Is Your Inseam a Biometric? Evaluating the Understandability of Mobile Privacy Notice Categories (CMU-CyLab-13-011)

The National Telecommunications and Information Administration (NTIA) has proposed a set of categories and definitions to create a United States national standard for short-form privacy notices on mobile devices. These notices are intended to facilitate user decision-making by categorizing both smartphone data to be shared and the entities with which that data is shared. In order to determine whether users consistently understand these proposed categories and their definitions, we conducted an online study with 791 participants. We found that participants had low agreement on how different data and entities should be categorized. We also compared our online results with those provided by four anonymous NTIA stakeholders, finding that even the stakeholders did not consistently categorize data or entities. Our work highlights areas of confusion for both survey participants and experts in the proposed scheme, and we offer suggestions for addressing these issues.