The ICO exists to empower you through information.

The Information Commissioner’s Office (ICO) and Competition and Markets Authority (CMA) are calling for businesses to stop using harmful website designs that can trick consumers into giving up more of their personal data than they would like.

Practices include overly complicated privacy controls, default settings that give less control over personal information and bundling privacy choices together in ways that push consumers to share more data than they would otherwise wish to do. Where consumers lack effective control over how their data is collected and used, this can harm consumers and also weaken competition.

These techniques encourage consumers to make decisions over their personal data as soon as they visit a website – from providing their contact information in exchange for discounts, right through to giving up their control over what advertising is targeted at them through accepting cookies, tiny files that are downloaded onto web users’ computers.

Lack of consumer control over cookies is a common example of harmful design. The ICO will be assessing cookie banners of the most frequently used websites in the UK, and taking action where harmful design is affecting consumers.

ICO research shows that 90% of people are concerned about their personal information being used without their permission, with 50% of people not happy about their personal information being used to suggest adverts to them.

Stephen Almond, Executive Director of Regulatory Risk at the ICO, said: 

“Some of these design practices are so subtle and have gone on for so long, you wouldn’t even realise you’re handing over your personal information until it’s too late – and it’s possible these techniques are embedded into thousands of websites across the UK.

“These website design tricks can have real and negative impacts on consumers’ lives. For example, if someone is recovering from a gambling problem, being steered to ‘accept all’ cookies can mean being continually bombarded with betting adverts, which could be incredibly harmful.

“We want to make consumers aware of these potentially harmful techniques to help them protect their data online – and, if necessary, make informed choices about which websites they choose to frequent.

“Businesses should take note that if they deliberately and persistently choose to design their websites in an unfair and dishonest way, the ICO will not hesitate to take necessary enforcement action.”

Will Hayter, Senior Director in the CMA’s Digital Markets Unit, said:

“Online, people routinely hand out their contact details, transaction history and even more sensitive personal data in exchange for ‘free’ things whereas, in person, they might be more likely to turn such deals down. People must be able to choose the data they share and make informed decisions, which is good for privacy and competition. Businesses that stand in the way of that risk action from the CMA or ICO.”

The ICO and CMA are working together for the benefit of consumers to stop harmful design practices.

The CMA will be building on its Rip Off Tip Off campaign that supports consumers by educating and encouraging them to report sneaky online sales tactics. Alongside that campaign, the CMA will continue to use its full range of powers to ensure that misleading selling practices are tackled from all angles, including as part of its Online Choice Architecture work.

The ICO will take enforcement action where necessary to protect people’s data protection rights, particularly where the practices lead to harms for people at risk of vulnerability. There is guidance for the public using services online on the ICO’s website.

Notes to editors
  • The ICO is the UK’s independent regulator for data protection and information rights law. It can take action to address and change the behaviour of organisations and people that collect, use, and keep personal information. This includes criminal prosecution, non-criminal enforcement, and audit.
  • The CMA helps people, businesses and the UK economy by promoting competitive markets and tackling unfair behaviour. It is an independent non-ministerial department. The CMA’s Online Choice Architecture work is an ongoing programme of work to address problems caused by harmful online design practices which includes raising consumer awareness and consumer enforcement work for tackling harmful online selling practices such as misleading urgency and price reduction claims. For more information of the CMA’s Online Choice Architecture work, visit here.
  • Harmful design choices: ICO–CMA position paper on Online Choice Architecture in choices about personal data in digital markets - a joint paper was published on Wednesday 9 August on the Digital Regulation Cooperation Forum (DRFC) website. The DRCF is a collaboration between the UK’s four digital regulators (ICO, CMA, Ofcom and FCA), which seeks to promote coherence on digital regulation for the benefit of people and businesses online.
  • The paper sets out a call to organisations to end harmful design practices and states that they should offer consumers a fair and informed choice when parting with their personal information. Some of the main design practices which could break data protection laws include:
    • Making it difficult for consumers to refuse personalised advertising by not giving an equal choice to ‘accept all’ or ‘reject all’ cookies;
    • Overly complicated privacy controls which confuse consumers or cause them to disengage;
    • The use of leading language to influence consumers to hand over personal information;
    • Pressuring consumers into signing up for discounts in exchange for personal information;
    • Bundling choices together in a way which encourages consumers to share more data than they would otherwise wish to.