CyLab Researchers Design Privacy Icon for Use by California Law

Wednesday, December 16, 2020 - by Daniel Tkacik

California will soon use an icon developed by a team from Cylab and the University of Michigan in its privacy regulations.

This past January, you may have noticed the phrase "Do not sell my personal information" at the bottom of many webpages. If you didn't, it could be because there's no icon next to it — even though the California Consumer Privacy Act (CCPA) suggests using one.

After a year without guidance on what that icon should look like, California has proposed an official icon to include with the opt-out text — one developed by researchers from Carnegie Mellon University's CyLab and the University of Michigan's School of Information.

"Icon design for privacy applications can be really difficult because information privacy is not easy to visualize," said Lorrie Cranor, the director of CyLab and leader of its Usable Privacy and Security Laboratory. "We tried a variety of designs and performed a series of user tests that give us confidence that our icon will do its job effectively."

Creating and approving the icon has been a yearlong process.

Late last year, researchers from CyLab and the University of Michigan developed a dozen icons and tested their ability to communicate privacy choices and "do not sell my personal information" themes with hundreds of participants on Amazon Mechanical Turk. They then performed another study with users, evaluating which text accompanying the icon (e.g. "Privacy Options," "Do Not Sell My Personal Information," "Do Not Sell My Info") best communicated their privacy choices.

After receiving participant feedback, researchers found that a blue toggle-like icon with the text, "Privacy Options" yielded the most accurate understanding. The team suggested that this icon could be used not only for compliance with the California law, but also to indicate where consumers could find a website's privacy choices in one place. The team also recommended "Do Not Sell My Personal Information" as an option, since that verbiage complied with the CCPA as written.

In February, the researchers shared these findings with the California Office of the Attorney General (OAG), and a few days later the OAG released their revised regulations, which included a somewhat-similar red toggle-like icon. To the researchers, the revised icon looked too much like an actual toggle that you might see on an iPhone, and they worried it could cause confusion. The team ran another series of user tests and confirmed their suspicions: users were much more likely to interpret the California icon as an actual toggle.

"Small changes can sometimes make a big difference," said Cranor, who is the FORE Systems Professor of Computer Science and Engineering & Public Policy. "You won't really know unless you test with users."

On Dec. 10, the California OAG proposed using the team's blue stylized toggle icon in the privacy regulation. Public comments are being accepted through Dec. 28. Users may begin to see the new stylized icon in website footers early next year.

The team presented their findings at last month's USENIX Conference on Privacy Engineering Practice and Respect (PEPR).

For more information, Contact:
Byron Spice | 412-268-9068 | bspice@cs.cmu.edu