Access Your Data… If You Can: An Analysis of Dark Patterns Against the Right of Access on Popular Websites

Various regulations including the GDPR empower users with the right to request a copy of their personal data processed by data holders. This right of access can serve as the foundation of exercising other data subject rights, including erasure, rectification, and objection of the processed data. Like other regulations, the GDPR does not prescribe any specific procedure data holders need to implement to handle data subject access requests but requires them not to erect any material or formal hurdles in the assertions of their rights. In this paper, we focus on popular online service providers as data holders and investigate in which form they allow users to make data access requests directly on their websites and whether they use any strategies to impede such requests. Our systematical analysis of the process of submitting access requests on 166 account-based websites from the top 500 entries of the Tranco list reveals 238 instances of dark patterns impeding the submission of data subject access requests on 113 (68%) of the examined websites.