With Guidelines 3/2022, adopted in their final version on 14 February 2023, the European Data Protection Board (EDPB) offers a set of practical (and in some ways educational) recommendations to the designers and users of social media platforms (and, by analogy, of online services in general) on how to assess, recognise, deal with and avoid so-called "dark patterns" in social media user interfaces. The recommendations are framed from the perspective of data protection by design and by default under art. 25 of EU Regulation 2016/679 (GDPR), in compliance with the key principles of art. 5 GDPR, and against the background of the so-called attention economy, in which user attention is now treated as a commodity. "User interface" is to be understood here as the graphical, vocal or behavioural medium through which the user interacts with the platform or service: for example, the sign-up/registration phase, where and how the privacy notice can be retrieved, how data subject rights are exercised, and how an account or online profile is closed. Dark patterns in these interfaces may infringe EU and national personal data protection law and, potentially, consumer protection law as well.

First of all, it should be noted that "dark patterns" (also called deceptive design patterns) are, in essence, graphical, vocal or behavioural interfaces and experiences, implemented on a social media platform (or, more generally, in an online service), that lead users to make unintended, involuntary or potentially harmful decisions about the processing of their personal data. In practice, they influence the user's behaviour to the point of undermining the user's ability to protect their personal data effectively and to make informed choices.

Dark patterns can therefore be divided into a set of categories, which include, among others, the following:

1) OVERLOADING: the user is confronted with a large number of requests, pieces of information, options or possibilities, to the point of being prompted to share more data, or to allow, unintentionally, processing of their personal data against their (reasonable) expectations. This macro-category comprises several sub-types of dark pattern, such as:
CONTINUOUS PROMPTING: pushing the user, even after registration on the platform, to provide more personal data than necessary for the purpose of the processing, or to consent, often out of fatigue or resignation, to a further use of their personal data, through repeated and sometimes incessant invitations to provide additional data.
PRIVACY MAZE: making information hard to obtain by requiring the user to navigate through several pages or documents in order to learn more about the processing of their personal data.
TOO MANY OPTIONS: scattering the privacy settings across different sections instead of placing them in a single, clearly visible location.

2) SKIPPING: designing the user interface or experience so that the user forgets, or does not think about, all or some aspects of personal data protection. This macro-category comprises sub-types such as:
DECEPTIVE SNUGNESS: enabling by default the processing options that are most invasive for the user.
LOOK OVER THERE: combining an action or piece of information concerning personal data protection with another element, related or unrelated to the topic, in a way that obfuscates or distracts.

3) STIRRING: influencing the user's choice by appealing to their emotions or by using visual stimuli. This macro-category comprises sub-types such as:
EMOTIONAL STEERING: using words or images that present information in a highly positive light (making the user feel good and safe) or in a highly negative one (making the user feel anxious or guilty).
HIDDEN IN PLAIN SIGHT: using small fonts or insufficiently contrasting colours, so that the information on the processing of personal data is hard to read or is overlooked.

4) HINDERING: obstructing or blocking the user in becoming informed or in managing their personal data, making the action impossible or (extremely) difficult to carry out. This macro-category comprises sub-types such as:
DEAD END: a link that should lead to information on the processing of the user's personal data is, even through negligence, non-functional or leads nowhere.
LONGER THAN NECESSARY: discouraging the user, through a multitude of steps, operations or options, from activating one or more controls or exercising rights over their personal data.
MISLEADING INFORMATION: a discrepancy, even a negligent one, between the information given and the actions actually available to the user, to the point of pushing the user to do something unknowingly or against their will.

5) FICKLE: an inconsistent and unclear interface design that makes it difficult for the user to navigate between the different personal data protection controls and to understand the purpose of the processing. This macro-category comprises sub-types such as:
LACKING HIERARCHY: the absence, even partial, of a hierarchy in the information on personal data protection, so that the same information appears several times and is presented in varying and different ways.
DECONTEXTUALISING: placing information or a control concerning the processing of personal data in a section or page where it is out of context.

6) LEFT IN THE DARK: an interface designed to hide information or personal data protection controls, or to leave the user uncertain about how their personal data are processed. This macro-category comprises sub-types such as:
LANGUAGE DISCONTINUITY: a failed language switch, leaving the user unable to understand the information on the processing of their personal data.
CONFLICTING INFORMATION: providing the user with contradictory information, leaving the user uncertain about what to do and about the consequences of their actions.
AMBIGUOUS WORDING OR INFORMATION: using vague and ambiguous terms when providing information to the user.

Having set out this necessary premise, it should now be noted that the EDPB has illustrated the GDPR principles that apply (substantively and technically) to this matter and that must be kept in mind when assessing whether a dark pattern exists.

The first of them is the principle of fairness under art. 5(1)(a) GDPR (to be read together with Recital 39), a direct expression of the broader principle of fair processing, which requires that personal data not be processed in a way that is harmful, discriminatory, unexpected or misleading for the data subject. It is inextricably intertwined with the principle of transparency (likewise laid down in art. 5(1)(a) GDPR and to be read in conjunction with articles 12, 13 and 14), which requires that the information to be provided to a data subject be given in a concise, transparent, intelligible and easily accessible form, using clear and plain language. In practice, the EDPB asks, on the one hand, that the social media platform provide the information to the user at registration in an efficient and succinct manner, clearly separated from other information not concerning personal data protection; on the other hand, the EDPB recalled that, in order to meet the threshold of so-called informed and freely given consent (always to be understood as a clear affirmative act by the user), the user must be provided with a minimum (but not excessive) set of information, and withdrawing consent must be as easy as giving it, pursuant to art. 7(3) GDPR.

In addition, the EDPB recalled that the principle of data protection by design and by default under art. 25 GDPR must always be kept in mind, so that information (and options) about the processing are provided to the user in an objective and neutral way, avoiding any untruthful, deceptive or manipulative language or design. Specifically, this principle requires, among other things, that the data subject have the highest possible degree of autonomy in determining the use of their personal data and in exercising their rights, and, last but not least, that the processing of personal data correspond to the reasonable expectations of the data subject.

Taking the above into account, the EDPB concluded by illustrating, by way of example only, a series of user-friendly best practices aimed at improving the information available to a user who is registered (or intends to register) on a social media platform (or, indeed, on an online service in general), such as:

(i) a constant presence of links to the information, actions and settings that help the user manage their data in practice;
(ii) a specific indication of the competent supervisory authority, including a link to its website;
(iii) a table of contents at the beginning or end of the privacy notice;
(iv) where the notice under articles 13/14 GDPR is revised, supplemented or updated, making the previous version available as well, with the changes highlighted;
(v) where highly technical or legal language is used, a plain and understandable explanation provided alongside it;
(vi) examples placed alongside the required information to make its content easier to understand;
(vii) where the service is also addressed to users from other countries, translation of the information into their languages or, in any case, into a widely understood language (e.g. English).

