Answer given by Ms Jourová on behalf of the European Commission
11.4.2019
The term ‘dark pattern’ is not legally defined but it refers to practices used in websites and apps that influence users to take steps that they would otherwise not take[1].
Under Article 5(3) of the ePrivacy Directive[2], storing of information (such as placement of cookies) in the terminal equipment of a subscriber or user requires consent which is to be understood the same way as under the General Data Protection Regulation (GDPR)[3].
If consent is given based on misleading information, the consent will not be valid. In particular, pursuant to Article 4(11) of the GDPR, consent must be freely given, specific, informed and unambiguous by a clear affirmative action signifying agreement to the processing of personal data.
Article 7 of the GDPR further requires that the request for consent shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. It must also be as easy to withdraw consent as to give it.
If a consumer is misled by false or deceptive information to take a transactional decision he or she would not have taken otherwise, such as buying a product, national authorities or courts may regard this as an unfair commercial practice prohibited by Directive 2005/29/EC (UCPD)[4] and grant redress according to national rules.
EC law prohibits specific practices, such as using pre-ticked boxes[5], describing a product as ‘free’ if the consumer has to pay for it[6], making it difficult to unsubscribe after a free trial period and ‘baiting and switching’[7].
Data subjects or consumers who have been misled can submit complaints to the relevant authorities or bodies in the Member States tasked with the enforcement of the GDPR or the UCPD, or bring claims to national courts, either individually or collectively.
- [1] https://darkpatterns.org/.
- [2] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37-47.
- [3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1-88.
- [4] Directive 2005/29/EC concerning unfair business-to-consumers commercial practices, OJ L 149, 11.6.2005, p. 22.
- [5] Article 22 of Directive 2011/83/EU on consumer rights.
- [6] No 20 of the Annex I to Directive 2005/29/EC concerning unfair business-to-consumers commercial practices.
- [7] No 6 of the Annex I to Directive 2005/29/EC concerning unfair business-to-consumers commercial practices.