Canadian privacy regulators double down on deceptive design patterns

Regulators urge businesses to curb manipulative online privacy practices

Last year, the Office of the Privacy Commissioner of Canada (the “OPC”), Canada’s federal privacy regulator, joined 25 other global privacy enforcement authorities to conduct a sweep of websites and mobile apps for the use of deceptive design patterns. The OPC then published a report summarizing its findings from the sweep (the “Report”).

Canadian privacy regulators emphasized that organizations’ use of deceptive design patterns is on their radar by subsequently issuing a joint resolution on identifying and mitigating harms from privacy-related deceptive design patterns (the “Resolution”). The Resolution calls on public and private sector organizations to avoid the use of deceptive design patterns and to ensure that website and app users can make informed privacy decisions.

Kristen Pennington and Lyndsay Wasser, Partners in McMillan’s Privacy & Data Protection Group, discuss key findings from the Report and steps organizations can take to prevent the use of deceptive design patterns on their digital properties.

Q: What are deceptive design patterns?

Deceptive design patterns are patterns used online that allegedly influence, manipulate or coerce website and app users into making privacy-related decisions that are not in their best interests.

According to the OPC, these patterns can prevent users from making informed decisions about the collection, use, and disclosure of their personal information, and cause them to give up more of their privacy than they would otherwise like to.

Q: What are some examples of deceptive design patterns?

The Report and Resolution identify five types of deceptive design observed during regulators’ sweep of websites and apps:

  1. Interface interference refers to the use of design elements that distract, confuse or otherwise adversely influence users’ perception and understanding of their privacy options. The Report identifies the following three examples of interface interference:
  • A “false hierarchy” emphasizes certain visual elements and obscures others, such as by using larger, more colourful or bolder font, to channel users towards less privacy-protective options;
  • “Preselection” occurs where the most privacy-intrusive option is preselected by default, with the hope that many users will simply click to accept the preselected choice for ease; and
  • Finally, “confirm-shaming” refers to the use of emotionally charged language to push users towards privacy-related options favoured by the organization.
  2. Nagging occurs when a website or app repeatedly prompts users to take privacy-related actions they may not normally take, such as signing up for an account or otherwise permitting the collection of more of their personal information than they would want to provide.
  3. Obstruction refers to the insertion of unnecessary, additional steps between users and their privacy-related goals, potentially frustrating them so they do not make their intended privacy choices. This is also sometimes referred to as “click fatigue”, where an individual has to click an unreasonable number of times to achieve a goal, such as cancelling their account or unsubscribing from a mailing list.
  4. Forced action design elements require or trick users into disclosing more personal information than is necessary to provide the website’s or app’s service, such as only offering an “accept all” option on a cookie banner, instead of also providing an option to reject non-essential cookies.
  5. Complex, confusing or inaccessible language is interpreted by the OPC to include the posting of “highly technical” and/or “excessively long” privacy policies or terms of use on websites and apps, which are difficult for users to understand. More specifically, the OPC has suggested that it considers a privacy policy to be “excessive in length” if it is longer than 3,000 words, and “unduly complex” if it is drafted above a grade 12 reading level.

Q: What were the results of the OPC’s sweep for deceptive design patterns?

The Report suggests that the use of deceptive design patterns is widespread. Notably, of the 145 websites and apps reviewed during the sweep, a whopping 99% apparently contained at least one indicator of deceptive design.

The Report indicates that posting an overly technical or excessively long privacy policy or terms of use was the most common type of deceptive design pattern observed during the sweep, occurring on 96% of the digital properties reviewed by the OPC.

The Report is particularly critical of organizations’ use of deceptive design patterns on websites and apps that appear to be aimed towards children. False hierarchies and confirm-shaming with respect to account creation and deletion, as well as nagging, were observed on a number of children’s websites and apps. Given that the OPC has identified championing children’s privacy rights as a strategic priority for the coming years, organizations with digital properties aimed at children may be particularly vulnerable to enforcement activity related to the use of deceptive design patterns.

Q: What risks do businesses face if they use deceptive design patterns on their websites or apps?

Unlike a number of other jurisdictions, Canadian private sector privacy legislation relies on valid consent as the primary legal basis to collect, use and disclose personal information in the course of commercial activities.

Canadian privacy laws expressly provide that consent will not be valid if it is obtained through deceptive or misleading practices. The use of deceptive design practices will therefore invalidate any consent that is obtained using a deceptive mechanism, meaning a business may no longer have a valid legal basis to process personal information collected on its website or app.

Using deceptive design patterns can also damage organizations’ relationships with customers, or prospective customers, by leading to user frustration and a lack of trust. This can have negative, long-term impacts on an organization’s brand and reputation.

Finally, deceptive design patterns may also form the basis of complaints to and/or investigations by privacy regulators, and even individual or class action litigation. Organizations should not ignore correspondence from a regulator or a complaint from an individual alleging that their website or app uses deceptive design patterns. It is possible that one or more Canadian regulators may initiate an investigation regarding such allegations, which can lead to the publication of adverse findings naming the organization.

Q: Does the Resolution contain any practical guidance for businesses about avoiding the use of deceptive design patterns?

The Resolution sets out several expectations from Canadian privacy regulators with respect to the design of online platforms. In particular, the Resolution advocates for the concept of privacy-by-design as the basis for website and app design.

The Resolution also encourages organizations to take steps to (i) ensure that online platforms are defaulted to their most privacy-protective settings; (ii) present privacy choices using simple, consistent and neutral language; (iii) make privacy settings easily accessible at all times (not only upon a user’s first visit to the website or app); (iv) reduce the number of clicks needed to navigate and adjust users’ privacy choices; and (v) provide just-in-time consent options that allow users to make privacy decisions when they are contextually relevant.

Q: What are some other action items that organizations can implement to mitigate the use of deceptive design patterns on their websites and apps?

Organizations should carefully review their existing websites and apps with fresh eyes to consider whether deceptive design patterns are used to potentially influence users’ privacy choices. Common “pain points” for deceptive design patterns include cookie banners, account registration and deletion processes, mailing list registration and “contact us” forms, and check-outs on ecommerce platforms.

Organizations should also develop and implement an appropriate internal review and approval process for the design and implementation of new websites and apps, and updates to existing websites and apps, to ensure that deceptive design patterns are not used. Internal templates for privacy impact assessments and other checklists and compliance tools should be updated to include specific checks for deceptive design patterns.

It is also prudent to develop and deliver role-specific training about spotting and avoiding deceptive design patterns to those members of the organization who are responsible for designing and updating online platforms, such as web design and marketing team members.

Finally, in light of the OPC’s dissatisfaction with the vast majority of the privacy policies it reviewed during its sweep, updating external-facing privacy policies should be a top priority. Organizations should ensure that their privacy policies are written in plain language, use short, easy-to-understand sentences, are well organized, and are in an easy-to-navigate format, such as through the use of appropriate headings and hyperlinks to different sections (sometimes referred to as “layering”).
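The following is an added check, not code from the article, the OPC or McMillan, that scores a draft privacy policy against the two thresholds cited above (3,000 words; grade 12 reading level). The Flesch-Kincaid grade formula and the syllable heuristic are assumptions of this example; the article does not say how the OPC measured reading level, so treat the grade as a screening proxy rather than the regulator's method.

```python
import re

# Thresholds as cited in the article from the OPC's Report.
MAX_WORDS = 3000      # longer than this: "excessive in length"
MAX_GRADE = 12.0      # above this reading level: "unduly complex"

WORD_RE = re.compile(r"[A-Za-z']+")


def count_syllables(word: str) -> int:
    """Rough English syllable count: vowel groups, minus a trailing silent 'e'."""
    w = word.lower()
    n = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and n > 1:
        n -= 1
    return max(n, 1)


def flesch_kincaid_grade(text: str) -> float:
    """Flesch-Kincaid grade level (assumed proxy, not the OPC's stated method)."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = WORD_RE.findall(text)
    if not sentences or not words:
        return 0.0
    syllables = sum(count_syllables(w) for w in words)
    return 0.39 * len(words) / len(sentences) + 11.8 * syllables / len(words) - 15.59


def assess_policy(text: str) -> dict:
    """Report word count, grade level and whether either OPC threshold is exceeded."""
    words = len(WORD_RE.findall(text))
    grade = flesch_kincaid_grade(text)
    return {
        "words": words,
        "grade": round(grade, 1),
        "excessive_length": words > MAX_WORDS,
        "unduly_complex": grade > MAX_GRADE,
    }


# Constructed sample passages for illustration only.
PLAIN = ("We collect your name and email. We use them to send your order. "
         "You can delete your account at any time.")
LEGALESE = ("Notwithstanding the foregoing, the organization reserves the right to "
            "collect, aggregate, and disseminate personally identifiable information "
            "to affiliated third-party entities for legitimate operational purposes, "
            "including analytics, personalization, and advertising, in accordance "
            "with applicable legislation.")

if __name__ == "__main__":
    for label, text in (("plain", PLAIN), ("legalese", LEGALESE)):
        print(label, assess_policy(text))
```

Run it over the full text of a policy (for example, read from a file) to flag drafts that should be shortened or rewritten in plain language before publication.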

***

Lyndsay A. Wasser (CIPP/C) leads McMillan LLP’s Privacy & Data Protection Group nationally. With nearly two decades of experience, Lyndsay advises on a wide spectrum of privacy and data protection matters, including valid consent protocols, cross-border data transfers, privacy impact assessments, and developing robust compliance and vendor management programs. Lyndsay can be reached at [email protected].

***

Kristen Pennington (CIPP/C) is a Partner in McMillan LLP’s Privacy & Data Protection Group. Kristen counsels clients on the privacy law implications of new products, technologies, initiatives and corporate transactions, helps organizations develop privacy compliance programs, and drafts and negotiates privacy and data protection terms in an array of commercial agreements. Kristen can be reached at [email protected].
