(Un)informed Consent: Studying GDPR Consent Notices in the Field

@article{Utz2019UninformedCS,
  title={(Un)informed Consent: Studying GDPR Consent Notices in the Field},
  author={Christine Utz and Martin Degeling and Sascha Fahl and Florian Schaub and Thorsten Holz},
  journal={Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security},
  year={2019}
}
Since the adoption of the General Data Protection Regulation (GDPR) in May 2018 more than 60 % of popular websites in Europe display cookie consent notices to their visitors. This has quickly led to users becoming fatigued with privacy notifications and contributed to the rise of both browser extensions that block these banners and demands for a solution that bundles consent across multiple websites or in the browser. In this work, we identify common properties of the graphical user interface… 

Dark Patterns Post-GDPR: Scraping Consent Interface Designs and Demonstrating their Influence
TLDR
This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an efficient way to increase compliance.
This Website Uses Nudging: MTurk Workers' Behaviour on Cookie Consent Notices
TLDR
It is shown that the nudging designs used in the different cookie consent notices have a large effect on the choices users make, and color-based nudging bars can significantly impact the participants' decisions to change the default cookie settings, despite using dark patterns.
Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence
TLDR
This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.
Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs after GDPR
TLDR
The results show that participants who see a default button accept cookies for more purposes than the control group, while being less able to correctly recall their choice, and regret it more often and perceive the consent dialog as more deceptive than the control group.
Analyzing Cookies Compliance with the GDPR
TLDR
A browser extension that can locally enforce a user’s cookie consent choices regardless of how the website behaves is developed, providing a fully client-side approach to enforcing cookie consent.
Cookie Banners and Privacy Policies: Measuring the Impact of the GDPR on the Web
TLDR
It is summarized that online services more often provide means for their users to opt out of data processing, but regularly obstruct convenient access to such means through unnecessarily complex and sometimes illegitimate interface design.
Consent for targeted advertising: the case of Facebook
TLDR
This paper identifies the features, originating from GDPR requirements, of consent mechanisms of Facebook, and examines the Ad Consent Mechanism of Facebook that is based on processing of user activity data off Facebook Company Products provided by third parties with respect to these features.
Has the GDPR hype affected users' reaction to cookie disclaimers?
TLDR
The results suggest that users did not change their attitude towards cookie use in favour of privacy protection, but got even more accustomed to the use of cookies, also by third parties.
Privacy CURE: Consent Comprehension Made Easy
TLDR
The Consent reqUest useR intErface (CURE) prototype is introduced, which is based on the GDPR requirements and the interpretation of those requirements by the Article 29 Working Party (i.e., the predecessor of the European Data Protection Board).
A Cross-Platform Evaluation of Privacy Notices and Tracking Practices
  • M. Mehrnezhad
  • Computer Science
    2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
  • 2020
TLDR
The results show that the privacy consent banner is presented to the user in various and inconsistent ways across websites, browsers, and mobile apps, where the majority of these consent notices do not comply with the GDPR.

References

SHOWING 1-10 OF 52 REFERENCES
Can I Opt Out Yet?: GDPR and the Global Illusion of Cookie Control
TLDR
It is found that the GDPR has impacted website behavior in a truly global way, both directly and indirectly: USA-based websites behave similarly to EU-based ones, while third-party opt-out services reduce the amount of tracking even for websites which do not put any effort in respecting the new law.
The Impact of User Location on Cookie Notices (Inside and Outside of the European Union)
TLDR
Using a series of regression models, it is found that the website’s Top Level Domain explains a substantial portion of the variance in cookie notice metrics, but the user's vantage point does not, which suggests that websites follow one set of privacy rules for all their users.
"Your hashed IP address: Ubuntu.": perspectives on transparency tools for online advertising
TLDR
It is found that newly created transparency tools present a variety of information to users, from detailed technical logs to high-level interest segment information, which indicates that users do not know what to learn from the data and mistrust the accuracy of the information shown to them.
We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy
TLDR
It is concluded that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.
Exploring Motivations for Online Privacy Protection Behavior: Insights From Panel Data
Personally managing and protecting online privacy has become an essential part of everyday life. This research draws on the protection motivation theory (PMT) to investigate privacy protective
"This Website Uses Cookies": Users' Perceptions and Reactions to the Cookie Disclaimer
TLDR
An explorative user study is conducted in order to investigate the users’ perceptions of cookies when seeing the cookie disclaimer, the users' reactions to such a disclaimer and different factors that influence the users’ decision to leave or continue using the website.
A Design Space for Effective Privacy Notices
TLDR
This paper surveys the existing literature on privacy notices and identifies challenges, requirements, and best practices for privacy notice design, and mapping out the design space for privacy notices by identifying relevant dimensions provides a taxonomy and consistent terminology of notice approaches.
Before and After GDPR: The Changes in Third Party Presence at Public and Private European Websites
TLDR
A mapping of the subtle shifts in the third party topology before and after May 25, 2018 is presented, finding that it is quite difficult to draw conclusions on cause-effect relationships in such a complex environment with many impacting factors.
Expecting the Unexpected: Understanding Mismatched Privacy Expectations Online
TLDR
It is suggested that focusing on mismatches between actual practices and a user’s expectations could help design privacy notice interfaces that significantly reduce user burden.
An Experience Sampling Study of User Reactions to Browser Warnings in the Field
TLDR
It is concluded that further improvements to warnings will require solving a range of smaller contextual misunderstandings, including a single dominant failure in modern warning design, like habituation, that prevents effective decisions.