By using certain website design tricks, so-called dark patterns, website operators have long tried to nudge visitors towards decisions on the processing of their personal data that are more favourable to the operator.
The new Guidelines on dark patterns of the European Data Protection Board (EDPB) provide in-depth guidance on the admissibility of such practices. In this article, we analyse the stance of the EDPB on this matter and explain why all website and app operators should take note of the Guidelines.
Why were the new Guidelines adopted?
On 14 February 2023, the EDPB published the final version of its Guidelines 03/2022 on deceptive design patterns in social media platform interfaces. Although they specifically address social media companies, the Guidelines provide useful dos and don’ts for other types of companies as well. In particular, any company operating a website should have a closer look at the Guidelines.
The main objective of the EDPB Guidelines is to provide practical recommendations on the design of user interfaces and the presentation of content on websites. The EDPB underlines that website operators, while in principle being able to freely decide on the elements and the design of their websites, must in doing so comply with the General Data Protection Regulation (GDPR). For website design, the following data protection principles are particularly important:
- lawfulness, fairness and transparency;
- purpose limitation;
- data minimisation; and
- data protection by design and default.
The EDPB emphasises that data protection authorities are responsible for sanctioning the use of dark patterns that violate these GDPR principles.
What is a dark pattern?
The Guidelines specifically address dark patterns, which the EDPB defines as
“interfaces and user experiences implemented on social media platforms that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data.”
The aim of dark patterns is to influence users’ behaviour and hinder their ability to effectively protect their personal data and make conscious choices.
What are the typical examples of dark patterns?
For the purposes of the Guidelines, the EDPB divided dark patterns into the following six categories:
Overloading
Overloading means confronting users with a large quantity of requests, information, options or possibilities in order to prompt them to share more data or to unintentionally allow processing of personal data that runs against their expectations. For example, a website might continuously, even after an initial refusal, ask a visitor to provide specific personal data, such as their phone number. After a certain period of time, users might “give in” and provide their phone number merely to be left alone in the future. Interestingly, in this context, the EDPB also discourages requesting users’ phone numbers for the purpose of multi-factor authentication, as less intrusive means of authentication are available (e.g., per e-mail or via a dedicated authentication app). From a security-engineering standpoint this points the same way: SMS one-time codes are the weakest common second factor, being exposed to SIM swapping and message interception, so an authenticator app or hardware token is both less data-hungry and more robust.
Skipping
Skipping means designing the interface or user experience in a way that makes users forget, or not think about, relevant data protection aspects. This is the case, for example, if a website operator enables the most data-invasive options by default, contrary to the principle of privacy by default, or if it makes the ‘decline’ button in a cookie banner small and hard to recognise.
Another example of skipping is the ‘look over there’ strategy. Here the website operator tries to divert the visitor’s attention away from the relevant information or options, e.g., by burying it under an overload of non-relevant information or by otherwise distracting the visitor. Cookie consent banners that ask for consent in a humorous way also fall under this category.
Stirring
Stirring aims at affecting user choice by appealing to their emotions or using visual nudges. An example of emotional stirring is a website provider describing in detail the supposedly negative consequences of deleting an account or unsubscribing from a newsletter, in an attempt to convince the user to revise their choice. Another example of stirring is providing data protection information in a poorly visible way (e.g., due to the font size or the colours used) so that users either overlook it, or have difficulties reading it. Importantly, the EDPB notes that even if a privacy policy provides all the information required under Art. 13 and/or 14 GDPR, the way this information is presented alone can infringe the principle of transparency, and hence violate the GDPR.
Hindering
Hindering means obstructing or blocking users in their process of obtaining information or managing their data. A typical and often-seen example is a website operator making consent withdrawal more complicated than giving consent, be it in terms of the time or the number of clicks needed to withdraw consent.
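The “skipping” and “hindering” patterns above (data-invasive defaults, a hard-to-find decline control, withdrawal that costs more than consent) can be turned into properties an engineering team unit-tests before a banner ships. The following is an added illustration written for this article; it is not code from the EDPB Guidelines or from any real consent tool. The purpose names, the step lists and the two banner descriptions are constructed for the example.

```javascript
// Added example (not from the EDPB Guidelines or the article). It models two
// points as testable properties: privacy by default (no optional purpose is on
// until the user opts in) and parity of effort between giving and withdrawing
// consent. Purposes, step lists and banner descriptions are constructed.

const PURPOSES = {
  essential: { required: true },   // strictly necessary, not subject to consent
  analytics: { required: false },
  marketing: { required: false },
};

// Privacy by default: every optional purpose starts switched off.
function defaultConsent() {
  const state = {};
  for (const [name, cfg] of Object.entries(PURPOSES)) {
    state[name] = cfg.required;
  }
  return state;
}

// Granting and withdrawing are the same single operation on the same object,
// so the withdrawal path cannot be more expensive than the consent path.
function setConsent(state, purpose, granted) {
  if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
  if (PURPOSES[purpose].required && !granted) {
    throw new Error(`${purpose} is strictly necessary and not consent-based`);
  }
  return { ...state, [purpose]: granted };
}

// A banner description lists, per user path, the interaction steps needed and
// the font size of the control that starts the path. auditBanner returns the
// dark pattern signals it finds; an empty array means none were detected.
function auditBanner(design) {
  const findings = [];
  const steps = (p) => design.paths[p].steps.length;

  if (steps('rejectAll') > steps('acceptAll')) {
    findings.push('hindering: rejecting takes more steps than accepting');
  }
  if (steps('withdraw') > steps('acceptAll')) {
    findings.push('hindering: withdrawing consent takes more steps than giving it');
  }
  if (design.paths.rejectAll.fontSize < design.paths.acceptAll.fontSize) {
    findings.push('skipping: reject control is visually smaller than accept');
  }
  const preTicked = design.preselected.filter((p) => !PURPOSES[p].required);
  if (preTicked.length > 0) {
    findings.push(`skipping: optional purposes pre-selected: ${preTicked.join(', ')}`);
  }
  return findings;
}

// Constructed "before" design showing the patterns described in the text.
const darkBanner = {
  preselected: ['essential', 'analytics', 'marketing'],
  paths: {
    acceptAll: { steps: ['click "Accept all"'], fontSize: 16 },
    rejectAll: {
      steps: ['click "Settings"', 'untick analytics', 'untick marketing', 'click "Save"'],
      fontSize: 10,
    },
    withdraw: {
      steps: ['open account', 'open privacy', 'open cookies', 'untick', 'confirm'],
      fontSize: 12,
    },
  },
};

// Constructed "after" design: symmetric controls, nothing optional pre-ticked.
const fairBanner = {
  preselected: ['essential'],
  paths: {
    acceptAll: { steps: ['click "Accept all"'], fontSize: 16 },
    rejectAll: { steps: ['click "Reject all"'], fontSize: 16 },
    withdraw: { steps: ['click "Cookie settings" in the footer'], fontSize: 16 },
  },
};

console.log(auditBanner(darkBanner)); // four findings
console.log(auditBanner(fairBanner)); // []
```

The audit deliberately compares the reject and withdraw paths against the accept path rather than against a fixed number, because the Guidelines object to asymmetry of effort, not to any particular click count.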
Fickle
Fickle patterns are unclear or inconsistent interface designs that make it hard for users to navigate the various data protection controls and to understand the purposes of the processing. Examples include information on data subject rights being scattered across the privacy notice, a lengthy privacy policy that is not divided into sections and hence lacks structure, or a privacy notice placed on a page where an average visitor would not look for it (e.g., under the submenu Security). In such cases, the website operator infringes the GDPR by not providing the required information in an intelligible, transparent and easily accessible way.
The EDPB has included three more types of fickle patterns in its updated Guidelines:
- Information related to data protection is not provided in the official language of the country where users live, whereas the service itself is.
- An inconsistent interface where a data protection related menu does not display the same items in the mobile and desktop versions.
- An option whose location has been switched with that of another option. Users do not expect this, and it can lead them to make a data protection decision they did not intend.
Left in the dark
Left in the dark is a dark pattern where an interface is designed to hide information or data protection controls, or which leaves users unsure of how their data is processed and what control they have over it. For example, a website visitor is left in the dark if the privacy policy uses ambiguous or vague wording or provides conflicting information.
Conclusion
The EDPB Guidelines on deceptive design patterns can be seen as part of a broader trend of holding companies accountable for the manipulative or deceptive design of their websites. Despite the EDPB’s focus on social media platforms, the above examples clearly demonstrate that the Guidelines are relevant for all companies operating websites or mobile apps.
Companies should take note, as the Guidelines provide useful, in-depth, but also very strict recommendations and best practices on how to design a website or an app in a GDPR-compliant way. Given the complexity of the matter, companies are well advised to seek professional legal advice on this topic to avoid compliance risks.