
EXECUTIVE SUMMARY
These Guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid so-called dark patterns in social media interfaces that infringe on GDPR requirements. It is important to note that the list of dark patterns and best practices, as well as the use cases, are not exhaustive. Social media providers remain responsible and accountable for ensuring the GDPR compliance of their platforms.
Dark patterns in social media platform interfaces
In the context of these Guidelines, dark patterns are considered as interfaces and user experiences implemented on social media platforms that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data. Dark patterns aim to influence users' behaviour and can hinder their ability to effectively protect their personal data and make conscious choices. Data protection authorities are responsible for sanctioning the use of dark patterns if these breach GDPR requirements. The dark patterns addressed within these Guidelines can be divided into the following categories:
Overloading means users are confronted with an avalanche/large quantity of requests, information, options or possibilities in order to prompt them to share more data or unintentionally allow personal data processing against the expectations of the data subject.
The following three dark pattern types fall into this category: Continuous prompting, Privacy Maze and Too Many Options
Skipping means designing the interface or user experience in a way that users forget or do not think about all or some of the data protection aspects.
The following two dark pattern types fall into this category: Deceptive Snugness and Look over there
Stirring affects the choice users would make by appealing to their emotions or using visual nudges.
The following two dark pattern types fall into this category: Emotional Steering and Hidden in plain sight
Hindering means obstructing or blocking users in their process of becoming informed or managing their data by making the action hard or impossible to achieve.
The following three dark pattern types fall into this category: Dead end, Longer than necessary and Misleading information
Fickle means the design of the interface is inconsistent and not clear, making it hard for the user to navigate the different data protection control tools and to understand the purpose of the processing.
The following two dark pattern types fall into this category: Lacking hierarchy and Decontextualising
Left in the dark means an interface is designed in a way to hide information or data protection control tools or to leave users unsure of how their data is processed and what kind of control they might have over it regarding the exercise of their rights.
The following three dark pattern types fall into this category: Language discontinuity, Conflicting information and Ambiguous wording or information
Relevant GDPR provisions for dark pattern assessments
Regarding the data protection compliance of user interfaces of online applications within the social media sector, the data protection principles applicable are set out within Article 5 GDPR. The principle of fair processing laid down in Article 5 (1) (a) GDPR serves as a starting point to assess whether a design pattern actually constitutes a dark pattern. Further principles playing a role in this assessment are those of transparency, data minimisation and accountability under Article 5 (1) (a), (c) and (2) GDPR, as well as, in some cases, purpose limitation under Article 5 (1) (b) GDPR. In other cases, the legal assessment is also based on conditions of consent under Articles 4 (11) and 7 GDPR or other specific obligations, such as Article 12 GDPR. Evidently, in the context of data subject rights, the third chapter of the GDPR also needs to be taken into account. Finally, the requirements of data protection by design and default under Article 25 GDPR play a vital role, as applying them before launching an interface design would help social media providers avoid dark patterns in the first place.
Examples of dark patterns in use cases of the life cycle of a social media account
The GDPR's provisions apply to the entire course of personal data processing as part of the operation of social media platforms, i.e. to the entire life cycle of a user account. The EDPB gives concrete examples of dark pattern types for the following different use cases within this life cycle: the sign-up, i.e. registration process; the information use cases concerning the privacy notice, joint controllership and data breach communications; consent and data protection management; exercise of data subject rights during social media use; and, finally, closing a social media account. Connections to GDPR provisions are explained in two ways: firstly, each use case explains in more detail which of the abovementioned GDPR provisions are particularly relevant to it. Secondly, the paragraphs surrounding the dark pattern examples explain how these infringe on the GDPR.
Best practice recommendations
In addition to the examples of dark patterns, the Guidelines also present best practices at the end of each use case. These contain specific recommendations for designing user interfaces that facilitate the effective implementation of the GDPR.
Checklist of dark pattern categories
A checklist of dark pattern categories can be found in the Annex to these Guidelines. It provides an overview of the abovementioned categories and the dark pattern types, along with a list of the examples for each dark pattern that are mentioned in the use cases. Some readers may find it useful to use the checklist as a starting point to discover these Guidelines.