June 12, 2020
Finding privacy choices on websites is hard for average users—but experts also find it difficult
In a study published last year, a group of CyLab researchers found that many websites make it difficult for people to find privacy settings or opt out of targeted advertising. Those findings were based on expert opinion, so the researchers wondered how hard it might be for actual users to access these choices.
The answer is obvious, but worth documenting in a scientific manner: very hard.
"It's what I call a scavenger hunt," said one participant in a new study presented at this year's ACM CHI conference.
In their study, the researchers invited 24 people into their lab—13 women and 11 men with a variety of educational backgrounds and occupations. The researchers assigned each participant to find privacy choices and policies in the account settings of popular websites, including nytimes.com, foodandwine.com and others. The tasks were presented to the participants as the following scenarios:
- You just got the 10th update email from [website] today, and now you want to stop receiving them.
- You've been seeing advertisements on [website] for a pair of shoes that you searched for last month, and now you want to stop seeing them.
- You're uncomfortable with [website] keeping a record of your location and want to remove all of your data from the company's databases.
Opting out of email marketing proved to be a relatively easy task for participants, as most of them looked for or used an unsubscribe link in an email sent by the website. This may be thanks to the 2003 Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, which requires companies to provide clear explanations for opting out of email marketing.
"We see regulation having a really great impact on usability, since it standardized the location and look of email opt-outs," says Hana Habib, a societal computing Ph.D. student and lead author of the study. "Since the law is now 17 years old, people have formed expectations."
That's about where the good news ended and the scavenger hunt began. Almost all participants required assistance finding privacy choices in the account settings and privacy policies of the websites.
"People really struggled," says Habib. "But it would be wrong to blame the participants themselves."
On one website's help page focused on assisting people in deleting their data, a box displayed the message "Delete your data." The box appeared clickable, but was not.
"People tried clicking the box but were left confused when nothing happened," says Habib. "Much of the difficulty in making these privacy choices is due to poor design and formatting."
Many participants gave up and resorted to visiting the website's help page, scrolling through support pages related to their task. Some even found a contact on the website and asked them directly via email or chat how they could delete their data.
Overall, participants had an easier time finding privacy choices in websites' account settings versus the typically long, jargon-filled privacy policies. But the key is that they only found it easier, not always easy.
As a result, the researchers have made a set of recommendations to companies to make privacy choices easier to find and use. Just as "unsubscribe" links were standardized to appear in the same locations in email footers, privacy choices could also appear in standard locations on websites. They also recommend creating multiple paths from pages on the website that lead to a standard location containing privacy choices.
"The pressure is building up for companies to make these choices easier for people to use," says Habib. "It's up to us as academics to communicate our findings with external stakeholders like regulators or companies themselves."