In April, the Consumer Protection Financial Bureau (CFPB) announced that it filed a lawsuit against TransUnion, two of its subsidiaries, and one of its longtime executives for violating a 2017 Order regarding deceptive marketing of TransUnion’s credit monitoring and other services. In the new lawsuit, the CFPB alleged that, notwithstanding the Order, TransUnion continued its unlawful behavior “and continued employing deceitful digital dark patterns to profit from customers.”  The “dark pattern” at issue here?  Tricking consumers into subscribing to TransUnion’s service and making it difficult for consumers to cancel.

Although I usually blog about the FTC’s and the states’ activities in the auto-renew space, this CFPB action caught my eye because of the alleged “dark patterns” at issue, ones that may be recognizable to consumers of all kinds, not just purchasers of credit monitoring services.  As noted in Director Chopra’s prepared remarks about the lawsuit, “Dark patterns are hidden tricks or trapdoors companies build into their websites to get consumers to inadvertently click links, sign up for subscriptions, or purchase products or services. Dark patterns can complicate or hide information, such as making it difficult for consumers to cancel a subscription service.”

Here, the complaint describes TransUnion’s enrollment process for credit monitoring as designed in such a way as to make consumers believe that they were providing information to confirm their identity and obtain information, when it was actually used to process payment.  The complaint states that the web interface used large font calls-to-action labeled “VERIFY MY IDENTITY” and “GET MY CREDIT SCORE” and that “[t]he only indication in the enrollment process that consumers [were] making some sort of purchase is through a fine print, low contrast disclosure, located off to the side of the enrollment form. The disclosure is inside an image that can take up to 30 seconds longer to load than the rest of the material in the form.”  In other words, according to the allegations, consumers were led to believe they were doing something other than agreeing to subscribe to a service and have their credit card charged on an ongoing basis. 

Further, the complaint alleges, TransUnion makes it very difficult for consumers to cancel their subscriptions: the cancellation mechanism is difficult to find on the website, and takes consumers on a long and confusing journey “designed to keep the consumer enrolled”.  The journey includes a number of retention effort screens, such as a recitation of the benefits the consumer would lose by cancelling, and ends with a screen with a confusing choice of buttons, one highly visible that would terminate the consumer’s cancellation attempt, the other, less visible, that would effectuate the cancellation.  Further, according to the complaint, consumers who cancel receive an email warning them that if they do not re-enroll their data will be at risk.

Lessons to be learned here, even if you’re not in the financial services industry and subject to the jurisdiction of the CFPB?

First, everyone, but everyone is looking a negative option/automatic renewal programs.  You’re collecting consumers’ credit card info and charging them on an ongoing basis for whatever it is you’re selling?  Make sure you do it right: there’s SOME regulator out there who can and will call you to task if you’re engaging in “dark patterns” with your subscription onboarding (or cancellation) process.

Also, pay a lot of attention to your actual order flow.  If you’ve been reading this blog (or otherwise keeping abreast of changes to the laws), you know that the key issues for compliance with both federal and state auto-renew laws are clear disclosures, affirmative consent, and easy cancellation.  If your web interface is directing attention, through visuals, fonts, color, or misleading labels, AWAY from the real action (sign-up), it is vulnerable to attack by regulators and by private plaintiffs. 

Same with your cancellation process. You may have an online method of cancellation available on your site, but if it’s hidden, requires a lot of steps, or the language is confusing, it will not be considered “easy,” as required.

Making sure your UX design team is engaging in compliance by design has never been more important.