Deceptive patterns

Deceptive (dark) patterns on the radar of EU and national institutions - what techniques to avoid when operating on the Internet?


Manipulative techniques (also known as “deceptive interfaces” or "dark patterns") used on the Internet violate not only consumer rights, but also data protection laws. A ban on their use will soon become effective.

Recently, consumer rights in digital markets and the protection of personal data online have drawn exceptional attention from the bodies that uphold these rights at both the national and EU levels. This is a result of the rapid growth of e-commerce and increasing digitization driven by the pandemic, and of the growing incidence of consumer abuse. A key area of interest is the way online platforms are designed and the manipulative practices used on them. Audits conducted by the European Commission and the CPC (Consumer Protection Cooperation) network, i.e. consumer protection authorities from 23 EU member states, Norway and Iceland, show that up to 40% of online stores use deceptive interfaces (deceptive patterns)[1].

It should be noted that the Court of Justice of the European Union has recently held that a consumer protection authority may establish breaches of personal data protection law where these have an impact on infringements of consumer rights (judgment of 4 July 2023, Meta Platforms, C‑252/21). This means that the most active and effective administrative body in Poland will also be able to establish data protection issues (or consult the data protection supervisory authority) and impose fines. This is of utmost importance in the case of deceptive patterns that combine the consumer and data protection areas.



Deceptive interfaces in digital markets

Deceptive interfaces (otherwise known as "dark patterns" or manipulative techniques) are unethical UX methodologies aimed at designing user paths (user journeys) in such a way as to distort or limit the ability of service recipients to make independent and informed choices or decisions. Unfair practices hide or obscure the picture of the user's options and thus limit the user's freedom of action. In practice, they are intended to induce users to take unwanted or unintended actions.

Use of manipulative techniques as a violation of consumer rights

The European Commission has carried out an inspection campaign calling on national competition and consumer protection authorities to take appropriate action to eliminate unfair deceptive pattern practices. We should therefore soon expect increased activity from the President of the OCCP (i.e., Office of Competition and Consumer Protection), including informal calls to businesses or formal proceedings related to perceived deceptive pattern practices. Such proceedings have already been and are currently being conducted.[2]

In addition, in February 2023, the President of the OCCP launched a campaign to raise consumers' awareness that deceptive patterns may be used in apps and websites operated, for example, by online stores. The campaign was aimed at reminding consumers to exercise caution when navigating the Internet. At the same time, as part of the campaign, the President of the OCCP reminded consumers of the possibility of seeking help in case of fraud.

The above shows that consumer rights on the Internet are gaining importance, and that the manipulative techniques used by businesses will receive a great deal of attention from the competent authorities.

Sanctioning the use of manipulative techniques is already possible under current laws, although not explicitly. Most often, manipulative practices involve providing information to consumers in a way that may mislead them and thus influence their decisions. Therefore, they may be classified as unfair market practices violating the collective interests of consumers. If the President of the OCCP finds that such a practice has been used, a fine of up to 10% of turnover may be imposed on the entrepreneur. 

The use of manipulative techniques against consumers can result not only in liability before the Competition and Consumer Protection Authority, but also before the Data Protection Authority if their rights regarding personal data protection are violated as a result of such practices.

Comment:

The manipulative techniques used can have negative effects in different spheres, depending on the context in which they are used. One example is website design that takes advantage of the user's habits and inattention (e.g., by highlighting the consent option in a striking color while dimming the option to opt out or decline consent). Placed in the user's path, such a practice can, in the context of consumer protection, be considered manipulation leading to an unplanned purchase or to not entirely informed consent to data processing.

Data protection and manipulative interfaces

Manipulative practices have repeatedly been the focus of the European Data Protection Board (hereinafter "EDPB"). In early 2022, the EDPB issued its first guidelines on the use of so-called deceptive patterns in social media platforms, which were updated a year later[3].

In its guidelines, the EDPB categorized deceptive practices from the point of view of the effect they have on user behavior. Among them, it distinguished the use of the following types of interfaces:

  • Overloading: A user is inundated with numerous requests, information, or options in order to get the user to share more data or inadvertently allow personal data to be processed against their will.
  • Skipping: An interface or user path designed in such a way that the user forgets or does not think about the data protection aspects.
  • Stirring: An interface that uses techniques to manipulate user choice by influencing the user's emotions or by using visual incentives.
  • Hindering: Hindering or blocking a user from the process of obtaining information about his or her data or managing the data (including by making it difficult or impossible for the user to exercise his or her right).
  • Fickle: An interface design that is inconsistent and unclear, making it difficult for the user to navigate the various data protection control tools and understand the purpose of processing.
  • Left in the dark: An interface designed to hide information or data protection controls or to leave the user uncertain about how their data is being processed and the type of control they may have over it.

The above list is not exhaustive and can certainly be expanded as technology develops. Any use of deceptive technology carries the risk of unlawful processing of personal data (and, as a result, an administrative fine of up to €20,000,000 or 4% of annual worldwide turnover). Misrepresentation that leads to a lack of transparency, a lack of awareness, consent that is not freely given, or the processing of excessive data will always collide with the basic principles of data processing established in Article 5 of the GDPR.

What to pay attention to when designing a user interface?

While any Internet user can get caught up in deceptive technology, the EDPB pays special attention to vulnerable groups: children, the elderly, the visually impaired and those without extensive digital skills. Designers of sites intended for or often accessible to such groups should be especially sensitive to possible irregularities.

When designing a user interface, you need to keep in mind the requirements that stem from the current legislation - the GDPR introduces the principle of Privacy by design - taking data protection into account during the design phase (Article 25). This principle essentially involves designing interfaces and other solutions in such a way that they comply with the overall privacy regime of the GDPR. From the perspective of the deceptive practices in question, compliance with the principle of transparency and accountability will play a key role.

Do's and Don'ts

Time to verify the practices used

The prohibition of deceptive interfaces does not derive directly from data protection laws or consumer protection laws, but it can easily be derived from the legal principles provided for in these areas of law. The unambiguous prohibition of deceptive practices has also been considered in the design of new regulations aimed at protecting users of online platforms.

The Digital Services Act[4] (hereinafter "DSA") was adopted as part of the European data strategy presented by the European Commission in February 2020. The DSA establishes harmonized rules for the online environment and introduces a number of new obligations for online platform providers.

Providers will need to evaluate their interfaces for transparency and fairness to consumers: under Article 25 of the DSA, interfaces that mislead service recipients, or that manipulate or otherwise interfere with and limit the ability of recipients to make free or informed decisions, will be prohibited. At the same time, the European Commission has been given the authority to issue guidelines on specific practices for the design of web interfaces.

The DSA went into effect on November 16, 2022. Although businesses have been given until February 17, 2024 to comply with the new regulation, it is worth becoming familiar with the new requirements today in order to plan the necessary changes to the business ahead of time, or to take them into account during the design phase.

Comment:

The European legislator takes the approach of not enumerating prohibited practices in a closed catalog. While to some extent such an approach may cause concerns for businesses, the guidelines, as well as the DSA regulation, should be viewed positively. The Union seems to recognize that each solution should be judged according to the context in which it is set, which may mean more flexibility for entrepreneurs in creating their products, but also more flexibility for regulations in eliminating unfair practices. By increasing consumer awareness, the regulations will also improve the competitiveness of entities that take the protection of consumer rights and personal data seriously, which will force further changes in the digital services market and ensure a fair, diverse and consumer-serving market.

