Christine Utz,Martin Degeling,Sascha Fahl,Florian Schaub,Thorsten Holz

DOI: https://doi.org/10.1145/3319535.3354212

2019-10-22

Abstract:Since the adoption of the General Data Protection Regulation (GDPR) in May 2018 more than 60 % of popular websites in Europe display cookie consent notices to their visitors. This has quickly led to users becoming fatigued with privacy notifications and contributed to the rise of both browser extensions that block these banners and demands for a solution that bundles consent across multiple websites or in the browser. In this work, we identify common properties of the graphical user interface of consent notices and conduct three experiments with more than 80,000 unique users on a German website to investigate the influence of notice position, type of choice, and content framing on consent. We find that users are more likely to interact with a notice shown in the lower (left) part of the screen. Given a binary choice, more users are willing to accept tracking compared to mechanisms that require them to allow cookie use for each category or company individually. We also show that the wide-spread practice of nudging has a large effect on the choices users make. Our experiments show that seemingly small implementation decisions can substantially impact whether and how people interact with consent notices. Our findings demonstrate the importance for regulation to not just require consent, but also provide clear requirements or guidance for how this consent has to be obtained in order to ensure that users can make free and informed choices.

Human-Computer Interaction,Computers and Society

Midas Nouwens,Ilaria Liccardi,Michael Veale,David Karger,Lalana Kagal

DOI: https://doi.org/10.1145/3313831.3376321

2020-04-21

Abstract:New consent management platforms (CMPs) have been introduced to the web to conform with the EU's General Data Protection Regulation, particularly its requirements for consent when companies collect and process users' personal data. This work analyses how the most prevalent CMP designs affect people's consent choices. We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK (n=680). We found that dark patterns and implied consent are ubiquitous; only 11.8% meet our minimal requirements based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices. We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22-23 percentage points; and providing more granular controls on the first page decreases consent by 8-20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.

Torsha Mazumdar,Daniel Timko,Muhammad Lutfor Rahman

DOI: https://doi.org/10.48550/arXiv.2309.00776

2023-09-02

Abstract:The California Consumer Privacy Act (CCPA) secures the right to Opt-Out for consumers in California. However, websites may implement complex consent mechanisms that potentially do not capture the user's true choices. We investigated the user choices in Cookie Consent Banner of US residents, the plurality of whom were from California, through an online experiment of 257 participants and compared the results with how they perceived to these Cookie Consent Banner. Our results show a contradiction between how often participants self-report their Opt-Out rates and their actual Opt-Out rate when interacting with a complex, CCPA-compliant website. This discrepancy expands the context with which modern websites may implement the CCPA without providing users sufficient information or instruction on how to successfully Opt-Out. We further elaborate on how US residents respond to and perceive the GDPR-like Opt-In model. Our results indicate that even though very few consumers actually exercised their right to Opt-Out, the majority of US consumers desire more transparent privacy policies that the current implementation of CCPA on websites lacks.

Cryptography and Security

Than Htut Soe,Oda Elise Nordberg,Frode Guribye,Marija Slavkovik

DOI: https://doi.org/10.48550/arXiv.2006.13985

2020-06-25

Abstract:To ensure that users of online services understand what data are collected and how they are used in algorithmic decision-making, the European Union's General Data Protection Regulation (GDPR) specifies informed consent as a minimal requirement. For online news outlets consent is commonly elicited through interface design elements in the form of a pop-up. We have manually analyzed 300 data collection consent notices from news outlets that are built to ensure compliance with GDPR. The analysis uncovered a variety of strategies or dark patterns that circumvent the intent of GDPR by design. We further study the presence and variety of these dark patterns in these "cookie consents" and use our observations to specify the concept of dark pattern in the context of consent elicitation.

Human-Computer Interaction

Célestin Matte,Nataliia Bielova,Cristiana Santos

DOI: https://doi.org/10.48550/arXiv.1911.09964

2020-02-21

Abstract:As a result of the GDPR and the ePrivacy Directive, European users encounter cookie banners on almost every website. Many of such banners are implemented by Consent Management Providers (CMPs), who respect the IAB Europe's Transparency and Consent Framework (TCF). Via cookie banners, CMPs collect and disseminate user consent to third parties. In this work, we systematically study IAB Europe's TCF and analyze consent stored behind the user interface of TCF cookie banners. We analyze the GDPR and the ePrivacy Directive to identify legal violations in implementations of cookie banners based on the storage of consent and detect such violations by crawling 22 949 European websites. With two automatic and semi-automatic crawl campaigns, we detect violations, and we find that: 141 websites register positive consent even if the user has not made their choice; 236 websites nudge the users towards accepting consent by pre-selecting options; and 27 websites store a positive consent even if the user has explicitly opted out. Performing extensive tests on 560 websites, we find at least one violation in 54% of them. Finally, we provide a browser extension to facilitate manual detection of violations for regular users and Data Protection Authorities.

Cryptography and Security

Harshvardhan J. Pandit

DOI: https://doi.org/10.48550/arXiv.2208.05786

2022-08-10

Abstract:Consent dialogues are a source of annoyance, malicious intent, dark patterns, illegal practices and a plethora of other issues. This work presents known problems based on GDPR requirements grouped into two categories: (i) UI/UX for consenting; and (ii) power imbalance in expressing consent. To resolve this, it presents two proposals: First, the use of automation through privacy signals to better govern consenting processes and to reduce `consent-fatigue'. Second, as generation of consent dialogues on the user side and its practicalities for both websites as well as users and agents (e.g. web browsers). Both proposals are discussed in terms of possibilities for implementation and suitability for stakeholders. The article concludes with a discussion on the difficulties in achieving such solutions owing to the conflicts of interest between `web-enablers' and `web-consumers', and the necessity for the EU to take a direct stance in addressing these in their future laws.

Computers and Society

Cristiana Santos,Arianna Rossi,Lorena Sánchez Chamorro,Kerstin Bongard-Blanchy,Ruba Abu-Salma

DOI: https://doi.org/10.1145/3463676.3485611

2021-10-07

Abstract:A cookie banner pops up when a user visits a website for the first time, requesting consent to the use of cookies and other trackers for a variety of purposes. Unlike prior work that has focused on evaluating the user interface (UI) design of cookie banners, this paper presents an in-depth analysis of what cookie banners say to users to get their consent. We took an interdisciplinary approach to determining what cookie banners should say. Following the legal requirements of the ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR), we manually annotated around 400 cookie banners presented on the most popular English-speaking websites visited by users residing in the EU. We focused on analyzing the purposes of cookie banners and how these purposes were expressed (e.g., any misleading or vague language, any use of jargon). We found that 89% of cookie banners violated applicable laws. In particular, 61% of banners violated the purpose specificity requirement by mentioning vague purposes, including "user experience enhancement". Further, 30% of banners used positive framing, breaching the freely given and informed consent requirements. Based on these findings, we provide recommendations that regulators can find useful. We also describe future research directions.

Human-Computer Interaction

Victor Morel,Cristiana Santos,Yvonne Lintao,Soheil Human

DOI: https://doi.org/10.48550/arXiv.2209.09946

2022-09-20

Computers and Society

Abstract:Most websites offer their content for free, though this gratuity often comes with a counterpart: personal data is collected to finance these websites by resorting, mostly, to tracking and thus targeted advertising. Cookie walls and paywalls, used to retrieve consent, recently generated interest from EU DPAs and seemed to have grown in popularity. However, they have been overlooked by scholars. We present in this paper 1) the results of an exploratory study conducted on 2800 Central European websites to measure the presence and practices of cookie paywalls, and 2) a framing of their lawfulness amidst the variety of legal decisions and guidelines.

A R Howarth,C S Estcourt,R E Ashcroft,J A Cassell

DOI: https://doi.org/10.1093/phe/phab030

IF: 2.706

2022-01-11

Public Health Ethics

Abstract:The General Data Protection Regulation (GDPR) was introduced in 2018 to harmonize data privacy and security laws across the European Union (EU). It applies to any organization collecting personal data in the EU. To date, service-level consent has been used as a proportionate approach for clinical trials, which implement low-risk, routine, service-wide interventions for which individual consent is considered inappropriate. In the context of public health research, GDPR now requires that individuals have the option to choose whether their data may be used for research, which presents a challenge when consent has been given by the clinical service and not by individual service users. We report here on development of a pragmatic opt-out solution to this consent paradox in the context of a partner notification intervention trial in sexual health clinics in the UK. Our approach supports the individual's right to withhold their data from trial analysis while routinely offering the same care to all patients.

Colin M. Gray,Cristiana Santos,Nataliia Bielova,Michael Toth,Damian Clifford

DOI: https://doi.org/10.1145/3411764.3445779

2021-02-04

Abstract:User engagement with data privacy and security through consent banners has become a ubiquitous part of interacting with internet services. While previous work has addressed consent banners from either interaction design, legal, and ethics-focused perspectives, little research addresses the connections among multiple disciplinary approaches, including tensions and opportunities that transcend disciplinary boundaries. In this paper, we draw together perspectives and commentary from HCI, design, privacy and data protection, and legal research communities, using the language and strategies of "dark patterns" to perform an interaction criticism reading of three different types of consent banners. Our analysis builds upon designer, interface, user, and social context lenses to raise tensions and synergies that arise together in complex, contingent, and conflicting ways in the act of designing consent banners. We conclude with opportunities for transdisciplinary dialogue across legal, ethical, computer science, and interactive systems scholarship to translate matters of ethical concern into public policy.

Human-Computer Interaction,Computers and Society

Ignacio Cofone

DOI: https://doi.org/10.2139/ssrn.2541215

2014-01-01

SSRN Electronic Journal

Abstract:Limitations on online tracking are object of a regulatory debate that has shifted to the use of default rules to enhance privacy. The European Union implemented this idea with the Cookies Directive. The Directive aims to change the default system for tracking and move to an opt-in system in which data subjects must agree to it beforehand. This article evaluates the Directive’s implementation across Member States and studies the cases of the Netherlands and the UK. It then draws from the behavioural economics literature on default rules to evaluate these regulations and to consider whether it is possible to implement the policy in a way that avoids some of the problems they faced.

Shara Monteleone

Abstract:Information notice and data subject's consent are the current main legal safeguards of data protection and privacy rights: they reflect individuals' instances, such as self-determination and control over one's own private sphere, that have been acknowledged in many jurisdictions. However, the theoretic strength of these safeguards appears frustrated by current online practices that seem suggesting to give-up with their most common form of implementation: privacy notices and request for consent. These measures are proving to be unsuccessful in increasing users' awareness and in fostering a privacy protective-behaviour. As recent studies have shown, although people declare privacy concerns, their actual behaviour diverges from their statements (the "privacy paradox"), as they seem to increasingly disclose personal data and to not even read privacy notices available online; eventually, the current privacy notices are not effective in regulating user's data disclosure. Behaviourally informed approaches to regulatory problems, already applied to different areas of information provision and public policy, helped to clarify the reasons of similar peoples' behaviour that cannot be reduced to a simplistic "users do not care about privacy." Highlighting the regulatory weakness of traditional information notices, applied behavioural science has also demonstrated to be particularly effective in improving users' decision-making and attaining concrete policy objectives if accompanied by ad hoc design interventions to display the relevant, salient information. As users do not read privacy policies or act in contradiction with them, other strategies might be more successful in promoting, "nudging," privacy-protective behaviour. The use of innovative information notices, like salient alerts and nudges, seems to be a promising means of behavioural change also in the area of digital privacy, a possible new area of application of behavioural insights. Building on recent studies in the field ( conducted mainly in the U.S.), this paper considers new forms of privacy notices (like "visceral" 2 Syracuse Journal of International Law and Commerce, Vol. 43, No. 1 [2015], Art. 4 https://surface.syr.edu/jilc/vol43/iss1/4 2015] Addressing the 'Failure' of Informed Consent 71 notices), as alternative or complement to current legal (technical) measures for data protection. For the informed consent approach (or "notice and choice" approach) to work, it needs to be improved with welldesigned, transparent and regulated nudging system, capable to help citizens in their decision-making as regards their privacy. Without disregarding the challenges and limitations of nudging strategies in public policy in general and in the privacy area in particular, and examining their legal grounds, the paper aims also to integrate that branch of legal-policy research that see "nudging" methods as an effective way to gently encourage safer behaviours in the citizens.

Computer Science,Economics,Law

Zengrui Liu,Umar Iqbal,Nitesh Saxena

2023-10-07

Abstract:Data protection regulations, such as GDPR and CCPA, require websites and embedded third-parties, especially advertisers, to seek user consent before they can collect and process user data. Only when the users opt in, can these entities collect, process, and share user data. Websites typically incorporate Consent Management Platforms (CMPs), such as OneTrust and CookieBot, to solicit and convey user consent to the embedded advertisers, with the expectation that the consent will be respected. However, neither the websites nor the regulators currently have any mechanism to audit advertisers' compliance with the user consent, i.e., to determine if advertisers indeed do not collect, process, and share user data when the user opts out. In this paper, we propose an auditing framework that leverages advertisers' bidding behavior to empirically assess the violations of data protection regulations. Using our framework, we conduct a measurement study to evaluate four of the most widely deployed CMPs, i.e., Didomi, Quantcast, OneTrust, and CookieBot, as well as advertiser-offered opt-out controls, i.e., National Advertising Initiative's opt-out, under GDPR and CCPA. Our results indicate that in many cases user data is unfortunately still being collected, processed, and shared even when users opt-out. We also find that some CMPs are better than the others at conveying user consent and that several ad platforms ignore user consent. Our results also indicate that advertiser-offered opt-out are equally ineffective at protecting user privacy.

Cryptography and Security

Xengie Doan,Arianna Rossi,Marietjie Botes,Annika Selzer

DOI: https://doi.org/10.2196/53113

2024-04-30

Abstract:Background: As consent for data sharing evolves with the digital age, plain-text consent is not the only format in which information can be presented. However, designing a good consent form is highly challenging. The addition of graphics, video, and other mediums to use can vary widely in effectiveness; and improper use can be detrimental to users. Objective: This study aims to explore the expectations and experiences of adults toward consent given in infographic, video, text, newsletter, and comic forms in a health data sharing scenario to better understand the appropriateness of different mediums and identify elements of each medium that most affect engagement with the content. Methods: We designed mock consent forms in infographic, video, text, newsletter, and comic versions. Semistructured interviews were conducted with adults who were interviewed about their expectations for consent and were then shown each consent medium and asked about engaging elements across mediums, preferences for consent mediums, and the value of document quality criteria. We transcribed and qualitatively co-coded to identify themes and perform analyses. Results: We interviewed 24 users and identified different thematic archetypes based on participant goals, such as the Trust Seeker, who considered their own understanding and trust in organizations when making decisions. The infographic was ranked first for enhancing understanding, prioritizing information, and maintaining the proper audience fit for serious consent in health data sharing scenarios. In addition, specific elements such as structure, step-by-step organization, and readability were preferred engaging elements. Conclusions: We identified archetypes to better understand user needs and elements that can be targeted to enhance user engagement with consent forms; this can help inform the design of more effective consent in the future. Overall, preferences for mediums are highly contextual, and more research should be done.

Xuehui Hu,Nishanth Sastry

DOI: https://doi.org/10.1145/3292522.3326039

2019-05-04

Abstract:The recently introduced General Data Protection Regulation (GDPR) requires that when obtaining information online that could be used to identify individuals, their consents must be obtained. Among other things, this affects many common forms of cookies, and users in the EU have been presented with notices asking their approvals for data collection. This paper examines the prevalence of third party cookies before and after GDPR by using two datasets: accesses to top 500 websites according to <a class="link-external link-http" href="http://Alexa.com" rel="external noopener nofollow">this http URL</a>, and weekly data of cookies placed in users' browsers by websites accessed by 16 UK and China users across one year. We find that on average the number of third parties dropped by more than 10% after GDPR, but when we examine real users' browsing histories over a year, we find that there is no material reduction in long-term numbers of third party cookies, suggesting that users are not making use of the choices offered by GDPR for increased privacy. Also, among websites which offer users a choice in whether and how they are tracked, accepting the default choices typically ends up storing more cookies on average than on websites which provide a notice of cookies stored but without giving users a choice of which cookies, or those that do not provide a cookie notice at all. We also find that top non-EU websites have fewer cookie notices, suggesting higher levels of tracking when visiting international sites. Our findings have deep implications both for understanding compliance with GDPR as well as understanding the evolution of tracking on the web.

Cryptography and Security,Information Retrieval

Matt Hettche,Dae-Hee Kim,Michael J. Clayton

DOI: https://doi.org/10.33423/jmdc.v17i3.6555

2023-11-23

Journal of Marketing Development and Competitiveness

Abstract:This article provides a theoretical basis for why the notice-and-choice model for protecting consumer information privacy might still be considered a viable policy approach despite evidence that privacy notices are often ignored, difficult to read, and misunderstood by consumers. Drawing from several well-known game-theoretic models that map closely to an online consumer’s notice-and-choice context, we outline a rational choice model for consumer online privacy and discuss its relevance for the EU’s General Data Protection Regulations [GDPR]. We argue that an online consumer’s notice-and-choice privacy gamble is a reasonable bet when constrained by competition and the presence of meaningful regulation.

Lin Kyi,Abraham Mhaidli,Cristiana Santos,Franziska Roesner,Asia Biega

DOI: https://doi.org/10.1145/3613904.3642260

2024-02-06

Abstract:Data collection purposes and their descriptions are presented on almost all privacy notices under the GDPR, yet there is a lack of research focusing on how effective they are at informing users about data practices. We fill this gap by investigating users' perceptions of data collection purposes and their descriptions, a crucial aspect of informed consent. We conducted 23 semi-structured interviews with European users to investigate user perceptions of six common purposes (Strictly Necessary, Statistics and Analytics, Performance and Functionality, Marketing and Advertising, Personalized Advertising, and Personalized Content) and identified elements of an effective purpose name and description. We found that most purpose descriptions do not contain the information users wish to know, and that participants preferred some purpose names over others due to their perceived transparency or ease of understanding. Based on these findings, we suggest how the framing of purposes can be improved toward meaningful informed consent.

Human-Computer Interaction

Gayatri Priyadarsini Kancherla,Nataliia Bielova,Cristiana Santos,Abhishek Bichhawat

2024-11-23

Abstract:The GDPR requires websites to facilitate the right to revoke consent from Web users. While numerous studies measured compliance of consent with the various consent requirements, no prior work has studied consent revocation on the Web. Therefore, it remains unclear how difficult it is to revoke consent on the websites' interfaces, nor whether revoked consent is properly stored and communicated behind the user interface. Our work aims to fill this gap by measuring compliance of consent revocation on the Web on the top-200 websites. We found that 19.87% of websites make it difficult for users to revoke consent throughout different interfaces, 20.5% of websites require more effort than acceptance, and 2.48% do not provide consent revocation at all, thus violating legal requirements for valid consent. 57.5% websites do not delete the cookies after consent revocation enabling continuous illegal processing of users' data. Moreover, we analyzed 281 websites implementing the IAB Europe TCF, and found 22 websites that store a positive consent despite user's revocation. Surprisingly, we found that on 101 websites, third parties that have received consent upon user's acceptance, are not informed of user's revocation, leading to the illegal processing of users' data by such third parties. Our findings emphasise the need for improved legal compliance of consent revocation, and proper, consistent, and uniform implementation of revocation communication and data deletion practices.

Cryptography and Security

Neil M. Richards,Woodrow Hartzog

2019-04-11

Abstract:Consent permeates both our law and our lives — especially in the digital context. Consent is the foundation of the relationships we have with search engines, social networks, commercial web sites, and any one of the dozens of other digitally mediated businesses we interact with regularly. We are frequently asked to consent to terms of service, privacy notices, the use of cookies, and so many other commercial practices. Consent is important, but it’s possible to have too much of a good thing. As a number of scholars have documented, while consent models permeate the digital consumer landscape, the practical conditions of these agreements fall far short of the gold standard of knowing and voluntary consent. Yet as scholars, advocates, and consumers, we lack a common vocabulary for talking about the different ways in which digital consents can be flawed. This article offers four contributions to improve our understanding of consent in the digital world. First, we offer a conceptual vocabulary of “the pathologies of consent” — a framework for talking about different kinds of defects that consent models can suffer, such as unwitting consent, coerced consent, and incapacitated consent. Second, we offer three conditions for when consent will be most valid in the digital context: when choice is infrequent, when the potential harms resulting from that choice are vivid and easy to imagine, and where we have the correct incentives choose consciously and seriously. The further we fall from these conditions, the more a particular consent will be pathological and thus suspect. Third, we argue that out theory of consent pathologies sheds light on the so-called “privacy paradox” — the notion that there is a gap between what consumers say about wanting privacy and what they actually do in practice. Understanding the “privacy paradox” in terms of consent pathologies shows how consumers are not hypocrites who say one thing but do another. On the contrary, the pathologies of consent reveal how consumers can be nudged and manipulated by powerful companies against their actual interests, and that this process is easier when consumer protection law falls far from the gold standard. In light of these findings, we offer a fourth contribution — the theory of consumer trust we have suggested in prior work and which we further elaborate here as an alternative to our over-reliance on consent and its many pathologies.

Computer Science,Psychology,Law

Georgios Kampanos,Siamak F. Shahandashti

DOI: https://doi.org/10.48550/arXiv.2104.05750

2021-04-13

Abstract:Cookie banners are devices implemented by websites to allow users to manage their privacy settings with respect to the use of cookies. They are part of a user's daily web browsing experience since legislation in Europe requires websites to show such notices. In this paper, we carry out a large-scale study of more than 17,000 websites including more than 7,500 cookie banners in Greece and the UK to determine compliance and tracking transparency levels. Our analysis shows that although more than 60% of websites store third-party cookies in both countries, only less than 50% show a cookie notice and hence a substantial proportion do not comply with the law even at the very basic level. We find only a small proportion of the surveyed websites providing a direct opt-out option, with an overwhelming majority either nudging users towards privacy-intrusive choices or making cookie rejection much harder than consent. Our results differ significantly in some cases from previous smaller-scale studies and hence underline the importance of large-scale studies for a better understanding of the big picture in cookie practices.

Cryptography and Security