The European Data Protection Board recently published its draft guidelines on ‘Dark Patterns’ in social media platforms (“Guidelines“). The EDPB defines “dark patterns” as “…interfaces and user experiences implemented on social media platforms that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data. Dark patterns aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices.”

The main objective of the Guidelines is to offer practical recommendations for users and operators of social media platforms on how to identify and avoid dark patterns that may infringe the General Data Protection Regulations (“GDPR“). The Guidelines are open to public consultation until 2 May 2022.

While the EDPB takes a strongly negative view of dark patterns in general, it recognizes that not all dark patterns lead to an infringement of the GDPR. However, the issues discussed in the Guidelines have wider importance than data protection regulation and social media platforms, as they could demonstrate aspects that additional regulators in various use-cases would address when considering the regulatory impact of dark patterns (such as consumer protection and internet laws).

The dark patterns addressed in these Guidelines are divided into six categories:

1. Overloading – providing users with excessive number of requests, information, option or possibilities to prompt them to share personal data (e.g. repeatedly asking users to provide more personal data, even after they refused);

2. Skipping – designing the user interface or experience to make the users forget about all or some of the data protection aspects (e.g. making the “decline” button small and unintelligible);

3. Stirring – affecting the users’ choices by appealing to their emotions or using nudging techniques (e.g. use of emotional persuasion techniques);

4. Hindering – obstructing or preventing users from becoming informed about the use of their data and their rights, by making the actions or information inaccessible (e.g. using pop-ups with text like “are you sure?” when users refuse to provide certain personal data);

5. Fickle – making the design and interface unclear and inconsistent, making it hard for users to understand and navigate (e.g. providing conflicting information;

6. Left in the dark – designing the user interface to hide material information or data protection controls (e.g. providing (e.g. spreading information on multiple pages/sections without providing links or connecting between the pages/section).

The EDPB states that dark patterns can also be grouped into content-based and interface-based patterns, differentiating between patterns that refer to the actual content of the platform (e.g. the text of the privacy policy), opposed to patterns addressing the design and user interface (e.g. font size, color etc.)

In its Guidelines, the EDPB reiterates the importance and the applicability of the principles relating to processing of personal under Article 5 of the GDPR. The EDPB emphasizes the importance of the principle of fairness, which serves as an ‘umbrella principle’ that no dark pattern can comply with by its nature, irrespective of its compliance with other data protection principles. The issue of dark patterns should be taken into consideration to ensure effective privacy by design and by default, under Article 25 of the GDPR.

The Guidelines analyze the effects of dark patters across the entire lifecycle of a social media user account, from registration, through breach notifications and exercising of user rights, to leaving the platform.

Specific examples of dark patterns addressed in the Guidelines include: making withdrawal of consent more difficult than providing consent, bundling of consents, use of vague words or professional jargon, providing excessive information or options to choose from, broken links dead ends, etc. Interestingly, in its draft Guidelines, the EDPB also discourages social media platform from requesting users’ phone numbers for two-factor authentication, where email address, or other less intrusive personal data, can be used.

The EDPB also provides best practices to be implemented at each stage of the account lifecycle, to ensure compliance with the GDPR. For example, at the registration stage, the EDPB recommends creating shortcuts to data protection materials and features, including a collapsible table of contents to the privacy policy, using coherent wordings and definitions, providing the controller’s contact information, using examples  etc.

Notably, dark patterns have not only caught the attention of the EDPB. The EDPB Guidelines join a number of regulatory actions in the US in the last couple of months. Recently, the Federal Trade Commission published an enforcement policy statement on dark patterns and the New York Attorney General announcing a $2.6M settlement with FarePortal over dark patterns.

We encourage our clients and friends to review their marketing and use engagement practices to ensure compliance with the evolving standards.

Kind regards,

Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation