EDPB deceptive design patterns in social media guidelines
The European Data Protection Board (EDPB) adopted these guidelines on 14 February 2023. They apply General Data Protection Regulation (GDPR) principles to the entire life cycle of a social-media account, including privacy settings, the exercise of data-subject rights, account pausing, and permanent account deletion.
The guidelines say that permanently leaving a social-media service is accompanied by the Article 17(1)(a) right to erasure. Providers must avoid unnecessary procedural hurdles, keep any grace period proportionate, and not use interface design to steer a person from deletion into mere deactivation.
Some data may remain under an Article 17(3) exception, including a necessary freedom-of-expression, legal-retention, or legal-claims purpose. The EDPB says such remaining data should be kept internally and the exception does not permit the provider to keep the public account running.
The guidance also treats changing or deleting a particular profile field as a possible exercise of rectification or erasure rights. It recommends placing related controls together and keeping the number of steps as low as possible.
This is regulatory guidance rather than a platform-specific audit. Whether Article 17 requires erasure in a particular case still depends on the processing purpose, legal basis, the request, and any applicable exception.