From Compliance To Privacy UX: Regulators Come For Dark Patterns
The French data protection authority hit Facebook and Google with multimillion-dollar fines yesterday for their use of deceptive design in their cookie consent banners. Commonly known as dark patterns, these design choices threaten or trick people into doing things that are in conflict with their own interests.
We’ve all encountered these deceptive designs — where users are presented with a big “accept all cookies” button — but rejecting cookies takes multiple clicks, menus, submenus, confusing toggles, and so on. In fact, there’s even a whole Twitter account dedicated to coercive and deceptive design.
This isn’t a run-of-the-mill compliance story. Technically, Facebook and Google are compliant with the ePrivacy Directive — users can opt out if they want to. The issue, according to the data protection authority, is that opting out of cookies is confusing and unclear.
For privacy leaders and their teams:
- Ensure you are “ePrivacy ready.” The ePrivacy Directive — also known as the “Cookie Directive” — has been under revision for over five years, and agreement on a final version may still take time. But make no mistake: European regulators keep leveraging these rules, together with the General Data Protection Regulation, to protect individuals’ privacy rights. Ensure you are familiar with the ePrivacy Directive and are able to meaningfully comply.
- Design and implement better privacy experiences. This is not the first time that the French regulator has evaluated the privacy experience as part of its investigation and decisions. In another case involving a French retailer, it wrote that “the privacy language used was tedious, even for an enlightened user” and that the numerous clicks required to get to relevant privacy content undermined privacy rights. Ensure you involve your customer experience (CX) and UX peers when implementing your privacy program, and continuously monitor and improve the quality of CX across privacy touchpoints.
- Refine your privacy practices for the present and future state of cookies. Some might assume that privacy concerns will ease with the demise of third-party cookies. But a cookieless world will still contain privacy risks. Meanwhile, requirements for traditional cookies still apply. While you explore how you must adapt your privacy strategy for a future without third-party cookies, make sure you remain compliant with current requirements.
This isn’t merely a regulatory issue, though. Marketers and UX designers should also take note:
- Marketers: Transparency and choice aren’t mere buzzwords. In light of data deprecation, the industry is abuzz, finding opportunities to capture customer data in ways that are more transparent and giving consumers options to exercise their rights. As this fine shows, though, the choices presented to consumers need to be clear, and opting out should be as intuitive a process as opting in. This also ups the ante for the advertising ecosystem, whose track record of capturing informed consent and honoring it has been highly problematic.
- UX designers: Keep standing up for your users. Many designers know their companies use coercive and deceptive design but struggle to stop it. Our research has shown that strategies like 1) invoking company principles, 2) activating critical thinking among peers, 3) highlighting risk, and 4) humanizing the people affected can be effective. Even if an individual “battle” isn’t won, the debate can often improve future decisions. You might have leverage: During the Great Resignation, many designers sought out jobs that aligned with their personal values.
Meanwhile, in the US, the Federal Trade Commission (FTC) recently announced plans to “ramp up enforcement against illegal dark patterns.” In a November speech, FTC commissioner Rebecca Kelly Slaughter described notice and choice as a way to offer user protections that has since become a less effective approach, one where “neither notice nor choice is meaningful for most users.”
Ultimately, businesses must evolve their thinking beyond complying with the letter of the law and incorporate decisions on how to do right by their customers, who are increasingly privacy aware. Forrester’s data shows that 67% of European online adults are worried companies will share their personal information without their knowledge or consent. Remember that cookie banners are often the first impression a customer or prospect gets from your website, so make careful decisions about how to put your best foot forward, and start building customer trust through thoughtful design choices.