
Commerce, particularly business-to-consumer trade, is now increasingly done online. With this evolution, regulators are turning a close eye to the implications that online website design and user interfaces have on data protection, consumer and competition law.

In August 2023, the UK Information Commissioner's Office (ICO) and Competition and Markets Authority (CMA) published a joint paper on so-called "online choice architecture" (OCA), which considers the ways in which businesses present information and choices to users online, with a specific focus on the impact this has on the provision of personal information. In their joint statement, the CMA and ICO call for businesses "to stop using harmful website designs that can trick consumers into giving up more of their personal data than they would like."

The joint paper is the most recent statement of policy in the UK and builds on previously published guidance including:

A CMA discussion paper (April 2022) in which it explored the impact of choice architecture on markets and consumers, without issuing guidance for businesses or specifically calling any regulator to action.

A CMA open letter to businesses (March 2023) focusing on the use of urgency and price reduction claims. The CMA cited examples of non-compliance and asked businesses to consider and re-examine their consumer practices, to ensure that there is internal evidence to justify urgency and price reduction claims and to keep records reflecting selling conditions.

The recent joint paper is an update forming part of the CMA and ICO's work under the Digital Regulation Cooperation Forum (DRCF), which consists of the CMA, ICO, Ofcom and the Financial Conduct Authority. The DRCF was established to ensure a greater level of cooperation between the regulators, given the unique challenges posed by regulation of online platforms. OCA was flagged as a particular area of focus by the DRCF given its potential for direct harm to competition and consumers and breaches of data protection legislation.

It is now more important than ever for businesses to carefully consider their internal policies around OCA, as the enforcement regime for consumer protection in the UK is set to change with the adoption of the Digital Markets, Competition and Consumer Bill (DMCC Bill). The DMCC Bill, which is currently before Parliament and is expected to be adopted in spring 2024, intends to greatly boost the CMA's ability to directly enforce consumer protection provisions and issue penalties that mirror those under its competition enforcement powers.

In this briefing, we summarise the key points from the paper and discuss two recent examples of regulator intervention in the case of harmful OCA. We also consider the impact of the DMCC Bill on these practices.

WHAT IS OCA?

OCA is the design of the user experience and interaction on a website or application. Common examples of choice architecture include:

  • The order of products in search results,
  • Pop-up notifications offering a deal or relating to data collection,
  • The number of steps needed to cancel a subscription, or
  • Whether an option is selected by default.

The CMA has noted that such elements are shown to affect consumers and markets in significant ways. Choice architecture itself is a neutral term, as the CMA considers that a well-designed website can lead to great efficiencies and consumer benefits, helping consumers to pick suitable products and to make transactions more efficient. Default security settings can help users avoid computer viruses and keep users safe. Effective OCA is also said to empower a user to make intelligent choices regarding how their personal data is collected, which can improve their overall experience. The CMA and the ICO noted in the joint paper that OCA that enables effective user decision-making strengthens incentives for firms to compete fairly.

However, choice architecture can also hide, either purposefully or not, crucial information, set default choices which may not align with consumer preferences, or exploit consumer attention to scarce products. Some OCA practices may undermine users’ control over their personal information and guide their behaviour in ways which do not align with their best interests or preferences.

Such practices could lead to infringements of:

  • Competition legislation including the Competition Act 1998 as well as the new regulatory regime for digital markets (DMU regime) introduced under the DMCC Bill for competitors holding strategic market status;
  • Data protection legislation including the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2008 and Privacy and Electronic Communications Regulations 2003;
  • Consumer law, in particular the Consumer Protection from Unfair Trading Regulations 2008 (CPRs), Consumer Rights Act 2015 and Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 – as well as additional rights and increased enforcement powers for the CMA introduced by the DMCC Bill.

WHAT ARE HARMFUL OCA PRACTICES?

The joint paper provides a non-exhaustive list of harmful practices and explains why these practices are liable to raise competition, data protection and consumer concerns.

Harmful nudges

Harmful nudges make it easy for consumers to make inadvertent or ill-considered choices, for example, pop-ups asking the user to "allow all cookies" (including non-essential ones), without providing an equivalent easy option to refuse all non-essential cookies. Nudges are often accompanied by "sludge", which is the practice of presenting a consumer with excessive difficulty or friction to select the option they desire.

The ICO states that these types of practices discourage users from more conscious consideration of their decisions, particularly where they want to access content quickly or do not have the time or expertise to analyse more detailed settings. Importantly, the ICO states that users must therefore be able to refuse non-essential cookies with the same ease as they can accept them, without having to take any additional steps (e.g., “Reject all” and “Accept all” boxes), which must be presented with equal prominence; the user must not be nudged towards one option over the other. Such settings are more likely to be compliant with data protection law, as firms will be better placed to demonstrate that the user was given a genuine free choice.

The CMA raises concerns that harmful nudges and sludge in the design of online services can encourage users to provide more personal information than they would otherwise choose to as part of receiving those services. The CMA has established previously that access to this personal information may confer a competitive advantage to certain large platforms and inhibit entry and expansion by smaller businesses. Where these techniques discourage the user from making more careful choices, this may lead to "ill-considered or inadvertent decisions that may decrease users’ welfare or may not align with their preferences".

Confirmshaming

Confirmshaming pressures consumers into acting a certain way, by making them feel guilty or embarrassed for making one choice over another, by implying that one is "good" or "bad". For example, a website asking you to enter your personal details to receive a discount code or requiring you to click "[No], I hate savings" if you do not enter your personal information.

The ICO notes that whilst the UK GDPR does not prevent firms from offering users incentives to share personal data or agree to processing of their data, using language like the example above is likely to infringe the "fairness" principle in the UK GDPR, as consent provided in this manner is unlikely to be "freely given" and would therefore be invalid and unlawful. Use of confirmshaming in the manner described above is therefore "almost always likely" to lead to an infringement of data protection law and could lead to firms being subject to regulatory action from the ICO.

The CMA stated that, similar to harmful nudging, confirmshaming moves users towards choices to share more personal data than they might otherwise have done in order to receive the services in question. In certain markets, access to such data may confer a competitive advantage to existing incumbents and inhibit entry by smaller challenger businesses, which could lead to a breach of competition law.

Biased framing

Biased framing occurs when companies present choices in a particular way, either by emphasising the benefits of one option over another or by discouraging the user from one choice to the benefit of the firm. For example, a long explanation of the benefits of sharing a user's search history, noting that if they refuse, ads may be less useful or relevant.

The ICO commented that this practice ignores the positive impacts of refusing, e.g. reducing the risk of intrusive processing or allowing the user to retain control over their personal data. Not providing equal weight to the two choices prevents the user from making an informed decision about their personal data which can infringe the "fairness" and "transparency" principles of the UK GDPR. Consent obtained via biased framing that is not fair or transparent (because it misleads and is not open and honest) is also likely to be invalid and therefore infringes the lawfulness requirement under the UK GDPR.

The joint report instructs that this does not mean that users should be overloaded with information. Instead, firms should present users with sufficient information to make an informed decision in a clear, easy to understand and neutral way. Where biased framing is being used in ways that are not fair and transparent, the ICO is likely to consider this as a breach of data protection law.

For its part, the CMA states that businesses may use biased framing to discourage users from reducing the amount of personal information that they share. Incumbent businesses might use these tactics to collect personal data which gives them a competitive advantage and to inhibit entry and expansion by smaller rivals. Biased framing may also be used by firms to preference their own services over those of competing businesses; for example, by framing privacy choices to encourage consumers to opt in to sharing data with the platform’s services and by influencing users to opt out of sharing data with third-party services.

Bundled consent

This occurs when companies use single consent options to obtain consent for multiple types of data processing activities. This may lead consumers to inadvertently consent to data processing which they do not understand or desire (e.g. targeted advertising or direct marketing) and prevents them from exercising granular control over their personal data.

The joint paper states that this type of technique is often used when users are asked to accept terms and conditions, privacy policies or cookie preferences to access other services. For instance, a website might bundle consent for both the terms of use as well as for receiving marketing emails before a user can create an account. However, the ICO states that consent given under the UK GDPR must be "specific" and consent should not be bundled as a condition of service unless it is necessary for that service. Consent provided in this way is more likely to be invalid.

The CMA highlights that bundling can result in poor consumer outcomes by limiting users' freedom of choice. Firms using such practices to bundle first-party services may impede competition, e.g. where this allows businesses with substantial market power that provide multiple services to leverage their existing market position to enter related markets and increase barriers for rivals in those markets.

Default settings

These create a default choice for consumers and require them to update their preferences to adjust those settings. For example, a social network might use a default setting to make a user's posts visible to the entire platform instead of their network only. Automatic renewal of subscriptions by default also falls within this category. The joint paper states that defaults are one of the strongest and most concerning OCA practices. One of the reasons for this is that they require less effort than making an active choice (status quo bias) and users may then use the default as a reference point to form their own preferences.

The joint paper recognises that default settings are not always bad, particularly if they protect a user's privacy (e.g. defaulting optional data sharing to off and requiring the user to positively enable it). The ICO highlights that the UK GDPR does not require businesses to adopt a "default to off" approach. However, firms must consider the circumstances and risks of their processing: it will be more difficult for them to justify why more intrusive settings must be on by default. Consent obtained via default settings is also less likely to be valid.

The CMA, meanwhile, stressed that defaults may lead to consumers making poor choices due to the active effort and difficulty required to change their settings, or that they lead to consumers constructing a preference around a default option. They also restrict users' ability to shop around or explore alternative products/services which may benefit incumbent businesses. In particular, the CMA states that the use of defaults in markets with network externalities (where the value of a product or service changes as the number of users increases/decreases) may make it harder for rivals to compete and may allow businesses to leverage market power to create barriers to entry or expansion for rivals.
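To make the design points in the "Harmful nudges", "Bundled consent" and "Default settings" sections concrete, the following is an added illustration written for this briefing; it is not code from the CMA, the ICO or the joint paper. It models a cookie/consent banner as a small configuration object and audits it against the points above: a "Reject all" option offered alongside "Accept all" with the same prominence and no extra steps, non-essential purposes defaulting to off, and a separate (granular) choice per purpose rather than one bundled switch. It then records the user's choices purpose by purpose. The purpose names, the `prominence` and `extraSteps` fields and the two sample banners are assumptions constructed for the example.

```javascript
// Added illustration for this briefing (not CMA/ICO code). The purpose list,
// the banner configuration shape and the sample banners below are assumptions.

const PURPOSES = ["essential", "analytics", "advertising", "marketing_email"];

// Audit a banner configuration against the joint paper's consent design points.
// config.options: buttons with an action, a prominence rank (1 = most prominent)
//   and the number of extra clicks needed after pressing them.
// config.defaults: per-purpose initial state (true = on before any choice).
// config.granular: whether each purpose has its own switch.
function auditConsentDesign(config) {
  const issues = [];
  const accept = config.options.find((o) => o.action === "accept_all");
  const reject = config.options.find((o) => o.action === "reject_non_essential");

  if (!reject) {
    issues.push("no reject-all option alongside accept-all (harmful nudge)");
  } else {
    if (reject.extraSteps > accept.extraSteps) {
      issues.push("rejecting needs more steps than accepting (sludge)");
    }
    if (reject.prominence !== accept.prominence) {
      issues.push("reject and accept not presented with equal prominence");
    }
  }
  for (const [purpose, on] of Object.entries(config.defaults)) {
    if (purpose !== "essential" && on) {
      issues.push(`non-essential purpose '${purpose}' defaults to on`);
    }
  }
  if (!config.granular) {
    issues.push("single switch covers several purposes (bundled consent)");
  }
  return issues;
}

// Build a granular consent record from explicit per-purpose choices. Any purpose
// the user did not positively enable is recorded as refused; "essential" is
// recorded as necessary rather than consented, since no consent is asked for it.
function buildConsentRecord(choices, now = new Date()) {
  const record = { timestamp: now.toISOString(), purposes: {} };
  for (const p of PURPOSES) {
    if (p === "essential") record.purposes[p] = "necessary";
    else record.purposes[p] = choices[p] === true ? "granted" : "refused";
  }
  return record;
}

// Constructed sample: accept-all prominent, refusing hidden behind "Manage",
// tracking purposes on by default, one bundled switch.
const nudgingBanner = {
  options: [
    { action: "accept_all", label: "Allow all cookies", prominence: 1, extraSteps: 0 },
    { action: "manage", label: "Manage settings", prominence: 2, extraSteps: 3 },
  ],
  defaults: { essential: true, analytics: true, advertising: true, marketing_email: false },
  granular: false,
};

// Constructed sample: reject and accept side by side, equal prominence,
// non-essential purposes off by default, one switch per purpose.
const balancedBanner = {
  options: [
    { action: "accept_all", label: "Accept all", prominence: 1, extraSteps: 0 },
    { action: "reject_non_essential", label: "Reject all", prominence: 1, extraSteps: 0 },
    { action: "manage", label: "Manage settings", prominence: 2, extraSteps: 1 },
  ],
  defaults: { essential: true, analytics: false, advertising: false, marketing_email: false },
  granular: true,
};

console.log("nudging banner issues:", auditConsentDesign(nudgingBanner));
console.log("balanced banner issues:", auditConsentDesign(balancedBanner));
console.log(buildConsentRecord({ analytics: true }));
```

Run with `node` to see the four findings raised against the nudging banner and none against the balanced one; the per-purpose record is the kind of evidence a firm would keep to show that consent was specific and freely given.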

GUIDANCE FOR BUSINESSES

Given the potential harms involved in the techniques mentioned above, the CMA and ICO suggest best practices which should be followed when designing and implementing online user interfaces. These are based around the following four questions to be considered by businesses:

Are we building interfaces around the user's interests and preferences?

OCA should be designed in ways which reflect the user's interests and preferences. The joint paper recommends enhancing user control and the ability for the user to exercise privacy preferences.

Are we helping users to make effective and informed choices about their personal information, and putting them in control of how it is collected and used? Is the information clear and not misleading?

The joint paper recommends that OCA design should provide easy to understand, balanced information about what personal data is collected and how it is used, ensuring that consumers can make free and meaningful decisions in relation to personal data processing.

Are we using testing and trialling to ensure OCA design is evidence based?

The ICO and CMA recommend that firms test consumer comprehension, experience and feelings of control to ensure they understand how users can make effective choices. For example, testing could take the form of online experiments, customer surveys, usability testing or interviews. The paper notes that the CMA has proposed statutory powers under the DMCC Bill, which will allow it to order trialling when exercising certain market investigations and digital market functions.

Have we considered the data protection, consumer protection and competition law implications of the OCA practices we are employing?

As outlined above, OCA practices may undermine data protection, consumer choice and reduce competition. In some cases, they may even break the law. Companies should reflect on whether their OCA practices could be unfair to users or anti-competitive (e.g. by providing themselves with an unfair advantage over competitors).

The ICO has the power to take formal regulatory actions against companies which design OCA in ways which violate data protection law. For its part, the CMA has intervened to combat misleading online practices using its consumer enforcement powers, which is further discussed below. In addition, the CMA is likely to gain further direct regulatory enforcement powers through the DMCC Bill, which is also discussed below.

RECENT EXAMPLES OF POTENTIALLY HARMFUL OCA PRACTICES

Prior to the publication of the joint paper, the CMA had already been investigating potentially harmful OCA practices in the following cases where they were concerned that consumers were being misled:

Emma Sleep: In November 2022, the CMA launched a consumer protection investigation into whether Emma Sleep, a mattress retailer, was misleading consumers by using countdown timers and making claims about the duration of sales – so-called "urgency claims". In July 2023, the CMA wrote to Emma Sleep outlining its concerns including that it had found very few advertised Emma Sleep products were actually sold at their full price, so the discounts being offered were not genuine. Additionally, the company's claims relating to sales ending were misleading as new sales were initiated soon afterwards in many cases. Although the press release predates the ICO and CMA's joint paper, it reflects many of the concerns that the CMA had flagged. Emma Sleep is expected to respond to the CMA and adjust its marketing methods to avoid court action. The CMA noted that it will continue to look into misleading online claims across all sectors.

Wowcher case: The CMA launched a similar investigation into Wowcher (an e-commerce website which offers discounted deals) in March 2023 over the use of countdown timers, hidden charges, pre-ticked boxes enrolling customers into VIP memberships and urgency claims. In November 2023, the CMA issued a consultation letter to which Wowcher may respond and it must take steps to remedy the CMA's concerns to prevent court action. If Wowcher fails to offer the CMA satisfactory undertakings, the CMA may apply to court for an order under section 217 of the Enterprise Act 2002 forcing Wowcher to comply with its obligations.

Going forward, it will be interesting to see what OCA trends attract the scrutiny of the CMA. Until now, all action has been focused on commercial tactics, rather than joint consumer and privacy concerns, which is the focus of the joint paper. As another example, On the Beach, an online retailer of beach holidays in the UK, recently called for the CMA to investigate Ryanair and other low-cost airlines over alleged aggressive online tactics, including scaremongering communications and invasive verification procedures.

PRACTICAL CONSIDERATIONS FOR BUSINESSES GIVEN THE UPCOMING CHANGES IN ENFORCEMENT LEGISLATION

As noted above in the Emma Sleep and Wowcher cases, the CMA currently does not have the ability to conclude on its own that a company has breached consumer law or to impose fines or remedies – this requires a court order to prove an infringement. However, this is intended to change with the adoption of the DMCC Bill, which is currently before Parliament and is due to be adopted in spring 2024.

Under the new direct enforcement regime introduced under the DMCC Bill, the CMA will be able to directly investigate suspected infringements and issue enforcement notices, without the need to apply to the courts first. The CMA's new administrative enforcement powers mirror its powers under the Competition Act 1998, and the fines it will be able to impose for breach of the relevant legislation and for failure to comply with its investigations are also aligned with those powers. Where the CMA concludes that there has been a breach, it will be able to impose fines of up to 10% of an undertaking's global annual turnover. The DMCC Bill also includes a number of changes to the existing consumer protection legislation. The aim is to improve and modernise consumer rights, to ensure they keep pace with market developments, in particular the trend towards online retail.

Incumbent competitors who hold so-called "strategic market status" may also be sanctioned under the new DMU regime for OCA which is in breach of conduct requirements or pro-competitive interventions – read more about the competition implications of the DMCC Bill here.

These new powers underscore the importance for businesses to engage seriously with how their online practices might conflict with consumer protection legislation – before the Bill becomes law. Otherwise, firms risk swift and direct action from the CMA and, potentially, very serious fines.

CONCLUSION

As business-to-consumer goods and services are increasingly provided online, OCA is at the heart of many companies' business models. Carefully designing these systems and the policies applicable to OCA can be complex. However, the joint paper has sought to provide concrete guidance and principles to firms grappling with these issues and to facilitate compliance with a particular focus on the respect of users' privacy. Given the relevance of OCA to the DRCF's agencies, joint guidance on this topic is welcome.

Whilst the joint paper helpfully acknowledges that OCA can be beneficial to consumers and to competition, it notes the main pitfalls for businesses to avoid in the design and deployment of OCA, with a particular emphasis on choice, information and testing OCA designs. Particularly with the expected adoption of the DMCC Bill next year and the creation of direct enforcement powers for the CMA, it is more important than ever for firms to engage with their OCA designs and ensure that these are compliant with competition, data protection and consumer protection rules. Careful design and testing of OCA architecture, as well as clearly defined internal policies, are likely to be a "must" for compliance.

Contacts

Susan Black, Partner, London, +44 7466 2055

Natalia Rodriguez, Partner, London, +44 7466 7486

Helen Bignall, Of Counsel, London, +44 7466 2936

Eve Meurgey, Associate, London, +44 7466 3851
