DOI: 10.1145/3313831.3376321
research-article

Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence

Published: 23 April 2020

ABSTRACT

New consent management platforms (CMPs) have been introduced to the web to conform with the EU's General Data Protection Regulation, particularly its requirements for consent when companies collect and process users' personal data. This work analyses how the most prevalent CMP designs affect people's consent choices. We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK (n=680). We found that dark patterns and implied consent are ubiquitous; only 11.8% meet our minimal requirements based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices. We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22-23 percentage points; and providing more granular controls on the first page decreases consent by 8-20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.


Published in

CHI '20: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems
April 2020
10688 pages
ISBN: 9781450367080
DOI: 10.1145/3313831

Copyright © 2020 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Overall Acceptance Rate: 6,199 of 26,314 submissions, 24%
