ICO and CMA report calls for businesses to stop harmful website designs

Posted on September 1, 2023
Posted by Marion Kennedy

The Information Commissioners Office (ICO) and Competition and Markets Authority (CMA) have published a report calling for businesses to stop using harmful website designs to push customers into providing more of their personal data than they would have otherwise. For example, by pressuring users into giving information or making it difficult to change their default settings, bundling different types of consent into one ‘accept all’ button, or shaming customers into accepting one option over another. These types of harmful tactics can pressure users into decisions they may not want to make, and/or mean that their personal information is held in a way they don’t understand or want. 

The ICO and CMA are urging businesses to design their websites in a way that supports users and allows them to make informed choices and have control over their personal information. By doing this, you’ll not only comply with relevant laws but also provide a better user experience for your customers. Failure to meet the ICO and CMA’s standards for website designs can result in enforcement action being taken against you. 

This blog discusses types of harmful website designs reported by the ICO and CMA that your business should avoid, and provides links to our Q&A and documents which can help you comply with data protection law. 

Data protection law in the UK

As set out in the ICO and CMA’s report, UK data protection law takes a risk-based approach, where businesses need to think about how and why they use personal data, and address the risks of potential harms from processing data. Data protection law is aimed at: 

  • reducing unwarranted intrusion into people’s lives, eg through unwanted targeted advertising or profiling;
  • improving users’ control over their personal data, by making it easier for users to choose freely how their data is used; and
  • making it quicker and easier for users to make informed choices about the use of their personal information. 

The ICO and CMA are particularly concerned about vulnerable users being targeted with ads that could create financial loss or emotional distress. 

For more guidance on how to protect your customers’ personal data, see our Q&A on Using personal data, policies and record keeping. You can also find template data protection policies, which will help you to comply with your data protection obligations, in our Data protection policy toolkit

Harmful website designs 

The ICO and CMA’s report on harmful website designs points out that positive website practices can benefit consumers (eg by making it easier to return goods or recommending other products and services that might help them). However, if businesses are using consumer data to strengthen their market position or lock customers in, this can weaken competition. Giving customers less choice about how their information is used can also make it more difficult for customers to shop around and misrepresent the choices that are available. 

Examples provided by the ICO and CMA of potentially harmful website designs (they call these ‘Online Choice Architecture’) include (but aren’t limited to):

Nudges and sludges

Harmful ‘nudges’ are when a business makes it easy for users to make unintended or ill-considered decisions. They may also create excessive difficulty (‘sludge’) that makes it hard for the user to do what they want. 

For example, making one choice much easier than another can mean consumers make decisions they wouldn’t otherwise have made (eg by accepting a default setting when another setting would be more beneficial to their interests). A specific example would be where a user has to go through several steps to turn off personalisation and targeted advertising on their account, with no option of rejecting personalisation in one step. This ‘nudges’ the user towards accepting all personalisation in one easy step. 

Nudge and sludge tactics are also used often in cookie pop-ups. For example, a cookie pop-up may allow users to consent to non-essential cookies by clicking ‘Accept all’, but require them to reject non-essential cookies individually, or go to a separate webpage to change their settings. This encourages users to simply select ‘Accept all’ to make the pop-up go away. 

The ICO points out that under data protection law, users must be able to refuse non-essential cookies as easily as they can accept them. 


This refers to pressuring someone into doing something by making them feel embarrassed or guilty if they don’t. For example, if a business offers a discount in exchange for a customer providing their contact details, and to decline the offer the customer must click ‘No, I hate saving money’. The ICO says that this breaches the ‘fairness’ principle in the UK GDPR and that in these types of cases, consent to the disclosure of personal information is unlikely to be freely given. 

Biased framing

This is the practice of showing choices to users in a way that highlights the benefits of an action to make it more appealing to the user. For example, if a business tells a user that sharing their search history with the business will increase the relevance of the ads they see, and not sharing their search history will mean the ads they see are less relevant. This approach ignores the risks associated with sharing personal search history, and therefore could be misleading. As a business, you must clearly tell users about the risks and benefits of a decision and allow them to make an informed choice. 

You are still permitted to tell users about choices that benefit them, or guide them away from things that cause harm, but you must be fair and transparent when doing so. 

Bundled consent

Bundled consent means asking a user to consent to the use of their personal data for multiple purposes, using a single consent button. This makes it harder for users to control how their data is being used, and makes it more likely they will ‘accept all’, even if that is not actually their preference. For example, a business might bundle consent for their terms of use and for receiving marketing emails into one button, before the user can create an account. Simply allowing the user to change their settings later in their account settings is not enough, as they are more likely to initially agree to the single bundled option, and less likely to get around to changing their consent or preferences later. 

Under the UK GDPR, consent for separate processing activities needs to be ‘specific’ and not bundled up as a condition of service (unless it is necessary). Otherwise the user may not be fully informed and their consent could be invalid. 

Default settings

Default settings require users to make minimal effort (compared to making an active choice) so they are more likely to simply accept the default settings. Having a default setting may also imply that the business has endorsed that setting, or that most people would choose it. 

Using default settings can encourage users to make choices about the use of their personal data that may not be in their best interests. However, if you use default settings in a way that protects a user’s privacy (by example, by defaulting non-essential cookies to be ‘off’), this can be beneficial for the user and is permitted. Note that under the Age appropriate design code (also known as the Children’s code), services for children should automatically be set to ‘high privacy’ by default, unless the business can show a compelling reason for a different default setting, in consideration of the best interests of the child. 

The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.