Author

Victoria Hordern

Partner


21 August 2023

Why Online Choice Architecture is a data protection priority

Recent global studies indicate that the average individual spends about 6 hours online. While there are a whole host of reasons why individuals are online, one of the most prominent is to research and purchase products and services. Just as consumers benefit from protections and safeguards in the offline world, so they should in the digital world. But, in the digital world, the opportunities to craft an environment for the consumer, and the related ability to collect data about the consumer's interactions, are multiplied. As websites and apps have become more sophisticated in their dealings with consumers, regulators have stepped up their scrutiny.

In particular, the recent joint position paper from the Information Commissioner's Office (ICO) and the Competition and Markets Authority (CMA) sets out their concerns about 'Harmful design in digital markets' and 'How Online Choice Architecture practices can undermine consumer choice and control over personal information'. For some time, regulators and courts have identified the overlap between data protection, consumer protection and competition law when it comes to digital activity. UK regulators are alive to the need for cooperation in the digital environment, which is why, in 2020, several regulators came together to set up the Digital Regulation Cooperation Forum (DRCF). The recent paper on Online Choice Architecture (OCA) from the ICO and CMA (under the DRCF brand) is one example of how the regulators are applying their combined mandates to a similar concern and consequently setting out their joint approach.

OCA is defined as the way that companies present information and choices to users of websites and other online services. It can include the way prices are displayed on a website, the personal recommendations presented to consumers and the options available to consumers. OCA practices can also be used to exploit the behavioural biases of consumers and lead them to make riskier decisions. OCA has an impact on individuals' privacy rights, on how businesses compete and on how consumers are treated. For the ICO, the concern is principally where design practices steer individuals to decisions that do not reflect their privacy preferences and make it harder for them to choose more privacy-friendly options.

The focus in the paper is on design. Where an online interface is designed to undermine consumers' choice and control over their personal data, it is more likely that data protection and consumer law obligations will not be met and that harm to individuals will result. The paper gives examples of design practices that are potentially harmful, including harmful nudges and sludge, confirm shaming, biased framing, bundled consent and default settings. All of these can influence consumers in the choices they make online, including how they share their personal data.

A quick guide to the OCA practices that the paper addresses:

  • Harmful nudges or dark nudges
    When a company makes it easy for users to make inadvertent or ill-considered decisions.
  • Sludge
    Where a company encourages a nudged decision by creating excessive or unjustified friction to do the opposite, e.g. making one choice much more cumbersome than another.
  • Confirm shaming
    Where a company pressurises or shames someone into doing something by making them feel guilty or embarrassed for not doing it, for instance by using language which suggests there is a 'good' and a 'bad' choice.
  • Biased framing
    'Positive framing' is where a company presents choices in a way that emphasises the supposed benefits or positive outcomes of a particular option in order to make it more appealing. On the other side, 'negative framing' is where a company emphasises the risks or negative consequences to discourage users.
  • Bundled consent
    Bundled consent is a familiar concept under the GDPR and refers to asking a consumer to consent to the use of their personal data for multiple separate purposes via a single consent option. Bundled consent makes it harder for a consumer to exercise granular control over the processing of their personal data. The offer of an 'accept all' button increases pressure on the consumer, especially where the tools to specify separate consents are complex and hard to navigate.
  • Default settings
    Companies can apply a predefined choice in the default settings that the consumer must take active steps to change. Default settings can reduce consumer friction but can also be used to reduce the ability of consumers to make effective choices. A website can make it hard for consumers to exercise their choice to change default settings by using 'sludge' techniques. Default settings can take advantage of consumers who are in a hurry or less focussed on examining the set-up of the website and the implications of the defaults for their privacy.

Where these OCA practices are followed, they can lead to harm to consumers since consumers may make choices they wouldn't otherwise have made and which do not align with their best interests. These practices can lead consumers to agree to the use of their personal data in ways that they would not otherwise agree to.

Some of these design harms have a read across to specific areas of privacy compliance such as cookie notices and cookie settings. So while it's pretty well established that websites need to provide up front and simple ways for users to indicate they reject all non-essential cookies, many websites still don't adhere to this requirement. The lack of enforcement by the ICO concerning cookies could be said to be one reason for the widespread lack of compliance. Could this be about to change? The ICO's press release issued on 9 August to accompany the DRCF paper indicates that the ICO will be assessing cookie banners of the most frequently used websites in the UK and taking action where harmful design is affecting consumers. In the past, the ICO has participated in cookie sweeps and written to companies that are non-compliant but no fines or other enforcement notices have been issued.
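The bundled consent and default settings practices listed above, together with the requirement that users be given an up-front, simple way to reject all non-essential cookies, translate directly into how a consent banner's state and first screen are built. The following JavaScript is an added example written for this page; it is not code from the article or from the ICO/CMA paper. The purpose names (`essential`, `analytics`, `marketing`), the `ConsentState` class, the `auditBanner` function and the banner description format are all assumptions made for illustration. The consent record defaults every non-essential purpose to off, records consent one purpose at a time, and gives 'accept all' and 'reject all' the same single-step cost; the audit function then checks a constructed weak banner and its corrected form for sludge, pre-ticked defaults, bundled controls and unequal button prominence.

```javascript
// Added example, not from the article or the ICO/CMA paper. Purpose names,
// the banner description format and all function names are assumptions.

const PURPOSES = Object.freeze({
  essential: { required: true, label: 'Strictly necessary' },
  analytics: { required: false, label: 'Analytics' },
  marketing: { required: false, label: 'Marketing' },
});

// Per-purpose consent record. Non-essential purposes default to off and
// nothing counts as a decision until the user acts (no implied consent).
class ConsentState {
  constructor(purposes = PURPOSES) {
    this.purposes = purposes;
    this.choices = {};
    for (const [name, meta] of Object.entries(purposes)) {
      this.choices[name] = meta.required;
    }
    this.decided = false;
  }

  // Granular control: one purpose per call, never a bundle.
  set(purpose, allowed) {
    const meta = this.purposes[purpose];
    if (!meta) throw new Error(`unknown purpose: ${purpose}`);
    if (meta.required && !allowed) {
      throw new Error(`${purpose} is strictly necessary and cannot be switched off`);
    }
    this.choices[purpose] = Boolean(allowed);
    this.decided = true;
    return this;
  }

  // 'Accept all' and 'Reject all' cost the user exactly one action each.
  acceptAll() {
    for (const name of Object.keys(this.purposes)) this.choices[name] = true;
    this.decided = true;
    return this;
  }

  rejectAll() {
    for (const [name, meta] of Object.entries(this.purposes)) {
      this.choices[name] = meta.required;
    }
    this.decided = true;
    return this;
  }

  allows(purpose) {
    return this.choices[purpose] === true;
  }

  // Purposes a site may currently load scripts for: before any decision,
  // only the strictly necessary ones.
  permitted() {
    return Object.keys(this.purposes).filter((p) => this.allows(p));
  }
}

// Check a description of a banner's first screen against the practices named
// in the paper: sludge, default settings, bundled consent, biased framing.
function auditBanner(banner) {
  const findings = [];
  const button = (id) => banner.buttons.find((b) => b.id === id);

  if (!button('rejectAll')) {
    findings.push('sludge: no single-step way to reject all non-essential cookies');
  } else if (button('acceptAll') && button('acceptAll').prominence !== button('rejectAll').prominence) {
    findings.push('biased framing: accept and reject buttons presented with unequal prominence');
  }
  const preTicked = banner.preTicked.filter((p) => PURPOSES[p] && !PURPOSES[p].required);
  if (preTicked.length > 0) {
    findings.push(`default settings: non-essential purposes pre-ticked (${preTicked.join(', ')})`);
  }
  if (banner.controls.some((c) => c.purposes.length > 1)) {
    findings.push('bundled consent: a single control covers several purposes');
  }
  return findings;
}

// Constructed banner descriptions: a weak design and its corrected form.
const WEAK_BANNER = {
  buttons: [{ id: 'acceptAll', prominence: 'primary' }, { id: 'manage', prominence: 'link' }],
  preTicked: ['analytics', 'marketing'],
  controls: [{ purposes: ['analytics', 'marketing'] }],
};

const CORRECTED_BANNER = {
  buttons: [{ id: 'acceptAll', prominence: 'primary' }, { id: 'rejectAll', prominence: 'primary' }],
  preTicked: [],
  controls: [{ purposes: ['analytics'] }, { purposes: ['marketing'] }],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditBanner(WEAK_BANNER));       // three findings
  console.log(auditBanner(CORRECTED_BANNER));  // []
  console.log(new ConsentState().rejectAll().permitted()); // ['essential']
}
```

The audit deliberately treats a missing 'reject all' button as the first and most serious finding: a 'manage' link that leads to a second screen is the sludge pattern the paper describes, because rejecting then costs more steps than accepting. The consent record is kept separate from the banner markup so that the same state can be checked server-side before any non-essential script or tag is served.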

Throughout the paper, the ICO links the requirement for good OCA practices to the fairness and transparency requirements under the UK GDPR. There are obvious reasons why poor design practices are unfair to consumers, can confuse consumers about what choices they are making (and so are not transparent) and can lead consumers to lose control of their personal data. Likewise, from a data protection perspective, designing systems with data protection compliance at the centre is now required under the UK GDPR (Article 25), so any OCA that fails to do this is likely in breach of GDPR requirements.

The paper underlines that both the ICO and CMA are keen to support firms in adopting and maintaining good OCA practices. As part of this, firms should consider certain questions to help inform their OCA design. These are:

  • Put the user at the heart of design choices
    Are firms building their interfaces around the user's interests and preferences?
  • Use design that empowers user choice and control
    Are firms helping users to make effective and informed choices about their personal information, and putting them in control of how it is collected and used? Is the information clear and not misleading?
  • Test and trial design choices
    Do firms use testing and trialling to ensure OCA design is evidence-based?
  • Comply with data protection, consumer and competition law
    Have firms considered the data protection, consumer protection and competition law implications of the OCA practices they are employing?

The ICO and CMA invite stakeholders to contact them if they are interested in participating in further engagement on the paper. There are plans for a joint ICO-CMA workshop in the autumn to discuss good OCA practices. If you are interested, you should contact digitalregulationcooperation@ico.org.uk.

What are the implications?

Companies should review their websites and online services to consider whether any aspect of their OCA could fall foul of the principles set out in the paper. Additionally, when engaging website designers, companies should ensure that the designers build websites with these requirements in mind to avoid having to remediate in the future. In particular, interactive websites and online services that engage with more vulnerable groups – children and those with health conditions or addictions, for instance – or those websites with a wide UK reach should expect to be under closer scrutiny from regulators.
