2024
Bielova, Nataliia; Santos, Cristiana; Gray, Colin M
Two worlds apart! Closing the gap between regulating EU consent and user studies Journal Article
In: Harvard Journal of Law & Technology, vol. 37, no. 3, pp. 1295–1333, 2024.
Abstract | BibTeX | Tags: Consent Banners, Dark Patterns, Legal and Policy Perspectives, Regulation, Research Methods, UX Knowledge
@article{Bielova2024-zr,
title = {Two worlds apart! Closing the gap between regulating EU consent and user studies},
author = {Nataliia Bielova and Cristiana Santos and Colin M Gray},
year = {2024},
date = {2024-01-01},
urldate = {2024-01-01},
journal = {Harvard Journal of Law & Technology},
volume = {37},
number = {3},
pages = {1295–1333},
abstract = {The EU ePrivacy Directive requires consent before using cookies
or other tracking technologies, while the EU General Data
Protection Regulation (``GDPR'') sets high-level and
principle-based requirements for such consent to be valid.
However, the translation of such requirements into concrete
design interfaces for consent banners is far from
straightforward. This situation has given rise to the use of
manipulative tactics in user experience (``UX''), commonly known
as dark patterns, which influence users' decision-making and may
violate the GDPR requirements for valid consent. To address this
problem, EU regulators aim to interpret GDPR requirements and to
limit the design space of consent banners within their
guidelines. Academic researchers from various disciplines address
the same problem by performing user studies to evaluate the
impact of design and dark patterns on users' decision making.
Regrettably, the guidelines and user studies rarely impact each
other. In this Essay, we collected and analyzed seventeen
official guidelines issued by EU regulators and the EU Data
Protection Board (``EDPB''), as well as eleven consent-focused
empirical user studies which we thoroughly studied from a User
Interface (``UI'') design perspective. We identified numerous
gaps between consent banner designs recommended by regulators and
those evaluated in user studies. By doing so, we contribute to
both the regulatory discourse and future user studies. We
pinpoint EU regulatory inconsistencies and provide actionable
recommendations for regulators. For academic scholars, we
synthesize insights on design elements discussed by regulators
requiring further user study evaluations. Finally, we recommend
that EDPB and EU regulators, alongside usability, Human-Computer
Interaction (``HCI''), and design researchers, engage in
transdisciplinary dialogue in order to close the gap between EU
guidelines and user studies.},
keywords = {Consent Banners, Dark Patterns, Legal and Policy Perspectives, Regulation, Research Methods, UX Knowledge},
pubstate = {published},
tppubtype = {article}
}
The EU ePrivacy Directive requires consent before using cookies
or other tracking technologies, while the EU General Data
Protection Regulation (``GDPR'') sets high-level and
principle-based requirements for such consent to be valid.
However, the translation of such requirements into concrete
design interfaces for consent banners is far from
straightforward. This situation has given rise to the use of
manipulative tactics in user experience (``UX''), commonly known
as dark patterns, which influence users' decision-making and may
violate the GDPR requirements for valid consent. To address this
problem, EU regulators aim to interpret GDPR requirements and to
limit the design space of consent banners within their
guidelines. Academic researchers from various disciplines address
the same problem by performing user studies to evaluate the
impact of design and dark patterns on users' decision making.
Regrettably, the guidelines and user studies rarely impact each
other. In this Essay, we collected and analyzed seventeen
official guidelines issued by EU regulators and the EU Data
Protection Board (``EDPB''), as well as eleven consent-focused
empirical user studies which we thoroughly studied from a User
Interface (``UI'') design perspective. We identified numerous
gaps between consent banner designs recommended by regulators and
those evaluated in user studies. By doing so, we contribute to
both the regulatory discourse and future user studies. We
pinpoint EU regulatory inconsistencies and provide actionable
recommendations for regulators. For academic scholars, we
synthesize insights on design elements discussed by regulators
requiring further user study evaluations. Finally, we recommend
that EDPB and EU regulators, alongside usability, Human-Computer
Interaction (``HCI''), and design researchers, engage in
transdisciplinary dialogue in order to close the gap between EU
guidelines and user studies.
or other tracking technologies, while the EU General Data
Protection Regulation (``GDPR'') sets high-level and
principle-based requirements for such consent to be valid.
However, the translation of such requirements into concrete
design interfaces for consent banners is far from
straightforward. This situation has given rise to the use of
manipulative tactics in user experience (``UX''), commonly known
as dark patterns, which influence users' decision-making and may
violate the GDPR requirements for valid consent. To address this
problem, EU regulators aim to interpret GDPR requirements and to
limit the design space of consent banners within their
guidelines. Academic researchers from various disciplines address
the same problem by performing user studies to evaluate the
impact of design and dark patterns on users' decision making.
Regrettably, the guidelines and user studies rarely impact each
other. In this Essay, we collected and analyzed seventeen
official guidelines issued by EU regulators and the EU Data
Protection Board (``EDPB''), as well as eleven consent-focused
empirical user studies which we thoroughly studied from a User
Interface (``UI'') design perspective. We identified numerous
gaps between consent banner designs recommended by regulators and
those evaluated in user studies. By doing so, we contribute to
both the regulatory discourse and future user studies. We
pinpoint EU regulatory inconsistencies and provide actionable
recommendations for regulators. For academic scholars, we
synthesize insights on design elements discussed by regulators
requiring further user study evaluations. Finally, we recommend
that EDPB and EU regulators, alongside usability, Human-Computer
Interaction (``HCI''), and design researchers, engage in
transdisciplinary dialogue in order to close the gap between EU
guidelines and user studies.
2021
Gray, Colin M; Santos, Cristiana; Bielova, Nataliia; Toth, Michael; Clifford, Damian
Dark Patterns and the Legal Requirements of Consent Banners: An Interaction Criticism Perspective Honorable Mention Proceedings Article
In: Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems, 2021.
Abstract | Links | BibTeX | Tags: Consent Banners, Dark Patterns, Ethics and Values, Legal and Policy Perspectives, Regulation
@inproceedings{Gray2021,
title = {Dark Patterns and the Legal Requirements of Consent Banners: An Interaction Criticism Perspective},
author = {Colin M Gray and Cristiana Santos and Nataliia Bielova and Michael Toth and Damian Clifford},
url = {http://arxiv.org/abs/2009.10194},
doi = {10.1145/3411764.3445779},
year = {2021},
date = {2021-05-01},
urldate = {2021-05-01},
booktitle = {Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems},
abstract = {User engagement with data privacy and security through consent banners has become a ubiquitous part of interacting with internet services. While previous work has addressed consent banners from either interaction design, legal, and ethics-focused perspectives, little research addresses the connections among multiple disciplinary approaches, including tensions and opportunities that transcend disciplinary boundaries. In this paper, we draw together perspectives and commentary from HCI, design, privacy and data protection, and legal research communities, using the language and strategies of "dark patterns" to perform an interaction criticism reading of three different types of consent banners. Our analysis builds upon designer, interface, user, and social context lenses to raise tensions and synergies that arise together in complex, contingent, and conflicting ways in the act of designing consent banners. We conclude with opportunities for transdisciplinary dialogue across legal, ethical, computer science, and interactive systems scholarship to translate matters of ethical concern into public policy.},
keywords = {Consent Banners, Dark Patterns, Ethics and Values, Legal and Policy Perspectives, Regulation},
pubstate = {published},
tppubtype = {inproceedings}
}
User engagement with data privacy and security through consent banners has become a ubiquitous part of interacting with internet services. While previous work has addressed consent banners from either interaction design, legal, and ethics-focused perspectives, little research addresses the connections among multiple disciplinary approaches, including tensions and opportunities that transcend disciplinary boundaries. In this paper, we draw together perspectives and commentary from HCI, design, privacy and data protection, and legal research communities, using the language and strategies of "dark patterns" to perform an interaction criticism reading of three different types of consent banners. Our analysis builds upon designer, interface, user, and social context lenses to raise tensions and synergies that arise together in complex, contingent, and conflicting ways in the act of designing consent banners. We conclude with opportunities for transdisciplinary dialogue across legal, ethical, computer science, and interactive systems scholarship to translate matters of ethical concern into public policy.