EDPD PR of 14 March 2022
EDPD adopts “Guidelines on Dark patterns in social media platform interface: How to recognise and avoid them”
The European Data Protection Board (EDPD) on 14 March 2022 adopted the "Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them". These Guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid so-called “dark patterns” in social media interfaces that infringe on GDPR requirements.
It is important to note that the list of dark patterns and best practices, as well as the use cases, are not exhaustive. Social media providers remain responsible and accountable for ensuring the GDPR compliance of their platforms.
Dark patterns in social media platform interfaces
In the context of these Guidelines, “dark patterns” are considered as interfaces and user experiences implemented on social media platforms that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data. Dark patterns aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices. Data protection authorities are responsible for sanctioning the use of dark patterns if these breach GDPR requirements. The dark patterns addressed within these Guidelines can be divided into the following categories:
- Overloading means users are confronted with an avalanche/large quantity of requests, information, options or possibilities in order to prompt them to share more data or unintentionally allow personal data processing against the expectations of the data subject. The following three dark pattern types fall into this category: Continuous prompting, Privacy Maze and Too Many Options
- Skipping means designing the interface or user experience in a way that users forget or do not think about all or some of the data protection aspects. The following two dark pattern types fall into this category: Deceptive Snugness and Look over there
- Stirring affects the choice users would make by appealing to their emotions or using visual nudges. The following two dark pattern types fall into this category: Emotional Steering and Hidden in plain sight
- Hindering means obstructing or blocking users in their process of becoming informed or managing their data by making the action hard or impossible to achieve. The following three dark pattern types fall into this category: Dead end, Longer than necessary and Misleading information
- Fickle means the design of the interface is inconsistent and not clear, making it hard for the user to navigate the different data protection control tools and to understand the purpose of the processing. The following two dark pattern types fall into this category: Lacking hierarchy and Decontextualising
- Left in the dark means an interface is designed in a way to hide information or data protection control tools or to leave users unsure of how their data is processed and what kind of control they might have over it regarding the exercise of their rights. The following three dark pattern types fall into this category: Language discontinuity, Conflicting information and Ambiguous wording or information
Relevant GDPR provisions for dark pattern assessments
Regarding the data protection compliance of user interfaces of online applications within the social media sector, the data protection principles applicable are set out within Article 5 GDPR. The principle of fair processing laid down in Article 5 (1) (a) GDPR serves as a starting point to assess whether a design pattern actually constitutes a “dark pattern”. Further principles playing a role in this assessment are those of transparency, data minimisation and accountability under Article 5 (1) (a), (c) and (2) GDPR, as well as, in some cases, purpose limitation under Article 5 (1) (b) GDPR. In other cases, the legal assessment is also based on conditions of consent under Articles 4 (11) and 7 GDPR or other specific obligations, such as Article 12 GDPR. Evidently, in the context of data subject rights, the third chapter of the GDPR also needs to be taken into account. Finally, the requirements of data protection by design and default under Article 25 GDPR play a vital role, as applying them before launching an interface design would help social media providers avoid dark patterns in the first place.
Examples of dark patterns in use cases of the life cycle of a social media account
The GDPR’s provisions apply to the entire course of personal data processing as part of the operation of social media platforms, i.e. to the entire life cycle of a user account. The EDPB gives concrete examples of dark pattern types for the following different use cases within this life cycle: the sign-up, i.e. registration process; the information use cases concerning the privacy notice, joint controllership and data breach communications; consent and data protection management; exercise of data subject rights during social media use; and, finally, closing a social media account. Connections to GDPR provisions are explained in two ways: firstly, each use case explains in more detail which of the above- mentioned GDPR provisions are particularly relevant to it. Secondly, the paragraphs surrounding the dark pattern examples explain how these infringe on the GDPR.
Best practice recommendations
In addition to the examples of dark patterns, the Guidelines also present best practices at the end of each use case. These contain specific recommendations for designing user interfaces that facilitate the effective implementation of the GDPR.
Checklist of dark pattern categories
A checklist of dark pattern categories can be found in the Annex to these Guidelines. It provides an overview of the abovementioned categories and the dark pattern types, along with a list of the examples for each dark pattern that are mentioned in the use cases. Some readers may find it useful to use the checklist as a starting point to discover these Guidelines.
