A US-UK Usability Evaluation of Consent Management Platform Cookie Consent Interface Design on Desktop and Mobile

2.1 Legal Requirements

Cookie consent interfaces began to appear on websites as a response to a 2009 amendment to the EU’s ePrivacy Directive (EPD) that addressed confidentiality of digital communication and tracking on the internet [18]. Cookie consent interfaces became even more common with the European Union’s 2018 General Data Protection Regulation (GDPR) [17]. Under these rules, companies are required to obtain affirmative consent to process personal data beyond what is required to fulfill a legitimate business interest. This cannot be done through default settings or pre-checked boxes, and users must be able to withdraw their consent at any time. While the UK is no longer covered by the EU GDPR since the UK left the EU in 2020, the “key principles, rights and obligations remain the same” under the nearly identical UK GDPR [26]. Santos et al. identified requirements for cookie consent to comply with GDPR, including that the cookie consent interfaces should allow users to individually consent to cookies of different types, the consent must be informed, consent must be unambiguous, the banner should be reasonable (e. g. , easy to understand), and users should be able to revoke their consent at any time [40]. Research suggests that over 50% of cookie consent interfaces do not meet standards imposed by GDPR [1, 5, 31, 39, 41, 53].

The California Consumer Privacy Act (CCPA) went into effect in 2020, requiring (among other things) that certain companies provide notice to consumers related to data collection and offer them the ability to opt-out of the sale of personal information [37]. In practice, the CCPA’s notice and choice requirements are commonly provided through GDPR-style cookie consent banners [24]. The California Privacy Rights and Enforcement Act (CPRA), which took effect in January 2023, provides additional privacy rights to California consumers, including a right to opt-out of a business using sensitive personal information and to opt-out of the sharing of information with third parties [9].

2.2 Cookie Consent Interfaces and Consent Management Platforms

A variety of cookie consent interface designs are implemented on websites, including some that give users the options to opt-in to using cookies, some that allow users to decline cookies, and others that notify users that cookies are being used but do not allow any choice [13, 39, 53]. Information provided in cookie consent interfaces is not always accurate. For example, some websites misstate the reason for data collection or do not provide a reason at all [5, 41]. Researchers have found variations in location and styling, as well as the significant presence of nudging, pre-selection, and emphasized buttons to accept cookies [31, 32, 53].

Websites often turn to CMPs to generate cookie consent interfaces and record consent choices. While there are many CMPs [25], a small group are used by most websites. CMPs have become more prevalent over time with sharp upticks in their adoptions corresponding to new privacy laws going into effect. OneTrust has become the most used CMP since 2020 with options that can be tailored to comply with the CCPA [24]. These increases in adoption corresponding to when regulations go into effect suggest that legal compliance plays a large part in the adoption of CMPs. Even so, studies have found non-compliant consent interfaces implemented by CMPs on websites [13, 34, 49].

There is sometimes a difference between the cookie experience of users who are protected by privacy laws and those outside of their jurisdiction. For example, Dabrowski et al. found that 26.6% of sites that used cookies issued cookies for US-based visitors but not for EU-based ones after the GDPR went into effect. [12]. Further, Elik et al. found that the top-level domains of websites often explained most variations in cookie consent interfaces regardless of user location. A notable exception was seen with the use of the.com domain, in which users from the EU were significantly more likely to see a cookie banner than users in the US [54]. Finally, Alharbi et al. found that cookie consent interfaces from European websites were the most compliant with design best practices [1].

Many sites remained non-compliant with GDPR by failing to provide compliant cookie consent interfaces or incorrectly recording consent decisions [38]. Hils et al. examined 414 sites that used OneTrust as a CMP, observing that over 60% offered a non-compliant cookie consent interface that required a single click to accept cookies and a button or link that provided more granular options [24]. The privacy organization noyb has pushed for websites to adopt cookie consent interfaces that are compliant with the GDPR, encouraging the adoption of a three-button design that allows users to accept all cookies, reject all cookies, or access a secondary screen that allows for more granular control. [35]. French regulators have since stated that not having a button for rejecting cookies at the same level as one to accept them is not compliant with the ePrivacy Directive [28].

Cultural factors can influence how people perceive privacy risks [3, 11, 50]. In the context of cookies, Bornschein et al. found that the visibility of a cookie consent notice did not impact US participants’ risk perception while visibility did impact EU participants’ perception of risk on a website [7]. Bellentani found that users covered by GDPR chose to disclose more information after having seen a cookie consent interface relative to users who were not covered by GDPR [2]. Finally, Singh et al. found that whether the user is from the EU did not significantly influence their preferences for cookie consent interface design [42]. We further explore these differences by comparing the perception and consent behavior of participants located in the US and UK.

2.3 Mobile Devices

Compared to their full-sized counterparts, mobile devices have smaller screen sizes, use smaller fonts, have smaller buttons, and are used in more contexts [56]. In a study of AdChoices icon usability, Garlach et al. found that mobile devices further exacerbated problems with the icon. In particular, the decreased screen size made the icon more difficult to find and interact with [16]. Similarly, Singh et al. found that the smaller screen size made text-based privacy policies more difficult for users to understand on mobile platforms [43]. Users’ behavior concerning cookie consent interfaces also varies with the device type. Two studies found users on mobile devices were more likely to interact with consent interfaces, interact more quickly, accept the defaults provided to them, and accept cookies overall [4, 53]. On the other hand, Gunawan et al. found that notices on mobile platforms were more likely to have an option to reject cookies, which the authors postulate is due to the availability of APIs that can be used for other forms of tracking that do not involve cookies [21]. Our work builds on these studies by further exploring user perceptions and other usability aspects of the the consent experience, beyond consent decisions.

2.4 Impact of Cookie Consent Interface Design

Several studies have investigated how specific cookie consent interface design parameters, including deceptive patterns, impact the choices users make. Utz et al. found that users were more likely to interact with cookie consent interfaces on the lower left hand side of a screen [53] while Fernandez et al. found that location did not significantly impact users’ choice of setting [4]. Ma and Birrell found that banner text emphasizing the potential gains or losses of accepting cookies could influence users’ consent decisions [29]. However, when loss-aversion text was embedded in longer paragraphs, Habib et al. found no significant impact on consent decisions. Additionally, they found similar consent rates for interfaces with paragraph versus bullet-point text, and for banners with clearly-labeled buttons versus ambiguous buttons [23]. When users are shown confirmation-only interfaces or banners that only provide a binary choice they are more likely to consent to cookies than when they are presented with banners that allow opt-in to cookies by cookie type or vendor [53]. When specific cookie choices on the cookie consent banner were replaced with a “cookie preferences” button or link leading to a secondary interface with these choices, users were much more likely to accept all cookies [23]. Permissive default options lead to more types of cookies being accepted, with users being less sure of what options they had selected and less content with their choice when informed about what they chose [30].

3.1 Consent Interface Design

Figure 1:

View Figure

Figure 2:

View Figure

Table 1 provides an overview of the design variants we evaluated in our user study and Figure 1 shows their positioning within the browser. The variant we labeled baseline serves as the basis of comparison for all other conditions. All of our designs were implemented using the design tool integrated with the OneTrust CMP (version 6.31.0). While the main focus of our study was understanding the impact of users’ location and their device type, we tested 14 cookie consent interface designs in this study. This approach allowed us to ensure that any observed effects were not restricted to a single interface type, and evaluate the usability of both typical and novel designs that varied based on banner prominence, location of cookie category definitions, and which options are shown initially. We tested eight conditions that included a button to access a secondary cookie preference panel with toggles to accept or reject each cookie type (four of these also included check boxes for all optional cookie types in the primary consent interface), two conditions that included a link to access the secondary cookie preference panel, one condition that included a toggle for each cookie type on a separate tab, and three conditions that integrated the cookie preferences panel into the primary consent interface and had no secondary panel. A representative subset of the consent interfaces from the design variants can be seen in Figure 2.

The designs vary along five main design parameters:

The first four parameters were identified by Habib et al. [23] as commonly customized in CMP interfaces and potentially affecting usability. In most consent interfaces, term definitions are not present in the initial cookie notice. We opted to vary the location of definitions in order to test a new hypothesis based on the results of Habib et al. [23]. In their study, users in conditions where cookie terms were used but not defined in the initial consent notice were less likely to review the definitions of cookie terms in the preference panel when answering comprehension questions. We hypothesized that adding definitions in the initial notice may help educate users about what cookie terms mean. To test this hypothesis, we added four design variants: definitions-inline, definitions-tabs, definitions-accordion, and definitions-sidebanner. Definitions-inline shows the cookie definitions right below the corresponding toggles in a single fully-blocking panel. Both definitions-accordion and definitions-sidebanner similarly present the definitions with their corresponding toggles; however, each definition is not visible until a plus-sign-shaped button next to the name of the cookie type is pressed. Definitions-sidebanner is identical to definitions-accordion except the panel slides out from the side of the screen rather than appearing at its center. Finally, definitions-tabs is a fully-blocking panel with a tab for each type of cookie containing a definition and toggle.

We also developed two variants to explore the impact of offering thee initial options, similar to designs recommended by noyb [35]. We hypothesize that providing a three-button interface with the option to “Accept all cookies,” “Accept only necessary” cookies, or “Edit cookie preferences” may improve users’ ability to make their preferred decision, as it allows individuals to opt-out of all unnecessary cookies without viewing the complete menu of options available under “Edit cookie preferences.” We evaluate the three-button approach using two variants—options-3button and options-3button-banner. The conditions are identical except that the later presents the buttons in a non-blocking banner rather than a fully-blocking panel.

The other seven design variants we tested were selected based on their potential impact on mobile users as well as common website practices:

To facilitate comparison and control for potential confounding effects, the same wording was used across all design variants, with only minor modification of button labels due to design limitations imposed by the OneTrust CMP. All designs except cornerButton included a close button in the form of an "X" that dismisses the banner and accepts the website’s default cookie options. The close button is enabled in most OneTrust layouts by default. All design variants, except for the four definitions variants, included a secondary cookie preferences panel, which was formatted exactly the same as the primary consent interface used in the definitions-inline variant.

The design tools provided by OneTrust placed constraints on our designs. For example, we were unable to implement a condition that displayed definitions via tool tips, which we hypothesized might be convenient for users. In order to create the variants with inline cookie-type definitions, we had to use the templates for the cookie preference interface as cookie banners. This caused the button placement for the consent options in these four variants to differ significantly from the baseline. These differences must be kept in mind when interpreting the results of our study.

Before launching our study, we conducted a pilot study with 72 participants. The results of the pilot were used to refine our survey and ensure that the experiment proceeded as expected; they were not included in our final analysis.

3.2 Data Collection

3.3 Data Analysis

We gathered 1375 complete survey responses. 16 of these responses were excluded from analysis as we could not connect them with any website log data.³

3.4 Limitations

While we have taken steps to recruit a diverse sample we do not claim a representative sample. Our sample is younger and more highly educated than the US and UK general population. Non-white racial and ethnic groups were underrepresented in the US sample [36, 52]. Recent work suggests that results from Prolific are reasonably representative of the US population with regards to questions about privacy and security perceptions and experiences but not knowledge [47]. Additionally, some participants likely behaved differently from their typical behavior due to the knowledge that they were participating in a study. Indeed, a few participants indicated in free response questions that they made their consent decision in order to make sure the website functioned properly for the study. Our qualitative coding is necessarily subjective and influenced by the experience and attitude of the researchers. A different research team may have identified different themes in the data. Finally, while we have explored the effect of several explanatory variables in isolation, they likely have interaction effects as well.

4.1 Participant Demographics and Device Configuration

Table 2 presents an overview of participant demographics (n = 1359). Our sample is well balanced with respect to age and gender. The most common self-reported race or ethnicity was “White or of European descent” with more than 80% of participants selecting this option. Our sample is also skewed towards those with some form of tertiary education: \(56\%\) of our participants had at least a bachelor’s degree or equivalent, with around a third of those individuals reporting some form of graduate education. Our participant pool was roughly evenly divided between individuals located in the US (n=694) and those located in the UK (n=665). The two samples do not differ significantly in participant gender, age, tech expertise, or number of participants who reported blocking cookies. There was a higher proportion of mobile users in the UK sample (\(23.9\%\)) as compared to the US sample (\(12.4\%\)). UK participants in our sample, on average, also reported slightly less education than US participants (\(77.3\%\) UK vs \(83.1\%\) US with at least some higher education, p = 0.0154, Cramer’s V = 0.108).

\(59.2\%\) of participants accessed the task using the desktop version of Google Chrome. The next most common browser was Firefox desktop (\(9.0\%\)). The most common operating system used by our participants was some form of Windows (\(58.8\%\)). The second most common operating system was some version of mac OS X (\(15.6\%\)). \(18.0\%\) of our participants completed the task on a mobile phone, as determined by user-agent string.⁷ This is a smaller number of mobile users than one would expect [44, 45], likely due to our method of recruitment.⁸ \(54.3\%\) of mobile users accessed the study from an iOS device while the remaining \(45.7\%\) used an Android device. Mobile participants differed on average from non-mobile participants in a number of categories: mobile users were more likely to identify as female (\(57.6\%\) mobile users vs \(46.41\%\) of non-mobile users were female; chi-squared, p = 0.0322, Cramer’s V = 0.0892); mobile users were more likely to be in a younger age bracket than an older one (\(61.8\%\) of mobile users and \(49.8\%\) percent of non-mobile users were 37 or younger, chi-squared, p = 0.00160, Cramer’s V = 0.133); as previously stated, they were more likely to be located in the UK than the US (\(64.9\%\) of mobile users and \(45.4\%\) of non-mobile users were in the UK; chi-squared, p = 3.51 × 10^{− 7}, Cramer’s V = 0.148); and they were less likely to report blocking cookies (\(11.4\%\) of mobile users and \(19.4\%\) of non-mobile users reported blocking cookies; chi-squared, p = 0.0435; Cramer’s V = 0.0842).

4.2 RQ1: Effect of Country of Residence

We found a number of statistically significant differences between UK and US participants. Most notably, UK-based participants were much less likely to dismiss the initial cookie notice using the close button, and they responded less positively to most sentiment questions about the cookie consent process.

4.2.1 User behavior.

A Pearson’s chi-squared test supports the hypothesis that country of residence affects user consent action (p = 5.28 × 10^{− 6}, Cramer’s V = 0.170). While the effect size is smaller than 0.2, as Figure 3 shows, participants in the UK were more likely to accept all cookies than those in the US. UK participants were also much less likely to dismiss the banner by using the close button than those in the US. One potential explanation may be the relatively higher proportion of participants who used a mobile phone for the task in the UK as compared to the US. However, if we exclude the participants who accessed the task from their phone, the difference between US and UK participants remains statistically significant (chi-squared, p = 1.01 × 10^{− 5}, Cramer’s V = 0.172).

Figure 3:

View Figure

Despite this difference in behavior, our participants did not differ significantly in how successful they were in making their preferred decision based on country or any of the other evaluated explanatory variables (see subsection 3.3.2). Across all participants, the most common preferred decision was to “Accept strictly necessary cookies” (\(43.6\%\)). \(24.0\%\) of participants indicated they would prefer some custom combination, with a plurality (42.9) of those participants indicating that they would prefer to enable strictly necessary, functional, and performance cookies. Only \(21.5\%\) of our participants indicated that they would like to “Accept All Cookies.” \(7.06\%\) of the participants wanted no cookies at all, something which is infeasible in an e-commerce environment. \(3.75\%\) of participants selected a self-contradictory preference (i.e., by selecting both that they wanted a certain category of cookies but also wanted no cookies). Finally, \(0.368\%\) of participants selected the “Other” option.

Excluding individuals with contradictory preferences or who would have preferred no cookies, \(50.4\%\) of participants across both countries made their preferred decision, assuming that only strictly necessary cookies were enabled on the website by default. If the website enabled all cookies by default, only \(41.2\%\) of our participants would have made their preferred decision.⁹ Even if participants who made no decision are excluded, only \(49.1\%\) of the remaining participants successfully made their preferred decision. All of these percentages are within \(5\%\) of the \(45.3\%\) success rate reported by Habib et al. [23]. The most common mistaken decision was to accept all cookies.

Figure 4:

View Figure

In addition to observed differences in consent behavior, UK participants also differed from US participants in how they answered questions about their consent behavior. UK participants were less likely to report that they read the cookie consent notice text (\(25.7\%\) of US vs \(44.9\%\) of UK reported skipping over the notice text; chi-squared, p = 4.47 × 10^{− 12}, Cramer’s V = 0.221). This could reflect a greater degree of habituation to skipping over notice text among UK users. For example, one UK-based participant who reported skipping over the notice text stated: “there’s just too much information - it is unreasonable to expect people to read all the options, so there is a huge risk that most people will just allow all cookies in order to get rid of the annoying pop-up... It’s a bit like T&Cs - most people accept them without reading because they are either too verbose or just gobbledegook.”

4.2.3 Comprehension.

There was no statistically significant difference in either recall or focused comprehension score between US and UK participants. US and UK participants also did not differ significantly in their ability to recall the available options. Despite this lack of difference in outcome, UK users did respond more negatively to the question “How easy or difficult do you find the cookie consent interface to understand?” (chi-squared, p = 0.000427, Cramer’s V = 0.14133343) \(55.8\%\) and \(65.0\%\) of UK and US users respectively answered that the interface was “Very easy” or “Somewhat easy” to understand. US and UK based participants did differ in their expectations of what would happen if they failed to make a consent decision (p = 0.0482, Cramer’s V = 0.116). UK users were slightly less likely to say that either “Only strictly necessary” cookies would be allowed (\(28.6\%\) of UK participants versus \(29.8\%\) of US participants) or that “No cookies” would be allowed (\(29.6\%\) of UK participants versus \(34.4\%\) of US participants), despite the fact that UK websites are required by law to obtain opt-in consent for cookies other than those strictly necessary. UK participants were more likely to indicate that “All cookies would be allowed” (\(33.7\%\) of UK participants versus \(30.4\%\) of US participants) or that they would be blocked from using the website entirely (\(6.77\%\) of UK participants versus \(5.19\%\) US participants). After participants had the opportunity to review the consent interface again, the difference between the two groups ceased to be statistically significant. While the behavior of real websites varies and is influenced by the relevant regulations, our interface defaulted to only allowing strictly necessary cookies. However, as with most real-world cookie banners we have observed, we provided no indication as to what would happen if a user closed the banner by clicking on the X or just ignored it.

Figure 5:

View Figure

As we hypothesized, US and UK participants had different perceptions of the legal requirements in their countries (chi-squared, p = 5.06 × 10^{− 16}, Cramer’s V = 0.259). Under the UK GDPR and ePrivacy Directive, websites can use strictly necessary cookies without permission but must get user permission before using any other cookies [18]. In the US, there is no national law that regulates the use of cookies. Only \(13.2\%\) of UK participants and \(8.93\%\) of US particpiants selected the correct answer for their country. A smaller proportion of UK-based participants stated that they were not sure (\(31.4\%\) of UK vs \(43.7\%\) of US-based participants) or that there were no requirements related to the use of cookies (\(0.451\%\) of UK vs \(8.93\%\) of US-based participants). The most commonly selected perception in both groups was that “Websites must get user permission before using any cookies,” (\(18.5\%\) of UK and \(12.0\%\) of US participants), which is incorrect in both countries. Despite their less positive responses to sentiment questions, on average, UK-based participants reported higher confidence that websites in their country followed applicable law than US-based participants (\(74.0\%\) of UK vs. \(62.5\%\) of US-based participants were “Extremely” or “Moderately” confident; chi-squared, p = 1.86 × 10^{− 6}, Cramer’s V = 0.157).

4.3 RQ2: Effect of Mobile Device Usage

We also found several effects related to mobile device usage. Users on mobile devices were more likely to accept all cookies. Mobile device users also performed worse at answering both recall and focused comprehension questions.

4.4 RQ3: Effect of Design Parameters

Figure 6:

View Figure

In this section we discuss the impact of design variants, with a focus on banner prominence, location of cookie category definitions, and initial cookie options. As discussed in subsection 3.2.1, participants were randomly assigned to different consent interface designs at the end of the informed consent process. We found no statistically significant difference between conditions with respect to age, country of residence, gender, tech expertise, mobile phone use, or number of individuals who reported blocking cookies.

Of the considered explanatory variables (see subsection 3.3.2), condition had the largest effect on user consent action (Fisher’s exact, p < 0.001, Cramer’s V = 0.480). Figure 6 shows an overview of the initial consent action broken down by condition. We found significant differences between the baseline condition and the common-banner, cornerButton, definitions-tabs, definitions-sidebanner, options-button, and options-link conditions. The complete pairwise test results are in Appendix D, Table 4. We found no significant difference between conditions in response to any of the eight user sentiment questions.

Banner prominence. We examined differences in user behavior based on banner prominence and found evidence that the side banner resulted in less engagement than a fully-blocking panel in the center of the browser window. However, we did not find evidence of differences in behavior between participants who saw a fully-blocking center panel and those who saw a non-blocking bottom banner. We found support for the hypothesis that the side banner prominence effects user behavior as compared to a fully-blocking cookie notice. The definitions-sidebanner condition varied significantly from the definitions-accordion condition. Participants in definitions-sidebanner were more likely to dismiss the consent notice using the close button and less likely to select only strictly necessary cookies than participants in the definitions-accordion condition. As the main difference between these two conditions is the prominence (they also differ slightly in width and position of the “allow selection” button), this suggests that the notice being placed on the left side of the screen rather than the center likely led to less engagement with the consent process.

Our findings also fail to support the hypothesis that non-blocking bottom banner prominence differs from fully-blocking center prominence. The options-3button-banner and options-3button conditions did not differ significantly from one another. Similarly, the difference in action between the common-banner and options-link conditions¹⁰ was not statistically significant.

Location of cookie category definitions. In the three conditions that required users to take an action in order to view the inline cookie category definitions (definitions-accordion, definitions-sidebanner, and definitions-tabs) we collected information about whether participants clicked to view definitions. Only \(10.0\%\) of users in these conditions viewed any definitions. Most of those who accessed the definitions were in the definitions-tabs condition (\(55.2\%\)). This likely results from the unique design of this condition wherein users must click the tab for a cookie category both to view and interact with the toggle for that category and to view the cookie definition. While a plurality of users only accessed a single definition (\(31.0\%\)), one participant in the definitions-tabs condition interacted with the definitions 17 times. \(65.5\%\) of participants who accessed definitions accepted only strictly necessary cookies. Given that few users accessed the definitions, it is not surprising that the presence of definitions in the initial cookie notices seems to have had no affect on user comprehension. This is also true for the definitions-inline condition, where definitions were viewable without clicking, but required some scrolling on most screens. We found no statistically significant difference in number of comprehension questions answered correctly by condition, either before or after revisiting the study website, suggesting that cookie category definitions are largely ignored.

As in the Habib et al. study [23], participants across all groups struggled to correctly pick the definition for functional cookies (\(22.8\%\) before reviewing the interface, \(43.0\%\) after review) and performance cookies (\(46.9\%\) before reviewing the interface, \(67.7\%\) after review). These terms, at least as defined by the ICC UK, are not intuitive and have poor user comprehension. Most participants could recognize the definition of strictly necessary cookies (\(72.0\%\) before reviewing the interface, \(82.1\%\) after review) and targeting cookies (\(78.4\%\) before reviewing the interface, \(86.8\%\)).

Initial cookie options. As shown in Figure 6, participant behavior is similar among most of the conditions that offer an initial option to accept only necessary cookies¹¹ (via a button or through check boxes or toggles) but that participants were more likely to accept all cookies or take no action when doing otherwise required visiting a secondary cookie preferences interface.

Our results suggest that providing an edit cookie preferences button in the initial options is more effective at getting users to engage with the consent process than an edit cookie preferences link. We found a statistically significant difference in action between the options-link and options-button conditions. Participants in the options-button condition were less likely to accept all cookies and more likely to accept only strictly necessary cookies. In both conditions, accepting strictly necessary cookies requires accessing the preference center interface via the button or link, so this result suggests that participants are less likely to view the preference center if its presented via a link rather than a button.

Our findings fail to support the hypothesis that the three-button approach (accept only necessary button, accept all cookies button, and edit cookie preferences button) effects user behavior when compared to offering check boxes for all three optional cookie types. As mentioned in section 3.3.2, to perform this analysis we treated as equivalent clicking “Save Preferences” or “Allow Selection” without selecting any options or pressing a dedicated “Accept Only Necessary” button. Neither of the three-button conditions differed significantly from the baseline in terms of user behavior.

All of the conditions included a close button, with \(16.2\%\) of participants using it to dismiss the initial consent notice. Interestingly, when asked what they expected to happen because of their decision, \(24.0\%\) of those who dismissed the banner with the close button indicated that they expected to receive no cookies (e.g., “I expect that selecting the ’x’ means I do not accept all cookies, and that the site will let me browse for a short period of time until it asks again.”). \(17.2\%\) of those who made the same decision expected the website to enable some or all of the cookies by default (e.g., “For cookies to be collected. Since there was no clear option to disable them I rather just exit out and pretend i’m not being tracked, but I know I am.”). These results reflect the ambiguity of the close button. Indeed, multiple participants requested a way to see what happened if they pressed the close button. For example, one participant in the baseline condition stated that they would like if the interface had “...something to say what will happen if you click x.” Similarly, another participant in the options-3button banner condition stated: “I would like if you click the x if it tells you which cookies will be allowed so i know whats going on if i click it.”

5.1 US-UK Differences

In our country-to-country comparisons, participants from the UK were more likely to make a consent decision and had lower sentiment towards the consent process. UK participants also expressed greater confidence in their legal protection.

One possible interpretation of the generally lower sentiment of UK participants is related to the relative frequency of cookie banners when browsing in the UK versus the US. Not only have cookie consent notices been in use longer in the UK due to the GDPR and the ePrivacy Directive [18], but UK users are more likely to encounter cookie notices in their daily browsing [14]. This interpretation would suggest that users do not grow fonder of cookie consent interfaces with more exposure. We cannot necessarily rule out other cross-cultural differences as resulting in this effect. One could posit, for example, that UK users are more negative in general than their US counterparts. We find this explanation unlikely, however. Notably, UK and US users did not differ significantly in their response to the non-cookie-related question “How easy or difficult was it to shop on this website?”Despite their lower sentiment about the consent process, UK users were more confident that they had legal protection than US users. This almost certainly reflects the presence of national privacy regulation in the UK that is absent in the US. This finding is consistent with prior literature. Miltgen et al. surveyed younger UK residents and found support for a relationship between perceived regulatory protection and trust of companies and regulators [33]. In the context of cookie consent interfaces, Bellentani found that participants in countries with the GDPR were more willing to disclose personal information than those not under the GDPR [2]. While we found that UK participants could not necessarily identify the requirements of their national regulations with respect to cookies, it seems that the UK GDPR makes them feel more confident in their privacy online.

The different behavior of UK-based participants may reflect habituation to cookie consent notices due to more frequent exposure as well as differences in the types of banners they may have been exposed to due to the GDPR. Websites that comply with the GDPR are incentivized to omit a close button as they must obtain opt-in consent to use any cookies beyond those strictly necessary. We find it likely that UK users have had less exposure to banners with a close button, leading to their lower rate of dismissing or ignoring the banner. The habituation interpretation is further bolstered by the lack of increase in success in making their preferred decision as compared to US-based participants. UK-based participants may have made real consent decisions more often, but it resulted in no more success by this metric.

5.2 Design Implications

We argue that the best solution to the cookie consent problem would be to provide automated mechanisms for consent, reducing user burden. Such an approach is not without its challenges [23]; however, it seems clear that cookie notices are ineffective at allowing users to make informed decisions. Even so, in the short term at least, cookie banners will likely be prevalent. Therefore, we offer recommendations to improve them, informed by our study results.

B.1 Recruitment Ad

B.2 Task Instructions

Instructions: Please click on the link below to visit a prototype of a website for a new retailer located in the United States/United Kingdom called Cups n’ Such. Please browse the website as you normally would if you were interested in checking out this retailer’s products for the first time and making a purchase. Select a product and put it in your shopping cart. You will then be directed to post-task survey.

Link to prototype website: https: [anonymous]

C.1 Task Completion

Q1: Please enter your Prolific ID again. (free response field)

Q2: Which country are you located in

Q3: Were you able to successfully complete the task?

Q4: Which product did you select?

Question only displayed if participant answered “Yes...” to Q3

Q5: How easy or difficult was it to shop on this website?

Q6: Do you use a browser extension or other tool to block cookies?

Q7: Have you configured your browser to block cookies?

Q8 What is the name of the extension or other tool you use to block cookies? (Free response field)

Question only displayed if participant answered yes to Q6

C.2 Awareness & Needs

Q9 Do you recall making any privacy-related decisions during your interaction with the cups n’ such website?

Q10 What was this decision about?

Question only displayed if participant answered yes to Q9

Q11 When visiting cups n’ such’s website, you might have seen an interface related to the use of cookies. Which option(s) do you remember selecting? (participants can select multiple options)

Q12 What do you expect to happen since you selected (answer from Q11)? (Free response field)

Question only displayed if participant did not select “I don’t remember,” “I didn’t select any options...” or “I clicked the ‘X’ to close the window...” in Q11

Q13 What do you expect to happen since you clicked the ’x’ without selecting any options related to cookies? (Free response field)

Question only displayed if participant selected “I clicked the ‘X’ to close the window...” in Q11

Q14 What were you trying to achieve when you selected (answer from Q11)? (Free response field)

Question only displayed if participant did not select “I don’t remember,” “I didn’t select any options...” or “I clicked the ‘X’ to close the window...” in Q11

Q15 Why did you decide not to make a selection regarding the use of cookies on the website? (select all that apply) (participants can select multiple options)

Question only displayed if participant selected “I don’t remember,” “I didn’t select any options...” or “I clicked the ‘X’ to close the window...” in Q11

Q16 Which of the following best describes how you made your decision related to the use of cookies on the cups n’ such website?

Question only displayed if participant did not select “I didn’t select any options...” or “I clicked the ‘X’ to close the window...” in Q11

Q17 How carefully did you consider the options related to cookies on the cups n’ such website?

Question only displayed if participant did not select “I didn’t select any options...” in Q11

Q18 The cookie notice interface included some text. What did you do when you saw it?

Question only displayed if participant did not select “I didn’t select any options...” in Q11

Q19 What options related to cookies do you recall being available to you on this website? (Options for each statement: Definitely not available, Probably not available, Not sure if available, Probably available, Definitely available)

C.3 Comprehension (recall)

Instructions: Please select the definition that fits best for each of the following terms.

Q20 In the context of the web, what is a cookie?

Q21 What are strictly necessary cookies?

Q22 What are performance cookies?

Q23 What are functional cookies?

Q24 What are targeting cookies?

Q25 Which of the following scenarios do you think are most likely to happen if you do not make a selection regarding the use of cookies, for example, by dismissing the cookie banner by clicking the "x" in the top right corner?

Q26 How confident are you in your answer to the previous question?

C.4 Comprehension (review)

Instructions: Open the website again in a new tab by clicking the link below and keep it open for the remainder of the survey. (Link to the appropriate website for their condition was present here)

Instructions: Please answer the following questions after you review your options related to cookies.

Q27 You may have seen several cookie options on the prototype website. What additional options related to cookies would you like to have available to you, if any? (free response field)

Instructions: Next, we are going to ask some of questions again with your previous answers marked. After reviewing the information provided about the use of cookies on the website, please edit your answers if you need to.

Instructions: Please select the definition that fits best for each of the following terms.

Q28 In the context of the web, what is a cookie?

Pre-filled with answer from Q20

Q29 What are strictly necessary cookies?

Pre-filled with answer from Q21

Q30 What are performance cookies?

Pre-filled with answer from Q22

Q31 What are functional cookies?

Pre-filled with answer from Q23

Q32 What are targeting cookies?

Pre-filled with answer from Q24

Q33 Which of the following scenarios do you think are most likely to happen if you do not make a selection regarding the use of cookies, for example, by dismissing the cookie banner by clicking the "x" in the top right corner?

Pre-filled with answer from Q25

Q34 How confident are you in your answer to the previous question?

Pre-filled with answer from Q26

Instructions: Please answer the following questions, referring to the website if necessary.

Q35 What option related to cookies do you think the website is recommending?

Q36 How easy or difficult do you find the cookie consent interface to understand?

Instructions: For the next question, you may need to refer to the following definitions:

Q37 What would be your preferred cookie consent decision for this website? (Select all that apply) (participants can select multiple options)

Q38 How easy or difficult would it be for you to make your preferred cookie consent decision?

C.5 Sentiment

Q39 Which of the following is required under (answer from Q2) law?

Q40 When you visit retail websites in the (answer from Q2), how confident are you that they follow applicable (answer from Q2) laws about cookies?

Q41 To what extent do you feel... (Options for each statement: Not at all, Moderately, Extremely, Not sure)

Q42 Compared to other cookie consent interfaces you may have seen, do you think this cookie consent interface is...

Q43 Why do you feel that this cookie consent interface was (answer from Q42) than other cookie consent interfaces you have seen? (Free response field)

Question only displayed if participant did not selected “I have not seen other cookie consent interfaces” or “Not Sure” in Q42

Instructions: The following questions refer to “your cookie consent decision” which refers to the decision you made about the use of cookies on cups n’ such the first time you encountered the cookie consent interface.

Q44 To what extent do you feel... (Options for each statement: Not at all, Moderately, Extremely, Not sure)

Question only displayed if participant did not selected “I didn’t select any options related to the use of cookies” in Q11

C.6 Decision Reversal

Instructions: Please refer to the screenshot below for the following questions..

Participants were shown a screenshot of the cups n’ such with the persistent button to change their consent decision.

Q45 Suppose you already made a decision about how cookies can be used on this website. What would you do if you wanted to change your cookie consent decision, or make a decision if you didn’t when first visiting the website? (Free response field)

Q46 What would you do if what you described in your previous answer was not available on the website? (Free response field)

Q47 Did you look at this website’s privacy policy while taking this survey?

Q48 Did you look at this website’s cookie policy while taking this survey?

Q49 Did you look at this website’s cookie preference page (with toggles next to cookie categories) while taking this survey?

C.7 Demographics

Q50 How frequently do you shop online?

Q51 How frequently do you shop online? What is your age in years? Enter "0" if you prefer not to respond. (Free response field)

Q52 How do you describe your gender identity?

Q53 How do you describe your race or ethnic identity? (You may select more than one option.) (participants can select multiple options)

Q54 What is the highest level of school you have completed or the highest degree you have received?

Q55 What was your approximate household income in 2021 before taxes?

Response options were displayed in £if participant selected “United Kingdom” in Q2 and $ if participant selected “United States” in Q2

Q56 Do you have a formal education in a computer-related field, such as computer science or IT? (“Formal education” could mean a completed degree or certificate, or classes or trainings you took towards a degree or certificate.)

Q57 Do you have work experience in a computer-related field, such as computer science or IT?

C.8 Feedback

Q58 If you have any feedback on the survey or cookie consent interface you saw, please leave it here. (Free response field)