
Harmful Design in Digital Markets

24 August 2023

On 9 August 2023, the UK’s Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) published a joint position paper[1] discussing harmful design in digital markets. The paper, which was accompanied by a joint blog[2] post by the ICO and CMA, explores how “Online Choice Architecture” (OCA) practices can undermine consumer choice and control over personal information.

Such practices can include the way prices are displayed to consumers, how information is presented about goods and services, and any other behaviour across digital markets which can influence consumers.

We summarise in this briefing the ICO and CMA’s description of respectively harmful and good practices, the EU’s position, and next steps.

The intention of the ICO and CMA is to promote a digital landscape in which OCA is aligned with consumers’ best interests, ensuring that personal data is collected and used in a manner which improves consumers’ digital experience, such as providing greater protection against online viruses. This not only makes digital interfaces easier for consumers to use, but also enables strengthened decision-making which in turn incentivises firms to compete fairly within the market.[3]

The ICO and CMA have committed to work together to prevent firms from using harmful website designs to mislead consumers into providing more personal data than they would like or is necessary. The CMA has had an ongoing commitment to good OCA practices, having published a discussion paper in 2022 exploring how digital design can harm consumers and competition.[4] In its “Rip-Off Tip-Off” campaign[5], the CMA also raises consumer awareness around harmful online practices including fake reviews and pressure selling, whilst encouraging greater consumer education and reporting mechanisms. In its position paper, the ICO has committed to carrying out an assessment of cookie banners, which frequently use default settings to misinform or influence consumers’ online habits.

The ICO and CMA are aligned in their concerns on how certain OCA practices contravene data protection law and have invited stakeholders to participate in further engagement on this programme.

Harmful Practices

Harmful nudges and sludges

The ICO and CMA seek to provide greater regulatory clarity for firms to help prevent them from participating in harmful practices. One such practice is “harmful nudges”, whereby a firm makes it easy for consumers to make inadvertent decisions by way of, for example, making one consumer option easier and less time-consuming than another. This can often be accompanied by a “sludge”, whereby a difficult or time-consuming option is presented as an alternative. Influencing consumer choices in this way distorts decision-making power, which may lead to an ill-considered decision that may not align with the consumer’s intended preference. Subtle manipulation may result in consumers making choices which are not privacy-friendly, which the ICO has emphasised may infringe the General Data Protection Regulation’s (GDPR) principles of “fairness” and “transparency”.


Confirmshaming

Confirmshaming refers to an OCA practice of shaming or pressuring consumers to make a particular choice online by presenting one option as inherently better than the other, and by doing so, inducing guilt in the consumer for choosing the “bad” option. This is common practice when firms are attempting to encourage a consumer to sign up to a discount or engage in a promotion, in return for sharing personal data such as an email address. Use of confirmshaming can distort a consumer’s ability freely to choose whether to provide personal data which they may have otherwise not given. Whilst the UK GDPR does not prevent firms from offering consumer incentives, pressurising or guilt-inducing language is likely to infringe the ability for consumers to “freely give” consent in accordance with Article 4(11).

Biased Framing

Firms which present choices in a manner which emphasises the supposed benefits to make the choice sound the most appealing may be engaging in “biased framing”. It may also be used to highlight the supposed negative consequences of a choice to dissuade consumers from selecting it. Whilst appropriately informing consumers of the benefits and risks of certain commercial choices is encouraged, biased framing can lead consumers to make choices which are influenced by the firm as opposed to their own decision making. In digital markets, this practice is seen frequently by firms which offer to collect more consumer personal data or track consumer search history in order to tailor services and adverts and filter out unwanted marketing material. The ICO has expressed concern that by not giving equal weight to the risks and benefits of a decision, consumers experience difficulty in properly assessing the information and making an informed choice. The CMA has also noted that if information given to consumers is misleading, it may breach consumer protection law.

Bundled Consent

Bundled consent occurs where a firm presents consumers with an opportunity to consent to the use of their personal data for multiple purposes via a single consent option. This is often in the form of an “accept all” option which can be presented as an easier option than manually consenting to each separate purpose. However, bundled consent can make it difficult for consumers to understand exactly what they are consenting to which can undermine their decision-making power. It may also be used in connection with other OCA such as nudge and sludge to make it easier to consent to the processing of all personal data than a more granular consideration of the scope of their consent. The UK GDPR stipulates that consent for separate processing activities needs to be “specific” so as not to breach data protection laws and limit consumer choices. The CMA has echoed this, noting in the position paper that bundled consent by large companies can lead to unfair leverage of a firm’s existing market position by providing bundled services. In doing so, such firms can enter related markets and increase barriers for rivals in those markets, which in turn may distort competition.

Default Settings

Default settings are interfaces which provide certain choices as standard, which the consumer must take active, and sometimes cumbersome, steps to change. These settings may be, for example, privacy or security features, automatic renewal of a subscription service, or pre-selected filters. These settings may be strategically used by a firm to influence consumers, whilst under the guise of a helpful tool. Consumers may be dissuaded from changing the default settings because the means of doing so may be very difficult, and it is often easier to keep the settings which have been chosen for them, particularly if they have been determined based on personalised data.

The ICO has raised concerns about the problematic nature of default settings, emphasising that Article 25 of the UK GDPR requires a “data protection by design and default” approach to personal data processing. Firms must therefore consider the consequences of default settings on consumers. It is also difficult to obtain consent via default settings, because the GDPR requires individuals to take positive action to indicate consent. The CMA has considered the risks of default settings which are particularly prevalent in online video gaming, search engines and mobile browsers.[6] It is worth noting, however, that default settings which seek to protect consumers, for example by defaulting data sharing “off”, are a positive use of default settings, and can be particularly useful for digital services which are designed for children.

Good Practices

In their joint position paper, the ICO and CMA emphasise the harmful nature of certain OCA practices, and the necessity for firms to be offered appropriate support in maintaining good OCA practices. Not only can this protect consumers, but it also reduces a firm’s risk of falling afoul of its legal obligations.

The ICO and CMA outlined the considerations firms must deploy when assessing their OCA practices as follows:

  1. Put the user at the heart of design choices: OCA should be designed in a manner which reflects the consumers’ preferences and be customised accordingly;
  2. Use design that empowers user choice and control: Firms should present information in a clear, balanced, and easy to understand format to enable consumers to consider appropriately the decisions they are making about their personal data;
  3. Test and trial design choices: Firms should conduct testing of consumer behaviour and comprehension of OCA practices to help understand how harmful practices can occur and mitigate the risks of poor outcomes; and
  4. Comply with data protection, consumer and competition law: Firms should consider the legal implications of their OCA practices, paying particular attention to data protection, consumer and competition law. They should keep abreast of legal developments in this area.

EU Position and Next Steps

Enforcement against harmful OCA practices is expected to become stricter in the coming months. The Digital Markets, Competition and Consumers Bill is due to be passed by the UK parliament in 2024[7], which would empower the CMA to determine whether consumer laws have been broken and punish firms accordingly. EU policymakers have also recognised the potential harm from digital design practices, which they refer to as “dark patterns”. In 2022, the European Commission issued a “sweep” whereby a set of checks was carried out on websites simultaneously to identify dark patterns which constitute a breach of EU consumer law. The findings of this sweep showed that many websites engage in misleading and influential tactics, potentially violating the Unfair Commercial Practices Directive. The EU Digital Services Act acknowledges dark patterns, noting that firms must not “design, organise or operate their online interfaces in a way that deceives or manipulates the recipients of their service or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions”.

The ICO and CMA may publish further guidance following the results of any stakeholder feedback on OCA practices. A joint ICO-CMA workshop on good practices for the design of privacy choices online will be held in Autumn 2023, which stakeholders are invited to join. Through their Digital Regulation Cooperation Forum, the ICO and CMA, alongside the Financial Conduct Authority and Ofcom (Office of Communications), will continue to work on regulating the rapid developments in technology and its associated complexities. New and revised responsibilities are expected to emerge as the metaverse of financial, legal, and commercial digital paths overlap.


  1. Harmful-Design-in-Digital-Markets-ICO-CMA-joint-position-paper.pdf
  2. It’s time to end damaging website design practices that may harm your users | ICO
  3. Harmful-Design-in-Digital-Markets-ICO-CMA-joint-position-paper.pdf
  5. The Online Rip-off Tip-off – Avoid sneaky sales tactics
