Why the FTC is inspecting dark patterns in digital data privacy and the NAI is bracing for potential regulations

Online manipulation is emerging as a new front in the digital privacy battleground.

Researchers say dark patterns — nuanced design elements intended to coerce people into taking certain actions — can be found in the physical environment from the grocery store aisle to casinos. But they’re especially prevalent in the digital world when it comes to things like e-commerce sales tactics and data tracking opt-out notices. And regulators are taking notice.

The latest example of the heightened scrutiny around the use of dark patterns was a Federal Trade Commission workshop yesterday during which researchers called for regulation of the controversial tactics. Meanwhile, at least one digital ad trade group — the Network Advertising Initiative — is already gearing up for a fight against any new laws or regulations addressing dark patterns.

Speaking during a panel discussion about how dark patterns affect consumers at the FTC’s Bringing Dark Patterns to Light workshop, Ryan Calo, a University of Washington School of Law professor, suggested that the agency should regulate dark patterns because they amount to the sort of unfair and deceptive practices the agency was established to protect consumers against. 

“A hundred years ago, that is what Congress told the FTC to do: figure out which practices that companies are doing that are just too unfair to let go. They spoke in very overt, moralistic language about it. And so my hope is that dark patterns is a place that we can begin to reclaim that role for this great commission,” he said.

The issue is especially timely in relation to the ways digital media and ad tech firms provide people with notice and solicit their permission to collect and use their personal information. 

Right now in response to privacy laws, including Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), people are presented with notices about use of cookies or other tech for data tracking, often referred to as consent notices. Many of these notices highlight options to agree to accept third-party cookies or other forms of tracking more prominently than links to opt out from data collection and use, practices that privacy researchers consider to be examples of dark patterns. 

Digital ad industry braces for a battle on dark patterns

Already, in California, regulations approved in March to enforce the CCPA specifically ban the use of dark patterns that delay or obscure the process for opting out of the sale of personal information or bombard people with confusing information or excessive steps. Considering the recent California ban and increased interest from the FTC, the digital ad industry sees the writing on the wall and is bracing for a battle with regulators on the dark patterns issue.

In an op-ed published in Morning Consult the morning of the agency’s workshop, the Network Advertising Initiative’s vp of policy David LeDuc wrote that, while it’s important for state and federal law enforcers to understand the use of dark patterns in protecting against marketing scams, “policymakers should resist the urge to legislate around the concept of dark patterns — it’s not necessary, given existing authorities. In addition, new laws could undermine legitimate companies’ best intentions to educate their customers,” he wrote. 

Instead, in addition to supporting a federal privacy law, LeDuc said he wants continued reliance on industry self-regulation. He urged lawmakers “to provide the FTC with more resources to enforce the law under its existing unfairness and deception authorities and educate consumers and businesses, not to enact legislation specific to regulating the use of digital user interfaces.”

Changing coercive privacy opt-out notices to human-centered ones

During the FTC panel discussion, Jennifer King, privacy and data policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence, identified how dark patterns exist within data collection mechanisms. Default opt-ins to data tracking and requests to gather information that is not necessary for a system to operate — such as asking to track location data in a mobile app or requesting someone’s phone number — are intended to “coerce or manipulate individuals into consenting to the collection or disclosure of their personal information either at all or more than they would actually prefer to disclose,” she said. 

“One area that I’m concerned with in general is that of online consent — and so, those existing mechanisms by which we ask for consent. I think they’re pretty much a complete failure at this point,” King said. For instance, she added, “One of the things we look at is whether the accept button is highlighted in advance; you can argue that’s a dark pattern.” 

Companies within the digital ad industry seem to be incentivized to adopt dark patterns to protect their targeted advertising businesses against regulatory restrictions. Some publishers and ad tech execs have suggested the impact of CCPA-related opt-outs on ad revenues has been minimal in part because consent mechanisms make it easier for people to agree to data tracking enabling targeted ads that deliver higher ad revenues.

However, while data tracking has enabled ad targeting that allows advertisers to aim ads at audiences based on their interactions across the web and apps, King and other researchers are calling for the ad industry to completely revamp its approach to how it tells people about those practices and how it gets the OK from them to continue gathering data.

Instead of employing the current approach of translating legal contract language into a digital interface, she called for a shift to notice-and-consent mechanisms that incorporate “human-centered” approaches that more clearly communicate the terms of the transaction when a person is asked for their data.

“The present mechanism of hitting ‘I accept’ with no attempt to actually inform you in a user-friendly way of what you’re consenting to is potentially inherently manipulative, and I’d really like to see solutions that go further than just giving us kind of new looks on existing interfaces,” she said. 

King added that Apple’s new requirement that app publishers directly ask people whether they want to be tracked across other apps alters this standard framework for notice-and-consent design in a positive way. “This is going to be a very interesting kind of live experiment to see how well this works,” she said of the Apple changes.
