The Office of the Privacy Commissioner of Canada (“OPC”), in conjunction with its global counterparts, recently conducted a review of over 1,000 websites and apps, and found that nearly all had at least one deceptive design element that potentially violated privacy requirements.
Deceptive design elements (aka “dark patterns”) manipulate users into disclosing more personal information than they would ordinarily do, and are a recent target of privacy enforcement authorities. Businesses should be paying close attention to the design of their customer interfaces as the design (not just the content) of such interfaces may expose companies to privacy enforcement actions.
The results of the sweep showed that compared to the global averages, Canadian privacy policies were longer and more difficult to understand, and Canadian websites and apps more frequently used pre-selected privacy options that were less privacy-protective, and more persistently nagged users to select less privacy-protective options.
With respect to children’s privacy, Canadian websites and apps aimed at children exhibited a higher incidence of manipulative practices, as compared to those targeting the general population.
Background
Each year, the global data protection authorities that make up the Global Privacy Enforcement Network (“GPEN”) conduct a “Privacy Sweep” (“Sweep”), during which privacy enforcement authorities collaborate to examine a particular data protection issue.
This year’s Sweep[1] was coordinated by the OPC and was focused on assessing practices commonly used on websites and apps that impact user privacy. In particular, the Sweep evaluated the prevalence and types of deceptive design patterns (“DDPs”), which are digital interface design elements that mislead users or hinder their ability to protect their personal information.
For the first time, 26 privacy enforcement agencies under GPEN conducted the Sweep in coordination with 27 authorities from the International Consumer Protection and Enforcement Network (ICPEN), highlighting the growing intersection between privacy and consumer protection matters in the digital age.
What the Data Protection Authorities Looked At
The 53 Sweep participants (“sweepers”) engaged with over 1,000 websites and apps in a manner intended to replicate the user experience. The OPC sweepers in particular examined 145 websites and apps that are accessible in Canada, and covered sectors ranging from retail to news and entertainment, including interfaces that appear to be aimed at children.
The sweepers’ use of the websites and apps was guided by a set of questions focused on the following five indicators flowing from the Organisation for Economic Co-operation and Development’s (OECD) taxonomy of DDPs:
- Complex and Confusing Language: Assessing the readability and clarity of privacy policies. Highly technical or excessively long policies make it difficult for users to understand, leading to decisions that may not align with actual user preferences.
- Interface Interference: Evaluating design elements such as false hierarchies[2], preselection of privacy-intrusive options, and confirm-shaming[3], which may influence user decisions by steering users towards less privacy-protective choices.
- Nagging: Observing repeated prompts that disrupt the user experience and pressure users into making privacy choices that comply with the organization’s desired actions.
- Obstruction: Identifying additional steps that hinder users from making privacy-protective choices, including adding unnecessary steps to access privacy settings and discouraging users from following through.
- Forced Action: Examining requirements for unnecessary personal information disclosure whereby users are compelled or misled into providing more personal information than necessary to access services.
Key Findings
Sweepers observed at least one DDP in almost every website and app that was examined. The findings illustrate that the majority of online platforms are designed to encourage users to make privacy-related decisions that are in the interest of the platform, rather than aligning with the users’ own interests and goals.
Complex and Confusing Language
Complex and confusing language was the most commonly used DDP observed on the websites and apps included in the sweep. Globally, 89% of reviewed websites and apps had privacy policies that were excessively long (>3,000 words) or used complex language, making them difficult for users to understand. In Canada, the OPC found that 96% of privacy policies were either too long or overly technical, with 83% being particularly hard to read, requiring either a university or graduate education reading level. Additionally, 76% of OPC-reviewed policies were over 3,000 words long, compared to a global average of 55%.
Interface Interference
Globally, 43% of platforms used design elements that nudged users towards less privacy-protective options. In Canada, 65% of reviewed sites used preselected options that favored less privacy, compared to 48% globally. Additionally, the OPC noted that 65% of Canadian sites employed false hierarchies, prominently displaying the least privacy-protective options.
Nagging
Globally, about 14% of websites and apps employed nagging techniques, while in Canada, the OPC found these tactics in 15% of interactions. Furthermore, 30% of Canadian platforms used repeated prompts to influence user decisions, particularly around account deletion.
Obstruction
Globally, 39% of interactions included obstructions that made it harder for users to achieve their privacy goals. In Canada, only 25% of websites and apps allowed users to find the delete option in two clicks or fewer, and for 43% of websites and apps, sweepers could not locate the option to delete their account at all. This is compared to 17% and 55%, respectively, observed in the global sweep.
Forced Action
Around 21% of platforms globally forced users to provide unnecessary personal information. In Canada, the OPC sweepers found forced action designs in 16% of the platforms they swept. The sweeps also observed that 22% of websites and apps had no other option than to “accept” or “accept all” with regard to privacy settings and cookies.
OPC Sweep observations relating to Children’s Privacy
The OPC collaborated with the Offices of the Privacy Commissioners of Alberta and British Columbia (OIPC-AB and OIPC-BC) to sweep 67 websites and apps that appear to be aimed at children. These sweepers observed a higher incidence of manipulative practices on platforms aimed at children, as compared to those targeting the general population. For example, the OPC and OIPC sweepers found:
- 56% of children’s websites and apps displayed false hierarchies promoting the creation of an account over continuing to use the platform without an account, compared to 24% of websites and apps aimed at the general population;
- 54% of children’s platforms used confirm-shaming, versus 17% of platforms aimed at the general population; and
- 45% of children’s websites and apps used some form of nagging, contrasted with only 15% on platforms aimed at the general population.
Takeaways for business
Website and app design is seldom scrutinized by compliance or privacy professionals. It has long been the domain of marketing professionals, whose goal is generally to increase user engagement and to collect as much user personal information as possible.
Organizations will now need to include design review as part of their privacy assessment process.
The use of DDPs undermines the privacy by design and privacy by default principles that are considered a best practice by Canada’s federal and provincial privacy commissioners, and which are required by Quebec’s Act respecting the protection of personal information in the private sector (“Quebec Act”). Given the changing privacy landscape in Canada, including new administrative monetary penalties under the Quebec Act, and the similarly proposed penalties under Bill C-27’s Consumer Privacy Protection Act, businesses should assess whether they too make use of DDPs and, if so, consider ways to minimize their potentially coercive impact on users’ privacy choices.
The OPC identified the following as examples of ways that businesses can proactively limit their DDP use:
- Simplify Privacy Policies: The OPC recommends using clear, concise language, avoiding overly lengthy documents, and providing short, simple explanations of key information with links to further details for those who want to know more. This can be challenging for privacy officers and lawyers, who typically review the privacy policy as a contract. In Canada, privacy policies are not contracts per se, but perform a notice function, and simpler, less legalistic language can be used. A failure to make these policies user friendly can, ironically, end up exposing an organization to legal risk.
- Fair Design Choices: The OPC recommends that organizations ensure that privacy options are presented neutrally without misleading users, for example by avoiding the use of (i) false hierarchies, by making ‘accept all’ and ‘reject all’ buttons the same size and style, (ii) less privacy-friendly defaults, and (iii) confirm-shaming techniques when individuals signal their preference for more privacy-protective choices.
- Limit Pop-ups and Requests: The OPC suggests organizations avoid repeated prompts for personal information, especially if users have already declined.
- Accessibility of Privacy Settings: The OPC also recommends that businesses make privacy settings and account deletion options easy to find and use, and reduce the number of steps required to complete these actions to prevent ‘click fatigue.’
- Minimize Personal Information Collection: Canada’s privacy laws require that only personal information necessary to deliver the product or service be collected. For example, organizations should not be encouraging users to create an account where it does not impact platform usability or functionality, and should not force users to provide additional personal information, such as an email address or phone number, in order to delete their account.
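Two of the Sweep’s indicators are measurable enough to be checked before a regulator does it for you: policy length and reading level (the Sweep’s 3,000-word threshold and “university reading level” finding), and the interface-interference patterns in the “Fair Design Choices” recommendation (preselected non-essential options, a missing ‘reject all’, and ‘accept all’ styled more prominently than ‘reject all’). The following Python script is an added example written for this post; it is not OPC, GPEN or Dentons code. The 3,000-word threshold comes from the report; the Flesch-Kincaid grade-level cutoff of 13, the syllable heuristic, and the dictionary layout used to describe a consent banner are assumptions made for the example, and the policy text and banners it runs on are constructed.

```python
"""Added example (not from the OPC/GPEN report): a pre-enforcement self-check
for a privacy policy's length and reading level, and for interface
interference in a consent banner. Thresholds and data model are assumptions
except the 3,000-word limit, which the Sweep report used."""
import re

MAX_POLICY_WORDS = 3000   # Sweep's threshold for "excessively long"
MAX_GRADE_LEVEL = 13.0    # assumption: grade 13+ ~ post-secondary reading level

_VOWEL_GROUPS = re.compile(r"[aeiouy]+")


def count_syllables(word: str) -> int:
    """Heuristic English syllable count: vowel groups, ignoring a silent final 'e'."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    if w.endswith("e") and not w.endswith("le"):
        w = w[:-1]                      # "site" -> 1, "table" -> 2, "cookie" -> 2
    return max(1, len(_VOWEL_GROUPS.findall(w)))


def readability(text: str) -> dict:
    """Word count and Flesch-Kincaid grade level, flagged against the thresholds."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z][A-Za-z'-]*", text)
    if not words or not sentences:
        raise ValueError("policy text contains no sentences")
    syllables = sum(count_syllables(w) for w in words)
    # Flesch-Kincaid grade level: 0.39*(words/sentences) + 11.8*(syllables/words) - 15.59
    grade = 0.39 * len(words) / len(sentences) + 11.8 * syllables / len(words) - 15.59
    return {
        "words": len(words),
        "sentences": len(sentences),
        "grade_level": grade,
        "too_long": len(words) > MAX_POLICY_WORDS,
        "hard_to_read": grade >= MAX_GRADE_LEVEL,
    }


def audit_consent_banner(banner: dict) -> list:
    """Flag preselected non-essential options, a missing 'reject all', and
    unequal styling of 'accept all' vs 'reject all' (a false hierarchy)."""
    findings = []
    for opt in banner.get("options", []):
        if not opt["essential"] and opt["default"]:
            findings.append(f"preselected:{opt['name']}")
    buttons = {b["label"].strip().lower(): b["style"] for b in banner.get("buttons", [])}
    accept, reject = buttons.get("accept all"), buttons.get("reject all")
    if accept is not None and reject is None:
        findings.append("missing_reject_all")
    elif accept is not None and reject is not None and accept != reject:
        findings.append("false_hierarchy")
    return findings


# Constructed inputs for the example.
SHORT_POLICY = "We keep your name. We do not sell it."
LONG_POLICY = ("Notwithstanding the foregoing, the organization may disclose "
               "aggregated, de-identified information to affiliated entities, "
               "service providers, and successors in accordance with applicable "
               "legislation. ") * 150
DARK_BANNER = {   # preselected tracking, no reject button, one prominent button
    "options": [
        {"name": "essential", "essential": True, "default": True},
        {"name": "analytics", "essential": False, "default": True},
        {"name": "marketing", "essential": False, "default": True},
    ],
    "buttons": [
        {"label": "Accept all", "style": "primary"},
        {"label": "Manage settings", "style": "link"},
    ],
}
NEUTRAL_BANNER = {   # privacy-protective defaults, equally styled accept/reject
    "options": [
        {"name": "essential", "essential": True, "default": True},
        {"name": "analytics", "essential": False, "default": False},
        {"name": "marketing", "essential": False, "default": False},
    ],
    "buttons": [
        {"label": "Accept all", "style": "primary"},
        {"label": "Reject all", "style": "primary"},
    ],
}

if __name__ == "__main__":
    for name, text in (("short", SHORT_POLICY), ("long", LONG_POLICY)):
        print(name, readability(text))
    print("dark banner:", audit_consent_banner(DARK_BANNER))
    print("neutral banner:", audit_consent_banner(NEUTRAL_BANNER))
```

Run it against the text of your own policy and a description of your own banner; the point is that the two most common findings in the Sweep (long, technical policies and preselected or prominently styled ‘accept all’ options) can be caught with a mechanical check during design review, before marketing copy and legal drafting reach production.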
The Sweep underscores the pervasive use of DDPs in digital interfaces targeted at both children and the general population. Given the findings, and the changing Canadian privacy landscape, organizations with websites and apps available in Canada should assess their platform interfaces and consider proactively amending their practices.
The GPEN sweeps are not simply information-gathering exercises by data protection authorities. The information gathered typically lays the groundwork for a high-profile enforcement action in the following 12-18 months. In anticipation of future enforcement action by privacy regulators, organizations should evaluate their digital properties now.
For more information on deceptive design elements and privacy risk, please reach out to Jaime Cardy or any member of Dentons’ Privacy and Cybersecurity group. Special thanks to Nikki Bhatia, an articling student in Dentons’ Toronto office, who was a significant contributor to this post.
[1] Global Privacy Enforcement Network, “GPEN Sweep 2024: ‘Deceptive Design Patterns’ Report,” available online: https://www.privacyenforcement.net/system/files/2024-07/GPEN%20Sweep%202024%20-%20%27Deceptive%20Design%20Patterns%27_0.pdf; Office of the Privacy Commissioner of Canada, “Office of the Privacy Commissioner of Canada Sweep Report 2024, Deceptive Design Patterns,” available online: https://www.priv.gc.ca/media/6299/opc-gpen-2024-eng.pdf.
[2] False Hierarchies: Design elements that emphasize certain options, such as making them larger or more colorful, to steer users towards less privacy-protective choices while making more privacy-friendly options less prominent and harder to select.
[3] Confirm-Shaming: The use of emotive language to guilt or shame users into making decisions that favor the organization, such as accepting less privacy-protective options.