Our next Data Policy Network event on 14 April will consider how organisations present privacy choices. Our guest speaker, Professor Woodrow Hartzog, argues that privacy by design is too often misused as a marketing slogan. In Privacy’s Blueprint, he makes the case that design is crucial to privacy and that data protection law should have a design agenda. This session will focus on the choice architecture organisations create for users and its impact on user decisions about data and privacy.
Nudge, a 2008 book by Thaler and Sunstein, shone the spotlight on how choice architecture – the context surrounding a decision – influences our decisions. Nudge was a vision for conscientious choice architecture, in other words helping people to make choices that they would deem to be ‘better’.
However, as organisations wholeheartedly adopted nudge theory Thaler cautioned that the same techniques can be used for “less benevolent purposes”. He describes “evil nudges” as sludge – which makes decision making more difficult and can discourage behaviour in the individual’s best interest.
Harry Brignull coined the term ‘dark patterns’ in 2010 to describe digital sludge. The FTC describes dark patterns as “design features used to deceive, steer or manipulate users into behaviour that is profitable for an online service, but often harmful to users or contrary to their intent”.
Dark patterns are widespread and effective. This suggests that they harm users though, as we’ll discuss, defining and quantifying harm is challenging. It also suggests that there is room for improvement in the current consumer protection and data protection landscape, including the legal frameworks and/or enforcement.
Hartzog argues that the existing legal mechanisms are insufficient to constrain organisations using dark patterns to influence our choices. He proposes a new duty of loyalty that would oblige data collectors to pursue the best interests of the trusting party with respect to what is exposed and entrusted.
A duty of loyalty could serve as a guiding principle, underpinning and helping organisations to prioritise other duties and obligations, including those arising from data protection laws. Hartzog notes that the duty of loyalty provides a maxim for organisations “when in doubt, be loyal to those who trusted you with their exposure”, which would mean for example “putting the interests of human consumers over those of advertising clients”.
The backlash against Facebook’s recent change to WhatsApp’s privacy notice shows that this is a topical issue. Users didn’t understand the change and were angry at not being given a choice, except during an ‘opt out’ window in 2016. The Italian data protection regulator raised concerns about the announcement’s clarity, including whether it allowed users to make a free, informed choice.
More broadly, US privacy law continues to evolve and the FTC will shortly convene a workshop on the dark patterns. Both present opportunities for lawmakers and regulators to intervene. Studies in Europe highlight challenges for GDPR, including whether dark patterns undermine the quality of consent. It could have wide ranging practical consequences, for example as the ICO restarts its investigation into adtech.
We’ll start with Hartzog’s reflections on the issues. He will speak for around 30 mins before we break into smaller, informal discussion groups around the three questions above. As usual, you’ll be able to move between groups so that you can discuss each of the three questions.
17.30 BST / 12.30 EDT – Welcome
17.35 BST – Reflections from Woodrow Hartzog and Q&A
18.30 BST – Three breakout groups for discussion (each runs for around 30 mins)
19.30 BST – Wrap up and close
Professor Hartzog is a Professor of Law and Computer Science at Northeastern University, where he teaches privacy and data protection law, policy, and ethics. He holds a joint appointment with the School of Law and the College of Computer and Information Science. His recent work focuses on the complex problems that arise when personal information is collected by powerful new technologies, stored, and disclosed online.