
SoK: Technical Implementation and Human Impact of Internet Privacy Regulations (2312.15383v1)

Published 24 Dec 2023 in cs.CY

Abstract: Growing recognition of the potential for exploitation of personal data and of the shortcomings of prior privacy regimes has led to the passage of a multitude of new online privacy regulations. Some of these laws -- notably the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) -- have been the focus of large bodies of research by the computer science community, while others have received less attention. In this work, we analyze a set of Internet privacy and data protection regulations drawn from around the world -- both those that have frequently been studied by computer scientists and those that have not -- and develop a taxonomy of rights granted and obligations imposed by these laws. We then leverage this taxonomy to systematize 270 technical research papers published in computer science venues that investigate the impact of these laws and explore how technical solutions can complement legal protections. Finally, we analyze the results in this space through an interdisciplinary lens and make recommendations for future work at the intersection of computer science and legal privacy.

  208. An analysis of ireland’s homecare companies’ cookie practices in terms of gdpr compliance. In 2022 Cyber Research Conference-Ireland (Cyber-RCI), pages 1–7. IEEE, 2022.
  209. The pathologies of digital consent. Wash. UL Rev., 96:1461, 2018.
  210. Dpcat: Specification for an interoperable and machine-readable data processing catalogue based on GDPR. Information, 13(5):244, 2022.
  211. A data-driven analysis of blockchain systems’ public online communications on GDPR. In IEEE International Conference on Decentralized Applications and Infrastructures, pages 22–31, 2020.
  212. Et tu, brute? privacy analysis of government websites and mobile apps. In Proceedings of the ACM Web Conference, pages 564–575, 2022.
  213. Lessons in vcr repair: Compliance of android app developers with the california consumer privacy act (ccpa). Proceedings on Privacy Enhancing Technologies, 3:103–121, 2023.
  214. Can I opt out yet? GDPR and the global illusion of cookie control. In Asia conference on computer and communications security, pages 340–351, 2019.
  215. Journey to the center of the cookie ecosystem: Unraveling actors’ roles and relationships. In IEEE Symposium on Security and Privacy, 2021.
  216. Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners. Technology and Regulation, pages 91–135, 2020.
  217. Consent management platforms under the GDPR: processors and/or controllers? In Annual Privacy Forum, pages 47–69, 2021.
  218. Cookie banners, what’s the purpose? analyzing cookie banner text through a legal lens. In Workshop on Privacy in the Electronic Society, pages 187–194, 2021.
  219. Towards enforcement of the EU GDPR: Enabling data erasure. In IEEE International Conference on Internet of Things and IEEE Green Computing and Communications and IEEE Cyber, Physical and Social Computing and IEEE Smart Data, pages 222–229, 2018.
  220. Understanding account deletion and relevant dark patterns on social media. Proceedings of the ACM on Human-Computer Interaction, 6(CSCW2):1–43, 2022.
  221. Position: GDPR compliance by construction. In Heterogeneous Data Management, Polystores, and Analytics for Healthcare: VLDB 2019 Workshops, Poly and DMAH, Los Angeles, CA, USA, August 30, 2019, Revised Selected Papers 5, pages 39–53. Springer, 2019.
  222. Harmonizing privacy regarding data retention and purging. In Proceedings of the 34th International Conference on Scientific and Statistical Database Management, pages 1–12, 2022.
  223. Awanthika Senarath and Nalin Asanka Gamagedara Arachchilage. Understanding software developers’ approach towards implementing data minimization. arXiv preprint arXiv:1808.01479, 2018.
  224. Legal obligation and ethical best practice: Towards meaningful verbal consent for voice assistants. In Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems, pages 1–16, 2023.
  225. Analyzing the impact of GDPR on storage systems. In 11th USENIX Workshop on Hot Topics in Storage and File Systems, 2019.
  226. Learning to limit data collection via scaling laws: A computational interpretation for the legal principle of data minimization. In 2022 ACM Conference on Fairness, Accountability, and Transparency, pages 839–849, 2022.
  227. Understanding and benchmarking the impact of GDPR on database systems. Proceedings of the VLDB Endowment, 13(7).
  228. The seven sins of personal-data processing systems under GDPR. In 11th USENIX Workshop on Hot Topics in Cloud Computing, 2019.
  229. Us and them: a study of privacy requirements across north america, asia, and europe. In 36th International Conference on Software Engineering, 2014.
  230. NL2GDPR: Automatically develop GDPR compliant android application features from natural language. arXiv preprint arXiv:2208.13361, 2022.
  231. Chkplug: Checking gdpr compliance of wordpress plugins via cross-language code property graph. In NDSS, 2023.
  232. The impact of visibility on the right to opt-out of sale under CCPA. arXiv preprint arXiv:2206.10545, 2022.
  233. The Statutes Of The Republic Of Singapore. Personal data protection act 2012, 2020 revised edition. https://sso.agc.gov.sg/Act/PDPA2012.
  234. A technical look at the indian personal data protection bill. arXiv preprint arXiv:2005.13812, 2020.
  235. Are we there yet? understanding the challenges faced in complying with the general data protection regulation (gdpr). In Proceedings of the 2nd International Workshop on Multimedia Privacy and Security, pages 88–95, 2018.
  236. Daniel Solove. Beyond GDPR: The challenge of global privacy compliance—an interview with lothar determann. https://teachprivacy.com/challenge-of-global-privacy-compliance/, [https://perma.cc/4956-Q6TK], 11 2017.
  237. Daniel J Solove. Introduction: Privacy self-management and the consent dilemma. Harv. L. Rev., 126:1880, 2012.
  238. Daniel J Solove. The myth of the privacy paradox. Geo. Wash. L. Rev., 89:1, 2021.
  239. Before and after GDPR: The changes in third party presence at public and private European websites. In The World Wide Web Conference, pages 1590–1600, 2019.
  240. Feasibility of large-scale vulnerability notifications after gdpr. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pages 532–537. IEEE, 2020.
  241. Website operators are not the enemy either-analyzing options for creating cookie consent notices without dark patterns. Mensch und Computer 2022-Workshopband, 2022.
  242. a how website owners face privacy issues: Thematic analysis of responses from a covert notification study reveals diverse circumstances and challenges. Proc Priv Enhanc Technol, 2023.
  243. Ensuring compliance of iot devices with their privacy policy agreement. In 2018 IEEE 6th International Conference on Future Internet of Things and Cloud (FiCloud), pages 100–107. IEEE, 2018.
  244. “They see you’re a girl if you pick a pink robot with a skirt”: A qualitative study of how children conceptualize data processing and digital privacy risks. In CHI Conference on Human Factors in Computing Systems, pages 1–34, 2021.
  245. Data portability between online services: an empirical analysis on the effectiveness of gdpr art. 20. Proceedings on Privacy Enhancing Technologies, 2021(3):351–372, 2021.
  246. I still know what you watched last sunday: Privacy of the hbbtv protocol in the european smart tv landscape. In NDSS, 2023.
  247. Deciding on personalized ads: Nudging developers about user privacy. In 17th Symposium on Usable Privacy and Security, pages 573–596, 2021.
  248. Privacy champions in software teams: Understanding their motivations, strategies, and challenges. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems, pages 1–15, 2021.
  249. Understanding privacy-related advice on Stack Overflow. Proceedings on Privacy Enhancing Technologies, 1:18, 2022.
  250. Charting app developers’ journey through privacy regulation features in ad networks. Proceedings on Privacy Enhancing Technologies, 1:24, 2022.
  251. “Developers are responsible”: What ad networks tell developers about privacy. In Extended Abstracts of the 2021 CHI Conference on Human Factors in Computing Systems, pages 1–11, 2021.
  252. “It feels like whack-a-mole”: User experiences of data removal from people search websites. Proceedings on Privacy Enhancing Technologies, 1:20, 2022.
  253. The right to customization: Conceptualizing the right to repair for informational privacy. In Annual Privacy Forum, pages 3–22, 2021.
  254. rgpdos: GDPR enforcement by the operating system. In 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks-Supplemental Volume (DSN-S), pages 100–104. IEEE, 2023.
  255. Termly. https://termly.io/products/privacy-policy-generator/.
  256. TermsFeed. https://www.termsfeed.com/.
  257. I read but don’t agree: Privacy policy benchmarking using machine learning and the EU GDPR. In The Web Conference, pages 163–166, 2018.
  258. Privacyguide: towards an implementation of the EU GDPR on internet privacy policy evaluation. In ACM International Workshop on Security and Privacy Analytics, pages 15–21, 2018.
  259. Static checking of GDPR-related privacy compliance for object-oriented distributed systems. Journal of Logical and Algebraic Methods in Programming, 125:100733, 2022.
  260. A case study on the implementation of the right of access in privacy dashboards. In Annual Privacy Forum, pages 23–46, 2021.
  261. Using models to enable compliance checking against the gdpr: an experience report. In 2019 ACM/IEEE 22nd International Conference on Model Driven Engineering Languages and Systems (MODELS), pages 1–11. IEEE, 2019.
  262. On dark patterns and manipulation of website publishers by CMPs. In 22nd Privacy Enhancing Technologies Symposium, 2022.
  263. Analyzing GDPR compliance of named data networking. In Conference on Information-Centric Networking, pages 107–117, 2021.
  264. 4 years of EU cookie law: Results and lessons learned. Proc. Priv. Enhancing Technol., 2019(2):126–145, 2019.
  265. GDPR-compliant personal data management: A blockchain-based solution. IEEE Transactions on Information Forensics and Security, 15:1746–1761, 2019.
  266. The exercisability of the right to data portability in the emerging internet of things (iot) environment. new media & society, 23(10):2861–2881, 2021.
  267. “Your hashed IP address: Ubuntu.” Perspectives on transparency tools for online advertising. In Annual Computer Security Applications Conference, pages 702–717, 2019.
  268. Beyond the front page: Measuring third party dynamics in the field. In The Web Conference, pages 1275–1286, 2020.
  269. The unwanted sharing economy: An analysis of cookie syncing and user transparency under GDPR. arXiv preprint arXiv:1811.08660, 2018.
  270. A study on subject data access in online advertising after the GDPR. In Data Privacy Management, Cryptocurrencies and Blockchain Technology, pages 61–79. Springer, 2019.
  271. Measuring the impact of the GDPR on data sharing in ad networks. In Asia Conference on Computer and Communications Security, pages 222–235, 2020.
  272. Privacy rarely considered: Exploring considerations in the adoption of third-party services by websites. Proceedings on Privacy Enhancing Technologies, 1:5–28, 2023.
  273. (Un)informed Consent: Studying GDPR Consent Notices in the Field. In ACM SIGSAC Conference on Computer and Communications Security, pages 973–990, 2019.
  274. Comparing large-scale privacy and security notifications. Proceedings on Privacy Enhancing Technologies, 3:173–193, 2023.
  275. Tales from the porn: A comprehensive privacy analysis of the web porn ecosystem. In Internet Measurement Conference, pages 245–258, 2019.
  276. Automatic classification of legal violations in cookie banner texts. In Proceedings of the Natural Legal Language Processing Workshop 2022, pages 287–295, 2022.
  277. Setting the bar low: Are websites complying with the minimum requirements of the CCPA? Proceedings on Privacy Enhancing Technologies, 2022(1):608–628, 2022.
  278. Pursuing usable and useful data downloads under GDPR/CCPA access rights via Co-Design. In 17th Symposium on Usable Privacy and Security, pages 217–242, 2021.
  279. Online tracking of kids and teens by means of invisible images: COPPA vs. GDPR. In International Workshop on Multimedia Privacy and Security, pages 96–103, 2018.
  280. Ari Ezra Waldman. Cognitive biases, dark patterns, and the ‘privacy paradox’. Current opinion in psychology, 31:105–109, 2020.
  281. Understanding malicious cross-library data harvesting on android. In 30th USENIX Security Symposium (USENIX Security 21), pages 4133–4150, 2021.
  282. PRIVGUARD: Privacy regulation compliance made easier. In 31st USENIX Security Symposium, 2022.
  283. What twitter knows: Characterizing ad targeting practices, user perceptions, and ad explanations through users’ own twitter data. In 29th USENIX Security Symposium (USENIX Security 20), pages 145–162, 2020.
  284. From needs to actions to secure apps? The effect of requirements and developer practices on app security. In 29th USENIX Security Symposium, pages 289–305, 2020.
  285. ”Is our children’s apps learning?” Automatically detecting COPPA violations. In Workshop on Technology and Consumer Protection, 2017.
  286. Messaging with purpose limitation–privacy-compliant publish-subscribe systems. In IEEE 25th International Enterprise Distributed Object Computing Conference, pages 162–172, 2021.
  287. How portable is portable? Exercising the GDPR’s right to data portability. In International Symposium on Pervasive and Ubiquitous Computing and Wearable Computers, pages 911–920, 2018.
  288. The right to data portability in practice: exploring the implications of the technologically neutral gdpr. International Data Privacy Law, 9(3):173–191, 2019.
  289. Privacy legislation as business risks: How gdpr and ccpa are represented in technology companies’ investment risk disclosures. Proceedings of the ACM on Human-Computer Interaction, 7(CSCW1):1–26, 2023.
  290. Mike Woodward. 16 countries with gdpr-like data privacy laws. https://securityscorecard.com/blog/countries-with-gdpr-like-data-privacy-laws, July 2021.
  291. Lalaine: Measuring and characterizing Non-Compliance of apple privacy labels. In 32nd USENIX Security Symposium (USENIX Security 23), pages 1091–1108, 2023.
  292. Scrutinizing privacy policy compliance of virtual personal assistant apps. In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, pages 1–13, 2022.
  293. The right to be forgotten in the media: A data-driven study. Proceedings on Privacy Enhancing Technologies, 2016(4):389–402, 2016.
  294. Complicy: Evaluating the GDPR alignment of privacy policies-a study on web platforms. In Research Challenges in Information Science, volume 415, page 152, 2021.
  295. The effect of the GDPR on privacy policies: Recent progress and future promise. ACM Transactions on Management Information Systems, 12(1):1–20, 2020.
  296. “Whether it’s moral is a whole other story”: Consumer perspectives on privacy regulations and corporate data practices. In 17th Symposium on Usable Privacy and Security, pages 197–216, 2021.
  297. POLICYCOMP: Counterpart comparison of privacy policies uncovers overbroad personal data collection practices. In 32nd USENIX Security Symposium (USENIX Security 23), pages 1073–1090, 2023.
  298. Standardizing and implementing do not sell. In Workshop on Privacy in the Electronic Society, pages 15–20, 2020.
  299. PrivacyFlash Pro: Automating Privacy Policy Generation for Mobile Apps. In 28th Network and Distributed System Security Symposium, 2021.
  300. Maps: Scaling privacy compliance analysis to a million apps. Proc. Priv. Enhancing Tech., 2019:66, 2019.
  301. Usability and enforceability of global privacy control. Proceedings on Privacy Enhancing Technologies, 2:1–17, 2023.
  302. Automated analysis of privacy requirements for mobile apps. In 24th Network & Distributed System Security Symposium, 2017.
