Search results for: dark patterns

Squire Patton Boggs’ Kyle R. Dull and Julia B. Jacobson recently authored an article published by Competition Policy International in the CPI TechREG Chronical, that details “dark patterns,” which are misleading or otherwise manipulative user experiences intended to influence a consumer’s behavior and prevent them from making fully informed choices. Dark patterns are not merely clever marketing gimmicks; rather, they are designed to cause users to unwittingly act against their personal preferences, such as signing up for services they do not want, purchasing products they do not intend to purchase, sharing personal information. In the article, Kyle and Julia review common dark patterns and how they are used in today’s digital world. They further analyze consumer protection and privacy regulatory developments targeting dark patterns and discuss best practices for digital service operators to help minimize regulatory sanctions, class actions and reputational damage arising from dark pattern practices.

Read the full article here.

 

 

 

The Federal Trade Commission (FTC) has released a staff reportBringing Dark Patterns to Light, which discusses misleading and manipulative design practices—dark patterns—in web and mobile apps. These design choices take advantage of users’ cognitive biases to influence their behavior and prevent them from making fully informed decisions about their data and purchases. Dark patterns are employed to get users to surrender their personal information, unwittingly sign up for services, and purchase products they do not intend to purchase. The consequences of dark patterns have been increasingly noticed in the regulatory and legislative sphere, both in the United States and Europe

Continue Reading Dark Patterns under the Regulatory Spotlight Again

Dark patterns are top of mind for regulators on both sides of the Atlantic. In the United States, federal and state regulators are targeting dark patterns as part of both their privacy and traditional consumer protection remits. Meanwhile, the European Data Protection Board (EDPB) is conducting a consultation on proposed Guidelines (Guidelines) for assessing and avoiding dark pattern practices that violate the EU General Data Protection Directive (GDPR) in the context of social media platforms. In practice, the Guidelines are likely to have broader application to other types of digital platforms as well. Continue Reading “Dark Patterns” Are Focus of Regulatory Scrutiny in the United States and Europe

This month, CPW’s Kyle Fath, Kristin Bryan, Christina Lamoureux & Elizabeth Helpling explained how data privacy and cybersecurity were Federal Trade Commission (“FTC”) priorities.  As they wrote, there were “three key areas of interest to consumer privacy that are now in the FTC’s spotlight, as well as their relation to state privacy legislation and their anticipated impact to civil litigation.”  One area of interest they identified was deceptive and manipulative conduct on the Internet (including so-called “dark patterns”).  Today, the FTC announced that it was going to ramp up enforcement against illegal dark patterns that trick consumers into subscriptions.  Read on to learn more and what it means going forward.

First, some background.  The term “dark patterns” collectively applies manipulative techniques that can impair consumer autonomy and create traps for online shoppers (for instance, think of multi-click unsubscription options).  As CPW previously explained, “[e]arlier this year, the FTC hosted a workshop called “Bringing Dark Patterns to Light,” and sought comments from experts and the public to evaluate how dark patterns impact customers.”  The genesis for this workshop was the FTC’s concern with harms caused by dark patterns, and how dark patterns may take advantage of certain groups of vulnerable consumers.

Notably, the FTC is not alone in its attention to this issue as California’s Attorney General previously announced regulations that banned dark patterns and required disclosure to consumers of the right to opt-out of the sale of personal information collected through online cookies.  Dark patterns has also been targeted in civil litigation.  This year, the weight-loss app Noom faced a class action alleging deceptive acts through Noom’s cancellation policy, automatic renewal schemes, and marketing to consumers.

Building off these prior developments, today, the FTC announced a new enforcement policy statement “warning companies against deploying illegal dark patterns that trick or trap consumers into subscription services.”  As the FTC cautioned, “[t]he agency is ramping up its enforcement in response to a rising number of complaints about the financial harms caused by deceptive sign up tactics, including unauthorized charges or ongoing billing that is impossible cancel.”

As summarized in the FTC’s press release announcing this development, businesses going forward must follow three key requirements in this area or run the risk of an enforcement action (including potential civil penalties):

  • (1) Disclose clearly and conspicuouslyall material terms of the product or service:  This includes disclosing how much a product and/or service costs, “deadlines by which the consumer must act to stop further charges, the amount and frequency of such charges, how to cancel, and information about the product or service itself that is needed to stop consumers from being deceived about the characteristics of the product or service.”
  • (2) Obtain the consumer’s express informed consent before charging them for a product or services: This means “obtaining the consumer’s acceptance of the negative option feature separately from other portions of the entire transaction, not including information that interferes with, detracts from, contradicts, or otherwise undermines the consumer’s ability to provide their express informed consent.”
  • (3) Provide easy and simple cancellation to the consumer: Marketers are also to “provide cancellation mechanisms that are at least as easy to use as the method the consumer used to buy the product or service in the first place.”

This development is likely one of only many anticipated to be rolled out in light of the FTC’s continued focus on data privacy and cybersecurity.  For more on this, stay tuned—CPW will be there to keep you in the loop.

As Rosa BarceloMatus HubaLucia Hartnett and Bethany Simmonds discuss in greater detail here, “[t]he European Data Protection Board (“EDPB”), a body with members from all EEA supervisory authorities (and the European Data Protection Supervisor), has recently established a taskforce to coordinate the response to complaints concerning compliance of cookie banners filed with several European Economic Area (“EEA”) Supervisory Authorities (“SAs”) by a non-profit organization NOYB. NOYB believes that many cookie banners, including those of ‘major’ companies, engage in “deceptive designs” and “dark patterns”.  The EDPB taskforce is established in accordance with Art. 70(1)(u) of the GDPR, which states that the EDBP must promote the cooperation and effective bilateral and multilateral exchange of information and best practices between SAs. The aim of this taskforce is to harmonize and coordinate the approach to investigating and responding to cookie banner complaints from NOYB. It remains to be seen how this will actually be done in practice and whether EDPB will limit the harmonization to procedural approach to the complaints, or whether it will also attempt to ensure consistent application of the underlying substantive rules.”

They provide a detailed analysis at the Security Privacy Bytes blog and comment that “the development of the taskforce could have a significant impact in streamlining the handling of the complaints it is set to investigate and could help companies better understand what is an acceptable pan-EU approach to cookie banners.”

The European Data Protection Board (“EDPB”), a body with members from all EEA supervisory authorities (and the European Data Protection Supervisor), has recently established a taskforce to coordinate the response to complaints concerning compliance of cookie banners filed with several European Economic Area (“EEA”) Supervisory Authorities (“SAs”) by a non-profit organisation NOYB. NOYB believes that many cookie banners, including those of ‘major’ companies, engage in “deceptive designs” and “dark patterns”. Continue Reading EDPB Establishes Cookie Banner Taskforce, Which Will Also Look Into Dark Patterns and Deceptive Designs

2024 was an active year for regulation of customer contracts with “negative option” features. Generally, a “negative option” provision in an offer to sell products or provide services means that a customer’s silence or failure to take action to reject the terms of the offer is deemed by the seller as the customer’s acceptance of the offer terms.

Earlier in 2024, three states updated laws related to negative option provisions in customer contracts (together, the 2024 State Autorenewal Laws)

  1. Utah enacted its Automatic Renewal Contracts Act on March 13, 2024, with an in-force date of January 1, 2025. (Utah ARCA)
  2. Virginia amended its consumer protection law related to automatic renewal and continuous service offers (which was effective on July 1, 2024) (Virginia AR Law).
  3. California amended its Automatic Purchase Renewals law on September 24, 2024 with the amendments in force on July 1, 2025 (California AR Law).

Then, on October 16, 2024, the Federal Trade Commission (FTC) issued the final version of its “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (FTC Final Rule). (We previously covered the FTC’s notice of proposed rulemaking for negative options on Privacy World here.)  The Federal Register publication date for the FTC Final Rule is November 15, 2024. Whether the FTC Final Rule will survive the change in Administration is an open question, as discussed below.

Both the 2024 State Autorenewal Laws and FTC Final Rule include new or expanded obligations. When effective, the FTC Final Rule will preempt the 2024 State Autorenewal Laws (and the other similar state laws) to the extent they are “inconsistent” with its requirements. State laws that afford greater protection than the FTC Final Rule are not inconsistent with the FTC Final Rule. In other words, the FTC Final Rule sets a national “floor,” and states may add more consumer-protective obligations, as reflected in certain aspects of the 2024 State Autorenewal Laws described below.

Continue Reading Cancel Culture: New Requirements for Automatic Renewal and Other Negative Option Offers

As we predicted a year ago, the Plaintiffs’ Bar continues to test new legal theories attacking the use of Artificial Intelligence (AI) technology in courtrooms across the country. Many of the complaints filed to date have included the proverbial kitchen sink: copyright infringement; privacy law violations; unfair competition; deceptive and acts and practices; negligence; right of publicity, invasion of privacy and intrusion upon seclusion; unjust enrichment; larceny; receipt of stolen property; and failure to warn (typically, a strict liability tort).

A case recently filed in Florida federal court, Garcia v. Character Techs., Inc., No. 6:24-CV-01903 (M.D. Fla. filed Oct. 22, 2024) (Character Tech) is one to watch. Character Tech pulls from the product liability tort playbook in an effort to hold a business liable for its AI technology. While product liability is governed by statute, case law or both, the tort playbook generally involves a defective, unreasonably dangerous “product” that is sold and causes physical harm to a person or property. In Character Tech, the complaint alleges (among other claims discussed below) that the Character.AI software was designed in a way that was not reasonably safe for minors, parents were not warned of the foreseeable harms arising from their children’s use of the Character.AI software, and as a result a minor committed suicide. Whether and how Character Tech evolves past a motion to dismiss will offer valuable insights for developers of AI technologies.

Continue Reading Artificial Intelligence and the Rise of Product Liability Tort Litigation: Novel Action Alleges AI Chatbot Caused Minor’s Suicide

SPB’s Julia Jacobson and Kyle Dull are offering insights at three webinars next week. Details are below or please reach out for more information.

The Evolving Role of the Privacy Officer: Challenges and Preparation (PrivacyConnect Live Webinar)

Tuesday, November 12 at 11 a.m. ET

Join Julia Jacobson a discussion with three experienced privacy officers who will share their insights on how the role of privacy officers has evolved and the new challenges privacy officers face today.

Learn more here.

Simulate This: Generative AI (Part 1)

Wednesday, November 13 at 4:30 p.m. ET

On Wednesday, November 13, Julia Jacobson will lead a discussion on compliance considerations around businesses’ use and procurement of generative AI for the New England Corporate Counsel Association.

Learn more here.

Legal Liabilities Related to Dark Patterns: Common Types, Recent Legal Cases, Enforcement Actions, and Proactive Measures to Avoid Dark Patterns (myLawCLE Live Webinar)

Thursday, November 14 at 1 p.m. ET

Julia Jacobson and Kyle Dull will explore the latest regulatory trends, compliance issues, legal risks and proactive measures to avoid dark patterns. Register using our free access code: DarkPatterns24

For more information, please feel free to reach out directly to Juila and Kyle.

We have previously reported on the requirements, including mandatory risk assessments, of the California Age Appropriate Design Code Act, (CAADCA or Act) and that the Act was enjoined by a federal District Court as likely a violation of the publisher’s free speech rights under the First Amendment of the U.S. Constitution.  The 9th Circuit has upheld that decision, but only as to Data Protection Impact Assessments (DPIAs), and gone further to find that such assessments are subject to strict scrutiny and are facially unconstitutional.  See Netchoice, LLC v Rob Bonta, Atty General of the State of California (9th Cir., August 16, 2024) – a copy of the opinion is here.  The Court, however, overruled the District Court as to the injunction of other provisions of CAADCA, such as restrictions on the collection, use, and sale of minor’s personal data and how data practices are communicated.  Today, we will focus on what the decision means for DPIA requirements under consumer protection laws, including the 18 (out of 20) state consumer privacy laws that mandate DPIAs for certain “high-risk” processing activities.

Continue Reading Are Data Practice Risk Assessments at Risk in the US?