The UK’s data protection regulator, the Information Commissioner’s Office (ICO), and consumer protection regulator, the Competition and Markets Authority (CMA), have published a joint position paper on “harmful design in digital markets”.
The paper provides an insight into how these two regulators interpret the law in areas such as cookie consent banners, online interfaces, and other aspects of what they call “choice architecture”.
This article explores five design techniques deemed “harmful” by these two UK regulators.
Five types of harmful design
The ICO and CMA identify five broad types of harmful design:
- Harmful nudges and sludge: Making it easier or harder for the user to make a given choice.
- Confirmshaming: Pressuring or “guilt-tripping” the user into making a particular choice.
- Biased framing: Presenting choices in a way that emphasises one choice over another.
- Bundled consent: Requesting consent for multiple separate purposes at once.
- Default settings: Forcing the user to opt out of predetermined choices.
These types of design choices are often called “dark patterns”.
The common factor among each of the above design choices is that they can result in harm or increased risks to the user’s privacy or financial situation.
Let’s look in more detail at each of these five types of harmful design.
1. Harmful nudges and sludge
- Harmful nudges: Making it easy to make a “bad” choice: A choice that is potentially beneficial to the company but detrimental to the user.
- Sludge: Making it hard to make a “good” choice: A choice that is potentially detrimental to the company but beneficial to the user.
“When harmful nudge or sludge techniques are used, consumers may make choices they wouldn’t otherwise have made and that do not align with their best interests or preferences…”
ICO and CMA ‘Harmful Designs’ Position Paper, p. 12
Example
A user visits a website. A cookie banner asks the user to choose their preferred cookies.
The choice to “Accept all cookies” requires one click. The choice to “Reject all cookies” is hidden behind a “Settings” button and requires multiple clicks.
Accepting all cookies reveals information about the user’s browsing habits and preferences—benefitting the company but potentially harming the user’s privacy.
Key Takeaway
Make it as easy to reject cookies as it is to reject cookies.
2. Confirmshaming
Offering a supposed choice, but making the user feel guilty, embarrassed, or foolish if they select the “wrong” option.
“Confirmshaming practices can ultimately adversely affect users’ choices, for example, by causing them to agree to the use of their personal information in a way that they would not otherwise agree to.”
ICO and CMA ‘Harmful Designs’ Position Paper, p. 17
Example
A user visits a website. A popup invites the user to subscribe to the website operator’s newsletter, which will provide access to discounts. To dismiss the popup, the user can either:
- Provide their email address and click “Subscribe”, or
- Click a text button that reads: “No thanks, I don’t want to save money”.
Present choices in a way that lets the user make an informed and objective decision.
3. Biased framing…
California delays CPRA regulations
The California Privacy Protection Agency (CPPA) was supposed to finalize new pri…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
