uzh_logo_e_neg_border

BIG DATA

Law & Technology

Representing Privacy Policies With Icons

Course: Big Data: Technology and Law (FS 20) 

Instructors: Prof. Dr. Abraham Bernstein and Prof. Dr. Florent Thouvenin

Download Results
Universität_Zürich_logo-1 (3)

BIG DATA

Law & Technology

Representing Privacy Policies With Icons

Course: Big Data: Technology and Law (FS 20)

Instructors: Prof. Dr. Abraham Bernstein and Prof. Dr. Florent Thouvenin

Download Results

1. INTRODUCTION

Jean-Jacques Rousseau, one of the most famous philosophers, writers, and political theorists wrote: ”I need only consult myself with regard to what I wish to do; what I feel to be good is good, what I feel to be bad is bad.” The previous ancient belief was that the authority came from gods but then, thanks to the process of social, psychological and spiritual development brought by the Enlightenment, ego-driven humans started to consider their own feelings and emotions as divinities. Nowadays things are changing again. Our authorities are not deities or feelings but possibly already big tech companies, the Silicon Valley, the Internet, algorithms and the omnipresent big data. However, if people want to keep the authority over their privacy, it is time to challenge this narrative.

This project was inspired by a topic prominent in the discussion about big data: lengthy privacy policies which almost nobody reads. This is especially true for most of us who are not educated in law and specifically its aspect that has to do with online activity. Most people accept privacy policies daily without having read them. This gives our project an important socio-political dimension. It means that most internet users do not give informed consent to their data being collected, stored and even sold. How is this possible? In order to get closer to solving this issue, we decided to read through the General Data Protection Regulation and the lengthy privacy policies of big tech companies such as Facebook, Google and Twitter which tackle lots of data. We identify issues most important for online users, find and design pictograms representing them, and test those icons with a survey. We hope that this research helps us support an argument that privacy policies can indeed be easy to understand for a regular user – if only they were represented graphically.To make the privacy policies easier to read, faster to understand and – hence – every user’s consent more informed, several projects are working on the development of icons to represent the basic ideas used in privacy policies. Instead of reading an entire paragraph or two, one icon might suffice. For our project we found different sets of icons and created our own icons representing important privacy issues. Then we conducted a survey to find out which of these icons best represent their ideas.

See survey

1. INTRODUCTION

Jean-Jacques Rousseau, one of the most famous philosophers, writers, and political theorists wrote: ”I need only consult myself with regard to what I wish to do; what I feel to be good is good, what I feel to be bad is bad.” The previous ancient belief was that the authority came from gods but then, thanks to the process of social, psychological and spiritual development brought by the Enlightenment, ego-driven humans started to consider their own feelings and emotions as divinities. Nowadays things are changing again. Our authorities are not deities or feelings but possibly already big tech companies, the Silicon Valley, the Internet, algorithms and the omnipresent big data. However, if people want to keep the authority over their privacy, it is time to challenge this narrative.

This project was inspired by a topic prominent in the discussion about big data: lengthy privacy policies which almost nobody reads. This is especially true for most of us who are not educated in law and specifically its aspect that has to do with online activity. Most people accept privacy policies daily without having read them. This gives our project an important socio-political dimension. It means that most internet users do not give informed consent to their data being collected, stored and even sold. How is this possible? In order to get closer to solving this issue, we decided to read through the General Data Protection Regulation and the lengthy privacy policies of big tech companies such as Facebook, Google and Twitter which tackle lots of data. We identify issues most important for online users, find and design pictograms representing them, and test those icons with a survey. We hope that this research helps us support an argument that privacy policies can indeed be easy to understand for a regular user – if only they were represented graphically.To make the privacy policies easier to read, faster to understand and – hence – every user’s consent more informed, several projects are working on the development of icons to represent the basic ideas used in privacy policies. Instead of reading an entire paragraph or two, one icon might suffice. For our project we found different sets of icons and created our own icons representing important privacy issues. Then we conducted a survey to find out which of these icons best represent their ideas.

2. METHOD

For the sake of this study we decided to use the exploratory research method, since it was considered most relevant for our project goals. To follow this approach, primary and secondary data were collected. On the one hand, primary data was gathered through an online survey conducted to gather participants’ perception of the icon sets. On the other hand, secondary data, such as icon sets from previous and ongoing research, were used partially for our final survey. To reach significant results, the steps of preparation, execution and analysis followed.

The setup of this study was initiated by identifying the most important topics that users should know regarding GDPR consent. The resulted categories from this first step were: sensitive data, right to erasure, data storage and selling or sharing data to other companies. Consecutively, secondary research was conducted to find appealing icon sets, which would match with the identified relevant topics. Some icons were found and considered as alternatives; however, a brainstorming session was needed to create new icons, which competed as options with the ones found beforehand.

To conclude the preparation stage, an online survey was developed. This survey consisted of demographic questions (e.g. gender, sex, education), questions regarding the background knowledge of GDPR and, most importantly, the test of our icon sets.

For the execution stage, a primary research was done to collect essential data to do so, an online survey was conducted. The expected data to be gathered consisted of knowing, from each identified topic, which icon, if any, the users felt was best understandable.

Concerning the online survey, a convenience sampling technique was used. We shared the online survey with our relatives and friends, and through a Facebook campaign. The only requirements for participating in the study were  residing in a European country and speaking one of the four languages in which the survey was available: English, German, French and Italian.

Finally, the online survey was posted for approximately two weeks to reach a high number of participants and, in this way, to get as significant and representative results as possible.

To transform the data into valuable information, we grouped the types of questions mentioned before. In this context, demographic and background knowledge questions were joined together with the ones related to our icon sets. By doing so, we provided a meaning to our results gathered from the survey. These results are further explained in section 4 of this paper.

See survey

2. METHOD

For the sake of this study we decided to use the exploratory research method, since it was considered most relevant for our project goals. To follow this approach, primary and secondary data were collected. On the one hand, primary data was gathered through an online survey conducted to gather participants’ perception of the icon sets. On the other hand, secondary data, such as icon sets from previous and ongoing research, were used partially for our final survey.

To reach significant results, the steps of preparation, execution and analysis followed.

The setup of this study was initiated by identifying the most important topics that users should know regarding GDPR consent. The resulted categories from this first step were: sensitive data, right to erasure, data storage and selling or sharing data to other companies. Consecutively, secondary research was conducted to find appealing icon sets, which would match with the identified relevant topics. Some icons were found and considered as alternatives; however, a brainstorming session was needed to create new icons, which competed as options with the ones found beforehand.

To conclude the preparation stage, an online survey was developed. This survey consisted of demographic questions (e.g. gender, sex, education), questions regarding the background knowledge of GDPR and, most importantly, the test of our icon sets.

To transform the data into valuable information, we grouped the types of questions mentioned before. In this context, demographic and background knowledge questions were joined together with the ones related to our icon sets. By doing so, we provided a meaning to our results gathered from the survey. These results are further explained in section 4 of this paper.

To transform the data into valuable information, we had to group the types of questions mentioned before. In this context, demographic and background knowledge questions were joined together with the ones related to our icon sets. By doing so, we provided a meaning to our results gathered from the survey. These results are further explained in section 4 of this paper.

3. PRIVACY ICONS IN RESEARCH

For our survey we intended to work with icons which we found among previous research projects in the academic literature. The idea of representing privacy issues with icons is more than a decade old. However, here were only four projects whose icons were still accessible at the time of doing our research:

Mehldau developed his icon set in 2007. He made it clear that his set was not complete and invited professionals to contribute. His goal was to develop a web tool that could represent privacy declarations with his icons. His icons are well thought-through and numerous from various categories (data, purpose, handling, and time period).

KnowPrivacy was a research project in 2009 whose goal was to “examine both: the data handling practices of popular websites and the concerns of consumers in an effort to identify practices which may be deceptive or potentially harmful to users‘ privacy”. Furthermore, they wanted to “offer potential solutions that policymakers should consider” [1]. The icons were not the goal of the project, but rather a side-product. As part of the project, the researchers studied various privacy policies. The icons, or tags, helped them evaluate these privacy policies. Nevertheless, they were not created to make privacy policies more understandable. For this reason, the icons cover several topics (e.g. IP address, browser type, or operating system), which makes the icon set impractical for the purpose of representing privacy policies for the user.

___________________

[1] http://knowprivacy.org/report/KnowPrivacy_Final_Report.pdf

Mozilla, together with disconnect.me and Stanford University, developed in 2011 an icon set. The initiator of the project was Aza Raskin who also published another icon set in 2010, also in the name of Mozilla.  On the websites from disconnect.me and Stanford University the icons are no longer available.

Both icon sets are very different in design. For instance, the earlier project was round and the newer was square. Nonetheless, content-wise they are more similar, mostly representing sharing, trading and selling of data to advertisers, third parties and law enforcement. Overall, there are only very few icons.

PrimeLife was an EU-funded project which lasted three years and ended in 2011. Its goals were broad, and the creation and testing of the icon set were only a small part of it. The PrimeLife researchers took the icons of Mary Rundle and Matthias Mehldau and developed them further.[1] Unfortunately, the complete icon set is not present on their project website. We found most icons in two articles which were written after the researchers tested the icons’ understandability.

The icons cover a wide range of topics, from data types to social networking, but – still – each topic has only a few icons.

___________________

[1] https://blog.xot.nl/2016/09/21/using-icons-to-summarise-privacy-polices-an-analysis-and-a-proposal/

For our project we studied the General Data Protection Regulation and three privacy declarations of big companies. Based on this research, we developed a list with ten most relevant legal issues, including the most sensitive data and the most questionable practices. Since we could not find icons to represent these topics in the relevant literature, we decided to create several icons ourselves through a brainstorming session among the members.

AVG. READING TIME

How long it takes to read the privacy policies of Google, Facebook and Twitter*

*Source: https://www.varonis.com/blog/gdpr-privacy-policy

0 min
GOOGLE
0 min
FACEBOOK
0 min
TWITTER

3. THEORY

Privacy Icons in Research

For our survey we intended to work with icons which we found among previous research projects in the academic literature. The idea of representing privacy issues with icons is more than a decade old. However, we identified only four projects whose icons were still accessible at the time of doing our research:

Matthias Mehldau developed an icon set in 2007. He made it clear that his set was not complete and invited professionals to contribute. His goal was to develop a web tool that could represent privacy declarations with his icons. Mehldau’s icons are well thought-through and numerous from various categories (data, purpose, handling, and time period).

KnowPrivacy was a research project from UC Berkeley done in 2009 whose goal was “to examine both: the data handling practices of popular websites and the concerns of consumers in an effort to identify practices which may be deceptive or potentially harmful to users‘ privacy”. Furthermore, they wanted to “offer potential solutions that policymakers should consider”. [1] The icons were not the goal of the project, but rather a side-product. As part of the project, the researchers studied various privacy policies. The icons, or tags, helped them evaluate these privacy policies. Nevertheless, they were not created to make privacy policies more understandable. For this reason, the icons cover several topics (e.g. IP address, browser type, or operating system), which makes the icon set impractical for the purpose of representing privacy policies for the user. 

__________________

[1] http://knowprivacy.org/report/KnowPrivacy_Final_Report.pdf

Another icon set was developed by Mozilla together with disconnect.me and Stanford Universityin 2011. The initiator of the project was Aza Raskin who one year earlier had published another icon set, also in the name of Mozilla. Unfortunately, the icons are no longer available on the websites of disconnect.me and Stanford University.

Both icon sets are very different in design. For instance, the earlier project was round and the newer was square. Nonetheless, content-wise they are more similar, mostly representing sharing, trading and selling of data to advertisers, third parties and law enforcement. Overall, there are only very few icons.

PrimeLife was an EU-funded project which lasted three years and ended in 2011. Its goals were broad, and the icon set’s creation and testing were only a small part of it. The PrimeLife researchers took icons developed by  Mary Rundle (which are not available online anymore) and those created by Matthias Mehldau and developed them further. Unfortunately, the complete icon set is not present on their project’s website. We found most icons in two articles which were written after the researchers tested the icons’ understandability.The icons cover a wide range of topics, from data types to social networking, but – still – each topic offers only a few icons.

For our project we studied the General Data Protection Regulation and privacy declarations of three big companies which process lots of data: Facebook, Google and Twitter. Based on this research, we developed a list with the  most relevant legal issues, including the most sensitive data and the most questionable practices. Since we could not find icons to represent these topics in the relevant literature, we decided to create several icons ourselves through a brainstorming session among the members.

4. RESULTS

What are our findings?

In academic literature we found various icons representing ideas in privacy policies. However, the icon sets we found are missing icons which cover important issues of the after-GDPR era, such as: (a) sensitive data (e-health data, religious beliefs, biometric data, political opinions and sexual orientation), (b) the right to erasure, (c) sharing data with other parties, (d) selling  data to other parties and (d) data storage. Because we lacked icons representing these issues, which we identified as the most important, we created our own icons. In the survey we tested both the existing and the newly created icons. The total number of respondents to our survey was 259.

4. RESULTS

What are our findings?

In academic literature we found various icons representing ideas in privacy policies. However, the icon sets we found are missing icons which cover important issues of the after-GDPR era, such as sensitive data (e-health data, religious beliefs, biometric data, political opinions, sexual orientation), the right to erasure, selling or sharing data to/with third companies, advertisers or organizations, and data storage. Because we lacked icons representing these issues, which we identified as the most important, we created our own icons. In the survey we have tested both the existing and the newly created icons. The total number of respondents to our survey was 259.

4.1. Knowledge of GDPR and people’s rights regarding data collection

From the survey results, it is evident that data collection is the participants’  major concern. We found out that 60% of respondents who do not know their rights concerning personal data are afraid of data collection. However, 54% of respondents who admitted that they know their rights concerning personal data are still afraid of data collection.

Therefore, regardless of whether an individual is informed about the privacy policies, data collection is still a concern for the majority. The GDPR is based on the idea of informed consent. “Informed” means that people need to know about the GDPR. According to our survey, around ⅔ of respondents without higher education have never heard about the GDPR, but around ⅔ of respondents with higher education have. Education seems to have an impact on the knowledge of the GDPR. This explains to a certain degree why the very young respondents (15-19 years old) have little knowledge of the GDPR (65% of them have never heard of it). Only the participants over 50 years old have heard less of it (73% are negative answers). However, the majority of respondents between 20 and 49 years old know about the GDPR. Respondents who know their rights concerning personal data are mostly aware of the fact that, once requested, a company must inform them about what data they have on them, and what the company use it for (79% of the respondents); that it is possible that their online data can be deleted (63% of the respondents); that it is possible to ask a company to correct their data if they are wrong (57% of the respondents) and that it is possible to access data if a company has collected data on them(55% of the respondents).

On the other hand, the respondents who admitted that they do not  know their rights concerning personal data are still aware of the fact that a company, upon request, must inform them about what data they have on them, and what the company use it for (61% of the respondents); that it is possible that their online data can be deleted (40% of the respondents) and that it is possible to access data if a company has collected data on them(37% of the respondents). Better is the knowledge about collecting “cookies”. Most respondents answer that they know what cookies are. Interestingly, the number is lowest among participants with a PhD(64%). Young respondents seem to have doubts about cookies (55% know what they are), but the number raises significantly for the next age group (87% of 20-29 year-olds; ). It can be theorised that maybe the teenagers hear of the GDPR  later in their education, but we cannot tell for sure based on the information we gathered. The answers to the question “Do you know your rights concerning personal data?” are too random to draw conclusions. This might be because the question asks for the respondents’ opinion of their knowledge, not the knowledge itself. Interestingly, more people residing in Switzerland have heard of GDPR (54%) than people in Italy (50%). This is so despite the fact that the GDPR does not (yet) apply to Switzerland. However, the 50% and 54% are rather similar numbers. Also, we  do not have enough respondents of other European countries to compare them. Roughly half of the respondents (51%) share data for personal benefits. When they do, these are mostly: their e-mail address (shared by 47% of respondents), name (shared by 42% of respondents) and surname (shared by 41% of respondents). As a comparison, payment details are shared only by 10% of the respondents.Only 8% of respondents fully read privacy policies. Among those that do not read them at all, the main reason is the length of privacy policies.  Because of this, it seems like the idea of representing privacy policies with icons would be meaningful – to avoid lengthy descriptions.

4.1 Knowledge of GDPR and people’s rights regarding data collection

From the survey results, it is evident that data collection is a major concern of people. We have found out that 60% of respondents who don’t know their rights concerning personal data are afraid of data collection. However, 54% of respondents who admitted that they know their rights concerning personal data are still afraid of data collection. Therefore, regardless of whether an individual is informed about the privacy policies, data collection is still a concern for the majority.

GDPR is based on the idea of informed consent. Informed means that people need to know about GDPR. According to our survey, around ⅔ of respondents without higher education have never heard about GDPR, but around ⅔ of respondents with higher education have. Education seems to have an impact on the knowledge of GDPR. This explains to a certain degree why very young respondents (15-19 years) have little knowledge of GDPR (65% who have never heard of it). Only over 50-year-old have heard less of it (73% negative answers). However, the majority of respondents between 20 and 49 years old know about GDPR. 

Respondents who know their rights concerning personal data are mostly aware of the fact that a company has to inform on what data they have on me, and what they use it for (79% of the respondents), that it is possible that my online data can be deleted (63% of the respondents), that it is possible to ask a company to correct my data if they are wrong (57% of the respondents) and that it is possible to access data if a company has collected data on me (55% of the respondents). On the other hand, the respondents who have admitted that they don’t know their rights concerning personal data are still aware of the fact that a company has to inform on what data they have on me, and what they use it for (61% of the respondents), that it is possible that my online data can be deleted (40% of the respondents) and that it is possible to access data if a company has collected data on me (37% of the respondents).

Better is the knowledge about cookies. Most respondents answer that they know what cookies are. Interestingly, the number is lowest with the doctorate (64% yes). Young respondents seem to have doubts about cookies (55% know what they are), but the number raises significantly for the next age group (20-29 87% yes). It could be theorised that maybe the teenagers hear of it later in their education, but we cannot tell for sure based on the information we have. 

The answers to the question “Do you know your rights concerning personal data?” are too random to draw conclusions. This might be because the question asks for the respondent’s opinion of their knowledge, not the knowledge itself. 

Interestingly, more people in Switzerland have heard of GDPR (54%) than people in Italy (50%). This despite the fact that GDPR does not (yet) apply to Switzerland. We do not have enough respondents of other European countries to compare them. 

Roughly half of the respondents (51%) share data for personal benefits. When they do, these are mostly: e-mail address (shared by 47% of respondents), name (shared by 42% of respondents) and surname (shared by 41% of respondents). As a comparison, payment details are shared only by 10% of the respondents.

Only 8% of respondents fully read privacy policies. Among those that don’t read them at all, they don’t do it mostly because the privacy policies are too long. Because of this, it seems like the idea of representing privacy policies with icons would be meaningful – to avoid lengthy descriptions.

4.2. Icons

We asked twice whether our respondents thought that icons could help them understand privacy policies better. The first time  had been before the respondents saw  an icon, so some of them might not have had a clear idea how icons representing privacy policies could look. The second time we asked after they saw some examples. This time  far fewer people answered, “I don’t know”, which means that we helped them by giving  an idea about the topic. The number of respondents who thought icons were a good idea grew only slightly (4%), while the number of respondents who thought icons could not  help them understand privacy policies grew by 10%. Overall, 60% thought it was a good idea compared to 19% who did not think so.

4.2 Icons

We asked twice whether our respondents think that icons could help them understand privacy policies better. The first time we asked was before the respondents had seen an icon, so some of them might not have had a clear idea how an icon could look. The second time we asked after they saw some examples. The second time we asked the question, a lot less people answered “I don’t know”, which means that we helped to give them an idea about the topic. The number of respondents who thought icons were a good idea grew only slightly (4%), while the number of respondents who thought icons couldn’t help them understand privacy policies grew by 10%. Overall, 60% thought it was a good idea compared to 19% who didn’t.

Let us start with icons about sensitive data such as e-health data, religious beliefs, biometric data, political opinions and sexual orientation. Regarding e-health, the answers were quite evenly distributed and none of the icons seemed to have been most convincing. Most respondents liked icon 13.1 (27%) and icon 13.2 (26%).

In the question about religious beliefs icon 14.1 was chosen most often with 63%. 

 

For political opinions almost half of our respondents like icon 15.2 (47%).

Icon 16.3 was chosen to represent sexual orientation best by 55% of the respondents.

As the icon best representing biometrical data, icon 17.3 was picked by 35% of respondents, closely followed by icon 17.2 (32%).

In the question about data storage, most of the respondents chose icon 18.1 (42%) 

With 68% of the picks icon 19.1, representing right to erasure, had the best result of all icons.

Generally, it seems that it is possible to understandably represent privacy issues with icons , because only a few respondents chose none of the icons  (less than 20% in all questions). In none of the questions was “none” the most chosen answer. 

Beside the different forms of sensitive data, we wanted to test the icons regarding sharing, selling and trading data. To test the icons’ understandability without bias, we let the respondents guess the meaning of three icons from the Mozilla project (see below).

 67% of respondents understood the meaning of the  icon on the left, and 71% of respondents understood the meaning of the icon on the right.

However, the icon below was only understood by 41% of the respondents. In our opinion, in order to be applied on websites, icons should have a higher rate of understandability. The intended meaning for this icon is: “Site is collecting data about you and selling or trading it with another organization, government, or person.” We can safely say that this icon does not represent its idea well enough.

Webp.net-resizeimage

5. DISCUSSION

Throughout this research study, we sought to assess the understandability of an icon set in order to create a new alternative towards the way the GDPR statements are presented to the users. To do so, we conducted a survey where the participants’ perception and degree of agreement towards the images were measured. In this section, we make conclusions about our results by briefly highlighting some implications for our findings, the limitations we encountered, and avenues for further research.

References

By first identifying the most relevant legal topics shown in the GDPR statements, and consecutively reusing as well as designing icons for these points, we offer interested parties, such as private companies, public organizations, advertising agencies, researchers and others, a practical alternative to unveil in a clear way how the users’ information will be used. This option intends to avoid users having to read long texts. For instance, as mentioned in the results section, topics related to sensitive data, such as e-health or religious beliefs, can easily be represented by proper pictograms. Consequently, companies are able to assure transparency in a complex topic, namely the manipulation of the users’ data.

Moreover, we think that reputation will be an important intangible asset that companies will secure through an implementation of such (or similar)  icon sets. Nowadays, users are more keen to know how their data is treated. Therefore, by aiding them to consciously accept terms that they fully understand, based on our research we argue that icons will enhance the image of companies regarding data treatment.

The results reported here should be considered while taking into account certain limitations.

The primary limitation that we encountered was the time frame allocated to this research. Since this study took about two months, constraints regarding the sample size and the sampling technique are now presented. On the one hand, the number of participants could have been higher if the survey had been posted for a longer period of time. This would have generated a more significant value in our results. On the other hand, we followed a convenience sample technique, which is fairly accepted in academia. However, this study could have followed, for instance, a probabilistic sampling to reach a more representative sample. Our choice was optimal given the resources available to us.

The second and last important limitation was the bounded access to icon sets, generated in previous studies, in order to offer a comparison in the survey. This led us to brainstorming sessions in which we  created our own icon set, which we then tested in the survey together with the icons from literature.

Due to the exploratory nature of the presented study, opportunities for further research appear.

Since the study’s scope considered only participants residing in the European countries, there is still room for further investigation regarding the understandability among people from the rest of the world.

Moreover, due to time constraints, the scope of this research included only some issues within the GDPR. It would be definitely helpful for interest parties to know which other topics, if not all of them, could be addressed with this initiative.

Moreover, the icon sets which  we found were missing specific privacy concepts of the GDPR and some of them were not specifically focused on the GDPR regulations. Therefore, it would be utterly useful to create a complete icon set comprising all GDPR concepts and evaluate to which extent these new icons would represent different privacy policies. We hope to see the fruits of such work in the future.

5. DISCUSSION

Throughout this research study, we sought to assess the understandability of an icon set in order to create a new alternative towards the way the GDPR statements are presented to the users. To do so, we conducted a survey where the participants’ perception and degree of agreement towards the images were measured. In this section, we make conclusions about our results by briefly highlighting some implications for our findings, the limitations we encountered, and avenues for further research.

By first identifying ten most relevant legal topics shown in GDPR statements, and consecutively designing icons for these points, we offer interested parties, such as Instagram or Facebook, a practical alternative to unveil in a clear way how the users’ information will be used. This option intends to avoid users having to read long texts. For instance, as mentioned in the results section, topics related to sensitive data, such as e-health or religious beliefs, can easily be represented by proper icons/pictograms. Consequently, companies are able to assure transparency in a complex topic, namely the manipulation of the users’ data.

Moreover, reputation will be an important intangible asset that companies will secure through the implementation of the icon sets. Nowadays, users are more keen to know how their data is treated. Therefore, by aiding them to consciously accept terms that they fully understand, icons will enhance the image of companies regarding data treatment.

 

The results reported here should be considered while taking into account certain limitations.

The primary limitation that we encountered was the time frame allocated to this research. Since we, as students, count only one semester (approx. 2.5 months) to conduct this study, constraints regarding the sample size and the sampling technique were presented. On the one hand, the number of participants could have been higher if the survey had been posted for a longer period of time. This would have generated a more significant value in our results. On the other hand, we followed a convenience sample technique, which is fairly accepted. However, this study could have followed, for instance, a probabilistic sampling to reach a more representative sample.

A second and last important limitation was the bounded access to icon sets, generated in previous studies, in order to offer a comparison in the survey. This led us to brainstorming sessions in which we  created our own icon set, which we then tested in the survey together with the icons from literature.

Due to the exploratory nature of the present study, opportunities for further research appear.

Since the study’s scope considered only participants residing in the European countries, there is still room for further investigation regarding the understandability of people from the rest of the world.

Moreover, due to time constraints, the scope of this research included only ten issues within the GDPR terms and conditions. It would be definitely helpful for interest parties to know which other topics, if not all of them, could be addressed with this initiative.

Moreover, the icon sets that we found were missing specific privacy concepts of GDPR and some of them were not specifically focused on GDPR regulations. Therefore, it would be useful to create the complete icon set compromising different GDPR concepts and evaluate to which extent these new icons would represent different privacy policies.

References