4 Years of EU Cookie Law: Results and Lessons Learned

Trevisan, Martino; Traverso, Stefano; Bassi, Eleonora; Mellia, Marco

doi:10.2478/popets-2019-0023

Cited by 48 publications

(50 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Various studies have tried to chart the impact of European privacy regulation on the collection and processing of personal data on the web, both within its territorial scope and globally. A longitudinal 4-year study of the impact of the revised ePrivacy directive on cookie placement shows that 1) 49% of websites placed cookies before receiving consent; 2) 28% of websites did not provide any consent mechanism; and 3) the percentage of websites violating the directive stayed constant over the course of 4 years, indicating the policy to be ineffective [48].…”

Section: Empirical Studies Of Eu Privacy Regulationmentioning

confidence: 99%

Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence

Nouwens

Liccardi

Veale

et al. 2020

Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

268

230

View full text Add to dashboard Cite

New consent management platforms (CMPs) have been introduced to the web to conform with the EU's General Data Protection Regulation, particularly its stronger requirements for consent when companies collect and process users personal data. This work analyses the most prevalent CMP designs and measures their effect on people's consent choices. First, we scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK (n=680). We found that dark patterns and implied consent are ubiquitous; only 11.7% meet the minimal requirements we set based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent rates. We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22-23 percentage points; and providing more granular controls on the first page decreases consent by 8-20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an efficient way to increase compliance.

show abstract

Section: Empirical Studies Of Eu Privacy Regulationmentioning

confidence: 99%

Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence

Nouwens

Liccardi

Veale

et al. 2020

Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

268

230

View full text Add to dashboard Cite

show abstract

“…All construct items are reported in Table 1. Answers were collected on 5point rating scales with semantic anchors "strongly disagree" (1) and "strongly agree" (5). Perceived deception (PDE) is assessed using three (of originally four) items by Román [44], adapted to the context of our study.…”

Section: Pde2mentioning

confidence: 99%

“…6.3 below). However, our choice of stimulus was not driven by the most prevalent design, which we and other researchers [5,9,10] suspect to trivially violate the GDPR. Instead, we set out to study elementary design options of multi-purpose dialogs, the novel and most under-researched aspect of consent dialogs.…”

Section: Validity and Limitationsmentioning

confidence: 99%

“…It is understandable that the industry finds cookie banners disadvantageous as they add fric-1 The principles of consent and purpose binding appear in data protection laws since the 1970s. The specific case for web cookies was harmonized in the EU through the 2009 update of the ePrivacy Directive [2][3][4], but respected by only one in two websites, according to a recent measurement study [5].…”

mentioning

confidence: 99%

See 1 more Smart Citation

Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs after GDPR

Machuletz

Böhme

2020

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

The European Union’s General Data Protection Regulation (GDPR) requires websites to ask for consent to the use of cookies for specific purposes. This enlarges the relevant design space for consent dialogs. Websites could try to maximize click-through rates and positive consent decision, even at the risk of users agreeing to more purposes than intended. We evaluate a practice observed on popular websites by conducting an experiment with one control and two treatment groups (N = 150 university students in two countries). We hypothesize that users’ consent decision is influenced by (1) the number of options, connecting to the theory of choice proliferation, and (2) the presence of a highlighted default button (“select all”), connecting to theories of social norms and deception in consumer research. The results show that participants who see a default button accept cookies for more purposes than the control group, while being less able to correctly recall their choice. After being reminded of their choice, they regret it more often and perceive the consent dialog as more deceptive than the control group. Whether users are presented one or three purposes has no significant effect on their decisions and perceptions. We discuss the results and outline policy implications.

show abstract

“…Since 2000, disclosure towards the users about cookie usage has increased (Miyazaki, 2008), and we can say that the GDPR regulation that came in 2018 was a natural continuity of this trend of transparency on how personal data is used on the internet. User's rights to privacy is not necessarily a value for the most websites, as in 2017, in Europe, 49% of them did not respect the European Union Directive that introduced a first set of regulations in 2002 (Trevisan, Traverso, Bassi & Mellia 2019). A study regarding the GDPR cookie consent compliance found out that 54% of the websites violate in a way or another the GDPR regulation (Matte, Bielova & Santos, 2019).…”

Section: Literature Reviewmentioning

confidence: 99%

GDPR consent pop-ups. How are we thinking about them? An Elaboration Likelihood perspective

2020

JIBM

View full text Add to dashboard Cite

4 Years of EU Cookie Law: Results and Lessons Learned

Cited by 48 publications

References 21 publications

Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence

Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence

Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs after GDPR

GDPR consent pop-ups. How are we thinking about them? An Elaboration Likelihood perspective

Contact Info

Product

Resources

About