EU’s digital rule-book reboot could fumble dark patterns ban and trader checks, warns BEUC

When the European Commission presented its Digital Services Act (DSA) proposal in December 2020, it listed beefed up consumer protections as a headline goal for the flagship update to the bloc’s rules for digital services. But now, as negotiations over the draft law are in the final stretch, where EU co-legislators hash out the detail and seek to reach a compromise between differing positions, consumer protection organizations are warning that key provisions risk being fatally weakened or even dropped entirely.

In a letter sent by the European consumer organization BEUC to the French presidency of the European Council, which is leading the DSA trilogue negotiations with the European Parliament and the Commission, the umbrella group for 46 consumer organizations across 32 countries has urged the EU’s co-legislators not to water down key measures to tackle trader traceability, prohibit so-called “dark patterns” (aka, deceptive design), and ban the use of children’s data and sensitive data for ad targeting.

The bloc is often criticized over the opacity of its lawmaking. And these closed door, three-way trilogue negotiations — where a compromise is hammered out between previously stated public positions of the Council and the Parliament on a Commission proposal, with the process led by a Council presidency that rotates between Member States every six months — are certainly one of the least transparent components of EU lawmaking, with the risk that lobbyists can exert unaccountable, last minute influence over the shape of pan-EU law. So fears of late stage stitch-ups to dilute or gut policy proposals are not unwarranted.

The current holder of the rotating Council presidency is France — hence that’s where BEUC’s concerns are being addressed.

“It is with concern that we have seen important consumer relevant provisions watered down in recent compromise proposals put forward by the French Presidency, notably in relation to the obligations of online marketplaces, online advertising, and dark patterns,” it writes in the letter addressed to Fabrice Dubreuil, the deputy permanent representative of France to the European Union. “The co-legislators must be ambitious in their approach on these three key issues, or the DSA will not meet its stated objective of better protecting consumers and their fundamental rights online.”

Traceability of traders

On online marketplaces, BEUC’s concerns focus on traceability of traders — where it is worried that the final DSA text won’t include robust obligations to verify traders’ information and conduct sporadic “mystery shopping” style exercises to carry out checks that goods are as claimed.

BEUC had wanted a much broader liability regime to be brought in for marketplaces. However that did not make it into the Commission proposal. But now it’s worried that even what it describes as “a bare minimum” of checks will be flushed out of the regulation through the trilogue process.

“In the absence of a strengthened liability regime, the due diligence obligations introduced by the DSA regarding the traceability of traders (Article 22) should also include a clear obligation for online marketplaces to conduct periodical, random checks on the services and products they offer,” BEUC argues in the letter.

“Online marketplaces should be required to conduct periodical mystery shopping exercises, in addition to requesting and verifying all necessary trader information as appropriate, to ensure that only legitimate traders are present on their platforms. These periodical random checks would greatly help consumer protection and should be a relatively easy and affordable measure for online marketplaces to enact.”

BEUC’s legal officer, Cláudio Teixeira, who has been leading its work on the regulation, also told us: “We wanted a regime for a clear liability mechanism for marketplaces where the products they offer on their platforms. We didn’t get that. The least we could have had is at least they have the obligation to check very clearly who their traders are and at least randomly keep a peek on the product that they’re selling and just have an idea to test the waters and see they’re not selling anything too dangerous. For us that’s the bare minimum and if there is no ambition for that then what is the DSA for?”

“The DSA is a unique opportunity to stop the problem uphill,” he adds. “Downhill — after the things have already happened, after the damage has been done — sure we could have more redress but we really hope that this opportunity it taken to stop these issues at the source. And the source is rogue traders that come in these platforms, especially from third countries … Most of these products come from China, and a lot of traders are selling from China and most of the time they do not comply with EU regulations and there is absolutely no control. And in these cases, in third countries, there isn’t even the possibility of redress.”

It’s not entirely clear why EU Member States might be less than enthusiastic about placing consumer-centric requirements on marketplaces to check traders and good.

Lobbying from European marketplaces may be one factor — and an EU source we spoke to flagged up the influence of EU retailers on Member States, suggesting homegrown e-commerce giants such as Zalando are afraid of this provision. Although in a response the company disputed that — with a spokesperson telling us it has been “fully supportive of stricter KYBC obligations such as those proposed under Article 22”, and also asserting: “We believe that Article 22 will create a necessary level-playing field vis-a-vis our competitors and in fact, we have even proposed to widen the scope of KYBC obligations to cover social networks when selling goods online.”

Another source suggested there could be wider concern about infringing on the legal principle that prohibits putting a general monitoring obligation on digital services — although it’s hard to see how random checks could be construed as general monitoring.

Teixeira argues that slimmed down trader information requirements would undermine the ability of the DSA to deliver on a core consumer protection promise. “Council I know is also proposing to get rid of some of the information that is to be required,” he says, suggesting that if a less extensive list of information is required it’ll be easier for rogue traders to dodge any ban and just re-spawn under a new account where they can keep selling the same dodgy products and ripping off consumers.

“Hopefully with the final deal that may not be the case — so we’ll have to see — but Council is definitely pushing for a less stringent amount of information to be requested,” he adds, also warning that any move to downgrade random checks of products to asking traders to submit product documentation and conducting random checks of those documents would amount to little more than consumer protection theatre.

“At the end of the day, for us it still doesn’t solve the issue. Because if you want to do random checks of compliance with EU law by checking documentation not the products itself well you’ll have the same situation [as there can be mismatch between documents and products],” he tells TechCrunch.

“One of the problems we have in the market is that we have products that are sold that are advertised and then the product that the consumer gets is something really different. Or it doesn’t match expectations. Or it’s too big. Or it’s too small. Or it’s a different model. Or the safety requirements do not match. Or it’s not certified. So if you provide that same information that you’ve already provided online, just with added documentation, that’s very fine and nice but at the end of the day if you don’t get the product that was actually advertised or in the same conditions then you have the same problem.”

Dark pattern ban

On dark patterns — aka, widely despised UX designs that deploy a range of tricks to try to deceive and manipulate consumers into making choices likely to be counter to their interests, whether by getting them to give up more data than they would like or to spend more money than they intended — the European Parliament was very clear in its backing for a fulsome prohibition, voting overwhelmingly in January for a ban on such techniques when MEPs set their negotiating position ahead of the trilogues.

BEUC’s concern here is that the French presidency itself is blocking a broader prohibition across digital services by seeking to limit the ban to only “online platforms” or even a smaller subset of very large online platforms (aka VLOPs) — as its letter suggests a “significant number” of Member States are actually open to extending the “dark patterns” prohibition to all providers of intermediation services and would also support stricter measures to protect minors.

Despite BEUC’s belief that there is scope for a majority in Council for more meaningful action to prohibit dark patterns, compromise texts put forward by the French presidency — which TechCrunch has reviewed — have fallen short of that so far.

“Digital services should not use interface design to distort users’ ability to make informed choices, regardless of the nature of the service,” BEUC writes in the letter. “The prohibition on the use of ‘dark patterns’ should not be limited to online platforms or very large online platforms. It should apply to all intermediaries falling under the scope of the DSA. We would also like to echo the concerns of children’s rights organisations regarding the weakening of the provisions regarding the protection of minors, which would be unacceptable.”

“Right now when it comes to dark patterns the scope is still pretty much out in the open,” Teixeira tells us, discussing BEUC’s understanding of the state of negotiations on this issue. “Council initially only wanted it for VLOPs. Now it appears that maybe they are trying for a compromise with online platforms but still when it comes to this we have an issue which is that dark patterns isn’t something that only concerns online platforms. And when it comes to the definition of online platforms there’s another issue there — but the essential point is that dark patterns are a constant across the internet and … the studies we’ve conducted show that dark patterns predominantly exist even more so outside of the platforms. So when we actually want to tackle the issue of dark patterns and institute a ban just tackling online platforms will not do.”

“We have a very strong position which is backed by a substantial number of other Member States and when we have this it’s very, very, very disconcerting to see Council setting a red line,” he adds. “Because now we see it’s not a red line for Council. In fact a big number of Member States — if not the outright majority — would actually support a wider scope. And we’re very fearful that we’re not going to get this — not because Council doesn’t want this but because the presidency doesn’t want it.

TechCrunch reached out to the French mission to the EU for a response to BEUC’s concerns but at the time of writing it had not responded.

Teixeira also voiced concern that even the current mooted compromise of banning dark patterns on “online platforms” could be further squeezed through trilogue to just “online marketplaces.” And — based on the current definition in the text — his assessment is it wouldn’t be clear if that would cover myriad popular services such as TikTok, or Booking.com, or Yelp, or even marketplaces run on Facebook or Instagram. (Plus he warns that a French presidency compromise could further push to limit the ban to only VLOPs — “which would be even more disastrous.”)

If it’s true there is more widespread support for meaningful restrictions on dark patterns in the Council it’s baffling why that’s not making it into compromises proposed by the French.

There is also growing awareness of and momentum to reform dark patterns so if EU lawmakers end up dropping the ball on a proper ban it will be a huge missed opportunity — and one that would leave European consumers at the mercy of exploitative design choices for years to come.

Ad targeting limits

BEUC’s letter also presses the French presidency to live up to an earlier stated obligation to include a prohibition in the DSA on the use of children’s data and sensitive data for targeted online advertising.

That had looked like a done deal after a political agreement was reached last month in a sister regulation to the DSA — the Digital Markets Act (DMA), which will only apply to the biggest and most powerful Internet gatekeepers.

Under the DMA agreement reached through trilogue talks, tech giants must gain explicit consent from users to combine their personal data for advertising. But at a press conference on March 24 announcing a political agreement that France’s digital minister Cédric O dubbed a “historic step,” he went on to highlight the fact that the co-legislators had taken a further step and agreed complementary provisions to limit tracking ads would also be included in the text of the DSA — telling journalists “with the trust of the negotiators there were certain points connected with advertising where we reached agreement and the agreement that they would appear in the DSA and DMA.”

“The DMA will let us strengthen the requirement for consent — we know that’s very important for the parliament — and then the targeted adversing for the minors and the use of sensitive information for using targeting [advertising] — we find agreement on those points and that they will be included in the DSA so you can show how much trust there was between us to be able to move forward and to take the most logical approach,” O also stipulated at the time.

Yet TechCrunch understands that a compromise text of the DSA initially proposed by the French presidency during the DSA trilogues suggested removing restrictions on the use of minors data and sensitive data for targeted advertising from the text — in favor of inserting a less robustly worded version into the recitals. So, er, so much for trust!

Despite that, EU sources we spoke to for this report suggested that negotiations on this issue are moving in the previously agreed direction — and one source suggested the French “switcheroo” may just have been a “hardball” bargaining tactic rather than a genuine U-turn on what O had promised in public.

We also understand that last week a new (“strong”) article text was proposed by the parliament’s negotiating team — which the Council was set to discuss this week.

Still, as EU lawmakers often like to observe of their own sphinx-like processes, nothing is agreed until everything is agreed — so the two (agreed) restrictions on ad targeting will only be (actually) confirmed at the end of the process.

Evidently, BEUC doesn’t want to take any chances: Its letter also puts pressure on the French presidency not to row back on the previously negotiated bans on processing minors’ data and sensitive data for ad targeting. Again, this is a bare minimum provision in the consumer protection group’s view — BEUC continues to advocate for a complete ban on tracking-based ad targeting. But, in the meanwhile, its point is that the least EU lawmakers can do is adopt the restrictions they already agreed.

“Commercial surveillance is one of the main problems that consumers and our society face in the digital world. Online targeted advertising based on the pervasive tracking and profiling of consumers, also referred to as ‘surveillance advertising,’ lies at the heart of commercial surveillance business models. This type of advertising thrives on the exploitation of consumers’ privacy and personal data. It facilitates systemic manipulation and discrimination and fosters disinformation,” it writes in the letter.

“It is imperative to adopt strong measures to create a fairer and safer online environment. As a minimum, the DSA must include the prohibition on the processing of personal data of minors and data of sensitive nature for the purposes of behavioural targeted advertising. Such prohibitions should apply to all intermediary services. This would be an essential step forward to address some of the most harmful elements of the on-line environment for consumers.”

There’s one more DSA trilogue discussion planned — due to take place at the end of this month — so there’s not much time left to hash out agreement on any remaining disputed elements. Assuming agreement can be reached (a long planned update to the EU’s ePrivacy rules is still pending that, for example).

As well as these core consumer protection issues that BEUC is most concerned with, the regulation covers wide-ranging content moderation and transparency provisions too, and will pile even more enforcement duties on the Commission (i.e., to oversee VLOPs’ compliance), so there is no shortage of complex topics for negotiators to clash over.

But as they do that they would do well to remember the consumer-centric purpose claimed for the original proposal — which the Commission summarized at the end of 2020 by saying: “It will give better protection to consumers and to fundamental rights online, establish a powerful transparency and accountability framework for online platforms and lead to fairer and more open digital markets.”

This report was updated with comment from Zalando