Privacy Zuckering – Dark Patterns #1

March 30, 2021

by Ito Onojeghuo | LLM, FIP

Top 5 Dark Patterns

Dark patterns are schemes used by websites and apps to manipulate users into giving up information or signing up for something they did not intend. In this article, we will identify some dark patterns and discuss why it is necessary to avoid them.

#1 Privacy Zuckering

Privacy Zuckering takes the #1 place in our list of dark patterns. Users are tricked into publicly sharing more information about themselves than they intended.

Have you ever been zuckered?

This dark pattern was named after Facebook CEO Mark Zuckerberg and refers to Facebook’s early privacy settings, which were generally difficult for users to find and, as a result, made it easy for users to ‘overshare’ information, including profile photos, telephone numbers and more. Complex and often obscure Terms and Conditions and Privacy Policies are another common method of getting users ‘zuckered’ into giving away their information to different data brokerage industries through a third party.

The practice of ‘zuckering’ is an infringement of the GDPR ‘Transparency’ Principle.

#2 Bad default

A Bad Default is a default setting that eases or encourages the sharing of personal information.

Default settings that, unless changed by the user, allow easy collection of more information than required are classified as a ‘bad default’. Do you use a device that is automatically set to record all your meetings, monitor your activities or even monitor your colleagues? Default settings and processing that ease the collection of information, where not deemed necessary, are unlawful and are specifically prohibited under the GDPR – Article 25, Privacy by Design and Default.

Data Protection by Default requires adopting a ‘privacy-first’ approach with any default settings of systems and applications as well as providing individuals with sufficient controls and options to exercise their rights.

#3 Address Book Leeching (Friend Spam)

This pattern urges users to share their contacts to access a site function, or the product asks for email or social media permissions under the pretence that they will be used for a desirable outcome (e.g. finding friends), but then spams all your contacts with a message that claims to be from you.

Such unauthorised purposes are unlawful under the GDPR and specifically an infringement of the Principles of ‘Transparency’ and ‘Purpose Limitation’.

A class action was filed against LinkedIn for this form of dark pattern. The 2015 payout in the spam settlement was $13 million.

#4 Immortal accounts (Forced Continuity)

Preventing or complicating a user’s decision to delete an account. This pattern makes it very easy for users to get into a certain situation but then makes it hard for them to get out of it.

For example:

  • When a service is easy to subscribe to or purchase, but the company makes it difficult or impossible for the user to close their account or delete a profile.
  • When a free trial with a service comes to an end and the customer’s credit card starts getting charged without any warning. In some cases this is made even worse by making it difficult to cancel the membership.

#5 Forced registrations

Forcing individuals to register for an account to use a service when it is not technically necessary.

Why Avoid Dark Patterns?

Using these dark patterns is not encouraged. Too often, clients become disillusioned by the entrapping nature of company websites or apps that incorporate dark patterns. Dark patterns erode trust and, very importantly, in most cases would be in breach of the principles of Data Protection.

Technologists and designers should understand and avoid these patterns, and instead implement strategies that allow users to be better informed and have greater control over their information.

(See for more examples of dark patterns)