Understanding Privacy Norms through Web Forms

TL;DR

This study analyzes web forms across 11,500 websites to uncover embedded privacy norms, revealing patterns driven by function and law, and highlighting discrepancies between privacy policies and actual data collection practices.

Contribution

It introduces a scalable method to annotate and analyze web forms for privacy norms, combining web crawling, text classification, and large language models.

Findings

Web forms follow privacy norms driven by function and legal needs.

Deviations from norms often indicate unnecessary data collection.

Privacy policies frequently do not align with observed data practices.

Abstract

Web forms are one of the primary ways to collect personal information online, yet they are relatively under-studied. Unlike web tracking, data collection through web forms is explicit and contextualized. Users (i) are asked to input specific personal information types, and (ii) know the specific context (i.e., on which website and for what purpose). For web forms to be trusted by users, they must meet the common sense standards of appropriate data collection practices within a particular context (i.e., privacy norms). In this paper, we extract the privacy norms embedded within web forms through a measurement study. First, we build a specialized crawler to discover web forms on websites. We run it on 11,500 popular websites, and we create a dataset of 293K web forms. Second, to process data of this scale, we develop a cost-efficient way to annotate web forms with form types and personal information types, using text classifiers trained with assistance of large language models (LLMs). Third, by analyzing the annotated dataset, we reveal common patterns of data collection practices. We find that (i) these patterns are explained by functional necessities and legal obligations, thus reflecting privacy norms, and that (ii) deviations from the observed norms often signal unnecessary data collection. In addition, we analyze the privacy policies that accompany web forms. We show that, despite their wide adoption and use, there is a disconnect between privacy policy disclosures and the observed privacy norms.