ODPA staff took part in the Global Privacy Enforcement Network (GPEN) ‘privacy sweep’ earlier this year, joining data protection authorities from around the world to shine a light on a key area of privacy concern.
This year’s theme was the use of ‘deceptive design patterns’, also known as ‘dark patterns’, and for the first time the global sweep was carried out alongside consumer protection counterparts from the International Consumer Protection Enforcement Network (ICPEN). Here in the Bailiwick, the ODPA focused its sweep on gambling sites.
The sweep examined the following 5 indicators for dark pattern concerns:
1. Language use: how complex and/or confusing was the language for users to understand and make decisions about their personal data?
2. Interface interference: does the design of the app/website steer users to accept the least privacy protective option?
3. Nagging: does the app/website repeatedly prompt users to select the least privacy protective setting?
4. Obstruction: are there obstacles that prevent or dissuade users from both understanding how their personal information is used, and/or making privacy-protective decisions?
5. Forced action: are users tricked into providing their own personal data (or others’) to use the service?
In all, 19 websites and/or online apps operating under a gambling licence issued by the Alderney Gambling Control Commission (AGCC) were selected and checked against GPEN’s sweep criteria. All sites swept raised concerns about transparency and showed at least one indicator of deceptive design patterns. The key concerns identified locally are:
- In 42% of cases, the sweeper was unable to find the website or app’s privacy settings. The absence of privacy settings, or difficulty in locating them, prevents users from being in control of their data and altering the setting to be more privacy-friendly.
- While most sites had a privacy policy or data processing notice, they were largely found to be unnecessarily lengthy and/or complex. The Bailiwick’s Law requires that information is provided to individuals in a manner that they can understand. Lengthy documents and complex wording hinder comprehension.
- In many cases it was more difficult to delete an account than it was to create one. In some cases, this meant users had to escalate a request to exercise their right to erasure and/or to provide more information than had been required to set an account up.
The local results are consistent with findings of the global privacy sweep across multiple industries, with 97% of those sampled containing some form of ‘deceptive design pattern’.
“Dark patterns involve techniques that drive people down the least privacy-friendly route, leading users to give up more information than they may intend or thwarting attempts to delete data. Our sweep of the Bailiwick’s gambling sector raised such concerns”, Commissioner Brent Homan said. “We are reaching out to organisations in the gambling industry and look forward to hearing from them, with the steps they are taking to address our concerns.”
The ODPA has coordinated closely with the AGCC over the course of the sweep.
“The AGCC supports our regulatory colleagues at the ODPA on taking this valuable initiative to encourage compliance and foster consumer trust,” said Andrew Gellatly, AGCC executive director.
The aims of GPEN’s sweep include broadening public and corporate awareness of privacy rights and responsibilities, encouraging legal compliance and creating greater consumer trust by demonstrating a coordinated domestic and international regulatory presence.
---
About GPEN
GPEN was established in 2010 upon recommendation by the OECD. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members work together to strengthen personal privacy protections in this global context. The informal network is comprised of over 80 privacy enforcement authorities from around the world.
This year, 26 privacy enforcement authorities (“PEAs”) participated in the GPEN Sweep, examining 1,009 websites and apps*. Owing to the relevance of deceptive dark patterns (DDPs) to both privacy and consumer protection, for the first time, GPEN conducted the Sweep in coordination with the International Consumer Protection and Enforcement Network (ICPEN), with each network’s members looking at DDPs from their respective regulatory angle.
GPEN and ICPEN have collaborated previously, such as on the issuance of a joint news release concerning the Google Play Store, and the organisation of a joint enforcement capacity-building workshop in 2021. However, with a total number of 52 participating authorities (26 PEAs and 26 ICPEN authorities), this year’s Sweep represents the most extensive example of cross-regulatory cooperation between privacy and consumer protection authorities, to date.
This expanding cooperation between GPEN and ICPEN is in recognition of the increasing intersection of the two regulatory spheres in the digital economy.
* Specifically, participating PEAs reviewed 898 websites and 111 apps, noting that they may have independently examined different versions of websites and/or apps, such that the number of distinct websites and apps swept may be less than 1,009.