
Articles

Vol. 3 No. 1 (2021)

Dark and Bright Patterns in Cookie Consent Requests

DOI: https://doi.org/10.33621/jdsr.v3i1.54

Submitted: August 12, 2020

Published: 2021-02-08

Abstract

Dark patterns are (evil) design nudges that steer people’s behaviour through persuasive interface design. Increasingly found in cookie consent requests, they possibly undermine principles of EU privacy law. In two preregistered online experiments we investigated the effects of three common design nudges (default, aesthetic manipulation, obstruction) on users’ consent decisions and their perception of control over their personal data in these situations. In the first experiment (N = 228) we explored the effects of design nudges towards the privacy-unfriendly option (dark patterns). The experiment revealed that most participants agreed to all consent requests regardless of dark design nudges. Unexpectedly, despite generally low levels of perceived control, obstructing the privacy-friendly option led to more rather than less perceived control. In the second experiment (N = 255) we reversed the direction of the design nudges towards the privacy-friendly option, which we title “bright patterns”. This time the obstruction and default nudges swayed people effectively towards the privacy-friendly option, while the result regarding perceived control stayed the same compared to Experiment 1. Overall, our findings suggest that many current implementations of cookie consent requests do not enable meaningful choices by internet users, and are thus not in line with the intention of the EU policymakers. We also explore how policymakers could address the problem.
