research-article

Cookie Disclaimers: Impact of Design and Users’ Attitude

Authors:

Benjamin Maximilian Berens,

Heike Dietmann,

Melanie VolkamerAuthors Info & Claims

ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security

Article No.: 12, Pages 1 - 20

https://doi.org/10.1145/3538969.3539008

Published: 23 August 2022 Publication History

Abstract

Dark patterns in cookie disclaimers are factors that are used to lead users to accept more cookies than needed and more than they are aware of. The contributions of this paper are (1) evaluating the efficacy of several of these factors while measuring actual behavior; (2) identifying users’ attitude towards cookie disclaimers including how they decide which cookies to accept or reject. We show that different visual representation of the reject/accept option have a significant impact on users’ decision. We also found that the labeling of the reject option has a significant impact. In addition, we confirm previous research regarding biasing text (which has no significant impact on users’ decision). Our results on users’ attitude towards cookie disclaimers indicate that for several user groups the design of the disclaimer only plays a secondary role when it comes to decision making. We provide recommendations on how to improve the situation for the different user groups.

References

[1]

Hazim Almuhimedi, Florian Schaub, Norman Sadeh, Idris Adjerid, Alessandro Acquisti, Joshua Gluck, Lorrie Faith Cranor, and Yuvraj Agarwal. 2015. Your Location Has Been Shared 5,398 Times! A Field Study on Mobile App Privacy Nudging. In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems (Seoul, Republic of Korea) (CHI ’15). Association for Computing Machinery, New York, NY, USA, 787–796. https://doi.org/10.1145/2702123.2702210

Digital Library

[2]

American Psychological Association 2002. Ethical principles of psychologists and code of conduct. American psychologist 57, 12 (2002), 1060–1073.

[3]

Solon Barocas and Helen Nissenbaum. 2009. On notice: The trouble with Notice and Consent. In Proceedings of the Engaging Data Forum: The First International Forum on the Application and Management of Personal Electronic Information.

[4]

Kristoffer Bergram, Marija Djokovic, Valéry Bezençon, and Adrian Holzer. 2022. The Digital Landscape of Nudging: A Systematic Literature Review of Empirical Research on Digital Nudges. In CHI Conference on Human Factors in Computing Systems (New Orleans, LA, USA) (CHI ’22). Association for Computing Machinery, New York, NY, USA, Article 62, 16 pages. https://doi.org/10.1145/3491102.3517638

Digital Library

[5]

Mohamad Adam Bujang, Nadiah Sa’at, Tg Mohd Ikhwan Tg Abu Bakar, 2018. Sample size guidelines for logistic regression from observational studies with large population: emphasis on the accuracy between statistics and parameters based on real life clinical data. The Malaysian journal of medical sciences: MJMS 25, 4 (2018), 122.

[6]

Danish Data Protection Authority. 2017. Nye retningslinjer om behandling af personoplysninger om hjemmesidebesøgende. https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2020/feb/nye-retningslinjer-om-behandling-af-personoplysninger-om-hjemmesidebesoegende/, last accessed on 3.10.2020.

[7]

Matthias Fassl, Lea Theresa Gröber, and Katharina Krombholz. 2021. Stop the Consent Theater. In Extended Abstracts of the 2021 CHI Conference on Human Factors in Computing Systems. 1–7.

[8]

Paul Grassl, Hanna Schraffenberger, Frederik Zuiderveen Borgesius, and Moniek Buijzen. 2021. Dark and bright patterns in cookie consent requests. Journal of Digital Social Research 3, 1 (2021), 1–38.

[9]

Daniel Kahneman. 2011. Thinking, fast and slow. Macmillan.

[10]

Punam Anand Keller, Bari Harlam, George Loewenstein, and Kevin G. Volpp. 2011. Enhanced active choice: A new method to motivate behavior change. Journal of Consumer Psychology 21, 4 (2011), 376–383. https://doi.org/10.1016/j.jcps.2011.06.003 Special Issue on the Application of Behavioral Decision Theory.

[11]

Oksana Kulyk, Nina Gerber, Annika Hilt, and Melanie Volkamer. 2018. ”This Website Uses Cookies”: Users’ Perceptions and Reactions to the Cookie Disclaimer. In 3rd European Workshop on Usable Security (EuroUSEC), London, England, April 23, 2018. Internet Societa, Reston 8VY).

[12]

Oksana Kulyk, Nina Gerber, Annika Hilt, and Melanie Volkamer. 2020. Has the GDPR hype affected users’ reaction to cookie disclaimers?Journal of Cybersecurity 6, 1 (2020), tyaa022.

[13]

Oksana Kulyk and Karen Renaud. 2021. ”I need to know I’m safe and protected and will check”: Users want cues to signal data custodians’ trustworthiness. In 2021 Workshop on Human Centric Software Engineering and Cyber Security.

[14]

Blake M. DiCosola III and Gina Neff. 2022. Nudging Behavior Change: Using In-Group and Out-Group Social Comparisons to Encourage Healthier Choices. In CHI Conference on Human Factors in Computing Systems (New Orleans, LA, USA) (CHI ’22). Association for Computing Machinery, New York, NY, USA, Article 475, 14 pages. https://doi.org/10.1145/3491102.3502088

Digital Library

[15]

Eryn Ma and Eleanor Birrell. 2022. Prospective Consent: The Effect of Framing on Cookie Consent Decisions. In CHI Conference on Human Factors in Computing Systems Extended Abstracts (New Orleans, LA, USA) (CHI EA ’22). Association for Computing Machinery, New York, NY, USA, Article 400, 6 pages. https://doi.org/10.1145/3491101.3519687

Digital Library

[16]

Dominique Machuletz and Rainer Böhme. 2020. Multiple purposes, multiple problems: A user study of consent dialogs after GDPR. Proceedings on Privacy Enhancing Technologies 2020, 2(2020), 481–498.

[17]

Midas Nouwens, Ilaria Liccardi, Michael Veale, David Karger, and Lalana Kagal. 2020. Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence. arXiv preprint arXiv:2001.02479(2020).

[18]

Karen Renaud and Lynsay A Shepherd. 2018. How to make privacy policies both GDPR-compliant and usable. In 2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA). IEEE, 1–8.

[19]

Cristiana Santos, Nataliia Bielova, and Célestin Matte. 2020. Are cookie banners indeed compliant with the law?Technology and Regulation(2020), 91–135.

[20]

Florian Schaub, Rebecca Balebako, and Lorrie Faith Cranor. 2017. Designing effective privacy notices and controls. IEEE Internet Computing(2017).

Digital Library

[21]

Florian Schaub, Rebecca Balebako, Adam L Durity, and Lorrie Faith Cranor. 2015. A design space for effective privacy notices. In 11th Symposium On Usable Privacy and Security (SOUPS 2015). 1–17.

[22]

Richard H Thaler and Cass R Sunstein. 2008. Nudge: improving decisions about health. Wealth, and Happiness 6(2008), 14–38.

[23]

Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub, and Thorsten Holz. 2019. (Un)informed Consent. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (Nov 2019), 973–990. https://doi.org/10.1145/3319535.3354212

Digital Library

[24]

Verena Zimmermann and Karen Renaud. 2021. The nudge puzzle: matching nudge interventions to cybersecurity decisions. ACM Transactions on Computer-Human Interaction (TOCHI) 28, 1(2021), 1–45.

Digital Library

Cited By

Puhtila PHeino TRauti S(2024)Third-Party Data Leaks and Dark Patterns in Finnish Political WebsitesProceedings of the International Conference on Computer Systems and Technologies 202410.1145/3674912.3675248(43-50)Online publication date: 14-Jun-2024
https://dl.acm.org/doi/10.1145/3674912.3675248
Alberts LLyngs UVan Kleek M(2024)Computers as Bad Social Actors: Dark Patterns and Anti-Patterns in Interfaces that Act SociallyProceedings of the ACM on Human-Computer Interaction10.1145/36536938:CSCW1(1-25)Online publication date: 26-Apr-2024
https://dl.acm.org/doi/10.1145/3653693
Seaborn KItagaki TWatanabe MWang YGeng PFujii TMandai YKojima MYoshida S(2024)Deceptive, Disruptive, No Big Deal: Japanese People React to Simulated Dark Commercial PatternsExtended Abstracts of the CHI Conference on Human Factors in Computing Systems10.1145/3613905.3651099(1-8)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613905.3651099
Show More Cited By

Index Terms

Cookie Disclaimers: Impact of Design and Users’ Attitude
1. Computer systems organization
  1. Dependable and fault-tolerant systems and networks
    1. Redundancy
  2. Embedded and cyber-physical systems
    1. Embedded systems
    2. Robotics
2. Networks
  1. Network properties
    1. Network reliability

Recommendations

What Cookie Consent Notices Do Users Prefer: A Study In The Wild
EuroUSEC '22: Proceedings of the 2022 European Symposium on Usable Security

Laws like GDPR in the EU mandated all websites operating in their jurisdiction to obtain users’ informed consent before tracking those users and collecting their data. Today, this is achieved by showing users cookie consent notices. These notices are ...
Cookie disclaimers: Dark patterns and lack of transparency
Abstract
While cookie disclaimers on websites have been proposed to ensure that users make informed decisions regarding consenting to data collection via cookies, such informed consent is hindered by several factors. One of them is the presence of so-...
Cookies That Give You Away: The Surveillance Implications of Web Tracking
WWW '15: Proceedings of the 24th International Conference on World Wide Web

We study the ability of a passive eavesdropper to leverage "third-party" HTTP tracking cookies for mass surveillance. If two web pages embed the same tracker which tags the browser with a unique cookie, then the adversary can link visits to those pages ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security

August 2022

1371 pages

ISBN:9781450396707

DOI:10.1145/3538969

Copyright © 2022 Owner/Author.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 August 2022

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ARES 2022

ARES 2022: The 17th International Conference on Availability, Reliability and Security

August 23 - 26, 2022

Vienna, Austria

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
348
Total Downloads

Downloads (Last 12 months)137
Downloads (Last 6 weeks)28

Reflects downloads up to 09 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Puhtila PHeino TRauti S(2024)Third-Party Data Leaks and Dark Patterns in Finnish Political WebsitesProceedings of the International Conference on Computer Systems and Technologies 202410.1145/3674912.3675248(43-50)Online publication date: 14-Jun-2024
https://dl.acm.org/doi/10.1145/3674912.3675248
Alberts LLyngs UVan Kleek M(2024)Computers as Bad Social Actors: Dark Patterns and Anti-Patterns in Interfaces that Act SociallyProceedings of the ACM on Human-Computer Interaction10.1145/36536938:CSCW1(1-25)Online publication date: 26-Apr-2024
https://dl.acm.org/doi/10.1145/3653693
Seaborn KItagaki TWatanabe MWang YGeng PFujii TMandai YKojima MYoshida S(2024)Deceptive, Disruptive, No Big Deal: Japanese People React to Simulated Dark Commercial PatternsExtended Abstracts of the CHI Conference on Human Factors in Computing Systems10.1145/3613905.3651099(1-8)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613905.3651099
Kyi LMhaidli ASantos CRoesner FBiega A(2024)“It doesn’t tell me anything about how my data is used”: User Perceptions of Data Collection PurposesProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642260(1-12)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642260
Forberger SReisch Lvan Gorp PStahl CChristianson LHalimi JDe Santis KMalisoux Lde-Magistris TBohn T(2024)‘Let me recommend… ’: use of digital nudges or recommender systems for overweight and obesity prevention—a scoping review protocolBMJ Open10.1136/bmjopen-2023-08064414:7(e080644)Online publication date: 31-Jul-2024
https://doi.org/10.1136/bmjopen-2023-080644
Bongard-Blanchy KSterckx JRossi ASergeeva AKoenig VRivas SDistler V(2023)Analysing the Influence of Loss-Gain Framing on Data Disclosure Behaviour: A Study on the Use Case of App Permission RequestsProceedings of the 2023 European Symposium on Usable Security10.1145/3617072.3617108(112-125)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3617072.3617108
Gundelach RHerrmann D(2023)Cookiescanner: An Automated Tool for Detecting and Evaluating GDPR Consent Notices on WebsitesProceedings of the 18th International Conference on Availability, Reliability and Security10.1145/3600160.3605000(1-8)Online publication date: 29-Aug-2023
https://dl.acm.org/doi/10.1145/3600160.3605000

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Table of Contents