Deceptive Cookies: Consent by Design -- A Mixed Methods Study
Pith reviewed 2026-05-15 03:16 UTC · model grok-4.3
The pith
Cookie consent banners lead users to accept data collection despite their stated preference to reject it.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Although participants generally want to reject cookie collection, they often end up accepting because of deceptive patterns in the cookie consent banner design. They were more willing to consent to websites they trusted and if they expected it would improve their user experience. Withdrawing consent took on average more than 20 times longer than giving it, suggesting that cookie consent banners in their current form are not ideal with respect to user autonomy.
What carries the argument
Deceptive patterns in cookie consent banner design that create a gap between stated privacy preferences and actual acceptance actions.
If this is right
- Users consent more readily to sites they already trust.
- Expectations of better user experience increase the likelihood of acceptance.
- Withdrawing consent requires substantially more time and effort than granting it.
- Current banner designs produce consent by default rather than informed choice.
- The findings indicate that banners fail to deliver the equal ease of withdrawal required by EU rules.
Where Pith is reading between the lines
- Standardizing banner layouts to make rejection as prominent as acceptance could narrow the observed preference-action gap.
- Similar design pressures may appear in other digital consent flows such as app permissions or terms acceptance.
- Over time, repeated exposure to these patterns could reduce overall user trust in data-handling practices across the web.
Load-bearing premise
The gap between stated preferences and actions observed in a usability test with twenty participants accurately reflects how people behave when encountering real cookie banners on live websites.
What would settle it
A field study that records actual consent clicks and withdrawal times on popular live websites, then compares those outcomes to the same users' earlier self-reported privacy preferences.
Original abstract
While companies increasingly rely on data, especially when it comes to targeted advertising, adapting content to users, selling data and training machine learning models, the collection of data raises privacy concerns. One way of collecting data is by using HTTP cookies when interacting with a website. Legal regulations require service providers to collect consent for some forms of cookie collection, which is often acquired through cookie consent banners, but their effectiveness has been debated. This study aims to understand what influences users' experience and behaviour when managing their cookie consent, by investigating the gap between their stated privacy preferences and their actual actions. A mixed methods approach was used, collecting data from a usability test and a survey (N=20). The results showed that although participants generally want to reject cookie collection, they often end up accepting because of deceptive patterns in the cookie consent banner design. It also showed that they were more willing to consent to websites they trusted and if they expected it would improve their user experience. Although the current EU legislation states that withdrawing consent must be as easy as giving it, withdrawing consent took on average more than 20 times longer than giving it. This suggests that cookie consent banners in their current form are not ideal with respect to user autonomy, often leading users to consent by design.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper reports a mixed-methods study (usability test plus survey) with N=20 participants that examines the gap between users' stated privacy preferences and their observed behavior with cookie consent banners. Key claims are that participants generally prefer to reject non-essential cookies yet often accept them due to deceptive design patterns; willingness to consent increases for trusted sites or when UX benefits are expected; and withdrawing consent takes more than 20 times longer than giving it, indicating that current banners undermine user autonomy despite regulatory requirements.
Significance. If the core observations hold under better-controlled conditions, the work would usefully document a preference-action mismatch and time asymmetry in consent interfaces, adding to the literature on dark patterns and privacy UX. The mixed-methods design, which pairs behavioral timing data with qualitative reports, is a methodological strength that allows both measurement and interpretation of the consent process.
major comments (3)
- [Methods] The central claim that deceptive patterns produce 'consent by design' rests on a single usability study with N=20. The Methods section provides no details on recruitment (convenience vs. targeted), participant demographics, whether banners were live or mocked, task instructions, or any control conditions, leaving the preference-action gap vulnerable to selection bias and low task realism.
- [Results] Results section: the statement that 'withdrawing consent took on average more than 20 times longer' is presented without standard deviations, per-participant data, or any inferential statistics. With such a small sample this ratio cannot be treated as robust evidence that current designs violate the 'as easy as giving it' requirement of EU law.
- [Analysis] The coding of 'deceptive patterns' that supposedly drive acceptance behavior is not described (e.g., codebook, inter-rater reliability, or how patterns were identified in the tested banners). This omission directly weakens the causal attribution in the headline claim.
minor comments (1)
- [Abstract] Abstract: the N=20 figure is not broken down by usability test versus survey component; clarifying this would improve readability.
Simulated Author's Rebuttal
We thank the referee for the constructive and detailed feedback on our manuscript. We have reviewed each major comment carefully and provide point-by-point responses below. We agree that additional methodological transparency and more precise reporting of results will strengthen the paper, and we will revise accordingly while preserving the exploratory mixed-methods contribution.
Referee: [Methods] The central claim that deceptive patterns produce 'consent by design' rests on a single usability study with N=20. The Methods section provides no details on recruitment (convenience vs. targeted), participant demographics, whether banners were live or mocked, task instructions, or any control conditions, leaving the preference-action gap vulnerable to selection bias and low task realism.
Authors: We agree that the Methods section requires expansion for transparency and to address potential biases. In the revised manuscript we will add: recruitment occurred via convenience sampling through university mailing lists, social media, and personal networks; full participant demographics (age range 18-45, gender distribution, education levels); clarification that banners were high-fidelity mocks derived from real-world examples of popular sites to maintain ecological validity while allowing controlled observation; verbatim task instructions provided to participants; and an explicit discussion of the absence of control conditions as a limitation of this exploratory study. These additions will directly mitigate concerns about selection bias and task realism. revision: yes
Referee: [Results] Results section: the statement that 'withdrawing consent took on average more than 20 times longer' is presented without standard deviations, per-participant data, or any inferential statistics. With such a small sample this ratio cannot be treated as robust evidence that current designs violate the 'as easy as giving it' requirement of EU law.
Authors: We accept that the timing result needs more rigorous presentation. The 'more than 20 times longer' figure is a descriptive average computed from observed task completion times in the usability test. In the revision we will report standard deviations, include a table or appendix with per-participant timing data, and explicitly state that this is an observational finding from a small sample rather than an inferential claim. We will revise the language around EU law to indicate that the results suggest potential difficulties in satisfying the 'as easy as' requirement while acknowledging the limitations of N=20 and the absence of statistical testing. revision: yes
Referee: [Analysis] The coding of 'deceptive patterns' that supposedly drive acceptance behavior is not described (e.g., codebook, inter-rater reliability, or how patterns were identified in the tested banners). This omission directly weakens the causal attribution in the headline claim.
Authors: We agree that the process for identifying deceptive patterns should be documented. The patterns were derived from a thematic analysis guided by established dark-pattern taxonomies in the literature. In the revised manuscript we will add a dedicated subsection describing the codebook (covering categories such as hidden reject options, pre-selected accept buttons, and asymmetric choice architecture), how each tested banner was mapped to these categories, and an acknowledgment that coding was performed by the lead researcher without inter-rater reliability checks. This limitation will be noted, and the analysis will be framed as interpretive rather than strictly causal. revision: yes
Circularity Check
No circularity: empirical mixed-methods study rests on primary observations
The paper reports results from a usability test and survey (N=20) examining the gap between stated privacy preferences and actual cookie consent actions. No equations, fitted parameters, predictions, or derivation chains appear in the text. Claims of 'consent by design' and the >20x withdrawal-time asymmetry are presented as direct empirical findings from the collected data, without any reduction to self-citations, ansatzes, or renamed known results. The study is self-contained; its load-bearing evidence consists of observed participant behaviors and survey responses rather than any self-referential construction.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption: Survey responses reliably capture users' true privacy preferences
- domain assumption: Usability test tasks and banner implementations are representative of typical website interactions
Appendix excerpts from the paper
A Website Selection
The websites included in the usability test were chosen based on two selection criteria, that they had a presence of diverse deceptive patterns and that they were representative. The first criterion was chosen to answer the ...
B Usability test tasks
- Find a chair for sale in Østfold for under 200NOK
- Leave this tab standing, and open a new private tab.
Facebook
- Go to facebook.com
- Go to their “help” pages
- ...
- Find their search bar
- Find an article about “Taco”
- ...
- Find a picture of Queen Sonja of Norway
- Find out the name of her mother
- Find a picture of her mother
- Leave this tab standing, and open a new private tab.
DNB
- Go to dnb.no
- Find their contact pages
- Start a conversation with their chatbot
- Find out what the age limit for a BSU-account is
- How do you feel about cookie consent banners?
- Leave this tab standing, and open a new private tab.
Table B.1. The tasks given to the participants in the usability tests. The instructions were handed out on paper to the participants.
... but the facilitator could not see what the participants answered. Once the survey was answered, a conversation with a debriefing session was held.
B.2 Pilot testing ...