Gizlilik Yasalarının Test Edilmesi: Kullanıcıların Bilgi-Rıza Bildirimleri Hakkında Algıları ve Tepkileri

Year 2024, Volume: 6 Issue: 2, 1 - 32, 23.12.2024

Didem Güngör Firat

Abstract

Many websites have been using cookies to store information about users' behaviour. Although cookies provide various benefits for the service provider and the user, they are seen as a threat to online privacy. In recent years, many countries have introduced privacy laws.
The regulations led by the European Union impose the responsibility of informing the user about the cookies and obtaining the explicit consent of the user. For this reason, they use information/consent notices on their websites to inform users and ask for consent.
The primary concern of this study is to examine the effect of information/consent notices and, therefore, laws on users. The current study asks the following questions in the light of literature related to the subject: What are the users' knowledge and perceptions about the information/consent forms, how do they react to these forms, and what are the factors that affect their consent to these forms. While previous studies mostly focused on the EU region and the US, this study focuses on Turkey. In order to understand user behaviour in Turkey, an online survey was conducted with 56 participants. The study concluded that information/consent notices do not support optimal decision-making in users' privacy-related decisions.

Keywords

Cookies, privacy, GDPR, PDPL, information/consent notices (ICN)

GİZLİLİK YASALARININ TEST EDİLMESİ: KULLANICILARIN BİLGİ/RIZA BİLDİRİMLERİ HAKKINDA ALGILARI VE TEPKİLERİ

Abstract

Birçok web sitesi, kullanıcıların davranışları hakkında bilgi depolamak için çerezleri kullanıyor. Çerezler, hizmet sağlayıcı ve kullanıcı için çeşitli faydalar sağlasa da, çevrimiçi gizliliğe yönelik bir tehdit olarak görülmektedir. Son yıllarda, birçok ülkede gizlilik yasaları yürürlüğe girmiştir.
Avrupa Birliği’nin öncülük ettiği düzenlemeler, hizmet sağlayıcılara kullanıcıyı çerezler hakkında bilgilendirme ve kullanıcının açık rızasını alma sorumluluğunu yüklemektedir. Bu nedenle web siteleri, bilgi/rıza bildirimlerini kullanıcıları bilgilendirmek ve izin istemek için kullanırlar.
Bu çalışmanın birincil kaygısı, bilgi/rıza bildirimlerinin ve dolayısıyla yasaların kullanıcılar üzerindeki etkisini incelemektir. Mevcut çalışma, konuyla ilgili literatür ışığında şu soruları sormaktadır: Kullanıcıların bilgi/rıza formları hakkındaki bilgi ve algıları nelerdir, bu formlara nasıl tepki verirler ve rızalarını etkileyen faktörler nelerdir? Daha önceki çalışmalar daha çok AB bölgesi ve ABD'ye odaklanırken, bu çalışma Türkiye'ye odaklanır. Türkiye'deki kullanıcı davranışlarını anlamak için 56 katılımcı ile çevrimiçi bir anket yapılmıştır. Çalışma, bilgi/rıza bildirimlerinin, kullanıcıların gizlilikle ilgili kararlarında optimal karar vermeyi desteklemediği sonucuna varmıştır.

Keywords

Çerezler, gizlilik, GDPR, KVKK, bilgi/rıza bildirimleri

References

• Abrardi, L., Cambini, C., & Hoernig, S. (2021). ``I don’t care about cookies!" Platform Data Disclosure and Time- Inconsistent Users. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3806112
• AcquistiAlessandro, AdjeridIdris, BalebakoRebecca, BrandimarteLaura, Faith, C., KomanduriSaranga, Giovanni, L., SadehNorman, SchaubFlorian, SleeperManya, WangYang, & WilsonShomir. (2017). Nudges for Privacy and Security. ACM Computing Surveys (CSUR), 50(3). https://doi.org/10.1145/3054926
• Albrecht, J. P. (2016). How the GDPR Will Change the World. European Data Protection Law Review (EDPL), 2. https://heinonline.org/HOL/Page?handle=hein.journals/edpl2&id=313&div=&collection=
• Alexa. (2021). Alexa - Top Sites in Turke - Alexa. https://www.alexa.com/topsites/countries/TR
• ARTICLE 29 DATA PROTECTION WORKING PARTY. (2013). ARTICLE 29 DATA PROTECTION WORKING PARTY Opinion 06/2013 on open data and public sector information ('PSI’) reuse THE WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA. http://ec.europa.eu/justice/data-protection/index_en.htm
• Boerman, S. C., Kruikemeier, S., & Zuiderveen Borgesius, F. J. (2018). Exploring Motivations for Online Privacy Protection Behavior: Insights From Panel Data. Communication Research. https://doi.org/10.1177/0093650218800915
• Borgesius, Z., Mcdonald, F. J. ;, Frederik, D., Zuiderveen Borgesius, J., & Mcdonald, A. M. (2015). UvA-DARE (Digital Academic Repository) Do Not Track for Europe Do Not Track for Europe. http://ssrn.com/abstract=2588086
• Braun, V., & Clarke, V. (2006). Using thematic analysis in psychology. Qualitative Research in Psychology, 3(2), 77– 101. https://doi.org/10.1191/1478088706qp063oa
• Brewis, J. (2014). The Ethics of Researching Friends: On Convenience Sampling in Qualitative Management and Organization Studies. British Journal of Management, 25(4), 849–862. https://doi.org/10.1111/1467-8551.12064
• Burton, D. (2000a). Research Training for Social Scientists : A Handbook for Postgraduate Researchers. Sage Publication. https://ebookcentral.proquest.com/lib/lboro/detail.action?docID=483368
• Burton, D. (2000b). Research Training for Social Scientists: A Handbook for Postgraduate Researchers. SAGE Publications.
• Castelluccia, C., & Narayanan, A. (2012). Privacy considerations of online behavioural tracking. . European Network and Information Security Agency (ENISA).
• Choi, H., Park, J., & Jung, Y. (2018). The role of privacy fatigue in online privacy behavior. Computers in Human Behavior.
• Clarke, V., Braun, V., & Hayfield, N. (2015). Qualitative Psychology: A Practical Guide to Research Methods (J. A. Smith, Ed.). SAGE Publicaitons.
• Comley, P. (2002). Online survey techniques: Current issues and future trends. Interactive Marketing 2002 4:2, 4(2), 156–169. https://doi.org/10.1057/PALGRAVE.IM.4340174
• Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., & Holz, T. (2019). We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy. https://doi.org/10.14722/ndss.2019.23378
• Edenberg, E., & Jones, M. L. (2020). Troubleshooting AI and Consent. In The Oxford Handbook of Ethics of AI. The Oxford Handbook of Ethics of AI. https://philpapers.org/rec/EDETAA-2
• Eroğlu, Ş. (2018). Dijital Yaşamda Mahremiyet (Gizlilik) Kavramı ve Kişisel Veriler: Hacettepe Üniversitesi Bilgi ve Belge Yönetimi Bölümü Öğrencilerin Mahremiyet ve Kişisel Veri Algılarının Analizi. Hacettepe Üniversitesi Edebiyat Fakültesi Dergisi, 35(2), 35. https://doi.org/10.32600/huefd.439007
• European Commission. (2018). Progress on EU data protection reform now irreversible following European Parliament vote. https://ec.europa.eu/commission/presscorner/detail/en/MEMO_14_186
• European Data Protection Supervisor. (n.d.). The History of the General Data Protection Regulation | European Data Protection Supervisor. Retrieved October 5, 2021, from https://edps.europa.eu/data-protection/data- protection/legislation/history-general-data-protection-regulation_en
• Fogg, B. (2009). A behavior model for persuasive design. ACM International Conference Proceeding Series, 350. https://doi.org/10.1145/1541948.1541999
• Fricker, R. D., & Schonlau, M. (2016). Advantages and Disadvantages of Internet Research Surveys: Evidence from the Literature: Http://Dx.Doi.Org/10.1177/152582202237725, 14(4), 347–367. https://doi.org/10.1177/152582202237725
• GDPR. (n.d.). Recital 30 - Online Identifiers for Profiling and Identification - General Data Protection Regulation (GDPR). Retrieved October 5, 2021, from https://gdpr-info.eu/recitals/no-30/
• Gerson, K., & Horowitz, R. (2002). Observation and interviewing. Qualitative research in action.
• Giakoumopoulos, C., Buttarelli, G., & O’Flaherty, M. (2018). Handbook on European data protection law - 2018 edition | European Union Agency for Fundamental Rights. https://fra.europa.eu/en/publication/2018/handbook-european- data-protection-law-2018-edition
• Gray, C. M., Kou, Y., Battles, B., Hoggatt, J., & Toombs, A. L. (2018). The Dark (Patterns) Side of UX Design. https://doi.org/10.1145/3173574.3174108
• Gray, P. S. (2007). The Research Imagination : An Introduction to Qualitative and Quantitative Methods. https://ebookcentral.proquest.com/lib/lboro/reader.action?docID=307439
• Gurau, C. (2007). The Ethics of Online Surveys. In https://services.igi- global.com/resolvedoi/resolve.aspx?doi=10.4018/978-1-59140-792-8.ch012. IGI Global. https://doi.org/10.4018/978-1-59140-792-8.CH012
• Ha, V., Inkpen, K., al Shaar, F., & Hdeib, L. (2006). An examination of user perception and misconception of internet cookies. Conference on Human Factors in Computing Systems - Proceedings, 833–838. https://doi.org/10.1145/1125451.1125615
• Human, S., Gsenger, R., & Neumann, G. (2020). ePub WU Institutional Repository End-user Empowerment: An Interdisciplinary Perspective Conference or Workshop Item (Published) (Refereed) End-user Empowerment: An Interdisciplinary Perspective.
• Jayakumar, L. N. (2021). Cookies ‘n’ consent: An empirical study on the factors influencing website users’ attitudes towards cookie consent in the EU. DBS Business Review, 4, Article 72. https://doi.org/10.22375/dbr.v4i0.72
• ICO. (2021). Cookies and similar technologies. Information Commsisioner’s Office; ICO. https://ico.org.uk/for- organisations/guide-to-pecr/cookies-and-similar-technologies/
• Kulyk, O., Gerber, N., Hilt, A., & Volkamer, M. (2021). Has the GDPR hype affected users’ reaction to cookie disclaimers? Journal of Cybersecurity, 6(1). https://doi.org/10.1093/CYBSEC/TYAA022
• Kulyk, O., Hilt, A., Gerber, N., & Volkamer, M. (2018, July 1). “This Website Uses Cookies”: Users’ Perceptions and Reactions to the Cookie Disclaimer. https://doi.org/10.14722/eurousec.2018.23012
• Kuner, C. (2012). The European Commission’s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law. Bloomberg BNA Privacy and Security Law Report. https://papers.ssrn.com/abstract=2162781.
• KVKP. (2018). Turkish Personal Data Protection Law no. 6698 • Kişisel Verilerin Korunması Mevzuatı • KVKP. https://www.kisiselverilerinkorunmasi.org/kanunu-ingilizce-ceviri/
• Leon, P. G., Ur, B., Wang, Y., Sleeper, M., Balebako, R., Shay, R., Bauer, L., Christodorescu, M., & Cranor, L. F. (2013). What matters to users? Factors that affect users’ willingness to share information with online advertisers. SOUPS 2013 - Proceedings of the 9th Symposium on Usable Privacy and Security. https://doi.org/10.1145/2501604.2501611
• Lessig, L. (2009). Code: And Other Laws of Cyberspace.
• Lyon, D. (2006). Theorizing Surveillance. In Theorizing Surveillance. Willan. https://doi.org/10.4324/9781843926818- 5
• Machuletz, D., & Böhme, R. (2020). Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs after GDPR. Proceedings on Privacy Enhancing Technologies, 2020(2), 481–498. https://doi.org/10.2478/popets-2020- 0037
• May, T. (2011). Social Research Issues, Methods and Process (Forth Edition). Open University Press.
• McDonald, A., & Cranor, L. F. (2010). Beliefs and Behaviors: Internet Users’ Understanding of Behavioral Advertising by Aleecia McDonald, Lorrie Faith Cranor :: SSRN. PTRC 2010. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1989092
• Meyers, W. A. (2018). C Is for Cookie: Is the EU’s New Cookie Law Good Enough to Protect My Data. International Lawyer, 52. https://heinonline.org/HOL/Page?handle=hein.journals/intlyr52&id=513&div=&collection=
• Milne, G. R., Labrecque, L. I., & Cromer, C. (2009). Toward an understanding of the online consumer’s risky behavior and protection practices. Journal of Consumer Affairs, 43(3), 449–473. https://doi.org/10.1111/j.1745- 6606.2009.01148.x
• Miyazaki, A. D. (2008). Online privacy and the disclosure of cookie use: Effects on consumer trust and anticipated patronage. Journal of Public Policy and Marketing, 27(1), 19–33. https://doi.org/10.1509/jppm.27.1.19
• Montulli, L. (2000). HTTP State Management Mechanism. Bell Laboratories, Lucent Technologies. https://www.rfc- editor.org/rfc/rfc2965.txt
• Murat, D., & Dülger, V. (2019). AVRUPA BİRLİĚİ GENEL VERİ KORUMA TÜZÜĚÜ BAĚLAMINDA KİŞİSEL VERİLERİN KORUNMASI. https://orcid.org/0000-0003-4034-5436
• Norberg, P., Horne, D. R., & Horne, D. (2007). The Privacy Paradox: Personal Information Disclosure Intentions versus Behaviors. The Journal of Consumer Affairs.
• Nouwens, M., Liccardi, I., Veale, M., Karger, D., & Kagal, L. (2020, April 21). Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence. Conference on Human Factors in Computing Systems - Proceedings. https://doi.org/10.1145/3313831.3376321
• Oldendick, R. W. (2012). Survey Research Ethics. Handbook of Survey Methodology for the Social Sciences, 23–35. https://doi.org/10.1007/978-1-4614-3876-2_3
• OneTrust. (2020). Cookie Consent | Comply with Cookie Laws | Products | OneTrust. https://www.onetrust.com/products/cookie-consent/
• PDPO. (2019). Communique on the Procedures and Principles to be Followed for the Fulfillment of the Obligation of Informing. www.kvkk.gov.tr
• Peng, W., & Cisna, J. (2000). HTTP cookies – a promising technology. Online Information Review, 24(2), 150–153. https://doi.org/10.1108/14684520010330346
• Peters, R., & Sikorski, R. (1997). SITE FINDER: Cookie Monster? Science, 278(5342), 1486b–11487. https://doi.org/10.1126/SCIENCE.278.5342.1486B
• Sanchez-Rola, I., Dell’Amico, M., Kotzias, P., Balzarotti, D., Bilge, L., Vervier, P. A., & Santos, I. (2019). Can i opt out yet? GDPR and the global illusion of cookie control. AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, 12, 340–351. https://doi.org/10.1145/3321705.3329806
• Schermer, B. W., Custers, B., & van der Hof, S. (2014). The crisis of consent: how stronger legal protection may lead to weaker consent in data protection. Ethics and Information Technology.
• Schillewaert, N., Langerak, F., & Duhamei, T. (1998). Non-probability Sampling for WWW surveys: a comparison of methods’. Journal of the Market Research Society, 1(40), 307–321.
• Sedgwick, P. (2013). Convenience sampling. BMJ, 347(oct25 2), f6304–f6304. https://doi.org/10.1136/BMJ.F6304
• Sharp, M. K., Glonti, K., & Hren, D. (2020). Online survey about the STROBE statement highlighted diverging views about its content, purpose, and value. Journal of Clinical Epidemiology, 123, 100–106. https://doi.org/10.1016/J.JCLINEPI.2020.03.025
• Skouma, G., & Léonard, L. (2015). On-line Behavioral Tracking: What May Change After the Legal Reform on Personal Data Protection. 35–60. https://doi.org/10.1007/978-94-017-9385-8_2
• Strycharz, J., Ausloos, J., & Helberger, N. (2020). Data Protection or Data Frustration? Individual Perceptions and Attitudes towards the GDPR. European Data Protection Law Review (EDPL), 6. https://heinonline.org/HOL/Page?handle=hein.journals/edpl6&id=430&div=&collection=
• TASKAYA, M., & TALAY, Ö. (2019). Dijital Gözetimin Pazarlama Amaçlı Aracıları: “Çerezler” ve Çerez Kullanımında “Açık Rıza.” Akdeniz Üniversitesi İletişim Fakültesi Dergisi.
• Trevisan, M., Traverso, S., Bassi, E., Mellia, M., di Torino, P., & Cyber Secu-, E. (2019). 4 Years of EU Cookie Law: Results and Lessons Learned. 126–145. https://doi.org/10.2478/popets-2019-0023
• Ur, B., Leon, P. G., Cranor, L. F., Shay, R., & Wang, Y. (2012). Smart, useful, scary, creepy: Perceptions of online behavioral advertising. SOUPS 2012 - Proceedings of the 8th Symposium on Usable Privacy and Security. https://doi.org/10.1145/2335356.2335362
• Utz, C., Degeling, M., Fahl, S., Schaub, F., & Holz, T. (2019). (Un)informed Consent: Studying GDPR Consent Notices in the Field ACM Reference Format. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 18. https://doi.org/10.1145/3319535.3354212
• W3Techs. (2021). Usage Statistics of Persistent Cookies for Websites, October 2021. https://w3techs.com/technologies/details/ce-persistentcookies