CyLab researchers design privacy icon to be used by California law
Dec 11, 2020
On January 1 of this year, you may have noticed the phrase “Do not sell my personal information” shown at the bottom of many webpages. If you didn’t notice it, it might be because there’s no icon next to it, even though the California Consumer Privacy Act (CCPA) suggests that there be one but offers no suggestions on what the icon should look like.
The state of California has now proposed an official icon to include next to that new opt-out text—a blue stylized toggle icon developed by researchers from Carnegie Mellon University’s CyLab and the University of Michigan’s School of Information.
“Icon design for privacy applications can be really difficult because information privacy is not easy to visualize,” says CyLab’s Lorrie Cranor, the director of CyLab and leader of the CyLab Usable Privacy and Security Laboratory. “But we tried a variety of designs and performed a series of user tests that give us confidence that our icon will do its job effectively.”
Creating and approving the icon has been a year-long process.
Late last year, researchers from Carnegie Mellon University’s CyLab and the University of Michigan’s School of Information developed a dozen icons and tested their ability to communicate privacy choices and “do not sell my personal information” themes to hundreds of participants through Amazon’s Mechanical Turk. They then performed another study with users, evaluating which text accompanying the icon (e.g. Privacy Options, Do Not Sell My Personal Information, Do Not Sell My Info, etc.) best communicated the privacy choices presented to them.
After the team received feedback from hundreds of participants, it turned out that a blue toggle-like icon with the text “Privacy Options” yielded the most accurate understanding amongst users. The team suggested that this icon could be used not only for compliance with the California law, but also to indicate where consumers could find all of a website’s privacy choices in one place. The team also recommended “Do Not Sell My Personal Information” as an option, since that verbiage complies with the CCPA as written.
“You should always include people and consumers from the start,” says Florian Schaub, an assistant professor in the University of Michigan’s School of Information and a collaborator on the icon design research. “We, the experts, are the worst judges in terms of what other people understand when you show them an icon.”
In February, the researchers shared their findings with the California Office of the Attorney General (OAG), and a few days later, the OAG released their revised regulations, which included a somewhat-similar red toggle-like icon.
“Their icon looks a bit more like an actual toggle switch that you might find, for example, on an iPhone,” said Hana Habib, a PhD candidate in the Institute for Software Research who helped evaluate the icons. “We thought that this had the potential to confuse people who might think they could actually click on it and toggle with it.”
The team ran another series of user tests, comparing the OAG icon with theirs and assessing whether users found one more informative than the other. They also evaluated the performance of their icon in red, and the OAG icon in blue.
The California icon was much more likely to be misinterpreted as an actual toggle, the researchers found. Color turned out to not make much of a difference.
“Some small changes can sometimes make a big difference,” Cranor says. “… and you won’t really know unless you test with users.”
In this case, the researchers say, the checkmark, the X, and the slashed line in their icon made it clearer to users that the icon wasn’t an actual toggle, while still suggesting the concept of a toggle. The OAG’s proposed icon looked too similar to an actual toggle.
“We needed to conduct a user study to know whether that was really the case or not,” explained Yixin Zou, a PhD candidate at the University of Michigan School of Information who helped evaluate the icons.
On December 10, the California OAG announced that they are proposing to use the team’s blue stylized toggle icon in the privacy regulation. Public comments are being accepted through December 28. Users may begin seeing the new stylized icon at the bottom of websites’ footers early next year.
Cranor and Schaub presented their team’s research findings at the recent USENIX Conference on Privacy Engineering Practice and Respect (PEPR). A video of their presentation can be viewed below.
View the group’s opt-out research papers, as well as high-resolution versions of the icon.
The icon project team included:
- Lorrie Cranor, Director of CyLab Security and Privacy Institute, Bosch Distinguished Professor in Security and Privacy Technologies, FORE Systems Professor of Computer Science and of Engineering & Public Policy, Carnegie Mellon University
- Hana Habib, PhD Candidate, Institute for Software Research, Carnegie Mellon University
- Yixin Zou, PhD Candidate, School of Information, University of Michigan
- Alessandro Acquisti, Professor of Information Technology & Public Policy, Carnegie Mellon University
- Norman Sadeh, Professor of Computer Science and Co-Director Privacy Engineering Program, Institute for Software Research, Carnegie Mellon University
- Florian Schaub, Assistant Professor in the School of Information at the University of Michigan
- Michelle Chou, a recent graduate of the Master’s in Interaction Design program at Carnegie Mellon University