Cookie consent: 5 harmful designs from UK Regulators’ guidance
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), and consumer protection regulator, the Competition and Markets Authority (CMA), have published a joint position paper on “harmful design in digital markets”.
The paper provides an insight into how these two regulators interpret the law in areas such as cookie consent banners, online interfaces, and other aspects of what they call “choice architecture”.
This article explores five design techniques deemed “harmful” by these two UK regulators.
Five types of harmful design
The ICO and CMA identify five broad types of harmful design:
- Harmful nudges and sludge: Making it easier or harder for the user to make a given choice.
- Confirmshaming: Pressuring or “guilt-tripping” the user into making a particular choice.
- Biased framing: Presenting choices in a way that emphasises one choice over another.
- Bundled consent: Requesting consent for multiple separate purposes at once.
- Default settings: Forcing the user to opt out of predetermined choices.
These types of design choices are often called “dark patterns”.
The common factor among each of the above design choices is that they can result in harm or increased risks to the user’s privacy or financial situation.
Let’s look in more detail at each of these five types of harmful design.
1. Harmful nudges and sludge
- Harmful nudges: Making it easy to make a “bad” choice: A choice that is potentially beneficial to the company but detrimental to the user.
- Sludge: Making it hard to make a “good” choice: A choice that is potentially detrimental to the company but beneficial to the user.
“When harmful nudge or sludge techniques are used, consumers may make choices they wouldn’t otherwise have made and that do not align with their best interests or preferences…”
ICO and CMA ‘Harmful Designs’ Position Paper, p. 12
Example
A user visits a website. A cookie banner asks the user to choose their preferred cookies.
The choice to “Accept all cookies” requires one click. The choice to “Reject all cookies” is hidden behind a “Settings” button and requires multiple clicks.
Accepting all cookies reveals information about the user’s browsing habits and preferences—benefitting the company but potentially harming the user’s privacy.
Key takeaway
Make it as easy to reject cookies as it is to accept them.
2. Confirmshaming
Offering a supposed choice, but making the user feel guilty, embarrassed, or foolish if they select the “wrong” option.
“Confirmshaming practices can ultimately adversely affect users’ choices, for example, by causing them to agree to the use of their personal information in a way that they would not otherwise agree to.”
ICO and CMA ‘Harmful Designs’ Position Paper, p. 17
Example
A user visits a website. A popup invites the user to subscribe to the website operator’s newsletter, which will provide access to discounts. To dismiss the popup, the user can either:
- Provide their email address and click “Subscribe”, or
- Click a text button that reads: “No thanks, I don’t want to save money”.
Key takeaway
Present choices in a way that lets the user make an informed and objective decision.
3. Biased framing
Attempting to influence a user’s choices by presenting options in a positive or negative light.
- Positive framing: Presenting one or more options more favorably than others.
- Negative framing: Presenting one or more options less favorably than others.
“The misuse of positive and negative framing techniques can lead users to make ill-informed choices, distorting their decision-making by nudging them towards the more favorably framed choice (or away from the unfavorably framed choice).”
ICO and CMA ‘Harmful Designs’ Position Paper, p. 18
Example
A user visits a website. A cookie banner requests the user’s consent for marketing cookies.
The banner states that clicking “Accept” will result in “tiny, harmless files called ‘cookies’” being set on the user’s device in order to “make the website better”, while clicking “Reject” might result in “less relevant, more annoying ads”.
Key takeaway
Use a neutral tone and be honest when offering users choices.
4. Bundled consent
Using one consent request to ask a user’s permission to use their personal data for multiple, separate purposes.
“Bundling multiple personal data processing activities or purposes into a single consent request can make it difficult for users to understand exactly what they are agreeing to and can make it more difficult for them to exercise granular control over their personal information.”
ICO and CMA ‘Harmful Designs’ Position Paper, p. 21
Example
A user visits a website. A cookie popup asks the user to “Confirm (their) account settings”.
The user has two choices:
- “Reject”: Set essential cookies only.
- “Accept”: Set cookies for analytics, first-party marketing, third-party marketing, and user-interface preferences.
Key takeaway
Get consent for each purpose separately.
5. Default settings
Applying potentially harmful settings by default, requiring the user to adjust their settings in order to opt out.
“A user can be dissuaded from changing the default setting because they need to dig deep into a service’s settings to make adjustments, or even need to contact the service via a different means…”
ICO and CMA ‘Harmful Designs’ Position Paper, p. 24
Example
A fitness app allows users to track their workouts. The app provides an option to publicly post personal records and running routes.
The “Public post” option is enabled by default, exposing the user’s personal data. Users must adjust their settings to use “Private” mode.
Key takeaway
Apply the most privacy-protective settings by default.
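As an added example (not code from the ICO/CMA paper or from Cassie), the small JavaScript consent model below applies the takeaways from sections 1, 4 and 5 together: one stored decision per purpose, using the purpose names from the bundled-consent example; every optional purpose denied until the user acts; and “Accept all” and “Reject all” as equally cheap single actions. The purpose identifiers and function names are assumptions made for this illustration.

```javascript
// Added illustration; purpose identifiers below are assumed names for the
// categories listed in the article's bundled-consent example.
const PURPOSES = Object.freeze([
  "analytics", "marketing_first_party", "marketing_third_party", "ui_preferences",
]);

// Default settings (section 5): every optional purpose starts as "denied".
// Essential cookies are set without consent, so they are not in the record.
function defaultConsent() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

// Granular consent (section 4): a decision names exactly one known purpose.
// A bundled request (several purposes in one decision) is refused so it
// cannot silently switch on purposes the user never chose individually.
function recordDecision(consent, decision) {
  const purposes = Object.keys(decision);
  if (purposes.length !== 1 || !PURPOSES.includes(purposes[0])) {
    throw new Error(`bundled or unknown consent request: ${purposes.join(",")}`);
  }
  const [purpose] = purposes;
  // Only an explicit boolean true counts as consent; anything else is a denial.
  return { ...consent, [purpose]: decision[purpose] === true };
}

// Equal effort (section 1): accepting and rejecting everything are each one
// action, so rejecting never costs the user more steps than accepting.
function acceptAll() {
  return Object.fromEntries(PURPOSES.map((p) => [p, true]));
}
function rejectAll() {
  return defaultConsent();
}

// Gate for the code that actually sets a cookie: essential is always allowed,
// anything else only with an explicit per-purpose "true" in the record.
function mayStore(consent, purpose) {
  if (purpose === "essential") return true;
  return consent[purpose] === true;
}

// Constructed sample run: the user allows analytics only.
const sampleState = recordDecision(defaultConsent(), { analytics: true });
console.log(sampleState, mayStore(sampleState, "marketing_third_party"));
```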