Dark patterns – where privacy, consumer and competition laws meet

There are a lot of things to consider when designing online interfaces – not least compliance with data protection, consumer and competition laws.


As part of a joint effort to encourage companies to design their online choice architecture (OCA) in a responsible and compliant manner, the UK’s Information Commissioner’s Office (ICO) and Competition & Markets Authority (CMA) published a joint paper on ‘Harmful design in digital markets’ and announced a joint collaboration to tackle harmful practices as part of the Digital Regulation Cooperation Forum.

The paper raises the following concerns:

  1. Data privacy: poor OCA practices may result in: (i) unwarranted intrusion (i.e. manipulating users into making choices that do not align with their preferences); (ii) loss of control or autonomy (i.e. making it difficult to choose how data is being processed); and (iii) a ‘cost’ for the user when they try to avoid or mitigate harm (i.e. forcing users to spend more time to make informed choices).
  2. Consumer law: poor OCA practices may distort consumer choices by making certain options easier or more desirable over others, which may: (i) discourage conscious deliberation; (ii) misrepresent the choice available to consumers; and (iii) lead consumers to consent to potentially undesirable services or actions.
  3. Competition law: poor OCA practices may result in the collection of more personal data, which may confer a competitive advantage to larger market participants, allowing them to leverage network effects and create barriers to entry.

The paper also notes that positive OCA practices, such as a quick and seamless returns process, or relevant recommendations for further products or services, can benefit both users and competition.

Five key harmful OCA practices

The paper highlights five key harmful OCA practices and provides detailed examples for each.

‘Harmful nudges’ make it easy for users to make unintended decisions or decisions which haven’t been properly thought through, while ‘sludge’ creates an imbalance – making it more difficult for users to get what they want. Together, these practices steer users towards making certain choices. One of the examples provided in the paper is that rejecting an option, such as the setting of cookies, should be as easy as accepting an option. In the context of cookies, the paper explicitly calls out the need for equivalence. Websites that provide an ‘Accept all’ button should also provide an option for users to reject cookies just as easily – through a ‘Reject all’ button. To date, the trend in the market towards using ‘Reject all’ buttons has been mainly driven by EU regulators, so it is interesting to see alignment in this area.

The CMA adds that making certain options easier to choose may distort consumer choices, decrease users’ welfare and/or may not align with their preferences by encouraging users to make bad choices or act in a way that doesn’t align with their best interests.

Those familiar with the topic of dark patterns will recognise the phrase ‘confirmshaming’ from the European Data Protection Board’s practical recommendations on how to avoid deceptive design patterns in social media interfaces. It involves pressuring users into doing something by making them feel guilty or embarrassed for not doing it. The example provided by the paper is labelling the button to decline signing up to a newsletter with ‘Nahh, I hate savings’, making the user feel guilty for not signing up.

The paper also criticises ‘biased framing’, i.e., presenting choices in a way that emphasises either the supposed positive or negative outcomes of a particular option, in each case to make it more or less appealing to the user. This is because biased framing can distort user behaviour and cause users to make decisions which haven’t been properly thought through.

‘Bundled consent’ is also highlighted in the paper, which is a practice that involves asking users to consent to the use of their personal data for multiple purposes or processing activities via a single consent option, making it difficult for users to understand what they are consenting to.

The last issue called out specifically in the paper is applying certain default settings that the user must take active steps to change. This could include pre-selected add-ons or tick-boxes or turning on automatic renewal of subscriptions by default. The latter is under increased regulatory scrutiny and is specifically addressed in the proposed Digital Markets, Competition and Consumers Bill, which targets subscription traps. You can read our update on this here.

Time to take action

The ICO and CMA encourage online operators to re-assess their OCA practices to ensure they empower users to make effective and informed choices about the processing of their personal data and build customer trust.

Harmful online practices have been a focus for the CMA recently (see their Online choice architecture work page) and the ICO has now announced it will take enforcement action to ‘end damaging website design practices that may harm your users’ if it does not see improvements in this area. This collaboration also comes shortly after the decision by the Court of Justice in the EU that competition authorities can assess data protection rules when assessing potential breaches of competition law (see further here), suggesting that we may see further cooperation between competition and data protection authorities in the future.

The paper provides a roadmap for online operators to use OCA responsibly by:

  • Putting users at the heart of design choices;
  • Using design that empowers user choice and control;
  • Testing and trialling design choices;

and last but not least,

  • Complying with data protection, consumer and competition laws.

Finally, the ICO and CMA encourage stakeholders to share their views on the OCA practices highlighted in the joint paper and note their intention to run a workshop this autumn for those interested in further engagement on the issues raised.