Dark Pattern: the pitfalls of the web 👾
“Dark Patterns” are a subject that concerns us all. Far from being dark, dark patterns are nevertheless designed to operate in the shadows and without your knowledge.
Dark patterns: what are they?
If you go online, you’ve probably come across popups like this one:
The website tells you how it uses cookies and other data. Even though you don’t always have to accept these terms, it will seem like you do, simply because most websites design their notifications to make you click on what they want without you really realising it: this is called « Dark Patterns ». In January 2019, the CNIL Innovation Laboratory (abbreviated as LINC) published a study on dark patterns in its IP notebook n°6: The shape of choices. According to this report, some of these practices may remain compliant from the point of view of the GDPR, but depending on the case, the manner and the techniques involved, they may either raise ethical questions or become non-compliant, and « when the various [dark pattern] techniques are implemented with the aim of accumulating more data than necessary on individuals, customers or citizens, they no longer only raise questions of ethics and the responsibility of digital services with regard to attention-grabbing in particular, but they also come up against the basic principles of the GDPR, which gives individuals greater rights with regard to the use made of their data » (page 27).
Source: the shape of the choices
The CNIL identifies four objectives for dark patterns:
- « Push the individual to share more than is strictly necessary »
- « To influence consent »
- « Create friction to data protection actions »
- « Distract the individual ».
The Dark Pattern Detection Project has identified 20 different types of dark patterns, which it has grouped into 5 categories (which we will illustrate in a later article): pressure tactics, obligations, obstacles, secrecy and tricks designed to achieve the objectives mentioned above.
Today we will focus on the third objective, which, in other words, aims to discourage users from exercising their privacy rights, and we will highlight the most visible types of dark patterns.
Privacy rights
Since the advent of the GDPR, a new privacy regulation in Europe implemented in May 2018, companies are obliged to ask for users’ consent before using their confidential and other data. This is of course a hindrance for most companies that make money from processing user data (like Google and Facebook, for example). These websites therefore rely on the consent of their users in order to process their data, and users are highly unlikely to give that consent of their own accord.
To increase their chances of getting consent, websites use Dark Patterns and design their forms so that it is very easy to validate consent.
Too much reading? Let’s go to a concrete case!
Example 1: the dark pattern in everyday life
Companies use designs, symbols and warnings to influence users’ decisions
Very often notifications appear when the user is in a hurry and wants to use a service immediately. This is not a coincidence. This puts pressure on the user to make a decision in a hurry so that they can use the services quickly: you guessed it, this is a pressure technique.
Example: trying to access websites.
Only the validation buttons are highlighted and when we are pressured, we feel we have no choice but to accept.
Before March 2021
Example 2: WhatsApp and GDPR
Have you ever tried to object to the use of your personal data by WhatsApp? This is not even an option in the app. You have to go to the WhatsApp website, under the help centre. The video below will show you where to find this information:
The CNIL intervenes to regulate certain dark patterns
- Activating or pre-ticking a consent box
- The continuation of activity on a website or application as a sign of consent to the deposit of cookies or the use of trackers
- The absence of the possibility of refusing in a single action all the data processing carried out by the service on the basis of consent (« Refuse all » button)
- A more complex action to refuse the deposit of cookies or the use of trackers than to accept it