Copyright,1987-2006

A Pilot Study of the Effectiveness of Privacy Policy Statements
Roger Clarke
Xamax Consultancy Pty Ltd, Canberra
Visiting Professor, U.N.S.W., Uni. of Hong Kong & ANU
http://www.anu.edu.au/people/Roger.Clarke/....../DV/PPSE0601 {.html, .ppt}
Bled eCommerce Conf. – June 2006

Privacy Policy Statements
Themes
1. Privacy as a Trust Factor
2. Privacy Protection Mechanisms
3. Privacy Policy Statements
4. Research Design
5. The Pilot Survey
6. Implications

Trust as a Factor in B2C eCommerce
• The Theory of Reasoned Action (TRA) of Ajzen & Fishbein (1980) postulates that Trust is a major determinant of attitude towards purchasing, and hence of intention to purchase
• In Internet-based B2C eCommerce, Trust is usefully defined as:
  confident reliance by Consumers about the behaviour of relevant Business Enterprises

Important Factors in Consumer Trust
• Dependability
• Security of Tradable Items and Funds
• Transparency of Marketspace Processes
• Fairness of Terms / Consumer Protections
• Recourse ‘when things go wrong’
• Privacy, and Anonymity / Pseudonymity

A History of Marketer Abuses of Consumer Trust
• 1994-95 – The Web as New Advertising Medium (‘billboards on the information superhighway’)
• 1995-97 – Closed Electronic ‘Communities’
• 1996-98 – Push Technology (‘web-casting’)
• 1996-98 – Info-Mediaries
• 1998- ... – Portals
• 2000- ... – Consumer Data Trails
• ...

Privacy as a Trust Factor
The interest that individuals have in sustaining a 'personal space', free from interference by other people and organisations
Dimensions of Privacy
• Privacy of the Person
• Privacy of Personal Behaviour
• Privacy of Personal Communications
• Privacy of Personal Data

Personal Data Privacy and Consumers
• Consumer Expectations
  • Privacy is a 'fundamental human right'
  • Excited by abuses, and numbed by them
  • Excited by advocates and the media
• Particularly Serious Concerns
  • Consumer behaviour data
  • Anti-discrimination categories
  • Taxation and financial data
  • Health data
  • Household data
  • Location data for persons-at-risk

Privacy Policy Statements (PPS)
• What PPS Are Not
  • Privacy Impact Statements (cf. EIS)
  • Privacy Impact Assessment (PIA cf. EIA)
• What PPS Are
  • 'privacy policies'
  • 'privacy statements'
  • 'privacy notices'
  • 'information practice statements'

Objectives of the PIA Process
• Clearly define:
  • business needs
  • stakeholder groups
  • privacy impacts and implications
• Enable understanding and assessment of the proposal
• Enable mutual understanding of stakeholder perspectives
• Ensure reflection of stakeholder perspectives in the outcomes
• Enable:
  • maximisation of positive impacts
  • avoidance or amelioration of negative impacts
• Maximise the likelihood of stakeholder support
• Avoid new requirements emerging late
• Earn public confidence
• Raise awareness, educate
• Anticipate and avoid misinformation campaigns

Privacy Impact Assessment (PIA)
A sophisticated process that surfaces and examines potential impacts and implications of privacy-invasive proposals
Privacy Policy Statement (PPS)
A primitive form of unilateral report by an organisation about what the organisation does with personal data

Privacy Protection Mechanisms
• Technological Measures
• Organisational Measures
• Legal Measures
  • Privacy Statutes
  • Data Protection Statutes
  • Contract Law
  • Tort of Misrepresentation

Privacy Enhancing Technologies (PETs)
• Counter-PITs
  Cookie-Managers, Firewalls, ...
• Savage PETs
  Anonymous Remailers, Web-Surfing, ...
• Gentle PETs
  Pseudonymous Remailers, Web-Surfing, ...
• Pseudo-PETs
  MetaBrands (TRUSTe, Better Business Bureau)

Organisational Protections
• Business Processes
• Consumer Marketing Principles
• Information
• Choice
• Consent
• Fair Conditions
• Recourse

The OECD’s 1980 Principles plus Public Access and Accountability Principles
[Diagram labels: USE; DISCLOSURE; SUBJECT ACCESS; Individual Concerned; Third Parties]

Alternative Regulatory Approaches to Privacy Protection
• ‘Hard’ Regulation
  Statutory Impositions, Criminal Prosecution
• Self-Regulation
  “Wolves self-regulate for the good of themselves and the pack, not the deer”
  No country accepts self-regulation alone, except the U.S.A.
• ‘Co-Regulation’
  Education, Changes to Procedures, Complaints Processes, Back-Ended by Damages Provisions and Criminal Sanctions

The Role of PPS in the Alternative Regulatory Contexts
• ‘Hard’ Regulation
  Little or no real role
• Self-Regulation
  The key feature that is meant to create the impression that consumers have some kind of protection
• ‘Co-Regulation’
  Possible role, as an adjunct to minimum requirements or as a means of interpreting the law

The Research Question
• 'How effective are Privacy Policy Statements in encouraging consumer trust of B2C vendors?'
• Operational Formulation:
  'Do the Privacy Policy Statements found on vendors' web-sites measure up to the requirements expressed in a specific normative Privacy Statement Template?'

Privacy Policy Statement Template
http://www.anu.edu.au/people/Roger.Clarke/DV/SPT.html
• Comprehensive
• Based on consumer need and practicality
• Not constrained by:
  • OECD Gs’ 1970s View of Technology
  • Business-Bias of the US ‘Safe Harbor’
• Designed to provide guidance for all, including corporations, business associations, govt agencies, individuals, public interest reps and advocates

Research Model

Population Segmentation
Dimension 1 – The Business
• ‘Pure Internet B2C’
• ‘Clicks-and-Mortar’
Dimension 2 – The Company
• Leaders
• Aggressive Marketers
• Marketers of Sensitive Products
• Regional Marketers
• ‘Ethical’ Marketers / ‘Not-For-Profits’

Sample for the Pilot Survey
Leaders:
• Amazon
• Google
Aggressive Marketers:
• Sears, Roebuck & Co.
Marketers of Sensitive Products:
• Adultshop.com
Regional Marketers:
• Autoteile-Meile.de (German online supplier of tyres and automotive spare parts)
'Ethical' Marketers:
• National Geographic (“world’s largest nonprofit scientific and educational institution”)

Procedure
• Determine the segmentation
• Determine the sampling frames
• Determine the sample
• Conduct the assessment
  • find the organisation’s web-site
  • find the PPS on that web-site
  • assess it against the template
  • summarise
  • compare among the sample
  • draw inferences

Results
• Google terrible
• Amazon worse
• Sears & Roebuck worse again
• Adultshop.com positive
• National Geographic appalling
• Autoteile-Meile Google-like and irrelevant

Implications for Practice
Caution: very limited external validity!
• Descriptive value: Many PPS are valueless to consumers
• Explanatory value: Current PPS undermine consumer Trust
• Predictive value: Fragility if and when things go wrong
• Self-Regulation doesn’t work
  ‘Hard’ or ‘Co-Regulation’ is essential

Implications for Research
• Segmentation needs refinement:
  • Organisational Size is a factor
  • Home Jurisdiction cf. Global
• The Normative Template needs refinement
• The design appears to be:
  • Practicable
  • Useful
• A representative sample can be assessed, and results capable of being generalised from can be achieved, with limited resources