banners and obtain users’ consent before collecting their data. While a step in the right direction, cookie banners and consent management have not worked very well for most users. It has proved difficult to find a cookie consent banner that is appropriate, and the presence of dark patterns has made informed cookie consent a myth for most.
The dark patterns found in these consent management tools, while unintentional, result in consent fatigue. The options presented in these banners are hard to understand and difficult to choose between, so users often give consent without reviewing them properly. Once consent is given, the user has limited control over how the collected data can be used. This has further increased angst and suspicion among users about the actual intentions of the companies.
What are some of the reasons that contribute to these dark patterns in consent management?
A majority of the cookie banners are based on how the companies interpret the rules and their legal obligations, which vary from one website to another. A number of Supervisory Authorities have recently published guidance (Belgium, France, etc.), but the guidance is not consistent, resulting in different interpretations. These variations in laws/guidance regarding the implementation of cookie consent have led to further complexities for businesses operating across regions.
Some of the most common rules that companies fail to comply with are the inclusion of both accept and reject options in the first layer (81%), the use of contrasting colors for the accept and reject buttons (73%), and the provision of a one-click button for refusing consent (51%). (Source: GDPR-Compliant Cookie Banners - Free Privacy Policy)
The website should provide details regarding the data that is being collected and the purpose in order to be compliant with the GDPR. But if the cookie banners mislead the users and don’t help them in making an informed decision, then it doesn’t serve the purpose of seeking consent.
The companies find it difficult to explain in a clear and concise manner all the data that is being collected and the purpose for which this data is being collected. A study conducted by researchers at the Massachusetts Institute of Technology, University College London, and Aarhus University found that the majority of cookie-consent tools do not adhere to the EU General Data Protection Regulation.
The Regulatory Landscape Around Dark Patterns
A 2019 study found that 57.4% of the 1,000 websites surveyed used a form of dark pattern called “nudging” to steer the user towards giving consent. These numbers show that it is a relatively common practice among businesses.
NOYB, the privacy group led by Max Schrems, is focusing on dark patterns and deceptive designs with the aim of having at least 10,000 European websites comply with the GDPR within a year. The group has developed a tool that identifies the different types of unlawful cookie banners and reports them automatically. NOYB sent a written warning and a “draft complaint” to more than 500 companies; 42% of the violations in the complaints were remedied within 30 days. A few months later, NOYB found that 82% of the companies were still in violation and filed 422 complaints with ten data protection authorities.
The above chart summarizes the list of issues NOYB identified; the most common issue was that withdrawing consent is significantly more onerous than giving it. Other issues include deceptive button colors, scrolling treated as a form of consent, pre-ticked consent options in the second layer, and no “refuse all” button in the first layer. The EDPB has established a taskforce to coordinate the response to the complaints raised by NOYB.
Though the US lacks a federal privacy law, some states are taking cookie consent seriously. In March 2021, California (as part of the CCPA) prohibited the use of dark patterns that make it difficult for users to opt out of the sale of their personal data. In addition, both the Colorado Privacy Act (CPA) and the California Privacy Rights Act (CPRA) state that user consent obtained using dark patterns is not valid.
The Federal Trade Commission’s (FTC) “Bringing Dark Patterns to Light” workshop also drew attention to the subject and discussed its effects on consumer autonomy and decision-making. The FTC took comments on topics related to the use of digital “dark patterns,” a range of potentially deceptive or unfair user interface designs used on websites and mobile apps, and these comments were discussed at the agency’s workshop. Jennifer King, one of the panellists and a privacy and data policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence, said, “The present mechanism of hitting ‘I accept’ with no attempt to actually inform you in a user-friendly way of what you’re consenting to is potentially inherently manipulative, and I’d really like to see solutions that go further than just giving us kind of new looks on existing interfaces.”
The newly approved regulations under the CCPA ban dark patterns or practices that have a substantial impact on impairing a consumer’s ability to opt out. The rules provide the following as examples of dark patterns:
1. An opt-out process that requires more steps than the process for a consumer to opt back in to the sale of personal information after having previously opted out;
2. Using confusing language (e.g., double negatives such as “Don’t Not Sell My Personal Information”);
3. Requiring consumers to click through or listen to unnecessary reasons why they should not submit a request to opt out before confirming their request;
4. An opt-out request that requires consumers to provide personal information that is not necessary to implement the request;
5. Requiring a consumer to search or scroll through the text of a website or privacy policy to submit the opt-out request.
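The compliance failures listed earlier (no reject option in the first layer, buried reject buttons, no one-click refusal), the NOYB findings (withdrawal harder than consent, scroll-as-consent, pre-ticked options) and the CCPA examples above can be turned into a checklist that a privacy or security reviewer runs against a site's consent flow. The following is an added example written for this article; it is not code from the article, from NOYB, or from any regulator. It assumes a hand-written, structured description of the consent flow (the `flow` object shape is invented here) and uses the WCAG relative-luminance formula to compare how strongly each button stands out against the banner background; the factor-of-two prominence threshold is an assumed heuristic, not a published standard.

```javascript
// Added example (not from the article, NOYB, or any regulator): an audit of a
// structured description of a cookie-consent flow against the dark-pattern
// criteria the article lists. The `flow` shape and the prominence threshold
// are assumptions made for this example.

// WCAG 2.x relative luminance of a "#rrggbb" colour (0 = black, 1 = white).
function relativeLuminance(hex) {
  const lin = (c) => {
    const s = c / 255;
    return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  };
  const n = parseInt(hex.slice(1), 16);
  return 0.2126 * lin((n >> 16) & 0xff) + 0.7152 * lin((n >> 8) & 0xff) + 0.0722 * lin(n & 0xff);
}

// WCAG contrast ratio between two colours, from 1 (identical) to 21 (black on white).
function contrastRatio(a, b) {
  const [hi, lo] = [relativeLuminance(a), relativeLuminance(b)].sort((x, y) => y - x);
  return (hi + 0.05) / (lo + 0.05);
}

// "Don't Not Sell" style double negatives (the CCPA example in the list above).
const DOUBLE_NEGATIVE = /\bdon['’]?t\s+not\b/i;

// Returns human-readable findings; an empty list means none of the listed
// dark patterns was detected in the description.
function auditConsentFlow(flow) {
  const findings = [];
  const first = flow.firstLayer;
  const accept = first.buttons.find((b) => b.action === 'accept');
  const reject = first.buttons.find((b) => b.action === 'reject');

  // The first layer must offer refusal as a one-click option next to acceptance.
  if (!reject) findings.push('no reject option in the first layer');

  // Assumed heuristic: if the accept button stands out against the banner
  // background more than twice as strongly as the reject button, the reject
  // button is being visually buried.
  if (accept && reject) {
    const acceptProminence = contrastRatio(accept.color, first.background);
    const rejectProminence = contrastRatio(reject.color, first.background);
    if (acceptProminence / rejectProminence > 2) {
      findings.push('accept button far more prominent than reject button');
    }
  }

  if (first.consentOnScroll) findings.push('scrolling is treated as consent');

  // Optional purposes must default to unchecked in the second layer.
  const purposes = (flow.secondLayer && flow.secondLayer.purposes) || [];
  const preTicked = purposes.filter((p) => p.optional && p.checkedByDefault);
  if (preTicked.length > 0) {
    findings.push('pre-ticked optional purposes: ' + preTicked.map((p) => p.name).join(', '));
  }

  // Withdrawing or opting out must not be harder than consenting.
  if (flow.stepsToWithdraw > flow.stepsToConsent) {
    findings.push('withdrawing consent takes more steps than giving it');
  }
  if (flow.optOutRequiresExtraPersonalData) {
    findings.push('opt-out asks for personal data not needed to honour the request');
  }

  for (const b of first.buttons) {
    if (DOUBLE_NEGATIVE.test(b.label)) findings.push('confusing double negative: "' + b.label + '"');
  }
  return findings;
}

// Constructed sample flows for this example; they do not describe real sites.
const DARK_FLOW = {
  firstLayer: {
    background: '#ffffff',
    consentOnScroll: true,
    buttons: [
      { action: 'accept', label: 'Accept all', color: '#2e7d32' },
      { action: 'reject', label: "Don't Not Sell My Personal Information", color: '#e0e0e0' },
    ],
  },
  secondLayer: { purposes: [
    { name: 'Strictly necessary', optional: false, checkedByDefault: true },
    { name: 'Advertising', optional: true, checkedByDefault: true },
  ] },
  stepsToConsent: 1,
  stepsToWithdraw: 5,
  optOutRequiresExtraPersonalData: true,
};

const CLEAN_FLOW = {
  firstLayer: {
    background: '#ffffff',
    consentOnScroll: false,
    buttons: [
      { action: 'accept', label: 'Accept all', color: '#1565c0' },
      { action: 'reject', label: 'Reject all', color: '#1565c0' },
    ],
  },
  secondLayer: { purposes: [
    { name: 'Strictly necessary', optional: false, checkedByDefault: true },
    { name: 'Advertising', optional: true, checkedByDefault: false },
  ] },
  stepsToConsent: 1,
  stepsToWithdraw: 1,
  optOutRequiresExtraPersonalData: false,
};

console.log(auditConsentFlow(DARK_FLOW));   // six findings for the dark flow
console.log(auditConsentFlow(CLEAN_FLOW));  // [] for the clean flow
```

Run with `node` after saving the block to a file. Each finding maps directly to one item from the lists above, which makes the output usable as evidence in a review; the description object would in practice be filled in by whoever walks through the live banner, since the point is to make the review repeatable rather than to scrape a page.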
Consumer Reports hosts an online platform that allows people to submit and highlight deceptive design patterns they see in everyday products and services.
Meru recently hosted Odia Kagan on its “Simplify for Success” podcast series, where she spoke about cookie banners and ways to operationalize them to provide control and choice to the users.
Conclusion
The choices around user privacy are reflective of a company’s business ethics. Privacy-centric organizations that value consumer privacy provide user-friendly features at every step of the design process. Many leading businesses currently follow this approach for building a brand around privacy. However, it may be difficult to distinguish between bad design choices and intentional dark patterns.
Companies should be cognizant of dark patterns and proactively avoid them, or risk exposure to FTC and other regulatory enforcement actions and legal liabilities.