(Un)informed Consent: Studying GDPR Consent Notices in the Field

Since the adoption of the General Data Protection Regulation (GDPR) in May 2018, more than 60 % of popular websites in Europe display cookie consent notices to their visitors. This has quickly led to users becoming fatigued with privacy notifications and contributed to the rise of both browser extensions that block these banners and demands for a solution that bundles consent across multiple websites or in the browser. In this work, we identify common properties of the graphical user interface of consent notices and conduct three experiments with more than 80,000 unique users on a German website to investigate the influence of notice position, type of choice, and content framing on consent. We find that users are more likely to interact with a notice shown in the lower (left) part of the screen. Given a binary choice, more users are willing to accept tracking compared to mechanisms that require them to allow cookie use for each category or company individually. We also show that the widespread practice of nudging has a large effect on the choices users make. Our experiments show that seemingly small implementation decisions can substantially impact whether and how people interact with consent notices. Our findings demonstrate the importance for regulation to not just require consent, but also provide clear requirements or guidance for how this consent has to be obtained in order to ensure that users can make free and informed choices.
