“Click Here”: Shining a spotlight on Dark Patterns

March 31, 2020

It is something that most online shoppers will be familiar with. You are browsing online, when a pop-up informs you that “12 other people have viewed this item in the last 24 hours” and there are “only 3 left at this price”.  

However, in late 2019 a spotlight was shone on this type of practice when cyber-security researcher Ophir Harpaz discovered that in some instances these statements are simply not true. In a tweet that led to significant media coverage, she reported that one flight website she was looking at included code to claim that a random number of people, between 28 and 45, were viewing a flight at any given time.

For some online shoppers, dark patterns are a mere annoyance. For others, dark patterns create a sense of urgency which induces them to purchase something they may not have otherwise bought. 

So, what are dark patterns?

The interface designs that are behind these prompts or digital nudges are known as dark patterns. The term ‘dark patterns’ was originally conceived in 2010 by Harry Brignull as a way of describing how a user interface can be designed to deceive users into doing things. Brignull broadly categorises these dark patterns into 12 types ranging from the self-explanatory ‘trick questions’ to something Brignull calls ‘confirmshaming’. An ironic example of confirmshaming comes from a well-known publisher. When trying to obtain email addresses from users, it offered these two choices: ‘Unlock the 80 must-reads’; or, ‘I don’t read’.

Although some dark patterns are fairly brazen (automatically adding an item to a shopping basket), many others are not, for example the growing use of pre-ticked check boxes. One of the main problems with surreptitious dark patterns is that they can potentially mislead consumers, causing financial loss. A second, sometimes less obvious, problem is that dark patterns can deceive users into relinquishing substantial amounts of personal data.

Dark patterns in a digital world

A study by Princeton University in 2019 analysed over 50,000 product pages from 11,000 shopping sites. The study identified the use of dark patterns 1,818 times. However, the authors believe the actual number is much higher.

This is concerning when you consider that by 2021, it is predicted that nearly 93% of UK internet users will be engaged in online shopping. According to the Office for National Statistics, 19% of all retail sales in January 2020 were online sales. Indeed, whilst online commerce was already experiencing growth year on year, it is likely that the current landscape of Covid-19 will leave an indelible mark on the way we shop.

A very recent study from Ipsos, conducted from 12 to 14 March 2020, suggests that 31% of Italian consumers and 18% of UK consumers used ecommerce ‘more frequently’ than they did in the preceding month. It is likely that consumers will increasingly turn to the internet to shop in the coming months of social distancing and store closures, meaning more consumers (some of whom may be newer to doing things online) will be exposed to the pitfalls of dark patterns.

But dark patterns also exist in applications. These are often designed to make it difficult to locate things such as privacy-related information or information about closing an account. Colours, language and tough-to-find options are frequently used to steer or confuse users. A 2019 study by the Competition and Markets Authority (CMA) commented that: “The effect of making navigation towards privacy settings and the selection of alternative options to the default a multi-stepped and partially obfuscated process has been described as a ‘dark pattern’. By relying on the fact that consumers generally do not change default settings, platforms are able to maximise the number of consumers that will share the maximum amount of their personal information, to the benefit of the platform.”

Although dark patterns are often unethical, the question remains: Are dark patterns legal?

The Law – fifty shades of grey

There have historically been a number of calls to introduce legal regulation to govern “dark patterns” in online shopping. However, in some instances dark patterns are already illegal in the UK. For example, Brignull’s ‘sneak into basket’ category is already illegal under both the Consumer Rights Directive (CRD) and the Consumer Protection (Distance Selling) Regulations 2000 (CPDSRs), which prohibit misleading or aggressive sales practices. This means that services or goods that a consumer has not specifically ordered cannot be automatically added at checkout (for instance, insurance or a gift card).

Data protection 

However, other dark patterns are more subtle. Dark patterns are often employed to trick users into handing over personal data. A report entitled ‘Deceived by Design’ by Forbrukerrådet, a Norwegian government agency, revealed that the way Google, Facebook, and Microsoft use dark patterns is “arguably an unethical attempt to push consumers toward choices that benefit the service provider.”  The report further questions whether such practices are “in accordance with important data protection principles in the GDPR” (General Data Protection Regulation 2016/679 (GDPR)).

As many will be all too aware, GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11) General Data Protection Regulation 2016/679). This begs the question: Can a user freely give their consent when dark patterns nudge them to make particular choices?

On the face of it, the answer seems to be no. A recent study supports this, with researchers saying: “We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK… We found that dark patterns and implied consent are ubiquitous; only 11.8% meet the minimal requirements that we set based on European law.” [Emphasis added.]

But if companies are using dark patterns to circumvent the principles of GDPR, what is being done about enforcement?

Arguably, very little. There has been a noticeable lack of consequential GDPR enforcement in relation to dark patterns. The largest GDPR fine to date was levied against Google for €50 million by the French data regulator CNIL; however, this is only a drop in the bucket compared to an estimated $113.26 billion in Google website ad revenues alone.

The absence of meaningful GDPR enforcement in the UK is surprising when considered against the backdrop of attention paid to the safety and storage of personal data. It seems GDPR regulators are less worried about how companies obtain that data in the first place and more focused on what happens when it escapes into the ether. 

Yet, perhaps surprisingly, it seems that competition regulators are starting to pay attention.

The Competition & Markets Authority (CMA) recognised the issue, and following an investigation, published a set of principles for travel booking websites. In February 2019, travel booking websites that employed potentially misleading practices provided the CMA with undertakings to follow the CMA’s principles and cease using such tactics by September 2019.

However, although the CMA is ostensibly clamping down on travel booking sites, it may not go far enough. The consumer protection legislation central to the CMA’s investigation was the Consumer Protection from Unfair Trading Regulations 2008 (CPRs). Despite its investigation, which raised serious concerns around misleading practices, the CMA did not make a finding on whether consumer laws were breached and did not seek to enforce the legislation through the courts.

Digital “Whack-a-Mole”

In the age of the internet, regulators will need to catch up with the speed at which site operators are employing different tactics. It seems that some of the offenders the CMA found to be using dark patterns to mislead and exploit consumers are still manipulating consumers via alternative methods. Many patterns arguably breach existing consumer protection and competition regulation; however, regulators seem reluctant to step in. 

Consumer watchdog group Which? published on 3 March 2020 a scathing article which examines how “travellers are paying up to 12% too much for their UK hotel room” because of rate-parity clauses. The purpose of a rate-parity clause is to ensure the online travel agencies (OTAs) do not lose business to the hotels through direct bookings. A rate-parity clause will often prohibit hotels from publishing lower rates on their websites. 

This seems to fly in the face of anti-competition law. Indeed, Which? reports that the practice is banned in France, Italy and Austria. The UK is noticeably not on this list.

But what about the regulators for the advertisers themselves?

Dark patterns and advertising – A legal loophole?

In July 2019, the CMA commenced a market study into online platforms and digital advertising. An interim report estimates that the cost of digital advertising in the UK in 2018 was around £13 billion.

The UK’s regulator of advertising through all media is the Advertising Standards Authority (ASA). The Committee of Advertising Practice (CAP) works in tandem with the ASA and is responsible for writing the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (CAP Code). Online advertisers are governed by the CPRs and the CAP Code.

However, it is important to remember the ad industry is self-regulated. The ASA website claims:

“The self-regulation system works because it is powered and driven by a sense of corporate social responsibility amongst the advertising industry. Advertisers have an interest in maintaining the system because… Making sure that consumers are not misled, harmed or offended by ads helps to maintain consumer confidence in advertising. Advertising that is welcomed by consumers is good for business”.

This raises the concern that the very industry using dark patterns is self-regulating. But what happens when a marketer breaks the rules it helped write?

Enforcement – A Rare Breed?

The ASA can refer advertisers who repeatedly break the CAP Code to other bodies, although the ASA’s website highlights that “such referrals are rarely necessary, as most advertisers prefer to resolve the matter directly with [them].” [Emphasis added.]

The National Trading Standards (NTS) acts as the legal backstop for the ASA and receives funding from the ASA to deal with referrals. The NTS or local trading authority will then decide whether or not to investigate or take any enforcement actions, although the NTS’ website states there are “rare occasions where some form of Court action is required to resolve the matter.” [Emphasis added.]

Regulation reform needed to upgrade from dial-up

It is clear that tighter regulation is needed to tackle deceptive practices such as dark patterns, but it seems unlikely that this can happen through self-regulation. Without meaningful enforcement and financial punishment from regulators, companies will continue to circumvent the system at the expense of the consumers. Perhaps it is time for the law to speed up the regulatory system to keep up with this digital age.

Jonathan Smart is a partner in the litigation services team at Shoosmiths LLP specialising in technology disputes.

Hadley Zielonka is a fourth seat litigation trainee at Shoosmiths LLP planning to qualify into Commercial Litigation.