Promoting i-Safety: effects of privacy warnings and privacy seals on risk assessment and online privacy behavior.

Publication: Journal of Consumer Affairs

Publication Date: 22-JUN-07

Bookmark this article Print this article Link to this article Email this article Digg It! Add to del.icio.us RSS

COPYRIGHT 2007 American Council on Consumer Interests

Using social cognitive theory, this study experimentally examines the effects of explicit privacy warnings, a clear, conspicuous, and concise presentation of the benefits and risks associated with database information practices stated in a Web site's privacy policy. Warnings increased perceptions of the risks associated with information practices and decreased disclosures, but not in the presence of a privacy seal. The effects were also moderated by consumer privacy self-efficacy and involvement with privacy. The results support the development of privacy warnings as a part of consumer privacy self-regulatory efforts and the use of a social cognitive paradigm for understanding consumer privacy behaviors.

THE I-SAFETY PROBLEM

How can we motivate Internet consumers to engage in behavior that will protect their privacy online? This question assumes increasing importance as privacy threats reach alarming proportions. In a recent multicity audit of consumers' computers conducted by the National Cyber Security Alliance, four-fifths were infested with spyware (National Cyber Security Alliance 2004). One-eighth of all identity thefts are attributed to online sources including spyware, online transactions, viruses, and phishing (Better Business Bureau 2005). Two-thirds of all e-mail worldwide is now spam (MessageLabs 2005), up from 7% in 2001 (Brightmail 2004). Consumers, as well as Web site proprietors, software developers, and policy makers, must play a role in protecting privacy (Milne and Culnan 2004). However, consumers are called upon (Consumer Reports 2004; PC Magazine 2004) to enact a bewildering array of measures to protect their privacy online: update virus protection, mind security settings, download patches, install firewalls, screen e-mail, shut down spyware, control cookies, deploy encryption, fend off browser hijackers, and block pop-ups. How can the average consumer be enlisted in the abstract and complex cause of privacy protection and ultimately, network security?

Presently, Internet privacy standards have been set forth by the Federal Trade Commission (FTC), relying on the voluntary participation of Web proprietors for the provision of their information practices in a clear and conspicuous privacy policy and the participation in privacy seal programs such as TRUSTe. Yet, consumers do not appear to completely understand what seals assure (Rifon, LaRose, and Choi 2005) and most do not read policies (Turow 2003). We suggest that privacy policies and seals do not provide adequate information for consumers to understand the implications of the sharing of their personal information, nor do they motivate consumers to take protective actions and engage in safe online behaviors. A different model for notice is needed, one that can prompt consumers to consider the potential consequences, positive and negative, that are associated with personal information disclosures.

From the consumer's perspective, privacy and security measures entail managing the release of personal information while deflecting unwanted intrusions, parallel to two underlying dimensions of consumer privacy (cf. Goodwin 1991; Lee and LaRose 1994). Online privacy may then be defined in behavioral terms as actions that prevent unwanted disclosures and intrusions while using the Internet. As such, consumers translate preferences into actions that protect themselves, their information, and their computers. We conceptualize the problem as one of personal safety protection, arming consumers with the requisite information and skills so that they can make informed choices and enact appropriate behaviors that will shield them from online privacy threats. Following the common practice of adding an e-, an i-, or a cyber- to denote the online version of a familiar concept, we call ours i-Safety. The result is an intentional double entendre, the i signifying information but also highlighting the role that the individual must play to protect one's information and the network at large. The i-Safety model is a social cognitive approach that highlights the role of consumer self-efficacy or confidence for privacy protection enactment as a moderator of the motivating effects of privacy concern. We use the i-Safety model to guide an experimental test of a warning label's potential benefits for consumer protection through its ability to influence consumer perceptions and subsequent privacy protection behaviors.

Privacy Concern and Protection Behaviors

Online consumers can and sometimes do take action to protect themselves. A fourth use separate e-mail addresses to avoid spam, nearly two-thirds avoid posting their addresses on Web sites, and a like percentage use spam filters (Fallows 2005). Over two-thirds of Internet users have on occasion refused information requests, opted out of direct marketing lists or information transfers, or decided not to use a Web site or complete a purchase. Fewer but still substantial numbers selectively blocked cookies, cleared browser memories, read privacy statements, encrypted e-mails, or used anonymizing technologies (Milne, Rohm, and Bahl 2004).

Still, Internet privacy poses something of a paradox, some say even a fallacy (Goldman 2003). Surveys show that concerns about online privacy are widespread (e.g., Cyber Security Industry Alliance 2005; Milne, Rohm, and Bahl 2004; National Telecommunications and Information Administration 2000; Smith 2005a,b). Yet, privacy concerns have little overall impact on surfing habits or e-commerce participation (George 2004; Han and Maclaurin 2002; Jarvenpaa and Todd 1997; Khalifa and Limayem 2003; Miyazaki and Krishnamurthy 2002). Concerns had relatively weak positive relationships to privacy protection behaviors in two studies (Milne and Culnan 2004; Milne, Rohm, and Bahl 2004) but an inverse relationship in another (Chen and Rea 2004). Internet users willingly divulge personal information to obtain "free" information, personalized content (Pastore 1999), customized discounts (White 2004), prizes, loyalty program memberships (Earp and Baumer 2003), cajoling interactions with automated shopping "agents" (Berendt, Gunther, and Spiekermann 2005), or some other form of "fair exchange" (Culnan and Bies 2003). Thus, although online privacy is undeniably a "concern," one might well ask if it really influences a consumer's privacy protection behaviors.

Privacy Policies and Third-Party Seals

Whether consumer privacy concerns have any practical impact is still open to question, but they undeniably have had a political impact. In response, the FTC (2000) has supported fair information practice standards that call for notice of the information that is being collected, access to the data that are collected, choice about the use of the information, and reasonable assurance of the security of the information. Studies generally confirm that Web sites bearing privacy statements at least partially comply with the FTC guidelines (reviewed by Milne and Culnan 2002; Peslak 2005).

The FTC also supports third-party seal certifications as part of a self-regulatory approach. Web sites may participate in privacy seal programs such as TRUSTe that assure consumers of the privacy policy's veracity and compliance with FTC fair information practice standards. The premise of privacy seals such as TRUSTe and BBBOnline is widely misunderstood (Miyazaki and Krishnamurthy 2002; Rifon, LaRose, and Choi 2005; Turow 2003); they do not assure the user's privacy but only vouch for the accuracy of the site's privacy policy, and even that is arguable (cf. Perfectly Private 2001). Indeed, many do not read privacy policies (Milne and Culnan 2004), a behavioral prerequisite for seal programs to protect consumers. The process for obtaining seal approval and the ability to "click to verify" are also widely misapprehended (Moores 2005). There is mixed evidence about the ability of seals to inspire trust. When privacy seals were manipulated in isolation from other privacy variables, they had no effect on trust (McKnight, Kacmar, and Choudhury 2004). Other evidence suggests that consumers heuristically (Petty, Cacioppo, and Schumann 1983), and inaccurately, use privacy seals to signal trust, less personal data collection, and fewer privacy violations (Rifon, LaRose, and Choi 2005) and that seals encourage both personal information disclosure and participation in e-commerce (Miyazaki and Krishnamurthy 2002). What of those who choose not to rely on privacy seals? While over four-fifths of Internet users sometimes read privacy policies at the sites they visit, fewer than 5% always...

Read the full article for free courtesy of your local library.