Website trickery in focus as EU content law enters final negotiations

The Digital Services Act is heading into the final stage of the EU’s lawmaking process, with the broad outline becoming clear but several key clauses — on behavioral manipulation, paying for anonymity, and free expression — still up for negotiation.

The European Parliament agreed its unified stance on the DSA last week, while governments in the Council of the EU reached agreement in November. The two institutions must now negotiate with each other, with the European Commission mediating, to settle on a final version.

The first round of talks is confirmed for next Monday, Jan. 31, MLex understands.

The "trilogue" meetings, as they’re known in Brussels, are perhaps the most obscure stage in EU lawmaking, not least because they’re held behind closed doors and often go on right through the night, having started at inexplicably late hours in the evening.

As is often the case with new EU regulations, the parliament’s proposal on the DSA is more restrictive than that of the bloc’s 27 governments, each of which is being lobbied by its own industries. But despite some major differences, the two chambers are not poles apart, and will likely spend most of their time on a few big topics.

One is the legislature’s proposal to ban “dark patterns”: web-design tricks intended to steer users towards particular decisions, such as accepting cookies for advertising or keeping a subscription they were about to cancel.

The parliament is also pushing for stricter requirements to allow users to pay for a service rather than being tracked; and to respect freedom of expression and media pluralism.

Dark patterns

The most striking difference between the two negotiating texts is the parliament’s proposed ban on a specified list of dark patterns, and powers for the European Commission to define more.

The ban would make it illegal for websites to ask users to accept tracking cookies after they’ve already been refused. That includes situations where a browser’s blanket “Do Not Track” setting is enabled, even if the user has never visited that particular website before.

The adtech industry isn’t happy. Lobbyists say the provisions are tantamount to a ban on behavioral advertising, because as more people turn on “Do Not Track” — maybe prompted by a viral campaign — the market for microtargeted ads will shrink permanently.

Supporters of the amendment retort that if users choose to reject tracking cookies, that’s a result of individuals exercising their rights to privacy, not a top-down ban.

The council’s DSA text does not deal with dark patterns as such, though it does forbid online marketplaces from using design quirks that deceive or manipulate users. That makes it hard to predict how government negotiators will approach the parliament’s position. On the one hand, they may feel that businesses relying on targeted advertising — which include small European online retailers as well as US tech giants — might be harmed by too strict an approach.

On the other, national data protection authorities have already objected to dark patterns, and national negotiators tell MLex that there’s a general sense among their governments that dark patterns are a problem. The council has so far discussed the matter only briefly, they say.

Some sort of restriction on dark patterns therefore looks likely, with negotiators likely to haggle over the details. National governments are generally more skeptical than the legislature of handing new powers to the commission, and may push back against that part of the provision. It might also try to water down the list of dark patterns, to give companies a bit more room to obtain meaningful consent from users.

Paying for anonymity

Lawmakers in the parliament also backed amendments requiring websites to allow users to pay for access to websites and online services as an alternative to being tracked for behavioral advertising. Sites must “make reasonable efforts to enable the use of and payment for that service without collecting personal data of the recipient,” their proposed amendment says.

The European Data Protection Board and France’s CNIL have already interpreted existing law as implying a similar requirement, meaning that governments may accept the broad outlines of this amendment — even though no such thing is mentioned in their own negotiating text.

But under the parliament's text, the method of payment itself would also have to be anonymous if the user so desired. Since cash isn’t used online, that would seem to require websites to accept something more obscure than an everyday credit or debit card payment, such as prepaid cards, vouchers, or cryptocurrency. That provision is perhaps more likely to draw governments’ opposition.

Free expression

The parliament also backed an amendment requiring platforms’ terms of service to be clear and to respect freedom of expression and media pluralism, as enshrined in the EU’s Charter of Fundamental Rights.

The amendment is a leftover of a failed attempt to give media companies specific protection against unfair takedowns on social media, but proposals for such a “media exemption” were rejected in both the legislature and the council.

At first glance, a requirement to “respect” these freedoms might look like an empty platitude that will be easy to work around. But by placing it in a legally binding article, rather than a non-binding “recital,” lawmakers are ensuring that every word can be litigated over in court. That means the right to free expression under the DSA could potentially be used as the basis for a legal challenge of a platform’s moderation policies.

If member states read the amendment the same way, some may push back on the grounds that it could undermine platforms’ ability to curtail disinformation and misinformation that usually falls well within the legal boundaries of free expression and press freedom.

Governments may also resist the parliament’s attempts to curtail their own powers to order intermediaries to remove content. In the parliament’s version of the DSA, member states would only be able to issue such orders to companies on their own territory; cross-border requests would be limited to violations of EU law specifically.