"I need to learn better searching tactics for privacy policy laws." Investigating Software Developers' Behavior When Using Sources on Privacy Issues

TL;DR

This study examines how software developers seek privacy law information, revealing challenges with current sources and highlighting the need for more effective, accessible privacy resources to support compliant development.

Contribution

It provides empirical insights into developers' information-seeking behavior and evaluates the effectiveness of current sources, including AI assistants, in privacy-related tasks.

Findings

Developers find personal knowledge insufficient for privacy issues.

Web content is often too complex for quick understanding.

AI assistants offer clear responses but lack contextual relevance.

Abstract

Since the introduction of the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), software developers increasingly have to make privacy-related decisions during system design and implementation. However, past research showed that they often lack legal expertise and struggle with privacy-compliant development. To shed light on how effective current information sources are in supporting them with privacy-sensitive implementation, we conducted a qualitative study with 30 developers. Participants were presented with a privacy-sensitive scenario and asked to identify privacy issues and suggest measures using their knowledge, online resources, and an AI assistant. We observed developers' decision-making in think-aloud sessions and discussed it in follow-up interviews. We found that participants struggled with all three sources: personal knowledge was insufficient, web content was often too complex, and while AI assistants provided clear and user-tailored responses, they lacked contextual relevance and failed to identify scenario-specific issues. Our study highlights major shortcomings in existing support for privacy-related development tasks. Based on our findings, we discuss the need for more accessible, understandable, and actionable privacy resources for developers.