ICO threatens enforcement action against websites with 'harmful' cookie banners
The joint effort with the CMA will see a greater focus placed on tackling privacy-unfriendly default settings and bundled consent options


The UK’s Information Commissioner’s Office (ICO) has called for an end to website design practices that it claims could harm users.
The regulator has singled out cookie consent banners as an example of where it will take action if it believes that consumers are being affected by harmful design. It went on to state that it would take enforcement action where it felt design choices would lead to risk or harm.
It said: “The ICO will be assessing cookie banners of the most frequently used websites in the UK and taking action where harmful design is affecting consumers”.
Cookie consent banners made an appearance in response to GDPR requirements. Their purpose is to give users a choice regarding the usage of cookies on a website.
A joint paper, set out in conjunction with the Competition Markets Authority (CMA), has documented how design practices can affect choice and control over personal information.
The design practices worrying the authorities include default settings - where a user must take active steps to change a predefined choice - and bundled consent - where a user is asked for consent for multiple purposes via a single option.
Defaults are among the strongest practices influencing user behavior, according to the ICO and CMA. This is because they require less effort from the user than making an active choice and imply a recommendation by the company or an indication that most users would choose them.
The ICO’s concerns relate to Article 25 of the UK GDPR, which requires a ‘data protection by design’ approach to the processing of personal data. Although a ‘default off’ approach is not mandated, not requiring the user to actively consent to more intrusive behavior will likely attract attention.
Similarly, the CMA worries that the use of defaults could lead to users making choices not in their best interests, for example, inadvertently enrolling into auto-renewing subscription plans.
Other practices causing concern include “harmful nudges,” where it is made easy for a user to make a poor choice, alongside “sludge,” where sites make it difficult for a user to select the option they wish.
The ICO warned that the practice infringed fairness and transparency regulations, although it accepted that “nudges” could also be beneficial to users in steering them through to good decisions, with friction or “sludge” also being useful if implemented to ensure a user understands the consequences of their action - for example, validating a bank transfer.
Finally, ‘confirmshaming’ and ‘biased framing’ were also singled out for criticism.
Confirmshaming is where 'good' and 'bad' choices are presented, and the user is therefore made to feel guilty or embarrassed for not choosing the company’s preferred option. Biased framing is where choices are presented in a manner that emphasizes the supposedly positive outcome of a given selection.

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.
Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.