The “Dark Side” of Your Website Could Work Against You

Article

4.27.23

By: Travis P. Brennan

Many e-commerce sites are still relying on “dark patterns,” and data privacy regulators have had enough. With the enforcement date of the California Privacy Rights Act fast approaching (July 1, 2023), it is high time that any company operating an app or website that collects user data takes stock of its data use practices — especially e-commerce businesses. As we’ve detailed, what’s at issue is much more complex than cookie banners and privacy notices. Much more.

In fact, what might expose your company most to pending enforcement actions are things that aren’t always open and obvious. Some exposures to regulation may be sheer innocent oversights, while others may be intentional actions to enhance the user experience or reinforce a company’s “brand voice.”

Regardless of intent, many websites have “turned to the dark side,” as far as CPRA auditors and enforcement will consider them, creating potentially painful and likely costly remediation efforts and fines.

Starting immediately, operators of websites and apps that do business in California should work quickly to understand what are known as “dark patterns” — and do their best to avoid them.

What Are Some Common Examples of Dark Patterns?

Though the text of the California Privacy Rights Act contained somewhat vague language with regard to the definition of “dark patterns,” the implementing regulations written by the California Privacy Protection Agency go into great detail with specific examples of dark pattern offenses. This should help to clarify whether your website or app might be in violation (see Sec. 7004 here), but you might be more familiar with dark patterns having experienced them firsthand as a user.

In basic terms, a dark pattern is when a website or app presents a user with a choice in a way that is designed to manipulate the user into making the choice the company prefers. The classic example is a cookie disclosure banner that has an “Accept All” button but no “Decline All” button, with the opt-out choices being buried under another two or three layers of links, or otherwise obscured in some way. The CPRA regulations linked above go into great detail on this, but most websites are still getting the basic procedure wrong.

Another good example is those pop-ups that offer a user a discount on the first purchase in exchange for providing an email address (which amounts to collecting user data, of course). Sometimes the link to close the window without the user taking further action says something cute and facetious, along the lines of: “No thanks, I like paying more.” While perhaps clever copywriting and strategic marketing, regulators will consider that a clear-cut example of a dark pattern, and websites that employ such tactics may find themselves subject to enforcement action.

Or perhaps you’ve also experienced the common dark pattern that is something as simple as designing a pop-up so that the “X” button to close the window is difficult to see because it’s very small or blends into a background or image. Another clear-cut violation.

The new regulations state clearly that when a website or app presents a choice to a user or consumer, that choice has to be symmetrical. In the case of a cookie banner, for example, it would be seen as a violation of CPRA to offer one choice that says something like “Yes to All” to authorize all use of cookies, while the alternative is something vague, like “Cookie Settings.” That is not a symmetrical user choice, and it is one that will be considered to be in service of manipulating that user into taking the action the website operator prefers.

The Risk of Exposing Dark Patterns to Agency Enforcement

What’s at stake is not going to necessarily be a warning, followed by a slap on the wrist, or a small, insignificant fine. And purveyors of dark patterns would be wise not to proceed under that assumption. We won’t know for sure until we start to see enforcement actions being taken, but things could get costly in a hurry for violators.

In fact, it wouldn’t be out of the question for a regulator to discover a violation on your site or app and send you a notice that says your cookie banner is in violation and subject to enforcement or fine in the tens or hundreds of thousands. Regulators could further deem that every banner on your website counts as a separate violation. They may want to know how long your banner has been written in such a way, along with how many visitors your site gets per day, week or month. Each impression of that banner on any page that bears it could be considered a unique violation, potentially cited at $2,500 to $7,500 per violation, depending on the determination as to whether said violation was considered “willful.”

Do the math. We’re potentially talking about hundreds of thousands (or even millions) of dollars, simply because a cookie banner either unwittingly, unintentionally, or even purposefully (out of an attempt at humor or creativity) exhibited a forbidden dark pattern.

But let’s look on the bright side of the dark side, if only for a moment. Let’s suppose that a regulator were to only serve you notice, with a grace period during which a violation can be corrected and submitted for secondary audit. What if that grace period is only 30 days, and the time and resources necessary to make the entire website compliant are equally onerous and crippling to the business? For some large ecommerce players, that might equate to a fate just as severe as the fine itself. It should be noted that California regulators are no longer obligated to offer that grace period, so even the hypothetical bright side of dark-pattern remediation is a pretty bleak prospect.

How to Make Sure Your Website Is Not Partaking in Dark Patterns

As we have been urging clients, one should not wait until the enforcement period begins to take action, as there will be, in many cases, much work to be done. Here is how I recommend you proceed to steer clear of any onerous and expensive audits and fines:

1 - Audit your entire website or app.

Preferably in conjunction with or at the direction of legal counsel, conduct a thorough and complete audit of every page of your website or screen within your app to identify potential dark patterns. Keep in mind that websites should be audited on multiple devices — desktop, tablet, mobile — as the user experience will vary across platforms. Information and choices may be presented differently, and data may be collected differently. Be sure to inventory any possible instance that a regulator may flag as a potential dark pattern violation.

2 - Review all third-party plug-ins and gateways to your site or app.

Remember that any third-party platform that provides access to your site or collects data from its users may also make your website subject to regulators’ audits. Even simple protocols, such as allowing users to sign in or create accounts using Facebook or Google, are acts of data collection or sharing. Facebook and other platforms offering developers software development kits (SDKs) are gateways between your site and external entities that have access to your user data. Tracking pixels used for marketing and retargeting purposes on Google, social media, and digital advertising are additional examples of this. Be sure to consult with legal counsel or a privacy operations consultant to be certain you are not committing any errors of commission or omission. The expert will also be able to take much of the fact-finding and research work off of your team’s plate so personnel can remain focused on their core objectives.

3 - Review audit findings with counsel.

Once everything has been documented and inventoried, share the data-gathering team’s findings with experienced data privacy legal counsel. Not only will such expertise deliver insights into what the law says relative to your data use patterns — dark or otherwise — the very act of conducting the analysis through legal counsel empowers the company to cloak much of the investigation and remediation work in attorney-client confidentiality.

4 - Make adjustments as necessary.

Of course, the next step is to make the necessary changes to the website or app as recommended and directed by the data privacy consultant and attorneys. My personal recommendation here is to err on the side of caution. While the marketing team may deserve kudos for clever copywriting and sly sleight of hand in trying to encourage certain user behaviors, anything in the way of dark patterns that subjects the company to audits, infractions and fines is not worth whatever might be gained in sales or customer acquisition.

5 - Conduct a “final” follow-up audit.

Once the work has been completed to remove or correct any dark pattern behaviors on your website or app, conduct a thorough audit again — again at the direction of, or under the observation of, counsel — to make sure nothing was missed, or that the corrections themselves are not dark pattern violations in their own right.

Turn Away from the Dark Side

Auditing and correcting dark patterns is just one small component of the larger CPRA initiative, and just one piece of the bigger data-use picture. This will likely be a fairly significant area of the new law for which we will see significant regulatory activity come July 1st and thereafter. Dark patterns, now under scrutiny, have actually been fairly commonplace in recent years, and unfortunately, most of this legal framework is entirely new to many businesses in the U.S. that haven’t already had to deal with Europe’s earlier regulations regarding data use.

It can’t be stressed enough how much of an impact the California Privacy Rights Act will have on companies doing business, or interacting with users, in the state of California.

Start now, avoid pain later. Move away from the dark…and into the light.