Recently, the German Federal Financial Supervisory Authority (BaFin) issued guidance that investment firms are not allowed to use dark patterns in trading apps or trading portals and announced that it will promptly intervene on already-identified use of dark patterns. In addition, other existing and upcoming EU legislation restricts the use of dark patterns and applies to businesses beyond investment firms. Most EU businesses will be affected by at least some dark pattern rules, and the use of dark patterns in online interfaces such as those of apps or homepages can violate multiple laws. Against this backdrop, businesses should review their current practices and digital interfaces immediately. This Legal Update provides further detail on the various prohibitions and possible sanctions.
Dark patterns are design elements (e.g., the size and color of buttons) or processes (e.g., unsubscribing from a service) that may obscure, mislead or deceive users into making unintended choices in online interfaces.
For example, two of the dark patterns BaFin has criticized, based on its review of trading apps, are having no button to cancel a transaction, or only a barely perceptible one, while the button to conclude a transaction is strikingly designed. Similar discussions revolve around cookie banners that require website users to click through multiple buttons, for example, in order to reject cookies rather than accept them all.
Relevance of BaFin Guidance for Investment Firms Outside of Germany
Other investment firms operating in the EU should take note of the BaFin guidance. It is based on Section 63 (6) sentence 1 of the German Securities Trading Act (WpHG), which is part of the code of conduct for investment firms and implements Article 24 (3) sentence 1 of the European Directive 2014/65/EU (MiFID II) into national law. Other European supervisory authorities could also see the use of dark patterns as unfair and misleading in the sense of Article 24 (3) sentence 1 MiFID II.
Other Prohibitions Under EU Law and Applying Beyond Investment Firms
Other existing and upcoming EU legislation focuses on the use of dark patterns and applies to more businesses than just investment firms.
For example, the European Data Protection Board (EDPB) states in its "Guidelines on Dark Patterns in Social Media Platform Interfaces" of March 2022 that the use of dark patterns may violate data processing requirements under the GDPR, such as the principles of fairness and transparency (Art. 5 (1) (a) GDPR) and the information obligations under Art. 12 (1) sentence 1 GDPR. Furthermore, consent to data processing may be invalid if it was induced by manipulative design choices. This may also apply to consent to online marketing or online tracking methods (e.g., tracking pixels) under the e-Privacy Directive (2002/58/EC), as the requirements for consent there are identical to the provisions on consent in the GDPR.
In a B2C e-commerce context, the use of dark patterns may further be restricted by the Consumer Rights Directive (2011/83/EU) and the Directive on Unfair Commercial Practices (2005/29/EC), as the Commission clarified in its "Guidelines Concerning Unfair Business-to-Consumer Commercial Practices" of December 2021. According to the Commission, any manipulative practice that is likely to distort the economic behavior of an average consumer could breach the trader’s professional diligence requirements or amount to a misleading practice, depending on the specific dark pattern applied.
Moreover, the recently adopted Digital Services Act (DSA) takes a broader perspective, addressing in particular interfaces of online platforms. It prohibits platform providers such as social networks and marketplaces from designing, organizing or operating their online interfaces in a way that materially distorts or impairs, either on purpose or in effect, the ability of recipients of the service to make autonomous and informed choices or decisions (cf. Art. 25). The DSA entered into force on November 16, 2022, and will apply from February 17, 2024.
Beyond the EU – Dark Patterns in the US
EU legislators and regulators are not alone in their focus on dark patterns. In the US, regulators such as the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) have announced guidance and enforcement actions related to dark patterns, which are a species of "deceptive" practices under US law. For example, the FTC released a report in September 2022 outlining various practices the agency believes to be "dark patterns," including providing a list of "best products" without disclosing that the rankings are based on payments from the product manufacturers, burying key terms in places consumers are not likely to look, and design elements that lead to unauthorized charges. Enforcement actions involving dark patterns have also resulted in large fines, including a December 2022 action against a game manufacturer resulting in a $245 million penalty, where the company did not sufficiently disclose that consumers could be charged for in-app purchases in a game that was marketed as free and is often played by children.
The use of dark patterns could expose businesses to severe sanctions under multiple laws. For example:
- WpHG: Violating Section 63 (6) sentence 1 WpHG can lead to fines of up to EUR 5 million, or 10% of the total annual turnover (for legal persons/associations), or twice the amount of the benefit derived from the infringement.
- GDPR: Violating Art. 5 or 12 of the GDPR can lead to fines of up to EUR 20 million or 4% of an undertaking’s total worldwide annual turnover, whichever is higher.
- DSA: A failure to comply with any obligation under the DSA could result in a fine of up to 6% of the annual worldwide turnover of the platform provider.