Examples of Dark Patterns in Privacy
I have written about dark patterns in privacy on various occasions in this newsletter. Today, I would like to present the taxonomy for dark patterns in privacy that I developed in my academic paper, and that was cited by the recent EU and OECD reports on dark patterns. I will also illustrate it with real-life examples of dark patterns in privacy, which I define as follows:
“user experience (UX) practices that manipulate the data subject’s decision-making process in a way detrimental to his or her privacy and beneficial to the service provider”
As you can read in my paper, when dark patterns involve personal data, they exploit cognitive biases and manipulate data subjects into sharing more or more sensitive personal data.
Dark patterns in privacy are part of the study of Privacy UX - or how organizations implement (or do not implement) privacy assurances through the user experience and user interface of their websites and apps.
As I have commented before, many companies neglect Privacy UX and treat it as something tangential to the privacy compliance strategy. This is a bad approach and can lead to high fines, as we have been discussing in this newsletter.
Here are some examples of dark patterns in privacy, according to my taxonomy:
Pressuring the user to share more (or more in-depth) personal data in order to continue using a product or service. Common cases:
Pressure to allow permissions
Pressure to receive marketing
Pressure to share
Pressure to confirm
Here is an example from an e-commerce website. The last sentence is pressuring the user to share their email address by framing them in a distorted light as "someone who does not like to save money":
Delaying, hiding, or making it difficult for the user to adopt privacy-protective actions. Common cases:
Privacy invasive defaults
Here is an example from Der Spiegel, a major German news outlet. It allows you to continue reading the website with ads and assures you that you can revoke consent at any time:
However, to revoke consent, you need to scroll down to the bottom of the page, find the small "Datenschutz" link, and deactivate the consent:
And here is the main issue. When you deactivate your consent (orange button on the right), you will not have access to the newspaper, and you are sent again to the first banner. The conclusion is that it is actually impossible to access the newspaper for free without tracking, although this is not clear in the first banner:
Using language, forms, and interface elements in order to mislead the user whilst taking privacy-related actions. Common cases:
Here is an example from the TikTok app. It asks two questions and has only one button. What if I am above 18 and do not allow personalized ads? There is no real choice here:
Misrepresenting facts to induce users to share more or (more sensitive) personal data than intended. Common cases:
False experience improvement
False legitimate interest
Misrepresentation of strictly necessary cookies
You can find more information about these dark patterns in privacy taxonomy and how I developed it in my academic paper.
If you frequently read The Privacy Whisperer, you know that, in my opinion, current laws approaching dark patterns are insufficient and too abstract, and because of that, dark patterns in privacy will continue flourishing.
Interestingly enough, despite insufficient/abstract legislation, regulators and data protection authorities are eager to find and fine dark patterns in privacy, especially through the idea of privacy by design, data protection by design and by default (GDPR Article 25 - see the CNIL vs. Discord case), and privacy promises (see the FTC vs. BetterHelp case).
As dark patterns in privacy are still ubiquitous, fines will keep coming up, and there will be a lot to discuss about them in this newsletter.
💡 Are you interested in diving deeper into dark patterns in privacy and Privacy UX? My course Privacy UX: The Fundamentals is coming soon, sign up for the waitlist and get a 20% discount when it is launched.
🎤 Upcoming events
In the next edition of 'Women Advancing Privacy', I will discuss with Prof. Nita Farahany her new book "The Battle for Your Brain: Defending the Right to Think Freely in the Age of Neurotechnology," as well as issues related to the protection of cognitive liberty and privacy in the context of current AI and Neurotechnology challenges.
Prof. Farahany is a leader and pioneer in the field of ethics of neuroscience. This will be a fascinating conversation that you cannot miss. I invite you to sign up for our live session and bring your questions.
To watch our previous events (the latest one was with Dr. Ann Cavoukian on Privacy by Design), check out my YouTube channel.
In the latest episode of The Privacy Whisperer Podcast, I spoke with Romain Gauthier, the CEO of Didomi, about:
His journey as an entrepreneur and the specific challenges of privacy tech
The evolution of the privacy industry and how individuals and privacy vendors have adapted to new regulations and challenges
What is his view on current trends and the future of privacy
Tips for small businesses that want to do privacy right
This was a thought-provoking conversation. If you work in the tech industry, are a privacy professional, or are an entrepreneur, you cannot miss it. Listen now.
🔁 Trending on social media
Check out the Twitter thread to see the full list of resources:
📌 Privacy & data protection jobs
We have gathered various links from job search platforms and privacy-related organizations on our Privacy Careers page. We are constantly adding new links, so bookmark it and check it once a week for new openings. Wishing you the best of luck!
✅ Before you go:
If you enjoy this newsletter, invite your friends to subscribe to The Privacy Whisperer to get weekly privacy insights and access to early bird discounts.
Do you want more in-depth content? At Implement Privacy, I offer professional privacy courses on emerging privacy topics, check them out.
See you next week. All the best, Luiza Jarovsky