The European Commission's forthcoming Digital Fairness Act (DFA) is shaping up to be the most consequential consumer-protection initiative since the General Data Protection Regulation. In a detailed set of recommendations published on 4 May 2026, the Electronic Frontier Foundation urged Brussels to focus the new law on genuine consumer harms — manipulative dark patterns, addictive design, opaque personalised pricing, and exploitative AI practices — while explicitly warning policymakers not to duplicate provisions already found in the GDPR or the Digital Services Act (DSA), nor to weaken existing data-protection rights in the name of consumer fairness.
EFF's intervention lands at a delicate moment. The Commission's 2025 'Digital Fairness Fitness Check' concluded that existing instruments — the Unfair Commercial Practices Directive (2005/29/EC), the Consumer Rights Directive, and the Unfair Contract Terms Directive — leave meaningful gaps when applied to algorithmically curated online environments. But as we have argued repeatedly on these pages, a gap in coverage is not, by itself, a justification for another layered regulation. The question Brussels must answer is whether the DFA can address those gaps without reproducing the regulatory drag that already complicates compliance for European SMEs and start-ups.
The case for surgical, not sweeping, reform
EFF's recommendations are striking precisely because they come from an organisation usually associated with maximalist consumer protection. The group is explicit: the DFA should not re-legislate consent, lawful basis, or data-subject rights — those belong to the GDPR. Nor should it replicate the DSA's systemic-risk and transparency obligations for very large online platforms. Instead, EFF urges the Commission to address narrowly defined manipulative practices that current law genuinely fails to capture.
That is a position People of Internet endorses. Europe's digital rulebook is already extraordinarily dense. Since 2022 alone, the bloc has finalised the DSA, the Digital Markets Act, the Data Act, the Data Governance Act, the AI Act, and the Cyber Resilience Act. According to the Commission's own estimates published alongside the AI Act, compliance costs for a mid-sized European SaaS company can run into the hundreds of thousands of euros annually before the DFA is even drafted. Adding a sixth or seventh overlapping instrument — without clear demarcation lines — risks turning Europe's digital single market into a compliance maze that only incumbents can navigate.
Dark patterns: where the law genuinely lags
The most defensible part of EFF's proposal concerns dark patterns — interface designs engineered to nudge users into choices against their interest. The European Data Protection Board's 2022 Guidelines 03/2022 on deceptive design patterns and the DSA's Article 25 already prohibit some of these practices, but enforcement has been uneven, and many manipulative patterns sit outside data-protection scope altogether (think confirmshaming on subscription cancellation flows, or pre-ticked add-ons at checkout).
A horizontal prohibition with a clear taxonomy — modelled on California's recent dark-patterns enforcement under the CCPA and the FTC's 2023 'Negative Option Rule' — would offer legal certainty for businesses and meaningful redress for consumers. Crucially, it should be enforced through existing consumer-protection authorities, not by creating yet another European-level supervisory body.
Personalised pricing and addictive design: tread carefully
On personalised pricing, the Commission should resist the temptation to ban a practice that, in many cases, benefits price-sensitive consumers. Dynamic pricing has existed in airlines, hotels, and insurance for decades. The legitimate concern is opacity and discrimination on protected characteristics — both already addressable under the GDPR's automated-decision provisions (Article 22) and the EU Charter. A disclosure obligation is proportionate; a prohibition is not.
Addictive design is the trickiest territory. The empirical evidence on 'platform addiction' remains contested, and prescriptive design mandates risk infringing on legitimate editorial and product-design choices that are themselves expressive activity. Any DFA provision in this area should be limited to minors, evidence-based, and built around user-empowerment tools — chronological feeds, time-management dashboards, default-off recommender systems — rather than blanket prohibitions.
The federal contrast
EFF's separate critique of the US 'SECURE Data Act', published on 6 May 2026, underscores why the EU debate matters globally. As EFF notes, the SECURE Data Act would preempt stronger state laws while offering thin federal protections — a warning that consumer-fairness legislation can easily become a vehicle for regulatory capture if not designed carefully. Europe has the opposite problem: it tends to over-regulate first and assess proportionality second.
What Brussels should do next
The Commission's public consultation on the DFA closes later this year. We urge European policymakers to take three lessons from EFF's recommendations: first, treat the DFA as a targeted gap-filler, not a horizontal consumer-protection code; second, route enforcement through national consumer authorities to avoid yet another Brussels-based supervisor; third, include a sunset clause requiring the Commission to review overlap with the GDPR, DSA, DMA and AI Act within five years.
Done well, the Digital Fairness Act could meaningfully protect European consumers from genuinely manipulative practices while preserving the innovation dividend that the single market depends on. Done badly, it will become a GDPR 2.0 — well-intentioned, broadly drafted, and a permanent moat protecting the largest US and Chinese platforms from European competitors. The choice, as ever, lies in the details.