Our next Data Policy Network event on 14 April will consider how organisations present privacy choices. Our guest speaker, Professor Woodrow Hartzog, argues that privacy by design is too often misused as a marketing slogan. In Privacy’s Blueprint, he makes the case that design is crucial to privacy and that data protection law should have a design agenda. This session will focus on the choice architecture organisations create for users and its impact on user decisions about data and privacy.

How does design influence privacy?

Nudge, a 2008 book by Thaler and Sunstein, shone the spotlight on how choice architecture – the context surrounding a decision – influences our decisions. Nudge was a vision for conscientious choice architecture, in other words helping people to make choices that they would deem to be ‘better’.

However, as organisations wholeheartedly adopted nudge theory, Thaler cautioned that the same techniques can be used for “less benevolent purposes”. He describes “evil nudges” as sludge, which makes decision making more difficult and can discourage behaviour in the individual’s best interest.

Harry Brignull coined the term ‘dark patterns’ in 2010 to describe digital sludge. The FTC describes dark patterns as “design features used to deceive, steer or manipulate users into behaviour that is profitable for an online service, but often harmful to users or contrary to their intent”.

Where are we today?

Dark patterns are widespread and effective. This suggests that they harm users, though, as we’ll discuss, defining and quantifying harm is challenging. It also suggests that there is room for improvement in the current consumer protection and data protection landscape, including the legal frameworks and/or enforcement.

Hartzog argues that the existing legal mechanisms are insufficient to constrain organisations using dark patterns to influence our choices. He proposes a new duty of loyalty that would oblige data collectors to pursue the best interests of the trusting party with respect to what is exposed and entrusted.

A duty of loyalty could serve as a guiding principle, underpinning and helping organisations to prioritise other duties and obligations, including those arising from data protection laws. Hartzog notes that the duty of loyalty provides a maxim for organisations “when in doubt, be loyal to those who trusted you with their exposure”, which would mean for example “putting the interests of human consumers over those of advertising clients”.

The backlash against Facebook’s recent change to WhatsApp’s privacy notice shows that this is a topical issue. Users didn’t understand the change and were angry at not being given a choice, except during an ‘opt out’ window in 2016. The Italian data protection regulator raised concerns about the announcement’s clarity, including whether it allowed users to make a free, informed choice.

More broadly, US privacy law continues to evolve and the FTC will shortly convene a workshop on dark patterns. Both present opportunities for lawmakers and regulators to intervene. Studies in Europe highlight challenges for GDPR, including whether dark patterns undermine the quality of consent. This could have wide-ranging practical consequences, for example as the ICO restarts its investigation into adtech.

Where should we go next?

  • To what extent would a duty of loyalty deliver better outcomes for data subjects? How would it compare with existing requirements for impact assessments and balancing tests, for instance under ‘legitimate interest’ processing in GDPR?
  • How harmful are dark patterns? What types of harm do they cause and are they harmful enough to merit specific policy, legal or regulatory responses?
  • To what extent have consent and control failed? Without getting bogged down in familiar debates about the high bar for consent in the GDPR, how should we frame consent and control if users are being manipulated by dark patterns?

What’s the plan?

We’ll start with Hartzog’s reflections on the issues. He will speak for around 30 mins before we break into smaller, informal discussion groups around the three questions above. As usual, you’ll be able to move between groups so that you can discuss each of the three questions.

17.30 BST / 12.30 EDT – Welcome
17.35 BST – Reflections from Woodrow Hartzog and Q&A
18.30 BST – Three breakout groups for discussion (each runs for around 30 mins)
19.30 BST – Wrap up and close

Register here to secure your place


Woodrow Hartzog

Professor of Law and Computer Science,
Northeastern University

Professor Hartzog is a Professor of Law and Computer Science at Northeastern University, where he teaches privacy and data protection law, policy, and ethics. He holds a joint appointment with the School of Law and the College of Computer and Information Science. His recent work focuses on the complex problems that arise when personal information is collected by powerful new technologies, stored, and disclosed online.
