pith. sign in

arxiv: 2605.02005 · v1 · submitted 2026-05-03 · 💻 cs.HC

Privy: From Fine Print to Fair Practice in Privacy Rights Exercise

Qi Sun , Ziyang Li , Yinzhi Cao , Yaxing Yao This is my paper

Pith reviewed 2026-05-08 19:25 UTC · model grok-4.3

classification 💻 cs.HC
keywords privacy rightsLLM assistantbrowser extensionGDPRCCPApolicy analysisuser studyusability
0
0 comments X

The pith

An LLM browser assistant turns privacy policies into step-by-step guidance for exercising data rights on websites.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces Privy as a system that automatically reads a website's privacy policy, identifies the specific rights available to users under regulations like GDPR and CCPA, and then supplies direct navigation aids such as links, email templates, or form instructions. This setup addresses the practical barrier where legal rights exist on paper but remain difficult to use because policies are vague and settings are buried in interfaces. By merging policy interpretation with action support in a single side-panel interface, the tool reports extracting rights at 0.979 precision and completing 96.3 percent of tasks in an average of 3.2 steps across 14 sites, with a small user study showing high perceived helpfulness. The authors conclude that privacy support works best when comprehension and usability are treated as one integrated interaction challenge rather than separate problems.

Core claim

Privy automatically analyzes a website's privacy policy to surface available user rights as selectable action labels, then delivers tailored step-by-step guidance including direct links, generated email templates, or form-completion instructions, while also allowing on-demand policy evidence and rights education. Technical evaluation across 14 websites demonstrates that this approach extracts rights with 0.979 precision and completes 96.3% of privacy tasks in an average of 3.2 steps. A user study with 15 participants reports high overall perceived helpfulness, supporting the claim that effective privacy assistance requires tight integration of policy understanding and privacy actions rather

What carries the argument

Privy, the LLM-powered browser assistant that parses privacy policies into actionable rights labels and generates interactive navigation and evidence links.

If this is right

  • Users gain a practical way to exercise privacy rights without manually locating and interpreting policies or navigating complex site settings.
  • Privacy rights tools can reach over 95 percent task completion rates when policy analysis is combined with direct action prompts.
  • Future assistants should embed rights education and evidence links alongside navigation rather than offering them as separate features.
  • Design guidelines for privacy interfaces can shift toward single-flow support that links policy text directly to executable steps.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If LLM reliability holds across more languages and smaller sites, similar assistants could be deployed at scale by browser vendors.
  • Widespread use might increase the actual exercise rate of rights granted by GDPR and CCPA, creating new data on which rights users value most.
  • The approach suggests regulators could require sites to expose machine-readable rights summaries to reduce reliance on LLM interpretation.

Load-bearing premise

Large language models can reliably interpret vague or incomplete privacy policy text to correctly identify available rights without significant errors or missed cases.

What would settle it

Running the system on a new set of 50 diverse websites and finding that it either misses rights explicitly stated in the policies or provides guidance that leads to failed or incorrect rights exercises.

Figures

Figures reproduced from arXiv: 2605.02005 by Qi Sun, Yaxing Yao, Yinzhi Cao, Ziyang Li.

Figure 1
Figure 1. Figure 1: User Interface of Privy. Privy serves as a side panel view at source ↗
Figure 2
Figure 2. Figure 2: Design Framework of Privy. (a) Privy automatically locates and analyzes a website’s privacy policy, extracting applicable view at source ↗
Figure 3
Figure 3. Figure 3: The three strategies that Privy will provide to the users for exercising their rights: (a) Link: Privy presents a direct URL to view at source ↗
Figure 4
Figure 4. Figure 4: Result of SUS quesionaire. For the negative statements view at source ↗
read the original abstract

Privacy regulations such as the CCPA and GDPR grant individuals rights over their personal data, yet it remains challenging for most users to exercise them in practice due to vague policy interpretation and unapproachable settings on web interfaces. We introduce Privy, an LLM-powered browser assistant that guides users through exercising their privacy rights on websites. Privy automatically analyzes a website's privacy policy and surfaces the specific rights available as action labels in a side panel. When a user selects a right, Privy provides step-by-step guidance and navigation, presenting direct links, generating email templates, or guiding form completion. Users can also request on-demand policy evidence and rights education to enhance their literacy. A technical evaluation across 14 websites shows that Privy extracts rights with high precision (0.979) and completes 96.3\% of privacy tasks in an average of 3.2 steps. A user study (N=15) also demonstrates the overall high-level of perceived helpfulness among users. Our findings suggest that comprehension and usability are not two separate challenges but a single interaction problem, and that effective privacy support requires integration of policy understanding and privacy actions. We offer design suggestions for future privacy assistants.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper introduces Privy, an LLM-powered browser assistant that analyzes website privacy policies to identify available user rights (e.g., under CCPA/GDPR), surfaces them as action labels, and provides step-by-step guidance including direct links, email templates, and form navigation. It reports a technical evaluation on 14 websites with 0.979 precision in rights extraction and 96.3% privacy task completion in an average of 3.2 steps, plus a user study (N=15) indicating high perceived helpfulness, and concludes that privacy support requires integrated policy understanding and actionable guidance.

Significance. If the evaluation holds under scrutiny, the work offers a practical advance in HCI for privacy by showing how LLM assistance can address both policy vagueness and interface barriers in rights exercise. The dual technical-plus-user-study design is appropriate for the domain, and the emphasis on on-demand evidence and education adds value beyond pure automation.

major comments (2)
  1. [Abstract / Technical Evaluation] Abstract and Technical Evaluation section: the headline claims of 0.979 precision and 96.3% task completion are presented without any description of ground-truth construction, website selection criteria, inter-annotator agreement, or error/failure analysis. This is load-bearing for the central empirical contribution because privacy policies frequently contain conditional, jurisdiction-specific, or incomplete language; without these details it is impossible to assess whether the LLM component avoids hallucinations or omissions that would invalidate the generated guidance.
  2. [Technical Evaluation] Technical Evaluation section: the assumption that the LLM can reliably map vague policy clauses to correct rights (the weakest link noted in the skeptic analysis) is not supported by any concrete examples of policy text, extracted rights, or edge-case handling, directly affecting the credibility of both the precision metric and the downstream usability claims.
minor comments (1)
  1. [Abstract] Abstract: the phrase 'high-level of perceived helpfulness' is imprecise and should be replaced with a more specific description of the measured outcomes or scales used in the user study.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive feedback, which identifies key gaps in the transparency of our technical evaluation. We will revise the manuscript to incorporate the requested details on methodology and examples, thereby strengthening the support for our empirical claims without altering the core findings.

read point-by-point responses

  1. Referee: [Abstract / Technical Evaluation] Abstract and Technical Evaluation section: the headline claims of 0.979 precision and 96.3% task completion are presented without any description of ground-truth construction, website selection criteria, inter-annotator agreement, or error/failure analysis. This is load-bearing for the central empirical contribution because privacy policies frequently contain conditional, jurisdiction-specific, or incomplete language; without these details it is impossible to assess whether the LLM component avoids hallucinations or omissions that would invalidate the generated guidance.

    Authors: We agree that these methodological details are essential to substantiate the precision and task completion metrics, given the inherent ambiguities in privacy policies. In the revised manuscript, we will expand the Technical Evaluation section with: a description of ground-truth construction via expert manual annotation of rights in each policy; website selection criteria emphasizing diversity across sectors, policy complexity, and regulatory applicability; inter-annotator agreement metrics; and a categorized error/failure analysis addressing potential hallucinations, omissions, and conditional clauses. This will allow readers to rigorously evaluate the LLM's reliability. revision: yes

  2. Referee: [Technical Evaluation] Technical Evaluation section: the assumption that the LLM can reliably map vague policy clauses to correct rights (the weakest link noted in the skeptic analysis) is not supported by any concrete examples of policy text, extracted rights, or edge-case handling, directly affecting the credibility of both the precision metric and the downstream usability claims.

    Authors: We acknowledge that concrete examples are needed to illustrate reliable mapping of vague or conditional policy language. In the revision, we will add a subsection or table in the Technical Evaluation providing specific examples from the 14 sites: policy text excerpts with ambiguous or jurisdiction-specific clauses, the rights extracted by Privy, the LLM's mapping rationale, and handling of edge cases such as incomplete statements. This will directly bolster the credibility of the precision metric and usability claims. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical system and evaluation with no derivations or self-referential reductions

full rationale

The paper describes an LLM-powered browser assistant (Privy) for privacy rights exercise, supported by a technical evaluation on 14 websites (reporting precision 0.979 and 96.3% task completion) and a user study (N=15). No equations, parameters, or derivation chains appear in the abstract or described content. Claims rest on reported empirical results rather than any self-definitional, fitted-input, or self-citation load-bearing logic. The contribution is self-contained as a system-building and evaluation paper; external validity concerns (e.g., ground-truth construction for policy interpretation) fall under correctness rather than circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 1 invented entities

The central claim rests on the assumption that current LLMs can parse legal privacy text accurately enough for actionable guidance and that the chosen evaluation sites represent typical web privacy interfaces. No free parameters, mathematical axioms, or new physical entities are introduced.

invented entities (1)
  • Privy no independent evidence
    purpose: LLM-powered browser assistant that extracts and guides privacy rights exercise
    The system itself is the novel artifact; no independent evidence such as a public deployment or third-party validation is mentioned.

pith-pipeline@v0.9.0 · 5514 in / 1211 out tokens · 54841 ms · 2026-05-08T19:25:16.058352+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

60 extracted references · 19 canonical work pages

  1. [1]

    Alessandro Acquisti, Laura Brandimarte, and George Loewenstein. 2015. Privacy and Human Behavior in the Age of Information.Science347, 6221 (2015), 509–514. doi:10.1126/science.aaa1465

    work page doi:10.1126/science.aaa1465 2015

  2. [2]

    Idris Adjerid, Alessandro Acquisti, Laura Brandimarte, and George Loewenstein

  3. [3]

    InProceedings of the Ninth Symposium on Usable Privacy and Security (SOUPS)

    Sleights of Privacy: Framing, Disclosures, and the Limits of Transparency. InProceedings of the Ninth Symposium on Usable Privacy and Security (SOUPS). 9:1–9:11

  4. [4]

    Hazim Almuhimedi, Florian Schaub, Norman Sadeh, Idris Adjerid, Alessandro Acquisti, Joshua Gluck, Lorrie Faith Cranor, and Yuvraj Agarwal. 2015. Your Location has been Shared 5,398 Times! A Field Study on Mobile App Privacy Nudging. InProceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems. 787–796. doi:10.1145/2702123.2702210

    work page doi:10.1145/2702123.2702210 2015

  5. [5]

    Ryan Amos, Gunes Acar, Elena Lucherini, Mihir Kshirsagar, Arvind Narayanan, and Jonathan Mayer. 2021. Privacy Policies over Time: Curation and Analysis of a Million-Document Dataset. InProceedings of the Web Conference 2021. 2165–2176. doi:10.1145/3442381.3450048

    work page doi:10.1145/3442381.3450048 2021

  6. [6]

    Benjamin Andow, Samin Yaseer Mahmud, Wenyu Wang, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Tao Xie. 2019. PolicyLint: Investigating Internal Privacy Policy Contradictions on Google Play. In28th USENIX Security Symposium (USENIX Security 19). USENIX Association, 585–602

    2019

  7. [7]

    Jef Ausloos and Pierre Dewitte. 2018. Shattering One-Way Mirrors – Data Subject Access Rights in Practice.International Data Privacy Law8, 1 (2018), 4–28. doi:10.1093/idpl/ipy001

    work page doi:10.1093/idpl/ipy001 2018

  8. [8]

    Do you play it by the books? a study on incident response playbooks and influencing factors,

    Eleanor Birrell, Jay Rodolitz, Angel Ding, Jenna Lee, Emily McReynolds, Jevan A. Hutson, and Ada Lerner. 2024. SoK: Technical Implementation and Human Impact of Internet Privacy Regulations. In2024 IEEE Symposium on Security and Privacy (SP). 673–696. doi:10.1109/SP54263.2024.00206

    work page doi:10.1109/sp54263.2024.00206 2024

  9. [9]

    Dino Bollinger, Karel Kubicek, Carlos Cotrini, and David Basin. 2022. Automat- ing Cookie Consent and GDPR Violation Detection. In31st USENIX Security Symposium (USENIX Security 22). USENIX Association, 2893–2910

    2022

  10. [10]

    Arthur Borem, Elleen Pan, Olufunmilola Obielodan, Aurelie Roubinowitz, Luca Dovichi, Michelle L Mazurek, and Blase Ur. 2024. Data subjects’ reactions to exercising their right of access. In33rd USENIX Security Symposium (USENIX Security 24). 2865–2882

    2024

  11. [11]

    Elijah Robert Bouma-Sims, Megan Li, Yanzi Lin, Adia Sakura-Lemessy, Alexan- dra Nisenoff, Ellie Young, Eleanor Birrell, Lorrie Faith Cranor, and Hana Habib. 2023. A US-UK Usability Evaluation of Consent Management Platform Cookie Consent Interface Design on Desktop and Mobile. InProceedings of the 2023 CHI Conference on Human Factors in Computing Systems....

    work page doi:10.1145/3544548.3580725 2023

  12. [12]

    Alex Bowyer, Jack Holt, Josephine Go Jefferies, Rob Wilson, David Kirk, and Jan David Smeddinck. 2022. Human-GDPR interaction: practical experiences of accessing personal data. InProceedings of the 2022 CHI conference on human factors in computing systems. 1–19

    2022

  13. [13]

    Quick and Dirty

    John Brooke. 1996. SUS: A “Quick and Dirty” Usability Scale. InUsability Evaluation in Industry, Patrick W. Jordan, Bruce Thomas, Ian Lyall McClelland, and Bernard Weerdmeester (Eds.). Taylor & Francis, 189–194

    1996

  14. [14]

    Igor Calzada. 2022. Citizens’ data privacy in China: The state of the art of the Personal Information Protection Law (PIPL).Smart Cities5, 3 (2022), 1129– 1150

    2022

  15. [15]

    Chaoran Chen, Daodao Zhou, Yanfang Ye, Toby Jia-jun Li, and Yaxing Yao

  16. [16]

    InProceedings of the 30th International Conference on Intelligent User Interfaces

    Clear: Towards contextual llm-empowered privacy policy analysis and risk generation for large language model applications. InProceedings of the 30th International Conference on Intelligent User Interfaces. 277–297

  17. [17]

    Martin Degeling, Christine Utz, Christian Lentzsch, Hadi Hosseini, Florian Schaub, and Thorsten Holz. 2019. We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy. InNetwork and Dis- tributed System Security Symposium (NDSS). doi:10.14722/ndss.2019.23378

    work page doi:10.14722/ndss.2019.23378 2019

  18. [18]

    Xiang Deng, Yu Gu, Boyuan Zheng, Shijie Chen, Samuel Stevens, Boshi Wang, Huan Sun, and Yu Su. 2023. Mind2Web: Towards a Generalist Agent for the Web. InAdvances in Neural Information Processing Systems (NeurIPS), V ol. 36

    2023

  19. [19]

    Draper and Joseph Turow

    Nora A. Draper and Joseph Turow. 2019. The Corporate Cultivation of Digital Resignation.New Media & Society21, 8 (2019), 1824–1839. doi:10.1177/ 1461444819833331

    2019

  20. [20]

    Steven Englehardt and Arvind Narayanan. 2016. Online Tracking: A 1-million-site Measurement and Analysis. InProceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 1388–1401. doi:10.1145/2976749. 2978313

    work page doi:10.1145/2976749 2016

  21. [21]

    HHK Fawaz, RLF Schaub, and KGS Karl. 2017. Polisis: automated analysis and presentation of privacy policies using deep learning.Technical Report. Technical report, EPFL(2017)

    2017

  22. [22]

    Adrienne Porter Felt, Serge Egelman, and David Wagner. 2012. Android Permis- sions: User Attention, Comprehension, and Behavior. InProceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS). 3:1–3:14

    2012

  23. [23]

    You don’t need a university degree to comprehend data protection this way

    Vincent Freiberger, Arthur Fleig, and Erik Buchmann. 2025. " You don’t need a university degree to comprehend data protection this way": LLM-Powered Interactive Privacy Policy Assessment. InProceedings of the Extended Abstracts of the CHI Conference on Human Factors in Computing Systems. 1–12

    2025

  24. [24]

    Gray, Yubo Kou, Brennan Battles, Joseph Hoggatt, and Austin L

    Colin M. Gray, Yubo Kou, Brennan Battles, Joseph Hoggatt, and Austin L. Toombs

  25. [25]

    InProceedings of the 2018 CHI Conference on Human Factors in Computing Systems

    The Dark (Patterns) Side of UX Design. InProceedings of the 2018 CHI Conference on Human Factors in Computing Systems. 534:1–534:14. doi:10.1145/ 3173574.3174108

    work page arXiv 2018

  26. [26]

    Elias Grünewald, Johannes M Halkenhäußer, Nicola Leschke, Johanna Washing- ton, Cristina Paupini, and Frank Pallas. 2023. Enabling versatile privacy interfaces using machine-readable transparency information. InPrivacy Symposium: Data Protection Law International Convergence and Compliance with Innovative Tech- nologies. Springer, 119–137

    2023

  27. [27]

    Okay, whatever

    Hana Habib, Megan Li, Ellie Young, and Lorrie Faith Cranor. 2022. "Okay, whatever": An Evaluation of Cookie Consent Interfaces. InProceedings of the 2022 CHI Conference on Human Factors in Computing Systems. 1–27. doi:10. 1145/3491102.3501985

    work page arXiv 2022

  28. [28]

    It’s a Scavenger Hunt

    Hana Habib, Sarah Pearman, Jiamin Wang, Yixin Zou, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. 2020. “It’s a Scavenger Hunt”: Usability of Websites’ Opt-Out and Data Deletion Choices. InProceedings of the 2020 CHI Conference on Human Factors in Computing Systems. ACM, 1–12. doi:10.1145/3313831.3376511

    work page doi:10.1145/3313831.3376511 2020

  29. [29]

    My Data Just Goes Everywhere:

    Ruogu Kang, Laura Dabbish, Nathaniel Fruchter, and Sara Kiesler. 2015. “My Data Just Goes Everywhere:” User Mental Models of the Internet and Implications for Privacy and Security. InProceedings of the Eleventh USENIX Conference on Usable Privacy and Security (SOUPS). USENIX Association, 39–52

    2015

  30. [30]

    How I Know For Sure

    Smirity Kaushik, Yaxing Yao, Pierre Dewitte, and Yang Wang. 2021. " How I Know For Sure": People’s Perspectives on Solely Automated {Decision- Making}({ { { { {SADM} } } } }). InSeventeenth Symposium on Usable Privacy and Security (SOUPS 2021). 159–180

    2021

  31. [31]

    Patrick Gage Kelley, Joanna Bresee, Lorrie Faith Cranor, and Robert W Reeder

  32. [32]

    nutrition label

    A" nutrition label" for privacy. InProceedings of the 5th Symposium on Usable Privacy and Security. 1–12

  33. [33]

    Rishabh Khandelwal, Asmit Nayak, Hamza Harkous, and Kassem Fawaz. 2023. Automated Cookie Notice Analysis and Enforcement. In32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, 1109–1126

    2023

  34. [34]

    Pedro Giovanni Leon, Blase Ur, Rebecca Balebako, Lorrie Faith Cranor, Richard Shay, and Yang Wang. 2012. Why Johnny can’t opt out: A usability evaluation of tools to limit online behavioral advertising. InProceedings of the SIGCHI Conference on Human Factors in Computing Systems. 589–598. doi:10.1145/ 2207676.2207759

    work page arXiv 2012

  35. [35]

    Nicola Leschke, Florian Kirsten, Frank Pallas, and Elias Grünewald. 2023. Stream- lining personal data access requests: From obstructive procedures to automated Conference’17, July 2017, Washington, DC, USA Qi Sun, Ziyang Li, Yinzhi Cao, and Y axing Y ao web workflows. InInternational Conference on Web Engineering. Springer, 111– 125

    2023

  36. [36]

    Jialiu Lin, Shahriyar Amini, Jason Hong, Norman Sadeh, Janne Lindqvist, and Joy Zhang. 2012. Expectation and Purpose: Understanding Users’ Mental Models of Mobile App Privacy through Crowdsourcing. InProceedings of the 2012 ACM Conference on Ubiquitous Computing. 501–510. doi:10.1145/2370216.2370290

    work page doi:10.1145/2370216.2370290 2012

  37. [37]

    Alexander Löbel, René Schäfer, Hanna Püschel, Esra Güney, and Ulrike Michaela Meyer. 2024. Access Your Data... if You Can: An Analysis of Dark Patterns Against the Right of Access on Popular Websites. InPrivacy Technologies and Policy: 12th Annual Privacy Forum (APF 2024) (Lecture Notes in Computer Science, Vol. 14831). Springer, 23–47. doi:10.1007/978-3-...

    work page doi:10.1007/978-3-031-68024-3_2 2024

  38. [38]

    Sunil Manandhar, Kaushal Kafle, Benjamin Andow, Kapil Singh, and Adwait Nad- karni. 2022. Smart Home Privacy Policies Demystified: A Study of Availability, Content, and Coverage. In31st USENIX Security Symposium (USENIX Security 22). USENIX Association, 3521–3538

    2022

  39. [39]

    Mathur, G

    Arunesh Mathur, Gunes Acar, Michael J. Friedman, Elena Lucherini, Jonathan Mayer, Marshini Chetty, and Arvind Narayanan. 2019. Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites.Proceedings of the ACM on Human-Computer Interaction3, CSCW (2019), 81:1–81:32. doi:10.1145/3359183

    work page doi:10.1145/3359183 2019

  40. [40]

    Célestin Matte, Nataliia Bielova, and Cristiana Santos. 2020. Do Cookie Banners Respect My Choice? Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework. In2020 IEEE Symposium on Security and Privacy (SP). 791–809. doi:10.1109/SP40000.2020.00008

    work page doi:10.1109/sp40000.2020.00008 2020

  41. [41]

    McDonald and Lorrie Faith Cranor

    Aleecia M. McDonald and Lorrie Faith Cranor. 2008. The Cost of Reading Privacy Policies.I/S: A Journal of Law and Policy for the Information Society4, 3 (2008), 543–568

    2008

  42. [42]

    Midas Nouwens, Ilaria Liccardi, Michael Veale, David Karger, and Lalana Kagal

  43. [43]

    InProceedings of the 2020 CHI Conference on Human Factors in Computing Systems

    Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrat- ing their Influence. InProceedings of the 2020 CHI Conference on Human Factors in Computing Systems. 1–13. doi:10.1145/3313831.3376321

    work page doi:10.1145/3313831.3376321 2020

  44. [44]

    Obar and Anne Oeldorf-Hirsch

    Jonathan A. Obar and Anne Oeldorf-Hirsch. 2020. The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services.Information, Communication & Society23, 1 (2020), 128–

    2020

  45. [45]

    doi:10.1080/1369118X.2018.1486870

    work page doi:10.1080/1369118x.2018.1486870 2018

  46. [46]

    Shidong Pan, Zhen Tao, Thong Hoang, Dawen Zhang, Tianshi Li, Zhenchang Xing, Xiwei Xu, Mark Staples, Thierry Rakotoarivelo, and David Lo. 2024. A {NEW} {HOPE}: Contextual Privacy Policies for Mobile Applications and An Approach Toward Automated Generation. In33rd USENIX Security Symposium (USENIX Security 24). 5699–5716

    2024

  47. [47]

    Justin Petelka, Elisa Oreglia, Megan Finn, and Janaki Srinivasan. 2022. Generating practices: Investigations into the double embedding of GDPR and data access policies.Proceedings of the ACM on Human-Computer Interaction6, CSCW2 (2022), 1–26

    2022

  48. [48]

    Dominik Pins, Timo Jakobi, Gunnar Stevens, Fatemeh Alizadeh, and Jana Krüger

  49. [49]

    Finding, getting and understanding: The user journey for the GDPR’s right to access.Behaviour & Information Technology41, 10 (2022), 2174–2200

    2022

  50. [50]

    Eugenia Politou, Efthimios Alepis, and Constantinos Patsakis. 2018. Forgetting Personal Data and Revoking Consent Under the GDPR: Challenges and Proposed Solutions.Journal of Cybersecurity4, 1 (2018), tyy001. doi:10.1093/cybsec/ tyy001

    work page doi:10.1093/cybsec/ 2018

  51. [51]

    Durity, and Lorrie Faith Cranor

    Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor. 2015. A Design Space for Effective Privacy Notices. InProceedings of the Eleventh Symposium On Usable Privacy and Security (SOUPS). USENIX Association, 1–17

    2015

  52. [52]

    1990.Basics of Qualitative Research: Grounded Theory Procedures and Techniques

    Anselm Strauss and Juliet Corbin. 1990.Basics of Qualitative Research: Grounded Theory Procedures and Techniques. Sage Publications

    1990

  53. [53]

    Draper, and Ari Ezra Waldman

    Joseph Turow, Yphtach Lelkes, Nora A. Draper, and Ari Ezra Waldman. 2023. Americans Cannot Consent to Companies’ Use of Their Data.International Journal of Communication17 (2023), 4796–4817

    2023

  54. [54]

    Rick Wash. 2010. Folk Models of Home Computer Security. InProceedings of the Sixth Symposium on Usable Privacy and Security (SOUPS). 11:1–11:16

    2010

  55. [55]

    Maximiliane Windl, Niels Henze, Albrecht Schmidt, and Sebastian S Feger. 2022. Automating contextual privacy policies: Design and evaluation of a production tool for digital consumer privacy awareness. InProceedings of the 2022 CHI Conference on Human Factors in Computing Systems. 1–18

    2022

  56. [56]

    Lu Zhou, Chengyongxiao Wei, Tong Zhu, Guoxing Chen, Xiaokuan Zhang, Suguo Du, Hui Cao, and Haojin Zhu. 2023. POLICYCOMP: Counterpart Comparison of Privacy Policies Uncovers Overbroad Personal Data Collection Practices. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, 1073–1090

    2023

  57. [57]

    Morgana Mo Zhou, Zhiyan Qu, Jinhan Wan, Bo Wen, Yaxing Yao, and Zhicong Lu. 2024. Understanding Chinese Internet Users’ Perceptions of, and Online Platforms’ Compliance with, the Personal Information Protection Law (PIPL). Proceedings of the ACM on Human-Computer Interaction8, CSCW1 (2024), 1–26

    2024

  58. [58]

    Xu, Hao Zhu, Xuhui Zhou, Robert Lo, Abishek Sridhar, Xianyi Cheng, Tianyue Ou, Yonatan Bisk, Daniel Fried, Uri Alon, and Graham Neubig

    Shuyan Zhou, Frank F. Xu, Hao Zhu, Xuhui Zhou, Robert Lo, Abishek Sridhar, Xianyi Cheng, Tianyue Ou, Yonatan Bisk, Daniel Fried, Uri Alon, and Graham Neubig. 2024. WebArena: A Realistic Web Environment for Building Autonomous Agents. InProceedings of the Twelfth International Conference on Learning Representations (ICLR)

    2024

  59. [59]

    Sebastian Zimmeck, Oliver Wang, Kuba Alicki, Jocelyn Wang, and Sophie Eng

  60. [60]

    rights”: [{ “id

    Usability and enforceability of global privacy control.Proceedings on Privacy Enhancing Technologies2023, 2 (2023). A Codebook (1) Baseline Privacy Attitudes (a) Skipping privacy policies (b) Privacy as convenience tradeoff (c) Proactive privacy management (d) Behavioral privacy strategies (e) Privacy settings feel ineffective (f) Privacy indifference (g)...

    2023