Do we really know how our data is used? How privacy notice language can exploit user’s cognitive biases

The European Union and the United Kingdom mandate via the General Data Protection Regulation (GDPR) that users of web services must give their informed consent for their data to be collected and used. To this end, each time a user visits a new website, they are presented with a privacy notice.

A new study conducted by scientists at the Max Planck Institute for Security and Privacy, in collaboration with Utrecht University, University of Michigan, and the University of Washington, discovered that the language used by the privacy notices often exploits user’s cognitive biases and fails to provide information deemed important by the users. The study is published in the journal Proceedings of the CHI Conference on Human Factors in Computing Systems.

To understand the users’ perceptions of data collection purposes, scientists conducted semi-structured interviews with European web users. At the beginning of the interviews, most of the participants reported finding the privacy notices “annoying” and trying to get rid of them quickly.

During the study, they were asked to go through several examples of privacy notices in detail. A puzzling discovery is that at the end of the interview, none of the participants felt well-informed about online data practices.

The main findings of this study highlight the lack of transparency in the purpose descriptions: for example, users expressed their wish to see information about how long their data is stored and how to request their data to be deleted. Additionally, most participants voiced their conviction that organizations would still find ways to collect their information, even if they explicitly declined to share their data.

This concern was echoed in circumstances where privacy notices claimed that some services would not be available to users unless they gave access to their data. Some participants wanted to know more about what services they would miss out on, while others reported feeling threatened by such messages, with some participants claiming they felt “manipulated” into sharing their data in this way.

Language used in privacy notices often unclear to users

When asked about the language used by companies to explain the data collection purposes, the study reveals a lack of user knowledge as to what some terms mean. For example, participants did not consider there is any difference between the purpose termed “Advertising” (which focuses on delivering generic advertisements) and the one called “Personalized Advertising” (which delivers targeted ads). Moreover, the participants reported they were not comfortable sharing their data for any advertising purposes.

This study proposes several solutions to the problems discovered. To offset the lack of interaction with privacy notices, users could be provided with a “consent nutrition label.”

By using better UI design, icons, and colors in the privacy notices, companies could make the information-finding process more accessible and less time-consuming for the users. To make data handling and processing information clearer to the users, companies could take inspiration from more established fields that use informed consent forms such as human subject research or health care.

“Our study has shown that consent notices in their current form are not an effective way of collecting informed consent. In our future work, we intend to further investigate the needs and motivations of different stakeholder groups (users, companies, etc.) to understand how to make consent more seamless and truly informed, and potentially come up with solutions moving away from this typical ‘notice-and-consent‘ model,” says Lin Kyi, the first author of the study.