The European Data Protection Board (EDPB) recently released a GDPR (The General Data Protection Regulation) guidance on how to identify and prevent "dark patterns" on social media.
Background
People use social media to interact with friends and share news and significant events in their lives. However, few users are aware of how these sites process their personal data.
The goal of this guide is to provide advice for both the design and safe use of social media platforms. The EDPB provides GDPR guidance on these topics in order to prevent data breaches and to remind social media companies about the GDPR's importance.
The European Board defines 'dark patterns' as user interfaces that lead to accidental and possibly dangerous processing of personal data.
'Dark Patterns ' categories
- Overloading: users are bombarded with requests for personal information, inquiries, and choices. As a result, they unknowingly consent to the processing of their personal data.
- Skipping: the social media interface has a confusing design that causes users to overlook important details about their personal data.
- Stirring: the interfaces leverage the users' emotions to influence their decisions.
- Hindering: blocking or failing to adequately inform users about the processing of their personal data.
- Fickle: an ambiguous design of the interface that makes controlling the data processing process challenging.
- Left in the dark: an interface designed to hide information regarding personal data manipulation. Sometime these interfaces also leave users confused about how to control how their data is processed.
Additionally, when it comes to social media platforms, the dark patterns might have a significant impact on children. They are far more inclined to reveal personal information without comprehending the risk. As a result, the GDPR has included additional safeguards to protect this particular group of users.
GDPR principles applicable
Online data protection, according to the EDPB, begins with Article 5 of the GDPR. The recognition of 'dark patterns' is based on the principle of fairness. The GDPR's principle is extremely clear. Providers should not process users' personal data in any way that is damaging, unexpected, or confusing.
In the context of this GDPR guidance, the European Board cites a few other key principles.
- Accountability: this principle can be promoted by elements that provide verification of the social media provider's activity. Users should have easily read and considered data protection along their journey through the social media interface. Furthermore, the EDPB suggests to social media operators to explain to users how they can make an informed decision in greater detail. (For example, 'screenshots of interfaces' where users must check a box).
- Transparency: Transparency, like accountability, refers to a user's validation of reading ('consent'), obtained during their journey on the platform. According to this principle, social media providers must make documentation accessible to its users.
- Data protection by design: information and alternatives for data processing should be presented in an objective and neutral manner, with no false or manipulative language or design. There are more relevant elements here that controllers and processors should consider when designing a social media platform, based on EDPB's Guidelines 4/2019 on Article 25. (Examples include autonomy, engagement, expectation, consumer choice etc.)
GDPR guidance when designing a social media platform
The GDPR and its principles apply to a user account's entire life cycle.
Opening a social media account
This is often the first step that users must do in order to gain access to a social media platform. This phase entails providing personal information such as name, surname, and email address.
The social media providers must inform users in plain and straightforward language about their processing. They should understand what they are signing in order to agree to the social networking platform's terms of use and privacy notice. The GDPR's Articles 4 (11) and 7 explain how consent should be given when it is chosen as a legal basis for processing.
Overloading is a dark pattern that can emerge at this point, among others, when social media providers request for more personal information than they actually need. You should use the principle of purpose limitation as a provider. Only use the requested information for the initial purpose.
At this stage, the EDPB recommends the following practices:
- Implement shortcuts. Links to settings that can assist users manage their data and data protection settings in a practical way.
- The privacy policy should clearly state the company's contact address for data protection requests. It should be in a section where users are likely to find it.
- Identifying the supervisory authority and providing a link to its website or a specific website page dedicated to filing a complaint.
- Include a table of contents with headings and subheadings at the top of the privacy policy that illustrates the different sections of the privacy notice.
- When there is an update of the privacy, make previous versions available with the date of release and indicate changes.
- The privacy policy should follow the same formatting as the rest of the site.
- When using new or technical phrases or jargon, providing a plain language definition will aid readers in comprehending the information given.
Staying informed on social media
Staying informed on social media requires conforming to the principles of transparency and fair processing of personal data required by Article 12 (1) GDPR. As controllers and processors provide clear and easy-to-understand information, data processing does not remain a mystery to users. Therefore, they are able to control and exercise their rights in this regard.
Left in the dark is one of the most obvious examples of dark patterns that might arise. This occurs when users receive inconsistent information, leaving them unclear of what they should do and the repercussions of their choices.
Among best practices underlined by the European Board, we mention:
- While reading a data protection page, the table of contents can be continuously on the screen, allowing users to rapidly navigate through the content.
- Add a return to top button to the bottom of the page to make navigation easier for users.
- Provide links to the relevant data protection pages on the social media platform.
- In the case of joint controllership, include additional transparency provisions.
- A controller must notify the competent supervisory authority if a personal data breach occurs, as per Article 33 GDPR. If the data breach poses a significant risk to natural persons' rights and freedoms, the controller must also notify the data subject.
Staying protected on social media
As required by Article 7 (1) GDPR, social media providers must demonstrate that they have correctly gathered users' consent. ''This condition can become a challenge to prove, e.g. if users are supposed to provide consent by accepting cookies''.
The dark pattern of being left in the dark is referenced again, this time in regard to consent. When consent is obtained, the material becomes vague and incoherent. Furthermore, misleading information occurs when there is a mismatch between the knowledge and actions available to users, causing them to perform something they did not plan to do.
Best practices to stay protected on social media:
- When using a social media platform on many devices (e.g., a computer, a smartphone, etc.), data protection settings and information should be in the same places and accessible via the same path (menu, icons, etc.)
- When there is an update of the privacy, make previous versions available with the date of release and indicate changes.
- The privacy policy should follow the same formatting as the rest of the site.
- When using new or technical phrases or jargon, providing a plain language definition will aid readers in comprehending the information given.
- When users choose to activate or deactivate a data protection control, or give or withdraw consent, advise them of the consequences of their actions in a neutral manner.
We recommend that you read the complete set of Guidelines 3/2022 as it contains a useful GDPR guidance for building a compliant social media platform. The EDPB's approach includes visual illustrations of practices for each stage of the user account lifecycle.
Read more: New Guidelines on the Right of Access under Article 15 GDPR
Source: https://edpb.europa.eu/system/files/2022-03/edpb_03-2022_guidelines_on_dark_patterns_in_social_media_platform_interfaces_en.pdf
Last updated: May 18, 2022