
Is your website or app breaching data protection laws?


Recent findings by the Information Commissioner’s Office (ICO) reveal that over 75% of websites and apps exhibit some form of harmful design, raising compliance risks for businesses. The findings, published as part of the Global Privacy Enforcement Network (GPEN) sweep, examined more than 1,000 websites and apps.

This follows the ICO’s late 2023 focus on non-compliant cookie banners, which emphasised making it equally straightforward for users to “reject all” non-essential cookies as it is to “accept all.” The ICO is urging organisations to eliminate design practices that undermine individuals’ control over their personal data.

For in-house counsel, this highlights the importance of proactive measures to ensure digital platforms align with UK data protection laws.

Key Compliance Risks Identified

1. Obstruction
Practices that discourage privacy-friendly actions, such as requiring extra steps to reject cookies. The sweep found:

  • 40% of websites introduced obstacles to accessing privacy options.
  • Examples included hard-to-find privacy settings and complex account deletion processes.

2. Interface Interference
Manipulative user interface designs alter users’ perceptions or decisions about their data. For instance:

  • Pre-ticked boxes for cookie consent.
  • Unequal prominence of “accept” vs. “reject” cookie buttons.
  • Emotionally charged language influencing privacy choices (42% of cases).
  • Making less privacy-friendly options the default (57% of cases).

Organisations have been encouraged to review the joint paper by the ICO and the Competition and Markets Authority (CMA) for guidance on eliminating these practices.

3. Cookie Walls
Forcing users to accept cookies as a condition for accessing content remains non-compliant.
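The consent handling that sections 1 to 3 describe, as an added example that is not part of the original article or of the ICO/GPEN report: nothing is pre-ticked, "accept all" and "reject all" are symmetric single actions, and non-essential cookies are only written after an explicit choice. The category names, cookie names and the in-memory cookie "jar" are constructed for illustration; a real banner would wrap document.cookie or server-set cookies rather than a Map.

```javascript
// Added example, not code from the article or from the ICO/GPEN report.
// Category names, cookie names and the Map-based "jar" are constructed.

const ESSENTIAL = new Set(["necessary"]);         // exempt from consent
const NON_ESSENTIAL = ["analytics", "marketing"]; // need an explicit opt-in

// Privacy-first default: no category pre-ticked and no decision recorded.
function initialConsent() {
  const consent = { decided: false };
  for (const c of NON_ESSENTIAL) consent[c] = false;
  return consent;
}

// "Accept all" and "Reject all" are symmetric single actions, so the banner
// can offer them with equal prominence and an equal number of clicks.
function acceptAll(consent) {
  const next = { ...consent, decided: true };
  for (const c of NON_ESSENTIAL) next[c] = true;
  return next;
}

function rejectAll(consent) {
  const next = { ...consent, decided: true };
  for (const c of NON_ESSENTIAL) next[c] = false;
  return next;
}

// Gate every write: essential cookies always pass; a non-essential cookie
// passes only after an explicit decision that includes its category. Keying
// on `decided` as well as the flag means a pre-ticked box on its own never
// releases a cookie.
function mayWrite(consent, category) {
  if (ESSENTIAL.has(category)) return true;
  return consent.decided === true && consent[category] === true;
}

// Reconcile the jar (Map of name -> {category, value}) with current consent:
// gate new writes, and remove anything already present whose category is no
// longer permitted, so "reject all" also clears cookies set under an earlier
// "accept".
function applyConsent(jar, consent, wanted) {
  for (const [name, cookie] of wanted) {
    if (mayWrite(consent, cookie.category)) jar.set(name, cookie);
  }
  for (const [name, cookie] of [...jar]) {
    if (!mayWrite(consent, cookie.category)) jar.delete(name);
  }
  return jar;
}

// The record of the user's choice is itself strictly necessary, so it can be
// stored without consent; it carries only the categories the user chose.
function recordDecision(jar, consent) {
  const chosen = NON_ESSENTIAL.filter((c) => consent[c]);
  jar.set("cookie_consent", { category: "necessary", value: chosen.join(",") });
  return jar;
}

// Constructed set of cookies the site would like to set.
const WANTED = new Map([
  ["session", { category: "necessary", value: "abc123" }],
  ["_ga", { category: "analytics", value: "GA1.2.1" }],
  ["ad_id", { category: "marketing", value: "xyz" }],
]);

// Walk through the banner flow; return the cookie names present before and
// after the user's choice ("accept" or "reject").
function bannerFlow(choice) {
  const jar = new Map();
  let consent = initialConsent();
  applyConsent(jar, consent, WANTED); // page load: only "session" is written
  const beforeChoice = [...jar.keys()].sort();
  consent = choice === "accept" ? acceptAll(consent) : rejectAll(consent);
  recordDecision(applyConsent(jar, consent, WANTED), consent);
  const afterChoice = [...jar.keys()].sort();
  return { beforeChoice, afterChoice };
}

// Accepting and later rejecting must remove what the earlier accept released.
function acceptThenReject() {
  const jar = new Map();
  applyConsent(jar, acceptAll(initialConsent()), WANTED);
  applyConsent(jar, rejectAll(initialConsent()), WANTED);
  return [...jar.keys()].sort();
}
```

The point a reviewer of a banner implementation checks is the gate: the decision to write a non-essential cookie depends on an explicit, recorded choice, never on the initial state of a checkbox, and reconsidering that choice removes cookies as well as preventing new ones.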

4. Unreadable Privacy Notices
Over 89% of privacy notices were deemed too lengthy or complex, hindering users’ ability to make informed decisions.

5. Barriers to Account Deletion
The sweep identified significant issues with account deletion processes:

  • 55% of websites lacked a clear account deletion option.
  • Many required written requests or introduced unnecessary steps to discourage deletion.
  • Best practice now includes offering “guest checkout” options for e-commerce sites, limiting data collection and retention.

GPEN Recommendations
To ensure compliance and user trust, organisations are recommended to adopt:

  • Privacy-first default settings: Present privacy options clearly and neutrally.
  • Streamlined access: Minimise clicks to locate privacy settings, log out or delete accounts.
  • Transparent communication: Use simple language in privacy notices and consent requests.
  • Just-in-time consent: Provide relevant, contextual prompts for data consent.

You can read the full GPEN report here.

Disclaimer

This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.
