By using certain website design tricks, so-called dark patterns, website operators have long tried to nudge website visitors towards taking decisions on the processing of their personal data which are more favourable to the website operator. The new Guidelines on dark patterns of the European Data Protection Board (EDPB) provide in-depth guidance on the admissibility of such practices. In this article, we analyse the stance of the EDPB on this matter, and explain why all website and/or app operators should take note of the Guidelines.
Why were the new Guidelines adopted?
On 14 March 2022, the EDPB issued the draft version of the Guidelines 3/2022 on Dark patterns in social media platform interfaces (the final version of the Guidelines will be published following public consultation). Despite specifically addressing social media companies, the Guidelines provide useful dos and don’ts for other types of companies as well. In particular, any company operating a website should have a closer look at the Guidelines.
The main objective of the EDPB Guidelines is to provide practical recommendations on the design of user interfaces and the presentation of content on websites. The EDPB underlines that website operators, while in principle being able to freely decide on the elements and the design of their websites, must in doing so comply with the General Data Protection Regulation (GDPR). For website design, the following data protection principles are particularly important:
- lawfulness, fairness and transparency;
- purpose limitation;
- data minimisation; and
- data protection by design and default.
The EDPB emphasises that data protection authorities are responsible for sanctioning the usage of dark patterns that violate these GDPR principles.
Our data protection experts regularly analyse the EDPB’s guidelines and recommendations in order to present the information relevant to companies in a comprehensible way.
What is a dark pattern?
The Guidelines specifically address dark patterns, which the EDPB defines as
“interfaces and user experiences implemented on social media platforms that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data.”
The aim of dark patterns is to influence users’ behaviour and hinder their ability to effectively protect their personal data and make conscious choices.
What are the typical examples of dark patterns?
For the purposes of the Guidelines, the EDPB divided dark patterns into the following six categories:
Overloading means users are confronted with a large quantity of requests, information, options or possibilities so that they are prompted to share more data or to unintentionally allow the processing of personal data against their expectations. For example, a website might continuously – and even after the initial refusal of a website user – ask a website visitor to provide specific personal data, such as their phone number. After a certain period of time, users might “give in” and provide their phone number, merely to be left alone in the future. Interestingly, in this context, the EDPB also discourages requesting users’ phone numbers for the purpose of multi-factor authentication, as less intrusive means of authentication are available (e.g., per e-mail or via a dedicated authentication app).
Skipping means designing the interface or user experience in a way that makes users forget, or not think about, relevant data protection aspects. For example, this is the case if a website operator enables the most data-invasive options by default, thereby acting contrary to the principle of privacy by default, or if it makes the ‘decline’ button in a cookie banner small and unintelligible.
Another example of skipping is the ‘look over there’ strategy. In this case, a website operator tries to deflect the website visitor from the relevant information and/or options, e.g., by providing an overload of non-relevant information hiding the relevant information, or by otherwise distracting the website visitor. Cookie consent banners asking for consent in a humorous way also fall under this category.
Hindering means obstructing or blocking users in their process of obtaining information or managing their data. A typical and often-seen example is a website operator making consent withdrawal more complicated than giving consent, be it in terms of the time or the number of clicks needed to withdraw consent.
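To make the three categories above concrete from a defender's side, the following is an added example (not code from the EDPB Guidelines or from the article's authors): a minimal consent model that applies data protection by default and uses one and the same operation for granting and withdrawing consent, together with an audit function that flags the traits described above (data-invasive defaults, a less prominent or missing decline control, withdrawal that takes more clicks than consent, re-asking after a refusal). The category names, the banner descriptor shape and the two constructed banner designs are assumptions made for illustration; a real deployment would derive the descriptor from the rendered consent UI.

```javascript
// Added example, not part of the article or the EDPB Guidelines.
// Category names below are assumed for illustration.
const DEFAULT_CATEGORIES = ["analytics", "marketing", "personalisation"];

// Data protection by default: every non-essential category starts as NOT consented.
function createConsentState(categories = DEFAULT_CATEGORIES) {
  const state = {};
  for (const c of categories) state[c] = false;
  return state;
}

// Granting and withdrawing consent are the same single operation, so the
// withdrawal path cannot be made longer than the consent path ("hindering").
function setConsent(state, category, granted) {
  if (!(category in state)) throw new Error(`unknown category: ${category}`);
  return { ...state, [category]: Boolean(granted) };
}

// Banner descriptor (assumed shape):
//   defaults:             initial toggle state shown to the user, per category
//   accept / decline:     clicks needed and font size of the first-layer controls
//                         (decline may be null if no decline control exists)
//   withdrawClicks:       clicks from any page to withdraw consent later
//   repromptAfterRefusal: whether the banner asks again after the user refused
function auditBanner(design) {
  const findings = [];
  for (const [category, enabled] of Object.entries(design.defaults)) {
    if (enabled) findings.push(`skipping: "${category}" is enabled by default`);
  }
  if (!design.decline) {
    findings.push("skipping: no decline option on the first layer");
  } else {
    if (design.decline.clicks > design.accept.clicks) {
      findings.push("hindering: declining needs more clicks than accepting");
    }
    if (design.decline.fontPx < design.accept.fontPx) {
      findings.push("skipping: decline control is less prominent than accept");
    }
  }
  if (design.withdrawClicks > design.accept.clicks) {
    findings.push("hindering: withdrawing consent is harder than giving it");
  }
  if (design.repromptAfterRefusal) {
    findings.push("overloading: user is asked again after refusing");
  }
  return findings;
}

// Constructed sample designs (not taken from any real website).
const WEAK_BANNER = {
  defaults: { analytics: true, marketing: true, personalisation: false },
  accept: { clicks: 1, fontPx: 16 },
  decline: { clicks: 2, fontPx: 10 },
  withdrawClicks: 4,
  repromptAfterRefusal: true,
};

const COMPLIANT_BANNER = {
  defaults: { analytics: false, marketing: false, personalisation: false },
  accept: { clicks: 1, fontPx: 16 },
  decline: { clicks: 1, fontPx: 16 },
  withdrawClicks: 1,
  repromptAfterRefusal: false,
};

// Usage: audit both designs and exercise the symmetric consent operation.
const findings = auditBanner(WEAK_BANNER);
console.log(`weak banner: ${findings.length} findings`);
findings.forEach((f) => console.log(" -", f));
console.log(`compliant banner: ${auditBanner(COMPLIANT_BANNER).length} findings`);

let state = createConsentState();
state = setConsent(state, "analytics", true);   // one step to grant
state = setConsent(state, "analytics", false);  // one step to withdraw
console.log("analytics consent after withdrawal:", state.analytics);
```

The audit deliberately compares the decline and withdrawal paths against the accept path rather than against fixed numbers, because the Guidelines' objection is to the asymmetry between the two, not to any particular click count.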
Left in the dark
The EDPB Guidelines on dark patterns can be seen as a part of a broader trend of holding companies accountable for the manipulative and/or deceptive design of their websites. Despite the EDPB’s focus on social media platforms, the above examples clearly demonstrate that the Guidelines are relevant for all companies operating websites and/or mobile apps.
Companies should take note thereof, as the Guidelines provide useful, in-depth, but also very strict recommendations and best practices on how to design a website or an app in a GDPR compliant way. Given the complexity of the matter, companies are well advised to seek professional legal advice on this topic to avoid possible compliance risks.