European Data Protection Board’s spotlight on dark patterns in social media

On 24 February 2023, the European Data Protection Board (“EDPB”) issued a definitive set of guidelines for the recognition and avoidance of deceptive design patterns (“DDPs”) on social media platforms (“Guidelines”). This blog post unpacks the content of the Guidelines.

What are DDPs?

The EDPB defines DDPs as “interfaces and user journeys implemented on social media platforms that attempt to influence users into making unintended, unwilling and potentially harmful decisions, often toward a decision that is against the users’ best interests and in favour of the social media platforms’ interests, with regards to the processing of their personal data”. The Guidelines take a systematic approach, identifying DDPs throughout the life cycle of a social media account and testing them against GDPR standards. Note that although the EDPB has focused its Guidelines on social media platforms, their content is equally relevant to any other website.

Avoid DDPs on your social media platform/website!

Let us consider the practical importance of the Guidelines with a concrete example. 

You have recently launched a social media platform and you have created a user journey based on your experience of the largest social networks. Adopting similar content and interface design seems like a reasonable choice, given their success. However, as the EDPB points out, several of the most common techniques used to incentivise users’ engagement with the services and their data sharing can be in blatant breach of the GDPR.

Imagine the following scenario, where Claire is the first person to register on your platform in the Netherlands.

1. Registering an account

Claire has started to register an account. After selecting the option to log in exclusively with her email address, a pop-up keeps asking her to share her phone number throughout the several stages of registration, notwithstanding her initial choice. According to the EDPB, these kinds of practices fall under the blanket definition of “overloading”, a category of DDPs. If Claire is “overloaded” during the registration process with continuous prompts to disclose information which is objectively unnecessary to complete her sign-up, this could result in a violation of several basic principles of the GDPR (such as data minimisation and purpose limitation). As best practice, the EDPB suggests implementing a single “Data Protection Onboarding” step, inviting users to set their data protection preferences granularly.

2. Obtaining data protection information

Once registered, Claire may wish to access privacy-related information about her account. She clicks on the button labelled “Privacy” that you have placed on the homepage. She is redirected to a vague description of your platform’s privacy policy, which makes mostly general statements and refers to other options for accessing further information, without, however, mentioning where or how to find it. The EDPB condemns these “obstructing” DDPs, which hinder users’ access to information, as outright violations of the transparency requirements and data protection rights under the GDPR. In this case, besides requiring exhaustive information in the privacy policy, the EDPB also invites social media providers to implement shortcut links in their privacy policies that redirect users to the relevant data protection action or information on the platform.

3. Managing consent and data protection settings

Your platform displays a cookie banner through which it informs Claire of the use of certain cookies in small grey text. The banner also contains a large hyperlink stating “Oh Yum, cookies! Summer is almost there, want to learn a new cookie-gelato recipe for the hot days?”, next to the consent button. Claire clicks on the link and thoroughly reads the instructions for the recipe. She then goes back to the banner and clicks on the “Okay” button, accepting the use of cookies. The EDPB prohibits these “skipping” patterns because, by juxtaposing a data protection related action or piece of information with another unrelated or irrelevant element, there is a risk that the user’s focus is absorbed by the latter and the former is skipped entirely. In this case specifically, the humorous recipe link helped distract Claire from giving valid consent, within the meaning of the GDPR, to the use of cookies. The optimal approach recommended in the Guidelines would be to design a cookie banner devoid of distractions. The banner should be drafted in coherent wording, including, where possible, definitions of technical terminology illustrated with examples. It should also explain clearly the consequences of both accepting and refusing to give consent.

4. Exercising rights 

After finding out about her rights under the GDPR, Claire decides to file a request for an overview of all her personal data processed by your platform. She learns through the Q&A section that she has to consult the user account settings to initiate the procedure. There she finds a button saying “Your rights under the GDPR”. To her disappointment, she is led to a page of the Dutch version of the website, with no opportunity to consult the same information in English. The EDPB considers such language discontinuity between the regular use of the services and the exercise of data subjects’ rights to fall under another, broader category of DDPs called “fickle”. Accordingly, if a platform provides its services in additional languages (such as English), and on that basis attracts a certain group of customers, it should make sure that those customers feel as comfortable exercising their rights as they do with their regular activities on the platform. An inconsistency of this kind may in fact trigger a violation of the transparency principle under the GDPR. As best practice, the EDPB here goes as far as recommending the creation of a single dedicated form to facilitate users’ exercise and understanding of their individual rights.

5. Deletion of an account

After months of disappointing experience and having lost trust in your services, Claire decides to leave the platform and clicks on the relevant section saying “Deletion”. A page appears with a large-font title saying: “Do you really want to leave us? We and all your friends would be so sad to see you departing ☹”, on top of a large colourful “Stay with us!” button and a smaller grey “Leave ☹” button. Although the content and interface may not individually affect Claire in her decision, the EDPB would consider this undue “stirring”, contrary to the requirement of fair processing under the GDPR. The Guidelines indeed stress that, as best practice, it is important to maintain neutral language in such circumstances, in order to provide users with an adequate explanation of the consequences of deleting their account.

The EDPB has only provided limited examples of practices which may fall under the definition of a DDP, but the list is open, and the fines under the GDPR can be heavy. Not just for social media platforms, of course.

EU and national watchdogs have started sharpening their knives for DDPs. Not sure whether you are using compliant content and interface design? Get in touch with us!