ABSTRACT
The California Consumer Privacy Act (CCPA), which began enforcement on July 1, 2020, grants California users the right to opt out of sale of their personal information. In this work, we perform a series of manual observational studies (conducted in July 2020, January 2021, and July 2021) to understand how websites implement this right. We find that the vast majority of sites that implement opt-out mechanisms do so with a Do Not Sell link rather than with a privacy banner, and that many opt-out controls exhibit features such as nudging and inconvenience factors (e.g., fillable forms). We then perform a pair of user studies with 4357 unique users (recruited from Google Ads and Amazon Mechanical Turk) in which we observe how users interact with different opt-out mechanisms and evaluate how the observed implementation choices (exclusive use of links, nudging, and inconvenience factors) affect the rate at which users exercise their right to opt out of sale. We find that these design elements significantly deter interactions with opt-out mechanisms, including reducing the opt-out rate for users who are uncomfortable with the sale of their information, and that they reduce users' awareness of their right to opt out.
Index Terms
- (Un)clear and (In)conspicuous: The Right to Opt-out of Sale under CCPA