On August 9, 2023, the UK’s Information Commissioner’s Office (ICO) and Competition and Markets Authority (CMA) released a joint position paper (the Paper) focused on “harmful” website design practices that may “trick” consumers into giving more access to their personal information. The Paper is targeted at web designers and developers, and it will be particularly relevant to consumer-facing organizations that target the UK market. It builds on joint work that the ICO and CMA have been engaged in since May 2021, when the regulators issued a joint statement promising a “joined up approach to regulation.” Announcing the Paper’s release, the ICO also revealed that it will be assessing cookie banners of the most frequently used websites in the UK, with a view to taking action against harmful designs.

Harmful Practices Identified in the Paper

In the Paper, the ICO and CMA highlight five common online design practices that can influence consumer decisions and undermine consumers’ ability to control how their personal information is used. The Paper notes that these practices can lead to breaches of data protection and consumer protection laws, so organizations should avoid using them.

  • Harmful nudges and sludges. Making one option particularly easy to select (a nudge) or making the alternatives more burdensome (a sludge) increases the likelihood that an organization will infringe the UK GDPR’s “fairness” and “transparency” principles. Where this leads to the collection of personal information, the organization may also gain a competitive advantage. All options concerning the use of personal information should be presented with equal prominence and should be equally easy to select. The Paper notes that when used in cookie banners, harmful nudges and sludges are likely to render any consent obtained invalid.
  • Confirmshaming. Where organizations encourage individuals to take a particular action on their site, they should avoid designs that may cause visitors to feel guilt, shame, or other pressure. For example, when asking visitors to provide their email address to access a discount code, language such as “Nahhh, I hate savings” may steer individuals towards providing their information. Especially when collecting consent, all language should be neutral, objective, and understandable for the average user.
  • Biased framing. When offering individuals a choice about the use of personal information, organizations should give equal weight to the risks and benefits of the decision in any explanation provided. Highlighting that sharing personal information will result in a better and more personalized service, with no mention of any drawbacks, would be an example of biased framing. The Paper states that consent obtained using biased framing is unlikely to be fully informed and may be invalid as a result.
  • Bundled consent. The Paper notes that bundling multiple consent requests into one single option can make it difficult for individuals to understand what they are agreeing to, making it less likely that consent will be validly obtained. Bundled consents can also appear alongside harmful nudge and sludge techniques, e.g., presenting one consent banner with an “accept all” button for several data processing activities and nonessential cookies. Bundling consents across first-party services can also lead to an organization obtaining excessive market power.
  • Default settings. Default settings are “one of the strongest and most reliable practices that influence user behavior.” When configuring these settings, organizations need to apply the principle of “data protection by design and default,” and be cautious about how consent is collected; pre-selected or pre-enabled options are unlikely to yield valid consent.

Call to Action

The Paper builds on joint work carried out by the ICO and the CMA as part of the Digital Regulation Cooperation Forum (DRCF). The DRCF brings together the ICO, CMA, Financial Conduct Authority and Office of Communications (known as Ofcom) to promote consistent regulation of digital services and technologies.

An ICO blog accompanying the Paper’s release indicates that the focus of the regulators’ work may now be shifting to enforcement, noting that if the regulator does not see improvements in market practice, it “will be taking enforcement action to protect” individuals’ rights. A press release also states that the ICO will be actively assessing the cookie banners of the most frequently used websites in the UK. The CMA notes in the Paper that it is already taking such action by exercising its consumer protection powers.

Consumer-facing organizations that target the UK market should review their online designs to assess their exposure to the practices outlined above. The Paper sets out four shared “expectations” of the ICO and the CMA:

  1. Put users at the heart of their design choices.
  2. Use design that empowers user choice and control.
  3. Test and trial design choices.
  4. Comply with data protection, consumer, and competition laws.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy, competition and consumer protection issues and investigations. For more information, please contact Yann Padova, Maneesha Mithal, Deirdre Carroll, or Tom Evans.

Hattie Watson contributed to the preparation of this blog post.