- 30 Jul 2024
- •
- 3 min read
Is your website or app breaching data protection law?
The Information Commissioner’s Office (ICO) has recently announced that “there is some form of harmful design found in more than 75% of websites and apps”. This was the outcome of a sweep of over 1,000 websites and apps, the results of which were published by the Global Privacy Enforcement Network (GPEN) of which the ICO is part.
This announcement follows the ICO’s work in relation to non-compliant website cookie banners at the end of 2023, which focused on the need for organisations to make it as easy for users to “reject all” non-essential cookies as it is to “accept all”.
In data protection terms harmful designs are of concern as they can have the effect of data subjects giving up more of their personal data than they otherwise might. In response to these results the ICO is now “calling for businesses to stop using design practices that could undermine people’s control over their personal information”.
Key issues identified by the website / app sweep were:
1. Obstruction – the practice of putting extra steps in place to discourage a certain action. For example more clicks being required to reject cookies than accept them. In nearly 40% of cases, the sweep found obstacles to making privacy choices or accessing privacy information, such as finding privacy settings or deleting accounts.
2. Interface interference – this occurs when there is manipulation of the user interface in a website or app that alters the user’s perception and understanding of their options in relation to their personal data. For example pre-ticked acceptance boxes for all cookies or making an ‘accept’ cookies button more prominent than the ‘reject all’ button by using different button sizes, colours and fonts for the two options. The sweep found 42% of websites and apps used emotionally charged language to influence user decisions relating to privacy and 57% made the least privacy protection option the most obvious and easiest option for users to select.
In relation to these two issues the ICO is encouraging organisations to read this joint paper it published with the Competitions and Markets Authority in 2023.
3. Forcing users to accept cookies if they wanted to access the website or app (known as a ‘cookie wall’).
4. Privacy notices were difficult for data subjects to read and understand. The sweep found that over 89% of privacy notices were too long or used complex language.
5. More than half of websites and apps viewed as part of the sweep had no clear option for people to delete their account. In over 55% of cases, users were unable to locate the option to delete their account and in the remaining cases where users were able to find the option to delete their account, users were often required to submit a written request to have their account deleted. 35% of websites and apps repeatedly asked users to reconsider their intention to delete their accounts and 9% of websites and apps forced users to disclose more personal information when trying to delete their accounts. Generally speaking best practice now for e-commerce sites is to give the user the option of a “guest checkout” which doesn’t require the setting up of an account, which generally means the data subject provides less personal data and the personal data that it does provide shouldn’t be kept for as long.
The GPEN is encouraging organisations to develop design and default settings that protect personal data, including:
- an emphasis on privacy options;
- neutral language and design to present privacy choices in a fair and transparent manner;
- fewer clicks to find privacy information, log out, or delete an account; and
- ‘just in time’ contextually relevant consent options.
You can read the GPEN report here.
Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.
If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].