The European Data Protection Board (EDPB) published guidelines relating to dark patterns on social media platforms. If social media platform designers don’t follow the guidelines, they could infringe the EU General Data Protection Regulation (GDPR). The guidelines provide designers with tools to understand what dark patterns are and address them on their social media platforms so that they can avoid infringing the GDPR.
What are “dark patterns”?
Dark patterns refer to interfaces and user experiences that a designer implements on social media platforms. These dark patterns can lead users into making unintended, unwilling, and potentially harmful decisions regarding the processing of their personal data.
Who do the guidelines apply to?
The guidelines impact designers of social media platforms by providing practical recommendations on how to avoid:
- dark patterns in social media interfaces, and
- infringements of GDPR requirements.
What do the guidelines cover?
The guidelines outline principles for transparency, accountability (Article 5), and data protection by design (Article 25 of the GDPR). They also cover GDPR provisions that can help designers with dark pattern assessments. The guidelines list six categories of dark patterns:
- Overloading means users are faced with extensive requests, information, options, or possibilities to:
  - prompt them to share more data, or
  - unintentionally allow personal data processing against the data subject’s expectations.
- Skipping means designing the interface or user experience in a way that users forget or do not think about the data protection aspects.
- Stirring affects the choice users would make by appealing to their emotions or using visual nudges.
- Hindering means obstructing or blocking users in their process of becoming informed or managing their data by making the action hard or impossible to achieve.
- Fickle means the design of the interface is inconsistent and not clear, making it hard for the user to:
  - navigate the different data protection control tools, and
  - understand the purpose of the processing.
- Left in the dark means an interface is designed in a way to hide information or data protection control tools or to leave users unsure of how their data is processed and what kind of control they might have over it regarding the exercise of their rights.
The EDPB also provided designers with a checklist for identifying certain dark patterns. The checklist is available as an annexure to the guidelines. It provides an overview of:
- the categories of dark patterns explained above,
- the dark pattern types, and
- a list of examples for each dark pattern.
What are the possible GDPR infringements?
Dark patterns can lead to a violation of data protection regulations and consumer protection regulations. Because of the overlap between infringements that data protection authorities and national consumer protection authorities can enforce, the guidelines provide best practices that designers can use to ensure that they use compliant user interfaces.
Additionally, data protection authorities can sanction the use of dark patterns if it does not comply with data protection standards and the GDPR. Organisations must address GDPR breaches individually. The guidelines also present best practices that designers can use to design user interfaces which facilitate effective GDPR implementation.
Examples of dark pattern infringements
Leaving a data subject in the dark
Social media platforms can infringe data subject rights through ambiguous wording or too much information. One example is a social media platform that does not explicitly state that users in the EU have the right to lodge a complaint with a supervisory authority. The platform must list all countries that will facilitate complaints from social media users.
If social media platforms give their users vague information that leaves them unsure of how:
- their data will be processed, or
- to have control over their data, and
- to exercise their rights,
then the social media platform will be deemed to be going against the principle of transparency. The platform could also be said to be providing data subjects with incomplete information (Article 12 (1) and 13 of the GDPR).
Emotionally stirring a data subject
Social media platform designers must be wary of emotionally stirring data subjects who choose to delete their account. For example, adding in pop-up messages like “you won’t be able to reactivate your account” is an infringement of the data subject’s rights under Article 12 (2) of the GDPR. It is also an infringement of the principle of fairness under Article 5 (1)(a) GDPR.
Actions you can take
- Learn about emerging technologies (like dark patterns, AI, the metaverse, and virtual reality) by attending our Lexverse conference.
- You can dive into the details of the EDPB’s guidelines by downloading them.
- Find out how you can implement these guidelines by getting our advice.