Dark and Bright Patterns in Cookie Consent Requests
DOI:
https://doi.org/10.33621/jdsr.v3i1.54
Keywords:
dark patterns, privacy, design nudges, cookie consent requests, GDPR, ePrivacy Regulation
Abstract
Dark patterns are (evil) design nudges that steer people’s behaviour through persuasive interface design. Increasingly found in cookie consent requests, they possibly undermine principles of EU privacy law. In two preregistered online experiments we investigated the effects of three common design nudges (default, aesthetic manipulation, obstruction) on users’ consent decisions and their perception of control over their personal data in these situations. In the first experiment (N = 228) we explored the effects of design nudges towards the privacy-unfriendly option (dark patterns). The experiment revealed that most participants agreed to all consent requests regardless of dark design nudges. Unexpectedly, despite generally low levels of perceived control, obstructing the privacy-friendly option led to more rather than less perceived control. In the second experiment (N = 255) we reversed the direction of the design nudges towards the privacy-friendly option, which we title “bright patterns”. This time the obstruction and default nudges swayed people effectively towards the privacy-friendly option, while the result regarding perceived control stayed the same compared to Experiment 1. Overall, our findings suggest that many current implementations of cookie consent requests do not enable meaningful choices by internet users, and are thus not in line with the intention of the EU policymakers. We also explore how policymakers could address the problem.
License
Copyright (c) 2021 The Authors
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.