Wirtschaftsinformatik und Gesellschaft

Consent Request Framework

A project funded by the city of Vienna under the “Digitaler Humanismus” call is being implemented by Olha Drozd (a PhD student of Prof. Sarah Spiekermann-Hoff) under the supervision of Dr. Sabrina Kirrane (Assistant Professor at the Institute for Information Systems & New Media).


The aim of the Privacy CURE project is to develop a Consent reqUest fRamEwork (CURE) that elicits greater involvement of data subjects when it comes to granting consent; improves consent request understandability; affords them more control via usage-based generated consent, templates and/or customization features; and provides high transparency with respect to personal data processing.

The project extends our research presented in the recently published TrustBus paper “I Agree: Customize your Personal Data Processing with the CoRe User Interface” and the IFIP SEC paper “Privacy CURE: Consent Comprehension Made Easy”. In both papers we designed and evaluated several alternative web application consent requests. In contrast to that research, the Privacy CURE project concentrates on mobile apps, where there is a need for different consent request approaches that are suitable for mobile devices.

In the project we aim to address the following research questions:

  • Which consent templates can be used to categorize personal data used by existing city of Vienna apps?

  • What extent of consent control and amount of information regarding the personal data processing, in the context of the use case, achieve high levels of consent content comprehension by a user and at the same time satisfy the GDPR requirements regarding consent?

  • How can the unified consent request UI be integrated across various mobile apps?

We envisage that the CURE prototype, with its usage-based consent, consent templates, customization and unified UI across apps, will improve the apps’ transparency regarding personal data processing, users’ comprehension of the given consent, and users’ control over the processing of their personal data. This contrasts with the current situation, where each application has a different consent request design and formulation approach, causing information overload from the users’ perspective. Figure 1 shows how CURE (on the right) differs from current consent request solutions (on the left).


Figure 1: Current (on the left) and proposed (on the right) approaches for giving and withdrawing consent by a user

At the moment we are developing a mobile application (app) prototype with different consent request user interface (UI) variations integrated into it. The prototype is based on a realistic use case scenario whereby Eva and Peter, who moved to Vienna for work, want to make their adjustment to the new city as easy as possible. They install all the relevant apps offered by the city of Vienna and are presented with a CURE-based personal data processing consent request. Peter is a recent supporter of the citizen science concept and would like to contribute his data to improve the city of Vienna via its apps. Eva does not mind providing her data to have a better city but would rather agree to a consent request tailored to her needs based on the app usage.

The Privacy CURE is under development, so stay tuned!

For further information please contact Olha Drozd