ICO and CMA issue joint report on OCA and data collection practices

August 10, 2023

Online Choice Architecture consists of tools and techniques used on websites to “nudge” consumers into making certain transactional decisions. The CMA is carrying out a programme of work in this area and is currently investigating Emma Sleep and Wowcher for their use of OCA.

The ICO and CMA have now issued a joint report which states that some common online design practices influence consumers’ decision in ways they are not aware of and may not want.

The report contains an overview of how design choices online can lead to data protection, consumer and competition harms, and the relevant laws regulated by the ICO and CMA that could be infringed by these practices. It also contains practical examples of design practices that are potentially harmful under consumer and data protection laws when they are used to present choices about personal data processing. These practices are “harmful nudge and sludge”, “confirmshaming”, “biased framing”, “bundled consent” and “default settings”.

The ICO and CMA say that some of the main design practices which could break data protection laws include:

  • Making it difficult for consumers to refuse personalised advertising by not giving an equal choice to ‘accept all’ or ‘reject all’ cookies;
  • Overly complicated privacy controls which confuse consumers or cause them to disengage;
  • The use of leading language to influence consumers to hand over personal information;
  • Pressuring consumers into signing up for discounts in exchange for personal information; and
  • Bundling choices together in a way which encourages consumers to share more personal data than they would otherwise wish to.

The ICO and CMA want businesses to do the following:

  • Put the user at the heart of design choices.
  • Use design that empowers user choice and control.
  • Test and trial design choices.
  • Comply with data protection, consumer and competition law.

The ICO and CMA expect businesses to make improvements to their design practices in digital markets. If they do not, the ICO may take regulatory action.