Identifying and mitigating harms from privacy-related deceptive design patterns

Resolution of the Federal, Provincial and Territorial Information and Privacy Commissioners and Ombuds with responsibility for privacy oversight

Toronto, Ontario, October 8-10, 2024

Context

In recent years, both international and domestic regulatory authorities have been seized with the issue of deceptive design patterns (or dark patterns), identifying and analysing such practices from angles of competition, consumer protection and privacy. Deceptive design patterns (DDPs) are used on websites and mobile apps to influence, manipulate, or coerce users to make decisions that are not in their best interests.^{Footnote 1} This phenomenon has grown more pronounced, as more and more of the daily lives of Canadians take place online.

Internationally, several regulatory authorities and intergovernmental organizations have published reports on deceptive designs.^{Footnote 2} Most of these reports seek to identify and define design patterns that have effects on a variety of regulatory domains, such as competition policy (e.g. drip pricing^{Footnote 3}), privacy (e.g. default privacy settings) and consumer protection more broadly (e.g. baseless countdown timers^{Footnote 4}). Until recently, there has been a lack of international reports specifically addressing narrower privacy-related DDPs.

In 2024, the Global Privacy Enforcement Network (GPEN) launched a Sweep focused on privacy-related DDPs. The “sweepers”, which included members of the Canadian Federal, Provincial, and Territorial privacy regulators/ombudspersons as well as international privacy authorities, examined over 1000 websites and apps across various sectors, such as retail, social media, news and entertainment, health and fitness, as well as websites and apps that appear to be aimed at children.

In this Sweep, the authorities encountered different DDPs with the potential to affect user privacy, many of which have been seen by Canadian privacy regulators in their work^{Footnote 5}. Examples of DDPs most frequently affecting privacy identified during the Sweep include the following categories^{Footnote 6}:

Inaccessible language – the use of complex and confusing language on websites or apps, often found within highly technical and excessively long privacy policies or terms of service;
Interface interference – where design elements on the website or app can be used to influence a user’s perception and understanding of their privacy options;
Nagging – where repeated prompts for users to take specific actions may undermine their privacy interests;
Obstruction – where a website or app inserts unnecessary, additional steps between users and their privacy-related goals;
Forced action – where a website or app requires or tricks users into providing more personal information to access a service than is necessary to provide that service.

The international report concluded that there is “an extremely high occurrence” of DDPs across websites and apps worldwide, and that “users are likely to encounter, in the vast majority of cases, at least one DDP when interacting with websites and apps.”^{Footnote 7} In the Canadian context, DDPs have become so entrenched in website design that the Sweep team found examples of at least one privacy-related DDP in 99% of the 145 websites and apps it examined.^{Footnote 8} The sweepers also found DDPs to be just as frequent, and at times even more frequent, on the 67 children’s websites and apps that they swept.

These results are concerning, but not surprising, as DDPs have become a regular and normalized practice. There is particular concern related to how DDPs affect children, given the vulnerability of children and young people in the digital world, and the indication that many DDPs appear on websites and apps designed for children^{Footnote 9}. This concern intersects with previous calls from the FPT community for organizations to minimize digital privacy risks to young people and for young people not to be influenced or coerced into making privacy-related choices contrary to their interests.^{Footnote 10}

Given the number of privacy-related DDPs encountered within the digital landscape and the harms that can come from them, it is clear that action must be taken. The signatories believe it is important for businesses and governments to avoid certain practices when designing websites and apps in order to meet fundamental legal obligations and basic privacy principles when collecting personal information online.

Therefore

Canada’s Federal, Provincial and Territorial Privacy Commissioners and Ombuds with responsibility for privacy oversight are calling on public and private sector organizations to avoid platform designs and practices that would influence, manipulate or coerce users into making decisions that go against their privacy interests and to ensure that users can make informed privacy decisions.

More specifically, we collectively expect public and private sector organizations to do the following with respect to websites and apps^{Footnote 11}:

Ensure that privacy is built in by default, using the concept of privacy-by-design as the basis for a design framework, also ensuring that the best interests of young people are built in from the design stage;
Limit personal information collection to that which is necessary for the purposes identified by the organization, as DDPs such as forced action and interface interference are often used to collect more personal information than is necessary for the service;
Promote transparency when collecting personal information using clear and simple language as a way of both complying with privacy laws and fostering trust between the organization and its users;
Examine and test the design architecture and usability in order to determine the prevalence of DDPs and to make improvements to these platforms to limit a user’s exposure to DDPs and support users in making informed privacy decisions;
Choose design elements that adhere to privacy principles as found in Canadian privacy legislation, that take the users’ interests into account and that do not generate negative habits or behaviors in users.^{Footnote 12}

Good privacy design practices include:

Limiting collection of personal information to that which is necessary;
Defaulting websites and apps to their most privacy-protective settings and, in the case of apps, ensuring that this is applied to any subsequent updates made to newer versions;
Using simple, consistent and neutral language and designs to present privacy choices to users;
Ensuring that privacy settings are easily accessible at all times, not only upon the first visit, to make privacy decisions accessible to users when they want to make them;
Reducing the volume of clicks required to navigate and adjust users’ privacy choices; and
Providing just-in-time consent options that allow users to make privacy decisions when they are contextually relevant.

The Federal, Provincial and Territorial Privacy Commissioners and Ombuds with responsibility for privacy oversight commit to engaging at a higher level with government and other stakeholders in the modernization of design architecture for websites and apps that reduces the prevalence of DDPs while promoting privacy-protective design patterns.

Footnotes

Footnote 1

OECD, Dark Commercial Patterns, 2022; EDPB, Guidelines on Deceptive Design Patterns, 2023; OPC, Canada Sweep Report 2024: Deceptive Design Patterns, 2024.

Return to footnote 1

Footnote 2

For example, in 2022, the Organisation for Economic Cooperation and Development (OECD) issued a report on dark commercial patterns. Similarly, the European Commission (EC) published a behavioural study on unfair commercial practices in the digital environment centered on DDPs and the European Data Protection Board (EDPB) issued guidelines on deceptive design patterns in social media platform interfaces. The Federal Trade Commission (FTC) also put forward a report on dark patterns under its role as a consumer protection agency.

Return to footnote 2

Footnote 3

Drip pricing, as per the definition in the FTC’s report on dark patterns, is a DDP “in which firms advertise only part of a product’s total price to lure in consumers, and do not mention other mandatory charges until late in the buying process.”

Return to footnote 3

Footnote 4

Baseless countdown timers, as per the definition in the FTC’s report on dark patterns, are a DDP that create “pressure to buy immediately by showing a fake countdown clock that just goes away or resets when it times out.”

Return to footnote 4

Footnote 5

For example, in 2023, the OPC’s Contributions program provided support to the University of Western Ontario’s project related to Identifying and Responding to Privacy Dark Patterns.

Return to footnote 5

Footnote 6