Dark patterns, subscriptions and AI-designed flows: where the law draws the line now

Published: December 5, 2025 • AI

If your SaaS makes money on subscriptions, renewal, or “free trial → paid,” regulators are now looking at your screens as closely as your contracts—especially if AI is optimizing those screens for revenue.

This guide maps where the line is today for:

  • Dark patterns in sign-up and cancellation
  • Subscription/“negative option” offers
  • AI-designed, hyper-tested flows that push users toward “yes” or “don’t cancel”

🧩 What counts as a “dark pattern” now?

Regulators, academics and consumer bodies have converged on a working idea:

Dark patterns = interface designs that trick or unduly steer users into choices they wouldn’t otherwise make, often about money or data. (Federal Trade Commission)

Different agencies use different language—“deceptive design,” “harmful online choice architecture,” “deceptive patterns”—but they’re looking at the same behavior.

Common dark patterns you see in subscription flows

🕶 PatternWhat it looks like in practiceWhy regulators dislike it
Roach motelEasy, brightly colored one-click sign-up; cancellation buried under multiple menus, chat requirements, or phone calls only during business hoursTurns what looks like a simple subscription into a trap; violates “simple cancellation” duties under ROSCA/Negative Option rules and state auto-renewal laws. (Federal Trade Commission)
Obstruction & naggingEndless “Are you sure?” upsell screens when cancelling; forcing users to chat with a “retention specialist” to quitConverts cancellation into a friction maze; FTC and state AGs treat this as an unfair practice, especially in negative option offers. (Federal Register)
Sneak-into-basket / pre-checked boxesFree trial checkbox quietly includes “auto-renew at $39.99/mo after 7 days” or pre-checked add-on servicesDeprives consumers of informed consent; regulators repeatedly call out “pre-checked” as incompatible with meaningful consent and clear disclosure. (Federal Trade Commission)
Ambiguous buttons & copy“Continue” is actually “Agree & subscribe”; “2-day shipping” quietly signs you up for PrimeClassic in the Amazon Prime case: button labels that hide the subscription nature of the action. (Federal Trade Commission)
Asymmetric optionsBig, bright “Try Premium” vs. tiny, grey “No thanks, keep free plan”; hiding “No, continue without” below the foldRegarded by EU/UK enforcers as harmful choice architecture that undermines user autonomy, especially when algorithmically tested for maximum pressure. (eu-digital-services-act.com)

In 2024–25 sweeps, global consumer and privacy networks found the majority of subscription sites and apps still use at least one dark pattern, particularly in sign-up and cancellation flows. (icpen.org)

💳 Subscriptions and “negative options”: the US legal line

In the US, subscriptions are mostly policed under negative option rules: any offer where silence or inaction is treated as consent to be charged.

Core federal tools

⚖️ Rule / statuteWhat it says in practiceHow it touches dark patterns
FTC Act §5 (unfair/deceptive practices)Generic “don’t deceive or unfairly harm consumers” workhorse statuteBasis for nearly all dark-pattern cases: Epic/Fortnite, Amazon Prime, Publishers Clearing House, etc. (Federal Trade Commission)
ROSCA – Restore Online Shoppers’ Confidence Act (2010)For online negative options: requires clear disclosure, express informed consent, and simple cancellationFoundation of the Amazon Prime case; the FTC alleged Amazon hid auto-renew terms and made cancellation unreasonably hard. (Federal Trade Commission)
Negative Option Rule (updated)Final rule (2024) expanded duties: no material misreps, clear pre-billing disclosures, unambiguous consent, simple cancellationThe FTC also issued a “click-to-cancel” requirement in 2024, but an appeals court vacated that rule in July 2025 for procedural reasons, days before it would take effect. Substantive concerns about subscription traps remain, but the rule needs to be redone. (Federal Register)

Even without an operative click-to-cancel rule, FTC enforcement and ROSCA give you a bright line:

You must clearly disclose that something is a subscription, get an affirmative “yes” to that, and give users an easy, straightforward way to stop being charged.

California and the state wave

States have layered on auto-renewal and dark pattern–specific laws, with California leading:

  • California’s Automatic Renewal Law (ARL) already required clear disclosure of renewal terms and an easy online cancellation path. (California Attorney General)
  • AB 2863 (2024) tightens this further:
    • Cancellation must be available in the same medium the consumer used to sign up (phone sign-up → phone cancellation, etc.).
    • The law explicitly references and prohibits dark pattern tactics in contracts and flows that undermine consent and cancellation rights. (Davis Wright Tremaine)

For SaaS, the takeaway is blunt: if you’re selling subscriptions into California, you need a clean, symmetric cancellation experience, not a retention obstacle course.

🎮📦 Case studies: how far is “too far”?

Epic Games (Fortnite): in-game dark patterns

The FTC’s Epic/Fortnite settlements (totaling $520 million) combined COPPA privacy violations with dark pattern allegations: (Federal Trade Commission)

  • The agency said Fortnite used misleading button layouts that caused players to make unintended purchases.
  • Design choices made it easy for children to spend money without parental involvement.
  • Epic is now prohibited from using dark patterns to charge users and must adopt stronger default privacy and consent controls.

This is a reminder that dark patterns are not limited to web forms; game UI and mobile micro-transactions are squarely in scope.

Amazon Prime: the subscription trap at scale

Amazon’s Prime flows were the test case for subscription dark patterns. The FTC alleged that: (Federal Trade Commission)

  • Prime sign-up was bundled into normal checkout, with ambiguous buttons that didn’t clearly say “You are joining a paid subscription.”
  • Internal tests showed consumers accidentally enrolled; Amazon leadership still resisted simplifying the flows.
  • Cancelling Prime required navigating a complex, multi-step “Iliad” flow designed to frustrate cancellations.

In 2025, after trial had begun, Amazon agreed to a $2.5 billion settlement (roughly $1B civil penalty + $1.5B refunds), and must:

  • Clearly disclose subscription terms and costs before collecting billing info.
  • Remove manipulative enrollment/cancellation flows.
  • Submit to oversight by an independent monitor.

For anyone designing subscription UX, the Prime case is now the cautionary exhibit A.

🇪🇺 EU & UK: DSA, GDPR and the coming Digital Fairness Act

In Europe, dark patterns sit at the intersection of consumer, platform, and data protection law.

Digital Services Act (DSA)

The EU’s Digital Services Act (DSA), fully applicable since February 2024, explicitly bans dark patterns on online platforms, particularly those that: (eu-digital-services-act.com)

  • Deceive or manipulate users
  • Distort or impair their ability to make free and informed decisions

Very Large Online Platforms (VLOPs) face strict duties to avoid manipulative interface design. Enforcement examples:

  • The Commission’s preliminary findings against X (Twitter) and Meta cite reporting and complaints systems that use deceptive interface design as potential DSA breaches. (Epthinktank)
  • Fast-fashion platforms Temu and Shein have been ordered to explain how they avoid deceiving consumers via dark patterns in their shopping flows. (Reuters)

GDPR and EDPB guidelines

The European Data Protection Board (EDPB) issued Guidelines 3/2022 on dark patterns in social media interfaces, defining them as designs that: (European Data Protection Board)

  • Lead users into making unintended or harmful decisions about their personal data
  • Undermine GDPR principles like transparency, data minimization, and privacy by design

That means cookie banners, consent prompts, and privacy dashboards that “nudge” users toward maximum data sharing are not just ethically questionable—they may be illegal.

Digital Fairness Act (DFA) and UK “harmful online choice architecture”

The Commission has flagged a future Digital Fairness Act to directly target dark patterns, addictive design, and profiling that exploits vulnerabilities. (Digital Fairness Act)

In the UK, regulators have been using the concept of “harmful online choice architecture”, with the CMA and ICO issuing a joint position and linking it to AI-driven personalisation. (brownejacobson.com)

The EU/UK trend is clear: if your interface uses data and algorithms to steer users, regulators expect you to justify how that design respects autonomy, not just conversion metrics.

🤖 AI-designed flows: when optimization becomes manipulation

What’s new is not the idea of a persuasive interface; it’s AI + experimentation at scale:

  • Multi-armed bandit algorithms and reinforcement learning continually search for the highest-converting variant of copy, placement, or timing.
  • Personalization models match offers, prices, or friction levels to individual user profiles and behavior.

Regulators, scholars and networks (ICPEN, GPEN, CERRE, EU, CMA/ICO) are increasingly treating this as a system-level dark pattern risk, especially when used to: (cerre.eu)

  • Maximize the likelihood that users fail to cancel
  • Push “default” subscription tiers that cost more than users expect
  • Nudge people who look vulnerable (kids, teens, elderly, low-income) into spending or data sharing

The legal frameworks don’t (yet) say “it’s illegal to use AI to design flows,” but they do say:

If your AI-designed flows trick people, obscure material terms, or make it unreasonably hard to exercise rights, you’re on the wrong side of consumer, privacy and platform law.

⚖️ Where the line is, in practice

Here’s a practical red-yellow-green map for subscription and AI-designed flows.

Subscriptions and auto-renewals

ZoneUX behaviorLikely legal view
🔴 Red – high riskSubscription enrollment hidden in generic “Continue” buttons; pre-checked boxes for auto-renew; full price and renewal schedule only shown after billing info; cancellation only via phone or a long chat; repeated efforts to dissuade cancellationTargets of FTC, ROSCA enforcement and state ARL claims; also likely DSA/GDPR issues in the EU when combined with data-driven targeting. (Federal Trade Commission)
🟡 Yellow – watch carefullyClearly labeled subscription, but sign-up flow much shorter than cancellation; modest “are you sure?” page on cancel; data-driven upsell promptsCan be acceptable if disclosures are clear and cancellation is still “simple and easy,” but you’re close to the line. Document your rationale and test for user confusion. (Federal Register)
🟢 Green – safer patternExplicit “Start subscription – $X/month, auto-renews, cancel anytime” language near CTA; key terms above the fold; clear stand-alone “No thanks / one-time purchase” option; cancellation from account page in one or two clicks via the same medium as sign-upAligned with FTC/ROSCA expectations, California ARL, and global enforcement trends on simple cancellation and truthful presentation. (Federal Register)

AI experimentation and personalization

ZoneAI use patternLegal / regulatory risk
🔴 Red – high riskUsing AI to personalize friction – e.g., showing more obstacles to cancel to users predicted to be unlikely to complain; tailoring misleading headlines to user vulnerabilities; dynamic prices or terms that are opaque and non-transparentRegulators increasingly treat this as exploitative, especially for vulnerable users; likely issues under unfair practice standards (US, EU), DSA, unfair commercial practices, and data protection law. (eu-digital-services-act.com)
🟡 Yellow – watch carefullyAI-driven A/B testing of color, copy, and placement where all variants are truthful, but some subtly increase inertia; personalization of discounts and upsells based on behaviorGenerally accepted, but you should still: (a) avoid misleading copy, (b) preserve easy choice, and (c) avoid systematically targeting users likely to be vulnerable.
🟢 Green – safer patternAI used to improve clarity and accessibility (e.g., simplify explanations, adapt text size, predict when users may want reminders); experimentation focused on usability and satisfaction metrics, not just conversionMuch easier to defend if regulators ask “what was your optimization goal?” and your documentation shows a focus on user benefit, not just lock-in. (cerre.eu)

🛠 Compliance blueprint for SaaS flows in 2025

If you’re a SaaS founder with subscriptions and AI in the mix, here’s a pragmatic implementation map.

Map your risk

  • Build a simple catalog of flows: sign-up, upgrades, downgrades, cancellation, trial → paid, “reactivation,” and all privacy/consent screens.
  • Flag any flows where inaction = payment (negative options) or where AI/experimentation is steering user behavior.

Clean up the basics

Use this as a compliance design checklist:

🧹 ItemWhat “good” looks like
Disclosure near the CTAThe button that charges the user is directly next to clear text like: “You are starting a subscription at $X/month, auto-renews until you cancel.”
Affirmative consentNo pre-checked boxes; user must actively click “Start subscription” with key terms visible; no bundling subscription into unrelated actions (like “2-day shipping”) without explicit label.
Cancellation symmetryIf sign-up is online, cancellation is also online, in a few clicks from the account page; no mandatory phone calls or long chats to quit, especially for US/California and EU users.
Data & privacy promptsConsent screens are written in plain language, with equally visible “Accept” and “Decline” options; no “visual cheating” or convoluted privacy dashboards. (European Data Protection Board)

Put AI on a leash

For any AI system optimizing flows:

  • Fix what it is allowed to optimize for: e.g., “higher conversion only among variants that pass a clarity and fairness review” rather than “maximum net revenue at all costs.”
  • Keep experiment logs: variants tested, metrics, and guardrails used.
  • Periodically audit outputs for disparate impact on vulnerable groups or troubling learned patterns (e.g., systematically making it harder for low-spend users to cancel).

📌 Bottom line

Dark patterns are no longer just a UX anti-pattern; they’re a regulatory category with real money on the line:

  • Hundreds of millions in penalties for gaming, tech and subscription giants
  • New federal rules (even if some, like click-to-cancel, have hit procedural roadblocks)
  • Aggressive state auto-renewal statutes and global DSA/GDPR enforcement focused on manipulative design

AI doesn’t change the fundamental rule. It just makes it easier to cross the line at scale.

Design your subscription and consent flows so that, if a regulator screenshots them and holds them up in a courtroom, they look like what they are supposed to be:

Honest, transparent offers that are as easy to leave as they are to join—not AI-designed traps.