Bailiwick Data Protection Commissioner Brent Homan explains dark patterns and how they were detected in the gambling sector
Last month we announced the results of our participation in the Global Privacy Sweep, carried out alongside 52 data protection and consumer authorities from around the world. Collectively, we examined over a thousand websites and apps for harmful privacy practices known as “deceptive design patterns” or “dark patterns”.
In Guernsey we focused on the gambling sector, reviewing 19 online gaming sites and finding indicators of deceptive designs in all sites swept.
So first and foremost, what exactly are “dark patterns”?
In a nutshell, dark patterns involve techniques that drive people down the least privacy-friendly route, leading users to give up more information than they intend or thwarting attempts to delete data.
For example, have you ever felt that you were shamed or chased into sharing your personal information? Have you opted out of marketing emails just to be confronted with pop-up boxes that say, “are you sure you don’t want to save money by hearing about great deals from our company?” When confronted with an online offer, is the “YES” button large and flashy while the “no thanks” button is smaller, greyed out and less apparent? THAT is dark patterns in action.
And for our sweep of the Bailiwick's gambling sector, the following “dark pattern” concerns were raised:
In 42% of cases, the sweeper was unable to find the website or app’s privacy settings. The absence of privacy settings, or difficulty in locating them, prevents users from being in control of their information.
While most sites had a privacy policy, they were generally found to be unnecessarily lengthy and complex. Our law requires that information is provided to individuals in a manner that they can understand. Lengthy documents and complex wording hinder comprehension.
And finally, in many cases it was more difficult to delete an account than it was to create one. Let me elaborate on this important point with stories from our sweep experience:
In one instance during our sweep, a request was made through a gambling entity to delete an account that had been created in only a matter of seconds by providing basic details such as name, e-mail address etc.
As a principle, you should be able to delete an account as easily as you have created it. In this instance, that was not the case.
The sweeper seeking to delete the account was later contacted by e-mail detailing that the deletion request had been received and would be processed as an erasure request under the Law.
In addition to explaining the various circumstances where information may be retained, to effect the erasure, the organisation asked that a form be completed and returned to them, along with additional personal information by way of identity verification documents.
Neither the documents nor form were required to collect the personal data in the first instance. The organisation also noted that it may take up to a month to delete that data.
Clearly, we saw this as disproportionate when considering the speed at which the account was created, and we believe that simple changes can be made to improve processes like these, making them more user friendly and expedient.
In a similar instance, a sweeper made their account deletion request through an on-site chatbot, having been unable to find the ‘delete account’ option on the site.
The chatbot responded to clarify whether the request was: (i) to close the account (which can then be re-opened), (ii) for self-exclusion from gambling, or (iii) for deletion of account.
Upon confirming the deletion request, the chatbot indicated that the matter would be handed over to the data protection team, who would be in contact about next steps.
Through the sweep we made multiple erasure requests for various sites but only received one response back. Hmmm.
Once more, such convoluted and opaque procedures can be viewed as “barriers to deletion”, creating a situation whereby it is ‘easy to sign up for a gambling site, but hard to leave’.
But in addition to the data protection concerns that this raises, you can also consider the potential impact on the individuals themselves.
One could envision a situation where a person decides that they have developed a nasty gambling addiction, and they want to remove themselves from temptation and delete their account.
If this deletion becomes onerous, you can also imagine that same individual, in a moment of weakness, returning to the gambling site. If their account is still active, it is easier to pick that addiction back up again.
So, what’s next for the sweep and how do we improve the situation? Firstly, we have been coordinating closely with our regulatory counterparts in the Alderney Gambling Control Commission and appreciate their support on this matter. Secondly, we have reached out to organisations in the gambling industry to share our concerns and called on them to take action to address them. We look forward to hearing from them in the coming months and have already had one encouraging exchange.
Finally, while I have shared our experience on ‘dark patterns’ in examining the gambling sector, I would emphasise that the use of dark patterns remains pervasive and encourage all to pause and reflect on potential implications before clicking on that shiny red button or signing up to that tantalizing new service. Ask yourself: why do I need it, what am I getting, and importantly, what am I giving up?