The National Privacy Commission (“NPC”) recently issued NPC Advisory No. 2023–01 dated 7 November 2023 entitled “Guidelines on Deceptive Design Patterns” (the “Guidelines”). The Guidelines serve to apprise data subjects of the use of Deceptive Design Patterns (“DDPs”), also called Dark Patterns, to obtain their consent.
Under the Data Privacy Act (“DPA”), the processing of personal information is allowed when the data subject has freely given his or her consent. Consent is not freely given when there is an element of pressure, intimidation, the possibility of adverse consequences for refusal to give consent, or any other inability to exercise free will.
DDPs refer to design techniques embedded in an analog (offline point of interaction) or digital interface that aim to manipulate or deceive the data subject into performing a specific act relating to the processing of their personal data. DDPs may force or mislead the data subject to consent to the processing of his or her personal information when in fact he or she does not intend to. The consent given may thus be considered vitiated and, therefore, the processing of information is unlawful.
The NPC further categorizes DDPs into either Appearance-Based DDPs or Content-Based DDPs. Appearance-Based DDPs refer to design patterns that manipulate or deceive a data subject through the display or presentation of information. This may take the form of an interface that makes it easy for data subjects to give consent, such as an enormous and brightly colored “I Agree” button, while making it hard for them to withdraw their consent, i.e., a hidden option to withdraw consent with repeated “Are you sure?” prompts.
Content-Based DDPs, on the other hand, refer to design patterns that manipulate or deceive a data subject through the actual contents, including the language and context, of the information made available to them. An example of this is when data subjects are persuaded to take the “best alternative” which, in fact, is the most prejudicial to their privacy, or when ambiguous, complex, or confusing language is used to obtain their consent.
Children, as well as the elderly, are the most vulnerable to DDPs. In a case before the US Federal Trade Commission (“FTC”), the FTC ordered Epic Games, Inc., the maker of the popular Esports game Fortnite, to pay $245 million for its use of DDPs in Fortnite to deceive consumers (mostly children) into making unintended purchases. Some of the DDPs reported to the FTC include designs where the checkbox and text are too small, leading the consumer to subscribe to continuous transactions instead of limiting the transaction to a single purchase; a game page design where the notification that in-game purchases are incorporated is discreetly positioned far down the page; and an interface where the refund request is placed in the settings menu, far removed from the purchase menu, and requires several unnecessary steps to process refunds, discouraging consumers from pursuing them.
Where personal information is processed on the basis of the data subject’s consent, that consent must be obtained from, and may be withdrawn by, the data subject through a user interface that provides a concise statement in clear, plain, consistent, and straightforward language with respect to the personal data to be processed; the nature, purpose, extent, duration, and scope of processing for which consent is used as basis; the risks and safeguards involved; the identity of the Personal Information Controller; the existence of the data subject’s rights; and how these rights can be exercised.
At the end of the day, even if data protection safeguards are strictly upheld and remedies are readily available, data subjects must always be extra careful with transactions that require them to provide personal information, whether such information refers to them or to other people.
This article is for general information and educational purposes only and not offered as legal advice or opinion.
For further information, please contact:
Andrew Stephen S. Lota, ACCRALAW
aslota@accralaw.com