Website design and user experience aren’t just about making things look good or improving conversion rates; they’re about trust, honesty, and compliance.
Legal regulations like the Digital Services Act (DSA) and GDPR set clear rules that require you to carefully consider how your site lays out content and guides users through certain choices.
Despite the Digital Services Act having been in force for a few years now, plenty of design and content practices that go against its rules are still in use across all kinds of sites.
To help you understand the DSA and check that your website complies, we’ve broken down the common practices to avoid, how to keep your website clear and easy to use, and how to build and maintain trust with your users.
To start, let’s go over what the Digital Services Act covers…
What is the Digital Services Act (DSA)?
The Digital Services Act is meant to protect people’s rights online and make sure companies follow clear, fair rules.
The DSA focuses on how online platforms behave, especially how their interfaces are designed, and aims to limit designs that trick or pressure users.
The Digital Services Act also works alongside GDPR to protect your personal data. The DSA and GDPR focus on different parts of the same issue: how online platforms are designed and how your data is used within them.
Proposed by the European Commission in December 2020, the Digital Services Act entered into force in November 2022. The largest platforms had to comply from 2023, and the rules applied to all other in-scope businesses from 17th February 2024.

Which businesses does the DSA apply to?
The Digital Services Act applies to any business that offers digital services to people in the EU.
This includes companies based outside the EU if their websites, apps, or platforms are used by EU users. If you sell online, collect user data, run sign-up forms, or allow users to interact with your service, the DSA may apply to you.
The rules cover websites, eCommerce stores, apps, marketplaces, and online platforms of all sizes, so even small businesses are expected to follow fair design practices. One caveat: the DSA’s own ban on manipulative interfaces is written for online platforms, and micro and small enterprises are exempt from some platform-level duties. The same practices still fall foul of GDPR consent rules and consumer-protection law, so they are worth avoiding whatever your size.
If your design influences user choices, consent, or behaviour, the DSA is relevant to how your service is built and presented.
Large online platforms, like social media sites and search engines, face the strictest obligations and the earliest enforcement deadlines. The DSA groups services into tiers, and each tier adds duties on top of the one below it.
Tiers of the Digital Services Act
The DSA layers its obligations by service type: intermediary services (such as ISPs), hosting services, online platforms, and very large online platforms (VLOPs) and very large online search engines (VLOSEs). Each tier inherits the duties of the tiers below it.
| Tiers | Who It Covers | Examples | What’s Required |
|---|---|---|---|
| Tier 1 | Intermediary services that transmit or cache traffic (“mere conduit” and caching services) | Internet providers, VPNs, and domain name services | • Follow basic rules to protect users’ rights • Work with authorities to deal with illegal content • Provide a clear contact point for users • Publish a yearly report explaining how they manage content |
| Tier 2 | Services that store or deliver content | Cloud storage, web hosting, and content delivery networks | • All Tier 1 duties • Provide a clear way for people to report illegal content • Remove content when required • Explain why content is removed • Report suspected serious crimes |
| Tier 3 | Platforms where users share content | Social media, forums, app stores | • All Tier 1 and 2 duties • Stop using misleading or manipulative design tricks • Offer systems for user complaints and disputes • Do not show profiling-based targeted ads to children |
| Tier 4 | Very large online platforms (VLOPs) and very large online search engines (VLOSEs) | Google Search, Amazon Store, Facebook, Instagram | • All Tier 1, 2, and 3 duties • Regularly assess and reduce risks to users and society • Undergo yearly independent audits • Share data with regulators to prove they are following the rules |
What happens if your designs break DSA rules?
If a platform uses a misleading design to get your information, the data collection that results may also break GDPR rules. Interfaces are most likely to violate the GDPR when they use deception to influence decisions about personal data.
Companies that don’t follow the DSA’s rules can be fined up to 6% of their worldwide annual turnover, and for persistent breaches can have their services restricted in the EU.
The biggest platforms, like large social networks and search engines, face the harshest penalties. For example, X (formerly Twitter) was recently fined €120 million by the European Commission for breaching the DSA’s transparency obligations.
Common design practices that are illegal under DSA rules
Illegal Practice #1: Manipulative “Dark Patterns”
Have you ever visited a website and seen a countdown timer or similar pressure tactic pushing you to buy something quickly? When that urgency is fake, the tactic is banned under the Digital Services Act (DSA).
The DSA stops “dark pattern” designs like these that are meant to trick or mislead you, so you can’t make clear decisions. For example, fake countdown timers or stock counters create a false sense of urgency, making you rush to buy something because you’re afraid of missing out.
Despite these practices being banned, it’s surprising to see many eCommerce websites still using designs like this, even in 2026.
Here are some other common dark patterns that you may have come across:
| Dark Pattern | What It Is | Example |
|---|---|---|
| Roach Motels | Subscription services or newsletter lists that are easy to sign up to but hard to cancel. | Signing up quickly via a website, but needing to contact them via phone call or email to cancel or opt out. |
| Confirmshaming | Messaging that makes you feel guilty. | “No thanks, I don’t want to save money.” |
| Hidden Costs | Important information that only appears at the last minute. | Hiding automatic subscription renewals and additional fees until the final checkout window or in the small print. |
Illegal Practice #2: Exploitative UX
Repetitive, pushy questions
The DSA’s dark-pattern rule also covers what we’ll call exploitative user experience (UX): the Act explicitly names repeatedly asking a user to make a choice they have already made.
This is when websites keep asking you to do something, like sign up for a newsletter or allow cookie tracking, even after you’ve already said no.
Have you ever been shopping online and kept seeing the same pop-up offering 10% off, even though you clicked “No” before? That annoying practice is now illegal under the DSA.
These repeated pop-ups wear people down and make the site harder to use, forcing you to make the same choice over and over.

Misleading choices
Another example of an exploitative user experience is intentionally misleading choices.
You know when a pop-up asks you to accept cookies, and the “Accept All” button is big and bright, but the “Decline” button is much lighter, hidden, or hard to find?
Or the colour coding of buttons is swapped round unexpectedly to make you accidentally ‘Accept’ instead of ‘Decline’.
This kind of design trick gets people to click “Accept” without really knowing what they’re agreeing to. It makes it hard to make a clear choice because the buttons are confusing or tricky to use.
And that’s a practice that’s banned under the DSA.
Sneaking in extra costs or options
Another trick some websites use is sneaking extra items into your shopping basket without asking you first. For example, they might automatically add additional products or premium options, and you only notice later when you check your basket.
You’ve probably experienced this before; I know I have. When you’re going through the checkout process with the ‘subtotal’ right there at the bottom throughout multiple steps, only to find that right at the end, the price has increased because of some extra fee, unwanted upgrade, or previously unmentioned shipping cost.
This trick is not only unfair but also makes things harder for people with disabilities, such as users with visual or cognitive impairments, because it makes the site more confusing to use.
Illegal Practice #3: Deceptive Privacy & Data Settings
Deceptive privacy and data settings break the DSA’s ban on deceptive interfaces and the GDPR’s requirement that consent be freely given, specific, informed, and unambiguous.
Some platforms trick users into sharing more personal information than they want by hiding options or using confusing designs. This is called “forced action”, where users have to give personal data to use a service.
Other examples of deception in relation to privacy and data include:
- Using confusing or tricky language and visuals to get consent
- Hiding privacy settings behind several screens while keeping the accept option visible upfront
- Using pre-selected checkboxes that share data by default
- Grouping multiple types of consent into a single “agree” button
- Forcing account creation before explaining how personal data will be used
- Making it more difficult for users to withdraw consent than it was to agree
This is where the Digital Services Act and GDPR overlap, ensuring that websites and online platforms’ designs are clear and explicit when dealing with privacy, data, and consent.

Other design practices you should avoid
While these next few design practices aren’t directly against the Digital Services Act (DSA), they are definitely high risk, ethically questionable, and likely to annoy your users, so it’s a good idea to avoid using these on your website.
Emotional pressure
Emotional pressure is when a website uses guilt, social pressure, or an implied obligation to influence a decision without directly lying to the user. The message may be true, but the intent is to push the user toward a specific action rather than help them make a clear choice.
Some examples you might have seen are:
- “People like you usually choose this”
- “No thanks. I hate saving money”
- “We rely on people like you to help keep our service free”
- “Give your loved one the gift they deserve”
- “Stop settling for less”
Using calls-to-action like this can be risky, because they nudge users emotionally, rather than letting them decide freely.
While this doesn’t technically break the DSA’s rules, if users feel manipulated or pressured, especially when it comes to payments, consent, or data sharing, it could harm your reputation and drive users away from your site.
Ambiguous terminology
Ambiguous terminology is when a site uses vague or friendly wording that softens what is really happening in the background. The language may sound harmless, but it can mask the actual impact of the user’s choice and erode trust, especially in sales and data decisions.
Some examples include:
- “Personalisation” instead of “behavioural profiling”
- “Improving your experience” instead of “sharing data with third parties”
- “Recommended for you” instead of “ranked by an algorithm using your data”
- “Service updates” instead of “marketing emails”
Being transparent in your copy is so important, especially when it comes to pricing, complex settings, and data consent. Using plain, direct language helps your users understand what they’re agreeing to, reduces the risk of complaints, and strengthens trust.
Long-winded opt-out or cancellation processes
This relates to the ‘roach motel’ dark pattern point we covered earlier.
So many websites still use long-winded opt-out processes, where opting out, cancelling, or changing a setting takes more effort than it did to join.
The option is there, but the journey is deliberately slow or frustrating.
Some frequent examples include:
- Cancelling a subscription only available via email or phone
- Multiple confirmation screens to opt out, with warnings at each step
- Requiring users to log in again to change basic preferences
- Hiding account deletion behind account support pages
- Offering discounts or guilt messages before allowing cancellation
While some of the above practices don’t necessarily go against the DSA, it’s a very thin line to walk.
Ultimately, if a user wants to cancel because they’re unhappy, making it more difficult for them will only increase their frustration and further damage trust, making them far less likely to use your service again in the future.
When it comes to user retention, let the quality of your products, services, and customer service do the heavy lifting, because complex, annoying opt-out processes will do the opposite.
Simple tips for making your designs compliant
Good design practices aren’t just about compliance; they’re about building trust with your users, encouraging engagement, and increasing returning visitors. Below are some helpful tips for keeping your designs compliant while maintaining conversion rates.
Use plain language over confusing copy
Using plain language means saying exactly what happens when a user clicks a button or agrees to an option. Vague or polished wording may sound safer, but it often hides the real impact of the user’s choice.
This applies to pricing, features, actions, and outcomes. If the wording hides or confuses what actually happens when users interact on your site, they’re more likely to feel misled.
Some examples to avoid include:
- “Advanced functionality” instead of “Extra features that cost more”
- “Add [Feature]” buttons that automatically upgrade your plan and charge you
- “Free trial” options that require an immediate payment
- “Watch now” video CTAs that take you to an account creation page
- Using ‘Learn more’ or ‘Sign up’ without a clear connection to what the user will learn more about or sign up for
Clear wording tells users what to expect and eliminates false expectations. Unclear wording does the opposite: users think they are taking a small step or just exploring options when they are actually committing to a payment, giving consent, accepting restrictions, or taking on extra effort.
When writing calls-to-action, button text, or privacy and consent options, you should ask yourself: Does the button or label accurately describe the outcome? If the answer is no, then rewrite it.
Avoid default or pre-ticked boxes
Default opt-ins or pre-selected boxes, like pre-ticked privacy policy acceptance, can pose a significant risk to your DSA compliance.
It all depends on how they’re used.
If default or pre-ticked boxes push users towards a choice that benefits the platform, reduce real choice or control, or rely on users not understanding the option, they are exactly the kind of design the DSA prohibits, and under GDPR a pre-ticked box is not valid consent at all.
It can be acceptable in some instances where the choice is neutral, it doesn’t unfairly benefit the platform, the option is easy to change, and the impact is clearly explained, such as language or location settings.
Make acceptance and rejection easy
Users should be able to accept or decline something easily and clearly.
Keep options for accepting or declining simple; don’t hide them in secondary windows, especially if these choices affect privacy, payments, or what content is shown to the user.
If you’re considering directing the user to ‘advanced settings’ to decline cookies or make other simple choices, you may end up in breach of the DSA and GDPR.
You can give users an ‘advanced settings’ option to control which cookies they accept or decline, but there must be an explicit ‘decline’ option clearly visible in the pop-up banner.
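The three rules above (don’t keep asking once a user has said no, never pre-tick optional boxes, and make declining as easy as accepting) are easier to get right in logic than in copy. The following is an added example written for this article, not code from the original page or from any vendor. It models consent state with an injected store (anything with `get`/`set`, so a `Map` here or `window.localStorage` in a browser) and runs without a DOM. The category names, the version number, the six-month re-ask interval, and the button model passed to `auditBanner` are all assumptions made for the example.

```javascript
// Added example (not from the original article): cookie-consent state model
// that encodes the page's rules in code. Store, categories, version, expiry
// and the banner button model are assumptions made for this example.

const CATEGORIES = Object.freeze({
  essential: { required: true },   // strictly necessary; cannot be declined
  analytics: { required: false },
  marketing: { required: false },
});
const CONSENT_KEY = 'consent';
const CONSENT_VERSION = 1;                     // bump when purposes change: re-ask
const MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;  // assumed re-ask interval (~6 months)

// Rule: no pre-ticked boxes. Every optional category starts unchecked.
function defaultChoices() {
  const out = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) out[name] = meta.required;
  return out;
}

function readRecord(store) {
  const raw = store.get(CONSENT_KEY);
  if (!raw) return null;
  try { return JSON.parse(raw); } catch { return null; } // corrupt value: no decision
}

// Rule: do not keep asking. A decline is a decision and suppresses the banner
// exactly like an accept; only a purpose change or expiry re-prompts.
function shouldPrompt(store, now = Date.now()) {
  const rec = readRecord(store);
  if (!rec || rec.version !== CONSENT_VERSION) return true;
  return now - rec.decidedAt > MAX_AGE_MS;
}

// Only an explicit `true` opts a category in; anything else stays off.
function recordDecision(store, choices, now = Date.now()) {
  const clean = defaultChoices();
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    if (!meta.required && choices[name] === true) clean[name] = true;
  }
  const rec = { version: CONSENT_VERSION, decidedAt: now, choices: clean };
  store.set(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Rule: declining and withdrawing are single calls, the same as accepting.
function acceptAll(store, now) {
  const all = {};
  for (const name of Object.keys(CATEGORIES)) all[name] = true;
  return recordDecision(store, all, now);
}
function declineAll(store, now) { return recordDecision(store, {}, now); }
function withdrawConsent(store, now) { return declineAll(store, now); }

// Gate for tracking code: nothing optional runs before an explicit, current opt-in.
function isAllowed(store, category, now = Date.now()) {
  const meta = CATEGORIES[category];
  if (!meta) return false;             // unknown purpose is never allowed
  if (meta.required) return true;
  const rec = readRecord(store);
  if (!rec || rec.version !== CONSENT_VERSION) return false;
  if (now - rec.decidedAt > MAX_AGE_MS) return false;
  return rec.choices[category] === true;
}

// Checks a banner's button model for "decline is as easy as accept".
// Each button: { action: 'accept'|'decline'|'settings', style: string, layer: number }
// where layer 0 is the first screen the user sees.
function auditBanner(buttons) {
  const problems = [];
  const accept = buttons.find((b) => b.action === 'accept');
  const decline = buttons.find((b) => b.action === 'decline');
  if (!accept) problems.push('no accept button');
  if (!decline) problems.push('no explicit decline button');
  if (accept && decline) {
    if (decline.layer !== accept.layer) problems.push('decline is hidden behind another screen');
    if (decline.style !== accept.style) problems.push('decline is styled less prominently than accept');
  }
  return problems;
}

// Stand-alone demo on an in-memory store (constructed input).
const demoStore = new Map();
declineAll(demoStore, 0);
console.log('prompt again after decline?', shouldPrompt(demoStore, 1000)); // false
console.log('analytics allowed?', isAllowed(demoStore, 'analytics', 1000)); // false
console.log(auditBanner([
  { action: 'accept', style: 'btn-primary', layer: 0 },
  { action: 'settings', style: 'btn-link', layer: 0 },
  { action: 'decline', style: 'btn-link', layer: 1 },
])); // two problems: hidden behind a screen, styled less prominently
```

Wire `acceptAll`, `declineAll` and `withdrawConsent` to buttons that look the same and sit on the same screen, call `shouldPrompt` before rendering the banner, and guard every analytics or marketing tag with `isAllowed`. Bumping `CONSENT_VERSION` is the only legitimate reason to show the banner again to someone who has already said no.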
Get tailored website advice & guidance from our specialists
If you’re looking for support with a web design or user experience project, then our team can help.
Our experienced specialists have 20+ years of expertise helping clients such as Armorgard and Imperial Homes create modern, user-friendly websites that follow UX, SEO, and data best practices.
To speak with a specialist about your website project, get in touch.