European regulators set to clamp down on 'dark patterns'
Snapshot
- Regulators are closely watching and taking enforcement action on dark patterns so companies need to be aware of not falling foul of bad practices
- It is not always clear what constitutes a dark pattern, so players should monitor accepted practices and consider alternative routes to marketing their products or services
- There is much legislation in the pipeline to tackle this, including the upcoming EU Data Act and AI Act
While the term "dark patterns" sounds rather sinister, it is essentially a recent label given to something that has been commonplace for many years: online retailers and service providers adopting user interface techniques to mislead consumers into making choices that are not in their best interests. But the noise around dark patterns is set to increase in 2023 as legislators, regulators and courts in the EU and UK prepare to clamp down on them.
What exactly are dark patterns and where will we see the regulatory intervention?
Broadening the regulatory net
Regulators have for many years taken enforcement action against dark patterns under consumer laws, such as the Unfair Commercial Practices Directive or the Consumer Rights Directive, although usually without necessarily describing the offending user interface as being an example of dark patterns. Regulators have tended to consider the use of dark patterns as unfair or misleading commercial practices – for example, making it difficult for a user to cancel a subscription or pushing them to share personal data by accepting cookies.
Dark patterns are also regulated (although not explicitly named as such) via data protection laws, such as the General Data Protection Regulation (GDPR); the use of the dark patterns in obtaining users’ consent to cookies or confirming their marketing preferences has been held by various regulators as contravening the GDPR rules on free and valid consent.
The Digital Services Act (which came into force on 1 November 2022 in the European Economic Area) expressly prohibits the design or operation of online interfaces in a way that deceives or manipulates users or that materially distorts or impairs users’ abilities to make free and informed decisions.
But these existing protections are to expand. A host of new legislation, such as the upcoming Data Act and AI Act, looks set to ban dark patterns in certain contexts. Further cross-cutting EU bans are expected as part of the EU's push to ensure digital fairness. In addition, various European countries are introducing, or are planning to introduce, domestic legislation to combat specific forms of dark patterns, for example by mandating cancellation buttons for subscriptions.
European action
The Italian Competition and Markets Authority has a history of enforcement action against practices aimed at manipulating consumers, including the purchase of unsolicited services and the wrongful presentation of a service as free (examples include hidden additional charges, in-game purchases or processing of users' personal data for commercial purposes), which goes back to 2014.
In Poland, the president of the Office of Competition and Consumer Protection (UOKiK) recently accused one of the leading secondhand goods e-commerce platforms of misleading consumers when providing offers, specifically in this case the company did not include the service maintenance fee when setting out price options. The UOKiK confirmed that the price of a product on an e-commerce platform must be made clear to the consumer in advance and include all components. The consumer must also be provided with a clear path to purchase without any additional non-mandatory fees.
The situation in Germany is a little different as, unlike many other EU Member States, its consumer law is mostly enforced via competitors or watchdog groups, rather than by governmental authorities. German watchdog groups are increasingly focusing on dark patterns and have started to assess current market practices and educate consumers (even via gamification). There have also been the first court cases where watchdog groups have explicitly referred to a practice as a dark pattern.
German legislators have recently introduced specific rules on cancellation buttons for websites offering paid subscriptions. These address concerns about the dark patterns known as “roach motels,” where terminating a contract is significantly harder than entering it.
UK enforcement
In addition to the plans for new bans, a number of European regulators are taking enforcement action. The UK’s Competition and Markets Authority (CMA) has recently announced an investigation into Emma Sleep for its use of pressure-selling tactics, such as urgent time-limited offers and countdown timers.
The investigation forms part of the CMA’s new online choice architecture programme aimed at combating dark patterns and is, as the interim chief executive has said, "just the start" of the CMA's work to tackle dark patterns.
The CMA’s online Rip-Off Tip-Off campaign has also been launched as a way to encourage consumers to report dark patterns such as pressure selling, fake reviews, subscription traps and hidden charges. It seems highly likely that more dark patterns enforcement is on its way in the UK.
New regulatory guidance
This general interest in enforcing against dark patterns has resulted in new guidance on the topic. The latest guidance on the updated Unfair Commercial Practices Directive provides a specific section on how dark patterns may amount to an unfair commercial practice or otherwise infringe the directive. There are also draft European Data Protection Board (EDPB) guidelines on dark patterns in the context of social media.
Many European countries have also issued their own guidance on dark patterns or endorsed European guidance. In 2021, the Italian Data Protection Authority issued guidelines on the use of cookies and other tracking tools. These outline the criteria for the design of cookie consent management tools, including requirements for the collection of the relevant consents and the information that must be provided.
Spain's Data Protection Agency (DPA) issued a statement in May 2022, following the draft EDPB guidelines on dark patterns, reminding data controllers that dark patterns are already covered in the DPA’s Guidelines on Data Protection by Default. The Spanish DPA confirmed (among other things) that only the minimum amount of data necessary should be processed and the default use case for data collection should be the most restrictive.
In Poland, the Polish Data Protection Authority has also endorsed the draft EDPB guidelines on dark patterns and encouraged social media platforms to make use of the practical examples therein to guide compliance.
Consumer is king
In summary, the ability of online retailers and service providers to wriggle out of consumer complaints by reference to complex terms and conditions is being substantially reduced. Companies that are slow to adapt risk being made an example of by consumer regulators. So now is a great time for international online retailers and service providers companies to revisit their customer journeys and marketing practices to make them simpler and more transparent.
For a more detailed look at the different types of dark patterns and their names please visit Osborne Clarke's dedicated microsite.
Authors
Katrina Anderson, Lead author Associate Director, UK katrina.anderson@osborneclarke.com +44 207 105 7661
Antonio Racano Senior Lawyer, Italy antonio.racano@osborneclarke.com +39 02 5413 1795
Verity Raeside Associate, UK verity.raeside@osborneclarke.com +44 20 7105 7665
Monika Gaczkowska Senior Associate, Poland monika.gaczkowska@osborneclarke.com +48 503 972 783
Mario Gras Lawyer, Spain mario.gras@osborneclarke.com +34 91 576 44 76
Leonie Schneider Associate, Germany leonie.schneider@osborneclarke.com +49 221 5108 4160