Are dark patterns illegal in 2025? Honda, the law, and UX loopholes

It’s no longer a gray area. In 2025, UX decisions are under legal scrutiny, especially when they manipulate users into giving consent or make it harder to refuse.

For years, companies hid “Reject All” behind multiple clicks and claimed technical compliance. But today, regulators have made it clear: that’s not just unethical. It’s illegal.

Are dark patterns illegal?

In the EU, under GDPR, consent must be freely given and informed–so dark patterns that obscure opt-out options or pre-select consent can invalidate it. In the U.S., states like California (under the CCPA/CPRA) explicitly prohibit the use of dark patterns to interfere with privacy choices. Globally, regulators are increasingly cracking down on these practices.

Whether it’s GDPR in Europe, CCPA in California, or FTC enforcement in the U.S., the message is the same:

“Consent must be clear, informed, and as easy to decline as to give.”

So why are dark patterns still in use? And what happens when companies cross the line?

Why do companies still use dark patterns if they’re risky?

Short-term performance pressure is a major driver. Teams often optimize for opt-in rates and data collection without considering user trust or long-term consequences. There’s also a lag in regulatory enforcement and a lack of cross-team alignment, especially between legal, marketing, and UX

Read more: Dark Patterns: Why They Still Work (and How to Spot Them)

Together, let’s unpack:

• The legal frameworks outlawing manipulative UX
• The real meaning of “freely given consent” in 2025
• The landmark Honda case that exposed deceptive consent flows
• The increasing enforcement actions against design-driven privacy violations

Because it’s no longer enough to look compliant on the surface. Consent UX is now a legal artifact—and intent matters.

Any specific video here would be great

What do privacy laws actually say about UX design?

GDPR & ePrivacy: strong principles, weak UX guidance

Under the EU’s General Data Protection Regulation (GDPR): 

• Consent must be freely given, specific, informed, and unambiguous
• “Freely given” means users must have a genuine choice
• Withholding consent must be as easy as giving it

As clarified by the European Data Protection Board (EDPB):

“If the user is faced with a ‘Take it or leave it’ choice or if consenting is easier than refusing, consent is not valid.”

Under the ePrivacy Directive, cookies require prior consent–not coerced consent. Pre-checked boxes, obscured rejection paths, or “Consent Walls” that block access violate these principles.

Key legal interpretation:
If a banner buries opt-out, pre-selects consent, or uses confusing interface hierarchy, it’s likely non-compliant–even if it’s branded as a user-friendly design.

In theory, that leaves little room for dark patterns. But in practice, enforcement has been inconsistent–especially around user interface design.

‍

‍

CCPA/CPRA: California’s push for “symmetry of choice”

California has gone further in directly naming dark patterns as a violation of the law.

Under the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA):

• Businesses must ensure symmetry of choice
• Dark patterns render consent invalid
• “Do Not Sell/Share” must be clearly visible and easily actionable

In 2023–2024, the California Privacy Protection Agency (CPPA)  issued guidance stating that:

“An interface that subverts or impairs a consumer’s choice… is a dark pattern and does not constitute valid consent.”

Examples of illegal design patterns under CPRA:

• “Reject All” hidden under multiple settings menus
• Consent flows that require excessive effort to opt out
• Design elements (color, size, placement) that guide users toward “Accept All”

Takeaway: In California, manipulative UX is not just frowned upon—it’s explicitly illegal.

‍

‍

Digital Services Act (DSA) & Digital Markets Act (DMA) – EU’s broader crackdown

The EU’s DSA and DMA, which came into effect between 2024–2025, expand the focus beyond just cookie banners.

• The DMA prohibits large platforms (gatekeepers) from using dark patterns in any form
• The DSA mandates fair and transparent interface design across digital services

These regulations explicitly require platforms to:

• Avoid manipulative interface choices
• Present options in neutral, non-deceptive formats
• Respect user autonomy throughout their digital experience—not just at the point of consent

 Implication: This widens enforcement from data collection to the entire UX ecosystem.

FTC & state-level enforcement in the U.S.

In the United States, the Federal Trade Commission (FTC) has ramped up its scrutiny of deceptive design. 

• Its 2022 report, Bringing Dark Patterns to Light, called out common manipulations in consent, subscriptions, and data collection.
• In 2023, the FTC took action against Amazon for making it difficult to cancel Prime subscriptions—a dark pattern known as “roach motel,” where entry is easy and exit is hard.

The FTC now considers dark patterns to be a form of deceptive or unfair trade practice under Section 5 of the FTC Act.

The FTC's stance:

If your UX nudges people to act against their interests or makes refusal unnecessarily hard, you’re deceiving users and breaking the law.

‍

‍

Case study: Honda’s consent UX (what crossed the line)

In 2025, American Honda Motor Co. faced scrutiny for employing dark patterns in their consent management processes, leading to significant privacy violations under the California Consumer Privacy Act (CCPA).

What they did

Honda's practices included the following:

• “Accept All” was a single, bright button. “Reject All” required multiple interactions.
• To submit a data rights request, users had to fill out an extensive form—name, address, phone number—just to say “no thanks.”
• Authorized agents acting on users’ behalf had to jump through extra verification steps.

Why it was illegal

According to the California Privacy Protection Agency:

• Honda’s design subverted user choice
• The friction in opting out violated CPRA's symmetry of choice
• Consent obtained through these flows was not valid under the law

Consequences for Honda

• $632,500 penalty
• Mandatory reforms, including:
  
  • A redesigned, user-friendly consent UX
  • Public transparency metrics for 5 years
  • Inclusion of UX experts in future design reviews

The lesson: If your banner relies on confusion, delay, or intimidation, you’re not just losing trust, you’re opening the door to enforcement.

‍

‍

The era of “compliance theater” Is over

For years, companies created consent flows that passed legal review—while intentionally nudging users toward giving up data.

This is what regulators now call “compliance theater”:

Interfaces that technically follow the letter of the law but blatantly violate its intent.

But in 2025, regulators aren’t buying it.

Enforcement bodies are now:

• Auditing interface design and UI hierarchy
• Reviewing click path symmetry
• Evaluating user testing and consent clarity
• Watching social media, where screenshots of shady banners go viral

Bottom line: UX is no longer just a product concern. It’s a legal surface.

A better way forward: From defensive to ethical design

Some brands are already moving beyond minimum compliance:

• Hey.com (Basecamp): No trackers. No cookies. Total transparency.
• Mozilla: Clear toggle-based consent for each purpose.
• The New York Times: Symmetrical, layered, and readable consent flow.

These companies build trust through clarity, not coercion. They show that it’s entirely possible to respect privacy and maintain high-quality UX. In fact, doing so often builds deeper user loyalty and higher engagement over time.

‍

‍

UX legal risk checklist: Is your consent design compliant?

✅ “Reject All” is presented alongside “Accept All”
✅ All consent options are off by default
✅ No vague or euphemistic language
✅ Users can opt out with equal or fewer clicks than opt-in
✅ Data rights requests do not require excessive personal info
✅ Consent UX has been tested with real users for clarity

If you can’t confidently check all of these, your consent UX could:

• Fail under GDPR/CPRA audits
• Trigger user complaints or regulator scrutiny
• Damage your brand’s trust and credibility

‍

Conclusion: UX now carries legal weight—Design accordingly

The legal world is no longer silent about design. If your consent flow tricks users, it doesn’t matter how nice it looks or how many opt-ins it gets—it’s at risk.

From California to Brussels to Washington D.C., the future is clear: Consent UX must prioritize clarity, fairness, and autonomy.

So the question for your team isn’t “Are we compliant on paper?” It’s: “Would a reasonable person feel they had a real choice?”