What is harmful online design and what’s happening in this space?
We have written a few articles about the Competition and Markets Authority's Online Choice Architecture (“OCA”) work. OCA consists of tools and techniques used in the online environment to “nudge” consumers into making certain decisions. These can be legitimate tools, but they can also exploit or manipulate consumers into making decisions or purchases they did not really want to make.
The CMA has been carrying out a programme of work in this area for some time, and is currently investigating Emma Sleep and Wowcher for their use of OCA.
However, OCA issues cross a number of different regulatory strands and are not just limited to consumer protection issues. For example, OCA issues have been a focus in relation to online safety more broadly (see the EU’s Digital Services Act which bans “Dark Patterns”, a similar concept to OCA). The issues have also long been of interest in the data protection sphere, and most notably crop up in the ICO’s Children’s Code.
It is interesting to see that regulators in different areas now seem to be coming together to tackle the issues in a joined-up manner.
What are the ICO and CMA doing?
The ICO and CMA have issued a joint paper which provides an overview of how online design choices can lead to data protection and consumer and competition harms, and the relevant laws regulated by the ICO and CMA that could be infringed by these practices. It also contains practical examples of design practices that are potentially harmful when they are used to present choices about personal data processing. These practices are “harmful nudges and sludge”, “confirmshaming”, “biased framing”, “bundled consent” and “default settings”.
The ICO and CMA say that some of the main design practices which could breach data protection laws include:
- Making it difficult for consumers to refuse personalised advertising by not giving an equal choice to ‘accept all’ or ‘reject all’ cookies;
- Overly complicated privacy controls which confuse consumers or cause them to disengage;
- The use of leading language to influence consumers to hand over personal information;
- Pressuring consumers into signing up for discounts in exchange for personal information; and
- Bundling choices together in a way which encourages consumers to share more data than they would otherwise wish to.
The report states that if consumers lack effective control over how their data is collected and used, this can harm consumers and also weaken competition. These techniques encourage consumers to make decisions over their personal data as soon as they visit a website – from providing their contact information in exchange for discounts, right through to giving up their control over what advertising is targeted at them by accepting cookies.
Lack of consumer control over cookies is a common example of harmful design. The ICO will be assessing cookie banners of the most frequently used websites in the UK, and taking action where it believes that harmful design is affecting consumers.
ICO research shows that 90% of people are concerned about their personal information being used without their permission, with 50% not being happy about their personal information being used to suggest adverts to them.
The ICO and CMA want businesses to:
- Put the user at the heart of their design choices: Are firms building their online interfaces around the user’s interests and preferences?
- Use design that empowers user choice and control: Are firms helping users to make effective and informed choices about their personal data, and putting them in control of how their data is collected and used?
- Test and trial design choices: Has testing and trialling been carried out to ensure their design choices are evidence-based?
- Comply with data protection, consumer and competition law: Do firms consider the data protection, consumer protection and competition law implications of the design practices they are employing?
The ICO and CMA expect businesses to make improvements to their design practices in digital markets. If they do not, the ICO may take regulatory action.
The report also refers to the Digital Markets, Competition and Consumers Bill, which sets out changes to how consumer law may be enforced and to certain aspects of substantive consumer law, including proposals about unfair commercial practices which would replace the Consumer Protection from Unfair Trading Regulations. It also makes certain procedural changes to the CMA’s existing competition powers. In addition, it allows the Digital Markets Unit within the CMA to designate firms which meet statutory criteria as having “Strategic Market Status” in respect of a particular digital activity.
“Some of these design practices are so subtle and have gone on for so long, you wouldn’t even realise you’re handing over your personal information until it’s too late – and it’s possible these techniques are embedded into thousands of websites across the UK.” - Stephen Almond, Executive Director of Regulatory Risk at the ICO