The UK's Competition and Markets Authority (CMA) and Information Commissioner's Office (ICO) have warned online businesses against harmful design practices that could undermine people's control over their personal information, and lead to worse consumer and competition outcomes.

A joint paper published by both regulators sets out their concerns under data protection, consumer and competition law, gives practical examples of potentially harmful design practices, and establishes best practice principles for businesses' "Online Choice Architecture". Those principles include putting users at the heart of design choice, using design that empowers user choice and control, testing and trialling design choices, and ensuring that design choices comply with relevant laws.

The regulators have stated that if they don't see improvements, they will take enforcement action against businesses.

Examples of potentially harmful practices

The joint paper sets out examples of perceived harmful practices, including:

  • Nudging / sludging (i.e. when a firm makes it easy for users to make inadvertent or ill-considered decisions, or harder for users to take certain decisions). For example, allowing the user to turn all personalisation on in a single step, but requiring several steps to be taken to turn personalisation off.
  • Confirm shaming (i.e. pressuring users into a particular option by making them feel guilty or embarrassed). For example, offering users a discount in exchange for providing their contact details so they can be used to send the user direct marketing, but in order to decline this, requiring users to click a button that says 'naah I hate savings'.
  • Biased framing (i.e. emphasising the supposed benefits of a particular option, while minimising or ignoring the potential risks or negative impacts). For example, asking users if they are willing to share their search history in the following way, as opposed to a more neutral / balanced manner: 'By sharing your search history with us, we can tailor our services specifically to your needs so you get the information you need exactly when you need it. This will also increase the relevance of the ads you see when you use our other services. If you don't share your search history with us, the information and ads you see may not be as relevant or useful to you'.
  • Bundled consent (i.e. bundling different choices into a single consent). For example, as part of an account sign-up process, asking users to provide a single consent to the processing of their personal data for various purposes, including some not directly related to the personalisation of the account.
  • Default settings (i.e. imposing default privacy settings, default choice of software, or automatic renewals). For example, including a default setting on a social media network that users' content is visible to everyone, rather than a restricted set of people. The CMA / ICO consider that the use of defaults can lead users to make choices about their personal data that may not be in their best interests, for example, sharing more data than they would like to when receiving services or inadvertently enrolling into automatically renewing subscription plans.

Competition and consumer law concerns arising from harmful design practices

In the last few years, the CMA has focused on what it considers to be the consumer law concerns arising from online design practices, such as the impact of defaults / automatic renewal terms in areas such as online video gaming and anti-virus software subscriptions. It considers that design practices can be used to distort consumer choices and lead them to consent to potentially undesirable services or actions, in contravention of legislation such as the Consumer Protection from Unfair Trading Regulations.

The joint paper extends these theories of harm to suggest that such practices may be liable to lead to data protection and competition law infringements. The latter are largely said to arise in the context of digital firms with market power using consumer data to leverage network effects and: (a) strengthen their market position, without necessarily doing so based on the merits of their product or service (e.g. by using this additional personal data to target advertising), (b) create lock-ins that make it difficult for consumers to switch from current providers, and (c) ultimately make it harder for rivals to compete e.g. creating barriers to entry and expansion.

This approach arguably has precedent in the European Commission's Google Search (Shopping) case, in which the Commission found that the more favourable positioning and display by Google in its general search results pages of its own comparison shopping service compared to competing comparison shopping services, was an abuse of dominance. It is nonetheless relatively novel – and seemingly tenuous – to suggest that practices like nudging or confirm shaming could have serious implications from a competition law perspective. Most likely, we expect that any competition enforcement action against businesses will manifest in the CMA imposing conduct obligations (and particularly "fairness by design" principles) on large digital firms, once the relevant enforcement powers against such firms in the Digital Markets, Competition and Consumers (DMCC) Bill come into force.

What should your business do?

Online design practices are high on regulators' agendas, with multiple ongoing investigations into allegedly non-compliant businesses (the CMA is already conducting ongoing consumer protection cases against Wowcher and Emma Group in relation to relevant issues), and co-ordination taking place between different authorities. The CMA's annual plan for 2023/24 also focuses on tackling misleading online practices, including through exercising its consumer enforcement powers. The risk to businesses will be heightened once the DMCC Bill is enacted next year, with the CMA receiving powers for the first time to fine any business for breaches of consumer protection law.

Businesses should consider whether their online design practices expose them to unwanted risks, assessing these in particular against the CMA / ICO's examples of harmful practices, the principles set out in the joint paper, as well as the standards of data protection, competition and consumer law more generally.

The CMA and ICO have invited stakeholders to get in touch if interested in engaging further on the issues discussed in the joint paper. If you have any queries or would like any further assistance with these matters, please do not hesitate to reach out to us.

Originally published 18/09/2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.