19 May 2023

Digesting the (Not So) Free Lunches of Social Media

‘Dark Patterns’ and Party Autonomy

Popularized by Milton Friedman, it has become common wisdom that “there is no such thing as free lunch.” Social media shows us daily how true this provocative observation remains today. We are all accustomed to using platforms such as Facebook, Instagram, YouTube and others – seemingly – for free. The ‘conventional’ business model of these platforms focusses on data exploitation, with companies financing themselves via advertising proceeds. There is a recent tendency, however, to pursue direct payments – via ‘freemium’ models (free basic subscription – charges for premium services) or via ‘in-app-sales’, where the customer can pay to get certain additional featur

Academics and lawmakers have turned their attention to business practices surrounding social media and other digital services and have discovered ‘dark patterns’, a term used to identify objectionable conduct by service providers. In response, the potential for new legal action is being considered. While it is obviously worthwhile to explore objectionable business practices in e-commerce and on social media, this contribution suggests that the discourse on ‘dark patterns’ is somewhat sketchy and incomplete – and in need of more specificity.

Background Observations

To approach the discussion on ‘dark patterns’, it is worth noting three general observations, on free elements of services, on the relevance of specific autonomy deficits and on market mechanisms.

‘Gratuitous’ Elements

The aspect of ‘freedom of charge’ is not only non-existent but also legally irrelevant. The commercial quality of everyday digital services is obvious. Everybody knows that providers pursue commercial interests, be it at least through advertising and data exploitation. In consequence, it is not justified to presume lesser customer awareness in such ‘gratuitous’ contexts. In the absence of genuine gratuity, it is clear that providers are not entitled to privileges (liability or otherwise) granted by law to genuinely gratuitous contracts.

Searching for Material Autonomy Deficits

The potential trigger for legal intervention should be the imbalance caused by the algorithmic power of the providers – by their unilateral dominance in terms of access to algorithmic tools. The flipside of this dominance is an inevitable ignorance on the side of the customer, not only of the respective algorithmic tools employed, but also of the potential relevance of these algorithmic tools for their decision-making.

This imbalance is ubiquitous, essentially familiar from conventional commerce and innocuous by itself. It should only be qualified as legally relevant if the algorithm design causes an autonomy deficit by misleading the customer or by exercising undue psychological influence. The autonomy deficit must be material in so far as its significance clearly exceeds that of conventional marketing and promotion tactics.

Market Mechanisms

The significance of autonomy deficits is largely controlled by market mechanisms. It appears that continuous success in e-commerce is strongly related to continuous customer satisfaction and not so much to enforcing maximized profits on each single transaction. Rather than the current transaction, the follow-up transactions drive the success of the business. One may find this trend embodied in what Amazon has defined as its core principle no. 1: “customer obsession”. Whatever counts as a ‘dark pattern’ may arguably not strengthen customer satisfaction and the reputation of the provider.

It is quite surprising how little attention is paid to these counter-effects in the current discourse on ‘dark patterns’. Legal intervention is costly. It is sensible only where there is a clear market failure, that is, where an autonomy deficit cannot be expected to be resolved by market mechanisms. In this assessment, ‘pre-existing’ protection tools, such as withdrawal rights, termination rights, et cetera, should be taken into account when calling for legal action.

Shaping the Issues

The focus can be further narrowed by separating out certain issues that clearly relate to relevant autonomy deficits and market failures, but need to be addressed by specific tools. In these areas, the label ‘dark patterns’ has a particularly obscuring tendency.

Protection of Minors

This holds true firstly for the protection of minors. Some questionable practices target minors, which consequently should be addressed by specific instruments of minor protection. Conventional contract law already provides for the voidness of transactions and the restitution of payments. This is supplemented by specific rules for the digital sphere, such as Art. 28 of the Digital Services Act (2022/2065/EU, ‘DSA’).

Data Protection

Data protection is another field that deserves legal attention. Besides the trend towards monetary considerations, exploitation of customer data continues to provide a source of proceeds for providers. Consequently, data protection issues remain. Particularly worrisome, from a customer perspective, is the lack of clarity about the extent of data exploitation. Current legal tools like the provisions of the General Data Protection Regulation (2016/679/EU) are not very specific and poorly targeted; the consent model in particular is ridiculously ineffective while being enormously costly. Much more research is therefore needed on data exploitation, both from a technical and a normative perspective.


Also clearly outside the scope of market mechanisms are providers who do not seek to establish an ongoing business-customer relationship from the outset and try to evade legal action. Such hit-and-run enterprises may well engage in objectionable practices that can rightly be described as ‘dark patterns’. The crucial issue here is the effectiveness of public enforcement, which by itself depends upon resources and on international cooperation. If enforcement can be ensured, hit-and-run enterprises do not require subtle new conduct requirements, but can be tackled on the basis of existing coarse principles, such as fraud, usury, unconscionability, et cetera.

Searching for ‘Dark Patterns’

While the discourse on ‘dark patterns’ refers to many marketing practices that may fall short of the threshold of material autonomy deficits (see above), some practices are certainly worthy of more legal scrutiny.

Gaming – Abusing Addictive Patterns

In the case of online gaming, legal concerns may arise from the abuse of addictive tendencies, which impede reliably autonomous decisions.

Potentially exploitative practices include ‘pay2win’ games, where players who purchase virtual items – usually through microtransactions – gain a competitive advantage. Player autonomy may be compromised by artificially creating frustration that can only be resolved by microtransactions. The abuse of addictive tendencies in gaming is aggravated by ‘loot boxes’ that give players a random selection of in-game items. Characteristically, the content of the loot box is selected at the free discretion of the game provider and probabilities are not disclosed. Exploitative potential particularly arises from the combination of elements of chance with incentives for incalculable financial investment in a potentially addictive gaming setting. Similarly, online games often provide for an in-game currency, which is used to purchase in-game content. Typically, in-game currencies obscure the outflow of real-world money and are therefore another exacerbating factor in the field of gaming. Some gaming structures even combine all the above-mentioned practices.

From the legal perspective, online games may be addressed by (conventional) gambling regulations. Gambling is commonly defined as wagering a stake with monetary value in games of chance. In online gaming, loot boxes are based on chance and can thus possibly be classified as gambling if in-game contents can be resold on a secondary market. In many countries, providing gambling without a license by a public authority is legally prohibited or a criminal offence (e.g. Germany, sec. 284 German Criminal Code), causing restitution claims in case of infringement.

It is worth considering expanding the restrictive scope of gambling regulations to include extreme cases of exploitation in online gaming practices. For less significant misconduct outside the scope of gambling regulation, exploiting addictive behavior of online gamers should call for legal action, particularly where a lack of transparency and predictability can be identified. This is the case with loot boxes, in-game currencies and pay2win games. Potential legal tools of low intensity include mandatory transparency requirements of different sorts.

Luring into Financial Commitments and Impeding Termination

Other business patterns, which are widely and rightly criticized, relate to mechanisms surrounding the initiation and retention of enduring financial commitments. Prominent examples are subscription models that automatically convert from free trial periods to paid subscriptions. As such mechanisms neutralize the alert resulting from the pay threshold, customers are lured into continuous payments. Therefore, express consent should be required for the conversion and it should be prohibited to make free trial periods dependent upon payment details suitable for ‘automatic withdrawals’.

Similar issues arise from models relying on impeding termination for long-term subscriptions that may even fall below the attention threshold of the customers due to the insignificant volume of the charge. Providers should be required to facilitate termination through an easily accessible and clearly visible termination button (as mandatory according to sec. 312k German Civil Code), and to issue reminders before auto-renewal.

Not so Dark Patterns

In contrast to the above-mentioned positive cases of exploitative practices, there are many areas where ‘dark patterns’ are suggested by the current discourse but where, on closer examination, there is little need for complex new regulation. A prominent example that causes excessive noise in the legal discourse is influencers, who may make misleading statements and commercialize the personal affections of their followers. As the commercial background of influencers’ activity is usually obvious, disclosure requirements – as they are laid down in many jurisdictions – are somewhat formalistic and presumably futile. The only effective tool to tackle influencers’ misconduct is to establish and strictly enforce liability for (culpably) false and misleading statements.

One More (Meaningless?) General Standard?

It is characteristic for the discourse on ‘dark patterns’ that this term is referred to as if it were a new general clause directed at different types of objectionable conduct. On the one hand, its central metaphor – ‘darkness’ – resonates with the general sentiment that customers are helplessly misled by businesses in online transactions. On the other hand, the use of the term ‘dark patterns’ masks its own obscurity and the inability to specifically define what exactly qualifies business conduct as objectionable in such a material way that it triggers the need for legal control (see above).

Further obscurity results from some of the definitions that are presented to specify ‘dark patterns’. An illustrative example is the definition of dark patterns presented by Martini et al.: “Dark patterns are digital design choices which deliberately mislead users to act in a certain way, which is contrary to their ‘actual’ interests or to carry out actions that they would have not carried out if it were not for dark patterns.” A behavioral study by Lupiáñez-Villanueva et al. refers, among others, to (1) hidden information/false hierarchy, (2) preselection/nudging, and (3) nagging. The ELI Response Paper by Sørensen et al. identifies abuse of “cognitive biases” that exist across all population demographics as the legal challenge.

Any move towards new general clauses must take account of two considerations: First, a general clause amounts to a delegation of legislative power from the legislature to the judiciary. Secondly, there are already numerous general clauses in force to protect customers and e-commerce from objectionable business practices. Any new general clause must therefore be thoroughly justified in the light of the legal status quo.

As to the status quo of general clauses, one can, at the European level, refer to the most recent Art. 25 par. 1 DSA (“[…] deceives or manipulates […] [or] materially distorts or impairs the ability […] to make free and informed decisions”). The scope of application of this prohibition is basically focused on B2B transactions, as the Unfair Commercial Practices Directive (2005/29/EC, ‘UCPD’), with its own general standards, takes priority according to Art. 25 par. 2 DSA. Further protective clauses are provided by the Unfair Contract Terms Directive (93/13/EEC) and the Consumer Rights Directive (2011/83/EU). At the level of national private laws there are – more or less in all member states – additional general protective standards, for instance concerning unconscionable contract terms, breach of good faith, abuse of rights et cetera.

Fine-tuning of Sanctions

Sanctions are characteristic for rules of law. They are critical for the quality of lawmaking. Without the specification of sanctions, the demand for protection against ‘dark patterns’ remains speculative and nonsensical.

At the heart of the sanctions issue lies the choice between public and private enforcement. At the level of EU law, public enforcement has been the dominant choice, as provided for in consumer contract law by the Representative Actions Directive (2020/1828/EU), by the UCPD and, recently, by the DSA. By contrast, the relevant EU legal acts generally do not provide for private law sanctions. However, there are some exceptions. Most notably, the DSA establishes a damages claim for customers against providers, if the customers have suffered losses from DSA violations (Art. 54 DSA). Even more notably, the ECJ has held that, in the absence of explicit EU provisions, damages claims might be based upon the principle of effectiveness, if the EU legal act in question is designed to protect individual interests (see recently ECJ, Mercedes-Benz Group, C‑100/21). It is obvious that on the level of European member state laws, various sorts of private law sanctions might be connected to whatever qualifies as relevant ‘dark pattern’ prohibitions (e.g., invalidity of contract, restitution, damages).

Both public and private enforcement have relative advantages and disadvantages. From the perspective of maximum prevention and deterrence, it may seem desirable to combine the relative advantages and to open up both public enforcement and private law tools, in particular, damages claims. However, among other considerations, it is essential to take into account the litigation costs potentially arising from private enforcement and damages claims. This is particularly relevant where claims can be based on vague general standards – as we see in the discussion on ‘dark patterns’: The more vague the elements of the claim are, the greater the leeway for opportunistic rent-seeking by the ‘litigation industry’ and the greater the risk of social harm through overdeterrence. By the same token, public entities committed to the ‘common good’ may be better placed to initiate the enforcement of vague general standards, thereby flexibly controlling the ‘if’ and ‘how’ of fine-tuned sanctions.

Concluding Remarks

Picking up on the conference theme: It may be comforting and tempting to be radical in obscurity. But in a legal context, it is preferable to pursue specificity – in taking account of the context, defining conduct requirements and in linking them to sanctions. The discourse on ‘dark patterns’ may remind us to avoid bringing too much fairness into social media contracts:

(1) In a legal context, ‘dark patterns’ need to be specified taking into account the algorithmic power imbalance on the one hand and the protective effects warranted by market mechanisms on the other.

(2) Some of the issues raised under the slogan ‘dark patterns’ are already addressed by specific sets of rules.

(3) It might be worthwhile to direct legal attention

  • to exploitation of addictive behavior in gaming – especially, where elements of opacity are involved, and
  • to luring customers into subscriptions and impeding their attention for termination.

(4) The relevance of ‘dark patterns’ should be determined in the context of the numerous general standards already in force.

(5) Sanctions must be specified in line with specific conduct requirements.

(6) With regard to vague conduct requirements – as we see them in the discussion on ‘dark patterns’ –, it is essential to consider the litigation costs that may arise from private enforcement.