Skip to content
Law Society of Scotland
Search
Find a Solicitor
Contact us
About us
Sign in
Search
Find a Solicitor
Contact us
About us
Sign in
  • For members

    • For members

    • CPD & Training

    • Membership and fees

    • Rules and guidance

    • Regulation and compliance

    • Journal

    • Business support

    • Career growth

    • Member benefits

    • Professional support

    • Lawscot Wellbeing

    • Lawscot Sustainability

  • News and events

    • News and events

    • Law Society news

    • Blogs & opinions

    • CPD & Training

    • Events

  • Qualifying and education

    • Qualifying and education

    • Qualifying as a Scottish solicitor

    • Career support and advice

    • Our work with schools

    • Lawscot Foundation

    • Funding your education

    • Social mobility

  • Research and policy

    • Research and policy

    • Research

    • Influencing the law and policy

    • Equality and diversity

    • Our international work

    • Legal Services Review

    • Meet the Policy team

  • For the public

    • For the public

    • What solicitors can do for you

    • Making a complaint

    • Client protection

    • Find a Solicitor

    • Frequently asked questions

    • Your Scottish solicitor

  • About us

    • About us

    • Contact us

    • Who we are

    • Our strategy, reports and plans

    • Help and advice

    • Our standards

    • Work with us

    • Our logo and branding

    • Equality and diversity

  1. Home
  2. For members
  3. Journal Archive
  4. Issues
  5. December 2023
  6. Corporate: Deceptive digital design – no clever cookie?

Corporate: Deceptive digital design – no clever cookie?

Businesses should be aware of an increased regulatory focus on digital design practices that steer or pressure website users into choices they might not otherwise have made
11th December 2023 | Emma Arcari

Regulators across the globe are increasing their focus on the user experience (“UX”) for websites, in particular deceptive digital design practices (sometimes called “dark patterns”), which are various means to persuade or make users take certain actions.

We have probably all had experience of not being able to carry out an action we wanted to on a website, whether rejecting cookies or cancelling a subscription. Now regulators are combining their approach, to make it easier to put an end to obstructive behaviour online.

The European Union has announced a raft of legislation. Online interfaces that deceive or manipulate users are already banned in the Digital Services Act, and further legislation on deceptive patterns is proposed in the future AI Act and Data Act. The US has also begun to consider this issue in more detail, including the California Privacy Act which defines “dark patterns”.

In the UK, the Digital Regulation Cooperation Forum (made up of the Competition & Markets Authority (“CMA”), the Information Commissioner (“ICO”), the Financial Conduct Authority and Ofcom) has been established to ensure greater cooperation on online regulatory matters.

Earlier this year the ICO and CMA issued a joint paper, “Harmful design in digital markets: How Online Choice Architecture practices can undermine consumer choice and control over personal information”. Online choice architecture (“OCA”) means the techniques, designs and methods as to how a website developer influences a user’s decision making. The paper details how certain forms of OCA could breach the relevant laws regulated by both offices.

OCA as deceptive practice

Several different types of deceptive patterns were identified by UX expert Harry Brignull some years ago. The joint paper notes certain OCA practices of concern, but also states that they are not a comprehensive list and only intended to demonstrate how the ICO/CMA could consider the data protection, consumer and competition implications. The practices listed include “confirmshaming”, “biased framing”, “bundled consent”, “default settings” and “harmful nudges and sludges”. Although there are various classifications of the different practices, the name given tends to illustrate the type of design that is likely to constitute a deceptive practice: for example “confirmshaming” is where the user is manipulated into a choice by being pressured or shamed.

To expand on “harmful nudges and sludges”, a “nudge” is where an ill-considered or inadvertent decision is made easy, and “sludge” is where unjustified friction stops a user from getting what they want, such as refusing consent to cookies, if “reject all” buttons are less accessible than “allow all” and the user ends up clicking the latter to make the pop-up go away. An example of a justified sludge would be friction or delays to confirm an important decision, such as transferring money.

The ICO considers that reg 6 of the Privacy and Electronic Communications Regulations 2003 (“PECR”), as amended, is likely to be infringed if a cookie banner that incorporates these practices is used to obtain consent for placing cookies. If there is an “accept all” button, the ICO wants equivalent ease to “reject all”. The CMA has concerns that use of these nudge/sludge techniques can lead to users disclosing more personal information than they would otherwise want to, which can in turn allow a competitive advantage to larger businesses over smaller ones.

Regulatory action

At the moment, there are no laws which specifically reference deceptive digital practices. However, as detailed by the ICO and CMA, there are a variety of laws which could be breached indirectly. These include:

  • Privacy and data protection legislation and guidance, for example GDPR, Data Protection Act 2018, PECR. Data protection by design is supposed to be a fundamental part of compliance, along with the principle of transparency and valid consent (which “bundled consent” practices are likely to breach given the consent is unlikely to be freely given and informed). The ICO has also for years championed specific guidance and appropriate digital design methods for children (see the Children’s Code).
  • Consumer protection legislation, for example Consumer Rights Act 2015 (“CRA”), Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (“Cancellation Regulations”), and Consumer Protection from Unfair Trading Regulations 2008 (“CPUT”). The CRA could provide a means to find contract terms unfair or invalid, if deceptive patterns are used to manipulate consumers into the contract. The Cancellation Regulations contain a prohibition against additional payments which appear as a default option. CPUT could be breached if a deceptive practice constitutes an unfair commercial practice or is likely to distort the economic behaviour of the average consumer.

Although in the past it has appeared that the ICO has been more focused on enforcement in relation to security breaches and marketing contraventions, the joint paper indicates an increased focus on deceptive practices and an intention to work with other regulators, going forward.

The CMA has been focusing on harmful online practices; its campaign “Online Rip-Off Tip-Off” aims to allow consumers to spot and avoid misleading online sales tactics.

It is also worth noting that the Digital Markets, Competition and Consumers Bill would give the CMA several new statutory powers, including levying fines of up to 10% of global turnover and conducting trials of certain remedies to determine their final format.

Scan the horizon

Certain OCA practices, despite also being deceptive patterns, will provide benefits to consumers and businesses, such as allowing for improvement to their goods/services.

However, if businesses use OCA or digital design practices which could be considered to fall into the dark pattern/deceptive practice ambit, these should be reviewed to make sure that they comply with current law. In particular, marketing and website teams should take care at the outset of any project which could be considered to be a deceptive pattern, particularly in light of the forthcoming increased statutory powers of the CMA and its intention to enforce matters in this area.

The Author

Emma Arcari, senior associate, Wright Johnston & Mackenzie LLP

Share this article
Add To Favorites
https://lawware.co.uk/

Regulars

  • People on the move: December 2023
  • Book reviews: December 2023
  • Reading for pleasure: December 2023

Perspectives

  • Opinion: Emma King
  • President's column: December 2023
  • Profile: Ally Thomson
  • Editorial: Bowing out
  • Viewpoints: December 2023

Features

  • That elusive balance
  • When estates divide
  • Planning by nature
  • Under review: when to challenge
  • After completion: the practical issues
  • Climate action? Start here

Briefings

  • Criminal court: Boundaries of corroboration
  • Corporate: Deceptive digital design – no clever cookie?
  • Agriculture: Ending LDTs in a second short continuation
  • Succession: Attorney as executor?
  • Sport: Is that in the rules?
  • Scottish Solicitors' Discipline Tribunal: December 2023
  • In-house: The real deal
  • Intellectual property: Making your mark with a sound

In practice

  • Public policy highlights: December 2023
  • The Eternal Optimist: We are all going to die...
  • AML: reshaping the landscape
  • Trauma-informed from the outset
  • Can we take down the barriers?
  • Tradecraft tips: December 2023
  • Risk: remotely concerned
  • Appreciation: Doris Littlejohn
  • Ask Ash: The bully above

Online exclusive

  • Corporate directors: a stop-start reform
  • Separation and divorce: child benefit implications
  • No personal service, no employment
  • Let’s chat ChatGPT....
  • What is going on with the MIB?

In this issue

  • Making your charity's cash reserves work harder
  • Executry evolution: from the Wild West to...
  • All change for the Journal in 2024
  • Journal index 2023
Dec 2023
Nov 2023
Oct 2023
Sept 2023
Search the archive

Additional

Law Society of Scotland
Atria One, 144 Morrison Street
Edinburgh
EH3 8EX
If you’re looking for a solicitor, visit FindaSolicitor.scot
T: +44(0) 131 226 7411
E: lawscot@lawscot.org.uk
About us
  • Contact us
  • Who we are
  • Strategy reports plans
  • Help and advice
  • Our standards
  • Work with us
Useful links
  • Find a Solicitor
  • Sign in
  • CPD & Training
  • Rules and guidance
  • Website terms and conditions
Law Society of Scotland | © 2025
Made by Gecko Agency Limited