
How Dark patterns are taking the ‘informed’ out of informed cookie consent.

By Jelle Slotman

Introduction

When browsing the internet you have inevitably encountered a cookie consent notice. These small banners that pop up when you visit a website are used to register user consent for the specific processing of personal information that, under the EU GDPR, requires consent. Although that processing relies on informing the user before consent is given, many websites use textual and visual implementations in their cookie consent notices that hamper informed consent. This article presents examples of Dark Patterns found during research, giving the reader the knowledge needed to recognize and prevent Dark Patterns in future cookie consent implementations.

What are cookies and what is the problem?

Web services use cookies to track users for various purposes. Cookies are small files that enable user tracking. For example, web shops may use cookies to keep track of a digital shopping cart or to collect (anonymous) analytics about website usage. These cookies are called functional or analytical cookies and may be set without the consent of the website user. User consent is necessary for all other data processing activities and must therefore be requested by the web service providing the service, in line with the ePrivacy Directive (2002/58/EC) and the General Data Protection Regulation (GDPR).

This could include data processing for marketing activities (e.g., personalized content) or tracking data to provide the user with personalized search results. The key point here is that web services should provide the user with sufficient information without any distractions to make an informed decision about processing the user’s personal data.

Several studies in both the practical and the scientific domain have shown that many websites apply visual or textual implementations that nudge the user into clicking “accept all cookies” as quickly as possible. These implementations are also known as Dark Patterns. Dark Patterns make it (virtually) impossible for users to make informed decisions about the processing of their personal data. An example can be found in figure 1.

Figure 1: cookie consent notice example

Within the example, two pointers can be found that steer the website user towards accepting all cookies:

  1. Only one button is displayed. Users only see the “accept all” button, while the decline option is hidden in the text field above it.
  2. The “accept all” button uses a specific presentation that makes it stand out from the rest of the notice. This tricks users into giving non-informed consent.

Although this is only a small example, eight different Dark Patterns in the context of cookie consent design have been identified through a literature study (table 1). The table shows the result of analyzing and mapping Dark Patterns from multiple studies.

The current situation puts users in an unfair information position and leaves websites a grey area in which to take advantage of existing legislation. In other words, the current legal guidelines do not provide clear rules for cookie consent design.

Dark pattern: Description

Presentation: The desired choice is highlighted (e.g., by colour or text) so that users may overlook the other options.

Forced action and timing: The user is forced into a certain action on the spot.

Understanding mapping: Controls are mapped differently from the familiar layout, so that users cannot rely on the evaluation scheme they are used to.

Providing feedback: Feedback is used to steer users towards the desired choice.

Providing incentives: Incentives are used to reward the desired choice.

Expecting error/reversibility: The design expects users to make errors and is as forgiving as possible, in favour of the desired choice.

Overly complex or easy information or structures: Information or information structures are either too simple, or too complex and hidden, so that users are unable to give informed consent.

Bad defaults: Specific defaults are used by the company in the hope that users do not decline them.

Table 1: Cookie Consent specific Dark Patterns

Examples of Cookie consent related Dark Patterns

In the following sections, examples of Dark Pattern usage are shown, including the remediations that mitigate this unethical behaviour. For each of the analyzed Dark Patterns, I will give a general example of the pattern. Note that this is just an example to show how the pattern works; many other forms and variations exist in practice.

Dark Pattern #1: Presentation

The first pattern in the list is the presentation of the consent notice (fig 2). This pattern is generally easy to recognize: the presentation Dark Pattern tries to deceive the user with large, prominent buttons urging them to accept the cookies. Only when looking a little further can the user view and select preferences.

Figure 2: presentation

How to mitigate this Dark Pattern

There is no single solution to the issue of incorrect presentation. Firstly, the cookie consent notice should be consistent, meaning that opting in is as easy as declining and that both buttons have the same size. Secondly, use a colour scheme that is in line with the colour scheme of the web service itself. The colour scheme of the consent notice should also not use colours that suggest the user has made a bad choice by opting out.

Lastly, the presentation of the text also plays a vital role in keeping the cookie consent notice as neutral as possible.

Dark Pattern #2: Forced action and timing

This Dark Pattern focuses on forcing users to consent (fig 3). A clear example of forced action is the so-called ‘cookie wall’, where users can only access a web service after accepting all cookies (the Dutch data protection authority has already forbidden the use of cookie walls for website access) (Autoriteit Persoonsgegevens, nd). Forced action is typically combined with timing. Think of the difference between a cookie wall presented the moment a user wants to access a website, and a consent notice presented while the user is already using the web service.

Figure 3: Forced action

How to mitigate this Dark Pattern

Ensure that users are not forced to accept when entering the website. This means that users should be able to access a website even if they have not consented to the information processing. The best way to mitigate forced action is to ensure that the user has a genuine choice to accept or decline the consent request. Users must never be denied access to a public website because they did not consent to data processing.

To mitigate the timing element, it is best to standardize the moment of presentation in line with other websites. Web services generally request consent at the moment the user enters the service. This leaves no room for data processing by the web service before the user has opted in or out.
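The timing mitigation above implies a concrete engineering rule: nothing non-essential may run before the user has made a choice, and accepting or declining must be equally simple. The following consent-gated tag loader is an added example written for this article; it is not code from the original page or from any consent framework. The category names, the tag objects and the shape of the recorded choice are assumptions. Only the categories the article names as consent-free (functional and analytical) load before a decision; everything else waits and is either loaded or dropped once the user has decided.

```javascript
// Added example (not from the article): a consent-gated tag loader.
// Category names, tag ids and the recorded-choice shape are assumptions.

// Categories the article describes as not needing consent.
const ESSENTIAL = new Set(["functional", "analytical"]);

function createConsentState() {
  // No decision yet: nothing non-essential may be processed.
  return { decided: false, choices: {}, timestamp: null };
}

// A category is allowed only if it is essential, or if the user has
// explicitly opted in. Unknown or unchecked categories default to false.
function isAllowed(state, category) {
  if (ESSENTIAL.has(category)) return true;
  if (!state.decided) return false;
  return state.choices[category] === true;
}

// Tags (e.g. a marketing script) are queued until their category is allowed.
function createTagQueue(state) {
  const queued = [];
  const loaded = [];
  const dropped = [];

  function considerTag(tag) {
    if (isAllowed(state, tag.category)) {
      loaded.push(tag.id); // here a real loader would inject the script
    } else if (state.decided) {
      dropped.push(tag.id); // user declined this category: never load it
    } else {
      queued.push(tag); // wait for the user's decision
    }
  }

  return {
    add(tag) { considerTag(tag); },
    // Re-evaluate everything that was waiting once a decision exists.
    flush() { queued.splice(0).forEach(considerTag); },
    loaded() { return loaded.slice(); },
    pending() { return queued.map((t) => t.id); },
    dropped() { return dropped.slice(); },
  };
}

// Recording a choice is one step whether the user accepts or declines,
// so the two options are symmetric (the presentation mitigation).
function recordChoice(state, choices, now = Date.now()) {
  state.decided = true;
  state.choices = { ...choices };
  state.timestamp = now;
}

function acceptAll(state, categories) {
  recordChoice(state, Object.fromEntries(categories.map((c) => [c, true])));
}

function declineAll(state, categories) {
  recordChoice(state, Object.fromEntries(categories.map((c) => [c, false])));
}

// Walk-through with constructed tags: only the cart tag loads before a
// decision; after a partial opt-in, the opted-in tag loads and the rest drop.
function demo() {
  const state = createConsentState();
  const queue = createTagQueue(state);
  queue.add({ id: "cart", category: "functional" });
  queue.add({ id: "ads", category: "marketing" });
  queue.add({ id: "recommend", category: "personalisation" });
  const before = queue.loaded();
  recordChoice(state, { marketing: false, personalisation: true }, 0);
  queue.flush();
  return { before, after: queue.loaded(), dropped: queue.dropped() };
}
```

The important property is the default in `isAllowed`: absence of a decision is treated exactly like a decline, so a page that renders the notice late, or a user who never interacts with it, never triggers non-essential processing.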

Dark Pattern #3: Understanding mapping

The understanding mapping Dark Pattern is a deliberate deviation from the ‘standard’ cookie consent notice layout (fig 4). Suppose the standard consent notice consists of three buttons: the left button accepts all cookies, the middle button declines all cookies, and the right button shows and modifies preferences. A user who is used to this standard will automatically click the button of their preference (e.g. decline all) without thinking. This pattern relies on that standard and changes the order of the buttons so that the same unconscious behaviour leads users to click the accept all button.

Fig 4: Understanding mapping

How to mitigate this Dark Pattern

Mitigation requires some market research into common cookie consent notice implementations. It is beneficial to use a standard consent framework, such as the IAB Transparency and Consent Framework v2.2.

Dark Pattern #4: Providing feedback

The fourth Dark Pattern focuses on providing feedback through the cookie consent notice (fig 5). In the example, the decline button tries to influence the user by warning that, if they decline, they will not have an optimal experience.

The web service may also provide feedback through pop-ups or other reactions when the user declines the processing.

Figure 5: Providing feedback

How to mitigate this Dark Pattern

Websites should never provide feedback through the cookie consent notice. It is recommended to keep the text in the consent notice as neutral as possible. A neutral configuration enables the user to make an informed decision.

Dark Pattern #5: Providing incentives

This pattern is as simple as it sounds. When encountering the cookie consent notice, the user is confronted with incentives to consent to the processing of information (fig 6). In the example, the user receives free shipping when accepting all cookies. Offering incentives impairs the user’s ability to make an informed decision about their personal data, and therefore makes the consent invalid.

Figure 6: Providing incentives

How to mitigate this Dark Pattern

Never provide incentives to users when asking for cookie consent. Ensure that the text and style of the consent notice remain as neutral as possible.

Dark Pattern #6: Expecting Error/reversibility

When designing for errors, the consent notice presents the user with an error after they decline. The user is then returned to the web service, where the same error occurs again. As a result, the user is forced to accept all cookies to get rid of the cookie consent notice.

Figure 7: Expecting error/reversibility

How to mitigate this Dark Pattern

Implement cookie consent notices that do not use pop-ups or other mechanisms that reopen a decision the user has already made by declining. This should not interfere with the user’s right to opt out of the processing of information at a later time.

Dark Pattern #7: Overly complex or easy information or structures

Since cookie consent notices stem from legal requirements, they may use legal jargon (fig 8). For the average user this jargon may be too complicated, which diminishes the understandability of the message. In practice, cookie consent notices often hide large amounts of text behind the notice itself.

Conversely, when web services oversimplify the message, users are also not informed of the processing activities. Web services may also bundle multiple consent requests into one, making it easy to obtain consent for all of them at once.

Figure 8: Overly complex or easy information or structures

How to mitigate this Dark Pattern

The EU has provided guidelines on how to write clearly, which ensure that plain and clear language is used towards the user. Web services should also use separate information requests, preferably in line with a market-standard notice and consent framework. This ensures that the web service presents neither too many nor too few consent requests to the user.

Dark Pattern #8: Bad defaults

The last example from the list is probably one of the more common Dark Patterns (fig 9). With bad defaults, the notice shows the category or categories of information processing with the category already pre-selected (opted in) by the web service provider.

Bad defaults may also be found in cookie consent notices where the consent toggle is switched off by default, but a separate ‘legitimate interest’ toggle for the same purpose is switched on (fig 10). Legitimate interest is another lawful ground for the processing of information. However, according to the Dutch Autoriteit Persoonsgegevens, processing shall be considered unlawful if it only serves a commercial purpose. This type of implementation may sit in a grey area for compliance, but it does present an unethical choice to the user.

Figure 9: Bad defaults

Figure 10: Bad defaults through legitimate purposes

How to mitigate this Dark Pattern

This Dark Pattern is easily remediated by not using any pre-selected consent boxes. In addition, I would strongly recommend not using legitimate interest toggles in a cookie consent notice at all, as this will only confuse the user of the web service.
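Several of the mitigations above (equal accept and decline buttons for Presentation, no cookie wall for Forced action, no pre-selected consent or legitimate-interest toggles for Bad defaults, no rewards or warnings in the button text for Providing incentives and Providing feedback) are structural properties that can be checked before a consent notice ships. The audit function below is an added example written for this article, not code from the original page or from any consent management platform. The `notice` object describing the banner (its buttons, their dimensions and style names, its categories and their default states) is an assumed shape, and the incentive and feedback keyword lists are a deliberately small heuristic, not a complete detector. Both sample notices are constructed.

```javascript
// Added example (not from the article): a structural audit of a consent
// notice description against the Table 1 patterns the mitigations address.
// The notice object shape and the keyword lists are assumptions.

const INCENTIVE_WORDS = ["free", "discount", "gift", "bonus"];
const FEEDBACK_WORDS = ["worse", "limited", "not optimal", "miss out"];

function auditConsentNotice(notice) {
  const findings = [];
  const buttons = notice.buttons || [];
  const accept = buttons.find((b) => b.action === "accept_all");
  const decline = buttons.find((b) => b.action === "decline_all");

  // Presentation: declining must be as easy and as visible as accepting.
  if (accept && !decline) {
    findings.push({ pattern: "Presentation", detail: "no decline button on the first layer" });
  }
  if (accept && decline) {
    if (accept.width !== decline.width || accept.height !== decline.height) {
      findings.push({ pattern: "Presentation", detail: "accept and decline buttons differ in size" });
    }
    if (accept.style !== decline.style) {
      findings.push({ pattern: "Presentation", detail: "accept and decline buttons differ in style" });
    }
  }

  // Forced action and timing: a cookie wall blocks the service until consent.
  if (notice.blocksContentUntilAccept === true) {
    findings.push({ pattern: "Forced action and timing", detail: "content is blocked until the user consents" });
  }

  // Bad defaults: non-essential categories must start unchecked, and a
  // legitimate-interest toggle must not be switched on by default either.
  for (const cat of notice.categories || []) {
    if (cat.essential) continue; // functional/analytical need no consent
    if (cat.consentDefault === true) {
      findings.push({ pattern: "Bad defaults", detail: `category "${cat.name}" is pre-selected` });
    }
    if (cat.legitimateInterestDefault === true) {
      findings.push({ pattern: "Bad defaults", detail: `legitimate interest for "${cat.name}" is on by default` });
    }
  }

  // Providing incentives / Providing feedback: keyword heuristic on labels.
  for (const b of buttons) {
    const label = String(b.label || "").toLowerCase();
    if (INCENTIVE_WORDS.some((w) => label.includes(w))) {
      findings.push({ pattern: "Providing incentives", detail: `button "${b.label}" offers a reward` });
    }
    if (FEEDBACK_WORDS.some((w) => label.includes(w))) {
      findings.push({ pattern: "Providing feedback", detail: `button "${b.label}" warns the user` });
    }
  }
  return findings;
}

// Distinct pattern names found, sorted, for a quick summary.
function patternsFound(notice) {
  return [...new Set(auditConsentNotice(notice).map((f) => f.pattern))].sort();
}

// Constructed sample: a notice combining several of the article's patterns.
const SAMPLE_BAD_NOTICE = {
  blocksContentUntilAccept: true,
  buttons: [
    { action: "accept_all", label: "Accept all and get free shipping", width: 240, height: 48, style: "primary" },
    { action: "decline_all", label: "Decline", width: 120, height: 32, style: "link" },
  ],
  categories: [
    { name: "functional", essential: true, consentDefault: true },
    { name: "marketing", essential: false, consentDefault: true, legitimateInterestDefault: false },
    { name: "personalisation", essential: false, consentDefault: false, legitimateInterestDefault: true },
  ],
};

// Constructed sample: the same notice after applying the mitigations.
const SAMPLE_NEUTRAL_NOTICE = {
  blocksContentUntilAccept: false,
  buttons: [
    { action: "accept_all", label: "Accept all", width: 160, height: 40, style: "neutral" },
    { action: "decline_all", label: "Decline all", width: 160, height: 40, style: "neutral" },
  ],
  categories: [
    { name: "functional", essential: true, consentDefault: true },
    { name: "marketing", essential: false, consentDefault: false, legitimateInterestDefault: false },
    { name: "personalisation", essential: false, consentDefault: false, legitimateInterestDefault: false },
  ],
};
```

Understanding mapping and the complexity pattern are intentionally absent from the checker: the first depends on what layout users are accustomed to and the second on the readability of the notice text, neither of which is a property of the banner's structure alone.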

Conclusion and recommendations

Now that all patterns have been laid out, it is time to discuss the relevance and applicability of the results. Now that the reader is able to understand and recognize Dark Patterns in the ‘wild’, organizations will hopefully use this knowledge to their benefit. While marketing, personal profiling, or any other commercial activity may be important to enhance a service, the user should still be able to take ownership of their conscious decision to consent or not to consent. By mitigating this list of Dark Patterns, the user will ultimately benefit from informed decision-making in a privacy context, which is the goal of privacy legislation in the first place.

About the author

Jelle Slotman


Jelle Slotman MSc works at Sogeti NL as Senior Security Consultant. Jelle recently graduated with a Master of Informatics from the University of Applied Sciences Utrecht. In his day-to-day work, Jelle is a specialist in IT governance, risk, and compliance with a specific interest in privacy legislation. For queries or other requests, Jelle can be contacted through LinkedIn.

Disclaimer

The author alone is responsible for the views expressed in this article. The views mentioned do not necessarily represent the views, decisions or policies of the ISACA NL Chapter. The views expressed herein can in no way be taken to reflect the official opinion of the board of ISACA NL Chapter.

All reasonable precautions have been taken by the authors to verify the information contained in this publication. However, the published material is being distributed without warranty of any kind, either expressed or implied. The responsibility for the interpretation and use of the material lies with the reader. In no event shall the authors or the board of ISACA NL Chapter be liable for damages arising from its use.
