FTC vs. deceptive design in privacy

By Luiza Jarovsky. Published in UX Collective, Mar 10, 2023.

Another multi-million dollar fine against deceptive design in privacy

[Image: two toys fighting, one blue and one red. Photo by Mateusz Wacławek.]

Last week, the Federal Trade Commission (FTC) issued a proposed order banning BetterHelp, a company offering online counseling services, from sharing consumers’ health data with advertisers. The company will also have to pay $7.8 million in restitution to customers.

At the core of the FTC’s complaint was BetterHelp’s engagement in deceptive and unfair practices regarding health information from Jan/2013 to Dec/2020. These practices harmed consumers financially (some consumers paid a premium price based on BetterHelp’s privacy assurances) and emotionally (some had sensitive information disclosed without their consent).

The aspect that I want to highlight from this case is the FTC’s focus on BetterHelp’s deceptive design practices. In the FTC complaint, they added screenshots, such as the one below, to show that BetterHelp assured customers that their health information would remain private:

[Screenshot: a questionnaire asks “Are you currently taking any medication?”, with “No” and “Yes” options in green. Below it is written: “Rest assured — your health information will stay private between you and your counselor.” Source: FTC complaint, page 5.]

Another screenshot highlights how BetterHelp’s privacy policy was shown “in small, low-contrast writing that is barely visible at the bottom of the page”:

[Screenshot: privacy policy link in low contrast with the background. Source: FTC complaint, page 8.]

The FTC also highlighted, in a third screenshot, that “despite including a link to the privacy policy, the banner effectively dissuaded Visitors from reading the privacy policy by stating, until October 2020, that Respondent (BetterHelp) would ‘never sell or rent any information you share with us.’”

[Screenshot: “We never sell or rent any information you share with us” can be read right before the link to the privacy policy. Source: FTC complaint, page 8.]

This FTC complaint makes clear that having a well-drafted privacy policy is not enough to fulfill compliance requirements. Design matters. The interface of a company’s website, its pop-ups, notifications, and interface-mediated communications with customers can reflect privacy commitments (or the absence thereof).

The fact that the FTC is interested in tackling deceptive design is not new. Last year, they held a workshop and issued a report called Bringing Dark Patterns to Light, “showing how companies are increasingly using sophisticated design practices known as 'dark patterns' that can trick or manipulate consumers into buying products or services or giving up their privacy.”

Deceptive design / dark patterns in privacy have now been expressly mentioned in US (e.g., CCPA/CPRA) and EU (DSA) privacy-related laws with global influence. There are various reports and guidelines around the globe dealing with the topic. There have been various multi-million dollar fines. In my view, these recent developments are positive and welcome. We are ubiquitously surrounded by data-intensive business models, which end up intermediating, at some point, almost the entirety of our online and offline activities. As I wrote last week, our autonomy is at risk, as organizations are constantly attempting to bypass it and make us share more (or more sensitive) personal data with them — through interface tricks such as dark patterns.

Companies should not only be required to have comprehensive, transparent, and usable privacy policies (which, realistically, only very few customers will read). They should also be required to implement privacy in their design, code, culture, strategy, and all interactions with their customers and partners. Companies sometimes forget that behind the data, there are human beings, and they are the focus of privacy laws’ provisions.
