The European Data Protection Board (“EDPB”) recently published its draft guidelines on “dark patterns” in social media platform interfaces (“Guidelines”). The EDPB defines “dark patterns” as “…interfaces and user experiences implemented on social media platforms that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data. Dark patterns aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices.”

The main objective of the Guidelines is to offer practical recommendations to users and operators of social media platforms on how to identify and avoid dark patterns that may violate the General Data Protection Regulation (“GDPR”). The Guidelines are open for public consultation until May 2, 2022.

Although the EDPB takes a strongly negative view of dark patterns in general, it recognizes that not all dark patterns lead to a GDPR violation. However, the issues addressed in the Guidelines have broader significance than data protection regulation and social media platforms, as they illustrate the aspects other regulators are likely to focus on when examining dark patterns in other contexts (for example under consumer protection and internet laws).

The dark patterns discussed in the Guidelines are divided into six categories:

1. Overloading – confronting users with an excessive number of requests, pieces of information, options or possibilities in order to push them to share personal data (for example, repeatedly asking users to provide more personal data, even after they have refused);

2. Skipping – designing the interface or user experience so that users forget about, or disregard, some or all aspects of data protection (for example, making the “refuse” button small and inconspicuous);

3. Stirring – affecting users’ choices by appealing to their emotions or by using nudging techniques (for example, the use of emotional persuasion techniques);

4. Hindering – obstructing or blocking users from becoming informed about the use of their data and their rights, by making actions or information hard or impossible to reach (for example, by using pop-ups with text such as “are you sure?” when users refuse to provide certain personal data);

5. Fickle – making the design and interface unclear and inconsistent, so that users find it difficult to understand and navigate (for example, by providing conflicting information);

6. Left in the dark – designing the interface so as to hide material information or data protection controls (e.g. spreading information across multiple pages/sections without providing links or connections between those pages/sections).

The EDPB states that dark patterns can also be grouped into content-based and interface-based patterns, distinguishing between patterns that concern the actual content of the platform (e.g. privacy policy text) and patterns that concern design and user interface (e.g. font size, colour, etc.).

In its Guidelines, the EDPB recalls the importance and applicability of the principles relating to the processing of personal data under Article 5 of the GDPR. The EDPB emphasizes the principle of fairness, which serves as an “umbrella principle” that no dark pattern can, by its nature, respect, regardless of its compliance with other data protection principles. Dark patterns also need to be taken into consideration in order to ensure effective data protection by design and by default, in accordance with Article 25 of the GDPR.

The Guidelines analyze the effects of dark patterns throughout the lifecycle of a social media user account, from registration, through breach notifications and the exercise of user rights, to leaving the platform.

Specific examples of dark patterns addressed in the Guidelines include: making withdrawal of consent more difficult than giving consent, bundling of consents, use of vague wording or professional jargon, providing excessive information or options to choose from, broken links, dead ends, etc. Interestingly, in its draft Guidelines, the EDPB also discourages social media platforms from requesting users’ phone numbers for two-factor authentication where an email address or other, less intrusive personal data can be used instead. From a security engineering standpoint, the data minimization goal can be met without weakening the second factor: authenticator apps (TOTP) and FIDO2/WebAuthn security keys require no contact data at all, whereas SMS and email codes are both phishable and tied to additional personal data.

The EDPB also provides best practices to implement at each stage of the account lifecycle, to ensure GDPR compliance. For example, at the registration stage, the EDPB recommends creating shortcuts to data protection materials and features, including a collapsible table of contents for the privacy policy, using consistent wording and definitions, providing the contact details of the data controller, using examples, etc.

Notably, dark patterns have not only caught the EDPB’s attention. The EDPB Guidelines join a number of regulatory actions in the United States over the past two months. Recently, the Federal Trade Commission released an enforcement policy statement addressing dark patterns, and the New York Attorney General announced a $2.6 million settlement with FarePortal over dark patterns.