Poster: Evaluating the Usefulness of Subject Access Requests

Tobias Urban, Martin Degeling, Dennis Tatang, Thorsten Holz, Norbert Pohlmann

Symposium on Usable Privacy and Security (SOUPS) 2019, Santa Clara, CA, USA, August 2019


Ad personalization has been criticized in the past for its privacy implications and a lack of transparency and control. Over the last years, many companies have implemented ways to increase transparency about the data that they collect. Some did so to respond to subject access requests — a right granted to individuals by the new European Data Protection Regulation (GDPR). To learn more about the data collected by tracking services, we evaluate how companies respond to subject access requests. More specifically, we exercised our right to access with 38 companies that had tracked us online. Based on these insights, we perform a survey with 490 participants to evaluate the most common approaches to disclose data.

We find that newly created transparency tools present a variety of information to users ranging from detailed technical logs to high-level segment information. Our results indicate that users do not (yet) know what to learn from the data and mistrust the accuracy of the information shown to them.


tags: gdpr