Editorial Notes
The authors have requested minor, non-substantive changes to the VoR and, in accordance with ACM policies, a Corrected VoR was published on November 5, 2020. For reference purposes the VoR may still be accessed via the Supplemental Material section on this page.
Abstract
Privacy notices and consent forms are the means of conveying privacy policy information to users. In Europe, a valid consent needs to be confirmed by a clear affirmative action. Despite previous research, it is not yet clear whether user engagement with consent forms via different types of interactions for confirming consent may play a significant role in effectively drawing user attention to the content, even after repeated exposure. We investigate, in a laboratory study, how different types of interactions that engage users with consent forms differ in terms of their effectiveness, efficiency, and user satisfaction. In addition, we examine if and how habituation affects user attention and satisfaction, and the time they spend on giving their consent. We conducted a controlled experiment with 80 participants in four different groups where people either were engaged actively with the policy content via Drag and Drop (DAD), Swipe, or Checkboxes, or were not actively engaged with the content (as the control condition) in a first-exposure phase and in a habituation phase. We measured user attention to consent forms along multiple dimensions, including direct, objective measurements and indirect, self-reported measures. Our results show that the different types of interactions may affect user attention to certain parts of policy information. In particular, the DAD action results in significantly more user attention to the data items compared to other groups. However, with repeated exposure to consent forms, the difference disappears. We conclude that user engagement with policy content needs to be designed with care, so that attention to substantial policy information is increased and not negatively affected.
Supplemental Material
Available for Download
Version of Record for "The Dilemma of User Engagement in Privacy Notices: Effects of Interaction Modes and Habituation on User Attention" by Karegar et al., ACM Transactions on Privacy and Security, Volume 23, Issue 1 (TOPS 23:1)
- Bonnie Brinton Anderson, Jeffrey L. Jenkins, Anthony Vance, C. Brock Kirwan, and David Eargle. 2016. Your memory is working against you: How eye tracking and memory explain habituation to security warnings. Decis. Supp. Syst. 92, C (2016), 3--13.Google Scholar
- Bonnie Brinton Anderson, C. Brock Kirwan, Jeffrey L. Jenkins, David Eargle, Seth Howard, and Anthony Vance. 2015. How polymorphic warnings reduce habituation in the brain: Insights from an fMRI study. In Proceedings of the CHI. ACM.Google Scholar
Digital Library
- Majid Arianezhad, L. Jean Camp, Timothy Kelley, and Douglas Stebila. 2013. Comparative eye tracking of experts and novices in web single sign-on. In Proceedings of the CODASPY. ACM.Google Scholar
Digital Library
- Article 29 Data Protection Working Party. Revised and Adopted on 10 April 2018. Guidelines on consent under Regulation 2016/679. https://ec.europa.eu/newsroom/article29/document.cfm?action=display8doc_id=51030.Google Scholar
- Article 29 Data Protection Working Party. Adopted on 25 November 2004. Opinion 10/2004 on more harmonised information provisions. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2004/wp100_en.pdf.Google Scholar
- Article 29 Data Protection Working Party. Revised and Adopted on 11 April 2018. Guidelines on transparency under Regulation 2016/679. https://ec.europa.eu/newsroom/article29/document.cfm?action=display8doc_id=51030.Google Scholar
- American Psychological Association. 2002. Ethical principles of psychologists and code of conduct. Amer. Psychol. 57, 12 (2002), 1060--1073.Google Scholar
Cross Ref
- Mike Bergmann, Martin Rost, and John Sören Pettersson. 2006. Exploring the feasibility of a spatial user interface paradigm for privacy-enhancing technology. In Advances in Information Systems Development. Springer, Budapest, Hungary.Google Scholar
- Rainer Böhme and Stefan Köpsell. 2010. Trained to accept?: A field experiment on consent dialogs. In Proceedings of the CHI. ACM.Google Scholar
Digital Library
- Aga Bojko. 2013. Eye Tracking the User Experience: A Practical Guide to Research. Rosenfeld Media.Google Scholar
- Cristian Bravo-Lillo, Lorrie Cranor, Saranga Komanduri, Stuart Schechter, and Manya Sleeper. 2014. Harder to ignore? In Proceedings of the SOUPS. USENIX Association, Menlo Park, CA.Google Scholar
- Cristian Bravo-Lillo, Saranga Komanduri, Lorrie Faith Cranor, Robert W. Reeder, Manya Sleeper, Julie Downs, and Stuart Schechter. 2013. Your attention please: Designing security-decision UIs to make genuine risks harder to ignore. In Proceedings of the SOUPS. ACM.Google Scholar
Digital Library
- John Brooke et al. 1996. SUS-A Quick and Dirty Usability Scale. Taylor 8 Francis.Google Scholar
- Fred H. Cate. 2010. The limits of notice and choice. IEEE Secur. Privacy 8, 2 (2010), 59--62.Google Scholar
Digital Library
- Lynne Cooke. 2006. Is eye tracking the next step in usability testing? In Proceedings of the IPCC. IEEE.Google Scholar
Cross Ref
- Lorrie Faith Cranor, Praveen Guduru, and Manjula Arjula. 2006. User interfaces for privacy agents. ACM TOCHI 13, 2 (2006), 135--178.Google Scholar
Digital Library
- Steven Cullipher and Hannah Sevian. 2015. Atoms versus bonds: How students look at spectra. J. Chem. Edu. 92, 12 (2015), 1996--2005.Google Scholar
Cross Ref
- Angelika Dimoka, Fred D. Davis, Alok Gupta, Paul A. Pavlou, Rajiv D. Banker, Alan R. Dennis, Anja Ischebeck, Gernot Müller-Putz, Izak Benbasat, David Gefen, et al. 2012. On the use of neurophysiological tools in IS research: Developing a research agenda for NeuroIS. MIS Quart. 36, 3 (2012), 679--702.Google Scholar
Digital Library
- Olive Jean Dunn. 1964. Multiple comparisons using rank sums. Technometrics 6, 3 (1964), 241--252.Google Scholar
Cross Ref
- European Union Agency for Fundamental Rights and Council of Europe. May 2018. Handbook on European data protection law. Retrieved from https://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law.Google Scholar
- Susanne Furman and Mary Theofanos. 2014. Preserving privacy--More than reading a message. In Proceedings of the Conference on UAHCI. Springer.Google Scholar
Cross Ref
- Joshua Gluck, Florian Schaub, Amy Friedman, Hana Habib, Norman Sadeh, Lorrie Faith Cranor, and Yuvraj Agarwal. 2016. How short is too short? Implications of length and framing on the effectiveness of privacy notices. In Proceedings of the SOUPS. USENIX Association.Google Scholar
- Jeffrey A. Gray. 1982. Précis of the neuropsychology of anxiety: An enquiry into the functions of the septo-hippocampal system. Behav. Brain Sci. 5, 3 (1982), 469--484.Google Scholar
Cross Ref
- Marian Harbach, Markus Hettig, Susanne Weber, and Matthew Smith. 2014. Using personal examples to improve risk communication for security 8 privacy decisions. In Proceedings of the CHI. ACM.Google Scholar
Digital Library
- Kenneth Holmqvist, Marcus Nyström, Richard Andersson, Richard Dewhurst, Halszka Jarodzka, and Joost Van de Weijer. 2011. Eye Tracking: A Comprehensive Guide to Methods and Measures. Oxford University Press, Oxford.Google Scholar
- Leif-Erik Holtz, Harald Zwingelberg, and Marit Hansen. 2011. Privacy Policy Icons. Springer, 279--285.Google Scholar
- Chris Jay Hoofnagle, Bart van der Sloot, and Frederik Zuiderveen Borgesius. 2019. The European Union general data protection regulation: What it is and what it means. Info. Commun. Technol. Law 28, 1 (2019), 65--98.Google Scholar
Cross Ref
- Robert J. K. Jacob and Keith S. Karn. 2003. Eye tracking in human-computer interaction and usability research: Ready to deliver the promises. Mind’s Eye 2, 3 (2003), 573--605.Google Scholar
- Yousra Javed and Mohamed Shehab. 2016. Investigating the animation of application permission dialogs: A case study of Facebook. In Proceedings of the DPM. Springer.Google Scholar
Cross Ref
- Yousra Javed and Mohamed Shehab. 2017. Look before you authorize: Using eye-tracking to enforce user attention towards application permissions. In Proceedings of the PETS.Google Scholar
Cross Ref
- Farzaneh Karegar, Nina Gerber, Melanie Volkamer, and Simone Fischer-Hübner. 2018. Helping john to make informed decisions on using social login. In Proceedings of the 33rd Annual ACM SAC. ACM.Google Scholar
Digital Library
- Farzaneh Karegar, Daniel Lindegren, John Sören Pettersson, and Simone Fischer-Hübner. 2018. User evaluations of an app interface for cloud-based identity management. In Advances in Information Systems Development. Springer, Larnaca, Cyprus.Google Scholar
- Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor. 2010. Standardizing privacy notices: An online study of the nutrition label approach. In Proceedings of the CHI. ACM.Google Scholar
Digital Library
- Jialiu Lin, Bin Liu, Norman Sadeh, and Jason I. Hong. 2014. Modeling users’ mobile app privacy preferences: Restoring usability in a sea of permission settings. In Proceedings of the SOUPS. USENIX Association.Google Scholar
Digital Library
- Daniel Lindegren, Farzaneh Karegar, Bridget Kane, and John Sören Pettersson. 2019. An evaluation of three designs to engage users when providing their consent on smartphones. Behav. Info. Technol. (2019), 1--17. DOI:https://doi.org/10.1080/0144929X.2019.1697898Google Scholar
- Ewa Luger, Stuart Moran, and Tom Rodden. 2013. Consent for all: Revealing the hidden complexity of terms and conditions. In Proceedings of the CHI. ACM.Google Scholar
Digital Library
- Aleecia M. Mcdonald, Robert W. Reeder, Patrick Gage Kelley, and Lorrie Faith Cranor. 2009. A comparative study of online privacy policies and formats. In Proceedings of the PETS. Springer.Google Scholar
- Council of the European Union and European Parliament. 2016. Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (General Data Protection Regulation). Offic. J. Eur. Union L119 (2016), 1--88.Google Scholar
- Martin T. Orne. 1962. On the social psychology of the psychological experiment: With particular reference to demand characteristics and their implications.Amer. Psychol. 17, 11 (1962), 776--783.Google Scholar
Cross Ref
- Andrew S. Patrick and Steve Kenny. 2003. From privacy legislation to interface design: Implementing information privacy in human-computer interactions. In Proceedings of the PETS. Springer.Google Scholar
- John Sören Pettersson. 2015. A brief evaluation of icons in the first reading of the european parliament on COM (2012) 0011. In Privacy and Identity Management for the Future Internet in the Age of Globalisation. Springer, Patras, Greece.Google Scholar
- John Sören Pettersson, Simone Fischer-Hübner, Ninni Danielsson, Jenny Nilsson, Mike Bergmann, Sebastian Clauss, Thomas Kriegelstein, and Henry Krasemann. 2005. Making PRIME usable. In Proceedings of the SOUPS. ACM.Google Scholar
Digital Library
- Irene Pollach. 2007. What’s wrong with online privacy policies? Commun. ACM 50, 9 (2007), 103--108.Google Scholar
Digital Library
- Catharine H. Rankin, Thomas Abrams, Robert J. Barry, Seema Bhatnagar, David F. Clayton, John Colombo, Gianluca Coppola, Mark A. Geyer, David L. Glanzman, Stephen Marsland, et al. 2009. Habituation revisited: An updated and revised description of the behavioral characteristics of habituation. Neurobiol. Learn. Mem. 92, 2 (2009), 135--138.Google Scholar
Cross Ref
- Keith Rayner. 1998. Eye movements in reading and information processing: 20 years of research.Psychol. Bull. 124, 3 (1998), 372--422.Google Scholar
Cross Ref
- Robert W. Reeder, Adrienne Porter Felt, Sunny Consolvo, Nathan Malkin, Christopher Thompson, and Serge Egelman. 2018. An experience sampling study of user reactions to browser warnings in the field. In Proceedings of the CHI. ACM.Google Scholar
Digital Library
- Jennifer D. Ryan, Robert R. Althoff, Stephen Whitlow, and Neal J. Cohen. 2000. Amnesia is a deficit in relational memory. Psychol. Sci. 11, 6 (2000), 454--461.Google Scholar
Cross Ref
- Florian Schaub, Rebecca Balebako, and Lorrie Faith Cranor. 2017. Designing effective privacy notices and controls. IEEE Internet Comput. 21, 3 (2017), 70--77.Google Scholar
Digital Library
- Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor. 2015. A design space for effective privacy notices. In Proceedings of the SOUPS. USENIX Association.Google Scholar
- Bart W. Schermer, Bart Custers, and Simone van der Hof. 2014. The crisis of consent: How stronger legal protection may lead to weaker consent in data protection. Ethics Info. Technol. 16, 2 (2014), 171--182.Google Scholar
Digital Library
- B. Shneiderman. 1996. The eyes have it: A task by data type taxonomy for information visualizations. In Proceedings of the VL/HCC. IEEE.Google Scholar
Cross Ref
- Mike Stieff, Mary Hegarty, and Ghislain Deslongchamps. 2011. Identifying representational competence with multi-representational displays. Cogn, Instruct, 29, 1 (2011), 123--145.Google Scholar
Cross Ref
- S. Shyam Sundar, Saraswathi Bellur, Jeeyun Oh, Qian Xu, and Haiyan Jia. 2014. User experience of on-screen interaction techniques: An experimental investigation of clicking, sliding, zooming, hovering, dragging, and flipping. HCI 29, 2 (2014), 109--152.Google Scholar
Digital Library
- Madiha Tabassum, Abdulmajeed Alqhatani, Marran Aldossari, and Heather Richter Lipford. 2018. Increasing user attention with a comic-based policy. In Proceedings of the CHI. ACM.Google Scholar
Digital Library
- Hui Tang, Elizabeth Day, Lisa Kendhammer, James Moore, Scott Brown, and Norbert Pienta. 2016. Eye movement patterns in solving science ordering problems. J. Eye Move. Res. 9, 3 (2016).Google Scholar
- Richard F. Thompson and William A. Spencer. 1966. Habituation: A model phenomenon for the study of neuronal substrates of behavior. Psychol. Rev. 73, 1 (1966), 16--43.Google Scholar
Cross Ref
- Anthony Vance, Jeffrey L. Jenkins, Bonnie Brinton Anderson, Daniel K. Bjornn, and C. Brock Kirwan. 2018. Tuning out security warnings: A longitudinal examination of habituation through fMRI, eye tracking, and field experiments. MIS Quart. 42, 2 (2018), 355--380.Google Scholar
Digital Library
- Na Wang, Jens Grossklags, and Heng Xu. 2013. An online experiment of privacy authorization dialogues for social applications. In Proceedings of the CSCW. ACM.Google Scholar
Digital Library
- Michael S. Wogalter, Vincent C. Conzola, and Tonya L. Smith-Jackson. 2002. Research-based guidelines for warning design and evaluation. Appl. Ergonom. 33, 3 (2002), 219--230.Google Scholar
Cross Ref
- Qian Xu and S. Shyam Sundar. 2016. Interactivity and memory: Information processing of interactive versus non-interactive content. Comput. Hum. Behav. 63 (2016), 620--629.Google Scholar
Digital Library
Index Terms
The Dilemma of User Engagement in Privacy Notices: Effects of Interaction Modes and Habituation on User Attention
Recommendations
Bolder is Better: Raising User Awareness through Salient and Concise Privacy Notices
CHI '21: Proceedings of the 2021 CHI Conference on Human Factors in Computing SystemsThis paper addresses the question whether the recently proposed approach of concise privacy notices in apps and on websites is effective in raising user awareness. To assess the effectiveness in a realistic setting, we included concise notices in a ...
The Effects of Privacy Awareness and Content Sensitivity on User Engagement
HCI in Business, Government and Organizations. Information Systems and AnalyticsAbstractTo increase user engagement is an important goal and major business model for many web applications and online publishers. An established tool for this purpose is online polling, where user opinions, preferences, attitudes and possibly personal ...
Online consumer privacy concerns and willingness to provide personal data on the internet
Our research examines the manner in which web users choose between participation in the internet economy and protection of their personal data. We study the influence of various contextual elements (e.g., the privacy policies posted on sites) and ...






Comments