Dark Patterns: Not a new concept but will now be heavily regulated

The concept of a ‘dark pattern’ is not yet defined in law, although several pieces of legislation touch on the concept.

A dark pattern is a deceptive design tactic, used in an online environment, that is engineered to subtly manipulate the end user’s decision.

A dark pattern generally includes the following features:

  1. A design feature or environment online;
  2. that distorts, impairs, or subverts the decisions of the end user; and
  3. causes detriment or harm to the end user, such as compromised privacy or consumer exploitation.

There are a number of different laws that relate to the use of dark patterns or the related outcome of their use. We have looked at three areas: Online Safety; Data Protection; and Consumer Protection.

Online Safety: Digital Services Act, Data Act and AI Act

Digital Services Act

The Digital Services Act (the DSA) explicitly bans the use of dark patterns by online platforms in Article 25, which states that “providers of online platforms shall not design, organise or operate their online interfaces in a way that deceives or manipulates the recipients of their service or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions”. An “online interface” is defined in Article 3 as “any software, including a website or a part thereof, and applications, including mobile applications.”

The use of dark patterns by online platforms may also violate other legislation, in particular the General Data Protection Regulation (the GDPR) and the Unfair Commercial Practices Directive (2005/29/EC) (amended by Directive 2019/2161) (the UCP Directive) (which are further detailed below). However, the DSA stipulates that it does not apply to practices covered by the GDPR and the UCP Directive, limiting the scope of its application and giving those acts priority. This means that if a given practice (dark pattern) of an online platform provider violates the GDPR, its legality will be assessed by the national data protection authority according to the requirements of the GDPR, not the DSA. Examples of dark pattern practices are included in the European Data Protection Board Guidelines 3/2022 (the EDPB Guidelines). Similarly, if a practice violates national laws implementing the UCP Directive, those laws, enforced by the relevant national consumer protection authorities, will apply. It’s not yet clear how the use of dark patterns will be investigated in practice, whether the Data Protection Commission will initiate the investigation and Coimisiún na Meán will assist it or vice versa.

Data Act

The Data Act describes dark patterns as design techniques or mechanisms that “push or deceive consumers into decisions that have negative consequences for them. These manipulative techniques can be used to persuade users, particularly vulnerable consumers, to engage in unwanted behaviours, and to deceive users by nudging them into decisions on data disclosure transactions or to unreasonably bias the decision-making of the users of the service, in a way that subverts and impairs their autonomy, decision making and choice.”

Recital 34 explains that this means that businesses should not rely on dark patterns when designing their digital interfaces, particularly in a way that manipulates consumers to disclose more data. Businesses should therefore comply with the data minimisation principle as defined in the GDPR to ensure that they do not employ dark pattern practices in their interfaces.

AI Act

The AI Act focuses on the ethical use of AI, including how AI-driven tools can perpetuate dark patterns. The Act aims to ensure that AI systems do not exploit user vulnerabilities, maintaining a balance between technological innovation and consumer protection.

The AI Act prohibits the use of dark patterns within AI systems. AI can be used to develop complex dark patterns that are difficult to detect. AI developed with embedded dark patterns (where the AI’s learning capabilities involve dark patterns) intends to alter the user’s behaviour over time to make them think the dark pattern-related decisions are their own, rather than influenced by the AI.

Although dark patterns are not a new concept (which is set out further below), they are a renewed area of focus for regulators at an EU level.

Privacy: EDPB Guidance, General Data Protection Regulation (GDPR) and e-Privacy Directive

The EDPB Guidelines set out behaviours that could be identified as dark patterns. Some of the behaviours mentioned are directly prohibited under the GDPR and e-Privacy Directive (2002/58/EC) (amended by Directive 2006/24/EC, Directive 2009/136/EC). For example, the GDPR mandates that consent for data processing must be informed, freely given, and explicit. However, dark patterns often lead to “forced consent” or “bundled consent”, where users are led to agree to extensive data collection practices. Violations of GDPR principles due to dark patterns can lead to significant penalties, reinforcing the need for compliance. We have seen this recently in the TikTok decision issued by the Irish Data Protection Commission with a fine of €345 million for violations in their processing of children’s data. Among other issues, the DPC found that TikTok had implemented dark patterns by nudging users towards choosing more privacy-intrusive options during the registration process. This infringed the principle of “fairness” outlined in Article 5(1)(a) of the GDPR.

Under the ePrivacy Directive, the EDPB Guidelines focus on the means provided for social media users to give or withdraw their consent for various processing purposes, such as targeted advertising, and the types of dark pattern behaviours that can be used to impede the withdrawal of consent.

The EDPB raises concerns around dark patterns such as leading users to “dead ends” by redirecting them to irrelevant pages, providing insufficient or ambiguous disclosures, putting users through a “privacy maze” in order to exercise personal data rights, not providing user-friendly ways to exercise rights (e.g. a direct link to download a copy of their data), and making certain steps longer to action than necessary (e.g. asking users if they are “sure” they wish to take a particular action).

Consumer Protection

Consumer protection laws uphold principles of fairness and transparency and are increasingly relevant in the digital context. The UCP Directive prohibits unfair commercial practices affecting consumers’ economic interests before, during and after the conclusion of a contract. The European Commission has published guidance that confirms that the UCP Directive covers dark patterns. Article 5 of the UCP Directive includes a general prohibition on unfair commercial practices, Articles 6 and 7 prohibit misleading practices and Articles 8 and 9 prohibit aggressive practices. Examples of this include trick questions, misleading free samples and subscription traps.

The Consumer Rights Act 2022 also offers protection against dark patterns. For example, it prohibits default settings in the form of already activated checkboxes which relate to any extra payment. The enforcement of these laws, however, faces challenges in the digital domain due to the evolving nature of these deceptive practices and the global reach of digital platforms.

Conclusion and Key Actions for Businesses

The regulation of dark patterns is a complex, ever-evolving challenge that requires vigilance from all digital service providers. Businesses are not just dealing with one law or regulation, but multiple. Those operating in the digital environment must:

  1. Ensure Transparency: Design interfaces that are clear, transparent, and facilitate informed decision-making;
  2. Uphold Ethical Standards: Avoid deceptive tactics that mislead or exploit user vulnerabilities;
  3. Stay Informed of Legal Changes: Keep abreast of evolving regulations such as the GDPR, the DSA, and the AI Act and how these may impact their businesses; and
  4. Conduct Regular Audits: Regularly review and audit digital interfaces to ensure compliance with consumer protection laws.

As a first step, we recommend reviewing your business to ensure dark patterns are not being used or deployed as part of your services.

For further updates, advice and insights on dark patterns, please contact Leo Moore or your usual William Fry contact.