Deceptive design patterns (also known as “dark patterns” or “dark commercial patterns”) refer to digital practices that can manipulate users’ decision-making, often leading them to make choices that are not in their best interest. In its 2022 policy paper, the Organisation for Economic Co-operation and Development (“OECD”) explained how dark patterns typically fall into one of the following categories:

  1. Forced action: Forcing the disclosure of more personal data than is desired or necessary to access a service (e.g., forced registration or profile creation).
  2. Interface interference: Design elements that give visual prominence to options favourable to the business (and can influence users’ perception and understanding of their privacy options).
  3. Nagging: Repeated prompts for users to take specific actions (e.g., changing a cookie setting in a way that benefits the business and may undermine the user’s privacy interests).
  4. Obstruction: Insertion of unnecessary, additional steps in a task flow to dissuade user action (e.g., complex unsubscribe practices that place barriers between users and their privacy-related goals).
  5. Sneaking: Hiding, disguising and/or delaying the divulgence of information relevant to a user’s decision (e.g., hidden fees, forced subscriptions).
  6. Social proof: Attempts to trigger a decision based on observations of other users’ behaviour (e.g., notifications about other users’ purchases).
  7. Urgency: Imposing time or quantity limits to exert pressure on the user (e.g., a countdown timer).

Dark patterns matter not only in the consumer protection context; they also have considerable privacy implications. In recent years, the conversation surrounding deceptive design patterns has gained traction in Canada, as regulators take a closer look at how businesses are using such practices.

Office of the Privacy Commissioner of Canada takes action

The Office of the Privacy Commissioner of Canada (“OPC”) has been vocal about the negative impacts of deceptive design patterns on privacy. In late 2024, the OPC published a report on dark patterns that reviewed 145 websites and apps in various sectors across Canada using many of the OECD criteria. This was part of a coordinated effort amongst 25 international privacy authorities in the Global Privacy Enforcement Network’s (“GPEN”) sweep on dark patterns.

The Canadian sweep primarily examined retailer websites and apps, which made up 50 per cent of the reviewed platforms, while 11 per cent were from the news, media, gaming, and entertainment sectors. Following the report, the OPC has begun reaching out to organizations whose websites and apps contain dark patterns.

Key findings from the report include:

  • Widespread use of deceptive design: The OPC concluded that 99 per cent of websites and apps reviewed contained at least one indicator of deceptive design (compared to 97 per cent globally). The OPC noted frequent use of obstruction and interface interference tactics.
  • Confusing privacy policies: According to the OPC, the most prevalent dark pattern involved complex and confusing language in privacy policies. In 76 per cent of cases (compared to 55 per cent globally), policies were excessively long, at over 3,000 words, while 33 per cent of privacy policies were difficult to read (compared to 20 per cent globally).
  • Defaulting to low privacy settings: The OPC indicated that 65 per cent of websites and apps that provided users with upfront privacy choices defaulted to the least privacy-protective options, significantly higher than the global average of 48 per cent.
  • Account deletion barriers: According to the OPC, 43 per cent of websites and apps reviewed did not have a visible option for users to delete their account (compared to 55 per cent globally). In attempting to delete accounts, only 25 per cent of websites and apps had options to delete a user account in two or fewer clicks (compared to 17 per cent globally).

The OPC’s report signals its concern that dark patterns will operate to obscure meaningful user consent and negate the requirement that consent be informed and obtained through clear, straightforward user interactions. In the view of the OPC, when dark patterns subvert this process, businesses risk violating privacy laws such as the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and provincial privacy statutes.

How other regulators are addressing deceptive designs

As part of a coordinated effort, the Federal, Provincial and Territorial Information and Privacy Commissioners and Ombuds published a resolution in November 2024 calling on public and private sector organizations to avoid designs and practices that would influence, manipulate or coerce users into making decisions against their privacy interests.

Other regulators are also scrutinizing the ethics behind online design. For example, the Competition Bureau of Canada warns against practices that could mislead consumers, including some deceptive design patterns that foster fake scarcity and urgency, leading individuals to make purchases under false pretenses.

Provincial consumer protection laws similarly prohibit unfair and deceptive business practices, many of which overlap with dark patterns used in digital environments. As the enforcement agency for Canada’s Anti-Spam Legislation (“CASL”), the Canadian Radio-Television and Telecommunications Commission (“CRTC”) also has responsibility for safeguarding against deceptive online marketing practices.

Insights for businesses

For businesses operating in Canada, understanding and complying with regulatory directions on deceptive design patterns is critical to avoiding legal challenges.

The most common dark pattern identified in the OPC’s review was the use of complex and confusing language in privacy policies. The OPC found that the length and readability of these policies created significant barriers to user comprehension, with many requiring a university or graduate-level reading ability. In response to this guidance, organizations are advised to regularly review their privacy policies to ensure they are clear, concise, and written in plain language. This helps users understand how their personal information is collected, used and disclosed, enabling them to make informed privacy decisions. A more streamlined privacy policy can also avoid making hortatory promises or statements that consumers may claim were not adhered to, particularly in the event of a breach or privacy complaint.

Additionally, businesses can enhance user experience and strengthen compliance with privacy laws by minimizing the steps required to adjust privacy settings, offering just-in-time consent options, and defaulting to the most privacy-protective settings. Adopting these practices not only ensures alignment with Canadian privacy laws but fosters greater transparency and user trust.

For help with your organization’s privacy program, please contact the authors or your trusted Gowling WLG professional.