Dark Patterns and Deceptive Design: What Your Terms of Service Must Address in 2026


A single checkbox worded the wrong way. A cancellation flow buried six pages deep. A pop-up that guilts users into clicking “Yes.” These design choices might seem harmless, but federal and state regulators now treat them as violations that carry nine-figure penalties. If your website or app uses manipulative interfaces to push users toward purchases, subscriptions, or data sharing, your terms of service could be the evidence regulators use against you.

The legal risks around dark patterns in terms of service have escalated sharply. In October 2025, the FTC secured a $2.5 billion settlement against Amazon for using deceptive design in its Prime enrollment and cancellation process. California’s privacy agency issued new enforcement guidance treating any consent obtained through dark patterns as legally void. More than 20 states now have comprehensive privacy laws on the books, and many explicitly prohibit manipulative consent mechanisms. For any business operating online, the terms of service you publish are no longer just a legal formality. They are a regulatory target.

This article breaks down what dark patterns are, which laws prohibit them, and the specific language and design choices your terms of service must avoid to stay compliant in 2026.

1. What Counts as a Dark Pattern Under Federal and State Law

A dark pattern is a user interface element designed or manipulated to subvert a person’s ability to make a free, informed choice. The term covers a range of tactics: confirmshaming (guilt-tripping users who try to decline), misdirection (drawing attention away from important options), sneaking (hiding material terms like auto-renewal pricing), and obstruction (making cancellation harder than sign-up).

Under Section 5 of the FTC Act (15 U.S.C. § 45), any unfair or deceptive act or practice in commerce is unlawful. The FTC does not need to prove a company intended to deceive. If the design has the effect of misleading a reasonable consumer, that is enough.

California’s CCPA goes further. Cal. Civ. Code § 1798.140(l) defines a dark pattern as any interface “designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.” Section 1798.140(h) states plainly that consent obtained through dark patterns does not constitute valid consent. Intent does not matter. If a business knows about a manipulative interface and fails to fix it, the design still qualifies.

How Regulators Identify Manipulative Consent Flows

The California Privacy Protection Agency (CPPA) published an Enforcement Advisory on September 4, 2024, with specific tests businesses should apply. Opt-out processes must not require more steps than opt-in. Choices must be symmetrical, meaning presenting only “Yes” and “Ask Me Later” without a true “No” option is a prohibited practice. If your terms of service reference a consent mechanism that fails these tests, the agreement itself becomes unenforceable on those points.

2. The Amazon Settlement and What It Signals for Every Online Business

The FTC’s $2.5 billion settlement with Amazon in October 2025 is the largest dark patterns enforcement action in history. The breakdown: $1 billion in civil penalties (the largest ever for an FTC rule violation) and $1.5 billion in consumer restitution.

The complaint centered on Amazon’s Prime subscription program. According to the FTC, Amazon’s internal cancellation flow, code-named “Iliad,” required users to click through up to six pages and 15 separate clicks before they could cancel. The enrollment process used pre-checked boxes and obscured pricing disclosures. The FTC filed the case under both the FTC Act and the Restore Online Shoppers’ Confidence Act (ROSCA), which requires clear disclosure of material terms and affirmative consent before any charges.

What the Amazon Case Means for Your Cancellation Terms

If your terms of service describe a cancellation process that is more complex than your sign-up flow, you are exposed. Regulators now compare the number of steps, clicks, and screens required for each. A terms and conditions lawyer can audit your cancellation flow against the standards the FTC applied in the Amazon case and flag provisions that create asymmetric friction.

3. Auto-Renewal Language That Triggers Enforcement

Subscription billing is the single most common area where dark patterns appear in terms of service. ROSCA requires businesses to clearly disclose material terms before obtaining billing information and to get express informed consent before charging. State laws add their own requirements. California’s Automatic Renewal Law (Bus. & Prof. Code §§ 17600-17606) mandates that auto-renewal terms be presented in a “clear and conspicuous” manner, separate from the rest of the terms.

If your terms bury auto-renewal disclosures in dense paragraphs, use small font sizes, or rely on pre-checked enrollment boxes, those provisions will not hold up. For a detailed breakdown of what subscription terms must include, see our guide on auto-renewal subscription compliance.

Red-Flag Clauses in Subscription Agreements

Watch for these problems in your own terms:

  • Auto-renewal disclosures placed after the “I agree” button or checkbox, so users consent before seeing them
  • Cancellation instructions that say “contact support” without providing a direct, functional cancellation link
  • Trial-to-paid conversion terms that do not restate the post-trial price at the point of enrollment
  • Language that requires users to cancel a specific number of days before renewal but does not send a reminder

4. Privacy Consent Mechanisms That Regulators Will Challenge

Privacy policies and data consent flows are a second major enforcement target. Under the CCPA’s updated regulations (effective January 1, 2026), businesses must provide opt-out mechanisms that are as easy to use as their opt-in equivalents. Cookie banners that make “Accept All” a large, colorful button while hiding “Reject” in gray text at the bottom of the page are textbook dark patterns.

A privacy policy lawyer can review your consent interfaces to confirm they meet the symmetry requirements now enforced in California, Colorado, and Connecticut. The Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) and the Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.) both prohibit obtaining consent through dark patterns, and both are expected to ramp up enforcement activity through 2026.

Cookie Banners and Consent Pop-Ups Under Scrutiny

Your terms of service often reference your cookie policy and data collection practices. If those references point users to a consent flow that uses manipulative design, the terms themselves become part of the problem. Ensure that:

  • Reject and Accept buttons are the same size, color, and prominence
  • Pre-checked consent boxes are removed entirely (the CPPA has flagged these as presumptively deceptive)
  • Users can withdraw consent through the same interface they used to grant it
  • The consent flow does not use countdown timers, urgency language, or warnings about “degraded experience” to pressure acceptance

5. SaaS Agreements and B2B Contracts Are Not Exempt

Some businesses assume that dark pattern regulations only apply to consumer-facing products. That assumption is wrong. The FTC Act covers all commerce, and state privacy laws like the CCPA apply to any business that meets revenue or data-processing thresholds, regardless of whether the end user is a consumer or another business.

SaaS platforms that use tiered pricing, free-trial-to-paid funnels, or automatic seat expansions need to audit their terms carefully. If a SaaS agreement lawyer reviews your contract and finds that the upgrade path is frictionless while the downgrade or cancellation path requires contacting sales, submitting a ticket, and waiting for a confirmation email, that disparity is the kind of asymmetry regulators target.

Platform Design Choices That Create Legal Exposure

B2B SaaS companies should review these areas:

  • Automatic seat additions that trigger billing increases without a separate confirmation step
  • Downgrade flows that warn about data loss without clarifying what data is actually at risk
  • Contract renewal clauses that auto-extend for 12 months but allow cancellation only during a narrow 15-day window
  • Pricing pages that show a low monthly rate but charge annually, with the annual commitment disclosed only in the terms

6. How to Audit Your Terms of Service for Deceptive Design

Fixing dark patterns is not just about rewriting contract language. It requires aligning your terms with the actual user experience on your website or app. Here is a practical audit framework:

Step-by-Step Compliance Review

  • Map every consent point. Identify each place where your website or app asks users to agree to something: account creation, newsletter sign-up, cookie consent, subscription enrollment, data sharing permissions.
  • Count the clicks. For each consent point, count the steps required to say yes and the steps required to say no or cancel. If declining takes more effort, you have an asymmetry problem.
  • Read the language out loud. Confirmshaming often hides in button copy. If your decline button says “No, I don’t want to save money” instead of a neutral “No thanks,” replace it.
  • Check disclosure placement. Material terms (pricing, auto-renewal, data collection scope) must appear before the consent action, not after. If users scroll past a checkbox before reaching the terms it references, the disclosure fails.
  • Test the cancellation path. Complete the full cancellation flow yourself. If it takes more than two screens or requires contacting a human, simplify it.
  • Review with legal counsel. Have a qualified attorney compare your terms against the specific requirements of every jurisdiction where you operate. Federal, California, Colorado, and Connecticut standards each have distinct tests.
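The review steps above, together with the cookie-banner checklist in section 4, can be turned into a repeatable lint over an inventory of your consent points. The script below is an added example, not code from this article or from TOS Lawyer; the consent-point model, its field names and the sample values are hypothetical, and the thresholds (decline steps versus accept steps, two cancellation screens) are the ones the steps above state.

```javascript
// Added example: a lint over a constructed inventory of consent points, applying
// the audit tests from this article. All field names and values are hypothetical.
const CONFIRMSHAME = [/don['’]?t want/i, /don['’]?t care/i, /miss out/i, /lose/i, /save money/i];

function auditConsentPoint(p) {
  const findings = [];
  // Count the clicks: declining must not take more steps than accepting (CPPA symmetry test)
  if (p.declineSteps > p.acceptSteps) {
    findings.push(`asymmetry: ${p.declineSteps} steps to decline vs ${p.acceptSteps} to accept`);
  }
  // Read the language out loud: guilt-tripping copy on the decline control is confirmshaming
  if (CONFIRMSHAME.some((re) => re.test(p.declineLabel))) {
    findings.push(`confirmshaming: decline button reads "${p.declineLabel}"`);
  }
  // Section 4 checklist: pre-checked consent boxes are presumptively deceptive
  if (p.preChecked) findings.push("pre-checked consent box");
  // Check disclosure placement: material terms must appear before the consent action
  if (!p.termsBeforeConsent) findings.push("disclosure placed after the consent action");
  // Section 4 checklist: Reject and Accept must match in size and color
  const a = p.accept, d = p.decline;
  if (a.width !== d.width || a.height !== d.height || a.color !== d.color) {
    findings.push("accept/decline buttons differ in size or color");
  }
  // Test the cancellation path: at most two screens and never a human in the loop
  if (p.cancelScreens > 2 || p.cancelRequiresHuman) {
    findings.push(`cancellation needs ${p.cancelScreens} screens` +
      (p.cancelRequiresHuman ? " and a support contact" : ""));
  }
  return findings;
}

// Runs every consent point and returns { name: [findings] } for the whole site.
function auditSite(points) {
  const report = {};
  for (const p of points) report[p.name] = auditConsentPoint(p);
  return report;
}

// Constructed sample: one flow exhibiting the problems the article lists, one clean flow.
const SAMPLE_POINTS = [
  { name: "subscription-enrollment", acceptSteps: 1, declineSteps: 6,
    declineLabel: "No, I don't want to save money", preChecked: true, termsBeforeConsent: false,
    accept: { width: 240, height: 48, color: "#ff9900" }, decline: { width: 120, height: 24, color: "#cccccc" },
    cancelScreens: 6, cancelRequiresHuman: true },
  { name: "cookie-banner", acceptSteps: 1, declineSteps: 1,
    declineLabel: "No thanks", preChecked: false, termsBeforeConsent: true,
    accept: { width: 160, height: 40, color: "#2255aa" }, decline: { width: 160, height: 40, color: "#2255aa" },
    cancelScreens: 1, cancelRequiresHuman: false },
];
```

Feed it the real inventory from the "map every consent point" step; a consent point with zero findings passes every test on the page, and each finding names the step it failed.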

7. Penalties and Enforcement Trends to Watch in 2026

The enforcement environment is getting more aggressive, not less. Beyond the Amazon settlement, the FTC fined accessiBe $1 million in April 2025 for deceptive claims about its accessibility overlay product. While that case focused on false advertising rather than traditional dark patterns, the FTC applied the same Section 5 framework, reinforcing that manipulative or misleading business practices face scrutiny regardless of the specific tactic.

The FTC’s Click-to-Cancel rule, finalized in October 2024, was vacated by the Eighth Circuit Court of Appeals in July 2025 on procedural grounds. But the underlying legal authority has not changed. ROSCA, the FTC Act, and state auto-renewal laws still require clear consent and easy cancellation. The FTC has signaled it will pursue revised rulemaking, and existing enforcement tools remain fully available.

At the state level, California, Colorado, and Connecticut are all expected to increase enforcement activity through 2026. The regulatory trend has shifted from writing new privacy laws to enforcing the ones already on the books. Businesses that have not updated their terms of service and consent flows to meet these standards are running out of time.

Frequently Asked Questions

What are dark patterns in terms of service?

Dark patterns are interface design choices that manipulate users into making decisions they would not otherwise make, such as enrolling in a subscription, sharing personal data, or waiving legal rights. When these tactics appear in or are referenced by your terms of service, regulators can treat the terms themselves as deceptive. The FTC and state privacy agencies have enforcement authority to penalize businesses that use them.

Is using dark patterns illegal in the United States?

Yes. The FTC Act prohibits unfair or deceptive practices, and the FTC has used this authority to bring enforcement actions against companies using dark patterns. California, Colorado, Connecticut, and more than 20 other states have privacy laws that explicitly void consent obtained through manipulative design. The $2.5 billion Amazon settlement demonstrates the scale of penalties businesses face.

How do I know if my website uses dark patterns?

Compare the effort required to opt in versus opt out for every consent point on your site. If signing up for a subscription takes one click but canceling takes five, that is a dark pattern. If your cookie banner makes “Accept” prominent and “Reject” hard to find, that qualifies too. A legal review of both your terms and your user interface can identify specific risks.

Can dark patterns void a contract or terms of service?

Under California law, yes. The CCPA explicitly states that consent obtained through dark patterns does not constitute valid consent. This means that any provision in your terms that relies on consent gained through manipulative design may be unenforceable. Other state laws are adopting similar positions.

What happened with the FTC Click-to-Cancel rule?

The FTC finalized the rule in October 2024, requiring cancellation to be as easy as sign-up. The Eighth Circuit vacated it in July 2025 on procedural grounds, but the underlying laws (ROSCA, FTC Act Section 5, and state auto-renewal statutes) still require clear disclosures and easy cancellation. The FTC has indicated it plans to revisit the rulemaking process.

Do dark pattern rules apply to B2B SaaS companies?

Yes. The FTC Act covers all commerce, not just consumer transactions. State privacy laws like the CCPA apply to any business meeting their revenue or data-processing thresholds. SaaS companies that use asymmetric upgrade and downgrade flows, hidden auto-renewal terms, or misleading pricing disclosures face the same enforcement risks as consumer-facing businesses.


Protect Your Business From Dark Pattern Liability

Regulators are no longer issuing warnings. They are issuing penalties. The rules around dark patterns in terms of service are clear: consent must be freely given, cancellation must match the ease of sign-up, and material terms must be disclosed before users commit. If your terms of service or user interface fall short of these standards, the cost of inaction is measured in millions.

Hansen Tong at TOS Lawyer works with businesses across the United States to audit terms of service, fix deceptive design risks, and build compliant consent flows. Whether you need a full terms rewrite or a targeted review of your subscription and privacy practices, experienced legal counsel can identify your exposure before a regulator does. Book a consultation to get your terms reviewed.