Canada’s privacy regulator checked 145 Canadian websites and apps for manipulative design in 2024. Ninety-nine percent failed. Regulators are now contacting organizations directly.
What this article covers
By the numbers
Office of the Privacy Commissioner of Canada Sweep Report 2024: Deceptive Design Patterns
What are dark patterns?
Dark patterns are design choices that steer users toward decisions they would not otherwise make. They are built intentionally, by designers who understand human behaviour well enough to exploit it.
The term was coined by UX designer Harry Brignull in 2010. Privacy and consumer protection regulators now use it as a formal enforcement category.
Dark patterns show up in cookie banners, subscription flows, account deletion paths, and privacy settings. The design benefits the organization.
What the OPC found in Canada
In 2024, the Office of the Privacy Commissioner of Canada (OPC) reviewed 145 Canadian websites and apps as part of a coordinated sweep with 25 international privacy authorities. The sites covered retail, social media, news and entertainment, travel, banking, and children’s platforms.
Canada’s results were worse than the global average on several measures.
Ninety-nine percent of the platforms reviewed contained at least one dark pattern, higher than the global result of 97%. On complex language and default privacy settings, Canada’s numbers were notably worse than the international average.
Following the sweep, Canada’s federal, provincial, and territorial privacy commissioners issued a joint resolution in November 2024. They called on organizations to stop using manipulative design and to build privacy-protective defaults into their platforms. The OPC has since begun contacting organizations whose sites were flagged.
The five patterns regulators are looking for
Complex and confusing language
Privacy policies were the most common offender: too long, too complex, or both.
A privacy policy is a disclosure, not a legal shield. If users cannot read it, they cannot consent meaningfully; and plain language is not optional when consent depends on comprehension. Regulators are treating unreadable policies as manipulation.
Complex and confusing language appeared on 96% of Canadian sites, higher than the global average of 89%. Seventy-six percent of policies exceeded 3,000 words. Eighty-three percent required a university reading level to understand.
Interface interference
Three forms of visual manipulation appeared in the OPC report:
- False hierarchy makes the privacy-protective option harder to see. The OPC cited Prada’s cookie banner, where “continue without accepting” appeared in light grey against a white background, effectively invisible next to a large “Accept All” button.
- Preselection sets the most data-collecting option as the default. The OPC cited La-Z-Boy’s website, where data sale was enabled by default under a heading that read “Do Not Sell or Share My Personal Information.”
- Confirm-shaming uses emotionally loaded language to discourage privacy-protective choices. The OPC cited Sephora’s app, which framed account deletion as losing a long list of perks.
Interface interference appeared on 65% of Canadian sites reviewed.
Nagging
Repeated prompts for an action the user has already declined. The OPC cited LinkedIn, which displays a persistent banner urging users to switch from the mobile browser to the app — an app that collects GPS location, contact lists, and camera access. Users who dismiss the banner find it again on the next page.
Nagging appeared on 30% of Canadian sites during account registration or deletion flows.
Obstruction
Want to delete your Ticketmaster account? There is no option on the account page. You search help, follow a link, and find a mailing address where a physical letter is required to cancel a digital account.
Obstruction appeared on 43% of Canadian sites, where the OPC could not find a delete account option at all. On only 25% of sites could it be found in two clicks or fewer.
Forced action
Requiring more personal information than the service needs. The OPC cited Burger King: account creation requires only an email address, but deletion requires your location. Zara blocks users from doing anything on-site unless they click “Accept” on a privacy policy they cannot open to read while the modal is active.
Forced action appeared on 16% of Canadian sites, with 22% offering no option other than “accept all” for cookies.
Who is watching and what they can do
Canada does not yet have a law that specifically names dark patterns. What it does have is overlapping jurisdiction from three regulatory bodies and all three are paying attention.
- The OPC enforces the Personal Information Protection and Electronic Documents Act (PIPEDA) for private-sector organizations operating federally. Its consent requirements mean that how consent is obtained matters, not just whether it was obtained. A manipulated click does not equal meaningful consent.
- The CRTC enforces Canada’s Anti-Spam Legislation (CASL). Deceptive design in email opt-ins, subscription traps, and commercial electronic messages falls within its scope.
- Provincial consumer protection laws add another layer. Quebec’s Law 25 (Act 25) is the most stringent. It requires explicit, informed consent for data collection and gives the Commission d’accès à l’information (CAI) significant enforcement powers. British Columbia and Alberta have their own private-sector privacy legislation with similar teeth.
The OPC cannot issue fines under PIPEDA today. It can investigate, make findings, and refer cases to Federal Court. Privacy reform expected in 2026 will likely add stronger enforcement powers. The current rules are the floor.
What to audit on your own site
- Language
Read your privacy policy out loud. If you stumble, your users will give up. Aim for a grade 8 reading level. If you need a lawyer to write it, you need a plain-language writer to translate it. - Default settings
Open your cookie banner as a first-time visitor. What is pre-selected? It should be the most privacy-protective option. If “Accept All” is pre-ticked, that is a problem. - Visual hierarchy
Is “Reject” or “Manage Preferences” as visible as “Accept”? Colour, size, and placement all count. If a user has to hunt for the privacy-protective option, the design is working against them. - Account deletion
Try to delete an account on your own site. Count the clicks. If you cannot find the option in two clicks, or if it requires contacting support, you have an obstruction problem. - Data collection at sign-up
Compare what you ask for at registration against what you ask for at deletion. If deletion requires more information than sign-up, that is a red flag.
The bottom line
Dark patterns have been an ethics conversation for over a decade. In Canada, they are now a compliance conversation. The OPC has the data. It is reaching out to organizations. Federal, provincial, and territorial regulators made their expectations explicit in a joint resolution in 2024.
The data suggests your site probably has dark patterns; the question is whether you fix them before or after a regulator asks you to.
Resources and tools
- OPC Sweep Report 2024: Deceptive Design Patterns (Office of the Privacy Commissioner of Canada)
- Joint Resolution on Deceptive Design Patterns (November 2024) (Federal, Provincial and Territorial Privacy Commissioners)
- Deceptive Design Patterns in Canada: A Growing Concern for Privacy Regulators (Gowling WLG)
- Learn about deceptive design patterns (OPC resource for individuals and organizations)
- Privacy Dark Patterns: A Case for Regulatory Reform in Canada (Canadian Bar Association)
- Readability checks for Canada (HMD Publishing)
- Communicate clearly with plain language (Canada Style Guide)
- Plain Language (Accessibility Standards Canada)
- Collecting personal information and consent (Office of the Privacy Commissioner of Canada)
- Deceptive design (Office of the Privacy Commissioner of Canada)