By Nick Stringer, a global technology, public policy, and regulatory affairs adviser. His extensive experience includes serving as the former Director of Regulatory Affairs at the UK Internet Advertising Bureau (IAB UK).
“By failing to prepare, you are preparing to fail,” Benjamin Franklin, Founding Father of the USA
The European Commission’s (EC) recent ‘Digital Fairness Fitness Check’ report has received relatively little attention, likely due to its substantial detail and complexity. While many legal experts and policy ‘wonks’ are still delving into the report, including the 1000-page supporting documents, it’s important to be aware of its potential implications for many digital businesses. The well-intentioned report – building on a ‘call for evidence’ and public consultation – aims to assess whether existing European Union (EU) consumer protection laws adequately safeguard people in today’s digital world. Although not a final legislative proposal yet, some of the current recommendations could increase regulatory complexity and may significantly impact – and even undermine – current business models.
As part of the ‘ByteWise Insights’ series, this article examines the EC’s initial proposals and highlights their potential significance. Consumer protection, trust and safety should be at the heart of the digital environment we live in, and how it develops. But there is a risk of repeating the experience with the General Data Protection Regulation (GDPR), where many businesses were caught off guard by its agreed requirements until they had to comply. To avoid similar pitfalls, it is crucial to be aware of these emerging developments now.
Let’s begin with some positive news…
In line with the EU’s Digital Single Market ambition, one of the key aims is to harmonise consumer protection laws across the EU, reduce regulatory fragmentation, legal uncertainty, and enhance enforcement. This aligns with other EU-wide legislation, including the Digital Markets Act, Digital Services Act, and Artificial Intelligence (AI) Act (as well as the likes of the GDPR). The report says that it costs businesses €737m each year to comply with existing consumer law regulations. Many pan-EU and global businesses, and start-ups looking to ‘scale up’, are likely to welcome this streamlined approach.
The review’s central focus is to evaluate whether existing EU consumer laws are still relevant in today’s digital world. Specifically, it examines whether the current ‘principles-based’ approach is outdated, given that many countries have already implemented more prescriptive rules in areas like online subscriptions, social commerce and influencer marketing, as well as uncertainty-based rewards (‘loot boxes’) in video games. The general idea is clear and makes sense, but the specifics are crucial: the devil is in the detail.
But there are some ‘problematic practices’
The EC believes that existing consumer laws, while adequate in many respects, fail to address certain ‘problematic practices’. This is despite 76% of the businesses asked believing existing EU consumer law is well-adapted to new technological developments.
Some of these practices are fundamental to many business models, such as advertising and video games. And it is these practices, which – according to the report – are estimated to cost EU consumers €7.9bn annually. They include:
- ‘Dark Patterns’ and deceptive design: The report identifies a growing concern with ‘dark patterns’ – deceptive or manipulative design techniques that mislead consumers into making unwanted choices or purchases. Examples include presenting options in a biassed manner, creating a false sense of urgency with countdown timers, and misleading consent options.
- Addictive design and gaming: Another area of concern is addictive design – the intentional design of digital services to encourage excessive use or spending. Techniques such as auto-play, ‘pull to refresh’ features, and in-app purchases can contribute to addictive behaviour. The report highlights the risks posed by ‘loot boxes’ in video games, which offer randomised rewards and may exploit the psychology of uncertainty.
- Targeted advertising, ranking, and personalised pricing: The report criticises the lack of transparency and control associated with targeted advertising, ranking, and personalised pricing. These practices rely on the collection and use of personal data, which may be exploited to manipulate consumer behaviour. The report expresses particular concern for the vulnerability of children and individuals facing financial difficulties or negative mental states. While the GDPR offers some protections for personal data, the report suggests that more robust measures may be needed.
- Contracts and subscriptions: The report highlights the challenges consumers face when managing digital subscriptions, particularly the difficulty of unsubscribing from unwanted services. The increasing trend towards ‘freemium’ business models underscores the importance of consumer confidence in subscription-based services.
- Social media commerce and ‘influencer advertising’: Despite existing EU-wide regulations, the report criticises the lack of transparency among some ‘influencers’ who promote commercial products or services on social media. The report emphasises the need for clearer disclosure requirements to protect consumers from misleading or deceptive endorsements.
The report also identifies several other emerging technologies that pose potential risks to consumers, such as dropshipping, AI Chatbots and ticket scalper or reseller bots. The report concludes that these practices highlight the need for further action “to create a fair digital environment for consumers”. This includes simplifying existing regulations “without compromising consumer protection” and addressing the emerging challenges posed by new technologies.
A Digital Fairness Act is on the horizon
The EU’s legislative process is long and complex, but this is the early stage of a new EU-wide ‘Digital Fairness Act’. This new legislation is expected to be introduced in late 2025 or early 2026, under the leadership of Commissioner-Designate and Irish politician, Michael McGrath. In her Mission Letter to McGrath on 17 September 2024, re-appointed EC President Ursula von der Leyen said that “a Digital Fairness Act [should be developed] to tackle unethical techniques and commercial practices related to dark patterns, marketing by social media influencers, the addictive design of digital products, and online profiling especially when consumer vulnerabilities are exploited for commercial purposes”. It is clear the EC is pulling no punches.
Get ready: the regulatory storm is coming
The GDPR, a significant EU regulation to revise and update data protection rules, took a total of nine years to become reality, spanning a seven-year framing period and a subsequent two-year implementation phase. Initiated in 2009, the GDPR finally took effect in 2018. Some might argue that this timeline is excessively lengthy, especially considering the rapid pace of technological advancements. However, the impending arrival of a Digital Fairness Act is unavoidable.
Consequently, businesses must proactively act to ensure a balanced and proportionate outcome: a framework that prioritises consumer protection and individual rights without compromising the ability of businesses to deliver valuable services to millions of people around the world.