The EDPB sheds light on the use of dark patterns on social media platforms

On 14 March 2022, the European Data Protection Board (EDPB) published a first version of new guidelines on dark patterns in social media platform interfaces (Guidelines 3/2022). These guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid so-called “dark patterns” in social media interfaces that infringe the GDPR. What does this mean in practice?

The concept of dark patterns

“Dark patterns” are defined as interfaces and user experiences implemented on social media platforms that lead users into making unintended, unwilling, and potentially harmful decisions regarding the processing of their personal data. Dark patterns aim to influence users’ behaviour and manipulate users to do something (such as give their consent) or prevent them from taking actions (such as exercising their rights). Therefore, they can hinder users’ ability to effectively protect their personal data and make conscious choices.

Although the list of dark patterns provided by the EDPB is not exhaustive, the EDPB divides dark patterns into several main categories:

  • Overloading – Users are provided with a mass of requests, information, options, or possibilities in order to make them keep or accept a personal data practice preferable to the social media platform.
  • Skipping – The user interface/experience is designed in such a way that the user forgets or does not think about all or some of the personal data protection aspects.
  • Stirring – Affecting the choice users would make by appealing to their emotions or using visual nudges.
  • Hindering – Users are hindered or blocked in the process of obtaining information or managing their personal data by making the action difficult or impossible to achieve.
  • Fickle – The design of the interface is unstable and inconsistent, making it hard for users to find controls related to personal data protection and information relating to the personal data processing.
  • Left in the dark – The interface is designed in a way to hide information or controls related to personal data protection or to leave users unsure of how their personal data is processed and what kind of controls they might have over it.

Best practice recommendations for designing user interfaces

In addition to categorizing dark patterns, providing examples for each category and explaining how these infringe the GDPR, the guidelines also present best practices at the end of each use case. These contain specific recommendations for designing user interfaces which facilitate the effective implementation of the GDPR, such as using shortcuts and coherent wording or providing examples and definitions.

The EDPB does not conclude that all dark patterns are illegal. Whether their use is illegal will always depend on the circumstances of the case. The guidelines highlight common practices which are considered by the EDPB to be a violation of the GDPR. However, the EDPB’s considerations may also be applicable to use cases other than those related to social media platforms.

Step by step: Reconsider your practices

What should social media companies, as well as other personal data controllers, do?

  1. Review their current practices and user interfaces.
  2. Identify and stop using potentially problematic practices in the light of the taxonomy of dark patterns provided by the EDPB.
  3. Implement best practice recommendations into user interfaces.

Although the published version of the new guidelines is currently in a public consultation phase and is not final, it is likely to trigger specific regulatory interest from data protection supervisory authorities in the use of dark patterns in the future. The imposition of high fines cannot be excluded, depending on the circumstances of the case. Furthermore, apart from violating data protection regulations, dark patterns can also violate other regulations, such as consumer protection regulations.
