Have you noticed the new icon popping up on websites across the Internet?
Thanks to researchers at Carnegie Mellon’s CyLab Security and Privacy Institute, the University of Michigan, and Fordham University, users can now easily make choices about how websites use their personal information, all in one convenient spot.
For years, the team of privacy experts has been conducting user studies, searching for the best ways to help website visitors make informed decisions about their personal data. So when the California Attorney General’s office requested public input on the California Consumer Privacy Act in 2019, the group decided to review the new regulations to see how they could help.
The statute mandated that websites collecting and sharing visitors’ personal information include a link labeled “Do not sell my personal information,” optionally accompanied by an icon to be specified by the Attorney General’s office. So the researchers went to work developing and testing different options.
“When we brainstormed possible icons, we thought about trying to directly convey the ‘do not sell my personal information’ concept or an ‘opt-out’ concept,” said Lorrie Cranor, director of CyLab, and professor in Carnegie Mellon’s School of Computer Science and Engineering & Public Policy department. “However, we realized that in the future, people will likely have multiple privacy choices that cover areas beyond the selling of information. Therefore, it would be better to design an icon that effectively conveys the idea of choices.”
Researchers also suggested using a more general phrase for the link label, such as “privacy options” or “privacy choices,” taking users to a one-stop shop where they could make all of their privacy decisions.
As regulators finalized the California Consumer Privacy Act regulations, they chose to adopt the researchers’ icon, providing the resource as an optional tool while mandating the “Do not sell my personal information” link.
In January 2023, another privacy law went into effect in California, the 2020 California Privacy Rights Act (CPRA), which required covered websites to include a longer “Do not sell or share my personal information” link as well as a new “Limit the use of my sensitive information” link. The CPRA also created the California Privacy Protection Agency, which decided to take a closer look at the statute, making modifications to better serve consumers in today’s ever-evolving internet landscape.
With the list of required privacy links beginning to grow, the agency decided to provide an alternative option, allowing websites to use the researchers’ icon alongside text that reads “Your Privacy Choices” or “Your California Privacy Choices” rather than listing multiple links.
“Websites don’t want to include multiple links, so we see many of them adopting the alternative opt-out link and our icon,” says Cranor.
“Consolidating privacy choices into a single page makes exercising consumer choices less of a scavenger hunt, enabling consumers to better protect their privacy,” explains Hana Habib, special faculty instructor and associate director of the CMU Software and Societal Systems Department’s Masters in Privacy Engineering program.
The icon now appears on Spotify, Procter and Gamble, Walmart, Ford Motor Company, and Verizon’s websites, among many others.
Related Research Papers:
- Toggles, Dollar Signs, and Triangles: How to (In)Effectively Convey Privacy Choices with Icons and Link Texts
- CCPA Opt-Out Icon Testing – Phase 2 (Submitted to the California Office of the Attorney General, May 28, 2020)
- "It’s a scavenger hunt": Usability of Websites' Opt-Out and Data Deletion Choices
- User Testing of the Proposed CCPA Do-Not-Sell Icon (Submitted to the California Office of the Attorney General, February 24, 2020)
- Design and Evaluation of a Usable Icon and Tagline to Signal an Opt-Out of the Sale of Personal Information as Required by CCPA (Submitted to the California Office of the Attorney General, February 4, 2020)
- Usable and Useful Privacy Interfaces
- An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites
Researchers:
- Lorrie Cranor - Director of CyLab Security and Privacy Institute, Bosch Distinguished Professor in Security and Privacy Technologies, FORE Systems Professor of Computer Science and of Engineering & Public Policy, Carnegie Mellon University
- Hana Habib - Specialty Faculty Instructor, Associate Director of the Masters in Privacy Engineering program, Carnegie Mellon University
- Yixin Zou - Tenure-Track Faculty Member, Max Planck Institute for Security and Privacy
- Alessandro Acquisti - Professor of Information Technology & Public Policy, Carnegie Mellon University
- Joel Reidenberg - Stanley D. and Nikki Waxberg Chair and Professor of Law, Fordham University School of Law
- Norman Sadeh - Professor of Computer Science and Co-Director Privacy Engineering Program, Carnegie Mellon University
- Florian Schaub - Associate Professor of Information and Associate Professor of Electrical Engineering and Computer Science, University of Michigan