Skip to main content
SpringerLink
Log in

Privacy CURE: Consent Comprehension Made Easy

  • Conference paper
  • First Online:
ICT Systems Security and Privacy Protection (SEC 2020)

Part of the book series: IFIP Advances in Information and Communication Technology ((IFIPAICT,volume 580))

Abstract

Although the General Data Protection Regulation (GDPR) defines several potential legal bases for personal data processing, in many cases data controllers, even when they are located outside the European Union (EU), will need to obtain consent from EU citizens for the processing of their personal data. Unfortunately, existing approaches for obtaining consent, such as pages of text followed by an agreement/disagreement mechanism, are neither specific nor informed. In order to address this challenge, we introduce our Consent reqUest useR intErface (CURE) prototype, which is based on the GDPR requirements and the interpretation of those requirements by the Article 29 Working Party (i.e., the predecessor of the European Data Protection Board). The CURE prototype provides transparency regarding personal data processing, more control via a customization, and, based on the results of our usability evaluation, improves user comprehension with respect to what data subjects actually consent to. Although the CURE prototype is based on the GDPR requirements, it could potentially be used in other jurisdictions also.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 99.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 129.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    GDPR Art. 6(1)(b–f).

  2. 2.

    For the lawful personal data processing data subject’s consent is not required.

  3. 3.

    GDPR Art. 6(1)(a).

  4. 4.

    Art. 4(11) is complemented by Art. 7 that provides information on conditions for consent.

  5. 5.

    Article 29 Working Party Guidelines on consent under Regulation 2016/6791 are available at https://bit.ly/2BdQs08.

  6. 6.

    Article 29 Working Party was an independent European working party that dealt with data protection issues. On 25.05.2018 it was replaced by the European Data Protection Board under the GDPR.

  7. 7.

    A Privacy Finder is a search engine service that informs users whether the privacy policies of the displayed search results coincide with users’ privacy preferences. It also generates a privacy report for each search result, providing users with the core information from the privacy policy.

  8. 8.

    Compliance tools are offered by various companies, e.g., ShareThis Inc., eccenca GmbH, etc.

  9. 9.

    Usercentrics’ consent request can be viewed at https://usercentrics.com.

  10. 10.

    Norwegian Consumer Council Report is available at https://bit.ly/2N1TRRC.

  11. 11.

    Our questionnaire is available at https://bit.ly/2DNOGC3.

  12. 12.

    The prototype is available in two languages: English (http://cr-slider.soft.cafe/en/) and German (http://cr-slider.soft.cafe/de/).

  13. 13.

    The source code is available at https://bit.ly/2GErFC7.

  14. 14.

    Scalable Policy-awarE linked data arChitecture for prIvacy, trAnsparency and compLiance (SPECIAL) project is described in detail on https://www.specialprivacy.eu/.

References

  1. Acquisti, A., Adjerid, I., Brandimarte, L.: Gone in 15 seconds: the limits of privacy transparency and control. IEEE Secur. Priv. 11(4), 72–74 (2013)

    Article  Google Scholar 

  2. Angulo, J., Fischer-Hübner, S., Pulls, T., Wästlund, E.: Usable transparency with the data track: a tool for visualizing data disclosures. In: Proceedings of the 33rd Annual ACM Conference Extended Abstracts on Human Factors in Computing Systems, pp. 1803–1808. ACM (2015)

    Google Scholar 

  3. Bastien, J.C.: Usability testing: a review of some methodological and technical aspects of the method. Int. J. Med. Inform. 79, e18–e23 (2010)

    Article  Google Scholar 

  4. Benedek, J., Miner, T.: Measuring desirability: new methods for evaluating desirability in a usability lab setting. Proc. Usability Prof. Assoc. 2003(8–12), 57 (2002)

    Google Scholar 

  5. Bier, C., Kühne, K., Beyerer, J.: PrivacyInsight: the next generation privacy dashboard. In: Schiffner, S., Serna, J., Ikonomou, D., Rannenberg, K. (eds.) APF 2016. LNCS, vol. 9857, pp. 135–152. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44760-5_9

    Chapter  Google Scholar 

  6. Borgesius, F.Z.: Informed consent: we can do better to defend privacy. IEEE Secur. Priv. 13(2), 103–107 (2015)

    Article  Google Scholar 

  7. Brewer, M.B., Crano, W.D.: Research design and issues of validity. In: Reis, H.T., Judd, C.M. (eds.) Handbook of Research Methods in Social and Personality Psychology, pp. 3–16. Cambridge University Press, Cambridge (2000)

    Google Scholar 

  8. Charters, E.: The use of think-aloud methods in qualitative research: an introduction to think-aloud methods. Brock Educ. J. 12(2), 68–82 (2003)

    Article  Google Scholar 

  9. Checkland, P., Holwell, S.: Action research. In: Kock, N. (ed.) Information Systems Action Research. Integrated Series in Information Systems, vol. 13, pp. 3–17. Springer, Boston (2007). https://doi.org/10.1007/978-0-387-36060-7_1

    Chapter  Google Scholar 

  10. Costante, E., Sun, Y., Petković, M., den Hartog, J.: A machine learning solution to assess privacy policy completeness: (short paper). In: Proceedings of the 2012 ACM Workshop on Privacy in the Electronic Society, pp. 91–96. ACM (2012)

    Google Scholar 

  11. Drozd, O., Kirrane, S.: I agree: customize your personal data processing with the core user interface. In: Gritzalis, S., Weippl, E.R., Katsikas, S.K., Anderst-Kotsis, G., Tjoa, A.M., Khalil, I. (eds.) TrustBus 2019. LNCS, vol. 11711, pp. 17–32. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-27813-7_2

    Chapter  Google Scholar 

  12. Friedman, B., Howe, D.C., Felten, E.: Informed consent in the mozilla browser: implementing value-sensitive design. In: Proceedings of the 35th Annual Hawaii International Conference on System Sciences, p. 10. IEEE (2002)

    Google Scholar 

  13. Hartson, H.R., Castillo, J.C., Kelso, J., Neale, W.C.: Remote evaluation: the network as an extension of the usability laboratory. In: Proceedings of the SIGCHI. ACM (1996)

    Google Scholar 

  14. Ivory, M.Y., Hearst, M.A.: The state of the art in automating usability evaluation of user interfaces. ACM Comput. Surv. (CSUR) 33(4), 470–516 (2001)

    Article  Google Scholar 

  15. Kelley, P.G., Bresee, J., Cranor, L.F., Reeder, R.W.: A nutrition label for privacy. In: Proceedings of the 5th Symposium on Usable Privacy and Security, p. 4. ACM (2009)

    Google Scholar 

  16. Kirrane, S., et al.: A scalable consent, transparency and compliance architecture. In: Gangemi, A., et al. (eds.) ESWC 2018. LNCS, vol. 11155, pp. 131–136. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98192-5_25

    Chapter  Google Scholar 

  17. Kumar, P.: Privacy policies and their lack of clear disclosure regarding the life cycle of user information. In: 2016 AAAI Fall Symposium Series (2016)

    Google Scholar 

  18. Liccardi, I., Pato, J., Weitzner, D.J.: Improving mobile app selection through transparency and better permission analysis. J. Priv. Confid. 5(2), 1–55 (2014)

    Google Scholar 

  19. MacKenzie, I.S.: User studies and usability evaluations: from research to products. In: Proceedings of the 41st Graphics Interface Conference, pp. 1–8. CIPS (2015)

    Google Scholar 

  20. McDonald, A.M., Cranor, L.F.: The cost of reading privacy policies. ISJLP 4, 543 (2008)

    Google Scholar 

  21. McDonald, A.M., Reeder, R.W., Kelley, P.G., Cranor, L.F.: A comparative study of online privacy policies and formats. In: Goldberg, I., Atallah, M.J. (eds.) PETS 2009. LNCS, vol. 5672, pp. 37–55. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03168-7_3

    Chapter  Google Scholar 

  22. Mont, M.C., Sharma, V., Pearson, S.: Encore: dynamic consent, policy enforcement and accountable information sharing within and across organisations. Technical report, HP Laboratories HPL-2012-36 (2012)

    Google Scholar 

  23. Peffers, K., Tuunanen, T., Rothenberger, M.A., Chatterjee, S.: A design science research methodology for information systems research. JMIS 24(3), 45–77 (2007)

    Google Scholar 

  24. Piras, L., et al.: Defend architecture: a privacy by design platform for GDPR compliance. In: Gritzalis, S., et al. (eds.) TrustBus 2019. LNCS, vol. 11711, pp. 78–93. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-27813-7_6

    Chapter  Google Scholar 

  25. Railean, A., Reinhardt, D.: Let there be lite: design and evaluation of a label for IoT transparency enhancement. In: Proceedings of the 20th International Conference on Human-Computer Interaction with Mobile Devices and Services Adjunct, pp. 103–110. ACM (2018)

    Google Scholar 

  26. Raschke, P., Küpper, A., Drozd, O., Kirrane, S.: Designing a GDPR-compliant and usable privacy dashboard. In: Hansen, M., Kosta, E., Nai-Fovino, I., Fischer-Hübner, S. (eds.) Privacy and Identity 2017. IAICT, vol. 526, pp. 221–236. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-92925-5_14

    Chapter  Google Scholar 

  27. Reeder, R.W., et al.: Expandable grids for visualizing and authoring computer security policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 1473–1482. ACM (2008)

    Google Scholar 

  28. Schaub, F., Balebako, R., Durity, A.L., Cranor, L.F.: A design space for effective privacy notices. In: Eleventh Symposium on Usable Privacy and Security, pp. 1–17 (2015)

    Google Scholar 

  29. Seidman, I.: Interviewing as Qualitative Research: A Guide for Researchers in Education and the Social Sciences. Teachers College Press, New York (2013)

    Google Scholar 

  30. Steinsbekk, K.S., Myskja, B.K., Solberg, B.: Broad consent versus dynamic consent in biobank research: is passive participation an ethical problem? EJHG 21(9), 897 (2013)

    Article  Google Scholar 

  31. Tidwell, J.: Designing Interfaces: Patterns for Effective Interaction Design. O’Reilly Media, Inc., Sebastopol (2010)

    Google Scholar 

  32. Utz, C., Degeling, M., Fahl, S., Schaub, F., Holz, T.: (Un)informed consent: studying GDPR consent notices in the field. arXiv preprint arXiv:1909.02638 (2019)

  33. Van Someren, M., Barnard, Y., Sandberg, J.: The Think Aloud Method: A Practical Approach to Modelling Cognitive Processes. Academic Press, London (1994)

    Google Scholar 

  34. Weitzner, D.J., et al.: Transparent accountable data mining: new strategies for privacy protection (2006)

    Google Scholar 

  35. Wijesekera, P., et al.: The feasibility of dynamically granted permissions: aligning mobile privacy with user preferences. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 1077–1093. IEEE (2017)

    Google Scholar 

Download references

Acknowledgments

This paper is supported by the European Union’s Horizon 2020 research and innovation programme under grant 731601. We would like to thank our colleagues from SPECIAL and WU for their legal support and help with the user studies.

Author information

Authors and Affiliations

  1. Vienna University of Economics and Business, Vienna, Austria

    Olha Drozd & Sabrina Kirrane

Authors
  1. Olha Drozd
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sabrina Kirrane
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Olha Drozd .

Editor information

Editors and Affiliations

  1. University of Maribor, Maribor, Slovenia

    Marko Hölbl

  2. Goethe University Frankfurt, Frankfurt, Germany

    Kai Rannenberg

  3. University of Maribor, Maribor, Slovenia

    Tatjana Welzer

Rights and permissions

Reprints and permissions

Copyright information

© 2020 IFIP International Federation for Information Processing

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Drozd, O., Kirrane, S. (2020). Privacy CURE: Consent Comprehension Made Easy. In: Hölbl, M., Rannenberg, K., Welzer, T. (eds) ICT Systems Security and Privacy Protection. SEC 2020. IFIP Advances in Information and Communication Technology, vol 580. Springer, Cham. https://doi.org/10.1007/978-3-030-58201-2_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-58201-2_9

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-58200-5

  • Online ISBN: 978-3-030-58201-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation