Media Statements

Privacy Commissioner’s Office Joins Global Privacy Enforcement Network in Completing Global Privacy Protection Sweep on Deceptive Design Patterns

Date: 10 July 2024 

The Office of the Privacy Commissioner for Personal Data (PCPD) joined the Global Privacy Enforcement Network (GPEN) earlier to conduct a global privacy protection sweep (Sweep) on more than 1,000 websites and mobile applications (apps) from around the world under the theme of “Deceptive Design Patterns”, and a global joint report was issued today upon completion of the Sweep. A total of 52 authorities, including 26 privacy or data protection enforcement authorities and 26 consumer protection authorities, participated in the Sweep, which was coordinated jointly by GPEN and the International Consumer Protection and Enforcement Network (ICPEN). The privacy or data protection enforcement authorities included the authorities from Australia, Canada, the United Kingdom, the United States of America, Japan, Singapore, Macao SAR China and Hong Kong SAR China, to name a few.
 
During the Sweep period between 29 January and 2 February 2024, participating authorities examined more than 1,000 websites and mobile apps from around the world across multiple industries (including retail, health and fitness, travel and accommodation, and social media and dating) on the frequency and types of deceptive design patterns used by these websites and apps. The Sweep revealed that nearly all (97%) of the websites and apps reviewed employed one or more deceptive design patterns that made it difficult for users to make privacy-protective decisions.
 
Deceptive design patterns typically employ features that steer users towards options that may result in the collection of more of their personal data. These patterns may also force users to take multiple steps to find the privacy policy, log out or delete their account. They may also present users with repetitive prompts aimed at frustrating them and ultimately pushing them towards sharing more personal data than they initially wish.
 
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, said, “Websites and apps should strive to present clear and simple privacy-protective options in their designs. I recommend that organisations carefully review the designs of their websites and/or apps to enable users to better understand and control how their personal data is to be used, so that they can exercise their privacy-protective choices more easily. By offering users an online experience that is under their control, free from influence, manipulation or coercion, businesses can build trust with users and turn privacy protection into a competitive advantage.”
 
According to the findings of the Sweep, issues relating to design patterns include:
  • Complex and confusing language: More than 89% of privacy policies were found to be too long or to use complex language;
  • Interface interference: When asking users to make privacy choices, 42% of websites and apps used emotionally charged language to influence user decisions (e.g. “Are you really certain you want to delete your account? It would be a shame to see you go!”, “If you click ‘Delete User Account’, you will immediately lose all your VIP privileges.”), while 57% made the least privacy-protective option the most obvious;
  • Nagging: 35% of websites and apps repeatedly asked users to reconsider their intention to delete their accounts;
  • Obstruction: In nearly 40% of cases, users encountered obstacles when they made privacy choices or accessed privacy information, such as trying to find privacy settings or to delete accounts; and
  • Forced action: 9% of websites and apps forced users to disclose more personal data when they tried to delete their accounts than they had to provide when they opened the accounts.
 
The participating enforcement authorities encourage businesses to design their online platforms or apps in a manner that enables users to make informed privacy-protective choices that reflect their preferences. Good privacy-protective designs include:
(i) make the most privacy-protective option the default choice;
(ii) emphasise the provision of privacy options to users;
(iii) avoid using biased language and design, and present privacy choices in a fair and transparent manner;
(iv) allow users to easily find privacy information, log out, or delete an account without the need for multiple clicks; and
(v) provide timely and relevant consent options to users.
 
Download the Sweep report (available in English and French):
https://www.privacyenforcement.net/content/2024-gpen-sweep-deceptive-design-patterns-reports-english-and-french

The PCPD participated in a joint operation of the Global Privacy Enforcement Network (GPEN), and a global joint report was issued.
 
-End-