Ross Webster is a consultant at The Lucid Privacy Group and NDA’s regular columnist. Lucid provides practical privacy advice and solutions to global enterprises. Previously, Ross held European MD roles at The Weather Company and Foursquare.
It might be expected that a joint announcement in the depths of August from the ‘UK’s independent body set up to uphold information rights’ and the UK Government authority ‘set up to make markets work well for consumers, businesses and the economy’ might fly under the radar.
And so it was with the recent announcement from the Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) on the “Harmful design in digital markets: How Online Choice Architecture practices can undermine consumer choice and control over personal information.
While most of the UK digital advertising industry was away for their summer break, much of the commentary was limited to social media sniping at the organizations’ own failure to live up to their own privacy design standards.
Five years hence
Since 2018, both the ICO and the CMA have been warning about the dangers of manipulative website design practices and the lack of transparency in the digital ecosystem that attempts to pull the wool over consumers’ eyes. This new announcement continues to call on businesses to “stop using harmful design practices that could undermine people’s control over their personal information and lead to worse consumer and competition outcomes”.
The CMA is understandably more interested in the competition aspect of fair practices such as truth-in-advertising, and has already prosecuted some businesses for underhand subscription ‘traps’ or misleading ‘deal’ claims that have slanted the competitive playing field.
The ICO’s interest is more focused, however, keen on ensuring that user consent interfaces are fair, clear and accurate. In particular, the blog makes clear that to avoid “distort[ing] users choices…a website’s cookie banner should make it as easy to reject non-essential cookies as it is to accept them”.
No real surprise here as GDPR Article 7(3) is pretty clear on the issue…
