Abusive by Design: Part 1. Should Design Be Regulated?
UI/UX is about to be heavily regulated, just as the tobacco and food industries were in the 20th century. Why? Regulators insist that digital design creates a substantial margin for ‘nudging’ us toward certain points of view and actions, either positively or not.
Digital design shapes our everyday lives and has the potential to profit from our actions. Just remember the last video you watched on YouTube or the last online purchase you made - they were probably suggested by the platforms' algorithms based on your profile, and that is only the beginning.
However, should the law really tell us how to design products and services? Or is that intrusive paternalism?
As the topic of law and design seems interesting to me, I will try my best to figure out some interesting issues at the intersection of digital design and ePrivacy in this series of articles.
In the first part, I give an overview of the 'pros' and 'cons' of regulating digital design and share a few interesting stats on the consequences of design regulation.
In its recent report, the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority, stated that more regulatory attention would be paid to the design of digital services and products. It also suggested that we could soon see specific design-oriented regulations in the IT field.
Cover page of CNIL Report
The topic of regulating the design of digital services doesn't have clear-cut answers. As usually happens, different stakeholders eventually split into two camps:
- those who want more protection for the end-user; and
- those advocating more freedom for doing business.
A Bad Idea?
Objections to the regulation of design are derived from rather conservative views. Ari Ezra Waldman, a Professor of Law and the Director of the Innovation Center for Law and Technology at New York Law School, presented a compilation of popular cons in his article 'Privacy, Notice, and Design' for the Stanford Technology Law Review. I chose some of them for the list below (and will mention his work in subsequent posts):
- Design regulation carries the burden of being art critics. Who will decide whether the design is user-friendly?
Quoting the author of the article:
- Strict requirements for the design of IT services will stifle the growth of business. If digital commerce becomes over-regulated, it will be more difficult to acquire new customers and founders will lose their incentives in the digital economy; and
- Setting specific design requirements will infantilize the end-user, since she/he will not be able to make an informed decision on whether to opt for certain services.
The problem with the informed consent doctrine, however, is the assumption that the end-user is perfectly rational. In reality, no such user exists. All of us are capable of making many irrational turns and bypassing the whole process of making informed decisions for the sake of comfort.
The topic of cognitive bias is at an all-time high, and there are some grounds to believe that the design of digital services actively uses our biases, often crossing the line.
The pros of regulating design assume the existence of human irrationality, at least in a limited form:
- Design is not neutral. It limits the user’s choices and nudges us to share information, buy more unnecessary goods or use certain features;
- Certain digital services, such as social networks, abuse our cognitive biases to capture and sell our attention. Most of the time, we are not aware of it.
This story reminds me of the early years of smoking in the 20th century when tobacco companies would popularize smoking with no mention of its health dangers.
- Digital services create legal effects for their users. These legal effects are usually not understood because of poor notice design and information fatigue.
What We Have so Far
From the privacy point of view, the European Union already regulates design. Personal data protection obligations affect digital design drastically - the increasing number of cookie pop-up windows, numerous checkboxes during registration, and the emergence of Privacy Settings pages are the evidence. These measures have been reducing the conversion rates for email subscriptions and cookie deployment in the EU since the GDPR (the EU's personal data protection regulation) started to apply.
E.g., a survey from the University of Oxford shows that the use of tracking cookies in the EU has been reduced by 22% since the GDPR.
At the same time, another study points to increasing trust in services (by 36%) in the UK with a reformed privacy protection regulation. Shouldn't a decrease in conversion rates be a fair sacrifice for restoring the balance?
The U.S., famous for its business-oriented approach, also has a few examples of requirements for design and the use of plain language:
- The Health Insurance Portability and Accountability Act (HIPAA), a regulation of privacy in the healthcare and health insurance sector, addresses the plain language problem of the Privacy Notice.
- The Consumer Financial Protection Bureau (CFPB) requires that credit reports be designed to enhance transparency and readability.
- The U.S. Securities and Exchange Commission has its plain-language requirements for prospectuses and other documents (Plain English Handbook).
- The California Attorney General’s Office recommended that policies be drafted in “a format that makes the policy readable, such as a layered format.”
What would you say? Should we stop the madness of tech giants in shaping our choices, or has the French regulator itself gone mad?
I’m inclined toward the need for robust regulation of dark patterns and nudges in digital design. You can shape the user’s choice, but you shouldn’t silently choose for the user, especially when she/he is not aware of it. Thus, there is a need for a shift in balance to find the middle ground between business and end-user interests. Dialectics in its pure form.
In the next posts, I will say more about the existing design requirements for customer data collection and the overall vector of design regulations.
Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.
Vlad Nekrutenko, Privacy Lawyer at Legal Nodes