EDPB Guidance on Dark Patterns in Social Media Interfaces

On 14 March 2022, the European Data Protection Board (EDPB) released guidelines titled Dark Patterns in Social Media Platform Interfaces: How to recognize and avoid them. These Guidelines provide best practice recommendations to designers and social media platform providers on how they can assess and avoid dark patterns in social media interfaces that violate the requirements of the GDPR.

Dark patterns are interfaces and user experiences that lead social media users into making unwilling and potentially harmful choices regarding the processing of their personal data. Dark patterns aim to hinder users’ ability to make a conscious choice with respect to their personal data and ultimately take away users’ control for the protection of their personal data.

The EDPB has recognized six major categories of dark patterns

1. Overloading
   Users are provided with too much information to push them to provide more personal data than necessary. Here, users are pushed to provide unnecessary data by being repeatedly asked about it.
   Examples:
   • continuous prompting: repeatedly asking users to provide unnecessary data,
   • privacy maze: making the user navigate through too many pages,
   • too many options: too many options to choose from leaving the user to overlook some settings or giving up data protection preferences
2. Skipping
   Deceptive designs that distract users from worrying about the protection of their personal data. Here, the most invasive features and options are already enabled by default.
   Examples:
   • deceptive snugness: most data invasive features are preselected by default,
   • look over there: distract users.
3. Stirring
   Wordings or visuals that are presented in a way that influences users’ emotional state to lead them to act against their data protection interests. This dark pattern has a higher impact on children and other vulnerable categories of data subjects. For example, users are more likely to overlook or have difficulty reading small font sizes or text written in colors that do not contrast sufficiently.
   Examples:
   • emotional steering: make users feel scared or guilty,
   • hidden in plain sight: visual styles that nudge users toward less restrictive and more invasive options.
4. Hindering
   Providing misleading information to users to either push them to provide unnecessary personal data or influence their decision by holding them up and questioning their initial choices.
   Examples:
   • dead end: while users are looking for information or control, they end up not finding it as a redirection link is either not working or not available,
   • longer than necessary: unnecessary steps required to activate data protection options,
   • misleading information: when a discrepancy between information and action available to users nudges them to do something they do not intend to.
5. Fickle
   Unclear designs that make it hard for the user to navigate the different data protection control tools or understand the purpose of the processing.
   Examples:
   • lacking hierarchy: redundancy of information,
   • Decontextualising: a data protection control is located on a page that is out of context.
6. Left in the dark
   Interfaces that hide information or data protection tools or leave users unsure of how their data is processed and what controls they have regarding the exercise of their rights.
   Examples:
   • language discontinuity: information not provided in the official language of the country where users live,
   • conflicting information: making the information unclear and unintelligible or misleading users by not matching their expectations.
   • ambiguous wording or information: vague wording or making data subjects unsure of how data will be processed or how to have control over their data.

As per the Guidelines, social media platform providers and designers should avoid the use of any dark patterns and ensure to provide a clear choice to users with respect to their personal data.

Some of the best practices recommendations as per the Guidelines are:

• Ensure the processing of personal data is not detrimental, discriminatory, unexpected, or misleading to the data subject.
• Ensure to obtain consent as per the requirements of the GDPR, i.e. consent must be freely given, specific, informed, and unambiguous wherever consent is required for data processing.
• Provide information to data subjects about their rights with respect to their personal data or any communication in a concise, transparent, intelligible, and easily accessible form and language.
• Allow easy consent withdrawal.
• Do not ask for additional and unnecessary personal data that is not required for the particular processing.
• Ensure data protection by design by avoiding the use of any deceptive or manipulative language in designs and presenting all information in an objective and neutral manner.
• Ensure data protection by default by preselecting the least data invasive features and options by default.
• Be able to demonstrate compliance by documenting consent records.

Ask for a DEMO today to understand how Securiti can help you achieve compliance with the provisions of the GDPR. In today’s digital world, it is important for organizations to implement privacy-compliant user interfaces and website designs and obtain consent as per the applicable legal requirements. Securiti’s Consent Management Solution enables you to design consent banners as per the applicable geographical requirements and avoid the use of dark patterns that can manipulate a user’s choice.