1-16
SCARED OR NAÏVE? AN EXPLORATORY STUDY OF USER PERCEPTIONS OF ONLINE PRIVACY DISCLOSURES
Authors: Helia Marreiros, Richard Gomer, Michael Vlassopoulos, Mirco Tonin and M.C. schraefel
Number of views: 519
Online service providers offer “free” services in exchange for the personal data of its users. In the last
few years there has been an increase of online industry regulations requiring service providers, such as
websites and app developers, to disclosure the ways in which they collect, process and use the personal
data of service users. These “privacy disclosures,” such as the privacy policy, the cookie notice and, on
smart phones, the app permission request, are designed with the purpose of informing users and
empowering them to control their privacy. The interaction problems with these different types of
disclosure are relatively well understood – habituation, inattention and cognitive biases undermine the
extent to which user consent is truly informed. Users understanding of the actual content of these
disclosures, and their feelings toward it, are less well understood, though. In this paper we report the
results of a mixed-method exploratory study of the privacy disclosures and compare their relative merits
as a starting point for the development of more meaningful consent interactions. First, we conducted a
focus group study, with 21 students from the University of Southampton, to understand behavior and
privacy concerns of Millenials (those born between 1982 and 2004) in response to the these three most
common types of privacy disclosure. Second, we conducted an online survey, with 100 students from the
University of Southampton, to study perception and feelings towards the content of the privacy
disclosures. We identify three key findings. Firstly, we find heterogeneity of user perceptions and
attitudes to privacy disclosures in both studies. The results of the focus groups suggests three types of
users: the scared and worried about their online privacy, who think there is an option out; the naïve, who
do not understand how their personal data is collected and processed by the online service providers; and
the meh, who understand the tradeoff but are not worried about their privacy. Secondly, we find limited
ability of users to infer data processing outputs and risks based on technical explanations of particular
practices, suggestions of a naïve model of “cost justification” rather cost-benefit analysis by users.
Finally, we show evidence of the possibility that consent interactions are valuable in themselves as a
mean to improve user perceptions of a service.