Cookie banners ?, the bane of every Internet user’s life, right? Intended to give protection to individual users, instead they’ve become an ever-present justification for using site visitors’ personal information and targeted ads. The Information Commissioner and the Competition and Markets Authority aren’t pleased with this practice and they’ve issued a joint blog, statement and position paper warning website owners and developers that they run the risk of falling foul of data protection law and of consumer and competition law if they don’t design their sites so as to provide genuine protection for users.
The blog notes that:
‘Using language that suggests there’s a right or wrong decision on privacy policies. Making certain options easier to find to distort users’ choices. Presenting choices to steer users to pick a particular option. These are just some of the ways that your web design practices could be breaching data protection law and raising concerns from a consumer and competition law perspective.’
On cookies specifically, they say:
‘A website’s cookie banner should make it as easy to reject non-essential cookies as it is to accept them. Users should be able to make an informed choice on whether they want to give consent for their personal information to be used, for example, to profile them for targeted advertising.’
How often do you see that, in practice?
They also say that:
‘ICO research shows that 90% of people are concerned about their personal information being used without their permission, with 50% of people not happy about their personal information being used to suggest adverts to them.’
From the CMA’s perspective, this is all part of its ‘dark patterns’ campaign but it’s the ICO that currently has the more significant fining powers and cookie banners fall well within its remit. The blog specifically says that the ICO will be reviewing some of the UK’s most used sites and taking action where necessary. The joint statement and position paper say the ICO will take enforcement action:
‘where necessary to protect people’s data protection rights, particularly where the practices lead to harms for people at risk of vulnerability.’
The blog, statement and position paper all give the example of targeting gambling ads at an addict, suggesting they may consider gambling addicts ‘at risk of vulnerability’ and that action in that sector may be imminent.
Not all online choice architecture (OCA) is bad. The position paper gives examples of positive OCA including a quick and seamless returns process and relevant recommendations for further products or services. Design practices that the ICO and CMA regard as potentially harmful under their respective regimes when they are used to present choices about personal data processing include ‘harmful nudges and sludge’, ‘confirmshaming’, ‘biased framing’, ‘bundled consent’ and ‘default settings’. What does all this jargon mean? The position paper explains in detail:
Harmful nudges and sludge are when a site makes it easy (‘nudges’) users to make what the authors of the position paper call ‘inadvertent or ill-considered decisions’. These decisions can also be encouraged by ‘creating excessive or unjustified friction’ (‘sludge’) that makes it difficult for the user to get or do what they want eg the site may make one option much quicker and simpler than the other. Harmful nudges and sludge are often used in cookie permission pop-ups to encourage users to consent to non-essential cookies by including an option to consent to non-essential cookies with a single click (‘Allow all’) but not including an equivalent option to refuse consent to non-essential cookies at the same level (‘Reject all’). Instead, users who don’t want to consent to non-essential cookies, have to go into a settings page and, in some cases, refuse consent to individual cookies. This process is much more time consuming and onerous so users may simply click ‘Accept all’ to make the pop-up go away. To see how cookie consent should be handled, just visit the ICO’s own site.
Confirmshaming involves pressuring or ‘shaming’ someone into doing something by making them feel guilty or embarrassed for not doing it by using language that clearly suggests that there is a ‘good’ and ‘bad’ choice. Confirmshaming can be used in popups asking a user to provide their email address in exchange for a discount eg where the ‘no’ button says ‘Nahh, I hate savings’. This might seem innocuous to the website owner, aiming for a jokey feel but the position paper makes it clear that it isn’t allowed.
Biased framing involves presenting choices in a way that emphasises the supposed benefits or positive outcomes of a particular option to make it more appealing to the user (‘positive framing’) or that emphasises the supposed risks or negative consequences of a particular option to discourage a user from selecting it (‘negative framing’) eg:
‘By sharing your search history with us, we can tailor our services specifically to your needs so you get the information you need exactly when you need it. This will also increase the relevance of the ads you see when you use our other services. If you don’t share your search history with us, the information and ads you see may not be as relevant or useful to you.’
This example involves both positive and negative framing.
Bundled consent involves asking the user to consent to the use of their personal information for multiple separate purposes or processing activities through a single consent option, making it harder for users to understand and exercise complete control over what they do and don’t want their personal information to be used for. Offering an ‘Accept all’ option increases the likelihood that users will consent to all processing, even if they’d rather not. An example in the position paper is a site that offers multiple distinct services to users. As part of its account sign-up process, it asks users to provide a single consent to the processing of their personal data for use in personalising the services they receive (such as personalised recommendations and personalised advertising), as well as to set cookies for various purposes, including some not directly related to the personalisation of the account. The user can therefore consent to all the services being personalised and cookies being set, or refuse consent for all of them. They can’t pick and choose.
When designing default settings, sites offer a predefined choice that the user can only change by taking active steps. This can include default settings (including privacy or security features), default choices (such as automatically selected add-ons or pre-ticked boxes), default brands (like the browsers or other apps that come pre-installed on devices) or automatic renewal of subscriptions by default. The position paper comments that default settings:
‘reduce user friction which may align with user preferences, but can also be used strategically by firms to reduce the ability of users to make effective choices’.
The ICO and CMA lay out their expectations of sites that are using OCA in relation to choices about personal data:
- Put the user at the heart of your design choices: Are you building your online interfaces around the user’s interests and preferences?
- Use design that empowers user choice and control: Are you helping users to make effective and informed choices about their personal data, and putting them in control of how their data is collected and used?
- Test and trial your design choices: Has testing and trialling been carried out to ensure your design choices are evidence-based?
- Comply with data protection, consumer and competition law: Do you consider the data protection, consumer protection and competition law implications of the design practices you are employing?
Further details on all these points are laid out in the position paper.
What does this mean for our clients? We’re always happy to write compliant privacy policies for your website but if the architecture of your site, including its cookie banner, aren’t compliant, the policies we write won’t be enough. It’s important to discuss these issues with your site developer, for example to establish what cookies are genuinely necessary for your business, and to make it easy for users to reject the rest.