Meihe (Iris) Xu Successfully Defends PhD Thesis!

M-EPLI is proud to announce that on 17 June at 16:00, Meihe (Iris) Xu successfully defended her thesis, “ONE SIZE FITS NONE: Effectiveness and Acceptability of Personalized Transparency and Privacy Assistance in the United States, the European Union, and China.” 

The defence, livestreamed from Maastricht University, explored whether personalization could fix one of privacy law’s biggest problems: disclosures are too long, too complex, and often give users little real control. 

Xu began by asking the audience to reflect on a familiar shared online experience: greetings from cookie banners that present three common options: (1) accept all, (2) reject all, (3) necessary cookies only, and if we are really diligent, we can navigate to a privacy policy for more information.  

She called attention to a broader critique about online privacy: "If digital services can personalise advertisements, recommendations, or even lifestyle advice, why can't they personalise privacy information in a way that helps users understand what actually matters to them?"

Xu compared transparency mandates in California, the EU, and China, using TikTok’s privacy policy as a case study. The findings show that laws, company practices, and user expectations do not always align. 

She noted that: "Users especially in California and Germany, wanted something more from transparency. They associated transparency not only with disclosure, but also with truthfulness, honestly, and as an instrument to trust."

This leads to what Xu calls "transparency cynicism", which describes "feelings of uncertainty, powerlessness, mistrust, and perception of lack of transparency" despite technical compliance with privacy law.

Xu tested whether personalized privacy policies that show users their most relevant section first could improve user experience. She found that legally compliant personalization with reordering does not significantly improve engagement, understanding, or cognitive load. 

Xu defines personalised privacy as "the practice of tailoring information disclosure to individual users' preferences in order to enhance their understanding and control."

To explore how this concept could be realized, Xu suggested that personalized privacy assistants (PPAs) could support users in "not only understanding privacy information, but also in managing privacy decisions". 

Xu's cross-regional survey of users and experts found that acceptance of these assistants depends on trust, habit, design, accountability, and regional context.

"For PPAs to be acceptable, they must preserve user agency by assisting rather replacing user decision-making. They also require multi-stakeholder scrutiny because privacy defaults and automated decision-making should not be left solely to companies or automated systems."

Xu concluded that "personalisation is not a panacea" and called for an approach that centers user agency in a way that actually empowers users to make meaningful choices about their privacy online.