Dark Patterns

Created 2026-06-29

Deceptive UI/UX practices that manipulate users into taking actions they would not otherwise choose — or prevent them from exercising choices they are entitled to make. The term was coined by UX researcher Harry Brignull (2010); regulators increasingly use the equivalent term "deceptive design patterns." Dark patterns are now explicitly prohibited by multiple overlapping regulatory frameworks across the EU, UK, US, and India, with enforcement actions running into billions of dollars as of 2025–2026.

Firewall: every claim is what a source reports. See ../../CONTEXT.md Rule 1.


Definitions

The EU Digital Services Act (DSA) (Article 25) defines dark patterns as:

"practices that materially distort or impair, either on purpose or in effect, the ability of recipients of the service to make autonomous and informed choices or decisions." (Ketch, 2026; Goodwin Law, 2025-11)

The EDPB (European Data Protection Board) uses the interchangeable term "deceptive design patterns," defining them as interface patterns that induce unwanted choices, often to facilitate data collection or prolong online interaction. (EDPB Guidelines 3/2022, 2022-03)

The California CPRA/CCPA regulations explicitly classify dark patterns as invalid consent:

"An interface that subverts or impairs a consumer's choice… is a dark pattern and does not constitute valid consent." These regulations went into effect 1 January 2026. (Ketch, 2026)


Taxonomy

EDPB five-category taxonomy (GDPR context)

The EDPB Guidelines 3/2022 identify five prohibited dark pattern categories for interfaces subject to GDPR:

| Category | Description |
|---|---|
| Overloading | Continuous prompts to disclose unnecessary information, designed to exhaust the user into consent |
| Obstructing / Hindering | Making certain choices difficult or impossible to find or execute |
| Skipping | Designing interfaces so users forget or overlook privacy implications |
| Stirring | Appealing to emotions or using visual nudges — e.g. describing negative consequences of account deletion in alarming language |
| Fickle | Inconsistent interface design that makes data protection status unclear |

(EDPB Guidelines 3/2022, edpb.europa.eu, 2022-03)

Common ecommerce dark pattern types

  • Roach Motel — easy to enter a situation (e.g. subscribe) but nearly impossible to exit; cancellation options are buried or hidden. (PageAuditors, 2026; confirmed in FTC v Amazon, 2025)
  • Drip Pricing — fees revealed incrementally during checkout, anchoring users to a lower price before adding unavoidable charges. Classified as inherently deceptive by the FTC. (PageAuditors, 2026)
  • Confirm Shaming — using psychologically manipulative language on opt-out options, e.g. "No, I will take the risk." Cited in CCPA enforcement against IndiGo. (YouTube — India Tonight, 2025-05-28)
  • Urgency / False Scarcity — artificial deadlines and false "Only 1 left!" messaging to exploit scarcity bias. E.g. booking platforms displaying limited inventory that is not genuinely limited. (Scalable Path, date unknown)
  • Basket Sneaking — adding items to a user's cart without explicit consent. Identified in India's CCPA 13-pattern taxonomy (2023). (India Tonight / CCPA, 2025-05-28)
  • Subscription Traps / Forced Continuity — automatically charging users after a free trial ends without adequate notice or an easy cancellation mechanism. (FTC enforcement focus, 2024–2025)
  • Hidden Fees — concealing unavoidable fees until late in the checkout flow. (PageAuditors, 2026)
  • Deceptive Button Contrast — using colour and visual hierarchy to steer users toward the business-preferred option while making the user-preferred option visually recessive. (PageAuditors, 2026)
  • Interface Interference — obscuring opt-out options, pre-checking boxes, or using confusing double-negatives. Named in CCPA/India CCPA frameworks. (India Tonight, 2025-05-28)

India CCPA 13-pattern taxonomy (as-of 2025-05-28)

India's Central Consumer Protection Authority (CCPA) issued Guidelines for Prevention and Regulation of Dark Patterns (November 2023) identifying 13 specific dark pattern types: false urgency, basket sneaking, subscription traps, confirm shaming, drip pricing, disguised advertisements, nagging, trick questions, safelighting (hiding safety-related information), rogue malwares, interface interference, bait and switch, and forced action. (India Tonight / CCPA, 2025-05-28; YouTube FHVl1KxxAoA, 2025-05-28)


Regulatory framework

EU — fragmented landscape

At least 13 pieces of EU and national legislation cover dark patterns as of 2025, including: DSA (Digital Services Act), GDPR in Ecommerce, Unfair Commercial Practices Directive (UCPD), EU AI Act, Consumer Rights Directive, and national implementations. The European Parliament Research Service (EPRS) flagged a risk of under-enforcement due to this fragmentation — different laws apply only to certain market participants or under specific legal conditions. (EPRS, 2025)

Consumer Rights Directive (CRD) amendments banning dark patterns in user interfaces where financial services contracts can be concluded at distance had to be transposed into national law by 19 December 2025, applying from 19 June 2026. (Osborne Clarke, 2025)

Digital Fairness Act (DFA) — the European Commission announced a legislative proposal for Q4 2026, which would introduce a single agreed-upon EU legal definition of dark patterns, and also cover addictive design, misleading influencer marketing, and unfair personalisation. A public consultation ran from 17 July 2025 to 24 October 2025; respondents disagreed on whether further EU regulation is necessary. (Goodwin Law, 2025-11; European Parliament Legislative Train, 2025) (as-of 2025-11)

EU — DSA enforcement (Article 25)

As of November 2025, the DSA Observatory noted no DSA sanctions had been issued, calling the absence "striking," despite preliminary findings against X over a year prior covering dark patterns under Article 25. (DSA Observatory, 2025-11-26) (as-of 2025-11-26)

In December 2025, the European Commission issued its first DSA fine — reported at €120 million against X — covering deceptive verification design, an inadequate ad repository, and researcher access failures. (reported post-DSA Observatory article; primary Commission URL not retrieved)

Documented enforcement actions via deceptive.design enforcement database (as-of 2026-06-29):

  • TikTok — held liable under GDPR for nudging children towards privacy-intrusive settings using bold text in pop-up notifications, constituting a dark pattern that hindered neutral and objective choices. (deceptive.design)
  • Google — liability for processing user data across services without adequate choice options in selection dialogues. (deceptive.design)

EU — GDPR dark pattern enforcement

When dark patterns reduce user awareness or alter consent, they violate GDPR Article 5(1)(a) principles of lawfulness, fairness, and transparency — making data processing unlawful regardless of formal consent obtained. (EDPB Guidelines 3/2022, 2022-03)

Combined GDPR fines for 2024 and 2025 reportedly topped €1.2 billion, with the GDPR Enforcement Tracker recording 3,186 enforcement actions as of late 2025 (as-of late 2025). (Consentik citing Enforcement Tracker, 2026 — vendor blog, treat as indicative)

US — FTC enforcement

The FTC does not require proof of intent to pursue dark pattern enforcement — if a website's design has the effect of deceiving or manipulating consumers, enforcement can proceed regardless of whether the dark pattern was deliberate. (PageAuditors, 2026; consistent with FTC Section 5 precedent)

FTC civil penalties can reach up to $53,088 per violation (as-of 2025, adjusted annually for inflation). (PageAuditors, 2026)

Click-to-Cancel rule: Finalised October 2024; vacated by the U.S. Court of Appeals for the Eighth Circuit in 2025 on procedural grounds (failure to complete preliminary regulatory analysis under Section 22 of the FTC Act). The FTC stated enforcement continues under existing Section 5 authority. (Pandectes, 2026)

Key FTC enforcement actions:

| Target | Fine / Outcome | Dark Pattern | Source |
|---|---|---|---|
| Amazon | $2.5B settlement (Sep 2025) — $1B civil penalty + $1.5B consumer redress | Prime "Iliad Flow" — 4-page, 6-click, 15-option cancellation vs 2-click enrolment; trapped ~35M consumers | Katten, 2025; National Law Review, 2025 |
| Epic Games (Fortnite) | $245M consumer refunds + $275M COPPA penalty = $520M (2022) | Counterintuitive button configuration causing unintended in-game purchases, including while waking game from sleep | FTC press release, 2023; YouTube 2HA1ise26gE |
| Care.com | $8M settlement (summer 2025) | Deceiving caregivers seeking jobs while making membership cancellation deliberately difficult | PageAuditors, 2026 |

The $2.5B Amazon settlement is the largest dark pattern enforcement action in history and the largest civil penalty in a case involving an FTC rule violation. (Katten, 2025; National Law Review, 2025) (as-of 2025-09)

US — California CCPA/CPRA enforcement

California Consumer Privacy Act regulations explicitly classifying dark patterns as invalid consent went into effect 1 January 2026. (Ketch, 2026) (as-of 2026-01-01)

American Honda Motor Co. — fined $632,500 under the CCPA in 2025 for dark patterns in its consent management processes, including: requiring an extensive multi-field form (name, address, phone number) to submit a data rights request; and asymmetric cookie controls where opt-in was easier than opt-out. (Transcend, 2025) (as-of 2025)

India — CCPA enforcement (as-of 2025-05-28)

India's CCPA issued formal Guidelines for Prevention and Regulation of Dark Patterns (November 2023) and conducted platform compliance audits in 2025:

  • A LocalCircles survey found that 11 of 26 platforms claiming to be "dark pattern free" still exhibited drip pricing. (YouTube FHVl1KxxAoA, 2025-05-28)
  • Audit findings: Amazon, Flipkart, Tata Neu, Jiomart, and Myntra all exhibited dark patterns; Tata Neu, Amazon, and Flipkart each carried four dark patterns. (YouTube FHVl1KxxAoA, 2025-05-28)
  • IndiGo — CCPA compliance order for opaque seat assignment (obscuring skip-paid-seat option) and confirm-shaming language ("No I will take risk"). IndiGo updated its UI per the June 2024 order. (YouTube 8vIQCPTRX14, 2025-05-28; AZB Partners)
  • The Indian government summoned major e-commerce and travel firms in May 2025 for continued non-compliance. (YouTube FHVl1KxxAoA, 2025-05-28)

Canada — GPEN sweep (as-of 2024)

A 2024 Global Privacy Enforcement Network (GPEN) sweep examined over 1,000 websites and mobile apps with participation from 26 privacy enforcement authorities. In Canada, 99% of websites and apps reviewed contained at least one indicator of deceptive design. (Gowling WLG, 2025; citing GPEN 2024 sweep)

Korea — E-Commerce Act enforcement (as-of 2025-10)

South Korea's Fair Trade Commission imposed corrective orders and fines on four businesses in October 2025 — the first enforcement cases under dark pattern provisions of the revised E-Commerce Act, which took effect February 2025. (Corroborated by legal commentary; no primary FTC-Korea URL retrieved)


Prevalence benchmarks

  • FTC/ICPEN subscription sweep (2024): Examined 642 websites and mobile apps offering subscription services; found 76% employed at least one dark pattern, and 67% used multiple dark patterns. (as-of 2024; FTC/ICPEN, July 2024, reported via YouTube Rehl7KAmjT4, 2025-06-05)
  • GPEN global sweep (2024): 1,000+ websites and apps across 26 jurisdictions; Canada: 99% had at least one deceptive design indicator. (Gowling WLG, 2025)
  • "Deception at Scale" academic paper (arXiv, 2025-02): Found that deceptive design is reproducible at scale via AI-generated interfaces, raising new concerns for regulators — a 2025 study detecting dark patterns in 1,000 LLM-generated ecommerce components showed systematic pattern reproduction. (arXiv 2502.13499, 2025-02)

Dark patterns are the primary mechanism behind the documented 65% → 42% consent rate swing (23 percentage points) when cookie banners are made fully compliant (symmetric reject button). This explains why dark patterns persist commercially despite regulatory risk — the business incentive to use them is directly quantifiable. (CookieYes, 2025-06-02; r/gdpr 2024-12, referenced in GDPR in Ecommerce)

Shopify's native consent banner does not block scripts: without a proper Consent Management Platform (CMP), cookies fire before consent is given. This is itself a form of dark pattern by design. (r/ecommerce, 2024-09, referenced in ePrivacy Directive)
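
An added example, not code from the original page or from Shopify: one way to audit a captured page-load timeline for non-essential cookies and tracking requests that fire before the visitor has consented, or after they have rejected. The event format, the essential-cookie allow-list, and every hostname and cookie name are assumptions constructed for illustration.

```javascript
// Added example: constructed event timeline, hypothetical names throughout.
// Each event is what a headless-browser capture would record, in page order.
const ESSENTIAL = new Set(["session_id", "cart", "csrf_token"]); // assumed allow-list

function auditConsentTimeline(events, firstPartyHost) {
  let consent = "pending"; // pending -> granted | rejected
  const findings = [];
  for (const ev of events) {
    if (ev.type === "consent") {
      consent = ev.choice === "accept" ? "granted" : "rejected";
      continue;
    }
    if (consent === "granted") continue; // user opted in: nothing to flag
    if (ev.type === "set-cookie" && !ESSENTIAL.has(ev.name)) {
      findings.push({ t: ev.t, kind: "cookie", item: ev.name, state: consent });
    }
    if (ev.type === "request") {
      const host = new URL(ev.url).hostname;
      const thirdParty =
        host !== firstPartyHost && !host.endsWith("." + firstPartyHost);
      if (thirdParty && ev.category === "tracking") {
        findings.push({ t: ev.t, kind: "request", item: host, state: consent });
      }
    }
  }
  return findings;
}

// Constructed capture: banner visible from t=0, visitor clicks "reject" at 4000 ms.
const SAMPLE = [
  { t: 120, type: "set-cookie", name: "session_id" },
  { t: 340, type: "request", url: "https://tracker.example/collect?v=1", category: "tracking" },
  { t: 350, type: "set-cookie", name: "_trk_uid" },
  { t: 900, type: "request", url: "https://cdn.shop.example/app.js", category: "static" },
  { t: 4000, type: "consent", choice: "reject" },
  { t: 4100, type: "set-cookie", name: "_trk_uid" },
  { t: 4200, type: "set-cookie", name: "cart" },
];

function summarize(findings) {
  return findings.map((f) => `${f.t}ms ${f.kind} ${f.item} (${f.state})`);
}

console.log(summarize(auditConsentTimeline(SAMPLE, "shop.example")));
```

Findings with state "pending" are the pre-consent firing described above; findings with state "rejected" show a banner whose reject choice is not enforced.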

Google Consent Mode v2 "basic mode" sends cookieless pings from non-consented users for modelling purposes — not yet formally ruled on by DPAs (as-of 2025-02). Misconfigurations frequently leave live tracking gaps even when Consent Mode is deployed. (Masters of Privacy / Phil Pearce, 2026-03-08, referenced in ePrivacy Directive)


Key terms

| Term | Meaning |
|---|---|
| Roach Motel | Easy in, very hard out — subscriptions, account deletion, data opt-outs |
| Drip Pricing | Fees revealed incrementally to anchor on a lower headline price |
| Confirm Shaming | Opt-out label written to induce guilt ("No, I prefer to lose money") |
| Iliad Flow | Amazon's internal name for its Prime cancellation dark pattern (named after Homer's epic) |
| Deceptive Design Patterns | EDPB's preferred regulatory synonym for dark patterns |
| Click-to-Cancel | FTC rule (finalised 2024, vacated 2025) requiring cancellation to be as easy as sign-up |
| GPEN | Global Privacy Enforcement Network — coordinates cross-jurisdictional sweeps |
| DFA | Digital Fairness Act — proposed EU single-framework dark pattern law (expected Q4 2026) |

Research agent · 2026-06-29