Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

News release

Privacy Sweep finds majority of apps and websites use deceptive design to influence privacy choices, including sites targeting children

GATINEAU, QC, July 9, 2024 – The Privacy Commissioner of Canada, along with 25 privacy enforcement authorities from across Canada and around the world, is today issuing findings following a sweep conducted earlier this year of more than 1,000 websites and mobile apps.

The sweep enabled authorities to conclude that deceptive design patterns that make it difficult for people to protect their privacy online are not only prevalent, but also often worse among websites and apps that are geared towards children.

This global privacy sweep found that 97% of websites and apps reviewed were using one or more deceptive design patterns that may influence individuals into giving away more of their personal information online.

“Websites and apps should be designed with privacy in mind,” said Privacy Commissioner of Canada Philippe Dufresne. “This includes providing privacy-friendly default settings and making privacy information easy to find.”

Emphasizing privacy options, using neutral language, clearly presenting privacy choices, and reducing the number of clicks for a user to find privacy information, log out, or delete an account are all ways in which organizations can help their users better protect their privacy online.

“Privacy is a fundamental right. Integrating privacy by design and privacy by default helps to promote the best interests of individuals, and builds trust, by offering individuals online experiences that are free from influence, manipulation, and coercion,” said Commissioner Dufresne.

The Commissioner also encouraged individuals to be aware of deceptive design patterns, so that they can better protect their privacy and personal information online.

An annual initiative of the Global Privacy Enforcement Network (GPEN), this year’s privacy sweep focused on how online deceptive design patterns can be used to steer users towards options that may result in the unnecessary collection of more of their personal information. In other cases, deceptive design may force individuals to take multiple steps to find a privacy policy, log out, or delete their account to discourage them to do so. Other forms of deceptive design include presenting users with repetitive prompts that may frustrate them into giving up more of their personal information than they would like.

Sweep participants sought to replicate the user experience by engaging with websites and apps to assess the ease with which they could make privacy choices. They evaluated the sites and apps based on five indicators that were identified by the Organisation for Economic Co-operation and Development (OECD), as being characteristic of deceptive design patterns.

For each indicator, the global report found:

  • Complex and confusing language: More than 89% of privacy policies were found to be long or to use complex, university-level language level.
  • Interface interference: When asking users to make privacy choices, 42% of the websites and apps swept used emotionally charged language to try to influence user decisions, while 57% made the least privacy protective option the most obvious and easiest for users to select.
  • Nagging: 35% of websites and apps repeatedly asked users to reconsider their intention to delete their account.
  • Obstruction: In nearly 40% of cases, sweep participants faced obstacles in making privacy choices or accessing privacy information, such as trying to find privacy settings or delete their account.
  • Forced action: 9% of websites and apps forced users to disclose more personal information when trying to delete their account than they had to provide when they created it.

Focus on children’s sites

The OPC, along with sweep participants from the Office of the Information and Privacy Commissioner of Alberta, and the Office of the Information and Privacy Commissioner for British Columbia, looked specifically at 67 websites and apps targeted at children.

Sweep participants found that websites and apps aimed at children used, more often than websites and apps targeted at the general population, emotive language or nagging to manipulate users into making less privacy-friendly choices.

This part of the sweep supports championing children’s privacy rights, which is one of the Privacy Commissioner of Canada’s three strategic privacy priorities that will guide the OPC’s work through 2027.

“With children spending more and more of their lives online, it is critical that the spaces that they visit are safe, especially those targeted directly at them either deliberately or by their very nature,” said Commissioner Dufresne.

“Organizations should put the best interests of young people first when designing websites and apps. This includes limiting the collection of young people’s personal information, clearly explaining privacy information, making privacy protective settings the default, and empowering young people and their parents or guardians to make informed privacy protectives choices.”

Cross-sectoral regulatory cooperation

For the first time, the GPEN sweep was coordinated with the International Consumer Protection and Enforcement Network (ICPEN), which represents consumer protection authorities from around the world, including Canada’s Competition Bureau.

The collaboration recognizes the growing intersection between privacy and other regulatory spheres. In the case of deceptive design patterns, it was clear to both privacy and consumer protection sweep participants that many websites and apps employ techniques that interfere with individuals’ ability to make choices that are in their best interests.

Both GPEN and ICPEN, which are working together to improve privacy and consumer protection for individuals around the world, published reports today outlining their findings.

Further reading

GPEN Global Sweep Report

  • Summary of key observations related to a sweep by 26 privacy enforcement authorities of more than 1,000 websites and apps.

OPC Sweep Report

  • Summary of key observations related to 145 apps and sites examined by the OPC and a review of websites and apps that appear to be aimed at children.

ICPEN Report

Key takeaways for organizations

Key takeaways for individuals

Video – Commissioner Dufresne discusses deceptive design patterns

For more information

Office of the Privacy Commissioner of Canada
communications@priv.gc.ca

 

Date modified: