How to avoid UX dark patterns (when asking people for their data)

Thanks to the General Data Protection Regulation (GDPR) we’ve seen an overwhelming proliferation of dark patterns recently. Why? Organisations desire access to as much customer data as possible. This is misguided.

These patterns need to die. Trust and the future of your business are what’s on the line.

In this article I will:

  1. Introduce the concept of dark patterns
  2. Briefly explain how and why they’re being used to coerce people into sharing data
  3. Describe in detail how to avoid designing these patterns
  4. Provide examples to help guide the way forward

You should read this post if:

  1. You’re a designer sick of the crap
  2. You’re a decision-maker trying to figure out how to get closer to your customers
  3. You’re a person that actually cares about other people, respects their agency and wants to do the right thing

Okay, let’s kick off.

WTF are dark patterns?

Dark patterns aim to manipulate behaviour for the gain of the ‘designer’ (read: organisation offering said product or service).

The term was coined back in 2010 by Harry Brignall and has become a popular discussion point in the design community.

Harry’s site is a great resource. It even describes a series of specific manipulative tactics and offers real examples to support them.

There are a heap of great resources available on the subject already. I’d suggest reviewing some of them for clarity, education and of course, comedy.

That way we can get to the part of the discussion I can contribute some real value to: data sharing.

Dark patterns and your data

Up until May 25th this year, customer data sharing was mostly an implicit activity. Organisations would gain access to a plethora of data without informing, empowering and enabling the people they served as customers to make choices. In fact, data sharing activities were deliberately ‘designed away’.

Over time these types of activities established a power imbalance. The companies who controlled the data had (and still have) the power.

*By the way, I very much dislike the “data is the new oil” rhetoric. It’s misguided. More on that in another post.

The individuals the data related to, however, were largely left out of the picture. Although you won’t hear corporate executives articulate this explicitly, people’s data (not actually the people) has become the product of the personal information economy. It’s in the bloody name!

As all of this happened consumer trust decreased, a lot. New regulations have emerged. There’s also a variety of differentiated approaches to data processing, both centralised and decentralised, that are more human centric than the ways of old. This has organisations grappling for competitive edge. Or rather, continued access to the data.

Because there’s a lack of ‘data trust’ maturity within most organisations, desperate measures have led to desperate design. Rather than getting better with the GDPR, many of the design patterns we’re experiencing are perhaps worse.

What the GDPR has done is direct our focus towards unethical, manipulative and cognitively distressing practices. Confirmshaming, misdirection and ‘Privacy Zuckering’ are continually employed to confuse, coerce and convince people to share their personal information.

So, how can you, as a ‘designer’ avoid this?

… by embedding Data Trust by Design

By now you’re probably quite familiar with Privacy (and Security) by Design. PbD is an approach to organisation design (projects, systems, work flows, business units etc.) that embeds privacy, security and person-centricity into the design of systems, products, services and business models from the outset. It’s proactive not reactive. It’s also well established.

But PbD faces internally. It’s something organisations do, and although it has massive potential to positively impact people’s experiences with a brand, it doesn’t explicitly advise how to go about bringing those approaches to customer-facing activities.

With this in mind, Data Trust by Design was born.

Data Trust by Design is the practice of designing experiences that give people the ability to make free and easy choices about how their data is and isn’t used. Although it could never replace PSbD, we believe it can complement it.

It’s an attempt to respect people’s agency in a way that complements, rather than hinders the experience they are having. It’s driven by 6 principles and supported by a series of patterns and practices.

The principles

Principle 1

First contact: Define shared objectives

People and organisations have stuff to achieve — stuff they’re motivated by. For a person:organisation relationship to really work, objectives need to be clearly stated by both parties upfront. If common ground is reached, proceed. If common ground can’t be reached, maybe it’s not meant to be. In either case the upside is that you may have just won yourself a brand advocate. Remember, people value transparency.

In practical terms, this means truly practicing data minimisation. Simply communicate your objective whilst finding ways for your potential customer to do the same. At this point in time there is no need for identity or any unnecessary attributes to be exchanged. KISS and decide whether it’s worth proceeding with further data processing quickly.

Principle 2

Before every interaction: Make the purpose clear

To make use of people’s data to fulfil a value proposition, your purpose has to be explicit. It has to be understood. People need to be informed, and only once they’ve made a choice in your favour do you proceed.

In practical terms this means catering to the context. If the interaction is simple and transactional, give people the most important information first. But give them the ability to drill down deeper if they feel it’s necessary. If specific requirements have to be met, ensure these are communicated explicitly. People need to understand the context if they are to assess it.

If you can explain your purpose in a sentence, picture or simple interaction, do it. If it requires more granularity and support, you’ve got to be willing to go the extra mile. Remember, people need to be informed and empowered so they can make a choice.

Principle 3

Establish a baseline: You are equals

The most successful relationships are built on a foundation of mutual respect and trust. Mutual respect starts with attitude, behaviour follows.

In practical terms, clearly state the control and access rights the person you’re building a relationship with has and relate it to your data processing purpose. Just like you, people need ways to make use of their data, withdraw your right to use that data and take their data to other relationships.

If you can do it, so can they. In this new world, people and organisations exchange value as equals.

Principle 4

Take your time: Trust has to be earned

Trust compounds over time. It’s the sum of radical transparency, consistent value delivery and a willingness to accept consequence.

Data trust relies on a show, don’t tell model. Give people the opportunity to try before they buy. Give them simple, light touch ways to engage with your brand. Show them that you do what you say, and you’re willing to own the consequence of your actions.

Design for the long game. Quarterly reporting isn’t the metric that matters most. Sustained customer value creation is.

Principle 5

Mutual success: Share in the value you co-create

They call it value exchange for a reason. By focusing on the value you create, rather than the value you take, it’s very likely you’ll begin delivering superior outcomes to the people you serve. If you do this consistently people will trust you to deliver.

Practically this means evolving your design practice and business metrics. It means focusing on the value, meaning and engagement you create for the people you serve, not just the metrics of old like CAC to LTV ratio.

When utilising people’s data to create value for them, make sure they understand how their data is being used to create that value. Magic tricks are great but feeling like the magician is much more rewarding.

Principle 6

Say goodbye: Make endings matter

Even the best relationships must end. The trusting relationships you have with the people you serve are no exception. When the time is right, regardless of who activates the ending, make it simple and easy for both parties to get out on the best of terms.

Practically this means giving people options. It means giving them ways to get all of their data, and helping them use that in whatever comes next for them. Think beyond people’s right to portability. Endings are contextual to each relationship. Some people might want assistance enforcing their right to be forgotten. If so, make this happen seamlessly. Give them visibility of tangible progress and show them clearly you’ve done exactly what they’ve asked you to do.

The patterns

To date we’ve released two distinct design patterns: upfront terms and conditions, and consent-based data sharing. We’ve got plenty more on the way.

We started with upfront terms and conditions because this impacts basically every person accessing the internet. Right now T&Cs are a nightmare to navigate, they’re designed to mitigate risk and limit liability (for the organisation), and are hidden so far in the background of most experiences we couldn’t even meaningfully engage if we tried.

In essence, terms and conditions haven’t been designed. By applying the principles and engaging in the practices of DTbD, we believe terms and conditions can become an empowering part of people’s digital experience. Of course it helps that this is a necessity.

We followed up T&Cs with consent because it was causing a stir. There’s a lot of misinformation out there right now. In fact, consent is just one of six lawful bases for processing data.

Regardless of this reality, we stuck to our guns and went for it.

Rather fortunately many of the same considerations we highlight in this post can be applied to a variety of data sharing contexts. The only real requirement to take advantage of these patterns and considerations is that the people the data relates to (your customers or users) actually have control of what you’re asking them to share.

Once you set that foundation making it real is a whole lot easier.

The practices

In 2017 we worked on a program, together with Data Transparency Lab, that was eventually turned into a practical playbook. The intention was to provide simple, practical guidance that supported people, teams and organisations in developing trustworthy data-driven experiences for their customers.

Two of the three practices we advocate most strongly are well represented in the playbook. The first is data trust experience mapping.

The second is data trust design experiments.

We’ve observed these practices fundamentally change the way organisations operate.

But something more is needed. Something we observe far too infrequently today: cross-functional collaboration.

“Building trust by design affects all parts of the organization: from product and strategy to legal and engineering. So naturally, one of the most important aspects a company needs is collaboration. >X was critical in helping us to bring in the right people at the right time, and create the right foundation for cross-functional working going forward.”

— Emily Stott, Go-to-Market Manager at Telefónica Alpha Health

When was the last time you pair designed with a lawyer? If you’re like most people I’ve ever come into contact with, your answer will be a firm, “never”. It’s unfortunate because this is an amazing pairing — one we’ve observed produces output that nails an organisation’s legal point of view in a way that actually benefits customers.

Without this ongoing, diverse collaboration, bringing DTbD to life is harder than it should be.

An example

Imagine you’re designing a personal financial management product. You might like to think of this as a ‘Neo Bank’.

If we assume upfront that some customer data is required (e.g. KYC/AML) and some customer data is a value add, then we can break down a progressive onboarding experience that brings to life DTbD in the context of the experience. Here’s how it could work.

It starts off real simple. It’s all about the value. Any and all data processing is explicit and communicated in a variety of ways (that you’ve ideally put to the test prior to deploying!).

You’re guided through a layered terms and conditions experience that enables you to stay up top or dive deep into detail. Either way it’s clear what you’re signing up to.

A basic sign up flow comes next. If you work in FSI you’ll note this is super light and would actually incorporate a few other steps. Onwards!

You’re then guided through a simple, action oriented onboarding process. Getting stuff done is a great way to learn.

You notice a feature called “My Life”. It’s an optional thing. You’re interested, so decide to check it out.

If you choose to activate the feature, you’re guided through a progressive process to share information.

You get a receipt of the information you’ve shared. What you’ve shared is easily accessible. Revoking what you’ve shared is as simple (or simpler!) as sharing it in the first place.

But let’s say you don’t revoke consent. Let’s say you’ve been using the feature for a little while.

Then, one fine, sunny morning, you’re on your way to work…

MyLife starts to come to life. An offer for something you’ve expressed explicit interest in comes your way. Awesome coffee, cheap price, on the way to work… Could it get any better?

A simple, consent-based data share experience follows.

You get the outcome you want. Everyone is happy :) Well, at least you, the bank and the cafe are off to a good start for that day.

This example serves the purpose of showcasing how DTbD can be brought to life. It balances appropriate friction with control and utility. It’s trustworthy data sharing in practice.

So, what do you do now?

I’ve got three suggestions:

  1. Read our content. Share it with your colleagues. Challenge our thinking and challenge yourselves to put your very own version of Data Trust by Design to the test.
  2. Build a case. Get support. Conduct an experiment and prove to the powers that be that trustworthy data (+ design) practices are good for your customers and for your business.
  3. Share what you’ve learned. Today there’s far too little out there about teams really investing heavily in data trust. We could all benefit from smart people sharing insights.

If you want to talk more, get in touch. If you want to keep reading, we’ve got a heap more content covering this space.

A nerdy way to sign off, but here it is… To data trust and beyond!