Regulators are Getting Serious about Manipulative Patterns. So Should You.

Posted May 13, 2025
As we covered in our latest recap post, the Boltive team recently spent time in Washington DC for the 2025 IAPP Global Privacy Summit, where we connected with privacy leaders, innovators and practitioners from around the world.  

One notable takeaway we highlighted from this year’s summit was the continued rise in scrutiny of “manipulative patterns” from regulators and legislators alike.

In fact, this was such a big takeaway, I felt it deserved a bit of a deeper dive. 

 

What are Manipulative Patterns? 

Manipulative patterns are designs in website and app interfaces that nudge or steer consumers into actions that are desired by the company but may result in an undesirable outcome for the consumer themselves (such as giving more personal information than desired or intended).  

Some refer to these tactics as “dark patterns” or “deceptive design,” but here at Boltive we use “manipulative patterns,” a clearer and more neutral term coined by well-respected privacy lawyer and advisor Jessica B. Lee.

The Organization for Economic Cooperation and Development uses five indicators as its guiding definition of a manipulative pattern:

  1. Complex and confusing language: Highly technical, complex and/or excessively long privacy policies that make it difficult for consumers to understand how their data is being collected and used and what rights they have.
  2. Interface interference: Visual designs that affect consumers’ understanding of their options and influence the actions they take (for example, a bright, bold one-click “Accept All” button on a consent banner next to a much smaller “Manage Preferences” link requiring multiple steps to opt out of data collection).
  3. Nagging: Repeated requests for consumers to take specific actions.
  4. Obstruction: The addition of extra, unnecessary steps that make it harder for consumers to exercise their rights.
  5. Forced action: Requiring more personal information than is necessary to access the service or perform an action.

 

Why do Manipulative Patterns Matter? 

The foundation of a healthy, productive and long-lasting relationship between companies and their consumers is trust. Study after study continues to confirm that consumers care about how companies treat them and their data, and they are increasingly moving away from companies who develop a reputation for manipulative behavior. 

On the legal side, US and international privacy regulators have been talking about – and enforcing against – manipulative patterns for years now. Multiple regulators have published official guidance on what constitutes a manipulative pattern (ex. California Privacy Protection Agency, European Data Protection Board, UK Information Commissioner’s Office and the Competition and Markets Authority) and have been codifying specific requirements in their rulemaking (ex. Colorado Attorney General’s Office).

And still, these design issues remain pervasive across websites. Beyond the risk of falling out of line with privacy laws such as those above, there is an additional risk hiding just below the water: many companies seem so focused on the complexities of the patchwork of state-level comprehensive privacy laws that they overlook the fact that manipulative patterns are widely considered an unfair and deceptive trade practice, and all 50 states and the federal government, via the Federal Trade Commission, have laws against unfair and deceptive trade practices. The FTC actively enforces against manipulative patterns, and the New York Attorney General’s Office has also recently published guidance in this area.

Bottom line—increased enforcement is not an “if,” but a “when.” In fact, it’s already happening. 

One of the sessions at this year’s summit presented the findings of the 2024 Global Privacy Enforcement Network (GPEN) and International Consumer Protection and Enforcement Network (ICPEN) joint sweep on manipulative patterns. This sweep took place in early 2024, and included participants from 53 privacy enforcement agencies and consumer protection authorities from 26 countries. They jointly reviewed more than 1000 websites and apps, and found that 97% were using one or more manipulative patterns that made it difficult for consumers to protect their privacy or consumer rights. 

The most common issue the sweep identified was overly complex and confusing language in privacy policies, followed by interface interference and obstruction. 

Our own experience matches the findings of the sweep: we see these issues across the web every day, both in our work helping new clients and partners resolve problems in their privacy programs and in our own experiences as consumers.

Manipulative patterns remain a blind spot for many companies—unforced errors sitting out there damaging consumer trust and asking for trouble. The good news is these can be some of the easiest problems to correct. 

 

Time to Get Serious 

Concerned about the legal and regulatory risk of manipulative patterns? Good. Now come the next steps: reviewing the guidance and rules published by the regulators in the jurisdictions where you do business, consulting counsel, then taking action to review your consumer experiences for the five types of issues described above.

Here are some things to look for, taken from among the top issues we see: 

  1. Review your privacy policies and consent management platform interfaces for complex or confusing language. Ideally, these policies should be written at or below an 8th grade level.
  2. Review your consent banner’s choice mechanisms. Ideally, these will be symmetrical (ex. if you have a one-click Accept All button, consider having an equally weighted one-click Reject All button) and easy to understand (ex. beware confusing toggles).
  3. Review how much work a consumer needs to do to exercise rights such as opt out or deletion. Also consider whether you are asking for too much information from a consumer seeking to exercise these rights. Ideally, the consumer should only need to give as much information as is required to fulfill their request (ex. if a consumer is opting out of data collection on the website, they should not need to submit a photo of their driver’s license).
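The first two checks in this list can be scripted as a first-pass screen. The sketch below is an added example, not Boltive's code or part of the original post: it grades banner wording with the Flesch-Kincaid formula and compares the accept and reject paths. The banner descriptor shape, the 0.8 size ratio and both sample banners are assumptions constructed for illustration.

```javascript
// Rough syllable count: vowel runs, ignoring a trailing silent "e".
function syllables(word) {
  const w = word.toLowerCase().replace(/[^a-z]/g, "");
  if (w.length <= 3) return w ? 1 : 0;
  const groups = w.replace(/e$/, "").match(/[aeiouy]+/g);
  return groups ? groups.length : 1;
}
// Flesch-Kincaid grade: 0.39*(words/sentence) + 11.8*(syllables/word) - 15.59
function gradeLevel(text) {
  const sentences = text.split(/[.!?]+/).filter(s => s.trim()).length || 1;
  const words = text.split(/\s+/).filter(w => /[a-z]/i.test(w));
  if (!words.length) return 0;
  const syl = words.reduce((n, w) => n + syllables(w), 0);
  return 0.39 * (words.length / sentences) + 11.8 * (syl / words.length) - 15.59;
}
// Compare the accept and reject paths of a banner and grade its wording.
// "clicks" is the number of clicks needed to complete that choice.
function auditBanner(banner, maxGrade = 8) {
  const findings = [];
  const accept = banner.controls.find(c => c.action === "accept_all");
  const reject = banner.controls.find(c => c.action === "reject_all");
  const area = c => c.width * c.height;
  if (accept && !reject) findings.push("no reject path offered");
  if (accept && reject) {
    if (reject.clicks > accept.clicks) findings.push("reject takes more clicks than accept");
    if (area(reject) < 0.8 * area(accept)) findings.push("reject control is visibly smaller");
    if (reject.kind !== accept.kind) findings.push("accept and reject use different control types");
  }
  if (gradeLevel(banner.text) > maxGrade) findings.push("wording above grade " + maxGrade);
  return findings;
}
// Constructed sample: bold one-click accept, small multi-step opt-out link.
const lopsided = {
  text: "We and our affiliated partners process personal information, including device identifiers and inferred behavioral characteristics, for personalization, measurement and cross-context advertising purposes pursuant to applicable legitimate interests.",
  controls: [
    { action: "accept_all", kind: "button", clicks: 1, width: 160, height: 44 },
    { action: "reject_all", kind: "link", clicks: 3, width: 110, height: 16 },
  ],
};
// Constructed sample: equally weighted one-click choices, plain wording.
const balanced = {
  text: "We use cookies to run this site and show ads. You can say yes or no.",
  controls: [
    { action: "accept_all", kind: "button", clicks: 1, width: 160, height: 44 },
    { action: "reject_all", kind: "button", clicks: 1, width: 160, height: 44 },
  ],
};
console.log(auditBanner(lopsided), auditBanner(balanced));
```

The syllable counter is a heuristic, so treat the grade as a screening signal that tells you which text to hand to a human reviewer, not as a compliance verdict.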

Companies should be sure to regularly review their consumer experience for these and other red flag issues that regulators look for. Technical and organizational complexity are both high in the digital environment, and mistakes will happen. Human errors, bugs or accidental reversions to older versions of banners can all ruin your day if a regulator sees them before you do.  

 

Remember, Boltive can automate these reviews for you, across any jurisdictions you care about. We’ve built our platform to do the heavy lifting, verifying your consumer experience works exactly as you expect it to, so you can focus on tackling the strategic goals that drive your business forward.