Dark patterns in the online marketing economy


Authors: Camilla Serraiotto, Francesca Tugnoli, Eleonora Margherita Auletta


This article seeks to provide a general overview of the content of the EDPB Guidelines on Dark Patterns without an aim of completeness. Furthermore, it aims to provide an understanding of the existing types of dark patterns and how they can be used in the reality of online marketing.


EDPB Guideline 03/2022: Instructions for recognizing and avoiding dark patterns

The term “dark patterns”, as defined in the recent Guidelines 03/2022 of the EDPB[1] (hereinafter the “Guidelines”), refers to both graphical and voice-controlled interfaces as well as, user experiences[2] that have been implemented on platforms and navigation paths. Some examples of where dark patterns are used include: social platforms, e-commerce, cookie banners and mobile applications. The use of dark patterns is aimed at influencing the ‘online behaviour’ of users and influencing them into making unintentional and potentially harmful decisions which are on the contrary, favourable to the operators of such services[3].

The Guidelines are addressed to social media platform providers, but more generally they are considered applicable to all data controllers and processors of personal data of users. Indeed, its aim is to provide a set of practical recommendations and an illustrative list of case studies, contained in the relevant Annex I that will aid in detecting such illicit mechanisms better and thus avoiding them (see paras. 32 et seq.). They are also addressed to social media users and are intended to help them make informed choices regarding the protection of their personal data.

The Guidelines also provide, in Annex II, best practices to be followed at the design level in order to create interfaces which by design, are compliant with EU Regulation No. 2016/679 (hereinafter “GDPR”).

In terms of classification the EDPB has identified six different types of dark patterns, based on their impacts on user behaviour:

        • overloading: this happens when users are faced with a huge number of requests, information, options or possibilities, which lead them to share as much data as possible and unwillingly consent to its processing.;
        • skipping: this happens when interfaces are designed in such a way that users forget or do not think about aspects related to the protection of their personal data;
        • stirring: this happens when users’ choices are influenced and conditioned by appealing to their emotions or resorting to visual stimuli;
        • obstructing: this happens when users are hindered or blocked in the process of information and awareness about the use and management of their data;
        • fickle: This is when users consent to the processing of their data without understanding its purpose, due to an inconsistent or unclear interface;
        • left in the dark: This is when the interface is designed in such a way as to hide information and privacy control tools from users.


Problem profiles: potential violations of the GDPR

In light of potential conflicts with the GDPR due to the use of dark patterns, it is worth mentioning:

        • the principles contained within Article 5 GDPR (including, lawfulness, fairness, transparency, data minimization and purpose limitation);
        • the rules on the proper acquisition of consent (Art. 6(1)(a) GDPR) and the conditions for granting valid consent (Art. 4(11) and (7) GDPR), which would be violated if systems that prevent the acquisition of truly informed and free consent are in place;
        • the provisions which relate to informing data subjects about the processing of their data in a transparent manner (Articles 12, 13 and 14 GDPR);
        • the principle of privacy by design (Art. 25 GDPR) and, more specifically, the requirements spelled out in EDPB Guidelines 04/2019 on Art. 25 GDPR[4] . These Guidelines address social media providers with regard to the design of the interface or the verification of whether or not dark patterns are present[5]. The requirements to be adopted in relation to users include:
        • granting the data subject autonomy in determining the use of their personal data;
        • granting the data subject the possibility to interact with the data controller;
        • processing in a manner that corresponds to the user’s reasonable expectations;
        • granting the consumer’s choice which may be denied where the possibility of exercising the right to data portability pursuant to Article 20 GDPR is impaired;
        • having a balance of power between the data subject and data controller and, where not possible, the implementation of appropriate countermeasures;
        • the veracity of the information provided by the data controller.

It is important to note that where the user interface is a dark pattern, the resulting processing is, according to the EDPB, “unfair” and, therefore, contrary to Art. 5 of the GDPR. The interface and the user experience, from an accountability perspective, should be used to ascertain and acquire evidence that the user has truly understood the information provided about their personal data and has therefore freely given their consent.


The Ediscom measure as a concrete application of the Guidelines on dark patterns

After a survey on the types of dark patterns, it is appropriate to briefly analyze the prescriptive and sanctioning Measure against Ediscom S.p.A. – 23 February 2023 (“Ediscom Measure“)[6], in order to understand how the Italian Data Protection Authority (“Authority“) applies the Guidelines in assessing dark patterns. In the present case, the Italian Authority held that:

        • the repeated request for consent for marketing activities, the deceptiveness of the link which prompts users to continue without expressing consent due to its small size as compared to the main text, as well as the sharing of data to third parties resulted in a violation in a violation of Articles 5(1)(a), 7(2) and 25 of the GDPR;
        • the collection of information that was unnecessary and not relevant to the service provided was contrary to the principles of lawfulness, fairness and transparency and the principle of minimisation  since it obliged the data subject to provide more information than was actually necessary for the provision of the service. This resulted in a breach of Articles 5(1)(a), (b) and (c), 6 and 7 GDPR;
        • the issuance of the information notice following the collection of the data and not at the same time as the provision of the personal information entailed a breach of Articles 5(1)(a) and 13 of the GDPR;
        • the presence of numerous pre-selected fields, including pre-flagging consents, in stark contrast to the principle of freedom of consent led to a breach of Articles 5(1)(a), 6(1)(a) and 7 of the GDPR; and
        • the lack of specificity and granularity of consent, demonstrated by the provision of a single consent for different purposes including marketing and transfer of data to third parties  also led to a breach of Articles 6(1)(a) and 7 of the GDPR.

Finally, the Italian Authority, in imposing the sanction, emphasized the malicious nature of the practice implemented by the sanctioned company, pointing out that “the intentional choice to graphically implement a given interface also presupposes knowledge of the mechanisms that interact with the user’s cognitive capacities, therefore, even without wishing to give a name to such mechanisms, one cannot but consider that they have been adopted in order to circumvent the users’ will”. The willfulness of the conduct generally has a negative impact on the determination of the amount of sanctions, pursuant to Article 83(2)(b) GDPR.


Conclusion: the difficult balancing act between user rights and economic initiative

A business activity with a profit maximization motive even in the context of their marketing activities, must be conducted in a conscious and fair manner that ensures that there is a balance in its activities and the protection of the rights of the data subject, which are fragile and can easily be “circumvented” in the world of the web. This is in addition to obtaining confirmation in the Ediscom Measure  which  clarified that “it is necessary to prudently assess the above-mentioned criteria, also in order to limit the economic impact of the sanction on the organisational, functional and employment needs of the Company”. This is based on Article 41(2) of the Italian Constitution, which highlights that a business activity “cannot be carried out in […] such a way as to damage freedom and human dignity“.





[1] EDPB – Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them – Version 2.0 Adopted on 14 February 2023.

[2] The term ‘user experience’ refers to perceived usefulness, ease of use and efficiency of interaction.

[3] See also the Data Protection Authority’s information page on ‘Deceptive Design Patterns (Dark Patterns)’. Specifically, the Italian Data Protection Authority (Garante) defines dark patterns as ‘deceptive design patterns that can influence the behaviour of those who surf online and hinder data protection’.

[4] EDPB Guidelines no. 4/2019.

[5] Some examples of dark patterns are given below: (i) repeatedly requesting the provision of the same data, despite previous express refusals by the user; (ii) presenting the request for consent in an appealing way, making the user almost feel rewarded if they gives it and uncomfortable if they do not give it; (iii) using a small font size or color that does not stand out adequately, making it difficult to read; (iv) asking the user to confirm an action already expressed, for example, asking them if they are sure that they do not want to give consent after they have denied it; (v) using default or pre-flagging settings, in respect of which the user out of laziness or carelessness avoids changing the default choice presented; (vi) considering the user’s inactivity as a positive choice to give consent; (vii) making it difficult to find the information protecting personal data by omitting to include the direct link to the notice (viii) using images that offer a sense of tranquility or protection to induce the release of data or consent; (ix) rendering information in a repetitive and conflicting manner that is confusing to users; (x) using equivocal visual information (e.g., selecting in green the option most favorable to the social and unfavorable to the data subject, and in red the option most favorable to the data subject).

[6] Prescriptive and sanctioning Measure against Ediscom S.p.A. – 23 February 2023 [9870014].