“Duped by Design”: websites asking users for unnecessary personal data

The Consumer Policy Research Centre (CPRC) published a report on 8 June 2022 which found 89% of consumers surveyed had experienced being asked for more personal information than was needed to access the relevant product or service.

Why does this matter?

This report shows, overwhelmingly, that organisations are collecting more personal information than they need to – and this is very likely a breach of the Australian Privacy Principles (APPs).

Beyond being a compliance breach, poor privacy practice undermines the relationships your organisation holds with its community and stakeholders. Because privacy is a human right that seeks to preserve individuality, identity and autonomy, practices that breach privacy standards often concern individuals and reduce trust in your organisation. The following statistics come from the CPRC Duped by Design report and its Data and Technology Consumer Survey:

  • 33% of Australians felt they could not trust a business that attempted “data-grabs”, such as forcing someone to create a profile before they can browse products or services.
  • 75% of Australians feel businesses have a high responsibility to provide protection against collection and sharing of personal information.
  • 80% of Australians are uncomfortable with unnecessary sharing of information.

Your privacy obligations online

If your organisation is governed by the APPs, you have an obligation to only collect personal information that is reasonably necessary for one or more of your functions and activities. If the personal information is of a sensitive nature, there are additional restrictions on collection such as consent.

Collecting more than you need is a breach of APP 3 and could lead to privacy complaints or compliance action from the Office of the Australian Information Commissioner (OAIC). Collecting more information than you need also means you must handle, use, disclose and store that additional information in a manner compliant with the APPs. Last year, Moores recorded a free webinar about data breaches.

Holding more information means more risk of a data breach.

In Victoria, there is an added obligation for health information, or personal information collected by a health service provider, to be collected:

  • fairly, and only by lawful means; and
  • not in an unreasonably intrusive way (HPP 1.2).

A similar obligation of fair and reasonable handling is being considered as part of the Privacy Act Review. The OAIC considers that an overarching obligation to handle personal information in a fair and reasonable way is particularly important because valid consent has been eroded in the online environment.

Duped by Design and “dark patterns”

The CPRC Duped by Design report specifically considered “dark patterns”: user interfaces designed to confuse users, make it difficult for users to express their actual preferences, or manipulate users into taking certain actions. Many dark patterns aim to collect more personal information, and some design features are built specifically for “data-grabs”.

Websites asked individuals for more information than was needed in the following ways:

  • having the option to receive marketing communications pre-ticked;
  • being forced to create a profile to browse or purchase a product; and
  • treating mere use of a website as acceptance of its data terms and conditions.

In the online space, privacy law and consumer law are the two main tools to combat these dark patterns and protect the rights of individuals. The Australian Competition and Consumer Commission has published further information about dark patterns.

How we can help

Our Privacy Team can help your organisation understand its information handling processes through a privacy and compliance audit. By building a detailed picture of how and when you collect information, we can support you to identify areas of risk and non-compliance, and propose practical solutions to improve how you collect, use and store information.

For more information about privacy for your organisation, check out our Privacy and Online Safety webinar recording and newly released Privacy Toolkit.

Contact us

Please contact us for more detailed and tailored help.