---
title: "Dark Patterns: What They Are and How to Avoid Them"
description: "When users interact with your website, they assume the interface is working in their interest. Dark patterns break that assumption. These are design choices that can be subtle or brazen, that nudge, pressure, or trick visitors into actions they didn't consciously choose. Think agreeing to data collection, enrolling in a subscription, or accepting terms they never read. The term was coined by London-based UX designer Harry Brignull, who defines a dark pattern as a user interface that appears to have been crafted to trick users into doing things that are not in their interest and is usually at their expense. [&hellip;]"
url: https://www.cookiebot.com/en/dark-patterns/
categories: [Uncategorized]
---

# Dark Patterns: What They Are and How to Avoid Them

## At a Glance

**Key Takeaways**

- **Definition:** A dark pattern is a user interface deliberately designed to manipulate visitors into decisions that serve the business at the user's expense, exploiting cognitive biases rather than providing genuine choice.
- **Common types:** Sneaking, forced continuity, roach motel, misdirection, privacy Zuckering, confirmshaming, bait and switch, disguised ads, hidden costs, trick questions, and relentless repeated requests are among the most widely documented.
- **How they work:** Dark patterns exploit predictable cognitive shortcuts, such as the default effect, urgency bias, and loss aversion, to steer users toward actions they would not freely choose with full information.
- **Regulatory exposure:** The GDPR, CCPA/CPRA, COPPA, the EU's Digital Services Act, and active FTC enforcement all create meaningful legal and financial risk for businesses that rely on deceptive design.
- **Enforcement:** Amazon's USD 2.5 billion FTC settlement in September 2025 confirms that deceptive UX patterns carry significant financial and reputational consequences.
- **What to do:** Transparent consent flows, honest choice architecture, and a cookie consent management platform like Cookiebot by Usercentrics help website owners stay compliant and build lasting user trust.

When users interact with your website, they assume the interface is working in their interest. Dark patterns break that assumption. They are design choices, subtle or brazen, that nudge, pressure, or trick visitors into actions they did not consciously choose: agreeing to data collection, enrolling in a subscription, or accepting terms they never read.

The term was coined by London-based UX designer Harry Brignull, who defines a dark pattern as a user interface that appears to have been crafted to trick users into doing things that are not in their interest and is usually at their expense. What makes them particularly effective is that they work with the grain of human psychology, exploiting the way our brains take shortcuts under information overload.

For website owners and marketers, understanding dark patterns and actively avoiding them is no longer optional. Regulators globally have moved from issuing guidance to levying significant fines. Data protection authorities have frowned on dark patterns for years, and now they are increasingly prohibited by law.

This article explains what dark patterns are, how they operate, where enforcement is heading, and, crucially, how to build a transparent UX that protects your users and your business.

## **Common Types of Dark Patterns**

Dark patterns appear in many forms across websites, apps, checkout flows, and consent interfaces. Below are the most frequently encountered, each designed to steer users toward outcomes that benefit the company at the expense of genuine informed choice.

### **Sneaking**

Sneaking occurs when key information is concealed or obscured to push users toward a particular action. Hidden fees that surface only at checkout, pre-selected checkboxes that enroll users in marketing lists, or automatic signups triggered without explicit consent all fall into this category. The user technically agrees, but only because the relevant facts were buried.

### **Forced Continuity**

Many subscription services let users sign up for a free trial but charge them automatically once it ends, often without a meaningful reminder. When cancellation is made deliberately complex and requires multiple confirmation steps or a customer service call, the inconvenience itself becomes the mechanism of retention.

### **Roach Motel**

Named for the principle that you can check in but never check out, the roach motel pattern makes joining a service trivially easy while making leaving as difficult as possible. Users may have to navigate multiple menus, send written cancellation requests, or contact support teams. The friction is engineered to discourage departure.

### **Misdirection**

Misdirection uses visual hierarchy and design emphasis to steer users away from options they might otherwise choose. A prominent, brightly colored "Accept All" button paired with a small, greyed-out "Manage Preferences" link is a familiar example in the consent banner context. The asymmetry is not accidental.

### **Privacy Zuckering**

Named after Facebook's founder, privacy Zuckering describes practices that lead users to share more personal data than they intended. This typically happens through vague or misleading privacy settings, overly broad default permissions, or consent interfaces that conflate different purposes under a single approval. Users believe they have protected their privacy, only to discover later that they consented to far more than they realized.

### **Confirmshaming**

Confirmshaming uses emotionally loaded language to make declining an offer feel uncomfortable. Pop-ups that present a "No thanks, I don't want to save money" decline option are a common example. The goal is to create a small but effective sense of guilt or embarrassment that nudges users back toward acceptance.

### **Bait and Switch**

In a bait and switch, users expect one outcome but receive another. A button that appears to close a pop-up but instead triggers a subscription signup is a typical implementation. By exploiting habitual user behavior, such as clicking the X to dismiss, the pattern achieves engagement the user never consciously authorized.

### **Disguised Ads**

Disguised ads are promotional content styled to look like editorial material, navigation elements, or user-generated content. Because they closely mimic organic content, users interact with them without recognizing them as advertisements. This erodes the distinction between paid promotion and genuine information.

### **Hidden Costs**

Hidden costs are additional charges, such as service fees, processing fees, or mandatory add-ons, that appear only at the final step of a transaction. By the time a user discovers the real total, they have already invested time and intent in completing the purchase. That sunk cost makes them more likely to proceed than to start again elsewhere.

### **Trick Questions**

Trick questions use confusing or double-negative phrasing to produce unintended responses. A form asking users to "Uncheck this box if you do not wish to receive promotional emails" is a classic example. The grammar is technically correct, but the cognitive load is high enough that many users will make the opposite choice from the one they intended.

### **Relentless Repeated Requests**

A more recent and increasingly documented tactic involves offering a meaningfully better experience to users who comply with data requests while subjecting those who decline to persistent, disruptive re-prompting. A user who accepts targeted advertising sees no further interruption while a user who declines may encounter the same consent request on every visit.

## **The Psychology Behind Dark Patterns**

Dark patterns are effective precisely because they work with, not against, normal human cognition. Rather than relying on deception that users would immediately recognize, they exploit well-documented cognitive biases. These are the mental shortcuts our brains use to process information quickly.

The default effect is one of the most powerful. People are strongly inclined to stick with whatever option is pre-selected, which is why default opt-ins for data sharing, pre-checked newsletter boxes, and permissive cookie settings generate far higher "acceptance" rates than their opt-in equivalents would.

Urgency and scarcity triggers work similarly. Countdown timers, "only two remaining" notices, and limited-time offers create artificial time pressure that pushes users toward impulsive decisions. In many cases — particularly in mobile gaming — the scarcity is entirely fabricated: the same offer reappears once the timer expires.

The cumulative effect of these tactics is significant. Users may make unintended purchases, share more data than they intended, or remain enrolled in services they wanted to cancel. For businesses, the short-term conversion lift comes at the cost of trust, loyalty, and increasingly, legal exposure.

## **Dark Patterns in Practice: Three Enforcement Cases**

Prevalence data makes sobering reading. A [2022 European Commission behavioural study](https://op.europa.eu/en/publication-detail/-/publication/606365bc-d58b-11ec-a95f-01aa75ed71a1/language-en/format-PDF/source-257599418) found that 97 percent of the most popular websites and apps deployed at least one deceptive design tactic. A [2024 sweep by the FTC, ICPEN, and GPEN](https://www.fairpatterns.com/post/dark-patterns-are-a-real-threat-from-global-statistics-to-real-life-applications-awareness-is-key) across 642 companies' sites and apps found that 75.7 percent used at least one dark pattern, with 66.8 percent using two or more.

A parallel [EU study of 399 retail websites](https://ec.europa.eu/commission/presscorner/detail/en/ip_23_418) found nearly 40 percent relied on manipulative practices. The following cases illustrate what enforcement looks like in practice.

### **Amazon Prime: The "Iliad Flow"**

Amazon's Prime cancellation process became one of the defining enforcement cases of the decade. For years, cancelling a Prime subscription required navigating what Amazon employees internally called the "Iliad Flow".

This was a multi-page process designed to remind users of Prime benefits, present ambiguous button labels, and repeatedly prompt reconsideration before allowing cancellation to proceed. Internal documents revealed that employees had described unwanted Prime subscriptions as "an unspoken cancer" and acknowledged that simplified cancellation would hurt revenue.

On September 25, 2025, [Amazon agreed to pay USD 2.5 billion](https://www.ftc.gov/news-events/news/press-releases/2025/09/ftc-secures-historic-25-billion-settlement-against-amazon) to settle FTC allegations under the Restore Online Shoppers' Confidence Act (ROSCA).

The settlement included a USD 1 billion civil penalty — the largest ever for an FTC rule violation — and USD 1.5 billion in consumer redress to an estimated 35 million affected customers. Amazon was required to redesign its enrollment and cancellation flows to include clear upfront disclosures and straightforward cancellation options.

### **Ticketing Platforms and Hidden Fees**

Ticketing platforms have long used late-stage fee disclosure as a dark pattern. A ticket advertised at USD 50 may cost USD 80 or more once service charges, facility fees, and processing costs are revealed at the final checkout step — often without clear explanation of what the fees are for.

By surfacing these charges only after users have invested time and intent in the purchase, platforms rely on the psychology of sunk cost to discourage abandonment.

### **Mobile Games and Fake Urgency**

Many mobile games deploy false urgency through countdown timers attached to in-game offers. The timer creates the impression that a deal will disappear, pressuring players into impulse purchases.

In practice, the same or a nearly identical offer typically reappears once the timer expires — the scarcity was never real. This tactic is particularly concerning in games accessible to children, where COPPA-related obligations add an additional regulatory dimension.

## **Regulations and Laws That Address Dark Patterns**

Regulatory treatment of dark patterns has moved rapidly from guidance to direct enforcement. The following frameworks are directly relevant to website owners and marketers operating in or targeting U.S. and EU audiences.

### **The General Data Protection Regulation (GDPR)**

The GDPR sets out strict requirements for how websites collect personal data from visitors in the European Union. For consent to be valid under the GDPR, it must be freely given, specific, informed, and unambiguous. This means that deceptive design has no place in a compliant consent flow.

For website owners, this matters in practical terms. Pre-ticked checkboxes, buried opt-out options, and misleading button labels are not minor UX choices. They are potential GDPR violations.

Supervisory authorities have issued significant fines for exactly these practices, and the regulatory appetite for enforcement shows no sign of diminishing. For example, in September 2025, [France’s CNIL fined a subsidiary of fast fashion retailer Shein EUR 150 million](https://www.cnil.fr/en/cookies-placed-without-consent-shein-fined-150-million-euros-cnil).

Among other issues, inspectors found the "Reject all" option was buried behind multiple clicks while "Accept all" was prominently displayed, a violation of Article 7's freely given consent requirement. They also found cookies were installed before users gave permission, and that the "Reject all" option didn't always function correctly.

### **EDPB Guidelines on Deceptive Design**

In February 2023, the European Data Protection Board finalized [Guidelines 03/2022](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-deceptive-design-patterns-social-media_en) on Deceptive Design Patterns in Social Media Platform Interfaces.

While the guidelines focus on social media, the EDPB has made clear that the underlying GDPR principles apply across all sectors, particularly the [Art. 5 GDPR](https://gdpr.eu/article-5-how-to-process-personal-data/) requirements for fair and transparent processing.

The EDPB provides a taxonomy of six dark pattern categories with direct implications for consent banner design:

- **Overloading:** Overwhelming users with requests to prompt data sharing
- **Skipping:** Designing interfaces so users bypass data protection considerations
- **Stirring:** Using emotional appeals or visual nudges
- **Hindering:** Obstructing access to privacy controls
- **Fickle interface:** Inconsistent interface design that creates confusion
- **Left in the dark:** Concealing privacy information or controls

A banner that makes accepting cookies a single click while requiring multiple steps to reject them falls within the "hindering" category. Color choices that make "Reject" visually recessive relative to "Accept" constitute "stirring."

### **The Digital Services Act (DSA)**

The [Digital Services Act (DSA)](https://usercentrics.com/knowledge-hub/digital-services-act-dsa-digital-markets-act-dma-us-businesses/) became directly applicable across the EU on February 17, 2024, and for the first time brought explicit, codified prohibitions on dark patterns into EU digital law.

Article 25 of the DSA prohibits platform providers from designing or operating online interfaces in ways that deceive, manipulate, or materially impair visitors' ability to make free and informed decisions. For website owners and businesses operating online platforms in the EU, this represents a meaningful addition to the compliance landscape.

While the DSA's dark patterns provisions do not duplicate protections already addressed by the GDPR or the Unfair Commercial Practices Directive, they extend the regulatory net and carry significant financial consequences.

Fines can reach up to 6 percent of a platform's total global annual turnover. Enforcement to date has concentrated on [Very Large Online Platforms (VLOPs)](https://ec.europa.eu/commission/presscorner/detail/en/ip_23_2413), with active investigations involving Meta, Temu, and X (formerly Twitter).

Looking ahead, the European Commission has confirmed plans to propose a [Digital Fairness Act](https://www.digital-fairness-act.com/) in the fourth quarter of 2026, which is expected to further strengthen protections against dark patterns, addictive design, and manipulative personalization practices.

### **The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)**

The [California Consumer Privacy Act (CCPA)](https://www.cookiebot.com/en/what-is-ccpa/) requires businesses to be transparent about how they collect and use personal data, and to make it straightforward for California consumers to exercise their privacy rights.

Crucially, opting out of data sales and sharing must be no more difficult than opting in. This is a requirement that directly targets consent flows and data-sharing interfaces designed to discourage action.

The [California Privacy Rights Act (CPRA)](https://www.cookiebot.com/en/cpra/), which amended and significantly expanded the CCPA, goes further still. It expressly prohibits any interface designed to subvert or impair consumer choices around privacy rights — covering deceptive UI elements that make it harder to opt out of data collection, or that create unnecessary friction when visitors attempt to delete their personal information.

Enforcement sits with the [California Privacy Protection Agency (CPPA or CalPrivacy)](https://www.cookiebot.com/en/escalating-cppa-enforcement/), which, along with the Attorney General’s office, has the authority to investigate non-compliance and issue substantial fines. For businesses serving California residents, even those headquartered outside the state, the CCPA and CPRA together represent one of the most consequential U.S. frameworks for addressing manipulative design.

### **California Opt Me Out Act**

California's regulatory priorities and enforcement are reinforced by the [California Opt Me Out Act](https://privacy.ca.gov/2026/01/californias-opt-me-out-act-your-privacy-just-got-easier/), which becomes operative on January 1, 2027. The law amends the CCPA to require browser developers to provide consumers with a simple, easy-to-locate setting enabling them to send an opt-out preference signal to all websites they visit — communicating their choice not to have their personal information sold or shared.

All businesses subject to the CCPA must detect and honor valid browser opt-out signals. This is relevant to avoiding dark patterns because it shifts the mechanism of opt-out from individual website interfaces to the browser itself.

The law directly targets one of the most persistent dark pattern problems in digital privacy: the friction-laden, site-by-site consent experience that makes opting out unnecessarily burdensome for ordinary website visitors. Consent fatigue is real, and unscrupulous website operators have long capitalized on it.
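An added example of detecting and honoring such a signal, not code from the page or from Cookiebot. It assumes the signal is Global Privacy Control (GPC), which browsers send as the `Sec-GPC: 1` request header and expose to page scripts as `navigator.globalPrivacyControl`; the page itself does not name a specific signal. The function names, the saved-choice values and the sample request are constructed for illustration.

```javascript
// Added example (not from the page or Cookiebot): resolving a CCPA sale/sharing
// opt-out from a browser opt-out preference signal. Assumption: the signal is
// Global Privacy Control, i.e. the `Sec-GPC: 1` request header on the server
// side and `navigator.globalPrivacyControl === true` in the browser.

// Server side: header names are case-insensitive, and only the defined value "1"
// counts as a signal. Anything else (absent, "0", garbage) is "no signal".
function hasGpcHeader(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      const v = Array.isArray(value) ? value[0] : value; // some frameworks hand back arrays
      return String(v).trim() === "1";
    }
  }
  return false;
}

// Client side: the navigator property, guarded for browsers that do not expose it.
function hasGpcInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine the signal with whatever choice the visitor saved through the site's own
// controls. CCPA is an opt-out regime, so "no signal and no saved choice" means not
// opted out. A valid signal must be honored even when it conflicts with a saved
// opt-in; the conflict is reported so the interface can explain it, not re-prompt.
function resolveSaleSharingOptOut({ headers = {}, nav = null, savedChoice = null } = {}) {
  const signal = hasGpcHeader(headers) || hasGpcInBrowser(nav);
  if (signal) {
    return {
      optedOut: true,
      source: "opt-out-preference-signal",
      conflictsWithSavedChoice: savedChoice === "opt-in",
    };
  }
  if (savedChoice === "opt-out") {
    return { optedOut: true, source: "saved-choice", conflictsWithSavedChoice: false };
  }
  return {
    optedOut: false,
    source: savedChoice ? "saved-choice" : "default",
    conflictsWithSavedChoice: false,
  };
}

// Constructed sample inputs (not captured from a real browser).
const SAMPLE_REQUEST_HEADERS = { "Sec-GPC": "1", "user-agent": "ExampleBrowser/1.0" };
const SAMPLE_NAVIGATOR = { globalPrivacyControl: true };

// Usage: a request carrying the header overrides a saved opt-in.
resolveSaleSharingOptOut({ headers: SAMPLE_REQUEST_HEADERS, savedChoice: "opt-in" });
resolveSaleSharingOptOut({ nav: SAMPLE_NAVIGATOR });
```

The signal overrides a saved opt-in rather than being silently dropped, and the `conflictsWithSavedChoice` flag lets the interface tell the visitor why an earlier choice no longer applies instead of prompting them again, which would itself be a repeated-request pattern.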

### **The Children's Online Privacy Protection Act (COPPA)**

COPPA prohibits companies from collecting personal information from children under 13 without verifiable parental consent. Many dark patterns directly intersect with COPPA obligations, including:

- Nudging children into sharing data through gamified interfaces
- Enabling in-app purchases through deceptive mechanisms
- Using manipulative design to encourage excessive engagement

The FTC has been increasingly active in enforcing COPPA, and operators of child-directed platforms should treat dark pattern avoidance as a compliance requirement rather than a design preference.

In December 2022, the FTC reached [two simultaneous settlements with Epic Games](https://www.ftc.gov/news-events/news/press-releases/2022/12/fortnite-video-game-maker-epic-games-pay-more-half-billion-dollars-over-ftc-allegations), the maker of Fortnite, totalling USD 520 million. At the time it was the largest combined penalty in the agency's history for this category of violation.

The first action concerned COPPA violations. Epic had collected personal data from child players without obtaining the required parental consent, and its default settings had exposed children and teens to live voice and text communications with strangers. The resulting civil penalty of USD 275 million was, at the time, the largest ever obtained for a violation of an FTC rule.

The second action concerned dark patterns. Epic had designed its in-game purchasing interface to manipulate players into making unintentional purchases, and had deliberately obscured its cancellation and refund features to make them harder to find. Epic was required to pay USD 245 million in consumer refunds.

### **FTC Enforcement in the United States**

The FTC's 2022 staff report [Bringing Dark Patterns to Light](https://www.ftc.gov/system/files/ftc_gov/pdf/P214800+Dark+Patterns+Report+9.14.2022+-+FINAL.pdf) documented a wide range of deceptive design practices and signaled a shift toward active enforcement. The agency's 2024 amendment to its Negative Option Rule, which would have required cancellation mechanisms to be at least as easy to use as enrollment, was vacated by the U.S. Court of Appeals for the Eighth Circuit in July 2025 before its compliance deadline, so the actions below rest on ROSCA and Section 5 of the FTC Act rather than on that rule.

The Epic Games order described above was [finalized in March 2023](https://www.ftc.gov/news-events/news/press-releases/2022/12/fortnite-video-game-maker-epic-games-pay-more-half-billion-dollars-over-ftc-allegations): USD 245 million in refunds for using confusing button configurations to trick Fortnite players into unwanted in-game purchases, alongside the separate COPPA settlement.

In June 2023, [Publishers Clearing House paid USD 18.5 million](https://www.ftc.gov/news-events/news/press-releases/2023/06/ftc-takes-action-against-publishers-clearing-house-misleading-consumers-about-sweepstakes-entries) for misleading consumers about sweepstakes entry requirements.

The September 2025 Amazon settlement referenced earlier, at USD 2.5 billion, represents a significant escalation. Smaller actions follow the same theory: Care.com settled with the FTC for USD 8.5 million in August 2024 over misleading earnings claims and a cancellation process the agency alleged was unnecessarily difficult to complete, and in June 2025 the [FTC sent more than USD 8.1 million of that money back to consumers](https://www.ftc.gov/news-events/news/press-releases/2025/06/ftc-sends-more-81-million-consumers-harmed-carecoms-deceptive-claims-about-earnings-job-listings).

## **How Website Owners Can Avoid Dark Patterns**

With regulators actively enforcing against deceptive UX, compliance is no longer a matter of simply avoiding the worst practices. It requires a genuine commitment to transparent, user-respecting design across every touchpoint, from checkout flows to consent banners.

### **Make Transparency the Default**

Transparency is the foundation of ethical design. It’s also a requirement under many data privacy regulations. Individuals who feel informed and in control are more likely to engage with your brand over the long term, and less likely to generate complaints or regulatory attention. In practice, transparency means:

- **Pricing and fees:** Display the full cost of any transaction upfront, including taxes, service charges, and recurring fees. Avoid surprise charges at checkout.
- **Subscription terms:** Clearly state renewal policies, trial expiry dates, and cancellation procedures before users commit. If a subscription auto-renews, make it explicit and send advance notice.
- **Data collection:** Use plain language to explain what data you collect, why, and how it will be used. Do not bury material privacy information in fine print or dense legal text.
- **Marketing consent:** Users should know exactly what they are signing up for when they provide their contact details. Avoid pre-checked boxes and ambiguous consent prompts.

### **Design Honest Consent Experiences**

Consent interfaces are a particular area of scrutiny, and one where cookie consent management technology can make a material difference. An honest consent experience means:

- **Opt-in rather than opt-out:** Users should actively choose to permit marketing, tracking, or data sharing. Default opt-ins are both an ethical problem and a legal compliance risk under the GDPR and similar regulations.
- **Visual parity between accept and decline:** "Accept" and "Reject" options should have equivalent visual prominence. Asymmetric button styling that makes declining harder than accepting constitutes "stirring" under the EDPB's taxonomy.
- **Easy preference management:** Users should be able to withdraw or modify consent as easily as they gave it. Signal good faith with one-click access to privacy settings, rather than multi-step processes.
- **No forced data sharing:** Core functionality should not be contingent on accepting non-essential tracking. Where technically feasible, give users access to basic features without requiring broad consent.

### **Test Your UX for Dark Patterns**

Even well-intentioned designs can inadvertently mislead users. Regular testing is the most reliable way to identify and correct problems before they attract regulatory attention:

- **User testing and feedback:** A/B testing, usability studies, and structured feedback sessions can surface confusing or manipulative design elements that are invisible to their creators.
- **Accessibility audits:** Ethical design includes accessibility. Meeting [WCAG standards](https://www.cookiebot.com/en/accessibility-statement-wcag-compliance/) helps to ensure that your UX is navigable and understandable for users with disabilities — a population particularly vulnerable to complex or confusing interfaces.
- **Compliance reviews:** Privacy regulations are updated regularly, and business operations and technologies in use also change often. Build periodic reviews into your development cycle to ensure your UX continues to meet current legal and ethical standards.
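One way to turn the checks above into a repeatable test, as an added example that is not from the page or from Cookiebot: a small audit that takes a description of a banner's first layer (click depth and rendered style of each option, pre-checked categories, re-prompting behaviour) and maps each problem to the EDPB category quoted earlier. The banner model, the visual-weight heuristic and its thresholds are assumptions; the page supplies only the categories.

```javascript
// Added example (not from the page or Cookiebot): auditing a consent-banner
// model against the EDPB categories. The banner description format, the
// visual-weight heuristic and its thresholds are assumptions made here.

// Rough prominence score from what an auditor reads off the rendered option.
function visualWeight(opt) {
  let w = 0;
  if (opt.element === "button") w += 2; // a bare link reads as less actionable than a button
  if ((opt.contrastRatio || 0) >= 4.5) w += 1; // WCAG AA text contrast
  if ((opt.fontPx || 0) >= 14) w += 1;
  return w;
}

function auditBanner(banner) {
  const findings = [];
  const accept = banner.options.acceptAll;
  const reject = banner.options.rejectAll;

  if (!reject) {
    findings.push({ category: "hindering", detail: "no reject option on the first layer" });
  } else {
    if (reject.clicks > accept.clicks) {
      findings.push({ category: "hindering", detail: `reject takes ${reject.clicks} clicks, accept takes ${accept.clicks}` });
    }
    if (visualWeight(reject) < visualWeight(accept)) {
      findings.push({ category: "stirring", detail: "reject is visually recessive relative to accept" });
    }
    // Confirmshaming: emotional steering in the decline label.
    if (/no thanks|don't|do not want|i don't care/i.test(reject.label || "")) {
      findings.push({ category: "stirring", detail: `confirmshaming label: "${reject.label}"` });
    }
  }

  // Pre-selected non-essential categories: the visitor "consents" by doing nothing.
  const preselected = Object.entries(banner.categories || {})
    .filter(([name, c]) => name !== "necessary" && c.prechecked === true)
    .map(([name]) => name);
  if (preselected.length > 0) {
    findings.push({ category: "skipping", detail: `pre-checked categories: ${preselected.join(", ")}` });
  }

  // Re-prompting only the visitors who declined.
  if (banner.repromptAfterReject === true && banner.repromptAfterAccept !== true) {
    findings.push({ category: "overloading", detail: "visitors who reject are re-prompted, those who accept are not" });
  }
  return findings;
}

// Constructed sample banners.
const MANIPULATIVE_BANNER = {
  options: {
    acceptAll: { label: "Accept all", element: "button", contrastRatio: 7, fontPx: 16, clicks: 1 },
    rejectAll: { label: "No thanks, I don't care about privacy", element: "link", contrastRatio: 2.5, fontPx: 11, clicks: 3 },
  },
  categories: { necessary: { prechecked: true }, statistics: { prechecked: true }, marketing: { prechecked: true } },
  repromptAfterReject: true,
  repromptAfterAccept: false,
};

const HONEST_BANNER = {
  options: {
    acceptAll: { label: "Accept all", element: "button", contrastRatio: 7, fontPx: 16, clicks: 1 },
    rejectAll: { label: "Reject all", element: "button", contrastRatio: 7, fontPx: 16, clicks: 1 },
  },
  categories: { necessary: { prechecked: true }, statistics: { prechecked: false }, marketing: { prechecked: false } },
  repromptAfterReject: false,
  repromptAfterAccept: false,
};

// Usage: the first call returns five findings, the second returns none.
auditBanner(MANIPULATIVE_BANNER);
auditBanner(HONEST_BANNER);
```

The click-depth and style values are the part that has to come from the real page rather than from a design document: an audit that reads them from the deployed banner (computed styles, number of layers to reach "Reject all") catches the gap between what was designed and what shipped, which is where regressions like a reject button that stops working tend to hide.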

## **How Cookiebot by Usercentrics Helps You Avoid Dark Patterns**

Dark patterns may appear to offer short-term gains, but the regulatory and reputational costs are increasingly concrete. The USD 2.5 billion Amazon settlement put a price on deceptive design, and the FTC's ongoing enforcement program makes clear that it was not a one-off.

Businesses that invest in transparent, user-respecting design do more than avoid fines. They build the kind of trust that drives long-term engagement and customer loyalty: outcomes that deceptive tactics demonstrably undermine.

### Build trust before dark patterns build your next fine

With Cookiebot™, design consent experiences that are clear and user-friendly. Try it for free: effective marketing, happy customers, and a business that stays on the right side of enforcement.

 [Start free trial](https://www.cookiebot.com/en/free-trial/)