Products
By Use Cases By Roles
DataControls Cloud^TM
View
Learn more

Asset and Data Discovery

Discover Data Assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Discover & Classify Structured and Unstructured Streaming Data

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Protect data systems by discovering and automatically remediating misconfigurations

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog enterprise datasets

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
DataControls Cloud^TM
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Thailand PDPA

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Videos

Solution and customer videos.

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

EDPB Guidance on Deceptive Patterns in Social Media Interfaces

EDPB Guidance on Dark Patterns in Social Media Interfaces

By Privacy Research Team

Published on March 8, 2023

On 14 March 2022, the European Data Protection Board (EDPB) released guidelines titled Dark Patterns in Social Media Platform Interfaces: How to recognize and avoid them. These Guidelines provided best practice recommendations to designers and social media platform providers on how they can assess and avoid dark / deceptive patterns in social media interfaces that violate the requirements of the GDPR. Subsequently, the EDPB adopted version 2.0 of these Guidelines on 14 February 2023, titled Deceptive design patterns in social media platform interfaces: how to recognise and avoid them.

Deceptive patterns are interfaces and user experiences that lead social media users into making unwilling and potentially harmful choices, which are often geared towards the benefit of a social media platform and the detriment of the user, in relation to the processing of their personal data. Deceptive patterns aim to hinder users’ ability to make a conscious choice with respect to their personal data and ultimately take away users’ control for the protection of their personal data.

The EPDB has recognized six major categories of deceptive patterns

1. Overloading

Users are provided with too much information to push them to provide more personal data than necessary. Here, users are pushed to provide unnecessary data by being repeatedly asked about it.
Examples:

continuous prompting: repeatedly asking users to provide unnecessary data or consent to a processing purpose,
privacy maze: making the user navigate through too many pages,
too many options: too many options to choose from leaving the user to overlook some settings or giving up data protection preferences

2. Skipping

Deceptive designs that distract users from worrying about the protection of their personal data. Here, the most invasive features and options are already enabled by default.

Examples:

deceptive snugness: most data invasive features are pre-selected by default,
look over there: distract users.

3. Stirring

Wordings or visuals that are presented in a way that influences users’ emotional state to lead them to act against their data protection interests. This deceptive pattern has a higher impact on children and other vulnerable categories of data subjects. For example, users are more likely to overlook or have difficulty reading small font sizes or text written in colors that do not contrast sufficiently.

Examples:

emotional steering: patterns, wordings, or visual styles that strongly influence the users’ emotional state and lead them to act against their best interests i.e. by making users feel scared or guilty, or safe or rewarded,
hidden in plain sight: visual styles that nudge users toward less restrictive and more invasive options.

4. Obstructing

Providing misleading information to users to either push them to provide unnecessary personal data or influence their decision by holding them up and questioning their initial choices.

Examples:

dead end: while users are looking for information or control, they end up not finding it as a redirection link is either not working or not available,
longer than necessary: unnecessary steps required to activate data protection options,
misleading information: when social media providers inform users that an action on their part would lead to certain consequences, and the action actually results in a different outcome.

5. Fickle

Unclear designs that make it hard for the user to navigate the different data protection control tools or understand the purpose of the processing.

Examples:

lacking hierarchy: redundancy of information,
decontextualising: a data protection control is located on a page that is out of context,
inconsistent interface: an interface is not consistent across varied contexts or with users’ expectations,
language discontinuity: information not provided in the official language of the country where users live.

6. Left in the dark

Interfaces that hide information or data protection tools or leave users unsure of how their data is processed and what controls they have regarding the exercise of their rights.

Examples:

conflicting information: making the information unclear and unintelligible or misleading users by not matching their expectations.
ambiguous wording or information: vague wording or making data subjects unsure of how data will be processed or how to have control over their data.

As per the Guidelines, social media platform providers and designers should avoid the use of any deceptive patterns and ensure to provide a clear choice to users with respect to their personal data. The Guidelines further recommend that all data protection principles under the GDPR should be complied with during the design of user interfaces of online applications.

Some of the best practices recommendations as per the Guidelines are:

Ensure the processing of personal data is not detrimental, discriminatory, unexpected, or misleading to the data subject.
Ensure to obtain consent as per the requirements of the GDPR, i.e. consent must be freely given, specific, informed, and unambiguous wherever consent is required for data processing.
Provide information to data subjects about their rights with respect to their personal data or any communication in a concise, transparent, intelligible, and easily accessible form and language.
Lack of consent should be considered the default state.
Allow easy consent withdrawal.
Do not ask for additional and unnecessary personal data that is not required for the particular processing.
Ensure data protection by design by avoiding the use of any deceptive or manipulative language in designs and presenting all information in an objective and neutral manner.
Ensure data protection by default by pre-selecting and/or highlighting the least data invasive features and options by default.
Design a privacy dashboard, allowing users to centralize their privacy settings.
Be able to demonstrate compliance by documenting consent records.
Provide relevant links to further information, settings, or actions wherever helpful for users to navigate online interfaces.
Put options with the same processing purpose together so users can set their desired privacy settings more easily.
Provide an overview of a privacy policy at the top/start of such policy and include hyperlinks to each section. Clearly state the company contact address in the policy. Moreover, whenever any changes are made to the privacy policy, make the previous versions available and highlight the changes in the updated policy.
Clearly highlight the identity of the relevant supervisory authority and provide a link to its website.
Use consistent wordings and definitions.
Provide definitions for technical words or jargon. Moreover, provide examples to explain different processing purposes.
Make any data protection related actions or elements conspicuous on an interface that is not directly dedicated to the matter.
Whenever users create a new account on an online platform, provide them key information on data protection.
Use notifications to keep users continually aware of all aspects, changes or risks related to the processing of their data.
Use sticky navigation or provide a ‘return to top’ button to help ease navigation for users.
Provide neutral explanations for any consequences the users may face for their actions, such as withdrawing consent, or activating or deactivating an account.
Ensure cross-device consistency in relation to settings and information provision.
Provide a directory with all data protection related actions and information.
Use self-explanatory URLs for pages related to data protection settings or information.
Provide a dedicated form that helps users understand their rights and how to enforce them.

Ask for a demo today to understand how Securiti can help you achieve compliance with the provisions of the GDPR. In today’s digital world, it is important for organizations to implement privacy-compliant user interfaces and website designs and obtain consent as per the applicable legal requirements. Securiti’s Consent Management Solution enables you to design consent banners as per the applicable geographical requirements and avoid the use of deceptive patterns that can manipulate a user’s choice.