Chapter 26: The crucial role of regulation
Education and codes of ethics are clearly necessary, but they aren’t themselves enough to solve the problem. As long as deceptive patterns are profitable and low-risk, they will continue to be used.
To understand the importance of regulation, we need to put ourselves in the shoes of business owners. CEOs of tech companies don’t wake up in the morning saying to themselves, ‘I want my company to use more deceptive patterns’. Instead, they want more growth and more profit – and deceptive patterns are a by-product. Deceptive patterns are actually a rational response to an under-regulated and under-enforced marketplace. After all, if your company can use a simple UI design technique to deliver more profit and you face little chance of penalties, then why wouldn’t you do it?
Laws that apply to citizens are usually easy to understand because they’re based on simple rules or belief systems that we’re taught from childhood – don’t steal, don’t kill, that sort of thing. Commercial laws and regulations are different; they can be really complex, and the wording can be difficult to interpret.
This means that in-house lawyers have to analyse commercial laws and help their employers make decisions in the face of this ambiguity. This is called ‘legal risk management’. There are various fancy methods and tools that companies use to manage risk. The most basic and common is the risk matrix, shown below.
Using this sort of risk matrix, in-house lawyers will consider the probability of negative outcomes from using deceptive patterns (how likely they are to be caught) alongside the severity of the outcome (the size of the financial penalty). If the risk level ends up being very high, they’ll pass this information on to their employer, who will see it as a good reason to cease engaging in those risky practices. Of course, some businesses don’t use risk matrixes like this: they’re most popular in compliance-focused industries like finance, healthcare or energy, and less so elsewhere, like e-commerce. Still, businesses that ignore legal risks are likely to land themselves in hot water eventually if sufficient regulations exist.
This leads to an important point about enforcement: regulations on their own are not enough. They need to be enforced, so companies see their competitors getting penalised. This will lead to deceptive patterns moving from the low-risk green area of the risk matrix into the amber and red areas of higher probability and severity.