ACM Digital Library home
ACM home
Advanced Search
10.1145/3319535.3354212acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedings
research-article
Open Access

(Un)informed Consent: Studying GDPR Consent Notices in the Field

Publication: CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications SecurityNovember 2019 Pages 973–990https://doi.org/10.1145/3319535.3354212
  • 22citation
  • 1,884
    • Downloads
Metrics
Total Citations22
Total Downloads1,884
Last 12 Months1,884
Last 6 weeks254
CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
(Un)informed Consent: Studying GDPR Consent Notices in the Field
Pages 973–990
PreviousChapterNextChapter

ABSTRACT

Since the adoption of the General Data Protection Regulation (GDPR) in May 2018 more than 60 % of popular websites in Europe display cookie consent notices to their visitors. This has quickly led to users becoming fatigued with privacy notifications and contributed to the rise of both browser extensions that block these banners and demands for a solution that bundles consent across multiple websites or in the browser. In this work, we identify common properties of the graphical user interface of consent notices and conduct three experiments with more than 80,000 unique users on a German website to investigate the influence of notice position, type of choice, and content framing on consent. We find that users are more likely to interact with a notice shown in the lower (left) part of the screen. Given a binary choice, more users are willing to accept tracking compared to mechanisms that require them to allow cookie use for each category or company individually. We also show that the wide-spread practice of nudging has a large effect on the choices users make. Our experiments show that seemingly small implementation decisions can substantially impact whether and how people interact with consent notices. Our findings demonstrate the importance for regulation to not just require consent, but also provide clear requirements or guidance for how this consent has to be obtained in order to ensure that users can make free and informed choices.

References

  1. Alessandro Acquisti. 2009. Nudging Privacy: The Behavioral Economics of Personal Information. IEEE Security & Privacy, Vol. 7, 6 (Dec. 2009), 82--85. https://doi.org/10.1109/MSP.2009.163Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. Alessandro Acquisti, Idris Adjerid, Rebecca Hunt Balebako, Laura Brandimarte, Lorrie Faith Cranor, Saranga Komanduri, Pedro Leon, Norman Sadeh, Florian Schaub, Manya Sleeper, Yang Wang, and Shomir Wilson. 2017. Nudges for Privacy and Security: Understanding and Assisting Users' Choices Online. Comput. Surveys, Vol. 50, 3 (Aug. 2017). https://doi.org/10.2139/ssrn.2859227Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Alessandro Acquisti, Laura Brandimarte, and George Loewenstein. 2015. Privacy and human behavior in the age of information. Science, Vol. 347, 6221 (Jan. 2015), 509--514. https://doi.org/10.1126/science.aaa1465Google ScholarGoogle ScholarCross RefCross Ref
  4. Alexa Internet, Inc. 2019. The top 500 sites on the Web. https://www.alexa.com/topsitesGoogle ScholarGoogle Scholar
  5. Article 29 Data Protection Working Party. 2016. Cookie Sweep Combined Analysis -- Report. Technical Report 14/EN WP 229. European Commission, Brussels, Belgium.Google ScholarGoogle Scholar
  6. Article 29 Data Protection Working Party. 2018. Guidelines on consent under Regulation 2016/679. Technical Report 17/EN WP259 rev.01. European Commission.Google ScholarGoogle Scholar
  7. Sophie C. Boerman, Sanne Kruikemeier, and Frederik J. Zuiderveen Borgesius. 2018. Exploring Motivations for Online Privacy Protection Behavior: Insights From Panel Data. Communication Research, Vol. 0, 0 (2018), 1--25. https://doi.org/10.1177/0093650218800915Google ScholarGoogle Scholar
  8. Matt Burgess. 2018. The tyranny of GDPR popups and the websites failing to adapt. https://www.wired.co.uk/article/gdpr-cookies-eprivacy-regulation-popups Retrieved April 22, 2019 fromGoogle ScholarGoogle Scholar
  9. Virginio Cantoni, Marco Porta, Stefania Ricotti, and Francesca Zanin. 2013. Banner positioning in the masthead area of online newspapers: an eye tracking study. In 14th International Conference on Computer Systems and Technologies (CompSysTech '13). ACM, New York, NY, USA, 145--152. https://doi.org/10.1145/2516775.2516789Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Forbrukerrådet (Norwegian Consumer Council). 2018. Deceived by Design -- How tech companies use dark patterns to discourage us from exercising our rights to privacy. Technical Report. Oslo, Norway.Google ScholarGoogle Scholar
  11. Commission Nationale de l'Informatique et des Libertés (National Commission on Informatics and Liberty). 2018. Décision ntextsuperscripto MED 2018-042 du 30 octobre 2018 mettant en demeure la société VECTAURY (Decision No. MED 2018-042 of 30 October 2018 giving notice to the company VECTAURY). https://www.legifrance.gouv.fr/affichCnil.do?id=CNILTEXT000037594451 Retrieved February 18, 2019 fromGoogle ScholarGoogle Scholar
  12. Martin Degeling, Christine Utz, Christopher Lentzsch, Henry Hosseini, Florian Schaub, and Thorsten Holz. 2019. We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy. In 26th Annual Network and Distributed System Security Symposium (NDSS '19). Internet Society.Google ScholarGoogle ScholarCross RefCross Ref
  13. Serge Egelman, Lorrie Faith Cranor, and Jason Hong. 2008. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In Conference on Human Factors in Computing Systems (CHI '08). ACM, New York, NY, USA, 1065--1074. https://doi.org/10.1145/1357054.1357219Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Interactive Advertising Bureau Europe. 2019. GDPR Transparency and Consent Framework. https://iabtechlab.com/standards/gdpr-transparency-and-consent-framework/. [Online; accessed 2 May 2019].Google ScholarGoogle Scholar
  15. European Data Protection Board. 2019. Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities. Technical Report 5/2019.Google ScholarGoogle Scholar
  16. Adrienne Porter Felt, Alex Ainslie, Robert W. Reeder, Sunny Consolvo, Somas Thyagaraja, Helen Bettes, Alan ad Harris, and Jeff Grimes. 2015. Improving SSL Warnings: Comprehension and Adherence. In 33rd Annual ACM Conference on Human Factors in Computing Systems (CHI '15). ACM, New York, NY, USA, 2893--2902. https://doi.org/10.1145/2702123.2702442Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Vitaly Friedman. 2019. Privacy UX: Better Cookie Consent Experiences. https://www.smashingmagazine.com/2019/04/privacy-ux-better-cookie-consent-experiences/ Retrieved May 7, 2019 fromGoogle ScholarGoogle Scholar
  18. Stacia Garlach and Daniel Suthers. 2018. `I'm supposed to see that?' AdChoices Usability in the Mobile Environment. In Hawaii International Conference on System Sciences. University of Hawai`i at M=anoa, Honolulu, HI, USA, 3779--3788. https://doi.org/10.24251/hicss.2018.476Google ScholarGoogle ScholarCross RefCross Ref
  19. Vicki Ha, Kori Inkpen, Farah Al Shaar, and Lina Hdeib. 2006. An Examination of User Perception and Misconception of Internet Cookies. In CHI '06 Extended Abstracts on Human Factors in Computing Systems (CHI EA '06). ACM, New York, NY, USA, 833--838. https://doi.org/10.1145/1125451.1125615Google ScholarGoogle Scholar
  20. Hana Habib, Yixin Zou, Aditi Jannu, Neha Sridhar, Chelse Swoopes, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. 2019. An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites. In Fifteenth Symposium On Usable Privacy and Security (SOUPS 2019). USENIX Association, 387--406. https://www.usenix.org/conference/soups2019/presentation/habibGoogle ScholarGoogle Scholar
  21. Daniel Kladnik. 2019. I don't care about cookies 3.0.0. https://www.i-dont-care-about-cookies.eu/. [Online; accessed 2 May 2019].Google ScholarGoogle Scholar
  22. Oksana Kulyk, Annika Hilt, Nina Gerber, and Melanie Volkamer. 2018a. “This Website Uses Cookies”: Users' Perceptions and Reactions to the Cookie Disclaimer. In 3rd European Workshop on Usable Security (EuroUSec 2018). London, England, 11.Google ScholarGoogle Scholar
  23. Oksana Kulyk, Peter Mayer, Oliver K"afer, and Melanie Volkamer. 2018b. A Concept and Evaluation of Usable and Fine-Grained Privacy-Friendly Cookie Settings Interface. In 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications (TrustCom 2018). IEEE, Piscataway, NJ, USA.Google ScholarGoogle ScholarCross RefCross Ref
  24. Pedro Leon, Blase Ur, Richard Shay, Yang Wang, Rebecca Balebako, and Lorrie Cranor. 2012. Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising. In Conference on Human Factors in Computing Systems (CHI '12). ACM, New York, NY, USA, 589--598. https://doi.org/10.1145/2207676.2207759Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Chao Liu, Ryen W. White, and Susan Dumais. 2010. Understanding Web Browsing Behaviors Through Weibull Analysis of Dwell Time. In 33rd International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR '10). ACM, New York, NY, USA, 379--386. https://doi.org/10.1145/1835449.1835513Google ScholarGoogle Scholar
  26. Manafactory. 2019. Ginger -- EU Cookie Law. https://wordpress.org/plugins/ginger/. [Online; accessed 22 August 2019].Google ScholarGoogle Scholar
  27. Kirsten Martin. 2016. Do Privacy Notices Matter? Comparing the Impact of Violating Formal Privacy Notices and Informal Privacy Norms on Consumer Trust Online. The Journal of Legal Studies, Vol. 45, S2 (June 2016), S191--S215. https://doi.org/10.1086/688488Google ScholarGoogle ScholarCross RefCross Ref
  28. Arunesh Mathur, Gunes Acar, Michael Friedman, Elena Lucherini, Jonathan Mayer, and Marsh Chetty. 2019. Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites. (2019). https://doi.org/10.1007/s12599-016-0453--1Google ScholarGoogle Scholar

Supplemental Material

Available for Download
webm
p973-utz.webm (113 MB)

Index Terms

  1. (Un)informed Consent

        Comments

        Login options

        Check if you have access through your login credentials or your institution to get full access on this article.

        Sign in

        Full Access

        Get this Publication

        PDF Format

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader
        View Table of Contents
        About Cookies On This Site

        We use cookies to ensure that we give you the best experience on our website.

        Learn more

        Got it!