Toggles, Dollar Signs, and Triangles: How to (In)Effectively Convey Privacy Choices with Icons and Link Texts

Increasingly, icons are being proposed to concisely convey privacy-related information and choices to users. However, complex privacy concepts can be difficult to communicate. We investigate which icons effectively signal the presence of privacy choices. In a series of user studies, we designed and evaluated icons and accompanying textual descriptions (link texts) conveying choice, opting-out, and sale of personal information — the latter an opt-out mandated by the California Consumer Privacy Act (CCPA). We identified icon-link text pairings that conveyed the presence of privacy choices without creating misconceptions, with a blue stylized toggle icon paired with “Privacy Options” performing best. The two CCPA-mandated link texts (“Do Not Sell My Personal Information” and “Do Not Sell My Info”) accurately communicated the presence of do-not-sell opt-outs with most icons. Our results provide insights for the design of privacy choice indicators and highlight the necessity of incorporating user testing into policy making.

[42]  Alessandro Acquisti,et al.  The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study , 2011, WEIS.

[43]  David Ma,et al.  Does domain highlighting help people identify phishing sites? , 2011, CHI.

[44]  Lorrie Faith Cranor,et al.  Americans' attitudes about internet behavioral advertising practices , 2010, WPES '10.

[45]  Midas Nouwens,et al.  Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence , 2020, CHI.

[46]  Jeffrey N. Rouder,et al.  Model comparison in ANOVA , 2016, Psychonomic bulletin & review.

[47]  Colin Potts,et al.  Design of Everyday Things , 1988 .

[48]  Jacob Cohen Statistical Power Analysis for the Behavioral Sciences , 1969, The SAGE Encyclopedia of Research Design.

[49]  Benjamin Fabian,et al.  Large-scale readability analysis of privacy policies , 2017, WI.

[50]  Hana Habib,et al.  "It's a scavenger hunt": Usability of Websites' Opt-Out and Data Deletion Choices , 2020, CHI.

[51]  Lorrie Faith Cranor,et al.  Turtles, Locks, and Bathrooms: Understanding Mental Models of Privacy Through Illustration , 2018, Proc. Priv. Enhancing Technol..

[52]  Sherrie Penland,et al.  Terms Of Service , 2014 .

[53]  David A. Wagner,et al.  Somebody's Watching Me?: Assessing the Effectiveness of Webcam Indicator Lights , 2015, CHI.

[54]  D. Tingley,et al.  “Who are these people?” Evaluating the demographic characteristics and political preferences of MTurk survey respondents , 2015 .

[55]  Lorrie Faith Cranor,et al.  Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice , 2012, J. Telecommun. High Technol. Law.

[56]  R. Shay,et al.  AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements. Revised Version , 2011 .

[57]  Mary J. Culnan,et al.  Strategies for reducing online privacy risks: Why consumers read (or don't read) online privacy notices , 2004 .

[58]  Annie I. Antón,et al.  Financial privacy policies and the need for standardization , 2004, IEEE Security & Privacy Magazine.

[59]  Tuomo Kujala,et al.  Semantic distance as a critical factor in icon design for in-car infotainment systems. , 2017, Applied ergonomics.

[60]  Lorrie Faith Cranor,et al.  A comparative study of online privacy policies and formats , 2009, Privacy Enhancing Technologies.

[61]  Rainer Böhme,et al.  Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs after GDPR , 2019, Proc. Priv. Enhancing Technol..

[62]  Lorrie Faith Cranor,et al.  Timing is everything?: the effects of timing and placement of online privacy indicators , 2009, CHI.

[63]  Thorsten Holz,et al.  We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy , 2019, NDSS.

[64]  Randolph G. Bias,et al.  Research Methods for Human-Computer Interaction , 2010, J. Assoc. Inf. Sci. Technol..

[65]  Bipin Indurkhya,et al.  Impact of placing icons next to hyperlinks on information-retrieval tasks on the web , 2010 .

[66]  Lauren I. Labrecque,et al.  Addressing Online Behavioral Advertising and Privacy Implications: A Comparison of Passive Versus Active Learning Approaches , 2019, Journal of Marketing Education.

[67]  Kang G. Shin,et al.  Polisis: Automated Analysis and Presentation of Privacy Policies Using Deep Learning , 2018, USENIX Security Symposium.

[68]  Yang Wang,et al.  “What if?” Predicting Individual Users’ Smart Home Privacy Preferences and Their Changes , 2019, Proc. Priv. Enhancing Technol..

[69]  R. Posner The Federal Trade Commission , 1969 .

[70]  Eleanor Birrell,et al.  (Un)clear and (In)conspicuous: The Right to Opt-out of Sale under CCPA , 2020, WPES@CCS.

[71]  Elissa M. Redmiles,et al.  How Well Do My Results Generalize? Comparing Security and Privacy Survey Results from MTurk, Web, and Telephone Samples , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[72]  Helen Nissenbaum,et al.  Users' conceptions of web security: a comparative study , 2002, CHI Extended Abstracts.

[73]  Martin Degeling,et al.  (Un)informed Consent: Studying GDPR Consent Notices in the Field , 2019, CCS.

[74]  Steven M. Belz,et al.  The user action framework: a reliable foundation for usability engineering support tools , 2001, Int. J. Hum. Comput. Stud..

[75]  Lorrie Faith Cranor,et al.  A Design Space for Effective Privacy Notices , 2015, SOUPS.

[76]  Lorrie Faith Cranor,et al.  Privacy as part of the app decision-making process , 2013, CHI.

[77]  Lorrie Faith Cranor,et al.  Disagreeable Privacy Policies: Mismatches between Meaning and Users’ Understanding , 2014 .

[78]  Lorrie Faith Cranor,et al.  A "nutrition label" for privacy , 2009, SOUPS.

[79]  Marit Hansen,et al.  Towards Displaying Privacy Information with Icons , 2010, PrimeLife.

[80]  Stefania Passera Beyond the Wall of Text: How Information Design Can Make Contracts User-Friendly , 2015, HCI.

[81]  B. Everitt,et al.  Statistical methods for rates and proportions , 1973 .

[82]  Ftc Staff,et al.  Protecting Consumer Privacy in an Era of Rapid Change–A Proposed Framework for Businesses and Policymakers , 2011 .

[83]  Lorrie Faith Cranor,et al.  Searching for Privacy: Design and Implementation of a P3P-Enabled Search Engine , 2004, Privacy Enhancing Technologies.

[84]  Colin Potts,et al.  Privacy policies as decision-making tools: an evaluation of online privacy notices , 2004, CHI.

[85]  Sunny Consolvo,et al.  Rethinking Connection Security Indicators , 2016, SOUPS.

[86]  Adam J. Berinsky,et al.  Evaluating Online Labor Markets for Experimental Research: Amazon.com's Mechanical Turk , 2012, Political Analysis.