“Dark patterns” used by online platform providers have been controversial for some time, but recently there has been a growing buzz about them, in particular due to actions undertaken by EU and national data protection and consumer protection authorities. (For an overview of cases and decisions by EU and national authorities, see the European Commission’s “Behavioural study on unfair commercial practices in the digital environment: Dark patterns and manipulative personalisation, Final Report,” pp. 61–70.) Primarily, these measures are intended to combat deceptive practices in the digital environment, but also to educate consumers and draw their attention to the most common types of practices.

The harmfulness and prevalence of dark patterns has also been noticed by EU lawmakers, who expressly banned such practices by online platform providers in Art. 25(1) of the Digital Services Act (Regulation (EU) 2022/2065 on a Single Market for Digital Services—DSA). The DSA entered into force on 16 November 2022, but most of the obligations in the regulation will apply from 17 February 2024. Therefore, the application of dark patterns may violate not only data protection laws (especially the General Data Protection Regulation) and consumer protection laws, but also (from February 2024) the Digital Services Act.

Last year regulators in the EU devoted a lot of attention to cookie files and other tracking technologies used on websites. This interest was generated among other sources by numerous complaints filed by NOYB—European Center for Digital Rights in the last year with data protection authorities, and has resulted in guidance and several decisions issued by regulators in recent months (e.g. in Austria, Belgium and France). Because they may shape the future approach of regulators to the use of cookies, it is worth discussing some of the main conclusions flowing from these decisions.