Chapter 29: Enforcement challenges

When you look at the pervasiveness of deceptive patterns today, it may seem like today’s laws and regulations aren’t working, but that’s not strictly true. They’re kind of working. The current state of affairs is a bit like a spluttering kitchen tap with low water pressure – a lot of waiting around and frustration. We are at a transitory point where we have old laws that weren’t written with deceptive patterns in mind, and new laws coming in that haven’t fully bedded in yet.

The problem with enforcing consumer law is that it’s slow and expensive, even at the best of times. Deceptive patterns are often designed to be subtle and intricate, making them difficult to identify and prove in a legal context. Consumer protection law is complex, and the wording of the law can be ambiguous, leading to battles over interpretation. Then, of course, you’ve got the differences between the member states: the EU is made up of countries that may have different enforcement strategies; while the US is made up of states that may create their own laws. This creates even more complexity. Let’s look at the reasons for slowness more closely.

Resource constraints

To effectively monitor and enforce existing laws, agencies require a combination of technically proficient staff, efficient systems and sufficient personnel. To do this, they need money. Budget allocation comes from politicians who have to make difficult choices about where public money goes. Sometimes agencies just don’t get the money they need to do their jobs properly.

Question of motivation

Another barrier to effective enforcement of regulations is the lack of motivation in some agencies. For instance, some critics accuse the Irish Data Protection Commissioner of being slow to enforce GDPR. In a 2019 Politico article titled ‘How one country blocks the world on data privacy’ Nicholas Vinocur scathingly commented, ‘Ireland has a long history of catering to the very companies it is supposed to oversee, having wooed top Silicon Valley firms to the Emerald Isle with promises of low taxes, open access to top officials, and help securing funds to build glittering new headquarters’.[1]

In its defence, the Irish Data Protection Commissioner has stepped up the pace recently, fining Meta €390 million in January 2023[2] and then €1.2 billion just a few months later in May.[3] Still, it seems that under-budgeting an agency can potentially be politically motivated. After all, it’s understandable that a government might want to attract large international businesses by making the environment more appealing.

Nature of principle-based laws

Consumer protection laws are generally principle-based. This characteristic is a double-edged sword. While it lends these laws the flexibility to adapt to new practices, making them somewhat future-proof, it also inherently slows their responsiveness. Each case has to be meticulously worked through the legal system, a time-consuming process that allows companies to exploit existing loopholes.

Forbidden practices and penalties

In the EU, forbidden practices were added to the Unfair Commercial Practices Directive to ban outright certain deceptive patterns (aka a blacklist). This is helpful, but it has only been updated once since it was created in 2005, and it doesn’t provide any real detail about punitive measures.[4] This raises the obvious question of whether such an approach would work better if there was a faster way to update the list of forbidden practices, and stronger punitive measures if those practices are used (for example, higher fines).

What it’s like being an expert witness in lawsuits

Here’s a summary of my experience as an expert witness on deceptive patterns in various legal cases in the United States.

First, I get contacted by a law firm. The initial conversations can be quite cryptic – they often don’t like putting anything in writing in case a poorly worded off-the-cuff statement gets used against them in the future. Once they’ve established trust, they tell me what the case is about.

Many of these sorts of law firms spend their time hunting for weaknesses in legal armour, targeting high-value tech companies and searching endlessly for ways in which to find a case that can lead to a payday for them – and relatively little money for the individual plaintiffs. This is rather different to the Hollywood image of class action suits where the story starts with a group of wronged individuals and a plucky lawyer steps up to help them. Still, even though the class action model has downsides, the lure of a big payday for the lawyers attracts many energetic and capable firms to fight on behalf of users, and the threat of these sorts of lawsuits can deter businesses from breaking the law.

In the initial call, I’m typically asked to give my opinion on a few screenshots of a user journey: ‘Are there any deceptive patterns at play here?’, for instance. When my answer is no, the conversation is over and they either go off looking for a different expert or a different case. When my answer is yes or maybe, I get engaged by the law firm. Every case I’ve worked on so far has started with a preliminary analysis where I capture extensive screenshots of the user journey and look closely at every step using an expert evaluation method.

I typically use a mystery shopper method in which I’ll define a persona with certain characteristics and a goal in mind. For example, if it’s a sports ticket sales e-commerce journey then the characteristics and goals will relate to sport events. Then I document the steps such a user is likely to go through, taking a screenshot at each step. To use academic HCI terminology, this is a type of lightweight persona-based[5] ‘cognitive walkthrough’ method,[6] though instead of aiming to evaluate usability, it aims to identify the presence of deceptive patterns, the mechanics of how they work, and the ways in which a reasonable user may experience negative consequences as a result...


Since 2010, Harry Brignull has dedicated his career to understanding and exposing the techniques that are employed to exploit users online, known as “deceptive patterns” or “dark patterns”. He is credited with coining a number of the terms that are now popularly used in this research area, and is the founder of the website He has worked as an expert witness on a number of cases, including Nichols v. Noom Inc. ($56 million settlement), and FTC v. Publishers Clearing House LLC ($18.5 million settlement). Harry is also an accomplished user experience practitioner, having worked for organisations that include Smart Pension, Spotify, Pearson, HMRC, and the Telegraph newspaper.