From consent to control by closing the feedback loop: Enabling data subjects to directly compare personalized and non-personalized content through an On/Off toggle

In an increasingly digitized world, personalization has emerged as a key mechanism for matching users with relevant content, advertisements, services, and other products. For personalization to work, typically, users' online behavior is tracked to create unique profiles about their individual behavior and interests. This process creates trade-offs between data collection and users' privacy concerns. These conflicts are regulated, amongst other laws, by the General Data Protection Regulation (GDPR) as well as the ePrivacy Directive. While the ePrivacy Directive requires the data controller to get the consent from data subjects for the setting of cookies through which data subjects can be tracked across different websites and even devices, the GDPR requires further user control and transparency with respect to the processing of such data, especially profiling, on which the personalization of content is based. However, plenty of research shows that, up to date, users do neither understand the effects of tracking technology on their online experience nor do they feel in control of their profiles created. As a consequence, users report helplessness and even fatalism instead of being able to effectively control tracking for personalization, even where controls are provided to the users. Based on the rich research on feedback design, we argue that for learning how to effectively control tracking and, as a consequence, personalization, users need effective feedback mechanisms to learn about the outcomes of their settings and evaluate their performance. One of the key elements for effectiveness of feedback in general are its situatedness and timeliness. In this paper we therefore address the question of how feedback mechanisms should be designed so that they enable users to make an effective decision for or against tracking and personalization. To this aim, we conducted in a first research phase 20 qualitative interviews to explore users' privacy expectations, what benefits of personalization they value and which risks they see and, most importantly, what controls do they think they should have? The results of this study suggested an immediate feedback mechanism. In a second phase, we therefore prototyped an on/off switch that users could use to enable or disable the personalisation of advertising and other content on a website and compare the results of the two settings. A preliminary evaluation confirms such a feedback mechanism as a promising approach for effective user control according to the data protection by design requirement in Art. 25 sect. 1 GDPR. If this mechanism were to be further developed and evaluated into an effective solution available on the market, it would represent the so-called state of the art, which would have to be considered by all data controllers in accordance with Art. 25 sect. 1 GDPR.