Legal cases from around the world that relate to dark patterns
Elevate your business with 10x more data, advanced filters, and exclusive insights.
The Wisconsin Senate passed a law requiring disclosure when political ads use AI-generated "synthetic media." The law mandates a clear label, "Contains content generated by AI," on campaign-related materials, with violators facing a $1,000 penalty per offense. This move reflects a broader trend across states like California, Michigan, Minnesota, Texas, and Washington, to prevent deception in elections in anticipation of the 2024 presidential election.
Florida has passed a law banning anyone 14 and younger from using social media platforms. The law, which could result in fines of up to $50,000 per violation, also requires social media companies to terminate existing accounts of minors and requires proof of age for new account registrations, and imposes parental consent requirements and age-verification. The law has been signed by the Florida governor and is now enacted, with an effective date of January 1, 2025. It includes a list of exceptions, such as email, direct messaging, streaming services, and online shopping sites.
Maryland's legislature is considering a bill, the Maryland Kids Code, that would prohibit companies from spying on minors and using their data for targeted ads or online manipulation. It mandates privacy by design and default for online products and services accessed by children and teens under 18. If passed, companies would be prohibited from profiling children for personalized ads and would be required to enable the highest privacy settings by default. The bill also defines and prohibits the use of dark patterns and other unfair, abusive, or deceptive trade practices.
The Texas Deceptive Trade Practices Act (DTPA) prohibits false, misleading, or deceptive acts or practices in trade or commerce. It also prohibits advertising goods or services without the intent to sell them as advertised and failing to disclose information that would have influenced the consumer's decision to enter into a transaction.
The Ontario Securities Commission (OSC) report delves into the use of dark patterns and other digital engagement practices in investing platforms. The findings indicate that these patterns, which can disguise investing costs, obtain personal information without informed consent, and make it difficult for investors to withdraw funds or close accounts, are prevalent and potentially harmful to investor welfare. The report also addresses other digital engagement practices such as dark nudges, sludge, and targeted advertising. It notes the risks these practices pose, including the difficulty in cancelling subscriptions, the use of complex language within fee schedules, and the removal of process steps in trade execution. The OSC urges for more research in this area and for firms to consider the negative impact of these practices on clients' decision-making.
The New York governor proposed a Buy Now Pay Later legislation, introducing a licensing requirement, limiting charges, and requiring an ability-to-repay analysis for BNPL products. The legislation also prohibits confessions of judgment, misleading advertisements, and excessive penalties or fees. It mandates clear disclosure of terms, costs, and the refund process for goods or services purchased with a BNPL loan.
The District of Columbia Consumer Protection Procedures Act aims to protect consumers from unfair and deceptive business practices. It establishes the right to truthful information from merchants and prohibits false advertising (such as not showing the final price), misleading representations of fact.
In 2023, the Australian government shared a proposed prohibition on unfair trade practices for comment, including a discussion on dark patterns and their regulation under existing law. The results of the consultation, which targets online practices such as dark patterns, hard-to-cancel subscriptions and click wrap consents for tracking and data collection, is expected to be shared this year.
On the 29th of February 2024 the Consumer Financial Protection Bureau (CFPB) issued a circular explaining how comparison-shopping tools can violate the Consumer Financial Protection Act (CFPA) by steering consumers to certain products or lenders. The circular highlights how these tools use algorithms to prioritize recommendations and emphasizes that financial agreements resulting in preferential treatments are considered abusive, because consumers typically rely on the assumption these providers will act in their best interests. The CFPB warns that dark patterns that create the illusion of competition, violate consumer financial protection laws.
The Digital Services Act (DSA) is a legislation in the EU that applies to all digital service providers. It prohibits the use of dark patterns to deceive or bias users and requires platforms used by minors to have high levels of privacy and security. The DSA also prohibits designing online interfaces to manipulate or impair users' decision-making.
The Illinois House of Representatives is considering a new privacy law prohibiting dark patterns. The law defines consent as a clear, freely given, specific, informed, and unambiguous act, and explicitly states that consent does not include agreements obtained through dark patterns or deceptive design patterns. Dark patterns are defined as UI designs that substantially subvert or impair user autonomy, decision-making, or choice.
The Federal Communications Commission (FCC) has banned robocalls that use artificial intelligence (AI) voices to combat scams and misinformation. The decision allows the FCC to fine companies using AI voices in calls, block service providers carrying them, and enables recipients to file lawsuits. Violators face fines up to $23,000 per call, and call recipients can seek damages up to $1,500 per unwanted call.
New Hampshire's Senate Bill 255, a new comprehensive privacy law, was signed and will go into effect on January 1, 2025. The law defines expansive categories of sensitive data and introduces specific definitions of consent, prohibiting the use of dark patterns for obtaining consent. It also introduces key provisions such as individual rights for consumers, privacy by design principles, and obligations for processors. The law provides stronger protections for children's data and restrictions on targeted advertising.
New Jersey has enacted Bill 332, becoming the 14th state to have a comprehensive state privacy law. The law, effective from January 2025, applies to controllers conducting business in New Jersey or targeting New Jersey residents. It includes obligations for controllers such as data minimization, privacy notice requirements (including a reasonably accessible, clear, and meaningful privacy notice), obtaining consumer consent for sensitive data, and implementing data security practices. The law also introduces a universal opt-out mechanism for targeted advertising or data "sale" and standard consumer rights.
Earlier this month, California introduced Assembly Bill 2863, proposing amendments to the state's Automatic Renewal Law (ARL). If passed, the amendments would impose stricter requirements on disclosures, consent, and cancellation processes. Businesses would be mandated to obtain a consumer's affirmative consent separately from other contract terms for any automatic renewal or continuous service offer, and keep records of this consent for at least three years, or one year after contract termination. The amendments would also prohibit businesses from employing dark patterns in contracts and misrepresenting material facts related to the transaction or the underlying goods or services.
The California Privacy Rights Act (CPRA) will now be enforced immediately, rather than waiting until March 29, 2024. The CPRA prohibits dark patterns, especially for consent, and any behavior that substantially subverting or impairing user autonomy, decisionmaking, or choice. Businesses need to comply with existing regulations associated with the California Consumer Privacy Act (CCPA). The CCPA applies to businesses with a gross annual revenue over $25 million, those buying, selling, or sharing personal information of 100,000 or more California residents, or those deriving 50% or more of their annual revenue from selling California residents' personal information.
The Artificial Intelligence Act, one of the world's first binding pieces of legislation on AI, focuses on ethical use, prohibiting the use of dark patterns within AI systems. It aims to ensure AI systems do not exploit user vulnerabilities, balancing technological innovation and consumer protection. The final text was recently updated and fixed to provide further clarification and fix errors.
The Utah Consumer Privacy Act (UCPA) prohibits processing of a resident's personal information without clear notice and an opportunity to opt out. While it shares similarities with laws in California, Virginia, and Colorado, it is more business-friendly and excludes employment or commercial data. It mandates transparency, consent for children's data processing, security measures, and prohibits discrimination. However, it does not provide a private right of action for consumers and is seen as less strict compared to similar laws in other states.
Senate Bill S.289, introduced in Vermont on January 17, 2024, aims to create an age-appropriate design code. The bill applies to entities that collect personal data, operate within Vermont, and meet certain thresholds related to revenue or data collection. The bill mandates processing children's data in their best interest, conducting a Data Protection Impact Assessment for online services accessed by children, and using clear language suited to the age of children. Moreover, it prohibits profiling children by default, unnecessary processing of precise geolocation data, and the use of dark patterns to obtain excessive personal data. If enacted, the bill would take effect on July 1, 2024.
The APRA is a significant bipartisan effort to establish comprehensive data privacy legislation in the United States. Regarding Dark Patterns, the Act would prohibit dark patterns used to distract a consumer from a required notice, impair the ability to access their rights, or get consent. It extends jurisdiction to include nonprofit organizations and common carriers, with exemptions for small businesses. Key provisions include a private right of action, stringent data minimization requirements, and affirmative express consent for sensitive data transfer. The bill prioritizes protection for minors and imposes additional obligations on large data holders, high-impact social media companies, and data brokers. Covered entities must designate qualified privacy and data security officers and undergo annual compliance certification. The FTC will oversee enforcement of the APRA, marking a significant step toward enhancing data privacy rights nationwide.
On the 20th of march 2024, the Ticket Buyer Bill of Rights Coalition endorsed a bipartisan legislation in Colorado aiming to improve consumer protection and transparency in ticketing by fighting dark patterns. The bill prohibits hidden fees, ticket price increases after selection, and the use of deceptive websites, while ensuring refunds for cancelled events. It also promotes competition and fair regulation in both primary and secondary ticket markets. The bill is set to be heard in the Assembly’s Business Affairs and Labor Committee on April 11, 2024.
The Nebraska Data Privacy Act, approved in April 2024, outlines specific coverage thresholds, incorporates explicit language for universal opt-out mechanisms, and prohibits the use of dark patterns to obtain consent from data subjects. The act defines dark patterns as user interfaces designed or manipulated to substantially subvert or impair user autonomy, decision-making, or choice.
Virginia's House Bill (HB) 744, effective from July 1, 2024, amends continuity billing regulations. It requires businesses to provide additional notifications to consumers before contracts extend under automatic renewal clauses. The bill applies to both business-to-consumer and business-to-business contracts. Changes include a broader application of continuity billing contracts, additional notifications about the automatic renewal process, and the prohibition of charging a consumer's financial account for an automatic renewal without first obtaining the consumer's affirmative consent.
The Maryland Legislature approved the Maryland Online Data Privacy Act of 2024 (MODPA) on April 6, 2024, which is expected to be signed into law by Governor Wes Moore and come into effect on October 1, 2025. The Act explicitly mentions dark patterns and excludes agreement obtained through the use of dark patterns from the scope of "consent."