On 9 August 2023, the Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) published a joint position paper on Harmful Design in Digital Markets (Harmful Designs Paper) that urges businesses to stop using harmful website designs that exploit customers by encouraging them to provide more personal data than necessary. The regulators are calling for businesses to embrace fair and transparent practices, providing users with increased control over their data, and warning that failure to comply could lead to formal enforcement actions.

The Concerning Landscape: Tricky Design Practices

The position paper centres on the way information regarding choice and consent is presented to customers, known as “Online Choice Architecture” (OCA). The ICO and CMA have raised red flags about website design practices that compromise user privacy and manipulate users' choices. Some examples of harmful designs include:

  1. Harmful Nudges and Sludge: Subtle manipulations that steer users away from privacy-friendly choices. For example, prioritizing one option to be significantly quicker than a time-consuming alternative. The ICO emphasizes that this may infringe upon the “fairness” and “transparency” principles of the GDPR, potentially rendering the collected consent legally non-compliant.
  2. Confirmshaming: Design elements that pressure users into specific choices, such as requesting customer details and consent for marketing in exchange for a discount. The ICO notes that consent obtained through this method might not be considered truly “freely given”. A specific example of this, as recently highlighted by an ICO representative, is failing to include a “reject all” button on cookie consent banners (see here for our blog on this).
  3. Biased Framing: Presenting choices in a manner that steers users toward certain outcomes, heavily favoring one option while downplaying risks. This approach prevents users from making informed decisions.
  4. Bundled Consent: Forcing users to accept multiple services simultaneously, such as cookies, marketing, and account settings, with the provision that individual consents can be adjusted later in account settings.
  5. Default Settings: Designing interfaces that prioritize certain choices as default, influencing user decisions and making it unclear how to choose different options.

Meeting Regulators' Expectations

In the Harmful Designs Paper, the ICO and CMA suggest that the primary focus for website design is a user-centred approach that empowers individuals to make well-informed choices and feel in control. Before launching any website, companies are advised to rigorously test and refine their designs and to adhere to the fundamental principles of data protection, consumer rights, and fair competition.

Looking Ahead: Education and Enforcement

As part of their mission, the CMA will expand its Rip Off Tip Off campaign that encourages consumers to report deceitful online sales tactics. This educational initiative aims to raise awareness among users and encourage them to report misleading practices. Simultaneously, the ICO will continue to enforce data protection rights, particularly for vulnerable individuals at risk of harm. With the CMA and ICO focussed on website design and fairness to consumers, it is likely that there will be increased enforcement. The ICO and CMA expect that the position paper will drive businesses to re-evaluate their website practices to make sure they are compliant with the current laws.

If companies are unsure about whether their website contains harmful designs that don’t respect the fundamental principles of data protection, consumer rights or fair competition, it’s time to think about carrying out an assessment of website design and its operation.