The Information Commissioner’s Office (‘ICO’) and the Competition and Markets Authority (‘CMA’) have made clear in a recent report, Harmful design in digital markets, that online choice architecture (‘OCA’) must be designed in such a way that online users are not tricked or ‘nudged’ into giving away more personal data than they would have done otherwise. Harmful OCA has been called out specifically because of the impact that it can have on consumer choice and wellbeing and more broadly, competition. In publishing this report, the ICO and CMA hope to guide website owners and UX/UI designers to put ‘choice and control’ at the centre of their architecture.
Some of the examples of harmful OCA listed in the recent ICO-CMA blog post include steering users towards a particular option by making it easier to find. The design of cookie banners (see photos below) can also lead to reduced autonomy and choice for users; for instance, having an ‘Accept Cookies’ option and a ‘Preferences’ option, or an ‘Accept’ or ‘Decline’ option which are treated differently in terms of colour and shading.
The ICO-CMA report has come in the midst of growing awareness and pushback against these online design practices. For instance, the ICO ‘Rip-off tip-off’ initiative allows users to report harmful online practices, such as fake reviews for a product or a subscription trap.
In relation to cookies, the recent Cookie Pledge launched by the European Commission promises to find solutions to address cookie fatigue and reform advertising models that rely on tracking (see our blog on this here). The ICO has also noted that it may take regulatory action against those who continue to use harmful design practices in a way which contravenes data protection law (e.g. Article 4(11) and 7 GDPR define consent as being ‘freely given, specific, informed and easy to withdraw.’). The European Data Protection Board (‘EDPB’) Cookie Banner Task Force also released a report earlier this year (see here for our previous blog post) highlighting that harmful OCAs, such as pre-ticked boxes or no reject buttons, would contravene the ePrivacy Directive and/or some provisions of the GDPR. All of this highlights the growing regulatory attention that is being paid to OCA and its implications for individuals and competition.
General cookie fatigue, coupled with a growing policy and regulatory awareness of harmful design practices will accordingly lead to tighter enforcement of OCA and, in the not too distant future, reforms as to how ad-tracking services work. For instance, European Commissioner for Justice, Didier Reynders recently suggested the possibility of introducing a ‘Digital ID’ whereby citizens can establish how much personal data they consent to sharing across multiple websites, instead of having to manually select how much personal data for each website that is visited. This is expected to greatly reduce the impact of OCA for specific websites, making cookies and harmful design practices far less effective in tricking or nudging individuals towards specific options.
Please contact Jose Saras and Xavier Prida if you have any questions or concerns regarding the implementation of compliant cookies and consent mechanisms.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.
This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.