Dark patterns or fraud: Obtaining customer data by deception

Recently I came across a Croatian news website, which seems to use dark patterns to avoid being GDPR compliant. Dark patterns are design tricks that companies use to make us do something we didn’t want to do while browsing products. For example, we try to close a pop up window, only for the little X that is meant to make it disappear to open a new page instead. Why do this? Well, there is almost always a purpose. In the case of the pop up window, the website most likely gets paid for advertising, and a click on an advertisement means money. So they trick the user into clicking something on the pop up window.

These practices are extremely annoying for users but can often be more sinister. So I was reading Croatian news recently and came across a website which seems to use dark pattern principles to cheat a user out of their GDPR rights. GDPR stands for General Data Protection Regulation. The regulation gives people more power over what data is collected from them and how it is used. It is mandatory across most of Europe (EU), but many companies worldwide are adopting it because it is an ethical way of treating customers’ data respectfully. Croatia is in the European Union and has to adhere to these regulations.

Typically, this means that a user, when they visit a website, will be alerted to the use of cookies and asked if they are OK with that. Often websites break it down into specific data uses (how the cookies are used for different purposes) and the user can pick the uses they agree with (e.g., agreeing to let the company use it for site improvement but not share it with others). Most companies seem to be honest and make these choices visually equal for a user, so the two choices - ‘I agree’ and ‘I don’t agree’ - are equal in terms of how they appear on the screen, and neither choice is trying to influence a decision.

 
Source: pepco.hr


Other companies use a more suggestive format, informing the user about cookies and presenting one button that says ‘I agree’. However, a user can easily dismiss the banner by clicking the X and use the site without agreeing to data collection.

 

This is certainly persuasive because it makes the ‘Accept’ button the most appealing, and in haste users will likely click that button.

 
Source: poslovni.hr


But I saw something even more suggestive.

Here a user is given a pop up with two buttons and no option to dismiss. The black button says “Agree and close” and the greyed out button says “Find out more”. The way these two buttons are designed, a user would rightfully think that their only viable option is the black button, that is, agreeing to cookies, because the other button seems inactive. Apart from that, it is almost invisible, so those who have vision problems may not even notice it.

 

But it is not inactive. You can click it and it will lead to another pop up - yet another state to persuade you to accept rather than reject their cookies.

The list on the left explains all the ways of sharing your data. Below, a summary of how this data will be shared with partners is given. They offer a list of data sharing partners (very pale font above the buttons), which they obviously don’t want you to check out because the list is very very very long. All these partners will be getting your data and your data will be used to connect your devices to what you browse, read or do online, in order to target you with specific offers.

Companies often sell your data, making a profit. Data = money.

Many companies like you to think data collection is for your own good, to improve the experience, but many companies use it for more nefarious purposes. Customer data is lucrative and there are companies that sell data packages based on some quality, such as whether you buy lots of Christmas decorations, handbags, vitamins etc. These packages are based on the data collected about you online. Data from various sites you visit is connected by your IP address and your computer ID. There are companies specializing in connecting data.

 
Source: poslovni.hr


Even on this pop up the ‘I disagree’ button is so pale you can hardly see it. And if you see it, you may think you cannot click it because it looks inactive. At least now you can dismiss this pop up without agreeing, as there is an X in the right-hand corner. No, you can’t - it leads to the previous pop up, making a loop from which there is no escape.

Source: poslovni.hr


This is likely going to frustrate the user who may, after fighting with it for a bit, admit defeat.
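One way to check a consent flow like the one described above for its three problems: a reject control that is paler than the accept control, more clicks needed to refuse than to accept, and an X that reopens the previous dialog. This is an added example, not code from the site or the original post; the screen names, the colours, the assumption that ‘I disagree’ ends in a rejected state, and the 3:1 threshold (borrowed from the WCAG non-text contrast criterion) are all assumptions.

```javascript
// Constructed model of a two-step consent flow; colours and outcomes are assumptions.
const SAMPLE_FLOW = {
  banner: [{ label: "Agree and close", color: "#000000", to: "ACCEPTED" },
           { label: "Find out more", color: "#e6e6e6", to: "details" }],
  details: [{ label: "I agree", color: "#000000", to: "ACCEPTED" },
            { label: "I disagree", color: "#e6e6e6", to: "REJECTED" },
            { label: "X", color: "#000000", to: "banner" }],
};

// WCAG 2.x relative luminance of a "#rrggbb" colour.
function luminance(hex) {
  const lin = (i) => {
    const c = parseInt(hex.slice(i, i + 2), 16) / 255;
    return c <= 0.04045 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4;
  };
  return 0.2126 * lin(1) + 0.7152 * lin(3) + 0.0722 * lin(5);
}

// WCAG contrast ratio: 1 means identical colours, 21 is black on white.
function contrast(a, b) {
  const [hi, lo] = [luminance(a), luminance(b)].sort((x, y) => y - x);
  return (hi + 0.05) / (lo + 0.05);
}

// Fewest clicks from screen `start` to outcome `goal` (breadth-first search).
function clicksTo(flow, start, goal) {
  const queue = [[start, 0]], seen = new Set([start]);
  while (queue.length) {
    const [screen, n] = queue.shift();
    for (const ctl of flow[screen] || []) {
      if (ctl.to === goal) return n + 1;
      if (!seen.has(ctl.to)) { seen.add(ctl.to); queue.push([ctl.to, n + 1]); }
    }
  }
  return Infinity;
}

// Returns one finding per asymmetry between accepting and refusing.
function auditConsent(flow, start, dialogBg) {
  const out = [];
  const [yes, no] = [clicksTo(flow, start, "ACCEPTED"), clicksTo(flow, start, "REJECTED")];
  if (no > yes) out.push(`reject takes ${no} clicks, accept takes ${yes}`);
  for (const [screen, ctls] of Object.entries(flow)) for (const c of ctls) {
    if (contrast(c.color, dialogBg) < 3) out.push(`${screen}: "${c.label}" below 3:1 contrast`);
    if (c.label === "X" && flow[c.to]) out.push(`${screen}: X opens "${c.to}" instead of closing`);
  }
  return out;
}
console.log(auditConsent(SAMPLE_FLOW, "banner", "#ffffff").join("\n"));
```

In a real audit the colours would come from the computed styles of the rendered buttons and the transitions from clicking through the dialogs.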

 

Data privacy regulations are awesome and they empower people to have more control over their data, but are they useful when companies are allowed to deceive people into giving the rights to their data, especially if this data is then sold to other companies? And is this a type of fraud? Obtaining data by deception.

Fraud definition: “Intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right”.
(Merriam-Webster)

Is this not what is happening here? In this case, users are persuaded to surrender their legal right to data privacy, while the company remains compliant with GDPR specifications. I wonder how many people fall for this technique and how outraged they would be if they found out how their data is used by predatory companies that sell and misuse our data for their gain. Even worse, people can be disadvantaged by the data collected about them. There are cases where customer data collected by the company was used against the customer in court, or led to an arrest (read about it). This is why personal data should be used with care, and companies that must abide by the GDPR laws should not be resorting to fraud techniques to get customers to part with their rights on data privacy.