On 9 August 2023, the Competition and Markets Authority (CMA) and Information Commissioner’s Office (ICO) published a joint position paper on online choice architecture (OCA), titled “Harmful design in digital markets: How Online Choice Architecture practices can undermine consumer choice and control over personal information”.  The paper forms part of the agencies’ work under the Digital Regulation Cooperation Forum, which brings together multiple UK regulatory bodies to advance their combined thinking on regulatory issues in the digital economy.

OCA is an umbrella term used to describe the design of online environments, like apps and websites, that consumers interact with.  The paper summarises the agencies’ concerns over the use of potentially harmful OCA, with a particular focus on data collection.  It also offers practical guidance to firms using design practices in their digital products to maximise their compliance with relevant rules.  The paper welcomes engagement from stakeholders and invites them to participate in a workshop in autumn 2023 regarding good practices for the design of online privacy choices. 

The paper’s publication follows a flurry of interest in OCA from multiple UK regulators, especially the CMA.  For example, it follows the CMA’s April 2022 research paper on OCA (see our blog post here) and recent enforcement action for potential breaches of consumer law involving OCA, against Emma Group and Wowcher Group. 

This blog post summarises the paper and places it in the context of wider interest in—and enforcement action with respect to—OCA.  In particular:

  • Section I summarises the CMA’s and ICO’s concerns about harmful OCA practices and how they might infringe relevant data protection, competition, and consumer laws, as set out in the paper.
  • Section II summarises the CMA’s and ICO’s practical expectations for firms designing OCA. 
  • Section III examines more broadly the role of OCA in recent regulatory policy work, enforcement action, and legislative proposals, with a particular focus on the CMA’s recent activities and future legislative reforms to competition and consumer law. 

I. The CMA’s and ICO’s concerns about harmful OCA practices

The CMA and ICO recognise OCA’s potential to influence consumer decision-making in ways that can cause harm from a competition, consumer, and data protection law perspective.

In particular, the paper explains the ICO’s concern that harmful OCA practices may infringe relevant UK data protection legislation, including the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2008 (DPA 2018), and Privacy and Electronic Communications Regulations 2003 (PECR).  In particular, OCA practices can induce users to make choices against their preferences; reduce user autonomy over their personal data; increase the time users spend making informed choices over personal information processing; use personal information to promote harmful sites through targeted advertising; and undermine users’ fundamental right to privacy. 

The paper also explains the CMA’s concern that certain harmful OCA practices may infringe consumer law, in particular the Consumer Protection from Unfair Trading Regulations 2008 (CPRs), Consumer Rights Act 2015 (CRA), and Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (CCRs).  They may also breach relevant competition laws.  Specifically, harmful OCA practices may steer consumer decision-making in a way that reinforces a firm’s dominant market position (e.g., through the leveraging of network effects of data advantages).  OCA practices can also manipulate consumer decision-making by making certain choices more desirable, potentially leading consumers to consent to less desirable services or actions, or restricting competition. In this context, the paper discusses five examples of potentially harmful OCA practices, and explains why they might raise data protection, consumer, or competition law concerns.  We summarise those practices below.

II. Supporting “good” OCA practices

The paper concludes by setting out four questions that firms should consider when implementing OCA designs in order to “support good practice OCA that can drive pro-privacy and pro-competition outcomes in digital markets”:

  1. Are firms building their interfaces around the user’s interests and preferences?  The paper states that OCA should be designed in a way that reflects users’ interests.  It is generally beneficial for designs to enhance users’ control and ability to exercise their privacy preferences.
  2. Are firms helping users to make effective and informed choices about their personal information, and putting them in control of how it is collected and used?  Is the information clear and not misleading?  The paper states that OCA should be presented in a way that helps users make “meaningful, freely given decisions” about whether to accept terms about personal data processing. 
  3. Do firms use testing and trialling to ensure OCA design is evidence based?  The paper states that OCA design is “best informed through testing of behaviour as well as consumer comprehension, experience and feelings of control.”  It refers to the CMA’s recent publication of its best practices when using field and online experiments.  In addition, under forthcoming statutory amendments the CMA will receive the power to trial remedies it imposes when exercising its market investigation and digital markets functions. 
  4. Have firms considered the data protection, consumer protection, and competition law implications of the OCA practices they are employing?  According to the paper, firms should ask themselves whether their OCA practices could be perceived as unfair, anticompetitive, or otherwise non-compliant with relevant rules. 

III. The role of OCA in the broader regulatory landscape

The paper’s publication follows significant policy, enforcement, and legislative developments regarding OCA.  We summarise the most significant developments below. 

CMA.  The CMA is undertaking a broad programme of work in relation to OCA practices.  In its 2023 Annual Plan, for example, it referred to the need to “[a]ddress pressure selling and false or misleading pricing practices, including through online choice architecture.”  These initiatives have spanned policy work, consumer education initiatives, and enforcement action, as illustrated in the timeline in the Annex below.  In summary: 

  • Policy work.  In April 2022, the CMA published a research paper on OCA accompanied by an evidence review (see our blog post here).  The paper summarises the CMA’s thinking on potentially harmful (and beneficial) OCA practices, and how competition and consumer law might apply to them.
  • Consumer and business education.  In February 2022, the CMA launched its “Rip Off Tip Off” campaign, which aims to make consumers more alert to potential misleading OCA practices, such as pressure selling, hidden charges, subscription traps, and fake reviews.  The CMA launched a new phase of this campaign in March 2023, alongside which it published an open letter to guide businesses through compliance with the law when they present urgency claims and price reduction claims to UK consumers. 
  • Consumer law enforcement action.  The CMA has taken recent enforcement action against Emma Group and Wowcher Group for potential breaches of consumer law.  In July 2023, the CMA set out specific concerns to Emma about potentially misleading practices, including urgency claims (including discount timers), “high demand” claims, and discount claims.  The CMA has also taken recent enforcement action against games console suppliers regarding potential subscription traps, and has an ongoing investigation into Amazon and Google over fake reviews.  
  • Competition law enforcement action.  OCA has been relevant to several CMA competition investigations and market studies/investigations.  For example, its 2020 market study into online platforms and digital advertising investigated concerns about defaults in search engines and data privacy.  Its 2022 market study into mobile ecosystems investigated concerns about pre-installed and default browsers and other apps, Apple’s data privacy prompts to users, and app store designs.  And its ongoing investigation into Amazon concerns conditions of access to the “Buy Box” displayed prominently on Amazon’s UK marketplace website, which, according to the CMA, accounts for 75% of purchases even though other offers are available.

Legislative reforms.  Several reforms to UK competition law included in the Digital Markets, Competition, and Consumer Bill (the Bill), which is currently before Parliament (see our blog post here), touch on OCA issues.  In particular:

  • Digital regulation.  Under the pro-competition regulatory regime for digital markets, the CMA’s Digital Markets Unit will gain the ability to impose firm-specific binding conduct requirements and more intrusive remedies on firms designated as having strategic market status.  The CMA has previously indicated its intention to use its new powers, once they enter into force, to tackle OCA issues it has identified through its previous enforcement work.  For example, in the Bill’s explanatory notes the government mentions that remedying concerns over defaults on smartphones could involve the imposition of “choice screens,” under which users are prompted to set their default from a menu of options. 
  • Direct consumer law enforcement.  The CMA will also gain the power to enforce consumer law directly without having to take court action.  This additional power will bolster the CMA’s ability to bring enforcement action against firms whose OCA practices run afoul of the CPRs.  The CMA will have the ability to fine firms and enforce behavioural remedies directly, including the power to impose “online interface orders” in certain circumstances.  These orders can direct firms to remove or modify online content, disable or restrict access to an online interface, display warnings to users, or delete domain names.
  • Subscription traps.  The Bill contains specific provisions designed to tackle so-called subscription traps, where users find it difficult to cancel subscription contracts.  For example, the Bill would require that firms offering subscription contracts implement “simple processes” for consumers to cancel if they do not want to renew.  The simplicity of such processes will depend in large part on the OCA used to implement them. 

ICO.  In its 2022 “ICO25” plan, the ICO set out its ambition to empower UK consumers to contribute confidently to the UK’s increasingly digital society.  From an OCA perspective, this means—as the ICO described in a 2021 joint statement with the CMA—that OCA should be designed in a way that allows “users to choose freely, and to deploy default settings that are in the user’s interest rather than those of the service provider.”  Such OCA designs “can be highly valuable in supporting both competition and data protection goals.” 

Accordingly, the ICO pays appropriate regard to the potential impact of OCA in its enforcement practice and development of guidance.  Its guidance to firms on UK GDPR compliance, for example, anchors on “privacy by design and default”.  It has issued specific guidance on privacy considerations in interface designs.  And its “Age appropriate design” code of practice advises that settings must usually be “high privacy” by default, and that firms must not use “nudge techniques” to lead or encourage minors to provide unnecessary personal data or turn off privacy protections.

Financial Conduct Authority (FCA).  OCA is also a hot topic in financial services regulation.  For example, the FCA has a policy initiative to “[i]nvestigate digital consumer journeys across priority areas to ensure consumers are empowered to take decisions in their best interest.”  This includes “harms relating to sludge, dark patterns, and gamification of financial services through analysis of large-scale data and experiments.”  In addition, the new “Consumer Duty”, which sets higher and clearer standards for consumer protection across financial services, puts in place several broad obligations impacting OCA design.  For example, firms subject to the duty have to make it easy for consumers to switch or cancel products, provide helpful and accessible support, and provide clear information so that consumers can make good financial decisions. 


OCA is at the core of many digital firms’ business models.  Successfully navigating the patchwork of rules applicable to OCA designs can be challenging for such firms.  The CMA and ICO paper adds to the wealth of material and guidance available to firms planning their compliance with these rules.  Due to the cross-agency relevance of OCA, the Digital Regulation Cooperation Forum’s work to bring together the CMA’s and ICO’s expertise on this topic is welcome. 

Of particular note is the paper’s acknowledgement that OCA practices can be beneficial to competition and consumers, as well as its emphasis on testing and experimenting with OCA designs.  It will be important for the CMA and other agencies to investigate potential breaches of relevant laws based on data and evidence, and consider whether there are any beneficial aspects of particular OCA designs that should be considered.  Engagement with businesses on OCA design and rigorous testing will also be important if the CMA considers imposing OCA-related remedies to ensure they achieve the desired purpose of benefiting or protecting consumers.

Annex: Timeline of Recent Consumer and Competition Developments Related to OCA