Preselection employs the default effect cognitive bias – a psychological phenomenon where people tend to go with the option that is already chosen for them, even if there are other choices available. Providers know this and often use it to take advantage of consumers. A common approach is to show a pre-ticked checkbox, though there are various other ways of doing this, including putting items in the user's shopping cart, or pre-selecting items in a series of steps. There are lots of reasons why this is a powerful deceptive pattern. Firstly, there’s simply the matter of awareness - users have to notice it, read it and work out what it all means. If the user doesn't, they'll scroll past completely unaware of the implications. There are other cognitive biases that may be employed in his deceptive pattern. For example, the content may be written to make the user feel that people to feel other people like them would accept the default so they should too (targeting the social proof bias). Alternatively, the content may use an authority figure to pressure users into accepting the default (targeting the authority bias).
In 2021, the Trump campaign famously used this deceptive pattern. A preselected checkbox for "Make this a monthly recurring donation" was included, tricking many donors into unintentional recurring payments. Then, later in the campaign they added a second preselected checkbox that tricked users into an additional donation. Numerous deceptive patterns were used in the Trump campaign, documented by Shane Goldmacher in the New York Times.
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Consent should be specific, informed, unambiguous, cover all processing activities, and not inferred from silence or pre-ticked boxes, must be clear, concise and non-disruptive.
Legal basis for processing personal data are performance of contract, legal obligations compliance, protection of vital interests, controller's legitimate interests, and data subject's consent.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Specifies required information for data subjects when collecting personal data from other sources, including controller identity, processing purposes, personal data categories, recipients, and retention period.
Requires data controllers to implement appropriate measures to ensure data protection and to demonstrate compliance with GDPR.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.
Gives individuals the right to object to the processing of their personal data in certain situations.
Establishes the principles of lawfulness, fairness, and transparency in the processing of personal data.
Related to transparency and information to the affected party, and it requires the controller to provide certain information to data subjects when collecting their personal data.
Grants individuals the right to access their personal data and receive information on how it is processed.
Prohibits unfair commercial practices, including misleading and aggressive practices, and provides remedies for consumers who have been harmed by such practices.
Imposes fines ranging from 10 million to 250 million ROL for contraventions involving the processing of personal data in breach of specific provisions.
Defines "data subject's consent" as freely given, specific, and informed indication of agreement to personal data processing.
Outlines the basic principles of fair and lawful personal data processing, including specified and legitimate purposes, adequacy, accuracy, and appropriate safeguards.
Sets out the legal grounds for processing personal data, including consent, contract, legal obligations, vital interests, public interest, and legitimate interests, while protecting the rights of the data subject.
Mandates that data protection must be incorporated into the design of systems, and that privacy must be a default setting for all data processing activities.
Users must give informed and unambiguous consent and receive clear information about cookies, including processing purposes and data controller identity, according to the law.
Response to request for a preliminary ruling