For immediate release
(9 July 2024, Hamilton) - A global privacy sweep that examined more than 1,000 websites and mobile applications (apps) has found that nearly all of them employed one or more deceptive design patterns that made it difficult for users to make privacy-protective decisions.
This year’s annual Global Privacy Enforcement Network (GPEN) Sweep took place between 29 January and 2 February 2024. It involved participants, or “sweepers,” from 26 privacy enforcement authorities from around the world, including Bermuda’s Office of the Privacy Commissioner for the first time in the history of the sweep.
Deceptive design patterns, also referred to as dark patterns, use features that steer users towards options that may result in the collection of more of their personal information. These patterns may also force users to take multiple steps to find a privacy policy, log out, or delete their account, or present them with repetitive prompts aimed at frustrating them and ultimately pushing them to give up more of their personal information than they would like.
Commissioner Alexander White has said: “Participating in this sweep was an important first step for our office into the phase of conducting active investigations. Credit to Assistant Commissioner Moulder and his team for not only executing the global privacy sweep, but also adding Bermuda-specific sweep questions taking into account many organisations’ early stage of PIPA readiness. We recognise that, with PIPA not yet in effect, some organisations may not yet have their privacy notices where they would like them. The sweep gives our office statistics about what sort of guidance would be useful, and the sweep results provide a baseline by which we can measure our progress as a community in these areas. We encourage organisations not to wait, but to start on the Road to PIPA now.”
The privacy sweep is an annual initiative aimed at increasing awareness of privacy rights and responsibilities, encouraging compliance with privacy legislation, and enhancing cooperation between international privacy enforcement authorities. This year’s sweep was chaired by the Office of the Privacy Commissioner of Canada.
Those involved in the privacy sweep replicated the user experience by engaging with websites and apps to assess the ease with which they could make privacy choices, obtain privacy information, and log out of or delete an account. Sweepers evaluated the sites and apps based on five indicators identified by the Organisation for Economic Co-operation and Development (OECD), as being characteristic of deceptive design patterns.
Bermuda
The local sweep took place on 1 February 2024, in which a total of 196 organisations domiciled in Bermuda were examined.
“I believe the sweep went extremely well, as it gave us an opportunity to examine organisations specific to the scope but also provided us with valuable data from an overall PIPA compliance standpoint,” said Christopher Moulder, Assistant Commissioner for Investigation.” The data confirms that there is much work to be done, but I'm hopeful that future sweeps will highlight the steps taken by organisations now towards full PIPA compliance.”
The local sweep only examined organisations websites and did not examine mobile applications (apps). This included websites that either were domained in Bermuda or overseas (e.g., .bm & .com) and all organisations were defined to fit the provided GPEN sectors, as follows:
Sectors | PrivCom Inclusive Sectors |
Banking and financial services | Banking, Financial Services, International Business |
Children | Nursery’s, Primary and High Schools, Dance Academy’s, BDA College |
Health and fitness | Health Clubs, Fitness Studios, Gym’s |
News and entertainment | News, Magazines, Online Ticket Sales, Radio Stations, TV Broadcasting |
Public sector | Government, Non-Governmental, Police, Fire, Airport authority, Post office |
Retail (goods and services) | Consumer stores, Delivery Services, Service providers, Shipping |
Travel and accommodation | Hotels, Guest Apartments, Airport, Airlines, Tourism sites |
Other | Restaurants, Healthcare, Telecommunications, Law firms |
Bearing in mind that the Personal Information Protection Act (PIPA) 2016 will be fully implemented on 1 January 2025, whilst carrying out the overall sweep, PrivCom staff recorded a number of privacy-related aspects specific to PIPA:
The presence of a Privacy Notice (some websites used the term Privacy Policy, although the correct term under PIPA section 9 is Privacy Notice) and/or Terms & Conditions
The designation of a privacy officer or team and the inclusion of their contact information
A reference to PrivCom as the local regulator for Bermuda and the inclusion of PrivCom’s contact information
Whether there is a link (or tab) to a privacy policy, but the actual document is missing or the implementation of a holding page.
The findings of the Local Sweep
Based on the above considerations, PrivCom found that of the total of 196 organisations surveyed:
40% (78) had a privacy notice/policy/T&Cs
22% (44) included the contact information of their privacy officer or team
3% (5) made a reference to PrivCom and included its contact information
7% (13) had a link (or a tab) to a privacy policy/notice but the document was missing.
Additionally, using the Flesch reading ease score, which provides a scientific measure of how accessible written content is, of the 78 websites that did have a privacy notice/policy/T&Cs displayed on their website:
5% (4) used language that was fairly difficult to understand
76% (59) used language that was difficult to understand
18% (14) used language that was very difficult to understand; and
1% (1) used language that was extremely difficult to understand.
The Global Sweep
For the first time, the GPEN sweep was coordinated with the International Consumer Protection and Enforcement Network (ICPEN), which represents consumer protection authorities. The collaboration recognises the growing intersection between privacy and other regulatory spheres. In the case of deceptive design patterns, it was clear to both privacy and consumer protection sweepers that many websites and apps employ techniques that interfere with individuals’ ability to make choices that best protect their privacy or consumer rights. Both GPEN and ICPEN, who are working together to improve privacy and consumer protection for individuals around the world, have published reports today outlining their findings.
For each indicator, the GPEN report found:
Complex and confusing language: More than 89% of privacy policies were found to be long or use complex language suited for those with a university education.
Interface interference: When asking users to make privacy choices, 42% of websites and apps swept used emotionally charged language to influence user decisions, while 57% made the least privacy protective option the most obvious and easiest for users to select.
Nagging: 35% of websites and apps repeatedly asked users to reconsider their intention to delete their account.
Obstruction: In nearly 40% of cases, sweepers faced obstacles in making privacy choices or accessing privacy information, such as trying to find privacy settings or delete their account.
Forced action: 9% of websites and apps forced users to disclose more personal information when trying to delete their account than they had to provide when they opened it.
What is next?
The sweep was not an investigation, nor was it intended to generate formal findings regarding confirmed violations of privacy legislation. However, as in previous years, concerns identified during the sweep could not only result in follow-up work such as outreach to organizations but may also lead to the initiation of enforcement action to address identified concerns. Decisions on further specific enforcement action will be made by each GPEN member independently.
GPEN encourages organisations to design their platforms, including associated privacy communications and choices, in a manner that supports users in making informed privacy choices that reflect their preferences. Good design includes default settings that best protect privacy; an emphasis on privacy options; neutral language and design to present privacy choices in a fair and transparent manner; fewer clicks to find privacy information, log out, or delete an account; and ‘just-in-time’ contextually relevant consent options. By offering users online experiences that are free from influence, manipulation, and coercion, organizations can build user trust and make privacy a competitive advantage.
For more information regarding Bermuda’s membership in GPEN, visit this link.