
Abusive by Design: Part 1. Should Design Be Regulated?

UI/UX is about to receive heavy regulation, just as the tobacco and food industries did in the 20th century. Why? Regulators insist that digital design creates a substantial margin for ‘nudging’ us towards certain points of view and actions, whether for good or not.

Digital design shapes our everyday lives and has the potential to profit from our actions. Just remember the last video you watched on YouTube or the last online purchase you made - they were probably suggested by the platform's algorithms based on your profile, and this is only the beginning.

However, should the law really tell us how to design products and services? Or is that intrusive paternalism?

As the topic of law and design interests me, I will try my best to work through some of the interesting issues at the intersection of digital design and ePrivacy in this series of articles.

In the first part, I give an overview of the 'pros' and 'cons' of regulating digital design and share a few interesting statistics on the consequences of design regulation.

Darkening Clouds

In its recent report, the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority, stated that more regulatory attention would be paid to the design of digital services and products. It also suggested that we could soon see specific design-oriented regulations in the IT field.

Figure: Cover page of the CNIL report

The topic of regulating the design of digital services doesn't have clear-cut answers. As usually happens, different stakeholders eventually split into two camps:

- those who want more protection for the end-user; and

- those advocating more freedom for doing business.

A Bad Idea?

Objections to the regulation of design derive from rather conservative views. Ari Ezra Waldman, a Professor of Law and the Director of the Innovation Center for Law and Technology at New York Law School, presented a compilation of popular cons in his article 'Privacy, Notice, and Design' for the Stanford Technology Law Review. I chose some of them for the list below (and will mention his work in subsequent posts):

  1. Design regulation burdens regulators with the role of art critics. Who will decide whether a design is user-friendly?
      Quoting the author of the article:
      ‘...a rather unrepresentative cadre of regulators or judges determine whether designs are user friendly or not will unfairly narrow the artistic options open to privacy policy designers.’

  2. Strict requirements for the design of IT services will stifle the growth of business. If digital commerce becomes over-regulated, it will be more difficult to acquire new customers, and founders will lose their incentives in the digital economy; and

  3. Setting specific design requirements will infantilize the end-user, since she/he will not be able to make an informed decision on whether to opt for certain services.

(ir)Rational Humans

The problem with the informed consent doctrine, however, is its assumption that the end-user is perfectly rational. In reality, no such person exists. All of us are capable of making many irrational turns and of skipping the whole process of informed decision-making for the sake of comfort.

Interest in the topic of cognitive bias is at an all-time high, and there are grounds to believe that the design of digital services actively exploits our biases, often crossing the line.

The pros of regulating design assume the existence of human irrationality, at least in a limited form:

  1. Design is not neutral. It limits the user’s choices and nudges us into sharing information, buying more unnecessary goods, or using certain features;

  2. Certain digital services, such as social networks, abuse our cognitive biases to capture and sell our attention. Most of the time, we are not aware of it.
    This story reminds me of the early years of smoking in the 20th century, when tobacco companies would popularize smoking with no mention of its health dangers.

  3. Digital services create legal effects for their users. These legal effects are usually not understood because of poor notice design and information fatigue.
      Just remember the 20-page policies on many websites. Have you ever tried to read one from beginning to end? Try to read, at least, a small paragraph from the Terms of Use below.

Figure: An excerpt from a popular online platform’s Terms of Use

  4. As a result, focusing only on the content of Privacy Policies and Terms of Use creates policies designed by lawyers, for lawyers. The end-user is missing from this vicious circle.


What We Have so Far

From the privacy point of view, the European Union already regulates design. Personal data protection obligations affect digital design drastically - the increasing number of cookie pop-up windows, the numerous checkboxes during registration, and the emergence of Privacy Settings pages are the evidence. These measures have been reducing conversion rates for email subscriptions and cookie deployment in the EU since the GDPR (the EU's personal data protection regulation) started to apply.

For example, a study from the University of Oxford shows that the use of tracking cookies in the EU was reduced by 22% since the GDPR.

At the same time, another study points to increased trust in services (by 36%) in the UK following its reformed privacy protection regulation. Shouldn't a decrease in conversion rates be a fair sacrifice for restoring the balance?

The U.S., famous for its business-oriented approach, also has a few examples of requirements for design and the use of plain language:

- The Health Insurance Portability and Accountability Act (HIPAA), a regulation of privacy in the healthcare and health insurance sector, addresses the plain-language problem of the Privacy Notice.

- The Consumer Financial Protection Bureau (CFPB) requires that credit reports be designed to enhance transparency and readability.

- The U.S. Securities and Exchange Commission has its own plain-language requirements for prospectuses and other documents (the Plain English Handbook).

- The California Attorney General’s Office recommended that policies be drafted in “a format that makes the policy readable, such as a layered format.”

What would you say? Should we stop the madness of tech giants shaping our choices, or has the French regulator gone mad itself?

I lean towards the need for robust regulation of dark patterns and nudges in digital design. You can shape the user’s choice, but you shouldn’t silently choose for the user, especially when she/he is not aware of it. Thus, the balance needs to shift towards a middle ground between business and end-user interests. Dialectics in its pure form.

In the next posts, I will say more about the existing design requirements for customer data collection and the overall direction of design regulation.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.

Vlad Nekrutenko, Privacy Lawyer at Legal Nodes
