How data brokers are trying to discourage you from exercising your right to privacy
On April 29th, 2021 FTC held a workshop called “Bringing light to dark patterns” with the agenda of better defining and understanding the use of dark patterns:
https://www.ftc.gov/news-events/audio-video/video/dark-patterns-workshop (worth a watch if you have a few hours to spare)
And while the discussion had some great points, dark patterns are not just about trying to influence you to sign up, get you to buy more or prevent cancelling a subscription.
Data brokers — companies that collect, aggregate and trade your personal information — use dark patterns to discourage you from exercising your right to privacy and making them remove your personal info.
In this article I’ll try to shed some light onto most common dark patterns employed by data brokers.
Quick recap: what are dark patterns?
“Dark Patterns are tricks used in websites and apps that make you do things that you didn’t mean to, like buying or signing up for something.” — from darkpatterns.org
Or if you prefer a video explanation:
Since data brokers cannot legally refuse to comply with your request for data removal (assuming you live in jurisdictions where GDPR/CCPA or other privacy laws apply), they employ dark patterns to create friction points, hoping that you will get frustrated, discouraged and give up.
We cannot say for sure whether they do it consciously and deliberately or due to other constraints, such as lack of development resources or UX skills.
But what we can do is present you the dark patterns we found most frequently and you can decide what to think for yourself.
LexisNexis: how well do you know our corporate structure?
One of the most intimidating things that can happen when you contact a company to request data removal is to get a reply email the length of a short novella, full of legal-sounding phrases and questions.
We all live busy lives and the natural response to such a reply is to close it, mark it for later and, unless you’re really determined, never come back to it.
Few companies do this better than LexisNexis:
Let’s break it down:
- The request sent was for personal data removal, not disclosing any personal information. Apparently they don’t even bother customizing their replies
- Then comes a set of questions expecting you to know their corporate structure and where they keep the data about you they later resell
- Another tactic they use in the email is try to make you specify what data you want removed, rather than complying to remove all the data they have about you
- And the cherry on top is of course the proof of identity part where they ask you to send them a utility bill, bank statement or confirmation of electoral registration — all documents that should not be shared with random companies reselling personal information. Regardless of whether “private or financial” information is redacted or not.
For context, if you’re wondering maybe this company should have the right to keep your personal information and make you jump through hoops, LexisNexis was affected by a data breach, agreed to pay a $5 million class action settlement for selling DMV data and most recently signed a contract to provide “a giant database” of personal information to ICE.
Definitely a contender to be included in our Privacy Hall of Shame.
Persopo: if you don’t answer our call we’ll cancel your request
Persopo’s reply email to request to remove personal data is a masterclass for anyone who wants to push the boundaries of privacy laws and usage of dark patterns.
- Step one is to do the job for the company and pick out what information they have about you. They even have a video tutorial for that (hint: if your opt out flow requires a tutorial — it’s a terrible opt out flow)
- But even if you do comply with this ridiculous request, you can’t just send over screenshots or links, they make you write it out
- They then request your phone number that they will call to confirm your request — again, completely unnecessary and excessive — and if you fail to take the call/reply to email within 24 hours, they will cancel your request
- As a rotten cherry on top, they then claim that it’s a one time request and your information can be re-added at any time
So you might be thinking, what kind of service requires such extensive and excessive steps just to get your personal data removed?
It’s a people finder service and the lengths they go to create friction points for people to exercise their right to privacy is not okay.
Valassis: we created an account for you
Sometimes the processes companies make for data removal are so ridiculous that it’s hard to decide whether to shout in frustration or mock them publicly.
Valassis is one such case where they reply to requests to remove personal data by creating a Jira account that they then request you to activate to proceed with your request.
But don’t take too long to activate your account or you’ll get this:
NextRoll: I’ll just need you to sign this
Another marketing data broker that exemplifies the “let’s add unneeded extra steps” to the process NextRoll goes a step further and instead asks you to sign DocuSign documents to confirm your data removal request.
In what universe they live to think that it’s a proportionate request to remove your personal information, I do not know.
TowerData: you have been opted out. Just kidding.
When it comes to usage of dark patterns in UX TowerData doesn’t even bother with creating friction points and instead dives straight into being misleading.
After you send a request to remove personal data, TowerData will send you a reply with a promising subject line “You have been opted out”
You might think “Ah, finally a company that actually doesn’t make you jump through hoops” and delete the email.
That would be a mistake because if you read the contents of the email, you quickly learn that the subject line is actually just a misdirection and instead if you want to proceed with the request, you need to fill out a form on their site.
Whitepages: select this if you’re being harassed because of our service
Requesting to fill out forms is another can of worms, but one that we won’t be focusing on in this article.
Just keep in mind that once these companies lure you into their site, many start really flexing their dark pattern muscles.
For example Whitepages form has 12 sections, including a long-form text field to explain your request.
But the reason I wanted to special mention Whitepages is the field asking why you want your information to be removed and one of the predetermined options “I am being harassed or stalked”
Look, if your service is being used for harassment and stalking so much that you need to include it as a common reason for data removal, it’s time to rethink your business practices.
I wonder if it’s the same Whitepages service that was used for identity theft in a recent Vivint scandal.
Small frictions create a broken system
When we look at these practices individually, it might seem like not that big of a deal — why should it matter that it takes a bit longer to process your data removal request.
But we need to step back a bit and remember that there are thousands of data brokers collecting and trading our personal information. For the individual to exercise their right to privacy, they would need to contact dozens if not hundreds of them and those friction points add up making the whole process a herculean effort.
As is, the system is broken by design because privacy laws give too much freedom for companies to set the rules for how they process our requests.
But not all is dark and grim in the privacy land, recently CCPA was amended to ban usage of “dark patterns” and while we can see how effective it’s been so far (note: all our research with examples above were after the the amendment was unveiled), it’s definitely a step in the right direction.
Also kudos to FTC for taking the effort to tackle the topic of dark patterns and my hope is that this piece can help shed a bit more light on the realities of what’s happening after companies acquire our data and the hoops they make us jump through.
In the meanwhile, for a guide on how to turn the tables and what to reply to data brokers to bypass a lot of these dark patterns check out this guide.
