In brief
On 7 November 2023, the National Privacy Commission (NPC) issued Advisory No. 2023-01 (“Advisory“), which sets out guidance on the nature of deceptive design patterns and how their use by personal information controllers (PICs) and personal information processors (PIPs) when securing consent vitiates the consent of the data subject and consequently renders the data processing to be without lawful basis.
This Advisory supplements the recently issued NPC Circular No. 2023-04, or the comprehensive guidelines on the use of consent as a lawful basis for processing data, which, among others, prohibits the use of deceptive design patterns. For additional information regarding the circular, please check our previous client alert below:
Guidelines against deceptive design patterns, in more detail
The NPC emphasized against the use of deceptive design patterns or those design techniques embedded in an analog (or offline) and/or digital interface that aim to manipulate or deceive a data subject to perform a specific act relating to the processing of their personal data.
PICs and PIPs are reminded to abide by the principle of fairness in securing the consent of their data subjects, such that their analog and/or digital interface must be designed and operated in a way that the processing of information will not be detrimental, discriminatory, unexpected or misleading to the data subjects.
Deceptive design patterns may be appearance-based or content-based. Appearance-based design patterns refer to design patterns that manipulate or deceive a data subject through the display or presentation of information. These include, but are not limited to, patterns that:
- Prohibit a data subject from categorically disallowing the processing of their personal data, or repeatedly prompt a data subject to take an action to share more information than what is necessary or originally intended
- Present control settings that confuse a data subject such that it leads them to inadvertently consent to the processing of their personal data
- Make it easy to consent to the processing of their personal data but make it difficult to withdraw their consent by requiring the data subject to undertake tedious, complex and time-consuming processes
- Accentuate a choice that results in the processing of more personal data, while blurring or obfuscating the option that enables data minimization
- Purposely complicate or muddle a data subject’s choices relating to the processing of their personal data
- Bombard a data subject with excessive information that are not essential to the processing of their personal data
- Present default options that benefit the PIC but may be detrimental to the data subject, such as: (1) maximizing the amount of personal data that will be processed; or (2) unnecessarily bundling the purposes for processing
- Use style and design techniques to distract a data subject from the information provided by a PIC: (1) to acquire the data subject’s consent for the processing of their personal data; or (2) for the data subject to provide more information than what is required or necessary for the specified purpose declared
- Use characters that children know and trust to influence them into providing more information than what is necessary for the declared purpose
On the other hand, content-based deceptive design patterns refer to design patterns that manipulate or deceive a data subject through the actual contents, including the language and context of the information made available to them. Some examples provided in the Advisory are patterns that:
- Use ambiguous, complex or confusing language or sentence structures to steer a data subject into making a choice that is detrimental or violative of their rights as a data subject
- Provide contradicting, fabricated or misleading information, or omitting relevant information when acquiring the data subject’s consent for the processing of their personal data
- Frame choices as better alternatives to shame or steer a data subject from making a choice that better adheres to the general principles of privacy or respects their rights as a data subject
According to the guidelines, the use of deceptive design patterns on analog or digital interfaces violates the fairness principle and may result in the vitiated consent of the data subject, which renders the processing undertaken without a lawful basis. Consequently, PICs and PIPs may be held liable under the Philippine Data Privacy Act and related NPC issuances.
PICs and PIPs are further reminded to comply with their obligation to adopt a Privacy by Design approach1 in the processing of personal data.
Recommended actions
Clients are advised to periodically review the methods by which they secure the consent of their data subjects and ensure compliance with the Advisory and the obligation to adopt a Privacy by Design approach.
* * * * *
Please contact QTInfoDesk@quisumbingtorres.com for inquiries.