The European Data Protection Board Having regard to Article 70 and (1e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018,1 Having regard to Article 12 and Article 22 of its Rules of Procedure,
HAS ADOPTED THE FOLLOWING GUIDELINES
1 SCOPE The aim of these guidelines is to provide recommendations and guidance for the design of the interfaces of social media platforms. They are aimed at social media providers as controllers of social media, who have the responsibility for the design and operation of social media platforms. With reference to the social media providers, these Guidelines aim to recall the obligations coming from the GDPR, with special reference to the principles of lawfulness, fairness, transparency, purpose limitation and data minimisation in the design of user-interfaces and content presentation of their web services and apps. The aforementioned principles have to be implemented in a substantial way and, from a technical perspective, they constitute requirements for the design of software and services, including user interfaces. An in-depth study is made on the GDPR’s requirement when applied to user interfaces and content presentation, and it is going to be clarified what should be considered a “dark pattern”, a way of designing and presenting content which substantially violates those requirements, while still pretending to formally comply. These Guidelines are also suitable for increasing the awareness of users regarding their rights, and the risks possibly coming from sharing too many data or sharing their data in an uncontrolled way. These Guidelines aim to educate users to recognize “dark patterns” (as defined in the following), and how to face them to protect their privacy in a conscious way. As part of the analysis, the life cycle of a social media account was examined on the basis of five use cases: “Opening a social media account (use case 1), “Staying informed on social media” (use case 2), “Staying protected on social media” (use case 3), “Staying right on social media: data subject rights” (use case 4) and “So long and farewell: leaving a social media account” (use case 5). In these Guidelines, the term “user interface” corresponds to the means for people to interact with social media platforms. The document focuses on graphical user interfaces (e.g. used for computer and smartphone interfaces), but some of the observations made may also apply to voice-controlled interfaces (e.g. used for smart speakers) or gesture-based interfaces (e.g. used in virtual reality). The term “user experience” corresponds to the overall experience users have with social media References to “Member States” made throughout this document should be understood as references to “EEA Member States”. 1
Adopted - version for public consultation
6
