The FTC and the CPRA’s Regulation of Dark Patterns in Cookie Consent Notices
Dark patterns are designed to confuse and manipulate users to select the option preferred by website owners. Dark patterns are especially prevalent in cookie consent notices, which are notices that websites display to ask users about their cookie preferences. Cookies are often used by websites to track and store user information for functional and marketing purposes. Dark patterns exploit various psychological biases, and the interaction among the biases will likely exacerbate their effects. This Article examines 100 cookie consent notices from the most popular e-commerce websites in the United States and offers a set of empirical data on the current landscape of dark patterns in cookie consent notices. Based on our results and analysis, most cookie consent notices we examined are likely considered unfair and deceptive under Section 5 of the FTC Act. Moreover, under the CPRA legal framework, most notices are also considered coercive and manipulative. Future regulators should focus on the design of online consent mechanisms to better protect consumer interest in privacy.
As technology plays a larger role in society, it becomes much easier for internet companies to collect private information from their consumers. Nowadays, consumers often sign away their privacy rights without even reading the provisions. It has become instinctive for internet surfers to click on “consent to tracking” without even realizing what they are giving away. Consumers often face what is called a “privacy paradox,” which refers to a gap between their desired state regarding privacy and their actual state.1
Alessandro Acquisti et al., Privacy and Human Behavior in the Age of Information, 347 Sci. 509, 509–10 (Jan. 30, 2015).
Id.
Michelle Madejski et al., A Study of Privacy Settings Errors in an Online Social Network, in Inst. of Elec. & Elecs. Eng’rs, 2012 IEEE International Conference on Pervasive Computing and Communications Workshops 340, 340–345 (2012).
Moreover, website owners often manipulate their privacy settings to make it harder for consumers to protect their privacy. Recently, there have been efforts to create or update data privacy laws to target a phenomenon called dark patterns, which are user interfaces intentionally designed to confuse and manipulate users into taking certain actions that are not their actual preference.4
See Jamie Luguri & Lior Strahilevitz, Shining a Light on Dark Patterns, 13 J. Legal Analysis 43, 48–51 (2021).
Midas Nouwens et al., Dark Patterns After the GDPR: Scraping Consent Pop-Ups and Demonstrating Their Influence, Proc. 2020 CHI Conf. on Hum. Factors Computing Sys. 1–13 (2020).
However, no such study of dark patterns has been done on cookie consent notices, an area in which they are especially prevalent.6
See Christine Utz et al., (Un)informed Consent: Studying GDPR Consent Notices in the Field, CCS ’19: Proc. 2019 ACM SIGSAC Conf. on Comput. & Commc’ns Sec. 973, 973–90 (2019).
See Dominique Machuletz & Rainer Böhme, Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs After GDPR, 2 Proc. on Privacy Enhancing Tech. 481, 481–98 (2020).
Id.
See Alessandro Acquisti & Jens Grossklags, What Can Behavioral Economics Teach Us About Privacy?, in Digital Privacy: Theory, Technologies, And Practices 370 (Alessandro Acquisti et al. eds., 2008).
There is currently no specific cookie law in the United States, but data privacy law in general can regulate cookies. Data privacy law seeks to protect rights around the commercial use of personal private data, address the accessibility of personal data, and reduce the harmful impacts of data breaches.10
See Andraya Flor, The Impact of Schrems II: Next Steps for U.S. Data Privacy Law, 96 Notre Dame L. Rev. 2035, 2039 (2021).
See Bradyn Fairclough, Privacy Piracy: The Shortcomings of the United States’ Data Privacy Regime and How to Fix It, 42 J. Corp. L. 461, 467 (2016).
Id.
See Fed. Trade Comm’n, Enforcement Policy Statement Regarding Negative Option Marketing (Oct. 28, 2021).
Moreover, at the state level, the California Consumer Privacy Act (CCPA) along with the California Privacy Rights Act (CPRA), which will fully replace the CCPA by 2023, aim to protect consumer privacy.14
California Consumer Privacy Act, Cal. Code Regs. tit. 11, § 999.315(h) (2021) [hereinafter CCPA]; see also Angelique Carson, Data Privacy Laws: What You Need to Know in 2021, Osano (June 24, 2020), https://perma.cc/LZ23-269M.
See Jennifer King & Adriana Stephan, Regulating Privacy Dark Patterns in Practice-Drawing Inspiration from California Privacy Rights Act, 5 Geo. L. Tech. Rev. 251, 259 (2021).
California Privacy Rights Act § 1789.140(1) (amended by 2021 Cal. Legis. Serv. Ch. 525 (A.B. 694) (West)) [hereinafter CPRA].
Id.
This Comment will utilize empirical data collected from the cookie consent notices across 100 e-commerce websites to analyze those websites’ compliance with the requirements of Section 5 of the FTC Act and the cookie consent requirements laid out by the CPRA.
Dark patterns are user interfaces designed to confuse and manipulate users into picking the choice preferred by the designers.18
See Luguri & Strahilevitz, supra note 4, at 48.
See King & Stephan, supra note 15, at 259.
See id.
See id.
Dark patterns can induce users to make irrational choices because they prompt users to use System 1 decision-making, which relies on impulse and heuristics, instead of System 2, which involves deliberate thinking.22
See Daniel Kahneman, Of 2 Minds: How Fast and Slow Thinking Shape Perception and Choice [Excerpt], Sci. Am. (June 15, 2012), https://perma.cc/DE6W-279K.
See id.
See id.
Figure 1

Figure 2

Regarding cookie consent notices, many dark patterns are lurking not only in the structure and design of the notices, but also in the language of the notices. Luguri and Strahilevitz summarized existing dark pattern taxonomies. Many of the dark patterns mentioned are present in online cookie consent notices. Many cookie consent notices use “obstruction,” which creates unnecessary barriers for users to reject cookies.25
Luguri & Strahilevitz, supra note 4, at 53.
Id.
Id.
Id.
Id.
Luguri & Strahilevitz, supra note 4, at 53.
In one study, Luguri and Strahilevitz examined the effects of various dark patterns on users’ decision-making processes.31
See id. at 61.
Id.
Id. at 81.
Based on previous scholarship, consumers are very vulnerable to dark patterns because dark patterns are psychological manipulations designed to induce them to sign away their rights without realizing it, especially when it comes to privacy rights. This Comment will discuss several underlying biases that might be at play when users are affected by the dark patterns in cookie consent notices: framing effects, defaults, Query Theory, nudges, cognitive dissonance, loss aversion, decision fatigue, and ambiguity aversion. These biases interact with each other to further reinforce the negative consequences of the dark patterns.
One of the underlying cognitive biases that might make consumers fall prey to data collection without recognizing it is a framing effect. A framing effect refers to the idea that one’s decision might be affected by the way in which information is presented.34
See Framing Effect, Decision Lab, https://perma.cc/7KMW-WQLM (last visited Feb. 11, 2022).
Saliency and ordering may interact with framing effects to enhance the nudging. People will be more drawn to salient information, which can manifest as larger font or high contrast color; and the order in which people process information will also change how people perceive it as the option first considered will invoke more associative memory, which is the ability to remember the relationship between different objects and items.35
See Alessandro Acquisti et al., Nudges for Privacy and Security: Understanding and Assisting Users’ Choices Online, 50 ACM Computing Survs. 44:1, 44:18 (2017).
Default options in cookie consent notices work especially well when there is no option presented (see Figure 2) and users will likely keep scrolling on the website without even recognizing the cookie consent notice. People are more likely to stay with the default setting.36
See id. at 44:21.
See Eric J. Johnson & Daniel G. Goldstein, Do Defaults Save Lives?, 302 Sci. 1338, 1338–1339 (2003).
See Idris Adjerid et al., A Query-Theory Perspective of Privacy Decision Making, 45 J. Legal Stud. S97, S97–S121 (2016).
See id.
Data privacy scholarship has recently focused on how subliminal hints, or “nudges,” affect users.40
Acquisti et al., supra note 35, at 44:25.
Richard H. Thaler & Cass R. Sunstein, Libertarian Paternalism, 93 Am. Econ. Rev. 175 (2003).
See Acquisti et al., supra note 35, at 44:25.
See id. at 44:4.
More importantly, besides nudges and default effect, pre-decision cognitive dissonance might be at play during privacy setting decision-making. Cognitive dissonance refers to the idea that people prefer consistency and are motivated to act to reduce a state of dissonance after a decision that caused a discrepancy between their current state and their ideal state.44
See Leon Festinger, A Theory Of Cognitive Dissonance 25–60 (1957).
S. Oshikawa, Cognitive Pre-Decision Conflict and Post-Decision Dissonance, 15 Behavioral Sci. 132, 132–140 (1970).
See Paul J. Costanzo, Revisiting Cognitive Dissonance Theory: Pre-Decisional Influences and the Relationship to the Consumer Decision-Making Model, 2 Atl. Mktg. J., Apr. 2013, at 42.
See Isha Ghosh & Vivek Singh, Using Cognitive Dissonance Theory to Understand Privacy Behavior, 54 Proc. Ass’n Info. Sci. & Tech. 679, 679–680 (2017).
iRobot, https://perma.cc/36AV-A8MV (last visited Feb. 11, 2022).
Cognitive dissonance is further reinforced by loss aversion and the fear of missing out. Loss aversion refers to the idea that people tend to be more averse to losses than the equivalent gains.49
See Loss Aversion, Decision Lab, https://perma.cc/KBC7-LRNV (last visited Feb. 11, 2022).
See Endowment Effect, Decision Lab, https://perma.cc/U99D-9SVG (last visited Feb. 11, 2022).
See Acquisti et al., supra note 35, at 44:25.
See Ambiguity (Uncertainty) Aversion, BehavioralEconomics.com, https://perma.cc/6LNY-MSUB (last visited Feb. 11, 2022).
Repeated actions will also become habitual due to decision fatigue. When users repeatedly encounter the same decision, they will rely more on heuristics and put less effort into decision-making since making a decision is mentally taxing.53
See Shai Danziger et al., Extraneous Factors in Judicial Decisions, 108 Proc. Nat’l Acad. Scis. 6889, 6889–6892 (2011); Jonathan Levav et al., The Effect of Ordering Decisions by Choice-Set Size on Consumer Search, 39 J. Consumer Rsch. 585, 585–599 (2012).
I conducted a field study of 100 cookie consent notices on top e-commerce websites to investigate the effects of different variables of the notices. These variables include blocking, number of choices available, purpose of the text, privacy policy link, and various formatting elements of the notices. Based on the results of the study, it appears that 80.9% of the cookie consent notices in Binary Options display dark patterns, including confirmshaming and ambiguous language.
To investigate the effects of different properties of cookie consent notices, I conducted a field study of 100 cookie consent notices on top e-commerce websites, ranked by revenues and viewership in the United States.54
ReviewsXP, https://perma.cc/7GEW-HDSJ (last visited Feb. 11, 2022).
See Utz et al., supra note 6, at 973–90.
- Blocking: a cookie consent notice is coded as blocking if it blocks a large part of the website so that without interacting with it, one cannot view the full website. Blocking includes two situations. (1) The website’s content is blurred or dimmed, and the notice prevents the users from interacting with the website without interacting with the notice first. (2) The consent notice is too big (covers more than a quarter of the website) and prevents users from viewing the full website without first interacting with the notice.
- Number of Choices: the cookie consent notices are coded in three types based on how users will interact with the notices. (1) No-option: there is no option to interact with the notice, and the notice only informs the user, such as “This site uses cookies for analytics and to deliver Personalized content. By continuing to browse our site, you agree that you have read and understand our Privacy Policy.”56 (2) Confirmation-only: there is only one option for users to click on such as “OK” or “I agree,” and clicking on that option is perceived as consent to all cookies. (3) Binary Option: there are two forms of binary option: one type displayed as “Accept All Cookies” and “Cookie settings,” and the other displayed as either accept or reject cookies.
APMEX, https://perma.cc/9Q7U-2Y4K (last visited Feb. 11, 2022).
- Purpose of the Text: this parameter is coded based on the purpose of the text of the notice, either “general,” which includes phrases like “to provide best experiences for users” or “specific,” which mentions “advertisement use,” or “marketing purposes.”
- Privacy Policy: this parameter is coded based on whether there is a specific link to the privacy policy. The text has to contain “privacy policy”; a link to “cookie settings” alone is not coded as having a link to the privacy policy.
- Format of the Cookie Consent Notice: the format parameter is coded in three types: (1) Banners, which are usually at the bottom of the page and stay consistently visible. (2) Pop-ups, which are windows to the side that appear suddenly, and usually cover less than ¼ of the page. (3) Walls, which are windows that prevent users from interacting with the website until consent is given. When the format is coded as “Wall” it also entails blocking under the Blocking parameter.
- Nudging: a cookie consent notice is coded as nudging when there is aesthetic manipulation in the options to induce users to click on “Accept all cookies.” Typical features include highlighted text, high contrast color, visually framed text, and dimmed advanced settings so that users have a harder time looking for them. Overall, nudging means that the web designer is making the “Accept All Cookies” option easier for users to click on. This is only relevant in the “Binary Option” category under the “Number of Choices” parameter, since in the “No-option” and “Confirmation-only” categories there is only one option or no option and thus no need for aesthetic manipulation.
- The Text: this parameter is different from the previous six as it conducts qualitative analysis on the text of the notices and assesses whether there is any dark pattern present in the language itself, including confirmshaming or obscure language that confuses users. This parameter will also analyze the frequency of words used and how the language affects consumers’ online consent decisions. This parameter is more subjective in terms of coding.
Our data set contains 100 cookie consent notices from the most popular e-commerce websites. Since there is currently no specific cookie consent law in the United States, many of the popular e-commerce websites do not contain any sort of cookie consent notices. Out of the top 50 most popular e-commerce websites, there are only 9 that have some sort of cookie consent notices. We gathered our data from popular e-commerce websites that contain cookie notices.
For (1) the Blocking parameter, 17% of the cookie consent notices are blocking the websites. For (2) the Number of Choices parameter, 24% of the cookie consent notices are No-option, 29% of the notices are Confirmation-only, and 47% of the notices have Binary Options. For (3) the Purpose of the Text parameter, 62% of the cookie consent notices state general purpose and only 38% of the notices state specific uses like advertising purposes. For (4) the Privacy Policy parameter, 74% of the cookie consent notices have a privacy policy link. For (5) the Format parameter, 66% of the cookie consent notices are in the banner format, 23% of the notices are in the pop-up window format, and 11% of the notices are in the wall format. For (6) the Nudging parameter, 38% of the overall cookie consent notices contain nudging but out of the Binary Option category, 80.9% of the notices that contain binary options have nudging. Only 1% of the notices have opposite nudging, which means that the reject all cookies option is being highlighted instead of the accept all cookies option. (Parameters (1) through (6) are presented in Table 1).
For (7) the Text parameter, 11% of the cookie consent notices contain language like “we use the cookies to give you the best experience.” 3% of the notices mention giving users a “better experience.” 21% of the notices contain the word “personalize” in phrases such as “to provide you with a personalized experience.” 3% of the notices use the word “customize” in the same sense as the word “personalize.” 18% of the notices use the word “enhance” in phrases like “to enhance user experience.” 6% of the notices state that they use the cookies to “tailor” the content to users’ interests. Only 3% of the notices mention that the user can withdraw their consent to the cookies. Only 2% of the notices mention that the user can reject the cookies. Only 7% of the notices mention the user can opt-out of the cookies. Only 5% of the notices mention that the user can disable the cookies. Only 2% of the notices mention that they will not use other cookies except the strictly necessary ones unless the user opts into them. 20% of the notices mention that the user can manage their cookie preferences. Only 5% of the notices mention that they store user information. Only 8% of the notices mention that the collection of data may be considered a “sale” under certain state laws to alert the users. Only 21% of the notices mention that they “collect” data through cookies (this includes phrases like “collection of data”). 33% of the notices mention “ads” or “ad” or “advertising.”
17% of the notices mention using third-party cookies, 1% of the notices mention using first-party cookies, and 1% of the notices mention both. 27% of the notices refer to an unspecified party cookie, usually by using the phrase “We use cookies . . . .” 5% of the cookie consent notices mention California residents and 4% of the notices mention The California Consumer Privacy Act.
Table 1: Parameters of the graphical user interface of consent notices and their value across a sample of 100 cookie consent notices collected from the most popular websites in the United States
Parameter | Value | Percentage |
---|---|---|
(1) Blocking | Blocking | 17% |
(1) Blocking | No-Blocking | 83% |
(2) Number of Choices | No-Option | 24% |
(2) Number of Choices | Confirmation-only | 29% |
(2) Number of Choices | Binary Options | 47% |
(3) Purpose of the Text | General Purpose | 62% |
(3) Purpose of the Text | Specific Purpose | 38% |
(4) Privacy Policy | Has a privacy link | 74% |
(4) Privacy Policy | No privacy link | 26% |
(5) Format | Banner | 66% |
(5) Format | Pop-up | 23% |
(5) Format | Wall | 11% |
(6) Nudging | Nudging Overall | 38% |
(6) Nudging | Nudging in Binary Options | 80.9% |
(6) Nudging | Opposite Nudging | 1% |
Based on the result of the empirical study, it appears that 80.9% of the cookie consent notices in Binary Options exhibit dark patterns, including confirmshaming and ambiguous language. This is harmful to users as they are giving out personal data without realizing it. More importantly, these dark patterns are very effective in misleading the users and inducing them to select the option that benefits the website. This section will first introduce the possible legal aspects of regulating cookie consent notices and then analyze the empirical results under the relevant legal framework. Section 5 of the FTC Act authorizes the FTC to regulate any unfair or deceptive trade practices that affect interstate commerce, which arguably include cookie consent notices. The CCPA lists future requirements that specifically target dark patterns. Cookie consent notices that contain dark patterns can be regulated under both regulatory regimes. This Comment will discuss how the FTC and the California legal frameworks could be implemented to curtail the use of dark patterns in the cookie consent notices.
The FTC Act gives the FTC authority over “any person, partnership or corporation engaged in or whose business affects commerce.”57
15 U.S.C. § 46(a).
15 U.S.C. § 45.
405 U.S. 233 (1972).
Id. at 239.
1. The Unfair Standard
An act or practice is “unfair” if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”61
15 U.S.C. § 45(n).
First, there must be a substantial consumer injury. This is an objective test. The Commission requires a real injury—emotional distress is not sufficient. The harm need not be large to any individual, but if it is significant in aggregate it may be substantial harm. The statement also notes that the harm might be small as an absolute matter, but still substantial if it is significantly larger than the benefit. Second, the harm of the practice must not be outweighed by countervailing benefits of that practice. Finally, the harm must not be reasonably avoidable by the consumer. If the consumer could have avoided the harm by choosing differently, the FTC will respect the consumer’s choice.62
Maureen K. Ohlhausen, Weigh the Label, Not the Tractor: What Goes on the Scale in an FTC Unfairness Cost-Benefit Analysis?, 83 Geo. Wash. L. Rev. 1999, 2006 (2015) (citing Fed. Trade Comm’n., Commission Statement of Policy on the Scope of the Consumer Unfairness Jurisdiction (1980), reprinted in Int’l Harvester Co., 104 F.T.C. 949, 1072–76 (1984)).
Under Section 5 of the FTC Act, in a complaint against DSW, Inc., the FTC held that the company was engaging in an unfair practice when it “failed to provide reasonable and appropriate security for sensitive customer information.”63
DSW Inc. Settles FTC Charges, Fed. Trade Comm’n. (Dec. 1, 2005), https://perma.cc/5GY3-XJJL.
Carolyn Hoang, In the Middle: Creating a Middle Road Between U.S. and EU Data Protection Policies, 32 J. Nat’l Ass’n Admin. L. Judiciary 810, 823 (2012).
See DSW Inc. Settles FTC Charges, supra note 63.
See FTC Cracks Down on Spyware Operation, Fed. Trade Comm’n. (Oct. 12, 2004), https://perma.cc/EV8W-F5V5.
Id.
See id.
The “unfair” standard usually requires monetary harm to satisfy the “substantial injury” prong. However, the FTC notes that an injury may meet the substantiality standard if “it does a small harm to a large number of people.”69
FTC Policy Statement on Unfairness, Fed. Trade Comm’n (Dec. 17, 1980), https://perma.cc/E97V-CAQ6; see 15 U.S.C. § 45(n).
See DSW Inc. Settles FTC Charges, supra note 63.
See, e.g., United States v. Spears, 729 F.3d 753 (7th Cir. 2013).
Ohlhausen, supra note 62, at 2006.
The next prong of the “unfair” standard addresses whether consumers could have reasonably avoided the injury. Practices that prevent consumers from making free market decisions will satisfy this prong.73
Luguri & Strahilevitz, supra note 4, at 88.
The cost-benefit analysis prong of the unfairness standard recognizes that there might be benefits to certain practices. This prong is only satisfied when there are injurious effects that outweigh the benefits. In the cookie consent context, the benefits of protecting consumer privacy at large will likely outweigh any harm that website owners may incur for adjusting their privacy consent regimes. The cost-benefit analysis looks at the costs incurred for consumers as well as larger societal burdens and the cost for remedy. The FTC held in FTC v. FrostWire, LLC that a default preselection (roach motel) in a file-sharing app is both unfair and deceptive.74
Complaint for Permanent Injunction and Other Equitable Relief, FTC v. Frostwire LLC, No. 11–CV–23643 (S.D. Fla. Oct. 12, 2011), 2011 WL 9282853.
Id.
Regarding cookie notice consent, the inquiry should focus on whether the economic benefits of marketing and ads will outweigh the harm to consumers. Although marketing is an important tool for companies to gain sales, it should only be used when there is consumer consent and proper disclosure. Consumers’ interests in privacy in the aggregate should outweigh the conveniences the companies receive for inducing consumers to accept all cookies given that it is much easier for companies to implement changes in their cookie notice regime. While marketing is important for the economy, it should not come at the expense of uninformed sales of consumer data. It is likely unreasonable to ban all cookies that collect consumer information, but it is reasonable to ban just the ones that improperly nudge consumers and are without clear disclosure. Companies should at least change their cookie notice regime to neutral notices without nudging and implement more disclosure-related education campaigns to increase consumers’ awareness of privacy issues.
Overall, the “unfair” standard presents a potential source of authority to regulate cookie consent notices. The FTC can easily apply this test to cookie consent notices given the prevalent dark patterns present in most cookie consent notices. The only difficulty might be proving that the consumers suffered a real injury, which is based on whether the case contains a data breach or third-party involvement in illegal data sale.
2. The Deceptive Standard
On the other hand, acts or practices are “deceptive” if there is “any ‘representation, omission, or practice’ that is (i) material, and (ii) likely to mislead consumers who are acting reasonably under the circumstances.”76
Luguri & Strahilevitz, supra note 4, at 83 (quoting Cliffdale Assocs., Inc., 103 F.T.C. 110 (Mar. 23, 1984)).
See FTC v. Cyberspace.com LLC, 453 F.3d 1196, 1201 (9th Cir. 2006); see also FTC v. Pantron 1 Corp., 33 F.3d 1088 (9th Cir. 1994).
Fanning v. FTC, 821 F.3d 164, 170–171 (1st Cir. 2016).
See Luguri & Strahilevitz, supra note 4, at 83.
FTC v. E.M.A. Nationwide, Inc., 767 F.3d 611, 631 (6th Cir. 2014).
The FTC recently started to utilize its enforcement discretion to bring cases against businesses that made deceptive misrepresentations in their data privacy policy and hid unexpected data policies from consumers.81
See Fairclough, supra note 11, at 467.
No. 00–11341, 2000 WL 34016434 (D. Mass. July 21, 2000).
133 F.T.C. 763 (2002).
More importantly, the Ninth Circuit regarded dark pattern techniques as deceptive practices in FTC v. AMG Capital Management.84
910 F.3d 417, 424 (9th Cir. 2018), rev’d and remanded on other grounds, 141 S. Ct. 1341 (2021).
Id.
Id.
Id. at 422 (quoting FTC v. Cyberspace.com LLC, 453 F.3d 1196, 1201 (9th Cir. 2006)).
The “deceptive” standard is the more applicable standard for cookie consent notices. The FTC has the authority to regulate the notices under this standard. The two requirements of the “deceptive” standard are materiality and the likelihood of misleading reasonable consumers.88
Luguri & Strahilevitz, supra note 4, at 83.
Cyberspace.com LLC, 453 F.3d at 1201.
Lastly, for the Nudging parameter, 38% of the overall cookie consent notices contain nudging, and 80.9% of the notices that contain binary options have nudging. The nudging will affect consumer choice by inducing them to pick the option preferred by the web owner. Moreover, the text of the notices itself is likely manipulative because only 7% of the notices mention the user can opt-out of the cookies and only 5% of the notices mention that the user can disable the cookies. Without disclosing that there are other options available, general notices will signal to users that they can only accept the cookies without other choices. For example, a cookie notice that does not have a privacy policy link and has a Confirmation-only feature could substantially influence consumer choice. The consumer might infer from the notice that they do not have other choices. Thus, the materiality prong is easily satisfied by these dark patterns presented in the notices.
The misleading prong is satisfied if the information’s “overall net impression” is misleading.90
FTC v. E.M.A. Nationwide, Inc., 767 F.3d 611, 631 (6th Cir. 2014).
FTC v. AMG Cap. Mgmt., 910 F.3d 417, 424 (9th Cir. 2018), rev’d and remanded on other grounds, 141 S. Ct. 1341 (2021).
Moreover, some of the ambiguous information included in the text will further mislead reasonable consumers. More than 30% of the notices contain the word “personalize,” “customize,” or “tailor” in phrases like “to provide you with a personalized experience.” While these phrases are often utilized in marketing, in a cookie consent setting they are likely going to mislead users in the sense that they ambiguously state the purpose of the cookies without disclosing the fact that the cookies are actually storing and collecting user information for sale. Thus, it is likely that most of the current cookie consent notices will fall under the “deceptive” standard given that they contain information that will affect user decisions and mislead reasonable users. The regulation of cookie consent notices will be more suitable under the “deceptive standard” than under the “unfair” standard, though both can apply to the cookie consent notices. The current cookie consent notices do not properly inform web users about their rights and the options they have to reject certain cookies. The majority of the cookie consent notices also are not obtaining “real” consent since most users do not pay attention to a consent notice banner that allows one to keep scrolling without engaging with the banner first.
3. The FTC’s Enforcement Policy Statement on Negative Option Marketing
The FTC has recently started to address the problems regarding disclosure and consent. In a recent Enforcement Policy Statement,92
See Fed. Trade Comm’n, supra note 13.
Id. at 1.
Id.
See id. at 2.
Under Section 5 of the FTC Act, the FTC has highlighted four basic requirements regarding negative option marketing. First, there must be clear and obvious disclosure regarding the material key terms of the offer including the existence of the negative option, the total cost, and the cancellation process. Second, the disclosure must happen before consumers agree to purchase the product. Third, the marketers must receive consumers’ explicit informed consent. Lastly, the seller must not create unnecessary barriers to the cancellation or refund process to ensure the effectiveness of the process and must honor the cancellation terms.96
See id. at 4–5.
In the Statement, the FTC also cited the Restore Online Shoppers’ Confidence Act (ROSCA)97
15 U.S.C. §§ 8401–8405.
Id.
The FTC also promulgated the “Use of Prenotification Negative Option Plans” Rule (Prenotification Plan Rule), which requires the sellers to disclose several material terms. These include minimum purchase obligations, right to cancel, timeline to reject a selection, the return process, and the frequency with which announcements and forms will be sent.99
16 C.F.R. Part 425.
Overall, the Policy Statement lists the requirements for disclosure, consent, and cancellation regarding negative option marketing. Although the Statement does not mention web cookie consent specifically, this Statement will help us establish a guideline for future regulations regarding cookie consent. The Statement requires a “clear and conspicuous” disclosure, and these disclosures should be “easily understandable by ordinary consumers.”100
There are two regulatory frameworks that can be extended to regulate cookie consent notices: ROSCA and the Prenotification Plan Rule. Under Section 5 of the FTC Act and ROSCA, most of the cookie consent notices are likely not compliant with the requirements listed by the FTC. ROSCA regulates the disclosures, consent, and cancellation of negative option marketing. In the context of cookie consent, the first two areas of disclosures and consent can be directly applied to cookie consent notices; the cancellation policy may provide guidance for the rejection of cookie usage.
Applying the principle of disclosures under ROSCA to cookie consent notices will require clear and conspicuous disclosures from the website owners. This principle, if applied to the cookie consent notices, requires at minimum that any material terms be “difficult to miss (i.e., easily noticeable) or unavoidable and easily understandable by ordinary consumers.”103
Moreover, the Statement includes language that can be interpreted to prohibit dark patterns. The Statement specifies that a clear disclosure should not include “any information that interferes with, detracts from, contradicts, or otherwise undermines the ability of consumers to read and understand the disclosures.”105
In terms of consent, ROSCA requires “consumers’ express informed consent,” and this requirement applied to cookie consent notices will oblige website owners to inform the consumers and obtain their express consent.106
The cancellation policy, while not directly applicable, can provide helpful guidance on what the rejection process should look like in the cookie consent context. ROSCA requires the cancellation process to be as easy as the initiation process, and through the same medium.108
The Prenotification Plan Rule is also helpful in providing a guideline for future cookie regulations even though it does not directly apply to cookie consent notices. The Prenotification Plan Rule targets plans that abuse a consumer’s nonaction and take nonaction as consent to keep subscribing or purchasing. Although this Rule might have limited coverage as it only applies to negative option marketing, it can be interpreted as the FTC’s effort to strike down the manipulative tactic of taking nonaction as consent. Applying it to the cookie consent context will allow the FTC to regulate any cookie consent notices that allow nonaction as a form of consent including the No-Option format notices. This Rule will require the website owners to obtain express consent from consumers.
Under this new Policy Statement, we can clearly see a trend in how the FTC is exercising its authority to restrict more dark patterns in commercial activities online. The FTC is providing more specific guidelines for disclosures, consent, and the rejection process, all of which can be applied to the regulation of cookie consent notices. The FTC should adopt the content of this Policy Statement and use its authority to regulate cookie consent notices.
The CCPA applies when a business “does any amount of business in California and has more than $25 million in revenue, received or shares personal information for commercial purposes of 50,000 or more consumers, or derives fifty percent or more of its annual revenue from selling consumers’ personal information.”111
The CCPA was modified in March of 2021 to “address attempts to subvert or impair Californians’ ability to opt-out of sales of their personal information.”114
The CPRA will replace the CCPA in 2023 and specifically addresses dark patterns.116
Regarding obtaining consent, the CPRA addressed two situations where consent may still be invalid, even though a dark pattern is not unfair or deceptive: there cannot be coercive consent or manipulative consent.118
Coercive consent happens when people think they are constrained by their options and the only rational option “is the one that the coercer intends.”119
The CPRA requires that the website allow consumers to “revoke the consent as easily as it is affirmatively provided.”125
Manipulative consent is different from coercion and deception in that it is often “hidden influence—the covert subversion of another person’s decision-making power.”127
Moreover, clicking “I Agree” on a cookie consent notice often represents multiple layers of consent with a single interaction, which can be problematic under the CPRA.129
Both manipulative and coercive consent are deemed problematic under the CPRA, and the majority of cookie consent notices obtaining consent in a manipulative and coercive manner would likely be considered unlawful. If the CPRA is adopted as it is right now, this will have a profound impact on how we think about consent and privacy, and it will help protect consumer interest in privacy.
The proliferation of dark patterns online raises important legal and ethical issues in our society today. Dark patterns not only pervade our personal private space online and cause us substantial financial harm,131
With increased attention on regulating dark patterns, both the FTC and the CPRA have the potential legal authority to provide specific regulations of dark patterns in cookie consent notices. Under Section 5 of the FTC Act, the FTC can regulate dark patterns in cookie consent notices under both the unfairness and deceptiveness standards. Courts have been generally receptive to these causes in a few FTC deception and unfairness cases. The FTC has also issued a new Enforcement Policy Statement on Negative Option Marketing to provide specific guidelines on disclosure, consent, and cancellation policy, all of which may be adopted to regulate dark patterns in cookie consent notices. Moreover, the CPRA specifically addressed dark patterns, and explicitly prohibited coercive and manipulative consent. Both the FTC Act and the CPRA provide guidance on how to regulate dark patterns in the future.
This Comment contributes to the existing literature by providing a new set of empirical data regarding dark patterns, specifically in cookie consent notices. The empirical study provides insights on the current state of cookie consent notices and demonstrates the proliferation of dark patterns in the notices. Furthermore, this Comment also explains how various underlying psychological biases affect consumers when they encounter dark patterns online. The interaction among different biases will further exacerbate the effects of dark patterns, and facing online consent choices on a daily basis will likely create decision fatigue and change how people think about their privacy in the long term. Under both the FTC and the CPRA legal frameworks, most of the cookie consent notices analyzed in our study exhibit potentially unlawful usage of dark patterns.
In thinking about privacy issues, regulators can now target the problem from a new perspective by reconsidering the fundamental design of online consent mechanisms from both legal and psychological aspects. The possibility of future regulations for dark patterns and privacy in general will likely depend on social and empirical studies that assess consumer behaviors in the aggregate. These regulations will move towards a human-centered approach to better protect consumer privacy online.
- 1. Alessandro Acquisti et al., Privacy and Human Behavior in the Age of Information, 347 Sci. 509, 509–10 (Jan. 30, 2015).
- 2. Id.
- 3. Michelle Madejski et al., A Study of Privacy Settings Errors in an Online Social Network, in Inst. of Elec. & Elecs. Eng’rs, 2012 IEEE International Conference On Pervasive Computing And Communications Workshops 340, 340–345 (2012).
- 4. See Jamie Luguri & Lior Strahilevitz, Shining a Light on Dark Patterns, 13 J. Legal Analysis 43, 48–51 (2021).
- 5. Midas Nouwens et al., Dark Patterns After the GDPR: Scraping Consent Pop-Ups and Demonstrating Their Influence, Proc. 2020 CHI Conf. on Hum. Factors Computing Sys. 1–13 (2020).
- 6. See Christine Utz et al., (Un)informed Consent: Studying GDPR Consent Notices in the Field, CCS ’19: Proc. 2019 ACM SIGSAC Conf. on Comput. & Commc’ns Sec. 973, 973–90 (2019).
- 7. See Dominique Machuletz & Rainer Böhme, Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs After GDPR, 2 Proc. on Privacy Enhancing Tech. 481, 481–98 (2020).
- 8. Id.
- 9. See Alessandro Acquisti & Jens Grossklags, What Can Behavioral Economics Teach Us About Privacy?, in Digital Privacy: Theory, Technologies, And Practices 370 (Alessandro Acquisti et al. eds., 2008).
- 10. See Andraya Flor, The Impact of Schrems II: Next Steps for U.S. Data Privacy Law, 96 Notre Dame L. Rev. 2035, 2039 (2021).
- 11. See Bradyn Fairclough, Privacy Piracy: The Shortcomings of the United States’ Data Privacy Regime and How to Fix It, 42 J. Corp. L. 461, 467 (2016).
- 12. Id.
- 13. See Fed. Trade Comm’n, Enforcement Policy Statement Regarding Negative Option Marketing (Oct. 28, 2021).
- 14. California Consumer Privacy Act, Cal. Code Regs. tit. 11, § 999.315(h) (2021) [hereinafter CCPA]; see also Angelique Carson, Data Privacy Laws: What You Need to Know in 2021, Osano (June 24, 2020), https://perma.cc/LZ23-269M.
- 15. See Jennifer King & Adriana Stephan, Regulating Privacy Dark Patterns in Practice-Drawing Inspiration from California Privacy Rights Act, 5 Geo. L. Tech. Rev. 251, 259 (2021).
- 16. California Privacy Rights Act § 1789.140(1) (amended by 2021 Cal. Legis. Serv. Ch. 525 (A.B. 694) (West)) [hereinafter CPRA].
- 17. Id.
- 18. See Luguri & Strahilevitz, supra note 4, at 48.
- 19. See King & Stephan, supra note 15, at 259.
- 20. See id.
- 21. See id.
- 22. See Daniel Kahneman, Of 2 Minds: How Fast and Slow Thinking Shape Perception and Choice [Excerpt], Sci. Am. (June 15, 2012), https://perma.cc/DE6W-279K.
- 23. See id.
- 24. See id.
- 25. Luguri & Strahilevitz, supra note 4, at 53.
- 26. Id.
- 27. Id.
- 28. Id.
- 29. Id.
- 30. Luguri & Strahilevitz, supra note 4, at 53.
- 31. See id. at 61.
- 32. Id.
- 33. Id. at 81.
- 34. See Framing Effect, Decision Lab, https://perma.cc/7KMW-WQLM (last visited Feb. 11, 2022).
- 35. See Alessandro Acquisti et al., Nudges for Privacy and Security: Understanding and Assisting Users’ Choices Online, 50 ACM Computing Survs. 44:1, 44:18 (2017).
- 36. See id. at 44:21.
- 37. See Eric J. Johnson & Daniel G. Goldstein, Do Defaults Save Lives?, 302 Sci. 1338, 1338–1339 (2003).
- 38. See Idris Adjerid et al., A Query-Theory Perspective of Privacy Decision Making, 45 J. Legal Stud. S97, S97–S121 (2016).
- 39. See id.
- 40. Acquisti et al., supra note 35, at 44:25.
- 41. Richard H. Thaler & Cass R. Sunstein, Libertarian Paternalism, 93 Am. Econ. Rev. 175 (2003).
- 42. See Acquisti et al., supra note 35, at 44:25.
- 43. See id. at 44:4.
- 44. See Leon Festinger, A Theory Of Cognitive Dissonance 25–60 (1957).
- 45. S. Oshikawa, Cognitive Pre-Decision Conflict and Post-Decision Dissonance, 15 Behavioral Sci. 132, 132–140 (1970).
- 46. See Paul J. Costanzo, Revisiting Cognitive Dissonance Theory: Pre-Decisional Influences and the Relationship to the Consumer Decision-Making Model, 2 Atl. Mktg. J., Apr. 2013, at 42.
- 47. See Isha Ghosh & Vivek Singh, Using Cognitive Dissonance Theory to Understand Privacy Behavior, 54 Proc. Ass’n Info. Sci. & Tech. 679, 679–680 (2017).
- 48. iRobot, https://perma.cc/36AV-A8MV (last visited Feb. 11, 2022).
- 49. See Loss Aversion, Decision Lab, https://perma.cc/KBC7-LRNV (last visited Feb. 11, 2022).
- 50. See Endowment Effect, Decision Lab, https://perma.cc/U99D-9SVG (last visited Feb. 11, 2022).
- 51. See Acquisti et al., supra note 35, at 44:25.
- 52. See Ambiguity (Uncertainty) Aversion, BehavioralEconomics.com, https://perma.cc/6LNY-MSUB (last visited Feb. 11, 2022).
- 53. See Shai Danziger et al., Extraneous Factors in Judicial Decisions, 108 Proc. Nat’l Acad. Scis. 6889, 6889–6892 (2011); Jonathan Levav et al., The Effect of Ordering Decisions by Choice-Set Size on Consumer Search, 39 J. Consumer Rsch. 585, 585–599 (2012).
- 54. ReviewsXP, https://perma.cc/7GEW-HDSJ (last visited Feb. 11, 2022).
- 55. See Utz et al., supra note 6, at 973–90.
- 56. APMEX, https://perma.cc/9Q7U-2Y4K (last visited Feb. 11, 2022).
- 57. 15 U.S.C. § 46(a).
- 58. 15 U.S.C. § 45.
- 59. 405 U.S. 233 (1972).
- 60. Id. at 239.
- 61. 15 U.S.C. § 45(n).
- 62. Maureen K. Ohlhausen, Weigh the Label, Not the Tractor: What Goes on the Scale in an FTC Unfairness Cost-Benefit Analysis?, 83 Geo. Wash. L. Rev. 1999, 2006 (2015) (citing Fed. Trade Comm’n., Commission Statement of Policy on the Scope of the Consumer Unfairness Jurisdiction (1980), reprinted in Int’l Harvester Co., 104 F.T.C. 949, 1072–76 (1984)).
- 63. DSW Inc. Settles FTC Charges, Fed. Trade Comm’n. (Dec. 1, 2005), https://perma.cc/5GY3-XJJL.
- 64. Carolyn Hoang, In the Middle: Creating a Middle Road Between U.S. and EU Data Protection Policies, 32 J. Nat’l Ass’n Admin. L. Judiciary 810, 823 (2012).
- 65. See DSW Inc. Settles FTC Charges, supra note 63.
- 66. See FTC Cracks Down on Spyware Operation, Fed. Trade Comm’n. (Oct. 12, 2004), https://perma.cc/EV8W-F5V5.
- 67. Id.
- 68. See id.
- 69. FTC Policy Statement on Unfairness, Fed. Trade Comm’n (Dec. 17, 1980), https://perma.cc/E97V-CAQ6; see 15 U.S.C. § 45(n).
- 70. See DSW Inc. Settles FTC Charges, supra note 63.
- 71. See, e.g., United States v. Spears, 729 F.3d 753 (7th Cir. 2013).
- 72. Ohlhausen, supra note 62, at 2006.
- 73. Luguri & Strahilevitz, supra note 4, at 88.
- 74. Complaint for Permanent Injunction and Other Equitable Relief, FTC v. Frostwire LLC, No. 11–CV–23643 (S.D. Fla. Oct. 12, 2011), 2011 WL 9282853.
- 75. Id.
- 76. Luguri & Strahilevitz, supra note 4, at 83 (quoting Cliffdale Assocs., Inc., 103 F.T.C. 110 (Mar. 23, 1984)).
- 77. See FTC v. Cyberspace.com LLC, 453 F.3d 1196, 1201 (9th Cir. 2006); see also FTC v. Pantron 1 Corp., 33 F.3d 1088 (9th Cir. 1994).
- 78. Fanning v. FTC, 821 F.3d 164, 170–171 (1st Cir. 2016).
- 79. See Luguri & Strahilevitz, supra note 4, at 83.
- 80. FTC v. E.M.A. Nationwide, Inc., 767 F.3d 611, 631 (6th Cir. 2014).
- 81. See Fairclough, supra note 11, at 467.
- 82. No. 00–11341, 2000 WL 34016434 (D. Mass. July 21, 2000).
- 83. 133 F.T.C. 763 (2002).
- 84. 910 F.3d 417, 424 (9th Cir. 2018), rev’d and remanded on other grounds, 141 S. Ct. 1341 (2021).
- 85. Id.
- 86. Id.
- 87. Id. at 422 (quoting FTC v. Cyberspace.com LLC, 453 F.3d 1196, 1201 (9th Cir. 2006)).
- 88. Luguri & Strahilevitz, supra note 4, at 83.
- 89. Cyberspace.com LLC, 453 F.3d at 1201.
- 90. FTC v. E.M.A. Nationwide, Inc., 767 F.3d 611, 631 (6th Cir. 2014).
- 91. FTC v. AMG Cap. Mgmt., 910 F.3d 417, 424 (9th Cir. 2018), rev’d and remanded on other grounds, 141 S. Ct. 1341 (2021).
- 92. See Fed. Trade Comm’n, supra note 13.
- 93. Id. at 1.
- 94. Id.
- 95. See id. at 2.
- 96. See id. at 4–5.
- 97. 15 U.S.C. §§ 8401–8405.
- 98. Id.
- 99. 16 C.F.R. Part 425.
- 100. Fed. Trade Comm’n, supra note 13, at 11.
- 101. Id. at 13.
- 102. Id. at 14.
- 103. Id. at 11.
- 104. Id.
- 105. Id. at 12.
- 106. Id. at 13.
- 107. See id. at 14.
- 108. See id.
- 109. See id.
- 110. See id. at 15.
- 111. Kiran K. Jeevanjee, Nice Thought, Poor Execution: Why the Dormant Commerce Clause Precludes California’s CCPA from Setting National Privacy Law, 70 Am. U. L. REV. F. 75 (2020).
- 112. Id. at 89.
- 113. CCPA, supra note 14.
- 114. Id.; King & Stephan, supra note 15, at 254.
- 115. CCPA, supra note 14.
- 116. CPRA, supra note 16.
- 117. Id.
- 118. Id.
- 119. Daniel Susser et al., Technology, Autonomy, and Manipulation, 8 Internet Pol’y Rev. 1, 4 (2019).
- 120. King & Stephan, supra note 15, at 269.
- 121. Id. (quoting Arunesh Mathur et al., What Makes a Dark Pattern . . . Dark?: Design Attributes, Normative Considerations, and Measurement Methods, PROC. 2021 CHI Conf. on Hum. Factors Computing Sys. (2021)).
- 122. Id.
- 123. See supra Figure 1.
- 124. Id.
- 125. CPRA, supra note 16, at § 1798.135(b)(2)(A).
- 126. King & Stephan, supra note 15, at 270.
- 127. Susser et al., supra note 119, at 3.
- 128. CPRA, supra note 16, at § 1798.140(h).
- 129. King & Stephan, supra note 15, at 271.
- 130. Id.
- 131. See DSW Inc. Settles FTC Charges, supra note 63.