Data, privacy and the consumer

Historically, lawmakers have sought to control Digital Platforms’ collection and use of personal data through privacy laws, which require the Digital Platforms to disclose to consumers (usually in a privacy policy or collection statement) the kinds of information it collects and the purposes for collecting the data. Given the increasing value of data as a valuable business asset, there are still significant limitations to this historical approach. What is concerning to regulators and consumers is the desire for businesses to gain access to large consumer data sets, driving some businesses to engage in conduct that is unfair to consumers and potentially illegal: known as ‘dark patterns’.

Regulating ‘dark patterns’

Coined by Harry Brignull, dark patterns are a collection of techniques used in web design which prompt, mislead or force consumers to provide their personal data or cause them to sign up to services, often without the consumer realising. Dark patterns take advantage of very real and universal habits and behaviours of online consumers, such as the tendency to skim read text on screens, and their Pavlovian conditioning by well-established consumer interface design conventions, to procure either money or data from consumers, often without their awareness or consent. At best, dark patterns constitute conduct by Digital Platforms that subtly nudge or lead consumers down a desired path (usually causing the consumer to unknowingly provide personal data or agree to its use). At worst, the conduct is outright misleading, deceptive and unfair.

Trick questions and misdirection

Trick questions, misdirection and fine print, often containing hidden costs, are used by Digital Platforms to take advantage of the tendency of consumers to skim read text that appears on their screens, as well as their conditioned expectations when it comes to filling in online forms. For example, a consumer expects that the purpose of a checkbox is to opt-in, consent or affirm something, but the Digital Platforms can instead use confusing questions, cleverly disguised double negatives and lack of clarity as to different available options to cause a consumer to unintentionally opt-in or consent to a service that they did not actually want.

In the below example, all of these expectations are subverted, as the Digital Platform is effectively presenting consumers with the misleading appearance of two choices (due to the options being displayed adjacent to one another and one displayed more prominently using a highlighted button).

Trick questions and misdirection can also be used by Digital Platforms to misrepresent or obscure the actual cost of goods and services. In these circumstances, the conduct would constitute misleading and deceptive conduct under the Australian Consumer Law. If charges are subsequently levied by the Digital Platform, then it might also amount to demanding payment for an unsolicited good or a service, which is a separate offence under the ACL.

Hidden costs and pricing

Travel and hotel booking websites are notorious for advertising prices which often do not represent the real price payable at checkout. They also often use trick questions and misdirection to get consumers to purchase unintended extras, like insurance or extra baggage. A good example can be seen below, where a Digital Platform is representing to consumers the available savings by comparing different hotel rooms available through different Platforms. This conduct could be misleading if the price of a standard room available from one platform is being compared to (for instance) the price of a luxury room.

Advertising which states only a portion of the overall price of a product or service, and does not include all relevant charges applicable to the product, is misleading and deceptive and may also breach the separate provision of the ACL that requires the prominent display of the total price of the good or service in such circumstances. In 2018, the ACCC commenced proceedings against Trivago for allegedly engaging in misleading and deceptive conduct in connection with the sale of hotel rooms – the proceedings are ongoing and are being defended.

Roach motel

The 'Roach Motel' is an example of a Digital Platform makes it easy for a consumer to sign up for a service (or uses another dark pattern to trick or force the consumer to sign up to the service) and then makes it disproportionately (and unnecessarily) burdensome to cancel the service. Amazon, for example, does not have a simple ‘delete my account’ button or link in their ‘Your Account’ page. Instead, it is

buried deep within the website. A consumer has to know to click on the ‘Help’ link at the bottom of their website, then know to click the ‘Need more help?’, then ‘Contact Us’. On the ‘Contact Us’ page, a consumer has to find the right combination of options that will reveal the ‘close my account’ option in the second drop down menu, and then a consumer is forced to either call, email or use the chat function to tell Amazon to close their account.

A more egregious dark pattern is ‘forced continuity’ that tricks consumers into signing up to a service and then charges the consumer’s credit card without warning or notice.

There is no immediate obvious provision in the ACL that consumers or the ACCC could rely on to target ‘Roach Motel’ designs. It is not necessarily illegal to make it easier to sign up to a service than to cancel the service, as long as no misleading or deceptive representations are made to induce entering into the service (for example, saying “cancel at any time”). However, it’s possible that such a practice may fall within the prohibition in the ACL against unfair contract terms, if this isn’t clear at the time of signing up and the process requires the consumer to take steps that aren’t reasonably necessary to protect the legitimate interests of the Platform.

Sneaky items

This dark pattern involves Digital Platforms adding products to consumers’ shopping carts without them realising. Sometimes, this is achieved with trick questions and misdirection, other times, by outright deception and without any action by the consumer.

As noted above, the ACL prohibits suppliers from asserting a right to payment for unsolicited goods or services, unless the supplier has a reasonable cause to believe there is a right to the payment. The ACL also protects a recipient of unsolicited goods or services from liability to pay for the unsolicited goods or services, and liability for any loss or damage to the goods (except where the damage is a result of a wilful and unlawful act by the recipient). However, these protections are not particularly fit to deal with this dark pattern, because of the uncertainty created by the customer unwillingly agreeing to buy the goods or services.

It is possible that the practice of sneaking an item into a consumer’s basket might also be considered misleading and deceptive conduct, but (once again) the consumer’s act of buying the items might weaken a claim based on this section (depending on the circumstances). Importantly, merely engaging in misleading and deceptive conduct does not attract a civil or pecuniary penalty and so, it appears that this dark practice doesn’t fall neatly within one of the sections of the ACL that attract a penalty.

Bait and switch

‘Bait and switch’ involves businesses advertising cheap deals on products or services that capture a consumer’s attention, but when the consumer tries to purchase the product they discover that the product or deal is unavailable, and are redirected or prompted to purchase a much more expensive product or service. By way of example, Dell was sued in 2005 by the New York Attorney-General for advertising promotions to the general public that, in reality, were only available to well qualified or best qualified customers.

The ACL prohibits bait advertising, which has been a common unlawful practice utilised in the retail sector for many years. Businesses are required to consider whether the quantities of goods or services available, as well as the period in which they are available for purchase at the advertised price, are reasonable. If there are no reasonable grounds for the business to believe that the quantities available and the period it is available for are reasonable, then the business is engaging in bait advertising. The 'bait and switch' is also likely to be misleading and deceptive conduct as the Digital Platform would be regarded as impliedly representing that it had sufficient amount of the product to meet anticipated demand.

Forced continuity

Some subscription services offer free trials of their services or products, but silently charge the consumers after the free trial is over and make it difficult for the consumer to cancel automatic payments (either contractually, or by making the process disproportionately difficult). After signing up for a free trial (usually for a subscription to a service or for products), the provider forces the consumer to pay for the service (or deducts it from their credit card without notice) at the end of the ‘free’ trial period.

A particularly notorious example of a business which engaged in this conduct is Affinion Group, who has paid tens of millions dollars in settlements and fines in the USA. Affinion Group ran a scheme in which it partnered with reputable companies to provide discounts and loyalty programs to consumers under the more reputable brands. After the consumer purchased a product from a partner company, Affinion would use the consumer’s credit or debit card account information obtained from the partner company. Affinion would sign the consumer up to a ‘free trial’ period of an Affinion membership program and periodically charge the consumer’s credit card until the consumer noticed the unexplained charges and cancelled the ‘membership’.

Just as in the United States, the conduct of Affinion Group would be considered illegal in Australia. The conduct is not only misleading and deceptive, it is also likely that any contract terms requiring continued payment for unsolicited goods and services would be considered unfair contract terms, which would invalidate the entire contract with the Platform. As noted above, this conduct could also amount to demanding payment for an unsolicited good or service, which is a separate offence under the ACL.

Privacy Zuckering

Named after Mark Zuckerberg and the controversy surrounding Facebook’s privacy controls, this dark pattern involves making it difficult for consumers to control and review their privacy settings. Poor consumer interface designs, fine print on ‘free’ apps or services, and deliberate deception are some of the practices that are used by Digital Platforms to collect data (or more data) about a consumer, often without the consumer knowing what data they have consented to provide.

In the recent action brought by the ACCC against Google (mentioned in the introduction), the ACCC is alleging that Google has engaged in precisely this kind of conduct. The ACCC alleges that Google did not properly disclose to its consumers that both the ‘Location History’ setting and the ‘Web & App Activity’ setting had to be switched off to prevent Google from collecting, keeping and using the location data of its consumers. The ACCC will argue that Google’s conduct, as well as on-screen representations it made regarding both settings, was conduct that was likely to mislead and deceive consumers into believing that ‘Location History’ was the only setting that had to be switched off if consumers did not want Google to collect its location data. Google denies that it has acted unlawful and is defending the proceedings.

Friend spamming

Friend spamming occurs when a Digital Platform tricks or convinces a consumer into allowing the Platform to use their personal contacts for one purpose and then using them for another purpose. One of the most prominent examples of this conduct involved LinkedIn, when it used its customers contact information to spam those contacts with invitations to join LinkedIn. During the sign up process, LinkedIn users would be prompted to click an ‘add to network’ button, ostensibly so the platform could recommend to the user’s email contacts that they join LinkedIn. Instead, by clicking the ‘add to network’ button, LinkedIn users inadvertently gave permission for the platform to send to all of the user’s email contacts spam emails that appeared to have been sent by the user themselves. This practice not only earnt the professional networking site online ridicule, but it cost US$13 million in 2015 in a class action settlement.

The representations used by Digital Platforms to obtain consent from consumers to send messages on their behalf could (if false or misleading) constitute misleading and deceptive conduct. However, if no misrepresentations are made by the platform, there is a risk that the ACCC does not have an effective tool under the ACL to address this kind of conduct.

Key Takeaways

The value of data has clearly led Digital Platforms to use techniques that have the highest probability of successfully procuring consumers to provide their personal data. The conduct engaged in by Digital Platforms often breaches consumer protections. However, there are a number of dark practices that don’t appear to fit neatly within the prohibitions in the ACL, which suggests that the ACCC may need to consider new prohibitions against them. There is also no effective or easily accessible remedy for consumers, which obviously can be problematic. Given the increasing value of data and the susceptibility of consumers to this type of conduct, it strongly suggests that the ACL isn’t fit for purpose and new ‘tailored made’ prohibitions may be required to stamp out these unfair practices.