Italian Data Protection Authority issues fine for use of dark patterns

Published on 07 July 2023

The question

How can companies ensure that their websites, apps and other online interfaces comply with regulations restricting the use of dark patterns when collecting consent to the processing of personal data?

The key takeaway

Companies must ensure that their online user interfaces are designed in a way that does not manipulate or push users into making a certain choice, for example, giving consent to the processing of their personal data in a way that they did not intend or understand.

The background

The term “dark patterns” describes the techniques used on websites, apps and other online interfaces that impact on a user’s ability to make free and informed choices or decisions. The European Data Protection Board (EDPB) guidelines, “Dark patterns in social media platform interfaces: How to recognise and avoid them”, set out the different categories of dark patterns that are typically used. For example, users may be “overloaded” with a large amount of information, requests or options which nudges them to share more data than they wish; the interface may be “fickle” in that it is hard for the user to navigate the web page and understand the purpose of the data processing; or users may be “left in the dark” on how their data is processed as the online interface is designed in a way that hides or distorts key information. Companies also use dark patterns to manipulate a data subject into giving consent for the processing of their personal data.

Companies may rely upon data subject consent as a lawful basis for processing under the EU GDPR. However, consent must be freely given, specific, informed, and unambiguous and requests for consent must be clearly presented in clear and plain language. Personal data must also be processed lawfully, fairly and in a transparent manner.

The development

The Italian Data Protection Authority (Garante) issued a €300,000 fine for the use of dark patterns in breach of the EU GDPR. The digital marketing services company in question designed its website and other interfaces in a way that manipulated the consumer into giving consent. For example, if a user did not consent to the use of their data for marketing purposes and to their data being shared with a third party at the same time, a banner would open on screen containing a prominent consent button. The option for the user to continue on the page without providing consent was presented in a much less visible way, on a different part of the web page to the banner.

Users were also prompted to provide contact details for friends that might be interested in the services the user was signing up for. The font used to attract the user to do so was in bold and highlighted with an asterisk, but the option for the user to skip this stage during sign up was small and in italics. In this case, the Garante found that consent had not been properly obtained with respect to those individuals as neither the users nor their friends were provided adequate information regarding the processing of such data.

Why is this important? 

This decision highlights the increasing focus on the use of dark patterns online, framed in the broader context of the EU’s drive to improve consumer protections across the single market. In particular, by 17 February 2024 all digital services providers in scope of the Digital Services Act will be prohibited from designing, organising or operating online interfaces which deceive or manipulate the recipients of their service or materially distort or impair the ability of the recipients of their service to make free and informed decisions. In a wider context, the UK Competition and Markets Authority has also announced a new programme of enforcement focused on “Online Choice Architecture”, ie dark patterns.

Practical tips?

Companies should refer to the EDPB guidelines for helpful best practice recommendations that support EU GDPR compliant interface design on their online platforms. Companies should review their online data gathering and consent processes to ensure requests for consent are clear, not ambiguous and do not push users towards providing consent for use of their personal data.

Be aware also that “dark patterns” are now very much in the sights of consumer regulators, such as the UK’s Competition and Markets Authority. We anticipate that this may be one of the very first areas hit with fines by the CMA when it obtains its new fining powers proposed under the Digital Markets, Competition and Consumers Bill.

Summer 2023
