• Websites must obtain consent when storing cookies on their users’ devices. • They do so by making it difficult to reject cookies. • This is not necessarily in the best interest of the user. • We propose three solutions to improve the way consent is requested.

Personal data is often considered the currency of the digital world, allowing companies to better control, study and target consumers. However, users may not always be aware they are disclosing personal data online, posing a privacy policy problem. We tested whether the display of anthropomorphic cues could curb users’ unwitting disclosure of personal information. We conducted an online experiment with a between-subject design in Germany, Italy, Poland, and the UK (n=1,217). Neither a ‘static’ nor a ‘dynamic’ anthropomorphic character made participants disclose less personal information – in fact, the static character made them disclose more (p=0.03). Findings are interpreted by considering the effect of anthropomorphic characters on trust, which may in turn increase disclosure. Level of education and country also influenced disclosure.

We conducted an incentivized lab experiment examining the effect of gain vs. loss-framed warning messages on online security behavior. We measured the probability of suffering a cyberattack during the experiment as the result of five specific security behaviors: choosing a safe connection, providing minimum information during the sign-up process, choosing a strong password, choosing a trusted vendor, and logging-out. A loss-framed message led to more secure behavior during the experiment. The experiment also measured the effect of trusting beliefs and cybersecurity knowledge. Trusting beliefs had a negative effect on security behavior, while cybersecurity knowledge had a positive effect.

We conducted an online experiment (n=2,024) on a representative sample of internet users in Germany, Sweden, Poland, Spain and the UK to explore the effect of notifications on security behvaiour. Inspired by protection motivation theory (PMT), a coping message advised participants on how to minimise their exposure to risk and a threat appeal highlighted the potential negative consequences of not doing so. Both increased secure behaviour – but the coping message significantly more so. The coping message was also as effective as both messages combined, but not so the threat appeal. Risk attitudes, age and country had a significant effect on behaviour. Initiatives seeking to promote secure behaviour should focus more on coping messages, either alone or in combination with fear appeals.

We studied whether changes to the online environment, i.e. nudges, can lead to changes in privacy behaviour through an on-line experiment (n=3,229) across four European countries. The output measures were obtained through the answers to a questionnaire following a mock online exercise: one revealed the amount of personal information participants were willing to disclose, and the other whether they noticed a privacy policy link. The nudges appeared as changes in the design of a mock search engine (e.g. including an anthropomorphic character, highlighting prior browsing history or changing the look-and-feel to convey greater informality). The nudges did not lead to differences in the amount of personal information disclosed, but did affect whether participants noticed the privacy link or not. Socio-demographic factors were relevant. Compared to younger participants, older participants were less likely to reveal personal information but more likely to notice the privacy policy link. Men were more likely to reveal personal information than women, and more likely to notice the privacy policy link. Finally, significant differences were found between all countries. Participants from Italy chose to reveal least personal information (followed by those in Poland, Germany and the UK), and participants from the UK were significantly less likely to notice the privacy policy link. The implications for policy are that disclosure of personal information is resilient to small changes in the web environment, but this is not the case for awareness of a privacy policy link. Moreover, the fact that age, gender, and country of residence are relevant suggests that differentiated policy approaches depending on the target population may be warranted.