An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites

Many websites offer visitors privacy controls and opt-out choices, either to comply with legal requirements or to address consumer privacy concerns. The way these control mechanisms are implemented can significantly affect individuals’ choices and their privacy outcomes. We present an extensive content analysis of a stratified sample of 150 Englishlanguage websites, assessing the usability and interaction paths of their data deletion options and opt-outs for email communications and targeted advertising. This heuristic evaluation identified substantial issues that likely make exercising these privacy choices on many websites difficult and confusing for US-based consumers. Even though the majority of analyzed websites offered privacy choices, they were located inconsistently across websites. Furthermore, some privacy choices were rendered unusable by missing or unhelpful information, or by links that did not lead to the stated choice. Based on our findings, we provide insights for addressing usability issues in the end-to-end interaction required to effectively exercise privacy choices and controls.

[1]  Mark S. Ackerman,et al.  Beyond Concern: Understanding Net Users' Attitudes About Online Privacy , 1999, ArXiv.

[2]  Dear Mr Sotiropoulos ARTICLE 29 Data Protection Working Party , 2013 .

[3]  Timothy Libert,et al.  An Automated Approach to Auditing Disclosure of Third-Party Data Collection in Website Privacy Policies , 2018, WWW.

[4]  Thorsten Holz,et al.  We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy , 2019, NDSS.

[5]  Hyejin Kim,et al.  Perceived Relevance and Privacy Concern Regarding Online Behavioral Advertising (OBA) and Their Role in Consumer Responses , 2017 .

[6]  Lorrie Faith Cranor,et al.  Your Location has been Shared 5,398 Times!: A Field Study on Mobile App Privacy Nudging , 2015, CHI.

[7]  A. Azzouz 2011 , 2020, City.

[8]  Maik Eisenbeiss,et al.  The Importance of Trust for Personalized Online Advertising , 2015 .

[9]  Norman M. Sadeh,et al.  Identifying the Provision of Choices in Privacy Policy Text , 2017, EMNLP.

[10]  Blase Ur,et al.  What do online behavioral advertising privacy disclosures communicate to users? , 2012, WPES '12.

[11]  J. Turow,et al.  Americans Reject Tailored Advertising and Three Activities that Enable It , 2009 .

[12]  Kassem Fawaz,et al.  The Privacy Policy Landscape After the GDPR , 2018, Proc. Priv. Enhancing Technol..

[13]  Benjamin Fabian,et al.  Readability of Privacy Policies of Healthcare Websites , 2015, Wirtschaftsinformatik.

[14]  R. Shay,et al.  Measuring the Effectiveness of Privacy Tools for Limiting Behavioral Advertising , 2012 .

[15]  Alexander De Luca,et al.  "If I press delete, it's gone" - User Understanding of Online Data Deletion and Expiration , 2018, SOUPS @ USENIX Security Symposium.

[16]  Lorrie Faith Cranor,et al.  Americans' attitudes about internet behavioral advertising practices , 2010, WPES '10.

[17]  Martin Degeling,et al.  (Un)informed Consent: Studying GDPR Consent Notices in the Field , 2019, CCS.

[18]  Lorrie Faith Cranor,et al.  Can Users Control Online Behavioral Advertising Effectively? , 2012, IEEE Security & Privacy.

[19]  John A. Rothchild,et al.  Against Notice and Choice: the Manifest Failure of the Proceduralist Paradigm to Protect Privacy Online (or Anywhere Else) , 2018 .

[20]  Blase Ur,et al.  A Large-Scale Evaluation of U.S. Financial Institutions’ Standardized Privacy Notices , 2016 .

[21]  Colin Potts,et al.  Design of Everyday Things , 1988 .

[22]  Yang Wang,et al.  Smart, useful, scary, creepy: perceptions of online behavioral advertising , 2012, SOUPS.

[23]  Gabriele Meiselwitz,et al.  Readability Assessment of Policies and Procedures of Social Networking Sites , 2013, HCI.

[24]  Lorrie Faith Cranor,et al.  Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice , 2012, J. Telecommun. High Technol. Law.

[25]  Anja Feldmann,et al.  Annoyed Users: Ads and Ad-Block Usage in the Wild , 2015, Internet Measurement Conference.

[26]  A.,et al.  Cognitive Engineering , 2008, Encyclopedia of GIS.

[27]  M. Crawford The Art of Readable Writing , 1969 .

[28]  Lujo Bauer,et al.  (Do Not) Track Me Sometimes: Users’ Contextual Preferences for Web Tracking , 2016, Proc. Priv. Enhancing Technol..

[29]  L. Cranor,et al.  Are They Worth Reading? An In-Depth Analysis of Online Trackers’ Privacy Policies , 2015 .

[30]  Daniel D. Suthers,et al.  I'm supposed to see that?' AdChoices Usability in the Mobile Environment , 2018, HICSS.

[31]  Lorrie Faith Cranor,et al.  Exploring How Privacy and Security Factor into IoT Device Purchase Behavior , 2019, CHI.

[32]  Aleecia M. McDonald,et al.  The Cost of Reading Privacy Policies , 2009 .

[33]  Jordi Forné,et al.  Online advertising: Analysis of privacy threats and protection approaches , 2017, Comput. Commun..

[34]  Alessandro Acquisti,et al.  Privacy in electronic commerce and the economics of immediate gratification , 2004, EC '04.

[35]  Alessandro Acquisti,et al.  Privacy and rationality in individual decision making , 2005, IEEE Security & Privacy.

[36]  Arvind Narayanan,et al.  Characterizing the Use of Browser-Based Blocking Extensions To Prevent Online Tracking , 2018, SOUPS @ USENIX Security Symposium.

[37]  Yang Wang,et al.  Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising , 2012, CHI.

[38]  Benjamin Fabian,et al.  Large-scale readability analysis of privacy policies , 2017, WI.

[39]  Thomas B. Norton,et al.  Privacy Harms and the Effectiveness of the Notice and Choice Framework , 2014 .

[40]  Melanie Volkamer,et al.  What Deters Jane from Preventing Identification and Tracking on the Web? , 2014, WPES.

[41]  John C. Mitchell,et al.  Third-Party Web Tracking: Policy and Technology , 2012, 2012 IEEE Symposium on Security and Privacy.

[42]  Blase Ur,et al.  Watching Them Watching Me: Browser Extensions Impact on User Privacy Awareness and Concern , 2016 .

[43]  Frederick Liu,et al.  Towards Automatic Classification of Privacy Policy Text , 2017 .

[44]  Sanne Kruikemeier,et al.  Behavioral Advertising : A Literature Review and Research Agenda , 2017 .

[45]  Colin M. Gray,et al.  The Dark (Patterns) Side of UX Design , 2018, CHI.

[46]  L. Cranor,et al.  Nudges for Privacy and Security , 2017, ACM Comput. Surv..

[47]  R. Shay,et al.  AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements. Revised Version , 2011 .

[48]  Bill Fitzgerald,et al.  Tracking the Trackers , 2016 .

[49]  Steven M. Belz,et al.  The user action framework: a reliable foundation for usability engineering support tools , 2001, Int. J. Hum. Comput. Stud..

[50]  Leyla Bilge,et al.  Can I Opt Out Yet?: GDPR and the Global Illusion of Cookie Control , 2019, AsiaCCS.