THREE TIPS TO AVOID DARK PATTERNS IN YOUR CONSENT INTERFACES


  • Andy Soodek and Kasey Pukys
  • Published: 20 November 2023


Dark patterns, or deceptive user interface design elements that subtly coerce users into making choices against their best interests, have emerged as a threat to privacy rights across company websites and consent interfaces. Regulators are taking action to discourage the use of such dark patterns. With the release of the California Privacy Rights Act (CPRA), which came into effect on July 1, 2023, businesses are required to provide more transparency around how consumers’ personal information is collected and will be used. Further, businesses must include consent mechanisms that allow consumers to opt out of the collection, processing, sale, and sharing of their personal information.

Naturally, new regulations allotting more choices to consumers are highly susceptible to dark patterns. To counter these practices, the California Privacy Protection Agency (CPPA), created by and for the enforcement of the CPRA, established regulations on dark patterns under their Requirements for obtaining consumer consent [1]. Separately, the European Data Protection Board (EDPB), which publishes guidance for the application of the EU’s General Data Protection Regulation (GDPR), has issued Guidelines on deceptive design patterns in social media platform interfaces: how to recognize and avoid them [2].

Combining guidance from both the CPPA and EDPB, this blog examines some of the most prevalent dark patterns in consent interfaces and the best ways to avoid them.

Make your consent choices fair and consistent


In California, the CPPA requires businesses to implement mechanisms to obtain consumer consent that are easy for consumers to understand and that offer “symmetry in choice” [1]. Simply stated, the path to more privacy-protective choices for the consumer cannot be more difficult or take longer to select than less privacy-protective choices.

As businesses design consent interfaces to give users the ability to opt out of cookies and the sale or sharing of personal information, businesses are often tempted to make these options more complicated than a simple ‘opt-in’ to allow them to continue to collect and process personal information. Nonetheless, adhering to the principle of symmetry in choice is crucial to prevent the use of deceptive design techniques, which can lead to regulatory fines and disciplinary actions for businesses.

Common dark patterns to avoid that fall under this category include:

  • Offering an ‘Accept All’ cookies button without a ‘Reject All’ button, or replacing ‘Reject All’ with an ‘Ask Me Later’ button
  • Forcing the consumer to opt out of each individual category of cookies rather than offering a single button that opts out of all but essential cookies
  • Privacy-protective choices that take the user to an entirely different webpage to opt out

To avoid such dark patterns, the creators of consent interfaces should explore the symmetry of their designs through the lens of a user journey.

Avoid deceptive language and design


It may seem obvious, but the CPPA requires that consumer consent interfaces avoid using language or other interactive elements that confuse the user. These elements can manifest in many ways, but the EDPB defines one such pattern as “stirring” [2], which “affects the choice users would make by appealing to their emotions or using visual nudges”.

Examples of dark patterns commonly found through language or interactive design elements include:

  • Emotionally steering language to persuade the user into making less privacy-protective choices (e.g., rather than a simple “Accept” or “Decline”, the buttons playfully display “Yes, enhance my experience!” or “Don’t elevate my experience.”)
  • Convoluted language that will confuse the user (e.g., “Yes” or “No” buttons are displayed under the phrase “Do not process my sensitive personal information”, which creates a double negative)
  • Deceptive colors and color contrasts that make less privacy-protective choices stand out to the user more so than “reject all” and other more privacy-protective choices
  • Presenting buttons of different sizes to encourage users to make less privacy-protective choices (e.g., “Accept All” is displayed in a nice, bold button, while “Reject All” is displayed in smaller text and visually looks like a hyperlink)

Deceptive language and design choices such as those listed above can be crafted intentionally or unintentionally. So long as the typical user is misled in such a way that they cannot effectively make fair consent choices, the design constitutes a dark pattern and should be corrected swiftly.

Categorize consumer choices accurately


The CPPA asks that businesses avoid ambiguous patterns or methods in consent architecture that impair the user’s ability to make informed decisions about their consent. This type of dark pattern may manifest itself in the presence of conflicting or ambiguous language, or the bundling of privacy-protective choices that should not fall under the same category. In this instance, a consent interface may be participating in a “left in the dark” [2] deceptive design tactic, which the EDPB defines as methods that hide information or data protection controls that confuse users about their opt-ins and how their data will be processed.

This type of dark pattern differs from other manipulative design tactics because it is often difficult to detect, or even overlooked in the design stages of building consent interfaces. Some examples include:

  • Bundling consent choices into one opt-in that does not explicitly correlate with its parts (e.g., opting into a location-based service with a business AND granting the business ‘permission’ to sell geolocation data to outside parties is bundled under one opt-in rather than two separate choices)
  • An “Accept Some” option is made available for cookie consent, but it is not made clear what cookie categories fall under “some”
  • Cookies are not categorized in good faith, misconstruing the user’s opt-in choices (e.g., analytics cookies are often categorized as essential by organizations that wish to track the activity of visitors on their websites, although visitors may choose not to be tracked)

In this instance, design and technical teams should work closely together to ensure cookies and other consent-based services are categorized appropriately.
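The symmetry checks from the first tip and the categorization checks from this one can be automated in a design review or CI step. The following is an added example, not Capco's or any regulator's tooling; the configuration shape (choices, cookies, optIns), the finding codes, and both sample banners are hypothetical and constructed for illustration.

```javascript
// Added example: the config shape and finding codes below are hypothetical.
function auditConsent(cfg) {
  const findings = [];
  const accept = cfg.choices.find((c) => c.action === "accept_all");
  const reject = cfg.choices.find((c) => c.action === "reject_all");
  // Symmetry in choice: rejecting must be offered and be no harder than accepting.
  if (accept && !reject) findings.push("NO_REJECT_ALL");
  if (accept && reject) {
    if (reject.clicks > accept.clicks) findings.push("ASYMMETRIC_CLICKS");
    if (reject.leavesPage && !accept.leavesPage) findings.push("REJECT_LEAVES_PAGE");
    if (reject.style !== accept.style) findings.push("UNEQUAL_PROMINENCE");
  }
  // Categorization: a cookie shown as "essential" whose inventoried purpose is not.
  for (const [name, c] of Object.entries(cfg.cookies)) {
    if (c.category === "essential" && c.purpose !== "essential") findings.push(`MISCATEGORIZED:${name}`);
  }
  // Bundling: one opt-in toggle that covers more than one purpose.
  for (const o of cfg.optIns) {
    if (o.purposes.length > 1) findings.push(`BUNDLED:${o.id}`);
  }
  return findings;
}
// Constructed sample inputs: a banner with several dark patterns, then a corrected one.
const badBanner = {
  choices: [
    { action: "accept_all", style: "button", clicks: 1, leavesPage: false },
    { action: "reject_all", style: "link", clicks: 3, leavesPage: true },
  ],
  cookies: {
    session_id: { category: "essential", purpose: "essential" },
    site_analytics: { category: "essential", purpose: "analytics" },
  },
  optIns: [{ id: "store_locator", purposes: ["location_service", "sell_geolocation"] }],
};
const fixedBanner = {
  choices: [
    { action: "accept_all", style: "button", clicks: 1, leavesPage: false },
    { action: "reject_all", style: "button", clicks: 1, leavesPage: false },
  ],
  cookies: {
    session_id: { category: "essential", purpose: "essential" },
    site_analytics: { category: "analytics", purpose: "analytics" },
  },
  optIns: [
    { id: "store_locator", purposes: ["location_service"] },
    { id: "geo_sale", purposes: ["sell_geolocation"] },
  ],
};
console.log(auditConsent(badBanner), auditConsent(fixedBanner));
```

The `purpose` field is assumed to come from a cookie inventory maintained by the technical team, which is what lets the check catch a mismatch with the category shown to users.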

Looking ahead


Dark patterns in user consent and preferences are concerning because they undermine the principles of informed consent. Regulatory violations, skepticism surrounding consent choices, and loss of consumer trust resulting from poor user experience are all potential consequences of deceptive user interfaces. 

Moving forward, businesses should incorporate digital consent-management interfaces that offer clear and easily accessible choices to meet regulatory requirements and enhance the digital experience for their consumers. To avoid dark patterns, businesses must identify them in the design and testing phases of consent interfaces and consult privacy professionals familiar with the principles of privacy-by-design.

Capco partners with financial services firms to design and build security and privacy solutions aligned to each firm’s unique business objectives and regulatory obligations. Whether your organization needs tactical advice to overhaul your privacy UX practices, or a long-term strategy and technological implementation to manage data use and protection across the enterprise, Capco experts in business, data, and security across financial services can support your vision and goals. 

References

[1] §7004 - https://cppa.ca.gov/regulations/pdf/cppa_regs.pdf
[2] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-deceptive-design-patterns-social-media_en

 
© Capco 2024, A Wipro Company