Scared or Naive? An Exploratory Study on Users Perceptions of Online Privacy Disclosures

As a result of various industry regulations service providers such as websites and app developers are required to explain the ways in which they process the personal data of service users. These “privacy disclosures”, which aim to inform users and empower them to control their privacy, take several forms. Among these forms are the privacy policy, the cookie notice and, on smart phones, the app permission request. The interaction problems with these different types of disclosure are relatively well understood – habituation, inattention and cognitive biases undermine the extent to which user consent is truly informed. User understanding of the actual content of these disclosures, and their feelings toward it, are less well understood, though. In this paper we report on a mixed-methods study that explored these three types of privacy disclosure and compare their relative merits as a starting point for the development more meaningful consent interactions. We identify four key findings – heterogeneity of user perceptions and attitudes to privacy disclosures, limited ability of users to infer data processing outputs and risks based on technical explanations of particular practices, suggestions of a naïve model of “cost justification” rather cost-benefit analysis by users, and the possibility that consent interactions are valuable in themselves as a means to improve user perceptions of a service.