"I'm trying not to get hacked:" How Adults with IDD Navigate Security and Privacy Notifications

Abstract

Security and privacy notifications—such as login alerts, spam e-mail warnings, and cookie consent requests—play a critical role in shaping how users respond to digital risks. Yet most notifications overlook cognitive accessibility, limiting their effectiveness for people with intellectual and developmental disabilities (IDD). In this work, we investigate how adults with IDD perceive and respond to common security and privacy notifications across mobile and web applications. Through a user study involving six adults with IDD, we identified key factors that influenced their understanding and decision-making, including reliance on visual or symbolic cues, simplification of complex terms, interdependence with support persons, and familiarity with everyday functions. We further highlight interaction challenges, including misunderstandings of notification purpose and flow, misinterpretations of language and terminology, and misalignments of action-outcome expectations. Our results contribute design recommendations to advance usable privacy and security, supporting safer and more autonomous digital engagement for users with IDD.Security and privacy warnings — like login alerts, spam email notices, and cookie pop-ups — are meant to help users stay safe online. But most aren't designed with cognitive accessibility in mind, making them confusing for people with intellectual and developmental disabilities (IDD). We studied how six adults with IDD respond to common security and privacy warnings on phones and websites. We found people relied on visual cues, got help from others, and leaned on familiarity with everyday apps. We also found key challenges: misunderstanding what notifications were for, confusion about the language, and not knowing what would happen when they clicked buttons. Our findings offer design recommendations to make these warnings clearer and safer for everyone.

Resources