Definition of dark patterns sheds light on concerns including exiting subscriptions easily while raising applicability questions
The Digital Services Act (DSA) is now in almost final form and expected to become law in the European Union in the autumn. As a result of an amendment proposed by the Greens-European Free Alliance in the European Parliament, the legislation will now include the first express prohibition on "dark patterns" in EU law.
The prohibition gives some insight into the core concerns of EU legislators in relation to dark patterns and hints at where the wider dark-patterns legislative and enforcement agenda may go in the future.
The definition of dark patterns limits the practice to online interfaces (as opposed to more general concepts that relate more broadly to design within the digital environment). However, the definition is otherwise very broad in that it simply says it is something that deceives, manipulates or otherwise materially distorts a user's ability to make free and informed decisions.
It only covers dark patterns that fall outside of the Unfair Commercial Practices Directive (UCPD) and General Data Protection Regulation (GDPR). This raises the question of what, in effect, the DSA prohibition will actually catch, particularly in light of the fact that the EU has published a report setting out how most dark patterns would be caught by one or other of these pieces of legislation.
The definition includes (non-exhaustive) examples of specific practices, which may serve as specific guidance and suggest that these are of particular concern. These include:
- giving more prominence to certain choices when asking the recipient of the service for a decision;
- repeatedly requesting a recipient of the service to make a choice where such a choice has already been made, especially by presenting a pop-up that interferes with user experience; and
- making the procedure of terminating a service more difficult than subscribing to it.
Dark patterns have been a growing concern for legislators, regulators and courts in the EU and UK for some time. One of the main issues has been identifying what amounts to a dark pattern in practice and when this amounts to an issue of sufficient seriousness to constitute a breach of existing legislation such as the UCPD or GDPR – particularly as neither piece of legislation has any express reference to dark patterns.
In theory, the fact that the DSA provides an actual definition of a dark pattern should help to identify the issues. However, in reality, applying a test of something that deceives, manipulates or otherwise materially distorts a user's ability to make an informed decision will be well-nigh impossible without guidance on how this is expected to be practically applied.
Clearly, the intention is to provide guidance on specific areas that should help to facilitate this; but, unfortunately, this will not happen immediately. In the meantime, companies looking to comply will need to rely on other sources such as the existing guidance under the UCPD, the European Data Protection Board draft guidance on dark patterns on social media and the EU's recent report into the issue.
The list of areas where guidance is going to be forthcoming does give an insight into where legislators have specific concerns. Unsurprisingly, cancellation buttons are included in the list. Enabling consumers to exit subscriptions easily has been identified as a particular issue in a number of European jurisdictions, including Germany, where there is specific legislation, and the UK, where there are proposals to introduce a requirement to have cancellation buttons (though existing national legislation seems to be limited to paid contracts, contrary to the new provisions in the DSA).
However, it is intriguing that it made the list in light of the fact that the prohibition only applies if the UCPD does not apply. According to the EU's report, "roach motel" (where there is an asymmetry between signing up and cancelling) dark patterns are already a breach of the UCPD. There are examples of enforcement on this basis by the EU's Consumer Protection Cooperation Regulation, the Norwegian Consumer Council and the UK's Competition and Markets Authority, which recently required gaming companies to give undertakings in this regard.
Given that there is an established practice of enforcement already under the UCPD, it is unclear why this is a particular focus of the DSA; that said, from the perspective of a company suffering potential enforcement, it is likely that the fines for breach of the UCPD, which are typically up to 4-10% of annual turnover in the Member State concerned, are still preferable to DSA fines, which are up to 6% of worldwide turnover.
The carveout for practices already covered by the UCPD and GDPR is likely to mean that the prohibition under the DSA has less practical effect than might be anticipated. According to the EU’s report, the only currently identified dark patterns that are not definitely caught by one or the other of these pieces of legislation are "infinite scroll" and "auto play"; although the report does note that next-generation dark patterns and dark patterns in the metaverse may take on new forms that are not currently caught by existing legislation.
In the meantime, the only other obvious area where the DSA could apply immediately is in relation to business-to-business activity, which would not be governed by either the UCPD or GDPR as they are consumer legislation.