Download the Gartner Market Guide for Consent and Preference Management
Access now
Skip to content

EU regulators’ ‘dark patterns’ guidance: How to recognize and avoid them

Posted: March 6, 2023

European data protection regulators have released new guidelines on recognising and avoiding “dark patterns” (Guidelines 03/2022). 

Dark patterns are a type of manipulative design. We’ve all seen them online: pop-ups that make it harder to reject cookies than to accept them, confusing privacy notices, or emotionally-charged language imploring you to click something you might not want to click. 

Let’s look at the six types of dark patterns that could violate data protection law and harm your users’ trust. 

 

Six Types of Dark Patterns 

The European Data Protection Board (EDPB) hates dark patterns, and there are many recent examples of companies receiving large fines for allegedly manipulative design tricks (Microsoft, TikTok, and Google, to name a few). 

While the chances of getting a multi-million euro fine are relatively low, avoiding manipulative design can benefit your company in other ways. Giving your users genuine privacy choices can help build trust and enhance customer relationships. 

The EDPB guidance is aimed at social media platforms, but it provides some solid tips that apply to any online service. These dark patterns might also be present in: 

  • Cookie banners 
  • Privacy notices 
  • Data subject rights portals 
  • Account setup processes 
  • Settings menus 
  • Email marketing forms 

The EDPB identifies six broad types of dark patterns, each with several sub-types. Here’s an overview of the guidance. 

 

1. Overloading 

Overloading users with requests, notices, or options to stop them from doing something or to ensure they continue doing something. 

  • Continuous Prompting: Repeatedly requesting more personal data than needed 
  • Privacy Maze: Using difficult-to-navigate interfaces that make it harder to exercise rights or limit data collection. 
  • Too Many Options: Providing unnecessary or excessive options that might discourage users from making a free choice.

 

 2. Skipping 

Designing an interface that might lead users to miss important privacy-related settings. 

  • Deceptive Snugness: Enabling intrusive or unnecessary settings by default. 
  • Look Over There: Placing privacy-related choices next to non-privacy-related choices in a way that might distract the user. 

 

3. Stirring 

Using emotive or “nudging” language or design options. 

  • Emotional Steering: Using emotive wording or bright colors to make one option appear more attractive than another. 
  • Hidden in Plain Sight: Designing an interface to hide or de-emphasize privacy settings. 

 

Gartner Market Guide for Consent and Preference Management for Marketers

Gartner Market Guide for Consent and Preference Management for Marketers

Central to most privacy laws is the challenge of providing users with clarity and control over their personal information and its use.

Digital marketing leaders need a clear overview of the consent and preference management ecosystem to design experiences that meet this challenge.

Read the full report by following the below:

Gartner® Market Guide for Consent and Preference Management for Marketers

4. Obstructing 

Making it unnecessarily difficult for users to enable privacy-preserving settings. 

  • Dead End: Using an interface that does not provide access to privacy controls (whether intentionally or not). 
  • Longer Than Necessary: Forcing the user to take more steps than are necessary to activate privacy settings. 
  • Misleading Action: Using misleading language or design prompts so that users do not get the outcome that they reasonably expect. 

 

5. Fickle 

Deploying an inconsistent or unstable interface that makes it harder for the user to make privacy-related choices. 

  • Lacking Hierarchy: Using a confusing or overly complex interface that provides redundant or repetitive choices. 
  • Decontextualising: Locating privacy-related settings in unexpected places. 
  • Inconsistent Interface: Deploying a different settings menu in different contexts (e.g. mobile and desktop). 
  • Language Discontinuity: Failing to provide privacy information in the user’s native language. 

 

6. Left in the dark 

Using unclear or confusing language (including “legalese”) that prevents users from making a properly-informed choice. 

  • Conflicting Information: Providing contradictory or conflicting privacy information to users. 
  • Ambiguous Wording or Information: Using vague or confusing language that users will be unlikely to understand. 

You might also like to read:

The future of AI marketing: Balancing privacy and efficiency

The future of AI marketing: Balancing privacy and efficiency

The future of AI marketing: Balancing privacy and efficiency

Explore how data protection and privacy risks can arise across five AI marketing use cases and considerations for how to overcome them.

The future of AI marketing: Balancing privacy and efficiency
Global Privacy Control

What is the Global Privacy Control (GPC)?

What is the Global Privacy Control (GPC)?

The Global Privacy Control (GPC) is a technical specification that allows users to signal their cookie preferences across websites.

What is the Global Privacy Control (GPC)?