


Dark Patterns: Increasing presence on websites and apps. What are the impacts on GDPR and Data Act?


​​​​​​​​​​published on 23 October 2024 | reading time approx. 4 minutes


"There are still too many obstacles that users encounter on websites and apps when trying to manage cookies or delete their accounts", concludes an analysis conducted by the Italian Data Protection Authority (the "Garante") in collaboration with 25 other privacy authorities. This investigation, part of the Global Privacy Enforcement Network (GPEN) Privacy Sweep, examined the widespread use of dark patterns online. The issue is gaining attention not only for its privacy implications but also due to the upcoming Data Act, which will take effect in September 2025.

Dark patterns refer to deceptive design techniques intended to influence, manipulate, or coerce users into making decisions online that are against their interests or give an unfair competitive advantage to companies that use them.

In privacy contexts, dark patterns can take several forms, which may appear individually or in combination:
  • Encouraging users to provide more information than necessary (violating the data minimization principle under Article 5 of the GDPR);
  • Preventing users from getting clear information about how their data is handled (violating the transparency principle under Article 5 of the GDPR);
  • Manipulating or coercing users into accepting less privacy-friendly options, or making it harder for them to adopt measures to protect their data (violating the principles of fairness under Article 5 and privacy by default under Article 25 of the GDPR).

The Garante, together with 25 other international privacy authorities, examined 1,010 websites and apps to assess the presence of dark patterns. The GPEN's final report revealed an extremely high occurrence of dark patterns. In fact, in 97 per cent of cases, at least one type of dark pattern was detected.

For example, an interesting observation from the websites and apps verified (ranging from retailers' websites offering goods or services to end-users, travel and booking sites, news and media platforms, and automotive and IoT websites) is the continued mismanagement of cookies.

Over 60 per cent of cookie banners analyzed emphasized the less privacy-friendly option, and in almost 40 per cent of cases, rejecting this option required more steps.

This analysis clearly shows that many companies still haven't fully implemented the 2021 guidelines on cookies and tracking tools published by the Garante, as shown by the Garante's 2024 inspection plan, where the proper implementation of cookies remains a priority for the authority.

Another widespread issue was account deletion. 55 per cent of websites did not provide a clear option to delete accounts, and when deletion was possible, users were often discouraged through excessive steps or manipulative language.

These dark patterns, often categorized as "obstruction," are designed to alter users' perception and understanding of the options available to them. These practices create barriers between users and their objectives, for example, by using emotionally manipulative language or introducing additional steps to dissuade users from completing the account deletion process.

For these reasons, companies need to design platforms that allow users to make informed decisions, especially in sectors like automotive and the Internet of Things (areas already analyzed in the report), where data-driven services are key in light of the upcoming Data Act.

As is well known, the Data Act (European Regulation No. 2023/2854), coming into force in September 2025, introduces strict rules on the sharing of personal and non-personal data to promote a data-driven economy. However, it raises concerns about how companies will avoid dark patterns in order to comply with the Data Act.

Dark patterns represent a significant threat to the correct and transparent application of the Data Act, as they could impede users' understanding of their rights, such as the right to access and the portability of data generated by connected devices, and how to exercise these rights.

The Data Act specifically prohibits dark patterns. Article 4, paragraph 4, states that data holders shall not make the exercise of choices or rights under this Article by the user unduly difficult, including by offering choices to the user in a non-neutral manner or by subverting or impairing the autonomy, decision-making or choices of the user via the structure, design, function or manner of operation of a user digital interface or a part thereof.

As with the difficulties seen with account deletion, the Data Act could encounter similar issues if users find it hard to access or download data from connected products. This would be a violation of Articles 3 and 4, which clearly state that users must be able to access their data either directly from the connected product or service or by submitting a request to the data holder.

The use of complex technical language or intentionally confusing interfaces not only compromises the user experience but may also lead to significant violations of current data protection regulations, as well as the upcoming Data Act.

Companies must therefore ensure their platforms comply with existing cookie guidelines to avoid fines and facilitate proper consent management, a topic that remains a priority in light of the Garante's inspection plan. They must also prepare for the challenges posed by the Data Act by rethinking and improving the design of their digital platforms to give individuals clear and transparent control over their data.


author


Stefano Foffani

Avvocato

Associate


Chiara Benvenuto

Avvocato

Senior Associate
