Data Privacy Brings Dark Patterns to Light

Intuitive designs are marketing machines that make websites and apps more interactive, but they can verge into regulatory risk when dark patterns are used to prompt consent and purchases from consumers contrary to their wishes and interests.

Navigating this fine line demands that data management and data security perspectives be incorporated into UX design. Designers bent on creating user experiences that generate the highest number of clicks may resist this change.

Yet insidious dark patterns drive users away, and it will be difficult for businesses to rebuild the relationship once the trust is broken, writes Paige Bartley, senior analyst covering data management at 451 Research.

Between the lines

Dark patterns do not always have a nefarious side. At their benign level, ‘positive’ designs such as purchase history can make online shopping a pleasant experience. UX designers have also perfected the art of organizing content according to eye movements to lift engagement for brands.

Increasingly, however, businesses are after data that can be leveraged for more intuitive designs and for profit.

The practice becomes manipulative when it plays into human frustration and fatigue. For instance, opt-out options for information sharing may be designed to confuse users, leading them to grant consent that they would otherwise not have given.

Such tricks go against the EU’s General Data Protection Regulation, which spells out that sensitive personal data requires explicit consent, freely given through a specific, informed and unambiguous indication of the subject’s wishes.

In March, California became the first US state to regulate this practice after amending its consumer privacy act to ban companies from using dark patterns to manipulate customers into selling their personal information. The law called out subversive tactics such as complicated click-through forms, confusing double-negative language and multi-page legal documents that deter users from making informed decisions on their data privacy.

Giving consent

Unfortunately, consent data that has been historically collected via dark patterns is typically retained as the default option in the absence of avenues to seek consumer consent in more ethical ways.

Even in jurisdictions that regulate dark patterns, it is often unclear if the rules are retroactive. It is a best practice for a business to store only data that it has a legal basis for processing and that is relevant to its business purposes.

The data management team will have its work cut out to maintain an appropriate data lifecycle and uphold data minimization. Whenever possible, businesses should re-engage consumers to collect consent using an ethical method and invalidate the previous consent.

The process can be outsourced to third-party consent management providers that may be better placed to design embedded and consumer-facing consent-collection web interfaces. Often enough, the internal UX/UI design and data management units are split into two camps when it comes to matters of user privacy, due to diverging objectives.

Acting fast

Only 18.1% of respondents surveyed by 451 Alliance agreed that ‘achieving regulatory compliance’ was a top security objective for 2021, ranking far below other priorities, such as anti-phishing training. Businesses must wake up to the shifting tide of privacy.

