In 2023, the CFPB fined a major fintech company $3.7 million for misleading fee disclosures — not in their terms of service, but in their checkout flow. The fee was technically disclosed. It was in 10px gray text below the fold on a page that 94% of users scrolled past. The disclosure existed. The design ensured nobody saw it.
This is how compliance violations happen in modern software. Not through malice. Through design decisions that nobody evaluated through a regulatory lens before shipping.
— Where Violations Hide
The four design decisions regulators actually care about.
Most product teams think of compliance as a legal review — a checkbox before launch where a lawyer reads the terms of service. But regulators increasingly evaluate the user experience itself. The FTC's enforcement actions against dark patterns. The CFPB's focus on "effective disclosure." The DOJ's push on ADA-compliant digital experiences. These agencies don't just read your policies. They use your product.
- Disclosure prominence: Is critical information (fees, commitments, data usage) visually prominent enough that users actually encounter it? A disclosure that exists but that users routinely miss is not an effective disclosure under CFPB standards.
- Consent architecture: Does your design make it easier to opt in than to opt out? Pre-checked boxes, asymmetric button styling (bright "Accept" vs. gray "Decline"), and multi-step cancellation flows have all been targeted by the FTC.
- Accessibility barriers: WCAG 2.1 AA compliance isn't optional for many industries. Low contrast text, missing alt attributes, keyboard-inaccessible flows, and auto-playing media create legal exposure — and they're design decisions, not code bugs.
- Dark pattern risk: Urgency signals ("Only 2 left!"), hidden costs that appear late in checkout, and confusing unsubscribe flows are under active regulatory scrutiny in the EU, US, and UK.
Why design teams miss this.
Designers optimize for conversion. That's their job. The problem is that conversion optimization and compliance can pull in opposite directions. Making the "Accept" button bigger and the "Decline" button smaller increases opt-in rates. It also creates FTC exposure.
Most design teams don't have a compliance expert reviewing mockups. Legal reviews the copy, not the visual hierarchy. QA tests functionality, not regulatory risk. The gap between "this design works" and "this design is defensible" is where violations grow.
The most insidious part: these issues are invisible in standard design reviews. Nobody in the room is evaluating whether the fee disclosure at the bottom of the checkout screen meets CFPB's "clear and conspicuous" standard. They're debating button colors.
— The Fix
Catch it before you ship it.
The solution isn't to slow down your design process with lengthy legal reviews. It's to build compliance awareness into the design evaluation itself.
When Prior.Run analyzes a design, it flags compliance concerns alongside usability feedback. Not as a legal opinion — we're not lawyers — but as a signal that says "this disclosure may not be prominent enough" or "this consent flow has patterns that regulators have targeted." It surfaces the question so your team can make an informed decision before shipping, not after a regulator makes it for you.
For teams in fintech, healthcare, and e-commerce — where the regulatory surface area is largest — this isn't a nice-to-have. It's the difference between a pre-launch fix that costs an hour and a post-launch enforcement action that costs millions.
What to check before every launch.
Even without tooling, every team shipping in a regulated space should review these four questions before launch:
- Can a user encounter every material term (fees, commitments, data usage) without scrolling past it or dismissing a modal?
- Is declining each consent request as easy as accepting it?
- Does every interactive element meet WCAG 2.1 AA contrast and keyboard accessibility standards?
- Would a regulator using your product for the first time encounter any moment of confusion about what they're agreeing to?
— Industry Deep Dive
Industry-specific risks that catch teams off guard.
Compliance risk isn't evenly distributed across industries. The regulatory surface area — and the cost of getting it wrong — varies dramatically depending on what you're building and who uses it. Here's what matters most in the three industries where design-level compliance violations are most common.
Fintech: Where every pixel can be a disclosure violation.
Financial services is the most heavily regulated design environment in software. The CFPB's "clear and conspicuous" standard doesn't just mean the information is on the page — it means the information is presented in a way that a reasonable consumer would actually notice and understand it. Font size, color contrast, placement relative to the action button, and even the reading flow of the page all factor into whether a disclosure is considered effective.
The Truth in Lending Act (TILA) requires specific disclosures for credit products — APR, total cost of credit, payment schedules — to be presented with specific visual prominence. The Dodd-Frank Act gives the CFPB authority to pursue unfair, deceptive, or abusive acts and practices (UDAAP), which increasingly includes design patterns. A "skip" button that's styled to look like it advances the application when it actually enrolls you in a service has been the subject of multiple enforcement actions.
Common fintech design violations include: fee disclosures that appear only after a user has entered personal information (creating sunk-cost pressure to continue), APR displays that use a smaller font size than the promotional rate, auto-enrollment in features through pre-checked boxes during onboarding, and cancellation flows that require significantly more steps than signup. In 2024 alone, CFPB enforcement actions related to design practices exceeded $200 million in total penalties across the industry.
Healthcare: HIPAA meets the user interface.
Healthcare applications face a unique compliance challenge: the intersection of HIPAA privacy requirements and usability. A telehealth platform that displays patient information on a screen needs to consider not just data encryption, but visual privacy — what happens when someone uses the app in a public waiting room.
The HHS Office for Civil Rights has increasingly scrutinized digital health experiences for compliance with the HIPAA Privacy Rule's minimum necessary standard. Design decisions like pre-populating health conditions in dropdown menus, displaying diagnosis information in push notifications, and using analytics tracking pixels on pages that contain protected health information (PHI) have all been subjects of regulatory action.
Beyond HIPAA, healthcare UX faces Section 508 accessibility requirements (for any product touching federal programs), FDA regulations for Software as a Medical Device (SaMD), and state-level telehealth consent requirements that vary significantly. A consent flow that's compliant in California may violate requirements in Texas. Design teams building healthcare products need compliance review not just at launch, but at every state expansion.
E-commerce: Dark patterns under the microscope.
E-commerce faces the broadest regulatory attention because it has the largest consumer surface area. The FTC has been particularly aggressive in targeting dark patterns — design choices that manipulate users into unintended actions. The agency's 2022 enforcement policy statement specifically called out: countdown timers that reset or display false urgency, "confirmshaming" (using guilt-inducing language on decline buttons like "No thanks, I don't want to save money"), hidden subscription enrollments, and checkout flows that add items or services the user didn't select.
The EU's Digital Services Act and the UK's consumer protection framework go further, requiring that cancellation be as easy as signup — a standard that many subscription e-commerce companies still violate through multi-step cancellation funnels designed to create friction. Under California's automatic renewal laws, the consequences for non-compliant cancellation flows include full refunds of all charges collected during the non-compliant period — which for a large e-commerce operation can represent millions in liability.
For global e-commerce, GDPR's consent requirements add another layer. Cookie consent banners that make "Accept All" a bright primary button and "Manage Preferences" a small text link have been the subject of enforcement actions in France, Italy, and Austria, with fines reaching into the tens of millions of euros. The design of the consent interface itself — not just its existence — determines compliance.
— Regulatory Precedents
The enforcement actions that changed the rules.
Compliance isn't abstract. It's shaped by specific enforcement actions that set precedent for what regulators consider acceptable design. Understanding these precedents helps teams avoid the patterns that are most likely to attract scrutiny.
The FTC's actions against several major technology companies for dark pattern violations established that design choices can constitute deceptive practices even when the underlying disclosures are technically accurate. A disclosure that's accurate but buried in a flow that users predictably skip is, from a regulatory perspective, functionally equivalent to no disclosure at all.
The DOJ's increasing focus on ADA compliance for digital experiences — building on case law from website accessibility lawsuits — has established that commercial websites are places of public accommodation under Title III. The practical implication: a checkout flow that can't be completed with a screen reader isn't just a usability problem — it's a potential civil rights violation. Federal courts have consistently held that websites must be accessible, and the volume of ADA digital accessibility lawsuits has grown steadily, averaging over 3,000 per year in recent years.
For teams shipping products in regulated industries, the takeaway is that design review isn't just a product quality exercise — it's a risk management function. The cost of a pre-launch design fix is measured in hours. The cost of a post-launch enforcement action is measured in millions, plus the reputational damage that no amount of money can fix.