Cookies and trust
A qualitative study of cookie policy impact on trust
Authors: Hana Azeri, Joakim Holm and Sebastian Strid (Date of birth – 960215, 910708, 701121)
HT 2020
Informatik med systemvetenskaplig inriktning, kandidatkurs. Delkurs 3 – Uppsatsarbete 15 hp.
Subject: Informatics
Handelshögskolan vid Örebro universitet Supervisor: Wipawee Victoria Paulsson Examiner: Kai Wistrand
Preface
We would like to first and foremost thank our supervisor Wipawee Victoria Paulsson who has helped and guided us throughout the entire study. We also want to thank everyone that has been involved and given us valuable feedback. Our respondents' answers made our study possible and we want to thank them for their participation.
Abstract
We are all exposed to cookies and cookie policies on a daily basis when browsing the internet on a mobile device or a computer. Our aim with this study is to examine how cookie disclosure can be implemented to increase users' trust for a website. To answer our research questions, we
implemented a qualitative method in which we conducted semi-structured interviews with Swedish university students. Furthermore, the Privacy-trust framework was used as a foundation for our research. When analyzing the interviews we identified five consistent themes: text layout, information content, linguistics, interaction design and overall approach. Our conclusion is that trust is positively affected by a text layout that is perceived as easy to read and when a correct amount of information with relevant content is provided. Furthermore a language must be comprehensible and appropriate, and a possibility to make choices directly on the web page, in contrast to not being provided any choice or referred to somewhere else and to have banners that do not block the content of the web page.
Central concepts
Access - One of the four dimensions in the Privacy-trust framework. Access gives people the ability to configure, delete and review personal information about themselves.
Choice - One of the four dimensions in the Privacy-trust framework. This dimension provides users with a choice to allow a website to use or share their personal information.
Cookie consent - Information about how a website uses cookies. Providing users with the ability to agree to the terms.
Cookie disclaimer - See cookie consent. Cookie disclosure - See cookie consent.
Cookie policy - The statement made by the website to inform users about their policy regarding cookies.
Cookies - Also referred to as web cookies or HTTP cookies, a technology that facilitates data collection.
Notice - One of the four dimensions in the Privacy-trust framework. This dimension provides users notice that their personal data is collected by the website. The users should be informed of this prior to collecting any information about them.
Security - One of the four dimensions in the Privacy-trust framework. Security means that the users must be informed that their information is kept safe from unauthorized access. The users should be given assurance about this as well.
Abbreviations
FIPP - Fair Information Privacy Principles FTC - Federal Trade Commission
GDPR - General Data Protection Regulation RQ - Research question
1. Introduction 1
1.1 Background 1
1.2 Research gap 1
1.3 Purpose and research questions 2
1.3.1 Stakeholders 2 1.4 Limitations 3 2. Literature review 4 2.1 Key concepts 4 2.2 Framework 6 2.2.1 Notice 8 2.2.2 Access 8 2.2.3 Choice 8 2.2.4 Security 8 2.2.5 Trust 8 3. Method 10
3.1 Literature research process 10
3.2 Source criticism 11
3.3 Qualitative approach and semi-structured interviews 12
3.3.1 Method Criticism 13
3.3.2 Minor web page case study 14
3.3.3 Conducting interviews 14
3.3.4 Data analysis method 16
3.3.5 Ethics 17
4. Analysis and result 18
4.1 Descriptive statistics 19 4.2 Text layout 20 4.3 Information content 21 4.4 Linguistics 23 4.5 Interaction Design 23 4.6 Overall approach 24 5. Discussion 26
5.1 Readability - text layout and linguistics 26
5.2 Information content 26
5.3 Interaction design and overall approach 27
6. Conclusion and contribution 29
6.1 Contribution 30
6.2 Future research 30
8. Appendix 35
(1) Information letter (Translated from Swedish) 35
(2) Interview guide (Translated from Swedish) 37
1
1. Introduction
In this initial section the background of the study, the purpose and research questions are addressed. Problems within the topic area will be discussed and the limitations are presented. 1.1 Background
Have you ever visited a webshop or an entertainment website and later found things that you clicked on in these sites to appear on different websites?
The concern for online privacy has become more and more of a problem with the rapid growth of online activity (Miyazaki, 2008). With the increased online activity organizations have seen the value of information, which has led to an increased amount of data being collected about the users (Liu, Marchewka, Lu & Yu, 2005; Schiefermair & Staubauer, 2020).
A result from the implementation of General Data Protection Regulation (GDPR) is that an increasing number of websites in Europe display some sort of notice to their visitors regarding the use of cookies (Utz, Degeling, Fahl, Schaub & Holz, 2019). However, while many of these notices are very similar there is reason to believe that these are made with little or no real reasoning and consideration, but only to satisfy the regulation (Schiefermair & Staubauer, 2020).
Users’ personal information is being collected with cookies whenever they visit different websites on the internet. Cookies is a bit of information that a server can send to a user and later be saved on a device that is used when browsing the internet, for example computers. Once a cookie has been stored on a user's computer a server can simply identify users easier. This technique can benefit the websites as it enables the site to store personal information about the users
(Kierkgaard, 2005).
Recent regulations such as GDPR are aimed at controlling how businesses inform and let the user decide about data collection (Bornschein, Schmidt & Maier, 2020). While the effects of these regulations have been shown in the form of increased disclosure to the users, there is still some uncertainty whether the users' concern or distrust regarding data collection is satisfied (Utz et al. 2019; Machuletz & Böhme, 2020).
The concept of trust has been studied in many scientific fields and has been defined in lots of different ways (Sherchan, Nepal & Paris, 2013). In this study, no informatics-specific definition of trust is needed, therefore we use a more universal definition introduced by Lynn, van der Werff and Fox (2021, p. 2) who describes that trust is generally defined as a “willingness to accept vulnerability based on positive expectations of another party”.
1.2 Research gap
Earlier research indicates a focus on behavioral intentions in regard to cookie notices and tends to collect empirical data through either a quantitative approach (Miyazaki, 2008; Noort, Smit &
2 Voorveld, 2014) or a mixed methodology (Utz et al., 2019; Marreiros, Gomer, Vlassopoulos & Tonin, 2015). Conducting experiments and providing surveys seems to be the most commonly used research method for collecting data (Schiefermair & Stabauer, 2020; Machuletz & Böhme, 2020). From our understanding a qualitative approach with interviews has never been used to research online privacy and trust with regard to cookies.
We posit that this is a gap in the research, therefore, we believe that our approach to conduct interviews brings a new perspective on this research area and contributes knowledge to the existing research. While we agree that the experimental approach is justified when it comes to studying behavioral intentions we argue that knowledge about users’ trust can be obtained through studying the reasoning behind the user’s feeling of trust. Kulyk, Hilt, Gerber and Volkamer (2018, p. 10) also points at a research gap as they state that: “As future work, further investigations into the effects of cookie disclaimers on users are necessary.” This statement indicates that a focus on the effects on the users is needed in further research. With this in mind, our study will focus on the trust effect of cookie disclaimers.
To conclude, we have identified the following research gaps:
First, the lack of a focus on cookie disclaimers' effect on users’ trust. Second, the absence of a qualitative approach with interviews.
1.3 Purpose and research questions
The purpose of this paper is to describe and explain factors that promote a user´s trust in a website that is collecting data using cookies.
Four research questions were formulated in order to create a connection to the four privacy dimensions of our theoretical framework (see section 2.2).
Research questions:
I. How can a cookie notice be implemented to increase a user’s trust in a website?
II. How can information regarding accessibility be implemented to increase a user’s trust in a website?
III. How can choice regarding cookies be implemented to increase a user’s trust in a website? IV. How can information about security measures be implemented to increase a user’s trust in a website?
1.3.1 Stakeholders
By studying the user’s perspective on this matter, we believe this knowledge can be of value to website developers, decision makers in organizations and policy makers. With the understanding of what amplifies a user’s trust in a website's privacy disclosures there is a possibility to make informed choices.
3 1.4 Limitations
The thesis has the following limitations:
Firstly, our study featured Swedish websites only since the interviews were conducted in Swedish, and we did not want to mix languages or present material in a language that the interviewees did not fully master. Another reason for not mixing examples from different countries is that the legislation might differ.
Secondly, we did not go into details about the legal aspects of a cookie disclosure. We understand that legal instances such as GDPR have an overall impact on the user’s trust. The fact that there are legalities to support the issues presented in this paper are thus important to take into
consideration. However, the details of the legalities are excluded for the reason that it is beyond our expertise.
Thirdly, we did not take into account any technical aspects of cookie disclosure implementations. For example, we will not be concerned with how to programme cookie disclosure on a web page. For further limitations with this thesis, specifically for the interviews, see section 3.3.
4
2. Literature review
In this chapter on literature review, key concepts as well as a framework are presented. This framework will be used to determine what type of data that should be collected and how this collected data should be analyzed.
2.1 Key concepts
Web cookies are an early concept and have been on the web and used for different purposes ever since they were invented in 1994 (Cahn, Alfeld, Barford & Muthukrishnan, 2016). The reason why cookies were implemented in the first place was because communication was necessary between clients and servers. The Mosaic browser was the first browser to have support for web cookies and the purpose behind the browser was for cookies to be used all over the internet. Although the initial purpose of web cookies was to enable better communication over the internet and to provide users better experience on the internet, they have some disadvantages in our daily lives as well. One effect of this can be that the users' privacy can be at risk and have severe
problems which is also not a new concern as it has been brought up frequently (Cahn et al., 2016). The disadvantages and the problems regarding web cookies are grounded in not having enough knowledge but also being uncertain about how personal data is collected by the websites.
Uncertainty seems to come from not being precisely informed about what a web cookie is, which is a concern for the users. Furthermore, users feel that they do not have enough control over the web cookies and do not always understand for what purpose they are being used to gather personal information. How cookies are going to be used by the website is also a concern for the users (Luzak, 2014).
Cookies were explained by Kierkegaard (2005, p. 315) as “simple text files” that cannot be harmful for users, however, users should be aware that their personal information can be used maliciously by organizations to harm them. Furthermore, she also mentioned that companies do this so that they can, for example, record the user’s personal information that can then be sold for marketing purposes. According to Miyazaki (2008) web cookies that are placed by the website can be stored on users’ devices and can last for only a couple of days, some months or even a lifetime. There are different types of web cookies described in the literature and they are all used for
different purposes. Common types of cookies are first-party cookies and third-party cookies. First-party cookies are usually set by the website and are used to enable websites to remember users’ activities for example shopping carts continued existence (Cahn et al., 2016). A lot of online shopping websites implement first-party cookies in order to store things in shopping carts. In order for this to be done the website needs to place a cookie on the individual shopper’s
computer or other devices so that the website can recognize and store the things the user placed in their shopping cart (Miyazaki, 2008). Third-party cookies are placed by a different entity than the website that is being visited by for example by advertising companies whose main job is to collect as much data about users' online behavior as possible. This has stirred concerns over users' online privacy that has led to laws that direct user privacy (Cahn et al., 2016).
5 Privacy was defined by Warren and Brandeis (1890, p. 194 ) as “the right of an individual to be left alone and able to control the release of his or her personal information”. Furthermore,
Schiefermair and Stabauer (2020) states that users take their privacy seriously and have demands on how it should be protected and are unlikely to purchase items or even surf on a website if their demands are not met by the website. They also reach the conclusion that the presence of a cookie notice has a positive impact on perceived privacy as well as on e-trust, which according to their definition consists of integrity, ability, benevolence and predictability.
Luzak (2014) states that a privacy notice must be available to captivate the user's attention so that they will take their time to read the privacy notice. They should be in an appropriate amount and easy to understand which means that the privacy notice should be written in a language that is logical and simple so that everyone should be able to obtain it. Furthermore, privacy concerns seem to be important to users, but it does not constantly mirror a user's need for privacy, which is stated by Miyazaki (2008).
From the outset, authorities and legislators have shown interest in privacy issues originated from the internet. An early example are the guidelines produced by the Federal Trade Commission (FTC) that suggested that just information use consists of four dimensions: notice, access, choice and security (Miyazaki, 2008). A more recent example is the General Data Protection Regulation (GDPR) which regulates data protection and privacy in the European Union (EUR-Lex, n.d.). GDPR requires websites to let their users know what types of private information they collect through cookies. However, there has been some concerns about the regulation because it only states overall principles and not how these principles should be adhered to (Bornschein et al., 2020).
The literature uses different concepts to describe how a web page informs a user about cookies - cookie consent, cookie disclaimer, cookie disclosure, cookie notice and cookie banner are the most common. (Machuletz & Böhme, 2020; Kulyk et al., 2018; Marreiros et al., 2015; Bornschein et al., 2020; Matte, Bielova & Santos, 2020; ) They do however depict the same meaning and henceforth we will use the concept cookie notice.
In addition to cookie notice the literature also describes cookie policy or privacy policy. Vail, Earp and Antón (2008, p. 443) define privacy policies as “Notices that are posted on a Web site,
accessible to the public, and describe an organization’s information practices - how they collect, use, and disclose information”. In our research we have seen that some web pages have both a cookie policy as well as a privacy policy whilst others only have one of the two. We have not seen any substantive difference other than the only distinction being that a web page that collects personal information by other means than cookies, for example, an e-commerce site where the customer provides personal information such as name, address etc., refers to a privacy policy, whilst a web page that only collects personal information with the help of cookies often refers to a cookie policy. Henceforth we will use the concept cookie policy.
6 Cookie notice informs the user about its privacy and allows users to give their consent, which enables websites to place a cookie on the users’ device and by so getting access to their personal data. Users should have a choice to decide whether and how cookies can be used to track their behavior (Bornschein et al., 2020).
Machuletz and Böhme (2020) mentions that different designs tend to nudge users' privacy decision makings. Some websites present choices in a way to nudge users and almost force them to make a decision. Examples of this is to color highlight an “I agree”-button and at the same time have a “No thanks”-button plainly colored or to present checkboxes preselected with the choices you would rather the user to choose.
Utz et al. (2019) argues in line with Coventry, Jeske, Blythe, Turland and Briggs (2016) who mentions that consent notices that are used on websites often use a particular design to steer users to accept choices that are privacy unfriendly.
Utz et al. (2019) describes the difference between blocking and unblocking cookie banners where blocking banners are defined as banners that hinder the user from further reading of the webpage before making a choice over cookie use. In their study, Kulyk et al. (2018, p. 6) states that
blocking banners were perceived as “a large nuisance” and that the consequence could be that the user leaves the webpage.
Two studies made by Ermakova, Baumann, Fabian and Krasnova (2014) as well as Ermakova, Krasnova and Fabian (2016) focuses on the readability of privacy policies. They argue that the readability of privacy policies has an effect on trust and test this hypothesis by conducting an online questionnaire and a survey. The results from their research indicates a positive relationship between readability of privacy policies and trust. With their results they come to the conclusion that improving the readability of privacy policies and establishing trust among users are important for companies.
2.2 Framework
We are basing our study on the Privacy-trust-behavioral intention model described and used by Liu et al. (2005) to describe privacy and trust in an e-commerce setting, but we are adapting the model to better suit our defined research area. The objective of the proposed model by Liu et al. (2005) was to explain how trust is influenced by privacy and the influence trust has on behavioral intention. More specifically the intention for online transactions (Liu et al. 2005). Our study is to some extent considering the behavioral intentions as an outcome of trust, however, our main focus lies on the relationship between privacy and trust. To better fit our point of view, the model
proposed by Liu et al.(2005) is configured by excluding the Behavioral intention part. The privacy part of the model has four dimensions, described by Liu et al. (2005, p. 292) as:
- “Notice: providing people notice that personal information is being collected prior to the collection of that information.
- Access: providing people with access to the data that is collected about them. - Choice: providing people with a choice to allow an organization to use or share
information that is collected about them.
7 In their model, trust only has one dimension, level or degree of trust.
Figure 1. Privacy-trust model
These dimensions are based on the fair information privacy principles (FIPP’s) proposed by the Federal Trade Commission (FTC) (Liu et al., 2005). While there are many principles suggested with regard to information privacy, the ones proposed by the FTC is considered most concise and widely accepted (Yang, Chen & Hu, 2017). We used the model because the amount of information in cookie notices can be extensive and we utilized the four dimensions to help us categorize the information, choose appropriate examples to show the respondents and to create an interview guide based upon this categorized information. The Privacy-trust model was also used when we analyzed the interviews. To keep the common thread, we also used the dimensions when
analyzing the result. We considered other frameworks before this was selected. Mayer, Davis and Schoorman (1995) describes an integrative model of organizational trust where trust consists of three factors of perceived trustworthiness: ability, benevolence and integrity. These factors, as well as trust directly, are affected by the trustor's propensity. The model also includes perceived risk which influences risk taking in a relationship. The model ends with outcomes which in turn reverberates on the factors of perceived trustworthiness.
Schiefermair and Stabauer (2020) uses a model including perceived privacy and trust where e-trust consists of ability, benevolence and integrity - just like the aforementioned framework - as well as predictability. They use this model to examine if the presence of a cookie notice on a web page has an effect on perceived privacy and trust.
We choose the framework presented by Liu et al. (2005) since their definition of privacy offered us the best possibilities to categorize cookie notices and cookie policies. In addition, their model was the easiest to adapt to our setting. We were also attracted by its simplicity which suited our schedule.
8 2.2.1 Notice
Notice is a principle that is required to be available on websites. According to Yang et al. (2017) notice is fundamental and a requirement to implement other principles such as Choice and Access. A website needs to be clear and specific to users about how they collect personal information on their site before any information is collected about them. The notice principle encompasses more than just the disclaimer about how data is collected. What information is being collected and how it will be used is also for the users to be made aware of. Furthermore, on the account of
information sharing the users are expected to be given notice if and to whom data is being shared (Yang et al., 2017). In the case of cookies, this latter part is categorized as third-party cookies (see section 2.1). If the users are not informed about the fact that a collection of data is being
performed, the following dimensions described later in this section lacks meaning or the appropriate prerequisites to be acknowledged.
2.2.2 Access
Users must have the possibility to review and correct the information that the website collects about them (Sheehan, 2005). Access is essential to improve any kind of necessary correctness that benefits the website but also the user. The reason for this is because if incorrect data is collected about the users the websites will have to rely on data that is incorrect which can harm their business but also affect the user as well (Yang et al., 2017).
2.2.3 Choice
Websites should give users an opportunity to consent or not consent if their personal information is to be used for other purposes, such as shared with other websites and parties (Sheehan, 2005). Research on consumers has been conducted where results show that consumers feel more powerful and in control if they are given more choices (Bornschein et al., 2020).
2.2.4 Security
Websites should reassure users that their personal information is kept secure from unauthorized use. But this is not enough, they should also be informed on how their information is kept secure. With this in mind users need to be informed what steps and actions the website takes into
consideration to secure the users’ personal data. For example that they use a specific software or hardware to protect personal data or that information is encrypted when the website receives it (Yang et al., 2017).
2.2.5 Trust
As mentioned earlier, trust is a word that is commonly used and is a complex concept that can mean different things to different people. In other words, trust can affect people differently and whether someone trusts in something depends solely on that person. Lynn et al. (2021, p. 2) defines trust as a “willingness to accept vulnerability based on positive expectations of another party”. Vulnerability in the context of cookies could be seen as submitting to the use of private information and positive expectations could for example be a more user-friendly experience. The framework suggests that trust is measured in degrees or levels which means that it is not definitive but occurs on a scale and that it is therefore measurable.
9 Privacy concerns and injured reputation can lead to less perception of trust. Earlier research has investigated how cookie notices have an influence on trust, and Miyazaki (2008) states that cookie disclosure weakens the negative effect of cookie detection. Furthermore, Schiefermair and
Stabauer (2020) argues that website owners need to consider trust in an online environment in order to make use of their website. Liu et al. (2005) argues in a similar way and describes that trust is fundamental in an online environment and argues that it is the primary reason why people do not easily share their personal information with different websites.
10
3. Method
This section describes the methods that have been used to conduct the study. The ethical perspective is also addressed here.
The purpose of this research was to investigate how a website's use of cookies influences users' trust. To do this we used a qualitative method by performing semi structured interviews. We also conducted a survey of the largest Swedish websites with the aim to produce representative examples of cookie pop ups and cookie policies that were presented to the interviewees. To familiarize ourselves with the research area we conducted a literature review.
3.1 Literature research process
The purpose of the literature review was to gather knowledge about the research area and, as Oates (2006) points out, identify where research is lacking to support a claim that new knowledge is created. This helped us to get a feel for the subject area as well as defining a new research problem just as Oates (2006) mentions. To find relevant literature we initially used three different online databases accessed through the Örebro University library: Scopus, Web of science and IEEE Xplore. Our reasons for using the internet to search for literature are because it is time efficient and convenient. Using the internet as a method for searching literature does however emphasize a need for rigorousness because the restrictions for publishing information online are scarce (Oates, 2006). This is discussed in detail in the source criticism section of this paper.
The search phrases were defined through trial and error. If a phrase resulted in an overwhelming number of hits, we reframed it until the amount was adequate. Reframing was done through filtering by literature published in the recent ten years, English language, subject areas related to informatics or by using different words related to our research area and in different combinations. These filtrations were used to narrow down the results to the most recent and relevant publications because we wanted the most updated findings and to stay within our limited area of focus. Table 1 describes the search terms, keywords, databases and the number of hits from our initial search of literature. The table is a result of documentation during the literature search which was done to prevent repeating searches and to help us be methodical in our approach (Oates, 2006). We did however use the same search words for different databases which resulted in duplicate results but a smaller risk of missing relevant publications.
11 Table 1. Representation of number of hits for each search in different databases.
From our search results we chose articles relevant to our area of research by reading the titles and abstracts first to get an overview of the whole and then look at the introductions and conclusions (Oates, 2006). Relevant articles in this search were chosen and read thoroughly.
Our initial review resulted in 13 articles that we found relevant, these were read in order to identify gaps and to increase our knowledge in our chosen area of research. Further literature searches during the research were done when a specific theory, concept or subject needed to be studied in greater detail. We did this to see if and to what extent our concepts appeared in the articles to see the importance and relation to the area. We also cross searched the most interesting and relevant articles in the result by reviewing the references.
3.2 Source criticism
As mentioned earlier we used the internet to obtain literature for our study of previous work in the research area, which according to Oates (2006) means that increased attention in assessing the credibility of the publications is needed.
12 For an online publication to be considered as a reference for our paper we checked whether it was reviewed or not. As mentioned by Oates (2006), focus should be on articles that are peer-reviewed because it increases the credibility of the paper. To determine if a paper had been reviewed we filtered our database searches to only show peer-reviewed publications if possible, Ulrichsweb was used to see if the publication media was refereed and review descriptions in journals and conferences was in some cases read through to ensure the presence of a review process. To some extent we looked at the number of citations the papers had, this was however taken in contrast to the date of publication. If a paper was recently published and had none or few citations, we evaluated the content of the paper, specifically the method, results and conclusions. Even papers considered of high value need to be critically evaluated by examining whether the results are justified by the method and the conclusion is justified by the results (Oates, 2006). The formalities of the papers were also taken into consideration, the IMRAD (Intro, method, result and discussion) structure is commonly used in scientific writing to guide authors in presenting key parts when it comes to research (Wu, 2011).
3.3 Qualitative approach and semi-structured interviews
As far as we know there is a gap in the research area where no qualitative approach with interviews has been conducted before when exploring online privacy and trust with regard to cookies. We wanted our interviewees to be able to give us as detailed and in-depth answers as possible and therefore we decided to choose a qualitative approach. We considered that we would get more information from this qualitative method instead of for example questionnaires or surveys, where there is less interest in knowing what another person sincerely thinks about a certain topic. This is in line with what was stated by Bryman (2012) where he mentioned that a qualitative approach has deeper interest in the interviewees point of view. In qualitative research words are more of a concern than measurements in the data collection, this is rather more
important in quantitative research. According to Bryman (2012) clarifications about how things are less substantial in quantitative research and with this in mind we would not be able to explain or describe factors that promote a user’s trust if we chose a quantitative approach.
Semi-structured interviews are the method we conducted for this research. This method was chosen because semi-structured interviews give an opportunity to know more about the
interviewees' reasonings as they get to speak their minds and are able to talk more openly about their thoughts and feelings towards any given topic (Oates, 2006). She also mentioned that when conducting interviews, it is sometimes easy to influence and affect the interviewees in a direction that they tend to answer questions in a way that they usually would not. We were aware of this and took this into consideration, when interviewing our respondents. It was therefore decided to make sure that we asked questions to the interviewees in a neutral way as possible with little or no influence on the answers.
Being neutral when asking questions might lead to more unplanned and in-depth answers from the interviewees. Moreover, it could be an opportunity for the interviewees to address what they themselves feel are relevant and important to bring up during the interview. As opposed to structured interviews where the interviewer asks prearranged questions to the interviewees and does not engage in the conversation, in contrast to semi-structured interviews (Oates, 2006).
13 Semi-structured interviews are constructed so that different themes and questions can be prepared. Even though questions can be prepared, it is not similar to a structured interview where no
questions could be added during the interview or that the interviewer does not engage in the conversation. A semi-structured interview is more similar to an inviting conversation between the interviewer and the interviewee where new questions or follow up questions can be brought up by the interviewer based on what the interviewee mentions. This can also raise something new and interesting that was not expected to be brought up, which makes more room for a valuable and helpful conversation that can lead to a more detailed analysis (Oates, 2006).
To make our interviews as detailed as possible we used a technique to make our conversations more comprehensive with the interviewees. This technique can be seen as different types of ways to push the interviewees into a certain direction, a direction they might not take themselves. Oates (2006) describes this as nudging and states that it is the interviewer’s responsibility to push the interviewee in the right direction or to capture the interviewees attention. As mentioned earlier there are different types of ways to push the interviewee in a certain direction and our aim was not to influence the interviewees answers, instead our aim was to nudge them into our limited area of study.
Prompts were used to encourage our interviewees to say more by remaining silent so that the interviewee would fill in the silence when it was believed that more could be said. Checks was used during the interview to make sure that we understood the interviewees reasoning and thoughts by asking follow-up questions. Probes was used as well, where our interviewees were sometimes asked to stop during the interview to tell us more specifically about a certain detail (Oates, 2006).
Something worth mentioning is that we have some limitations with our interviews. One of them is that we did not interview more than six candidates and the reasoning for this was due to time deficiency. A consequence of this is that conclusions for the general public might not be validated because of this limitation. Six candidates’ answers does not cover all Swedish students potential answers and that is something we are fully aware of. However, the purpose of this research is to provide in-depth explanations and meanings rather than generalizing findings. Another limitation is that we could not arrange any face- to face interviews due to Covid-19, and instead we
conducted our interviews through a tool for online conversations and a consequence of this is that we were not able to obtain any facial expression or body language and in this way we lose
important gestures as mentioned by Oates (2006). Moreover, we did only interview students from Swedish universities, and the main reason being that a “majority of students are familiar with cookie notices, privacy policies and app permissions” (Marreiros et al., 2015, p. 5) compared to for example pensioners. This makes our results limited to our focus group and the evidence is not sufficient to draw conclusions for other groups without the same prior knowledge and experience. 3.3.1 Method Criticism
Even though we chose a qualitative approach for our research we were fully aware that there are some criticisms to this approach. Qualitative studies have been criticized for being difficult to use
14 in other studies. In other words, they are too hard to replicate because it is only the researcher or researchers themselves that decide what they have observed, felt or heard when collecting data as stated by Bryman (2012).
Furthermore, there is a lack of structure with the qualitative approach and they have often been criticized for not providing enough information on how the data was analyzed and how to draw conclusions from the data that was collected by the researcher as mentioned by Bryman (2012). We believe this is important to take in consideration when analyzing the data we have collected. Therefore, it is necessary for us to be as detailed as possible so that we are able to draw relevant and fair conclusions from the material that has been composed.
Moreover, qualitative studies have been criticized because they are quite demanding for the researcher because they easily can for example take their one assumptions and thoughts as well as beliefs when analyzing the data they collected (Oates, 2006). This can affect the reliability of the research and we must therefore think outside the “scope” when analyzing the material.
3.3.2 Minor web page case study
We decided not to show examples of real web pages during the interviews since the prejudices of the interviewees could affect their opinion. Instead we performed a limited case study to obtain representative examples based on the four dimensions in our framework to show during the interviews. We examined the 50 largest Swedish web pages (Alexa Internet, Inc, 2020), focusing on only .se domains and pages written in Swedish. Web pages with inappropriate content were excluded. We analyzed the remaining 28 web pages focusing on the similarities and differences between them and selected representative examples. These were then structured according to the four dimensions of privacy in our framework.
3.3.3 Conducting interviews
After getting in touch with students from Swedish universities who were willing to participate for an interview, we quickly wanted to book interviews with them. The students that we reached out to were friends and acquaintances that were currently studying at Swedish universities. They were contacted by phone or through Facebook and email which was the easiest way to get a fast
response. The only criteria for participation were that they should currently be studying at a Swedish university. The reasoning for this is that we believe that students have encountered cookie notices and banners on a daily basis.
We conducted six interviews and we were also able to book the interviews so that all of them could be carried out during the same week. An information letter was sent to the interviewees and the reason for this was that we wanted the interviewees to be informed about the agenda of the interview, our aim with the study as well as the ethical aspects that we follow (see appendix 1). The interviewees who participated were interviewed one at the time through a tool for online conversations. Every interview lasted about 45 minutes and two interviews were conducted per day. The reason for this is that interviews can be long and demanding and a good rule is to schedule not more than three interviews a day as stated by Oates (2006).
15 Time is precious and the interviewees should not be expected to make themselves available for more than two hours as mentioned by Oates (2006). For that reason, we limited the time to no more than an hour for each interview. Worth mentioning is that the interviews were conducted on different times during the day. This was decided so that there was some space between the
interview sessions and for that reason we decided to schedule one interview in the morning and one in the afternoon. This was done so that we could be as responsive and alert as possible during the interview.
A PowerPoint presentation that was going to be shown during the interview was sent in advance to the interviewees. The logic behind this was that the interviewees could prepare for the interview by looking at the examples and read them at their own pace without any distractions. The reason why the PowerPoint presentation was shown in the first place was because we tried to find and implement as many examples as we could for each dimension in our framework. In addition, an interview guide was created before the interviews took place and was shown during the interview as a guideline for what topics that were going to be mentioned during the interview. We believe that an interview guide is suitable for our semi-structured interviews because it is less specific and more flexible than a structured interview approach, which is in line with what was stated by Bryman (2012).
Furthermore, Bryman (2012) describes the interview guide as a list of questions or specific topics to be covered. With this in mind we tried to include topics that we wanted to cover as well as initial questions that were asked to all of our interviewees. The topics that were brought up reflected on the different dimensions that are presented in our framework. During the interview questions that were not included in the interview guide were asked, and this was flexible which also happened whenever we picked upon something that was said by the interviewees that caught our attention. The questions from the interview guide that were answered by the interviewees were based on the Privacy-trust framework. Moreover, we chose to audio record all interviews, because this is in line with what Oates (2006) states, that we should not fully trust our memory at the risk of including our own judgements when analyzing the interviewees answers.
We also had notes ready during the interview in case an interviewee did not approve of audio recording or if there was something that could not be recorded. Writing notes according to Oates (2006) is a way to capture a general impression of the interview. Furthermore, there are some disadvantages with audio recording, one of them is that the interviewee can be nervous when their voice is being recorded and they might answer questions in a certain way for example that they do not use words or expressions that they normally would because their voice is being recorded. There are some advantages to audio recording the interviews, and one of them is that the interviewee can take part in the recording and listen through the material after the interview, which was also something that is mentioned by Oates (2006). She mentions that the interviewee can return to the transcription with feedback, if for example the interviewee said something they do not want to be included in the transcription or if the interviewee formulated something incorrectly. We took this into consideration and informed all of our interviewees about the possibility to access the transcribed material so that they can control their answers and correct them when needed (see appendix 1). We also informed the interviewees that they had the right to
16 change or delete answers until the day that the study is completed (see appendix 1). Furthermore, we believe that audio recordings will allow us to focus more on the process of the interview
because it provides us with everything said during the interview. With this in mind it will also help us to transcribe our content easier and in a more structured way. All of the interviews were
transcribed into textual data so that we could start analyzing our conducted interviews. We tried to transcribe everything that was said during the interview and to be as accurate as possible but also be able to capture correct formulations. Filler words like “Mhm”, “Ehh”, “ Öhm”, “Haha” and “Hmm” were to some extent removed from our transcription. The reasoning for this was that these words lack significance for our analysis and we therefore decided to
exclude them. The execution of the transcription took approximately two days and the transcribed data that was collected was written down in word documents. These documents were saved in our own computers in a folder and the reason for this was that no personal information that could be connected to the interviewees was specified in the documents. We referred to our interviewees as respondent 1, 2, 3, 4 and so on to make sure that they were anonymized.
3.3.4 Data analysis method
We used the computer-assisted qualitative data analysis software NVivo, recommended by Bryman (2012) since it facilitates the data analysis process. We used a thematic analysis method where the four dimensions of the Privacy-trust framework were connected to relevant text segments of the transcribed interviews. We started analyzing all of the interviews together by discussing and summarizing the transcriptions. We identified five different themes that will be presented in chapter 4.
For something in the data to be considered a theme Bryman (2012) recommends looking at repetitions. If something was mentioned multiple times in the same interview or across multiple interviews, we noted it down as a possible theme. However, Bryman (2012) means that repetition is not sufficient enough. The proposed theme has to be relevant to the research questions and the focus area of the study (Oates, 2006). For example, we mentioned earlier that our focus to some extent excluded the behavioral part of the original framework used in this study. Our data had parts related to behavior, these were excluded if our interpretation could not see a strong connection to trust in the behavioral intention.
In addition to the themes we also noticed sentiment of the text segments. The sentiments were pre-programmed in NVivo in four levels: very positive, moderately positive, moderately negative and very negative. The dimension of trust presented in our framework is aimed at determining a level or degree of trust. The four levels of sentiments are used to evaluate and connect the text segments to the framework.
One question for each dimension requested a graded answer on a 1-10 scale and this quantitative answer was converted into a graph (or a table). This was also used to determine a level or degree of trust. For the themes we discussed and compared the respondents’ answers and inferred illations from these discussions.
Our approach using thematic analysis felt most appropriate for our study, we did however
17 The back and forth between data collection and analysis suggested in grounded theory could take a considerable amount of time (Bryman, 2012). Since our study had a relatively short time constraint, we felt that grounded theory was not as suitable as thematic analysis. According to Oates, grounded theory is “concerned with generating theories – research that leads only to a descriptive account of the subject matter would not be classified as a grounded theory approach” (2006, p. 274). Since our purpose of this paper is about describing factors affecting trust, and not to evolve a new theory, we dismissed this approach.
3.3.5 Ethics
We informed the interviewees that the interview was voluntary and the purpose of our study was explained. The ethical aspects that we follow as well as information about our interviews are presented in the information letter. According to Oates (2006) interviewees should be treated with not only dignity but also with respect, they should also feel that they are important for the study. Therefore, it was decided to make sure that we mentioned in every interview that we were grateful for their participation. It was also mentioned in the information letter (see appendix 1) that the interviewees had the right to withdraw from the interview at any time. By informing them about this we showed our interviewees respect and that they were not forced to participate.
Besides this, the interviewees were informed that they were not obligated to answer a question if they did not want to. The reasoning behind this is because we did not want our interviewees to answer a question that might make them feel uncomfortable. The information letter did also mention that all data that was collected from the interviewees were anonymized. This was done so that their identity will be protected, and in the information letter (see appendix 1) we did also mention that the data that is collected will be placed in a secure location on our computer in a confidential way. Furthermore, we suggested different times and dates that the interview could take place and the interviewees could decide which date and time that suited them.
All of our respondents were flexible, and we were able to conduct all of the interviews in one week. During the interviews we were also careful to keep a neutral tone and not show too much expression to the answers by not sounding surprised nor giving any comments. This is in line with Oates (2006) reasoning that by speaking in a neutral tone and not being judgmental towards the interviewees, there is lower risk that they will answer the questions in a way they think are right or believe they should answer.
18
4. Analysis and result
In this section we present and analyze the result from our interviews.
When analyzing the interviews five themes were identified and are defined as followed: ● Text layout - We characterized layout where parts such as text and links are set on a
website in a certain way. An example of this can be how information is presented to the users by the website.
● Information content - We have defined information content as the amount, detail and relevance of information that the website provides to their users.
● Linguistics - Linguistics are defined as the choice of words and how the sentences are formulated.
● Interaction design - We define interaction design as a way for organizations to design their website. Using highlighted buttons or links on the webpage are some examples of
interaction design.
● Overall approach - We characterize the overall approach as the strategic choices that the organization has taken before constructing its website. A hypothetical example could be whether to use cookies or not.
The different themes occurred in different dimensions presented as a matrix (see table 2). It would have been optimal to present analysis and results based on the four dimensions of the framework but since the themes existed in the majority of the dimensions it would have meant repetition. In other words, that text layout would have been analyzed four times. Instead, the presentation will first summarize the connection between the dimensions and the themes, thereafter the analysis will emanate from the themes.
Table 2. The occurrence of themes in each dimension.
Notice is the most fundamental dimension of the four dimensions of privacy (see 2.2.1) which could explain why it is affected by all five themes.
Choice on the other hand did not have any substantial comments regarding information content or linguistics. As mentioned in the framework section of this paper (see 2.2.3), the opportunity to make choices is the purpose of this dimension. This indicates that the interaction by making choices is what affects trust the most in this dimension and could explain why information content and linguistics were less noted by the respondents.
Our examples regarding security mostly contained plain text with only a few interactive elements. As mentioned in chapter 2.2.4, when it comes to the security dimension, the users should be
19 informed about how their personal data is kept secure which emphasizes information content and linguistics over interaction design for example.
Access is affected by all five dimensions. The definition of access in the framework (see 2.2.2) demands interaction, through the fact that users should be able to review, correct and delete personal data. Since the examples we found mostly contain textual description, all of the themes are present in the interviewees’ comments in regard to this dimension.
4.1 Descriptive statistics
In this part we present an overall descriptive statistic regarding the information we received from our interviews. Table 3 presents the average rating of each dimension for each example shown and table 4 presents the specific ratings of each respondent for each example.
Our examination of cookie consent notices and cookie policies of the largest Swedish websites indicates that there is a large dispersion in how to formulate and design cookie pop ups and banners, cookie consent and cookie disclosure. In this chapter we analyze the answers from our interviews which were conducted using a qualitative method. We did however have a quantitative element in the form of rating of the different examples. The respondents were asked to rate each example with a number between 1 and 10, where 1 was lowest grade and 10 was highest grade. The results of these are presented in the tables below. The examples referred to in this chapter are presented in appendix (3).
20 Table 4. Specific ratings of each respondent for each example.
4.2 Text layout
We characterized layout where parts such as text and links are set on a website in a certain way. An example of this can be how information is presented to users by the website. The respondents highlighted both positive and negative aspects that affected their trust. It appears that when websites provide respondents with a block of text, or unstructured text it affects the respondents trust negatively. The respondents pointed out these negative aspects as they appeared in all dimensions but for the most part in access and security. Respondent A commented on example (5.1) that is related to the access dimension in our framework: “The one on the left feels more like a wall, I cannot be bothered to read it because it is so uninteresting in some kind of way”. The respondent referred to examples that can be related to how users can access their personal
information, which was similar to what respondent D pointed out when reviewing example (5.1):” It does not seem to be that much reflection on how they have written this, but this is just like someone has hammered on the keyboard just because this information must be there”. The same respondent mentioned that this type of unstructured text layout that can be seen on example (5.1) is more likely to be ignored by others. “It's quite likely that you just skip it”.
Respondent D pointed out that: ”The first one has long, long paragraphs that give a little too much information”. This seems to be an aspect that other respondents experience as respondent C commented on this in a similar way: “It is just a lump of text which is difficult to read ”. This comment was, however, related to example (5.1) of the security dimension. Respondent D
continued to identify how text blocks affect trust in a negative way: “The text is a bit blocking , it is not something you directly read through and even if you were it is written in such a way that you can easily misunderstand if you don't read through thoroughly”. Respondent D gave example (4.2) that is related to the security dimension a low rating. The reason for this was because the amount of text did not make the respondent want to read through the whole block of text when it
21 is unstructured, unless it is read in detail. However, the respondents did point out aspects that promoted their trust in a positive way as well. Respondent A mentioned that a structured text layout promotes trust: “All of them start with right to, right to therefore it becomes… I don't know, it just feels more structured and therefore it feels more serious”.
All of our respondents mentioned how important text layout is and reasoned in a similar way when it comes to trust. Respondent C reviewed example (5.2) that is related to the access dimension: “Punctual form and when they say right to register, what right you have is quickly pointed out in punctual form feels very smooth”. The respondent also mentioned that this is easier to read and “easier to navigate reading” when the text is structured. Respondent D pointed out that the example had an appealing text size (5.3) that is related to the access dimension: “Big text size makes you look there”. The same respondent also pointed out that the way websites present links promotes trust as well and this was commented on example (5.3): “It's also good that they have the links in that way, that they do not just copy paste a link instead they use a hyperlink”. The respondent meant that the link is descriptive and does not simply consist of a webpage address. Respondent E mentioned that it is “digestible” when the text layout is presented in a structured way in the choice dimension example (3.1): “The information is displayed in a way that can be digested”. Respondent F argued similarly when reviewing the same example: “The one on the far right got the most points, it is very clear and divided so you can easily find what you are looking for”.
4.3 Information content
We have defined information content as the amount, detail and relevance of information that the website provides to their users. An example of this can be if the website provides clear or a sufficient amount of textual content to their users. The respondents' comments focused on all of the dimensions in the Privacy-trust model, however, notice and security dimension were more commented on by the respondents. More text and less relevant informational text seem to affect respondent F in a negative way when it comes to trust: ”Because it has more text and less relevant information, I think.” This was commented in example (5.1) that is related to the access
dimension. Respondent E mentioned this aspect as well, however, in example (2.1) that is related to the notice dimension. “It feels like they are giving irrelevant information in the beginning and leaving the most important information to the end where some do not even read it”. The
respondent meant that providing a lot of text with information is critical, but it needs to be relevant to the users otherwise it might be ignored by them. Furthermore, if too little information is given or if information is unclear, it could also affect trust negatively. One of the respondents mentioned that this aspect is affecting their trust in a negative way as well. Respondent C expressed, when reviewing example (4.3), that is related to the security dimension: ”If you're going to talk about security then maybe it is better to not even mention it at all if you're going to write this little.”. The same respondent mentioned that not being clear enough can cause some kind of confusion as well: “We use one range of safety techniques and methods, what does that even mean? It is a bit like, I know so much more than you.” Another respondent pointed out that when the information content is unclear it makes respondent E less interested in reading the information that is related to the security dimension: “We use a range of security techniques, do they need to mention that. Not
22 really. I haven't read everything but from a first glance I do not like it. I lose interest quickly and the information I read is not really helpful either“.
The respondents also pointed out aspects that promoted their trust in a positive way. When websites provide users with a substantial amount of information with relevant content it seems to promote the respondent’s trust. Moreover, when the website provides clear information content it also seems to promote trust. Respondent E commented on example (1.2) that is related to the notice dimension: “I feel that they are specific, they provide specific information about what cookies should be used for. I feel that I am not bombarded with information because I only get relevant information for myself”. Respondent D mentioned that providing a certain amount of information promotes trust. This was commented when the respondent viewed example (1.2) that is related to the access dimension: “All information is there without the need to click on...but there is like a... substantial amount of information to get already there, and it is appreciated”.
Respondent F viewed example (1.2) that is related to the notice dimension and mentioned that it is important that the information content is short but clear and concise which is discussed in a similar way by the other respondents: “Because it is short and concise, i feel that the first example is great in many ways but can be hard to understand”.
Certain details can affect users' trust in both negative and positive ways. Respondent E mentioned that a certain detail made it easier to understand the information as well as what to do: “They are also specific, in the lower paragraph, where they show “This is how you do” it feels like I have received the information”. The respondent refers to example (1.1) of the notice dimension. Respondent B expressed that a certain detail in the access dimension when reviewing example (3.3) would promote trust in a positive way: “Had there been a button that said no thank you or yes thank you down there it would've been perfect”. The respondent meant that if the alternative with a choice to approve or not approve would have been a detail in the information that would have affected the respondent in a positive way.
All of the respondents rated example (3.3) the lowest (see table 2 & 3) when reviewing the choice examples. Respondents C and F argue in a similar way that the amount of information given in this example is not sufficient: “I don’t know, it is just so little information in example 3”, “And the one at the bottom has very little information”. In contrast respondent E points out in reference to example (3.2) that: “It feels like they give me the information and that increases my trust”. However, the same respondent means that some phrases in the last-mentioned example are hard to understand which relates to the linguistics theme (see chapter 4.4).
Apart from the choice dimension, the examples presented in the security dimensions had a similar rating (see table 2 & 3) and reasoning for one of the examples. Respondent A explains that: “But, the one at the bottom feels like it, I can say that I thought I would like the ones that had less text more but it gives me no trust whatsoever. Less text almost feels frivolous in some way”.
23 4.4 Linguistics
More than one of our respondents expressed that linguistics had an affect on their trust. This did somewhat appear across the four dimensions but especially in the two dimensions Notice and Security. One of the respondents noted: “The fact that they use the word store... the information, that is what discourages me a little”. Another respondent states that: “The left example feels more in-depth about what it is being used for[...] It feels better to write personalized ads and content and so forth, rather than just writing marketing”. This statement relates to the notice dimension through the fact that the respondent brings up the topic of informing the user about the purpose of the data collection. However, the language used matters when informing the user, this is because there is a possibility for misunderstanding. Respondent D: “[...] use cookies and other
technologies, where other technologies are very diffuse and could mean just about anything”. When reviewing the examples of the security dimension respondent A points to specific words that promote trust when it comes to security: “Encryption feels so, it is a very good word that works on me. As soon as I see that something is encrypted, I believe it is secure, even if it probably isn't”. Respondent C considers that the presentation of security measures should in general have a language that sounds professional, when motivating a low rating of one of the examples
respondent C mentions: “They use a language that makes me believe they are very unprofessional”.
4.5 Interaction Design
We define interaction design as a way for organizations to design their website. Using highlighted buttons or links on the webpage are some examples of interaction design. The respondents had comments regarding interaction design and their answers did not only focus on one specific dimension. Instead they focused on different dimensions in the Privacy-trust model, such as access, notice and choice. Linking to other pages or not giving users alternatives to opt out seems to affect respondents' trust for a website in a negative way. Two of the respondents expressed their views on the examples that were shown during the interview that can be related to the access dimension. Respondent E reviewed example (5.3) and mentioned: “You know what I think about links, that's bad stuff”. The respondent meant that linking to another page is not something that is appreciated. Linking to another webpage seemed to affect respondent F negatively as well, when the respondent looked at example (5.3): “Instead of including relevant information there, they link instead and I can imagine that there is a lot of text when you click on these links. Which also makes it difficult to find what you want to know”.
Respondents E & F gave this example (5.3) lower rating (see table 3) than the other examples in the access dimension and the reason for this was that the link that appeared on the website. The choice dimension was also commented on and respondent A mentioned opting out when the respondent was reviewing example (3.3): “What makes me have no trust is that there are no alternatives to opt out at once. Had there been a button like ‘No, thank you’ or ‘Yes, thank you’ it would have been perfect”. However, there were some aspects that affected the respondents' trust in a positive way. Websites that provide their users the choice to press the accept button to be on or off seems to affect respondent A when examining example (3.1) that is related to the choice dimension: “I like when you just can press them like that”. Respondent E mentioned when
24 reviewing example (3.1): “It is clear for what options I have; I can approve or not approve. It also feels simple and efficient”.
Respondent A voiced that when all of the buttons come off on the website it affects the respondent positively when it comes to trust. This was brought up by the respondent when example (3.2) was shown that is related to the choice dimension: “Does everything just toggle off?”. Here the
respondent is not sure if it is and one of us that conducted the interview informed respondent A that it does. The respondent answered: “Then it gives me the most trust”. However, the same respondent expressed that it is important to make sure that people do not miss the opportunity to opt out by making the design of buttons or links more user friendly and visible. Respondent A pointed out: “I think people do not see it that much, of course”. This statement was expressed when the respondent reviewed notice example (1.3). Respondent E pointed out that this choice was unique because it did not appear in the other website examples that were shown in the interview: “...But now that I have looked at it a little more carefully, there is a certain part that I like, which I do not think the others had. If you do not approve, we will only use important cookies, unfortunately you will not get custom content.”.
During the interviews we explained the nudging concept for the respondents and asked about their opinion. Their attitudes towards this were essentially negative. Respondent C: “I think everything feels like that, it feels like I trust them less” and “nudging is some form of attempt to manipulate but in a pretty ugly way really”. Some were more neutral and referred to the widespread
occurrence, respondent A commented: “Now it feels like it's so common that I do not even react to it anymore”.
4.6 Overall approach
We define the overall approach as the strategic choices that the organization has taken before constructing its website. A hypothetical example could be whether to use cookies or not.
Comments from the respondents were focused on the notice dimension but occurred in the access and choice dimension as well. The existence of a blocking cookie banner, examples (1.1) and (1.2), distinctly affected trust in a negative direction. None of the respondents liked the banner to be blocking, respondent A expressed: “If I'm out on the internet [...] then if it comes up like this, it will be like everything that stops me from getting the information that I want in just a few seconds is extremely frustrating in some way, and if there is something that makes me unable to scroll on the page and I kind of get stuck because I have to sit and make settings on cookies for just like this five seconds it feels as an eternity”.
Most of the respondents preferred to be given multiple alternatives directly in the cookie notice banner, examples (1.1), (1.2) and (1.3), opposed to only be given one alternative, example (1.4), i.e. “I accept”, “I agree” or “I understand”. One of the comments from respondent A on the most simplistic banner, example (1.4), was: “it does not even have an option to set wishes or change settings or anything like that, it is just I understand”.
On the other hand, respondent A appreciated the feature of possibility to decline cookies by just clicking a button or link displayed in example (1.3): “That's great! But I didn't even see it when I looked at it because it is too much text”. Respondents also preferred to be given specific
