Privacy deceptive design enforcement coming
On January 23, 2024, Italy’s Data Protection Authority released a statement that a deceptive design investigation and enforcement sweep will take place between January 29th and February 2nd, 2024. The purpose of the sweep is to analyze websites and applications for deceptive designs that cause individuals to make unwanted and harmful choices concerning their privacy. Upon completion, the results of the sweep will be used to organize awareness activities, contact website and application owners regarding deceptive design issues and start investigations that can potentially lead to fines. In this article, we will discuss this enforcement sweep as well as the design requirements that businesses must follow to ensure that they are not caught up in the sweep and are not subject to fines.
Which privacy law governs deceptive design?
The privacy law that is at the crux of this investigation is the General Data Protection Regulation (GDPR) which provides certain privacy rights to residents of the European Union. GDPR will apply to you if you:
- Have an establishment in the European Union;
- Offer goods or services to residents of the European Union (regardless of your location); or
- Monitor the behavior of residents of the European Union (regardless of your location).
GDPR’s Recital 35 states that transparency requires that any information relating to the processing of personal data needs to be easily accessible and easy to understand. If GDPR does apply to you, you need to ensure that you do not use deceptive design practices to “trick” individuals into making privacy choices that are disadvantageous to the individual and advantageous to your business.
What are deceptive design practices?
Deceptive design practices (also called dark patterns) are patterns that aim to influence the behavior of an individual and can hinder the individual’s ability to protect their privacy properly. The European Data Protection Board (EDPB) has released guidance on how to recognize and avoid deceptive design practices. The guidance breaks down deceptive design practices into the following categories:
- Overloading: This practice presents the user with a large number of requests, pieces of information, options, or possibilities in order to prompt the user into sharing more personal data, or allowing more processing of personal data, than they otherwise would (e.g. asking the user to consent to cookies on every page even though they have already provided their consent);
- Skipping: This practice designs interfaces or user journeys so that individuals forget about, or do not think about, all or some of the privacy implications (e.g. the most privacy-intrusive options, such as marketing and advertising cookies, are enabled by default);
- Stirring: This practice affects the choice users would make by appealing to their emotions or using visual nudges (e.g. an email newsletter sign-up form whose decline option reads “No, I’m not interested in saving money”, or a green “accept cookies” button paired with a red “decline cookies” button);
- Obstructing: This practice hinders or blocks users in the process of being informed or managing their privacy by making the action difficult or impossible to achieve (e.g. the Privacy Policy link on a website leads to a 404 error);
- Fickle: This practice designs the interface in a way that is inconsistent and unclear, making the privacy controls difficult to navigate (e.g. providing privacy information on a Terms of Service page, or requiring the user to navigate through multiple pages to see their privacy information);
- Left in the dark: This practice designs an interface so as to hide information or privacy tools, or to leave individuals unsure of how their data is processed or what controls they have (e.g. providing conflicting information, such as a Privacy Policy that states “we do not sell your data” near the top and “we do sell your data” further down).
Deceptive design practices can affect anything on a website or an application, including:
- Account registration pages;
- Cookie consent banners;
- Privacy Policies;
- Privacy choices interfaces;
- Email newsletter sign-up forms;
- Contact forms;
- Messages regarding privacy choices.
How to avoid deceptive design violations
While Italy’s Data Protection Authority has not specifically stated what types of websites and applications it will include in this enforcement sweep, it is best practice to avoid deceptive design violations, as these violations amount to noncompliance with the law and can therefore lead to fines. To avoid deceptive design violations, the best practice is to review every page of your website or application, as well as the entire user journey, to ensure that deceptive designs are not included. The following additional tips may help you avoid these violations as well:
- Provide shortcuts to privacy information or privacy settings pages and menus so that they can be easily found by individuals;
- Provide your contact address within your Privacy Policy and on your website so that individuals can contact you if they have questions;
- Review your Privacy Policy to ensure that it is comprehensive and accurate as to your actual privacy practices;
- Ensure that you provide adequate choices to consumers on your cookie consent banner (i.e. include an “accept” and a “decline” option);
- Inform individuals of the consequences of what will happen if they do not provide their personal data;
- Ensure that privacy settings are located in the same place across different devices.
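As an added example that is not part of the original article, the following self-audit checks a cookie consent banner configuration against several of the EDPB categories described above (skipping, obstructing, stirring, overloading, left in the dark) and against the tip that the banner must offer both an accept and a decline option. The configuration shape, the category names and the two sample banners are constructed assumptions, not any real consent tool’s format.

```javascript
// Constructed assumption: non-essential cookie categories that must be off by default.
const NON_ESSENTIAL = new Set(["analytics", "marketing", "advertising"]);

// Returns a list of {pattern, detail} findings; an empty list means no issue found.
function auditConsentBanner(cfg) {
  const findings = [];
  // Skipping: privacy-intrusive categories must not be pre-enabled.
  for (const [name, cat] of Object.entries(cfg.categories || {})) {
    if (NON_ESSENTIAL.has(name) && cat.defaultOn) {
      findings.push({ pattern: "skipping", detail: `category "${name}" is enabled by default` });
    }
  }
  // Obstructing: a decline choice must exist on the first layer of the banner.
  const buttons = cfg.buttons || [];
  const accept = buttons.find((b) => b.action === "accept-all");
  const decline = buttons.find((b) => b.action === "reject-all");
  if (!decline) {
    findings.push({ pattern: "obstructing", detail: "no decline option on the banner" });
  }
  // Stirring: accept and decline must carry the same visual prominence (same style token).
  if (accept && decline && accept.style !== decline.style) {
    findings.push({ pattern: "stirring", detail: "accept and decline buttons are styled differently" });
  }
  // Overloading: do not re-prompt a user whose consent record is already stored.
  if (cfg.storedConsent && cfg.showBannerOnEveryPage) {
    findings.push({ pattern: "overloading", detail: "banner re-shown despite stored consent" });
  }
  // Left in the dark: the banner must link to the Privacy Policy.
  if (!cfg.privacyPolicyUrl) {
    findings.push({ pattern: "left in the dark", detail: "no Privacy Policy link on the banner" });
  }
  return findings;
}

// Constructed sample: a banner exhibiting several of the patterns above.
const deceptiveBanner = {
  categories: { essential: { defaultOn: true }, marketing: { defaultOn: true }, analytics: { defaultOn: false } },
  buttons: [{ action: "accept-all", style: "primary" }],
  storedConsent: { marketing: false, analytics: false },
  showBannerOnEveryPage: true,
  privacyPolicyUrl: "",
};

// Constructed sample: the corrected banner.
const compliantBanner = {
  categories: { essential: { defaultOn: true }, marketing: { defaultOn: false }, analytics: { defaultOn: false } },
  buttons: [{ action: "accept-all", style: "primary" }, { action: "reject-all", style: "primary" }],
  storedConsent: null,
  showBannerOnEveryPage: false,
  privacyPolicyUrl: "https://example.com/privacy", // placeholder URL
};

// Findings for each sample, printed when run stand-alone.
const deceptiveFindings = auditConsentBanner(deceptiveBanner);
const compliantFindings = auditConsentBanner(compliantBanner);
console.log("deceptive banner findings:", deceptiveFindings);
console.log("compliant banner findings:", compliantFindings);
```

Running the audit over every consent surface in the user journey (not just the landing page) is the programmatic counterpart of the page-by-page review recommended above.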
Hopefully, the above tips will help you ensure that you are not caught up in this enforcement sweep!