Informing California Privacy Regulations with Evidence from Research

check mark and x symbols

Informing California Privacy Regulations with Evidence from Research
Communications of the ACM, March 2021, Vol. 64 No. 3, Pages 29-32
By Lorrie Faith Cranor

Exercising privacy choices is akin to a scavenger hunt: information about available choices is hard to find and mechanisms can be difficult to use. My research group has been examining ways to improve privacy user experiences (UX). We started exploring website privacy “nutrition labels” a decade before Apple introduced them in their app store in December 2020, and recently we proposed a privacy and security label for IoT devices. When the State of California passed the California Consumer Privacy Act (CCPA) mandating a “Do Not Sell My Personal Information” website opt-out link and optional icon, we developed and evaluated icon designs and submitted recommendations in response to the Office of the Attorney General (OAG) call for public comments. After several twists and turns, in December 2020 the OAG issued proposed regulations with our recommended icon.


In fall 2019, our team of researchers began brainstorming possible icon designs. We developed 11 icons that could represent one of three concepts: choice, opting out, and do not sell personal information. We focused on representing these concepts rather than on representing privacy itself, as privacy is difficult to visualize and popular privacy visualizations (locks, shields, keys, masks, eyes) are already used in Web security and privacy tools.


We conducted an initial evaluation of our 11 icons as well as the green “privacy rights” icon promoted by the Digital Advertising Alliance industry group for use as a CCPA icon. We recruited participants from Amazon’s Mechanical Turk (MTurk) and showed one randomly selected icon to each participant. Half the participants saw the icon with the text “Do Not Sell My Personal Information” and half saw the icon alone. We asked participants to tell us what they thought the icon communicated and what they thought would happen if they clicked on it. Then we showed them all 12 icons, shown in Figure 1a, and asked them to select the icons that best conveyed the presence of privacy choices and do-not-sell choices.

Read the Full Article »

About the Author:

Lorrie Faith Cranor is Director and Bosch Distinguished Professor in Security and Privacy Technologies, CyLab Security and Privacy Institute and FORE Systems Professor, Computer Science and Engineering & Public Policy, Carnegie Mellon University, Pittsburgh, PA, USA.

See Also:

PEPR ’20 – How to (In)Effectively Convey Privacy Choices with Icons and Link Text. USENIX, October 15, 2020.