
Website Design Legal Guideline under ICO and CMA Regulations

Writer: ILLIA PROKOPIEV

The Information Commissioner's Office (ICO) and the Competition and Markets Authority (CMA) recently issued a joint position paper titled "Harmful Design in Digital Markets," shedding light on issues arising from harmful website architecture (link below).


This guideline outlines the salient points and legal implications covered in the position paper.


Key Objectives of the ICO and CMA Joint Position Paper


The paper primarily focuses on two aims:

  1. Empower User Control: Ending website designs and practices that undermine people's control over their personal information.

  2. Promote Informed Decisions: Making it easier for users to make informed decisions that serve both consumer and competition interests.

Legal Framework: Know Your Regulations

  • UK GDPR (Article 5(1)(a), Article 7): Concerns the lawfulness and consent related to data protection.

  • Privacy and Electronic Communications Regulations (PECR) (Regulation 6): Concerns the consent required for tracking cookies and other data storage mechanisms.

Categories of Harmful Practices


Harmful Nudges and Sludge
  • Definition: Tactics that prompt users to make inadvertent or ill-considered choices, such as misleading cookie consent banners.

  • Legal Violation: Infringes both Article 5(1)(a) of the UK GDPR and Regulation 6 of PECR.

Confirmshaming
  • Definition: Using suggestive language or incentives that induce guilt or embarrassment for not sharing personal information.

  • Legal Violation: Infringement of UK GDPR on the grounds of a lack of fairness and consent not freely given.

Biased Framing
  • Definition: Presenting choices in a skewed light, thereby not providing users with balanced information.

  • Legal Violation: Breaches Article 5(1)(a) (lawfulness) and Article 7 of the UK GDPR for invalid consents.

Bundled Consent
  • Definition: Combining consents for multiple purposes into a single option, thereby restricting user choice.

  • Legal Violation: Violates the 'lawfulness' requirements of Article 5(1)(a) and PECR Regulation 6.

Default Settings

Defaults in digital environments are potent tools that dramatically influence user behavior. A pre-selected default option is 27% more likely to be chosen than if no default option were available.

Potential Risks:

  • Infringing on User's Autonomy: Not allowing a user to change defaults easily could lead to a loss of control over their personal data.

  • Data Privacy: Default settings that share user data more widely than the user realizes can lead to violations of privacy laws.

  • Consumer and Competition Law: Misleading or restrictive default settings could also result in violations of competition laws.

Ethical and Behavioral Implications of Default Settings
  • Status Quo Bias: Defaults leverage users' tendency to stick with the current or previous decision.

  • Endowment Effect: Users consider the default as their actual choice, using it as a reference point for future decisions.

  • Implied Endorsement: A default might give the impression that it is the recommended or popular option, which could be misleading.

Best Practices for Website Owners and Developers


Four Key Questions to Inform Design Choices
  1. Is the user at the heart of the design choices?

  2. Does the design empower user choice and control?

  3. Have the design choices been rigorously tested and trialed?

  4. Does the design comply with data protection, consumer, and competition law?

Give Users Control
  • Easy to Change: Make sure users can easily change the default settings.

  • Clarity: Clearly indicate what each default setting means for the user's privacy and data.

  • Granular Choices: Offer users more granular control over their options rather than bundling them together.

Testing & Documentation
  • User-Centric Design: Continuously test how users interact with default settings.

  • Documentation: Keep records to show that you’ve considered ethical and legal obligations in your design choices.

Regulatory Implications

  • The ICO will assess the cookie banners of frequently used websites in the UK, taking action where necessary.

  • A failure to respond to these expectations will increase the risk of regulatory actions.

Link to the Position Paper.

The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.



© 2024 by Prokopiev Law Group
