I'm probably navigating in a very goal-directed way, with various efficiency tricks, juggling tabs and windows and thoughts.
As soon as I see the "Accept Cookies" and "Manage Preferences" button pair, I assume one will let me see the page, and the other make me go through a pile of disingenuous, punitive nonsense.
* "The [French] CNIL's guidance reflects the position of the European Data Protection Board (EDPB) and the Court of Justice of the European Union (CJEU)." [1]
* "although the CNIL’s decisions are only binding in France, these decisions should worry any website operators who have adopted similar cookie banner mechanisms to Facebook and Google in other European countries." [2]
Funny, as I scrolled down reading, a pop-up window appeared that obscured the content, advertising a "FREE Trial!". This has almost the same impact for me as a cookie banner --- something that diverts attention. They have a big red button to press versus a smaller X to kill.
The tiny/invisible close control is a plague. Often it's designed to look unlike common "click here to close" convention, making it especially difficult to find.
Now that you mention it, I vaguely remember something like a pop-up window pop up, but I so automatically closed it I didn't even remember there was one!
Still says "Free trial" and "Hide this message" in different-coloured buttons.
Is this in jest ("_ironic_")? If so, I at least am so used to such dark patterns that it did not register as a joke.
If it's meant as a joke, then OK, I can chuckle. But while I'm curious to see what happens, I'm not pressing no buttons, no sir, joke or no joke. I'm jaded like that.
This is not a consent box. Neither choice creates cookies. Nor does it force you to surrender data.
I recognized that using a smaller X close cross button was not fair and could lead, especially on mobile, to undesirable action. Now, the button is equally sized, and this should prevent accidental presses for those not interested.
When I am king of the world all cookie banners will have standardized language:
"This site uses cookies if you are logged on. But even if you aren't logged on, we share your browsing details with 6 other companies from around the world. And they sell your details onto other companies and possibly governments. We don't know. But we get $0.0003 for it, so we really want you to say yes to the following question.
When I'm king (that's right, I'm planning a coup!) I will make the browser manufacturers handle this with a standard dialog the site owners can only customize in limited ways. Users will be able to express general preferences and they will be respected (i.e. I can choose to opt in or out of marketing-related cookies in my browser settings, rather than on a per-site basis).
> This site uses cookies if you are logged on. But even if you aren't logged on, we share your browsing details with 6 other companies from around the world.
That's one of the things the GDPR was created for. If your data is being shared, you must be informed of with whom it is being shared, and for what purpose.
And if the only reason the data is being shared is so that you can earn $0.00003 for it, rather than being necessary in order for you to provide the service, then you probably need consent anyway. And at the minimum, you must offer users the option to object to that processing.
The emotional steering pattern always gives me a chuckle...
Choose between:
->Yes, send me the newsletter informing me of your latest charitable initiatives.
->No, I don't care about starving children.
Almost all cookie prompts use at least one of these dark patterns on the websites I visit. Interestingly, Hacker News doesn't prompt for cookies at all.
> Unconscionability (sometimes known as unconscionable dealing/conduct in Australia) is a doctrine in contract law that describes terms that are so extremely unjust, or overwhelmingly one-sided in favor of the party who has the superior bargaining power, that they are contrary to good conscience. Typically, an unconscionable contract is held to be unenforceable because no reasonable or informed person would otherwise agree to it. The perpetrator of the conduct is not allowed to benefit, because the consideration offered is lacking, or is so obviously inadequate, that to enforce the contract would be unfair to the party seeking to escape the contract.
> A statute of frauds is a form of statute requiring that certain kinds of contracts be memorialized in writing, signed by the party against whom they are to be enforced, with sufficient content to evidence the contract. [1][2] […]
> Raising the defense: A defendant in a contract case who wants to use the statute of frauds as a defense must raise it as an affirmative defense in a timely manner. [7] The burden of proving that a written contract exists comes into play only when a statute of frauds defense is raised by the defendant.
> Uniform Commercial Code: In addition to general statutes of frauds, under Article 2 of the Uniform Commercial Code (UCC), every state except Louisiana has adopted an additional statute of frauds that relates to the sale of goods. Pursuant to the UCC, contracts for the sale of goods where the price equals $500 or more fall under the statute of frauds, with the exceptions for professional merchants performing their normal business transactions, and for any custom-made items designed for one specific buyer. [42]
IIUC, that means that if the USD amount of a contract for future performance is over $500 the court would regard a statute of frauds argument as just cause for dismissal? Or just goods?
> Note: This suggestion comes from EDPB guidance, but there wasn’t a unanimous agreement among the regulators. Some data protection authorities believe that the “Reject” button can appear on the second layer of the banner, behind the “Manage Preferences” button.
One nice thing about the cookie consent rules is that they're familiar enough that the UX dark pattern dark arts are more obvious.
"Why is it so hard to find where to cancel my subscription?" is more ambiguous than "Sigh, another 'accept, or go to the preferences department' dialog; what a dumb/jerky site."
11. "Be a real shame if someone scrambled that nice ordered playlist of yours." (cracks knuckles menacingly) - Google
Having an unchecked random button, then randomly skipping about in a playlist anyway, unless you are a YouTube Premium user, is super dark pattern. Google pulling more and more user hostile shit like this is a gift to their competitors.
I've de-googled most of my life except for YouTube, and sadly, YouTube Music. I'm still grandfathered in on the old Play Music + Premium deal for $9/mo or some shit. Too good of a deal to ever cancel, but man it sure does seem like Google is going out of their way to annoy the shit out of me until I do. Whether it's the dog crap tier STB/Mobile app, or the website, with almost scalpel like efficiency they manage to push me close to snapping every week.
The new pastime, some moron decided either that they should store the choice for "Auto-play on hover" locally, or purposefully write crappy server-side code so the choice just so happens to randomly go back to the default "On" setting. I mean, my god, YouTube can keep track of over 500 channels I subscribe to, all of my stupid large playlists, but can't remember to keep a single boolean value about me? Oh gee whiz we turned auto play back on shucks where did I put your preferences? Can't find em here's a totally unrelated video haha!
So annoying. So many great products end up eaten alive by bean counters and product managers trying to "improve" things.
Just curious, what advantage does YouTube Music have over just playing songs & full albums in YouTube, other than the warm glow of being on the right side of copyright laws?
One not listed that is a mix of "5. No ‘Reject’ Button" and "10. Deceptive Button Contrast" is a big "Accept" button at the bottom, well in sight, and a decline/refuse grey link at the top that you notice if you look somewhat hard.
This post is a list of things to avoid doing, but it could benefit from an example of acceptable examples. It's funny how the language around this kind of thing has grown more convoluted since 'whitelist' and 'blacklist' have been removed from the language, so instead we have 'dark pattern' which, on similar grounds, could inspire another call for language censorship.
Fundamentally, it's just easier to check patterns against an allowed list than against a banned list, because if the pattern is in the acceptable set, you're done, but just because it's not found in the unacceptable set, doesn't mean it's not deceptive.
Very well written, I'm glad to see this topic getting attention. We're about to publish a similar work relating to dark patterns in the way companies respond to data protection requests (data deletion, access etc.): https://consciousdigital.org/wp-content/uploads/2023/04/dark...
Until all web browsers present identical fingerprints and reveal no identifying data about the user, tracking will take place, whether laws mandate consent or not.
Opt-in, opt-out, none of it matters as long as we're browsing the internet with our unique identities on full display to every site we visit. Thinking that the solution is to ask companies nicely to please not use that information is delusional.
Tracking cookie regulation should have defaulted to "Users must opt in" rather than opt out. Opt out will always lead to dark patterns and manipulation like this (try to cancel most "free trials" or subscriptions!).
And why wasn't it? Because "No one would ever opt-in!" Yeah. Exactly. Leave us the fuck alone.
Let's not forget another great one: "accept or subscribe", although that one is somehow sanctioned by the EU. Subscription-based freemium services are apparently ok to ask their users to either accept tracking or pay money.
Many of the folks doing this are news services with great local political power. Coincidence?
The pattern I see most often falls into #9 and #10. Not only is the 'Accept All' button made more prominent, but other design tricks make it the default selected item. Tapping space or enter on a keyboard would click it, making it possible for the user to unintentionally opt-in through a slip of a finger.
Most people don't want the choice, and in anything else, would never consent to the tracking in the first place.
If it was opt-in, who the hell would opt in? What good would it do them?
If there was an annoying person that followed you around the mall, taking note of everything you bought so they could sell that list to the other stores in the mall for a profit, would you let them? What if every time you went into a new store, another, differently dressed person wouldn't let you into the store until you answered some goddamn riddle about whether you want to consent to them following you around? Who would shop at that mall?
I think the GDPR was a step in the right direction, but it should have more heavily regulated respecting the DNT cookie. Let me opt-out, permanently, everywhere unless I decide not to.
> If there was an annoying person that followed you around the mall, taking note of everything you bought so they could sell that list to the other stores in the mall for a profit, would you let them?
I use a credit card instead of cash, so I guess I have to answer yes to this one.
A "nice" thing about these banners is that 80% of the websites I visit use one of the 2-3 big providers of cookie banners, so once you’re used to them you can quickly reject all cookies in 2 seconds thanks to muscle memory.
Whatever the reason may be, and even in the best of cases without dark patterns, the fact that every freakin' site requires a click (positive consent) is simply idiotic.
At least, people asked to implement them will be able to point at this page and say "No, we should not, because it is a well-known dark pattern and doing this would make us look bad which is not good for the business, and that's also not GDPR-friendly and conforming to the GDPR is the whole reason why we are implementing this consent banner in the first place so it makes no sense doing it. If we are doing it, we might as well not display this banner at all".
These cookie banners are so bad. Bad idea, bad regulation, bad execution. The time wasted for all humans in the world dealing with such a bad idea is out of the charts.
If I don't want to be tracked I will use an anonymous tab or configure my browser to not allow any cookies. The solution already existed. The people that care about it already knew it. The companies would come up with something better if there was a real problem, with people being worried about to the point of changing browser.
Ayn Rand was right and still is. We live in the age of envy. Hatred of the good for being the good. Useless waste of time for all human beings to hurt a few big successful companies because of tiny, envious people with the excuse to protect some helpless citizens.
Sadly, it is not so simple. There was and still is a group of people, “The people who did not know it, but would care if they did”.
> The companies would come up with something better if there was a real problem
A company, for better or worse, is usually oriented towards the benefit of shareholders, not users, customers or societies. Don't get me wrong, there are companies that are not evil. But how do we know which are?
Luckily, we have laws that prevent escalation beyond certain norms and protect those who are not shareholders.
Technology companies seem to have a chronic problem with consent. And when regulation drops in, they do everything they can to cry, complain, deceive, work-around, weasel-out, ignore, and fight against consent. If the web was a nightclub, Silicon Valley would be the creepy guy that hits on every woman with "Do you want to dance with me? [Yes] [Ask Me Again In Five Minutes]."
It's embarrassing how out of control the industry is, how toothless regulators are, and how outraged companies are when something finally forces them to simply ask users permission to do things.
While I agree with the consent issue, I think consent to use cookies isn't the problem. I already set my browser to not store cookies by default, and make exceptions for a few websites I need to log into.
For me, consent is enforced at the browser level, not the website level. So I don't really care whether I hit "accept" or "decline". Their cookies aren't going to be stored either way. In fact it's even more ridiculous and annoying that they need to store a goddamn cookie or fingerprint me to remember that I declined, which of course doesn't get stored on my end, and results in the stupid dialog box appearing every time I visit the site.
You know where I really hate tech companies and consent? Asking for phone numbers for SMS confirmations. No thanks. You don't need my phone number to do business with me. Just the other day a goddamn restaurant needed a phone number to order food in person at the restaurant via their abomination of a QR code at the table and a mobile webpage ordering system.
When you instruct your browser to accept cookies for the few websites you log into, your browser is unable to limit acceptance only to the cookies that are strictly mandatory for proper functioning.
Instead, your browser will accept any cookie, including unnecessary ones, because it can't tell the difference.
Therefore, you cannot enforce consent at the browser level.
Session cookies and user accounts are obviously not necessary for the proper functioning of discussion boards - 4chan is one of the most popular in the world. Shall we haul the Hacker News admins off to jail?
I'm not trying to be cheeky here. Who can say what the "necessary" and "proper" functioning of a given website is? You can always imagine a similar-but-different website. I think usually people are talking about ad-related stuff, but then why not regulate that in particular?
Watch out, cookie consent is more than just cookies: it's about keeping and exploiting your personal data! When you accept cookies, you accept that the provider can use and sell your data... so even if you automatically erase the cookie, it's only the tip of the iceberg.
Part of the problem is that most of their end users don't care. I'm not saying that they shouldn't care, or that there aren't people (like you and me) who care. But when your business model, for logical reasons, tries to please the most amount of people without trying to please everyone then there is a disincentive to prioritize things like privacy.
The cookie banners that came about after GDPR didn't help the culture around privacy and security. All they did was piss off the great masses of end users to the point where some browsers (ex: Brave) now have specialized pop-up blockers just to stop annoying users with something that was [ironically] put in place to safeguard the privacy and rights of the masses who didn't actually ask for that.
When I talk about privacy and security, most people tell me to my face that they prefer convenience and don't care at all, one tiny little bit, about their data or privacy.
And so now we're starting to regulate and consider "digital rights", using the strong arm of the law to force companies to care. I'm not saying that we shouldn't. I have very low trust when it comes to tech companies and online services, particularly in the field of data security and PII. I wish that companies would be held liable for data breaches. But my point is that a huge part of the problem is that there seems to be a major disconnect between what the government is trying to force companies to do (a government that is supposed to represent the will of the people) and what the actual people (customers) are telling the companies that they want.
Changing culture is a near impossible feat, but I think this is more of a cultural problem than a lack of legislation problem.
How often do you talk to people about privacy? The general feeling I have, and that I’ve gotten from other people, is that they’ve basically given up, not because they don’t really care, but because it is a totally hopeless fight.
The options are: have your privacy violated, or use some tiny boutique service that isn’t hitting any economies of scale.
These types of things need to be studied with an appropriate methodology, otherwise we're just sharing anecdotes and opinions.
I will share with you one specific anecdote. One of the people I admire most in this world, who taught me everything that I know about software engineering, who - we both suspect - might be on the high-functioning autism spectrum and has the exact personality and knowledge profile typical of someone who cares.
This person straight up told me that "convenience trumps privacy" for them. This is a concrete example of someone telling me that they don't care if companies prioritize privacy or not, they just love the convenience that modern tech offers them.
So those types of experiences make me wonder. If someone who is in the industry and has the personality type typical of someone who usually cares more than most, if THEY don't care ... what does that say about the average everyday person?
Again, it's purely anecdotal. I would love for this type of stuff to get researched properly at the academic level so that we can get answers.
EDIT: Another anecdotal example is my mother. She has told me that she doesn't value or care about data / online privacy at all. That convenience matters most. Anecdotally, the only times I hear people complain are either tech nerds or on Joe Rogan's podcast. The people I talk to about this in everyday situations tend to tell me that it's just not top of mind for them and if they had to sacrifice convenience to get more privacy they would prefer the convenience.
User indifference is not the problem behind dark patterns. Some of these UIs are clearly designed to discourage people who do care, by making non-essential cookie rejection more expensive in terms of user time (one more click, obfuscation, hiding behind a "manage settings" button, walls of legalese...). I'm pretty sure there are orders of magnitude fewer users who want to manage detailed cookie settings at a super granular level, but somehow, as a user who would rather just reject all non-essential cookies, I see a lot of "cookie settings management UI" that I have to "save", when all I could've done with is a "reject all" button. This isn't a user problem.
I've seen how these types of things play out in companies, though. I'm proud to say that I once did refuse to implement something that I thought was unethical. But I can also understand why companies would want to actively discourage users who care and it's not always a matter of being malicious.
It's [usually] a matter of:
- The users affected are in the minority
- Regulations are forcing us to do something to be compliant
- The ROI of doing it "right" is extremely low
- So what can we do to be compliant while getting that tiny minority of users to voluntarily GTFO because we genuinely don't want to have to worry about such a small niche market?
The ROI of doing it right is negative; that's an assumed cost of most regulations. But it's not negative because it's more complex to build it right - it's negative because monetization is that much lower even for that so called "tiny minority" that it will materially affect revenue.
In most cases it is much simpler to add a one-click reject-all option than to pretend there are users interested in granular choices that present long lists of toggle controls and put that behind a "Manage cookie settings" button. So the "I" of "ROI of doing it right" is lower than the "I" for doing it in a shady way.
I completely understand the companies' motives. But to the OP, I disagree that these UIs are because users don't care. It's probably because companies care a great deal more about their profit.
Which they should! That's what companies do and that's even why they exist. But let's not pretend users not caring is the problem.
What you are describing is 100% malicious. These companies are intentionally ignoring their legal obligations for their own benefit and to their users' detriment.
Obviously people making the decision are going to try to come up with a justification to make themselves feel okay about doing it, though.
This is an ecosystem problem, not a tech company problem. You see these dark pattern pop-ups on every website, including media sites, mail order, big brands, local shops... The tech companies are thinking about their bottom line, but they're also responding to their customers (advertisers, publishers, merchants).
It is embarrassing indeed. The systemic nature of the problem is a good argument for increased regulation.
You can think of every business as harnessing some sort of "natural resource" and generating value from it by transforming to something more usable and/or selling it. At its core, almost every business is:
1. Acquire resource.
2. Transform or make it into something more usable.
3. Sell it to customers.
All businesses are directly incentivized to have as wide and efficient of a pipe for sucking up the raw materials they build products out of. Fishing boats want to use the biggest nets regardless of bycatch. Mines want to level the whole mountain regardless of what lives on it. Farmers want crop growing on every square inch of the field regardless of biodiversity. You get the idea.
This is not out of any deliberate malice, it's just an emergent property of how the system works. If you have a bunch of companies making widgets out of blobstuff, the company that can get the most blobstuff the cheapest wins.
And, as purchasers of widgets, we benefit from the system and tacitly support it by participating.
For ad-driven tech companies, the natural resource they acquire is human attention. They are structurally incentivized to acquire as much as they can, as cheaply as they can, for as long as they can.
One of the "obstacles" to harvesting human attention which can be then sold to advertisers is that those pesky humans would prefer to place their attention elsewhere. Given that, tech companies are always going to be pushing the boundaries of consent. It's not a strictly zero-sum game, because sometimes humans actually do want to consume ads. But as the amount of attention being sucked up by companies increases and as people get reasonably more and more covetous of their own attention, that game gets less non-zero over time.
Having seen quite a few instances of deliberate malice I beg to differ. It is out of deliberate malice, though there may be a couple of cases where it is an emergent thing. The vast majority of these companies are aware of it, won't change their ways and have a hundred different ways to rationalize their illegal behavior.
Note that the definition says that the "desire"—the intent—is the injury or harm itself.
It's not malice if you steal someone's car because the point isn't to make them feel bad, the point is to acquire a car.
I don't consider depersonalization to imply malice either. Depersonalization can make it easier to maliciously harm someone, but seeing a user as a potential source of revenue isn't malice. The intent isn't to harm them at all, the intent is to generate revenue. The harm is incidental.
This is one of the more annoying ones for me.