ICO and CMA clamp down on dark patterns in the UK
Published on 4th Sep 2023
Regulators publish joint paper on harmful online design practices
The UK Competition and Markets Authority (CMA) and Information Commissioner's Office (ICO) have joined forces to provide clarity to publishers of websites and other online services (such as apps), as well as product and user experience (UX) designers, on how online design practices (referred to as "online choice architecture" (OCA)) can influence consumers' decisions about the way their personal information is used, in turn affecting consumer experiences online and competition outcomes.
Where OCA is found to undermine consumers' choice and control over their personal information, this is more likely to infringe data protection or consumer law and, potentially, competition regulation, resulting in enforcement action by either the ICO or the CMA (or both).
Potentially harmful OCA practices
The ICO and CMA have set out a list of selected OCA practices where they feel their collective consideration can provide greater regulatory clarity for firms and help to prevent harm for consumers in digital markets.
The specific OCA practices referred to in the joint paper are known as “harmful nudges and sludge”, “confirmshaming”, “biased framing”, “bundled consent” and “default settings”. Whether the use of any of these practices results in an infringement of data protection, consumer or competition laws involves an assessment of the practice in question and all of the relevant facts.
Key examples of such practices, highlighted in the report as potentially harmful, include:
The regulators' view is that such design amounts to a "harmful nudge and sludge" practice, which may infringe fairness and transparency obligations under data protection law, and is likely to infringe the requirement to obtain consent to the use of (most) cookies.
'Biased framing' of the benefits of sharing personal data
The regulators are concerned about the use of "leading language" to emphasise the benefits of sharing personal data (for instance, encouraging consumers to opt-in to sharing to receive "a more relevant and personalised experience") while minimising or ignoring any potential negative impacts and risks.
The ICO says that not giving equal weight to the risks and benefits of a decision about the processing of personal information may again infringe data protection law's fairness and transparency obligations; the CMA highlights that where biased framing is misleading, it may breach consumer protection law.
Intrusive default settings
The regulators consider default settings – where firms apply a predefined choice that a user must take active steps to change – to be one of the strongest practices that influence user behaviour. Their view is that so-called intrusive default settings – such as where, by default, a user's posts on a social network can be viewed by everyone – may not comply with the "data protection by design and default" requirements under Article 25 of the UK General Data Protection Regulation (GDPR).
According to the CMA, default options can also restrict users' ability to shop around or explore alternative products and services, which may benefit incumbent businesses that acquire the least active customers or the most useful data first.
The report highlights that "bundled consent" (where a user is asked to consent to the use of their personal information for multiple separate purposes via a single consent option) makes it more difficult for users to understand exactly what they are agreeing to, and to exercise granular control over what they do and do not wish their personal information to be used for.
Bundled consent is unlikely to meet the requirements for "specific" and "fully informed" consent under the UK GDPR. It can also result in poor consumer outcomes by limiting users' freedom of choice, and competition concerns where certain businesses use such practices to bundle consent for data sharing across all their first-party services, leading to the collection of more personal information.
Use of language which pressures or shames a user into sharing personal data
The regulators share concerns that "confirmshaming" – a practice of pressuring or shaming a user into making a choice by making them feel guilty or embarrassed by the alternative – can ultimately adversely affect users' choices.
The ICO's view is that the use of confirmshaming to obtain consent to the processing of consumers' personal data is "almost always" likely to amount to an infringement of data protection law (on the basis that consent is not "freely given").
OCA's impact on competition
As illustrated by these examples, the use of OCA has the potential to affect competition in certain markets where firms rely on access to personal information to provide their products and services.
The joint position paper indicates that the CMA has concerns around potentially negative impacts on competition and a willingness to intervene where it identifies harmful practices online.
Effective competition takes place when consumers receive greater choice and companies compete on a level playing field, with equal access to the market and equal rights. The CMA considers that the use of practices designed to encourage consumers to impart more personal information than they may want raises competition concerns where it enables firms to entrench strong market positions, including by:
- making it more difficult for consumers to switch providers to get a cheaper or better quality product or service, as firms leverage this personal data to create lock-ins;
- inhibiting the entry and expansion of smaller challengers in the market who do not have access to the same level of personal data held by the more dominant firms; and
- extensively processing consumers' behaviour, preferences, and attitudes, potentially leading to unwarranted intrusion, such as unwanted targeted advertising or profiling.
These are issues the Financial Conduct Authority has examined in its work on Big Tech and competition in financial services markets (see our Insight).
Following the joint paper, the ICO and the CMA are inviting stakeholders to get in touch and plan to hold a workshop in the autumn.
Osborne Clarke comment
The ICO and CMA clearly expect to see improvements to firms’ choice of design practices in digital markets.
The ICO has confirmed that if it does not see improvements in the use of what it deems to be harmful OCA undermining consumers' control over their personal information, it will be taking enforcement action. In particular, the ICO has said that it will be assessing the cookie-banners of the most frequently used websites in the UK and taking action where harmful OCA is affecting consumers.
From the perspective of the CMA, this paper arrives just as it is coming to the end of its first wave of enforcement in relation to OCA. We anticipate that the new issues raised in this paper, and the accompanying industry workshop, are likely to inform the next wave of clampdowns on harmful OCA. While the CMA has already made OCA a priority area for its consumer protection work, the paper suggests it will also be keeping a close eye from a competition perspective.
The increased enforcement risk should be considered in light of the CMA's enhanced enforcement powers under the Digital Markets, Competition and Consumers Bill, including powers to levy civil fines of up to 10% of global turnover. The CMA's view is that it will also be able to use its increased enforcement powers to require companies to undertake tests on their user interfaces to prove that they are not using dark patterns.
Businesses should therefore be alive to the increased enforcement risk and seek to review their compliance in this area.
Julia Smith and Millie Bird, Trainee Solicitors at Osborne Clarke, contributed to this Insight