On Feb. 10, 2026, an 18-year-old woman, Jesse Van Rootselaar, killed eight people and herself in a mass shooting in Tumbler Ridge, British Columbia. OpenAI had previously flagged her ChatGPT conversations as having a disturbing fascination with extreme violence, and suspended her account, but reportedly the company did not notify law enforcement.

On Oct. 2, 2025, a young man named Jonathan Gavalas in Jupiter, Florida, took his own life after developing what his father’s lawsuit described as a romantic attachment to Google’s Gemini chatbot. The suit claimed that Gemini coached Gavalas to shed his own body. The suit said Google had flagged Gavalas’s account 38 times over five weeks for sensitive content, but didn’t restrict or cut off the account.

These tragedies and others show that generative AI can potentially play a role in harming people, organizations and the environment. I’m a legal scholar who has focused on AI liability for nearly a decade and explored new ways of analyzing AI companies’ responsibilities. In my view, cases like these force questions the legal community has not come to terms with: If an AI company becomes aware of warning signs about harm, does it have a legal obligation to at least warn the appropriate authorities? And if the company doesn’t intervene, should its failure to act be considered negligence?

A need to raise red flags

U.S. tort law provides a framework for thinking about this type of responsibility. In 1969 a University of California psychiatric patient named Prosenjit Poddar told his therapist he intended to kill a woman named Tatiana Tarasoff. The therapist notified campus police, who briefly detained Poddar but eventually let him go. Nobody warned Tarasoff, and Poddar killed her shortly after.

Her family sued the university, arguing that its lack of warning amounted to negligence. In 1976 the California Supreme Court ruled that when a mental health professional has good reason to believe a client poses a serious danger to an identifiable person, they have a legal duty to take reasonable steps to protect that person, including warning them or notifying law enforcement. Today, most U.S. states recognize some version of the Tarasoff duty to protect or warn.

The logic is simple: If you have special knowledge of a serious threat and are in a position to address it, even if only to warn the authorities or the potential victim, the law may require you to act. But does that logic apply to AI companies?

The argument for yes is appealing. AI platforms interact with millions of users daily, often about deeply personal matters such as mental health struggles, relationship problems and violent thoughts. Most companies have systems to detect conversations that raise red flags.

Requiring a response might be less controversial for AI than for a human therapist. Therapists are bound by strict confidentiality obligations that make warning third parties ethically and legally complicated. AI companies operate under much weaker rules, at least in the U.S., where no comprehensive federal privacy law exists.

That lesser restriction makes it easier to justify requiring AI companies to act when it seems that someone’s life may be at risk. But balancing that with protecting privacy is still important.

Who to warn, and when

The first challenge in applying the Tarasoff framework to the AI world is accuracy. Predicting violence is hard, even for trained mental health professionals. AI systems, or human moderators who review flagged content, are not clinicians. Requiring them to judge who poses a genuine threat could lead to numerous false positives, with real consequences for people whose accounts are suspended or whose information is shared with authorities based on misread signals.

The second challenge is scale. A therapist sees dozens of patients. AI platforms have hundreds of millions of users. Imposing a duty to monitor and act on worrisome content could create perverse incentives. AI companies might reduce their monitoring to avoid acquiring knowledge that would trigger a legal duty, reasoning that what they do not know cannot make them liable.

The third challenge is identifying who is at risk. In the 1969 case, Poddar had named Tarasoff as a potential victim. But in many AI interactions, violent or self-destructive language is diffuse and doesn’t identify a target. Courts will need to develop clear standards for when a threat is specific enough to trigger a duty to warn, and to whom any warning or protective action should be directed.

Growing urgency

The AI industry is expanding rapidly, yet the legal rules governing what AI companies owe their users and the public are deeply unclear. Courts are beginning to grapple with questions case by case, such as whether OpenAI bears any responsibility for a gunman accused of killing two students at Florida State University on April 17, 2025. The gunman in that case was armed with a semi-automatic pistol and allegedly had extensive conversations with ChatGPT about how to use the weapon most effectively .

A narrow, carefully defined duty to warn, triggered only when an AI system flags a user’s behavior and it is reviewed by humans, would be a meaningful step forward. And it could focus initially on the most serious and credible threats.

The practice could also shift the conversation away from thorny technical debates about whether AI chatbots are products, services or media, which complicates legal claims, toward a more human question: Did this company know someone was in danger, and did it do enough to warn them and authorities?

Anat Lior is affiliated with: 1. Mentoring at the Creative Destruction Lab (CDL) at the University of Wisconsin 2. Member of the Montgomery County Advisory Council on Artificial Intelligence for the Public Good/ 3. Consultant with WTW, Relm Insurance, and Testudo. 4. Affiliate research with the Institute of Law & AI. 5. Collaborator with the Vista Institute for AI Policy.

You open a free app to do one simple thing. Before you even start, a full-screen message asks whether you want to try the paid version. The “Start free trial” button is large, bright and hard to miss. The option to keep using the free version is smaller, buried at the bottom. The same prompt appears again tomorrow. And the day after that.

A lot of people look at screens like that and think, “Surely this has to be illegal.” We even have a name for them, “dark patterns.” They feel pushy. They waste time. They seem designed to wear you down. But in most cases, they are perfectly lawful.

“Dark pattern” is not a legal term with a clear boundary. It is a broad label for digital designs that nudge, pressure, confuse or trap users. As a legal scholar who studies consumer protection and digital design, I think the most important thing for readers to understand is that the label “dark pattern” covers a broad spectrum.

Some of that spectrum is just annoying. Some of it is aggressive salesmanship. And some of it crosses the line into deception or coercion. Federal and state consumer protection laws are mostly aimed at that last category. They do not ban every design choice people dislike, only those that trick or coerce.

Annoying isn’t illegal

That reality may sound unsatisfying, but it is not unusual. Offline life is full of things that are irritating but not unlawful. Think of the cashier who asks whether you want to sign up for the store credit card, then points out the discount you are turning down, then asks again. Most people know exactly what is happening. They roll their eyes, say no and try to shop somewhere else next time.

The same is true online. A repeated pop-up can be obnoxious. A guilt-inducing button can be tacky. But consumers recognize ordinary annoyance for what it is. In many cases, the market answer is simple: Close the app, ignore the pitch or take your business elsewhere.

Similarly, law does not ban persuasive sales pitches just because they are effective. A car salesperson who keeps steering you toward the upgraded model is trying to influence your choice. So is the airline clerk who offers travel insurance. So is the restaurant server who asks whether you want dessert. Salesmanship is nothing new. Digital design often borrows from familiar techniques.

That helps explain why lawmakers cannot simply outlaw “manipulation.” And so many interfaces are built to persuade, openly and lawfully.

What crosses the line

What the federal FTC Act and analogous state consumer-deception statutes usually care about is not whether a design is annoying. They focus on whether the design is likely to mislead a reasonable consumer. That is the core idea in modern consumer protection law.

So a design is likelier to be unlawful when it hides key facts, makes an optional choice look mandatory or tricks people about the effect of the button they are pressing. A fake countdown timer, a disguised ad, a misleading one-click purchase button or a cancellation path that looks finished when it is not are all different from ordinary hard selling. Those designs do not just pressure users; they can deceive them.

That is also why the app maker’s intent is not always the key question. In many consumer protection cases, a company does not get a free pass just because no one said, “Let’s trick people.” The legal question is often about effect: What would a reasonable user likely understand from this screen?

Research on dark patterns reinforces that concern. Even relatively mild designs can push people into choices they would not otherwise make. And regulators have increasingly focused on subscription flows, hidden fees and cancellation obstacles for exactly that reason.

Why it feels like dark patterns are everywhere

One reason people might think there are no laws against dark patterns is that they see them so often. But that frequency reflects that the term covers a wide range of conduct, from lawful nagging to outright deception.

It also reflects enforcement limits. Regulators cannot chase every irritating screen on every app and website. They have to prioritize the worst cases. That leaves a lot of borderline conduct in the wild, which makes the whole problem feel bigger and murkier to ordinary users.

So when people ask why there is not a law against dark patterns, the best answer is that there already is, but the law does not prohibit every annoying or high-pressure design. It targets lies, misleading cues and coercive obstacles.

That line can be fuzzy. But the fuzziness is not a mistake. It is what you get when the law tries to separate persuasion from deception in a world full of both.

Gregory M. Dickinson does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.