The Agency presents a report on the influence of addictive patterns on the internet, and in particular on minors

  • The report shows how, in many cases, providers implement misleading and addictive design patterns to prolong the time users stay in their services or to increase their level of commitment and the amount of personal data collected about them.
  • The impact of addictive strategies is greatest when they are used to process personal data of vulnerable people, such as children and adolescents, influencing children’s preferences and interests and ultimately affecting their autonomy and their right to development.
  • The Agency will promote the inclusion of addictive patterns by the European Data Protection Board in the guidelines being prepared on the interrelationship between the GDPR and the DSA, due to the high impact these practices have on the right to data protection in digital environments.
  • In parallel, the Agency will continue to work together within its remit with CNMC, the coordinating body for digital services in Spain.
     
Patrones adictivos en el tratamiento de datos personales

(10 July 2024). The Spanish Data Protection Agency (AEPD) has presented a report analysing how the processing of users’ personal data in many platforms, applications and services includes addictive patterns to increase their connection time. This presentation took place during the course, New challenges for the protection of people’s rights from the impact of the Internet, as part of the 2024 Summer Activities of the International University Menéndez Pelayo (UIMP) in Santander. 

The report shows how, in many cases, these providers implement misleading and addictive design patterns to prolong the time users stay in their services or to increase their level of commitment and the amount of personal data collected about them. The adverse impact of addictive strategies is significantly higher when they are used to process personal data of vulnerable people, such as children and adolescents, influencing children’s preferences and interests and ultimately affecting their autonomy and their right to development.

The European Data Protection Board (EDPB) addressed misleading patterns in Guidelines 03/2022 on deceptive design patterns on social media platform interfaces: how to recognise and avoid them. The Agency has carried out in the report a review of existing scientific evidence on addictive patterns in different platforms, applications and services (social media, but also video or music platforms, adult content platforms, games, learning environments, health and well-being applications, etc.), which involves addressing, from a complementary perspective, new use cases.

Moreover, the Digital Services Act, known as the Digital Services Act (DSA), provides in its Article 25 that online platforms shall not design, organise or manage their interfaces in a way that deceives or manipulates users, or in a way that distorts or impedes their ability to make free and informed decisions.

The Director of the Agency, Mar Spain, has announced during the presentation of the report that the AEPD will promote the EDPB to include addictive patterns in the guidelines being prepared on the interrelationship between the General Data Protection Regulation and the DSA, due to the high impact these practices have on the right to data protection in digital environments.

The Agency’s report shows how the processing of users’ personal data includes specific operations, all of which are misleading, in a way that influences their decisions and that their personal data are used for this purpose or for generating new data and profiling (referred to in this document as it allows for the careful customisation of addictive strategies).

The document classifies addictive patterns into three levels: high, average and low. So-called high-level patterns are general strategies independent of context and implementation, and four have been identified: forced action, social engineering, interface interference and persistence. Middle-level patterns describe more specific approaches that exploit psychological weaknesses or vulnerabilities of users. Finally, low-level patterns correspond to the specific implementation of different approaches and are often context-specific or application-specific.

Adding addictive patterns to the processing of personal data has important implications for the data protection of users, such as accountability, effective implementation of data protection obligations by design and by default, transparency, lawfulness, fairness, purpose limitation, data minimisation, or the processing of special categories of data. It also entails a risk to the rights and freedoms of all users and, in particular, to the right to the physical and mental integrity of children and adolescents.

Procedures opened by the European Commission

In relation to addictive patterns, the European Commission has two penalty procedures open for possible non-compliance with the above-mentioned DSA (Digital Services Act), against TikTok and Meta. Together with the suspension of TikTok Lite announced by TikTok Lite itself after the Commission made public its intention to impose provisional measures by suspending the function that was financially rewarding the extra time in front of the screen. 

In Spain, the Agency will continue to work together within its remit with the National Commission on Markets and Competition (CNMC), a body designated as the National Digital Services Coordinator.