Deceptive design under global spotlight – GPEN and country reports

On July 9, 2024, the Global Privacy Enforcement Network (GPEN) released a comprehensive report on the pervasive use of deceptive design practices that manipulate privacy choices. This report, based on a global sweep of 1,000 websites and apps with the collaboration of 26 international data protection authorities and the International Consumer Protection and Enforcement Network (ICPEN), sheds light on the critical global issue of privacy manipulation.

Key Findings

The GPEN’s investigation uncovered several troubling trends:

  • Complex Privacy Policies: Over 89% of privacy policies were lengthy and difficult to understand.
  • Manipulative Language: 42% of sites used emotionally charged language to sway user decisions.
  • Least Protective Options: 57% made the least privacy-protective options the most prominent and easiest to select.
  • Account Deletion Obstacles: 35% of websites and apps persistently asked users to reconsider deleting accounts.
  • Access Barriers: Nearly 40% presented obstacles to making privacy choices or accessing information, with 9% requiring additional personal information to delete accounts.

Country-Specific Reports

Canada

The Office of the Privacy Commissioner (OPC) of Canada, alongside provincial counterparts, scrutinized 145 websites and apps, including 67 aimed at children. The findings revealed that deceptive design patterns such as false hierarchy, confirm shaming, and nagging were significantly more common on children’s platforms. For example:

  • False Hierarchy: 56% of children’s sites emphasized account creation, compared to 24% for other sites.
  • Confirm Shaming: 54% used charged language to deter account deletion, versus 17% for other sites.
  • Nagging: Repeated prompts were found in 45% of children’s sites, triple that of other sites.

Bermuda

The Bermuda Office of the Privacy Commissioner (PrivCom) assessed 196 organizations. Key findings included (source):

  • Privacy Notices: Only 40% had a privacy notice or terms and conditions.
  • Privacy Officer Contacts: 22% provided contact details for a privacy officer.
  • Regulatory References: A mere 3% referenced PrivCom.
  • Missing Policies: 7% had non-functional links to privacy policies.

Hong Kong

The Office of the Privacy Commissioner for Personal Data (PCPD) joined the GPEN sweep and emphasized the need for businesses to enable informed privacy-protective choices by making the most protective options default and avoiding biased language and design (source).

Germany

The Baden-Württemberg data protection authority (LfDI Baden-Württemberg) examined 17 websites, all employing deceptive design patterns. The authority stressed compliance with the General Data Protection Regulation (GDPR) and the Telecommunications Digital Services Data Protection Act (TDDDG).

Guernsey

The Office of the Data Protection Authority (ODPA) in Guernsey focused on 19 gambling sites. Findings included (source):

  • Hidden Privacy Settings: 42% of sites obscured privacy settings.
  • Complex Policies: Most privacy policies were excessively lengthy.
  • Account Deletion Barriers: Deleting an account was often more challenging than creating one.

Malta

The Office of the Information and Data Protection Commissioner (IDPC) in Malta participated in the sweep, focusing on the websites of banks. The IDPC identified common deceptive design patterns aimed at collecting more personal information and complicating privacy choices.

United States

The Federal Trade Commission (FTC) examined dark patterns in 642 websites and subscription-based mobile apps in 26 countries between 29 January and 2 February 2024. The audit discovered that 76% of the reviewed sites and apps used at least one dark pattern, and 67% employed multiple dark patterns. These involve hiding or delaying critical information that could impact consumers’ purchasing decisions, as well as techniques that obscure essential information or preselect options to nudge consumers toward decisions that benefit businesses.

The FTC’s review did not conclude whether these practices violated laws in the 26 countries involved. However, the findings highlight the significant influence of dark patterns on both consumer finances and privacy choices.

GPEN’s Recommendations

GPEN calls on organizations to adopt ethical design practices, including:

  • Emphasizing privacy options.
  • Using neutral language to present choices transparently.
  • Simplifying steps to find privacy information, log out, or delete accounts.
  • Providing contextually relevant consent options.
