Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs after GDPR
This addresses user privacy and deceptive design in GDPR compliance for website operators and policymakers, but is incremental as it builds on existing theories of choice and defaults.
The study investigated how GDPR-mandated consent dialogs influence user behavior, finding that a highlighted default button increased cookie acceptance by 20% but led to poorer recall and more regret, while the number of purposes had no significant effect.
The European Union's General Data Protection Regulation (GDPR) requires websites to ask for consent to the use of cookies for \emph{specific purposes}. This enlarges the relevant design space for consent dialogs. Websites could try to maximize click-through rates and positive consent decision, even at the risk of users agreeing to more purposes than intended. We evaluate a practice observed on popular websites by conducting an experiment with one control and two treatment groups ($N=150$ university students in two countries). We hypothesize that users' consent decision is influenced by (1) the number of options, connecting to the theory of choice proliferation, and (2) the presence of a highlighted default button (``select all''), connecting to theories of social norms and deception in consumer research. The results show that participants who see a default button accept cookies for more purposes than the control group, while being less able to correctly recall their choice. After being reminded of their choice, they regret it more often and perceive the consent dialog as more deceptive than the control group. Whether users are presented one or three purposes has no significant effect on their decisions and perceptions. We discuss the results and outline policy implications.