By Jelle Slotman
Introduction
When browsing on the internet you have inevitably encountered a cookie consent notice. The little banners that pop up when visiting a website are used to register user consent for specific processing of personal information that requires user consent in the EU GDPR context. While the processing relies upon informing the user before consent, websites use multiple textual and visual implementations that hamper informed consent in cookie consent notices. This article focuses on examples of Dark Patterns found during research providing the user with the knowledge necessary to recognize and prevent Dark Patterns for future cookie implementations.
What are cookies and what is the problem?
Web services use cookies to track users for various purposes. Cookies are small files that enable user tracking. For example, web shops may use cookies to track a digital shopping cart or (anonymous) analytics about website usage. These cookies are called functional or analytical cookies and may be processed without the consent of the website user. User consent is necessary for all other data processing activities and must therefore be requested by the web service providing the service in line with the Privacy Directive 2002 and General Data Protection Regulation (GDPR).
This could include data processing for marketing activities (e.g., personalized content) or tracking data to provide the user with personalized search results. The key point here is that web services should provide the user with sufficient information without any distractions to make an informed decision about processing the user’s personal data.
Several studies within the practical and scientific domain have shown that many websites apply various visual or textual implementations that nudge the user into clicking the “accept all cookies” as quickly as possible. These implementations are also known as Dark patterns. Dark Patterns make it (virtually) impossible for users to make informed decisions about processing personal data. An example can be found in the figure 1.
Figure 1: cookie consent notice example
Within the example, two pointers can be found forcing the website user to accept all cookies:
- Only one button is displayed. Users only see the choice of the accept all button, while the decline button is hidden in the text field above.
- The accept all button uses a specific presentation that makes it stand out from the rest of the notice. This tricks users into providing their non-informed consent.
Although this is only a small example, eight different Dark patterns in the context of cookie consent design have been found through a literature study (table 1). The presented table shows the result of analyzing and mapping Dark patterns from multiple studies.
The current situation presents an unfair information position for users and a grey area for websites to take advantage of existing legislation. This means that the current legal guidelines do not provide a clear situation for cookie consent design.
Dark pattern | Description |
Presentation | The desired choice is highlighted (e.g., color, text) so that users may oversee other options. |
Forced action and timing | The user is forced into a certain action on the spot. |
Understanding mapping | Mapping information makes it difficult to evaluate familiar evaluation schemes. |
Providing feedback | Feedback is used to steer users into the desired choice. |
Providing incentives | Incentives are used to reward the desired choice. |
Expecting Error/Reversibility | Expecting users to make errors and being as forgiving as possible. |
Overly complex or easy information or structures | Information or information structures are either too simple or complex and hidden so that users are unable to provide their informed consent. |
Bad defaults | Specific defaults are used by the company in the hope users do not decline them. |
Table 1: Cookie Consent specific Dark Patterns
Examples of Cookie consent related Dark Patterns
In the following sections, examples of Dark Pattern usage are shown including the remediations to mitigate unethical behavior. For each of the analyzed Dark Patterns, I will provide you with a general example of the pattern. Note that this is just an example to show how the pattern works. Many other specifications or forms could exist in reality.
Dark Pattern #1: Presentation
The first pattern within the list is the Dark Pattern of the presentation of the consent notice (fig 2). This pattern is generally easy to recognize as the presentation Dark Pattern tries to deceive the user by implementing large and standing out buttons screaming to accept the cookies. However, when looking a little further the user can view and select preferences.
Figure 2: presentation
How to mitigate this Dark Pattern
There is no single-track solution to solve the issue of incorrect presentation. Firstly, the cookie consent should be consistent, meaning that the option to opt-in is as easy as to decline cookie consent and that both buttons have the same size. Secondly, use a coloring scheme that is in line with the coloring scheme of the provided web service. The used color scheme of the cookie consent notice should also not use colors that may reflect that the user has made a bad choice when opting out for consent.
Lastly, the presentation of text also plays a vital role when presenting the cookie consent as neutral as possible.
Dark Pattern #2: Forced action and timing
This Dark Pattern focuses on forcing the users to consent (fig 2). A clear example of forced action is the so-called ‘cookie wall’ where users can only access a web service after accepting all cookies (The Dutch data protection commissioner has already forbidden using cookie walls for website access) (Autoriteit Persoonsgegevens, nd). Forced action is ideally used with proper timing. Think of a situation where a user would like to access a website and a cookie wall is presented or if a user is already on the web service and a cookie consent notice is presented.
Figure 3: Forced action
How to mitigate this Dark Pattern
Ensure that users should not be forced to accept when entering the website. This means that users should be able to access a website even if the user has not consented to the information processing. The best idea to mitigate forced action is to ensure that the user has a choice to accept or decline the consent requests. Users may never be revoked access to a public website if they did not provide their data processing consent.
To mitigate the timing element, it would be best to standardize the moment of presentation in line with other websites. Webservices generally request consent at the moment the user enters the service. This leaves no room for data processing by the web service before opting in or out by the user.
Dark Pattern #3: Understanding mapping
The understanding mapping Dark Pattern is a conscious deviation of the ‘standard’ cookie consent notice setup (fig 4). Let’s say that the standard cookie consent notice consists of three buttons where the left button is used to accept all cookies, the button in the middle is used to decline all cookies, and the button on the right side is used to show and modify preferences. When the user is used to this standard, the user will automatically choose the button of preference without thinking (e.g. decline all). This pattern focuses on the standard and changes the order of buttons so that this unconscious behavior will lead to users clicking the accept all button.
Fig 4: Understanding mapping
How to mitigate this Dark Pattern
The mitigation requires some market search in common cookie consent notice implementations. It would be beneficial to use standard consent frameworks, such as the IAB Transparency and Consent Framework v2.2.
Dark Pattern #4: Providing feedback
The fourth Dark pattern focuses on providing feedback through the cookie consent notice (fig 5). In the provided example, the decline button tries to influence the user by informing the user that if they choose to decline, they will not have an optimal experience.
The web service may also provide feedback to the user through pop-ups or other reactions when the user declines the processing.
Figure 5: Providing feedback
How to mitigate this Dark Pattern
Websites should never provide feedback through the cookie consent notice. It is recommended to leave the text in the consent notice as neutral as possible. By implementing a neutral configuration the user will be enabled to make an informed decision.
Dark Pattern #5: Providing incentives
This pattern comes as easy as described. When encountering the cookie consent notice the user is confronted with incentives to provide consent for the processing of information (fig 6). In the example, the user receives free shipping when accepting all cookies. Asking for incentives influences the users’ ability to make informed decisions about their personal data, therefore making the consent invalid.
Figure 6: Providing incentives
How to mitigate this Dark Pattern
Never provide incentives to users when asking for cookie consent. Ensure that the text and style of the consent notice remains as neutral as possible.
Dark Pattern #6: Expecting Error/reversibility
When designing for errors the consent notice presents the user with an error. Thereafter, the user is represented in the web service where the same error occurs. Therefore, the user will be forced to accept all cookies to get rid of the cookie consent notice.
Figure 7: Expecting error/reversibility
How to mitigate this Dark Pattern
Implement cookie consent notices that do not use pop-ups or other options that enable reversible decisions about a given negative consent. This should not interfere with the right to opt out of the processing of information.
Dark Pattern #7: Overly complex or easy information or structures
Since cookie consent notices are part of legal requirements may be using legal jargon in cookie consent notices (fig 8). For the average user, the jargon may be too complicated diminishing the understandability of the message. In the field, cookie consent notices will use large amounts of text behind the cookie consent notice.
On the contrary, when web services are oversimplifying the message, users will also not be informed of the processing activities. Web services may also bundle multiple cookie consent requests ensuring an easy way to user consent.
Figure 8: Overly complex or easy information or structures
How to mitigate this Dark Pattern
The EU have provided guidelines on how to write clearly. This ensures that plain and clear language shall be used to the user. Webservices should also use separated information requests preferably in line with a market standard notice and consent framework. This ensures that the webservice does not present too many or too little consent requests to the user.
Dark Pattern #8: Bad defaults
The last example from the list is probably one of the more common Dark Patterns (fig 9). When presented, bad defaults will show the category or categories of processing information where the category has been pre-selected to opt-in by the web service provider.
Bad defaults may also be found in other cookie consent notices where web services have opted out of the consent button but have opted in for legitimate purposes (fig 10). Legitimate interest is another ground for the lawful processing of information. However, according to the Dutch Autoriteit Persoonsgegevens processing shall be considered unlawful if the data processing only serves a commercial purpose. This type of implementation may be in a grey area for compliance, but they do provide an unethical presentation to the user.
Figure 9: Bad defaults
Figure 10: Bad defaults through legitimate purposes
How to mitigate this Dark Pattern
This Dark pattern is easily remediated by using no pre-selected consent boxes. In addition, I would also strongly recommend not to use any legitimate purpose in a cookie consent notice as this will only confuse the user of the provided web service.
Conclusion and recommendations
Now all patterns have been laid out on the table it is time to discuss the relevance and applicability of the results. Now the reader is able to understand and recognize Dark Patterns in the ‘wild’, hopefully, organizations will use this knowledge to their benefit. While marketing, personal profiling, or any other commercial activity is important to enhance a provided service, the user should still be able to take ownership of their conscious decision to consent or not to consent. By mitigating this list of Dark Patterns, the user will eventually benefit from informed decision-making in a privacy context which is eventually the goal of privacy legislation in the first place.
About the author
Jelle Slotman
Jelle Slotman MSc is working at Sogeti NL as Senior Security Consultant. Jelle recently graduated with a Master of Informatics at the University of Applied Sciences Utrecht. In his day-to-day, Jelle is working as a specialist in IT governance, risk, and compliance with a specific interest in privacy legislation. For queries or other requests, Jelle can be contacted through LinkedIn.
Disclaimer
The author alone is responsible for the views expressed in this article. The views mentioned do not necessarily represent the views, decisions or policies of the ISACA NL Chapter. The views expressed herein can in no way be taken to reflect the official opinion of the board of ISACA NL Chapter.
All reasonable precautions have been taken by the authors to verify the information contained in this publication. However, the published material is being distributed without warranty of any kind, either expressed or implied. The responsibility for the interpretation and use of the material lies with the reader. In no event shall the authors or the board of ISACA NL Chapter be liable for damages arising from its use.
