"Sorry for bugging you so much." Exploring Developers' Behavior Towards Privacy-Compliant Implementation
Stefan Albert Horstmann, Sandy Hong, David Klein, Raphael Serafini, Martin Degeling, Martin Johns, Veelasha Moonsamy, Alena Naiakshina
TL;DR
The paper examines why developers struggle to implement GDPR-aligned privacy in software through a controlled lab study with 30 professionals divided into control, privacy-prompted, and privacy-expert-supported groups. Four GDPR-relevant tasks on a health-application prototype reveal widespread noncompliance and only modest gains from prompts or expert advice, highlighting a persistent privacy-awareness gap, perceived task complexity, and underutilization of privacy resources. The study combines source-code analysis, screen recordings, and interviews to triangulate constraints such as knowledge gaps, time pressure, and reliance on existing implementations, arguing for clearer guidelines, better privacy education, and tools that decouple privacy from security during development. Overall, the work provides foundational insights into privacy-by-design challenges in software engineering and points to pathways for improving developer support and organizational practices. This research establishes a baseline for how privacy considerations are currently addressed in practice and sets the stage for future interventions and tooling to promote privacy-compliant software.
Abstract
While protecting user data is essential, software developers often fail to fulfill privacy requirements. However, the reasons why they struggle with privacy-compliant implementation remain unclear. Is it due to a lack of knowledge, or is it because of insufficient support? To provide foundational insights in this field, we conducted a qualitative 5-hour programming study with 30 professional software developers implementing 3 privacy-sensitive programming tasks that were designed with GDPR compliance in mind. To explore if and how developers implement privacy requirements, participants were divided into 3 groups: control, privacy-prompted, and privacy expert-supported. After task completion, we conducted follow-up interviews. Alarmingly, almost all participants submitted non-GDPR-compliant solutions (79/90). In particular, none of the 3 tasks was solved in a privacy-compliant way by all 30 participants, with the non-prompted group having the lowest number of privacy-compliant solution attempts, 3 out of 30. Privacy prompting and expert support only slightly improved participants' submissions, with 6/30 and 8/30 privacy-compliant attempts, respectively. In fact, all participants reported severe issues addressing common privacy requirements such as purpose limitation, user consent, or data minimization. Counterintuitively, although most developers exhibited minimal confidence in their solutions, they rarely sought online assistance or contacted the privacy expert, with only 4 out of 10 expert-supported participants explicitly asking for compliance confirmation. Instead, participants often relied on existing implementations and focused on implementing functionality and security first.
