Privacy Laws, Dark Patterns, and the FTC: Will Cyber Insurance Respond?

July 23, 2024

New York, N.Y. (July 23, 2024) - In the United States, cyber insurance underwriters have historically been concerned with assessing first-party exposure when a policyholder sustains a data security incident requiring crisis management, remediation, and computer system restoration; or assessing third-party exposure via data breaches or regulatory defenses and fines resulting from financial or health services sectoral privacy regulations. However, the very recent passing of numerous state general privacy laws, as well as the FTC’s continued dedication toward exercising its Section 5 powers against “unfair or deceptive acts or practices,” may be broadening the scope of exposure to cyber insurance underwriters and forcing them to reconsider future cyber insurance coverage and exclusions. The FTC in particular has recently focused on one particular subcategory of privacy violation: “dark patterns.”

The FTC defines dark patterns as online “design practices that trick or manipulate users into making decisions they would not otherwise have made and that may cause harm.” While dark patterns are generally created by the active design choices of a company, particularly an e-commerce company, these companies are increasingly turning to cyber insurance to cover not only cybersecurity claims, but also privacy claims, including regulatory charges of dark pattern violations. At least eight states’ privacy laws address dark patterns, including laws in California (CPRA), Virginia (VCDPA), Colorado (CPA), and Connecticut (CTDPA), and this number is expected to increase as many additional states propose their own subtle flavor of privacy laws. 

Four Common Examples of Dark Patterns

Dark patterns are designed to trick or manipulate consumers into making choices that they otherwise would not have made. They can take many different forms, but four common examples are: (i) hidden costs or “drip pricing;” (ii) interfaces that hide important information such as service cancellation options; (iii) pre-selected options or coerced action; and (iv) “confirm-shaming.”

Hidden Costs or Drip Pricing.

Most consumers are familiar with hidden costs in one form or another. They are an intentional design choice and typically manifest themselves immediately before a final checkout on an e-commerce site. Upon reaching a checkout page, additional costs such as convenience fees, service charges, or automatic renewal policies are suddenly revealed, essentially changing the terms of the agreement at the last moment. This tactic relies on the user's reluctance to abandon the purchase after investing time in the selection and checkout process.

Hiding Interfaces.

Another common dark pattern exists when a company intentionally hides material information. The FTC labels this dark pattern type as “Obstruction” and it includes the creation of roadblocks against the cancellation of subscriptions or accounts. One example of this is allowing a customer to create an account or begin a subscription through an on-line portal, but requiring that the customer cancel via written letter or telephone call. This type of obstruction may become more egregious if a company’s contact information is hidden, or the company understaffs its call center, requiring significant time and effort to achieve an otherwise simple task.

Pre-Selected Options/Coerced Actions.

Companies sometimes design websites or checkout pages with pre-selected checkboxes that automatically enroll the consumer in services or subscriptions the consumer did not explicitly choose. This is also known as forcing a user to “opt out” rather than asking the user to “opt in” by requiring that they actively check a box to receive a further service. For example, during the sign-up process for an online service, a checkbox for receiving promotional emails or enrolling in a paid subscription might be pre-checked by default. Consumers who do not notice these checkboxes may inadvertently consent to these additional services, leading to unwanted emails, charges, or sharing of personal data.

Confirm-Shaming.

For our fourth dark pattern example, confirm-shaming is a tactic used to guilt or shame users into making a particular choice. For example, when a user attempts to decline a newsletter subscription or a promotional offer, the decline button might be labeled with a guilt-inducing phrase like "No, I don't want to save money" or "No, I prefer to pay full price." This technique aims to pressure customers into accepting offers or services they might otherwise reject by making them feel bad about their decision. The FTC labels this as a “Coerced Action.” A few other examples of coerced actions are where companies trick consumers into unauthorized transactions, auto-play unwanted or inappropriate videos, or nag a user with repeated requests. These are just a few illustrative examples of the types of conduct the FTC will analyze in their enforcement actions to stop companies from using dark patterns.

FTC Enforcement of Dark Patterns.

In 2022, the FTC authored a 48-page report entitled “Bringing Dark Patterns to Light,” which provided a general overview of the concept of dark patterns, and specific examples of how some companies use them to deceive and trick their customers.

In June 2023, the FTC brought an enforcement action against Amazon.com, Inc., alleging one violation of the FTC Act and four violations of the Restore Online Shoppers’ Confidence Act (ROSCA). The FTC alleged that the company manipulated customers into enrolling in its Amazon Prime subscription service, and made it difficult for customers to later cancel the subscription. The complaint alleged that Amazon “knowingly duped millions of consumers into unknowingly enrolling in its Amazon Prime Service” through “manipulative, coercive, or deceptive user-designs known as ‘dark patterns’ to trick customers into enrolling in automatically-renewing Prime subscriptions.” The complaint also alleged that “[f]or years, Amazon also knowingly complicated the cancellation process for Prime subscribers who sought to end their membership.” Amazon named the cancellation process “Iliad,” likening it to the “long, arduous Trojan War,” and allegedly designed it to be an elaborate process, changes to which were allegedly resisted by Amazon leadership.

In early 2024, Amazon filed a motion to dismiss the complaint, arguing that it was not in violation of the FTC Act or ROSCA. Amazon argued that it “clearly and conspicuously disclosed all material terms because the placement and font of the material terms were like disclosures in California Automatic Renewal Law (ARL) cases in which other courts determined that the disclosures were clear and conspicuous.” Amazon also argued that users were required to click a button to enroll in Prime and, furthermore, that “the cancellation process was simple because a reasonable user could navigate the cancellation process.”

On May 28, 2024, United States District Judge John H. Chun of the Western District of Washington at Seattle denied Amazon’s motion, allowing the enforcement action to continue. Judge Chun held that Amazon’s disclosures and cancellation policies could be misinterpreted by the average consumer. Judge Chun’s decision spans 49 pages, and he provides extensive factual details of the Amazon Prime signup and cancellation processes, as alleged by the FTC, as well as the alleged violations of the FTC Act and ROSCA. In denying Amazon’s motion, Judge Chun examined factual details such as context, “reasonable consumer,” “cancellation flow,” the timing of the collection of information, “size, color, and location of text,” and visual aspects of disclosures, and terms such as “clear and conspicuous.”

The FTC telegraphed its intentions and is now pursuing a significant test case against Amazon. As is often the case, the general discussion regarding privacy enforcement actions focuses on the alleged offending party and potential fines and penalties; however, if a cyber insurance policy is involved, a potential statutory penalty may be transferred behind the scenes to one or more underwriting insurance carriers. Some comprehensive cyber policies include coverage for attorneys’ fees and costs, as well as the payment of regulatory fines and penalties (sometimes known as “regulatory defense and penalties coverage”). These types of privacy enforcement risks may not have been fully comprehended or appreciated upon the binding of the policy, but could now be a significant risk event since the passing of numerous state privacy laws and the FTC’s recent commitment to prohibiting dark patterns. Policyholders should carefully review and understand the terms of their policies.

Practical Takeaways

  • Companies should carefully review current cyber insurance policies for privacy enforcement coverage and consult with their insurance providers to understand the scope of coverage.

  • Companies, where practical, should also implement privacy policies and audit compliance, and avoid engaging in deceptive behaviors like dark patterns, as relying on cyber insurance to cover the potential consequences of such violations is not a sound risk management strategy.

  • Cybersecurity carriers may re-evaluate this area as a potential expansion of risk and may react by drafting exclusions for the defense against privacy enforcement actions, including attempts to enjoin dark patterns.

  • Cyber policyholders should consider the possibility of a future gap in coverage as a part of their general risk assessment.

Of note, the United States is not the only jurisdiction pressing forward on the prohibition of dark patterns. The concern for consumers is near global, with the European Union’s General Data Protection Regulation, the EU Digital Services Act, EU Data Act, and EU AI Act all addressing and prohibiting the use of dark patterns in their respective purviews. The South Korean E-Commerce Act and Japan’s Specified Commercial Transaction Law are two additional examples of efforts to rein in deceptive designs or practices that trick customers into doing something they would not ordinarily do.

For more information, contact the authors of this alert. Visit our Data Privacy & Cybersecurity Practice page to learn more about our capabilities in this area.

Authors:

Joshua R. Hecker, Partner

Kamran Salour, Partner and Co-Chair of Data Privacy & Cybersecurity Practice