
Canadian Privacy Regulators Issue Resolution about Deceptive Design Patterns

November 14, 2024 | Privacy & Data Protection Bulletin

Earlier this year, the Office of the Privacy Commissioner of Canada (“OPC”) joined 25 other global privacy enforcement authorities to conduct a sweep of websites and mobile apps (together, “Platforms”) for the use of deceptive design patterns (the “Sweep”).

The OPC subsequently published a report summarizing its findings from the Sweep (the “Report”).[1] Notably, of the 145 Platforms reviewed by the OPC, 99% contained at least one indicator of deceptive design.

On November 13th, 2024, Canadian privacy regulators issued a joint resolution addressing what they consider to be “the growing use of deceptive design patterns that undermine privacy rights” (the “Resolution”).[2] The Resolution calls on public and private sector organizations to avoid the use of deceptive design patterns and to ensure that users can make informed privacy decisions.

What are deceptive design patterns?

The OPC defines deceptive design patterns as patterns commonly used on Platforms to influence, manipulate or coerce users into making privacy-related decisions that are not in their best interests. More specifically, these patterns can prevent users from making fully informed decisions about the collection, use, and disclosure of their personal information, and cause them to give up more of their privacy than they would like.

The Report focuses on the following five categories of deceptive design patterns:

  1. Interface Interference. These design elements may distract, confuse or otherwise adversely influence users’ perception and understanding of their privacy options. For example, a “false hierarchy” emphasizes certain visual elements and obscures others, to channel users towards less privacy-protective options. “Preselection” occurs where the most privacy intrusive option is preselected by default, with the hope that many users will simply click to accept the preselected choice for ease. Finally, “confirm-shaming” refers to the use of emotionally charged language to push users towards privacy-related options favoured by the organization.
  2. Nagging. These design elements repeatedly prompt users to take specific actions that may undermine their privacy interests. The OPC perceives nagging as an attempt by organizations to annoy users into taking actions they would not normally take, like signing up for an account, switching from a website to a mobile app platform or otherwise permitting the collection of more of their personal information.
  3. Obstruction. These design elements involve inserting unnecessary, additional steps between users and their privacy-related goals, potentially frustrating them so they do not make their intended privacy choices. This is also referred to as “click fatigue”, where an individual has to click an unreasonable number of times to achieve a goal, such as cancelling their account.
  4. Forced Action. These design elements require or trick users into disclosing more personal information than is necessary to provide the Platform’s service, such as only offering an “accept all” option on a cookie banner, instead of also providing an option to reject non-essential cookies.
  5. Inaccessible Language. The OPC considers the posting of overly technical or excessively long privacy policies or terms of use on Platforms to be a deceptive design pattern. In fact, the Report indicates that this was the most common type of deceptive design pattern observed during the Sweep, occurring on 96% of the digital properties reviewed by the OPC. The Report suggests that the OPC considers a privacy policy to be excessive in length if it is longer than 3,000 words and unduly complex if it is drafted above a grade 12 reading level according to a Flesch readability score. (The Flesch Reading Ease score itself is a 0 to 100 scale on which higher is easier to read; a grade-level figure comes from the related Flesch-Kincaid Grade Level formula, which uses the same sentence-length and syllables-per-word inputs.)
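As an added example (not part of the bulletin and not the OPC's own tooling), the following Python script applies the two Inaccessible Language thresholds summarized above to a privacy policy: it counts words, computes the Flesch Reading Ease and Flesch-Kincaid Grade Level from the standard published formulas, and reports whether the text is longer than 3,000 words or above a grade 12 level. The syllable-counting heuristic, the sentence splitter and the two sample policies are assumptions constructed here for illustration.

```python
import re

# Thresholds as summarized above from the OPC Report.
MAX_WORDS = 3000
MAX_GRADE = 12.0

_WORD_RE = re.compile(r"[A-Za-z']+")
_SENTENCE_SPLIT_RE = re.compile(r"[.!?]+")
_VOWEL_GROUP_RE = re.compile(r"[aeiouy]+")


def count_syllables(word: str) -> int:
    """Heuristic syllable count: vowel groups, minus a trailing silent 'e'.

    Assumption for illustration; dictionary-based counters are more accurate,
    but this heuristic is close enough to rank policies against a threshold.
    """
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(_VOWEL_GROUP_RE.findall(w))
    if n > 1 and w.endswith("e") and not w.endswith("le"):
        n -= 1
    return max(n, 1)


def text_stats(text: str) -> dict:
    """Word, sentence and syllable totals for a block of text.

    Splitting sentences on . ! ? is naive: abbreviations such as 'e.g.' inflate
    the sentence count, so normalise them before measuring a real policy.
    """
    words = _WORD_RE.findall(text)
    sentences = [s for s in _SENTENCE_SPLIT_RE.split(text) if s.strip()]
    return {
        "words": len(words),
        "sentences": max(len(sentences), 1),
        "syllables": sum(count_syllables(w) for w in words),
    }


def flesch_reading_ease(text: str) -> float:
    """Flesch Reading Ease: 0-100 scale, higher is easier (60-70 is plain English)."""
    s = text_stats(text)
    asl = s["words"] / s["sentences"]           # average sentence length
    asw = s["syllables"] / max(s["words"], 1)   # average syllables per word
    return 206.835 - 1.015 * asl - 84.6 * asw


def flesch_kincaid_grade(text: str) -> float:
    """Flesch-Kincaid Grade Level: approximate school grade needed to read the text."""
    s = text_stats(text)
    asl = s["words"] / s["sentences"]
    asw = s["syllables"] / max(s["words"], 1)
    return 0.39 * asl + 11.8 * asw - 15.59


def assess_policy(text: str, max_words: int = MAX_WORDS, max_grade: float = MAX_GRADE) -> dict:
    """Apply the length and complexity thresholds and report which ones fail."""
    stats = text_stats(text)
    grade = flesch_kincaid_grade(text)
    return {
        "word_count": stats["words"],
        "grade_level": round(grade, 1),
        "reading_ease": round(flesch_reading_ease(text), 1),
        "too_long": stats["words"] > max_words,
        "too_complex": grade > max_grade,
    }


# Constructed sample policies for illustration (not real policies).
SIMPLE_POLICY = (
    "We collect your name and email to send your order. "
    "We do not sell your data. "
    "You can delete your account at any time."
)

LEGALESE_POLICY = (
    "Notwithstanding the foregoing, the organization may disclose personal "
    "information to affiliated entities, subcontractors, and governmental "
    "authorities whenever such disclosure is reasonably necessary to "
    "facilitate the administration, optimization, and monetization of the "
    "services, including the aggregation of behavioural telemetry for "
    "analytical purposes."
)

if __name__ == "__main__":
    for label, policy in (("simple", SIMPLE_POLICY), ("legalese", LEGALESE_POLICY)):
        print(label, assess_policy(policy))
```

Run the file directly to compare the two samples; the single forty-one-word legalese sentence lands far above grade 12, while the plain-language version scores in the low grades. The `too_long` check is a raw word count, so run it on the policy text alone rather than a page that also contains navigation and footer text.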

Potential Risks to Businesses

Under Canadian private sector privacy legislation, the primary legal basis to collect, use and disclose personal information is consent. However, the legislation expressly provides that consent will not be valid if it is obtained through deceptive or misleading practices. The use of deceptive design patterns will therefore invalidate any consent that is obtained using a deceptive mechanism, meaning a business may no longer have a valid legal basis to process personal information collected on a Platform.

Using deceptive design patterns can also damage organizations’ relationships with customers, or prospective customers, by causing user frustration and a lack of trust, which can have negative, long-term impacts on an organization’s brand and reputation.

Finally, deceptive design patterns may also form the basis of complaints to and/or investigations by privacy regulators, and even individual or class action litigation.

Privacy Regulators’ Expectations

The Resolution sets out Canadian privacy regulators’ expectations for public and private sector organizations with respect to their Platforms, including:

  • Using the concept of privacy-by-design as the basis for Platform design;
  • If applicable, ensuring that the best interests of young people are taken into account during the design stage;
  • Limiting personal information collection to what is necessary for the purposes identified by the organization;
  • Promoting transparency by using clear and simple language;
  • Examining and testing the design architecture and usability of Platforms to determine and limit the prevalence of deceptive design patterns; and
  • Choosing design elements that comply with applicable privacy legislation, take users’ interests into account, and do not generate negative habits or behaviours in users.

Action Items for Businesses

Businesses should ensure that an appropriate internal review and approval process is in place for the design and implementation of new Platforms, and updates to existing Platforms, to ensure that deceptive design patterns are not used. This review and approval process should include input from the person responsible for the organization’s compliance with privacy laws, such as the privacy officer.

In addition to following the steps set out in the Resolution, businesses may also consider taking the following steps:

  • Updating Privacy Policies. In light of the OPC’s dissatisfaction with 96% of the privacy policies it reviewed during the Sweep, updating external-facing privacy policies should be a top priority. Organizations should ensure that privacy policies are written in plain language, use short, easy-to-understand sentences, are well organized, and are in an easy-to-navigate format, such as through the use of appropriate headings and hyperlinks to different sections.
  • Reviewing Existing Platforms. Businesses should carefully review existing Platforms with fresh eyes to consider whether deceptive design patterns are used to influence users’ privacy choices. Common “pain points” for deceptive design patterns include cookie banners, account registration and deletion processes, and check-outs on ecommerce platforms. In particular, the Resolution encourages organizations to take steps to (i) ensure Platforms are defaulted to their most privacy-protective settings; (ii) present privacy choices using simple, consistent and neutral language; (iii) make privacy settings easily accessible at all times (not only upon a user’s first visit); (iv) reduce the number of clicks needed to navigate and adjust users’ privacy choices; and (v) provide just-in-time consent options that allow users to make privacy decisions when they are contextually relevant.
  • Implementing Internal Vetting Processes. Businesses should also consider designing and implementing internal processes to avoid the introduction of deceptive design patterns on future Platforms. For example, organizations may develop and deliver regular, role-specific training about spotting and avoiding deceptive design patterns to those members of the organization who are responsible for designing Platforms, such as web design and marketing team members. Templates for privacy impact assessments and other internal checklists and compliance tools can also be updated to include checks for deceptive design patterns.
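As an added example (not code from the bulletin, the OPC or any regulator), the following Python script automates part of the cookie-banner review suggested above: it parses a banner's HTML with the standard library's html.parser and flags three of the indicators described in the Report's categories, namely preselection (a non-essential category checked by default), forced action (an accept control with no reject control) and, heuristically, false hierarchy (accept and reject rendered as different element types). The two banner snippets are constructed here for illustration, the keyword lists and category names are assumptions to be tuned for a real site, and a real review still needs a person to look at the rendered page, since colour, size and placement are not visible in the markup.

```python
import re
from html.parser import HTMLParser

# Assumed vocabulary: category names treated as strictly necessary, and the
# words that identify accept/reject controls. Tune these for a real site.
ESSENTIAL_CATEGORIES = {"essential", "necessary", "required", "strictly-necessary"}
ACCEPT_RE = re.compile(r"\b(accept|allow|agree)\b", re.IGNORECASE)
REJECT_RE = re.compile(r"\b(reject|decline|refuse|deny)\b", re.IGNORECASE)


class BannerParser(HTMLParser):
    """Collects the consent checkboxes and clickable controls of a banner."""

    def __init__(self):
        super().__init__()
        self.checkboxes = []   # (category name, checked by default?)
        self.controls = []     # (tag, visible text) for <button> and <a>
        self._open = None      # (tag, text parts) while inside a control

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # boolean attributes such as 'checked' map to None
        if tag == "input" and (a.get("type") or "").lower() == "checkbox":
            self.checkboxes.append((a.get("name") or "", "checked" in a))
        elif tag in ("button", "a"):
            self._open = (tag, [])

    def handle_data(self, data):
        if self._open is not None:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if self._open is not None and tag == self._open[0]:
            text = " ".join(" ".join(self._open[1]).split())
            self.controls.append((tag, text))
            self._open = None


def audit_banner(html: str) -> list:
    """Return (indicator, detail) pairs for the deceptive-design indicators found."""
    parser = BannerParser()
    parser.feed(html)
    parser.close()
    findings = []

    # Preselection: a non-essential category is opted in before the user acts.
    for name, checked in parser.checkboxes:
        if checked and name.lower() not in ESSENTIAL_CATEGORIES:
            findings.append(("preselection", f"'{name}' is checked by default"))

    accept = [c for c in parser.controls if ACCEPT_RE.search(c[1])]
    reject = [c for c in parser.controls if REJECT_RE.search(c[1])]

    # Forced action: the only way forward is to accept.
    if accept and not reject:
        findings.append(("forced_action", "accept control present but no reject control"))
    # False hierarchy (heuristic): accept is a button while reject is only a
    # link, or vice versa, so the two choices are not presented as equals.
    elif accept and reject and {t for t, _ in accept} != {t for t, _ in reject}:
        findings.append(("false_hierarchy", "accept and reject use different element types"))

    return findings


# Constructed banners for illustration, not taken from any real site.
DECEPTIVE_BANNER = """
<div id="cookie-banner">
  <p>We use cookies to improve your experience.</p>
  <label><input type="checkbox" name="essential" checked disabled> Essential</label>
  <label><input type="checkbox" name="analytics" checked> Analytics</label>
  <label><input type="checkbox" name="advertising" checked> Advertising</label>
  <button class="primary">Accept all</button>
  <a href="/cookie-settings">Manage settings</a>
</div>
"""

COMPLIANT_BANNER = """
<div id="cookie-banner">
  <p>Choose which cookies we may set.</p>
  <label><input type="checkbox" name="essential" checked disabled> Essential</label>
  <label><input type="checkbox" name="analytics"> Analytics</label>
  <label><input type="checkbox" name="advertising"> Advertising</label>
  <button>Reject non-essential</button>
  <button>Accept selected</button>
</div>
"""

if __name__ == "__main__":
    print("deceptive:", audit_banner(DECEPTIVE_BANNER))
    print("compliant:", audit_banner(COMPLIANT_BANNER))
```

The deceptive banner yields two preselection findings and one forced-action finding (its only non-accept control is a "Manage settings" link, which is obstruction rather than a reject option); the compliant banner yields none. A check like this fits naturally into the internal vetting process described above, for example as a test that runs against banner templates before release.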

McMillan’s Privacy and Data Protection team can help your organization to implement the action items outlined above. Contact your McMillan representative to obtain the support your organization needs to ensure compliance with this critical privacy compliance issue.

[1] Office of the Privacy Commissioner of Canada Sweep Report 2024: Deceptive Design Patterns (July 9, 2024).
[2] Identifying and mitigating harms from privacy-related deceptive design patterns, Resolution of the Federal, Provincial and Territorial Information and Privacy Commissioners and Ombuds with responsibility for privacy oversight (published November 13, 2024).

by Kristen Pennington

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024
