Squire Patton Boggs’ Kyle R. Dull and Julia B. Jacobson recently authored an article published by Competition Policy International in the CPI TechREG Chronical, that details “dark patterns,” which are misleading or otherwise manipulative user experiences intended to influence a consumer’s behavior and prevent them from making fully informed choices. Dark patterns are not merely clever marketing gimmicks; rather, they are designed to cause users to unwittingly act against their personal preferences, such as signing up for services they do not want, purchasing products they do not intend to purchase, sharing personal information. In the article, Kyle and Julia review common dark patterns and how they are used in today’s digital world. They further analyze consumer protection and privacy regulatory developments targeting dark patterns and discuss best practices for digital service operators to help minimize regulatory sanctions, class actions and reputational damage arising from dark pattern practices.

Read the full article here.




The Federal Trade Commission (FTC) has released a staff reportBringing Dark Patterns to Light, which discusses misleading and manipulative design practices—dark patterns—in web and mobile apps. These design choices take advantage of users’ cognitive biases to influence their behavior and prevent them from making fully informed decisions about their data and purchases. Dark patterns are employed to get users to surrender their personal information, unwittingly sign up for services, and purchase products they do not intend to purchase. The consequences of dark patterns have been increasingly noticed in the regulatory and legislative sphere, both in the United States and Europe

Continue Reading Dark Patterns under the Regulatory Spotlight Again

Dark patterns are top of mind for regulators on both sides of the Atlantic. In the United States, federal and state regulators are targeting dark patterns as part of both their privacy and traditional consumer protection remits. Meanwhile, the European Data Protection Board (EDPB) is conducting a consultation on proposed Guidelines (Guidelines) for assessing and avoiding dark pattern practices that violate the EU General Data Protection Directive (GDPR) in the context of social media platforms. In practice, the Guidelines are likely to have broader application to other types of digital platforms as well. Continue Reading “Dark Patterns” Are Focus of Regulatory Scrutiny in the United States and Europe

This month, CPW’s Kyle Fath, Kristin Bryan, Christina Lamoureux & Elizabeth Helpling explained how data privacy and cybersecurity were Federal Trade Commission (“FTC”) priorities.  As they wrote, there were “three key areas of interest to consumer privacy that are now in the FTC’s spotlight, as well as their relation to state privacy legislation and their anticipated impact to civil litigation.”  One area of interest they identified was deceptive and manipulative conduct on the Internet (including so-called “dark patterns”).  Today, the FTC announced that it was going to ramp up enforcement against illegal dark patterns that trick consumers into subscriptions.  Read on to learn more and what it means going forward.

First, some background.  The term “dark patterns” collectively applies manipulative techniques that can impair consumer autonomy and create traps for online shoppers (for instance, think of multi-click unsubscription options).  As CPW previously explained, “[e]arlier this year, the FTC hosted a workshop called “Bringing Dark Patterns to Light,” and sought comments from experts and the public to evaluate how dark patterns impact customers.”  The genesis for this workshop was the FTC’s concern with harms caused by dark patterns, and how dark patterns may take advantage of certain groups of vulnerable consumers.

Notably, the FTC is not alone in its attention to this issue as California’s Attorney General previously announced regulations that banned dark patterns and required disclosure to consumers of the right to opt-out of the sale of personal information collected through online cookies.  Dark patterns has also been targeted in civil litigation.  This year, the weight-loss app Noom faced a class action alleging deceptive acts through Noom’s cancellation policy, automatic renewal schemes, and marketing to consumers.

Building off these prior developments, today, the FTC announced a new enforcement policy statement “warning companies against deploying illegal dark patterns that trick or trap consumers into subscription services.”  As the FTC cautioned, “[t]he agency is ramping up its enforcement in response to a rising number of complaints about the financial harms caused by deceptive sign up tactics, including unauthorized charges or ongoing billing that is impossible cancel.”

As summarized in the FTC’s press release announcing this development, businesses going forward must follow three key requirements in this area or run the risk of an enforcement action (including potential civil penalties):

  • (1) Disclose clearly and conspicuouslyall material terms of the product or service:  This includes disclosing how much a product and/or service costs, “deadlines by which the consumer must act to stop further charges, the amount and frequency of such charges, how to cancel, and information about the product or service itself that is needed to stop consumers from being deceived about the characteristics of the product or service.”
  • (2) Obtain the consumer’s express informed consent before charging them for a product or services: This means “obtaining the consumer’s acceptance of the negative option feature separately from other portions of the entire transaction, not including information that interferes with, detracts from, contradicts, or otherwise undermines the consumer’s ability to provide their express informed consent.”
  • (3) Provide easy and simple cancellation to the consumer: Marketers are also to “provide cancellation mechanisms that are at least as easy to use as the method the consumer used to buy the product or service in the first place.”

This development is likely one of only many anticipated to be rolled out in light of the FTC’s continued focus on data privacy and cybersecurity.  For more on this, stay tuned—CPW will be there to keep you in the loop.

As Rosa BarceloMatus HubaLucia Hartnett and Bethany Simmonds discuss in greater detail here, “[t]he European Data Protection Board (“EDPB”), a body with members from all EEA supervisory authorities (and the European Data Protection Supervisor), has recently established a taskforce to coordinate the response to complaints concerning compliance of cookie banners filed with several European Economic Area (“EEA”) Supervisory Authorities (“SAs”) by a non-profit organization NOYB. NOYB believes that many cookie banners, including those of ‘major’ companies, engage in “deceptive designs” and “dark patterns”.  The EDPB taskforce is established in accordance with Art. 70(1)(u) of the GDPR, which states that the EDBP must promote the cooperation and effective bilateral and multilateral exchange of information and best practices between SAs. The aim of this taskforce is to harmonize and coordinate the approach to investigating and responding to cookie banner complaints from NOYB. It remains to be seen how this will actually be done in practice and whether EDPB will limit the harmonization to procedural approach to the complaints, or whether it will also attempt to ensure consistent application of the underlying substantive rules.”

They provide a detailed analysis at the Security Privacy Bytes blog and comment that “the development of the taskforce could have a significant impact in streamlining the handling of the complaints it is set to investigate and could help companies better understand what is an acceptable pan-EU approach to cookie banners.”

The European Data Protection Board (“EDPB”), a body with members from all EEA supervisory authorities (and the European Data Protection Supervisor), has recently established a taskforce to coordinate the response to complaints concerning compliance of cookie banners filed with several European Economic Area (“EEA”) Supervisory Authorities (“SAs”) by a non-profit organisation NOYB. NOYB believes that many cookie banners, including those of ‘major’ companies, engage in “deceptive designs” and “dark patterns”. Continue Reading EDPB Establishes Cookie Banner Taskforce, Which Will Also Look Into Dark Patterns and Deceptive Designs

This week, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) unveiled their bipartisan, bicameral discussion draft of the American Privacy Rights Act (APRA draft).[1] Chair Rodgers’ and Chair Cantwell’s announcement of the APRA draft surprised many congressional observers after comprehensive privacy legislation stalled in 2022.

Continue Reading April’s APRA: Could Draft Privacy Legislation Blossom into Law in 2024?

On January 18, during a luncheon fireside chat at the California Lawyers Association’s UCL Institute event in Los Angeles, Federal Trade Commission (“FTC”) Bureau of Consumer Protection Director Samuel Levine shared his insights on what data practices are of concern to him and to the FTC.  Companies should take heed of his comments, the highlights of which include:

For FTC watchers, none of this should come as any surprise.  While the upcoming election could usher in a FTC with very different perspectives and priorities, it is a sure bet that the current FTC will look to advance its agenda this year.  For more information contact the authors or your usual firm contact.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

On October 10, 2023, Governor Newsom signed into law SB 362, known as the “California Delete Act” or “Delete Act”, which had been passed by the legislature at the end of the 2023 legislative session on September 14. The Delete Act amends California’s existing Data Broker Registration law (Cal. Civ. Code Section 1798.99.80 et. seq). Among other things, the law imposes additional registration requirements on top of those that already exist, doubles the administrative fine for failure to register, requires the California Privacy Protection Agency (CPPA) to set up a one-stop shop deletion mechanism that allows consumers to make requests to all registered data brokers, and obligates data brokers to access the mechanism every 45 days and process each and every deletion request made by consumers within a prescribed timeframe (including directing all service providers and contractors of the request).

Continue Reading California Delete Act Imposes New Obligations on Data Brokers

As many of our readers know, keeping up with new developments in the privacy landscape is sometimes like drinking from a firehose. With respect to privacy enforcement, particularly in California and Colorado, the hose was turned on June 30th and has been running all summer long. This barrage of information has left unanswered questions for many. What does the delay in enforcement of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA) (together, CCPA) regulations really mean? What am I required to comply with as of today? What are regulators already focusing on in their privacy enforcement efforts this summer?

Continue Reading Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy Regulators