What are deceptive design patterns (DDPs)?
Charlotte Henderson and Kaitlyn Clarke
Have you ever received a marketing email with a countdown to the end of the sale, only to get another one after the countdown hits zero saying the sale has been extended? Or maybe you have advertised a product of your own as having a limited number of units, when in reality, there are more to go around? You may have even had a good laugh reviewing website cookie preferences when you noticed that one of the options was “No, I don’t like cookies.”
While these examples are mostly innocuous, sometimes even humorous, they are all examples of deceptive design patterns (“DDPs”), also known as dark patterns. DDPs are manipulative design practices on websites and apps that attempt to influence or coerce users into making decisions against their best interests, and they are far more common than you might think.
As the use of DDPs in the marketing of goods and services increases across the globe, consumer protection and data privacy agencies are scrambling to regulate what has been deemed a growing threat to consumers. In Canada, the Office of the Privacy Commissioner (OPC), in collaboration with provincial and territorial privacy authorities, recently published a joint resolution (the “Resolution”) addressing the use of DDPs in the Canadian marketplace.
Although some DDPs contravene existing laws, most do not, and the Resolution highlights a need for Canadian organizations to re-evaluate their platform designs to minimize liability risks. The urgency is underscored by findings in the OPC’s 2024 Sweep Report, which revealed that 99% of the examined websites and apps accessible in Canada contained at least one DDP.
With DDPs being as prevalent as they are, what should organizations and individuals be on the lookout for? Although there are 16 recognized types of DDPs, they all broadly fit into one of the five categories of dark commercial practices identified by the Organisation for Economic Co-operation and Development:
- Inaccessible language: the use of overly technical or lengthy terms and conditions that obscure important information;
- Interface interference: design elements that influence a user’s perception and understanding of their privacy options;
- Nagging: persistent prompts that pressure users to take specific actions;
- Obstruction: unnecessary steps that hinder users from effecting changes in line with their privacy-related goals; and
- Forced action: requiring or tricking users into providing unnecessary personal information to access a service.
Specific examples of DDPs include emphasizing some visual elements and selections while obscuring others (ex: a prominent “ACCEPT ALL” button beside a muted “continue without accepting” link) to funnel users towards the less privacy-protective option, and preselecting more privacy-intrusive preferences by default. DDPs also include the use of baseless countdown timers to create a false sense of urgency; using false scarcity (ex: “only 10 units left” when there are more than 10 units left); and using charged emotional language (ex: “No thanks, I’m not into saving”) to push users towards an option preferred by the organization but not necessarily by the consumer.
Generally, if it is untrue, then it is probably a DDP. For example, scarcity is a legitimate and perfectly acceptable marketing practice when it is true. It only becomes a DDP when it is false, at which point it becomes a liability of the organization.
There is no doubt that some DDPs involve particularly harmful and manipulative practices, including hidden subscriptions that consumers are unknowingly enrolled in and find hard to cancel, or deliberately taking consumers’ personal information without their knowledge or informed consent. In many cases, these DDPs cross into outright illegality and can be avoided simply by complying with the relevant legislation, including data protection and anti-spam legislation.
Unfortunately, most DDPs do not rise to the level of legislative non-compliance but rather fall into a gray area between tricks of the marketing trade and dark commercial practices. This is the line that organizations must walk.
International responses to DDPs
The Resolution reflects increasing international concern surrounding DDPs, particularly on websites and apps targeting children, where DDPs were found in spades.
Already, some countries have begun to punish organizations that engage in dark commercial practices. For instance, Epic Games was recently fined $245 million (USD) for employing DDPs to manipulate users into making unintended purchases. Similarly, Microsoft has been fined €60 million by the French Data Protection Authority for placing non-essential cookies without sufficient user consent, a dark commercial practice, but also a violation of the European Union’s widely applicable General Data Protection Regulation (“GDPR”).
Responding to related concerns about the online safety of children, the Australian parliament has approved legislation that would ban children younger than 16 years of age from accessing social media platforms such as X, TikTok, Instagram, and Facebook. Although this ban has yet to come into force, it will see social media companies fined up to AUD $50 million for non-compliance.
Together, these measures signal a growing global intolerance for the use of DDPs on digital platforms, but especially when such DDPs target children.
While it would be easy to look at DDPs in a vacuum, the reality is that they are only one small part of a global shift that is slowly starting to recognize the harms associated with widespread interconnectivity and access, particularly on the most vulnerable groups of online users: children.
Implications for Canadian organizations
In Canada, the Resolution joins a host of changes to the privacy regulatory landscape, including Bill C-27, the Digital Charter Implementation Act (“Bill C-27”), and Quebec’s Law 25, which have fundamentally changed the privacy landscape in Canada over the past couple of years.
Although Bill C-27 died with the proroguing of Parliament in early 2025, many believe that it will be re-introduced in short order given the much-needed modernization of Canada’s privacy legislation. Assuming the text of Bill C-27 remains relatively unchanged upon its potential reintroduction, Canada could see a significant increase in the penalties for privacy violations, and therefore for certain DDPs. These increases, up to the greater of $10 million or 3% of an organization’s global revenue from the previous financial year, would largely align Canada’s private-sector privacy regime with that of the GDPR and Quebec.
With these changes, marketing best practices will likely attract additional legal scrutiny given the weighty consequences. Organizations with websites and mobile apps ought to consider proactive action to limit their exposure to liability while also acting in the best interests of their consumers. The OPC recommends that public and private sector organizations:
- Implement privacy-by-design principles, prioritizing the best interests of young people;
- Limit the collection of personal information to that which is necessary for the purpose of the collection, use, and / or disclosure;
- Promote transparency when collecting personal information to comply with privacy laws and foster trust with their users and consumers;
- Identify and reduce DDPs within their platforms; and
- Adopt privacy focused design elements that align with Canada’s privacy legislation.
The importance of being aware of DDPs cannot be overstated. As a consumer, awareness of DDPs is important for safe browsing and helps to ensure that your personal information and your wallet are safe. For an organization that markets its goods and services, the risks posed by using DDPs, even unintentionally, are not only harmful to goodwill but could also lead to fines in the tens of millions of dollars. The risk of such fines increases sharply where the DDPs intersect with legislative non-compliance, most acutely with anti-spam and data privacy legislation.
With the digital marketplace evolving rapidly, it is critical for organizations to stay on top of both legislative changes and best practices. The safety and modernization of our digital landscape falls on the shoulders of organizations, which must commit to navigating the often-challenging privacy landscape while continually engaging stakeholders to modernize their marketing practices. Our team of experienced lawyers can assist in navigating these changes, ensuring compliance, reducing liability risks, and aligning digital practices with Canada’s evolving privacy standards and beyond.
Lawyers from our Privacy Group are regional leaders in connecting privacy, AI, and the legal requirements for businesses, and are well positioned to provide strategic advice.
This client update is provided for general information only and does not constitute legal advice.