A dark pattern is an umbrella term for all deceptive tricks faced by consumers, and it relies on behavioral psychology and human biases in order to make the user act against their own intent, like buying or signing up for something.^[1]

Dark patterns can be found can be found across industries,^[2] but most often in mobile interfaces. A 2022 European Commission report indicated that 97% of popular mobile apps used by EU consumers have them.^[3] And a 2019 study found approximately 1/10th out of 11,000 e-commerce websites have them.^[4]

The term dark patterns was originally defined by Harry Brignull as "design tricks that manipulate users into taking actions they didn't intend to." This wording was later rebranded to the deceptive design.^[1] The Federal Trade Commission (FTC) describes them as "design practices that trick or manipulate users into making choices they would not otherwise have made and that may cause harm."^[5] benefiting the service provider through manipulation.

Dark patterns trick users by taking advantage of unconscious thoughts. For example, in cookie banners the "Accept All" option is the first option listed and uses a green background. People tend to choose the first option before considering others. Green is associated with good in design. In cookie banners, there is also a "Manage my choices" option that typically involves opting out of each data collection category or website one at a time. It is easier for users to accept all cookies than to decline them, due to using dark patterns.^[6][7]

Research suggest that there are 60+ types of deceptive design, so below are a few examples.^[2]

These designs make desired actions (like rejecting tracking) significantly more difficult than accepting alternatives. A classic example is the Roach Motel pattern, where signing up for a service is straightforward but cancellation is excessively difficult. The FTC highlighted this pattern in their case against ABCmouse, where cancellation was made "extremely difficult" despite promising "Easy Cancellation".^[8]

This category includes designs that manipulate interface elements to steer user behavior. Misdirection focuses user attention on one element to obscure another critical detail. Disguised ads blend advertisements with genuine interface elements, like fake "Download" buttons on software websites.^[5]

These patterns require users to complete unnecessary actions to access desired functionality. Forced registration demands that users create an account to complete a task. Forced continuity involves automatically transitioning users from free trials to paid subscriptions without adequate notification. The FTC alleged that Adobe violated regulations by "tricking customers into enrolling in subscription plans without proper disclosure".^[5][9]

These practices involve concealing or obscuring material information from users, such as

• Hidden costs reveal unexpected fees only at checkout, a practice employed by ticketing platforms
• Drip pricing advertises only part of a product's total price initially and then imposes other mandatory charges later^[5]
• Checking a box by default that installs potentially-unwanted software, such as an "anti-virus" that's actually spyware or a crypto-miner

Main article: Fear of missing out

These patterns exploit social influence and time pressure to manipulate decisions. False activity messages misrepresent site activity or product popularity. False scarcity creates pressure to buy immediately by claiming limited inventory. Baseless countdown timers display fake countdown clocks that reset when expired.

This category includes any form of providing 2 or more "options" or "choices" to the user (each one with pros and cons), but only one or a few of them are reasonable and/or pragmatic. A more specific subset of this category, consists on providing extremely coarse ("all or nothing") choices. Examples:

• Cookie prompts where the only choices are "Accept all" and "Reject all". If the user clicks "Reject", they have to login everytime they switch to a different page, and none of their settings/preferences are saved. If the user clicks "Accept", they get tracked by several third-parties.
• Android doesn't consider INTERNET as a "dangerous" permission, so users can only enable or disable internet access for all apps. In contrast, GrapheneOS supports setting internet-access on a per-app basis. There's speculation that Google hasn't implemented this granularity because it would decrease their ad-revenue, as users could simply block internet for any app with ads while still having internet on the apps they care about.^[10] See also Google#Banning domain-blockers from Play Store.

Like many other types of dark patterns, there is malicious compliance at play. This happens when a company is faced with legal pressure to comply with pro-consumer regulations, but only did so in the letter of the law, not the spirit of the law. Which means in practice they still manipulate users to act according to the way that benefits the company.

In the United States, regulation occurs primarily through existing consumer protection statutes. The FTC Act empowers the Federal Trade Commission to take action against "unfair or deceptive acts or practices in or affecting commerce".^[11]

In October 2024, the FTC amended its Negative Option Rule to include specific requirements for cancellation mechanisms, implementing a "Click-to-Cancel" provision.^[12] The FTC later voted on 9 May 2025 to extend the original 14 May 2025 compliance deadline by sixty days.^[13][14]

On 8 July 2025, the Eighth Circuit Court of Appeals vacated the entire 2024 change to the Negative Option Rule on procedural grounds in Custom Communications, Inc. v. Federal Trade Commission.^[15][16] Despite the legal setback, the FTC carried out findings against Match.com, Chegg Inc., Cleo AI and Amazon based on the Restore Online Shoppers' Confidence Act (ROSCA) and Section 5 of the FTC Act.^[17]

On 30 January 2026, the FTC indicated renewed interest in updating the Negative Option Rule by submitting a draft Advance Notice of Proposed Rulemaking (ANPRM) to the Office of Management and Budget (OMB) for review.^[18][19] It was opened to public comment on 11 Mar 2026.^[20]

The European approach combines general consumer protection laws with data privacy-specific regulations. While the General Data Protection Regulation (GDPR) doesn't explicitly mention dark patterns, its requirements for valid consent effectively prohibit many deceptive designs.^[21]

The Digital Services Act (DSA) and Digital Markets Act (DMA) further address dark patterns by prohibiting practices that "deceive or manipulate" users.^[22]

Recent years have seen significant enforcement actions:

• Epic Games paid $245 million to settle charges related to deceptive patterns in Fortnite.^[23]
• Noom paid $62 million to settle charges regarding deceptive subscription practices.^[24]
• TikTok received a €345 million fine for failing to protect children's data through manipulative consent practices.^[25]

The base motivation of deceptive design is to create more benefits for the company. But there are several indirect harms done in the process, some of them listed below.

A dark pattern is harmful to consumers in many ways, often leading to financial loss and emotional distress.^{[citation needed - Needs some study or news site here]}

They could also be used violate the consumers privacy by hiding information on what data a service collects and how that data is used, and hiding or excluding options to stop data collection or delete already collected data.

Dark patterns attempt to frustrate the consumer enough to accept what patterns are being used against them, and stop looking for any in-site settings or other methods to bypass the patterns.^[5][21] This can train up a feeling of hopelessness or cynisim over time.

The most vulnerable consumers are those who are unfamiliar with computers and the internet, and those with mental or physical disabilities that impair them from either recognizing dark patterns or avoiding them if possible. People with anxiety disorders are also easier victims of deceptive design, especially because fear some types of deceptive design directly rely on injecting fear and stress.

Despite consumer backlash being unlikely to lead to immediate change in business practices, many dark patterns that violate consumer protection laws could lead to heavy lawsuits against businesses^[5] People can also start to avoid a brand based on a deceptive experience with a particular product, because they have lost trust with them. And the more companies do these kinds of practices the more this causes the erosion of trust in businesses in general. A societal effect like this can have significant business and economic implications.

Consumer education plays a crucial role. Initiatives like the Dark Patterns Tip Line allow users to report deceptive designs they encounter. Advocacy organizations provide resources to help identify and avoid dark patterns.^[1]

Designers should implement neutral default settings that don't assume consent.^[7] And companies should provide honest explanations of data practices and costs in clear, understandable language.

Efforts to automatically detect dark patterns are evolving but face significant challenges. A comprehensive study found that existing tools could only identify 31 of 68 identified dark pattern types, a coverage rate of just 45.5%.^[2] The study proposed a Dark Pattern Analysis Framework (DPAF) to address existing gaps.

Examples of dark patterns, with notes.

• 
  An example of manipulating the user by minimizing the noticeability of the "More" option while emphasizing only the "Accept" button.
• 
  Diving deeper shows Marketing enabled by default and using a color to match the font text. The "Deny" option is dark text and uses a light-gray color border that is both harder to see and generally associated with denial of action.
• 
  Mixpanel is labeled as "essential", but hidden within the collapsed section is an explanation that it's a tracker. MyCarly may genuinely consider it necessary, but a tracker is still a tracker. Google Tag Manager is also enabled by default, with the same issue as the previous image.

• 
  The message that appears on user's visit to the website. Cookie management is located closely above the bright Continue button.
• 
  "Do not sell or share" is enabled by default, but comes with a disclaimer. (See file page for further notes.)