
GPEN Sweep Reveals Everything is (Not) Awesome

by Meaghan McCluskey

On July 9, 2024, the Office of the Privacy Commissioner of Canada (OPC) released its own report as part of the Global Privacy Enforcement Network (GPEN) global sweep on deceptive design patterns on websites and apps. The OPC report examined five dark patterns defined by the OECD and found that 99% of the websites and apps reviewed deployed at least one, with “Complex and Confusing Language” being the most common (96%). Among the findings, 33% of privacy notices were very difficult to read and 76% were over 3,000 words.

It’s not hard to understand why the complex-language figure was so high: globally, privacy notice content is heavily prescribed by legislation that dictates the topics a notice must cover. For example, Article 13 of the GDPR lists six mandatory topics and a further six topics that should be addressed in your privacy notice to ensure processing is fair. The only reason PIPEDA isn’t prescriptive is that it is so out of date; Bill C-27 takes a GDPR-lite approach and sets out five requirements for privacy notices. Given that the privacy laws are putting words in the mouths of companies, of course these documents are going to get long if they are to be comprehensive.

So how can organizations reduce length? The OPC’s key takeaways for businesses recommend layered privacy notices: start at a high level with the key information and provide links to further details. Exercise caution with pop-up or just-in-time notices, however; the OPC’s key takeaways for individuals note, somewhat dismissively, that these can be just as confusing as long privacy notices.

The OPC holds LEGO out as a case study of positive design elements. While LEGO’s privacy notice does a good job of using headings and collapsible sections, particularly where it enumerates its purposes for using data, it otherwise doesn’t actually provide a layered privacy notice. With all sections expanded, the word count comes in at over 8,200.

[Image: AI-generated picture of a privacy policy made out of LEGO bricks. The policy is on fire, and the fire is also made out of LEGO bricks. There is a cactus in the background.]

The OPC does not comment on another common practice for managing privacy notice length: creating separate policies for different operational areas. There are indications that this approach is a valid alternative. LEGO employs separate policies for cookies and for California residents, and it is a tactic the OPC itself uses. Rather than maintain a single 6,400-word document, the OPC separates its website privacy notice (confusingly titled “Terms and conditions of use”, even though the only actual terms are the last few paragraphs on intellectual property and the rest is a privacy notice) from its Privacy Policy, which addresses the operations of the Office. The website terms in turn link to a Social Media Privacy Policy. The Privacy Policy is the longest of the three at 2,400 words, which makes a reasonable benchmark: approximately 2,000 to 2,500 words is acceptable, and more than 3,000 is too long unless well-defined expandable/collapsible sections are used.

As to reading level, the OPC report suggests that anything above a grade 8 reading level makes a privacy notice difficult to understand. Both the LEGO privacy notice and the OPC’s own policies, however, come in at a grade 12 level, although LEGO’s information for children managed to get down to grade 6.
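As an added illustration (not from the OPC report or the original post), the following Python script measures a notice against the two benchmarks discussed above: total word count and reading grade level. It uses the Flesch-Kincaid grade formula with a simple syllable heuristic; the OPC report does not say which readability formula it applied, so that choice is an assumption, and the two sample texts are constructed here rather than taken from any real privacy notice.

```python
import re

# Benchmarks taken from the post: notices over 3,000 words are too long,
# and a reading level above grade 8 is hard to understand.
WORD_LIMIT = 3000
GRADE_LIMIT = 8

# Constructed sample texts (not from any real privacy notice).
PLAIN_NOTICE = (
    "We collect your email address to send your order. "
    "We do not sell your data. "
    "You can ask us to delete it at any time."
)
LEGALESE_NOTICE = (
    "Notwithstanding the foregoing, personal information collected pursuant "
    "to this agreement may be disclosed to affiliated entities, service "
    "providers, and successors in interest in accordance with applicable "
    "legislation."
)

WORD_RE = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)?")
SENTENCE_RE = re.compile(r"[.!?]+")
VOWEL_GROUP_RE = re.compile(r"[aeiouy]+")


def words(text):
    """All alphabetic tokens (contractions count as one word)."""
    return WORD_RE.findall(text)


def sentences(text):
    """Split on terminal punctuation and drop empty fragments."""
    return [s for s in SENTENCE_RE.split(text) if s.strip()]


def count_syllables(word):
    """Heuristic syllable count: number of vowel groups, minus a silent
    trailing 'e' (kept when the word ends in 'le', as in 'applicable')."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(VOWEL_GROUP_RE.findall(w))
    if n > 1 and w.endswith("e") and not w.endswith("le"):
        n -= 1
    return max(n, 1)


def flesch_kincaid_grade(text):
    """Flesch-Kincaid grade level (assumed metric; the OPC does not name its formula)."""
    ws = words(text)
    ss = sentences(text)
    if not ws or not ss:
        return 0.0
    syllables = sum(count_syllables(w) for w in ws)
    return 0.39 * (len(ws) / len(ss)) + 11.8 * (syllables / len(ws)) - 15.59


def check_notice(text, word_limit=WORD_LIMIT, grade_limit=GRADE_LIMIT):
    """Return word count, grade level, and a list of benchmark violations."""
    n_words = len(words(text))
    grade = flesch_kincaid_grade(text)
    problems = []
    if n_words > word_limit:
        problems.append(f"length: {n_words} words exceeds {word_limit}")
    if grade > grade_limit:
        problems.append(f"reading level: grade {grade:.1f} exceeds grade {grade_limit}")
    return {"words": n_words, "grade": round(grade, 1), "problems": problems}


if __name__ == "__main__":
    for label, text in (("plain", PLAIN_NOTICE), ("legalese", LEGALESE_NOTICE)):
        print(label, check_notice(text))
```

To check a real notice, read the expanded text of the page (with every collapsible section open, as the 8,200-word LEGO figure above was counted) into a string and pass it to check_notice. The syllable heuristic is approximate, so treat the grade as an indicator rather than a precise score; the gap between plain and legalese wording is large enough that the heuristic still separates them clearly.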

The key takeaway for me was that LEGO made an adorable privacy video, which won the hearts of regulators and won the business of children and parents who saw it and thought “LEGO is so fun!” It’s the main explanation I can see for why the OPC would state that users are unlikely to find the privacy statement for Poki.com because it sits at the bottom of the screen, where you have to scroll past colourful, attractive games, yet raise no such concern for LEGO, where you have to scroll past colourful, attractive toys to reach the policy link at the bottom of the screen. Posting the link to the privacy statement at the bottom of the webpage is the industry standard.

The OPC report at times strays into areas that are not privacy: concerns about kids wanting to play video games aimed at older audiences because the kids’ site looks too babyish? As a mother of three, I can tell you that it is a fact of life that younger kids always want to do what the older ones are doing. But setting limits on what games they can play is my concern as a parent, not a privacy concern. The OPC offers no solution to this, although perhaps the implication is that websites should be age-gating.

This straying focus may not be surprising given that this is the first time the International Consumer Protection and Enforcement Network (ICPEN) has collaborated in the sweep. That is notable because, whereas privacy laws don’t have a lot of teeth in Canada, the Competition Bureau does: the criminal false or misleading representations offence in Canada’s Competition Act carries, on summary conviction, fines of up to $200,000 and imprisonment of up to one year and, on indictment, fines at the court’s discretion and imprisonment of up to 14 years, and directors and officers can be held personally liable. So if bad cookie banner design is going to land you in the Competition Bureau’s sights, it may be time to take a close look at your webpages for the deceptive design patterns now under heightened scrutiny.

