Thanks to Elena Mandarà for collaborating on this article

With a resolution issued on February 23, 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”), imposed an administrative fine on a company (Ediscom S.p.A., “Ediscom”) for breaching several provisions of Regulation (UE) 679/2016 (“GDPR”) while processing personal data for the purpose of carrying out marketing campaigns on behalf of its clients.

The resolution is particularly significant because for the first time the Garante stated that the use of dark patterns amounts to infringement of the GDPR.

As clarified by the Garante, since 2010 dark patterns have been seen from a consumer law perspective as a mechanism enabling negative influence on consumers’ consent. More recently, it has been established that using dark patterns may also be in violation of the principles of data protection law.

In the case at stake, the Garante sanctioned Ediscom for violation of art. 5, para. 1, lett. A) (accountability principle), art. 7, para. 2 (conditions for consent), and art. 25 (privacy-by-design and privacy-by-default principles) of the GDPR.

More specifically, the Garante argued that Ediscom often used misleading graphic interfaces and unclear submission procedures. For example, if a user did not consent to receive marketing communications or to allow the communication of their personal data to third parties for marketing purposes, a pop-up showed up again and prompted the user to provide consent that had already been denied.

In the Garante’s view, the deceptive character of the interface resulted from the fact that the link to continue submission without providing marketing consent was located outside the pop-up and was smaller and in a different format than the one used for the accept button.

This decision also concerns applicability of “Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: How to recognize and avoid them” (the “Guidelines”), adopted by the European Data Protection Board (“EDPB”) on February 14, 2023. Indeed, the Garante clarified that it had taken the Guidelines into account during the investigative phase, even though the EDPB had not yet adopted the final version when the proceedings began.

In its defense, Ediscom argued that the Guidelines address large social-media platforms rather than SMEs, which may find it challenging and detrimental to implement them. The Garante replied firmly that all data controllers must respect the principles enshrined in the Guidelines, but those principles should be applied in a proportionate manner and not interpreted restrictively. In other words, the right balance must be struck between the interests of data subjects and the interests of enterprises.

Relatedly, note that the final version of the Guidelines focuses solely on deceptive design patterns on social media platforms, despite the fact that the EDPB recognizes that interfaces are present in many other instances where users interact with products and services (e.g., websites, cookie banners, online shops, video games, mobile applications) and may still infringe upon the rights of data subjects and consumers. The EDPB further stated that under the GDPR, national data protection authorities are responsible for sanctioning the use of deceptive design patterns, though there may be some overlap between the powers of data protection authorities and those of national consumer protection, competition, or other authorities.