Date: 2023-10-17

For years, “dark patterns” tricked us into clicking where websites wanted us to. With the arrival of the European Digital Services Act (DSA), this practice has been prohibited, but there is quite a distance from theory to practice. It is still common on many websites. Fortunately, it is no longer free.

First fine from the AEPD for ‘dark patterns’. On September 20, the Spanish Data Protection Agency issued a resolution against the Chatwith.IO entity justifying a fine for the use of these dark patterns.

In total, 12,000 euros for various violations of the GDPR. It is divided into three parts: 2,000 euros for a minor offense, 5,000 euros for a very serious offense and another 5,000 euros for a minor offense under the Information Society Services Law (LSSI).

Forcing users to accept the most invasive options. Specifically, the case against this WhatsApp chat application is that it used these techniques to get users to accept a more invasive privacy policy.

As Expansión describes, on the website the list of companies to which the data was transferred was hidden in a section of the privacy menu. To steer users toward transferring their personal data to all these companies, the application forced users who did not want to do so to uncheck the companies one by one.

‘Skipping’ and ‘overloading’. These are the names of the two dark pattern techniques that led to the fine. The first consists of hiding relevant information in a secondary menu. The second consists of overloading the user with a task so laborious that they simply do not do it.

1,522 companies appeared in the “supplier list”, of which, according to the estimate made by the claimant, 338 had the “Legitimate interest” box checked by default. Users who did not want to share their data with any of these had to uncheck them one by one. There was no “uncheck all” button.

The AEPD gets serious against dark patterns. Last July, the AEPD updated its guide to the use of cookies to incorporate guidelines on these deceptive patterns.

The novelty is that the guide incorporates “the obligation that the actions of accepting or rejecting cookies be presented at the same level, without it being more complicated to reject them than to accept them.” This implies the need for the reject button to appear on the cookie banner, which was not necessary in the previous guide, which indicated that rejecting cookies could be done through the configuration panel.

Another change is that user consent will also be required for personalization cookies (for example, choosing the language of the website or the type of currency).

From 2024. These new obligations to stop dark patterns are already active, although the AEPD will leave a six-month window for all websites to implement them. Starting January 1, 2024, those who do not comply with these changes will be fined.

