
Public knowledge of digital cookies: Exploring the design of cookie consent forms


Academic year: 2022


DEGREE PROJECT IN MEDIA TECHNOLOGY, SECOND CYCLE, 30 CREDITS

STOCKHOLM, SWEDEN 2020

Public knowledge of digital cookies:

Exploring the design of cookie consent forms

LOUISE GRÖNDAHL

KTH


Abstract

Websites currently use consent forms to convey information about their use of digital cookies. However, the design of these consent forms is not entirely right according to the directives of the General Data Protection Regulation, and it is not optimal from a user's perspective either. The forms often lack options, and the informational text within them is often too brief. For a user, that might make it difficult to understand what is being accepted and what the consequences could be for their personal data.

Based on the directives given for the digital cookie consent form, it becomes clear that many forms do not meet the requirements. The question therefore arises: which factors make a cookie consent form successful, concerning how well a user understands the content and is aware of his/her choice of action? To answer that question, a quantitative and a qualitative study were conducted. The quantitative study examined people's current understanding and perception of digital cookie forms. The results of that study were then used in the qualitative study to develop prototypes of new cookie consent forms, which were then examined in a usability test.

The study presents five factors that contribute to a cookie consent form being considered successful from the user's perspective in understanding the content and making an active choice. These factors are text, options, full-page consent form, active choice and trustworthiness. Each of the five factors can independently improve the user experience of a form, although all of them should be accounted for to get better results. Together, the factors contribute to a form that complies with different directives and laws but, above all, helps users get a better experience of understanding what they approve of and the feeling of making an active choice.


Summary

Consent forms for the use of digital cookies are used by websites today to convey information about the use of digital cookies on the visited website.

However, the design of these consent forms is not always entirely correct according to the directives of the General Data Protection Regulation, nor is it optimal from a user's perspective. They often lack options, and the information within the form is often brief. As a user, it can therefore be difficult to understand what one is approving and what consequences it has for one's personal data.

Based on the directives given for the design of consent forms for the use of digital cookies, it becomes clear that many do not meet the requirements. The question therefore becomes which factors make a form successful, in the sense that the user understands the content and is aware of their choice. To answer this question, a quantitative study and a qualitative study were carried out. The quantitative study examined people's current understanding of and feelings about forms for digital cookies. The results of that study were then used in the qualitative study in the form of prototypes representing new forms, which were then examined in a user test.

The study found that five factors proved decisive for a cookie consent form to be considered successful from the user's perspective in understanding the content and making an active choice. These factors are text, options, full-page form, active choice and trustworthiness. Each of the five factors can on its own improve the user experience of a form, but all of them should be taken into account for the best result. Together, the factors contribute to a form that follows various directives and laws but, above all, helps users get a better experience of understanding what they approve and the feeling of making a conscious choice.


Public knowledge of digital cookies:  

Exploring the design of cookie consent forms 

Louise Gröndahl 

KTH Royal Institute of Technology  Stockholm, Sweden 

lougro@kth.se


Keywords

Cookie Consent Forms; Usability; Data Privacy; GDPR

1. INTRODUCTION

Over the last couple of years, regulations and transformations have been made regarding the management of digital information.

In May 2018 the General Data Protection Regulation (GDPR) came into force, with the purpose of protecting users' private and personal data online [1][2]. This regulation had a major impact on the use and execution of different types of digital consent forms.

For media businesses today, it is crucial to use digital cookies to store data about the user that make it possible for the company to track and personalize websites[3]. The content of a personalized website is adjusted after a user's interest. For the media industry, this means that advertisements can be personalized for a specific user, which also means that companies can buy specific advertising spots for specific target groups.

Today, pre-checked consent forms, so-called opt-out forms, are the most common. An opt-out consent form means that you must actively choose to say no to digital cookies. But these do not comply with the GDPR and might soon be illegal [4, 5]. The opt-out consent form often informs the user that the website uses digital cookies without, however, giving the user the choice of whether to consent or not, as an opt-in form does. Opt-in forms, on the other hand, mean that the user must actively choose to accept cookies, giving the user the opportunity to choose how the website should handle the user's digital data [5]. However, GDPR places a great deal of responsibility on each individual user. This is because the various data privacy texts are often long and difficult to interpret.

This study aims to investigate the knowledge around and impact of digital cookies and users' data privacy by providing guidelines on which factors are important when designing digital cookie consent forms, using the following research question.

[RQ] Which factors make a cookie consent form successful, concerning how well a user understands the content and is aware of his/her choice of action?

The more knowledge and information there is about these consent forms and how they are perceived, the better opportunity digital designers and developers have to make a difference. Greater knowledge about users' perceptions of digital cookie consent forms is central for future design implementations, which is where this study aims to contribute.

2. BACKGROUND

In the background section, information about digital cookies, legal aspects in regards to consent and different types of consent forms are presented and explained.


2.1 Digital Cookies

Digital cookies (also known simply as cookies) are small text files that are stored in the browser and used when visiting a website. Cookies make it possible for the device to store and save information such as login and saved settings until the next time the user browses the website [6, 7]. In other words, cookies can store a large range of data which, in some circumstances, can be seen as personal data and therefore has to be carefully considered due to the GDPR.

As stated in Recital 30 of the GDPR, "Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them." [2].

The data stored by cookies fulfills a variety of functions, depending on the type of cookie used. There are session cookies, which only store information while the user is on the website and are deleted when the user closes the page. Persistent cookies is the collective term for cookies that stay for a long time. They should have an expiry date and be deleted by the browser after a certain time. These can be deleted by the user at any time in the browser. There are first-party cookies, which come from the website that you are visiting. Third-party cookies come from a third-party website and are used on the device rather than the website. These could, for instance, be used for advertising or social media. Some cookies are necessary for the website to function as intended or to simplify the user experience. They can store, for example, the user's shopping cart, preferred language or login details [7].

Finally, there are cookies that are used to personalize pages. These are often called marketing cookies. They keep track of how the user interacts with the website, collecting data such as clicks and time spent on each section. This means that websites can be personalized by, for example, selecting specific advertisements that fit users' needs according to what is read or clicked [3, 7].
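The session/persistent and first-party/third-party distinctions above can be read directly from the `Set-Cookie` headers a page load produces. The following is an added example, not part of the thesis: the host names and header values are constructed, and the "last two labels" site comparison is a simplifying assumption (browsers use the Public Suffix List).

```javascript
// Added example: classify cookies the way section 2.1 describes them.
// All hosts and header values below are constructed for illustration.

// Parse one Set-Cookie header value into a name, a value and its attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = pair ? pair.indexOf("=") : -1;
  if (eq < 1) throw new Error("Set-Cookie must start with name=value");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Lifetime in seconds, or null when the cookie has no expiry (session cookie).
// Max-Age takes precedence over Expires when both are present (RFC 6265).
function lifetimeSeconds(attributes, nowMs) {
  const maxAge = attributes["max-age"];
  if (typeof maxAge === "string" && /^-?\d+$/.test(maxAge)) {
    return parseInt(maxAge, 10);
  }
  if (typeof attributes.expires === "string") {
    const t = Date.parse(attributes.expires);
    if (!Number.isNaN(t)) return Math.round((t - nowMs) / 1000);
  }
  return null;
}

// Simplified "site" of a host: its last two labels.
// Assumption: real browsers use the Public Suffix List instead.
function siteOf(host) {
  return host.toLowerCase().replace(/^\./, "").split(".").slice(-2).join(".");
}

// Classify one cookie set by responseHost while the user is visiting pageHost.
function classifyCookie(header, responseHost, pageHost, nowMs = Date.now()) {
  const cookie = parseSetCookie(header);
  const seconds = lifetimeSeconds(cookie.attributes, nowMs);
  let lifetime = "session";
  if (seconds !== null) lifetime = seconds > 0 ? "persistent" : "expired";
  return {
    name: cookie.name,
    lifetime,
    days: seconds !== null && seconds > 0 ? Math.round(seconds / 86400) : 0,
    party: siteOf(responseHost) === siteOf(pageHost) ? "first-party" : "third-party",
  };
}

function classifyAll(responses, pageHost, nowMs) {
  return responses.map((r) => classifyCookie(r.header, r.host, pageHost, nowMs));
}

// Constructed sample: responses observed while loading one page.
const PAGE_HOST = "www.news-site.test";
const NOW = Date.UTC(2024, 0, 1); // fixed clock so the result is reproducible
const SAMPLE_RESPONSES = [
  { host: "www.news-site.test", header: "sessionid=abc123; Path=/; HttpOnly; Secure" },
  { host: "www.news-site.test", header: "lang=sv; Max-Age=31536000; Path=/" },
  { host: "www.news-site.test", header: "cart=; Max-Age=0; Path=/" },
  {
    host: "ads.adnetwork.test",
    header: "uid=u-0001; Expires=Mon, 08 Jan 2024 00:00:00 GMT; SameSite=None; Secure",
  },
];

for (const row of classifyAll(SAMPLE_RESPONSES, PAGE_HOST, NOW)) {
  console.log(`${row.name}: ${row.lifetime}, ${row.party}, ${row.days} day(s)`);
}
```

A cookie with neither `Max-Age` nor `Expires` is a session cookie; a zero or negative lifetime is how a server asks the browser to delete a cookie.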

2.2 GDPR and the ePrivacy Directive

In May 2018 the GDPR, a new and condensed data regulation [2], replaced an earlier directive. This directive was the Data Protection Directive 95 [8]. The GDPR is mainly based upon three major directives: the Data Protection Directive (95/46/EC) [8], the ePrivacy Directive 2009/2002 [9], and the laws of European Union countries. The aim was to create a single regulation about "the protection of natural persons with regard to the processing of personal data and on the free movement of such data" [2].

Alongside the GDPR, the ePrivacy Directive presents more detailed information about certain digital areas, for instance, digital cookies. The ePrivacy Directive was initialized in 2002 and amended in 2009 [9]. A new ePrivacy Regulation would be enforced at the same time as the GDPR, aiming to develop and expand the current ePrivacy Directive 2002/2009 [9].

The ePrivacy Directive is known for being a more detailed source about digital cookies. The ePrivacy Directive 2009/1367EC clearly states that users must be informed about the use and storing of personal information and that the user must give consent for such storing: "The storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purpose of the processing." (Article 5 (3)) [9]. This regulation highlights that users have to be informed about cookies that are not considered necessary for the website. No such cookies can be used unless the user has consented to them.

GDPR states that it should be as easy to withdraw consent as it is to give it (Article 7 (3)) [2]. The importance of accessibility and understanding within the consent forms is also stated. The consent should be clear and understandable. It should be clearly visualized if needed and be drafted using normal language (Recital 58) [2].

2.3 Opt-in and Opt-out consent forms

Opt-out consent forms (also known as implicit or indirect consent) mean that the user must actively choose to withdraw consent. The user is treated as having given consent from the start and must actively change the setting to withdraw it. The opt-in consent form, also known as explicit consent, works the opposite way: the user must give consent to the use of cookies when entering a website [6, 10].

The GDPR states "Silence, pre-ticked boxes or inactivity should not therefore constitute consent.". This means that consent forms that have chosen a setting (e.g. opt-out) for you in any way, or that simply do not provide the information required by the regulation, do not qualify as correct consent. Consequently, opt-out forms of any kind are not in compliance with the regulation.
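The difference between opt-out and opt-in handling can be made concrete in code: nothing beyond the necessary cookies is allowed until the user acts, and withdrawing is a single call, just like giving consent. The following is an added example, not part of the thesis; the category names, form definitions and cookie names are constructed, and the audit covers only the three points quoted above, not the regulation as a whole.

```javascript
// Added example: opt-in handling of cookie consent, following sections 2.2 and 2.3.
// Category names, form definitions and cookie names are constructed for illustration.

const NECESSARY = "necessary";

// Check a consent form definition against the points quoted above:
// pre-ticked boxes, no way to refuse, and inactivity treated as consent.
function auditConsentForm(form) {
  const findings = [];
  for (const option of form.options) {
    if (option.category !== NECESSARY && option.preChecked) {
      findings.push(`pre-ticked box for "${option.category}"`);
    }
  }
  if (!form.actions.includes("reject")) {
    findings.push("no way to refuse non-necessary cookies");
  }
  if (form.dismissCountsAsConsent) {
    findings.push("closing or ignoring the form counts as consent");
  }
  return findings;
}

// Holds the user's decision. Nothing is granted until the user acts.
class ConsentStore {
  constructor(allCategories) {
    this.allCategories = allCategories;
    this.granted = new Set();
    this.log = []; // the explicit actions the user took, in order
  }

  // action: "accept-all", "accept-selected", "reject" or "withdraw".
  record(action, selected = []) {
    if (action === "accept-all") this.granted = new Set(this.allCategories);
    else if (action === "accept-selected") this.granted = new Set(selected);
    else if (action === "reject" || action === "withdraw") this.granted = new Set();
    else throw new Error(`unknown action: ${action}`);
    this.granted.delete(NECESSARY); // necessary cookies need no grant
    this.log.push(action);
  }

  maySet(category) {
    return category === NECESSARY || this.granted.has(category);
  }
}

// Names of the cookies the site may set under the current decision.
function allowedCookies(cookies, store) {
  return cookies.filter((c) => store.maySet(c.category)).map((c) => c.name);
}

// Constructed form definitions: an opt-out banner and an opt-in form.
const OPT_OUT_BANNER = {
  options: [
    { category: "statistics", preChecked: true },
    { category: "marketing", preChecked: true },
  ],
  actions: ["accept-all", "more-information"],
  dismissCountsAsConsent: true,
};
const OPT_IN_FORM = {
  options: [
    { category: NECESSARY, preChecked: true },
    { category: "statistics", preChecked: false },
    { category: "marketing", preChecked: false },
  ],
  actions: ["accept-all", "accept-selected", "reject"],
  dismissCountsAsConsent: false,
};
const SITE_COOKIES = [
  { name: "sessionid", category: NECESSARY },
  { name: "_stats", category: "statistics" },
  { name: "ad_uid", category: "marketing" },
];

// Walk through one visit: no decision, a partial opt-in, then withdrawal.
function demoVisit() {
  const store = new ConsentStore(["statistics", "marketing"]);
  const beforeDecision = allowedCookies(SITE_COOKIES, store);
  store.record("accept-selected", ["statistics"]);
  const afterOptIn = allowedCookies(SITE_COOKIES, store);
  store.record("withdraw");
  const afterWithdraw = allowedCookies(SITE_COOKIES, store);
  return { beforeDecision, afterOptIn, afterWithdraw };
}

console.log(auditConsentForm(OPT_OUT_BANNER));
console.log(auditConsentForm(OPT_IN_FORM));
console.log(demoVisit());
```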

2.4 Dark Patterns

The ethics of guiding a user through design has been discussed by many designers. Dark patterns is the common name for this kind of interface guidance. The designer has the possibility to affect the user's actions and choices, which may benefit the website in different ways [11].

This type of persuasive design has been highlighted in related research such as the study by Nouwens et al. (2020), "Dark patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence". The authors draw the link between dark patterns such as persuasive design and GDPR's cookie laws. With dark patterns, the user keeps the feeling of making a free and uninfluenced choice, although the choices are already limited or made for the user by the design. The design is deliberately conceived to make the user make the choices the designer wants. The design can thus be seen as a dark pattern [10].

The focus around cookie consent forms is not only about legal aspects but also about ethical aspects.

2.5 State-of-the-Art Analysis

Fig 1. Cookie Consent form at Aftonbladet, Schibsted.

The four major media companies in Sweden today - Bonnier News, MTG, Schibsted and SVT - all have similar designs on their cookie consent forms. The consent form is often designed as a banner, placed at the very top or at the bottom of the page. They all consist of a small text about the use of cookies, data privacy with the choice: "I understand" / "OK" / "close" and "More information." See Figure 1 as an example.


The cookie consent forms used by these four media companies do not fulfill the requirements of the GDPR, since they use opt-out forms in different ways. There is also a question of whether the text they provide is easy and understandable for all users. Since the requirements presented by GDPR on how a consent form should be structured are subjectively formulated, they are understandably hard to interpret. What is the most efficient way of constructing a consent form, and how can companies know that the information presented is clear? The design decisions should simply be made by each company separately, because each company has its own user group with different needs.

3. METHOD

This section of the report will explain and present the methods used during the study aiming to answer the research question. The methodology consisted of three parts: a quantitative study, prototyping and a qualitative study. The three method parts are based on each other in the order mentioned. The results of the quantitative study laid the foundation for the prototype design and the prototypes in turn were used in the qualitative study.

3.1 Quantitative study

The quantitative study consists of a comprehensive survey that aimed to get an idea of people's current understanding and emotions about digital cookie consent forms. The results from the quantitative study were then used for the next part of the study when creating a prototype.

3.1.1 Survey

The survey, created with Google Forms, consisted of 26 questions in total, but the number varied for each individual user, as the form was tailored to the user's responses.

The test consisted of a link to a website with a screenshot of a fake cookie consent form, see Figure 2. After the interaction with the fake cookie consent form, the user was forwarded to the survey. The survey was distributed through social media. This website was coded in HTML and published through GitHub with the goal of getting the most natural user interaction possible with the consent form before answering the survey.

The survey was divided into four parts. The first part consisted of demographic information and participant consent. The second part was about consent forms: what the users had chosen within the fake cookie consent form, and consent forms in general. Depending on their choice within the consent form, different questions were asked. Two central topics included in the survey were the perceived feeling towards digital consent forms and the perceived level of control when interacting with them.

The third part focused on digital cookies and contained questions regarding to what degree the participants understood their use and effect. Questions regarding the corresponding emotions towards cookie consent were also included in the survey. To investigate these emotions, Robert Plutchik's eight basic emotions from the Wheel of Emotion [12] were used: joy, trust, fear, surprise, sadness, anticipation, anger, and disgust. As a result of the pilot study conducted before this, two other emotions were also added to the list, annoyed and indifference. The final part of the survey was about data privacy. Here, questions were asked about user behaviour, whether the user ever read data privacy texts, and whether the user felt concerned about their personal data.

The survey primarily used multiple choice and free text as response options. Likert scales were also used; they are useful when measuring users' attitude towards something [13], which several questions focused on.

Fig 2. Fake cookie consent form before survey.

3.2 Prototype

Based on the results from the survey and the state-of-the-art analysis, two different mobile prototypes were created with the purpose of being able to examine differences among them and with the state of the art in the qualitative user study.

The design process for the prototypes began with low fidelity paper sketches. The idea was to produce two different types of cookie consent forms, including content of importance based on the knowledge gathered during the previous quantitative part of the study. The purpose of the prototypes was not to create a solution but rather to highlight the functionalities and features that were brought up in the results of the survey.

Fig 3. To the left prototype 1 with its consent form and to the right prototype 2.

Once the design was established for the different prototypes, the low fidelity paper sketches were digitized into a high fidelity prototype using the design program Figma¹. The idea with each prototype was to create an experience where the user would be exposed to the cookie consent form without knowing it. The goal of the prototypes was to simulate a natural interaction between user and website. Images of the two consent forms are presented in Figure 3.

The two prototypes differ in content design in terms of amount of informational text and setting options. Prototype 1 contains a short summarized informational text about the use of cookies and several options regarding cookie settings. The user got the option to accept specific cookies, all or only the necessary ones.

Prototype 2 contained a longer summarized text about the use of cookies followed by two options regarding agreement of the use of cookies, yes or no.

3.3 Qualitative study

The qualitative part of the study was based on the results from the quantitative study. The content of the interviews was summarized and analysed using the method Thematic Analysis by Braun and Clarke [15], which involved categorizing the interviews and analyzing them according to different themes. None of the participants within the qualitative study had participated in the quantitative study, and they were therefore not aware of the investigated subject.

3.3.1 Remote Usability Test

The usability test was conducted remotely using a computer and the participant's own mobile phone. The test took about 30 minutes and was conducted through a video conference. Each participant received an email with instructions for preparations and a scheduled time slot. Just before the scheduled test time, an email was sent with a link to the prototype and a survey to be answered after the interaction. The email explicitly stated that the links may only be used when said so.

¹ https://www.figma.com/

Before the usability test began, the Think Aloud [14] user research method was explained to the user. This method is based on what the user sees and thinks, and the idea is that the user explains throughout the test what they see and their thoughts about it. This enables constant feedback from the user about the prototype while interacting with it [14].

The entire usability test session was screen and sound recorded, capturing the interactions between the user and the prototype. This was done in order to be able to go back and analyze the content at a later stage. To capture the physical interaction, the users were to make sure that the interaction steps done on the phone were visible for the camera, see fig 4 for picture of method.

Fig 4. Remote Usability Method

After the usability test with the prototype, each participant answered a shorter version of the survey that was used in the quantitative study (section 3.1.1). The survey consisted of 18 questions which were considered relevant for the usability test. The results gathered could then be compared with the data gathered in the previous quantitative study. After the survey, the test ended with a short open interview where answers from the survey were discussed further and additional thoughts were raised.

4. RESULTS

4.1 Survey

In this section, the most important issues and their results will be presented, covering each part of the survey. The respondents who agree and strongly agree were combined into one group, and the respondents who disagree and strongly disagree were merged into another group [16], a method used to more easily present and analyze the result.

4.1.1 Survey Part 1

The survey was answered by 235 people. 69.8% were women and 30.2% men. The age range was between 18 and 66 years. The mean age was 32 and the standard deviation for age was 12.27.

4.1.1 Survey Part 2

Before interacting with the survey and answering questions, the participant interacted with a fake cookie consent form, see fig 2.

Out of the 235 participants, only 24.3% read the text within the consent form. The majority, 80%, selected "I understand", whereas only 1.7% selected "Read more" on the cookie consent form. 18.3% of the participants tried to ignore the consent form and continue to the survey without interacting with the consent form. Of those who selected "I understand", only 17.6% said that they understood what they consented to, 43.1% said that they did not understand, and 39.4% said that they might have understood what they consented to.

When asked about the feeling of having a choice in regards to interacting with a consent form and if they felt that they had several options within consent forms, the majority of the answers were negative. 61.7% did not agree that they had a choice of how to interact with the consent form. 69.8% also felt that they did not have multiple choices to choose from within the form. The survey also showed that the trustworthiness of a website plays a role of how the user chooses to interact with the consent form. 81.3% of the participants said that the trustworthiness of the website had an effect on how the user chooses to interact with the form.

4.1.2 Survey Part 3

The third part of the survey consisted of questions regarding digital cookies. In the introduction, a short text was presented with an explanation of what a digital cookie is. The first question asked about if the user knew before reading the introduction what a digital cookie did and 88.1% stated that they knew. 58.3% did also know how to handle their cookie settings. When asked about the emotions that represent their feeling about giving consent to digital cookies, annoyance (57%) and indifference (51%) were the emotions mentioned the most. The percentage of each emotion is presented in Figure 5 below.

Fig 5. Result of the question “What emotion (s) represent your feeling about giving consent to digital cookies”.

4.1.3 Survey Part 4

The fourth and last part of the survey consisted of questions regarding data privacy text, which is often found within the consent form or under the commonly present "read more" button.

For the question about which emotion represented their feeling about data privacy texts, the participant could choose one or several emotions from a list. Annoyed (47.7%) and indifference (38.7%) were the two emotions that represented the users' feelings about data privacy texts. The emotion of fear (20%) was also highly rated in this question.

The feeling of fear was also evident in other issues. The result for the question "How concerned are you about sharing personal information digitally?" is presented in Figure 6, where the majority responded that they were concerned in some form as opposed to not being concerned.

Fig 6. Percentage result from the question "How concerned are you about sharing personal information digitally?", where 1 = Not at all concerned and 5 = Very concerned.

It also becomes clear that uncertainty exists regarding the feeling of having control over one's personal data. On a 5-point Likert scale, the user had to answer the question "To what degree do you feel that you are in power of your personal data?". As the results in Figure 7 show, none of the users answered that they feel that they are in power over their personal data to a high degree. Instead, the results showed the opposite. The majority, corresponding to 63%, leaned towards having no control over their data, while 29.4% answered neutrally to the question.

Fig 7. Percentage result from the question "To what degree do you feel that you are in power of your personal data?", where 1 = To no degree and 5 = To a high degree.

4.2 Usability Test

In this section of the report, the results from the qualitative evaluation will be presented. The result is divided into three sections. The usability test consisted of 14 participants in total, 7 for each test. Of the 14 participants, 6 were men and 8 women. The age range was between 20 and 65, and the mean age was 36 years with a standard deviation of 13.8.

4.2.1 Choice of action / interaction

Within prototype 1 (see Figure 3), two actions were chosen by the users: "Approve and Continue" and "Reject all non necessary".

Four out of seven users pressed “Approve and continue” and did not activate any settings for specific digital cookies. The remaining three participants chose to “reject all non necessary”.

For prototype 2 all seven participants pressed “Yes” to accept the terms given in the prototype.

4.2.2 Survey

For the sake of our analysis, those who agree and strongly agree will be combined into one group, and the respondents who disagree and strongly disagree will be merged into another group [16].

In this section, the most important issues and their results will be addressed from each part of the survey. The first part of the survey contained general questions about the user. The second part consisted of questions regarding consent forms. The first question about the prototype was "Did you read the text within the consent form?" For Prototype 1, 28.57% answered "Yes" and 71.42% "No". For Prototype 2 the difference was slightly higher: 14.28% answered "Yes" and 85.71% answered "No". The second question was whether the participant understood what they consented to. Only 14.28% for each prototype understood what they consented to. For Prototype 1, 57.14% did not understand what they consented to and 28.57% were unsure and answered "Maybe" to the question. For Prototype 2, 42.85% answered "No" and 42.85% "Maybe". The distribution is presented in Figure 8.

Fig 8. Percentual result from the question “Did you understand what you consented to?”

Regarding the feeling of choice within the form, the result differs between the two prototypes. For the statement "I feel that I had several answer options within the consent form", 57.14% felt that they had several answer options within Prototype 1 and 42.85% disagreed. For Prototype 2, 71.42% felt that they had options within the consent form and 28.7% disagreed.

As shown in the quantitative results in section 4.1.1, the trustworthiness of a website affects the choice of consent; this is also clearly indicated in this survey. For both prototypes, 85.71% agreed that the trustworthiness of the website affected their choice of consent, compared with 14.28% who did not think the website affected the choice. Six different categories of reasons why a website is seen as trustworthy were presented, and each participant could choose one or several and add their own explanation.

The result from the six categories and all 14 participants is presented in Figure 9. One participant also added that a well-established company influences their perception of the trustworthiness of the website.

Fig 9. Percentage result from the question "Which of the following statements influence the trustworthiness of the website?" for all 14 participants.

The last question about the consent form concerned the emotion each prototype's consent form evoked. Each participant was presented with 10 different emotions and could choose one or several and add their own emotion if needed. The emotion mentioned the most was annoyance, with 71% for Prototype 1 and 85% for Prototype 2. Indifference (57%) was also mentioned a lot, but only for Prototype 2. For Prototype 1, one participant added the feeling of fatigue. The result from the question is presented in Figure 10.

Fig 10. Percentage result from the question "What emotion(s) represent your feeling about the consent form?"

The second part of the survey consisted of questions regarding digital cookies. A short explanation of what digital cookies are was presented at the beginning of the form. Based on that, participants were asked how comfortable they felt about the effects of digital cookies. The results for Prototype 1 showed that 28.57% felt “Uncomfortable” with regard to how digital cookies affect them, 57.14% felt “Neither comfortable or uncomfortable” and 14.28% felt “Very comfortable”. For Prototype 2, 28.57% felt “Uncomfortable”, 42.85% “Neither comfortable or uncomfortable” and 28.57% felt “Comfortable” with how digital cookies affect them.

With regard to how the use of cookies on the website was explained for each prototype, the result for Prototype 1 was that 42.85% agreed that the use was explained, 28.57% were neutral to the question and 28.57% disagreed that the meaning and use of digital cookies on the website was explained. The majority (71.42%) of the participants for Prototype 2 agreed that the meaning and use of digital cookies was explained within the consent form, and 28.57% were neutral to the question.

When asked about the emotions that represent their feeling about giving consent to digital cookies, trust, fear, anger, anticipation, annoyed and indifference were each mentioned at least once. See the distribution of emotions in Figure 11. Annoyed was the emotion mentioned the most for both prototypes, with 42.85% for Prototype 1 and 57.14% for Prototype 2.

Fig 11. Percentage result of the question “What emotion(s) represent your feeling about giving consent to digital cookies”

The last part of the survey was about data privacy and sharing of personal information. When asked how concerned each participant is about sharing personal information digitally, 57.14% of all 14 participants felt concerned about sharing personal information digitally, 35.71% were neutral to the question and 21.42% were not concerned.

The last question in the survey was “With this consent form, To what degree do you feel that you are in power of your personal data?” The result was similar for both Prototype 1 and 2. The majority felt that they did not have any power over their personal data within the consent form. Only one participant using Prototype 1 felt that they had power over their personal data. See the full distribution of the result in Figure 12.

The statistical analysis with an unpaired t-test between prototype 1 and 2 shows that the comparisons between the two are not significant; however, this could be caused by the limited number of participants. Careful conclusions about differences and similarities can nevertheless be drawn from the results of the survey within the qualitative study when they are combined with statements from participants.

Fig 12. Percentage result of the question “With this consent form, To what degree do you feel that you are in power of your personal data?” where 1 = To no degree and 5 = To a high degree.


4.2.3 Thematic Analysis Results

The interviews were categorized and analyzed according to different content themes in order to obtain clear results [15].

Quotes from the participants are presented in this section and the prototypes are categorized as prototype 1 (A) and prototype 2 (B) with associated participant number. The instructions during the test and the interview were mainly given in Swedish and the results were translated into English afterwards. For the thematic analysis, it is important to keep in mind that statements can often be very personal, being based on past experiences and personal preferences. However, this gives a good insight into the participants' emotions, and many answers and statements could be used in combination with the results of the survey.

During the usability test participants were free to express their thoughts out loud. Several participants expressed frustration when confronted with the consent form. Many negative thoughts were voiced during the interaction.

“Uhh noo, got no time for this” (A1)

The usability test aimed to create as normal an interaction as possible between users and the cookie consent form, and can be considered a success. All participants were surprised when it turned out that the test was over after the interaction, expressing that they did not understand that the consent form was the actual test. They were all focused on the task of finding the article and reading it.

4.2.3.1 Theme: Options

The number of options within a consent form was raised by several participants. Many were positive about the various options and that there was an opportunity to choose at all. But there was a consistent view that the number of options could have been greater.

I have seen better consent forms that had more alternatives. (B4)

This was said by a participant who was exposed to two options.

Participants from the other group were more positive towards the options but still expressed an unsatisfied feeling.

It is better to have any kind of influence than none. This type of consent form is better than those that exist today. But I would have liked more options. (A4)

One of the options for prototype 1 was reject all non necessary cookies, an option that was much appreciated by one participant.

Good that there were options and especially only the most necessary. I do not want third-party cookies. (A1)

However, many of the Prototype 1 (A) participants were skeptical of the expression "necessary cookies". What does “necessary cookies” stand for?

For some, it will ultimately only be about two options, even if more are given: accept or reject, yes or no. This is because of different factors. It could be laziness, incomprehensibility, intrepidity; it often comes down to how much the user cares.

I think yes or no would have been more relevant than lots of choices. Short text. Just having yes and no is enough for the feeling that I have choices, provided you are allowed to proceed even if you say no. (A7)

4.2.3.2 Theme: Text

The second theme is text content. The text content for each prototype highlights two perspectives, the amount of text and the quality of the content. Many of the participants expressed that the amount of text was too much to handle, which resulted in them simply not reading it all.

Participants who were exposed to prototype 2 (B) also proposed dividing the long text into several parts to make it easier to read.

Too much information, so I did not read it. Would have liked to split the information, so I know what I agree on. (B2)

However, many participants from both groups also expressed that the amount of information was enough, neither too much nor too little, but only after interacting with the consent form again in the survey. In the first interaction, most participants who expressed this feeling did not read the text but stated that they normally do.

Reasonable amount of text but I did not read. In normal cases, I'd probably read. (A5)

It wasn’t so much text and I liked it. I did not read it in the test but normally do. (B5)

Only a few individuals expressed that there was too little information provided within the consent form, mainly within prototype 1 (A).

In the end, many of the thoughts resulted in participants thinking the quality and content of the text could be improved, highlighting the importance of a good and understandable description of what cookies are, what they do, why the website needs them and what the different choices mean for the user: what the different actions mean and how they will affect the use of the website.

Bad description of what cookies do. If it had been clearly described, people would not give consent I believe. Unclear what kind of data that is collected. (A2)

4.2.3.3 Theme: Data Collection

The feeling of being cheated, sold out and monitored is a recurring feeling in about half of the participants, and the majority of them are men.

That I understand is not the same as saying that I think it is okay to save my information. It would have been really interesting to choose different cookies but I do not think you have the time to choose, and what is it you approve really? (B7)

It becomes clear that the relationship between users and websites is questionable. Do you, as a user, dare to trust that the website presents the truth? One participant describes it as being given an opportunity of freedom, but who knows if they imprison you in another way without you knowing it.

It goes so far that some users feel monitored. Who knows what is saved and can be used against one at a later stage?

I feel uncomfortable with the whole situation. They use this to sell information about me not to give me a better experience on the site. I feel monitored. (A3)

4.2.3.4 Theme: Active Choice

The feeling of making an active choice with regard to accepting terms or choosing specific setting options within the consent form was frequently mentioned and highly rated. The words to make an "active choice" were the most widely used words throughout the study. Here one participant describes the interaction with the consent form within prototype 1.

It was very annoying, I just wanted to get access to the content. But on the other hand with cookie banners I might not make an active choice. Maybe it is good that I get annoyed so that I actually read. (A1)

The full screen consent form was a new experience for many of the participants. The annoyance with the consent form became evident during the interaction, but the participants' reflection afterwards was often positive. Several of the participants felt that the large form made them stop longer and observe the content. They spent more time on the form than they usually do, for example compared with a banner cookie consent form.

I like this type of consent form that forces you to make a choice. Better that than nothing. (A4)

I prefer a big consent form, the small ones have a tendency to just be in the way. With this new kind you get the feeling that you finish after one interaction. (B3)

The tendency for a consent form to feel in the way when interacting with a website disappears with the fullscreen consent form. However, not all participants were positive towards fullscreen consent forms. The opportunity to ignore the form is, for instance, gone. Some participants find that they sometimes do not want to interact with the form at all, especially on websites they do not feel comfortable with.

Hate that it took up a full screen. Annoying, I would have preferred several options and banner since I then have the opportunity to ignore it. (B2)

I like today’s consent forms like banner more on a website that I do not visit so often. On the other hand, it is good with bigger ones where I am forced to answer. (B4)

The active choice is, for many, another way of expressing the feeling of control: the control of your personal data and settings, making you feel safe as a user.

Banners have a small bandwidth to make a decision. The advantage of the prototype is that you feel you have some control. Because I had the availability of an active choice. A little more control over what happened. (A6)

Only a few individuals expressed the opposite feeling: that the website had more control over them as users, or that they got bogged down by making choices. Some users simply did not want to make a choice at all.

5. DISCUSSION

This study aimed to understand which factors are important for a greater user understanding and awareness within cookie consent forms. The method consisted of both a quantitative and a qualitative study, evaluating the current state-of-the-art design and the new design proposals derived from the quantitative study, and comparing these by surveys and interviews. This section discusses the results presented above and what they mean for digital cookie consent forms. The foundation of this discussion is the research question: Which factors make a cookie consent form successful, concerning how well a user understands the content and is aware of his/her choice of action?

5.1 Factors

5.1.1 Text

The amount of informational text in a cookie consent form is of great importance both for the website to meet its information requirements but also for the user to have access to the information needed. With too much text, the user can lose focus and not read the content, whereas with too little text, the user gets insufficient information to make a well-founded choice.

It is clear from the thematic analysis that prototype 1 had too little text in general and prototype 2 had too much. Prototype 1 had a good structure with divided text; on the other hand, the text was overall too short. An optimal text could thus have been the length of prototype 2 but divided into different sections for different areas of information. The visual part of informing is at least as important. A wall of text is difficult to manage as a user. It is important to use visual tricks such as paragraphs and colors.

If a user now pauses and reads the text, it is of great importance that the quality and content of the text is good. It should, as expressed in the GDPR, be in normal language that the user understands and be clearly visualized [2]. Many expressed that the description of what the website wanted with the approval, what cookies do and how it will affect the user was too poor.

What happens if a user for instance chooses not to accept the terms? Will there be no access at all to the website, access but without any visual styling, or just normal access but only with necessary cookies? The questions are many and these are important aspects that should be clearly stated in every cookie consent form.

This leads us to the description stated within the GDPR of having a clear text that the user understands [2]. What is really a clear and understandable text? One user may think that a text is clear, but that does not mean that the next user feels the same. Who decides what a clear text is? Can the website itself decide if it is a clear text or not, or is that biased? The question remains: who decides if it is an approved text according to the GDPR and related directives?

5.1.2 Options

Giving a user options within a cookie consent form is complicated. In the quantitative study with the state-of-the-art as background, the majority felt that they had no options within the form, something that was quite contradictory within the prototypes in the qualitative study. There was a significant statistical difference between prototype 2 and the state-of-the-art (unpaired t-test yields p-value of 0.017), which leads us to the balance between quantity and quality for options within the form.

Prototype 1 had several options and prototype 2 had two options. Too many options can make the user feel overwhelmed with information; however, some users could of course prefer this. Having slightly fewer options but with clear directives on what they mean is preferable. The important thing to highlight is that the feeling of having options is what affects the user. It is not really about giving the user 10 different options; two are enough, but the user must feel that they have options to choose from and a choice to make.

5.1.3 Full-page consent form

By giving the user the feeling of options, the user was also given a sense of choice, which in turn contributes to an increased sense of control. Full-screen consent forms, such as those used in the usability test, force the user to make a choice before accessing the website. While this is something that some users may find annoying and time-consuming, it also contributes to active participation by the user. Without any kind of interaction, the user does not have access. The user must therefore pause and focus on the content, read and make an active choice. It is the latter that is most important, as it leads to the user making a conscious, active choice.

5.1.4 Active Choice

An active choice contributes to much more than just a decision. From what we can see from the results, the feeling of making an active choice can in many cases also lead to an increased sense of control: an increased feeling that the user has had a little more power over the choice and how it affects their experience and personal data. However, it does not contribute to a feeling of full control, which we could also see from the results of the survey. Compared to previous consent forms where the user could ignore the form or be forced to make a passive choice, this increased feeling is important. As highlighted in the results from participants, it is better to make some kind of choice than none, since it leads to some kind of control, which in turn increases the sense of security. The user becomes more confident and feels safer with their choice.

5.1.5 Trustworthiness

One of the major factors in accepting cookies is the trustworthiness of the website. As seen from the results of both surveys, 81.3% within the quantitative study and 87.71% from the usability test expressed that the trustworthiness of the website affects their choice of interaction.

As we can see from the results, well-known, well-established and popular websites often enjoy a high level of trust. This can cause the user to blindly trust the website without doing a more thorough review of the consent form. This became clear during the usability test, when many expressed that they trusted Svenska Dagbladet and Schibsted and that the company would not do anything that could damage its reputation. However, this is an aspect that the user should be vigilant about. The fact that a website has a high level of trust can make it easier to mislead users, for instance through so-called dark patterns [11]. There is nothing that states that a well-known website won't use whatever measures it can to get the user's approval for cookies. If we look at the perspective of a large media company, it is clear that they want to use marketing cookies so that they can build a picture of what the user might think is interesting advertising and thus sell advertising spots to suitable companies. That is what the business plan is about for many. But where does the ethical limit lie for misleading the user into approving cookies that may be unnecessary for the user so that the company can make a profit?

The state-of-the-art consent forms in Sweden give the user an opportunity to turn off certain types of cookies, but the way to do it is not as easy as it should be. It is often required that the user searches through settings, reads a lot of text and unchecks different checkboxes. The website has simply made it difficult for the user to withdraw their approval, which the user never really gave because the choice was made passively when the user entered the website.

It is no wonder that users feel that digital cookie consent forms are annoying. They take up a lot of space, are often difficult to understand, affect your personal data and so on. Annoying was the emotion mentioned the most during this study, a feeling that existed regardless of the type of design for the consent form. The feeling against consent forms is so ingrained in people that it will probably be difficult to change.

5.2 Future Work

It would be interesting to learn more about the effects and content of an active choice. What is considered an active choice for different types of users and what other ways than those suggested here can be done to get the user to make an active choice?

Another interesting aspect to investigate further is the design of the consent form. It would be interesting to have another round of usability tests with a large number of participants, this time examining details within the consent form and exploring different text types and options in detail: exactly what should be in the text and how it should be formulated for the best user understanding.

5.3 Method Discussion

This study aimed to investigate the knowledge around and impact of digital cookies and users’ data privacy by providing guidelines on which factors are important when designing digital cookie consent forms. The study is based upon quantitative and qualitative results in the form of surveys and interviews. The data from the quantitative study is assumed to be of sufficient quantity, given the large number of participants. The qualitative study did not reach the same number of participants as the quantitative study. The survey within the qualitative study would have benefited from a larger number of participants, as that might have amplified the differences and similarities in the data.

However, in combination with the qualitative data in the form of interviews, the results could be strengthened with well-founded statements. The result between the prototypes could probably have been validated statistically with a higher number of participants. The statistical analysis, on the other hand, could be made against the quantitative study.

The usability test was originally designed to be held in person. Due to the outbreak of the covid-19 pandemic, the qualitative part of the study had to be redesigned to work completely digitally. The idea was initially not to use a survey, but since many of the questions from the first survey proved to be of great importance, it was decided to reuse many of the questions, and not in an interview format. The survey was also used again because it was an easy way to get the needed data that could be compared with the previous survey.

Given how difficult it could be to interview and do the usability test online, it was decided to re-use the survey to facilitate it. The result is based on the assumption that the users expressed their thoughts aloud during the test. Given the relatively small number of statements expressed, one can assume that participants may not have said as much as they would have if the instructor had been sitting in the same room. It is difficult to determine if the result would have been different if the test had been performed as initially intended. It would probably have been easier, at least in terms of instructions and help.

6. CONCLUSION

This study includes a quantitative study and a qualitative study investigating the research question: Which factors make a cookie consent form successful, concerning how well a user understands the content and is aware of his/her choice of action? The results of the quantitative study that examined the state-of-the-art consent forms showed that users were not satisfied and that many forms did not meet the functional requirements of GDPR. The qualitative study with its usability test presented many important findings regarding digital cookie consent forms. This study presents five factors that are important for a cookie consent form to be successful. These are text, options, full-page consent form, active choice and trustworthiness. This study shows that full-page consent forms can contribute to an active choice, which can contribute to a feeling of more control, which in turn can contribute to a greater feeling of safety. The text is of high importance, the quality of options is more important than the number of options, and the feeling of having options within the consent form also contributes to a greater feeling of control within the cookie consent form. By using these factors when creating the design for the cookie consent form, we raise the real purpose and functions of the form. The user is also given a greater opportunity to understand the content and make an active choice.

ACKNOWLEDGMENTS

A big thank you to my supervisor at the institution, Adrian Benigno Latupeirissa, for all the support and continuous feedback during this process. Another thank you to my supervisor at Schibsted, Martin Bystedt for welcoming me into Schibsted where I gained access to valuable knowledge and help from people within this field of work. Finally a big thank you to all who participated in the study.

REFERENCES

[1] The General Data Protection Regulation (GDPR) - Datainspektionen. (n.d.). Retrieved February 3, 2020, from https://www.datainspektionen.se/other-lang/in-english/the-general-data-protection-regulation-gdpr/

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). (n.d.).

[3] Definition of cookie | PCMag. (n.d.). Retrieved February 3, 2020, from https://www.pcmag.com/encyclopedia/term/cookie

[4] På förhand ikryssade cookie-rutor på en websida utgör inte giltigt samtycke enligt EU-domstolen – Brann. (n.d.). Retrieved February 3, 2020, from https://www.brann.se/2019/10/10/pa-forhand-ikryssade-cookie-rutor-pa-en-websida-utgor-inte-giltigt-samtycke-enligt-eu-domstolen/

[5] Johnson, E. J., Bellman, S., & Lohse, G. L. (2002). Defaults, Framing and Privacy: Why Opting In-Opting Out 1. In Marketing Letters (Vol. 13).

[6] Kulyk, O., Hilt, A., Gerber, N., & Volkamer, M. (n.d.). “This Website Uses Cookies”: Users’ Perceptions and Reactions to the Cookie Disclaimer. https://doi.org/10.14722/eurousec.2018.23012

[7] Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu. (n.d.). Retrieved February 11, 2020, from https://gdpr.eu/cookies/

[8] Council, O. F. T. H. E. (1996). Directive 95/ /EC of the European parliament and of the council: Of on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Studies in Health Technology and Informatics, 27(L), 83–118. https://doi.org/10.3233/978-1-60750-871-7-83

[9] The Council of the European Union. (2009). Citizen’s Rights Directive 2009/136/EC. Official Journal of the European Union, 2009(May), 11–36.

[10] Nouwens, M., Liccardi, I., Veale, M., Karger, D., & Kagal, L. (2020). Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence. https://doi.org/10.1145/3313831.3376321

[11] Gray, C. M., Kou, Y., Toombs, A., Battles, B., Hoggatt, J., & Toombs, A. L. (2018). The Dark (Patterns) Side of UX Design. https://doi.org/10.1145/3173574.3174108

[12] Plutchik, R. (2001). The Nature of Emotions: Human emotions have deep evolutionary roots, a fact that may explain their complexity and provide tools for clinical practice. American Scientist, 89(4), 344-350. Retrieved May 17, 2020, from www.jstor.org/stable/27857503

[13] Likert, R. (1932). A technique for the measurement of attitudes. Archives of Psychology, 22 140, 55.

[14] Lazar, J., Feng, J. H., & Hochheiser, H. (2017). Research Methods in Human-Computer Interaction. In Research Methods in Human-Computer Interaction. https://doi.org/10.1016/b978-0-444-70536-5.50047-6

[15] Braun, V., & Clarke, V. (2012). Thematic analysis, APA Handbook of Research Methods in Psychology. In APA handbook of research methods in psychology, Vol 2: Research designs: Quantitative, qualitative, neuropsychological, and biological. (Vol. 2, pp. 57–71). https://doi.org/10.1037/13620-004

[16] Jamieson, S. (2004). Likert scales: How to (ab)use them. Medical Education, 38(12), 1217–1218. https://doi.org/10.1111/j.1365-2929.2004.02012.x


www.kth.se

TRITA-EECS-EX-2020:577
