A Pilot Study of the Effectiveness of Privacy Policy Statements

Roger Clarke
Xamax Consultancy Pty Ltd, Canberra
Visiting Professor, U.N.S.W., Uni. of Hong Kong & ANU

http://www.anu.edu.au/people/Roger.Clarke/... .../DV/PPSE0601 {.html, .ppt}

Bled eCommerce Conf. – June 2006

Copyright, 1987-2006

Privacy Policy Statements

Themes

1. Privacy as a Trust Factor
2. Privacy Protection Mechanisms
3. Privacy Policy Statements
4. Research Design
5. The Pilot Survey
6. Implications

Trust as a Factor in B2C eCommerce

• The Theory of Reasoned Action (TRA) of Ajzen & Fishbein (1980) postulates that Trust is a major determinant of attitude towards purchasing, and hence of intention to purchase

• In Internet-based B2C eCommerce, Trust is usefully defined as:

confident reliance by Consumers about the behaviour of relevant Business Enterprises

Important Factors in Consumer Trust

• Dependability
• Security of Tradable Items and Funds
• Transparency of Marketspace Processes
• Fairness of Terms / Consumer Protections
• Recourse ‘when things go wrong’
• Privacy, and Anonymity / Pseudonymity

A History of Marketer Abuses of Consumer Trust

• 1994-95 – The Web as New Advertising Medium (‘billboards on the information superhighway’)
• 1995-97 – Closed Electronic ‘Communities’
• 1996-98 – Push Technology (‘web-casting’)
• 1996-98 – Info-Mediaries
• 1998- ... – Portals
• 2000- ... – Consumer Data Trails
• ...

Privacy as a Trust Factor

The interest that individuals have in sustaining a 'personal space', free from interference by other people and organisations

Dimensions of Privacy
• Privacy of the Person
• Privacy of Personal Behaviour
• Privacy of Personal Communications
• Privacy of Personal Data

Personal Data Privacy and Consumers

• Consumer Expectations
  • Privacy is a 'fundamental human right'
  • Excited by abuses, and numbed by them
  • Excited by advocates and the media
• Particularly Serious Concerns
  • Consumer behaviour data
  • Anti-discrimination categories
  • Taxation and financial data
  • Health data
  • Household data
  • Location data for persons-at-risk

Privacy Policy Statements (PPS)

• What PPS Are Not
  • Privacy Impact Statements (cf. EIS)
  • Privacy Impact Assessment (PIA cf. EIA)
• What PPS Are
  • 'privacy policies'
  • 'privacy statements'
  • 'privacy notices'
  • 'information practice statements'

Objectives of the PIA Process

• Clearly define:
  • business needs
  • stakeholder groups
  • privacy impacts and implications
• Enable understanding and assessment of the proposal
• Enable mutual understanding of stakeholder perspectives
• Ensure reflection of stakeholder perspectives in the outcomes
• Enable:
  • maximisation of positive impacts
  • avoidance or amelioration of negative impacts
• Maximise the likelihood of stakeholder support
• Avoid new requirements emerging late
• Earn public confidence
• Raise awareness, educate
• Anticipate and avoid misinformation campaigns

Privacy Impact Assessment (PIA)

A sophisticated process that surfaces and examines potential impacts and implications of privacy-invasive proposals

Privacy Policy Statement (PPS)

A primitive form of unilateral report by an organisation about what the organisation does with personal data

Privacy Protection Mechanisms

• Technological Measures
• Organisational Measures
• Legal Measures
  • Privacy Statutes
  • Data Protection Statutes
  • Contract Law
  • Tort of Misrepresentation

Privacy Enhancing Technologies (PETs)

• Counter-PITs
  Cookie-Managers, Firewalls, ...
• Savage PETs
  Anonymous Remailers, Web-Surfing, ...
• Gentle PETs
  Pseudonymous Remailers, Web-Surfing, ...
• Pseudo-PETs
  MetaBrands (TRUSTe, Better Business Bureau)

Organisational Protections

• Business Processes
• Consumer Marketing Principles
  • Information
  • Choice
  • Consent
  • Fair Conditions
  • Recourse

The OECD’s 1980 Principles plus Public Access and Accountability Principles

[Diagram; labels: Use, Disclosure, Subject Access, Individual Concerned, Third Parties]

Alternative Regulatory Approaches to Privacy Protection

• ‘Hard’ Regulation
  Statutory Impositions, Criminal Prosecution
• Self-Regulation
  “Wolves self-regulate for the good of themselves and the pack, not the deer”
  No country accepts self-regulation alone, except the U.S.A.
• ‘Co-Regulation’
  Education, Changes to Procedures, Complaints Processes, Back-Ended by Damages Provisions and Criminal Sanctions

The Role of PPS in the Alternative Regulatory Contexts

• ‘Hard’ Regulation
  Little or no real role
• Self-Regulation
  The key feature that is meant to create the impression that consumers have some kind of protection
• ‘Co-Regulation’
  Possible role, as an adjunct to minimum requirements or as a means of interpreting the law

The Research Question

• 'How effective are Privacy Policy Statements in encouraging consumer trust of B2C vendors?'

• Operational Formulation:

'Do the Privacy Policy Statements found on vendors' web-sites measure up to the requirements expressed in a specific normative Privacy Statement Template?'

Privacy Policy Statement Template

http://www.anu.edu.au/people/Roger.Clarke/DV/SPT.html

• Comprehensive
• Based on consumer need and practicality
• Not constrained by:
  • OECD Gs’ 1970s View of Technology
  • Business-Bias of the US ‘Safe Harbor’
• Designed to provide guidance for all, including corporations, business associations, govt agencies, individuals, public interest reps and advocates

Research Model

Population Segmentation

Dimension 1 – The Business

• ‘Pure Internet B2C’
• ‘Clicks-and-Mortar’

Dimension 2 – The Company

• Leaders
• Aggressive Marketers
• Marketers of Sensitive Products
• Regional Marketers
• ‘Ethical’ Marketers / ‘Not-For-Profits’

Sample for the Pilot Survey

Leaders:
• Amazon
• Google

Aggressive Marketers:
• Sears, Roebuck & Co.

Marketers of Sensitive Products:
• Adultshop.com

Regional Marketers:
• Autoteile-Meile.de (German online supplier of tyres and automotive spare parts)

'Ethical' Marketers:
• National Geographic (“world’s largest nonprofit scientific and educational institution”)

Procedure

• Determine the segmentation
• Determine the sampling frames
• Determine the sample
• Conduct the assessment
  • find the organisation’s web-site
  • find the PPS on that web-site
  • assess it against the template
  • summarise
  • compare among the sample
  • draw inferences

Results

• Google: terrible
• Amazon: worse
• Sears & Roebuck: worse again
• Adultshop.com: positive
• National Geographic: appalling
• Autoteile-Meile: Google-like and irrelevant

Implications for Practice

Caution: very limited external validity!

• Descriptive value: Many PPS are valueless to consumers
• Explanatory value: Current PPS undermine consumer Trust
• Predictive value: Fragility if and when things go wrong
• Self-Regulation doesn’t work
  ‘Hard’ or ‘Co-Regulation’ is essential

Implications for Research

• Segmentation needs refinement:
  • Organisational Size is a factor
  • Home Jurisdiction cf. Global
• The Normative Template needs refinement
• The design appears to be:
  • Practicable
  • Useful
• A representative sample can be assessed, and results capable of being generalised from can be achieved, with limited resources
