Abusive by Design: Part 2. Make Consent Informed Again
Abusive by Design: Part 2. Make Consent Informed Again
In the previous article in the series, I wrote about the pros and cons of regulating design. Some points led to the problems design can create, but it remained unclear what could be wrong with design at all. I made it for a reason: this part of the 'Abusive by Design' series will address the content of requirements to design and gives a few tips on how to create a user-friendly legal framework on a website.
Let me start with the importance of the legal effect of a user agreement, then describe the way how to keep it legally valid, and end with the privacy design requirements.
The major concern for the way how providers design their services is the legal effects they create. When we visit a website or application with some functionality or contact forms, we enter into a contract with the platform controller.
The agreement sets the obligations on how to behave properly on the platform, to not conduct illegal activities, such as piracy, use of malware or hate speech. The platform provider covers its legal risks and tries to exempt itself from any responsibility connected to the possible damages to the end-user.
Also, policies and notices inform on the use of information about us online - how the provider collects data, what the purposes and what our rights regarding this are.
However, ambiguous or unclear policies and design can create a problem for the provider. If the UI/UX and documents were designed poorly, its legal effects can vanish into thin air - no $40,000 check at the end of the day.
Keep It Transparent
The task of keeping user agreement and notices legally enforceable turned out to be challenging. The main legal concerns that UI/UX is dealing with are:
- how a service provider informs us about the services or features. This part deals with the transparency of online platforms and the fairness of its features. Are we aware of acceptable conduct on a platform? Do we know our rights? (Some people do not believe they have rights on websites at all)
- how we conclude an agreement with a services provider and give our consent to its activities. This part deals with checkboxes, location of the section 'Legal' on a website, and verification of the user. The agreement is closely linked to the first concern (information), which serves a core prerequisite for any consent or contract.
The activities we usually consent to can include email newsletters, online tracking by cookies, personalized advertising or downloading unnecessary software on your device
A consent, even if verified by the proper signature, can be held invalid by the court under circumstances of pressure or lack of necessary information. Confirmed by Immanuel Kant back in the 19th century, the consent will be legally valid under two conditions: information and free will.
User must be properly informed about all significant details of the service and its legal consequences.
The digital design should present important information in an easily accessible and intelligible form. Use of clear and plain language, which can be understood even by a child, becomes a core requirement. Unfortunately, there are not many existing Terms or Policies that I could refer to. Vague statements, which do not clearly explain the terms of the agreement and the person's capabilities, won't lead to a valid agreement.
On the other hand, misinformation spoils user consent as much as lack of information or its poor quality. There must be no actual or implied lie about the legal consequences of the agreement.
Often, User Agreements do not fully inform the user on all business intentions of the provider (e.g., to sell the customer data) to prevent users from refusing certain features. Moreover, there are some cases, where online platforms are willing to tell the customers about safeguards which they don't necessarily have.
There was a recent case in the U.S. with four companies targeting EU customers. To facilitate trust in the services, the companies put a specific seal on their websites and mentioned that they either got or underwent a specific data protection certification (EU-U.S. Privacy Shield). In fact, none of these companies actually did that. The case resulted in the enforcement action from the U.S. regulator, negative public attention to the companies and breach of trust between them and the EU customers.
Another difficulty for providers is to keep the information plain and short and avoid misrepresentation or incompleteness at the same time. The severity of the problem increases with small screens of smartphones - you should set out a huge amount of information in a very limited space. In this case, the use of a layered format can help. While giving a user a few lines of the most important points (e.g., purposes of data collection and user rights), the design can provide a link for the full version of the legal statements.
A freely-given consent means there was no physical or moral influence (at least, illegal) on the person's will.
Assume you, as a service provider, collect user data, which is not necessary for running the platform. You consulted a lawyer, and she told you that you had to obtain user consent for that. If you design 'pre-ticked' checkboxes or create a wall 'Agree or Leave' before the user can use your website to increase consent rate, the consent is not likely to be freely given. Especially in the EU, regulators see it as an illegitimate pressure.
A silent behaviour of a person entering the website does not necessarily mean she/he is happy with the legalese that the provider put on the footer. Often it requires an action from the user, an active indication of one's wishes.
At the same time, different service features might require several consents to be obtained from the user. Without a good design solution, this may lead to a catastrophic amount of consent checkboxes. The user will probably be dazed and simply give up the whole process of decision making. As a result, the company has reduced traffic rates and can be punished for failing to be transparent.
Things get more complicated with the use of dark patterns (also known as nudges). By using invisible psychological tricks, design can nudge us to consent to annoying advertising or even pay the subscription fee against our actual will or without reading carefully the conditions. There are several techniques to do that, which I will describe in detail in the next article.
A common business practice can, in fact, be an illegitimate pressure on the user. Don’t you believe me? In its recent guidance on cookies, a British data protection regulator warned, that even emphasizing 'agree' over 'reject' button (e.g. by the contrast of green and grey colours, use of boldface, different font sizes or by hiding the negative option) will be a violation of freely given consent.
Example of the EU
The European Union has a good example to follow: the General Data Protection Regulation (GDPR), one of the complex and detailed legislative acts that concern the digital environment. Digitally oriented, the GDPR creates a framework of robust transparency and accountability with implications for UX:
Fairness and Transparency
Fairness and transparency are entrenched as one of the core principles for customer data collection. In practice, this regulates how the design communicates with its users on legal details of personal data use and user rights regarding it.
Covert data collection practices are prohibited, as well as the use of sophisticated, vague terms or jargon. To facilitate understanding of company's practices, the EU data protection board explicitly suggests the use of icons, graphs, audio, and video forms, and even QR-codes for the cases where it is difficult to present text. It even shares its views on the accessibility of legal documents and data choices - the user should get them in two clicks.
The timing of notification is also important. As you may know, the data collection does not happen only once - it accompanies us through the whole use of the services. The GDPR requires informing the users at the time of collection, which implies an ongoing interaction with them.
Consent and Data Rights
Consent requirements, which are similar to described afore, but are more detailed, and protection of 'data rights' of individuals call companies to develop specific tools for the users.
It can be a 'privacy dashboard' or privacy settings, which allow the user to simply and quickly withdraw his/her consent, access the data collected, adjust the publicly available information or erase unnecessary details.
Finally, Art. 25 of the GDPR requires a provider to apply 'privacy by design' and 'privacy by default' principles. In short, the first principle lies in embedding privacy in the service's DNA from the early stages of service development, using all necessary technical and organizational protection measures.
The second requires that the provider collect only strictly necessary information from the user by default - and for additional activities obtain the user consent. On the example of social networks, this also means that data sharing or publication of user details must be off unless he/she decides otherwise.
Thus, the European community acknowledges that digital design can affect the decisions of individuals - and they want service providers to be fair with its audience.
As we see, digital design directly correspondswithtransparency and fairness, the provider's direct obligations before users. Design of user choices and legal docs must involve a close collaboration of legal and design professionals, which ensures the user-friendly consent collection with a reliable legal back-end.
In the last part of this series, I will aggregate some examples of how design and abusive practices affect our choices - something that the platform provider better refrain from.
Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.
Vlad Nekrutenko, CIPP/E
Privacy Lawyer at Legal Nodes
Need a lawyer in this area?
3 years in data protection