🔬 Research Summary by Lin Kyi, a Computer Science Ph.D. student at the Max Planck Institute for Security and Privacy focusing on online consent and the ethical collection of data.
[Original paper by Abraham Mhaidli, Cristiana Santos, Franziska Roesner, and Asia Biega]
NOTE: Conditionally accepted to CHI 2024
Overview: Data collection purposes and their descriptions are presented on almost all privacy notices under the GDPR. Yet, there is a lack of research focusing on how effectively they inform users about data practices. We fill this gap by investigating users’ perceptions of data collection purposes and their descriptions, a crucial aspect of informed consent. We interviewed European users to investigate i) user perceptions of six common purposes and ii) the elements of an effective purpose name and description.
Introduction
Consent acts as a form of moral magic, allowing otherwise impermissible things to be permissible, in the words of Heidi M. Hurd. The introduction of consent notices (also called “cookie banners,” “privacy notices,” etc.) in online services was meant to be a way for companies to inform and collect user consent before processing user data. These consent notices are omnipresent in modern-day online life, but do we know what we consent to?
In this paper, we investigated i) how users evaluate common data processing purposes and their descriptions and ii) how users prefer data processing purposes to be named and described to be more user-friendly. We conducted 23 semi-structured interviews with European internet users to understand how they perceived six common data collection purposes: Strictly Necessary, Statistics and Analytics, Performance and Functionality, Marketing and Advertising, Personalized Advertising, and Personalized Content purposes.
We found that most purpose descriptions do not contain information that users want to know. Participants preferred some purpose names over other alternatives due to their perceived transparency or ease of understanding. Based on these findings, we suggest improving the framing of purposes to allow for more meaningful consent.
Key Insights
Consent is not necessarily informed
With the enforcement of the European Union’s General Data Protection Regulation (GDPR) in 2018 and the ePrivacy Directive, consent notices have become ubiquitous to inform and collect consent from EU and UK users. Due to the ubiquity of consent dialogs in these locations, users are now generally familiar with this process of consenting to something, but do they actually know what they are consenting to? The UK and EU GDPR mandates that consent be informed, yet many studies have shown that the requirement of users being informed is often simply assumed.
At the core of informed consent are the data collection purposes for which users share their data. Current regulatory guidelines about how data processing purposes should be described or named vary significantly, resulting in variations in purposes, wording, and descriptions between various websites. Through interviews with 23 European users, this paper identifies how we can reframe data collection purposes and descriptions to be more informative and transparent, thereby improving informed consent obtained from consent notices.
Data collection practices are not transparent to users
None of the participants we interviewed felt well-informed about online data practices, even though the law prescribes that information disclosed to users must ensure fair and transparent processing (Articles 5(1)(a), 14, Recital 39 GDPR). Almost all participants said they did not know crucial aspects of their data, such as i) what data is being collected, ii) how it is collected, iii) why their data is collected, iv) to whom this data is being sent, or v) the sensitivity of the data being collected. Additionally, many participants believed that all data collection purposes were being used covertly for advertising in some way.
Improving purpose descriptions
Our findings suggest that purpose descriptions must be more transparent about what organizations do with users’ data. Participants indicated wanting to know more about i) how long their data will be retained, ii) how to go about deleting their data and reversing their previous consent decisions, and iii) the sensitivity of the information organizations are collecting from users. Users want to know how organizations use their data, and more transparency about how personalization works needs to be conveyed to users since many participants received it with skepticism.
Another common theme was that participants wanted reassurance from organizations in their purpose descriptions. This can take the form of giving users a way to find out more about a technical aspect of data collection if they wish (through a link or an expandable definition), or, more commonly, of reassuring users that their data will be kept private and secure, such as how it will be anonymized, that it will not be used for profiling, and that it will not be shared with third parties. This finding is in line with previous research. However, companies must be careful when presenting reassurances and make sure that the information they present is accurate.
Improving purpose names
Research in psychology has shown that when various items are grouped, users will often remember the first and/or last items best, a phenomenon known as the serial position effect. To mitigate the effects of this phenomenon, we recommend that organizations only present one purpose to users at a time instead of grouping them.
In our study, we found that participants often preferred one name over another for purposes that were grouped. Therefore, we recommend that organizations consider using the preferred names instead of conjunctions for these purposes:
- Statistics and Analytics. Participants preferred Analytics because it is more straightforward about what is happening to their data, whereas Statistics is vaguer and sounds more technical. Participants felt that saying “statistics” or “analytics” alone without providing context about what organizations were collecting data for was misleading.
- Performance and Functionality. Participants preferred Performance because it better fit their perception of this purpose, which they believed was meant to improve the site experience. Functionality, on the other hand, sounds like a purpose necessary for the website to function, which was deemed misleading.
- Personalized Content. The name was not intuitive for some participants who believed it meant the same as Personalized Advertising because “content” could also refer to advertising content. Therefore, it is recommended that the name be modified to help users better differentiate it from Personalized Advertising, such as Personalized [insert application, e.g., Video/Search] Recommendations.
Between the lines
Focusing on data collection purposes and identifying the major issues with them is important for three reasons:
First, there will always be a small group of users who want to be informed about their privacy and take their time to make privacy-conscious choices.
Second, research on privacy nutrition labels has shown that when privacy information is presented to users in a digestible manner, users are often more informed without feeling overwhelmed. Therefore, we lay the groundwork for future work on redesigning more user-centric privacy notices.
Third, reframing data collection purposes allows for more efficient management and repurposing of data. Many organizations are unaware of what is happening with the data they collect, which is problematic from the user privacy perspective.
Research on privacy notices is mostly English-based, so future research on non-English privacy notices may bring different insights. Non-English privacy notices might present users with different purpose names, descriptions, and language-based nuances. Insights on improving the framing of purposes across languages can therefore help more users make informed consent decisions.