(Un)informed Consent:Studying GDPR Consent Notices in the FieldChristine Utz M

1. (Un)informed Consent:
2. Studying GDPR Consent Notices in the Field
3. Christine Utz Martin Degeling Sascha Fahl
4. Ruhr-Universitit Bochum Ruhr-Universitit Bochum Ruhr-Universitit Bochum
5. Bochum, Germany Bochum, Germany Bochum, Germany
6. christine.utz@rub.de martin.degeling@rub.de sascha. fahl@rub.de
7. Florian Schaub Thorsten Holz
8. University of Michigan Ruhr-Universitit Bochum
9. Ann Arbor, Michigan Bochum, Germany
10. fschaub@umich.edu thorsten.holz@rub.de
11.  
12. ABSTRACT ‘These new laws uphold the idea of informational self-determination
13. After theadoption of the General Data Protection Regulation (GDPR) by increasing transparency requirements for companies’ data col-
14. in May 2018, more than 60 % of popular websites in Europe were ~ lection practices and strengthening individuals’ rights regarding
15. found to display a cookie consent notice. This has quickly led to their personal data. In the European Union, the GDPR's impact
16. users becoming fatigued with privacy notifications and contributed ~ Was twofold. While the number of third-party services on web-
17. to the rise of both browser extensions that block these banners ~ sites barely changed [37], they instead now ask users for consent
18. and demands for a solution that bundles consent across multiple ~ Prior to setting cookies in their browser. An increasing number of
19. websites or in the browser. In this work, we identify common prop- Websites now display (cookie) consent notics, often referred to as
20. erties of the graphical user interface of consent notices and conduct cookie banners”. Their design and complexity greatly vary - the
21. three studies with more than 50,000 unique users on a German Simplest notices merely state that the website uses cookies without
22. website to investigate their influence on consent. We find thatusers ~ any details or options, while the most complex allow visitors to
23. are more likely to interact with a notice shown in the lower (left) individually (de)select cach third-party service used by the website.
24. part of the sereen. Given a binary choice, more users are willing 1 mid-2018, about 627 of popular websites in the EU were found
25. to accept tracking compared to mechanisms that require them to 1o display a consent notice, an increase of up to 45 percentage
26. allow cookie use for cach category or company individually, We ~ Points in some countries [10]. Paired with the fact that consent
27. also show that the practice of nudging is widely uscd and hasalarge ~ otices often cover parts of the website’s main content, this high
28. effect on the choices users make. Our studics have implications for Prevalence hasled website visitors to become fatigued with consent
29. future regulations and the design of consent notices that encourage ~ mechanisms [6]. Consequently, tools have emerged that provide
30. users ta actively make an informed choice. pragmatic workarounds - one example is the ‘I don't care about
31. ACM Reference Format cookies” browser extension [19]. But oftentimes this only leads to
32. Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub, and Thorsten dateollection taldng place withutcansent sinde the de fuult i
33. Holz. 2019. (Un)informed Consent: Studying GDPR Consent Notices in the manyweblites 15 {6, employ user Hacking unless the'visitor has
34. Field. In 2019 ACM SIGSAC Conference on Computer and Communications ~ ©Pted out [16], and 80% of popular EU websites do not offer any
35. Security (CCS’19), November 11-15, 2019, London, United Kingdom. ACM, type of opt out at all [10].