Deceptive Design Patterns – Turning the Lights Out on Privacy
The Office of the Privacy Commissioner (OPC) and the Global Privacy Enforcement Network (GPEN) recently embarked on a sweep focusing on “Deceptive Design Patterns” (DDPs, also known as “Dark Patterns”) in websites and mobile apps, hunting for manipulative and deceptive designs that undermine users’ privacy.
DDPs can take several forms, the most common of which are listed below:
Complex and confusing language: policies that are excessively long and written at a reading level that would require a university-level education to comprehend.
Interface interference: sites that emphasise specific visual elements while obscuring others to steer users away from more privacy-protective measures, preselect privacy-intrusive settings, or use emotive language to discourage users from selecting privacy-centric options.
Obstructive design: a user experience with unnecessary hurdles to finding and understanding privacy settings or removing accounts.
Forced action: users are forced to provide more information than necessary to access services.
Nagging: sites repeatedly prompt users to perform an action, such as downloading an app, which shares more information with the site.
Of the 1,010 websites and apps analysed, a staggering 97% exhibited these practices. Some examples of the practices encountered include:
“Accept All Cookies” buttons being much more prominent than any options to the contrary or to configure. As a good practice, your site or app should give the same visibility to all the options available to a user.
Pre-selecting checkboxes regarding the sharing of information. In terms of consent, it is best practice to have the users perform an action to opt-in, rather than having to perform an action to opt-out.
“Shaming” language should the user select privacy-centric options or attempt to delete the account. A site or app should not denigrate its users for selecting an option that protects their privacy, nor should it threaten its users with reduced functionality for doing so.
Making it extremely difficult to enable privacy settings by burying the features deep in the user interface, or by requiring users to send in physical letters or to provide more information than was initially collected in order to close an account. Your privacy settings should be easily accessible, and the exercise of rights should not require a user to send in more information than you had already collected.
Building a misleading interface that could attract underage minors to a site designed for content aimed at an older demographic. Your interface should not attract users outside the intended demographic.
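The first four practices above translate directly into how a consent banner is built and how its state is recorded. The following is an added example, not code from the OPC, GPEN or the sweep report: it models consent as opt-in (every category starts denied and only an explicit user action grants it) and audits a small, constructed description of a banner for asymmetric buttons, preselected checkboxes and shaming language. The category names, the banner JSON shape, the button labels and the list of shaming phrases are all assumptions made up for the example.

```javascript
// Added example (not from the OPC/GPEN sweep): an opt-in consent model plus a
// small audit of a banner description for the deceptive patterns listed above.
// Category names, the banner shape and the phrase list are constructed here.

const CATEGORIES = ["analytics", "advertising", "personalisation"];

// Constructed list of "confirmshaming" phrases to flag on the privacy-protective option.
const SHAMING_PHRASES = ["no thanks, i don't care", "i don't want a better", "i like being tracked"];

// Build a consent record from explicit user actions only. Every category starts
// as denied, so a user who dismisses the banner without acting has granted
// nothing (opt-in), and nothing is preselected on their behalf.
function buildConsentRecord(actions, timestamp = 0) {
  const choices = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  for (const action of actions) {
    switch (action.type) {
      case "acceptAll":
        for (const c of CATEGORIES) choices[c] = true;
        break;
      case "rejectAll":
        for (const c of CATEGORIES) choices[c] = false;
        break;
      case "toggle":
        // Ignore categories the banner does not define rather than widening consent.
        if (CATEGORIES.includes(action.category)) choices[action.category] = Boolean(action.value);
        break;
      default:
        // Unknown actions never grant consent.
        break;
    }
  }
  return { timestamp, choices };
}

// Audit a banner description for the practices the sweep flagged. Returns a
// list of findings; an empty list means none of the checked patterns appeared.
function auditBanner(banner) {
  const findings = [];
  const accept = banner.buttons.find((b) => b.action === "acceptAll");
  const reject = banner.buttons.find((b) => b.action === "rejectAll");

  // Interface interference: "accept all" and "reject all" must carry the same visual weight.
  if (accept && !reject) {
    findings.push("obstructive-design: acceptAll offered without an equally visible rejectAll");
  } else if (accept && reject && accept.style !== reject.style) {
    findings.push("interface-interference: acceptAll and rejectAll differ in prominence");
  }

  // Preselected checkboxes: consent must be an action the user takes, not one they undo.
  for (const toggle of banner.toggles) {
    if (toggle.defaultChecked) {
      findings.push(`preselected-opt-in: ${toggle.category} is checked by default`);
    }
  }

  // Shaming language on the privacy-protective option.
  if (reject && SHAMING_PHRASES.some((p) => reject.label.toLowerCase().includes(p))) {
    findings.push("shaming-language: rejectAll label denigrates the privacy choice");
  }
  return findings;
}

// Constructed sample banners: the first shows the patterns the sweep describes,
// the second is the corrected form with symmetric options and unchecked defaults.
const DARK_BANNER = {
  buttons: [
    { action: "acceptAll", label: "Accept all cookies", style: "primary" },
    { action: "rejectAll", label: "No thanks, I don't care about a better experience", style: "link" },
  ],
  toggles: [
    { category: "analytics", defaultChecked: true },
    { category: "advertising", defaultChecked: true },
  ],
};

const FAIR_BANNER = {
  buttons: [
    { action: "acceptAll", label: "Accept all", style: "primary" },
    { action: "rejectAll", label: "Reject all", style: "primary" },
  ],
  toggles: CATEGORIES.map((category) => ({ category, defaultChecked: false })),
};

console.log(auditBanner(DARK_BANNER));   // four findings
console.log(auditBanner(FAIR_BANNER));   // []
console.log(buildConsentRecord([{ type: "toggle", category: "analytics", value: true }]));
```

The point of `buildConsentRecord` is that the stored record can never contain a consent the user did not actively give: a banner that was closed, an unknown action, or a category the banner never offered all resolve to denied. `auditBanner` is the kind of check a team can run against its own banner configuration in CI so that a preselected checkbox or a demoted "reject" button is caught before release rather than by a regulator's sweep.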
The GPEN called for immediate action from organizations to prioritize Privacy by Design (PbD) practices from the outset. Conducting Privacy Impact Assessments early on can highlight features that may be of concern, allowing them to be addressed early and in a privacy-focused manner.
Additional actions include employing transparent and user-friendly design in sites and apps, focusing on concise language, easily accessible privacy settings, and the avoidance of manipulative design practices. Extra care should be taken to protect the privacy of children, particularly by limiting data collection, implementing parental controls, and incorporating age-appropriate design.