OPC’s Deceptive Privacy Practice Report – How TCF Canada Can Help

Last month, the Privacy Commissioner of Canada, together with 25 privacy enforcement authorities from across Canada and internationally, issued findings from a “sweep” conducted earlier this year of more than 1,000 websites and mobile apps. The annual sweep, conducted by the Global Privacy Enforcement Network (GPEN), was intended to check on the privacy practices being implemented online to protect consumers as they browse the web and use apps.

The report indicated that deceptive design patterns that make it difficult for people to protect their privacy online are prevalent. With a renewed focus on protecting children online, the report also showed that the practices used on children’s sites are often among the worst offenders.

The assessment, which used a standard, internationally applied rubric, found that we have a lot of work to do in Canada when it comes to disclosure and consent in the context of privacy.

“Websites and apps should be designed with privacy in mind,” said Privacy Commissioner of Canada Philippe Dufresne. “This includes providing privacy-friendly default settings and making privacy information easy to find.” Emphasizing privacy options, using neutral language, clearly presenting privacy choices, and reducing the number of clicks for a user to find privacy information, log out, or delete an account are all ways in which organizations can help their users better protect their privacy online. “Privacy is a fundamental right. Integrating privacy by design and privacy by default helps to promote the best interests of individuals, and builds trust, by offering individuals online experiences that are free from influence, manipulation, and coercion,” said Commissioner Dufresne. 

This year’s privacy sweep focused on how online deceptive design patterns (also referred to as dark patterns) can be used to move site or app visitors towards options that may result in the unnecessary collection of more of their personal information. Deceptive design can also force individuals into painfully long processes to find a privacy policy, log out, or delete their account. In some cases, this is designed specifically to discourage them from doing so. Other forms of deceptive design include presenting users with repetitive prompts that may frustrate them into giving up more of their personal information than they would like.

Sweepers evaluated the sites and apps based on five indicators that were identified by the Organisation for Economic Co-operation and Development (OECD) as being characteristic of deceptive design patterns.

For each indicator, the global report found: 

  • Complex and confusing language: More than 89% of privacy policies were found to be long or to use complex, university-level language. 
  • Interface interference: When asking users to make privacy choices, 42% of the websites and apps swept used emotionally charged language to try to influence user decisions, while 57% made the least privacy protective option the most obvious and easiest for users to select. 
  • Nagging: 35% of websites and apps repeatedly asked users to reconsider their intention to delete their account. 
  • Obstruction: In nearly 40% of cases, sweep participants faced obstacles in making privacy choices or accessing privacy information, such as trying to find privacy settings or delete their account. 
  • Forced action: 9% of websites and apps forced users to disclose more personal information when trying to delete their account than they had to provide when they created it. 

The OPC offered some advice in the form of five best practices for designing with privacy in mind. These five best practices can help Canadians make informed privacy choices that are free of influence, manipulation and coercion:

  1. Avoid long and complex privacy policies. Privacy information should be easy for individuals to understand. Provide short, simple explanations that include key information, with links to further details for those who wish to learn more. If it is likely that children regularly use your website or mobile app, limit your collection of their personal information, and, where collection is necessary, make sure to explain your data practices in a way that they can easily understand, for example with short video animations.
  2. Do not use confusing or leading design, which can interfere with the users’ ability to make privacy choices. For example, avoid false hierarchies by ensuring that the “accept all” and “reject all” buttons are the same size and in the same text, and do not pre-select the less privacy-friendly choice by default. Steer clear of “confirm-shaming” users into going against their instincts by using emotionally charged language like “it would be a shame to see you go” when they try to delete their account.
  3. Do not nag users to encourage them to provide their personal information. Avoid repeated pop-ups that ask users to give up more personal information than is necessary by signing up for an account, providing their email address, or switching to the app, especially if they have already declined.
  4. Make it easy to find your website or app’s privacy settings or information about how to delete an account. Avoid discouraging users through “click fatigue”, and therefore limit the number of steps, or clicks, it takes for users to complete a task.
  5. Do not force users to disclose personal information that is not necessary. In many cases, signing up for an account has no bearing on the functionality of a site or app and should be optional. Moreover, do not force users to provide additional personal information, like an email address or telephone number, just to delete their account.

IAB Canada has helped the industry to adhere to these principles through the development and launch of the Transparency and Consent Framework (TCF Canada). By standardizing language about choices and purposes, the industry can provide consistent and clear communication through the use of Consent Management Platforms. 

While the industry has struggled with the use of privacy pop-ups and consistent banners designed to inform consumers of their privacy options, we have long supported the strength of clean and concise user experiences as the best option available to provide consumers with notification and clarity. The underpinning of a transparent means to signal consent or no consent across the supply chain provides meaningful and effective adherence to consumer choice. 

As the industry matures along with the realities of responsible disclosures and consent requirements, we must now turn our attention towards the design choices within our solutions. With consent practices under fire internationally, we must as an industry get ahead and do right by consumers. Where we establish trust with our audiences, we secure return through loyalty.

Read the OPC Sweep Report here. 

To learn more about TCF Canada, reach out to TCFCanada@iabcanada.com