
Don’t be the architect of your own demise: UK's ICO and CMA fire warning shot on “harmful online design”

In a joint position paper published on 9 August 2023, the Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) have called on businesses (as well as their technical product / UX designers) to stop designing their online services in ways that may harm user choice, and instead adopt evidence-based design that promotes user choice and control. The paper is focused specifically on online choice architecture (referred to in the report as 'OCA') in relation to consumers’ choice and control over their personal information. 

The paper explains how poor OCA could breach consumer, competition and privacy law, sets out an expectation that firms will make improvements to their OCA as a result of the paper, and makes an explicit threat to “take formal regulatory action” against firms that do not.  

Examples of harmful online design 

The ICO and the CMA are concerned about OCA practices that may harm consumers (particularly children and others in vulnerable situations) and weaken competition. The paper sets out a number of non-exhaustive examples that the regulators consider harmful:

  • Harmful nudges occur when the design of a service makes it easy for users to make decisions which may not align with their preferences or welfare. For example, a cookie pop-up may include an option to consent to non-essential cookies with a single click, while refusing consent may be more difficult by design (‘sludge’). This ‘dark nudge’ influences users to offer more personal data, which may not align with their best interests or preferences.

  • ‘Confirmshaming’ is a design choice that pressures users into a particular action by making them feel guilty or embarrassed to do otherwise. For example, having to click a button that reads “Nahh, I hate savings” in order to decline providing an email address strongly suggests that declining is a ‘bad’ choice.

  • Biased framing emphasises the positive impact and downplays the negative impact of a choice, or vice versa.

  • Bundled consent requires the user to consent to use of their personal information for multiple separate purposes via a single consent option, which may make it harder for users to exercise granular control over their personal information.

  • Default settings can reduce friction but may not always align with user preferences. Firms can use default settings strategically to constrain user choice.

The ICO and the CMA explain they are concerned these practices could lead to:

  • Data protection harms: If widespread, harmful design can undermine free user choice and normalise lower levels of privacy. Under the UK GDPR, these practices may infringe principles of fairness and transparency and may not produce informed or otherwise valid consent.

  • Competition harms: By collecting more consumer data, firms can leverage network effects to strengthen their market position, lock customers in, and create barriers to entry and expansion.

  • Consumer protection harms: Poor OCA practices can distort consumer choice and decrease consumer welfare if the ‘easy’ choices do not align with their preferences or best interests.

What should firms do about it?

The position paper makes clear that the CMA and ICO’s expectation is that firms will make changes to reflect the paper. It sets out four principles which should inform OCA in relation to choices about personal data: (1) put the user at the heart of your design choices; (2) use design that empowers user choice and control; (3) test and trial your design choices; and (4) comply with data protection, consumer and competition law.  

Firms offering services likely to be accessed by children should also follow the guidance in the ICO’s Children’s Code. Stakeholders are also invited to engage further with the CMA and ICO in relation to the paper, including through a workshop in the autumn.

Cooperation between digital regulators 

While the CMA has discussed harmful online design extensively in its 2022 discussion paper (as part of its active programme of work on OCA), and indeed has already taken action using its consumer powers against wider misleading online practices, this joint paper is a good example of collaboration between regulators through the Digital Regulation Cooperation Forum (DRCF) - which also includes two other regulators with digital jurisdictions, Ofcom and the Financial Conduct Authority. 

This type of practical cooperation on technical matters is only set to increase as digital regulators seek to increase productivity and effectiveness by following the DRCF’s Terms of Reference and 2023/24 Workplan.

Digital businesses are used to navigating the frameworks of multiple regulators who each aim to protect consumers but may do so in different, sometimes conflicting ways. Open collaboration between regulators can clarify how these regimes interact and complement each other. In this case, the joint paper emphasises that enabling users to make informed choices about their personal data is common ground between both regulators as it protects competition, consumers, and their personal data.

Where next?

While competition law has historically addressed issues around default options through abuse of dominance enforcement, the paper comes as the CMA is on the verge of being handed a broad new set of powers. As part of the DMCC Bill, firms with 'Strategic Market Status' (SMS) will have to comply with firm-specific codes of conduct and potentially be subject to 'pro-competition interventions' that could give specific direction over how businesses operate. 

It is envisaged these tools will be used to deal with some issues of OCA, for example SMS firms may be obliged to present options or default settings in a way that allows users to “make informed and effective decisions in their own best interests” – a clear reference to OCA practices.

But even firms that are neither dominant nor designated as having SMS will have to look out for regulatory action by the ICO and the CMA, potentially coordinated via the DRCF. The ICO of course already has powers to fine firms up to the higher of 4% of global group turnover or £17.5 million, and fines under competition law can already be up to 10% of global turnover. In addition, the DMCC Bill will significantly strengthen consumer law by giving the CMA new powers to fine any firm up to 10% of global turnover for breaches.

With OCA clearly front of mind for regulators and likely to be a focus for enforcement going forwards, now is the time to ensure online design complies with the principles set out by the paper and with competition, consumer and privacy law more generally.

Well-designed OCA can guide users towards choices that align with their goals, preferences or best interests... [but] OCA practices can also be used to undermine users’ control over their personal information and steer their behaviour in harmful ways that do not align with their best interests or preferences about its use.
