Ch-Ch-Ch-Changes
Hello all, and thanks for reading today.
Updated: August 28, 2023
Published: November 17, 2021
Listen, we're all human. We're imperfect. We're persuadable. And I, for one, could only take so much buzz about Ted Lasso, the Apple TV hit, before I finally caved and needed to see the show for myself. And hey, Apple offered me a 30-day trial! Now, I did have to enter my credit card number, so at the end of the 30 days, Apple could auto-charge me unless I set an iPhone reminder and told three friends to remind me to cancel in time.
The great news: I loved Ted Lasso and binged it in two weeks. The bad news: Of course I didn't remember to cancel after 30 days, and I now pay Apple monthly. While this example is relatively benign and only costs me $5 a month, it's technically a dark pattern, a trick to get me to do something I wasn't planning on doing.
The U.S. Federal Trade Commission announced last month it's going to start bringing down the proverbial hammer on the more egregious examples of dark patterns. Will it yell at Apple for charging me $5 a month? Probably not. But here are some examples of what you should avoid doing on your site if you want to play nice with the FTC.
It's not that dark pattern enforcement is new. As NBC News reports, LinkedIn paid $13 million in 2015 to settle a class-action lawsuit over its sign-up process. And look at the California Consumer Privacy Act: The requirement for a "do not sell" button that allows users to easily opt out is a reflection of lawmakers' understanding that consumers are often duped.
As WIRED reports, not all dark patterns are deployed maliciously. Sometimes, user-interface designers "might just be doing what works."
But the problem sometimes is that the company deploying the dark pattern has interests in a different outcome than the consumer. Example: When a user wants to unsubscribe from a service, and the company puts "nevermind, I want to stay" as the default selection while "unsubscribe" is subtle. The button highlighted for me seems to indicate the better choice would be to stay.
We increasingly see this in the guidance from EU privacy regulators: Don't make it hard for people to do what they want to do. If they want to unsubscribe from your service, allow them to do so in one click rather than getting on the phone with a salesperson who's going to try and convince them otherwise.
Another tactic companies sometimes employ is to add items to a consumer's "shopping cart" without asking. For example, I rented a Zipcar the other day. As I hurriedly tried to click "yes give me the car now I have to go," it auto-added an insurance plan. I had to take action by pausing to see what the app was doing, then changing the default selection to "No, I do not want that product."
For more, darkpatterns.org has some real-life examples on its "Hall of Shame" page.
The FTC says it's coming after companies that "trick or trap" consumers into subscription services. "The number of ongoing cases and high volume of complaints demonstrate there is prevalent, unabated consumer harm in the marketplace," the FTC said in its statement, adding the agency gets thousands of complaints a year about tactics like auto-renewals.
No, I didn't call them about my Ted Lasso grievance. But that's just because I'm tired.
But the reason I'm subscribed to Apple TV now is that we're imperfect. We're living busy lives. We don't have time to read the fine print or do a risk/reward analysis on whether giving Apple my credit card under the premise it's "just for safekeeping at this time" is the right move for me, and that's what companies are leaning on when they deploy dark patterns.
But even more important than the looming threat of FTC enforcement might be: Privacy is increasingly becoming a competitive differentiator for brands. If the FTC doesn't scare you, the idea that consumers will start to vote with their feet and move to companies they trust — companies that do what they say they're going to do without tricks and games — probably should.
For now, please enjoy reading this week's top news stories. I've summarized them below, because you're busy. I'll see you next week!
Federal Trade Commission to start clamping down on 'dark patterns'
The Federal Trade Commission recently issued a new enforcement policy statement about dark patterns, which are tricks or design decisions used to encourage a consumer into doing things they didn't necessarily want to do, National Law Review reports. The FTC warned companies against deceptive practices and said any consent should be "express" and "informed." A pre-checked box is not okay, the agency said.
State privacy laws: A primer on what's happened and what's about to
While U.S. lawmakers have failed to agree on what a data privacy law should look like, the states have decided they're not waiting around. California, Virginia and Colorado have already enacted privacy laws. And there are dozens more waiting in state legislature committees across the country. Learn the must-knows about the three existing state laws and which state proposals to anticipate next in a free webinar with Politico's Alex Levine and Husch Blackwell's David Stauss.
Mozilla's holiday guide rates tech gifts on their privacy practices
Ahead of the holiday season, Mozilla researchers analyzed product and app features, and read through privacy policies as part of its annual "Privacy Not Included" shopping guide. Nearly one-third of the 152 "connected gifts" didn't meet basic standards on security and privacy, CNET reports. Among the worst offenders on the list: Facebook Portal, Amazon Echo and NordicTrack Treadmill.
OnlyFans faces Illinois biometric privacy law class action over ID-verification photos
OnlyFans' system to verify the age and identity of content creators breached the Illinois Biometric Information Privacy Act, according to a potential class action. The subscription-based social media platform has its content creators take a selfie for verification. As a result, it collected face biometrics of more than 2 million people worldwide — without explaining how the data would be used and when it would be destroyed. Some of those users were Illinois residents, the complaint states. It seeks $1,000 - $5,000 per violation, plus attorneys' fees.
What IT leaders need to know about the future of privacy
Within two years, more than 60% of the world's population will be able to exercise the privacy rights granted to them by existing or emerging privacy laws. According to Gartner, by 2024, large organizations' average annual budgets for privacy will exceed $2.5 million, "allowing a shift from compliance ethics to competitive differentiation," InformationWeek reports. And through 2026, "organizations that mishandle personal data will suffer three times more financial damage from class actions and mass claims than from enforcement sanctions," the report states.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.