Global privacy sweep finds that nearly all of 1,000 websites and mobile apps tested use deceptive design patterns
July 20, 2024 |
The Privacy Commissioner in GPEN Sweep finds majority of websites and mobile apps use deceptive design to influence privacy choices to highlight the results of annual Global Privacy Enforcement Network. The GPEN issued a press release on this with 2024 GPEN Sweep on deceptive design patterns. The sweep highlights the poor design, intentional or not, which frustrates users in either finding out what happens to their personal information or determining their rights via privacy policies. Unfortunately regulators do not take a strong enough position on incomprehensible privacy policies or complex processes designed to thwart individuals which organisations comply with legislation.
The GPEN media statement provides:
A global privacy sweep that examined more than 1,000 websites and mobile applications (apps) has found that nearly all of them employed one or more deceptive design patterns that made it difficult for users to make privacy-protective decisions.
Deceptive design patterns use features that steer users towards options that may result in the collection of more of their personal information. These patterns may also force users to take multiple steps to find a privacy policy, log out, or delete their account, or present them with repetitive prompts aimed at frustrating them and ultimately pushing them to give up more of their personal information than they would like.
This year’s annual Global Privacy Enforcement Network (GPEN) Sweep took place between January 29 and February 2, 2024. It involved participants, or “sweepers,” from 26 privacy enforcement authorities from around the world.
For the first time, the GPEN sweep was coordinated with the International Consumer Protection and Enforcement Network (ICPEN), which represents consumer protection authorities.
The collaboration recognizes the growing intersection between privacy and other regulatory spheres. In the case of deceptive design patterns, it was clear to both privacy and consumer protection sweepers that many websites and apps employ techniques that interfere with individuals’ ability to make choices that best protect their privacy or consumer rights.
Both GPEN and ICPEN, who are working together to improve privacy and consumer protection for individuals around the world, published reports today outlining their findings.
Those involved in the privacy sweep replicated the user experience by engaging with websites and apps to assess the ease with which they could make privacy choices, obtain privacy information, and log out of or delete an account.
Sweepers evaluated the sites and apps based on five indicators identified by the Organisation for Economic Co-operation and Development (OECD), as being characteristic of deceptive design patterns.
For each indicator, the GPEN report found:
-
- Complex and confusing language: More than 89% of privacy policies were found to be long or use complex language suited for those with a university education.
- Interface interference: When asking users to make privacy choices, 42% of websites and apps swept used emotionally charged language to influence user decisions, while 57% made the least privacy protective option the most obvious and easiest for users to select.
- Nagging: 35% of websites and apps repeatedly asked users to reconsider their intention to delete their account.
- Obstruction: In nearly 40% of cases, sweepers faced obstacles in making privacy choices or accessing privacy information, such as trying to find privacy settings or delete their account.
- Forced action: 9% of websites and apps forced users to disclose more personal information when trying to delete their account than they had to provide when they opened it.
What is next?
The Sweep was not an investigation, nor was it intended to generate formal findings regarding confirmed violations of privacy legislation. However, as in previous years, concerns identified during the Sweep could not only result in follow-up work such as outreach to organizations but may also lead to the initiation of enforcement action to address identified concerns. Decisions on further specific enforcement action will be made by each GPEN member independently.
GPEN encourages organizations to design their platforms, including associated privacy communications and choices, in a manner that supports users in making informed privacy choices that reflect their preferences. Good design includes default settings that best protect privacy; an emphasis on privacy options; neutral language and design to present privacy choices in a fair and transparent manner; fewer clicks to find privacy information, log out, or delete an account; and ‘just-in-time’ contextually relevant consent options. By offering users online experiences that are free from influence, manipulation, and coercion, organizations can build user trust and make privacy a competitive advantage.