1. Introduction

An Overview of Guidelines on Dark Patterns1

Aryan Mamidwar

aryan.mamidwar20@vit.edu 0

Ganesh Bhutkar

ganesh.bhutkar@vit.edu 0 0 Vishwakarma Institute of Technology , Pune , India

Dark patterns have been used to describe design practices that trick or manipulate users into making certain choices. One out of every four internet users experience dark patterns in the digital world. In this paper, all vital guidelines issued by government commissions or authorities across the globe have been studied. These countries include mainly United States of America (USA), South Korea, India, and European Union, along with California, Australia, United Kingdom, Kenya, and Argentina. The comparative analysis of the guidelines for dark patterns from major government commissions or authorities has been performed on basis of national guidelines, types of dark patterns and following norms of guidelines. It is observed that there is a little to no enforcement effort by the required authorities to counter dark patterns. All the countries across the globe should come together to create universal guidelines against dark patterns, with a global authority or commission.

eol>Dark Pattern Guidelines Applicable Laws Government commissions Regulatory Authorities

1. Introduction

There are about 5.35 billion people using the internet across the globe, which is equal to 66.2% of the world’s total population [ 8 ]. Majority of these users may have encountered some dark patterns. Dark patterns have been used to describe design practices that trick or manipulate users into making choices that may cause harm [ 4 ]. This in turn will also affect digital trust of users. One such dark pattern is depicted in Figure 1, which is a dark pattern from an eCommerce website - JustFab.com. They put false countdown timers only to add urgency to a sale.

Another study was conducted by Princeton University, USA in the year 2019. It found 1,818 instances of dark patterns specifically on shopping websites. These instances all together represented 15 types of dark patterns in 7 broad categories. These dark patterns were found on 1,254 out of around 11,000 shopping websites. It amounts to around 11.1 % of the dataset used. It also found that there were 22 third-party entities that provided the shopping websites the services required to create and implement dark patterns. Two of the above entities even publicly advertised that they can help websites to use deceptive messages [ 1 ].

With such a big issue in hand, several national government commissions or authorities have taken initiatives to counter dark patterns as well as spread awareness of the problems caused by dark patterns. A few government commissions or authorities have taken a direct approach by clearly providing guidelines against the dark patterns. Some other government agencies took an indirect approach to restricting some of the dark patterns by creating amendments to their existing privacy or digital laws. A few other government agencies have taken actions against the violators based on interpretation of the existing laws. Hence, this guideline overview discusses the vital guidelines on dark patterns and aims to shed light on the insufficient effort by the government commissions or authorities.

2. Related Work

Following are the four vital national guideline documents or reports on dark patterns. These guideline documents or reports are discussed in chronological order of their publication.

The first document represents a guideline document for dark patterns published in March 2022 by the European Data Protection Board (EDPB) for the countries under the European Union (EU) region. The scope of this document is to recommend developers and give guidance for the design of the interface of social media platforms. The document has categorized the dark patterns into 6 categories and 15 sub-categories along with examples [ 2, 10 ]. This categorization of dark patterns comes with special reference to the principles of lawfulness, fairness, transparency, purpose limitation and data minimization in the design of user-interfaces. The enforcement for the violations of dark patterns is in conjunction with the General Data Protection Regulation (GDPR) - 2016 enforcement.

The second document is a report for dark patterns published in Sept. 2022 by the Federal Trade Commission (FTC) for the USA. This report discusses key topics from the ‘Bringing Dark Patterns to Light’ workshop and academic literature. FTC makes practical recommendations for entities, aiding them when they develop, design, and improve their online interfaces. The report includes the rise of dark patterns in the digital marketplace and 4 common categories of dark patterns with relevant examples [ 11 ]. This report also sends two strong signals. First, customers that the FTC is on their side and will be acting against the violators of dark patterns. Second, businesses that use dark patterns - they are being keenly observed based on their actions.

The third document represents a report published in Aug. 2023 by the Korean Fair-Trade Commission (FKTC) for South Korea. This report establishes a regulatory measure to control online dark patterns. The authorities involved in this process are KFTC, Korean Communication Commission (KCC) and the Personal Information Protection Commission (PIPC). The report has categorized dark patterns into 4 major categories and 19 distinct types and provided recommendations for each of the types [ 13 ]. The KFTC has made a provision of punishment for violation of the dark pattern guidelines, as administrative fines based on the company’s / entity's total sales of that financial year.

The fourth document represents a guideline document that was published in Nov. 2023 by the Central Consumer Protection Authority (CCPA) in India. It states that the guidelines against dark patterns prohibit any person, including platforms, from engaging in any form of dark pattern practice. The report has provided specific types of dark patterns that are prohibited. The report has categorized dark patterns into 13 different types and provided relevant examples [ 12 ]. These dark pattern guidelines were published after receiving the recommendations and reviews from Asia Internet Coalition (AIC) [20]. The dark pattern guidelines are a part of the Consumer Protection Act - 2019 and the punishment for violation of the guidelines is in conjunction with the enforcement of Consumer Protection Act - 2019.

Apart from above given national guideline documents on dark patterns, a few other countries have also taken steps to counter the dark patterns in their online ecosystem. These countries do not have any specific guidelines like the four discussed cases in this section.

In California, the California Consumer Privacy Act (CCPA) - 2018 has regulations implemented to suppress the use of dark patterns. The CCPA prohibits the use of dark patterns that have a substantial effect on the consumer’s choice to opt-out of the schemes that benefit the companies or entities [ 21, 22 ]. They have also defined some examples of such dark patterns which include: Use of confusing language like double-negatives and more. Companies or entities that have violated these guidelines, have a 30-day grace period to make changes to their website / app. Failure to make required changes will result in civil penalties under the CCPA [ 23 ].

In Australia, the Office of the Australian Information Commission (OAIC) has identified some entities operating online using dark patterns that are designed to nudge the users. Dark patterns in trade or commerce are considered as a violation of the Australian Consumer Law (ACL) - 2010. The Australian Competition and Consumer Commission (ACCC) has also released a guide on ‘Online Platforms and the Australian Consumer Law’ in 2019, which has outlined the legal requirements for online platforms for effective consumer protection [ 14 ].

The United Kingdom (UK) has taken steps to address dark patterns. The Competition and Markets Authority (CMA) has a new phase of 'Online Rip-off Tip-off' campaign. This campaign aims to encourage users to ‘spot and avoid misleading online sales tactics’ and to report the organizations involved. The UK government is actively working on reducing the use of dark patterns in online interfaces [ 16 ].

The National Directorate on Consumer Protection and Consumer Arbitration (DNDCYAC) in Argentina has worked with the United Nations Conference on Trade and Development (UNCTAD) on a report ‘Consumer Education and Business Guidance on Dark Commercial Patterns’ [17]. It has recently issued Resolution 994/2021, that forbids some dark patterns or deceptive clauses, for example, sneaking into a basket and presuming a consent from the consumer [18].

In Kenya, the Part VI of the Competition Act No. 12 - 2010, dealing with Consumer Welfare contains provisions such as false or misleading representations and unconscionable conduct [17]. The Competition Authority of Kenya (CAK) relies upon these provisions to deal with dark patterns. These specific provisions are on the supply of products, but they are also used by the government for enforcement against dark patterns [ 19 ].

3. Comparative Discussion of Guidelines on Dark Patterns

This section is mainly focused on a comprehensive comparison among the four guidelines documents of leading G20 countries or regional bodies [ 5 ], on dark patterns. The authorities that have given these guidelines are: CCPA (Central Consumer Protection Authority) for India, EDPB (European Data Protection Board) for European Union, KFTC (Korean Federal Trade Commission) for South Korea and FTC (Federal Trade Commission) for USA.

3.1. Comparison among National Guidelines for Dark Patterns across the Globe Protection Regulation

(GDPR)regulation and compliance Recent Enforcements No enforcement till The Italian Data No enforcement till date Protection Authority date (Garante) issued a EUR 300 k (USD 323 k) fine for the use of dark patterns in breach of the EU General Data Protection Regulation (GDPR) and complaints

consumer

In March 2023, FTC ordered Epic Games to pay USD 245 million for violation of ‘Design elements that lead to unauthorized charges’

The vital observations from the comparative analysis of the guidelines on dark patterns given by different commissions or authorities as depicted in table 1, are as follows: • • • • • • •

All four authorities i.e. CCPA, KFTC, EDPB, KFTC focus on ‘Online Consumer Protection’, while formulating the national guidelines for dark patterns. The FTC and EDPB also focus on ‘Data Protection’ and ‘Consumer Consent Issues’.

The guidelines for dark patterns are issued by a specific regulatory authority, in the case of the CCPA and the KFTC; they are also the enforcement authorities. In the case of the EDPB and the FTC, the guidelines for dark patterns are issued by them as broader regulatory authorities; but they do not look into enforcement. The enforcement is taken care of by the related USA state authorities in case of the FTC. And the national authorities in the EU in case of EDPB as per their respective jurisdictions.

The prohibited practices related to guidelines, show the priorities and concerns of the specific regulatory authorities or commissions. For example, CCPA focuses more on dark patterns related with consumer protection like ‘Basket Sneaking’ and ‘False Urgency’; whereas the EDPB focuses more on data protection and consumer consent issues like ‘Language Discontinuity’ and ‘Conflicting Information’.

The CCPA and the KFTC authorities have not given any specific transparency requirements. The EDPB and the FTC have provided specific transparency requirements, which are specifically targeted towards ‘Consent Issues’ and ‘Data Privacy’.

All the guidelines have a wide range of enforcement mechanisms like administrative fines, legal actions, injunctions, and imprisonment. CCPA is the only authority to include imprisonment as an enforcement mechanism in the guidelines.

The approach on updates and amendments related with guidelines differ significantly. Some authorities like the FTC mentions regular updates on emerging issues, while other authorities focus on periodic reviews of technical advancements and user reviews. The KFTC and the CCPA have not made any updates and amendments to their guidelines as these authorities are the latest to issue guidelines on dark patterns.

In recent times, there have been some enforcements, the FTC where they have fined USD 245 million to Epic Games (the makers of Fortnite video game). In another enforcement, the • •

Italian Data Protection Authority (based on the EDPB guidelines) fined EUR 300 k (USD 323 k) to a marketing agency for breach of the dark pattern guidelines.

UK’s Competition and Markets Authority (CMA) held Microsoft Corp. liable for its unclear upfront terms, difficulty in turning off auto-renewal (Subscription Trap). Their new users were unknowingly paying for unused services in their game pass membership [ 24 ]. This enforcement was conducted based on Consumer Protection from Unfair Trading Regulations - 2008; Part 2 of the Consumer Rights Act (CRA) - 2015; and the Consumer Contracts Regulations (CCRs) - 2013. Microsoft has now made significant improvements following the investigation by CMA [ 25 ].

The Swedish Data Protection Authority (IMY) investigated Klarna Bank AB. It is a multinational company that provides credit and non-credit solutions in 17 countries through various financial services [ 26 ]. Klarna was held liable for misleading and hiding information on data sharing, data storage and data processing from its users. The enforcement was conducted based on several articles from the GDPR. IMY then imposed a fine of SEK 7,500,000 (USD 716 k) [ 27 ].

3.2. Comparison among Guidelines for Dark Patterns on Basis of Their Types

There are a vast variety of dark patterns accessible to companies or entities. All government commissions or authorities do not recognize all the types of dark patterns. Table 2 gives the comparative analysis of the different types of dark patterns defined by regulatory commissions or authorities viz. FTC, EDPB, CCPA and KFTC in their guidelines. The Table 2 is divided into three parts High-Level, Miso-Level and Low-Level Patterns [ 6 ]. This classification could help in both detecting these practices and forming policies to prevent them:

High-Level Patterns: These are the most abstract types of dark patterns. These include general strategies that use manipulative or deceptive elements. These patterns are not confined to any specific context and can be applied across various devices or technologies and application types [ 6 ].

Meso-Level Patterns: This type of dark pattern ties the gap between high- and low-level dark patterns. These include a specific approach at undermining the user’s ability to make an informed decision. These patterns can be interpreted in a way that is required for a specific context [ 6 ].

Low-Level Patterns: These types of dark patterns are very background dependent and include precise execution methods that limits the user’s ability to make decision. These patterns are described in visual or temporal forms or both. These patterns can be detected through various means which include algorithmic, manual or any technical means [ 6 ].

The essential observations from the comparative analysis of the different types of dark patterns given by commissions or authorities as depicted in table 2, are as follows: • • •

Most of the High-Level Patterns are recognized in their reports or guidelines by almost all the government authorities or commission. Some of the patterns are recognized directly and some are them are inferred indirectly in their documents.

It is observed that FTC has the most well-rounded guidelines in their report amongst all. They have recognized the greatest number of patterns compared to other authorities.

EDPB, CCPA and KFTC have recognized almost equal number of types of dark patterns.

The types of dark patterns that are addressed only in report given by the FTC are: ‘Roach Motel’, ‘Immortal Account’ and ‘High Demand’. The number is small because the guidelines given by the FTC are very similar to the guidelines given by EDPB.

The types of dark patterns that are recognized only in guidelines given by the EDPB are: ‘Dead End’, ‘Adding Steps’, ‘Privacy Maze’, ‘Conflicting Information’ and ‘Wrong Language’. The list is sizable because the EDPB also focused on ‘Data Protection’ and ‘Consumer Consent Issues’.

The types of dark patterns that are specifically covered in guidelines given by the CCPA are: ‘Forced Action’.

The types of dark patterns acknowledged only in guidelines given by the KFTC are: ‘Choice Overload’ and ‘False Hierarchy’. The list is small as the guidelines published by KFTC and CCPA are very similar.

3.3. Comparison among Guidelines for dark patterns on basis of Following Norms of Guidelines

It is very important to write effective guidelines of dark patterns. Effective guidelines will always play a pivotal role in helping users and guiding developers towards practices that prioritize user well-being. While writing guidelines for dark patterns, it is important to follow the norms of guidelines given below [ 7 ]. These norms of guidelines have been developed with due consideration to Ben Shneiderman’s Eight Golden Rules of Interface Design [ 4 ].

Start with a Verb: A guideline should start with an actionable verb to convey a specific action or behavior.

Be Concise: A guideline should be brief and to the point, ensuring that it is easy to understand and implement.

One Idea per Guideline: A guideline should focus on a single idea or concept to avoid confusion and maintain clarity.

Use Simple Language: A guideline should use uncomplicated language to enhance accessibility for a diverse audience.

Ensure Actionability: A guideline should be such that it can be easily translated into practical actions.

Length: An ideal guideline should be no more than thirteen words long.

KFTC

Followed Followed Followed

Be Concise

Followed Followed Sometimes Followed

Start with a Verb

Sometimes Followed Sometimes Followed Sometimes Followed

Length (13 words)

Not Followed Not Followed Not Followed

Multi-Language Support Guideline Rank for Compliance

Followed (English

Hindi) 2 + Followed (English Somewhat Followed + 23 EU languages) (Korean + English

Summary) 1 Lacks Compliance

The key observations from the comparative analysis among the guidelines issued by authorities on aspects to keep in mind while writing the regulatory guidelines as depicted in table 3, are as follows:

The rules that are followed by all the guidelines are: ‘Use Simple Language’, ‘One Idea per Guidelines’ and ‘Ensure Accountability’.

None of the guidelines comply with the guideline length which is 13 words.

The EDPB guidelines are the most user friendly as they officially provide the guidelines in English + 23 EU languages, followed by CCPA who provides the guidelines in Hindi + English. KFTC guidelines lack user friendliness as the guidelines are published in Korean and an English summary is available.

EDPB guidelines rank highest in compliance, followed by CCPA guidelines, while KFTC guidelines lack compliance.

4. Conclusion and Future Work

A handful number of countries have published guidelines against dark patterns and these guidelines differ from one another. A few numbers of dark pattern types are recognized in these guidelines. The government commissions or authorities of many countries are still using interpretation of the existing laws to tackle dark patterns. This shows that there has been a limited effort taken by several governments to define suitable guidelines against dark patterns.

The comparative study of dark patterns has highlighted several interesting aspects such as a focus on consumer consent, consumer protection, their transparency requirements and norms of guidelines followed. It is observed that there is a little enforcement effort by the required authorities to counter dark patterns. Companies are still openly using these dark patterns and there have been no enforcement actions against them. The respective authorities must understand that even after defining guidelines; they are required to take some serious enforcement action against the violators.

The variation and dissimilarities among different guidelines proposed by commissions or authorities have made it challenging for the companies / entities to comply with guidelines for dark patterns. All the countries across the globe should come together to create universal guidelines against dark patterns, with a global authority or commission.

UNCTAD Working group on Consumer Protection in e-commerce. https://unctad.org/system/files/informationdocument/ccpb_WG_EC_Report_Dark_commercial_patterns_en.pdf. Accessed February 20, 2024.

[1]

Mathur

Arunesh , Acar Gunes, Friedman Michael J., Lucherini Elena et al. "Dark Patterns at scale: Findings from a crawl of 11K shopping websites." Proceedings of the ACM on HumanComputer Interaction 3 . CSCW, 2019 .

[2]

Pasanen

Valter . "Regulating Dark Patterns through the GDPR and DSA: The potential for a legal loophole?" Master's thesis , 2022 .

[3] Luguri , Jamie, and Lior Jacob Strahilevitz. "Shining a light on Dark Patterns." Journal of Legal Analysis 13 , no. 1 , 2021 .

[4] Shneiderman , Ben. "Shneiderman's" Eight Golden Rules of Interface Design" . 2013 . " Available:(accessed 28-Jul- 2016 ), 2017 .

[5] Cahyadi , Afriyadi, and Róbert Magda . "Digital leadership in the economies of the G20 countries: A secondary research . " Economies 9 , no. 1 : 32 , 2021 .

[6] Gray Colin

, Nataliia

Bielova

, Cristiana Santos, and

Thomas

Mildner . "An Ontology of Dark Patterns: Foundations, Definitions, and a Structure for Transdisciplinary Action . " , 2024 .

[7]

Manchekar

Akshay , Bhutkar Ganesh, and Kurniawan Yohannes. “Overview of Dark Patterns.” in Edited Book - Interactive Media with Next-Gen Technologies and Their Usability Evaluations . CRC Press, 2024 .

[8] Internet

use in

2024 . https://datareportal.com/reports/digital-2024 - deep -dive-the-stateof-internet-adoption . Accessed February 21 , 2024 .

[9]

Asked 500+ People How Brands Deceive Them Online . This is What We Learned . https://www.bluelabellabs.com/blog/deceptive -dark-patterns-stats/ . Accessed February 20 , 2024 .

[10] Dark Patterns in social media platform interfaces: How to recognize and avoid them . https://edpb.europa.eu/system/files/2022-03/edpb_ 03 - 2022 _ guidelines_on_dark_patterns_in_social_media_platform_interfaces_en .pdf. Accessed January 29 , 2024 .

[11] FTC issues illuminating report on digital dark patterns . https://www.ftc.gov/business-guidance/blog/2022/09/ftc-issues -illuminating-reportdigital-dark-patterns . Accessed January 29 , 2024 .

[12] The Guidelines for Prevention and Regulation of Dark Patterns, 2023 . https://consumeraffairs.nic.in/sites/default/files/The%20Guidelines %20for%20Preventi on%20and%20Regulation%20of%20Dark%20Patterns%2C%202023.pdf. Accessed January 19 , 2024 .

[13] Recent Developments in KFTC's Efforts to Regulate Dark Patterns . https://www.kimchang.com/en/insights/detail.kc?sch_ section=4&idx=27534. Accessed February 23 , 2024 .

[14] Dark

Patterns:

User interfaces that make consumers buy and buy more. What are the laws and are dark patterns illegal? https://sharongivoni.com.au/dark-patterns-userinterfaces-that-make-consumers-buy-and-buy-more-what-are-the-laws-and-are-darkpatterns-illegal/ . Accessed February 19 , 2024 .

[15] Worldwide: Demystifying The Dark Patterns . https://www.mondaq.com/india/data-protection/1409018/demystifying-the-darkpatterns. Accessed February 19 , 2024 .

[16] A regulatory deep dive into 'Dark Patterns . https://www.womblebonddickinson.com/sites/default/files/2023- 06 /WBD%20reconnect%20%20A%20regulatory%20deep%20dive%20into%20%27dark %20patterns%27.pdf. Accessed February 19 , 2024 .

[19]

Regulatory

Compendium 2020 -2021 National Directorate of Consumer Protection and Consumer Arbitration . https://www.argentina.gob.ar/sites/default/files/compendio_normativo_dndcac_- _web.pdf. Accessed February 20 , 2024 . COMPETITION ACT No. 12 of 2010. https://www.kenyalaw.org/kl/fileadmin/pdfdownloads/Acts/CompetitionAct_No12of201 0.pdf. Accessed February 20 , 2024 . Asia Internet Coalition (AIC) Industry Submission on Draft Guidelines for Prevention and Regulation of Dark Patterns, 2023 . https://www.google.com/url?sa=t&rct =j&q=&esrc=s&source=web&cd=&ved=2ahUKEwiJj KGnhcuEAxWMSmwGHY11AHoQFnoECBgQAQ&url=https%3A%2F%2Faicasia . org%2Fdo wnload%2F827%2F&usg=AOvVaw01JgeJ4W85YPhV7fkDWpho&opi=89978449. Accessed February 19 , 2024 .

[21]

Dark

Patterns Come to Light in California Data Privacy Laws . https://www.natlawreview.com/article/dark -patterns-come-to-light-california-dataprivacy-laws . Accessed March 20 , 2024 .

[22] California bans 'dark patterns' that trick users into giving away their personal data . https://www.theverge.com/ 2021 /3/16/22333506/california-bans -dark-patternsopt-out-selling-data . Accessed March 20 , 2024 .

[23] Title 11. Law division 6. California Privacy Protection Agency Chapter 1 . California Consumer Privacy Act Regulations. https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf. Accessed March 20 , 2024 .

[24] CMA 's Investigation against Nintendo Switch, PlayStation and Xbox . https://www.deceptive.design/cases/cma-s -investigation-against-nintendo-switchplaystation-and-xbox . Accessed March 20 , 2024 .

[25] CMA secures changes to Xbox subscription practices . https://www.gov.uk/government/news/cma-secures -changes-to-xbox-subscriptionpractices . Accessed March 20 , 2024 .

[26] Swedish

DPA

's Investigation of Klarna Bank AB . https://www.deceptive.design/cases/swedish -dpa-s-investigation-of-klarna-bank-ab . Accessed March 20 , 2024 .

[27] Decisions after supervision in accordance with the General Data Protection Regulation (GDPR) - Klarna Bank AB . https://www.imy.se/globalassets/dokument/beslut/2022/beslut-tillsyn-klarna. pdf. Accessed March 20 , 2024 .

[28] Leiser , M. R. , and

Santos

Cristiana . "Dark Patterns, Enforcement, and the Emerging Digital Design Acquis: Manipulation Beneath the Interface." Enforcement, and the emerging Digital Design Acquis: Manipulation beneath the Interface (April 27, 2023 ), 2023 .