MaRBLe Seminar on AI-assisted Consumers: Shedding Light on Dark Patterns

How does EU consumer laws address dark patterns on the Internet? This topic has been part of the scholarly debate during the panel discussion “The AI-assisted consumer”, organized on 6 December 2022 in collaboration with Glaw-Net and IGIR.

What are dark patterns?
Dark pattern designs entice internet users to take certain actions, which are not in their economic interests and detrimental to their personal data protection. These patterns mostly trick users with confusing drop-down menus and buttons to trigger a download. As ‘dark’ patterns suggest, such practices are inconspicuous or hidden to avoid consumer awareness. Encountering these patterns, visitors are nudged into taking an action, which in the absence of these practices, they would not have been taking. Wealth maximization is principal stimulus of commercial enterprises, luring individuals into making a decision against their economic interests.

Six types of dark patterns
The concept of dark patterns is devoid of a legal definition, as an explicit or exhaustive definition is neither desired nor plausible, owing to the accelerated advancement in technology and interface designs. However, what constitutes dark patterns is set out in guidelines by The European Data Protection Board (EDBP), an independent European body, observing the consistent application of data protection rules throughout the EU. The guidelines acknowledge six types of dark patterns.

Six types of dark patterns

The concept of dark patterns is devoid of a legal definition, as an explicit or exhaustive definition is neither desired nor plausible, owing to the accelerated advancement in technology and interface designs. However, what constitutes dark patterns is set out in guidelines by The European Data Protection Board (EDBP), an independent European body, observing the consistent application of data protection rules throughout the EU. The guidelines acknowledge six types of dark patterns.

(1) Overloading: burdening the visitors with profuse amount of information and possibilities to share more of their personal data:

(2) Skipping: manipulative interface design, making the data subject forget or do not think about all aspects of their data protection:

(3) Stirring: emotional nudges that influence users’ decision:

(4) Hindering: as the name suggests, impeding access to relevant information about the protection of personal data:

(5) Fickle: inconsistent and complicated interface design; and

(6) Left in the dark: hiding information or data protection tools, leaving users unsure of how their data being processed.

The EDPB considers this non-exhaustive list to educate online consumers to protect themselves against such practices and data controllers to evade these practices in their relations with online consumers. They are also important for profit-seeking companies to avoid unlawful actions.

Can data protection rules stop dark patterns?
Data protection rules in the EU contain principles that try to tackle these patterns. The General Data Protection Regulation (GDPR) establishes that they mainly infringe the principle of fairness under art. 5(1)(a) and its relation with other provisions of the Regulation. A fair processing is determined to be one in which consumers are informed about their data protection rights for consenting to data processing, including collection, storage, organization and usage of this data. This evidently renders dark patterns unfair under the GDPR. Scholars suggest that the principle of fairness  is intrinsically related to transparency and lawfulness principles. Although the principle of fairness is found to be rather vague, it allows for a broad interpretation and therefore covers potentially several patterns.

How does the Unfair Commercial Practices Directive address dark patterns?
In addition to the GDPR violations, dark patterns have been addressed by the Unfair Commercial Practices Directive (UCPD), regulating business-to-consumer practices before, during and after a commercial transaction. The EU Commission has indicated that dark patterns can be challenged both under the principle of fairness pursuant to art. 5(1)(a) GDPR and art. 5(1) UCDP. In fact, the UCPD has a broader scope than the GDPR, given that the unfair practices prevents a situation where the consumers are “likely to make a transactional decision”, which they would not be making if they were provided relevant information.

Regulating gatekeepers
Two remarkable legislative initiatives by the EU illustrate this: the Digital Services Act (DSA) and the Digital Markets Act (DMA) curb the use of dark patterns by providing an open and fair marketplace. While the DSA strives for enhanced consumer protection, the DMA aspires to promote fair competition by targeting gatekeepers.

Gatekeepers are companies that have 45 million or more monthly active users and an annual turnover of 7.5 billion euros or fulfill certain other conditions. Art. 70 of the DMA ensures that gatekeepers are prevented from recourse to the dark patterns use, where these platforms attempt to circumvent their legal obligations under the DMA. These obligations mainly concern the design and specifically require gatekeepers to avoid any interface design, which can be deceptive to the consumers. Additionally, art. 23a DSA covers three EDPB defined dark patterns – skipping, stirring, and hindering – as the provision forbids:

(a) Emphasizing specific choices more prominently over the other choices in the decision-making of the service-recipient.

(b) Repeatedly requesting a recipient of the service to make a choice, where such a choice has already been made.

(c) Rendering the subscription procedure easier than its termination.

Overall, one can conclude that the EU has recognized the dark pattern practices in the digital single market to constitute harm to the internet users. The govern the matter, it has been developing various strategies under various fields such as data protection, consumer protection and competition law. Although the synergy between data protection and consumer protection can be increased, the DSA and DMA will exhibit whether this synergy is accomplished.

By Esra Kaplan, 3rd year bachelor student European Law and Marble student of the project “The AI-assisted Consumer

Sources
Directive  2005/29/EC concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council [2005] OJ L 149/22 (Unfair Commercial Practices Directive)

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119/1 (General Data Protection Regulation – GDPR)

Regulation (EU) 2022/1925 of the European Parliament and of the Council on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828  [2022] OJ L 265/1 (Digital Markets Act)

Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC (Digital Services Act)

European Data Protection Board, ‘Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them’ [2022] European Data Protection Board

King, J. and Mckinnon E., ‘Do the DSA and DMA Have What It Takes to Take on Dark Patterns?’ (Tech Policy Press, 23 June 2022) <https://techpolicy.press/do-the-dsa-and-dma-have-what-it-takes-to-take-on-dark-patterns/> accessed 22 December 2022

Wick, J., ‘Dark Patterns: Ausgetrickst durch Design‘ (HubSpot) <https://blog.hubspot.de/marketing/dark-patterns> accessed 23 December 2022