[How] Do Users Benefit From Giving Consent?

Ext. Abstract
Workshop on Technology and Consumer Protection (ConPro) - co-located with IEEE Symposium on Security and Privacy (IEEE S&P)
Harshvardhan J. Pandit* , Soheil Human* , Mandan Kazzazi*
Description: Proposal for research investigating what benefits, if any, do consumers get when consenting
published version 🔓open-access archives: harshp.com , TARA , zenodo
📦resources: [How] Do Users Benefit From Giving Consent?

Abstract

Consent is meant to empower users by giving them a choice regarding the use of their personal data. Thus, organisations have the incentive to provide benefits, whether directly or indirectly, in return for consent. However, recent research has demonstrated the scale and scope of malpractices regarding consent on the web, where users are misled and coerced into giving away their personal data and privacy. In light of this, we call for investigating what benefits, if any, are specified in the context of consent; who benefits from it; and whether they can be observed in reality. We hope our work outlines the need to formally investigate the claims made when requesting consent and empowers users through greater transparency regarding benefits to make better-informed choices.

Introduction

Considering that consent is used as a transaction by the organisation to legitimise collection, use, and sharing of user’s personal data, an important question to ask is who benefits from this [1], and what benefit or value do they provide in return [2]. For websites, notices portray ‘benefits’ such as personalisation of advertisements and content, improvements to experience in a service, and measurement or analytics related to usage and performance metrics [3]. Some are benefits to the organisation, such as analytics to improve services, which can also be an indirect benefit to the user. Others are directed to the user, such as personalisation and recommendations.

Evidence exists for the prevalence of malpractices such as dark patterns and not respecting user’s consent [4][8], and poorly-defined purposes [3], [9][11] regarding consent on the web. However, to date, there has been no critical and methodological analysis investigating whether the purposes used for consent actually translate into any tangible or demonstrable benefits. More specifically, can and do users perceive benefits when consent is given as compared to when it is refused.

Approach

To investigate this, we propose a set of interdisciplinary methodological study in which researchers carefully study: (a) whether benefits exist in return for consenting; (b) how they are formulated or justified by data-controllers (c) whether they are clear and comprehensible; (d) whether they are legally justifiable; (e) can they be seen or demonstrated; (f) what ‘value’ does it provide to the user; and (g) do users perceive the benefit. For example, when websites specify consent for personalisation in ads, can we determine where ads will be shown, their form and manner, and can we distinguish ads influenced by giving consent. Through such analysis, our work will determine what ‘value’ is promised in lieu of consent, if it is actually provided, its scope and form, and if its impact is transparent to the user. We base this work on existing investigations regarding purposes of consent [3], human-centric views on consenting [5], and approaches for empowering users [12], [13] to practice their privacy in pluralist [14] and sustainable [15] manners.

Methods & Potential Approaches

Sources of Information: cookie/consent notices, privacy/other policies, reports, publications, opinions of domain-experts;
Methodologies: surveys, interviews, focus groups, controlled and in-wild experiments, engagement with service providers, auditing, document analysis, data collection, data analysis;
Technological aspects: technological and algorithmic evaluation of benefits and their provision in services;
Legal compliance: conformance with legal frameworks;
Legal rights: rights provided by existing laws regarding benefits and information, e.g. Right to Access (GDPR A.15);
Information transparency: accessibility, availability, comprehensibility of information about benefits and its applicability;
Benefits within/across domains: benefits in the context of their respective domains, e.g. personalisation for retail and for medicine can have different consequences;
Linguistic aspects: quality, formulation, sentiment, readability, and vocabulary used in descriptions;
Users’ perspective towards benefits: knowledge, attitude, preferences in general and specific to domains/services;
Users’ perception when consenting: assess comprehension of benefits when interacting with consent requests, e.g. if a purpose is a benefit, to whom, and in what context;
Users’ perception after consenting: assess (immediate and long-term) comprehension of promised and received benefits;
Service Provider perspective: knowledge, attitude, perception, framing of service providers regarding benefits;
Actors involved: different parties involved and their relations;
Representation: UI/UX aspects, nudging, dark; patterns
Other human-centric aspects: heterogeneity, cognitive, collective, and contextual aspects [5] in relation to benefits.

Funding Acknowledgments

This work is partially supported by the Internet Foundation Austria (IPA) within the NetIdee call (RESPECTeD Project; Grant#prj4625). Harshvardhan J. Pandit is funded by the Irish Research Council Government of Ireland Postdoctoral Fellowship under Grant#GOIPD/2020/790; European Union’s Horizon 2020 research and innovation programme under NGI TRUST Grant#825618 for Project#3.40 Privacy-as-Expected: Consent Gateway; and as part of the ADAPT SFI Centre for Digital Media Technology which is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106_P2.

Dissemination of this Work

For the purpose of Open Access the authors have applied a CC-BY-4.0 public copyright licence to any Author Accepted Manuscript version arising from this submission, and have deposited this article at https://doi.org/10.5281/zenodo.4601141.

References

[1] D. W. Woods and R. Bohme, “The Commodification of Consent,” in 20th Annual Workshop on the Economics of Information Security, WEIS, 2020, p. 25.
[2] G. Malgieri and B. Custers, “Pricing privacy the right to know the value of your personal data,” Computer Law & Security Review, vol. 34, no. 2, pp. 289–303, Apr. 2018, doi: gc7nbt.
[3] C. Matte, C. Santos, and N. Bielova, “Purposes in IAB Europe’s TCF: Which legal basis and how are they used by advertisers?” in Annual Privacy Forum (APF 2020), 2020.
[4] C. M. Gray, C. Santos, N. Bielova, M. Toth, and D. Clifford, “Dark Patterns and the Legal Requirements of Consent Banners: An Interaction Criticism Perspective,” arXiv:2009.10194 [cs], Sep. 2020 [Online]. Available: https://arxiv.org/abs/2009.10194
[5] S. Human and F. Cech, “A Human-centric Perspective on Digital Consenting: The Case of GAFAM,” in Human Centred Intelligent Systems 2020, 2020.
[6] D. Machuletz and R. Böhme, “Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs after GDPR,” Proceedings on Privacy Enhancing Technologies, vol. 2020, no. 2, pp. 481–498, Apr. 2020, doi: ghqdq8. [Online]. Available: https://arxiv.org/abs/1908.10048
[7] C. Matte, N. Bielova, and C. Santos, “Do Cookie Banners Respect my Choice?” in 41st IEEE Symposium on Security and Privacy, 2020, p. 19.
[8] T. H. Soe, O. E. Nordberg, F. Guribye, and M. Slavkovik, “Circumvention by design – dark patterns in cookie consents for online news outlets,” arXiv:2006.13985 [cs], Jun. 2020 [Online]. Available: https://arxiv.org/abs/2006.13985
[9] C. Utz, M. Degeling, S. Fahl, F. Schaub, and T. Holz, “(Un)informed Consent: Studying GDPR Consent Notices in the Field,” in ACM SIGSAC Conference on Computer and Communications Security (CCS’19), 2019, p. 18.
[10] C. Santos, N. Bielova, and C. Matte, “Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners,” Technology and Regulation, pp. 91–135, Dec. 2020, doi: ghtr3n.
[11] I. Fouad, C. Santos, F. A. Kassar, N. Bielova, and S. Calzavara, “On Compliance of Cookie Purposes with the Purpose Specification Principle,” in IWPE, 2020, p. 9.
[12] S. Human, R. Gsenger, and G. Neumann, “End-user empowerment: An interdisciplinary perspective,” in Hawaii international conference on system sciences 2020, 2020, pp. 4102–4111.
[13] S. Human, R. Gesenger, and G. Neumann, “Human-centric end-user empowerment: The case of digital consenting,” 2021.
[14] S. Human, G. Neumann, and M. F. Peschl, “[How] can pluralist approaches to computational cognitive modeling of human needs and values save our democracies?” Intellectica, no. 70, pp. 165–180, 2019.
[15] S. Human, G. Neumann, and R. Alt, “Human-centricity in a sustainable digital economy,” in Hawaii international conference on system sciences 2021, 2021, pp. 4372–4373.