DOI: 10.1145/3463676.3485611 (ACM CCS conference proceedings)
Short paper, Open Access

Cookie Banners, What's the Purpose?: Analyzing Cookie Banner Text Through a Legal Lens

Published: 15 November 2021

ABSTRACT

A cookie banner pops up when a user visits a website for the first time, requesting consent to the use of cookies and other trackers for a variety of purposes. Unlike prior work that has focused on evaluating the user interface (UI) design of cookie banners, this paper presents an in-depth analysis of what cookie banners say to users to get their consent. We took an interdisciplinary approach to determining what cookie banners should say. Following the legal requirements of the ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR), we manually annotated around 400 cookie banners presented on the most popular English-speaking websites visited by users residing in the EU. We focused on analyzing the purposes of cookie banners and how these purposes were expressed (e.g., any misleading or vague language, any use of jargon). We found that 89% of cookie banners violated applicable laws. In particular, 61% of banners violated the purpose specificity requirement by mentioning vague purposes, including "user experience enhancement". Further, 30% of banners used positive framing, breaching the freely given and informed consent requirements. Based on these findings, we provide recommendations that regulators can find useful. We also describe future research directions.


Supplemental Material

WPES.mp4 (mp4 video, 100.7 MB)

