Privacy regulators from across Canada have issued a joint resolution calling on public and private sector organizations to avoid platform designs and practices that would influence, manipulate, or coerce users into making decisions that go against their privacy interests and to ensure that users can make informed privacy decisions.
Passed at their October annual meeting, hosted by the Information and Privacy Commissioner of Ontario, the resolution outlines key measures for organizations to adopt privacy-first design practices:
- Ensure that privacy is built in by default, using the concept of privacy-by-design as the basis for a design framework, also ensuring that the best interests of young people are built in from the design stage;
- Limit personal information collection to that which is necessary for the purposes identified by the organization, as deceptive design patterns (DDPs) such as forced action and interface interference are often used to collect more personal information than is necessary for the service;
- Promote transparency when collecting personal information using clear and simple language as a way of both complying with privacy laws and fostering trust between the organization and its users;
- Examine and test the design architecture and usability in order to determine the prevalence of deceptive design patterns (DDPs) and to make improvements to these platforms to limit a user’s exposure to DDPs and support users in making informed privacy decisions;
- Choose design elements that adhere to privacy principles as found in Canadian privacy legislation, that take the users’ interests into account and that do not generate negative habits or behaviors in users.
Deceptive design patterns, often referred to as dark patterns, manipulate or coerce users, particularly children, into making decisions that may not be in their best interests. These patterns are frequently used on websites and mobile apps, and their prevalence is a growing concern for regulators, especially as more of Canadians’ daily activities move online.
In 2024, the Global Privacy Enforcement Network (GPEN) launched a sweep of websites and apps, examining the prevalence of privacy-related DDPs. Some Canadian privacy regulators joined this international effort, which examined over 1,000 websites and apps across multiple sectors, including retail, social media, news, entertainment, health, fitness, and those aimed at children.
The findings were troubling: 99 percent of Canadian digital platforms examined in the sweep included at least one deceptive design pattern, with especially high levels of DDPs on platforms designed for children.
The privacy commissioners and ombuds commit to collaborating with governments and other interested parties to modernize design standards, reduce the presence of DDPs, and champion privacy-friendly design patterns that respect user autonomy.