The Italian Privacy Authority, the Garante, has sanctioned the use of dark patterns to collect personal data for the first time under the terms of the GDPR.
On February 23, 2023, the Italian data protection authority adopted its first ruling sanctioning the use of dark patterns for personal data collection purposes. The decision constitutes a benchmark in the field of personal data protection. It provides an opportunity to reflect on recent developments in legal design techniques that, if used correctly, help facilitate transparent data collection.
What are dark patterns?
Dark patterns refer to those interfaces and user experiences implemented on online platforms that cause users to make potentially harmful and unintended decisions regarding the processing of personal data. What primarily influences user behavior is the ability to control the activities performed with their data effectively.
The Garante’s challenge against dark patterns
The company that was the subject of the sanctioning measure is active in digital marketing services. The Italian Privacy Authority’s checks revealed that, to carry out its targeted promotional campaigns, the company used a database containing data on more than 21 million users, collected directly by the company through its websites and from lists purchased from third parties.
The Garante believes that the company obtained part of the data from its websites through dark patterns for the sole purpose of “circumventing the will of the data subject.” It did so in particular by adopting “unclear communication patterns with particular regard to the graphic design of the interfaces and how the process of signing up for services was carried out.”
In particular, the Italian data protection authority found dark patterns in the following practices:
- Users were required to consent to processing their data for marketing purposes and communicating with third parties for the same purposes. If neither box was ticked, a pop-up highlighted the lack of consent and presented a prominent button to accept the processing. In contrast, the link to continue without accepting was inconspicuous.
- The user was asked to provide data from third parties potentially interested in signing up for services. In contrast to invitation messages written in bold type and asterisked fields, the “…or skip” option was shown at the bottom of the page in a much smaller font and with entirely different graphics than the “continue” option.
The Garante found in both cases that the graphic prominence given to the data collection forms “had no utility for the conduct of the process […] but represented an attempt to collect the user’s consent.” In the first case, this was aggravated by the fact that the user had already clearly expressed his will to the contrary on the previous screen.
The Garante clarified that implementing such techniques disrupts the freedom and the awareness with which the data subject can express their will and makes the collection unlawful.
Given the above circumstances, the Italian data protection authority issued a GDPR fine of 300,000 euros, equal to 2 percent of the turnover reported in the latest financial statements.
Considerations for companies and the need for a legal design-style approach
Legal design is crucial in countering dark patterns, offering an essential solution for promoting ethics and transparency in digital interactions. As mentioned, dark patterns are deceptive practices that influence user behavior, and they no longer go unnoticed.
Indeed, with this measure, the Italian privacy authority seems to be retracing the path already taken with its Cookie Guidelines adopted in July 2021, probably also prompted by the recent adoption of the EDPB’s 3/2022 Dark Patterns Guidelines, which place particular obligations on, among other things, the design of cookie banners (e.g., the need to place an ‘X’ in the upper right corner and to give the actions available to users the same graphic relevance).
But that’s not all. Obligations of transparency towards users and the prohibition of deceptive techniques such as dark patterns are imposed not only by the GDPR (which, let’s remember, requires consent to be free, informed, specific, and unambiguously expressed) but also by consumer law, including in light of the recent changes due to the Omnibus Directive: the unfairness profiles could be traced back to the misleading omissions under Art. 22(2) of the Italian Consumer Code, insofar as the obscure presentation of information and options relevant to the consumer induces the consumer to make a decision (i.e., to give consent) that they would otherwise, in all likelihood, not make.
Therefore, the approach offered by legal design is essential to avoid challenges such as those made by the Garante in this measure, not least to promote adherence to the principles of the Italian Consumer Code. By designing clear, understandable, and accessible interfaces and communications, companies can ensure that stakeholders (as well as consumers) are adequately informed about their choices, rights, and obligations and avoid sanctions from authorities.
On a similar topic, the article “Are you ready for the new Italian privacy guidelines on cookies of the Garante” may be interesting.
Authors: Enila Elezi and Chiara Fiore
Photo by Marija Zaric on Unsplash