Article 40

Mitigation of risks arising from the design of recommender systems

Providers of very large online platforms that use recommender systems shall provide at least one option for each of their recommender systems which is not based on profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679.

Very large online platforms shall make that option easily accessible and shall present each option in an easily understandable and user-friendly manner when offering or modifying those settings. Users shall be informed of the option referred to in the first paragraph in a clear and comprehensible manner and shall be able to easily and promptly select it when they first use a very large online platform with recommender systems.

This Article shall not apply where profiling is strictly necessary for the very large online platform to provide its service. If a very large online platform claims that condition is fulfilled, the Digital Services Coordinator of establishment shall assess that claim and shall, at the request of the Commission, communicate its assessment thereof.

Understanding This Article

Article 40 addresses risks arising from recommender systems - algorithms determining what content, products, or information users see. Personalized recommender systems using 'profiling' (GDPR's term for automated analysis of personal characteristics, preferences, behaviors) can create filter bubbles, amplify harmful content, exploit vulnerabilities, and limit user autonomy over information exposure. Article 40 doesn't prohibit personalized recommendations but requires VLOPs to offer a meaningful alternative: at least one recommender option 'not based on profiling', giving users control over algorithmic curation.

The requirement applies specifically to 'very large online platforms' (not VLOSEs) 'that use recommender systems'. Most social media and content platforms fall into this category - Facebook News Feed, Instagram Feed, TikTok For You page, YouTube recommendations, Twitter timeline all use recommender algorithms. The obligation: provide 'at least one option' not based on profiling. This could be chronological feed (showing content in time order without personalization), geographic feed (showing content from user's location), most-popular feed (showing content with highest engagement regardless of personal profile), topical feed based on explicit user selections rather than inferred preferences, or other non-profiling approaches.

The critical distinction is 'profiling' as defined in GDPR Article 4(4): 'any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.' In recommender context, profiling includes: analyzing user's past content interactions to predict future preferences, building profile of user interests from browsing history, categorizing users into demographic/behavioral segments, predicting what content will maximize engagement for specific user. Non-profiling recommendations avoid this individualized analysis - showing content based on factors other than predicted personal preferences.

Example: Chronological feed showing posts from accounts user follows in time order is non-profiling (user explicitly chose to follow accounts; feed orders by objective timestamp without analyzing personal characteristics). Most-popular feed showing most-engaged content globally is non-profiling (ranking based on aggregate popularity, not individual user prediction). Personalized feed analyzing user's past likes, watch time, engagement patterns to predict and prioritize content matching inferred preferences is profiling-based.

Paragraph 2 sets usability requirements preventing platforms from offering non-profiling option in name only while making it practically inaccessible. Requirements: (1) 'Easily accessible' - option must not be buried in settings or require extensive navigation; should be reachable with minimal clicks from main interface. (2) 'Easily understandable and user-friendly manner' - presentation must explain options clearly without technical jargon; user should understand what each option does and why they might choose it. (3) Clear and comprehensible information - platform must explain non-profiling option exists and what it offers. (4) 'Easily and promptly select' at first use - when user first uses platform (or first uses after Article 40 implementation), platform must present choice between profiling and non-profiling recommendations, allowing selection without obstacles.

This prevents circumvention through dark patterns: a platform can't present a personalized feed by default with the non-profiling option hidden in advanced settings accessible only through an obscure menu path. Article 39 (anti-dark patterns) reinforces Article 40 - choice presentation must not manipulate users toward platform-preferred personalization. If a platform frames the choice as 'Exciting personalized feed [large button] vs. Basic chronological feed [small grey text]', it violates both Article 40's usability requirements and Article 39's manipulation prohibition.

Paragraph 3 creates narrow exception: Article 40 doesn't apply 'where profiling is strictly necessary for the very large online platform to provide its service'. This exception is deliberately narrow ('strictly necessary', not merely useful or beneficial) and subject to regulatory oversight (DSC assesses claims, Commission can request assessment). Platform claiming exception must demonstrate: service cannot function without profiling-based recommendations. This might apply to platforms whose entire service consists of personalized recommendations with no meaningful alternative (e.g., hyper-personalized news aggregator with no fixed content sources). It wouldn't apply to general social platforms where chronological or non-personalized feeds are technically feasible alternatives. DSC evaluates whether claim is legitimate or attempt to avoid obligation, potentially requiring platform to demonstrate technical necessity.

Article 40 works with Article 27 (recommender system transparency), which requires platforms to explain recommendation parameters and make them easily modifiable. Article 27 applies to all hosting providers; Article 40's non-profiling option requirement applies only to VLOPs, recognizing their systemic risk. Together, they give users transparency about how recommendations work and the choice to opt out of personalized curation.

Compliance verification occurs through Article 36 audits: auditors test whether non-profiling option exists and functions properly, assess accessibility and usability of option selection interface, review user uptake rates and reasons for low adoption (poor implementation vs. user preference?), examine whether non-profiling feed provides genuine functional alternative, verify platform isn't degrading non-profiling experience to pressure users toward personalized option.

Key Points

  • VLOPs using recommender systems must provide at least one non-profiling-based option
  • Non-profiling option must be easily accessible through user-friendly interface
  • Users must be informed clearly and comprehensibly about non-profiling option
  • Option selection must be easy and prompt, presented when users first use platform
  • Exception: if profiling is strictly necessary for platform to provide service (subject to DSC assessment)
  • Profiling definition follows GDPR Article 4(4) - automated processing evaluating personal aspects
  • Does not prohibit personalized recommendations, but requires alternative
  • Enforcement through Article 36 audits verifying non-profiling options function effectively

Practical Application

For Instagram (Chronological Feed Option): Instagram's main feed historically used algorithmic personalization showing posts predicted to maximize engagement. Article 40 requires offering non-profiling alternative. Implementation: Instagram introduced 'Following' and 'Favorites' feeds alongside default 'Home' feed. Following feed shows posts from followed accounts in chronological order without algorithmic ranking (non-profiling). Favorites feed shows posts from user-selected favorite accounts chronologically (also non-profiling based on explicit user choices, not inferred preferences). Article 40 compliance requirements: (1) Accessibility - feed options must be easily switchable, not buried in settings. Instagram places feed selector at top of app ('Following' and 'Favorites' accessible via top menu). (2) User-friendly presentation - when user first opens app post-implementation, Instagram should present: 'Choose Your Feed: Home (Personalized based on your interests), Following (Chronological posts from accounts you follow), Favorites (Posts from selected favorites).' Clear explanation without manipulative framing. (3) Maintaining selection - if user selects Following feed, Instagram must remember this choice; can't reset to personalized Home feed each session (that would be Article 39 nagging violation). (4) Functionality parity - Following feed must function properly; Instagram can't artificially degrade it (e.g., by loading slower, hiding features) to pressure users toward personalized feed. Audit verification: test feed switching, measure load times comparing feeds, analyze user experience quality parity, review complaint rates about non-profiling feed functionality.

For TikTok (Non-Profiling For You Alternative): TikTok's For You page is paradigmatic profiling-based recommender - analyzes user watch time, likes, shares, completion rates building detailed preference profile to select videos maximizing engagement. Article 40 requires non-profiling alternative. Implementation options: (1) Following feed showing videos from accounts user follows in chronological order. (2) Trending feed showing most popular videos globally without personalization. (3) Geographic feed showing popular content from user's region. (4) Category feeds based on explicit topic selection (user chooses 'cooking' category; sees popular cooking videos without personalized profiling). TikTok must ensure whichever non-profiling option implemented is genuinely accessible and functional. Compliance challenges: TikTok's core experience is For You personalization; shifting to non-profiling feed significantly changes experience. However, Article 40 doesn't prohibit personalized default - only requires offering accessible alternative. TikTok can default to For You if: (1) User clearly informed and chooses personalization at onboarding. (2) Non-profiling Following/Trending feed easily accessible with single tap from main interface. (3) Choice presentation is neutral, not manipulative. Audit focus: Does non-profiling feed provide meaningful content? Is switching genuinely easy? Do users know option exists? Is presentation neutral?

For YouTube (Recommendations Without Watch History): YouTube recommendations heavily rely on watch history profiling. Article 40 compliance: YouTube offers 'Turn off watch history' feature which, when enabled, disables personalized recommendations (though the user remains logged in for subscriptions, likes, etc.). This satisfies Article 40 if: (1) Turning off watch history is easily accessible from settings - currently requires navigating to History settings. YouTube should enhance accessibility, perhaps adding 'Recommendation Settings' with clear option: 'Personalized Recommendations (based on watch history) [toggle] vs. General Recommendations (popular content, not personalized)'. (2) When watch history is off, recommendations are genuinely non-profiling - should show: trending videos, popular content in user's country/language, videos from subscribed channels, recently uploaded content. Should not use other personal data (age, gender, device type) for profiling. (3) User clearly informed about choice and implications. (4) Selecting non-profiling mode doesn't break core functionality (subscriptions still work, search still functions, channel access maintained). YouTube must ensure turning off watch history doesn't create so many functionality losses that it becomes an impractical alternative - Article 40 requires a genuine usable option, not a technically-existing-but-effectively-unusable setting.

For Twitter/X (Chronological Following Feed): Twitter/X offers 'For You' algorithmic timeline and 'Following' chronological timeline. Article 40 analysis: Following feed is non-profiling (shows tweets from followed accounts chronologically without algorithmic reordering based on predicted engagement). Compliance status: Generally compliant if: (1) Following feed easily accessible - currently available by tapping feed selector at top. Meets accessibility requirement. (2) User can set Following as default - if the platform keeps resetting to For You despite user preference for Following, it violates Article 40's usability requirement and Article 39's nagging prohibition. Twitter must remember user's feed choice across sessions. (3) Following feed fully functional - all features (replies, retweets, quote tweets, media) appear equally in both feeds without degradation. (4) Initial presentation is neutral - new users should be shown choice between feeds with balanced explanation: 'For You: Tweets selected based on your interests; Following: Tweets from accounts you follow, newest first.' If the presentation manipulates toward For You through language or visual hierarchy, it violates Article 39 alongside Article 40 usability requirements. Audit verification: test feed persistence, measure feature parity, review onboarding choice presentation.

For LinkedIn (Feed Options for Professional Network): LinkedIn feed shows posts from connections, posts you're likely to engage with, sponsored content. Article 40 implementation: LinkedIn should offer: (1) 'Top' feed (current algorithmic feed using profiling to predict engaging posts). (2) 'Recent' feed showing posts from connections chronologically without algorithmic ranking (non-profiling). Both accessible from feed top selector. User informed at first use: 'Choose feed: Top (Posts selected for you) or Recent (Newest posts from connections).' User choice remembered. LinkedIn must ensure Recent feed isn't degraded - same post detail, commenting ability, media display. Cannot artificially reduce Recent feed quality to drive users to algorithmic Top feed. Additional consideration: Sponsored content (ads) can appear in both feeds - Article 40 applies to content recommendations, not commercial advertising which is separately regulated by Article 26 (ad transparency). LinkedIn's algorithmic ad targeting remains permissible; Article 40 requires non-profiling option for organic content recommendations.

For Reddit (Algorithmic vs. Chronological Sorting): Reddit offers multiple sorting options for feeds: Hot (algorithmic based on upvotes and timing), New (chronological), Top (most upvoted), Rising (gaining traction), Controversial. Article 40 analysis: New, Top, and Rising are non-profiling (sort by objective criteria - timestamp, vote count - not personal user profiling). Hot uses algorithm but primarily based on post characteristics (upvotes, comments, timing), not individual user profiling. If Hot algorithm doesn't incorporate personal user data beyond subreddit subscriptions (explicit user choices), may qualify as non-profiling. If Hot uses personal browsing history, engagement patterns, or demographic profiling to personalize ranking, it's profiling-based and Reddit must ensure alternative sorts (New, Top) meet Article 40 accessibility requirements. Currently, Reddit prominently displays sort options at feed top, meeting accessibility standard. Compliance strength: Reddit's design already facilitates user choice among recommendation algorithms, many of which don't use profiling. This demonstrates Article 40 compliance possible without eliminating personalization - platform can offer personalized options alongside non-profiling alternatives, giving users control.

For Amazon (Product Recommendations - If Designated VLOP): If Amazon's marketplace were designated VLOP (depends on whether marketplace qualifies as 'online platform' under DSA and reaches 45M EU users), Article 40 would apply to product recommendation systems. Amazon extensively uses profiling: analyzing purchase history, browsing behavior, wish lists, demographic data to recommend products. Article 40 compliance would require: Product listing pages offering 'Recommended for You' (profiling-based) alongside 'Best Sellers' (non-profiling popularity-based), 'New Arrivals' (non-profiling chronological), or 'Top Rated' (non-profiling rating-based) with equally accessible switching. Homepage recommendations could offer toggle: 'Show personalized recommendations [based on your shopping] or Show popular products [best sellers in your region]'. Search results ranking based on search term relevance is non-profiling (unless ranking personalized based on user profile, which it often is - Amazon would need non-personalized search ranking option). Challenge: Amazon's competitive advantage relies heavily on personalization. Article 40 doesn't prohibit this but requires offering choice - significant business model impact if users broadly adopt non-profiling options. However, data suggests most users prefer personalization when clearly understood and consented to; Article 40 ensures it's choice, not imposition.

For Streaming Services (Netflix, Spotify - If Designated VLOPs): Major streaming services like Netflix and Spotify extensively use profiling-based recommendations. If designated VLOPs, Article 40 compliance requires: Netflix offering alongside 'Recommended for You' personalized row, non-profiling rows like 'Trending Now' (popular content globally), 'New Releases' (chronological), 'Top 10 in [Country]' (geographic popularity), 'Award Winners' (objective editorial criteria). Homepage could allow user to select default view: 'Personalized Homepage' or 'Browse Categories' (genre-based browsing without personalized ranking). Spotify similarly offering: 'Made for You' playlists (profiling) alongside 'Top Charts' (non-profiling popularity), 'New Releases' (chronological), 'Genres & Moods' (user-selected category browsing). Critical requirement: non-profiling options must be genuinely functional and accessible, not afterthoughts - if user selects non-profiling mode, they can still effectively discover content, just through non-personalized mechanisms. Article 40 shifts streaming services from 'personalization only' to 'personalization by default with alternatives available', respecting user autonomy over information diet.