(Un)informed Consent: Studying GDPR Consent Notices in the Field

Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub, and Thorsten Holz
Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, London, UK, November 11-15, 2019
PDF Abstract Bibtex DOI

Abstract

Since the adoption of the General Data Protection Regulation (GDPR) in May 2018 more than 60% of popular websites in Europe display cookie consent notices to their visitors. This has quickly led to users becoming fatigued with privacy notifications and contributed to the rise of both browser extensions that block these banners and demands for a solution that bundles consent across multiple websites or in the browser.

In this work, we identify common properties of the graphical user interface of consent notices and conduct three experiments with more than 80,000 unique users on a German website to investigate the influence of notice position, type of choice,and content framing on consent.

We find that users are more likely to interact with a notice shown in the lower (left) part of the screen. Given a binary choice, more users are willing to accept tracking compared to mechanisms that require them to allow cookie use for each category or company individually. We also show that the widespread practice of nudging has a large effect on the choices users make. Our experiments show that seemingly small implementation decisions can substantially impact whether and how people interact with consent notices. Our findings demonstrate the importance for regulation to not just require consent, but also provide clear requirements or guidance for how this consent has to be obtained in order to ensure that users can make free and informed choices

Reference

@inproceedings{DBLP:conf/ccs/UtzDFSH19,
 author = {Christine Utz and
Martin Degeling and
Sascha Fahl and
Florian Schaub and
Thorsten Holz},
 bibsource = {dblp computer science bibliography, https://dblp.org},
 biburl = {https://dblp.org/rec/bib/conf/ccs/UtzDFSH19},
 booktitle = {Proceedings of the 2019 ACM SIGSAC Conference on Computer and
Communications Security, CCS 2019, London, UK, November 11-15, 2019},
 doi = {10.1145/3319535.3354212},
 month = {Nov},
 pages = {973--990},
 title = {(Un)informed Consent: Studying GDPR Consent Notices in the Field},
 url = {https://doi.org/10.1145/3319535.3354212},
 year = {2019}
}