Skip to content
Blog

How Dark Patterns on Websites influence us and what this has to do with Data Protection

Cyber Security & Data Protection
  • Cyber Security
  • Data Protection
  • Digital Transformation
Markus Geist

November 16, 2022

Triad Dark Patterns

Share this article

Misleading “cookie” consent banners, complicated and lengthy processes for deleting accounts, or well-hidden privacy settings – such practices can be summarized under the term “dark patterns”. Website operators use these specifically to persuade users to make a decision that they do not actually want to make. But what does all this have to do with data protection? This blog post aims to shed some light on the subject.

What are Dark Patterns?

Before we address the question of what dark patterns have to do with data protection in concrete terms, we first need an explanation of the term. Dark patterns are design elements (e.g., the size and color of buttons) or processes on websites (e.g., changing settings and deleting the account) that do not present information objectively or make it difficult to find. The user interface of a website is often intuitive only because its structure and design are based on findings from behavioral psychology. By visiting websites, for example, we have learned that a colored button triggers an action when pressed. Dark patterns are based on exactly these behavioral patterns and lead to actions that may not be beneficial for users. One such action could be clicking a green button that says “Accept all cookies” within a Consent banner. By accepting cookies, we have unrestricted access to the content of the website, but we consent to the processing of our personal data by all third-party services integrated into the website, even if this is not desired by the user.  

Other types of dark patterns hide desired information so well that it can no longer be found or is difficult to find. This is often the case, for example, with unsubscribing from certain services or deleting user accounts, which are either vaguely named or do not exist on the website at all. The online shipping giant Amazon serves as a negative example here: While only a few clicks are required to sign up for its paid Prime subscription, when users try to cancel, they are confronted with numerous warnings, manipulative language, lists of supposed benefits, and irritating buttons and menu structures that send users back to the beginning of the process.

Furthermore, there are special techniques that specifically exploit our perceptions and reactions. It has been scientifically proven that people are less likely to make conscious decisions when they are flooded with information. Consent banners are again a suitable example here: If the selection of content settings is very extensive and detailed, it can be assumed that technically inexperienced users in particular will select the (default) settings preferred by the provider.

So what do Dark Patterns have to do with Data Protection?

A paper published by the European Data Protection Board (EDPB)² on dark patterns on social media platforms makes it clear that the practices described above are not compatible with the General Data Protection Regulation (GDPR). For example, dark patterns violate the principles of fairness and transparency pursuant to Article 5 (1)(a) of the GDPR or the principles of privacy by design and privacy by default pursuant to Article 25 of the GDPR. Furthermore, consent obtained with the help of consent banners may be invalid if data protection information is withheld from users, thus violating the requirements of voluntariness and informedness pursuant to Art. 7 (2) of the GDPR and Art. 7 (4) of the GDPR. However, the EDPB’s guidelines do not leave the operators of social media platforms alone and use concrete examples to show how to recognize and prevent dark patterns. These guidelines can also be applied to websites without explicit reference to them by the EDPB. As on social media platforms, we often encounter the same manifestations of dark patterns here.

What do Operators of Websites that use Dark Patterns (consciously or unconsciously) have to fear from a Data Protection Perspective?

It is no secret that dark patterns are a thorn in the side of data protection and privacy regulators. While regulators do not usually take action on their own initiative, they are increasingly receiving complaints from privacy organizations or consumers. The NGO “noyb” (which stands for “none of your business”) led by data protection activist Max Schrems, for example, has issued warnings to a large number of website operators who have designed the consent tool of the manufacturer “OneTrust” on their website in a misleading manner. The supervisory authorities have also received numerous complaints from private individuals, for example due to misleading consent banners. The regulatory authorities are taking this as an opportunity to impose fines on website operators, some of which are high.

portrait of a happy young businessman working at his office desk

Our Data Protection Website Check helps companies to reduce the risk of regulatory fines and claims for damages

With the valantic Data Protection Website Check, your website is checked for GDPR compliance. We help you to present your company online – professionally and trustworthily.

Learn more Learn more

Conclusion

Dark patterns on websites are undoubtedly associated with data protection risks. In order to reduce the risk of warnings and fines to a minimum, it is therefore essential to identify and eliminate dark patterns. The data protection experts from valantic use the data protection website check to find out, among other things, whether dark patterns are contained on your website and give you concrete recommendations for action to eliminate them.

If a website contains content from third-party providers that is not required for the operation of a website (e.g. marketing or tracking services), users must first obtain consent for the processing of their data by these services. This is currently done with the help of consent banners that appear the first time a website is called up:

Privacy Settings

Do you need support with your Website Audit? Let’s get into conversation.

Consultant, valantic Management Consulting GmbH

Markus Geist

Consultant

valantic

More on this topic

Diverse group of businesspeople discussing work while standing together in a bright modern office corridor

Cyber Security & Data Protection May 22, 2025

FinmadiG & DORA: Impact on Leasing and Factoring Companies

Financial Market Digitalization Act (FinmadiG) and Digital Operational Resilience Act (DORA) – what do these new regulations mean for leasing and factoring companies? In this blog article, we explain why DORA will also become binding for leasing and factoring companies as a result of FinmadiG, which requirements will apply from January 2025 and January 2027 and how you can prepare now.

FinmadiG & DORA: Impact on Leasing and Factoring Companies
business woman presenting financial results

Cyber Security & Data Protection March 17, 2025

National Supervisory Programme 2025-2027: Focus on Cyber Resilience and DORA

In 2025, banks and their service providers will face a multitude of new challenges: Cyberattacks are on the rise, digital dependencies are growing and DORA is bringing profound changes. But which aspects will the supervisory authorities be monitoring most critically in 2025?

National Supervisory Programme 2025-2027: Focus on Cyber Resilience and DORA
Image of Giulia Vaccaro, Cyber Researcher in Cyber Security at valantic

#valanticworld December 6, 2022

Cybersecurity on the Darknet – How do I become a Professional Hacker?

Giulia Vaccaro lives in Berlin and has been a part of the valantic team since September 2022. In an interview, she takes us along on her journey to becoming a professional hacker and tells us what the latest cyber security trends are.

Cybersecurity on the Darknet – How do I become a Professional Hacker?

Don't miss a thing.
Subscribe to our latest blog articles.

Register