On 24 February 2023, the European Data Protection Board (“EDPB”) issued a definitive set of guidelines for the recognition and avoidance of deceptive design patterns (“DDPs”) on social media platforms (“Guidelines”). This blog post will unpack the content of the Guidelines.
What are DDPs?
The EDPB defines DDPs as “interfaces and user journeys implemented on social media platforms that attempt to influence users into making unintended, unwilling and potentially harmful decisions, often toward a decision that is against the users’ best interests and in favour of the social media platforms interests, with regards to the processing of their personal data”. The Guidelines take a systematic approach to identifying DDPs throughout the life cycle of a social media account and test them against the GDPR standards. Note that although the EDPB has focused its Guidelines on social media platforms, their content is equally relevant to any other website.
Avoid DDPs on your social media platform/website!
Let us consider the practical importance of the Guidelines with a concrete example.
You have recently launched a social media platform and you have created a user journey based on your experience of the largest social networks. Adopting similar content and interface design seems like a reasonable choice, given their success. However, as the EDPB points out, several of the most common techniques used to incentivise users’ engagement with the services and data sharing can be in blatant breach of the GDPR.
Imagine the following scenario, where Claire is the first person to register on your platform in the Netherlands.
1. Registering an account
Claire has started to register an account. After selecting the preferred option to log in exclusively with her email address, a pop-up keeps requesting that she share her phone number throughout the several stages of registration, notwithstanding her initial choice. According to the EDPB, these kinds of practices fall under the blanket definition of “overloading”, a category of DDPs. If Claire is “overloaded” during the registration process with continuous prompts to disclose information which is objectively unnecessary to complete her sign-up, this could result in a violation of several basic principles of the GDPR (e.g., data minimisation and purpose limitation). As best practice, the EDPB suggests implementing a single “Data Protection Onboarding”, inviting users to set their data protection preferences granularly.
2. Obtaining data protection information
3. Managing consent and data protection settings
4. Exercising rights
After finding out about her rights under the GDPR, Claire decides to file a request for an overview of all her personal data processed by your platform. She learns through the Q&A section that she has to consult the user account settings to initiate the procedure. There she finds a button saying “Your rights under the GDPR”. To her disappointment, she is led to a page of the Dutch version of the website, with no opportunity to consult the same information in English. The EDPB considers such language discontinuity between the regular use of services and the exercise of data subjects’ rights under another, broader category of DDPs called “fickle”. Accordingly, if a platform provides its services in additional languages (e.g. English), on the basis of which it attracts a certain group of customers, it should make sure that those customers can feel as comfortable exercising their rights as they do with their regular activities on the platform. An inconsistency of this kind may in fact trigger a violation of the transparency principle under the GDPR. As best practice, the EDPB here goes as far as recommending the creation of a single dedicated form to facilitate users’ exercise and understanding of their individual rights.
5. Deletion of an account
After months of disappointing experience and having lost trust in your services, Claire decides to leave the platform and clicks on the relevant section saying “Deletion”. A page appears with a large-font title saying: “Do you really want to leave us? We and all your friends would be so sad to see you departing ☹”, on top of a large colourful “Stay with us!” button and a smaller grey “Leave ☹” button. Although the content and interface may not individually affect Claire in her decision, the EDPB would consider this undue “stirring”, contrary to the requirement of fair processing under the GDPR. The Guidelines indeed stress that, as best practice, it is important to maintain neutral language in such circumstances, in order to provide users with an adequate explanation of the consequences of deleting their account.
The EDPB has only provided limited examples of practices which may fall under the definition of a DDP, but the list is open, and the fines under the GDPR can be heavy. Not just for social media platforms, of course.
EU and national watchdogs have started sharpening their knives against DDPs. Not sure whether you are using compliant content and interface design? Get in touch with us!