The manipulation of people’s personal data happens all over the Internet. We can find it in most online environments, but especially in social media platforms. In order to address this issue, last year the European Data Protection Board (EDPB) released guidelines titled Dark Patterns in Social Media Platform Interfaces: How to recognize and avoid them.
What exactly are dark patterns?
The Guidelines define dark patterns as interfaces and user experiences implemented on social media platforms that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data. Dark patterns aim to hinder users’ ability to make a conscious choice with respect to their personal data and ultimately exploit it without the users’ consent.
In the document, the EDPB has recognised six major categories of dark patterns:
1. Overloading occurs when users are confronted with a large number of requests or choices, or are bombarded with information, in order to push them to share more data or to unintentionally allow personal data to be processed against their expectations. Examples of overloading are:
- Continuous prompting – Repeatedly asking users to provide more data than necessary
- Too many options – With too many options to choose from, the user will inevitably overlook some settings or give up data protection preferences, unable to make any choice at all.
2. Skipping happens when the interface has been purposefully designed to distract users from worrying about the protection of their personal data. For example:
- Deceptive snugness – When websites pre-select the most intrusive privacy settings as default settings.
- Look over there – Drawing users’ attention away from data protection issues with distracting language or irrelevant information.
3. Stirring uses wording and visuals in a way that influences users’ emotional states and leads them to act against their data protection interests. This dark pattern has a higher impact on children and other vulnerable categories of data subjects.
- Emotional steering – conveying information in either highly positive or highly negative ways in order to evoke extreme feelings.
- Hidden in plain sight – visual styles that nudge users toward less restrictive, i.e. more invasive options.
4. Hindering prevents users from obtaining information or managing their data by making these actions excessively difficult or impossible. Examples are:
- Dead end – while looking for information or controls, the user ends up not finding them because a redirection link is missing or doesn’t work at all
- Longer than necessary – making the path to choosing data protections more difficult by adding unnecessary steps, while making the more invasive options more accessible
5. Fickle is based on unreadable and unclear interface design. Consequently, users struggle to understand the mechanisms and purposes of the data processing. This pattern includes:
- Lacking hierarchy – the same data protection information appears several times but is presented differently, effectively confusing users
- Decontextualizing – Important privacy information is located on a page that is out of context, so that users have difficulties finding it
6. Left in the dark refers to interface design which conceals information or data protection controls from users, leaving them unsure of what control they have over their data
- Linguistic discontinuity – information on privacy protection is not provided in the official language(s) of the country where the user lives.
- Conflicting information – providing the user with contradictory information to push them into keeping the default (invasive) privacy settings.
- Ambiguous wording or information – The terminology used is deliberately vague and ambiguous to confuse users
Dark patterns follow users through all the stages of the life cycle of a social media account. Hence, it’s important to be aware of what tactics big platforms can employ to manipulate us into giving up our personal data. As stressed by the EDPB, dark patterns may not only constitute unlawful interference in the sphere of privacy of social media users, they can also violate consumer protection regulations. Hence, businesses who engage in data collection through