|
| What are “dark patterns”? “Dark patterns”, or deceptive design patterns, are interfaces and experiences that lead users into making unintended, unwilling, and potentially harmful decisions regarding the processing of their personal data (Guidelines 3/2022 on Dark patterns in social media platform interfaces by The European Data Protection Board). They are designed to influence users’ behavior and may hinder users from effectively protecting their personal data or making conscious choices. In practice, dark patterns may appear in different forms in privacy consent interfaces used by digital platforms in Vietnam. For example, users may be presented with a prominent “Accept all” button, while the option to reject cookies or tracking is less visible, or only available after several additional clicks. Some platforms may pre-select consent boxes for marketing communications, personalized advertising, or data sharing with partners, leaving users to actively opt out if they do not agree. Dark patterns may also arise after consent has been given, where users can create an account or agree to data processing easily, but face a complicated or unclear process when they wish to withdraw consent, delete their account, or change privacy settings. These practices are problematic because they make the personal data subject’s consent look valid on the surface, while in reality, their choice may be manipulated, uninformed, or unnecessarily difficult to exercise. How does Vietnamese personal data protection legal framework address dark patterns? Although Vietnamese law does not expressly use the term “dark patterns”, the current personal data protection framework already contains several mechanisms that can be used to address this issue. Under Article 9 of Personal Data Protection Law No. 91/2025/QH15 (“PDPL”), consent is only valid when it is given voluntarily and based on full awareness of the following information: the type of personal data to be processed and the purpose of the processing; the personal data controller or the personal data controller and processor; rights and obligations of the personal data subject. Consent must also be specific to each purpose, must not be tied to other unnecessary purposes, and silence or non-response cannot be treated as consent. These requirements directly challenge many common dark patterns, such as bundled consent, pre-ticked boxes, vague privacy wording, or designs that make users believe they have no real choice. Notably, compared with Clause 3, Article 11 of the former Decree 13/2023/ND-CP, which mainly listed the possible forms through which consent could be expressed, Article 6 of Decree 356/2025/ND-CP (“Decree 356”) represents a more meaningful step toward preventing dark patterns in consent interfaces. The new provision no longer focuses only on the external form of consent, such as writing, voice, tick-boxes or technical settings, but also expressly prohibits default consent mechanisms as well as unclear or misleading instructions that may confuse users between consent and non-consent. This provision is particularly significant because it targets the design of the consent interface itself, rather than merely the existence of a consent button. Most importantly, this article places the burden of proving consent on the data controller or controller and processor in case of dispute. By requiring verifiability and proof of consent, Decree 356/2025/ND-CP provides a stronger legal basis to challenge pre-ticked boxes, misleading consent buttons, confusing wording, and other interface designs that undermine the personal data subject’s genuine freedom of choice. Vietnamese law also helps address “easy-in, hard-out” dark patterns. The PDPL gives personal data subjects the right to withdraw consent, request deletion, restrict processing, and object to processing, while requiring organizations to facilitate, and not obstruct, the exercise of these rights. Decree 356 makes this obligation more concrete by requiring clear procedures and forms for data subject requests, together with specific response and implementation timelines. As a result, businesses should not design consent mechanisms where users can agree to data processing easily but must go through unclear, burdensome, or delayed procedures to withdraw consent, delete their data, or modify privacy settings. These sanctions create a strong compliance incentive for businesses to review not only their privacy policies, but also the design of their consent interfaces, cookie banners, privacy settings, advertising preferences, and withdrawal mechanisms. In this sense, avoiding dark patterns should not be treated merely as a matter of good user experience, but as part of a broader legal risk management strategy. | |
| Disclaimer: The article cannot and does not contain any legal advice. The information is provided for general informational purposes only and is not a substitute for professional advice.
Accordingly, before taking any actions based upon such information, I encourage you to consult with the appropriate professionals. The use or reliance on any information contained in this article is solely at your own risk.
CONTACT US For further information or assistance, please contact us at:
Level 18 – 789 Office Tower, No. 147 Hoang Quoc Viet, Nghia Do, Hanoi, Vietnam M: +84 941 236 233 W: vtn-partners.com admin@vtn-partners.com
|
|