
Dark patterns in the DSA
The EU legislator's interest in deceptive interfaces reflects the growing importance of individual rights online.
What is the Digital Services Act?
The Digital Services Act (DSA) is a new EU regulation whose primary aim is to create a safer online environment for users and digital businesses.
The DSA is part of a package of legal acts regulating the digital services economy in the EU, which also includes the Digital Markets Act.
We wrote more about this here.
The DSA imposes a range of obligations on providers of intermediary services, which include:
- "mere conduit" services, that is, the transmission of information provided by a recipient of the service in a telecommunications network, or the provision of access to a telecommunications network;
- caching services, that is, the transmission of information provided by a recipient of the service in a telecommunications network, involving the automatic, intermediate and temporary storage of that information solely for the purpose of making the onward transmission of the information to other recipients upon their request more efficient;
- hosting services, that is, the storage of information provided by a recipient of the service at the recipient's request. Hosting services include, among others, services provided through online platforms, which enable a recipient of the service to store and publicly disseminate information upon request (Facebook and YouTube, for example, can be considered online platforms).
What are dark patterns?
Deceptive interfaces (known as dark patterns) are methods or design patterns in the digital environment intended to influence a user so that they navigate within the interface along a specific path or make particular decisions that are not necessarily in their own interest.
In other words, deceptive interfaces limit a user's ability to make informed and independent choices by obscuring or hiding the full picture of the options available to them.
Examples of such practices include:
- coercing consent, for instance by omitting or hiding the option to refuse consent, or by pre-ticking a consent checkbox;
- triggering negative emotions (nagging), that is, encouraging users toward a particular choice by phrasing the refusal option in a way that casts the user in a bad light if they use it;
- imposing additional charges (drip pricing), that is, "slipping" new items into the user's basket that were not known to the user when the order was started;
- making it harder to cancel an order, that is, designing the user journey so as to hide the option to cancel the service from the user (a practice once used by Amazon on the Prime platform);
- hidden advertising, for instance placing ads on social media in a way that blends them into the platform's interface.
Why do we have deceptive interfaces, and what makes them work?
Deceptive interfaces most often rely on cognitive biases and exploit certain vulnerabilities of the human brain.
For example, you can create a false sense of urgency or limited availability in a buyer and push them toward a compulsive purchase by placing a countdown timer to the end of the offer on the online store's page.
Going further, if we overwhelm a user with various pieces of information while simultaneously drawing their attention to a specific place or field, the user will very likely focus their attention and click on precisely that field (this vulnerability is often exploited when designing cookie banners).
The use of deceptive interfaces can bring tangible and measurable benefits to the entities that employ them.
They make it possible to induce a consumer to share more information about themselves or to spend more money.
This in turn translates (directly or indirectly) into increased profits for the owner of the platform, store, or online service.
Dark patterns under the European Commission's scrutiny
Unfortunately, the economic benefits associated with the use of dark patterns have made their presence widespread in online stores and other types of online platforms.
According to a sweep conducted in 2022 by the European Commission, manipulative practices that exploit consumers' vulnerabilities or outright deceive them are used on nearly 40% of websites that allow online shopping.
The sweep was carried out in cooperation with the consumer protection authorities of various Member States and covered 399 online stores from different industries.
The interest in deceptive interfaces shown by the European Commission and the authorities responsible for enforcing EU consumer protection rules reflects the growing importance of consumer rights online.
The legal framework around dark patterns to date
Before the DSA entered into force, there were no provisions that explicitly prohibited the use of deceptive interfaces.
This does not mean, however, that they went entirely unsanctioned; restrictions on their use could be derived from consumer protection statutes and personal data protection rules.
Existing examples of provisions sanctioning the use of dark patterns:

Provision: Article 4(1) of the Act on Counteracting Unfair Market Practices (UPNPR)
Content of the provision: a market practice is unfair if it is contrary to good morals and materially distorts or may distort the market behavior of the average consumer.
Application to dark patterns: the use of dark patterns may undermine good morals and materially distort consumer behavior, and thus be regarded as an unfair market practice.

Provision: Article 24 of the Act on Competition and Consumer Protection
Content of the provision: it is prohibited to use practices that harm the collective interests of consumers; a practice infringing the collective interests of consumers is understood to include, among others, unfair market practices.
Application to dark patterns: the use of dark patterns, as an unfair market practice, may also be regarded as a practice harming the collective interests of consumers.

Provision: Article 5(1)(a) GDPR
Content of the provision: personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Application to dark patterns: the use of dark patterns, where it involves the processing of personal data, may breach the principle of transparency of processing.

Provision: Article 4 GDPR
Content of the provision: the data subject's consent to the processing of their personal data must, among other things, be freely given and informed.
Application to dark patterns: the use of dark patterns, where it involves the processing of personal data, may breach the requirements for consent to data processing (as regards it being freely given and informed).

Provision: Article 25 GDPR
Content of the provision: the controller is obliged to take data protection into account at the design stage of solutions whose use entails data processing.
Application to dark patterns: the use of dark patterns, where it involves the processing of personal data, may breach the obligation to take data protection into account at the design stage (privacy by design).
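The consent-related practices described above (pre-ticked checkboxes, a missing or hidden refuse option, consent that is not informed) are structural properties of an interface, so a reviewer can check for them mechanically before a legal assessment. The following is an added example, not code from the article or from dotlaw: it models a first-layer consent dialog as plain data and audits it against those properties, plus the three practices singled out in Article 25(3) of the DSA (unequal prominence of choices, repeated prompting after a decision, withdrawal harder than consent). The data shape, field names and rule wording are assumptions made for this example; a clean result is a review aid, not a legal conclusion.

```javascript
// Constructed sample dialogs (the object shape is an assumption for this example,
// not a real consent-management format). One uses the practices the article
// describes; the other is the corrected form.
const DECEPTIVE_DIALOG = {
  purposes: [
    { id: 'analytics', description: 'Usage statistics', checked: true },   // pre-ticked
    { id: 'ads', description: '', checked: true },                          // pre-ticked, no description
  ],
  buttons: [
    { action: 'accept', label: 'Accept all', style: 'primary', hidden: false },
    { action: 'reject', label: 'No thanks', style: 'link', hidden: true },  // refuse option hidden
  ],
  repromptsAfterDecision: true,   // nagging: the banner returns after a choice was made
  stepsToConsent: 1,
  stepsToWithdraw: 4,             // withdrawal buried several screens deep
};

const COMPLIANT_DIALOG = {
  purposes: [
    { id: 'analytics', description: 'Usage statistics', checked: false },
    { id: 'ads', description: 'Personalised advertising', checked: false },
  ],
  buttons: [
    { action: 'accept', label: 'Accept all', style: 'primary', hidden: false },
    { action: 'reject', label: 'Reject all', style: 'primary', hidden: false },
  ],
  repromptsAfterDecision: false,
  stepsToConsent: 1,
  stepsToWithdraw: 1,
};

// Audits a dialog and returns a list of findings; an empty list means no
// structural dark-pattern indicator was detected.
function auditConsentDialog(dialog) {
  const findings = [];
  const purposes = dialog.purposes || [];
  const buttons = dialog.buttons || [];

  for (const p of purposes) {
    // Consent must be an affirmative act: nothing may be ticked in advance.
    if (p.checked) findings.push(`pre-ticked consent for "${p.id}"`);
    // Informed consent: every purpose needs a description the user can read.
    if (!p.description || !p.description.trim()) findings.push(`no description for "${p.id}"`);
  }

  const accept = buttons.find((b) => b.action === 'accept');
  const reject = buttons.find((b) => b.action === 'reject');
  if (!reject) {
    findings.push('no reject option on the first layer');
  } else if (reject.hidden) {
    findings.push('reject option is hidden');
  } else if (accept && accept.style !== reject.style) {
    // Article 25(3)(a): giving more prominence to one choice over the other.
    findings.push('reject option is less prominent than accept');
  }

  // Article 25(3)(b): repeatedly asking for a choice already made.
  if (dialog.repromptsAfterDecision) findings.push('user is re-prompted after a decision was made');
  // Article 25(3)(c): ending (here, withdrawing) must not be harder than starting.
  if ((dialog.stepsToWithdraw || 0) > (dialog.stepsToConsent || 0)) {
    findings.push('withdrawing consent takes more steps than giving it');
  }
  return findings;
}

// Stand-alone run: prints the findings for both constructed dialogs.
console.log('deceptive:', auditConsentDialog(DECEPTIVE_DIALOG));
console.log('compliant:', auditConsentDialog(COMPLIANT_DIALOG));
```

The checks are deliberately limited to what can be read off the interface's structure; emotional phrasing of the refusal option (the "nagging" example above) is not something a rule of this kind can judge reliably, so it is left to human review.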
The owner of the TikTok platform recently learned the hard way that the use of manipulative practices in the user journey can constitute a breach of the GDPR.
In September, the Irish Data Protection Commission imposed an administrative fine of EUR 345 million on the Chinese corporation ByteDance.
According to the Commission's findings, the default privacy settings on minor users' profiles were designed so that content posted by those users was publicly accessible.
At the same time, information about the public nature of the accounts was not communicated to users in a transparent manner, and changing the privacy settings was made difficult (the service used dark patterns to induce users to choose options that compromised their privacy).
The authority regarded such practices as a breach of, among others, the principle of transparency (Article 5(1)(a) GDPR), data minimization (Article 5(1)(c) GDPR), and the obligation to take data protection into account at the design stage (Article 25 GDPR).
Dark patterns in the eyes of the EDPB
Deceptive interfaces have also been a subject of interest for the European Data Protection Board (EDPB); in 2022 the EDPB published guidelines on so-called dark patterns in social media platform interfaces.
Although the guidelines concern only the use of deceptive interfaces on social media, they may serve as a valuable interpretive reference for similar practices on other types of platforms or services as well.
In its guidelines, the EDPB distinguishes the following types of deceptive interfaces:
- overloading: those in which the user is flooded with a large number of requests, pieces of information, or options in order to induce them to share more data or to unintentionally allow the processing of personal data against their will;
- skipping: those in which the interface or user journey is designed so that the user forgets or does not think about data protection aspects;
- stirring: those that influence the user's choice by appealing to their emotions, including through the use of visual cues;
- obstructing: those that hinder or block the user from obtaining information about their data or managing that data;
- fickle: those in which the interface design is inconsistent and unclear, making it hard for the user to navigate the various data protection controls and understand the purpose of processing;
- left in the dark: those designed to hide information or data protection controls, or to leave the user uncertain about how their data is processed and the type of control they can exercise over it.
Dark patterns and the DSA provisions
Article 25 of the DSA explicitly prohibits the use of deceptive interfaces.
It is worth noting, however, that under the DSA this prohibition applies only to providers of online platforms, leaving out the other types of intermediary service providers.
1. Providers of online platforms shall not design, organize, or operate their online interfaces in a way that deceives or manipulates the recipients of their service or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions.
2. The prohibition in paragraph 1 shall not apply to practices covered by Directive 2005/29/EC or Regulation (EU) 2016/679.
3. The Commission may issue guidelines on how paragraph 1 applies to specific practices, in particular:
(a) giving more prominence to certain choices when the recipient of the service is asked for a decision;
(b) repeatedly requesting that the recipient of the service make a choice where such a choice has already been made, in particular by presenting pop-ups that interfere with the user's experience;
(c) making the procedure for terminating a service more difficult than subscribing to it.
Moreover, the prohibition does not apply to practices covered by Directive 2005/29/EC (the Unfair Commercial Practices Directive, implemented in Poland through the UPNPR) or Regulation 2016/679 (GDPR).
This means that a given practice can be sanctioned under Article 25 only if it is not classified as a breach of the UPNPR or the GDPR.
In practice
The clear separation of the DSA's legal regime from the UPNPR and the GDPR means that, in reality, the scope of application of Article 25 of the DSA may be very narrow.
In practice, dark patterns are most often used precisely in order to deceive either the consumer or the data subject.
The DSA could, however, apply, for example, to practices used on online platforms that handle transactions between professional entities (B2B).
At the time of this article's publication (November 2023), it had still not been officially decided which Polish authority would be tasked with supervising the application of the DSA provisions, as there is no statute addressing this and other technical matters related to the application of the DSA.
Regardless of the above, the introduction of the DSA by the EU legislator, as well as the European Commission's interest in the topic of dark patterns, reflect the growing importance of individual rights online.
The DSA entered into force in November 2022, but businesses have until 17 February 2024 to bring their practices into line with the new regulation.
That is why it is worth familiarizing yourself with the upcoming changes now and adapting your operations to the new legal reality.

dotlaw is an AI-native law firm for technology companies. Specializations: AI Act, GDPR, MiCA, ISO 27001, IT contracts, M&A in tech.

