Photo of Peter Craddock

“Dark patterns” – social media platform interfaces that can lead users to make unintended and potentially harmful decisions regarding the processing of their personal data – are a subject of increasing scrutiny in the EU. New guidelines of the European Data Protection Board (EDPB) on “dark patterns in social media platform interfaces” confirm the focus of EU authorities on such practices. The guidelines contain lessons for all websites and applications. The bad news for marketers: the EDPB doesn’t always like it when dry legal language is made catchier or dull interfaces more enticing.

To illustrate, in a section of the guidelines regarding the selection of an account profile photo, the EDPB considers the example of a “help/information” prompt saying “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me.’” According to the EDPB, such a practice “can impact the final decision made by users who initially decided not to share a picture for their account” and thus makes consent invalid under the General Data Protection Regulation (GDPR). In another example, the EDPB criticises a cookie banner with a humourous link to a bakery’s cookie recipe that incidentally says “we also use cookies,” stating that “users might think they just dismiss a funny message about cookies as a baked snack and not consider the technical meaning of the term ‘cookies.’” The EDPB even suggests that the data minimisation principle, and not security concerns, should ultimately guide an organisation’s choice of which two-factor authentication method to use.

Do these new guidelines reflect privacy paranoia or common sense? The answer should lie somewhere in between, but the whole document (64 pages long) in our view suggests an overly strict approach, one that we hope will move closer to common sense as a result of a newly started public consultation process.

Click here for our analysis of what useful lessons – or warnings – can be drawn from the EDPB’s new guidelines.