Misleading “cookie” consent banners, complicated and lengthy processes for deleting accounts, or well-hidden privacy settings – such practices can be summarized under the term “dark patterns”. Website operators use these specifically to persuade users to make a decision that they do not actually want to make. But what does all this have to do with data protection? This blog post aims to shed some light on the subject.
What are dark patterns?
Before we address the question of what dark patterns have to do with data protection in concrete terms, we first need an explanation of the term. Dark patterns are design elements (e.g., the size and color of buttons) or processes on websites (e.g., changing settings and deleting the account) that do not present information objectively or make it difficult to find. The user interface of a website is often intuitive only because its structure and design are based on findings from behavioral psychology. By visiting websites, for example, we have learned that a colored button triggers an action when pressed. Dark patterns are based on exactly these behavioral patterns and lead to actions that may not be beneficial for users. One such action could be clicking a green button that says “Accept all cookies” within a consent banner. By accepting cookies, users gain unrestricted access to the content of the website, but they also consent to the processing of their personal data by all third-party services integrated into the website, even if they do not want this.
Other types of dark patterns hide desired information so well that it can no longer be found or is difficult to find. This is often the case, for example, with unsubscribing from certain services or deleting user accounts: the corresponding options are either vaguely named or do not exist on the website at all. The online shipping giant Amazon serves as a negative example here: While only a few clicks are required to sign up for its paid Prime subscription, when users try to cancel, they are confronted with numerous warnings, manipulative language, lists of supposed benefits, and irritating buttons and menu structures that send users back to the beginning of the process.
Furthermore, there are special techniques that specifically exploit our perceptions and reactions. It has been scientifically proven that people are less likely to make conscious decisions when they are flooded with information. Consent banners are again a suitable example here: If the selection of content settings is very extensive and detailed, it can be assumed that technically inexperienced users in particular will select the (default) settings preferred by the provider.
So what do dark patterns have to do with data protection?
A paper published by the European Data Protection Board (EDPB)² on dark patterns on social media platforms makes it clear that the practices described above are not compatible with the General Data Protection Regulation (GDPR). For example, dark patterns violate the principles of fairness and transparency pursuant to Article 5 (1)(a) of the GDPR or the principles of privacy by design and privacy by default pursuant to Article 25 of the GDPR. Furthermore, consent obtained with the help of consent banners may be invalid if data protection information is withheld from users, thus violating the requirements of voluntariness and informedness pursuant to Art. 7 (2) of the GDPR and Art. 7 (4) of the GDPR. However, the EDPB’s guidelines do not leave the operators of social media platforms on their own: they use concrete examples to show how to recognize and prevent dark patterns. These guidelines can also be applied to websites, even though the EDPB does not explicitly refer to them. On websites, we often encounter the same manifestations of dark patterns as on social media platforms.
What do operators of websites that use dark patterns (consciously or unconsciously) have to fear from a data protection perspective?
It is no secret that dark patterns are a thorn in the side of data protection and privacy regulators. While regulators do not usually take action on their own initiative, they are increasingly receiving complaints from privacy organizations or consumers. The NGO “noyb” (which stands for “none of your business”) led by data protection activist Max Schrems, for example, has issued warnings to a large number of website operators who have designed the consent tool of the manufacturer “OneTrust” on their website in a misleading manner. The supervisory authorities have also received numerous complaints from private individuals, for example due to misleading consent banners. The regulatory authorities are taking this as an opportunity to impose fines on website operators, some of which are high.
Dark patterns on websites are undoubtedly associated with data protection risks. In order to reduce the risk of warnings and fines to a minimum, it is therefore essential to identify and eliminate dark patterns. The data protection experts from INTARGIA Managementberatung GmbH – a valantic company – use the data protection website audit to find out, among other things, whether dark patterns are contained on your website and give you concrete recommendations for action to eliminate them.
Infobox Consent banner:
If a website contains content from third-party providers that is not required for the operation of the website (e.g. marketing or tracking services), the users' consent to the processing of their data by these services must first be obtained. This is currently done with the help of consent banners that appear the first time a website is visited (see illustration for an example).