Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence

@article{Nouwens2020DarkPA,
  title={Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence},
  author={Midas Nouwens and Ilaria Liccardi and Michael Veale and David R Karger and Lalana Kagal},
  journal={Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems},
  year={2020}
}
New consent management platforms (CMPs) have been introduced to the web to conform with the EU's General Data Protection Regulation, particularly its requirements for consent when companies collect and process users' personal data. This work analyses how the most prevalent CMP designs affect people's consent choices. We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK (n=680). We found that dark patterns and implied consent are ubiquitous; only 11.8% meet… 

Figures and Tables from this paper

On dark patterns and manipulation of website publishers by CMPs
TLDR
The importance of CMPs and design space offered to website publishers is demonstrated, and concerns around the privileged position of C MPs and their strategies influencing website publishers are raised.
GDPR consent pop-ups. How are we thinking about them? An Elaboration Likelihood perspective
TLDR
It is found that Cognitive Engagement is not a significant variable for predicting the behaviour of changing the defaults of the cookie consent pop-ups, while Interest and Awareness about the subject are significant predictors.
Rationalizing Dark Patterns: Examining the Process of Designing Privacy UX Through Speculative Enactments
TLDR
This work examines the process of designing privacy-oriented interfaces in terms of compliance, ethics, and creativity, and specifically how designers weigh competing interests in resolving an ethical conflict through a speculative enactment, ChoiceBox.
Measuring the Emergence of Consent Management on the Web
TLDR
It is estimated that CMP adoption doubled from June 2018 to June 2019 and then doubled again until June 2020 and a long tail exists, showing how privacy aware users incur a significant time cost.
Cookie Banners and Privacy Policies: Measuring the Impact of the GDPR on the Web
TLDR
It is summarized that online services more often provide means for their users to opt out of data processing, but regularly obstruct convenient access to such means through unnecessarily complex and sometimes illegitimate interface design.
Consent Management Platforms under the GDPR: processors and/or controllers?
TLDR
It is concluded that CMPs process personal data, and two major CMP providers in the EU: Quantcast and OneTrust are paired with a legal analysis, and multiple scenarios wherein C MPs are controllers are identified.
Dark and Bright Patterns in Cookie Consent Requests
TLDR
Overall, the findings suggest that many current implementations of cookie consent requests do not enable meaningful choices by internet users, and are thus not in line with the intention of the EU policymakers.
Drivers and Obstacles for the Adoption of Consent Management Solutions by Ad-Tech Providers
  • P. Pesch
  • Business
    2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
  • 2021
TLDR
This paper reveals drivers and obstacles for the adoption of the Transparency & Consent Framework (TCF) by ad-tech-vendors, gained in semi-structured interviews with representatives of Global Vendors List (GVL) members.
The Impact of the Transparency Consent Framework on Current Programmatic Advertising Practices
TLDR
The impact of the new framework from a programmatic advertising campaign perspective is reflected from a practitioner point of view and implications of missing user consent in five typical techniques which are applied in programmatic campaigns are addressed.
Measuring the Emergence ofConsent Management on the Web
TLDR
It is estimated that CMP adoption doubled from June 2018 to June 2019 and then doubled again until June 2020 and a long tail exists, showing how privacy aware users incur a significant time cost.
...
...

References

SHOWING 1-10 OF 79 REFERENCES
(Un)informed Consent: Studying GDPR Consent Notices in the Field
TLDR
This work identifies common properties of the graphical user interface of consent notices and conducts three experiments with more than 80,000 unique users on a German website to investigate the influence of notice position, type of choice, and content framing on consent.
Uncovering the Flop of the EU Cookie Law
TLDR
CookieCheck is engineer, a simple tool that makes this check automatic on whether a website respects the ePrivacy Directive, and results depict a dramatic picture: 65% of websites do not respect the Directive and install tracking cookies before the user is even offered the accept button.
Can I Opt Out Yet?: GDPR and the Global Illusion of Cookie Control
TLDR
It is found that the GDPR has impacted website behavior in a truly global way, both directly and indirectly: USA-based websites behave similarly to EU-based ones, while third-party opt-out services reduce the amount of tracking even for websites which do not put any effort in respecting the new law.
A Contextual Approach to Privacy Online
TLDR
In developing this approach, the paper warns that the current bias in conceiving of the Net as a predominantly commercial enterprise seriously limits the privacy agenda, and proposes an alternative approach, rooted in the theory of contextual integrity.
Tales from the Dark Side: Privacy Dark Strategies and Privacy Dark Patterns
TLDR
This paper introduces the concept of privacy dark strategies and privacy dark patterns and presents a framework that collects, documents, and analyzes such malicious concepts, allowing for a better understanding of these dark concepts, fosters awareness, and supports the development of countermeasures.
Dark Patterns at Scale
TLDR
This work presents automated techniques that enable experts to identify dark patterns on a large set of websites, and develops a taxonomy of dark pattern characteristics that describes the underlying influence of the dark patterns and their potential harm on user decision-making.
We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy
TLDR
It is concluded that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.
Do Cookie Banners Respect my Choice? : Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework
TLDR
This work analyzes the GDPR and the ePrivacy Directive to identify potential legal violations in implementations of cookie banners based on the storage of consent and detects such suspected violations by crawling 1 426 websites that contains TCF banners.
Peeking into the cookie jar: the European approach towards the regulation of cookies
  • E. Kosta
  • Law
    Int. J. Law Inf. Technol.
  • 2013
TLDR
This article will study the new requirements set out in Article 5(3) of the ePrivacy Directive, as well as the background leading to their adoption, and discuss how the consent of the user can be given in relation to cookies in a valid way.
Tracking Walls, Take-It-Or-Leave-It Choices, the GDPR, and the ePrivacy Regulation
TLDR
A list of circumstances to assess when a tracking wall makes consent invalid is provided, and how the EU lawmaker could regulate tracking walls is explored, for instance in the ePrivacy Regulation.
...
...