Dark Patterns in the Privacy Domain, according to the EDPB

Dark Patterns and privacy explained by the EDPB. Last March 14, the European Data Protection Board (EDPB) published the Guidelines 3/2022. The title is quite self-explanatory: “Dark patterns in social media platform interfaces: How to recognise and avoid them“. You can reach it (in English) through this link. It’s the version for public consultation; don’t be shy and have your say!

Although the text mentions expressly the use of Dark Patterns in the Social Media Platforms (name here your favorite…), in my opinion those patterns are applicable to how your entity should not write the Privacy Notices. Therefore, all these examples are applicable to both cases: online platforms and Web pages privacy notices.

Let’s define the term Dark Patterns. They are the tricks implemented on online platforms that lead users into making decisions not in line with their real will. To illustrate this concept, we will list them and apply them to the Privacy Notices.

Privacy manager

Privacy managers don’t use dark patterns

Privacy Overloading

This dark pattern appears when the Privacy Notice is a zillion-page long. Actually, the data controller redacts the text with tons of legalese terms, requests and options to scare the users. Too much information could violate the art. 5, GDPR (transparency principle).

The Dark Pattern of Skipping

For instance, we have a “skipping” dark pattern when the text is so confusing that the user forgets what he/she was looking for. The user ends up giving up his/her privacy rights in order to continue with the use of the Web or social media platform.

Stirring as a Dark Pattern

Do you really want to leave us?“. “Why don’t you stay with us a little more?“. Once the users decide to leave a specific Web, they could find messages like these, appealing to their emotions. Even visual nudges could be used to grab the attention of the escaping user.

Hindering Privacy Rights

This pattern describes all those unnecessary steps preventing users exercising their privacy rights. Be careful! The data controller shall always balance the need for verifying the users’ identity without charging them with too many steps, documents, requests, etc. Don’t hesitate to contact your Privacy Manager in Spain, Europe: we have the right solution for you!

The “Fickle” Dark Pattern

In the similar fashion, we have a fickle dark pattern when the privacy notice is inconsistent and not clear. The users can’t easily understand the purpose of the processing and they “accept all”, without reading.

Left in the Dark

Lastly, the most annoying dark pattern (IMHO). Everything is designed to hide data privacy controls. Users are unsure about the processing of their data and are left in the dark.


Audit your Privacy Notices and be sure that they are not affected by those dark patterns. We’ll be more than happy to help you!