Investigating Deceptive Design in GDPR’s Legitimate Interest

Kyi, Lin; Shivakumar, Sushil Ammanaghatta; Santos, Cristiana; Roesner, Franziska; Zufall, Frederike; Biega, Asia J.

doi:10.1145/3544548.3580637

Cited by 11 publications

(3 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Previous research has extensively examined the compliance landscape of applications under GDPR and identified common privacy concerns, including complex permission revocation procedures, obscure privacy language, and inadequate data handling. Building upon this body of work, our study explores similar issues prevalent in online platforms within the Chinese context, including inadequate consent revocation mechanisms, deficiencies in implementing the right to copy and transfer data, and shortcomings in obtaining separate individual consent [5,18,34]. While some common privacy concerns align with prior studies, our research also identified unique challenges specific to Chinese platforms, such as the lack of risk assessment and user notification, calling for tailored approaches to enhance privacy protection.…”

Section: Discussionmentioning

confidence: 75%

“…For example, Mohan et al found several general GDPR non-compliance activities that occurred on large-scale cloud services when analyzing the privacy policies of cloud services after GDPR was published [43]. Moreover, Kyi et al focus on the ambiguous design and description in privacy policies, they summarized the deceptive strategies used in privacy notices, such as hiding legitimate privacy information at the end of privacy policies, using complicated procedures to revoke one's permission after it had been granted for access by the data processor, and the use of linguistic tricks when writing privacy policies, such as providing an implicit definition of legitimate interests to users or even do not give any specific explanation [34]. They also found that non-compliant platforms had ambiguous data processing and sharing rules, mentioned a few explicit durations that they would maintain users' personal information, and used inappropriate methods to alert users about privacy policy updates, thus providing users with little power to control their data.…”

Section: Compliance With Gdprmentioning

confidence: 99%

See 1 more Smart Citation

Understanding Chinese Internet Users' Perceptions of, and Online Platforms' Compliance with, the Personal Information Protection Law (PIPL)

Zhou,

Qu,

Wan

et al. 2024

Proc. ACM Hum.-Comput. Interact.

View full text Add to dashboard Cite

The Personal Information Protection Law (PIPL) was implemented in November 2021 to safeguard the personal information rights and interests of Internet users in China. However, the impact and existing shortcomings of the PIPL remain unclear, carrying significant implications for policymakers. This study examined privacy policies on 13 online platforms before and after the PIPL. Concurrently, it conducted semi-structured interviews with 30 Chinese Internet users to assess their perceptions of the PIPL. Users were also given tasks to identify non-compliance within the platforms, assessing their ability to address related privacy concerns effectively. The research revealed various instances of non-compliance in post-PIPL privacy policies, especially concerning inadequate risk assessments for sensitive data. Although users identified some non-compliant activities like app eavesdropping, issues related to individual consent proved challenging. Surprisingly, over half of the interviewees believed that the government could access their personal data without explicit consent. Our findings and implications can be valuable for lawmakers, online platforms, users, and future researchers seeking to enhance personal privacy practices both in China and globally.

show abstract

Section: Discussionmentioning

confidence: 75%

Section: Compliance With Gdprmentioning

confidence: 99%

Understanding Chinese Internet Users' Perceptions of, and Online Platforms' Compliance with, the Personal Information Protection Law (PIPL)

Zhou,

Qu,

Wan

et al. 2024

Proc. ACM Hum.-Comput. Interact.

View full text Add to dashboard Cite

show abstract

“…One of these topics is "legitimate interests," which is one of the six legal bases of data collection and processing in Article 6 GDPR. What constitutes "legitimate interest" under the GDPR still requires interpretation by European courts and, consequently, still is the subject of recent research about deceptive design and potentially unfaithful data practices [36] five years after the enforcement of the GDPR [40].…”

Section: Topic Changes Over Timementioning

confidence: 99%

A Bilingual Longitudinal Analysis of Privacy Policies Measuring the Impacts of the GDPR and the CCPA/CPRA

Hosseini,

Utz,

Degeling

et al. 2024

PoPETs

View full text Add to dashboard Cite

Privacy policies are the main mechanism for websites to describe their practices in collecting and processing visitors' personal data. Their format and content are subject to legal requirements that have changed due to recent new privacy regulations including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and California Privacy Rights Act (CPRA). Studying how privacy policies are adapted to such regulatory change can help identify shortcomings in implementing the law and inform future legislatory initiatives. Existing work in this area mostly studied effects of the GDPR on privacy policies or the "Do Not Sell My Personal Information" link mandated by the CCPA. Methodologically, insights were mainly drawn from English-language privacy policies using keyword-based analyses or machine learning classifiers. In this work, we address this research gap and conduct a bilingual study of privacy policies in English and German that investigates the effects of the GDPR and CCPA/CPRA on privacy policy content, using established methods from corpus linguistics that are language-independent and do not rely on keyword lists or classifiers that may date quickly. We find that, unlike for the GDPR, the CCPA's requirements were not yet widely implemented when it first became enforceable but only with its amendment, the CPRA. Before that, websites used more than 60 variants of the "Do Not Sell" link instead of the mandated wording and did not prominently reference individual rights granted by the CCPA/CPRA. While companies outside California and the US did adapt their disclosures to the CCPA/CPRA, this was limited to English-language policies and did not spill over to policies in German. For GDPR enforcement, we find websites to increasingly rely on legitimate interests to justify data collection, raising concerns whether individuals' interests in the privacy of their personal information are still sufficiently considered.

show abstract

Access Your Data... if You Can: An Analysis of Dark Patterns Against the Right of Access on Popular Websites

Löbel,

Schäfer,

Püschel

et al. 2024

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Investigating Deceptive Design in GDPR’s Legitimate Interest

Cited by 11 publications

References 33 publications

Understanding Chinese Internet Users' Perceptions of, and Online Platforms' Compliance with, the Personal Information Protection Law (PIPL)

Understanding Chinese Internet Users' Perceptions of, and Online Platforms' Compliance with, the Personal Information Protection Law (PIPL)

A Bilingual Longitudinal Analysis of Privacy Policies Measuring the Impacts of the GDPR and the CCPA/CPRA

Access Your Data... if You Can: An Analysis of Dark Patterns Against the Right of Access on Popular Websites

Contact Info

Product

Resources

About