The manipulation of online user choices through so-called ‘dark patterns’ has become a growing feature of online services and technology products. These design tricks (which are usually significantly more subtle than the choice above) are often embedded in websites and apps to influence users to make choices that benefit the service provider. For example, they may encourage a user (perhaps unwittingly) to sign up for additional product features and provide more information about themself. Often, they are designed so users take the path of least resistance to access the service they want, such as the one requiring the fewest clicks, at the expense of reading legal terms or applying more privacy-friendly settings.
These “dark patterns”, or “nudge techniques”, as they’re also referred to, can have significant
privacy implications. For example, they might be used to make it more difficult for a user to opt out of data collection, obscure privacy-friendly options, or encourage users to share more data than they might have intended. The concern is that this can undermine user choice, make processing less transparent, and make privacy-positive options less easy to recognise or understand.
In August 2023, the ICO and CMA issued a joint position paper highlighting their concerns and outlining the practices they consider potentially harmful. These dark arts include such weird and wonderful concepts as “harmful nudges and sludge,” “confirm shaming,” “biased framing,” “bundled consent,” and “default settings.” The paper aims to guide firms sand designers in creating online interfaces that respect user choice and privacy through using design to empower user choice and control, testing and trialling design choices, and complying with data protection, consumer, and competition laws.
Perhaps the most high-profile element of this renewed regulatory scrutiny is the focus of the ICO over the last year on the use of “reject all” options in cookie pop-ups and banners. For many years, it had been standard practice for websites and apps to offer users the chance to “accept all” through one click in the pop-up but to have to go through a second or third layer of options if they wanted to reject all cookies. In many ways, this is a classic example of a nudge technique designed to improve the user consent conversion rate.
Unsurprisingly, the ICO has started taking action by writing to the UK’s top websites and requiring them to give equal prominence to “accept all” and “reject all” options, warning that enforcement action will follow if these changes are not implemented. Therefore, whilst allowing users to reject all may impact how much targeted advertising websites do, it is already becoming market standard in the UK to present these user choices on an equal footing.
This article is part of our Data Protection Top 10 2024 publication.