Canadian privacy regulators pass resolution to address privacy-related harms resulting from deceptive design patterns

TORONTO, ON, November 13, 2024 – Privacy regulators from across Canada have issued a joint resolution calling for action on the growing use of deceptive design patterns (DDPs) that undermine privacy rights. Passed at their October annual meeting, hosted by the Information and Privacy Commissioner of Ontario, the resolution outlines key measures for organizations to adopt privacy-first design practices.

Deceptive design patterns, often referred to as dark patterns, manipulate or coerce users into making decisions that may not be in their best interests, particularly children. These patterns are frequently used on websites and mobile apps, and their prevalence is a growing concern for regulators, especially as more of Canadians' daily activities move online. 

In 2024, the Global Privacy Enforcement Network (GPEN) launched a sweep of websites and apps, examining the prevalence of privacy-related DDPs. Some Canadian privacy regulators joined this international effort, which examined over 1,000 websites and apps across multiple sectors, including retail, social media, news, entertainment, health, fitness, and those aimed at children. 

The findings were troubling: 99 percent of Canadian digital platforms examined in the sweep included at least one deceptive design pattern, with especially high levels of DDPs on platforms designed for children.

In response to the widespread use of and potential harm from privacy-related DDPs, Canada’s privacy commissioners and ombuds are calling on organizations in the public and private sectors to prioritize users’ privacy and support their informed and autonomous choices by avoiding deceptive design practices. The resolution urges organizations to:

• build privacy and the best interests of young people into the design framework using privacy-by-design principles
• limit the collection of personal information to only what is necessary for a specific purpose
• use clear, accessible language that complies with privacy laws, enhances transparency and builds trust
• regularly review and improve design elements of websites and apps to reduce exposure to deceptive design patterns and support informed privacy choices
• choose design elements that adhere to privacy principles and do not generate negative habits or behaviors in users

The privacy commissioners and ombuds commit to collaborating with governments and other interested parties to modernize design standards, reduce the presence of DDPs, and champion privacy-friendly design patterns that respect user autonomy. 

“As a society, we have a shared responsibility to address the privacy risks posed by deceptive design patterns on websites and in apps. Such deceptive tactics should never be allowed to trick, manipulate, or nudge users, and children in particular, into making poor privacy decisions,” said Patricia Kosseim, Information and Privacy Commissioner of Ontario. “With this joint resolution, we are urging organizations to build privacy and transparency into their designs from the start, by making privacy options clearer, more readily accessible, and actionable for users. Giving users the chance to make meaningful choices of their own volition is an essential part of protecting privacy and providing a safer, more positive online experience for adults and kids alike.” 

Learn more:

• Resolution: Identifying and mitigating harms from privacy-related deceptive design patterns
• Information and Privacy Commissioner of Ontario hosts annual meeting of federal, provincial, and territorial information and privacy commissioners and ombuds

For more information:
@email