Earlier this month, the Information Commissioner's Office, alongside the Competitions and Markets Authority, jointly issued a call for an end to website design and practices which "undermine people’s control over their personal information and lead to worse consumer and competition outcomes."
Their recent joint position paper, 'Harmful Design in Digital Markets', discusses how businesses should avoid damaging website design that causes users to provide more personal data than they would ordinarily expect to and makes it harder for users to make informed decisions.
This paper should act as a warning to companies to ensure that their website design is in compliance with data protection, consumer and competition law and guidance. It is clear that the regulators consider that greater responsibility is now owed to users by parties responsible for designing websites – be that the website designers themselves or companies commissioning developers to design such sites on their behalf.
A example cited by the regulators is in relation to consent banners for cookies on website. For some, being presented with adverts for products you browsed three weeks ago may be irritating, but the regulators cite the example of where this could present a more serious concern for a vulnerable user recovering from an addiction who may be presented with adverts for the subject of that addiction despite their best efforts.
Examples of harmful design practices
The paper sets out various specific examples of harmful online architecture where the ICO/CMA consider that their "collective consideration can provide greater regulatory clarity for firms and help to prevent harm for consumer in digital markets."
Various regulations across the world (e.g. in the UK - the UK GDPR, the Privacy and Electronic Communications Regulations) require website owners to inform their users of what data is being collected by tracking cookies, how that data is being processed and provide the right to easily opt-out. In the UK and EU, users must give their prior consent before tracking cookies can be applied.
However, the position paper highlights the use of 'harmful nudges' or 'sludge' in website design, which prompt users to choose options which are inadvertent or ill-considered. These design choices are particularly prevalent in cookie banners.
One highlighted example (which many users can relate to) is the use of "a cookie pop-up [which] may include an option to consent to non-essential cookies with a single click (such as “Allow all”) but not include an equivalent option to refuse consent to non-essential cookies with the same ease."
Both Article 5(1)(a) UK GDPR and Regulation 6 of PECR may be infringed by the use of harmful nudges or sludge, yet such design features seem to be a regular presence on many websites. Best practice would involve providing access to a refusal option which can be selected with the same ease as the acceptance option, and with equal prominence. The ICO has stated it will be assessing the cookie banners of the most frequently used websites in the UK, and action will be taken where necessary.
Other harmful practices identified include 'confirmshaming' which involves the use of suggestive language to direct users to the 'good' or morally acceptable decision (as determined by the website developer/owner). This often involves the use of incentives to obtain user information. Although incentivisation to obtain personal data is not in itself prohibited, the use of phrasing which induces guilt or embarrassment in relation to refusing the incentives is, and would lead to an infringement of the UK GDPR (in particular a lack of fairness, and related consents not having been freely given), and possible enforcement action by the ICO.
'Biased framing' is also discussed, which involves the use of techniques to present choices in a positive or negative light. For example, encouraging users to share their search history to generate a 'tailored' or 'specialised' user experience is positive framing of a decision while neglecting any negative outcomes. This prevents the making of an informed choice when in possession of relevant information. The lack of informed choice infringes both Article 5(1)(a) (lawfulness) and Article 7 of the UK GDPR in terms of associated consents not being valid.
Finally, the use of 'bundled consent' is highlighted, where consents for multiple purposes are compressed into a single option, leaving users with little granular control over where their permissions are given. Companies offering multiple services will often use a single sign-up process to seek consent for multiple processing options, irrespective of whether those options are relevant to the sign-up process. Specific consent for separate processing activities is required by the UK GDPR, and bundled consent is not permitted unless certain exceptions apply (e.g. unless this would be unduly disruptive or confusing or if activities are clearly interdependent). Again, these failures on the part of website owners are likely to increase the risk of infringing 'lawfulness' requirements of Article 5(1)(a) (lawfulness) and PECR Regulation 6, (which requires a user to be provided with clear and comprehensive information and the opportunity to refuse the storage of or access to their information).
The paper encourages firms to consider four questions to inform their online architecture, which will achieve pro-privacy and pro-competition outcomes in digital markets:
- Put the user at the heart of design choices;
- Use design that empowers user choice and control;
- Test and trial design choices; and
- Comply with data protection, consumer and competition law.
The ICO and CMA encourage stakeholders to act on the paper which is based on, and does not supersede, existing guidance.
The regulators make it clear that a failure to respond to these expectations will increase the risk of appropriate regulatory actions from their perspective. The regulators also emphasise that they are willing to work with firms to consider these issues further and how they can be applied in practice, and have invited participation in a workshop with the regulators, scheduled for the autumn of 2023.
Overall the paper provides an interesting insight into the collaboration between the two regulators in combining their respective work in protecting people's data and preventing anti-competitive behaviour, and the resulting combined guidance.
A copy of the ICO and CMA position paper can be found here, and the corresponding blog by Stephen Almond, the ICO’s Executive Director for Regulatory Risk and Will Hayter, the CMA’s Senior Director in the Digital Markets Unit.