"Dark Patterns" and appropriate consent mechanisms online: Are the consumers truly free to choose?

The purpose of these patterns is to influence the users’ behaviour, hindering their ability to effectively protect their personal data and make conscious choices by using cognitive biases. These dark patters can be expressed in many ways, for example, by overwhelming the user with information the site might try and prompt them to share more data or unintentionally allow personal data processing against the expectations of the data subjects. Deceptive patters are present in websites, cookie banners, online shops, video games, social media platforms and many other interfaces where users interact with products and services. 

Multiple CJEU judgements exist explaining the limitations of interfaces and what constitutes a dark pattern. In the case, Bundesverband e.V. v. Planet 49 GmbH, C-673/17, the CJEU found that German companies’ website containing preselected ticked boxes for advertising consent does not constitute valid form of consent. The Court pointed out that Member States are to ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a user is only allowed on condition that the user concerned has given his or her consent, having been provided with clear and comprehensive information, consent being “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”, in accordance with Directive 95/46. The validity of a consent form, as in the case, is void because the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent which does not fulfil the requirement of an active behaviour by freely giving indication of processable data. Only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil the lawfulness requirement of data processing. The Court additionally points out that informed consent implies the responsibility of the service provider to include the duration of the operation of cookies and whether or not third parties will have access to those cookies consented to by the website user.

The EDPB adopted a Binding Decision 3/2022 on December 5th 2022, on the dispute submitted by Irish SA on Meta Platforms Ireland Limited and its Facebook service, in accordance with Article 65 of the GDPR in which they found that Meta had breached GDPR principles of fairness and transparency under Article 5(1)(a), 12 and 13(1)(c) of GDPR by processing personal data for behavioural advertising in order to serve personalised ads. Meta considered that by accepting their Terms and Conditions to have access to their programmes the user entered a contract with them, where Meta was allowed to process the users’ personal data to provide personalised services and behavioural advertising based on contractual basis. However, EDPB found that the processing of personal data for the purpose of behavioural advertising in such a way as in the case was unlawful and violated the principle of transparency and fairness because Meta had no reason to rely on contract legal basis in order to process personal data and still required users unambiguous consent, in order to prove that users had sufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR.

In comparison to EU framework, local Latvian privacy peculiarities are governed by laws like the Electronic Communications Law and the Law on Information Society Services. These laws regulate how consent must be obtained for cookies and digital services, aligning with GDPR and ePrivacy Directive standards. Although, no separate Latvian law defines "dark patterns", Latvia relies on EU definitions and guidance, but at the same time local authorities are entitled to issue guidelines or interpretations for businesses operating in the country, especially in Latvian language and cultural context. From a practical point of view, Latvian courts have handled data protection and consumer rights cases, but they typically focus on broader GDPR violations or unfair commercial practices, rather than “dark patterns” as a legal term, thus it is not yet widely used in Latvian case law. Worth mentioning that similar practices may be challenged under local laws like Consumer Rights Protection Law and Unfair Commercial Practices Prohibition Law, as well as based on GDPR, especially Article 7 (conditions for consent).

Considering the above, clarity on matters regarding processing of personal data is important to promote transparency and safety in data processing. Described cases and guidelines outline the requirement of users’ active consent to prove that it wasn’t gained through dark pattern containing interfaces. Each company is to be aware of the rules and regulations as well as case – law requirements regarding website cookies, terms of service and other interfaces needing user consent for functioning.​​