What Is the DSA?

The European Union's platform regulation, known as the Digital Services Act (DSA), took full effect on February 17, 2024. It modernizes the legal framework for digital services across the EU, replacing parts of the E-Commerce Directive with binding rules on platform accountability, content moderation, and interface design.

The DSA changed the rules for organisations that use clickwrap agreements. It explicitly bans dark patterns (deceptive interface design that manipulates users into making unintended choices) and requires that terms of service be drafted in plain, accessible language users can actually understand.

Who Does the DSA Apply To?

The DSA applies to all providers of intermediary services offered in the EU, regardless of where the provider is established (Article 2). This means that any non-EU business serving EU users must comply, with obligations scaled to the size and type of service.

The DSA applies when you:

  • Provide intermediary services (mere conduit, caching, or hosting) accessible to EU users.
  • Operate an online platform allowing users to upload and share content, reaching EU users.
  • Qualify as a Very Large Online Platform (VLOP) with 45 million or more monthly active EU users, triggering heightened obligations.
  • Provide an online search engine (subject to enhanced VLOSE obligations at scale).

If your clickwrap agreement is presented to EU users on any of the above services, it must comply with the DSA's interface and transparency requirements.

DSA and Clickwrap Agreements

The Digital Services Act introduced the first EU-wide prohibition on dark patterns in online interfaces, alongside binding transparency standards for terms of service. For clickwrap agreements, this represents a fundamental shift: the DSA regulates not just the substance of what users agree to, but the design of the interface through which they agree. Article 25 makes it illegal to structure a consent flow in a way that deceives, manipulates, or materially distorts users' ability to make free and informed decisions, turning interface design choices into matters of legal compliance.

How the DSA Affects Clickwrap Design

Article 25(1) prohibits online platforms from designing, organizing, or operating their online interfaces in a way that deceives or manipulates the recipients of their service, or in a way that otherwise materially distorts or impairs the ability of recipients to make free and informed decisions. This prohibition applies to the entire user interface, but its impact on clickwrap and consent flows is particularly direct.

Visual manipulation is explicitly targeted. Recital 67 lists concrete examples: giving more visual prominence to certain choices, repeatedly requesting a choice already made, making cancellation significantly more cumbersome than signing up, and making certain choices harder or slower than others. In clickwrap design, this means the "Accept" and "Decline" buttons must carry equal visual weight in size, color, and placement, a reject path cannot add friction over the accept path, and confirmshaming language like "No thanks, I don't want to save money" qualifies as manipulation under Article 25.

Article 14 separately requires that terms of service be drafted in clear and unambiguous language and made easily available. Where terms restrict or affect a user's ability to use the service, the relevant provisions must sit in a specific, dedicated section. A clickwrap flow cannot present an opaque wall of legalese and treat a click as meaningful acceptance; the terms themselves, not just the consent mechanism, must be genuinely comprehensible.

Significant changes carry their own obligations. Article 14(3) mandates that where a provider materially affects users' rights through a terms update, affected users must be informed with reasonable advance notice, specifying what changed and when. A clickwrap flow that silently updates terms and captures acceptance on the next login fails this standard.

What Must Be Shown Under the DSA

Articles 14 and 25 define what providers must show users in both their terms of service and the consent interface itself, with implementation details elaborated in the European Commission's DSA guidance. For clickwrap agreements, the following must be disclosed in the terms:

  • Content moderation policies the provider imposes, including content policies, algorithmic tools used, and human review processes.
  • Internal complaint-handling mechanisms available to users who wish to challenge content moderation decisions or other service restrictions.
  • Out-of-court dispute resolution options, including the availability of settlement bodies under Article 21.

Beyond what is disclosed in the terms, Article 25 governs how choices are presented at the point of consent. For online platforms (as opposed to mere hosting services), the interface must be neutral (no option pre-selected or visually favored), comprehensible (the consequences of each choice described in plain language), and non-deceptive (no ambiguous wording, double negatives, or confusing navigation). Very Large Online Platforms (VLOPs) with over 45 million monthly active EU users face heightened obligations under Articles 34-35, including systemic risk assessments that account for how the design of their interfaces may contribute to negative effects on fundamental rights.

What Records You Must Keep Under the DSA

Article 15 requires intermediary service providers to publish annual transparency reports on content moderation activities, with Article 24 extending this to online platforms for automated tooling and dispute outcomes. While these reports focus on content moderation rather than clickwrap acceptance per se, Article 25 creates an indirect recordkeeping imperative for the consent interface itself.

A compliant clickwrap system must capture:

  • UI version archives - Each version of the consent interface, including button labels, color treatment, layout, and the relative prominence of accept/decline options.
  • A/B test documentation - Records showing that no consent-flow variant introduced manipulative design or friction-based nudges.
  • Terms change notification logs - Timestamped evidence that significant terms updates were communicated to affected users with advance notice.
  • Complaint and dispute records - User complaints about the consent interface or terms, and the actions taken in response.

The European Commission's enforcement powers extend to requesting access to algorithms, data, and design documentation from VLOPs and VLOSEs, with equivalent authority held by national Digital Services Coordinators for smaller providers. Organizations must therefore be prepared to produce evidence of compliant interface design on regulatory request.

Key Provisions of the DSA

  • Dark Patterns - Online interfaces designed to deceive, manipulate, or otherwise materially distort users' ability to make free and informed decisions. Explicitly banned for all online platforms operating in the EU (Art. 25).
  • Transparency of Terms - Providers must draft terms of service in clear, plain, and unambiguous language, and make them easily accessible. Terms must explain content moderation policies, algorithmic decision-making, and complaint mechanisms (Art. 14).
  • Very Large Online Platform (VLOP) - An online platform with an average of 45 million or more monthly active users in the EU, designated under Article 33. VLOPs face additional obligations including systemic risk assessments (Art. 34) and independent audits (Art. 37).
  • Intermediary Service - A service that provides mere conduit, caching, or hosting of information provided by a recipient of the service. The DSA applies to all intermediary services offered in the EU regardless of where the provider is established (Art. 3).
  • Notice and Action - Hosting providers must implement mechanisms allowing anyone to notify them of illegal content. Upon receiving a notice, they must act expeditiously to remove or disable access to the content (Art. 16).
  • Recommender System Transparency - Platforms using recommender systems must clearly explain in their terms the main parameters used for recommendations and any options for users to modify or influence those parameters (Art. 27).

Penalties for DSA Non-Compliance

  • Very Large Online Platforms (up to 6% of global annual turnover) - VLOPs and very large online search engines face fines of up to 6% of global annual turnover for any DSA violation, enforced directly by the European Commission under Article 74. This includes failures relating to VLOP-specific obligations under Articles 34-43 (systemic risk assessments, audits, transparency reports, recommender system parameters, and researcher data access).
  • Standard platform violations (up to 6% of annual income or turnover) - Online platforms that violate the dark pattern ban, fail to provide transparent terms, or do not comply with notice-and-action obligations face fines imposed by national Digital Services Coordinators.
  • Periodic penalty payments (up to 5% of average daily turnover per day) - For ongoing non-compliance, regulators can impose daily penalty payments until the violation is remedied. This applies to all categories of service providers and creates strong incentives for rapid compliance.

Frequently Asked Questions

The DSA defines dark patterns broadly as any interface design that deceives, manipulates, or materially distorts users' decision-making. Examples include making the reject option harder to find than accept, using confusing double negatives, pre-selecting consent options, or employing visual tricks like color contrast to steer choices.
The DSA applies to all providers of intermediary services in the EU, but obligations are tiered by size. The dark pattern ban (Art. 25) applies specifically to online platforms. However, the plain language terms requirement (Art. 14) applies to all intermediary services, including smaller providers.
The DSA and GDPR work together but address different aspects. GDPR governs how personal data consent must be collected. The DSA governs how the consent interface must be designed: no dark patterns, clear language, equal choice presentation. A clickwrap flow must comply with both simultaneously.

This entry is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for guidance specific to your situation.