A recent global privacy sweep has uncovered that nearly all of over 1,000 websites and mobile apps examined utilize deceptive design patterns to influence users' privacy decisions. The findings were part of a collaborative effort involving the Office of the Information and Privacy Commissioner (OIPC) of Alberta and 25 other privacy enforcement authorities worldwide.Deceptive design patterns, which steer users towards sharing more personal information, often complicate processes such as accessing privacy policies, logging out, or deleting accounts. These patterns also deploy repetitive prompts to frustrate users into disclosing more information than intended.The Global Privacy Enforcement Network (GPEN) Sweep, conducted from January 29 to February 2, included participants from various privacy authorities, including Alberta's OIPC. "Participation in this project was an important priority for our office," said Diane McLeod, Information and Privacy Commissioner of Alberta. She noted that their focus was on apps used in education, with support from the Calgary and Edmonton school boards.This year's sweep was the first to be coordinated with the International Consumer Protection and Enforcement Network (ICPEN), highlighting the overlap between privacy and consumer protection issues. Both networks published reports on their findings, emphasizing the widespread use of techniques that hinder individuals' ability to protect their privacy or consumer rights.During the sweep, participants engaged with websites and apps to evaluate the ease of making privacy choices, obtaining privacy information, and managing accounts. The OIPC of Alberta collaborated with other Canadian privacy commissioners on a special chapter concerning children's privacy. "We identified several concerning trends," McLeod stated, pointing out that none of the privacy policies reviewed were understandable to children, with many exceeding 10,000 words.The GPEN report assessed sites and apps based on five indicators of deceptive design patterns identified by the Organisation for Economic Co-operation and Development (OECD):Complex and confusing language: Over 89% of privacy policies were lengthy and used complex language suitable for those with a university education.Interface interference: 42% used emotionally-charged language to influence user choice, and 57% made the least privacy-protective option the most obvious.Nagging: 35% repeatedly asked users to reconsider deleting their accounts.Obstruction: Nearly 40% created obstacles to finding privacy settings or deleting accounts.Forced action: 9% required users to disclose more personal information when deleting their account than when creating it.The sweep was not an investigation and did not aim to find confirmed violations of privacy laws. However, issues identified may lead to further outreach and potential enforcement actions by individual GPEN members. GPEN encourages organizations to design platforms that support informed privacy choices, with default settings that protect privacy, neutral language, fewer clicks to access privacy information, and contextually relevant consent options.The Office of the Privacy Commissioner of Canada (OPC), which chaired this year's sweep, along with GPEN and ICPEN, published detailed reports on their findings. The reports highlight the importance of building user trust through transparent and user-friendly privacy practices.For more information, read the OPC news release, the GPEN news release and report, and the ICPEN news release and report.
A recent global privacy sweep has uncovered that nearly all of over 1,000 websites and mobile apps examined utilize deceptive design patterns to influence users' privacy decisions. The findings were part of a collaborative effort involving the Office of the Information and Privacy Commissioner (OIPC) of Alberta and 25 other privacy enforcement authorities worldwide.Deceptive design patterns, which steer users towards sharing more personal information, often complicate processes such as accessing privacy policies, logging out, or deleting accounts. These patterns also deploy repetitive prompts to frustrate users into disclosing more information than intended.The Global Privacy Enforcement Network (GPEN) Sweep, conducted from January 29 to February 2, included participants from various privacy authorities, including Alberta's OIPC. "Participation in this project was an important priority for our office," said Diane McLeod, Information and Privacy Commissioner of Alberta. She noted that their focus was on apps used in education, with support from the Calgary and Edmonton school boards.This year's sweep was the first to be coordinated with the International Consumer Protection and Enforcement Network (ICPEN), highlighting the overlap between privacy and consumer protection issues. Both networks published reports on their findings, emphasizing the widespread use of techniques that hinder individuals' ability to protect their privacy or consumer rights.During the sweep, participants engaged with websites and apps to evaluate the ease of making privacy choices, obtaining privacy information, and managing accounts. The OIPC of Alberta collaborated with other Canadian privacy commissioners on a special chapter concerning children's privacy. "We identified several concerning trends," McLeod stated, pointing out that none of the privacy policies reviewed were understandable to children, with many exceeding 10,000 words.The GPEN report assessed sites and apps based on five indicators of deceptive design patterns identified by the Organisation for Economic Co-operation and Development (OECD):Complex and confusing language: Over 89% of privacy policies were lengthy and used complex language suitable for those with a university education.Interface interference: 42% used emotionally-charged language to influence user choice, and 57% made the least privacy-protective option the most obvious.Nagging: 35% repeatedly asked users to reconsider deleting their accounts.Obstruction: Nearly 40% created obstacles to finding privacy settings or deleting accounts.Forced action: 9% required users to disclose more personal information when deleting their account than when creating it.The sweep was not an investigation and did not aim to find confirmed violations of privacy laws. However, issues identified may lead to further outreach and potential enforcement actions by individual GPEN members. GPEN encourages organizations to design platforms that support informed privacy choices, with default settings that protect privacy, neutral language, fewer clicks to access privacy information, and contextually relevant consent options.The Office of the Privacy Commissioner of Canada (OPC), which chaired this year's sweep, along with GPEN and ICPEN, published detailed reports on their findings. The reports highlight the importance of building user trust through transparent and user-friendly privacy practices.For more information, read the OPC news release, the GPEN news release and report, and the ICPEN news release and report.