The UK Information Commissioner's Office (ICO) and Competition and Markets Authority (CMA) have recently warned businesses to stop using harmful website and app design that violates data protection and consumer protection laws.

The UK regulators issued the warning alongside publication of a joint position paper on harmful design in digital markets. In particular, the position paper provides examples of design practices which the ICO and CMA consider potentially harmful. It also sets out the ICO's and CMA's expectations as to how businesses should present information and choices to users of digital services. Both regulators stressed their commitment to take formal enforcement action where necessary to protect consumers.

Businesses should proactively review the design of their websites and apps to ensure they do not contain harmful online designs which do not comply with the applicable data protection and consumer protection laws in the United Kingdom. The position paper also recommends that businesses test their design choices (for example through A/B testing or customer surveys) to help mitigate the risks of consumer harm. Businesses should also consider what steps they can take to ensure that developers of new websites and/or mobile apps comply with the regulatory expectations set out in the position paper.

Harmful online designs

The ICO and CMA included five categories of practices which could be potentially harmful:

  1. Harmful nudges and sludge: Incentivising users (nudge) to make ill-considered decisions or creating excessive friction (sludge) that makes it difficult for users to achieve what they want to do. An example of such a harmful practice is a cookie banner which does not offer an option to refuse non-essential cookies (such as a "Reject all" button) with the same ease as accepting the use of non-essential cookies (such as an "Allow all" button).
  2. Confirmshaming: Pressuring or shaming users into doing something by making them feel guilty or embarrassed, e.g. by suggesting there is a "good" and a "bad" choice.
  3. Biased framing: Presenting choices in a way that overly emphasises the benefits of a particular choice to make it more appealing to users, or the negative consequences of a particular choice to discourage users from selecting it.
  4. Bundled consent: Asking users to consent to the use of their personal data for multiple separate purposes or processing activities via a single consent option.
  5. Default settings: Applying a pre-defined choice that the user must take active steps to change (such as the use of pre-ticked boxes for receiving marketing materials or automatic renewal of subscriptions by default). While default settings can reduce user friction and align with user preferences, the ICO and CMA noted that such settings can also be used strategically to reduce the ability of users to make effective choices.

While the examples presented in the joint paper are illustrative only and are not a comprehensive list of practices which could be of concern to the ICO and CMA, businesses may find the description of the ICO's and CMA's concerns for each of the examples helpful when assessing their own websites and mobile applications.

Enforcement by regulators

The joint paper makes clear that businesses face an increased risk of regulatory action from the ICO and/or the CMA where they do not meet the regulators' expectations and there is a potential for harm to consumers. This builds on the significant work already undertaken by the ICO and the CMA to date. For example, last year the CMA published detailed studies in the area of online choice architecture.1 It has also taken enforcement action on the basis of its existing powers against businesses for using misleading online practices.2 In future, under the Digital Markets, Competition and Consumers Bill introduced to Parliament by the UK Government in April 2023, the CMA will (if the legislation is adopted in its proposed form) gain new powers to impose sanctions directly for breaches of certain consumer protection laws for the first time, without having to go to court. Under the draft legislation, the CMA would be able to impose fines for breaching consumer protection law of up to 10% of annual global turnover (if any) or £300,000 (whichever is higher).3 It may well be that the CMA is using the period before implementation of the new legislation to urge businesses to put their houses in order before the CMA starts to exercise its strengthened enforcement powers, potentially in the course of next year.

The ICO previously indicated that it would be assessing cookie banners of the most frequently visited websites and take action, where necessary, under its enforcement powers to ensure compliance with cookie rules and UK data protection legislation.4 In the joint paper, the ICO also stressed that it will take formal enforcement action where necessary to protect people's information and privacy rights, particularly where design practices lead to risks or harm in the case of potentially vulnerable people.

More regulatory collaboration to come

The collaboration of the ICO and the CMA to produce the joint position paper is an example of the increased coordination among UK regulators under the umbrella of the Digital Regulation Cooperation Forum (DRCF).

We are likely to see more such joint guidance from UK regulators in the future, especially in areas with significant regulatory overlaps, for example the regulation of the use of artificial intelligence as set out in the UK Government's AI White Paper. Interestingly, in the CMA's initial report into AI foundation models published on 18 September 2023,5 the CMA has proposed "principles which aim to ensure consumer protection and healthy competition are at the heart of responsible development and use of foundation models". In its press release, the CMA acknowledges that this is only the start of its work in this area and that one topic into which it needs to delve further is the relationship between AI and data protection and security. No doubt this work will involve close partnership with the ICO.

These UK developments come in parallel with a step up in regulation of the online space in the European Union, most notably with the coming into force of the EU Digital Markets Act and its sister legislation, the EU Digital Services Act, which seek to ensure fair and safe online markets for consumers.6 The regulatory landscape for online businesses is looking increasingly complex and multi-faceted on both sides of the Channel.

Originally published 27 September, 2023

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.