ShieldPage

Dark Patterns Under EU Law: What's Banned and What's Coming

The EU is cracking down on manipulative design. Here's what the Digital Services Act, GDPR, and consumer protection directives say about dark patterns.

Dark patterns — deceptive user interface designs that trick users into actions they didn't intend — are now explicitly targeted by EU regulation. Multiple legal frameworks converge to make manipulative design a compliance risk, not just a UX ethics question.

Where dark patterns are regulated

  • Making certain choices more difficult than others
  • Repeatedly pushing users to reconsider a choice they've already made
  • Making cancellation harder than sign-up
  • Using visual design to steer users toward choices that benefit the platform
  • Pre-checked consent boxes violate "unambiguous" consent (Article 7)
  • Asymmetric accept/reject violates "freely given" consent (Recital 42)
  • Hidden reject options violate the right to withdraw consent (Article 7(3))

Consumer Protection Directives — The Unfair Commercial Practices Directive and Consumer Rights Directive prohibit misleading commercial practices and aggressive sales tactics, which many dark patterns qualify as.

Common dark patterns under fire

  • Confirmshaming — "No, I don't want to save money" as the opt-out text. Manipulative framing of rejection.
  • Roach motel — Easy to subscribe, impossibly hard to cancel. Explicitly targeted by the DSA.
  • Misdirection — Visual emphasis on the option that benefits the company, de-emphasis on the user-friendly option.
  • Hidden costs — Fees revealed only at the final step of checkout.
  • Nagging — Repeatedly asking users to take an action they've already declined.
  • Forced continuity — A free trial converts to a paid subscription with no warning.

Enforcement examples

CNIL's cookie consent enforcement is the most visible: TikTok (€5M), Microsoft (€60M), and dozens of smaller companies fined specifically for dark pattern consent interfaces. The pattern is clear — regulators have moved from guidance to enforcement.

The European Commission's sweep of airline and hotel booking sites in 2023-2024 found dark patterns on 148 of 399 sites inspected. Enforcement actions followed.

What to do

  • Audit your interfaces for asymmetric choices, manipulative copy, and hidden options
  • Make rejection as easy as acceptance — for consent, subscriptions, and any user choice
  • Remove confirmshaming language from opt-out flows
  • Test your cancellation flow — if it takes more clicks than signup, fix it
  • Document design decisions — If a regulator asks why your "accept" button is green and your "reject" button is grey, you need a good answer