How to Audit Your Website for Unfair Trading Practices Before July 2027
The Unfair Trading Practices Bill 2026 introduces penalties of up to $50 million per breach. The ACCC has already prosecuted companies affecting over 100,000 consumers under existing law. Commencement date: 1 July 2027.
The question isn't whether your website has dark patterns. It almost certainly does — most businesses have accumulated manipulative design elements over years of A/B testing and conversion optimisation without realising they've crossed a legal line.
The question is whether you find them before the ACCC does.
This is the practical, step-by-step guide to auditing your website for unfair trading practices under Australian Consumer Law.
Why Audit Now? The Law Already Covers You
A common misconception: “The new law doesn't start until July 2027, so I have time.”
Wrong. The ACCC is enforcing against dark patterns today using existing ACL provisions:
- Section 18 — Misleading or deceptive conduct (covers drip pricing, false urgency, misdirection)
- Section 21 — Unconscionable conduct (covers obstruction, excessive cancellation friction)
- Section 29 — False or misleading representations (covers fake reviews, false scarcity, misleading pricing)
The 2026 Bill adds explicit prohibitions and higher penalties. But the enforcement cases against HelloFresh, Microsoft, JustAnswer, and Coles were all brought under the existing law. You're already exposed.
There's also a practical reason: compliance changes take time. If your audit reveals problems in your subscription flow, pricing display, or consent mechanisms, fixing them requires design changes, development sprints, QA testing, and deployment. A typical compliance remediation timeline is 3–6 months. Start in early 2027 and you'll be scrambling. Start now and you'll be done before the law takes effect.
What the ACCC Looks For
Before diving into the audit process, understand what the ACCC's enforcement lens looks like. Based on their 2026–27 enforcement priorities and recent case law, here's what triggers investigation:
Consumer Complaints at Scale
The ACCC acts when patterns of complaints emerge. HelloFresh didn't get sued for one failed cancellation — they got sued because 62,061 consumers were affected. The threshold isn't perfection; it's systemic harm.
Asymmetric Friction
The single biggest red flag: it's easy to do what profits the business (sign up, upgrade, add services) but hard to do what costs the business (cancel, downgrade, get a refund). If your sign-up takes 3 clicks and cancellation takes 12, that asymmetry is the first thing an investigator notices.
Hidden Information
Any material information that a consumer needs to make an informed decision — total price, recurring charges, contract terms, cancellation conditions — that isn't prominently displayed at the point of decision.
Fabricated Psychological Pressure
Countdown timers that reset, “Only 2 left!” warnings on items that aren't scarce, “15 people are looking at this” notifications that are fabricated. Real urgency is fine. Manufactured urgency is a dark pattern.
Senior Executive Awareness
The ACCC has signalled it will pursue senior executive accountability where there are indications of poor compliance culture. If executives know about dark patterns and don't fix them, that's an aggravating factor.
The 7-Point Unfair Trading Practices Audit
Here's the structured audit framework. Work through each point systematically. Document findings with screenshots and flow recordings — this documentation becomes your compliance evidence if the ACCC ever comes knocking.
1. Pricing Transparency Audit
What to check: Every page where a price is displayed, from the landing page through to checkout confirmation.
Specific tests:
- Is the total price visible at first glance, or does it change during checkout? (Drip pricing)
- Are there mandatory fees (booking fees, service charges, processing fees) that only appear after the consumer has started the purchase process?
- Do prices include GST? Is this clear?
- Are promotional prices clearly marked with the full price after promotion?
- If there's a subscription, is the recurring total cost displayed at the point where payment details are entered?
Red flags:
- Any fee that appears for the first time at checkout
- Price that changes between product page and payment page
- “From $X” pricing where most consumers pay significantly more
- Promotional price displayed without the post-promotion price
The law: The 2026 Bill introduces explicit drip pricing prohibitions. Any transaction-based charge must be prominently disclosed whenever a base price is displayed. Under existing law, section 18 (misleading conduct) and section 29 (false representations about price) already apply.
2. Subscription Flow Audit
What to check: The complete lifecycle — sign-up, billing, renewal, and cancellation.
Specific tests:
- Count clicks from landing page to active subscription (sign-up flow)
- Count clicks from account dashboard to confirmed cancellation (cancel flow)
- Can the consumer cancel through the same channel they signed up? (If sign-up was online, can they cancel online?)
- Are there retention screens? How many? Do they use guilt-tripping language?
- After cancellation, is the next billing cycle actually stopped?
- Is there a pre-renewal reminder sent before auto-renewal?
- For free trials: is there a clear notice before trial-to-paid conversion?
Red flags:
- Cancel flow has more steps than sign-up flow
- Cancel requires a different channel (phone/email for an online sign-up)
- Retention screens that obscure or delay the cancel button
- No pre-renewal or pre-conversion reminder email
- Consumer charged after completing the cancellation process
The law: The 2026 Bill mandates cancellation symmetry, limited exit steps, and renewal reminders.
For a detailed subscription compliance checklist, see our ACCC Subscription Trap Compliance guide.
3. Consent and Default Settings Audit
What to check: Every point where the consumer makes a choice — opt-ins, consent checkboxes, plan selections, add-ons.
Specific tests:
- Are any consent boxes pre-checked? (Newsletter opt-in, marketing consent, add-on services)
- Is the most expensive option pre-selected, or does the consumer actively choose?
- Are add-ons automatically included in the cart?
- Is “Accept All” (cookies, terms) visually dominant while “Manage” or “Decline” is minimised?
- Do default settings favour the business (e.g., auto-renewal ON by default with no clear disclosure)?
Red flags:
- Pre-checked boxes for anything that costs money or shares data
- Visual design that makes one option dramatically more prominent than alternatives
- Add-ons that appear in the cart without the consumer adding them
- “Agree to all” that bundles unrelated consents
The law: The 2026 Bill targets conduct that “unreasonably distorts the environment” in which a consumer makes a decision. Interface interference — pre-selected checkboxes, confusing menus, omitting key information — is explicitly identified in Treasury's consultation paper.
4. Urgency and Scarcity Audit
What to check: Any element on your site that creates time pressure or scarcity pressure.
Specific tests:
- Are there countdown timers? Do they reflect real deadlines, or do they reset?
- Are there “limited stock” or “only X left” messages? Are they accurate?
- Are there “X people viewing this” notifications? Are they real?
- Do sale prices have genuine end dates, or do sales roll continuously?
- Are there “last chance” or “offer expires” messages? Do the offers actually expire?
Red flags:
- Countdown timers at checkout that reset when the page is refreshed
- Scarcity claims that never change (always “3 left” regardless of actual stock)
- Fabricated activity notifications (“15 people are looking at this”)
- Sales that end on Sunday and restart on Monday
The law: Section 18 (misleading conduct), section 29(1)(i) (false representations regarding need for goods). Treasury's consultation paper specifically identifies “countdown clocks at order stage” and false scarcity as target practices.
5. Cancellation and Refund Path Audit
What to check: How consumers access their right to cancel, return, or get a refund — separate from the subscription-specific audit in Point 2.
Specific tests:
- Is the refund/return policy easy to find? (Not buried in Terms and Conditions)
- Can consumers initiate a refund through the same channel they purchased?
- Is the process for exercising consumer guarantees (ACL Part 3-2, Division 1) clearly described?
- Are there unreasonable barriers to returns (e.g., requiring original packaging for a defective product)?
- Does the complaints process work? (Submit a test complaint and track it)
Red flags:
- No visible refund policy on the website
- Refund requires contacting a specific email address with no response SLA
- “No refund” policies that override statutory consumer guarantees
- Complaint forms that don't result in any response
The law: Consumer guarantees under ACL Part 3-2 cannot be excluded. Any interface that makes exercising these rights unreasonably difficult may constitute unconscionable conduct (section 21).
6. Review and Social Proof Audit
What to check: All testimonials, reviews, ratings, and trust signals on your site.
Specific tests:
- Are reviews from real, verified customers?
- Are negative reviews displayed alongside positive ones, or filtered out?
- Are “Bestseller” or “Most Popular” tags based on actual sales data?
- Are star ratings aggregated from genuine reviews, or manually set?
- Do trust badges (security seals, award logos) link to verifiable sources?
- Are influencer/paid testimonials disclosed as sponsored content?
Red flags:
- Only 5-star reviews displayed; lower ratings hidden
- Reviews from accounts that don't match genuine purchase records
- “As seen in” logos without verifiable media coverage
- Testimonials without attribution or with fabricated names
The law: Section 18 (misleading conduct), section 29(1)(e) (false representations about testimonials). While the 2026 Bill doesn't add new review-specific provisions, existing ACL protections are well-established and actively enforced.
7. Visual Design and Information Architecture Audit
What to check: The overall design of your interface — how colour, size, placement, and hierarchy influence consumer decisions.
Specific tests:
- Is the “buy/upgrade/accept” button visually dominant (large, bright) while the “decline/cancel/skip” option is minimised (small, grey, text link)?
- Are material terms visible without scrolling, expanding accordions, or hovering over tooltips?
- Is the information a consumer needs to make an informed decision on the same screen as the decision point?
- Do pop-ups or modals obscure the underlying page in a way that steers consumers toward a specific action?
- Is the visual design consistent — or does it change to become more aggressive at conversion-critical points?
Red flags:
- “Accept” button is 4× the size of “Decline” and in a contrasting colour
- Key terms hidden behind “Show more” expandable sections at the point of purchase
- Modal pop-ups that can only be dismissed by clicking the option the business prefers
- Different design language at checkout vs. browsing (higher urgency, more friction to leave)
The law: The 2026 Bill prohibits conduct that “unreasonably distorts the environment” in which consumers make decisions. Visual misdirection is specifically identified in both Treasury's consultation paper and international regulatory precedent (EU Digital Services Act, Article 25).
How to Document Your Audit
Documentation is your evidence. If the ACCC investigates, a well-documented audit that led to remediation demonstrates good-faith compliance, even if some issues remained.
For each finding:
- Screenshot the issue (with date stamp)
- Describe the potential violation and the ACL provision it maps to
- Classify severity: Critical (likely illegal now), High (likely illegal under 2026 Bill), Medium (grey area, fix proactively), Low (best practice improvement)
- Assign a remediation owner and deadline
- Verify the fix after deployment
Save everything. Audit reports, remediation plans, before/after screenshots, testing records. If the ACCC asks “what have you done to address dark patterns?”, you want a comprehensive answer.
Automate What You Can
Manual audits are essential for nuance — understanding the full user experience, catching context-dependent issues, and assessing overall impression. But they're slow, expensive, and point-in-time.
Between manual audits, automated compliance scanning fills the gap:
- Continuous monitoring catches new dark patterns introduced by design updates, A/B tests, or third-party scripts
- Consistent methodology — the same checklist applied every time, no human variation
- ACL mapping — automated tools can flag specific practices and map them to relevant ACL provisions
- Baseline reporting — get a compliance snapshot before your manual audit to focus human effort on the highest-risk areas
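As an added illustration of what such a scan can check (this is not code from this guide or from any particular scanning product), the following Python sketch automates one test from Point 3: finding checkboxes that arrive pre-checked in a page's HTML and sorting them into rough categories. The keyword buckets and the sample form are assumptions constructed for the example.

```python
from html.parser import HTMLParser

# Keyword buckets are assumptions for this example; tune them to your own site.
KEYWORDS = {
    "marketing consent": ("newsletter", "marketing", "offers", "partners"),
    "paid add-on": ("insurance", "warranty", "protection", "add-on"),
    "auto-renewal": ("auto-renew", "renew automatically"),
}

class PrecheckedScanner(HTMLParser):
    """Collects checkboxes that arrive already ticked, plus their label text."""
    def __init__(self):
        super().__init__()
        self.inputs, self.labels = {}, {}   # key -> name attr, key -> label text
        self._for, self._buf = None, []     # _for is None while no <label> is open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "label":
            self._for, self._buf = a.get("for") or "", []
        elif tag == "input" and (a.get("type") or "").lower() == "checkbox":
            key = a.get("id") or a.get("name") or f"line {self.getpos()[0]}"
            if "checked" in a:              # boolean attribute: presence is enough
                self.inputs[key] = a.get("name") or ""
            if self._for == "":
                self._for = key             # checkbox nested inside its <label>

    def handle_data(self, data):
        if self._for is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "label" and self._for is not None:
            self.labels[self._for] = " ".join("".join(self._buf).split())
            self._for = None

def classify(text):
    return next((c for c, ws in KEYWORDS.items() if any(w in text.lower() for w in ws)), "unclassified")

def scan(html):
    parser = PrecheckedScanner()
    parser.feed(html)
    return [(k, classify(f"{n} {parser.labels.get(k, '')}")) for k, n in parser.inputs.items()]

# Constructed sample checkout form, not taken from any real site.
SAMPLE = """
<input type="checkbox" id="tos" name="accept_terms"><label for="tos">I accept the terms</label>
<input type="checkbox" id="news" name="optin" checked><label for="news">Send me the newsletter</label>
<label><input type="checkbox" name="ship_cover" checked> Add shipping protection ($4.95)</label>
<label>Renew automatically each month <input type="checkbox" name="ar" checked="checked"></label>"""
```

Calling `scan(SAMPLE)` returns one `(input, category)` pair per pre-checked box. The scan reads static HTML only, so boxes ticked by JavaScript after page load need a snapshot of the rendered DOM instead.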
Common Questions
How often should we audit?
At minimum, quarterly. More frequently if your site changes regularly (e-commerce with seasonal promotions, SaaS with frequent UI updates). Ideally, run automated scans after every major deployment and conduct a thorough manual audit every 6 months.
Who should conduct the audit?
Someone who isn't responsible for conversion metrics. The conflict of interest is real: the people optimising for conversion are often the people who introduced dark patterns. Use an independent team — internal compliance, external consultants, or automated tools that don't have a stake in your conversion rate.
We use third-party tools (payment processors, chat widgets, cookie consent platforms). Are we responsible for their dark patterns?
Generally, yes. Under ACL section 18, the overall impression of your website matters — including third-party components. If your cookie consent platform uses a dark pattern (e.g., “Accept All” is prominent while “Reject” is hidden), that's your compliance problem. Audit third-party tools as part of your site.
What if we find a dark pattern we can't fix immediately?
Document it, assign a remediation date, and implement an interim mitigation where possible. If the ACCC investigates, demonstrating that you identified the issue and had a plan to fix it is far better than demonstrating you never looked.
Is a compliance audit enough to protect us legally?
An audit alone isn't a legal defence. But it's the foundation of one. A proactive audit, documented remediation, and ongoing monitoring together demonstrate the kind of compliance culture the ACCC looks for, and their absence is the kind of negligence it punishes.
The Bottom Line
Every website has dark patterns. Most of them were introduced incrementally — a pre-checked box here, a more aggressive checkout flow there, a countdown timer someone added during a growth sprint. They accumulated over years, and now they're a legal liability.
The unfair trading practices audit isn't optional. The ACCC is already prosecuting under existing law, and the 2026 Bill makes the obligations explicit and the penalties severe.
Audit now. Document everything. Fix the worst issues first. Set up ongoing monitoring.
Or wait for an ACCC letter and wish you hadn't.