Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence

New consent management platforms (CMPs) have been introduced to the web to conform with the EU's General Data Protection Regulation, particularly its requirements for consent when companies collect and process users' personal data. This work analyses how the most prevalent CMP designs affect people's consent choices. First, we scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK (n=680). We found that dark patterns and implied consent are ubiquitous; only 11.8% meet our minimal requirements based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices. We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22-23 percentage points; and providing more granular controls on the first page decreases consent by 8-20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.
