Dark patterns are a Canadian legal problem now

Canada’s privacy regulator checked 145 Canadian websites and apps for manipulative design in 2024. Ninety-nine percent failed. Regulators are now contacting organizations directly.

By the numbers

Office of the Privacy Commissioner of Canada Sweep Report 2024: Deceptive Design Patterns

99%
of Canadian sites reviewed had at least one dark pattern
96%
had privacy policies that were too long, too complex, or both
65%
had the least privacy-protective option selected by default
43%
of sites made it impossible to find the account deletion option
83%
of Canadian privacy policies required a university reading level to understand
more nagging on children’s sites than on general-audience sites

What are dark patterns?

Dark patterns are design choices that steer users toward decisions they would not otherwise make. They are built intentionally, by designers who understand human behaviour well enough to exploit it.

The term was coined by UX designer Harry Brignull in 2010. Privacy and consumer protection regulators now use it as a formal enforcement category.

Dark patterns show up in cookie banners, subscription flows, account deletion paths, and privacy settings. The design benefits the organization.

What the OPC found in Canada

In 2024, the Office of the Privacy Commissioner of Canada (OPC) reviewed 145 Canadian websites and apps as part of a coordinated sweep with 25 international privacy authorities. The sites covered retail, social media, news and entertainment, travel, banking, and children’s platforms.

Canada’s results were worse than the global average on several measures.

Ninety-nine percent of the platforms reviewed contained at least one dark pattern, higher than the global result of 97%. On complex language and default privacy settings, Canada’s numbers were notably worse than the international average.

Following the sweep, Canada’s federal, provincial, and territorial privacy commissioners issued a joint resolution in November 2024. They called on organizations to stop using manipulative design and to build privacy-protective defaults into their platforms. The OPC has since begun contacting organizations whose sites were flagged.

The five patterns regulators are looking for

Complex and confusing language

Privacy policies were the most common offender: too long, too complex, or both.

A privacy policy is a disclosure, not a legal shield. If users cannot read it, they cannot consent meaningfully; and plain language is not optional when consent depends on comprehension. Regulators are treating unreadable policies as manipulation.

Interface interference

Three forms of visual manipulation appeared in the OPC report:

  • False hierarchy makes the privacy-protective option harder to see. The OPC cited Prada’s cookie banner, where “continue without accepting” appeared in light grey against a white background, effectively invisible next to a large “Accept All” button.
  • Preselection sets the most data-collecting option as the default. The OPC cited La-Z-Boy’s website, where data sale was enabled by default under a heading that read “Do Not Sell or Share My Personal Information.”
  • Confirm-shaming uses emotionally loaded language to discourage privacy-protective choices. The OPC cited Sephora’s app, which framed account deletion as losing a long list of perks.

Nagging

Repeated prompts for an action the user has already declined. The OPC cited LinkedIn, which displays a persistent banner urging users to switch from the mobile browser to the app — an app that collects GPS location, contact lists, and camera access. Users who dismiss the banner find it again on the next page.

Obstruction

Want to delete your Ticketmaster account? There is no option on the account page. You search help, follow a link, and find a mailing address where a physical letter is required to cancel a digital account.

Forced action

Requiring more personal information than the service needs. The OPC cited Burger King: account creation requires only an email address, but deletion requires your location. Zara blocks users from doing anything on-site unless they click “Accept” on a privacy policy they cannot open to read while the modal is active.

Who is watching and what they can do

Canada does not yet have a law that specifically names dark patterns. What it does have is overlapping jurisdiction from three regulatory bodies and all three are paying attention.

  • The OPC enforces the Personal Information Protection and Electronic Documents Act (PIPEDA) for private-sector organizations operating federally. Its consent requirements mean that how consent is obtained matters, not just whether it was obtained. A manipulated click does not equal meaningful consent.
  • The CRTC enforces Canada’s Anti-Spam Legislation (CASL). Deceptive design in email opt-ins, subscription traps, and commercial electronic messages falls within its scope.
  • Provincial consumer protection laws add another layer. Quebec’s Law 25 (Act 25) is the most stringent. It requires explicit, informed consent for data collection and gives the Commission d’accès à l’information (CAI) significant enforcement powers. British Columbia and Alberta have their own private-sector privacy legislation with similar teeth.

The OPC cannot issue fines under PIPEDA today. It can investigate, make findings, and refer cases to Federal Court. Privacy reform expected in 2026 will likely add stronger enforcement powers. The current rules are the floor.

What to audit on your own site

  • Language
    Read your privacy policy out loud. If you stumble, your users will give up. Aim for a grade 8 reading level. If you need a lawyer to write it, you need a plain-language writer to translate it.
  • Default settings
    Open your cookie banner as a first-time visitor. What is pre-selected? It should be the most privacy-protective option. If “Accept All” is pre-ticked, that is a problem.
  • Visual hierarchy
    Is “Reject” or “Manage Preferences” as visible as “Accept”? Colour, size, and placement all count. If a user has to hunt for the privacy-protective option, the design is working against them.
  • Account deletion
    Try to delete an account on your own site. Count the clicks. If you cannot find the option in two clicks, or if it requires contacting support, you have an obstruction problem.
  • Data collection at sign-up
    Compare what you ask for at registration against what you ask for at deletion. If deletion requires more information than sign-up, that is a red flag.

The bottom line

Dark patterns have been an ethics conversation for over a decade. In Canada, they are now a compliance conversation. The OPC has the data. It is reaching out to organizations. Federal, provincial, and territorial regulators made their expectations explicit in a joint resolution in 2024.

The data suggests your site probably has dark patterns; the question is whether you fix them before or after a regulator asks you to.

Resources and tools