Addictive patterns and data protection: an analysis of current practices
In the digital age, online platforms have become an integral part of our lives. However, behind the convenience and entertainment they offer lie design tactics aimed at keeping us increasingly engaged. Addictive patterns, designed to prolong the time we spend on these platforms, pose a significant challenge to data protection.
Next, we will analyze the recent report by the AEPD that reveals how many platforms, applications, and services use their users’ personal data to foster addiction and increase connection time.
Definition and examples of patterns
The AEPD, in its July 2024 report "Addictive Patterns in Personal Data Processing. Implications for Data Protection", defines an addictive pattern as a characteristic, attribute, or design practice that determines a specific way of using platforms, applications, or digital services, aimed at ensuring that users spend much more time using them or with a higher degree of engagement than expected, convenient, or healthy for them.
Addictive patterns can be analyzed from a hierarchical perspective, divided into three levels: high, medium, and low. High-level patterns represent general and abstract strategies, independent of the specific context. Four high-level patterns have been identified: forced action, social engineering, interface interference, and persistence.
While high-level patterns lay the foundation for addictive strategies, medium- and low-level patterns make them concrete. Medium-level patterns identify and exploit users’ psychological weaknesses, while low-level patterns handle the technical execution of these strategies in specific contexts.
These levels may involve the collection, generation, or use of personal data to achieve their goals.
Some common examples of these patterns include:
- Intermittent reward systems: the random release of rewards (such as “likes” or notifications) creates a constant cycle of seeking gratification.
- Infinite design: the presentation of seemingly endless content (such as on social media) makes it difficult for users to set time limits.
- Gamification: incorporating game elements (scores, levels, challenges) encourages competition and the need to keep advancing.
- Excessive personalization: creating highly personalized experiences based on user data can lead to a deep sense of connection with the platform.
Current context
Today, the proliferation of connected devices and constant internet access has intensified people’s exposure to these addictive patterns. Big tech companies have perfected these techniques to keep users hooked on their platforms, generating enormous economic benefits.
However, this situation has generated growing concern about the negative consequences of such practices. In addition to the impact on mental health, social relationships, or individual productivity, the massive collection of personal data associated with these patterns raises serious concerns about privacy and information security.
The AEPD study highlights that the more time we spend online, the more personal data providers collect, which is used to influence our behavior and offer increasingly personalized content.
This poses a danger, especially for underage users, who often are not aware of the amount of personal data they are providing to platform providers.
The use of personal data to foster these addictive patterns can undermine our ability to act independently and limit our individual freedom.
Regulation and protection
In response to this scenario, at the European level, the European Data Protection Board published the document "Guidelines 03/2022 on Deceptive Design Patterns in Social Media Platforms’ Interfaces: How to Recognise and Avoid Them", in which the Board focuses on social media and addresses their implications for loyalty, transparency, accountability, data protection by design, and GDPR compliance. It also establishes that data protection authorities are responsible for sanctioning the use of deceptive design patterns if they violate GDPR requirements.
The possible violations include breaches of proactive responsibility, data protection by design and by default, transparency, lawfulness, purpose limitation, or data minimization.
In this regard, the European Commission has initiated two sanctioning procedures against TikTok and Meta for violations in this area.
Furthermore, the European Parliament adopted a resolution in December 2023 banning addictive practices, such as infinite scrolling or autoplay, that encourage prolonged connection.
Protecting oneself from digital addictive patterns requires a comprehensive approach involving both user awareness and limit-setting, as well as compliance with regulations and transparency by companies.