research-article

Dark Patterns in the Wild: Review of Cookie Disclaimer Designs on Top 500 German Websites

Authors:

Heike Dietmann,

Melanie Volkamer,

Oksana KulykAuthors Info & Claims

EuroUSEC '21: Proceedings of the 2021 European Symposium on Usable Security

Pages 1 - 8

https://doi.org/10.1145/3481357.3481516

Published: 11 December 2021 Publication History

Abstract

Cookie disclaimers are these days an indispensable part of surfing and working on the Internet. In this work, we report on examining and classifying the cookie disclaimers on the 500 most popular websites in Germany, based on the presented information about data collection via cookies and the provided choices at the cookie disclaimer. Our analysis results in 13 categories of cookie disclaimers, consisting of six main categories and additional subcategories. Our findings include that dark pattern based categories were prevalent among the cookie disclaimers: e.g. (1) more than 85% of the investigated websites providing a cookie disclaimer and giving the option to reject cookies are visually nudging users towards accepting all cookies; (2) Only 21.5% of those providing a cookie disclaimer offer a reject-all option with a single click. We discuss our results and conclude that both raising user awareness as well as addressing dark patterns from a legal point of view is needed.

References

[1]

Inc.1996 2021 Alexa Internet. 2021. Alexa - Top Sites in Germany. https://www.alexa.com/topsites/countries/DE, retrieved from November 17, 2020.

[2]

Claude-Etienne Armingaud and Lucile Rolinet. 2020. French Data Protection: French Supervisory Authority Publishes Updated Guidance on Cookie and Other Tracking Technologies. The National Law Review: https://www.natlawreview.com/article/french-data-protection-french-supervisory-authority-publishes-updated-guidance, last accessed on 25.02.2021.

[3]

Caudio Carpineto, Davide Lo Re, and Giovanni Romano. 2016. Automatic Assessment of Website Compliance to the European Cookie Law with CooLCheck. In Proceedings of the 2016 ACM on Workshop on Privacy in the Electronic Society (Vienna, Austria) (WPES ’16). Association for Computing Machinery, New York, NY, USA, 135–138. https://doi.org/10.1145/2994620.2994622

Digital Library

[4]

Court of Justice of the European Union. 2019. Judgement of the court (grand chamer), case C-673/17, Planet49.

[5]

Court of Justice of the European Union. 2020. PRESS RELEASE No 125/19. Judgment in Case C-673/17 Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband eV v Planet49 GmbH. https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-10/cp190125en.pdf, last accessed on 25.02.2021.

[6]

Danish Data Protection Authority. 2017. Nye retningslinjer om behandling af personoplysninger om hjemmesidebesøgende. https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2020/feb/nye-retningslinjer-om-behandling-af-personoplysninger-om-hjemmesidebesoegende/, last accessed on 3.10.2020.

[7]

Martin Degeling, Christine Utz, Christopher Lentzsch, Henry Hosseini, Florian Schaub, and Thorsten Holz. 2019. We Value Your Privacy... Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy. Proceedings 2019 Network and Distributed System Security Symposium (2019). https://doi.org/10.14722/ndss.2019.23378

[8]

German Federal Court of Justice. 2020. IZR 673/16, Cookie-Einwilligung II.

[9]

Paul Grassl, Hanna Schraffenberger, Frederik Zuiderveen Borgesius, and Moniek Buijzen. 2021. Dark and bright patterns in cookie consent requests. Journal of Digital Social Research 3, 1 (2021), 1–38.

[10]

Colin M. Gray, Yubo Kou, Bryan Battles, Joseph Hoggatt, and Austin L. Toombs. 2018. The Dark (Patterns) Side of UX Design. Association for Computing Machinery, New York, NY, USA, 1–14. https://doi.org/10.1145/3173574.3174108

Digital Library

[11]

Colin M. Gray, Cristiana Santos, Nataliia Bielova, Michael Toth, and Damian Clifford. 2021. Dark Patterns and the Legal Requirements of Consent Banners: An Interaction Criticism Perspective. Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems (May 2021), 1–18. https://doi.org/10.1145/3411764.3445779

Digital Library

[12]

Georgios Kampanos and Siamak F Shahandashti. 2021. Accept All: The Landscape of Cookie Banners in Greece and the UK. arXiv preprint arXiv:2104.05750(2021), 213–227.

[13]

Oksana Kulyk, Nina Gerber, Annika Hilt, and Melanie Volkamer. 2018. ”This Website Uses Cookies”: Users’ Perceptions and Reactions to the Cookie Disclaimer. In 3rd European Workshop on Usable Security (EuroUSEC), London, England, April 23, 2018. Internet Societa, Reston 8VY).

[14]

Oksana Kulyk, Nina Gerber, Annika Hilt, and Melanie Volkamer. 2020. Has the GDPR hype affected users’ reaction to cookie disclaimers?Journal of Cybersecurity 6, 1 (2020), tyaa022.

[15]

Ronald Leenes and Eleni Kosta. 2015. Taming the cookie monster with dutch law–a tale of regulatory failure. Computer Law & Security Review 31, 3 (2015), 317–335.

[16]

Dominique Machuletz and Rainer Böhme. 2020. Multiple purposes, multiple problems: A user study of consent dialogs after GDPR. Proceedings on Privacy Enhancing Technologies 2020, 2(2020), 481–498.

[17]

Célestin Matte, Nataliia Bielova, and Cristiana Santos. 2020. Do Cookie Banners Respect my Choice?: Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework. (2020), 791–809.

[18]

Midas Nouwens, Ilaria Liccardi, Michael Veale, David Karger, and Lalana Kagal. 2020. Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence. arXiv preprint arXiv:2001.02479(2020).

[19]

Council of the EU. 2021. Confidentiality of electronic communications: Council agrees its position on ePrivacy rules. https://www.consilium.europa.eu/en/press/press-releases/2021/02/10/confidentiality-of-electronic-communications-council-agrees-its-position-on-eprivacy-rules/, retrieved from February 26, 2021.

[20]

Cristiana Santos, Nataliia Bielova, and Célestin Matte. 2020. Are cookie banners indeed compliant with the law?Technology and Regulation(2020), 91–135.

[21]

The European Parliament and of the Council of European Union. 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/eli/reg/2016/679/oj, last accessed on 25.02.2021.

[22]

Martino Trevisan, Stefano Traverso, Eleonora Bassi, and Marco Mellia. 2019. 4 years of EU cookie law: Results and lessons learned. Proceedings on Privacy Enhancing Technologies 2019, 2(2019), 126–145.

[23]

Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub, and Thorsten Holz. 2019. (Un)informed Consent. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (Nov 2019), 973–990. https://doi.org/10.1145/3319535.3354212

Digital Library

[24]

Rob Van Eijk, Hadi Asghari, Philipp Winter, and Arvind Narayanan. 2019. The impact of user location on cookie notices (inside and outside of the European Union). In Workshop on Technology and Consumer Protection (ConPro’19). IEEE. IEEE, United States, 6.

Cited By

Beauvisage TMellet K(2024)Réguler le marché par le consentement ? Les professionnels de la publicité face au Règlement général sur la protection des données (RGPD)Revue Française de Socio-Économie10.3917/rfse.032.0153n° 32:1(153-172)Online publication date: 22-May-2024
https://doi.org/10.3917/rfse.032.0153
Calero Valdez AHeine MFranke TJochems NJetter HSchrills T(2024)The European commitment to human-centered technology: the integral role of HCI in the EU AI Act’s successi-com10.1515/icom-2024-001423:2(249-261)Online publication date: 15-Jul-2024
https://doi.org/10.1515/icom-2024-0014
Puhtila PHeino TRauti S(2024)Third-Party Data Leaks and Dark Patterns in Finnish Political WebsitesProceedings of the International Conference on Computer Systems and Technologies 202410.1145/3674912.3675248(43-50)Online publication date: 14-Jun-2024
https://dl.acm.org/doi/10.1145/3674912.3675248
Show More Cited By

Recommendations

Cross Cookie: A Cookie Protocol for Web Mashups
ISECS '08: Proceedings of the 2008 International Symposium on Electronic Commerce and Security

In this paper, HTTP cookies, especially when they are used in Web mashups, are studied. A new cookie protocol named Cross Cookie is proposed. In a Cross Cookie, both information of where the cookie is originated and where the cookie is used on client-...
Overcoming browser cookie churn with clustering
WSDM '12: Proceedings of the fifth ACM international conference on Web search and data mining

Many large Internet websites are accessed by users anonymously, without requiring registration or logging-in. However, to provide personalized service these sites build anonymous, yet persistent, user models based on repeated user visits. Cookies, ...
Accurate and efficient crawling for relevant websites
VLDB '04: Proceedings of the Thirtieth international conference on Very large data bases - Volume 30

Focused web crawlers have recently emerged as an alternative to the well-established web search engines. While the well-known focused crawlers retrieve relevant webpages, there are various applications which target whole websites instead of single ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

EuroUSEC '21: Proceedings of the 2021 European Symposium on Usable Security

October 2021

241 pages

ISBN:9781450384230

DOI:10.1145/3481357

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 December 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article
Research
Refereed limited

Conference

EuroUSEC '21

EuroUSEC '21: European Symposium on Usable Security 2021

October 11 - 12, 2021

Karlsruhe, Germany

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

22
Total Citations
View Citations
685
Total Downloads

Downloads (Last 12 months)210
Downloads (Last 6 weeks)36

Reflects downloads up to 13 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Beauvisage TMellet K(2024)Réguler le marché par le consentement ? Les professionnels de la publicité face au Règlement général sur la protection des données (RGPD)Revue Française de Socio-Économie10.3917/rfse.032.0153n° 32:1(153-172)Online publication date: 22-May-2024
https://doi.org/10.3917/rfse.032.0153
Calero Valdez AHeine MFranke TJochems NJetter HSchrills T(2024)The European commitment to human-centered technology: the integral role of HCI in the EU AI Act’s successi-com10.1515/icom-2024-001423:2(249-261)Online publication date: 15-Jul-2024
https://doi.org/10.1515/icom-2024-0014
Puhtila PHeino TRauti S(2024)Third-Party Data Leaks and Dark Patterns in Finnish Political WebsitesProceedings of the International Conference on Computer Systems and Technologies 202410.1145/3674912.3675248(43-50)Online publication date: 14-Jun-2024
https://dl.acm.org/doi/10.1145/3674912.3675248
Krauß VSaeghe PBoden AKhamis MMcGill MGugenheimer JNebeling M(2024)What Makes XR Dark? Examining Emerging Dark Patterns in Augmented and Virtual Reality through Expert Co-DesignACM Transactions on Computer-Human Interaction10.1145/366034031:3(1-39)Online publication date: 22-Apr-2024
https://dl.acm.org/doi/10.1145/3660340
Sanchez Chamorro LLallemand CGray C(2024)"My Mother Told Me These Things are Always Fake" - Understanding Teenagers' Experiences with Manipulative DesignsProceedings of the 2024 ACM Designing Interactive Systems Conference10.1145/3643834.3660704(1469-1482)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3643834.3660704
Fitton DMacKenzie SRead J(2024)Investigating the Impact of Monetization on Children’s Experience With Mobile GamesProceedings of the 23rd Annual ACM Interaction Design and Children Conference10.1145/3628516.3655794(248-258)Online publication date: 17-Jun-2024
https://dl.acm.org/doi/10.1145/3628516.3655794
Markert PLassak LGolla MDürmuth M(2024)Understanding Users' Interaction with Login NotificationsProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642823(1-17)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642823
Kyi LMhaidli ASantos CRoesner FBiega A(2024)“It doesn’t tell me anything about how my data is used”: User Perceptions of Data Collection PurposesProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642260(1-12)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642260
Singh VVishvakarma NKumar V(2024)Unveiling Digital Manipulation and Persuasion in e-Commerce: A Systematic Literature Review of Dark Patterns and Digital NudgingJournal of Internet Commerce10.1080/15332861.2024.233081323:2(144-171)Online publication date: 25-Mar-2024
https://doi.org/10.1080/15332861.2024.2330813
Löbel ASchäfer RPüschel HGüney EMeyer U(2024)Access Your Data... if You Can: An Analysis of Dark Patterns Against the Right of Access on Popular WebsitesPrivacy Technologies and Policy10.1007/978-3-031-68024-3_2(23-47)Online publication date: 4-Sep-2024
https://dl.acm.org/doi/10.1007/978-3-031-68024-3_2
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Table of Contents