Dark patterns – deceptive interfaces in e-shops against the background of European regulations and an example of a recent penalty imposed by the Office of Competition and Consumer Protection

Recent Penalty imposed for applying dark patterns

Publication date: November 29, 2023

At the beginning of October 2023 a fine of almost PLN 5.2 million was imposed by the Polish Office of Competition and Consumer Protection on the Scandinavian distributor of supplements and PLN 110,000 on its president of the management board for using dark patterns in e-commerce.

The regulator found seven such practices in the activities of the company selling dietary supplements. The regulator assessed that consumers could be misled by the first contact with the company’s offer, boasting “over a million satisfied customers” of a given product, while this information concerned the total number of the entrepreneur’s customers. Some marketing materials also referred to alleged recommendations of the European Food Safety Authority. Above all, the manipulation of the fined company consisted in offering a free sample of a dietary supplement. When the consumer clicked to confirm his willingness to receive it, a new window opened – with a message similar to the previous one in terms of graphic form and content, but it did not concern a free sample, but an annual paid supply of a given product along with a subscription.

After analyzing complaints about this practice, the regulator found that ordering a free sample and being redirected to a paid subscription occurred in direct succession – and could not be distinguished by consumers.

Practices related to redirection and subscription of dietary supplements, including invoking social proof (“a million satisfied…”) to manipulate customers, should be treated as dark patterns (deceptive interfaces) – this is what the regulator said.

What are Dark Patterns?

In the era of universal access to e-shops and the dynamically developing e-commerce market, the issue of ethics and compliance with regulations is becoming a key element of the discussion. One of the challenges that clients and organizations currently have to face to ensure compliance of entrepreneurs’ activities with applicable regulations and protect consumer interests against practices that may violate laws or business ethics are the so-called “dark patterns”. These are subtle yet powerful interface design tools used to mislead consumers and manipulate their decisions.

The concept of dark patterns covers a variety of practices, such as intentionally obstructing service unsubscribe processes, intentionally hiding key information, or using persuasive strategies aimed at persuading customers to make decisions that are not always consistent with their actual preferences. In the context of applicable European regulations, these unfair practices are becoming the subject of increasing attention of regulatory bodies, raising questions about compliance with consumer protection standards and the need to adapt e-commerce market regulations.

In this article, we aim to look at the phenomenon of dark patterns in the context of European legal regulations, analyzing what challenges they pose to entrepreneurs, consumers and regulatory authorities. In the context of the dynamic development of technology and the growing role of e-commerce, this issue becomes particularly important for lawyers dealing with consumer protection and creating regulatory policies adapted to the challenges of the modern digital market.

EU regulations

Research conducted by the European Commission sheds disturbing light on the presence of “dark patterns” in online stores and online services in the European Union. According to confirmed data, as many as 97 percent of platforms use these practices, which not only highlights the significant scale of this phenomenon, but also indicates the growing interest in it at the European level. This issue not only attracts the attention of EU legislators, but also supervisory authorities, especially those dealing with consumer protection. Actions taken at this level suggest that the fight against “dark patterns” is becoming a priority issue on the way to securing the interests and protecting consumer awareness in the European arena.

Digital Services Act

The Digital Services Act (DSA) scheduled to come into force in February 2024, defines “dark patterns” in section 67 as tactics that significantly impact the ability of users of online platforms to make autonomous and informed choices. In short, it is about practices of deliberately misleading or limiting consumers’ ability to make decisions when using digital services, all in order to induce them to act in accordance with the intentions of a given service provider, not always to the benefit of the recipient. In the context of DSA, such manipulative strategies are expressly prohibited, and these regulations are intended to emphasize the need to ensure transparency of the activities of online platforms and respect for the autonomy and awareness of consumers.

Under DSA regulations, the concept of “dark patterns” covers a range of practices, such as deceptive choice design, that are intended to induce service recipients to take actions that benefit the online platform provider, but not necessarily the users. They also include non-neutral presentation of choices by prominence of certain options, intrusive appeals to recipients to re-select, burdensome cancellation procedures and making it difficult and confusing for users to make decisions. It is important that this list is not exhaustive and the European Commission may issue guidelines on specific practices classified as “dark patterns”, adapting to the dynamic nature of the phenomenon (Article 25(3) DSA).

Examples of using deceptive interfaces:

An illustration of the presence of dark patterns may be software that tries to install itself on our computer during the installation of another program. The offer to download or install this additional software appears in the main installation process, and messages regarding additional applications are worded in such a way that the user may get the impression that they are an integral part of the entire process, necessary for the proper functioning of the main product. This subtle trick can lead to unconscious consent to the installation of additional software, which is an example of sophisticated manipulation and the use of dark patterns.

EOD

The European Personal Data Regulatory Authority (EDPB) introduced the first Guidelines 3/2022, focusing on the phenomenon of “dark patterns” in the area of social media platforms. This term refers to sophisticated interface design strategies that are intended to influence users, distorting their ability to make decisions regarding the processing of personal data. The term “dark pattern” has been replaced by a more comprehensive term “deceptive design patterns”, which the EDPB believes better reflects the variety of deceptive practices occurring in the field of interface design.

These practices, identified as potentially harmful to the protection of personal data and the ability to make informed choices, include a variety of techniques. These include overloading users with too much information or options, deliberately omitting data protection aspects, using emotions and visuals to shape decisions, false time counters, hiding important product or service information, and obstructing the data management process. Additionally, the use of inconsistent and unclear interfaces, along with intentional concealment of information about data processing, is another dimension of this problem.

In the face of these challenges, the EDPB emphasizes the need to eliminate “dark patterns” on social media platforms, with the aim of protecting users from manipulation and guaranteeing them full transparency and control over their personal data. This initiative aims to ensure that interface design practices not only respect users’ privacy, but also enable them to make informed decisions about the processing of their data.

GDPR and Dark Patterns

The implementation of these deceptive design patterns may conflict with GDPR provisions such as:

1. The principle of fair and transparent processing of personal data (Article 5(1)(a) of the GDPR).
2. Principle of transparent information (Article 12 of the GDPR): The use of deceptive design patterns may mislead as to the purposes of data processing, constituting a violation of the principle of transparent information.
3. Principle of accountability (Article 5(2) of the GDPR).
4. Principle of data minimization and purpose limitation (Article 5(1)(b) of the GDPR): The use of deceptive design patterns may lead to excessive data collection or processing purposes that are inconsistent with the user’s original intentions.
5. Data protection by design and default requirements (Article 25 GDPR).
6. Consent requirements (Article 4(11) and Article 7 GDPR): Deceptive design patterns may affect the fairness and voluntariness of consent to the processing of personal data.
7. Provisions regarding the exercise of rights by data subjects (in particular Article 21 of the GDPR).

In a situation where the entrepreneur’s actions are considered to violate the collective interests of consumers, the entrepreneur may be punished for using dark trading patterns in online store or website. In such a case, the financial penalty may amount to up to 10% of the turnover for the previous year. If, however, dark patterns violate the provisions of the GDPR, the President of the Personal Data Protection Office may impose on the entrepreneur running a store or website a financial penalty of up to EUR 20,000,000 or 4% of the total annual turnover.

Additionally, the EDPB Guidelines include a list of good practices and specific recommendations on the design of user interfaces aimed at facilitating the effective implementation of GDPR principles. While exploring the page, the use of a constant display of the table of contents on the screen allows users to remain permanently in the content area. Thanks to this, users can easily navigate the website through links, maintaining quick access to specific sections or information. This practical measure not only makes content easier to navigate, but also improves the overall transparency and accessibility of data protection-related information. In the privacy policy, for each information on personal data protection, links should be provided that directly redirect to pages devoted to personal data protection on the platform.

Summary

In the face of the dynamic development of e-commerce and widespread access to online platforms, the issue of “dark patterns” is becoming the central point of the debate on business ethics and compliance with regulations. This is even more urging in the view of recent penalties imposed by the regulatory bodies on entrepreneurs not complying to the prescribed rules in this respect. These subtle yet impactful interface design strategies pose challenges for customers, entrepreneurs and regulators.

In the context of GDPR, the implementation of “dark patterns” may violate principles such as fair data processing, data minimization, and consent requirements. The European Personal Data Regulatory Authority (EDPB) emphasizes the need to eliminate these practices, especially in the area of social media. To sum up, the fight against “dark patterns ” is not only a matter of compliance with regulations, but also of protecting consumers against manipulation. DSA, GDPR and EDPB initiatives aimed at eliminating these practices aim to ensure transparency, autonomy and security in the digital environment of commerce and online interactions.