
International: GPEN publishes findings on deceptive privacy choices

On July 9, 2024, the Global Privacy Enforcement Network (GPEN) published its findings on the use of deceptive design to influence privacy choices. GPEN is a network of data protection supervisory authorities that includes, among others, the European Data Protection Supervisor (EDPS), the UK Information Commissioner's Office (ICO), and the U.S. Federal Trade Commission (FTC).

The GPEN conducted a global sweep of 1,000 websites and apps, in cooperation with 26 data protection supervisory authorities globally, alongside the International Consumer Protection and Enforcement Network (ICPEN).

Notably, the GPEN clarified that the sweep did not produce formal findings or confirm violations of privacy legislation, but that it may lead to enforcement action addressing the concerns identified.

What were the GPEN's findings?

The GPEN outlined that deceptive design patterns use interface features that steer users towards options resulting in the collection of more of their personal information. Such patterns may also force users to take multiple steps to find a privacy policy, log out, or delete their account, or present them with repetitive prompts intended to frustrate them into handing over more personal information.

Specifically, the GPEN found that:

  • more than 89% of privacy policies were found to be long or use complex language;
  • 42% of websites and apps used emotionally charged language to influence user decisions relating to privacy, while 57% made the least privacy protection option the most obvious and easiest option for users to select;
  • 35% of websites and apps repeatedly asked users to reconsider their intention to delete their accounts;
  • in nearly 40% of cases, there were obstacles to making privacy choices or accessing privacy information, such as finding privacy settings or deleting accounts; and
  • 9% of websites and apps forced users to disclose more personal information when trying to delete their accounts.

Regarding forced actions, the GPEN noted that individuals were often misled into believing that providing their personal information was necessary to access a service when it was not. On obstruction, the GPEN found that in over 55% of cases users were unable to locate the option to delete their account, and that where the option could be found, users were often required to submit a written request to have the account deleted.

The GPEN encourages organizations to develop design and default settings that protect privacy, including:

  • an emphasis on privacy options;
  • neutral language and design to present privacy choices in a fair and transparent manner;
  • fewer clicks to find privacy information, log out, or delete an account; and
  • 'just in time' contextually relevant consent options.

OPC's findings on deceptive design patterns

On the same date, the Office of the Privacy Commissioner of Canada (OPC) published its 2024 sweep report on deceptive design patterns (the OPC report), complementing the GPEN report.

In the OPC report, the OPC, together with the Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC), looked at 145 websites and apps accessible in Canada across various sectors, such as retail, social media, news, and entertainment, as well as websites and apps aimed at children.

The OPC report examined 67 websites and apps targeted at children and found that specific deceptive design patterns, such as false hierarchy, confirm shaming, and nagging occurred significantly more often on children's websites and apps, with the following observations:

  • with respect to the creation or deletion of an account, sweepers found that 56% of children's websites and apps displayed a false hierarchy by making the option to sign up for the service more prominent than the option to continue without an account, compared to 24% of other websites and apps;
  • in 54% of the children's websites and apps reviewed, sweepers encountered confirm-shaming, i.e., emotionally charged language that may dissuade users from deleting their accounts, compared to 17% of other websites and apps; and
  • sweepers encountered some form of nagging in 45% of interactions on children's websites and apps, whereby they were repeatedly confronted with the same prompts or requests, three times the rate they encountered on other websites and apps.

PrivCom releases local results of 2024 GPEN privacy sweep

On the same date, the Bermuda Office of the Privacy Commissioner (PrivCom) published the local results of the global privacy sweep.

Scope of the sweep

PrivCom noted that the local sweep took place on February 1, 2024, and examined a total of 196 organizations domiciled in Bermuda. PrivCom explained that the local sweep examined only organizations' websites, whether hosted under a Bermuda domain or overseas, and did not examine mobile applications.

While carrying out the sweep, PrivCom noted that it examined the following aspects specific to the Personal Information Protection Act (PIPA):

  • the presence of a privacy notice and/or terms and conditions (T&Cs);
  • the designation of a privacy officer or team and the inclusion of their contact information;
  • a reference to PrivCom as the local regulator for Bermuda and the inclusion of PrivCom's contact information; and
  • whether a link (or tab) to a privacy policy existed but the actual document was missing or replaced by a holding page.

Findings of the sweep

PrivCom found that of the total of 196 organizations surveyed:

  • 40% (78) had a privacy notice/policy/T&Cs;
  • 22% (44) included the contact information of their privacy officer or team;
  • 3% (5) made a reference to PrivCom and included its contact information; and
  • 7% (13) had a link (or a tab) to a privacy policy/notice but the document was missing.

Additionally, the sweep found that, of the 78 organizations that did display a privacy notice/policy/T&Cs on their website:

  • 5% (4) used language that was fairly difficult to understand;
  • 76% (59) used language that was difficult to understand;
  • 18% (14) used language that was very difficult to understand; and
  • 1% (1) used language that was extremely difficult to understand.

You can read the GPEN press release here, the GPEN report here, the ICPEN report here, the OPC press release here, the OPC report here, and the PrivCom press release here.

Update: July 11, 2024

Hong Kong: PCPD publishes recommendations on deceptive design patterns for online platforms

On July 10, 2024, the Office of the Privacy Commissioner for Personal Data (PCPD) announced that it had joined the GPEN and participated in the sweep, and published recommendations for online platforms on avoiding deceptive design patterns.

The PCPD highlighted that the GPEN participating authorities encouraged businesses to design their online platforms or apps in a manner that enables users to make informed privacy-protective choices by using techniques such as:

  • making the most privacy-protective option the default choice;
  • emphasizing the privacy options available to users;
  • avoiding biased language and design, and presenting privacy choices in a fair and transparent manner;
  • allowing users to find privacy information, log out, or delete an account easily, without multiple clicks; and
  • providing timely and contextually relevant consent options to users.

You can read the press release here.

Baden-Württemberg: LfDI Baden-Württemberg issues statement on GPEN report

On July 9, 2024, the Baden-Württemberg data protection authority (LfDI Baden-Württemberg) issued a statement on the GPEN report, noting that it had examined 17 websites, all of which used deceptive design patterns. LfDI Baden-Württemberg stressed that anyone who uses deceptive design patterns must be able to explain how they comply with the requirements of the General Data Protection Regulation (GDPR) and the Telecommunications Digital Services Data Protection Act (TDDDG).

You can read the press release, only available in German, here.

Update: July 12, 2024

Guernsey: ODPA issues findings of privacy sweep

On July 9, 2024, the Office of the Data Protection Authority for the Bailiwick of Guernsey (ODPA) issued a press release on its participation in the GPEN sweep. The ODPA highlighted that its sweep focused on gambling sites.

The ODPA stated that 19 websites and/or online apps operating under gambling licences issued by the Alderney Gambling Control Commission (AGCC) were selected and checked against the sweep criteria. All sites included in the sweep raised concerns about transparency and showed at least one indicator of deceptive design. The concerns resulting from the sweep included:

  • in 42% of cases, the sweeper could not find the website or application's privacy settings;
  • most privacy policies were found to be unnecessarily lengthy and/or complex; and
  • in many cases, it was more difficult to delete an account than it was to create an account.

You can read the press release here.