Dark patterns and the EU digital services act: Mapping autonomy violations and design factors

Summary

This paper builds a “law-to-design” framework bridging HCI dark patterns research and Article 25 of the EU Digital Services Act, which prohibits interfaces that deceive, manipulate, or distort/impair user autonomy. Working in the reverse direction of most prior work, the authors start from legal categories and ask which design properties trigger them. Through iterative qualitative coding of the 59 meso- and low-level dark patterns in Gray et al.’s unified ontology, they map each pattern onto the three autonomy-violation types from Santos et al. and inductively derive eight underlying design factors split across an “Information Space” and a “Choice Space.” They argue this vocabulary equips regulators, designers, and HCI researchers to reason concretely about why a given interface violates Article 25, and demonstrate extensibility on attention-capture patterns and the EU Commission’s case against X over paid blue checkmarks.

Key Contributions

• A comprehensive mapping of 59 dark patterns from the Gray et al. ontology to the three DSA Article 25 autonomy-violation types (deception, manipulation, distortion/impairment).
• An eight-factor design vocabulary organized into an Information Space (Availability, Correctness, Framing, Presentation) and a Choice Space (Availability, Effort, Simplification, Presentation).
• Structured natural-language reasoning templates for each pattern, released as appendix and CSV, that articulate why a pattern constitutes a particular violation.
• Demonstrations of external applicability: extension to attention-capture damaging patterns and analysis of the EU Commission’s enforcement case against X’s paid verification checkmarks.
• A translational contribution arguing that HCI methods can underpin a new practice of regulatory design auditing and compliance-by-design.

Methods

The authors used the Gray et al. (2024) unified hierarchical ontology as their corpus and Santos et al.’s legal interpretation of Article 25 as their codebook. Two authors independently coded each pattern for autonomy violations in AirTable, reconciling disagreements over three consensus rounds. Design factors were then inductively derived from coders’ rationale memos and deductively re-applied to 34 low-level patterns, achieving substantial inter-rater agreement (Cohen’s κ = 0.679). Third and fourth authors refined labels and reasoning. External validity was tested by applying the framework to 11 attention-capture damaging patterns from Monge Roffarello et al. and to a live regulatory case.

Findings

• 17 of 59 patterns map to a single autonomy violation, while 42 implicate multiple types and 11 trigger all three.
• Deception–manipulation co-occurs most often (22 patterns), suggesting these violations lie on a continuum; manipulation–distortion is rare (only 2 patterns).
• High-level strategies show internal consistency: Sneaking always involves deception, Obstruction always involves distortion/impairment, Social Engineering always involves manipulation; Forced Action is the most heterogeneous.
• Violations co-occur in three modes: as alternatives, through temporal progression (e.g., drip pricing shifting from deception to manipulation), or by mutual reinforcement (e.g., Sneak into Basket).
• Information Availability and Correctness drive deception; Framing, Presentation, Choice Simplification, and Choice Presentation drive manipulation; Choice Availability and Effort drive distortion/impairment.
• Meso-level patterns sometimes carry fewer violation labels than their constituent low-level patterns, because low-level definitions encode additional execution detail.
• Applied to X’s paid blue checkmarks, the framework supports a deception finding under Article 25.

Connections

No other papers have been registered under shared topics, so there are no genuine intellectual connections to link at this time.

Podcast

A research-radio episode discusses this paper: Listen