research-article
Open Access

The Dilemma of User Engagement in Privacy Notices: Effects of Interaction Modes and Habituation on User Attention

Published: 08 February 2020

Editorial Notes

The authors have requested minor, non-substantive changes to the VoR and, in accordance with ACM policies, a Corrected VoR was published on November 5, 2020. For reference purposes the VoR may still be accessed via the Supplemental Material section on this page.

Abstract

Privacy notices and consent forms are the means of conveying privacy policy information to users. In Europe, a valid consent needs to be confirmed by a clear affirmative action. Despite previous research, it is not yet clear whether user engagement with consent forms via different types of interactions for confirming consent may play a significant role in effectively drawing user attention to the content, even after repeated exposure. We investigate, in a laboratory study, how different types of interactions that engage users with consent forms differ in terms of their effectiveness, efficiency, and user satisfaction. In addition, we examine if and how habituation affects user attention and satisfaction, and the time they spend on giving their consent. We conducted a controlled experiment with 80 participants in four different groups where people either were engaged actively with the policy content via Drag and Drop (DAD), Swipe, or Checkboxes, or were not actively engaged with the content (as the control condition) in a first-exposure phase and in a habituation phase. We measured user attention to consent forms along multiple dimensions, including direct, objective measurements and indirect, self-reported measures. Our results show that the different types of interactions may affect user attention to certain parts of policy information. In particular, the DAD action results in significantly more user attention to the data items compared to other groups. However, with repeated exposure to consent forms, the difference disappears. We conclude that user engagement with policy content needs to be designed with care, so that attention to substantial policy information is increased and not negatively affected.
