There has been no shortage of people talking about the General Data Protection Regulation (GDPR) as a big opportunity. Heck, it should be a boon for both consumers and businesses. Imagine that.
Writing in Marketing Week, I even called GDPR the ‘bible of customer centricity’.
The problem, of course, is that until plenty of precedents are set for the enforcement of GDPR it’s not exactly the easiest document for the marketer to interpret.
SecurityScorecard’s vice-president of compliance Fouad Khalil put it best writing for Silicon Republic: “The GDPR is notably light on prescriptive commands compared to previous regulations. This can be a good thing, as it encourages companies to consider the spirit of the law rather than just making it a tick-box exercise. However, it has also made the job of compliance much more difficult.”
I don’t know much about ethics in business, but I think it’s fair to say that embracing the spirit of the law is not exactly what has been going on across Europe and beyond over the past couple of years.
However, there are signs this year that attitudes to privacy and transparency are changing, and that both these issues are becoming more important politically.
There was a €50m (£43m) fine dished out under the GDPR to Google at the start of the year by France’s data regulator, CNIL. Consent for ad personalisation obtained by Google during account creation was found not be valid by CNIL because it is not ‘sufficiently informed’, is not ‘specific’ (relating instead to many Google services) and is not ‘unambiguous’.
Then, this month, two US senators introduced a bill (the Detour Act) that would “prohibit the usage of exploitative and deceptive practices by large online operators and to promote consumer welfare in the use of behavioural research by such providers”.
Democrat Mark Warner of Virginia, explained: “For years, social media platforms have been relying on all sorts of tricks and tools to convince users to hand over their personal data, without really understanding what they are consenting to. Some of the most nefarious strategies rely on ‘dark patterns’ – deceptive interfaces and default settings, drawing on tricks of behavioural psychology, designed to undermine user autonomy and push consumers into doing things they wouldn’t otherwise do, like hand over all of their personal data to be exploited for commercial purposes.”
Notably, the act would also ban large companies from designing user experiences intended to drive compulsive usage among users under the age of 13.
What are dark patterns?
Dark patterns are the antithesis of informed consent – they effectively limit the understanding of the consumer in order to achieve a desired outcome.
Arguably the most famous dark pattern, and one that has been outlawed since 2014, is the ‘sneak into basket’. You may remember trying to buy something online and suddenly finding something extra in your cart, such as a lovely mug or some insurance that you definitely didn’t recall clicking on. The Consumer Rights Directive in the EU banned these sorts of hidden costs or additional payments in ecommerce – anything added to the cart has to be properly explained to the customer.
Other dark patterns can be quite subtle, such as a business ‘hiding’ information in a dropdown or using colour to highlight a particular button which may seem unintuitive to the user.
Online travel aggregators have long been criticised for a particular style of dark pattern – those that appear on product listings pages and product details pages and are used to pressure browsers into buying.
In February, the Competitions and Markets Authority (CMA) took action against Expedia, Booking.com, Agoda, Hotels.com, ebookers and Trivago “due to serious concerns around issues like pressure selling, misleading discount claims, the effect that commission has on how hotels are ordered on sites, and hidden charges”.
Giving a false impression of a room’s popularity is certainly one of the dark patterns that annoys consumers the most and something which most of us are suspicious of, whether we know it to be a false impression or not.
These six websites have not broken the law, but have given firm undertakings not to engage in the practices called out by the CMA, with changes to be made by 1 September.
Is this the beginning of a new era?
Whether it is the CMA action, the GDPR, the Detour Act or simply a raised awareness among the public, it certainly feels like 2019 is a big year for transparency.
As the Information Commissioner’s Office (ICO) advises in its guidance “getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage”.
As digital becomes default for many services, businesses need to reassess whether they are prioritising economics over ethics.
Is it naïve of me to ask marketers to do the right thing? Hopefully the GDPR will bear its teeth, making the right thing to do also the least risky.