GPEN Sweep finds majority of websites and mobile apps use deceptive design to influence privacy choices

July 9, 2024

Information and Privacy Commissioner of Alberta participated in research that led to today’s conclusions

A global privacy sweep that examined more than 1,000 websites and mobile applications (apps) has found that nearly all of them employed one or more deceptive design patterns that made it difficult for users to make privacy-protective decisions. The Office of the Information and Privacy Commissioner (OIPC) of Alberta was one of the organizations that participated in the work that led to the reports being released today.

Deceptive design patterns use features that steer users toward options that may result in the collection of more of their personal information. These patterns may also force users to take multiple steps to find a privacy policy, log out, or delete their account. The patterns may also present users with repetitive prompts aimed at frustrating them and ultimately pushing them to give up more personal information than they would like.

This year’s annual Global Privacy Enforcement Network (GPEN) Sweep took place between January 29 and February 2, 2024. It involved participants, or “sweepers,” from 26 privacy enforcement authorities from around the world, including Alberta’s OIPC.

“Participation in this project was an important priority for our office,” said Information and Privacy Commissioner of Alberta, Diane McLeod. “As stated in our 2024-27 Business Plan, one of our key priorities is to provide information and support to improve the protection of personal and health information, including opportunities to enhance education and protections for children and youth. Our role in this project was to focus on scanning apps used in education and educational games, including apps suggested by the Calgary and Edmonton school boards.”

For the first time, the GPEN Sweep was coordinated with the International Consumer Protection and Enforcement Network (ICPEN), which represents consumer protection authorities. The collaboration recognizes the growing intersection between privacy and other regulatory spheres. In the case of deceptive design patterns, it was clear to both privacy and consumer protection sweepers that many websites and apps employ techniques that interfere with individuals’ ability to make choices that best protect their privacy or consumer rights.

Both GPEN and ICPEN, who are working together to improve privacy and consumer protection for individuals around the world, published reports today outlining their findings.

Those involved in the privacy sweep replicated the user experience by engaging with websites and apps to assess the ease with which they could make privacy choices, obtain privacy information, and log out of or delete an account.

“Our office worked with the Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner for British Columbia on a special chapter on children’s privacy,” added McLeod. “We identified a number of concerning trends. For example, not a single privacy policy found in our part of the scan is likely to be understandable to children. They all scored as having high complexity and being exceedingly lengthy, sometimes as long as 10,000 words. Also, most apps that we scanned had third party/social media log-in functions, which are convenient for the app developer and for the person logging in, but it is worth noting that the third party/social media organization comes to know a lot about the user over time.”

Sweepers evaluated the sites and apps based on five indicators identified by the Organisation for Economic Co-operation and Development (OECD) as being characteristic of deceptive design patterns.

For each indicator, the GPEN report found:

  • Complex and confusing language: More than 89% of privacy policies of the websites and apps swept were found to be long or use complex language suited for those with a university education.
  • Interface interference: 42% of the websites and apps swept used emotionally-charged language to influence user choice, while 57% made the least privacy-protective option the most obvious.
  • Nagging: 35% of websites and apps repeatedly asked users to reconsider their intention to delete their account.
  • Obstruction: In nearly 40% of cases, sweepers faced obstacles in trying to find privacy settings or delete their account.
  • Forced action: 9% of the websites and apps forced users to disclose more personal information when trying to delete their account than they had to provide when they opened it.

What is next?

The sweep was not an investigation, nor was it intended to generate formal findings regarding confirmed violations of privacy legislation. However, as in previous years, concerns identified during the sweep could result in follow-up work such as outreach to organizations and may also lead to the initiation of enforcement action to address identified concerns. Decisions on further specific enforcement action will be made by each GPEN member independently.

GPEN encourages organizations to design their platforms, including associated privacy communications and choices, in a manner that supports users in making informed privacy choices that reflect their preferences. Good design includes default settings that best protect privacy; an emphasis on privacy options; neutral language and design to present privacy choices in a fair and transparent manner; fewer clicks to find privacy information, log out, or delete an account; and ‘just-in-time’ contextually-relevant consent options. By offering users online experiences that are free from influence, manipulation, and coercion, organizations can build user trust and make privacy a competitive advantage.

Read the news release from the Office of the Privacy Commissioner of Canada (OPC) here.
This includes references to the sweep work done by the OPC, the OIPC of Alberta and the OIPC for British Columbia, as well as a link to the OPC Sweep Report.

Read the GPEN news release and report here.

Read the ICPEN news release and report here.

About GPEN

GPEN was established in 2010 upon recommendation by the OECD. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity rely on the seamless flow of personal information across borders. Its members work together to strengthen personal privacy protections in this global context. The informal network is comprised of over 80 privacy enforcement authorities from around the world.

The privacy sweep is an annual initiative aimed at increasing awareness of privacy rights and responsibilities, encouraging compliance with privacy legislation, and enhancing cooperation between international privacy enforcement authorities. This year’s sweep was chaired by the Office of the Privacy Commissioner of Canada.

About the OIPC of Alberta

The Office of the Information and Privacy Commissioner of Alberta is a member of GPEN. The office performs the responsibilities set out in the Personal Information Protection Act (PIPA), the Health Information Act and the Freedom of Information and Protection of Privacy Act. The Commissioner operates independently of government.

For more information:

Elaine Schiman
Communications Manager
Office of the Information and Privacy Commissioner of Alberta
Mobile: (587) 983-8766