As the previous chapter has shown, the principle-based, technologically neutral regulation of unfair commercial practices and disclosure requirements that do not engage with the presentation of information leave a lot of room for interpretation when it comes to their translation into user interface (UI) design requirements. This interpretative room means that the law is future-proof and applicable across the full spectrum of sites of socio-technical harms, as well as to analogue commercial practices. It also means that it may be open to attempts to weaponise its interpretative potential by resourceful regulatees, and to unintentional breaches by the smaller market players. Some dark patterns may also not be caught by the current regime in light of its preoccupation with average consumers. Something in the current consumer protection framework may have to change if we are to effectively address consumer harms in digital environments, including harms arising from the use of dark patterns.
In spring 2022, the Commission launched a Digital Fairness Fitness Check of EU consumer legislation – the Unfair Commercial Practices Directive (UCPD), the Consumer Rights Directive (CRD) and the Unfair Contract Terms Directive (UCTD). The aim of the Fitness Check is to ‘analyse whether additional action is needed to ensure an equal level of fairness online and offline’,1 and dark patterns are one of the central points on the Commission’s to-do list.2 The majority (62.9%) of the respondents to the public consultation conducted in the context of the Fitness Check agreed that there may be a need for stronger consumer protection against traders’ use of dark patterns in digital environments,3 and an overwhelming majority (82.4%) expressed a desire for uniform legislation across the EU.4
The Fitness Check is set to conclude in the second quarter of 2024. In the context of the Fitness Check, a wide array of possible ways forward for EU consumer policy have been formulated by various stakeholders,5 i.e. Member State governments,6 consumer protection authorities,7 consumer organisations8 and academics.9 Further, shortly after the Fitness Check was announced, the Commission published the results of a study it had commissioned on the use of problematic commercial practices in digital environments;10 the findings of this study are likely to inform the outcome of the Fitness Check. This chapter provides an overview of the policy options articulated in these policy documents for the future regulation of dark patterns and provides some reflections on them in light of the theoretical framework developed in Chapter 4.11 The analysis starts with a review of the more general proposals touching upon the core, technology-neutral provisions of the UCPD and how they may be amended to protect consumers in digital environments (7.2), and then looks at proposals that touch upon the regulation of dark patterns specifically (7.3). Section 7.4 reflects on the role of (effective) infringement detection and enforcement in guaranteeing the effectiveness of consumer rights online.
General policy proposals concern the review of the core, technology-neutral provisions of the UCPD, and in particular its consumer benchmarks (7.2.1), the notion of professional diligence (7.2.2) and the burden of proof under the UCPD (7.2.3).
The consumer benchmarks used by the UCPD have been a frequent target of scholarly criticism since the early days of the Directive.12 As the previous chapter has shown, the UCPD casts a wide net when it comes to the range of commercial practices it may prohibit. However, where these practices exploit cognitive vulnerabilities, the application of the average consumer test, which is ‘the measure of all things’ in the UCPD,13 may render them fair. The Commission’s Fitness Check questionnaire therefore asks stakeholders whether the ‘[t]he concept of the “average consumer” or “vulnerable consumer” could be adapted or complemented by additional benchmarks or factors’.14 Before delving into the specifics of the policy options outlined by the respondents, it will be worthwhile to take a step back and ask ourselves whether a recalibration of consumer images is something the current Fitness Check could and should achieve.
The adjustment of consumer benchmarks necessitates, in my opinion, a more thorough review of EU consumer acquis than the current Fitness Check envisages, as a revision could have ripple effects throughout a multitude of consumer protection instruments, and beyond.15
First, consumer benchmarks play a role in EU consumer safety regulation. The General Product Safety Directive refers to the elderly and children as vulnerable consumers.16 The average consumer is explicitly mentioned in several food safety instruments – the Regulation on Nutritional and Health Claims17 and the Regulation on Food Information to Consumers (FIR).18 Admittedly, it could be argued that the FIR refers to a more realistic consumer image,19 or at the very least mandates the use of behavioural evidence in assessing consumers’ understanding of the form and presentation of nutrition declarations.20 This different consumer image may be based on the fact that, as Purnhagen puts it, ‘[f]ood marketing law is geared much more to the realisation of consumer rights compared with general marketing law’21 due to its concern with, amongst others, consumers’ health.
Second, the UCPD seems to be the backbone of EU consumer protection in the Court’s view, as it has drawn inspiration from it and transplanted the average consumer benchmark to other consumer protection directives of general scope.22 The average consumer benchmark now appears to have a role in the assessment of the transparency of mandatory disclosures under the CRD23 (despite the Directive’s only explicitly borrowing UCPD’s vulnerable consumer standard)24 and terms and conditions under the UCTD.25 The use of the benchmark in relation to transparency measures is arguably less controversial than its insertion into the assessment of consumers’ legitimate expectations under the (old) Consumer Sales Directive:26 in Fülla, the Court ruled that the average consumer benchmark ought to be used to determine whether the location of and transport costs for bringing goods into conformity may significantly inconvenience the consumer.27 Neither have sectoral instruments that do not refer to any consumer standards been spared from what Luzak calls the ‘steady creep’ of the average consumer benchmark.28 In Romano,29 the Court held that the average consumer’s perception is ‘all that is relevant’ in assessing whether a financial services provider has complied with their obligation to provide clear and comprehensible information on the right of withdrawal under the Distance Marketing of Consumer Financial Services Directive.30
The third reason why the current Fitness Check may be ill placed to address the consumer benchmark question is that the consumer benchmarks, as they are currently fleshed out, form an integral part of the information paradigm, which is the logic underlying the EU approach to consumer protection. The consumer image is important for the choice of regulatory instruments,31 and, given that for an average consumer more information is always better than less or no information, the consumer acquis has, as discussed in Chapter 5, chiefly relied on informational remedies (information duties and cooling-off periods) to ensure the protection of (average) consumers. This approach transcends consumer protection instruments sensu stricto, as it is also the logic underlying the EU data protection regime, which relies on the notice and consent model to legitimise and enable personal data processing, for which information is key.32 Once the law acknowledges that even when provided with information consumers may not use it to their best interest, it will also acknowledge that its past (over-)reliance on informational remedies may not make for an effective consumer protection framework. What ought to be done about the current vast body of informational remedies is a crucial question that any attempt to reconsider consumer images should thoroughly engage with. It cannot be ruled out that an overhaul of the entire consumer-empowerment-via-the-information-paradigm approach to consumer protection that permeates throughout the broader EU consumer acquis – i.e. a regulatory reform – may be called for. In other words (as Brownsword would term it), we may be dealing with a normative disconnect when it comes to the suitability of the goals and logic of the current consumer protection regime to ensure effective consumer protection, particularly in digital environments. Conducting a regulatory update in circumstances where a regulatory reform may be called for ‘might leave regulation in a worse state than initially’.33 The scope of the current Fitness Check is a relatively narrow exercise; that review may therefore not be the best place to tackle these questions. That being said, not adding more information duties (especially to address concerns arising from behavioural exploitation) unless there are good reasons to believe these may be effective is something that can be readily achieved in the present Fitness Check.
Against this background, while it is indeed desirable for the legislator (rather than the Court) to review consumer benchmarks in order to ensure their uniform use where such use is called for,34 that exercise would, in my opinion, necessitate a more thorough review of the consumer acquis, and possibly of the entire information paradigm.
Turning to the policy options outlined by various stakeholders, these can, broadly speaking, be subdivided into two main adaptations to the current regime: lowering the expectations of the average consumer and redefining consumer vulnerability.
Several stakeholders are of the view that the ‘average consumer’ should be redefined with reference to actual consumer behaviour.35 How a more realistic image of the average consumer may be operationalised is a difficult question. As we saw in Chapter 4, the field of behavioural economics has provided us with a greater understanding of the kinds of harms actual consumers may face in the market. What it has not provided to date, however, is an alternative (to the rational choice) theory of consumer behaviour;36 some scholars question whether this should be a priority for behavioural research, and yet others question whether it is possible at all.37 One option would be to, as the Danish government and the European Law Institute (ELI) suggest, adjust the definition of the average consumer to refer to cognitive biases as described in behavioural studies.38 However, not all consumers always experience the same biases to the same extent. The findings of behavioural studies are therefore highly context specific. Being mindful of this in any potential review of UCPD’s consumer benchmarks is especially important in light of the ongoing debate in the behavioural sciences community as to the effectiveness of nudging.39 In late 2021, a meta-analysis by Maier et al. of the effects of widely used choice architecture interventions found that nudging techniques are effective on average.40 A follow-up study published in the summer of 2022 re-analysed the studies included in Maier et al.’s review and found that, once publication bias is accounted for, there is no evidence of the effect of nudges.41 Rather than siding with one of the radical sides in this debate, perhaps we could acknowledge that heterogeneity amongst people and decisional contexts matters for behavioural insights,42 and that we are unlikely to find a one-size-fits-all solution to correcting or tackling the exploitation of cognitive biases. Every behaviourally informed intervention needs to be context specific.
Another option could be to draw inspiration from the more lenient pre-UCPD consumer benchmarks employed by some Member States: Germany used to protect the ‘casually observing and uncritical average consumer’,43 whereas Nordic law referred to a ‘passive glancer’ who makes decisions based on an overall impression and not a thorough reading of commercial messages.44 However, while both of these standards are arguably more realistic than the status quo, the extent to which they are in line with the latest behavioural insights ought to be investigated further.
The second line of recommendations centres around adopting a more granular understanding of consumer vulnerability, and possibly collapsing the distinction between average and vulnerable consumers (in digital environments) in order to achieve that. BEUC has been the main advocate for this option in recent years, but the possibility that UCPD’s definition of vulnerability with reference to a limited set of personal characteristics may be too narrow is old news – scholarly criticism of the artificiality of distinguishing between average and vulnerable consumers dates back to at least 2013.45 In its Fitness Check response, BEUC states that ‘vulnerability must not be restricted to “traditionally protected” groups (e.g. young, old and persons with disabilities) but include all consumers’.46 Instead, in BEUC’s view, the UCPD ought to recognise digital vulnerability, i.e. ‘a universal state of susceptibility to the exploitation of differences in power in the trader-consumer relationship that results from internal and external factors beyond the control of the consumer’.47 The document goes on to list examples of internal (low digital literacy, cognitive biases and plain information overload) and external (digitally mediated relationship, unilaterally configured digital choice environments, limited control over personal data and information asymmetries) factors causing digital vulnerability.48 What a recognition of ‘digital vulnerability’ means in practical terms (changes to be made to the law) is not further outlined in the document. Some additional details in this respect can be found in BEUC’s 2022 paper on protecting fairness and consumer choice in a digital economy. In this document, BEUC states that digital vulnerability should be introduced in the recitals to the UCPD.49
Not restricting consumer vulnerability to pre-defined groups of consumers could introduce even more legal uncertainty into the application of the Directive, and could also undermine the UCPD’s harmonisation goal. The current definitions of the average and vulnerable consumer benchmarks are best seen as a compromise between the need to ‘navigate a course between the rich diversity of actual consumer behaviour and the need for an operational regulatory benchmark’, as Weatherill puts it.50 Accordingly, other advocates of a conception of consumer vulnerability that is closer to reality are more sceptical about the possibility of achieving this via legislative amendments.51 Further, when it comes to the revision of fundamental concepts under the UCPD, we may want to approach technology specificity with great caution. Consumers are not only vulnerable in ways the UCPD does not currently deem relevant online. Admittedly, the concept of digital vulnerability was born of concerns about pervasive personalisation in digital environments, which may entail manipulation based on individual and contextual vulnerabilities that traders could identify based on collected personal data.52 While there is close to no evidence of manipulative personalisation – and personalisation may also benefit consumers – to the extent that it is deemed desirable to curb it, addressing the ineffectiveness of the EU data protection regime could also pave a way forward.53 The question still remains of whether it is desirable to have different images of the consumer in digital and brick-and-mortar environments when it comes to commercial practices that do not target particular groups of consumers or an individual consumer, such as dark patterns. Having lower expectations of consumers in digital settings says something about the boundaries of acceptable persuasion (although it does not outline them more clearly). We do not take issue with well-known behaviourally exploitative techniques in offline settings: supermarkets are free to place chewing gum at checkout counters and pricier wines at eye level, and IKEA has designed its stores as mazes full of physical obstructions. The question is whether the law should now care about these practices, and that is, once again, a matter of normative disconnection, which should be approached with great caution. In the meantime, the UCPD already has a tool to protect consumers from the exploitation of their (cognitive) vulnerabilities: Annex I. Section 7.3 explores how this tool can be used to protect consumers from specific dark patterns.
In any case, recalibrating the expectations the law has of average consumers, or collapsing the distinction between average and vulnerable consumers, however either goal may be achieved, in no way changes the fact that the current regime governing dark patterns is made up of vague prohibitions and prescriptions that do not ensure a sufficient level of legal certainty for technologists who seek to comply with the law or to comply with it creatively.
Before we proceed with analysis of the other policy options, it is worth noting that it cannot be ruled out that the average consumer benchmark will undergo a judicial review before the Commission finalises its Fitness Check. In January 2023, Consiglio di Stato, the Italian supreme administrative court, referred a leading preliminary question to the CJEU in Compass Banca,54 asking whether the ‘average consumer’ concept is, or perhaps suggesting it should be:
[...] worded according to the best science and experience and thus refer not only to the classic concept of homo economicus, but also to the findings of the latest theories on bounded rationality [...] findings that impose a need for greater consumer protection where – as is increasingly the case in modern market dynamics – there is a risk of cognitive influence?
This question has stimulated animated scholarly discussion as to the significance of this case.55 Ultimately, however, as the fifth referred question tells us, this is a case about whether the Autorità Garante della Concorrenza e del Mercato (AGCM)56 has, by requiring Compass Banca to introduce a seven-day cooling-off period in between consumers taking out loans and signing unrelated insurance contracts, introduced a general prohibition of bundling these types of products, a practice the authority deemed aggressive. Should this question be answered in the affirmative, the Court could very well avoid pronouncing itself on or follow Consiglio di Stato’s suggestions as to the consumer image the UCPD enshrines. Even if the Court does address the question, it is perfectly possible that, as Goanta suggests,57 it will restate its extensive case law on the ‘reasonably well-informed and reasonably observant and circumspect’ average consumer, a test that is not statistical. Either way, as I argued above, this is a question that is best left to the legislator, and perhaps for another day.
In the Fitness Check questionnaire, the Commission asks whether ‘[t]he concept of the trader’s “professional diligence” towards consumers should be further clarified in the digital context’.58 As seen in the previous chapters (5 and 6), the current definition of ‘professional diligence’ under the UCPD refers to the standard of skill and care that honest market practice or the principle of good faith would demand of the trader in their field of activity.59 The Directive does not, however, define ‘good faith’ or ‘honest market practice’. As Chapter 5 explains, the Commission expected that traders in different business sectors would develop codes of conduct that could shed light on the requirements of professional diligence in different sectors.60 EU-wide attempts at self-regulation never emerged. Professional diligence was and remains a vague, circular notion that is a testament to the fact that some attempts at future-proofing regulation will come at a cost to legal certainty and result in meaningless provisions.61 The law of everything and the law of nothing are the same law.62
Several policy recommendations formulated in response to the Fitness Check suggest that a duty of fairness or non-manipulation by design should be introduced into the UCPD as a way to further specify the notion of ‘professional diligence’.63 This idea had taken root amongst some European consumer law scholars prior to the announcement of the Fitness Check.64 The Commission’s 2022 behavioural study on dark patterns also lists the introduction of such a duty amongst its recommendations.65 The inspiration for this recommendation66 seems to be Art. 25(1) of the General Data Protection Regulation (GDPR), which obliges data controllers to ensure data protection by design (hereafter DPbD) through appropriate and effective, state-of-the-art technical and organisational means.
What stands out in the majority of the current proposals to introduce a duty of fairness by design is the failure to specify a standard of commercial conduct that would be more concrete than ‘professional diligence’. The Autoriteit Consument & Markt (ACM) in the Netherlands and the Danish Ministry of Justice envision a duty to create digital commercial environments that do not feature ‘any dark patterns or deceptive designs’67 or ‘any manipulative online choice architecture or deceptive designs, which might mislead or influence users through website interfaces’,68 respectively. What are ‘dark patterns’, ‘deceptive designs’ and ‘manipulative choice architecture’? Admittedly, the ACM does refer to Art. 25 of the Digital Services Act (DSA), prohibiting online platform providers from using dark patterns, in its proposal. Whether Art. 25 DSA provides a workable definition of dark patterns is discussed at length in section 7.3; for now it is sufficient to briefly state that, in my opinion, it does not. BEUC, the chief advocate of the introduction of a duty of fair design, has defined it as a duty to ensure ‘that the consumer’s decision autonomy is not impacted’.69 What is ‘decision autonomy’? Is it a reference to the UCPD’s implicit goal of protecting consumer’s transactional autonomy by ensuring that they may take free and informed decisions in the market? What, then, is new about ‘fairness by design’, and what could this duty achieve that a well-designed anti-circumvention clause (discussed in 7.3) would not? There are some other aspects of BEUC’s proposal that lead me to think that the organisation is hinting at a different conception of autonomy from that which is currently embedded in the UCPD – such as its explicit call to address harms ‘reaching beyond the lens of protection of economic interests which currently permeates European consumer law’ and its plea to reconsider the ‘consumer-citizen dimension’.70 A new definition of autonomy may very well be called for.
Ultimately, what BEUC seems to want to achieve with this duty is neutrality in online choice architectures: according to that organisation, ‘fairness by design’ requires ‘a lack of direct and indirect interference with the decision-making process’, as well as ‘enabling consumers to see, understand, and exercise their capacity for making different choices’.71 The recommendations in the Commission’s behavioural study on dark patterns also refer to a duty of ‘fair/neutral design’.72 Design neutrality is an impossible demand. All marketing practices, offline or online, attempt to influence consumers.73 Some do so in an acceptable, others in an unacceptable manner. The key is drawing a dividing line between legitimate persuasion and undesirable influences, however we may want to term them; BEUC’s proposal does not take us any further in this respect. Without delving into whether we should always desire neutrality and therefore also restrict design choices that may be beneficial to consumers,74 assuming that we do in some cases, until the law establishes in no uncertain terms what a ‘neutral’ user interface ought to look like, online choice architectures will not be neutral. As seen in the previous chapters, user interface design is a process that entails making choices that embed values. While some of its outcomes will be bad and others good, they will certainly not be neutral.75
The current proposals for a duty of ‘fairness by design’ are particularly worrisome against the backdrop of the extensive academic criticism that its source of inspiration, Art. 25(1) GDPR, has faced since its adoption. Many scholars have pointed out that the circularity of Art. 25(1)’s aim – ‘data protection’, which is defined by reference to the other obligations the GDPR imposes on data controllers (with additional uncertainty stemming from its failure to clarify which obligations it covers aside from the principle of data minimisation)76 – has led to the provision’s losing a lot of potential in the absence of a stand-alone definition, with some calling it a ‘hollow’77 and ‘meaningless’ norm.78 This ‘hollowness’ is reinforced by the very limited guidance the GDPR offers on how exactly the aims of the provision, whatever they are, ought to be achieved technologically and organisationally. The GDPR itself refers to one technological measure, pseudonymisation, which, remarkably, was not ‘state-of-the-art’ in terms of privacy engineering practices when the GDPR was adopted in 2016.79 Admittedly, in 2020 the European Data Protection Board (EDPB) provided some guidance on how data controllers ought to achieve DPbD.80 However, as Bygrave explains, the guidelines maintain ‘a relatively high level of abstraction, and they arguably underutilise the language and technical insights offered by privacy- and security-related engineering standards’.81
The fate of DPbD underscores that an effective requirement of ‘fairness by design’ or ‘non-manipulation by design’ seems to need much clearer specifications as to what kind of commercial behaviour is deemed unfair;82 the general provisions of the UCPD, as the previous chapter has shown, leave much to be desired in this respect. This requirement would also need to provide some guidance to traders on what measures, technical or otherwise, they ought to adopt to measure and root out ‘unfairness’ in their online choice architectures. In its current iterations, it is, however, hard to see how an obligation to ensure fairness or non-manipulation by design would have a different fate to Art. 25(1) GDPR or, if we were to look closer to home, Art. 5 UCPD and its requirement of professional diligence. If anything, it could add an additional layer of legal uncertainty to the already very uncertain regulation of unfair commercial practices.
Currently, the UCPD leaves procedural issues like determining the burden of proof to the Member States,83 requiring them only to:
confer upon the [competent] courts or administrative authorities powers [...] to require the trader to furnish evidence as to the accuracy of factual claims in relation to a commercial practice if [...] such a requirement appears appropriate on the basis of the circumstances of the particular case and [...] to consider factual claims as inaccurate if the evidence [...] is not furnished or is deemed insufficient [...]84
Informational asymmetries do not affect just consumers; they also affect enforcers, and these effects are arguably exacerbated in digital environments, where potentially unlawful innovation happens at unprecedented scale and speed. Against this background, in the Fitness Check questionnaire, the Commission asks whether ‘the burden of proof of compliance with legal requirements should be shifted to the trader in certain circumstances (e.g. when only the company knows the complexities of how their digital service works)’.85 Most of the surveyed stakeholders’ responses answer this question in the affirmative;86 the authors of the Commission’s study on dark patterns also state that ‘the distribution of the burden of proof or argumentation may have to be rethought’.87 In recent years, BEUC has been the central proponent of a reversal of the burden of proof under the UCPD,88 based on the recommendations of a study of the fitness of the current regime in addressing digital consumer harms, which was carried out by Helberger et al. for the organisation.89
Reversing the burden of proof could doubtless alleviate the knowledge gap between traders and enforcement authorities. At the same time, given the vague nature of UCPD’s prohibitions, a reversal of the burden of proof, especially if coupled with the introduction of a duty of fairness/non-manipulation by design, could also send the compliance burden through the roof, which invites questions about the legitimacy of such a regulatory move. How could a trader disprove a breach of ‘professional diligence’ or prove ‘fairness’/’non-manipulation’? There is a very real risk of arbitrary enforcement, even more so in view of the vague description the Commission provides of the circumstances in which the burden of proof would shift to the trader. What are ‘complexities’ – genuinely hard-to-detect unfair digital commercial practices, such as harmful personalisation, or an excuse for some authorities’ insufficient digital literacy? Further, ‘complexities’ are a two-way street. The shift of the burden of proof assumes that traders have complete influence over and understanding of the functioning of their online interfaces. As discussed in Chapter 2, it would be erroneous to assume that this is always the case, especially insofar as SMEs are concerned. As Chapter 2 shows, the platformisation and servitisation of web development and web design mean that smaller, less-resourced market players may unknowingly use non-compliant design elements and may not be fully able to adjust these design elements because of a lack of either technical know-how or control over third-party resources. Under the current legal framework, third-party suppliers of dark patterns are unlikely to be liable for the infringements they create or facilitate. In the interests of effectiveness and legitimacy, something the Commission could consider instead of reversing the burden of proof would be to extend the scope of the UCPD to cover third-party facilitators of unfair commercial practices, as suggested by the ACM in the Netherlands90 and by the Danish Ministry of Justice.91
To sum up, for the reversal of the burden of proof to have (some) legitimacy, it appears necessary for the UCPD prohibitions of unfair commercial practices to be further specified. The original proponents of a reversal of the burden of proof under the UCPD – Helberger et al. in their 2021 study for BEUC – would not disagree: they envisaged the shift in the burden of proof as part of a larger reform that would also ‘concretise what is meant by aggressive practices and what exactly professional diligence implies’ in digital environments.92 Ways to achieve that (insofar as dark patterns are concerned) are discussed in the next sections.
The policy proposals that specifically deal with dark patterns either propose the introduction of a general prohibition of dark patterns in digital environments (7.3.1) or advocate for the regulation of particular practices (7.3.2). This section will show that a general ban on the use of dark patterns may not be the best policy direction for the EU consumer acquis, and will put forward policy recommendations for the regulation of specific dark patterns. I will also address means to ensure the adaptability of the EU consumer acquis to changing landscapes of consumer harms; as we saw in Chapter 4, adaptability is a key aspect of ensuring the (continued) effectiveness of socio-technical regulation.
The Commission asks in the Fitness Check questionnaire whether there is a need for ‘stronger protection against digital practices that unfairly influence consumer decision-making (eg manipulative website/app designs such as misleading presentation of ‘yes’ and ‘no’ choices; or creating multiple obstacles before reaching a cancellation/unsubscribing link)’.94 In their replies to this question, some stakeholders have called for a general ban of dark patterns in the UCPD,95 as well as elsewhere in EU consumer acquis where information duties are being used.96 To illustrate why a general ban may not be the best way forward, we do not need to look further than the DSA, which contains a broad prohibition of dark patterns on the interfaces of online platforms in Art. 25(1), and which could serve as a source of inspiration for the legislator if further general bans were to be introduced.97 The uncertainties surrounding the interaction between the DSA and the UCPD (and GDPR) make this solution even more likely. The personal scopes of the DSA and the UCPD overlap insofar as online platforms, including online marketplaces, are concerned, albeit Art. 25 seeks to protect both business and consumer users of online platforms.98 Art. 25 (2) DSA states that its prohibition of dark patterns does not apply to practices ‘covered by [the UCPD] or [the GDPR]’. This provision suggests that the legislator envisaged a subsidiary, safety-net role for the DSA in this respect. At the same time, the provision excluding practices covered under the other two instruments stands awkwardly in relation to the lex specialis principle, as neither the UCPD nor the GDPR deal explicitly with dark patterns. Further, the DSA prohibition has a narrower personal scope of application, as it only concerns online platforms, so we could construe the DSA as a sectoral regulation. Art. 3(4) UCPD provides that in cases of conflict between the UCPD and other EU laws regulating specific aspects of unfair commercial practices, the latter ought to prevail. This provision could give way to the application of the DSA’s ex ante, explicit, sectoral prohibition of dark patterns on online platforms.99 Even if we were to discount that, it is still not clear what it means for a practice not to be covered by other instruments. Does it mean that a case could only be brought under the DSA after an authority or a court establishes that there is no infringement under the UCPD or the GDPR?100 Or could it be that the material scope of the instruments in question is different? If so, in what respect is it different – would the DSA, for instance, only apply to non-commercial or B2B practices?101 Answering these questions will be essential to ensuring the effective enforcement of all three instruments.
Turning to the substance of the prohibition, Art. 25(1) DSA requires online platforms not to ‘design, organise or operate their online interfaces in a way that deceives or manipulates (emphasis added) the recipients of their service or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions’. Art. 25(3) goes on to state that the Commission may issue guidelines on how the first paragraph applies to three practices: ‘(a) giving more prominence to certain choices when asking the recipient of the service for a decision [Visual Interference/Aesthetic Manipulation]; (b) repeatedly requesting that the recipient of the service make a choice where that choice has already been made, especially by presenting pop-ups that interfere with the user experience [Nagging]; (c) making the procedure for terminating a service more difficult than subscribing to it [Hard to Cancel/Roach Motel]’. A literal reading of Art. 25(3) suggests that the listed practices are not caught by the first paragraph in all circumstances. The DSA Preamble seems to point us in the same direction. Recital 67, which refers directly to dark patterns, clarifies the legislator’s intent to clear online platforms of user interface design choices that ‘direct the recipient to actions that benefit the provider of online platforms, but which may not be in the recipients’ interests’. This is not an entirely unwise legislative choice. Making certain courses of action more prominent is not necessarily a harmful UI design choice. What should interest us is the end that is being pursued – is it an end that benefits the consumer or the online platform? For example, consider cookie banners: either one of the buttons to accept and reject cookies can be made more prominent, yet clearly one of these options will benefit the consumer, and the other the service provider. Similarly, in an e-commerce context, Amazon’s 1-click checkout102 could be deemed to make proceeding with a purchase a more prominent course of action, yet we may find that consumers who are not prone to impulse purchasing consider this a matter of convenience rather than manipulation.103 The Commission’s guidelines could help with the drawing of dividing lines for such practices. Line-drawing is also an important exercise for the other practices listed in Art. 25(3). Nagging a consumer towards a certain choice may, for example, cause consumer detriment where that choice entails succumbing to privacy-intrusive settings; in other instances, nagging may be merely annoying. Introducing some friction into a service termination procedure (Roach Motel/Hard to Cancel) may prevent accidental termination,104 yet introducing a lot of friction may keep users trapped in recurring subscriptions or prevent them from deleting their accounts. It is not, however, entirely clear why the EU legislator has singled out these particular practices in Art. 25(3).105 It is also not clear why lines could not be drawn in the DSA directly.106 This legislative approach is therefore not, at this time, helpful in establishing what is and what is not a dark pattern, as this remains to be clarified in guidelines. This undermines the interpretative potential of Art. 25(3), which is unfortunate, seeing how the general ban on dark patterns in Art. 25(1), to which I now turn, will likely require a great deal of interpretation.
Art. 25(1) DSA ventures into previously unexplored legislative territory by listing manipulation as a source of consumer harm. ‘Manipulation’ is not defined in the regulation. As we have seen in Chapter 4, many philosophers have reflected on the meaning of manipulation and how it manifests in digital environments, and the jury is still out on this question. The problem with regulating manipulation, and the reason why so far manipulation has not featured in legislative acts either in the EU or elsewhere, is that, however conceived, it is a very broad term, and drawing the boundaries between immoral manipulation and acceptable persuasion is a difficult task.107 As Sunstein puts it, ‘it [manipulation] has at least fifty shades’.108 Which one of these does the DSA refer to? We will likely only find out once the CJEU gets to express its views on the matter. However, it may not be too early to state that this legislative approach of embracing vague legal terms that are not given concrete meaning risks watering down the effectiveness of the DSA prohibition, much like the way in which the general fairness test under the UCPD has lost much of its bite by referring to ‘professional diligence’. Admittedly, deception, and material distortion or impairment of a consumer’s ability to make free and informed decisions, are more common-sense EU legal terms. The UCPD prohibits misleading actions that involve false information as well as practices that are ‘in any way, including overall presentation [...] likely to deceive the average consumer, even if the information is factually correct’, insofar as these may influence an average consumer’s transactional decision.109 The UCPD’s general unfairness test prohibits breaches of professional diligence requirements that are likely to materially distort consumers’ behaviour;110 a material distortion means ‘using a commercial practice to appreciably impair the consumer's ability to make an informed decision, thereby causing the consumer to take a transactional decision that he would not have taken otherwise’.111 Crucially, however, as opposed to the UCPD, the DSA does not seem concerned with potential distortions of behaviour (something a court can assess without empirical proof as to consumers’ reactions to a practice): it seems to be concerned with actual deception/manipulation/distortion/impairment. This raises the bar for establishing that a practice is a dark pattern prohibited by the DSA. If we seek guidance on the interpretation of the forms of influence prohibited by the DSA from its Preamble, we may end up more confused. Recital 67 provides us with an additional definition of ‘dark patterns’: ‘practices that materially distort or impair, either on purpose or in effect [emphasis added], the ability of recipients of the service to make autonomous and informed choices or decisions’. That UI design choices have to ‘in purpose or effect’ distort or impair consumers’ ability to take autonomous and informed decisions may be interpreted as not requiring actual impairment, as it suffices that the purpose may have been impairment, but the reference to the purpose of a practice can also be taken to mean that enforcement authorities have to be concerned with the online platform providers’ intention, something the UCPD does not require. The main question that we need to ask in this context is whether we ought to interpret the DSA’s terminology in light of its ‘regulatory siblings’ in the UCPD and vice versa.112 This question is left open by the co-legislators. Especially the second option (interpreting the UCPD in light of the DSA) seems undesirable, as it could lower the level of protection offered by UCPD’s faultless prohibitions of potential distortions of consumer behaviour. As Goanta explains, regulatory siblings have the potential to contribute to greater conceptual cohesion in the law, but can also be ‘too much of a good thing’ when their overlapping scope of application and unclear boundaries of interaction lead to additional legal uncertainty.113
Trying to discern what is not a dark pattern caught by Art. 25(1) does not take us very far either. Recital 67 DSA states that:
[...] However, rules preventing dark patterns should not be understood as preventing providers to interact directly with recipients of the service and to offer new or additional services to them. Legitimate practices, for example in advertising, that are in compliance with Union law should not in themselves be regarded as constituting dark patterns. Those rules on dark patterns should be interpreted as covering prohibited practices falling within the scope of this Regulation to the extent that those practices are not already covered under Directive 2005/29/EC or Regulation (EU) 2016/679.
Recital 67 suggests that legitimate practices that are not prohibited by the UCPD will likely not be caught by the DSA either. This apparent assumption that the UCPD draws clear dividing lines between manipulation and persuasion could be where the DSA clips its wings the most. Alas, as the previous chapter has shown, the UCPD is far from clear on this point. We are back to square one. In my opinion, the circularity that the DSA introduces in terms of distinguishing dark patterns from legitimate practices is likely to severely undermine its effectiveness.
One lesson we can extract from the breadth and vagueness of the DSA’s general prohibition of dark patterns is that for as long as the current situation holds – in that the dark patterns literature has still not agreed on a common definition and more conceptual and empirical work is necessary to link dark patterns to consumer harms – trying to enact a general prohibition of dark patterns is bound to be a challenging and likely unfruitful legislative endeavour.114 Vague prohibitions may be doomed to neither serve the interests of those they are supposed to protect nor provide legal certainty to those who have to comply with them. As Goanta and Santos put it, ‘if everything is a dark pattern, then nothing is a dark pattern’.115 It is not, however, too early to regulate (some) specific dark patterns, which is a policy option I discuss in the next sub-section.
Before proceeding, we ought to note another development that could further undermine legal certainty in the EU regulation of dark patterns – legislative inflation. Aside from the DSA, there are currently several adopted and proposed legal instruments that touch upon dark patterns. In the area of competition law, the Digital Markets Act (DMA)116 prohibits gatekeepers that provide core online services from using dark patterns to circumvent other obligations they owe to business users and end users under the regulation.117 In the field of data protection, the current version of the Data Act proposal as amended by the European Parliament118 prohibits the use of dark patterns by data holders119 and data recipients.120 Beyond policy efforts aimed at economic and privacy harms, some scholars121 argue that the proposed AI Act122 may, if adopted in its current iteration, take issue with dark patterns that cause psychological and/or physical harms. If we look closer to home, in May 2023 the European Parliament voted in favour of adding a general ban on dark patterns inspired by the Art. 25 DSA to UCPD’s prohibition of misleading actions (Art. 6), as proposed by the IMCO Committee in the context of amending the Commission’s proposal for a directive empowering consumers for the green transition.123 It might be that the European Parliament has caught on to the fact that the DSA prohibition may be lex specialis to the UCPD insofar as online platforms’ use of dark patterns is concerned; however, if it wants to close that leak in the regulatory roof, it would be well advised to move the prohibition to Art. 5 UCPD, as the DSA does not merely deal with misleading practices, as opposed to Art. 6 UCPD. Fragments of the DSA prohibition and its recitals, albeit also not word-for-word transfers, can also be found in the Commission’s proposal for a new directive concerning financial services contracts concluded at a distance, which would amend the CRD.124 Transferring the DSA prohibition to consumer protection instruments transfers its vagueness; not transferring the definition in exact terms creates additional legal uncertainty, as does the piecemeal regulation of dark patterns elsewhere in the digital acquis. Any further attempts to regulate dark patterns generally may therefore be well advised to seriously engage with the relationship between the various existing and proposed prohibitions.
If we agree that a general ban on dark patterns may not be the best way forward for the EU consumer acquis at present, what we could do instead is regulate specific dark patterns. The Commission’s behavioural study on dark patterns also recommends ‘prohibition of the most harmful practices’,125 although these are not further specified.
In my opinion, there are some dark patterns that are ripe for this exercise. As the OECD points out, prior research and enforcement actions have revealed substantial financial detriment resulting from Hidden Costs, Hidden Subscriptions and Hard to Cancel.126 An experiment by Blake et al. found that the use of Hidden Costs on a secondary ticket-purchase platform resulted in consumers spending approximately 21% more than otherwise and being approximately 14% more likely to complete a purchase compared to a dark-pattern-free environment.127 A 2010 study conducted for the Office of Fair Trading in the UK compared the effects of various price-framing techniques on consumer behaviour, and found that Hidden Costs was the most detrimental to consumers.128 Subscription traps, which rely on Hidden Subscriptions and Hard to Cancel, can lead to substantial and long-term financial detriment for consumers. A 2017 study by the ECC Sweden found that 3.5 million consumers in six MS have been trapped in unwanted subscriptions over the course of the previous three years, incurring average costs of approximately €115.129 In 2021, as part of a consumer and competition policy reform, the UK government prepared an impact assessment which estimated that UK consumers may be spending as much as £1.8 billion yearly on subscriptions they do not want.130 In the USA, the Federal Trade Commission reached a US$10 million settlement with ABCmouse, a provider of educational content for children, in 2020; this was in response to the company’s making misrepresentations about cancellations and failing to disclose important information about subscriptions to consumers.131
In terms of regulatory design, Chapter 4 shows that there are reasons to doubt that generally applicable information requirements and principles-based provisions are fit for the job of regulating dark patterns. Instead, we may want to engage more seriously with the possibility of regulating user interface design (more) directly. This could be achieved by means of prescribing quality standards (so-called ‘design duties’)132 for some aspects of online choice architecture, or enacting prohibitions. There is some emerging evidence that clear-cut, direct regulation of specific online practices may prove effective in digital environments: the ACM in the Netherlands reported that, in its experience, it was only once the Omnibus Directive introduced an explicit prohibition of fake reviews into the UCPD that the Dutch business community started adjusting its practices.133 Some drafting inspiration and lessons in this regard can be drawn from the responses submitted in the context of the ongoing Fitness Check as well as sectoral consumer protection instruments, and some legislative proposals that are currently in the pipeline: the proposal for a directive on empowering consumers for the green transition134 and the proposal for a new directive concerning financial services contracts concluded at a distance.135 It may also be helpful to look at the national law of EU Member States, as well as how dark patterns are being regulated across the Atlantic.
While the Commission seems to be well aware of Hidden Costs and the potential they carry for financial detriment – it discussed the practice in the 2016136 and 2021 UCPD Guidance documents –137 its suggestions for revisions to the current legal framework in the context of the ongoing Fitness Check do not touch upon this issue. Both the ACM in the Netherlands138 and the Danish government consider that Hidden Costs ought to be tackled in the current Fitness Check.139 The Danish government has formulated a concrete policy proposal to that effect, suggesting that the following should be added to the list of per se prohibitions in Annex I UCPD: ‘Adding new and potentially significant non-optional charges to the total price when a consumer is about to complete a purchase (Drip pricing)’.140 This proposal has two shortcomings. The first one is its reference to ‘potentially significant’ charges: it is unclear whether this is an additional criterion (to the charges being ‘new’) or is meant to merely emphasise the problematic nature of the practice. If it is indeed read as an additional criterion, how is the significance of the charges to be assessed? While a criterion of this sort would align with the Court’s case law on the matter (discussed in Chapter 6), it is unlikely to imbue the prohibition with (more) legal certainty. Second, a prohibition of charge disclosures late in the process is unlikely to be an effective measure on its own; the way the additional costs are presented and the precise timing of disclosure also matters. Traders may disclose the charges at the right time, but rely on other design techniques to make them less noticeable – e.g. by adding a link to a different webpage where the charges are disclosed, visually obscuring them by manipulating the font colour or size or disclosing the information at any earlier point in the purchasing process but after the initial offer presentation, when the consumer is already invested in it. The prohibition ought to therefore be accompanied with design requirements for the disclosure of price information. The CRD could be amended to require complete price information to be visible and prominent throughout the ordering process. This is the approach taken by the Air Services Regulation,141 Art. 23(1) of which requires air services providers to indicate the ‘final price to be paid [...] at all times and [...] include the applicable air fare [...] as well as all applicable [...] charges which are unavoidable and foreseeable at the time of publication’. Some additional requirements as to the presentation of information could be imposed, too, and not just for price information, but possibly for all material information under the CRD: as seen in Chapter 3, dark patterns may be used to modify the flow of relevant information to the user, including mandated information. For instance, in the proposal for a new directive concerning financial services contracts concluded at a distance, the Commission acknowledges that font sizes and colours can either promote or hinder information legibility.142 The IMCO Committee proposes to specify in the recitals to this instrument that ‘overly lengthy and complex descriptions, small print, and extensive use of hyperlinks should be avoided as much as possible [when providing pre-contractual information via electronic means], as these are methods that worsen the understanding of consumers’.143 Both the Commission’s and the IMCO’s information presentation requirements are welcome developments, albeit they would only be applicable to financial services contracts. Further, merely referring to some specific design vectors of obscuring information is a technology-specific approach that opens the door to circumvention. To avoid that, any specification of information disclosure design requirements could be coupled with an anti-circumvention clause prohibiting traders from deploying technical, behavioural or any other means to bypass their obligations under the CRD, as proposed by BEUC.144 A more far-reaching alternative is the complete standardisation of text and design requirements, as proposed by the ACM in the Netherlands145 and the Danish Ministry of Justice.146 Standardisation in this regard is not just capable of promoting compliance; it could also help protect consumers from themselves by making material items of information more salient. The Konkurrence- og Forbrugerstyrelsen147 in Denmark conducted a behavioural experiment in 2018 testing the effectiveness of standardised online disclosure presentations in an e-commerce setting, and found that the visibility and comparability of key contractual terms could have a significant impact on consumer choice and improve consumers’ abilities to understand and navigate digital spaces.148 Based on the results of an experiment testing multimodal (i.e. pertaining to text, visuals and document design) disclosure optimisation measures, Luzak et al. suggest that ‘a short, simplified, visually rich disclosure may perform best in the low-attention pre-purchase setting’.149
The EU itself is no stranger to standardising the form of disclosures. Annex I(A) CRD contains model withdrawal instructions that traders could make available to consumers, but the form only standardises textual requirements on a voluntary basis. The failure of the current approach to curb the obfuscation of material information through UI design vectors leads me to suggest that making standardised information design requirements mandatory could lead to (more) effective regulation. This is the road taken by the European Electronic Communications Code (EECC).150 Art. 102(3) EECC requires providers of public available electronic communications services to provide consumers with a contract summary; the design parameters of these contract summaries are laid down in a Commission Implementing Regulation.151
Admittedly, what counts as material information is context-dependent, as ELI points out,152 whereas the CRD is a horizontal, cross-sectoral instrument. It may therefore be necessary to provide several design options for various sectors;153 another option would be to delegate the concrete design specification to standard-setting organisations.154 I return to this option in sub-section D.
When it comes to regulating subscriptions, as pointed out by Busch, distinct issues arise (and could be tackled) at different points in the lifetime of a subscription contract: the pre-contractual stage, during the duration of the contract and at the termination stage.155 This sub-section deals with the first two of these stages. The following sub-section will discuss policy options at the termination stage.
Before proceeding with the policy options for the regulation of the pre-contractual and in-contract stages, we could ask whether we want (some of) these contracts to be available at all. As we saw in Chapter 6, Hidden Subscriptions often arise in the context of free trials. One of the policy options the Commission is considering is giving consumers the right to a truly free trial by prohibiting traders from requesting payment details.156 Amongst consultation respondents, BEUC,157 ECC-Net158 and ELI159 have expressed support for this policy option.
There are several reasons to worry that the nuclear policy option of banning free trials may backfire. First, while automatic conversion (to a paid subscription) could indeed lead to detrimental results for consumers in the long(er) run, in the short run, the consumers who have enjoyed their free trial experience may want the convenience of an automatic conversion. Second, it may be financially unsustainable for small(er) businesses to offer free trials without any strings attached. This could lead to less use of (genuine) free trials, with consumers ultimately footing the bill for having to sign up for a service, possibly a long-running one, without first experiencing it. The same could be said about a requirement of express consent to transition from a free trial to a paid subscription that the Commission is considering and that BEUC,160 ECC-Net,161 the Danish Ministry of Justice162 and ELI163 are in favour of. The added friction of this intervention could too be disagreeable for some consumers. Consumer heterogeneity therefore seems to point to a narrower, more tailored scope for interventions of this sort, such as giving consumers the option to opt into or out of the automatic transition to a paid subscription or auto-renewals. The (user interface) design of this option is something the legislator may want to pay attention to in order to tackle UI designs that could pose impediments to consumers expressing their preferences.164 Further, it might still prove worthwhile to appraise the costs of this approach to businesses, as any loss of subscribers arising out of opt-ins may translate into higher subscription costs for consumers.165
On the softer end of the range of policy options, at the pre-contractual stage, information disclosure can be improved along the lines of the recommendations outlined in the previous sub-section. Prohibiting some common vectors of visual information manipulation and/or prescribing forms of standardised, visually salient disclosure could ensure that information about contract duration and renewal does actually reach consumers. Some MS already impose stricter presentation requirements for auto-renewal clauses in consumer contracts. For example, Belgium requires these clauses to be presented on the first page of a contract in bold characters and in a separate frame from the rest of the text, whereas Portugal prohibits contractual provisions which are written in a smaller font size than 11 or 2.5 mm and with less spacing than 1.15 mm.166 While these national requirements apply to the actual contract rather than the presentation of pre-contractual information, we could envisage similar solutions for the latter.
We could also reappraise the timeliness of disclosures about subscription renewal or transition to a paid subscription. As De Streel and Sibony point out, this information is most helpful to consumers before renewal, i.e. after the contract is concluded.167 The Commission is considering the introduction of mandated reminders before the automatic renewal of digital subscriptions.168 This is arguably a low-cost policy option, as traders can automate these communications.169 Timely reminders about (auto-)renewals are required elsewhere in EU law; Art. 105(3) EECC requires providers of publicly available electronic communications services to inform end users in a prominent and timely manner of the end of the contract and how they may terminate it. As Busch points out, it may be desirable to engage with what ‘timeliness’ means in order to further legal certainty.170 Further, even if timely (however we measure that) reminders are mandated, the risk that behavioural inertia beats consumers to the punch and that the reminder will be ineffective remains. As ELI points out, we may want reminders to be accompanied with straightforward, immediately accessible technical means of cancellation.171 Once more, the design of these means is something the legislator may want to concern itself with to ensure the effectiveness of consumers’ right to termination. What (UI) means of cancellation could look like is discussed in the next sub-section.
Hard to Cancel, especially when coupled with Hidden Subscriptions, poses the highest risk of financial detriment of all Shopping dark patterns. This practice has not gone unnoticed at EU level: as we saw earlier in this section, the DSA lists the practice of ‘making the procedure for terminating a service more difficult than subscribing to it’ as a possible (prohibited) dark pattern, subject to further elaboration in the Commission’s guidelines. Prohibiting all instances in which the termination procedure is ‘more difficult’ is arguably too restrictive: there may be good reasons for a contract-cancellation process to require more steps than subscribing, such as preventing accidental cancellation. Another reason we may not want an unqualified prohibition phrased in these terms is that it would require a case-by-case assessment of unfairness – a trader’s cancellation process would only be deemed to be designed in an illegal manner if that trader’s subscription process were easier. A prohibition in these terms could easily be avoided if a subscription process were made equally lengthy.
In May 2023, the European Parliament voted in favour of an amendment to the UCPD proposed by the IMCO Committee that would, if adopted, introduce to Annex I UCPD a prohibition of ‘making the procedure of terminating a service significantly more burdensome than signing up to it’.172 While a word-for-word transposition of the DSA provision into Annex I UCPD would have been too restrictive, IMCO’s phrasing leaves too much to the imagination. How many more clicks amount to a burdensome cancellation process – one, five or 10? Would requiring a consumer to call/e-mail customer service in order to cancel a subscription amount to a slightly or significantly more burdensome termination process? What if termination via an app is not possible, but can be easily done via a desktop/mobile browser? Lines need to be drawn. The list of per se prohibitions in Annex I is meant to provide traders with legal certainty. The proposed amendments could, in my opinion, do more to serve that purpose.
The solution the Commission is exploring in the context of the ongoing Fitness Check could provide the required level of legal certainty, depending on how it is implemented. The Commission asked stakeholders whether ‘a clear technical means (e.g. a prominent cancellation button) would help consumers to cancel [a contract] more easily’. In recent years, some Member States have already opted for this solution. In Germany, the 2021 Fair Consumer Contracts Act amended the German Civil Code to require businesses that offer subscription options on their websites to implement a two-step cancellation procedure.173 The trader’s website needs to have a prominent button labelled with the words ‘cancel contracts here’, or similar wording to that effect, which leads a consumer to a confirmation page where they can input the information required to terminate the contract. The confirmation page ought to have a confirmation button legibly labelled with the words ‘cancel now’, or an equivalent phrasing.174 The amendment took effect in July 2022. In France, an amendment to the Consumer Code that was set to take effect in June 2023175 requires businesses that allow consumers to take out subscriptions online to also make termination possible online.176 Merely adopting a principle that an online subscription requires online termination is, however, unlikely to be effective: as we saw in Chapter 6, traders can allow online cancellations, yet still make consumers jump through numerous online interface design hoops that may lead them closer to desperation than termination of the contract. The French legislator is aware of this: the concrete technical steps traders need to implement are spelled out in a separate decree. The decree detailing the cancellation procedure for all consumer contracts is yet to be published, but we can get a taste of what’s to come from the decree laying down the cancellation procedure for insurance contracts.177 Traders need to provide a ‘functionality’ for consumers to terminate contracts that is directly and easily accessible, displayed in readable characters and labelled with something along the lines of ‘terminate your contract’. The consumer will then input their information and be taken to a confirmation page, where they can double-check the information and then click a ‘function’ labelled with the words ‘confirm my request for termination’ or the like. At EU level, in its proposal for a new directive concerning financial services contracts concluded at a distance, along the lines of the German approach, the Commission proposed the introduction of a ‘withdrawal button’ to facilitate the exercise of consumers’ right to withdrawal.178 The amendments to the Commission proposal made by the IMCO Committee are leaning towards the French approach – all references to the button have been replaced with references to a ‘withdrawal function’.179
A key difference between the German and French cancellation-procedure design requirements is the level of technology specificity: the German provision requires traders to allow cancellation via a website, whereas the French provision refers to online interfaces generally, which means that consumers can cancel via their preferred modality of interaction with a service where the trader supports more than one modality. The German provision is more technology specific in that it requires a button, whereas the French decree refers to a ‘functionality’, which could also be a link. The regulatory method is also different: in Germany, the cancellation procedure is laid down in the Civil Code, whereas in France the concrete requirements are to be spelled out in executive decrees, allowing for faster adjustments if necessary in the future.
It remains to be seen how effective the French solution will be, but there is some evidence on the effectiveness of the German approach and, as ELI points out, the implementation of the button leaves (for now) a lot to be desired.180 An inspection of 840 websites conducted in October 2022 by Verbraucherzentrale Bundesverband (VZBV), the federation of German consumer organisations, revealed that only 32.5% of the analysed websites were compliant; the rest of the websites either had no cancellation button altogether, hid it in a maze of other webpages or labelled it wrongly.181 A follow-up analysis of 3000 websites by VZBV using a crawler found that only 28% of the analysed websites were compliant. In other cases, either no button could be identified or the traders employed various creative ways to hide it, by using confusing labelling, colours that were in low contrast to the background or burying it in other pages.182
The German experience with the cancellation button teaches us two valuable lessons. In terms of good news, the automated sweep conducted by VZBV illustrates that standardising the cancellation procedure allows the scaling of infringement detection and so could contribute to more effective enforcement in digital markets (as detection is a precondition for enforcement). I will elaborate further on this point in the next chapter. The second lesson is that there is room for improvement: avoiding circumvention may require even stricter design requirements, such as the precise specification of the place on an online interface where the button is to be found, and perhaps even providing a mandatory design for a button in the law. This is something the Californian lawmakers opted for in a recent amendment to the California Consumer Protection Act (CCPA). The CCPA allows consumers to opt out of the sale of their personal data by clicking on a direct link on either a website homepage or the download or landing pages of a mobile app. Clicking this link ought to lead consumers to a notice of their right to opt out, where they may see an ‘Opt-Out Icon’.183 The icon is depicted in Fig.1.
Fig. 1: The Californian Opt-Out Icon
While the icon is not a clickable button – it is meant to draw consumers’ attention to privacy choices – it is nevertheless a good illustration of how standardised design requirements could be implemented in the law.
Whichever option is opted for, it is clear that some design requirements for termination procedures at EU level appear necessary to ensure effective consumer protection. At this stage, they may also be necessary in order to avoid legal fragmentation in light of the divergent national solutions that are starting to emerge, and which may lead to less legal certainty for traders that operate cross-border, as ELI points out.184
The previous sub-section has explored ways in which specific dark patterns may be regulated using the approach that this study has identified as possibly more effective for the regulation of socio-technical consumer harms: direct regulation of user interface design. However, as we have seen in Chapter 4, there is more to effective socio-technical regulation than this: it requires adaptability, as new harmful practices will continue emerging in old and new digital environments, and this is not the last time we will face regulatory disconnection.
The most straightforward way to ensure adaptability would be to subject relevant instruments, for example the UCPD and the CRD, to periodic review. Periodic review is a measure that has been used elsewhere in the EU digital acquis. Art. 53(1) DMA obliges the Commission to evaluate the effectiveness of the regulation and to communicate the results of its assessment to the Parliament, the Council and the European Economic and Social Committee by 3 May 2026, and every three years thereafter. The evaluation ought to establish whether some of the core rules of the DMA, including the gatekeepers’ obligations, need to be modified. Towards this end, the Commission may put forward legislative proposals.185 In a similar vein, Art. 91(2) DSA requires the Commission to evaluate and report on the effectiveness of the DSA to the Parliament and Council by 17 November 2027, and every five years after that. The report may be accompanied by a legislative proposal.186 However, where revisions to a EU legal act are to be carried out via the ordinary legislative procedure, this is bound to be a lengthy process. The EU legal toolbox offers some mechanisms for speeding up targeted changes to legislative acts: delegating the power to supplement or amend non-essential elements of a legislative act to the Commission via delegated acts,187 and empowering the Commission to adopt implementing acts to further specify EU-wide, uniform aspects of legislative acts.188 In terms of design prohibitions, the DSA prohibition of dark patterns at one point envisaged a longer list of categorical prohibitions which could be amended by the Commission via delegated acts.189 In this vein, the Commission could, for example, be empowered to amend Annex I UCPD via delegated acts. Whether or not this is a feasible solution depends on how we interpret ‘essential elements’ and whether Annex I UCPD is deemed essential. Determining what are essential elements of an act in advance is a rather unpredictable affair, however. The treaties are silent on this question, and, as Chamon explains, the Court has merely explained that this ought to be determined based on objective factors, such as the characteristics and particularities of the domain concerned, and on a case-by-case basis; the Court has also specified that what is essential is political, but that insight does not lead us very far either.190 In principle, Annex I UCPD could be seen as a mere specification of the prohibitions of misleading and aggressive commercial practices. It can therefore be argued that it is not essential. Another possibility would be to empower the Commission to adopt implementing acts to further specify legal design requirements for certain regulated dark patterns at EU level. For example, implementing acts could be used to further specify the requirements for compliant cancellation procedures once these are introduced, or, following the approach of the EECC, to specify standardised pre-contractual information design requirements. Expecting the Commission and the co-legislators to keep abreast of new harmful practices and how they manifest in all digital environments is hardly the most efficient solution, however. This approach may also not lead to the most effective socio-technical regulation. As we saw in Chapter 4, information asymmetries do not only manifest in consumer–trader relationships; but also plague regulators. In digital markets characterised by an unprecedented speed and scale of innovation, these information imbalances are exacerbated. The industry has a better understanding of the underlying technology and changes therein and the needs of various sectors, as well as what the concrete bottlenecks are in terms of translating legal requirements into technological design. Involving the industry in regulation may therefore make it less likely that socio-technical regulation will miss its mark.
Against this background, some EU legal scholars191 and consumer organisations192 see co-regulation as a viable regulatory solution in digital consumer markets. As suggested by Busch, one possible co-regulatory solution in this space is recourse to the ‘New Approach’ to harmonisation.193 The New Approach entails that framework legislation spells out only ‘essential requirements’. The technical specifications that products and services ought to meet in order to adhere to the essential requirements are to be elaborated by European standardisation organisations (CEN, CENELEC and ETSI) in European standards at the request of the Commission. If the Commission deems the standard compliant with the request, it publishes a reference to it in the Official Journal. Products and services that comply with the harmonised standard are presumed to be in conformity with the essential requirements of the relevant framework legal act.194 Harmonised standards have a long history of use in the field of product safety.195 Before the UCPD was adopted, some scholars argued that some form of co-regulation ought to be considered in the field of unfair trading,196 but because the legal compliance of commercial communication and market behaviour could not be as easily measured and controlled, the implementation of the presumption-of-conformity rule that is the hallmark of the New Approach was deemed unfeasible.197 Now that compliance with unfair trading law requires the translation of legal requirements into online choice architectures, as Busch argues, that reasoning is not as persuasive, at least with regard to the regulation of digital environments.198 A turn to the New Approach could help strike a balance between technology neutrality and technology specificity in the law: while the UCPD would establish technology-neutral, essential requirements, European standardisation organisations would translate essential legal requirements into the sector-specific technical requirements various types of interfaces and traders need to meet. This means that the general legal framework can be future-proof yet provide legal certainty to traders. It is also the kind of change in the socio-techno-legal landscape that could imbue the EU regulation of digital unfair commercial practices with the level of adaptability that socio-technical regulation requires; technical standards undergo faster development processes than legislation does.199
It should be noted, however, that while standardisation would score well on the requirements this study has identified as essential to ‘good’ socio-technical regulation, it may score worse on a more comprehensive view of ‘good’ regulation. Once the industry has a formal role in the legal order, problems of democratic control and legitimacy arise.200 Indeed, EU legal scholars have produced an ample body of contributions on these shortcomings of the New Approach.201 Against this background, some other stakeholders and legal scholars that support the introduction of co-regulation in the regulation of digital unfair commercial practices suggest devising some alternative framework for the development of standards that ensures that they are not developed by industry bodies alone and that grants civil society organisations a formal role in the process.202
Both of these options are worth exploring further in the context of revising the digital consumer acquis. Unfortunately, at the time of writing, the Commission does not appear to be considering the extension of the New Approach or the introduction of any other form of co-regulation into the UCPD.
Whatever amendments are made to the EU digital consumer acquis, the overall effectiveness of the regime will ultimately rest on the question of effective enforcement. This is something some stakeholders, like BEUC203 and the Danish Ministry of Justice,204 have also pointed out in their responses to the Digital Fairness Fitness Check. In parallel to this evaluation, the Commission also launched a public consultation to gather feedback on how effectively the Consumer Protection Cooperation (CPC) Regulation, which was last reviewed in 2017, contributes to enforcing EU consumer laws.205 Following the public consultation, the Commission announced that it was considering making targeted changes to the CPC Regulation. The Commission’s call for evidence in this regard states that it is concerned, amongst other matters, about ‘the deterrence, cost-effectiveness and the rapidity of action under the CPC Regulation [in ensuring] that national consumer protection authorities and the Commission can effectively respond to consumer threats online’.206 A legislative proposal amending the CPC Regulation was expected to follow in mid-2023, but it is not yet on the table.207
Until the procedural framework is reformed, when and if that happens, authorities might want to think about arming up with technology to fight the (mis-)use of technology to the detriment of consumers, such as the use of unlawful dark patterns, to match the scale of their investigative efforts with the scale of digital consumer harms. The next chapter explores the technical feasibility of developing computational methods for the detection of unlawful dark patterns and shows how the technology neutrality of substantive rules may pose obstacles to this exercise.