I Agree: Customize Your Personal Data Processing with the CoRe User Interface

The General Data Protection Regulation (GDPR) requires, except for some predefined scenarios (e.g., contract performance, legal obligations, vital interests, etc.), obtaining consent from the data subjects for the processing of their personal data. Companies that want to process personal data of the European Union (EU) citizens but are located outside the EU also have to comply with the GDPR. Existing mechanisms for obtaining consent involve presenting the data subject with a document where all possible data processing, done by the entire service, is described in very general terms. Such consent is neither specific nor informed. In order to address this challenge, we introduce a consent request (CoRe) user interface (UI) with maximum control over the data processing and a simplified CoRe UI with reduced control options. Our CoRe UI not only gives users more control over the processing of their personal data but also, according to the usability evaluations reported in the paper, improves their comprehension of consent requests.

[1]  Thomas S. Tullis,et al.  An Empirical Comparison of Lab and Remote Usability Testing of Web Sites , 2002 .

[2]  T. Oko Interviewing as Qualitative Research: A Guide for Researchers in Education and the Social Sciences. , 1992 .

[3]  Jenifer Tidwell,et al.  Designing interfaces - patterns for effective interaction design , 2019 .

[4]  Ilaria Liccardi,et al.  Improving Mobile App Selection through T ransparency and Better Permission Analysis , 2013 .

[5]  Frederik Zuiderveen Borgesius,et al.  Informed Consent: We Can Do Better to Defend Privacy , 2015, IEEE Security & Privacy.

[6]  Batya Friedman,et al.  Informed consent in the Mozilla browser: implementing value-sensitive design , 2002, Proceedings of the 35th Annual Hawaii International Conference on System Sciences.

[7]  David A. Wagner,et al.  The Feasibility of Dynamically Granted Permissions: Aligning Mobile Privacy with User Preferences , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[8]  Lorrie Faith Cranor,et al.  A "nutrition label" for privacy , 2009, SOUPS.

[9]  M. Brewer,et al.  Research Design and Issues of Validity , 2000 .

[10]  Marti A. Hearst,et al.  The state of the art in automating usability evaluation of user interfaces , 2001, CSUR.

[11]  Lorrie Faith Cranor,et al.  A Comparative Study of Online Privacy Policies and Formats , 2009, Privacy Enhancing Technologies.

[12]  K. Hambridge Action research. , 2000, Professional nurse.

[13]  Lorrie Faith Cranor,et al.  A Design Space for Effective Privacy Notices , 2015, SOUPS.

[14]  Jakob Nielsen,et al.  Enhancing the explanatory power of usability heuristics , 1994, CHI '94.

[15]  J. Reeve,et al.  Solutions to problematic polypharmacy: learning from the expertise of patients. , 2015, The British journal of general practice : the journal of the Royal College of General Practitioners.

[16]  Aleecia M. McDonald,et al.  The Cost of Reading Privacy Policies , 2009 .

[17]  K. Steinsbekk,et al.  Broad consent versus dynamic consent in biobank research: Is passive participation an ethical problem? , 2013, European Journal of Human Genetics.

[18]  Jerry den Hartog,et al.  A machine learning solution to assess privacy policy completeness: (short paper) , 2012, WPES '12.

[19]  E. Charters The Use of Think-aloud Methods in Qualitative Research An Introduction to Think-aloud Methods , 2003 .

[20]  John T. Kelso,et al.  Remote evaluation: the network as an extension of the usability laboratory , 1996, CHI.

[21]  Alessandro Acquisti,et al.  Gone in 15 Seconds: The Limits of Privacy Transparency and Control , 2013, IEEE Security & Privacy.

[22]  I. Scott MacKenzie User studies and usability evaluations: from research to products , 2015, Graphics Interface.