Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
In 2015, LinkedIn used forced action as part of their website registration process. In one of the steps, users were shown a harmless looking page titled "Get stated by adding your email address". Below this was a text field for their email address, and a prominent "Continue" button. This appeared to be mandatory, and users most likely felt it was harmless as almost all websites require an email address during registration. However, the true function of this was to access the user's email inbox and extract all of the email addresses it could find. Although the page did provide a description of this function, the text was grey on a blue background, making it relatively low contrast and hard to notice, and the textual content did not clearly state the consequences. Although the user could reject the request to continue, this was also unclear. The "skip this step" link was relatively small and hard to notice, positioned at the bottom right. Dan Schlosser provides further details in his article Linkedin Dark Patterns.
Forced disclosure (Brignull, 2010), privacy zuckering (Brignull, 2010), friend spam (Brignull, 2010), forced registration (Bösch et al, 2016), forced action (Gray et al., 2018), forced enrollment (Mathur et al., 2019).
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Consent should be specific, informed, unambiguous, cover all processing activities, and not inferred from silence or pre-ticked boxes, must be clear, concise and non-disruptive.
Legal basis for processing personal data are performance of contract, legal obligations compliance, protection of vital interests, controller's legitimate interests, and data subject's consent.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Specifies required information for data subjects when collecting personal data from other sources, including controller identity, processing purposes, personal data categories, recipients, and retention period.
Requires data controllers to implement appropriate measures to ensure data protection and to demonstrate compliance with GDPR.
Requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.
Requires website operators to obtain user consent before storing or accessing information on the user's device through cookies or similar technologies.
Outlines data processors' responsibilities, including implementing appropriate security measures, processing data based on controller instructions, and maintaining records of processing activities.
Users must give informed and unambiguous consent and receive clear information about cookies, including processing purposes and data controller identity, according to the law.
Gives individuals the right to object to the processing of their personal data in certain situations.
Establishes the principles of lawfulness, fairness, and transparency in the processing of personal data.
Related to transparency and information to the affected party, and it requires the controller to provide certain information to data subjects when collecting their personal data.
Outlines conditions for fines and penalties for non-compliance, including up to 4% of global annual revenue or €20 million, whichever is greater.
Prohibits the use of automated calling and communication systems for unsolicited promotional purposes, except with the prior consent of the data subject or for legitimate interest of the data controller.
Empowers supervisory authorities to carry out investigations and order controllers and processors to comply with the regulation.
Provides definitions of various terms used in the Privacy and Electronic Communications
Regulates the use of electronic communications for direct marketing purposes, including requirements for consent, opt-out options, and cookie disclosure.
Mandates that data protection must be incorporated into the design of systems, and that privacy must be a default setting for all data processing activities.
Grants individuals the right to access their personal data and receive information on how it is processed.
Grants individuals the right to have their personal data erased under certain circumstances.
Covers various aspects of consumer transactions, including the sale of goods and services, digital content, unfair contract terms, and remedies for faulty goods.
Outlines the appointment of a Data Protection Officer (DPO) for certain organizations.
Requires the appointment of a Data Protection Officer (DPO) in certain circumstances.
Mentions certification bodies as a potential entity to provide accreditation and certification for data protection compliance.
Prohibits unsolicited electronic marketing communication without prior consent, except in certain circumstances.
Outlines the rules and restrictions surrounding the processing of sensitive personal data.
Implementing a new consent based solution.
1 month to comply with GDPR requirements