GUIDE 3/2022 on Dark patterns in social media platform interfaces: How to recognize and avoid them
by Mugurel Olariu, RPD protectie date
On 14 March 2022, the EDPB adopted GUIDE 3/2022 on Dark patterns in social media platform interfaces: How to recognize and avoid them*1, a tool in public consultation until May 2, 2022.
The guide provides practical advice to designers and users of social media platforms on how to evaluate and avoid so-called “dark patterns” in social media interfaces that violate GDPR requirements.
Please note that the list of dark patterns and best practices, as well as use cases, are not exhaustive, they are only exemplifying.
We also point out that social network providers remain responsible and accountable for ensuring compliance with the GDPR of their platforms.
According to the guide, “dark patterns” are seen as user interfaces and user experiences implemented on social media platforms that lead users to make unintended, unwanted and potentially harmful decisions regarding the processing of their personal data.
These Dark Patterns are intended to influence user behavior and may impair their ability to effectively protect their personal data and make informed choices. Data protection authorities are responsible for sanctioning the use of dark models if they violate the requirements of the GDPR. The dark patterns addressed in the Guide can be divided into the following six categories: Overloading, Skipping, Stirring, Hindering, Fickle and Left in the dark.
• Overloading means users are confronted with an avalanche/large quantity of requests, information, options or possibilities in order to prompt them to share more data or unintentionally allow personal data processing against the expectations of the data subject. The following three dark pattern types fall into this category: Continuous prompting, Privacy Maze and Too Many Options.
• Skipping means designing the interface or user experience in a way that users forget or do not think about all or some of the data protection aspects. The following two dark pattern types fall into this category: Deceptive Snugness and Look over there.
• Stirring affects the choice users would make by appealing to their emotions or using visual nudges. The following two dark pattern types fall into this category: Emotional Steering and Hidden in plain sight.
• Hindering means obstructing or blocking users in their process of becoming informed or managing their data by making the action hard or impossible to achieve. The following three dark pattern types fall into this category: Dead end, Longer than necessary and Misleading information.
• Fickle means the design of the interface is inconsistent and not clear, making it hard for the user to navigate the different data protection control tools and to understand the purpose of the processing. The following two dark pattern types fall into this category: Lacking hierarchy and Decontextualising.
• Left in the dark means an interface is designed in a way to hide information or data protection control tools or to leave users unsure of how their data is processed and what kind of control they might have over it regarding the exercise of their rights. The following three dark pattern types fall into this category: Language discontinuity, Conflicting information and Ambiguous wording or information.
We appreciate that the Guide is well explained and easy to understand due to the structure pursued by the EDPB, namely: Relevant GDPR provisions, Examples of dark patterns, Best practice recommendations and Checklist of dark pattern.
Relevant GDPR provisions for dark pattern assessments:
Regarding the data protection compliance of user interfaces of online applications within the social media sector, the data protection principles applicable are set out within Article 5 GDPR. The principle of fair processing laid down in Article 5 (1) (a) GDPR serves as a starting point to assess whether a design pattern actually constitutes a “dark pattern”. Further principles playing a role in this assessment are those of transparency, data minimisation and accountability under Article 5 (1) (a), (c) and (2) GDPR, as well as, in some cases, purpose limitation under Article 5 (1) (b) GDPR. In other cases, the legal assessment is also based on conditions of consent under Articles 4 (11) and 7 GDPR or other specific obligations, such as Article 12 GDPR. Evidently, in the context of data subject rights, the third chapter of the GDPR also needs to be taken into account. Finally, the requirements of data protection by design and default under Article 25 GDPR play a vital role, as applying them before launching an interface design would help social media providers avoid dark patterns in the first place.
Examples of dark patterns in use cases of the life cycle of a social media account:
The GDPR’s provisions apply to the entire course of personal data processing as part of the operation of social media platforms, i.e. to the entire life cycle of a user account. The EDPB gives no less than 60 concrete examples of dark pattern types for the following different use cases within this life cycle:
– the sign-up, i.e. registration process;
– the information use cases concerning the privacy notice, joint controller ship and data breach communications;
– consent and data protection management;
– exercise of data subject rights during social media use; and, finally,
– closing a social media account.
Connections to GDPR provisions are explained in two ways:
– firstly, each use case explains in more detail which of the above- mentioned GDPR provisions are particularly relevant to it.
– secondly, the paragraphs surrounding the dark pattern examples explain how these infringe on the GDPR.
Best practice recommendations:
In addition to the examples of dark patterns, the Guidelines also present best practices at the end of each use case. These contain specific recommendations for designing user interfaces that facilitate the effective implementation of the GDPR.
Checklist of dark pattern categories:
A checklist of the 6 categories of dark models is presented in the Annex to these Guidelines. The Annex it provides an overview of the above mentioned categories and the dark pattern types, along with a list of the examples for each dark pattern that are mentioned in the use cases.
In conclusion, the Guidelines is a preventive, control and verification tool useful for industry controllers in establish design and developing social media platforms specific to their activity.