Examples of Dark Patterns in Privacy

Luiza Jarovsky
6 min read · Apr 19


I have written about dark patterns in privacy on various occasions in this newsletter. Today, I would like to present the taxonomy for dark patterns in privacy that I developed in my academic paper and that was cited by the recent EU and OECD reports on dark patterns. I will also illustrate it with real-life examples of dark patterns in privacy, which I define as follows:

“user experience (UX) practices that manipulate the data subject’s decision-making process in a way detrimental to his or her privacy and beneficial to the service provider”

As you can read in my paper, when dark patterns involve personal data, they exploit cognitive biases and manipulate data subjects into sharing more or more sensitive personal data.

Dark patterns in privacy are part of the study of Privacy UX — or how organizations implement (or do not implement) privacy assurances through the user experience and user interface of their websites and apps.

As I have commented before, many companies neglect Privacy UX and treat it as something tangential to the privacy compliance strategy. This is a bad approach and can lead to high fines, as we have been discussing in this newsletter.

Here are some examples of dark patterns in privacy, according to my taxonomy:

A. Pressure

Pressuring the user to share more (or more in-depth) personal data in order to continue using a product or service. Common cases:

  1. Pressure to allow permissions
  2. Pressure to receive marketing
  3. Pressure to share
  4. Pressure to confirm

Here is an example from an e-commerce website. The last sentence is pressuring the user to share their email address by framing them in a distorted light, as “someone who does not like to save money”:

Example of pressure to receive marketing emails

B. Hinder

Delaying, hiding, or making it difficult for the user to adopt privacy-protective actions. Common cases:

  1. Difficult rejection
  2. Difficult settings
  3. Difficult deletion
  4. Privacy invasive defaults

Here is an example from Der Spiegel, a major German news outlet. It allows you to continue reading the website with ads, and assures you that you can revoke consent at any time:

Example of Hinder (part 1 of 3)

However, to revoke consent, you need to scroll down to the bottom of the page, find the small “Datenschutz” link and deactivate the consent:

Example of Hinder (part 2 of 3)

And here is the main issue. When you deactivate your consent (orange button on the right), you will not have access to the newspaper, and you are sent again to the first banner. The conclusion is that it is actually impossible to access the newspaper for free without tracking, although this is not clear in the first banner:

Example of Hinder (part 3 of 3)

C. Mislead

Using language, forms, and interface elements in order to mislead the user whilst taking privacy-related actions. Common cases:

  1. Ambiguity
  2. Double negative
  3. Twist
  4. Obfuscation
  5. Bad visibility
  6. Framing

Here is an example from the TikTok app. It asks two questions and has only one button. What if I am above 18 and do not allow personalized ads? There is no real choice here:

Example of Mislead

D. Misrepresent

Misrepresenting facts to induce users to share more (or more sensitive) personal data than intended. Common cases:

  1. False necessity
  2. False experience improvement
  3. False legitimate interest
  4. Misrepresentation of strictly necessary cookies

Here is an example from Cool Blue. It says that if the person refuses cookies, they will use “only functional and analytical cookies and similar techniques.” However, functional and analytical cookies are not strictly necessary cookies and should not be used if the individual refuses.

Example of misrepresentation of strictly necessary cookies

You can find more information about this dark patterns in privacy taxonomy and how I developed it in my academic paper.

If you frequently read The Privacy Whisperer, you know that, in my opinion, current laws approaching dark patterns are insufficient and too abstract, and because of that, dark patterns in privacy will continue flourishing.

Interestingly enough, despite insufficient/abstract legislation, regulators and data protection authorities are eager to find and fine dark patterns in privacy, especially through the idea of privacy by design, data protection by design and by default (GDPR Article 25 — see the CNIL vs. Discord case), and privacy promises (see the FTC vs. BetterHelp case).

As dark patterns in privacy are still ubiquitous, fines will keep coming up, and there will be a lot to discuss about them in this newsletter.

💡 Are you interested in diving deeper into dark patterns in privacy and Privacy UX? My course Privacy UX: The Fundamentals is coming soon, sign up for the waitlist and get a 20% discount when it is launched.

🎤 Upcoming events

In the next edition of ‘Women Advancing Privacy’, I will discuss with Prof. Nita Farahany her new book “The Battle for Your Brain: Defending the Right to Think Freely in the Age of Neurotechnology,” as well as issues related to the protection of cognitive liberty and privacy in the context of current AI and Neurotechnology challenges.

Prof. Farahany is a leader and pioneer in the field of ethics of neuroscience. This will be a fascinating conversation that you cannot miss. I invite you to sign up for our live session and bring your questions.

To watch our previous events (the latest one was with Dr. Ann Cavoukian on Privacy by Design), check out my YouTube channel.

🎧 Podcast

In the latest episode of The Privacy Whisperer Podcast, I spoke with Romain Gauthier, the CEO of Didomi, about:

  • His journey as an entrepreneur and the specific challenges of privacy tech
  • The evolution of the privacy industry and how individuals and privacy vendors have adapted to new regulations and challenges
  • His view on current trends and the future of privacy
  • Tips for small businesses that want to do privacy right

This was a thought-provoking conversation. If you work in the tech industry, are a privacy professional, or are an entrepreneur, you cannot miss it. Listen now.

📌 Privacy & data protection jobs

We have gathered various links from job search platforms and privacy-related organizations on our Privacy Careers page. We are constantly adding new links, so bookmark it and check it once a week for new openings. Wishing you the best of luck!

See you next week. All the best, Luiza Jarovsky

Luiza Jarovsky

Co-Founder at Implement Privacy, author of The Privacy Whisperer newsletter & podcast, Ph.D. researcher, Latina, immigrant, polyglot, mother of 3