The term “dark patterns” has an ominous ring to it, and for good reason. These website elements have degraded online users’ experience enough for regulators and insurers to take note. Let’s look a little deeper at dark patterns and how they impact data protection.
What Are Dark Patterns?
Dark patterns are website elements that manipulate users into making decisions they aren’t aware of or didn’t want to make. Dark patterns also prevent users from doing what they set out to do. In short, they’re a sneaky way for websites to operate, tricking and confusing users into giving up personal information, not to mention agreeing to legal terms and buying unwanted products or services.
Examples of Dark Patterns
Although dark patterns sound like threats hiding in the shadows, don’t let the name fool you. Dark patterns are everywhere, from ecommerce checkouts to digital advertising to non-renewal functions. The following are examples of standard dark patterns; see if you recognize any of them:
- Countdown timer that implies the offer is expiring
- An “only 3 left” banner on an ecommerce website
- Advertising banner that won’t disappear, no matter how many times you close it
- Instructions to click on numerous links to unsubscribe from a service
- Escalating requests for personal details to gain access to “free” products (e.g., name, phone number, email address)
- Forced continuity, such as failing to inform you of a free trial ending or fees starting
- Hidden fees and sign-ups, frequently at ecommerce checkouts
- Using double negatives (e.g., “don’t not sell my information”)
These dark patterns are part of why users become frustrated on various websites. Most of us have fallen for these dark patterns at some point. What’s more, some dark patterns are more harmful than others. For example, one nefarious dark pattern is an ad design that appears like a speck of dirt on your device screen. When you try to wipe it off, you inevitably click on an unwanted ad link.
Regulations Addressing Dark Patterns
As frustrating and annoying as dark patterns are, their impact isn’t going unnoticed. More regulatory bodies are turning their attention to address these website elements. Here are a few regulations addressing dark patterns.
Unsurprisingly, California is spearheading regulations aimed at dark patterns. The California Privacy Rights Act will take effect at the first of the year in 2023. The Act states that information obtained from using dark patterns doesn’t constitute consent. The newly established California Privacy Protection Agency plans to continue developing regulations that further define dark patterns under the Act. And they’re not messing around. California businesses have 90 days to comply or face fines of up to $75,000 (per user) per intentional violation.
Colorado enhanced the Colorado Privacy Act last year, which is a broad statute to protect the privacy of its residents. In many ways, this Act resembles California’s regime. However, the fines are different. For example, penalties can top $20,000 per violation up to a maximum penalty of $500,000.
Federal Trade Commission
Like Colorado and California, the Federal Trade Commission (FTC) has started to pay attention. According to the FTC, using dark patterns isn’t anything more than a sophisticated version of unfair or deceptive trade practices. Unsurprisingly, the FTC is putting its foot down. In a lawsuit against Age of Learning, Inc. in 2020, the company paid $10 million in a settlement order and changed its practices. The following year, the FTC hosted a public workshop focused on dark pattern threats and future mitigation strategies.
Cyber Liability Insurance
New statutes and regulations are an excellent place to start, and the insurance world also contributes to the battle against dark patterns and the misuse of personal information. Unfortunately, companies can use dark patterns in numerous ways, so identifying or recognizing each abuse is challenging. As a result, we encourage you to become familiar with your cyber liability insurance policy.
Cyber liability insurance protects companies from third-party lawsuits related to electronic activity (e.g., phishing scams, malware). This coverage also offers many recovery benefits, supporting data restoration and reimbursement for lost income and payroll.
In response to the rise of dark patterns, we see carriers adjusting their cyber policy language. It’s always helpful to team with a trusted commercial insurance broker so that you know precisely what your policy covers. For example, our bench of experts frequently conducts cyber risk assessments, a beneficial tool for pinpointing your precise vulnerability points.
Understanding the details of what coverage your company needs can be confusing. Founder Shield specializes in knowing the risks your industry faces to make sure you have adequate protection. Feel free to reach out to us, and we’ll walk you through the process of finding the right policy for you.