APPREHENSIVE ASSOCIATION OF DATA PRIVACY LEGISLATIONS AND UX DESIGN DARK PATTERNS
UX designers often borrow principles from psychology and other behavioural and cognitive sciences when designing, and this practice is naturally aimed at giving the users of a website a seamless, visceral experience. One such practice is known in the design community as dark patterns or deceptive design: design tricks that deceive users into taking certain actions without any unambiguous act on their part, producing outcomes desirable to the website owners. In terms of data protection, these deceptive tricks have been used as an exploitative tool to obtain user consent for data processing and other related functions.
After the introduction of the GDPR and other data-rights-oriented legislation in developed nations, this unethical practice has been tamed and has been under constant legal scrutiny by the relevant national authorities.
This article tries to explain the nexus between dark patterns and data protection law, and the current relevance of these patterns after the introduction of the GDPR.
This unethical practice was first identified by Harry Brignull, an experienced consultant in product design, user research and user experience who holds a PhD in cognitive science. According to him, a dark pattern is “a well-designed user interface that deceives customers into taking certain actions, such as purchasing insurance along with their purchase or enrolling in recurring billing”. He further explains that dark patterns are carefully designed with prior consideration of human psychology, with a motive of commercial exploitation or with no intention of treating the user’s interest as the first priority. More formally, section 6-1-1303, subsection 9, of the Colorado Privacy Act defines a dark pattern as a “user interface designed or being manipulated with the substantial effect of subverting or impairing the users’ autonomy, choice or decision making power”.
European Data Protection Board and dark patterns:
On a positive note, the dark pattern per se is not an evil user interface practice; it has evolved and is inherently used as a good interaction design pattern for increasing the efficiency of the user experience.
On the legal side, the dark pattern practice is not an illegal one, and no legislation per se restricts the use of dark patterns, since it is extremely impractical to distinguish the practice from normal user interface design.
Very recently, on March 14, 2022, the European Data Protection Board (“EDPB”) released a guideline titled “Dark patterns in the social media platform interfaces”. In this guideline the Board tried to provide certain binding guidelines to designers and users of social media to assess and avoid dark patterns that infringe the provisions of the General Data Protection Regulation.
According to the guidelines, dark patterns are social media user interfaces and user experiences that influence the users of those media to make unintentional, unwilling, unwelcome and potentially harmful decisions concerning their personal data and its processing. The commission further contends that such dark patterns attempt to manipulate users’ behaviour, thereby impeding their ability to make effective, conscious decisions with respect to the protection of their personal data. The guideline further classifies these patterns under six headings:
Fickling – inconsistent interface design that makes it difficult to access the data protection control tools and hinders users from understanding the purpose of data processing.
Hindering – the word is self-explanatory; it blocks users from becoming informed about managing their data. It is further divided into 3 types: Dead end, Longer than necessary and Misleading information.
Stirring – influencing the choice of users through emotions or visual coaxing. It is further divided into 2 types: Emotional Steering and Hidden in plain sight.
Skipping – designing the user interface in a cunning way so that users are deceived into skipping the data protection aspects of the website. It is further divided into 2 types: Deceptive Snugness and Look over there.
Overloading – the word is self-explanatory; these techniques discommode users with an unusually large amount of information and number of requests, which in turn forces them to submit a large amount of unnecessary personal data and to accept most of the unwanted data processing requests. It is further divided into 3 types: Continuous prompting, Privacy Maze and Too Many Options.
Left in the dark – hiding the data protection control tools, which leaves users in an uncertain position about the processing of their data and their related rights. It is further divided into 3 types: Language discontinuity, Conflicting information and Ambiguous wording or information.
GDPR and dark patterns:
As mentioned earlier, the dark pattern per se is not illegal, but the main aim of dark patterns conflicts with the provisions of the GDPR. Firstly, the term consent is defined under Article 4(11) as any freely given, informed, specific, unambiguous indication of the rights of the data subject, by way of a statement or by a clear affirmative action, which signifies agreement to data processing.
For instance, the GDPR mandates the importance of consent in Article 6(1)(a), which states that consent is necessary for processing personal data, and in Article 7, which sets out the conditions for consent. Sub-clause 3 of Article 7 states that the data subject has the right to withdraw consent at any time and that the process of withdrawing consent should be easy and simple. In practice, however, most companies force users to follow unnecessary procedures to withdraw their consent, and in most cases the consent removal option is hidden or stirred.
Example: in the case of newsletter emails, when a person wants to unsubscribe, instead of explicitly labelling the unsubscribe button the website will name it “stop caring about your career growth” (internship websites) or “back to being ignorant” (informative newsletters). This set of practices stirs the emotions of users and influences them to continue the subscription.
Apart from Articles 4, 6 and 7, Recital 42 of the GDPR, which specifies the burden of the requirements of consent, states that, in accordance with EU Council Directive 93/13/EEC, a consent declaration should be provided in an intelligible and easily accessible form, using plain and clear language, and should not contain any unfair terms. This directive is openly violated when websites cunningly employ certain colour palettes and design patterns that cozen users into giving consent where the terms of processing are unfair or excessive. The recital also mentions that consent will not be regarded as freely given if the data subjects have no free choice or are unable to refuse or withdraw consent without detriment.
In addition, Recital 39 of the GDPR specifies the fairness principle in data processing and mentions that data being processed cannot be collected through unfair methods, through deception or without the data subject’s knowledge.
Privacy-oriented legislation, including the LGPD, GDPR, CCPA, PDPA and PIPEDA, speaks rigorously about the nature and importance of free and uninfluenced consent for data processing and elevates existing autonomy and privacy rights. Beyond these, the Colorado Privacy Act, which defines dark patterns in legal terms, specifically addresses invalid consent: it explicitly states that any consent obtained through the use of dark patterns does not amount to valid consent, and thereby indirectly places a restriction on the use of dark patterns on websites.
After the legal definitions of dark patterns, the next immediate problem is the lack of pre-defined technical procedures for concluding whether a UX design uses dark patterns or not. The solution to this problem can be inferred from the decisions of various data protection supervisory authorities. It is important to remind readers that the dark pattern per se is not illegal under EU law, so the presence of dark patterns on EU-based websites is judged by the extent of their deceptive nature, that is, whether they influence or are likely to influence users’ consent to data processing or other relevant activities. The supervisory authorities are therefore forced to rule on an abstract definition of the deceptiveness experienced by users. It is also important to note that even the six definitions mentioned in the e-privacy directive for social media intermediaries never tried to narrow down the classification of problematic dark pattern UX designs. This causes injury to consumers and prolonged confusion among designers, which may lead them to cross the thin line from unethical but legal practice into illegality, since no one draws the dividing line or the line is invisible.
This article never intended to accuse designers or to discourage them from using dark patterns. Anyone with basic business knowledge can understand that there is a valid reason for designing those tools in a deceptive manner. Not every consumer cares about the privacy protection tools or legal notices placed on the opening page of a website; their purpose in visiting the site holds more of their attention. UX nudging based on the metrics of behavioural economics and human psychology is a marketing skill through which businesses achieve their ultimate sales motive, irrespective of ethical grounds but with strong caution about legal grounds. It is therefore believed that a complete ban on the use of dark patterns would restrict the innovative talents of designers, which in turn would destroy the heart of the business. Vague and abstract definitions or classifications, even when accompanied by examples, are of no use; rather, perspicuous and pragmatic regulations will be effective in regulating dark patterns without clipping the creative wings of designers.
Arushi Jaiswal, Dark patterns in UX: how designers should be responsible for their actions, UX Collective (Apr 16, 2018), https://uxdesign.cc/dark-patterns-in-ux-design-7009a83b233c
European Data Protection Board, https://edpb.europa.eu/system/files/2022-03/edpb_03-2022_guidelines_on_dark_patterns_in_social_media_platform_interfaces_en.pdf (last visited Aug 24; 7:30 PM)
General Data Protection Regulation, 2016, Art. 7, European Parliament 2016 (European Union)
European Data Protection Board, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf (last accessed Aug 30; 10:20 PM)
Colorado Privacy Act, 2021, sec. 6-1-1303, Colorado General Assembly, 2021 (Colorado, USA)