Reed Smith Client Alerts

Dark patterns lead to enforcement spotlight: Key compliance steps for businesses

The use of "dark patterns" has drawn increasing scrutiny from state legislatures, the Federal Trade Commission (FTC), state attorneys general, and consumer advocates. While the FTC has long targeted deceptive online practices, a growing number of U.S. state comprehensive privacy laws, such as the California Consumer Privacy Act (CCPA), Colorado Privacy Act, and the Texas Data Privacy and Security Act, now expressly prohibit using dark patterns to obtain consumer consent. This expansion, as well as the 6+ figure settlements with regulators resulting from a business’s noncompliance, significantly heightens the compliance burden and legal risks for companies operating online and demonstrates regulators’ focus on protecting consumers against technological advances (e.g., advertising cookies, artificial intelligence) and other business techniques that may prevent consumers from asserting their rights.

This Reed Smith alert will focus on dark patterns and outline key considerations for businesses.

Examples of dark patterns

A "dark pattern" is commonly defined by laws, regulations, and regulators as a user interface design method on a website, portal, or mobile application that results in a substantial number of users making choices they would not otherwise make, and that benefit the provider of the website, portal, or application rather than the users. The FTC calls them manipulative design tricks and psychological tactics, and the agency stated that dark patterns are "found in a variety of industries and contexts, including ecommerce, cookie consent banners, children's apps, subscription sales, and more." Likewise, the California Privacy Protection Agency (CalPrivacy) seeks to protect consumers against “jumping through confusing hoops or solving puzzles” to exercise their privacy choices.

Examples of design methods that regulators may deem to be dark patterns:

  • use company-preferred pre-checked boxes, default settings and prominent options
  • require scrolling to see material terms
  • use confusing toggle settings
  • display material terms in normal unbolded text in the middle of bolded text that does not contain material terms
  • implement a long or difficult subscription cancellation process
  • display countdown timers on offers that are not truly time-limited
  • delay disclosure of fees until late in the application / purchase process (e.g., drip pricing)
  • falsely claim that others are looking at, or recently bought, the same products
  • use double negatives
  • repeatedly prompt users to re-make choices already made
  • falsely suggest affiliation with reputable organizations
  • bury key limitations of a product or service in dense terms of service documents
  • give illusory choices
  • use nondescript or small icons, tooltips, hyperlinks, pop-ups or drop-down menus that require a hover or click to view material terms
  • deceptively offer free trials, hiding cancellation terms
  • bury settings and use vague setting names
  • display hard-to-find or hard-to-read disclosures
  • use poor color contrast
  • falsely claim that a product is almost sold out
  • disguise purchases as part of game play
  • deceptively format advertisements to appear as independent, editorial content
  • deceptively format as a neutral comparison-shopping site, but rank by compensation

Enforcement activity 

Enforcement activity focused on dark pattern usage has ramped up and will undoubtedly increase in numbers as more state privacy and AI laws come into effect.

In September 2024, CalPrivacy issued guidance cautioning businesses to review their user interfaces for the existence of dark patterns. Additionally, over the last few years, state and federal government authorities such as CalPrivacy and the FTC have brought enforcement actions related to the following alleged dark patterns:

  • Making it easy to sign up for services but unreasonably difficult to cancel (e.g., requiring consumers to click through multiple screens, call customer service, or navigate confusing cancellation flows)
  • Designing interfaces where privacy-invasive options are prominently displayed with a single click, while privacy-protective choices require multiple steps, smaller text, or harder-to-find locations
  • Pre-checked boxes for data collection or marketing
  • Confusing double negatives or misleading language that obscures what consumers are agreeing to
  • Adding unnecessary friction to privacy rights requests (such as opt-out or deletion requests)
  • Requiring excessive personal information verification beyond what is necessary to make a privacy rights request
  • Using color, size, and placement to steer consumers toward options that benefit the business rather than the consumer

Businesses, especially those with substantial tracking technologies deployed on their websites and those that allow users to enroll in auto-renewing subscriptions and services, should closely examine their consent and cancellation flows and user interfaces. Doing so helps minimize the financial and reputational risk of non-compliance with evolving state law and FTC requirements and helps avoid significant regulatory penalties.

Recommendations for compliance

Companies using website, portal, and mobile application design practices to deceive or manipulate consumers may face scrutiny from regulators. Companies that operate a direct-to-consumer (D2C) business model are likely at greater risk, given that these are consumer protection laws and regulators. However, companies that operate a business-to-business (B2B) model also may consider any consumer-facing aspects of their websites, portals, or mobile applications. For example, D2C and B2B companies that deploy advertising technologies on their websites and that are subject to certain state privacy laws may be required to implement cookie banners and preference centers that offer equal and symmetrical choices to consumers to opt out of such technologies.

To mitigate this risk, companies should avoid design methods that could be considered dark patterns that violate the FTC Act, state privacy laws, or other consumer protection laws.

Companies should review the following actions that may mitigate the risk of implementing a dark pattern:

  • consider the steps taken to ensure the accountholder is consenting to an online purchase
  • review mandatory fee information so it is accurately reflected in an "upfront, advertised price"
  • multiple dark patterns can allegedly have a cumulative effect, so consider design elements as a whole
  • potentially reduce the complexity and number of screens of a subscription cancellation process
  • as part of testing alternative interface designs, consider whether higher conversion using one interface design is due to potentially manipulative design elements
  • evaluate how personal information is collected to determine whether designs could manipulate or trick users into providing more personal information than necessary
  • look at whether pricing practices could treat consumers differently based on race, national origin or other protected characteristics
  • review default settings, the steps consumers must follow to make choices, the clarity and prominence of toggle options, and the use of just-in-time notices and choices related to the collection and use of sensitive personal information to make sure they are clear
  • disclaimers may not overcome a deceptive design
  • consider how design choices will be viewed by specifically targeted audiences (e.g., children)
  • review policies and procedures that apply to answering customer cancellations by telephone calls during normal business hours so there is a low wait time

Takeaways

The proliferation of state privacy laws that expressly prohibit dark patterns significantly increases compliance risk for companies. Regulators in numerous states, along with the FTC, are holding companies accountable for manipulative design practices.

In addition to the regulatory compliance risk, companies that use dark patterns in the process of obtaining any legal agreement with consumers could risk future claims that consent was not freely given or an agreement was not formed or is voidable because there was no acceptance or meeting of the minds with respect to that agreement.

Companies should consider reviewing the user interface design of their websites, portals, and mobile applications to determine whether any of the techniques described in this alert are used to obtain consent or agreement from users. If so, the business can evaluate whether the use of the techniques constitutes a dark pattern and take steps to mitigate compliance risk.

Client Alert 2026-040
