Exposed and vulnerable: Pregnancy and the dark patterns of the web

Emily Booth HOLDING REDLICH

Are you ever more vulnerable to the dark patterns of the web, targeting and the misuse of your personal information than while trying to get pregnant, during pregnancy and becoming a new parent?

• You might be spending a ridiculous amount of time online researching the latest and greatest baby products and be subject to “price comparison prevention”, where a retailer makes comparing the prices of different products so difficult that you cannot make an informed decision.
• You are overloaded with information and new material and could accidentally click on “disguised ads”, which are advertisements disguised as other content, such as baby blogs or navigation.
• In googling for completely new information around what to do if your baby is experiencing certain symptoms, you might be prone to “misdirection”, where the user experience (UX) design deliberately focuses your attention on one thing in order to distract you from something else.
• You are constantly subject to guilt about what you should and shouldn’t be doing or consuming and might become the victim of “confirm-shaming” — the act of guilting you into opting into a service or providing information.
• There are numerous subscription services targeted at pregnancy and parenting available to you, related to fertility, health, vitamins and supplements. You might then become sucked into the infamous “roach motel” where you can easily sign up for a service, but the business makes it unreasonably complicated to cancel.

The above are all examples of “dark patterns” as provided by Harry Brignull, the UK-based UX designer who coined the term in 2010. And in many contexts, the use of these tactics is disturbing, unethical and potentially in breach of several laws in place to protect consumer rights and personal data.

This article comes from the experts behind the Internet Law Bulletin. This bulletin was created to address the range of legal issues posed by the internet and online services: issues as diverse as copyright, defamation, online dispute resolution, privacy, trade practices and criminal law.

Subscribers to the Internet Law Bulletin can read the full article HERE.

This article explores how dark patterns can give rise to legal issues, namely misleading and deceptive practices or breaches of consumer protection and privacy laws, as well as raise questions of data ethics, especially for a vulnerable cohort. Lawyers have an important role to play but the legal issues might not always be obvious. For example, you may need to:

• ask further questions to understand what and how personal information is being collected
• ask what the agreements are with media buyers and ad platforms
• check how functional unsubscribe mechanisms are
• review not just the text of the term and conditions but how they will be presented to and agreed by customers to ensure they are providing informed consent

In incorporating data ethics into their products, clients may need to be advised to be transparent in their design and marketing practices so that users can make informed decisions without being misled or manipulated, and clients may need to be encouraged to adopt fair business practices and avoid deceptive tactics that could also lead to legal claims.

The internet’s insatiable appetite for personal information

From potentially years before your pregnancy is confirmed, you might start having conversations with friends or googling various information about becoming pregnant. Your phone listens to these conversations and “absorbs” your messages, emails and Google searches. You increasingly see ads for pregnancy planning and fertility clinics. You might wonder, how did that happen?

At no other time are you more conscious or paranoid about your health. What could be more opportunistic than the internet preying upon this heightened sensitivity by showing you endless ads delivering products to “assist”? For instance, you buy your pregnancy vitamins online and it continues to serve flashy, garish ads for this brand even though you’ve already made a purchase.

The internet even knows how far along you are and serves you ads for voluntary participation in health-related studies (which may be socially beneficial, but can still be disturbing). You discuss sleep issues with friends and endless ads for pregnancy pillows appear in your feed, preying upon your fear of sleeping on your back. Your friend texts you to generously offer you their luxury brand bassinet and streams of ads for that product appear for months afterwards, including blogs disguised as “helpful information” but are designed to advertise the product or a seller.

Health information targeted in data breaches

Health information centred around pregnancy is becoming increasingly more exposed in data breaches. In the recent Medibank Private breach, hackers published lists of data on the dark web of members who had abortions. The ramifications of this in a country like the US with the recent Supreme Court decision are sickening.

Speaking of privacy, you sign up for a fertility tracking app. Do you check their privacy policy? What third parties do they share your information with? Regardless of what information they can share, how secure are their databases storing your highly confidential health information?

In 2021, a settlement was reached in the US with Flo Health, a popular fertility app that people use to track ovulation and input a range of sensitive information. The Federal Trade Commission (FTC) found the app had misled consumers about a range of claims it had made to protect personal information. As far back as 2016, the app included tools, called software development kits (SDKs), from numerous third-party marketing and analytics firms, including Facebook, Flurry, Fabric, AppsFlyer and Google. These tools gathered app users’ sensitive health information. If an app user entered pregnancy-related information, Flo Health disclosed App Events with the word “pregnancy” in the title to the analytics divisions of those third parties. According to the complaint considered by the FTC, Flo Health’s disclosures of sensitive information about users’ pregnancies or periods broke its privacy assurances to its users and violated several of the third parties’ own terms of service.

Under the settlement reached with the FTC, Flo Health:

• is prohibited from making false or deceptive statements about:
• the purposes for which it collects, uses or discloses the user’s information
• the extent to which consumers can control how the company collects, uses or discloses that information and
• how Flo Health complies with any privacy, security or compliance program
• is prohibited from making any misrepresentation about how the company collects, uses or discloses the user’s information and the extent to which it protects the confidentiality of that data
• must ask third parties to delete health information obtained from users of the app
• must obtain the user’s express affirmative consent including clearly telling the person the categories of information to be disclosed, to whom it will be disclosed, and how it will be used, before disclosing any consumer’s health information to a third party
• is required to undergo a compliance review conducted by a qualified external organisation to verify the company is honouring its privacy promises to its users

In the UK in 2019, the Information Commissioner’s Office (ICO) imposed a £400,000 on Bounty UK Ltd (Bounty), a pregnancy “club”. The organisation collected data via registering members on its website and mobile application, as well as from new mothers while they were still in hospital through merchandise claiming cards, free samples and vouchers. The ICO launched an investigation into Bounty and found that the company was not just gathering data for the purposes of the club. They were, in fact, also operating as a data broker service which supplied this information to third parties for direct electronic marketing purposes. It had illegally shared and sold personal data relating to pregnancy, new mothers, mothers-to-be and the birth dates and gender information of children belonging to 14 million individuals without their explicit consent.

Legal protection in Australia

Do we have similar laws to protect us against situations like Flo Health and Bounty happening in Australia? Absolutely yes, we do, including offences against making false and misleading statements contained within the Australian Consumer Law and used by the Australian Competition and Consumer Commission (ACCC) against Google LLC in relation to its privacy statements.

In August 2022, the Australian Federal Court ordered Google to pay $60 million in penalties for making misleading representations to consumers about the collection and use of their personal location data on Android phones. ACCC Chair, Gina Cass-Gottlieb, said at the time:

“This significant penalty imposed by the Court … sends a strong message to digital platforms and other businesses, large and small, that they must not mislead consumers about how their data is being collected and used”.

There is also a requirement for consent to collect, use and disclose sensitive information, such as health information, under the Australian Privacy Principles in Sch 1 of the Privacy Act 1988 (Cth). The government’s recent Privacy Review has touted these consent requirements will only become stricter. The third-party terms referenced to have been breached in the FTC decision would also apply in Australia.

The penalties for privacy breaches are at an all-time high, and for serious or repeated breaches of privacy, corporations can be fined an amount not exceeding the greater of:

• $50,000,000 or
• three times the value of the benefit obtained directly or indirectly by the body corporate and any related bodies corporate, that is reasonably attributable to the conduct constituting the contravention or
• if the court cannot determine the value of the benefit, 30% of the body corporate’s adjusted turnover during the breach turnover period for the contravention

The laws available to individuals and regulators in Australia would make many of the dark patterns referenced above actionable in the more egregious cases. But the difficulty of recognising the dark patterns and enforcing these laws is likely an issue as to why we do not see breaches pursued very often.

In Australia, individuals certainly need more power over how they are profiled and when they can switch off. For instance, consider pregnancy loss. There would not be much that is more painful than experiencing loss and continuing to be shown ads every time you open your socials that presumes everything is still fine. Is the internet smart enough to know when to turn everything off if something like this happens? Probably not yet. The silence around an event like this might be too much for the internet to register.

No doubt there are a lot of brands and agencies in Australia that do the right thing and employ data ethics in their product design and advertising campaigns. Some may argue that the targeted delivery of information from reputable sources is actually helpful to them and not overwhelming. Additionally, our browser options increasingly allow us to specify what we do and don’t want to see (if we can work out how). But the ramifications of dark patterns over this vulnerable group cannot be underestimated and there is no doubt policymakers are looking at ways to ensure these tactics are more actionable under the law.