Definition
The trick wording deceptive pattern takes advantage of user expectations and ambiguous language to mislead and deceive users. It is normal for users to scan-read when they are online, as a way to cope with the sheer volume of information they are faced with. This means they don't read and dwell on every word on every page. Trick wording usually takes advantage of the scan-reading strategy by making a piece of content look like it is saying one thing, when in fact it is saying something else that is not in the user's best interests.
Example
From 2010 to 2013, low-cost airline Ryanair used the trick wording deceptive pattern. During the flight booking process, Ryanair presented users with the instruction "Please select a country of residence" written prominently on a dropdown menu. If read on its own, users were likely to just select their country of residence from the dropdown and continue with their booking process. However, in doing so they would have inadvertently purchased travel insurance.
For a user to choose not to purchase travel insurance, they were required to open the dropdown and scroll down to the label "No travel insurance required", which was nonsensically listed between two countries: Latvia and Lithuania.
As you can see, Ryanair combined trick wording with the visual interference deceptive pattern to confuse and misdirect users.
References
Trick questions (Brignull, 2010; Mathur et al., 2019)
Related laws
Defines the territorial scope of GDPR
Defines the term "main establishment" for controllers and processors operating in multiple EU member states.
Outlines the tasks and powers of the supervisory authorities.
Respondent can remedy alleged infringement while proceedings are pending and complainant must explain why they consider infringement not remedied, otherwise procedure is discontinued.
German is Austria's official language, but its autochthonous ethnic groups and Austrian sign language are recognized, respected, safeguarded, and supported.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Grants individuals the right to access their personal data and receive information on how it is processed.
Specifies required information for data subjects when collecting personal data from other sources, including controller identity, processing purposes, personal data categories, recipients, and retention period.
Empowers supervisory authorities to carry out investigations and order controllers and processors to comply with the regulation.
Outlines conditions for fines and penalties for non-compliance, including up to 4% of global annual revenue or €20 million, whichever is greater.
Outlines the use and calculation of administrative fines for violations of privacy laws.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.
Requires personal data to be processed lawfully, fairly, and transparently.
Legal bases for processing personal data are performance of contract, legal obligations compliance, protection of vital interests, controller's legitimate interests, and data subject's consent.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Requires data controllers to implement appropriate measures to ensure data protection and to demonstrate compliance with GDPR.
Mandates that data protection must be incorporated into the design of systems, and that privacy must be a default setting for all data processing activities.
Outlines the appointment of a Data Protection Officer (DPO) for certain organizations.
Requires the appointment of a Data Protection Officer (DPO) in certain circumstances.
Outlines the role of the Data Protection Officer (DPO) within organizations.
Prohibits deceptive acts or practices that misrepresent or omit material facts.
Related cases
No fine, partly upheld
€750,000 in fines
€3000 in fines
Reprimand issued
€1000 in fines
$3 million in fines