Rules regarding online default settings
Perhaps you use default settings on your website or app. If you do, you determine those settings for consumers in advance. Make sure that consumers are not misled into buying something or giving their consent as a result of your default settings. It is important that consumers are able to have confidence in online environments. That is why there are rules in place regarding the use of default settings, such as rules regarding the design of your online environment.
With the way you have set up the default settings, you might try to nudge consumers towards a particular choice. Consumers might benefit from that choice, but it could also be a less favorable choice. Consumers are highly likely to go along with your choice, since most consumers do not change the settings or choices that have already been made for them.
Is the default setting of the options on your app or website a setting that is less favorable to consumers? If so, note that this is very likely an unfair commercial practice. Unfair commercial practices are prohibited. Consumers must be able to have confidence in online environments, and cannot be misled. So be sure to comply with the rules when designing your online environment. ACM enforces compliance with these rules.
One example of unfavorable default settings is the use of pre-ticked boxes. This means that, in ordering processes, one or several of the extra options have been pre-selected for consumers. As such, consumers must consciously unselect the box to exclude the extra option. As a result, consumers may unwittingly agree to additional options or products (for example, unsolicited follow-up shipments, also known as subscription traps). Another example is smartphones on which the default privacy settings are unfavorable to users, or subscriptions that are automatically renewed after the subscription period has ended. These are examples of default settings that can be harmful to consumers.
If you process personal data as a result of the default settings, you also need to comply with the General Data Protection Regulation (GDPR), including the rules on privacy-by-design and privacy-by-default (in Dutch). The Dutch Data Protection Authority (AP) enforces compliance with the GDPR.
What is required and what is not allowed?
Example: Including an opt-out in a newsletter
A consumer just placed an online order with a particular business. The box for receiving the seller’s newsletter had been pre-ticked. That is only allowed if the newsletter is about products similar to what the consumer ordered. The business is allowed to send commercial emails about such products to its customers. This is one of the few cases in which a pre-ticked box is allowed.
However, here too it would have been better if this box had not been pre-ticked. The business must give the consumer an opportunity to unsubscribe during the ordering process and in every commercial email. Unsubscribing must be as easy as subscribing.
Example: a pre-ticked box for an extra product
A consumer orders an airline ticket. In the booking process, a box saying ‘Yes, I would like to add travel insurance’ has been pre-ticked by default. That is not allowed.
The consumer must consciously agree to an extra product such as travel insurance. You can use a box that is not pre-ticked.
- Title 5, section 2B of the Dutch Civil Code, Book 6 (Provisions regarding distance-selling agreements between traders and consumers) (in Dutch), for example, see Section 6:230m of the Dutch Civil Code, paragraph 3, under a: precontractual information requirements for online marketplaces.
- Title 3, section 3A of the Dutch Civil Code, Book 6 (Unfair commercial practices) (in Dutch), for example, see Section 6:139e of the Dutch Civil Code, paragraph 2 (in Dutch); essential information when ranking search results, and Section 6:139g of the Dutch Civil Code, paragraph x (in Dutch), informing unclearly or failing to inform at all about the fact that the ad has been paid for, or that a business has paid for a higher position in the ranking, is a misleading practice under all circumstances.
- Directive 2005/29/EC (Unfair Commercial Practices Directive)
- Directive 2011/83/EU (Consumer Rights Directive)
- Directive 93/13/EEC on unfair terms in consumer contracts
- Dutch Telecommunications Act, see Section 11.7 (in Dutch) for rules on unsolicited communications. For consent, the Dutch Telecommunications Act refers to Article 4, part 11 of the General Data Protection Regulation (GDPR), see also Article 7(3) of the GDPR about withdrawing consent.
- General Data Protection Regulation (GDPR), see Article 25 (Data protection by design and by default)
- Regulation (EU) 2022/2065 (Digital Services Act). As of 17 February 2024, the Digital Services Act will set boundaries and rules on the use of ads (personalized or otherwise) and recommender systems by online platforms. For example, see Article 26 on transparency obligations regarding online advertising, and Article 27 on transparency obligations regarding recommender systems.
Explanation of regulations
- Guidance on the interpretation and application of the Unfair Commercial Practices Directive, Section 5.2.6 (search engines)
- Guidance on the interpretation and application of the Consumer Rights Directive
- Guidance on the interpretation and application of the Unfair Contract Terms Directive
ACM: Consumer-friendly default settings for purchases in app stores
In 2015, ACM, together with other European regulators, assessed well-known app stores regarding the risk of unwanted purchases made by children. In part because of pressure exerted by ACM, the default settings in the app stores for making purchases were adjusted. Before, consumers were asked to re-enter their passwords 15 or 30 minutes after the last purchase when making a new purchase. Now, consumers are explicitly asked which payment setting they prefer: entering a password for each purchase, once every 15 minutes, or blocking purchases altogether.
ACM: Fine imposed on airline for using misleading default settings
In 2015, ACM imposed a fine on an airline. One of the reasons was that the airline offered additional travel insurance in a misleading manner. The default setting was that consumers had to take out travel insurance. In order not to take out travel insurance, consumers had to tick the option ‘do not insure me’.
Moreover, this option was presented in an unusual location. Consumers had to click on a drop-down menu labeled ‘select your country of residence’. Among the countries was the option ‘do not insure me’. Ryanair filed an objection and appeal against the fine. The court ruled in ACM’s favor.
UK Competition and Markets Authority (CMA): Rules for automatic renewals of subscriptions
Well-known software companies automatically renewed subscriptions for their software. However, the companies did not inform consumers about this. As a result, it was possible that consumers were paying for subscriptions they did not really want or need. The UK consumer authority CMA confronted these companies with its findings. These companies now warn consumers that their subscriptions are about to be automatically renewed, what the costs for renewal are, and when those costs are collected.
In addition, it is now clearer to consumers how they can cancel their subscriptions. The companies also offer consumers the opportunity to get their money back if their subscriptions were renewed against their wishes.
More info: links and footnotes
- European Commission, Directorate-General for Justice and Consumers, Lupiáñez-Villanueva, F., Boluda, A., Bogliacino, F., et al., Behavioural study on unfair commercial practices in the digital environment: dark patterns and manipulative personalisation: final report, Publications Office of the European Union, 2022.
- Read about how you can prevent spam (unsolicited communication) (in Dutch)