UK ICO & CMA warn against design practices that harm consumer choice

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States

Ad Industry Stakeholders Weigh In on FTC HBNR Changes

128 stakeholders submitted comments before the August 8, 2023 deadline in response to the FTC’s notice of proposed rulemaking to update the Health Breach Notification Rule (HBNR).

Among others, the Association of National Advertisers (ANA) objected to the FTC’s proposed broadening of the HBNR to require opt-in consent for disclosure of identifiable health information by “a wide swath of online applications and services,” arguing that the changes would “unnecessarily hinder the flow of data that supports consumers’ access to free and low-cost information online” and would impermissibly extend the scope of the HBNR.

The Network Advertising Initiative (NAI), on the other hand, expressed conceptual support for the FTC’s updates, hailing them as consistent in many ways with the NAI’s 2020 Code of Conduct, while recommending further revisions, including to further clarify the definition of “health care services or supplies” to, for example, exclude purely informational health-related websites, while including health-tracking applications.

TAKEAWAY

The FTC’s notice of proposed rulemaking is one step among many demonstrating the FTC focus on protecting the privacy and security of personal health data as “a high priority for the FTC,” as stated by the FTC in its notice.

The notice came on the heels of a wave of enforcement over alleged violations of the HBNR and/or the FTC Act by Premom app provider East Healthcare, online mental health counseling service Betterhelp, and telehealth company GoodRX, all based on allegations the apps shared sensitive health information through the use of third-party tracking technologies without user consent.

The FTC also recently announced that it sent joint letters, with the U.S. Department of Health and Human Services, to 130 hospitals and telehealth providers, warning of the privacy and security risks from use of online tracking technologies, such as the Meta pixel and Google analytics, on their websites and apps. 

EUROPE

UK ICO / CMA Call On Companies To Offer Consumers a Fair Choice

In a joint paper, the UK Information Commissioner’s Office (ICO) and Competition Markets Authority (CMA) set out their shared expectations of how companies should present information and choice to users of digital services about how user personal information is processed, warning that the ICO may take formal regulatory action against companies that continue to engage in practices that contravene data protection law.

The paper lists the following as examples of potentially harmful practices:

• Nudging, or requiring more steps, time or friction to disagree to personal data collection than to agree, such as including an “allow all” button to consent to non-essential cookies without an equivalent “reject all” (or similar) button to refuse consent with the same ease, at the same layer;
• Confirm-shaming, or pressuring or shaming someone by making them feel guilty or embarrassed (e.g., displaying “Nahh, I hate savings” after a user refuses a discount in exchange for providing personal information);
• Biased framing, or not giving equal weight to the risks and benefits of a decision (e.g., “If you don’t share your search history with us, the information and ads you see may not be as relevant or useful to you.“);
• Bundled consent for multiple purposes (e.g., remembering your settings and showing personalized ads) via a single consent action;
• Low-privacy default settings (e.g., “make my posts visible to everyone” as a default setting).

TAKEAWAY

Although not limited to cookie banners, the examples and messaging in and accompanying the paper indicate that cookie banners may be an area of focus for the ICO in its enforcement of harmful design practices.

An announcement on the ICO’s website warned that the ICO will be assessing cookie banners of the most frequently used websites in the UK and taking action where harmful design is affecting consumers. 

Learn more: UK websites urged to add “reject all” button – what that means

GLOBAL

India President Assents to Privacy Bill

 The bill implementing the Digital Personal Data Protection Act passed through India’s lower and upper houses of parliament and received the assent of the President.

The final draft of the bill, published 12th August, 2023, requires free, specific, informed, unconditional, and unambiguous consent with a clear affirmative action (accompanied by a notice of the purpose of processing and the manner of exercising rights or making a complaint) or legitimate use to process personal data.

The Act also requires appropriate technical and organisational measures, reasonable security safeguards, breach notification, honoring user requests, appointment of a Data Protection Officer, and obtaining parent or guardian consent for processing the personal data of a child or person with a disability (who has an appointed guardian) and allows for restrictions by the Central Government on transfers of personal data to countries outside India.

The Act is enforced by the Data Protection Board of India, which is appointed by the Central Government pursuant to the Act. 

TAKEAWAY

The Act will come into force on such date as the Central Government, by notification, appoints. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.