Between January 29 and February 2, 2024, the Global Privacy Enforcement Network (GPEN) conducted its annual study to assess the prevalence and types of so-called “deceptive design” mechanisms on websites and mobile applications.
More concretely, “deceptive design” mechanisms are those that have the effect of influencing or manipulating users to make decisions contrary to their privacy interests.
This, let’s not forget, runs completely contrary to two (sometimes forgotten) principles of the famous European data protection regulation (the GDPR): privacy by design and privacy by default.
The study involved no fewer than 26 privacy authorities and 27 consumer protection authorities, making a total of 53 participants.
Together, they examined over 1,000 websites and applications to assess how users can:
- make privacy choices,
- access their privacy information,
- log out or delete their accounts.
The results show – oh, surprise – that the majority of websites and apps use “deceptive designs” to trick users into sharing more personal information than they wish, or into making decisions that are not optimal for their privacy.
GPEN calls for increased vigilance and measures to make privacy choices more transparent and accessible.
In practice, the three most frequently noted behaviors are as follows:
- Complex and confusing language: 89% of privacy policies were too long or used technical terms, making them difficult to understand. For example:
  - 55% of privacy policies were over 3,000 words long;
  - 65% of privacy policies did not include a summary or table of contents.

  Even worse, 76% of privacy policies surveyed required undergraduate reading ability or higher, and 20% required graduate reading ability, at a minimum.
- Interface interference (defined in the GPEN study as “the use of design elements and presentation methods that alter users’ perception and understanding of privacy options”): in 43% of cases, the presentation of information about privacy options influences users to choose less privacy-protective options.
  Interface interference occurs, for example, when the presentation emphasizes one choice over another, notably through the use of bright colors (e.g. the famous cookie acceptance banner highlighting the “I accept all cookies” option), or when options are preselected or users are emotionally manipulated (“What? You’re leaving us already?!”).
- Obstruction: in 39% of cases, users encounter obstacles to achieving their privacy goals. For example, deleting an account is often more complex than creating one.
On the French side, our national supervisory authority (the CNIL) analyzed the practices of no fewer than 18 websites in their mobile versions.
Of these 18 sites, 6 have an online sales activity, 6 are press publishers and 6 are audiovisual media.
This analysis enabled the CNIL to note the following:
“Privacy policies: on 72% of the sites studied, the privacy policy is accessible in two clicks or less from the home page. While, as in other countries, 88% of privacy policies surveyed are long (over 3,000 words), 70% have a menu or table of contents to facilitate navigation.
Influence of the interface: on half the sites studied, it’s easier to select the setting that least protects privacy. In most cases, this is because the least privacy-protective option is the most obvious (45% of sites visited in France versus 56% internationally).
Logout path: on more than 75% of sites allowing users to create an account, it is possible to log out with a single click, and in 95% of cases it is possible to log out with two clicks or less.
De-registration process: deleting an account is sometimes much more complex. In 29% of cases, it takes at least 4 clicks to delete your account, and in 17% of cases, raters haven’t found an option to delete their account from the mobile website.”
This report by the Global Privacy Enforcement Network (GPEN), in addition to drawing an unsatisfactory picture of the way in which platforms handle the protection of their users’ privacy, points to the items on which the CNIL should be particularly vigilant during its next remote inspections.