Cookies, cookies everywhere! : A qualitative interview study about how internet users interact with cookie consent notices

Sammanfattning: The purpose of this study is to examine what reasons internet users have for accepting, declining, or adjusting cookie settings. The study’s research question is: what reasons do Internet users have for accepting, declining, or adjusting cookie settings? To answer the research question, we constructed three research support questions: 1) how do internet users access the internet?, 2) What are internet users’ perspectives on privacy on the internet?, 3) How do internet users interact with cookie consent notices? The study’s theoretical framework consists of informed consent, contextual integrity, nudging, and political economy. We conducted semi-structured interviews in order to get a deeper understanding of the internet users’ experiences with cookie consent notices. We analyzed the material through thematic coding. Due to the Covid19 pandemic, all interviews were conducted through Zoom. The sample consisted of eight media and communication students at Karlstad University. There were four key findings: 1) The interviewees in our study accessed the internet primarily via applications on their smartphones. 2) There were mixed opinions about who has the greatest responsibility for private citizens’ privacy on the internet. Although many thought that the individual bears most of the responsibility, a majority thought there is a need for more governmental regulation regarding collecting and processing private data. 3) All interviewees thought cookie consent notices are an excellent tool for protecting one’s privacy, but none of them adjusted the cookie settings regularly when prompted by cookie consent notices. 4) The reasons why the interviewees accept cookies without adjusting cookie settings varied. Habits and annoyance were key factors.  The current climate where notice and choice is the de facto privacy measure for internet users is not sustainable. In conclusion, legislators and policymakers should focus on regulating how personal data is processed rather than pushing the responsibility of safeguarding personal data onto the users.