Deceptive Dark Patterns (“DDPs”) are design choices which, according to the Organisation for Economic Co-operation and Development’s (“OECD”) definition, are commonly found in online user interfaces and “lead consumers to make choices that may not be in their best interests…by exploiting consumer biases”. Examples you may be familiar with include deceptive cookie consent banners (think of the CNIL and its fines for Google and Meta back in 2022), TikTok’s fine for age verification processes that combined age and consent for personalised ads, leading to confusion, and the Norwegian Consumer Council’s action highlighting the difficulty of cancelling an Amazon Prime subscription. Other examples are countdown timers to receive an offer, registration seemingly being required to qualify for a discount or, in more serious cases, imagery used to encourage consumers to swipe their screen (e.g. a graphic of a hair on the screen, prompting a swipe that adds a product to a basket or even concludes a purchase before review!).
DDPs have been experiencing an increasing legislative crackdown globally, from the UK’s Digital Markets, Competition and Consumers Act 2024 to the EU’s Digital Services Act, which prohibits providers of online platforms from deploying dark patterns. DDPs have also been attracting regulatory and governmental attention over the last few years: the UK’s Age Appropriate Design Code, widely known as the Children’s Code; the UK’s Information Commissioner’s Office (“ICO”) and Competition and Markets Authority (“CMA”) calling for businesses to stop using harmful website designs and working together to “stop harmful design practices”; the European Data Protection Board (“EDPB”) adopting guidelines on dark patterns in February 2023; the OECD publishing a working paper on “dark commercial patterns” in October 2022; and the USA’s Federal Trade Commission report, Bringing Dark Patterns to Light, in September 2022 - to name but a few!
GPEN’s Sweep
The latest findings have been published by the Global Privacy Enforcement Network (“GPEN”), setting out the results of a study it conducted into the use of deceptive design patterns on websites and apps that users visit on a daily basis. The GPEN is a membership organisation made up of privacy regulators, united by the aim of strengthening privacy protections globally. The GPEN conducted a sweep (the “Sweep”) over a 5-day period with the purpose of identifying DDPs in websites and apps, engaging 26 privacy enforcement authorities (“PEAs”) to participate, including the UK’s ICO, the Privacy Commissioner of Canada (“OPC”) and the California Privacy Protection Agency. In total, 1,010 websites and apps were examined. The OPC was appointed Sweep co-ordinator, responsible for co-ordinating the Sweep and ensuring fair standards were applied by all participating regulators. The OPC was also responsible for setting the 5 categories of DDPs that may be present, as identified below.
| # | Indicator | Explanation of indicator |
|---|---|---|
| 1 | Complex and Confusing Language | The readability of privacy policies is low, because the policy is highly technical or confusing. |
| 2 | Interface Interference | Design and presentation elements which alter a user’s perception and understanding of their privacy options. |
| 3 | Nagging | Users are prompted to take a specific action in favour of the organisation’s purposes, which might contravene the user’s privacy interests. |
| 4 | Obstruction | Actions which need to be completed in order to delete accounts. |
| 5 | Forced Action | Actions which force or trick users into thinking it is necessary to provide personal information in order to access a service. |
As this Sweep involved both privacy and consumer issues, it was carried out in co-ordination with the International Consumer Protection and Enforcement Network (“ICPEN”). With 26 PEAs and 27 ICPEN authorities participating, this year’s Sweep represents the most extensive example of cross-regulatory co-operation between privacy and consumer protection authorities to date. This expanding co-operation between GPEN and ICPEN reflects the increasing intersection of the two regulatory spheres in the digital economy.
Findings of the Sweep
In 97% of the platforms reviewed, at least one DDP was found that impacted privacy-protective decisions or had a bearing on the privacy-related information the platform could obtain from the user. Additionally, 65% of privacy policies lacked menus for ease of user navigation. In conclusion, the results of the Sweep suggest that users were encouraged by various DDPs to make decisions which were in the best interests of the platform rather than their own. In the words of GPEN, it appears that there is an “extremely high level of deceptive design patterns across websites and apps worldwide”.
Global regulators’ local reports
In addition to the GPEN report, other regulators have issued their own reports in connection with the Sweep. For example, the OPC published its own sweep report on DDPs, separate from the GPEN report. This report examined 145 websites and apps accessible in Canada, as well as 67 websites and apps targeted specifically at children. Complex and confusing language was the most common DDP found in the websites, and overall, in 96% of cases, privacy policies were excessive in length.
The Office of the Privacy Commissioner for Personal Data in Hong Kong and the Baden-Württemberg data protection authority also issued statements and reports on their localised findings from the Sweep. Both echo the GPEN report in that complex and confusing language and issues with design and presentation were present in a large number of cases.
Key takeaways
The privacy enforcement authorities who participated in the Sweep were located across five continents, demonstrating that DDPs are a global issue which users are likely to encounter in their internet browsing.
The GPEN overwhelmingly found that users were often tricked into believing it was “necessary to provide their personal information to access services when it is not necessary”. This shows that the threat posed to users is high, which goes some way to explaining the regulatory focus in this area.
The participation of privacy enforcement authorities shows that the presence and use of DDPs is clearly a concern for regulators around the world, and the findings highlight several areas of non-compliance where improvements are needed. It will be interesting to see what, if any, action the various regulators involved take now that they have this information. Given the high incidence of complex and confusing language in privacy policies and of issues with the design and presentation of elements, it seems likely this is where the focus will be.
For those businesses looking to stay on the right side of the regulators and comply with their obligations, this report makes interesting reading and could form the basis for an audit to identify, rectify and mitigate any such risks before a regulator comes knocking on the door! With the highest incidence of non-compliance occurring in the complex and confusing language used in privacy policies and in the issues around design and presentation, it would be prudent to review your privacy policies and ensure data protection by design and default is truly embedded in your policies and processes.
If you have any questions about DDPs and how they can be addressed, or would like to review your privacy policy and/or processes, please get in touch with your usual Lewis Silkin contact who would be happy to help.
“The Sweep shows several areas in which organizations could improve the design of their platforms to enable users to better understand and control the use and disclosure of their personal data.”