News

Regulation of dark patterns in the European Union

Introduction

Use of nudge and dark patterns are prohibited within the territory of the European Union (EU). Fake countdown timers, web interfaces designed to lead consumers to purchases, subscriptions or other choices, and hidden information are most popular examples of dark patterns. However, its use outside EU territory still leaves EU consumers vulnerable.

1. What is a dark pattern

To start with the consumer shall have a possibility to make a free decision on whether to buy a product or not. If the trader tries to persuade a consumer to buy a product, he may put a higher level of pressure than it is required or allowed. When consumer buys a product or a service on online platform, he inevitably sees some design (picture) of the platform or a shop – shapes, colors, buttons, information written in a text, pictures, icons, flickering, moving elements, etc. And all this complex of visual design is what makes an online platform for distributing products and services different from onsite (offline) shopping experience.

So, the mere compilation of design, colors and shapes is a matter of legal consideration with regard to communication of information, placing marketing tools with the help of which the sellers would like to increase their sales. Here are some examples of nudge and dark patterns which may be found, as outlined by the EDBP in its Guidance on social media[1], but which generally may be applicable also to online shops (especially when they are located withing the social media):

• Overloading - large quantity of requests, information, options or possibilities;
• Skipping - designing the interface or user journey in a way that users forget or do not think about all or some of the data protection aspects;
• Stirring - affects the choice users would make by appealing to their emotions;
• Obstructing - hindering or blocking users by making the action hard or impossible (Dead end, Longer than necessary and Misleading action);
• Fickle - the design of the interface making it hard for the user to navigate control tools;
• Left in the dark - an interface designed to hide information or data protection control tools.

All these deceptive design patterns aim to influence users’ behavior and can hinder their ability to effectively protect their personal data and make conscious choices, which is prohibited by EU legislation.

Another classification mentions the following dark patterns[2]:

1. Pressure – repeatedly being asked to act or confronted with alleged norms or scarcity of goods;

2. Force – users are de facto forced to take action or acquiesce to do something;

3. Obstacles – users face various obstacles to dissuade them from taking certain actions, e.g. from cancelling subscription;

4. Sneaking – additional purchases or goods or services are imposed on users;

5. Deception and misdirection – design is created to distract from relevant information or to frustrate the usual expectations;

6. Confirm-shaming - where user interface attempts the user feel guilty for selecting their preferred option (cheaper subscription plan or service of lesser time period);

7. Pre-selection of advantageous choices – user need to tick off the preselected options requiring money payment, sending of marketing materials, expensive delivery, adding additional goods to cart;

8. False timers – countdown of the minutes left before end of the discount, when in fact there is no time limit.

2. European Union’ regulatory framework on dark patterns

The dark patterns EU framework regulation generally consists of:

(1) Unfair Commercial Practices Directive (Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market, the UCPD);

(2) General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the GDPR); and, the newly introduced

(3) Digital Services Act (Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services, the DSA).

General provisions and sanctions regime could also be found in the Directive (EU) 2019/2161 of the European Parliament and of the Council of 27 November 2019 as regards the better enforcement and modernization of Union consumer protection rules (the Directive (EU) 2019/2161).

2.1. Digital law overview (DSA)

Before DSA was enacted, UCPD and the GDPR were the main regulatory acts and, now with the DSA's explicit ban on dark patterns, it should close a loop as it catches any use of dark patterns that is not in breach of the UCPD and the GDPR.

In para (67) of DSA’ preamble dark patterns are defined as online interfaces of online platforms and practices that materially distort or impair, either on purpose or in effect, the ability of recipients of the service to make autonomous and informed choices or decisions. Similarly, EU proposal for the Data Act[3] views dark patterns as design techniques that push or deceive consumers into decisions that have negative consequences for them.

Those practices can be used to persuade the recipients of the service to engage in unwanted behaviors or into undesired decisions which have negative consequences for them. Providers of online platforms should therefore be prohibited from deceiving or nudging recipients of the service and from distorting or impairing the autonomy, decision-making, or choice of the recipients of the service via the structure, design or functionalities of an online interface or a part thereof. This should include, but not be limited to, exploitative design choices to direct the recipient to actions that benefit the provider of online platforms, but which may not be in the recipients’ interests, presenting choices in a non-neutral manner, such as giving more prominence to certain choices through visual, auditory, or other components, when asking the recipient of the service for a decision.

However, rules preventing dark patterns should not be understood as preventing providers to interact directly with recipients of the service and to offer new or additional services to them. Legitimate practices, for example in advertising, that are in compliance with Union law should not in themselves be regarded as constituting dark patterns. Those rules on dark patterns should be interpreted as covering prohibited practices falling within the scope of this Regulation to the extent that those practices are not already covered under UCPD or GDPR (Art.25 DSA).

More specifically, Article 25 of DSA on online interface design states that providers shall not design, organize or operate their online interfaces in a way that deceives or manipulates the recipients of their service.

2.2. Consumer laws overview

UCPD in its Article 5 prohibits unfair commercial practices (para.1) and states that it is unfair, and contrary to the requirements of professional diligence, and materially distorts the economic behavior of the average consumer (para 2). Article 6 UCPD prohibits misleading actions, i.e. containing false information or in any way deceiving average consumer. Article 7 UCPD covers misleading omissions, being omitting material information that the average consumer needs to take an informed transactional decision. Article 8 UCPD defines aggressive commercial practices by harassment, coercion or undue influence if it significantly impairs consumer’s freedom of choice. So, all those guidelines shall be taken into account while making design on online platforms or making promotions and advertising of products and services.

Further consumer protection rules are contained in the Directive (EU) 2019/2161. It provides that digital services and content, as well as all goods and services, are covered by the term ‘product’ and defines online marketplaces and product rankings (Art.3). It also states the need for penalties for unfair contract terms and encourages Member States to lay down the rules on penalties for infringements (Art.1). Article 2 contains specific provisions on price reductions (the previous price before the reduction must be indicated).

2.3. Data protection law overview (GDPR)

Generally speaking, GDPR is concerned with the protection of consumer data that is collected, processed and stored when a consumer visits a platform and makes a purchase, provides an address or other details for delivery, or provides further personal details (e.g. weight, height and other physical parameters, photos for fitness applications). Articles 5 and 6 of the GDPR, on the principles of processing personal data and its lawfulness, provide for not collecting excessive data and obtaining consent (free, informed and unambiguous), while processing data fairly and transparently.

Article 25 of the GDPR further imposes an obligation on data controllers to practice data protection by design as a default, with options provided in an objective manner, without manipulative language or design. Confirm-shaming, when e.g. the user is forced to feel upset for his unsubscription, could undermine Article 25 requirements. Based on the EU Court of Justice's practice, pre-ticking boxes with choices for the consumer that are beneficial to a trader is also a breach of the GRPR, an "obstacle" dark pattern.

3. Regulation of dark patterns outside EU territory

The regulation of dark patterns in other countries may be different depending on the national legislation. It is reasonable to assume that regulation in most countries is poor, simply because this is a new area and not all countries have had enough time to react, especially taking into account the specificity of the regulation and the overlap of consumer protection laws.

However, dark patterns are banned in the United Kingdom. Recently, the UK's Consumer and Markets Authority identified 21 potentially harmful forms of ‘online choice architecture’ (the term it uses for dark patterns) practices, divided into three categories:

1. those affecting choice structure (the design and presentation of options),
2. choice information (the content and framing of information provided), and
3. choice pressure (through indirect influence of choices) [4].

Dark patterns are named as «almost always harmful» and «choice overload and decoys», «sensory manipulation», «sludge», «dark nudge», «forced outcomes», «drip pricing», «complex language» and «information overload».

In fact, for the EU’ citizens there is no great need to look in details at the rules of foreign jurisdictions, as they enjoy the EU level of consumer protection under the Rome I Regulation (Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations). According to Art. 6 (consumer contracts), the EU rules should be applied if a person is domiciled in the EU (a contract is governed by the law of the country where the consumer has his habitual residence), even if the contract of sale or other rules of jurisdiction state otherwise. This means that wherever the online shop is located, it should be subject to the EU regulation on dark patterns (i.e. prohibition of nudge) if its activity is directed to EU consumers. Thus, online platforms selling services and products to the EU must comply with all restrictions on dark patterns and be aware of the EU framework. In this sense, EU customers have a strong protection of their interests as they do not have to worry about being deprived of the rights and remedies granted by the UCPD, GDPR and DSA.

Similarly, if there is a need to resolve a dispute through legal proceedings, the EU citizen is entitled to bring an action before his or her national court under the Brussels I recast (Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters). Article 18 states that in matters relating to a consumer contract, a consumer may bring an action in the courts of the Member State in which he or she is domiciled.

However, EU citizens are still vulnerable to dark patterns used by foreign online platforms, e.g. when buying goods from Chinese shops with delivery to EU territory. This is because they have to protect their interests against a counterparty in a stronger contractual position (the trader already has the consumer's money and may not be willing to return it). EU citizens would have to spend a lot of time and money to protect their interests in out-of-court procedures (by asking for a price reduction and negotiating) and also money, time and effort in further remedies (returning a poor-quality product, going to court and hiring lawyers). Perhaps the consumer would not be able to take all these actions, especially if the price of the product is not very high, which is the most common case in the average consumer situation (the cost of EU lawyers and court expenses would be higher than the price of the product).

4. Sanctions for dark patters

Member States are required to introduce effective, proportionate and dissuasive sanctions to punish traders who infringe national rules on unfair commercial practices. The amendment to Directive (EU) 2019/2161 aims to ensure that consumers who have been harmed by unfair commercial practices have the right to individual remedies (e.g. compensation for the damage suffered, price reduction, termination of the contract - Article 3.5).

The amendment to Directive (EU) 2019/2161 also sets out criteria for the imposition of fines and requires EU countries to provide for fines of up to at least 4% of the trader's turnover, or €2 million if information on turnover is not available, when national authorities of several countries cooperate on major cross-border infringements affecting consumers in several EU countries.

Conclusion

Dark patterns within the EU territory are generally prohibited by the current legislation (UCPD, GDPR, DSA). Each case of advertising, data collection and misleading design must be carefully considered within the active framework and EDPB guidelines in order not to be penalised for breaking the laws. If the online platform operates outside the EU territory but targets EU citizens, it will still be subject to the EU prohibition of unfair commercial practices and misleading design, as EU citizens will have the same level of protection and remedies as if the online platform were located in the EU territory (including in terms of jurisdiction and law applicable to consumer contracts). Fair and full information on data protection and processing rules must be provided to the consumer at the pre-sale, sale and post-sale stages. Nudge and dark patterns in user interface design should be avoided.

[1] European Data Protection Board Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognize and avoid them, https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-deceptive-design-patterns-social-media_en 

[2] Anderson Katrina & Johnson Nick. (2023). Dark Patterns – a European Regulatory Perspective. Competition Policy International, TechREG Chronicle, May 2023, pp. 3-10. Available at: https://www.competitionpolicyinternational.com/wp-content/uploads/2023/05/3-DARK-PATTERNS-A-EUROPEAN-REGULATORY-PERSPECTIVE-Katrina-Anderson-Nick-Johnson.pdf [Accessed 18 Jan. 2024].

[3] Proposal for a Regulation of the European Parliament and of the Council on harmonized rules on fair access to and use of data (Data Act), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN

[4] Anderson Katrina & Johnson Nick. (2023). Dark Patterns – a European Regulatory Perspective. Competition Policy International, TechREG Chronicle, May 2023, p.3.

By

Darina Shamatonova