TikTok was held liable for nudging children towards privacy-intrusive settings using bold text in two pop-up notifications, hindering neutral and objective choices.
Excerpt
Our analysis
TikTok was found liable for its processing of children's data, particularly in the implementation of dark patterns violating the fairness principle outlined in Article 5(1)(a) of the GDPR.
- The default setting for all new TikTok accounts, including those belonging to children, was public.
- Child Users were prompted with a pop-up notification to 'Go Private' or 'Skip.' This notification failed to present a neutral and objective choice to users.
- The DPC observed that TikTok employed dark patterns such as Preselection, Visual Interference, and Forced Action.
- The Registration Pop-Up encouraged opting for a public account by emphasizing the "Skip" option.
- The Video Posting Pop-Up nudged users to select "Post Now", shown in bold, darker text, making the option to choose privacy settings less apparent and accessible. The lack of clarity regarding the consequences of different choices further contributed to the infringement of the fairness principle under the GDPR.
Outcome
The Data Protection Commission found TikTok guilty of violating various GDPR articles and has taken corrective measures. TikTok received a reprimand and must bring its data processing in line with regulations within three months. The DPC has also imposed a total of €345 million in fines for the breaches.
Parties
TikTok Technology Limited and Data Protection Commission
Case number
DPC Inquiry Reference: IN-21-9-1
Decision
Related deceptive patterns
Preselection employs the default effect cognitive bias – a psychological phenomenon where people tend to go with the option that is already chosen for them, even if there are other choices available. Providers know this and often use it to take advantage of consumers. A common approach is to show a pre-ticked checkbox, though there are various other ways of doing this, including putting items in the user's shopping cart, or pre-selecting items in a series of steps. There are lots of reasons why this is a powerful deceptive pattern. Firstly, there’s simply the matter of awareness - users have to notice it, read it and work out what it all means. If the user doesn't, they'll scroll past completely unaware of the implications. There are other cognitive biases that may be employed in this deceptive pattern. For example, the content may be written to make the user feel that other people like them would accept the default, so they should too (targeting the social proof bias). Alternatively, the content may use an authority figure to pressure users into accepting the default (targeting the authority bias).
There are numerous ways to interfere with the visual design of a page to hide, obscure or disguise information. Visual perception can be manipulated by using small, low-contrast text. Comprehension can be manipulated by creating a chaotic or overwhelming interface. Users' expectations can be violated by placing important information in styles or locations they would not expect.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Requires personal data to be processed lawfully, fairly, and transparently.