Skip to main content

Today, we’re releasing a new guide explaining how to compel companies employing deceptive design to dodge data protection requests—like those for data deletion or access—to comply. It encapsulates five years of experience from operating and, alongside a unique experiment and extensive research. Here’s the story behind it.

Deceptive design, also known as deceptive patterns or dark patterns, refers to the tactics companies employ through design to manipulate individuals into actions they wouldn’t normally take. For example, websites sometimes use deceptive patterns to manipulate people to purchase expensive products or subscriptions by concealing free or more affordable alternatives:

For a cheaper Google Workspaces subscription, first subscribe to the expensive option and then downgrade (Source:

Similarly, companies employ deceptive tactics to avoid complying with data protection requests. These are legal rights that allow individuals to ask a company to delete or share a copy of their personal data. The encouraging news is that more than five years since the GDPR—the legal framework in the EU that gives individuals the right to access or delete their data—was introduced, most companies now adhere to these data protection requests.

The downside, however, is that some companies continue to resist compliance. Specifically, data-centric enterprises, whose business models hinge on gathering personal data—like data brokers and social networks—resort to deceptive design practices to skirt data protection requests. This is particularly concerning because these entities hold vast amounts of personal data and often use it in the most objectionable ways. As a result, they are the primary targets from whom we seek to erase our data.

In 2022, we embarked on an unconventional experiment. We sent a data deletion request to each of the 600 data brokers listed on to observe their reactions. This experiment allowed us to uncover numerous deceptive patterns and formulate effective countermeasures – strategies to bypass these dark patterns. Often, our countermeasures persuaded the companies to honor our deletion requests. When they didn’t, we escalated the issue to a government regulator (a process can handle for you). Looking back, the effort was worthwhile. We’ve noticed a trend towards better compliance among data-centric businesses. We detailed our findings in a presentation at the 2022 Good Tech Fest for those interested in learning more.

Read the full guide. We hope you find it useful and would appreciate your feedback.

Subscribe To Privacy Alerts!

A monthly email listing the worst privacy-offending companies identified by our research team. Improve your privacy and take back control of your personal information.

Yoav Aviram

Author Yoav Aviram

More posts by Yoav Aviram

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.