"I need to learn better searching tactics for privacy policy laws." Investigating Software Developers' Behavior When Using Sources on Privacy Issues

Stefan Albert Horstmann, Sandy Hong, Maziar Niazian, Cristiana Santos, Alena Naiakshina

TL;DR

The paper investigates how software developers address privacy requirements under GDPR and CCPA by comparing personal knowledge, online sources, and AI assistants in a think-aloud study with 30 professionals. It analyzes the effectiveness and limitations of each source in identifying privacy issues and proposing measures within a realistic fitness app scenario. The findings show that AI assistants are preferred for speed and convenience but often miss context-specific issues, while online sources lag in quality and applicability, and developer knowledge is insufficient. The work advocates for accessible, jurisdiction-specific privacy guidance and curated AI outputs to better support privacy compliance in software development.

Abstract

Since the introduction of the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), software developers increasingly have to make privacy-related decisions during system design and implementation. However, past research showed that they often lack legal expertise and struggle with privacy-compliant development. To shed light on how effective current information sources are in supporting them with privacy-sensitive implementation, we conducted a qualitative study with 30 developers. Participants were presented with a privacy-sensitive scenario and asked to identify privacy issues and suggest measures using their knowledge, online resources, and an AI assistant. We observed developers' decision-making in think-aloud sessions and discussed it in follow-up interviews. We found that participants struggled with all three sources: personal knowledge was insufficient, web content was often too complex, and while AI assistants provided clear and user-tailored responses, they lacked contextual relevance and failed to identify scenario-specific issues. Our study highlights major shortcomings in existing support for privacy-related development tasks. Based on our findings, we discuss the need for more accessible, understandable, and actionable privacy resources for developers.

"I need to learn better searching tactics for privacy policy laws." Investigating Software Developers' Behavior When Using Sources on Privacy Issues

Paper Structure

This paper contains 35 sections, 1 figure, 6 tables.

Figures (1)

  • Figure 1: Participants' Rating of the Three Sources