DOI: 10.1145/3313831.3376321
research-article

Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence

Published: 23 April 2020

Abstract

New consent management platforms (CMPs) have been introduced to the web to conform with the EU's General Data Protection Regulation, particularly its requirements for consent when companies collect and process users' personal data. This work analyses how the most prevalent CMP designs affect people's consent choices. We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK (n=680). We found that dark patterns and implied consent are ubiquitous; only 11.8% meet our minimal requirements based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices. We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22-23 percentage points; and providing more granular controls on the first page decreases consent by 8-20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.

Published In

CHI '20: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems
April 2020
10688 pages
ISBN:9781450367080
DOI:10.1145/3313831

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. consent management platforms
  2. controlled experiment
  3. dark patterns
  4. gdpr
  5. notice and consent
  6. web scraper

Qualifiers

  • Research-article

Conference

CHI '20

Acceptance Rates

Overall Acceptance Rate 6,199 of 26,314 submissions, 24%
