by Aleksandra Dymacz

Dark patterns are the elements of the interface that tend to trick consumers into making certain choices. Examples include the use of pre-ticked boxes, drop-down menus and pop-up windows or buttons that tend to be hard to shut down by the platform users. They can be considered to be a common element of the modern-day design of websites. Given their prevalence, the impact that dark patterns can have on consumers is considerable. This blog post will discuss examples of popular dark patterns and turn to the legal perspectives - of the Unfair Commercial Practices Directive and the General Data Protection Regulation to analyse in which situations can such designs be deemed illegal.

Perhaps the best way to understand what dark patterns constitute is to look at concrete examples. A website that is notoriously known for using dark patterns is booking com, a website that facilitates research and booking of accommodation around the world. In December 2019, the platform committed itself, following dialogues with the European Commission, to align its practices of presenting offers, with EU law standards. The examples that sparked controversy included a lack of transparency regarding the sponsoring of search results as well as using different techniques of creating a sense of urgency. These methods included the use of fake timers, phrases stating that someone has just booked accommodation, appearing after a while and in red colours to trigger emotional responses from the users. The Commission has imposed inter alia that the platform increases the transparency of the ranking of search results, not presenting offers as time-limited if that is not the case. The Booking com case can serve as an example of a practice that is widely known across different platforms. Hence, now that the presence of designs has been established, one should take a look at the relevant legal frameworks.

The Unfair Commercial Practices Directive (UCPD) Perspective

It should be highlighted that not all dark patterns are illegal. They can however be treated as such, both within the fields of consumer and data protection laws. When it comes to consumer protection laws, there are examples of commercial practices that are explicitly forbidden in Annex I of the Unfair Commercial Practices Directive (UCPD). One such example includes the use of timers that count down the time in order to stimulate a feeling of urgency to make a certain purchasing behaviour, which is listed as item No 7 of the Annex. Similarly, a practice involving supplying false information on market conditions by limiting the option to find alternatives is banned under No 18 of the Annex. Also, misleading free trials and subscriptions which demand unreasonable cancellation efforts can be described as misleading practices, therefore illegal under the UCPD framework. Thus, the UCPD creates regimes for assessing the illegality of dark patterns. However, the main issue remains that the designs develop very quickly - which makes it hard for the EU legislator to create the necessary frameworks of protection that would match the tempo of such developments.

The General Data Protection Regulation (GDPR) Perspective

When it comes to the General Data Protection Regulation perspective, there is an elaborate set of guidelines issued by the European Data Protection Board on avoiding dark patterns on social media platforms that could infringe upon the GDPR. The focus is placed on interfaces that can nudge users into making potentially harmful decisions related to the processing of their personal data. The European Data Protection Board divided dark patterns into several categories.

One of them is ‘overloading’, an example of which is a website sending repetitive prompts to do a certain act. The GDPR violation can relate to the fact that a user is nudged into sharing personal data by being faced with a large number of pieces of information presented to them. Another category is ‘stirring’ which relies on emotional or visual nudging. ‘Skipping’ implies creating an interface or user experience so that users will not consider certain aspects of data protection. ‘Hindering’ refers to making it difficult for users to become informed or manage their data, for example by supplying misleading information. The ‘fickle’ category includes all types of deceptive interfaces that are not clear or consistent, which in turn makes it difficult for users to understand the purpose of the processing. Last, the ‘left in the dark’ refers to an interface that hides tools which would enable users to understand how their data is being processed.

When assessing the illegality of dark patterns under the GDPR, focus should be put on the principles set out in Art.5 GDPR. The assessment can begin with the principle of fair processing under Art.5 (1) GDPR. Later on, other key principles such as those of data minimisation, transparency and accountability should be looked into (Art.5 (1) (a)(c) (2) GDPR). Should an interface be contrary to one of these principles, it can be considered to be a dark pattern not allowed under this regulation.

Thus, it can be concluded that dark patterns are misleading elements of the interface that tend to be used by almost all popular websites. Given their nudging character, they can manipulate individuals into making choices that affect their purchasing decisions as well as choices related to the management of personal data. This affects the protection frameworks as established by the UCPD as well as the GDPR. Nevertheless, despite the acknowledgement of the existence of dark patterns by the EU institutions and bodies, the sheer number of patterns in use across websites makes it difficult to enforce the removal of illegal designs. Time will show how will the EU legislator address such concerns to protect EU citizens in a more efficient manner.

Sources

Commission, ‘Guidance on the interpretation and application of Directive 2005/29/EC of the European Parliament and of the Council concerning unfair business-to-consumer commercial practices in the internal market’ (2021) OJ C 526 102.

Commission, ‘Booking.com commits to align practices presenting offers and prices with EU law following EU action’ (20 December 2019) <https://ec.europa.eu/commission/presscorner/detail/es/ip_19_6812> accessed 9 February 2023.

European Data Protection Board, ‘Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them’ (14 March 2022).