UI/UX Atlas

Dark & Deceptive Patterns: Taxonomy & Regulation

Designers who ignore manipulative UI patterns are one regulatory fine — or one viral exposé — away from destroying the trust their product took years to build.


Deceptive patterns — historically called “dark patterns” — are interface choices engineered to trick users into actions they would not freely choose if they had full information. They range from a barely-visible pre-ticked consent checkbox to a deliberately maze-like cancellation flow.

Understanding these patterns is no longer optional. The EU’s Digital Services Act, the US FTC’s rulemaking, and a wave of state-level consumer-protection laws have made deceptive design a legal liability, not just an ethical concern.

This lesson maps the full taxonomy, draws the line between ethical persuasion and manipulation, and gives you tools to recognize, audit, and push back against these patterns inside your own organization. The goal is not to ban conversion optimization — that is legitimate work. The goal is precision: every nudge must survive three questions. Does it help the user? Does it preserve their ability to choose freely? Would it hold up if a regulator examined the A/B test logs?

A Working Taxonomy

No single taxonomy has become the official standard, but the field has settled on a shared vocabulary. The categories below pull from Harry Brignull’s original research (deceptive.design), the FTC’s 2022 report, and EU regulatory guidance from 2023.

Asymmetric Friction

The product makes desired actions easy and undesired actions deliberately hard.

The classic form is the roach motel: sign up in one click, but cancel only after navigating to a buried settings page, surviving a “pause your subscription” interstitial, waiting through a mandatory phone call, and then receiving a retention offer before a final confirmation button appears. Amazon Prime’s pre-2023 cancellation flow is the most-litigated example in regulatory history — the FTC sued Amazon in 2023 specifically over this pattern.

Variants:

  • Confirm-shaming: labeling the opt-out with guilt-inducing copy (“No thanks, I prefer paying full price”)
  • Forced continuity: charging a card without clear disclosure when a free trial ends, often burying the conversion date in fine-print email
  • Hidden unsubscribe: placing the unsubscribe link below the fold or in light-gray text on a white background

Misdirection and False Urgency

These patterns exploit cognitive shortcuts — scarcity, social proof, authority — by fabricating the signal.

An “Only 2 left!” counter that resets every time you reload the page is not scarcity messaging. It is a lie. A “73 people are viewing this right now” notification that is a static string in the HTML is not social proof. It is fraud.

Variants:

  • Countdown timers that restart on page reload or after clearing cookies
  • Fake “sold out” or low-inventory indicators on always-available digital goods
  • Manufactured social proof (“bestseller” badges applied to every product in a category)
  • False urgency in email subject lines (“Your cart is about to expire in 2 hours”) when no real expiry exists
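The reset-on-reload timer above is easiest to see in code. The following is an added example, not part of the lesson: it puts the deceptive form (deadline derived from the moment the page renders) next to an honest one (deadline fixed once when the offer is created and enforced again at checkout). The in-memory "server" object, the offer id and the 2-hour window are constructed assumptions; times are passed in explicitly so the behaviour can be checked offline.

```javascript
// Added example (not from the lesson): a countdown that restarts on every
// page load versus one anchored to a real, server-held deadline.
// The offer object, its id and the 2-hour window are constructed assumptions.

const OFFER_WINDOW_MS = 2 * 60 * 60 * 1000; // constructed: a "2 hour" offer

// Deceptive form: the deadline is computed from the moment the page renders,
// so reloading the page (or clearing cookies) silently grants a fresh 2 hours.
function deceptiveDeadline(pageLoadMs) {
  return pageLoadMs + OFFER_WINDOW_MS;
}

// Honest form: the deadline is fixed once, stored with the offer on the
// server side, and the same value is returned to every page load.
function createOffer(createdMs) {
  return { id: 'offer-1', deadlineMs: createdMs + OFFER_WINDOW_MS };
}

// What the client displays: time left against the stored deadline, never negative.
function remainingMs(offer, nowMs) {
  return Math.max(0, offer.deadlineMs - nowMs);
}

// Server-side check at checkout: the advertised price is only honoured while
// the stored deadline has not passed. Without this check the timer is theatre
// even if it counts down correctly.
function offerIsValid(offer, nowMs) {
  return nowMs < offer.deadlineMs;
}

// Constructed scenario: first visit at t0, a reload 90 minutes later, and a
// checkout attempt 3 hours after the first visit.
function scenario() {
  const t0 = 1700000000000;                   // constructed epoch milliseconds
  const reload = t0 + 90 * 60 * 1000;
  const checkout = t0 + 3 * 60 * 60 * 1000;
  const offer = createOffer(t0);
  return {
    // true: the deceptive clock restarted on reload
    deceptiveResets: deceptiveDeadline(reload) > deceptiveDeadline(t0),
    // 30 minutes of the honest window remain at the reload
    honestRemainingAtReload: remainingMs(offer, reload),
    // false: the honest offer has expired by checkout and is refused
    honestValidAtCheckout: offerIsValid(offer, checkout),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scenario());
}
```

The property an auditor looks for is the last one: the same deadline that the timer shows is the one the checkout path enforces. A timer whose expiry changes nothing server-side is false urgency regardless of how it is rendered.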

Hidden Costs and Information Hiding

The true price or scope of commitment is withheld until late in the checkout flow. By that point the user has already spent time and entered personal data, so revealing the real price at the last step exploits sunk-cost psychology — they are more likely to proceed anyway.

Variants:

  • Drip pricing: a base price shown in search results, with service fees, resort fees, and processing fees revealed one by one
  • Bait and switch: advertising one offer, then substituting a worse one at the confirmation step
  • Privacy zuckering: designing privacy settings to be confusing enough that users share more data than they intend

Interface Interference

Deliberate visual or interaction design choices that steer attention toward the preferred option while suppressing the alternative.

Variants:

  • Trick questions: ambiguous double-negatives in consent checkboxes (“Uncheck this box if you do not wish to receive offers from our partners”)
  • Disguised ads: paid search results styled to be visually indistinguishable from organic results
  • Toying with emotions: progress bars that jump backward, or designs that suggest data loss is imminent if you navigate away

Nagging and Obstruction

Repeated, persistent requests for an action the user has already declined — combined with removing or degrading functionality for users who do not comply.

Variants:

  • Permission nagging: re-requesting notification or location permissions immediately after a denial (now blocked by iOS and Android OS-level controls)
  • Cookie wall: blocking content access unless a user accepts tracking, with no genuine opt-out (ruled illegal under GDPR in multiple national court rulings)
  • Feature gating as coercion: quietly degrading the core product to push users toward a paid upgrade without disclosing the degradation upfront

The Ethics Line: Persuasion vs. Manipulation

Ethical persuasion and deceptive manipulation share many surface-level mechanisms. Both use visual hierarchy, copy framing, and friction reduction. The difference shows up across four dimensions.

Dimension            | Ethical nudge                              | Deceptive pattern
Information symmetry | Accurate, complete information provided    | Information withheld, distorted, or fabricated
User benefit         | The user is genuinely better off           | The company gains at the user’s expense
Autonomy             | The alternative is equally accessible      | The alternative is hidden, shamed, or obstructed
Reversibility        | The action can be undone without penalty   | Reversal is deliberately costly or hidden

Run every conversion optimization through this table before shipping. A prominent CTA button is ethical persuasion. A CTA that says “Yes, start my free trial!” next to a dismiss link labeled “No thanks, I hate saving money” fails the autonomy test.

Do

Make cancellation as easy as sign-up: same number of steps, same channel, same response time. Show all fees before the final confirmation step, not after. Use plain, symmetric language for consent options (“Yes” / “No” rather than “Yes” / “No thanks, I don’t care about my privacy”). Test your exit flows with the same rigor as your onboarding flows.

Don't

Pre-check marketing consent boxes and rely on users not noticing. Use countdown timers that are not tied to real inventory or deadline constraints. Bury the unsubscribe or account-deletion path behind support tickets or phone calls. Label the opt-out with copy designed to produce shame or regret. Design “cookie accept” buttons at high contrast while rendering “manage preferences” at low contrast on a background that fails WCAG 2.2 AA (4.5:1 minimum).

Regulatory Landscape (2024–2026)

The legal risk is no longer theoretical. Enforcement has accelerated dramatically since 2022.

European Union

The Digital Services Act (DSA) — fully in force since February 2024 — explicitly prohibits dark patterns for all platforms operating in the EU. Article 25 bans interface designs that “deceive or manipulate users” or “distort or impair the ability of recipients to make free and informed decisions.” Very Large Online Platforms (VLOPs, defined as those with over 45 million monthly EU users) face annual audits and fines of up to 6% of global annual revenue.

The Unfair Commercial Practices Directive (UCPD) guidance, updated in 2022, lists specific dark patterns as unfair commercial practices: drip pricing, fake reviews, disguised advertising, and false urgency claims.

United States

The FTC has pursued deceptive patterns under Section 5 of the FTC Act, which prohibits unfair or deceptive acts, and under the Restore Online Shoppers’ Confidence Act (ROSCA). ROSCA requires clear disclosure and a simple cancellation path for negative-option subscriptions — subscriptions that auto-renew unless the user actively cancels. Enforcement actions from 2022 to 2025 include Amazon ($25M settlement, 2023), Match Group, and several subscription box services.

The California Consumer Privacy Act (CCPA/CPRA) now explicitly prohibits “dark patterns” that have “the purpose or substantial effect of subverting or impairing user choice” in privacy settings. The California Privacy Protection Agency (CPPA) has issued guidance listing specific prohibited patterns, including asymmetric button prominence for consent choices.

United Kingdom

The Competition and Markets Authority (CMA) published its Online Choice Architecture guidance in 2022. It identifies specific patterns that may breach consumer-protection law. Under the Digital Markets, Competition and Consumers Act 2024, the CMA can now impose fines directly without going to court.

Auditing Your Own Product

Regulatory compliance starts with a systematic internal audit. Use this five-step process.

  1. Map the critical user journeys. Focus on sign-up, subscription conversion, free-trial end, cancellation, data-sharing consent, and account deletion. These are the flows most commonly implicated in enforcement actions.

  2. Walk each journey as a task analysis. Count clicks, measure time, and document every piece of copy. At each step, ask: Is all relevant information present? Are the options symmetric? Is the recommended option recommended because it helps the user, or because it helps the metric?

  3. Test with representative users. Give participants a task — “Cancel your subscription” — without navigation assistance. Measure task-completion rate and time on task. If the cancellation success rate is materially lower than the sign-up success rate, you have an asymmetric-friction problem.

  4. Run a visual design check. For every CTA pair (accept/decline, subscribe/skip, share/don’t share), measure the contrast ratios of both options independently. Confirm button sizing is equivalent. Check that dismissal controls meet WCAG 2.2 SC 2.5.8 minimum target size (24 x 24 CSS px, with adequate surrounding space).

  5. Review copy for asymmetry. Confirm-shaming almost always shows up in a copy review. If the negative option carries emotional weight that the positive option does not, rewrite it. Parallel structure — “Accept” / “Decline” — is the correct default.
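Steps 4 and 5 can be partly automated. The helper below is an added example, not code from the lesson: it implements the WCAG 2.x relative-luminance and contrast-ratio formulas, checks each option of a CTA pair against the 4.5:1 AA threshold and the 24 x 24 CSS px target size from SC 2.5.8, and then checks the pair for symmetry. The 25% size tolerance and the label-length proxy for confirm-shaming are assumptions of this example, as is the sample consent dialog it audits.

```javascript
// Added example (not from the lesson): an audit helper for a single
// accept/decline CTA pair. WCAG thresholds are real; the size tolerance,
// the label-length heuristic and the sample pair are assumptions.

const MIN_CONTRAST = 4.5;    // WCAG 2.2 AA, normal-size text
const MIN_TARGET_PX = 24;    // WCAG 2.2 SC 2.5.8 minimum target size
const SIZE_TOLERANCE = 0.25; // assumed: areas within 25% count as equivalent

// sRGB channel (0-255) -> linear value, per the WCAG relative-luminance definition
function linearChannel(c) {
  const s = c / 255;
  return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
}

function hexToRgb(hex) {
  const h = hex.replace(/^#/, '');
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error(`bad colour: ${hex}`);
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// WCAG relative luminance: L = 0.2126 R + 0.7152 G + 0.0722 B
function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map(linearChannel);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// WCAG contrast ratio: (L1 + 0.05) / (L2 + 0.05), lighter over darker
function contrastRatio(fgHex, bgHex) {
  const l1 = relativeLuminance(fgHex);
  const l2 = relativeLuminance(bgHex);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// Audit one pair. Returns a list of findings; an empty list means every
// check in this helper passed.
function auditCtaPair(pair) {
  const findings = [];
  for (const role of ['accept', 'decline']) {
    const opt = pair[role];
    const ratio = contrastRatio(opt.fg, opt.bg);
    if (ratio < MIN_CONTRAST) {
      findings.push(`${role}: contrast ${ratio.toFixed(2)}:1 below ${MIN_CONTRAST}:1`);
    }
    if (opt.width < MIN_TARGET_PX || opt.height < MIN_TARGET_PX) {
      findings.push(`${role}: target ${opt.width}x${opt.height} below ${MIN_TARGET_PX}x${MIN_TARGET_PX} CSS px`);
    }
  }
  // Symmetry checks (step 4 sizing, step 5 copy). A decline label more than
  // twice as long as the accept label is a crude, assumed proxy for copy that
  // carries extra emotional weight; it flags candidates for a human review.
  const a = pair.accept, d = pair.decline;
  const areaA = a.width * a.height, areaD = d.width * d.height;
  if (Math.abs(areaA - areaD) / Math.max(areaA, areaD) > SIZE_TOLERANCE) {
    findings.push(`asymmetric sizing: accept ${areaA} px^2 vs decline ${areaD} px^2`);
  }
  const words = (s) => s.trim().split(/\s+/).length;
  if (words(d.label) > 2 * words(a.label)) {
    findings.push(`asymmetric copy: "${a.label}" vs "${d.label}" (possible confirm-shaming)`);
  }
  return findings;
}

// Constructed sample: the kind of consent dialog the Don't list warns against.
const SAMPLE_PAIR = {
  accept:  { label: 'Accept all', fg: '#FFFFFF', bg: '#0B5394', width: 160, height: 44 },
  decline: { label: 'No thanks, I do not care about my privacy',
             fg: '#BBBBBB', bg: '#FFFFFF', width: 120, height: 20 },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditCtaPair(SAMPLE_PAIR)) console.log('FINDING:', f);
}
```

Run against the sample pair, the helper reports the low-contrast decline link, its undersized target, the size asymmetry, and the shaming copy; a pair with identical sizing, mirrored colours and parallel labels ("Accept" / "Decline") produces no findings. In a real audit the pair descriptors would be pulled from the rendered DOM (computed styles and bounding boxes) rather than typed by hand.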

Building Organizational Resistance

Individual designers spotting a dark pattern is not enough. Commercial pressure to ship patterns that move metrics creates a predictable organizational dynamic: the pattern gets rationalized (“it is just a default”), then tested (“users did not complain in the survey”), and eventually entrenched. Prevention requires structural changes.

Design review checklists. Add an explicit deceptive-patterns check to your design review process, using the taxonomy above as the reference. Require sign-off from a senior designer or design ethics lead on any flow that involves conversion, consent, or cancellation.

Friction budget framing. Reframe conversations about “reducing friction” to be specific about whose friction. Reducing friction for the user — faster checkout, fewer steps — is good. Reducing friction for the business by adding it to the user — harder cancellation — is a dark pattern. This vocabulary shift makes the trade-off explicit.

Instrumentation honesty. Measure cancellation success rate, not just cancellation attempt rate. Report both in product reviews. If the gap is large, name it clearly: “Our cancellation funnel has a 34% abandonment rate, which is a deceptive-friction risk.”

Legal and compliance involvement. Bring legal into design reviews for consent and subscription flows. Regulators look for evidence of good-faith compliance efforts; documented design reviews with legal present are that evidence.

The Outdated Habit vs. Modern Practice

The engagement-maximizing, attention-economy design philosophy of the 2010s produced most of the patterns now being regulated. The model was: maximize time-on-site, daily active users, and notification click-through rate as proxy metrics for value. Deceptive patterns were the inevitable downstream result — they moved those metrics reliably.

Modern practice replaces that model with outcome-tied metrics (task success, Customer Effort Score, retention), ethical nudges tested for user benefit and information symmetry, and legal design reviews on all persuasive flows. The regulatory environment has simply made the cost of the old model visible and quantified.

The specific habits to retire:

  • Pre-checked consent boxes (non-compliant under GDPR; targeted by CPRA)
  • Fake scarcity timers and manufactured social proof
  • Roach-motel cancellation (FTC enforcement, DSA Article 25)
  • Asymmetric button contrast on consent choices (CPPA guidance)
  • Notification permission nagging after denial (now partially enforced at OS level)