The Italian Data Protection Authority (DPA), the Garante, has for the first time penalized the use of dark patterns to collect personal data under the terms of the GDPR.
What are dark patterns?
Deceptive patterns (also known as “dark patterns”) are tricks used in websites and apps that make you do things that you didn’t mean to, like buying or signing up for something. For example:
- Trick wording
- Sneaking
- Obstruction
What laws govern the use of deceptive patterns?
Many types of deceptive patterns are already illegal in the EU and US, depending on the type and context of use.
- EU – the UCPD, GDPR, DSA, and DMA help ensure a fairer internet for users
- USA – the FTC Act, ROSCA, and CAN-SPAM are major federal laws that pack a punch
The Issue
The company that was the subject of the sanctioning measure is active in digital marketing services. The Italian DPA’s checks revealed that, to carry out its targeted promotional campaigns, the company used a database containing data on more than 21 million users, collected directly by the company through its websites and from lists purchased from third parties.
The Italian DPA believes that the company obtained part of the data from the company’s websites through dark patterns for the sole purpose of “circumventing the will of the data subject.” In particular, it did so by adopting “unclear communication patterns with particular regard to the graphic design of the interfaces and how the process of signing up for services was carried out.”
Website Features in Breach of GDPR
- One Purpose, Multiple Processing: Users were required to consent to processing their data for marketing purposes and communicating with third parties for the same purposes.
- Manipulative Button Design: If neither box was ticked, a pop-up highlighted the lack of consent and presented a prominent button to accept the processing. In contrast, the link to continue without accepting was inconspicuous.
- Manipulative Use of Font: The user was asked to provide data of third parties potentially interested in signing up for services. In contrast to the invitation messages, which were written in bold type with asterisked fields, the “…or skip” option was shown at the bottom of the page in a much smaller font and with entirely different graphics than the “continue” option.
The Fine
Given the above circumstances, the Italian Data Protection Authority issued a GDPR fine of 300,000 euros, equal to 2 percent of the company’s turnover reported in the latest financial statements.
Conclusion
Legal design is crucial in countering dark patterns, offering an essential solution for promoting ethics and transparency in digital interactions. Marketing and design teams should work with Legal to ensure their design and UI do not use dark patterns or any other deceptive or manipulative tactic.