What Are Dark Patterns?
A dark pattern (also called a "deceptive design pattern") is a user interface design choice that tricks or manipulates users into taking actions they didn't intend β or prevents them from taking actions they want to take, like opting out of data collection.
The term was coined by UX designer Harry Brignull in 2010, who began cataloging examples at darkpatterns.org. Since then, the study of dark patterns has become a legitimate area of academic research, regulatory scrutiny, and β increasingly β legal enforcement.
In the context of privacy, dark patterns are design choices specifically intended to discourage users from exercising their privacy rights: making opt-out buttons harder to find than opt-in buttons, using confusing language that makes consent seem like it's about something else, pre-checking consent boxes, creating unnecessary friction for data requests, and using emotional manipulation to discourage privacy-protective choices.
The Most Common Privacy Dark Patterns
1. The Labyrinthine Settings Menu: Opt-out settings buried 5+ clicks deep in settings menus, while opt-in is available with one click. Research has shown that reducing the number of steps required to opt out dramatically increases opt-out rates β which is exactly why companies don't reduce those steps.
2. Confirmshaming: Making the opt-out button say something like "No thanks, I don't want to protect my privacy" β using language that makes declining feel like a negative statement about yourself rather than a neutral choice.
3. The Privacy Paradox Layout: Showing the "Accept All Cookies" button in a prominent, brightly colored button while making "Reject All" or "Manage Preferences" harder to find, smaller, and less visually prominent.
4. Endless Cookie Banners: Cookie consent tools that allow you to click "Reject All" for one category but require individually unchecking hundreds of pre-checked partner boxes for other categories. Some consent management platforms have been documented to have hundreds of advertising partners listed in a scrollable list that takes significant time to opt out of individually.
5. The Misleading "Opt Out" That Doesn't Really Opt You Out: Opting out of one type of data use (like "personalized ads") while other categories of data collection continue unchanged β without clearly communicating this to the user.
6. The "Functional" Catch-All: Categorizing all data collection as "strictly necessary" or "functional" β categories that can be exempt from consent requirements β even when the data collection clearly isn't necessary to deliver the service.
What the Law Says About Dark Patterns
Privacy regulators have increasingly targeted dark patterns as independently illegal, separate from any other data processing violations:
FTC Act Section 5: The Federal Trade Commission has used its authority under Section 5 (which prohibits "unfair or deceptive acts or practices") to pursue dark pattern cases. The FTC's 2022 report "Bringing Dark Patterns to Light" specifically identified privacy dark patterns as an enforcement priority.
California CPRA: The CPRA explicitly prohibits using "dark patterns" that have the purpose or substantial effect of impeding or subverting the privacy choices of consumers. The California Privacy Protection Agency has identified specific dark pattern types that violate the law.
Colorado Privacy Act: Similarly prohibits the use of dark patterns in obtaining consent, defining dark patterns as "user interfaces designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice."
GDPR (EU): The EU's GDPR has been actively enforced against dark patterns β with the Irish DPC levying a β¬390 million fine against Meta for forcing users to "consent" to targeted advertising as a condition of using Facebook and Instagram.
How to Recognize and Defeat Dark Patterns
Awareness is the first defense. When exercising your privacy rights, watch for these red flags:
Color contrast manipulation: If the opt-out button is gray and the opt-in button is bright blue or green, that's a visual dark pattern. The color choice is designed to make one action feel more "correct" than another.
Language asymmetry: Compare the language used for accepting vs. declining. "Yes, send me great offers!" vs. "No, I don't want to save money" is a classic confirmshaming pattern.
Pre-checked boxes: Always scroll through privacy settings and consent forms looking for pre-checked boxes that enroll you in data collection by default. In California, pre-checked boxes cannot constitute valid consent for sensitive data processing.
False urgency: "You must decide now or lose access" messaging on privacy consent banners is often fake β you can usually close the browser and return later, or decline with no consequence.
Infinite scrolling partner lists: Cookie consent tools that show you a list of 400 advertising partners, all pre-checked, and require you to uncheck each one individually. The correct response is to look for a "Reject All" or "Object to All" button at the top or bottom of the list β and if there isn't one, consider whether this website deserves your data.
Reporting Dark Patterns
If you encounter dark patterns that you believe violate your privacy rights, you have several reporting options:
California residents: Report to the California Privacy Protection Agency at cppa.ca.gov/consumers/. The CPPA actively investigates dark pattern complaints and has enforcement authority over CCPA/CPRA violations.
All U.S. residents: Report to the FTC at reportfraud.ftc.gov. While the FTC rarely acts on individual complaints, patterns of complaints do inform enforcement priorities.
Document everything: Before reporting, take screenshots of the dark pattern interface β including the date, the website, and the specific UI element. This documentation strengthens any complaint.
Academic research: Princeton's Center for Information Technology Policy (CITP) and other academic groups actively research and document dark patterns. Submitting examples to researchers at darkpatterns.org helps inform future regulatory guidance.