The emergence of dark patterns as a legal concept in case law

Cristiana Santos, University of Utrecht, The Netherlands
Arianna Rossi, LIDER Lab, Scuola Superiore Sant’Anna, Pisa, Italy

PUBLISHED ON: 31 Jul 2023

On the 23 February 2023, the Italian Data Protection Authority (DPA) issued a decision against Ediscom S.p.A. (Garante per la Protezione dei Dati Personali, 2023) explicitly referring to “dark patterns”1, i.e. online design choices that manipulate users’ decision-making to benefit digital services. The imposed fine of 300,000 euros was due because, on some of its websites, the company employed dark patterns (hereafter DPs) to illegally entice data subjects to consent to the processing of their personal data for marketing purposes. This decision is significant as it is the first time in Europe that a DPA directly states that the use of DPs amounts to GDPR infringements, namely of the lawfulness, transparency and fairness principles (Article 5(1.a)), consent requirements (Articles 4(11), 7(2)) and data protection by design and by default (Article 25). So far, case law sanctioned (Brignull et al., 2023) certain design practices without referring explicitly to DPs. This pioneer ruling sets a precedent for further regulatory decisions and case law.

Mentioning dark patterns - a good practice

Even though the term DPs is well known among the professional public, expressly mentioning DPs in decisions is a good practice for four main reasons. First, it can promote the adoption of a common language that is urgently needed to detect, prohibit and sanction this widespread phenomenon. Second, it is particularly important in light of current legislation2 that explicitly defines DPs, e.g. Article 25 and Recital 67 of the Digital Services Act. Thus, in the future, DPs will inevitably be mentioned in legal documents such as decisions and court proceedings. Third, it fosters a systemic approach to DPs, helping avoid fragmentation among different regulators; it connects academics, practitioners and watchdogs working on DPs; and it provides meaningful application to the knowledge, methods and tools developed by the research community. Fourth, it may work as a deterrent for companies3 due to the related sanctions and bad publicity. As a consequence, companies can better assess the risks and the compliance of their designs, while policymakers can raise awareness of the scale of DP use and intensify enforcement.

Another important aspect of the decision is the acknowledgement of the intentional implementation of manipulative consent mechanisms: the specific design of the user interface (for example, the use of different fonts for two options that should be symmetric) was not the result of a random or erroneous application. Moreover, the decision recognises that manipulation in consent interactions can impact and circumvent users’ cognitive abilities, and thus subvert their autonomy and decision-making. As research shows, DPs may lead to several harms (Gunawan et al., 2022), such as privacy harms, cognitive burden, undue unnecessary time and attention spending, among others.

To create the body of evidence for the decision, the DPA took screenshots of the infringing practices. To the best of our knowledge, this decision was the first that contained images in addition to textual descriptions, even if they are unfortunately published online in a low quality that makes them barely readable. Visualisations in legal literature can help demonstrate the presence of DPs and provide evidentiary examples for future decisions on similar types of interfaces.

Limitations of the decision

The decision is the first to make explicit mention to the European Data Protection Board (EDPB)’s Guidelines 3/2022 on the topic (European Data Protection Board, 2023). Yet, it does not use any concrete DP type contained therein. Leveraging the EDPB’s terms, we posit that the DPs identified in Ediscom’s websites correspond to: i) ‘’longer than necessary”: users that refused consent to marketing faced an additional consent pop-up which raises unnecessary complexity in the navigation process; ii) ‘’lacking hierarchy’’: the option to continue without consent was not easily visible but placed at the bottom of the page as a hyperlink outside the pop-up instead of a button, written in a smaller font than the rest of the text; iii) some of the websites included the option “invite a friend” wherein users were enticed to provide contact details of friends who could potentially be interested in subscribing to the service. While the EDPB does not include such a category of DP, scholarly and policy terminology coin it as ‘’social pyramid” (OECD, 2022). This lack of uniformed classification may hinder the recognition of problematic design practices in enforcement cases.

The decision refers to several other practices that could be identified as DPs.4 This omission may be explained by the fact that consent-related DPs, especially in cookie banners, are overly represented in research and decisions as they are more visible and easily inspectable than others. However, other design practices along the user journey of a digital service can also be problematic, even if they have been less scrutinised to date. Regardless of the narrow perspective taken in the decision, we praise the DPA for considering the user journey alongside the user interface, therefore going beyond the limited representation of DPs as static interface elements and more realistically acknowledging online processes where various DPs can be combined.

The need for a common vocabulary about dark patterns

A common, shareable vocabulary must be created by the community with the purpose of detecting and describing a varied set of DP practices to enhance legal certainty and to reliably refer to this emerging domain of practice and research. To date a plethora of siloed DPs classifications exists (often fragmented by domain, context and technology type), instead of a convergence towards a common representation of DP knowledge needed for different sectors (regulation, civil society advocates, academia, business, technologists), disciplines (law, design, computer science, economy, etc.) and goals (sanction, analyse, detect, denounce, etc.). Such vocabulary, following recent efforts (Gray et al., 2023), can raise many opportunities; it is the first step to i) enable information retrieval and traceability, ii) support the detection of DPs (through automated or manual approaches), iii) help coordinate the enforcement of different legislative instruments and reduce the risks of gaps or overlaps. For instance, the Italian DPA has already added the keyword “dark pattern” to the available tags of their online database - a useful effort that should be extended to official and unofficial searchable databases of DPAs’ decisions. Meanwhile, DPAs should adopt the EDPB guidelines’ vocabulary and embed it into their decisions to have a greater impact on the prevention of manipulative practices and to tighten the relation between policy and enforcement.

Acknowledgements

This work was partially funded by the PNRR/NextGenerationEU project "Biorobotics Research and Innovation Engineering Facilities “IR0000036” – CUP J13C22000400007".

Part of this work was carried out while Arianna Rossi was employed at the SnT, University of Luxembourg and funded by the Luxembourg National Research Fund (FNR)’s grant agreement no. IS/14717072 (DECEPTICON: Deceptive patterns online).

References

Brignull, H., Leiser, M., Santos, C., & Doshi, K. (2023). Deceptive patterns database of legal cases [database]. Deceptive Patterns. https://www.deceptive.design/cases

European Commission, Directorate-General for Justice and Consumers, Lupiáñez-Villanueva, F., Boluda, A., & Bogliacino, F. (2022). Behavioural study on unfair commercial practices in the digital environment: Dark patterns and manipulative personalisation: final report [Report]. Publications Office of the European Union. https://data.europa.eu/doi/10.2838/859030

European Data Protection Board. (2023). Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: How to recognise and avoid them. Version 2.0 [Guidelines]. European Data Protection Board. https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-deceptive-design-patterns-social-media_en

Garante per la Protezione dei Dati Personali. (2023). Provvedimento prescrittivo e sanzionatorio nei confronti di Ediscom S.p.A - 23 febbraio 2023 [9870014] [Prescriptive and sanctioning measure against Ediscom S.p.A- 23 February 2023 [9870014]] [Decision]. Garante Privacy. https://www.garanteprivacy.it:443/home/docweb/-/docweb-display/docweb/9870014

Gray, C. M., Santos, C., & Bielova, N. (2023). Towards a preliminary ontology of dark patterns knowledge. Extended Abstracts of the 2023 CHI Conference on Human Factors in Computing Systems, 1–9. https://doi.org/10.1145/3544549.3585676

Gunawan, J., Santos, C., & Kamara, I. (2022). Redress for dark patterns privacy harms? A case study on consent interactions. Proceedings of the 2022 Symposium on Computer Science and Law, 181–194. https://doi.org/10.1145/3511265.3550448

OECD. (2022). Dark commercial patterns (Report 336; OECD Digital Economy Papers, Vol. 336). OECD Publishing. https://doi.org/10.1787/44f5e846-en

Footnotes

1. The term dark patterns is also referred to using different nomenclatures, e.g. deceptive design, damaging patterns, manipulative online choice architecture or online misleading influencing techniques. However, dark patterns is now a legal term since it is mentioned in legislative documents.

2. Among others like Recital 70 and Article 13(4) of the Digital Markets Act, and Recital 34 and Article 6(2) of the proposed Data Act.

3. Nowadays, dark patterns are the norm rather than the exception of online services, as shown by a recent study by the European Commission that demonstrates that 95% of the most used websites and applications in Europe contain at least one (European Commission et al., 2022).

4. For example, among other practices, ‘’dead end’’: a website did not show the privacy policy before starting to collect personal data, but the link to the privacy policy was only displayed after the user was asked to consent; ‘’hidden in plain sight’’: Ediscom asked several unnecessary questions unrelated to the service to profile users without consent, wherein the option to ignore or skip them was not clearly visible.

Add new comment