Chapter 27: Legislation in the European Union
The Unfair Commercial Practices Directive
The Unfair Commercial Practices Directive (UCPD)1 was adopted back in 2005, and it doesn’t get talked about much, despite its potency. It’s a bit like the elderly grey-haired character in a martial arts movie whom everyone ignores, but in the third act they turn out to be a total powerhouse who packs an incredible punch.
The UCPD applies to all business-to-consumer commercial practices in the EU and UK.2 It covers almost any decision that a consumer has to make while using a digital service or in a physical store. This includes decisions made before a commercial transaction, during it, or after. So that means it covers marketing, advertising, personalisation, choice architecture, and deceptive patterns (although deceptive patterns aren’t explicitly defined in the law). The UCPD also doesn’t require intent, so if a design is shown to be unfair, that’s good enough – it doesn’t need proof that the designers or business owners created it on purpose.
The UCPD contains a number of principles:
- General prohibition of unfair commercial practices: The UCPD prohibits any commercial practice that is contrary to the requirements of professional diligence and materially distorts or is likely to distort the economic behaviour of the average consumer.
- Misleading practices: The UCPD prohibits misleading actions and omissions, which involve providing false information or presenting information in a way that deceives or is likely to deceive the average consumer. This includes misleading advertising, false claims about products or services, and other deceptive tactics.
- Aggressive practices: The UCPD prohibits aggressive commercial practices, which significantly impair the average consumer’s freedom of choice or conduct through harassment, coercion, or undue influence. This includes high-pressure sales tactics, persistent and unwanted solicitations, and exploiting a consumer’s vulnerability or fear.
‘Professional diligence’ is noteworthy because it implies that if an organisation ignores a widely used set of professional conduct guidelines, this could fall under the prohibition. Most guidelines of this sort, such as the ACM’s Code of Ethics and Professional Conduct,3 contain provisions about deceptive patterns, either directly or indirectly.
The UCPD also contains a list of forbidden practices (‘Annex 1: Commercial practices which are in all circumstances considered unfair’). This is probably the most powerful weapon in the UCPD’s arsenal, because it’s so easy to use. The regulator doesn’t have to carry out a detailed analysis that proves deception occurred. All they have to do is show that the banned practice was used by the business, and that’s that. There are 31 forbidden practices. Here’s a summary of the most relevant ones:
- (2) Fake trust markers: falsely displaying a trust mark, quality mark or similar.
- (4) Fake endorsements: falsely claiming a trader or product has been approved, endorsed or authorised by a public or private body.
- (5) Bait advertising: advertising a certain price when the trader knows they cannot offer that product, or only has a few in stock at that price.
- (6) Bait and switch: advertising a product at a certain price then refusing to offer it, with the intention of promoting a different product.
- (7) Fake urgency: falsely stating that a product or terms will only be available for a very limited time, to rush the user and deprive them of the time to make an informed choice.
- (11) Covert advertising: presenting paid advertorial without disclosing that it is an advertisement.
- (20) Fake free offers: describing something as free when it’s not.
- (21) Fake invoices: claiming the user owes a bill when they do not.
In summary, with a combination of the principles and the forbidden practices, the UCPD covers a lot of deceptive patterns – which is really good news. However, the UCPD’s main strength is also its shortcoming. It has an extremely broad scope: if a company engages in a practice that isn’t an exact fit for one of the forbidden practices, then the legal case has to provide a detailed argument regarding how the practice violates the UCPD’s principles (such as, that it’s unfair, misleading or aggressive towards an ‘average consumer’). Consumer protection litigation is naturally very slow. The broad scope of the UCPD is unlikely to help speed it up.
The General Data Protection Regulation
The General Data Protection Regulation (GDPR)4 protects the data of individuals. It forbids certain deceptive patterns that fall within the realm of data and privacy.
- Data protection by design and default: Under article 25 of GDPR, designers must ensure that the implementation of the ‘data protection by design and default’ principle is not impacted by deceptive patterns. For example, a user interface cannot be designed to have a data-intrusive option as the default, nor can it obscure settings through the use of misdirection (such as visual interference or trick wording). Article 25 also forbids the use of nagging or persistent pestering to manipulate users into giving up their data protection rights.
- Consent indication: GDPR prohibits the processing of personal data unless businesses follow the rules. One of these rules is that a business must have a legal basis (or grounds) for processing personal data. There are only six grounds for processing personal data, one of which is consent-based. Businesses must also comply with the data protection principles, like fairness, data minimization, accuracy and transparency. Consent gets a lot of attention because it has historically been the easiest to get. However, GDPR raised the consent threshold to the high standard of ‘freely given, specific, informed, and unambiguous’. Deceptive patterns compromise the transparency principle and the legal standard required to show consent.
- Transparency principle: Under article 5(1)(a) of GDPR, businesses must ensure that they process data in a ‘transparent manner’, which means they must communicate to users about their proposed data processing using clear and intelligible language – deceptive patterns are forbidden if they interfere with this.
In summary, if a business uses a deceptive pattern relating to personal data, and the user is an EU or UK citizen, then it’s likely to be forbidden under GDPR. The fines can be very severe (up to €20 million, or up to 4% of the annual worldwide turnover, whichever is greater), which is one of the reasons why business owners pay such close attention to it.
The Consumer Rights Directive
The Consumer Rights Directive (CRD)5 was introduced in 2014 to harmonise consumer protection rules and ensure that consumers have a high level of protection across the EU member states. While the CRD does not explicitly mention deceptive patterns, it does contain a number of provisions that address them. For example:
- Information requirements (articles 5 and 6): The CRD mandates that businesses (termed ‘traders’ in the CRD) must provide consumers with clear and comprehensible information about the main characteristics of a product or service, its price and additional charges. This can be used to regulate deceptive patterns that involve hiding or obscuring essential information, making it difficult for consumers to make informed decisions.
- Right of withdrawal (article 9): The CRD grants consumers a fourteen-day right of withdrawal for distance and off-premises contracts. This can be used as a safety net, to counteract deceptive patterns that trick users into making purchases or entering contracts without fully understanding the implications.
- Pre-ticked boxes (article 22): The CRD explicitly prohibits the use of pre-ticked boxes for additional payments – known as the sneaking or ‘sneak into basket’ deceptive pattern. This is commonly employed to increase revenue by adding extra products or services without the explicit consent of the consumer. Businesses must seek active consent from consumers for any additional payments.
- Prohibition of inertia selling (article 27): The CRD prohibits the practice of sending unsolicited goods or services to consumers and then demanding payment for them. In other words, businesses are not allowed to send products to consumers without their explicit request and then ask for payment. Consumers are not required to pay for or return such unsolicited goods.
- Contract terms (article 3): The CRD requires that contract terms and conditions must be communicated to consumers in plain and intelligible language. This provision can be helpful in addressing deceptive patterns that use complex or confusing language to deceive or manipulate users into agreeing to unfavourable terms.
- Additional charges and fees (article 19): The CRD requires traders to clearly and prominently disclose any additional fees or charges before the consumer is bound by the contract. This provision can help regulate deceptive patterns that involve hidden fees or charges, which are added without the user’s knowledge or consent.
These provisions in the Consumer Rights Directive, among others, aim to provide a fair and transparent marketplace for consumers. While the CRD does not explicitly target deceptive patterns, its focus on consumer protection means that it can be used to address them.
Other EU laws
In general, if a deceptive pattern is used to avoid legal obligations or deceive consumers in a way that violates existing laws or regulations, it is usually going to be considered illegal. This means that there are quite a few other laws and regulations that indirectly forbid deceptive patterns. For example:
- UCTD (1993): The Unfair Contract Terms Directive requires that all contracts between users and businesses must be fair and reasonable. It also has a transparency requirement (article 5) that requires all contracts to be drafted in plain and intelligible language.
These EU laws are enforced by various regulatory authorities and bodies, typically at a national level. In some industries, the regulators create additional rules to improve consumer protection and prevent deceptive patterns. This applies, for example, to industries that involve complex services or information asymmetries, or that have been prone to market failures in the past (like financial services or telecommunications). These additional rules can be in the form of guidelines, recommendations, or even specific regulations at the national level.
In addition to this, individuals and sometimes groups of citizens can file lawsuits against companies that operate in the EU, although group action (aka class action) is far more common in the US because of different systems, cultural norms and economic factors.