Sweep on “dark patterns” sheds light on privacy commissioner expectations for obtaining meaningful consent in an online environment

In early 2024, Canadian privacy commissioners participated in the Global Privacy Enforcement Network (the GPEN) annual international privacy sweep (the Sweep). The theme of this year’s sweep was online deceptive design patterns (also known as “dark patterns”).

Deceptive design patterns are described as patterns “used on websites and mobile apps to influence, manipulate, or coerce users to make decisions that are not in their best interests.”1 Further, “[t]hey can prevent users from making informed decisions about the collection, use, and disclosure of their personal information, and cause them to give up more privacy than they would like.”2

On July 9, 2024, the Office of the Privacy Commissioner of Canada (the OPC) published the Sweep Report 2024: Deceptive Design Patterns (the Report) on the results of the Sweep and its key findings.

In conjunction with releasing the Report, the OPC also issued new guidance for individuals on navigating, and for organizations on avoiding, deceptive design patterns (the Guidance). See OPC publications Beware of deceptive design: Tips for individuals when navigating websites and mobile apps and Design with privacy in mind: Five business best practices to avoid deceptive design.

Together, the Report and the Guidance shed light on the OPC’s expectations when it comes to obtaining meaningful consent in an online environment.

Organizations doing business in Canada should assess their online platforms and consider any changes required to meet the OPC’s expectations. While the Report and the Guidance set out best practices, rather than binding rules, they serve as warning signals of the OPC’s priorities for potential future enforcement actions and provide concrete, illustrative examples of what the OPC finds acceptable and unacceptable. Organizations wanting to stay ahead of the curve should consider taking proactive steps to implement the OPC’s recommendations for avoiding deceptive design patterns now, rather than after a formal complaint or investigation.

The Sweep

The Sweep occurred between Jan. 29, 2024 and Feb. 2, 2024 and involved collaboration by the OPC and 25 other privacy enforcement authorities. Over 1,000 websites and mobile apps were examined in the Sweep, including 145 websites and mobile apps examined by the OPC. The Sweep focused on the following five specific deceptive design patterns:

  1. Complex and confusing language: technical and/or excessively long privacy policies that are difficult to understand.
  2. Interface interference: design elements that can influence users’ perception and understanding of their privacy options.
  3. Nagging: repeated prompts for users to take specific actions that may undermine their privacy interests.
  4. Obstruction: the insertion of unnecessary, additional steps between users and their privacy-related goals.
  5. Forced action: requiring or tricking users into disclosing more personal information to access a service than is necessary to provide that service.3

While the use of deceptive design patterns is not specifically prohibited under Canadian privacy laws, their use can increase an organization’s risk of failing to fulfill its personal information protection obligations, such as obtaining consent that is “meaningful”.
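As an added illustration (not code from the Report, the Guidance or the OPC), the five categories above can be turned into a lint-style audit of a consent flow, with a privacy-by-default transform that removes the flagged choices. The flow description, the field names and the word-count threshold are assumptions constructed for the example.

```javascript
// Added example: audit a consent-flow description against the five deceptive
// design pattern categories from the Sweep. All field names, the sample flow
// and POLICY_WORD_LIMIT are assumptions constructed for illustration.
const POLICY_WORD_LIMIT = 3000; // assumed threshold for "excessively long"

// Constructed description of a sign-up flow with a purpose-consent dialog.
const sampleFlow = {
  purposes: [
    { id: "essential", required: true, defaultOn: true },
    { id: "analytics", required: false, defaultOn: true }, // pre-checked optional purpose
    { id: "ads", required: false, defaultOn: true },       // pre-checked optional purpose
  ],
  acceptAllSteps: 1,        // clicks needed to accept every purpose
  rejectAllSteps: 3,        // clicks needed to reject all optional purposes
  repromptAfterDecline: 5,  // times the dialog reappears after a decline
  collectedFields: ["email", "password", "phone", "birthdate"],
  fieldsNeededForService: ["email", "password"],
  policyWordCount: 9000,
};

// Returns one finding per detected pattern; an empty array means none found.
function auditConsentFlow(flow) {
  const findings = [];
  if (flow.policyWordCount > POLICY_WORD_LIMIT) {
    findings.push(`complex and confusing language: policy is ${flow.policyWordCount} words`);
  }
  for (const p of flow.purposes) {
    if (!p.required && p.defaultOn) {
      findings.push(`interface interference: optional purpose "${p.id}" is on by default`);
    }
  }
  if (flow.repromptAfterDecline > 0) {
    findings.push(`nagging: dialog re-shown ${flow.repromptAfterDecline} time(s) after a decline`);
  }
  if (flow.rejectAllSteps > flow.acceptAllSteps) {
    findings.push(`obstruction: ${flow.rejectAllSteps} steps to reject vs ${flow.acceptAllSteps} to accept`);
  }
  const extra = flow.collectedFields.filter((f) => !flow.fieldsNeededForService.includes(f));
  if (extra.length > 0) {
    findings.push(`forced action: fields not needed for the service: ${extra.join(", ")}`);
  }
  return findings;
}

// Privacy-by-default rewrite: optional purposes off, symmetric accept/reject
// paths, no re-prompting, and only the fields the service actually needs.
function privacyByDefault(flow) {
  return {
    ...flow,
    purposes: flow.purposes.map((p) => ({ ...p, defaultOn: p.required })),
    rejectAllSteps: flow.acceptAllSteps,
    repromptAfterDecline: 0,
    collectedFields: flow.fieldsNeededForService.slice(),
  };
}
```

The rewritten flow still trips the word-count check, which is deliberate: policy length has to be fixed in the text, not in the interface.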

The Report and the Guidance urge organizations to ensure their privacy policies and preferences are accessible to their users, and to take into consideration their target audience (e.g., children). In the context of consumer protection legislation, the Supreme Court of Canada has previously applied a legal test on the basis that an “average consumer” is one that is “credulous and inexperienced.” Organizations should be aware of the courts’ perception of the “average consumer” when using deceptive design patterns, as this standard might be relevant in determining whether the design pattern impedes users’ access to, or understanding of, privacy policies and preferences, and accordingly whether the organization has failed to fulfill its privacy law obligations.

The Report and the Guidance

Below is a summary of the Report and the Guidance, including examples of each type of deceptive design pattern, the key findings identified in the Report, and the OPC’s recommendations for avoiding each type of deceptive design pattern.

Children’s privacy rights

As part of the Sweep, the OPC, the Office of the Information and Privacy Commissioner of Alberta (the OIPC-AB) and the Office of the Information and Privacy Commissioner of British Columbia (the OIPC-BC) also examined the use of deceptive design patterns in 67 websites and mobile apps targeted at children. The Report highlights the commitments that each of these three information and privacy commissioner offices has recently made to children’s privacy rights and discusses the vulnerability of children in online environments.

The Report states: “While it is important for organizations to avoid deceptive design patterns on their websites and apps so that users can make informed privacy choices free of manipulation, the OPC, OIPC-AB and OIPC-BC wish to emphasise that it is particularly crucial to ensure privacy-protective design by default for websites and apps that may be appealing to children.”4

International collaboration and a potential area for future enforcement

The Sweep exemplifies a trend of increased international collaboration among privacy and other regulatory enforcement authorities. Notably, 2024 was the first year that GPEN coordinated the Sweep with the International Consumer Protection and Enforcement Network. GPEN’s report identified the Sweep as “the most extensive example of cross-regulatory cooperation between privacy and consumer protection authorities, to date”, recognizing “the increasing intersection of the two regulatory spheres in the digital economy.”5

This year’s theme of online deceptive design patterns signals that this might be an area for future increased attention by privacy and other regulatory enforcement authorities in Canada and globally. If deceptive design patterns become a priority for enforcement actions, we may see Canadian privacy commissioner investigations into not only the substance of privacy policies and practices employed on organizations’ websites and mobile apps, but also the form. Accordingly, organizations should be aware of deceptive design patterns and how to avoid implementing these, particularly when seeking to obtain meaningful consent online.

Meaningful consent

Under Canadian privacy laws, private sector organizations must generally obtain meaningful consent for the collection, use and disclosure of personal information. While the specific wording used and obligations vary amongst Canadian personal information protection statutes, this generally means that individuals must be informed of the type of personal information being collected, used and disclosed and the purposes for such collection, use and disclosure. In addition, consent must not be obtained through deception and organizations must not mislead or deceive individuals in connection with obtaining consent.

Canadian privacy commissioners have previously issued guidelines to provide organizations with additional information on how to obtain meaningful consent. See for example Guidelines for obtaining meaningful consent published jointly by the OPC, the OIPC-AB and the OIPC-BC, PIPEDA Fair Information Principle 3 – Consent published by the OPC, and Lignes directrices 2023-1 – Consentement: critères de validité, published by the Québec Commission d’accès à l’information (please see BLG’s unofficial translation for more information).

Canadian privacy commissioners have also previously issued best practices and tips for organizations operating in online environments. See for example OPC publications Seizing opportunity: Good privacy practices for developing mobile apps, Ten tips for a better online privacy policy and improved privacy practice transparency, and Ten tips for communicating privacy practices to your app’s users.

In the Report and the Guidance, the OPC builds upon these previous Canadian privacy commissioner publications and takes an even more hands-on approach by providing organizations with actionable items to implement into the design of their online platforms. Together, the Report and the Guidance emphasize a “privacy by design” and “privacy by default” approach and illustrate the OPC’s expectations when it comes to obtaining meaningful consent in an online environment.

While Canadian personal information protection laws are generally technology-neutral and do not specifically prohibit the use of online design patterns that the OPC has characterized as “deceptive”, organizations risk failing to obtain meaningful consent by implementing these designs in their websites and mobile apps.

Canadian privacy commissioners have previously considered design features such as length (e.g., number of pages and words), means of access (e.g., mobile device), and readability (e.g., font size and links) of online privacy policies, as well as the use of consent toggles, when determining issues around consent. See for example Investigation Report P2021-IR-02 Investigation into Babylon by TELUS Health’s compliance with Alberta’s Personal Information Protection Act.

Key takeaways

Canadian privacy commissioners have signalled that they have online deceptive design patterns on their radars. Organizations should be prepared for examination of both the substance and form of the privacy policies and practices on their websites and mobile apps, in the event of a complaint or an investigation. Additionally, a higher level of scrutiny may be deployed on websites and mobile apps targeted at children.

Organizations should review the Report and the Guidance, as well as their current privacy management policies, procedures and practices with respect to their online platforms, and work with their UX design teams to reduce the occurrence of deceptive design patterns. When obtaining consent online, organizations should ensure that the consent is meaningful and valid in light of the OPC’s expectations around avoiding deceptive design patterns.


1 Canada, Office of the Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada Sweep Report 2024: Deceptive Design Patterns (2024), at p 3.
2 The Report at p 3.
3 The privacy enforcement authorities participating in the Sweep selected the five deceptive design patterns based on criteria set out by the Organisation for Economic Co-operation and Development (OECD) in its Dark Commercial Patterns paper published on Oct. 26, 2022, which set out a working definition of dark commercial patterns.
4 The Report at p 28.
5 Global Privacy Enforcement Network, GPEN Sweep 2024: “Deceptive Design Patterns” Report (2024), at p 3.