User behavior and Cookie AcceptanceWhat influences whether users accept or decline your cookies?

If you regularly browse the internet, you probably already know what a cookie warning is. Almost all websites ask consent to place cookies on your internet session to better identify you for analytical and marketing purposes. These cookies are a form of data collection and thus fall under the GDPR. This means that websites are expected to ask active consent for placing cookies and to provide full information on how the gathered data is used. To date, however, many websites in the EU still have cookie warnings that are not fully GDPR compliant. While punitive measures are not common yet, they are a serious threat for businesses – especially after the expected new cookie directive will be published.

The Privacy Paradox

Cookies are often used to collect data that can then be used to personalize the website for the user. In general, users’ attitude is one of concern about online data collection and privacy, but their behavior towards cookie warnings does not represent this. This dichotomy between behavior and attitude is termed the “privacy paradox”.

The content of this blog

This blog does not to go into the privacy paradox and its effect on cookie warnings. Instead, it focuses on one inconclusive result of the study: that behavior is not influenced by user’s (self-reported) attitude, but instead is influenced by a rationality influenced by the design of the cookie warning. This blog first describes the effect of the type of cookie warning on behavior, followed by the effect of the type of user. Afterwards, the implications for you are described, whether that’s you as a user, a business owner, a legislator or an academic. The last part shortly describes how the research was executed for full disclosure with a link to the referenced thesis study.

How does the type of cookie warning influence behavior?

One of the major purposes of the study was to assess user behavior on unique variants of cookie warnings (“CWs”). In total, five variants were tested.

All these CWs met certain base-level design principles that were gathered from a preliminary study on how most, well-visited websites designed their CWs. This was done to ensure that the user perceives our CWs as legitimate, allowing natural behavior to be measured. Furthermore, all CWs met the requirements as stipulated by the GDPR (that is: the CW needs to ask active consent for storing the type of cookie and provide full disclosure on why and how this information is used). The five CWs differed in design based on a high number of theories and heuristics that, according to an extensive literature research, are related to the privacy paradox and thus aim to explain behavior of the user related to privacy in one way or another.

The five tested Cookie warnings

CW1 and CW2 (see figure 1 and 2) were the same, save that CW2 did not provide the option to read more information. This is due to several theories suggesting that users exhibit less concerned behavior, because they don’t have all information available to make a rationally sound choice.

CW5 (see figure 3) is identical to CW1, except that the background is red, and the header has the yellow text: “Warning: This website uses cookies”. This is based on several theories and heuristics suggesting that users exhibit less concerned behavior regarding their online privacy because they are simply not made aware of a privacy choice being made. The red background colors and yellow text assumedly raise awareness and alertness which would lead to more concerned behavior.

CW3 and CW4 (see figure 4 and 5) differed most in design styles.

In CW3, users were expected to click on an embedded phrase “Change your cookie settings here” to open a window where they can change their cookie preferences.

In CW4, users have to scroll down a wall of information (the “Click here for more information” text) before being able to customize their cookie preferences.

In both CW3 and CW4, users were immediately able to see the button to accept all cookies.
In none of the cookie warnings did users have the option to close the CW.

How cookie warnings influenced user behavior

The results revealed that users showed relatively unconcerned behavior across all CWs, but significantly less concerned in CW3 and CW4. This is possibly due to the extra steps required from the user to not accept all cookies. CW5 also did not lead to more concerned behavior, in contrast to expectations. Most notable is that only 2.7% (roughly 11 users) even bothered to click on the “read_more” information.

Also notable is that, while CW3 and CW4 led to much higher cookie acceptance, it did not cause users to simply leave the website, because of unwillingness to accept all cookies. This suggests that, while users concerned about their privacy would rather not accept all cookies, they only realize this preference when the option to accept some cookies, is as easy as accepting all cookies. When it takes more effort to have customized cookie preferences, users seem instead to just accept all. This suggests the notion that, while users seem concerned about their online privacy, they approach privacy with a habituality, where they measure the amount of effort necessary for the reward.

How did the type of user influence behavior?

Besides the influence of the different types of cookie warnings, the influence of the type of user was also measured. In total, 7 user-descriptive groups were used:

• age group;
• whether the user was from the EU or not;
• the type of device of the user;
• the time the user spent on the internet, daily;
• the mood of the user;
• whether the user has any software to manage cookies;
• whether user remembered processing the CW at the end of the survey.

User types that influenced behavior

Ultimately, behavior was influenced only by age group, device type and whether the user remembered processing the CW. In the Age Group category, the youngest age group of 14-20 exhibited far less concerned behavior. In the Device Type category, mobile users exhibited far less concerned behavior and in the last group, users that did not remember processing the CW, also exhibited far less concerned behavior in the CW. Herein, less concerned behavior either meant they spent less time on the CW or were more likely to accept all cookies.

For mobile users, this could be because of the same reason that CW3 and CW4 lead to higher cookie acceptance, that is, due to the extra steps required to reject cookies. The website used to research behavior was scalable with mobile users, but the cookie warning was much more skewed and required more scrolling from the user to see the “save settings” for customized cookie acceptance. This meant all CWs required more manual labor from the user to not accept all cookies because the “accept all” button would be immediately visible, but the “save settings” for customized acceptance was not.

The practical implications for businesses

Practical implications of these findings for businesses are that users seem more willing to accept all cookies when more than one step is required to customize cookie settings. Furthermore, users seem unwilling to read the extra provided information in cookie warnings and having the option to do so does not seem to influence behavior. The provision of information is mandatory per GDPR, but heavy investment into the design of delivery might be wasted.

The effect of more “intrusive” cookie warnings on acceptance and behavior

In this research, all five types of cookie warning were centralized on the user’s screen and required the user to either accept all or some cookies before being able to proceed in the website. For websites that highly value cookie acceptance, it’s worth noting that it did not matter what type of cookie warning the user received: an increase in the intrusiveness of type of the cookie warning did not make user leave the website more. This means that cookie warnings that require more steps to complete, do not cause more users to leave when compared to cookie warnings that are easier completed.
However, more research is needed on the effect of a less intrusive cookie warning (such as a banner) on behavior in general. Assumedly, this would lead to less rejection of the website, but also less cookie acceptance.

Concluding thoughts

It’s a matter of weighing the value of a website visitor that accepts cookies to one that accepts no cookies and one that simply does not visit. Websites can also opt to not ask consent for placing cookies immediately, but only after the user already spent some time on the website, meaning the user is more involved, might trust the website more, and therefore be more likely to process the cookie warning, even if it requires more steps to not accept all cookies.

Ultimately, it is clear that users are more likely to accept all cookies, when the option to not accept all cookies is not immediately visible.

Furthermore, a younger audience (14-20) and mobile device users also are more likely to accept all cookies.

Practical implications for Internet Users / the GDPR

It’s important to understand whether the introduced regulations have any effect when businesses are free to complicate the user’s process in accepting cookies: it seems that while users care about their online privacy, they fail to put in the effort to secure it or are simply mislead through nudging and heuristics. It might be worthwhile to standardize cookie warning design to provide unambiguous decisions as well as limiting the freedom of what businesses can do with cookies, minimizing the need for users to read the “read_more” prompt for every individual website.

How the research was done and more

Over 750 users participated in the research. They were asked to participate in a survey on https://thijs-research.nl. The purpose of the research was not made obvious to them and they were only asked to complete a survey. However, upon opening the websites, the user would be first confronted with a CW. This was designed and executed in such a way that the CW would not look to be part of the research. After processing the cookie warning, the user arrived at the survey with a total of 31 questions. However, unbeknownst to the user, all possible activity in the CW was recorded. The “user behavior” was then based on her behavior in the CW and her attitude and her descriptive was based on an extensive survey.

The theoretical basis for this blog

Interested in reading more? This blog was just the tip of the iceberg and does not nearly provide the full story. We recommend that you read the thesis on which this blog was based. It describes all of the above in far greater detail, including other topics that were deliberately left out. Answers are given to questions such as “Do users perceive cookie warnings as online privacy violations?” and “Are attitude and behavior really separate things?” and more concrete questions such as “What are the numbers behind these findings and how was the analysis done?”. If you are interested in the thesis, please fill out our contact form and we will send you a copy.

[ps2id id=’commentaren’ target=”/]