Understanding Privacy Norms through Web Forms
Authors: Hao Cui (University of California, Irvine), Rahmadi Trimananda (University of California, Irvine), Athina Markopoulou (University of California, Irvine)
Volume: 2025
Issue: 1
Pages: 5–22
DOI: https://doi.org/10.56553/popets-2025-0002
Abstract: Web forms are one of the primary ways to collect personal information online, yet they are relatively under-studied. Unlike web tracking, data collection through web forms is explicit and contextualized. Users (i) are asked to input specific personal information types, and (ii) know the specific context (i.e., on which website and for what purpose). For web forms to be trusted by users, they must meet the common-sense standards of appropriate data collection practices within a particular context (i.e., privacy norms). In this paper, we extract the privacy norms embedded within web forms through a measurement study. First, we build a specialized crawler to discover web forms on websites. We run it on 11,500 popular websites, and we create a dataset of 293K web forms. Second, to process data of this scale, we develop a cost-efficient way to annotate web forms with form types and personal information types, using text classifiers trained with the assistance of large language models (LLMs). Third, by analyzing the annotated dataset, we reveal common patterns of data collection practices. We find that (i) these patterns are explained by functional necessities and legal obligations, thus reflecting privacy norms, and that (ii) deviations from the observed norms often signal unnecessary data collection. In addition, we analyze the privacy policies that accompany web forms. We show that, despite their wide adoption and use, there is a disconnect between privacy policy disclosures and the observed privacy norms.
Keywords: web forms, privacy norm, privacy policy, measurement
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.