In 2019, a research team at Princeton's Center for Information Technology Policy did something nobody had done at scale before. They built a crawler that visited 11,000 shopping websites and looked for one specific thing: design patterns deliberately structured to manipulate users against their own interests. The result, _Dark Patterns at Scale_, found that roughly one in nine of those sites used at least one dark pattern. They cataloged 1,841 instances across the dataset.

The numbers were specific enough that policymakers paid attention. The Federal Trade Commission cited similar research in its case against Amazon. The European Union, in Article 25 of the Digital Services Act, directly named dark patterns as a regulated category for the first time in major legislation. California's Consumer Privacy Act regulations followed.

For more than a decade, the term "dark pattern" lived on the edge of the design profession — a critique used by ethics-minded UX writers, mostly ignored by the people shipping product. Today it is a compliance category, a brand risk, and an increasingly common cause of class action lawsuits.

If you are building, optimizing, or shipping any digital product touching subscriptions, signups, or payments, you need to know the taxonomy. Not because the patterns are subtle — most are obvious once named — but because the cost of accidentally shipping one has changed.

I work with growth teams who do not realize their conversion-optimized cancellation flow is now legally indefensible. That cost does not show up on their funnel. It shows up in the unmeasured cost of bad UX — the brand, legal, and word-of-mouth damage your dashboard cannot see. This article is the field guide.

A brief history of the term

Harry Brignull, a UK-based UX researcher, coined "dark patterns" in 2010 and built the first public catalog at deceptive.design (originally darkpatterns.org). For most of the next decade, his taxonomy was the working reference for designers who wanted to identify and avoid manipulative design.

Princeton's 2019 paper formalized the academic taxonomy. Mathur et al. organized observed patterns into seven high-level categories with fifteen sub-categories, mapped to five cognitive mechanisms by which they manipulate user behavior. That paper became the most-cited piece of dark-patterns research in subsequent regulatory rulemaking.

The regulatory wave followed quickly:

  • 2022. FTC settles _FTC v. Epic Games_ for $245 million on dark-pattern billing practices inside Fortnite, with an additional $275 million COPPA penalty.
  • 2023. FTC files _FTC v. Amazon.com, Inc._ alleging that the Prime cancellation flow — internally nicknamed the "Iliad Flow" — violated the Restore Online Shoppers' Confidence Act.
  • 2024. EU Digital Services Act becomes fully applicable; Article 25 explicitly bans dark patterns on online platforms. The FTC finalizes the Click-to-Cancel rule, requiring cancellation to be at least as easy as signup.
  • 2025. Amazon settles the ROSCA case for $2.5 billion total — $1 billion civil penalty plus $1.5 billion in consumer refunds. The largest ROSCA settlement on record and the new benchmark for dark-pattern enforcement cost.

In four years, dark patterns went from "designer ethics topic" to "named federal violation." Most product teams have not updated their mental models accordingly.

The 12-pattern taxonomy

The list below is the consolidated working taxonomy I use in client audits. It draws on Brignull's original twelve, Princeton's seven categories, and recent enforcement-action language. For each, I give the definition, the canonical example, and what it currently costs to ship.

1. Roach Motel

Definition: Easy to get into; hard to get out. The signup flow is one click; the cancellation flow is six pages.

Example: Amazon's "Iliad Flow," documented in the 2023 FTC complaint.

Cost to ship: This is the single most legally exposed pattern in the catalog after the FTC's Click-to-Cancel rule. If your cancellation friction exceeds your signup friction, your product is now potentially out of compliance.

2. Confirmshaming

Definition: Guilt-tripping the user into staying or paying. The "no thanks" option is worded to make the user feel foolish for declining.

Example: A modal that offers "Save 20% on a year" with a decline link reading "No thanks, I don't care about saving money."

Cost to ship: Mostly brand damage. Increasingly cited in trauma-informed-design critiques and accessibility audits. Not directly regulated but a classic word-of-mouth liability — these screenshots get shared.

3. Disguised ads

Definition: Advertising visually framed to look like editorial content, organic search results, or app functionality.

Example: A "Sponsored" label so faint it disappears against the background; a fake "X" close button that opens a new tab to the advertiser.

Cost to ship: FTC has long-standing enforcement authority on undisclosed advertising. App store policies (Apple and Google) prohibit several variants outright.

4. Forced Continuity

Definition: A free trial that auto-converts to a paid subscription without active consent.

Example: "Start your free 14-day trial — credit card required" with no reminder before the charge hits.

Cost to ship: Now squarely under the FTC Click-to-Cancel rule. Required disclosures and pre-charge reminders are no longer optional. Most subscription consumer brands have already adapted; many SaaS products have not.

5. Friend Spam

Definition: Tricking users into granting access to their contact list, then sending invitations under the user's name.

Example: LinkedIn's contact-import flow, which led to a $13 million class-action settlement in 2015.

Cost to ship: Consent-and-disclosure law has tightened in every major jurisdiction. Modern friend-spam attempts almost always trigger CCPA, GDPR, or state-level privacy violations.

6. Hidden Costs

Definition: Surprise fees that appear only at the final checkout step, after the user has invested effort in the flow.

Example: Shipping, "convenience fees," "service fees," "regulatory recovery fees" — added late and presented as non-negotiable.

Cost to ship: State-level "drip pricing" enforcement has accelerated since 2023. California, New York, and Minnesota have all introduced or enforced laws requiring all-in pricing disclosure upfront.

7. Misdirection

Definition: Visual hierarchy or motion designed to draw attention away from the choice the user actually wants to make.

Example: A bright "Continue" button next to a tiny gray "Skip" link, even though the two choices are logically peers.

Cost to ship: Difficult to regulate directly because misdirection is a matter of degree. But it is the most-discussed pattern in regulatory guidance documents (FTC, EU DSA) as the connective tissue between other patterns.

8. Privacy Zuckering

Definition: Tricking users into sharing more information than they intended, named for Mark Zuckerberg after Facebook's mid-2010s consent flows.

Example: Settings buried multiple clicks deep, defaults that opt users into sharing, consent flows that present "Accept all" prominently and "Manage preferences" as a secondary action.

Cost to ship: Norwegian Consumer Council's 2018 Deceived by Design report, on Facebook, Google, and Microsoft consent flows, was used directly in subsequent EU enforcement. The DSA Article 25 prohibition makes most variants explicitly illegal in the EU.

9. Price Comparison Prevention

Definition: Making it artificially difficult to compare prices across competitors or across plans within the same product.

Example: Pricing pages that hide annual-vs-monthly comparisons; subscription tiers presented in different units; products sold in non-standard sizes that make per-unit comparison hard.

Cost to ship: Less regulated than other patterns but increasingly cited as anti-competitive behavior. Brand cost is real — sophisticated buyers recognize and remember this pattern.

10. Sneak into Basket

Definition: Adding items to the user's cart that the user did not select, usually as add-ons or "recommended" extras pre-checked at checkout.

Example: Pre-selected travel insurance on an airline checkout; pre-selected donations to charity at retail checkout; pre-selected extended warranties.

Cost to ship: ROSCA (Restore Online Shoppers' Confidence Act) explicitly prohibits unauthorized billing. Class actions on this pattern are common.

11. Trick Questions

Definition: Form fields phrased to confuse users into giving the opposite of the answer they intend.

Example: "Do not uncheck this box if you do not want to not receive marketing emails." Triple negatives by design.

Cost to ship: Mostly brand and legal cost. Consent obtained through trick questions is regularly invalidated under GDPR Article 7.

12. Bait and Switch

Definition: Promising one outcome and delivering another after the user has committed.

Example: "Free download" buttons that lead to paywalls; "1-click signup" that requires a credit card; "free shipping" headlines that exclude most products.

Cost to ship: Generally covered under existing unfair-and-deceptive-practice statutes. Standard FTC enforcement category.

SHADOW check: Dark patterns are unusually visible across multiple SHADOW proxies. Help-desk ticket clusters around "where is the cancel button" or "I didn't sign up for this" indicate roach motel and forced continuity. Defection free-text frequently surfaces hidden-cost and bait-and-switch language. Outside reviews on G2 and App Store often name specific dark patterns by canonical example. The legal exposure under Audits has shifted dramatically since 2022. If you are running a quarterly SHADOW audit, dark patterns will tend to show up across multiple proxies before they show up on the funnel.

What you can no longer get away with

The legal landscape has shifted enough that I now divide the twelve patterns into three risk tiers when I run client audits.

Tier 1: Currently illegal in major jurisdictions. Roach Motel (US under Click-to-Cancel), Forced Continuity without disclosure (US under ROSCA, EU under DSA), Privacy Zuckering (EU under DSA + GDPR), Sneak into Basket (US under ROSCA), Trick Questions for consent (EU under GDPR Article 7).

Tier 2: Increasingly enforced. Hidden Costs (state-level drip-pricing laws), Friend Spam (CCPA + state privacy laws), Bait and Switch (FTC unfair-deception authority).

Tier 3: Brand cost only, for now. Confirmshaming, Misdirection, Disguised Ads (where disclosures exist), Price Comparison Prevention.

This list will tighten further. The trajectory of every pattern in Tier 3 in 2026 is toward Tier 2 by 2030. If you are designing on the assumption that "regulation has not caught up to this yet" is a durable strategic position, you are pricing the legal half-life wrong.

How to audit your own product

The audit I run with growth teams takes about two days for a single product surface. The shape:

Day 1: Surface the patterns. Walk through every flow on the product — signup, onboarding, checkout, cancellation, account-deletion, marketing-email-unsubscribe, plan-change. For each step, ask: is the user's preferred outcome easier to reach than the company's preferred outcome? When the answer is no, name the pattern from the taxonomy above.

Day 2: Score the cost. For each pattern found, determine the tier (1, 2, or 3 above) and estimate the legal half-life — how soon current Tier-3 patterns will become Tier-2 in your jurisdiction. Map remediation against business priority. Tier-1 patterns require immediate fixes; Tier-2 patterns require a 90-day plan; Tier-3 patterns require a deliberate strategic decision.

The output is a remediation roadmap that the legal, growth, and design teams can co-own. The conversation usually shifts from "should we change this?" to "in what order do we change these, and who funds it?"
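As an added illustration of the two-day audit above and of the SHADOW proxy check earlier, here is a small Python script that is not part of the article or of the author's audit toolkit: it runs phrase rules over constructed help-desk tickets (the Day 1 proxy side), applies the cancellation-parity test to constructed signup and cancellation step counts (the Day 1 flow walk-through), and orders what it finds by the three risk tiers with their remediation windows (Day 2). The signal phrases, the ticket text and the step counts are assumptions chosen to mirror the article's examples.

```python
import re
from collections import Counter

# Risk tiers as the article's audit assigns them: Tier 1 currently illegal,
# Tier 2 increasingly enforced, Tier 3 brand cost only (for now).
TIER = {
    "roach motel": 1, "forced continuity": 1, "privacy zuckering": 1,
    "sneak into basket": 1, "trick questions": 1,
    "hidden costs": 2, "friend spam": 2, "bait and switch": 2,
    "confirmshaming": 3, "misdirection": 3, "disguised ads": 3,
    "price comparison prevention": 3,
}
REMEDIATION = {1: "fix immediately", 2: "90-day plan", 3: "strategic decision"}

# Phrase rules for the SHADOW proxies (help-desk tickets, defection free-text,
# outside reviews). The phrases are assumptions modelled on the article's
# examples, not a vetted classifier; tune them against your own ticket corpus.
SIGNALS = {
    "roach motel": [r"where is the cancel", r"can'?t (?:find a way to )?cancel"],
    "forced continuity": [r"didn'?t sign up", r"charged after (?:my|the) trial"],
    "hidden costs": [r"(?:service|convenience|recovery) fee", r"surprise fee"],
    "bait and switch": [r"said (?:it was )?free", r"paywall"],
    "sneak into basket": [r"pre-?(?:checked|selected)", r"added to (?:my )?cart"],
    "confirmshaming": [r"no thanks, i don'?t", r"made me feel (?:stupid|foolish)"],
}
COMPILED = {p: [re.compile(r, re.IGNORECASE) for r in rules] for p, rules in SIGNALS.items()}


def classify(text):
    """Return the set of taxonomy patterns a single free-text entry points at."""
    return {p for p, rules in COMPILED.items() if any(r.search(text) for r in rules)}


def proxy_counts(texts):
    """Day 1, SHADOW side: how many tickets or reviews point at each pattern."""
    counts = Counter()
    for t in texts:
        counts.update(classify(t))
    return counts


def cancellation_parity_flag(signup_steps, cancel_steps):
    """Day 1, flow walk-through: the Click-to-Cancel test the article states,
    cancellation must be at least as easy as signup. More cancellation steps
    than signup steps is the roach motel signature."""
    return cancel_steps > signup_steps


def roadmap(patterns):
    """Day 2: order found patterns by tier and attach the remediation window."""
    ordered = sorted(patterns, key=lambda p: (TIER[p], p))
    return [(p, TIER[p], REMEDIATION[TIER[p]]) for p in ordered]


def audit(texts, flows):
    """Combine proxy evidence with the flow step counts into one roadmap."""
    found = set(proxy_counts(texts))
    if cancellation_parity_flag(flows["signup"], flows["cancel"]):
        found.add("roach motel")
    return roadmap(found)


# Constructed sample tickets (not real customer data).
TICKETS = [
    "Where is the cancel button? Four pages in and I still can't cancel.",
    "I didn't sign up for this. I was charged after my trial ended with no reminder.",
    "A $12 service fee appeared at the last checkout step; nothing mentioned it earlier.",
    "The page said free download but it went straight to a paywall.",
    "Travel insurance was pre-checked and added to my cart without me choosing it.",
    "Great product, support answered within the hour.",
]
# Constructed step counts from walking the signup and cancellation flows.
FLOWS = {"signup": 1, "cancel": 5}

if __name__ == "__main__":
    for pattern, tier, action in audit(TICKETS, FLOWS):
        print(f"Tier {tier}  {pattern:<20} {action}")
```

Running it prints the five patterns the sample evidence supports, Tier 1 first, each with its remediation window; the `Counter` from `proxy_counts` is what you would chart per proxy to see a pattern surface in tickets before it shows on the funnel.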

A practical heuristic from Krug's _Don't Make Me Think_ that holds up under regulatory pressure: the product's job is to remove friction from the user's intent, not to add friction to the company's loss. Every dark pattern violates this rule by design. The taxonomy is just a list of the specific ways the violation gets shipped.

What to do if you find them

I have run this audit at companies that found nothing and at companies that found seven of the twelve patterns active in production. The pattern in how they responded predicts how the next two years will go for them.

The companies that found nothing usually had a designer or engineer who had been quietly removing them as they appeared, often without naming the pattern explicitly. The companies that found seven usually had growth teams who had optimized the flows in question without anyone with dark-pattern fluency on the review committee.

The fix is not technically hard. The fix is organizational: dark-pattern fluency needs to live somewhere in the review process for any flow that touches subscriptions, payments, consent, or account state. That can be design, can be legal, can be product, can be a recurring audit. It cannot be nowhere.

Don't trust blindly. Test the alternatives — the bright-pattern versions of these flows. The companies that have done this work tend to find that the bright-pattern variant performs as well or better in the long run, once the brand half-life is correctly priced into the test framework.

Run a dark-patterns audit on your product

If your product touches subscriptions, signups, or payments and you have not run a dark-patterns audit since 2023, the legal landscape has changed under you. The taxonomy above is the starting checklist.

I run this audit alongside CRO programs for a small number of growth teams every quarter. The conversation usually surfaces three or four patterns the team did not realize they had shipped. Book a strategy call and we can walk through your flows together.

FAQ

What is the difference between a dark pattern and an A/B test winner?

An A/B test winner is a design choice that produced better measured outcomes against the test's metric. A dark pattern is a design choice deliberately structured to manipulate users against their interests. The two can overlap: a confirmshaming variant often "wins" against a neutral variant in a short-term funnel test, because guilt is an effective short-term motivator. The dark-pattern critique is that the test was measuring the wrong thing — the unmeasured cost of the manipulation showed up later in brand sentiment, churn free-text, and regulatory exposure. Tests are not exempt from the taxonomy. They surface patterns; they do not justify them.

How is the FTC Click-to-Cancel rule different from prior law?

The Click-to-Cancel rule, finalized by the FTC in October 2024, codifies a specific symmetric standard: cancellation must be at least as easy as signup. Prior subscription-billing law (ROSCA, state-level auto-renewal laws) required disclosures and authorization, but did not specify cancellation parity. The new rule means a one-click signup paired with a five-page cancellation flow is presumptively non-compliant.

Are dark patterns the same as deceptive advertising?

Overlapping but distinct. Deceptive advertising is content-based — false claims, misleading testimonials, hidden material terms. Dark patterns are interaction-based — design choices that manipulate user behavior even when the underlying claims are accurate. The FTC's recent enforcement language treats them as related categories under the same unfair-or-deceptive-practice authority.

Can a single dark pattern actually cost a meaningful amount?

The FTC's _Epic Games_ settlement was $520 million across two related cases, primarily for billing dark patterns in Fortnite. The Amazon Prime ROSCA case settled in September 2025 for $2.5 billion total — $1 billion civil penalty plus $1.5 billion in consumer refunds — establishing a new benchmark for single-case dark-pattern enforcement cost. State and class actions add to these. For most companies, the more material cost is the one your dashboard cannot see — the brand and word-of-mouth degradation that compounds for years after a viral exposure of the pattern. A widely-shared screenshot of a confirmshaming modal can move acquisition cost more than any direct fine.

What if a dark pattern actually improves user outcomes?

This is the harder question and it deserves an honest answer. Some patterns the taxonomy names — a default opt-in for a security feature, a friction-adding confirmation step before an irreversible action — can be designed manipulatively or beneficially depending on intent and execution. The rule of thumb I use: if the user, fully informed of the design choice, would still consent to it, the pattern is defensible. If the design depends on the user not understanding the choice, it is a dark pattern regardless of outcome. This is the test the EU DSA implicitly applies in Article 25.

Atticus Li

Experimentation and growth leader. CXL-certified CRO practitioner, Mindworx-certified behavioral economist (1 of ~1,000 worldwide). 200+ A/B tests across energy, SaaS, fintech, e-commerce, and marketplace verticals.