{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,23]],"date-time":"2026-04-23T08:00:05Z","timestamp":1776931205036,"version":"3.51.2"},"publisher-location":"New York, NY, USA","reference-count":65,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,10,13]]},"DOI":"10.1145\/3733802.3764047","type":"proceedings-article","created":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T09:38:21Z","timestamp":1763458701000},"page":"183-197","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Compliance by Design or by Disguise? GDPR's Reshaping of Universities' Privacy Policies"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-8359-8250","authenticated-orcid":false,"given":"Simran","family":"Munot","sequence":"first","affiliation":[{"name":"Max-Planck Institute for Informatics, Saarbr\u00fccken, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0163-5134","authenticated-orcid":false,"given":"Tobias","family":"Fiebig","sequence":"additional","affiliation":[{"name":"Max-Planck Institute for Informatics, Saarbr\u00fccken, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4717-6180","authenticated-orcid":false,"given":"Mannat","family":"Kaur","sequence":"additional","affiliation":[{"name":"Max-Planck-Institute for Informatics, Saarbr\u00fccken, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,18]]},"reference":[{"key":"e_1_3_3_2_2_2","doi-asserted-by":"crossref","unstructured":"Andrick Adhikari Sanchari Das and Rinku Dewri. 2023. Evolution of composition readability and structure of privacy policies over two decades. Proceedings on Privacy Enhancing Technologies (2023).","DOI":"10.56553\/popets-2023-0074"},{"key":"e_1_3_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3450048"},{"key":"e_1_3_3_2_4_2","first-page":"985","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Andow Benjamin","year":"2020","unstructured":"Benjamin Andow, Samin\u00a0Yaseer Mahmud, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Serge Egelman. 2020. Actions speak louder than words:{ Entity-Sensitive} privacy policy and data flow analysis with { PoliCheck}. In 29th USENIX Security Symposium (USENIX Security 20). 985\u20131002."},{"key":"e_1_3_3_2_5_2","unstructured":"The Italian Data\u00a0Protection Authority. 2021. Injunction order against Commercial University \u201cLuigi Bocconi\u201d of Milan. https:\/\/www.gpdp.it\/web\/guest\/home\/docweb\/-\/docweb-display\/docweb\/9703988 [Online. Accessed on 30\/06\/2025 ]."},{"key":"e_1_3_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1109\/RE.2018.00023"},{"key":"e_1_3_3_2_7_2","volume-title":"12th International Conference on Building and Exploring Web Based Environments (to appear)","author":"Bartelt Bianca","year":"2024","unstructured":"Bianca Bartelt and Erik Buchmann. 2024. Transparency in Privacy Policies. In 12th International Conference on Building and Exploring Web Based Environments (to appear)."},{"key":"e_1_3_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-49028-7_9"},{"key":"e_1_3_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-21752-5_12"},{"key":"e_1_3_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/3491102.3501947"},{"key":"e_1_3_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICWS49710.2020.00017"},{"key":"e_1_3_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-29962-0_18"},{"key":"e_1_3_3_2_13_2","doi-asserted-by":"crossref","unstructured":"Giuseppe Contissa Koen Docter Francesca Lagioia Marco Lippi Hans-W Micklitz Przemys\u0142aw Pa\u0142ka Giovanni Sartor and Paolo Torroni. 2018. Claudette meets GDPR: Automating the evaluation of privacy policies using artificial intelligence. Available at SSRN 3208596 (2018).","DOI":"10.2139\/ssrn.3208596"},{"key":"e_1_3_3_2_14_2","volume-title":"Research design","author":"Creswell John","year":"2012","unstructured":"John Creswell. 2012. Research design. SAGE."},{"key":"e_1_3_3_2_15_2","first-page":"2189","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Dambra Savino","year":"2022","unstructured":"Savino Dambra, Iskander Sanchez-Rola, Leyla Bilge, and Davide Balzarotti. 2022. When Sally met trackers: Web tracking from the users\u2019 perspective. In 31st USENIX Security Symposium (USENIX Security 22). 2189\u20132206."},{"key":"e_1_3_3_2_16_2","doi-asserted-by":"crossref","unstructured":"Martin Degeling Christine Utz Christopher Lentzsch Henry Hosseini Florian Schaub and Thorsten Holz. 2018. We value your privacy... now take some cookies: Measuring the GDPR\u2019s impact on web privacy. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/1808.05096 (2018).","DOI":"10.14722\/ndss.2019.23378"},{"key":"e_1_3_3_2_17_2","doi-asserted-by":"crossref","unstructured":"Mariano Di\u00a0Martino Isaac Meers Peter Quax Ken Andries and Wim Lamotte. 2022. Revisiting identification issues in GDPR \u2018Right Of Access\u2019 policies: a technical and longitudinal analysis. Proceedings on Privacy Enhancing Technologies (2022).","DOI":"10.2478\/popets-2022-0037"},{"key":"e_1_3_3_2_18_2","first-page":"371","volume-title":"Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019)","author":"Di\u00a0Martino Mariano","year":"2019","unstructured":"Mariano Di\u00a0Martino, Pieter Robyns, Winnie Weyts, Peter Quax, Wim Lamotte, and Ken Andries. 2019. Personal Information Leakage by Abusing the { GDPR} \u2019Right of Access\u2019. In Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019). 371\u2013385."},{"key":"e_1_3_3_2_19_2","doi-asserted-by":"publisher","unstructured":"Satu Elo and Helvi Kyng\u00e4s. 2008. The qualitative content analysis. Journal of advanced nursing 62 (05 2008) 107\u201315. 10.1111\/j.1365-2648.2007.04569.x","DOI":"10.1111\/j.1365-2648.2007.04569.x"},{"key":"e_1_3_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE5003.2020.00032"},{"key":"e_1_3_3_2_21_2","first-page":"483","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Farke Florian\u00a0M","year":"2021","unstructured":"Florian\u00a0M Farke, David\u00a0G Balash, Maximilian Golla, Markus D\u00fcrmuth, and Adam\u00a0J Aviv. 2021. Are privacy dashboards good for end users? Evaluating user perceptions and reactions to google\u2019s my activity. In 30th USENIX Security Symposium (USENIX Security 21). 483\u2013500."},{"key":"e_1_3_3_2_22_2","first-page":"117","volume-title":"Proceedings on privacy enhancing technologies symposium","volume":"2023","author":"Fiebig Tobias","year":"2023","unstructured":"Tobias Fiebig, Seda G\u00fcrses, Carlos\u00a0H Ga\u00f1\u00e1n, Erna Kotkamp, Fernando Kuipers, Martina Lindorfer, Menghua Prisse, and Taritha Sari. 2023. Heads in the Clouds? Measuring Universities\u2019 Migration to Public Clouds: Implications for Privacy & Academic Freedom. In Proceedings on privacy enhancing technologies symposium , Vol.\u00a02023. 117\u2013150."},{"key":"e_1_3_3_2_23_2","doi-asserted-by":"crossref","unstructured":"Mich\u00e8le Finck and Frank Pallas. 2019. They Who Must Not Be Identified - Distinguishing Personal from Non-Personal Data Under the GDPR. Max Planck Institute for Innovation & Competition Research Paper Series (2019). https:\/\/api.semanticscholar.org\/CorpusID:210484921","DOI":"10.2139\/ssrn.3462948"},{"key":"e_1_3_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW51379.2020.00051"},{"key":"e_1_3_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW54576.2021.00039"},{"key":"e_1_3_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3313831.3376511"},{"key":"e_1_3_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3462757.3466081"},{"key":"e_1_3_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/3292522.3326039"},{"key":"e_1_3_3_2_29_2","doi-asserted-by":"crossref","unstructured":"Irene Ioannidou and Nicolas Sklavos. 2021. On general data protection regulation vulnerabilities and privacy issues for wearable devices and fitness tracking applications. Cryptography 5 4 (2021) 29.","DOI":"10.3390\/cryptography5040029"},{"key":"e_1_3_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.2139\/ssrn.3427207"},{"key":"e_1_3_3_2_31_2","doi-asserted-by":"crossref","unstructured":"Garrett\u00a0A Johnson Scott\u00a0K Shriver and Samuel\u00a0G Goldberg. 2023. Privacy and market concentration: intended and unintended consequences of the GDPR. Management Science 69 10 (2023) 5695\u20135721.","DOI":"10.1287\/mnsc.2023.4709"},{"key":"e_1_3_3_2_32_2","doi-asserted-by":"crossref","unstructured":"Kyle\u00a0ML Jones Andrew Asher Abigail Goben Michael\u00a0R Perry Dorothea Salo Kristin\u00a0A Briney and M\u00a0Brooke Robertshaw. 2020. \u201cWe\u2019re being tracked at all times\u201d: Student perspectives of their privacy in relation to learning analytics in higher education. Journal of the Association for Information Science and Technology 71 9 (2020) 1044\u20131059.","DOI":"10.1002\/asi.24358"},{"key":"e_1_3_3_2_33_2","unstructured":"Scott Jordan Yoshimichi Nakatsuka Ercan Ozturk Andrew Paverd and Gene Tsudik. 2021. Viceroy: Gdpr-\/ccpa-compliant enforcement of verifiable accountless consumer requests. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2105.06942 (2021)."},{"key":"e_1_3_3_2_34_2","doi-asserted-by":"crossref","unstructured":"Sophie Kuebler-Wachendorff Robert Luzsa Johann Kranz Stefan Mager Emmanuel Syrmoudis Susanne Mayr and Jens Grossklags. 2021. The right to data portability: Conception status quo and future directions. Informatik Spektrum 44 (2021) 264\u2013272.","DOI":"10.1007\/s00287-021-01372-w"},{"key":"e_1_3_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/INCOFT60753.2023.10425479"},{"key":"e_1_3_3_2_36_2","unstructured":"Christian Kurtz Martin Semmann and Tilo B\u00f6hmann. 2018. Privacy by Design to Comply with GDPR: A Review on Third-Party Data Processors."},{"key":"e_1_3_3_2_37_2","volume-title":"ASAIL@ICAIL","author":"Liepi\u0146a R\u016bta","year":"2019","unstructured":"R\u016bta Liepi\u0146a, Giuseppe Contissa, Kasper Drazewski, Francesca Lagioia, Marco Lippi, Hans\u00a0Wolfgang Micklitz, Przemyslaw Palka, Giovanni Sartor, and Paolo Torroni. 2019. GDPR Privacy Policies in CLAUDETTE: Challenges of Omission, Context and Multilingualism. In ASAIL@ICAIL. https:\/\/api.semanticscholar.org\/CorpusID:195693926"},{"key":"e_1_3_3_2_38_2","doi-asserted-by":"publisher","unstructured":"Thomas Linden Rishabh Khandelwal Hamza Harkous and Kassem Fawaz. 2020. The Privacy Policy Landscape After the GDPR. Proceedings on Privacy Enhancing Technologies 2020 (01 2020) 47\u201364. 10.2478\/popets-2020-0004","DOI":"10.2478\/popets-2020-0004"},{"key":"e_1_3_3_2_39_2","doi-asserted-by":"crossref","unstructured":"Maria Lindh and Jan Nolin. 2016. Information we collect: Surveillance and privacy in the implementation of Google apps for education. European Educational Research Journal 15 6 (2016) 644\u2013663.","DOI":"10.1177\/1474904116654917"},{"key":"e_1_3_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3560436"},{"key":"e_1_3_3_2_41_2","volume-title":"We Read 150 Privacy Policies. They Were an Incomprehensible Disaster.","author":"Litman-Navarro Kevin","year":"2019","unstructured":"Kevin Litman-Navarro. 2019. We Read 150 Privacy Policies. They Were an Incomprehensible Disaster.https:\/\/www.nytimes.com\/interactive\/2019\/06\/12\/opinion\/facebook-google-privacy-policies.html"},{"key":"e_1_3_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3450022"},{"key":"e_1_3_3_2_43_2","volume-title":"Privacy policies are still too horrible to read in full","author":"Lomas Natasha","year":"2019","unstructured":"Natasha Lomas. 2019. Privacy policies are still too horrible to read in full. https:\/\/techcrunch.com\/2019\/06\/13\/privacy-policies-are-still-too-horrible-to-read-in-full\/"},{"key":"e_1_3_3_2_44_2","first-page":"265","volume-title":"International Journal on E-Learning","author":"Marek Michael\u00a0W","year":"2017","unstructured":"Michael\u00a0W Marek and Stan Skrabut. 2017. Privacy in educational use of social media in the US. In International Journal on E-Learning , Vol.\u00a016. Association for the Advancement of Computing in Education (AACE), 265\u2013286."},{"key":"e_1_3_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-33752-0_6"},{"key":"e_1_3_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-03667-6_17"},{"key":"e_1_3_3_2_47_2","unstructured":"Office of\u00a0the Commissioner\u00a0for Personal Data\u00a0Protection. 2023. Announcement - Personal Data Protection Commissioner regarding cyber attacks. https:\/\/www.dataprotection.gov.cy\/dataprotection\/dataprotection.nsf\/All\/0289C76C8BC40785C2258A74003395F8?OpenDocument [Online. Accessed on 30\/06\/2025 ]."},{"key":"e_1_3_3_2_48_2","volume-title":"Overview \u2013 Data Protection and the EU","author":"Office Information\u00a0Commissioner\u2019s","unstructured":"Information\u00a0Commissioner\u2019s Office. [n. d.]. Overview \u2013 Data Protection and the EU. https:\/\/ico.org.uk\/for-organisations\/data-protection-and-the-eu\/overview-data-protection-and-the-eu\/"},{"key":"e_1_3_3_2_49_2","doi-asserted-by":"crossref","unstructured":"Junhyoung Oh Jinhyoung Hong Changsoo Lee Jemin\u00a0Justin Lee Simon\u00a0S. Woo and Kyungho Lee. 2021. Will EU\u2019s GDPR Act as an Effective Enforcer to Gain Consent? IEEE Access 9 (2021) 79477\u201379490. https:\/\/api.semanticscholar.org\/CorpusID:235340705","DOI":"10.1109\/ACCESS.2021.3083897"},{"key":"e_1_3_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1145\/3545948.3545952"},{"key":"e_1_3_3_2_51_2","unstructured":"Ayesha Qamar Tehreem Javed and Mirza\u00a0Omer Beg. 2021. Detecting compliance of privacy policies with data protection laws. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2102.12362 (2021)."},{"key":"e_1_3_3_2_52_2","unstructured":"Tamjid\u00a0Al Rahat Tu Le and Yuan Tian. 2021. Automated detection of gdpr disclosure requirements in privacy policies using deep active learning. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2111.04224 (2021)."},{"key":"e_1_3_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.1145\/3559613.3563195"},{"key":"e_1_3_3_2_54_2","doi-asserted-by":"crossref","unstructured":"Joel\u00a0R Reidenberg Travis Breaux Lorrie\u00a0Faith Cranor Brian French Amanda Grannis James\u00a0T Graves Fei Liu Aleecia McDonald Thomas\u00a0B Norton Rohan Ramanath et\u00a0al. 2015. Disagreeable privacy policies: Mismatches between meaning and users\u2019 understanding. Berkeley Tech. LJ 30 (2015) 39.","DOI":"10.2139\/ssrn.2418297"},{"key":"e_1_3_3_2_55_2","volume-title":"Forum Qualitative Sozialforschung\/Forum: Qualitative Social Research","author":"Roller Margaret\u00a0R","year":"2019","unstructured":"Margaret\u00a0R Roller et\u00a0al. 2019. A quality approach to qualitative content analysis: Similarities and differences compared to other qualitative methods. In Forum Qualitative Sozialforschung\/Forum: Qualitative Social Research , Vol.\u00a020."},{"key":"e_1_3_3_2_56_2","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313524"},{"key":"e_1_3_3_2_57_2","volume-title":"General Data Protection Regulation","author":"Supervisor European Data\u00a0Protection","year":"2016","unstructured":"European Data\u00a0Protection Supervisor. 2016. General Data Protection Regulation. https:\/\/www.edps.europa.eu\/general-data-protection-regulation_en"},{"key":"e_1_3_3_2_58_2","doi-asserted-by":"crossref","unstructured":"Emmanuel Syrmoudis Stefan Mager Sophie Kuebler-Wachendorff Paul Pizzinini Jens Grossklags and Johann Kranz. 2021. Data portability between Online services: an empirical analysis on the effectiveness of GDPR Art. 20. Proceedings on Privacy Enhancing Technologies (2021).","DOI":"10.2478\/popets-2021-0051"},{"key":"e_1_3_3_2_59_2","doi-asserted-by":"crossref","unstructured":"Kejsi Take Kevin Gallagher Andrea Forte Damon McCoy and Rachel Greenstadt. 2022. \u201cit feels like whack-a-mole\u201d: User experiences of data removal from people search websites. Proceedings on Privacy Enhancing Technologies 2022 3 (2022).","DOI":"10.56553\/popets-2022-0067"},{"key":"e_1_3_3_2_60_2","unstructured":"Tobias Urban Dennis Tatang Martin Degeling Thorsten Holz and Norbert Pohlmann. 2018. The unwanted sharing economy: An analysis of cookie syncing and user transparency under GDPR. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/1811.08660 (2018)."},{"key":"e_1_3_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-31500-9_5"},{"key":"e_1_3_3_2_62_2","doi-asserted-by":"publisher","DOI":"10.1145\/3320269.3372194"},{"key":"e_1_3_3_2_63_2","first-page":"911","volume-title":"Proceedings of the 2018 ACM International Joint Conference and 2018 International Symposium on Pervasive and Ubiquitous Computing and Wearable Computers","author":"Wong Janis","year":"2018","unstructured":"Janis Wong and Tristan Henderson. 2018. How portable is portable? Exercising the GDPR\u2019s right to data portability. In Proceedings of the 2018 ACM International Joint Conference and 2018 International Symposium on Pervasive and Ubiquitous Computing and Wearable Computers. 911\u2013920."},{"key":"e_1_3_3_2_64_2","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623067"},{"key":"e_1_3_3_2_65_2","doi-asserted-by":"publisher","unstructured":"Razieh\u00a0Nokhbeh Zaeem and K.\u00a0Suzanne Barber. 2020. The Effect of the GDPR on Privacy Policies: Recent Progress and Future Promise. ACM Trans. Manage. Inf. Syst. 12 1 Article 2 (Dec. 2020) 20\u00a0pages. 10.1145\/3389685","DOI":"10.1145\/3389685"},{"key":"e_1_3_3_2_66_2","doi-asserted-by":"publisher","DOI":"10.1109\/CNS59707.2023.10288797"}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","location":"Taipei Taiwan","acronym":"WPES '25","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 24th Workshop on Privacy in the Electronic Society"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3733802.3764047","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T18:56:01Z","timestamp":1767984961000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3733802.3764047"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,13]]},"references-count":65,"alternative-id":["10.1145\/3733802.3764047","10.1145\/3733802"],"URL":"https:\/\/doi.org\/10.1145\/3733802.3764047","relation":{},"subject":[],"published":{"date-parts":[[2025,10,13]]},"assertion":[{"value":"2025-11-18","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}