Corporate: Deceptive digital design – no clever cookie?
Regulators across the globe are increasing their focus on the user experience (“UX”) for websites, in particular deceptive digital design practices (sometimes called “dark patterns”), which are various means to persuade or make users take certain actions.
We have probably all had experience of not being able to carry out an action we wanted to on a website, whether rejecting cookies or cancelling a subscription. Now regulators are combining their approach, to make it easier to put an end to obstructive behaviour online.
The European Union has announced a raft of legislation. Online interfaces that deceive or manipulate users are already banned in the Digital Services Act, and further legislation on deceptive patterns is proposed in the future AI Act and Data Act. The US has also begun to consider this issue in more detail, including the California Privacy Act which defines “dark patterns”.
In the UK, the Digital Regulation Cooperation Forum (made up of the Competition & Markets Authority (“CMA”), the Information Commissioner (“ICO”), the Financial Conduct Authority and Ofcom) has been established to ensure greater cooperation on online regulatory matters.
Earlier this year the ICO and CMA issued a joint paper, “Harmful design in digital markets: How Online Choice Architecture practices can undermine consumer choice and control over personal information”. Online choice architecture (“OCA”) means the techniques, designs and methods by which a website developer influences a user’s decision making. The paper details how certain forms of OCA could breach the relevant laws regulated by both offices.
OCA as deceptive practice
Several different types of deceptive patterns were identified by UX expert Harry Brignull some years ago. The joint paper notes certain OCA practices of concern, but also states that they are not a comprehensive list and are only intended to demonstrate how the ICO/CMA could consider the data protection, consumer and competition implications. The practices listed include “confirmshaming”, “biased framing”, “bundled consent”, “default settings” and “harmful nudges and sludges”. Although there are various classifications of the different practices, the name given tends to illustrate the type of design that is likely to constitute a deceptive practice: for example, “confirmshaming” is where the user is manipulated into a choice by being pressured or shamed.
To expand on “harmful nudges and sludges”, a “nudge” is where an ill-considered or inadvertent decision is made easy, and “sludge” is where unjustified friction stops a user from getting what they want. An example is a user who wants to refuse consent to cookies, but finds that the “reject all” button is less accessible than “allow all” and ends up clicking the latter to make the pop-up go away. An example of a justified sludge would be friction or delays to confirm an important decision, such as transferring money.
The ICO considers that reg 6 of the Privacy and Electronic Communications Regulations 2003 (“PECR”), as amended, is likely to be infringed if a cookie banner that incorporates these practices is used to obtain consent for placing cookies. If there is an “accept all” button, the ICO wants it to be equally easy to “reject all”. The CMA has concerns that use of these nudge/sludge techniques can lead to users disclosing more personal information than they would otherwise want to, which can in turn allow a competitive advantage to larger businesses over smaller ones.
Regulatory action
At the moment, there are no laws which specifically reference deceptive digital practices. However, as detailed by the ICO and CMA, there are a variety of laws which could be breached indirectly. These include:
- Privacy and data protection legislation and guidance, for example GDPR, Data Protection Act 2018, PECR. Data protection by design is supposed to be a fundamental part of compliance, along with the principle of transparency and valid consent (which “bundled consent” practices are likely to breach given the consent is unlikely to be freely given and informed). The ICO has also for years championed specific guidance and appropriate digital design methods for children (see the Children’s Code).
- Consumer protection legislation, for example Consumer Rights Act 2015 (“CRA”), Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (“Cancellation Regulations”), and Consumer Protection from Unfair Trading Regulations 2008 (“CPUT”). The CRA could provide a means to find contract terms unfair or invalid, if deceptive patterns are used to manipulate consumers into the contract. The Cancellation Regulations contain a prohibition against additional payments which appear as a default option. CPUT could be breached if a deceptive practice constitutes an unfair commercial practice or is likely to distort the economic behaviour of the average consumer.
Although in the past it has appeared that the ICO has been more focused on enforcement in relation to security breaches and marketing contraventions, the joint paper indicates an increased focus on deceptive practices and an intention to work with other regulators, going forward.
The CMA has been focusing on harmful online practices; its campaign “Online Rip-Off Tip-Off” aims to allow consumers to spot and avoid misleading online sales tactics.
It is also worth noting that the Digital Markets, Competition and Consumers Bill would give the CMA several new statutory powers, including levying fines of up to 10% of global turnover and conducting trials of certain remedies to determine their final format.
Scan the horizon
Certain OCA practices, despite also being deceptive patterns, will provide benefits to consumers and businesses, such as allowing for improvement to their goods/services.
However, if businesses use OCA or digital design practices which could be considered to fall into the dark pattern/deceptive practice ambit, these should be reviewed to make sure that they comply with current law. In particular, marketing and website teams should take care at the outset of any project which could be considered to be a deceptive pattern, particularly in light of the forthcoming increased statutory powers of the CMA and its intention to enforce matters in this area.