EDPB Guidance on Deceptive Patterns in Social Media Interfaces
On 14 March 2022, the European Data Protection Board (EDPB) released guidelines titled Dark Patterns in Social Media Platform Interfaces: How to recognize and avoid them. These Guidelines provided best practice recommendations to designers and social media platform providers on how they can assess and avoid dark / deceptive patterns in social media interfaces that violate the requirements of the GDPR. Subsequently, the EDPB adopted version 2.0 of these Guidelines on 14 February 2023, titled Deceptive design patterns in social media platform interfaces: how to recognise and avoid them.
Deceptive patterns are interfaces and user experiences that lead social media users into making unwilling and potentially harmful choices, which are often geared towards the benefit of a social media platform and the detriment of the user, in relation to the processing of their personal data. Deceptive patterns aim to hinder users’ ability to make a conscious choice with respect to their personal data and ultimately take away users’ control for the protection of their personal data.
The EPDB has recognized six major categories of deceptive patterns
Users are provided with too much information to push them to provide more personal data than necessary. Here, users are pushed to provide unnecessary data by being repeatedly asked about it.
- continuous prompting: repeatedly asking users to provide unnecessary data or consent to a processing purpose,
- privacy maze: making the user navigate through too many pages,
- too many options: too many options to choose from leaving the user to overlook some settings or giving up data protection preferences
Deceptive designs that distract users from worrying about the protection of their personal data. Here, the most invasive features and options are already enabled by default.
- deceptive snugness: most data invasive features are pre-selected by default,
- look over there: distract users.
Wordings or visuals that are presented in a way that influences users’ emotional state to lead them to act against their data protection interests. This deceptive pattern has a higher impact on children and other vulnerable categories of data subjects. For example, users are more likely to overlook or have difficulty reading small font sizes or text written in colors that do not contrast sufficiently.
- emotional steering: patterns, wordings, or visual styles that strongly influence the users’ emotional state and lead them to act against their best interests i.e. by making users feel scared or guilty, or safe or rewarded,
- hidden in plain sight: visual styles that nudge users toward less restrictive and more invasive options.
Providing misleading information to users to either push them to provide unnecessary personal data or influence their decision by holding them up and questioning their initial choices.
- dead end: while users are looking for information or control, they end up not finding it as a redirection link is either not working or not available,
- longer than necessary: unnecessary steps required to activate data protection options,
- misleading information: when social media providers inform users that an action on their part would lead to certain consequences, and the action actually results in a different outcome.
Unclear designs that make it hard for the user to navigate the different data protection control tools or understand the purpose of the processing.
- lacking hierarchy: redundancy of information,
- decontextualising: a data protection control is located on a page that is out of context,
- inconsistent interface: an interface is not consistent across varied contexts or with users’ expectations,
- language discontinuity: information not provided in the official language of the country where users live.
6. Left in the dark
Interfaces that hide information or data protection tools or leave users unsure of how their data is processed and what controls they have regarding the exercise of their rights.
- conflicting information: making the information unclear and unintelligible or misleading users by not matching their expectations.
- ambiguous wording or information: vague wording or making data subjects unsure of how data will be processed or how to have control over their data.
As per the Guidelines, social media platform providers and designers should avoid the use of any deceptive patterns and ensure to provide a clear choice to users with respect to their personal data. The Guidelines further recommend that all data protection principles under the GDPR should be complied with during the design of user interfaces of online applications.
Some of the best practices recommendations as per the Guidelines are:
- Ensure the processing of personal data is not detrimental, discriminatory, unexpected, or misleading to the data subject.
- Ensure to obtain consent as per the requirements of the GDPR, i.e. consent must be freely given, specific, informed, and unambiguous wherever consent is required for data processing.
- Provide information to data subjects about their rights with respect to their personal data or any communication in a concise, transparent, intelligible, and easily accessible form and language.
- Lack of consent should be considered the default state.
- Allow easy consent withdrawal.
- Do not ask for additional and unnecessary personal data that is not required for the particular processing.
- Ensure data protection by design by avoiding the use of any deceptive or manipulative language in designs and presenting all information in an objective and neutral manner.
- Ensure data protection by default by pre-selecting and/or highlighting the least data invasive features and options by default.
- Design a privacy dashboard, allowing users to centralize their privacy settings.
- Be able to demonstrate compliance by documenting consent records.
- Provide relevant links to further information, settings, or actions wherever helpful for users to navigate online interfaces.
- Put options with the same processing purpose together so users can set their desired privacy settings more easily.
- Clearly highlight the identity of the relevant supervisory authority and provide a link to its website.
- Use consistent wordings and definitions.
- Provide definitions for technical words or jargon. Moreover, provide examples to explain different processing purposes.
- Make any data protection related actions or elements conspicuous on an interface that is not directly dedicated to the matter.
- Whenever users create a new account on an online platform, provide them key information on data protection.
- Use notifications to keep users continually aware of all aspects, changes or risks related to the processing of their data.
- Use sticky navigation or provide a ‘return to top’ button to help ease navigation for users.
- Provide neutral explanations for any consequences the users may face for their actions, such as withdrawing consent, or activating or deactivating an account.
- Ensure cross-device consistency in relation to settings and information provision.
- Provide a directory with all data protection related actions and information.
- Use self-explanatory URLs for pages related to data protection settings or information.
- Provide a dedicated form that helps users understand their rights and how to enforce them.
Ask for a demo today to understand how Securiti can help you achieve compliance with the provisions of the GDPR. In today’s digital world, it is important for organizations to implement privacy-compliant user interfaces and website designs and obtain consent as per the applicable legal requirements. Securiti’s Consent Management Solution enables you to design consent banners as per the applicable geographical requirements and avoid the use of deceptive patterns that can manipulate a user’s choice.