The Office of the Privacy Commissioner of Canada (OPC) recently coordinated and participated in a global sweep of more than 1,000 websites and mobile applications to look for deceptive design patterns that hinder users from making informed decisions about their privacy. OPC sweepers found deceptive design patterns in almost all of the Canadian websites and apps they examined. This bulletin describes the findings from the privacy sweep and highlights key takeaways for businesses to consider when designing digital user interfaces.
The Privacy Sweep
The privacy sweep was an international effort by the Global Privacy Enforcement Network (GPEN), an informal network of privacy enforcement authorities that support information sharing, capacity building, and cross-border cooperation on matters related to privacy enforcement. Twenty-five privacy enforcement authorities from around the world participated in this year's privacy sweep, including the OPC, the Office of the Information and Privacy Commissioner of Alberta, and the Office of the Information and Privacy Commissioner for British Columbia.
The privacy sweep was coordinated with the International Consumer Protection and Enforcement Network (ICPEN), which represents consumer protection authorities from around the world, including Canada's Competition Bureau. This collaboration recognizes the growing intersection between privacy and consumer protection.
The Privacy Sweep Findings
The OPC's Sweep Report 2024: Deceptive Design Patterns summarizes the results of the OPC's examination of 145 Canadian websites and apps across various sectors, including retail, news and entertainment, social media and dating, travel and accommodation, and banking and financial services. Alongside the report, the OPC published Design with privacy in mind: Five business best practices to avoid deceptive design, which provides tips on how to avoid the deceptive design patterns that were so frequently identified in the privacy sweep.
The OPC's report and guidance are intended to help organizations support their customers in making informed privacy choices that are free of influence, manipulation and coercion. Avoiding deceptive design patterns can help organizations ensure they are meeting their obligations under Canadian privacy laws. For example, eliminating deceptive design patterns makes it more likely that an organization is obtaining meaningful consent, limiting its collection of personal information to that which is necessary for the purposes for which it is collected, and providing individuals with information about its privacy policies and practices.
Deceptive Design Patterns to Avoid
The OPC's privacy sweep focused on five types of deceptive design patterns that are used to influence, manipulate, or coerce users to make decisions that are not in their best interests. These deceptive design patterns can prevent users from making informed decisions about the collection, use, and disclosure of their personal information.
The vast majority of websites and apps reviewed contained at least one of the following indicators of deceptive design.
1. Complex and Confusing Language
The most common type of deceptive design pattern identified in the privacy sweep was the use of complex and confusing language, particularly in privacy policies. Of the websites and apps examined, 96% employed excessively technical language or lengthy privacy policies that were over 3,000 words. Additionally, 83% of the privacy policies reviewed by the OPC were difficult to read and required a university- or graduate-level reading comprehension to understand.
2. Interface Interference
Interface interference design patterns are distracting or conflicting elements that result in disruption or confusion to the user. The privacy sweep focused on three types of interface interference:
- "False hierarchies", where certain visual elements are emphasized to direct users towards less privacy-protective options.
- "Preselection", where the most privacy-intrusive option is preselected by default.
- "Confirm-shaming", which uses emotionally charged language to push users towards options that are preferred by the organization.
These types of deceptive design patterns are often found in combination, for example, where a confusing title misleads users into thinking that the preselected choice is the more privacy-protective choice.
3. Nagging
The tactic of "nagging" involves repeated prompts or actions to steer users towards a particular choice. The privacy sweep discovered nagging in 15% of user interactions with platforms. Nagging was prevalent around the account registration and deletion process. For example, some websites repeatedly prompted users to switch to their app, which enables the collection and use of more personal information than the website alone does, rather than continue with the web version.
4. Obstruction
"Obstruction" creates unnecessary obstacles for users who wish to protect their privacy. A common type of obstruction is "click fatigue," where a user must navigate through a maze of steps to find privacy settings or delete their account. The privacy sweep found that only 25% of websites and apps allowed account deletion with two clicks or fewer.
5. Forced Action
Forced action is a design pattern that requires users to complete a specific action to achieve their objective. For example, some websites required users to provide more personal information when trying to delete their account than was initially required when they created the account. This deceptive design pattern was identified in 16% of the websites and apps that were surveyed as part of the privacy sweep.
Deceptive Design and Children's Privacy
The OPC's privacy sweep specifically examined the use of deceptive design patterns on websites and apps that are aimed at children and found that deceptive design patterns are even more prevalent on children's platforms. The OPC suggests that if a website or app is likely to be appealing to children, organizations should avoid or minimize the collection of personal information from users.
Where the collection of personal information about children is necessary, there are certain good design patterns that can be employed to help protect children's privacy. The OPC's report highlights how one toymaker has done so by incorporating short, child-friendly videos into its privacy policy so that "Captain Safety" can explain to children how cookies are used.
Conclusion
The privacy sweep confirms that the overwhelming majority of websites and mobile apps use deceptive design patterns to manipulate user choices and possibly compromise individual privacy. This practice not only undermines consumer trust but also poses significant legal and reputational risks for organizations. In the face of these findings, organizations should reassess their digital interfaces to ensure they respect user privacy by default.
If you have any questions, please contact the Fasken Privacy and Cybersecurity team.
About Fasken's Privacy and Cybersecurity Group
As one of the longest-standing and leading practices in privacy and cybersecurity, our dedicated national privacy team of 36 lawyers offers a wide range of services. From managing complex privacy issues and data breaches to advising on the EU General Data Protection Regulation and emerging legal regimes, we provide comprehensive legal advisory services across all industry sectors. Our group is recognized as a leader in the field, earning accolades such as the PICCASO 'Privacy Team of the Year' award and recognition from Chambers Canada and Best Lawyers in Canada. For more information, please visit our website.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.