Implement Interactive Consent Forms for Enhanced User Engagement

Problem Summary

Permission or Authorization Dialogues are commonly used to obtain user consent for collecting and using personal data, allowing users to choose the information they consent to share. These dialogues are typically used during account creation or when accessing a service. According to GDPR Art. 4(11), consent must be freely given, sspecific, informed and unambiguous, requiring affirmative action. Traditional static dialogues often fail to ensure users fully understand and consider their data-sharing choices, necessitating more interactive approaches to achieve true informed consent.

Rationale

The intention is to engage users more actively in the consent process, ensuring they reflect on the information they are selecting to share. By implementing interactive elements such as drag-and-drop interfaces and knowledge testing, users are encouraged to carefully consider their data-sharing choices, leading to more informed and transparent consent. This approach aims to enhance user engagement and ensure compliance with legal requirements.

Solution

Interactive user interfaces, such as drag-and-drop and question-and-answer formats, are designed and validated to allow users to select personal information they consent to share. These methods have been shown to improve user engagement, understanding, and recall of the data-sharing terms, ensuring more informed and transparent consent.

Lindegren et al. [1] conducted a study evaluating three different designs for engaging users when providing their consent on smartphones. The study compared the usability and effectiveness of three interaction designs: checkboxes, drag-and-drop (DAD), and swiping. The results showed that the DAD and swiping methods improved user recall of the information they shared, although they took longer to complete than checkboxes. The study concluded that more interactive methods like DAD and swiping could enhance user engagement and awareness in permission dialogues.

Karegar et al. [2] proposed innovative user interface (UI) designs to enhance informed decision-making in social login contexts, ensuring compliance with GDPR requirements. They introduce 'Drag and Drop' (DAD) and 'Question and Answer' (Q&A) interfaces to engage users in the consent process actively. The DAD interface allows users to select and drag personal information they consent to share, while the Q&A interface involves users in answering questions to confirm their understanding of the data-sharing terms. These methods are designed to improve user awareness and recall of shared information, ultimately leading to more informed and transparent consent.

Platforms: personal computers, mobile devices

Example

Drag-and-drop interface for selecting personal information to share <a href="#section1">[1]</a>.

Drag-and-drop interface for selecting personal information to share [1]. (See enlarged)

Q&A interface <a href="#section2">[2]</a>.

Q&A interface [2]. (See enlarged)

Drag&Drop interface <a href="#section2">[2]</a>.

Drag&Drop interface [2]. (See enlarged)

Use cases
  • Enhancing user engagement and understanding when creating accounts on websites or mobile apps.
  • Providing users with clear, understandable choices about their privacy preferences, enhancing user satisfaction and compliance with privacy laws like GDPR.
  • Enabling users to make informed decisions about data sharing, increasing transparency and control over their personal data, and thus helping organisations meet GDPR compliance by ensuring users give specific and informed consent.
Pros

  • A between-subject user study found that the new UIs, including 'Drag and Drop' (DAD) and interactive knowledge testing, significantly enhance users' ability to provide informed consent compared to traditional social network authorization dialogues. Users had higher satisfaction and better recall with DAD than with swiping and checkboxes, ensuring they actively engage with and understand their data-sharing choices [1][2].

Cons

  • It takes more time for users to complete the sharing/consent activity with the new UIs, and the robustness of the method against habituation needs further testing. Bridging the gap between legally compliant authorization dialogues and user-friendly ones is a work in progress, involving the exploration of various affirmative actions to enhance user attention to disclosed information, improving methods to prevent habituation, and clearly presenting data processing purposes [1][2].

Privacy Choices

Privacy choices give people control over certain aspects of data practices. Considering the design space for privacy choices [3], this guideline can be applied in the following dimensions:

  • Binary choices > Opt-in/out
    The guideline supports moving beyond simple binary choices (e.g., notice and consent) by offering more interactive and granular options. However, it still incorporates elements of binary choice, specifically the opt-in/opt-out model. The proposed design defaults to opt-out (Privacy as the default setting), meaning users must actively opt-in to data practices, thereby ensuring more deliberate and informed consent.
  • Privacy rights-based choices
    The guideline can support choices related to access, rectification, erasure, and portability by integrating these options into the interactive consent forms.
  • Multiple choices
    The guideline suggests implementing interactive elements like drag-and-drop, allowing for multiple privacy options rather than a single binary choice.

  • Just in time
    The interactive forms can be presented to users when specific data practices are about to happen, ensuring decisions are made just in time.
  • At Setup
    The proposed design presents to the user the privacy choice at set up, when they first interact with the system, specifically during the registration processes for online services.

  • Visual
    The guideline primarily focuses on visual methods (e.g., drag-and-drop interfaces) to present privacy choices.

  • Feedback
    Feedback can be provided as a confirmation message, a notification, or a change in the interface. For example, in the proposed design by Lindegren et al. [1], the feedback is provided in the form of a change in the value of the "Accept" option.
  • Presentation
    The guideline emphasises the need for a clear and engaging presentation of privacy choices, making it easy for users to understand and decide on their preferences.

  • Secondary
    The guideline could also support secondary channels, like a dedicated privacy settings page accessible via a website or mobile app.
  • Primary
    The guideline supports presenting privacy choices directly within the platform or device where users interact with the system, such as within the app or website.

Control

Control [4] is the main privacy attribute that is addressed by this guideline. This attribute involves the data subject's ability to provide consent for collecting and processing their data and the extent to which they can opt out of data collection or processing. The guideline aims to enhance user engagement and attention during the consent process, ensuring that users make informed and self-determined decisions about the information they share. Interactive consent forms like drag-and-drop interfaces and knowledge testing methods directly improve user control over their personal data by making the consent process more transparent and user-friendly. Other related privacy attributes:

The guideline enhances transparency by making the consent process more interactive and informative, helping users understand the terms of data sharing and processing before they give their consent.

The guideline improves the consent process by ensuring users are better informed about the specific purposes for which their data will be used, contributing to more informed consent.

Interactive consent forms can highlight what data is being collected and allow users to make more granular choices about what they consent to share, aligning with the principle of data minimisation.


References

[1] Daniel Lindegren, Farzaneh Karegar, Bridget Kane & John Sören Pettersson (2021). An evaluation of three designs to engage users when providing their consent on smartphones. Behaviour & Information Technology, 40:4, p. 398-414. https://doi.org/10.1080/0144929X.2019.1697898

[2] Farzaneh Karegar, Nina Gerber, Melanie Volkamer, and Simone Fischer-Hübner (2018). Helping john to make informed decisions on using social login. In Proceedings of the 33rd Annual ACM Symposium on Applied Computing (SAC '18). Association for Computing Machinery, New York, NY, USA, 1165–1174. https://doi.org/10.1145/3167132.3167259

[3] Florian Schaub, Rebecca Balebako, Adam L Durity, and Lorrie Faith Cranor (2015). A Design Space for Effective Privacy Notices. In: Symposium on Usable Privacy and Security (SOUPS 2015). [S.l.: s.n.], p. 1–17. https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

[4] Yuanyuan Feng, Yaxing Yao, and Norman Sadeh (2021). A Design Space for Privacy Choices: Towards Meaningful Privacy Control in the Internet of Things. In CHI Conference on Human Factors in Computing Systems (CHI ’21), May 8–13, 2021, Yokohama, Japan. ACM, New York, NY, USA, 16 pages. https://doi.org/10.1145/3411764.3445148

[5] Susanne Barth, Dan Ionita, and Pieter Hartel (2022). Understanding Online Privacy — A Systematic Review of Privacy Visualizations and Privacy by Design Guidelines. ACM Comput. Surv. 55, 3, Article 63 (February 2022), 37 pages. https://doi.org/10.1145/3502288