The Information Commissioner's Office (ICO) and the Competition and Markets Authority (CMA) have issued a joint paper seeking to put a stop to harmful website design practices. Such practices can deceive consumers into giving up more personal data than they would otherwise wish and by weakening consumer control leading to worse consumer and competitive outcomes.  

The ICO and CMA very much believe that properly designed websites should allow users to make informed and effective choices regarding how their personal information will be used, which will, in turn, build customer trust.

The paper which is addressed to all organisations, web designers and developers involved in the creation of website designs emphasises that organisations must:

  • Place the user at the forefront of every design choice. Online interfaces should be constructed around user interests and preferences.
  • Use designs allowing for customer choice and control. Customers should be in full control of how their personal information is used
  • adopt tested and trialled design choices. This will mean that design choices are evidence-based.
  • Comply with all data protection, consumer and competition laws. The implications of all applicable laws must be assessed in webpage designs.

Cookie banners

In the joint paper, available here, the ICO and CMA note that harmful designs are often contained in cookie consent banners. The paper emphasises that it should be as easy to reject non-essential cookies as it is on some cookie banners to accept cookies. After all, an informed choice is key to using personal information to profile users for targeted advertising. The most used websites in the United Kingdom’s cookie banners will be reviewed by the ICO to target the lack of consumer control and action will be taken if required.

Example of harmful designs

The joint paper provides several examples of harmful website designs and discusses how websites should look instead.  

  • The practice of confirmshaming (the application of pressure or shame into doing something) may mean that users are more inclined to agree to the sharing of personal data than they might otherwise have been. This often happens when language is used that suggests something is a “good” or “bad” choice or morally or socially improper.
  • In an example of harmful design by confirmshaming, a pop-up invites consumers to provide their email address in exchange for a discount. For a customer to decline, they are directed to click a button stating “Nahh, I hate savings”. Whilst there is nothing inherently improper or contrary to data protection law in providing incentives to consumers to share personal data, using such language may put pressure on individuals meaning that their consent will not have been “freely given”. The CMA has concerns regarding the ushering of users to share more personal data than they would otherwise want whilst also noting that it has the ability, in certain markets, to lead to competitive advantage for prior incumbents.

Both bodies intend to actively address the lack of control some consumers have as a result of harmful website designs. The ICO will take enforcement action where appropriate, and the CMA will continue working on its “Rip-Off Tip-Off” campaign (encouraging customers to report online rip-offs) as well as use its powers to address misleading selling practices. They will also continue to collaborate through the Digital Regulation Cooperation Forum to ensure digital markets adequately serve consumers interests.

A stakeholder workshop for those interested in discussing harmful design practices will be held in Autumn. Stakeholders should register their interest by emailing:

Should you require any assistance with the issues raised in this update, please contact a member of our Data Protection & Cyber Security team.

This article was co-written by Arina Yazdi, Trainee Solicitor.