Italy

[IT] The Italian Data Protection Authority adopts first decision on deceptive design patterns (so-called “dark patterns”)

IRIS 2023-6:1/13

Laura Liguori & Eugenio Foco

Portolano Cavallo

Through Resolution No. 51 of 23 February 2023, the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali – the Garante) adopted its first ever decision on deceptive design patterns, also known as “dark patterns” (the Decision).

Deceptive design patterns are defined by the European Data Protection Board in its Guidelines 03/2022 (the Guidelines), adopted on 14 February 2023, as “interfaces and user journeys implemented on social media platforms that attempt to influence users into making unintended, unwilling and potentially harmful decisions, often toward a decision that is against the users’ best interests and in favour of the social media platforms' interests, regarding the processing of their personal data”.

Interestingly, the Garante expressly recalls having taken the Guidelines into consideration in reaching its Decision, albeit a version of said Guidelines that was still subject to public consultation at the time. Indeed, the final version of the Guidelines was adopted only one week prior to the publication of the Decision.

The Decision stems from investigative activities undertaken by the Garante in the context of its role as the Italian Data Protection Authority as well as from certain reports received from data subjects against Ediscom S.p.A. (Ediscom), in its capacity as a data controller. Ediscom is an Italian-based company offering promotional campaigns for medium to large customers via text message and e-mail as well as, more recently, via automated calls.

According to the Garante’s findings, the various websites used by Ediscom to collect the personal data of data subjects, and their corresponding consent to receiving marketing communications, presented deceptive and misleading interfaces which led to unclear submission procedures. According to the Garante, an example of such practices was the interface shown to data subjects who had not provided consent to receiving marketing communications. In particular, when the data subjects did not consent to receiving marketing communications and/or did not consent to their personal data being communicated to third parties for the same purpose, they would be presented with a pop-up further requesting their consent. The Garante deemed this practice to be misleading since the link that would allow users to continue the submission procedure without providing said consents was not placed inside the pop-up but, rather, in another section of the web page in a different format and in a smaller font, thereby deceiving the data subjects.

The Garante found such practices to be in violation of Article 5(1)(a) (lawfulness, fairness and transparency), Article 7(2) (conditions for consent) and Article 25 (principles of privacy by design and privacy by default) of the GDPR.

In light of the foregoing, the Garante issued an administrative pecuniary sanction in the amount of 2% of Ediscom’s turnover, as resulting from the last financial statements, i.e. EUR 300 000. The Decision highlights the overlap between data protection and consumer protection compliance. While there have been many decisions by the Italian Consumer Protection Authority deeming certain data processing activities to be unfair commercial practices, this is the Garante's first decision focusing on deceptive behaviour and sanctioning it as a violation of data protection law.



This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.