Interfaces, and questions, like exam quizzes, can mislead on a superficial reading, but also on a careful one.
These techniques have been catalogued; we know them mainly from cookie banners.
They simply make the processing unlawful, with fines of 300,000 euros (in France).
Some translate the term into Italian as "modelli oscuri" ("dark models"). That loses the real meaning.
Patterns are recurring behaviours. Dark means deceptive. Deceptive design is the term to translate.
It could be translated as "tecniche ricorrenti ingannevoli" (recurring deceptive techniques).
That is, those common ways of presenting questions and choices so as to distort the formation of the user's will or its expression: I do not want to click, but by clicking at random on the first choice I find, I express consent. All because the opposite option is not equally easy to choose.
The best practices are interesting:
The following list provides an overview of best practices described in the Guidelines at the end of each
use case. These can be used to design user interfaces which facilitate the effective implementation of
the GDPR. Such best practices can offer a first step toward a standardised way for users to effectively
control their data and exercise their rights.
Shortcuts: Links to information, actions or settings that can be of practical help to users to manage
their data and their data protection settings should be available wherever they are confronted to
related information or experience (e.g. links redirecting to the relevant parts of the privacy policy; e.g.
in the privacy policy, provide for each data protection information links that directly redirects to the
related data protection pages on the social media platform; provide users with a link to reset their
password; when users are informed about an aspect of the processing, they are invited to set their
related data preferences on the corresponding setting/dashboard page; provide a link to account
deletion in the user account).
Bulk options: Putting options that have the same processing purpose together, so that users can
change them more easily, while still leaving users the possibility to make more granular changes. If
social media platforms present bulk options, these should not contain unexpected or unrelated
elements (for example elements with different purposes). If the processing require consent, the bulk
options must be in line with the EDPB Guidelines on consent, especially para. 42-44.
Contact information: The company contact address for addressing data protection requests should be
clearly stated in the privacy policy. It should be present in a section where users can expect to find it,
such as a section on the identity of the data controller, a rights related section or a contact section.
Reaching the supervisory authority: Stating the specific identity of the supervisory authority and
including a link to its website or the specific website page related to lodging a complaint. This
information should be present in a section where users can expect to find it, such as a rights related
section.
Privacy Policy Overview: At the start / top of the privacy policy, include a (collapsible) table of contents
with headings and sub-headings that shows the different passages the privacy notice contains. The
names of the single passages clearly lead users regarding the exact content and allow them to quickly
identify and jump to the section they are looking for.
Change spotting and comparison: When changes are made to the privacy notice, make previous
versions accessible with date of release and highlight changes.
Coherent wordings: Across the website, the same wording and definition is used for the same data
protection. The wording used in the privacy policy should match the one used on the rest of the
platform.
Providing definitions: When using unfamiliar or technical words or jargon, providing a definition in
plain language will help users understand the information provided to them. The definition can be
given directly into the text, when users hover over the word, as well as be made available in a glossary.
Contrasting Data protection elements: Making data protection related elements or actions visually
striking in an interface that is not directly dedicated to the matter. For example, when posting a public
message on the platform, controls over association of the geolocation should be directly available and
clearly visible.
Data Protection Onboarding: Just after the creation of an account, include data protection points
within the onboarding experience of the social media provider for users to smoothly discover and set
their preferences. For example, this can be done by inviting them to set their data protection
preferences after adding their first friend or sharing their first post.
Use of examples: In addition to mandatory information clearly and precisely stating the purpose of
processing, examples can be used to illustrate a specific data processing to make it more tangible for
users.
Sticky navigation: While consulting a page related to data protection, the table of contents can be
constantly displayed on the screen allowing users to always situate themselves on the page and to
quickly navigate in the content thanks to anchor links.
Back to top: Include a return to top button at the bottom of the page or as a sticky element at the
bottom of the window to facilitate users’ navigation on a page.
Notifications: Notifications can be used to raise awareness of users on aspects, change or risks related
to personal data processing (e.g. when a data breach occurred). These notifications can be
implemented in several ways, such as through inbox messages, pop-in windows, fixed banners at the
top of the webpage, etc.
Explaining consequences: When users want to activate or deactivate a data protection control, or give
or withdraw their consent, inform them in a neutral way on the consequences of such action.
Cross-device consistency: When the social media platform is available through different devices (e.g.
computer, smartphones, etc.), settings and information related to data protection should be located
in the same spaces across the different versions and should be accessible through the same journey
and interface elements (menu, icons, etc.).
Data protection directory: For easy orientation through the different section of the menu, provide
users with an easily accessible page from where all data protection related actions and information
are accessible. This page could be found in the social media provider main navigation menu, the user
account, through the privacy policy, etc.
Contextual information: in addition to an exhaustive privacy policy, bring short bits of information at
the most appropriate time for the user to have a specific and continuous information on how their
data are processed.
Self-explanatory URL: pages related to data protection settings or information should use a web
address that clearly reflects their content. For example, a page centralising data protection control
could have a URL such as [social-network.com]/data-settings.
Exercise of the rights form: to facilitate users in exercising their GDPR rights, provide a dedicated form
that helps users understand their rights and that guides them carry out these kind of requests.