A global privacy enforcement sweep, involving Jersey’s data protection regulator, has examined over 1,000 websites and mobile applications.
Nearly all of the websites and apps examined were found to employ one or more deceptive design patterns, complicating users’ ability to make privacy-protective choices.
The annual Global Privacy Enforcement Network (GPEN) Sweep took place earlier this year and involved participants, or ‘sweepers’, from 26 privacy enforcement authorities worldwide, including the Jersey Office of the Information Commissioner (JOIC). The sweep is aimed at increasing awareness of privacy rights and responsibilities, encouraging compliance with privacy legislation and enhancing cooperation between international privacy enforcement authorities. This year’s sweep was chaired by the Office of the Privacy Commissioner of Canada and saw the JOIC review the websites of local businesses ranging from construction to retail and health and beauty.
Both GPEN and the International Consumer Protection and Enforcement Network (ICPEN), which are working together to improve privacy and consumer protection for individuals around the world, published reports today outlining their findings.
Those involved in the privacy sweep replicated the user experience by engaging with websites and apps to assess the ease with which they could make privacy choices, obtain privacy information, and log out of or delete an account.
Sweepers evaluated the sites and apps based on five indicators identified by the Organisation for Economic Co-operation and Development (OECD) as being characteristic of deceptive design patterns.
For each indicator, the GPEN report found:
- Complex and confusing language: More than 89% of privacy policies were found to be long or use complex language suited for those with a university education.
- Interface interference: When asking users to make privacy choices, 42% of websites and apps swept used emotionally charged language to influence user decisions, while 56% made the least privacy protective option the most obvious and easiest for users to select.
- Nagging: 35% of websites and apps repeatedly asked users to reconsider their intention to delete their account.
- Obstruction: In nearly 40% of cases, sweepers faced obstacles in making privacy choices or accessing privacy information, such as trying to find privacy settings or delete their account.
- Forced action: 9% of websites and apps forced users to disclose more personal information when trying to delete their account than they had to provide when they opened it.
JOIC Operations Director Anne King said: “We support this collaboration with our international counterparts to broaden our understanding of global privacy trends and learn from the findings. When designing websites, data protection and privacy should be considered from the outset using a ‘Data Protection by Design’ approach, ensuring data protection and privacy issues are considered at the design phase of any system, service, product or process. This culture of privacy awareness should also take into account user experience, ensuring consumers are equipped to make privacy informed decisions, easily.”