Dark Patterns
Deceptive UI/UX practices that manipulate users into taking actions they would not otherwise choose — or prevent them from exercising choices they are entitled to make. The term was coined by UX researcher Harry Brignull (2010); regulators increasingly use the equivalent term "deceptive design patterns." Dark patterns are now explicitly prohibited by multiple overlapping regulatory frameworks across the EU, UK, US, and India, with enforcement actions exceeding billions of dollars as of 2025–2026.
Firewall: every claim is what a source reports. See ../../CONTEXT.md, Rule 1.
Definitions
The EU Digital Services Act (DSA) (Article 25) defines dark patterns as:
"practices that materially distort or impair, either on purpose or in effect, the ability of recipients of the service to make autonomous and informed choices or decisions." (Ketch, 2026; Goodwin Law, 2025-11)
The EDPB (European Data Protection Board) uses the interchangeable term "deceptive design patterns," defining them as interface patterns that induce unwanted choices, often to facilitate data collection or prolong online interaction. (EDPB Guidelines 3/2022, 2022-03)
The California CPRA/CCPA regulations explicitly classify dark patterns as invalid consent:
"An interface that subverts or impairs a consumer's choice… is a dark pattern and does not constitute valid consent." These regulations went into effect 1 January 2026. (Ketch, 2026)
Taxonomy
EDPB five-category taxonomy (GDPR context)
The EDPB Guidelines 3/2022 identify five prohibited dark pattern categories for interfaces subject to GDPR:
| Category | Description |
|---|---|
| Overloading | Continuous prompts to disclose unnecessary information, designed to exhaust the user into consent |
| Obstructing / Hindering | Making certain choices difficult or impossible to find or execute |
| Skipping | Designing interfaces so users forget or overlook privacy implications |
| Stirring | Appealing to emotions or using visual nudges — e.g. describing negative consequences of account deletion in alarming language |
| Fickle | Inconsistent interface design that makes data protection status unclear |
(EDPB Guidelines 3/2022, edpb.europa.eu, 2022-03)
Common ecommerce dark pattern types
- Roach Motel — easy to enter a situation (e.g. subscribe) but nearly impossible to exit; cancellation options are buried or hidden. (PageAuditors, 2026; confirmed in FTC v Amazon, 2025)
- Drip Pricing — fees revealed incrementally during checkout, anchoring users to a lower price before adding unavoidable charges. Classified as inherently deceptive by the FTC. (PageAuditors, 2026)
- Confirm Shaming — using psychologically manipulative language on opt-out options, e.g. "No, I will take the risk." Cited in CCPA enforcement against IndiGo. (YouTube — India Tonight, 2025-05-28)
- Urgency / False Scarcity — artificial deadlines and false "Only 1 left!" messaging to exploit scarcity bias. E.g. booking platforms displaying limited inventory that is not genuinely limited. (Scalable Path, date unknown)
- Basket Sneaking — adding items to a user's cart without explicit consent. Identified in India's CCPA 13-pattern taxonomy (2023). (India Tonight / CCPA, 2025-05-28)
- Subscription Traps / Forced Continuity — automatically charging users after a free trial ends without adequate notice or an easy cancellation mechanism. (FTC enforcement focus, 2024–2025)
- Hidden Fees — concealing unavoidable fees until late in the checkout flow. (PageAuditors, 2026)
- Deceptive Button Contrast — using colour and visual hierarchy to steer users toward the business-preferred option while making the user-preferred option visually recessive. (PageAuditors, 2026)
- Interface Interference — obscuring opt-out options, pre-checking boxes, or using confusing double-negatives. Named in CCPA/India CCPA frameworks. (India Tonight, 2025-05-28)
India CCPA 13-pattern taxonomy (as-of 2025-05-28)
India's Central Consumer Protection Authority (CCPA) issued Guidelines for Prevention and Regulation of Dark Patterns (November 2023) identifying 13 specific dark pattern types: false urgency, basket sneaking, subscription traps, confirm shaming, drip pricing, disguised advertisements, nagging, trick questions, safelighting (hiding safety-related information), rogue malwares, interface interference, bait and switch, and forced action. (India Tonight / CCPA, 2025-05-28; YouTube FHVl1KxxAoA, 2025-05-28)
Regulatory framework
EU — fragmented landscape
At least 13 pieces of EU and national legislation cover dark patterns as of 2025, including: DSA (Digital Services Act), GDPR in Ecommerce, Unfair Commercial Practices Directive (UCPD), EU AI Act, Consumer Rights Directive, and national implementations. The European Parliament Research Service (EPRS) flagged a risk of under-enforcement due to this fragmentation — different laws apply only to certain market participants or under specific legal conditions. (EPRS, 2025)
Consumer Rights Directive (CRD) amendments banning dark patterns in user interfaces where financial services contracts can be concluded at distance had to be transposed into national law by 19 December 2025, applying from 19 June 2026. (Osborne Clarke, 2025)
Digital Fairness Act (DFA) — the European Commission announced a legislative proposal for Q4 2026, which would introduce a single agreed-upon EU legal definition of dark patterns, and also cover addictive design, misleading influencer marketing, and unfair personalisation. A public consultation ran from 17 July 2025 to 24 October 2025; respondents disagreed on whether further EU regulation is necessary. (Goodwin Law, 2025-11; European Parliament Legislative Train, 2025) (as-of 2025-11)
EU — DSA enforcement (Article 25)
As of November 2025, the DSA Observatory noted no DSA sanctions had been issued, calling the absence "striking," despite preliminary findings against X over a year prior covering dark patterns under Article 25. (DSA Observatory, 2025-11-26) (as-of 2025-11-26)
In December 2025, the European Commission issued its first DSA fine — reported at €120 million against X — covering deceptive verification design, an inadequate ad repository, and researcher access failures. (reported post-DSA Observatory article; primary Commission URL not retrieved)
Documented enforcement actions via deceptive.design enforcement database (as-of 2026-06-29):
- TikTok — held liable under GDPR for nudging children towards privacy-intrusive settings using bold text in pop-up notifications, constituting a dark pattern that hindered neutral and objective choices. (deceptive.design)
- Google — liability for processing user data across services without adequate choice options in selection dialogues. (deceptive.design)
EU — GDPR dark pattern enforcement
When dark patterns reduce user awareness or alter consent, they violate GDPR Article 5(1)(a) principles of lawfulness, fairness, and transparency — making data processing unlawful regardless of formal consent obtained. (EDPB Guidelines 3/2022, 2022-03)
Combined GDPR fines for 2024 and 2025 reportedly topped €1.2 billion, with the GDPR Enforcement Tracker recording 3,186 enforcement actions as of late 2025. (Consentik citing Enforcement Tracker, 2026 — vendor blog, treat as indicative) (as-of late 2025)
US — FTC enforcement
The FTC does not require proof of intent to pursue dark pattern enforcement — if a website's design has the effect of deceiving or manipulating consumers, enforcement can proceed regardless of whether the dark pattern was deliberate. (PageAuditors, 2026; consistent with FTC Section 5 precedent)
FTC civil penalties can reach up to $53,088 per violation (as-of 2025, adjusted annually for inflation). (PageAuditors, 2026)
Click-to-Cancel rule: Finalised October 2024; vacated by the U.S. Court of Appeals for the Eighth Circuit in 2025 on procedural grounds (failure to complete preliminary regulatory analysis under Section 22 of the FTC Act). The FTC stated enforcement continues under existing Section 5 authority. (Pandectes, 2026)
Key FTC enforcement actions:
| Target | Fine / Outcome | Dark Pattern | Source |
|---|---|---|---|
| Amazon | $2.5B settlement (Sep 2025) — $1B civil penalty + $1.5B consumer redress | Prime "Iliad Flow" — 4-page, 6-click, 15-option cancellation vs 2-click enrolment; trapped ~35M consumers | Katten, 2025; National Law Review, 2025 |
| Epic Games (Fortnite) | $245M consumer refunds + $275M COPPA penalty = $520M (2022) | Counterintuitive button configuration causing unintended in-game purchases, including while waking game from sleep | FTC press release, 2023; YouTube 2HA1ise26gE |
| Care.com | $8M settlement (summer 2025) | Deceiving caregivers seeking jobs while making membership cancellation deliberately difficult | PageAuditors, 2026 |
The $2.5B Amazon settlement is the largest dark pattern enforcement action in history and the largest civil penalty in a case involving an FTC rule violation. (Katten, 2025; National Law Review, 2025) (as-of 2025-09)
US — California CCPA/CPRA enforcement
California Consumer Privacy Act regulations explicitly classifying dark patterns as invalid consent went into effect 1 January 2026. (Ketch, 2026) (as-of 2026-01-01)
American Honda Motor Co. — fined $632,500 under the CCPA in 2025 for dark patterns in its consent management processes, including: requiring an extensive multi-field form (name, address, phone number) to submit a data rights request; and asymmetric cookie controls where opt-in was easier than opt-out. (Transcend, 2025) (as-of 2025)
India — CCPA enforcement (as-of 2025-05-28)
India's CCPA issued formal Guidelines for Prevention and Regulation of Dark Patterns (November 2023) and conducted platform compliance audits in 2025:
- A LocalCircles survey found that 11 of 26 platforms claiming to be "dark pattern free" still exhibited drip pricing. (YouTube FHVl1KxxAoA, 2025-05-28)
- Audit findings: Amazon, Flipkart, Tata Neu, Jiomart, and Myntra all exhibited dark patterns; Tata Neu, Amazon, and Flipkart each carried four dark patterns. (YouTube FHVl1KxxAoA, 2025-05-28)
- IndiGo — CCPA compliance order for opaque seat assignment (obscuring skip-paid-seat option) and confirm-shaming language ("No I will take risk"). IndiGo updated its UI per the June 2024 order. (YouTube 8vIQCPTRX14, 2025-05-28; AZB Partners)
- The Indian government summoned major e-commerce and travel firms in May 2025 for continued non-compliance. (YouTube FHVl1KxxAoA, 2025-05-28)
Canada — GPEN sweep (as-of 2024)
A 2024 Global Privacy Enforcement Network (GPEN) sweep examined over 1,000 websites and mobile apps with participation from 26 privacy enforcement authorities. In Canada, 99% of websites and apps reviewed contained at least one indicator of deceptive design. (Gowling WLG, 2025; citing GPEN 2024 sweep)
Korea — E-Commerce Act enforcement (as-of 2025-10)
South Korea's Fair Trade Commission imposed corrective orders and fines on four businesses in October 2025 — the first enforcement cases under dark pattern provisions of the revised E-Commerce Act, which took effect February 2025. (Corroborated by legal commentary; no primary FTC-Korea URL retrieved)
Prevalence benchmarks
- FTC/ICPEN subscription sweep (2024): Examined 642 websites and mobile apps offering subscription services; found 76% employed at least one dark pattern, and 67% used multiple dark patterns. (as-of 2024; FTC/ICPEN, July 2024, reported via YouTube Rehl7KAmjT4, 2025-06-05)
- GPEN global sweep (2024): 1,000+ websites and apps across 26 jurisdictions; Canada: 99% had at least one deceptive design indicator. (Gowling WLG, 2025)
- "Deception at Scale" academic paper (arXiv, 2025-02): Found that deceptive design is reproducible at scale via AI-generated interfaces, raising new concerns for regulators — a 2025 study detecting dark patterns in 1,000 LLM-generated ecommerce components showed systematic pattern reproduction. (arXiv 2502.13499, 2025-02)
Connection to consent and GDPR
Dark patterns are the primary mechanism behind the documented 65% → 42% consent rate swing (23 percentage points) when cookie banners are made fully compliant (symmetric reject button). This explains why dark patterns persist commercially despite regulatory risk — the business incentive to use them is directly quantifiable. (CookieYes, 2025-06-02; r/gdpr 2024-12, referenced in GDPR in Ecommerce)
Shopify's native consent banner does not block scripts — without a proper Consent Management Platform (CMP), cookies fire before consent is given. A banner that records a choice the page has already ignored is itself a dark pattern by design. (r/ecommerce, 2024-09, referenced in ePrivacy Directive)
Google Consent Mode v2 "basic mode" sends cookieless pings from non-consented users for modelling purposes — not yet formally ruled on by DPAs (as-of 2025-02). Misconfigurations frequently leave live tracking gaps even when Consent Mode is deployed. (Masters of Privacy / Phil Pearce, 2026-03-08, referenced in ePrivacy Directive)
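As an added illustration in plain JavaScript (not code from this page, from Shopify, from Google, or from any CMP vendor), the two mechanics above can be shown side by side: a "notice only" banner whose tags fire at page load whatever the user later chooses, and a consent gate that queues each tag loader under a purpose category and releases it only when that category is granted. A third helper scores a banner's first-layer options for the symmetry that the 65% → 42% figure and the Honda finding turn on, and the same click-count comparison applies to enrol-versus-cancel flows of the Iliad Flow kind. The category names, tag names and the option model are constructed for the example.

```javascript
// Added illustration, not code from the page or from any CMP vendor.
// Category and tag names below are constructed for the example.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Consent gate: tag loaders are registered under a purpose category and run
// only once that category has been granted. Strictly necessary tags need no consent.
class ConsentGate {
  constructor() {
    this.granted = new Set(["necessary"]);
    this.pending = new Map(); // category -> queued { name, loader }
    this.fired = [];          // audit trail of tags that actually executed
  }
  register(name, category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.granted.has(category)) {
      this.fired.push(name);
      loader();
      return;
    }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push({ name, loader });
  }
  grant(category) {
    this.granted.add(category);
    for (const { name, loader } of this.pending.get(category) || []) {
      this.fired.push(name);
      loader();
    }
    this.pending.delete(category);
  }
  deny(category) {
    this.pending.delete(category); // queued loaders are dropped and never run
  }
}

// The anti-pattern the page describes: tags are wired straight into the page and
// the banner merely records a choice after the fact.
function demoNoticeOnlyBanner() {
  const fired = [];
  const analyticsTag = () => fired.push("analytics");
  const marketingTag = () => fired.push("marketing");
  analyticsTag(); // executed at page load, before any choice exists
  marketingTag();
  const choice = "reject"; // the user rejects, but nothing can un-fire the tags
  return { choice, firedBeforeChoice: fired };
}

// The gated version: same tags, but only "necessary" runs at load; the rest wait
// for the decision object, e.g. { analytics: true, marketing: false }.
function demoConsentGate(decision) {
  const gate = new ConsentGate();
  gate.register("session-cookie", "necessary", () => {});
  gate.register("ga4", "analytics", () => {});
  gate.register("ads-pixel", "marketing", () => {});
  const atLoad = [...gate.fired];
  for (const [category, ok] of Object.entries(decision)) {
    if (ok) gate.grant(category); else gate.deny(category);
  }
  return { atLoad, afterChoice: [...gate.fired] };
}

// Banner symmetry check. Each option is modelled as { action, layer, clicks, prominent };
// the check flags the asymmetries regulators have cited: reject absent, on a deeper
// layer, needing more clicks, or visually recessive relative to accept.
function bannerSymmetry(options) {
  const accept = options.find((o) => o.action === "accept_all");
  const reject = options.find((o) => o.action === "reject_all");
  const reasons = [];
  if (!accept) reasons.push("no accept-all option");
  if (!reject) reasons.push("no reject-all option");
  if (accept && reject) {
    if (reject.layer > accept.layer) reasons.push("reject is on a deeper layer than accept");
    if (reject.clicks > accept.clicks) reasons.push(`reject needs ${reject.clicks} clicks, accept ${accept.clicks}`);
    if (accept.prominent && !reject.prominent) reasons.push("reject is visually recessive");
  }
  return { symmetric: reasons.length === 0, reasons };
}

// Constructed banners for the check.
const ASYMMETRIC_BANNER = [
  { action: "accept_all", layer: 1, clicks: 1, prominent: true },
  { action: "manage", layer: 1, clicks: 1, prominent: false },
  { action: "reject_all", layer: 2, clicks: 3, prominent: false },
];
const SYMMETRIC_BANNER = [
  { action: "accept_all", layer: 1, clicks: 1, prominent: true },
  { action: "reject_all", layer: 1, clicks: 1, prominent: true },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(demoNoticeOnlyBanner());
  console.log(demoConsentGate({ analytics: true, marketing: false }));
  console.log(bannerSymmetry(ASYMMETRIC_BANNER));
}
```

The `fired` audit trail is the point of the gate: in a real deployment it is what an auditor compares against network requests captured before the banner was answered, and any tag present in the capture but absent from the trail is a pre-consent fire of the kind the Shopify and Consent Mode notes describe.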
Key terms
| Term | Meaning |
|---|---|
| Roach Motel | Easy in, very hard out — subscriptions, account deletion, data opt-outs |
| Drip Pricing | Fees revealed incrementally to anchor on a lower headline price |
| Confirm Shaming | Opt-out label written to induce guilt ("No, I prefer to lose money") |
| Iliad Flow | Amazon's internal name for its Prime cancellation dark pattern (named after Homer's epic) |
| Deceptive Design Patterns | EDPB's preferred regulatory synonym for dark patterns |
| Click-to-Cancel | FTC rule (finalised 2024, vacated 2025) requiring cancellation to be as easy as sign-up |
| GPEN | Global Privacy Enforcement Network — coordinates cross-jurisdictional sweeps |
| DFA | Digital Fairness Act — proposed EU single-framework dark pattern law (expected Q4 2026) |
Next frontier topics
- Consent Management Platform (CMP) — the tool layer that enforces compliance; race-condition vulnerabilities; Dutch AP audit; highest-link uncreated concept in the GDPR/ePrivacy cluster
- IAB TCF — Transparency and Consent Framework; underpins programmatic advertising consent; Belgian DPA compliance unresolved
- Unfair Commercial Practices Directive (UCPD) — the horizontal EU consumer law prohibition on misleading and aggressive commercial practices that covers dark patterns alongside DSA/GDPR
- Digital Fairness Act (DFA) — the proposed EU single-framework law (Q4 2026 proposal)
- Deceptive Design Patterns — EDPB's taxonomy alias; useful to cross-link as a redirect/stub
- CCPA (California Consumer Privacy Act) — US state law with the strongest current dark pattern provisions (effective 2026-01-01)