Dark Patterns, Privacy and the LGPD

Abstract

This article deals with the topic of dark patterns in personal data collection (DPPDC), arguing that they are still under the radar of lawmakers and privacy advocates, and that data protection laws such as the Brazilian Lei Geral de Proteção de Dados (LGPD) do not offer enough protection against it. The article presents the general concept of dark patterns, followed by a legal analysis of DPPDC, highlighting that their prevalence is made possible by the outdated decision making model tacitly endorsed by data protection laws. To illustrate this argument, I examine the recently enacted LGPD, which emphasizes data subjects’ autonomy without offering additional protection against malicious actors’ commonly used techniques. Turning to the legal text, I inquire whether DPPDC can be deemed legal or not given the LGPD’s current provisions regarding lawfulness of data processing. Lastly, after identifying the legal gaps that enable DPPDC to flourish, I argue that data protection law needs a paradigm change, so that data subjects can be guaranteed a fair decision making process and adequate levels of protection of their privacy. Dark Patterns, Data Protection, Brazil, Lei Geral de Proteção de Dados (LGPD), General Data Protection Regulation (GDPR), Fairness, Privacy