Post Job Free

Resume

Sign in

Information Web

Location:
Springfield, MO
Posted:
January 25, 2013

Contact this candidate

Resume:

Informing Science Journal Volume *, ****

Would Regulation of Web Site Privacy Policy

Statements Increase Consumer Trust?

David B. Meinert and Dane K. Peterson

Missouri State University, Springfield, Missouri USA

abqd14@r.postjobfree.com abqd14@r.postjobfree.com

John R. Criswell II Martin D. Crossland

Shelter Insurance. Columbia, Oklahoma State University,

Missouri USA Tulsa, Oklahoma USA

abqd14@r.postjobfree.com abqd14@r.postjobfree.com

Abstract

Proponents of e-commerce have known for some time that limited participation by consumers

partially reflects their concern over the privacy of personal information. To address consumer

concerns, web site operators have employed security mechanisms, including privacy policy

statements to increase their perceived trustworthiness. While empirical evidence is limited, there

is some question regarding the ability of privacy policy statements to engender significantly

greater levels of trust. The limited effectiveness of such statements may reflect their voluntary

implementation, self-enforcement, and\or significant variance (protection and enforcement) from

one web site to another. One possible remedy would be the imposition of legally mandated state-

ments. This study examined the efficacy of legally mandated privacy policies vis- -vis both vol-

untary statements of varying degrees of protection and the absence of any such statement. The

results were mixed, as legally mandated privacy policy statements were found to be comparable

to strong voluntary statements, but superior to none, weak or moderate policies. Perhaps more

important, the nature of the privacy policy statement interacted with type of information re-

quested.

Keywords: e-commerce privacy: electronic commerce trust; Internet privacy; Internet trust;

online privacy; privacy policy statements

Introduction

The past decade has witnessed rapid growth in e-commerce, particularly with respect to business-

to-consumer (B2C) transactions. Both

Material published as part of this publication, either on-line or established and new vendors have

in print, is copyrighted by the Informing Science Institute.

sought to leverage the diffusion of the

Permission to make digital or paper copy of part or all of these

Internet to expand their markets. The

works for personal or classroom use is granted without fee

Internet has allowed established firms to

provided that the copies are not made or distributed for profit

or commercial advantage AND that copies 1) bear this notice expand their marketplace, but at the

in full and 2) give the full citation on the first page. It is per-

same time it has eliminated many of the

missible to abstract these works so long as credit is given. To

traditional barriers of entry for new en-

copy in all other cases or to republish or to post on a server or

trants to compete for these same con-

to redistribute to lists requires specific permission and payment

sumers. Consumers once accustomed to

of a fee. Contact abqd14@r.postjobfree.com to request

redistribution permission. limited and known vendors are now af-

Editor: Eli Cohen

Regulation of Web Site Privacy Policy

forded more choices, but are often concerned about privacy and trust as many of the vendors are

unknowns (Pennington, Wilcox & Grover, 2003). Given that consumers are now presented

with vendors with whom they have little or no familiarity it comes as no surprise that recent re-

search on e-commerce has found that privacy and trust issues are a key determinant in whether

consumers engage in on-line transactions (Hoffman, Novak, & Peralta 1999).

Recognizing that privacy and trust of the vendor is a critical antecedent to increased participation

in B2C e-commerce, researchers have examined several trust mechanisms employed by ven-

dors to enhance consumer trust and concomitantly their predisposition to purchase on-line. One

mechanism that has garnered considerable interest are privacy policy statements, voluntary, self-

reported statements displayed on web sites that convey established policies for the use and distri-

bution of personal information.

Use of privacy policy statements to increase perceived trustworthiness is a relatively new phe-

nomenon, and examination of their use and implications is just beginning to be explored

(Criswell & Meinert, 2003; Culnan, 1999; Grewal, Munger, Iyer, & Levy, 2003; Liu & Arnett,

2002; Luo & Najdawi, 2004; Meinert, Peterson, Criswell & Crossland, 2006; Miyazaki & Fer-

nandez, 2000; Pennington et al., 2003; Ranganathan & Ganapathy, 2002). While much of the re-

search to date on this topic has focused on chronicling rates of utilization and variability in con-

tent, a few studies have examined the efficacy of privacy statements. Pennington, Wilcox and

Grover (2003) found evidence via an experimental design that self-reported guarantees can influ-

ence system trust and indirectly influence consumer purchase intentions. In an exploratory study,

Criswell and Meinert (2003) found that self-reported privacy policy statements increased con-

sumer willingness to provide personal information on-line. That study and a more comprehensive

study by Meinert, Peterson, Criswell and Crossland (2006) also affirmed that not only the pres-

ence, but the strength, or level of protection guaranteed by the privacy policy statement influences

consumer trust as measured by willingness to provide personal information on-line. These results,

while preliminary, seem to suggest that voluntary privacy policy statements have a positive, but

relatively limited impact on consumer trust. Only a strong privacy policy statement was found to

induce a willingness to provide contact, biographical and financial information and in each case

respondents were only slightly likely . It should be further noted that respondents in these stud-

ies were required to read the description of the privacy policy statements. In many instances, po-

tential customers may not read any policies regarding the web site s stated privacy standards.

Given the widespread use of privacy policy statements it s somewhat surprising to find that they

have minimal impact on consumer trust. Determining whether the effectiveness of privacy policy

statements can be improved would contribute to the knowledge and understanding of what, if any,

role they can play in influencing consumer trust of on-line vendors. While the literature offers no

insight into why such statements are ineffective, one plausible explanation is that consumers

place little faith in privacy policies that lack regulatory oversight. The aim of this exploratory

study was to examine whether legally mandated web site privacy policies would be more effec-

tive than either no policy or voluntary policies affording varying degrees of protection. This study

was intended to provide a preliminary understanding of the extent to which regulation of privacy

standards might increase the efficacy of web site privacy policy statements in order to increase

consumer trust. As an exploratory study, four specific research questions were examined:

How willing are consumers to provide various types of information via the

Internet when a legally mandated privacy policy is in place?

Are legally mandated privacy policy statements more effective in engendering trust than

either no policy or voluntary policies affording varying degrees of protection?

Are consumers generally aware of privacy policy statements?

124

Meinert, Peterson, Criswell, & Crossland,

Are consumers reading privacy policy statements?

By addressing these questions, this study aims to contribute to the body of knowledge related to

web site privacy policy statements. The findings should be of interest to practitioners, public pol-

icy makers and academicians. The findings provide additional insight into the influence of alter-

native forms of privacy policy statements and the extent to which regulatory oversight might in-

fluence consumer behavior.

To address these research questions, this article reports the results of a survey designed to meas-

ure the impact of both voluntary\self-regulated and legally mandated privacy policy statements.

First, the article examines related research to develop a basis for this investigation. This literature

review necessarily examines findings related to consumer trust and its role in e-commerce and

methods employed to increase consumer trust. Likewise the review explores both the protection

provided by privacy policy statements and the types of information typically requested by web

sites. The literature review concludes with a brief description of existing federal privacy standards

that may influence consumer perceptions and/or expectations regarding the government s role in

privacy protection. Next, the purpose of the study is outlined in the context of the literature re-

view. This is followed by a methods section that describes the data collection, sample, and re-

sults. Following a discussion of the results, limitations of the study and opportunities for future

research are addressed. The article concludes with a brief summary of the implications of the

study.

Literature Review

An antecedent to virtually all business transactions is consumer trust. When consumers feel vul-

nerable or at risk they are generally hesitant or unwilling to place orders or provide personal in-

formation. Recognizing the importance of consumer trust, individual organizations, industries and

public policy makers have sought to identify and implement mechanisms to reduce perceived

risks. While concern about consumer trust in e-commerce is a relatively new phenomenon, there

are four categories of literature that provide a foundation for this study. The first explores the

general basis for trust and its role in e-commerce models. The second chronicles methods for in-

creasing consumer trust. The third examines the strength of privacy policy statements (i.e., level

of protection afforded) and the nature of information collected via the web site. The fourth and

final category pertains to existing federal privacy standards that demonstrate the viability of le-

gally mandated privacy policies for web sites.

Consumer Trust and its Role in E-Commerce

Numerous studies have demonstrated that many potential customers are reluctant to engage in e-

commerce transactions because of concerns about providing personal information through the

Internet (Kolsaker & Payne, 2002; Miyazaki & Fernandez, 2001; Suh & Han, 2003). It has been

estimated that $15 billion in e-commerce revenues for 2001 were unrealized due to a lack of con-

sumer trust in either the ability or the intent of web merchants to ensure that personal information

would only be used in an acceptable manner (Sipior, Ward, & Rongione, 2004).

Definition of trust

A number of definitions of trust have been suggested specifically with regards to e-commerce

(e.g., Gefen, 2002; Lee & Turban, 2001; McKnight & Chervany, 2001). Most of the definitions of

trust proposed within the realm of e-commerce share a number of common elements. For exam-

ple, trust has been defined as a consumer s willingness to rely on the seller and take action in cir-

cumstances where such action makes the consumer vulnerable to the seller (Jarvenpaa, Tractin-

sky, Saarinen & Vitale, 1999). As in most definitions of trust there is an element of risk associ-

125

Regulation of Web Site Privacy Policy

ated with the information submitted through the Internet. Consumers are vulnerable because they

are dependent on web merchants to use information in an acceptable manner. The definition also

implies that consumers make their own subjective assessment of the risks involved in a particular

e-commerce transaction. Finally, a consumer s actions are assumed to be the result of a rational

decision making process.

Models of consumer trust in e-commerce

A variety of models on consumer trust in e-commerce have recently been proposed (Jarvenpaa, et

al., 1999; Lee & Turban, 2001; Limayem, Khalifa, & Frini, 2000; Liu, Marchewka, & Ku, 2004;

McKnight & Chervany, 2001; Suh & Han, 2003; Tan & Thoen, 2001). For the most part, these

models share a number of common elements. For example, most models recognize that individual

differences among consumers play a vital role in e-commerce trust. In general, consumers are

assumed to differ in terms of their propensity to trust or their disposition to trust (Lee & Turban,

2001; McKnight & Chervany, 2001). The disposition or propensity to trust is likely influenced by

consumers awareness of Internet fraud and their past experiences regarding both the Internet and

other situations involving risk. In addition to past experiences, individual differences in the will-

ingness to engage in e-commerce transactions could also be the result of inherit differences in the

inclination of individuals to take risks, such as a tendency to be risk averse or a risk seeker (Tan,

1999; Tan & Thoen, 2001).

The assumption that individuals differ in terms of their trust in e-commerce is supported by stud-

ies demonstrating individual differences with respect to gender (Kolsaker & Payne, 2002),

amount of experience with the Internet (Corbitt, Thanasankit, & Han, 2003; Miyazaki & Fernan-

dez, 2001), and cultural background (Jarvenpaa et al. 1999; Liu et al., 2004). In an attempt to ex-

amine the extent of individual differences, Sheehan (2002) developed a four category typology

based on concerns about submitting personal information to web sites. This study, based on 889

responses to an e-mail survey, indicated that only a small percentage of individuals could be clas-

sified in the extreme groups, unconcerned (16%) and alarmed (3%). The majority of indi-

viduals were classified in the middle two categories, circumspect (38%) and wary (43%).

These results seem to imply that most individuals do not already have strong preconceived no-

tions about the level of risk involved in providing personal information to web sites. Rather the

results suggest that the specific attributes of a given web site or web merchant is likely to influ-

ence the decisions of most potential customers.

Another component that is common to most models on e-commerce trust is trust in the Internet

system (Lee & Turban, 2001; McKnight & Chervany, 2001). It has been proposed that consumer

trust in the Internet system is influenced by the perceived technical competence of the system,

perceived performance level of the system, and the degree to which the consumer understands the

Internet system (Lee & Turban, 2001). These perceptions of the trustworthiness of the Internet

system are likely to be highly influenced by media reports. For instance, one frequently reported

study conducted jointly by the Computer Security Institute and the FBI estimated the cost of sys-

tem penetration by outsiders at over seven billion dollars annually (cited in Tribunella, 2002).

The third and most investigated component of most models on e-commerce trust is trust in the

web merchant. Studies have shown that the size and reputation of a web merchant greatly influ-

ences consumer trust (Jarvenpaa, et al. 1999). It has also been demonstrated that the perceived

ability, integrity, and benevolence of a web merchant influences consumer trust (Lee & Turban,

2001). This finding emphasizes that web merchants must not only have good intentions, but also

the perceived ability to protect personal information. Strength of authentication, nonrepudiation,

confidentiality, privacy protection, and data integrity all have an impact consumer trust in Internet

Banking (Suh & Han, 2003).

126

Meinert, Peterson, Criswell, & Crossland,

Methods for Increasing Consumer Trust

To gain consumer trust, web merchants must convince potential consumers that personal

information obtained through e-commerce transactions will remain secure. To this end, web

merchants have employed a variety of security mechanisms to increase their perceived

trustworthiness. These methods include seals of approval or third party certifications, quality and

normalcy of web site design, ratings or customer testimonials, endorsements by reference groups,

and money-back guarantees (Ba & Pavlou, 2002; Corbitt et al. 2003; Grewal et al. 2003; Lee &

Turban, 2001; Liu et al. 2004; Pennington et al. 2003; Ranganathan & Ganapathy, 2002; Suh &

Han, 2003; Tan, 1999).

Since the effectiveness of these procedures has been reviewed in previous articles, a detailed

review will not be presented in this paper (Liu & Arnett, 2000; Ngai & Wat, 2002). Briefly, the

results of these studies have provided positive support for the inclusion of many security

mechanism, including money back guarantees, warranties, partnerships with established

organizations (Corbitt et al. 2003; Grewal et al. 2003), non-online methods of payment

(Ranganathan & Ganapathy, 2002) privacy protection guarantees, nonrepudiation (Suh & Han,

2003), approval from reference groups and warranties (Tan, 1999). However, seals, ratings

(Pennington et al. 2003) and third party endorsements (Lee & Turban, 2001) have not been found

to significantly increase consumer trust.

One of the most widely used security mechanisms by web merchants is a self-reported guarantee

or a privacy policy statement. A privacy policy statement is a contractual commitment to con-

sumers outlining how their personal information will be treated. Privacy policy statements repre-

sent one of the simpler and less expensive methods of increasing consumer confidence, which

may account for their widespread use. The evidence suggests that posting a self-reported guaran-

tee of compliance with e-commerce standards is an effective means of increasing consumer trust

(Pennington et al., 2003; Ranganathan & Ganapathy, 2002). Privacy policy statements appear to

be most beneficial to the web merchants that have the greatest need to increase consumer trust

(Grewal et al., 2003). That is, privacy policy statements were found to be much more useful for

web merchants that lacked name recognition than those with an established reputation.

Privacy Policy Statements

Previous research has examined various aspects of privacy policy statements including: levels of

protection, enforcement, and interaction with information types.

Levels of protection

Studies examining the content of web sites have found a remarkable amount of variability in the

nature and types of privacy policy statements (Liu & Arnett, 2002; Luo & Najdawi, 2004; Miya-

zaki & Fernandez, 2000). These studies have reported that privacy policy statements vary in

terms of their placement, length, and ease of reading. Most importantly, the statements vary in

terms of the level of protection guaranteed (Liu & Arnett, 2002). Some privacy policy statements

are highly restrictive while others offer no real assurance of privacy. An example of a highly re-

strictive privacy policy statement might include a statement such as: Under no circumstances

will any information you provide to us over the Internet be released to any third party for any rea-

son whatsoever (4321net, 2002).

A less restrictive privacy policy statement might include language similar to the following ex-

cerpt from the Sun Microsystems privacy policy statement, If you choose to provide us with

your Personal Information on the web, we may transfer that information, within Sun or to Sun s

third party service providers, across borders and from your country or jurisdiction to other coun-

tries or jurisdictions around the world (Sun Microsystems, 2001).

127

Regulation of Web Site Privacy Policy

A third and least restrictive level of privacy statement does not provide any protection of personal

information. In this scenario, the term privacy policy statement is a misnomer as the statement

simply indicates that it is the intention of the web merchant to share information collected on in-

dividuals with other organizations. Thus, these types of statements serve primarily as a means of

protecting the web site with respect to liability issues, as it is the intent of the web site to share

information on customers with other sources.

Enforcement. Differences in web site privacy policy statements are not limited to the level

of protection afforded as enforcement also varies. Enforcement generally falls into three catego-

ries: self-regulation, third-party validation/audits and regulatory oversight. Although the Federal

Trade Commission has been concerned about on-line privacy for some time they have actively

supported self-regulation (Federal Trade Commission, 2000, p. 20). Hence, the absence of any

reference to third party or regulatory oversight in a privacy policy implies self-enforcement. To

address consumer concerns related to self-regulation, third-party seal programs have been devel-

oped (Liu and Arnett, 2002). Seal programs such as TRUSTe, BBBOnLine (Better Business Bu-

reaus Online Seal), MutiCheck and WebTrust (offered by American Institute of CPAs) allow li-

censees who abide by posted privacy policies and/or allow compliance monitoring to display the

granting organizations seal of approval on their web site. Privacy seals are intended to provide a

simple means for addressing consumer privacy concerns. The standards for achieving certifica-

tion vary and at present there are no fewer than nine services offering seal programs (Higgens,

1998). The least common form of enforcement is regulatory, which reflects in large part the fed-

eral government s attempts to rely on self-regulation rather than legal standards. Laws and regula-

tions at both the state and federal level in the United States have been enacted to establish privacy

standards for web sites operated by the government. For example, policy set forth by the White

House Office of Management and Budget requires federal government web sites to post privacy

statements and eliminate the use of covert methods of collecting information, such as cookies

(Swire et al., 1999). On a broader scale, laws have been enacted that apply to all web sites, pri-

vate or public such as the Children s Online Privacy Protection Act (COPPA) of 1998 (SEC.

1301-1308). COPPA requires commercial web sites to obtain parental consent before collecting,

using, or disclosing personal information of children under the age of 13.

Types of Information Requested

Much of the research on e-commerce trust has focused on measures of consumers beliefs, atti-

tudes, and purchase intentions, without consideration for the types of information requested by

the web sites. As noted earlier, the inherent risk is associated with the type of information re-

quired. Thus, it seems likely that the type of information requested could affect beliefs concerning

risk and thus the willingness or intentions of consumers to engage in e-commerce transactions.

That is, consumers are apt to engage in e-commerce transactions when a certain threshold of trust

is achieved or the level of perceived risk is acceptable. Most theories on risk take into account not

only the perceived level of risk involved in a transaction or gamble, but also the stakes involved

in the gamble (Tversky, 1995). Thus, it might be reasonable to assume that the trust threshold for

engaging in e-commerce transactions varies depending on the potential loss or harm that could

result from engaging in a specific transaction. Individuals may be likely to engage in e-commerce

transactions when there is little to lose even if the level of trust is low. Conversely, if (1) the per-

ceived level of risk is high or (2) the potential loss or harm is substantial, there may be a reluc-

tance to engage in e-commerce. It is likely that the perceived potential for loss or harm in e-

commerce is dependent upon the type of personal information requested. Thus, whether a con-

sumer engages in an e-commerce transaction is apt to depend not only on the level of trust, but

also the potential loss associated with the type of personal information required.

128

Meinert, Peterson, Criswell, & Crossland,

There is enormous variability in the types of information requested by web sites. Some web sites

require contact information before consumers are even allowed to access a web site and extensive

personal information must be provided in order to complete a transaction (Sipior et al. 2004). At

the other extreme, some web sites make it possible for consumers to conduct transactions based

on a limited amount of personal information submitted to the web site using such techniques as

buyer s authentication, confirmation and payment assurance, or non-repudiation (Hoffman, No-

vak, & Peralta, 1999). Other web sites may permit consumers to browse potential products and

services and then printout order forms that can be submitted using other modes of communication

(e.g., telephone, conventional mail, or fax) (Miyazaki & Fernandez, 2000).

A preliminary review of web sites suggests that most of the information requested by web mer-

chants can be broadly classified as contact, biographical, or financial. Contact information in-

cludes such items as e-mail address, name, mailing address, and telephone numbers. Contact in-

formation is of value to web merchants for several reasons including creating mailing lists to pub-

licize special promotions, products, or services offered by the web merchant. However, contact

information may also be sold by web merchants to third parties. Consequently, many individuals

are often reluctant to provide contact information to web sites (Greiner, 2003).

Biographical information includes demographic data such as income, personal preferences, inter-

ests, and hobbies. Web merchants may use biographical information to profile customers, target

future communications for marketing purposes, and customize web pages for individual custom-

ers. Web sites may also use biographical information to market their site to advertisers by provid-

ing detailed information on visitors to their web site (Liu et al., 2004). Because consumers are

concerned that personal information may be sold to third parties, most individuals (over 90 %)

have refused to provide biographical information to a web site on at least one occasion and many

(approximately 40%) admitted in some instances to providing false information (Hoffman et al.

1999). A recent review of the literature suggests that privacy concerns regarding how web sites

use biographical information remains a most formidable barrier to people engaging in e-

commerce (Wang & Emurian, 2005).

Financial information includes such items as credit card numbers and bank account numbers. Al-

though consumers are obviously reluctant to provide financial information, this information is

often viewed as necessary to complete an e-commerce transaction. However, numerous tech-

niques such as buyer s authentication, confirmation and payment assurance, cryptography, digital

signatures, non-repudiation, and alternative payment methods can reduce the perceived risks as-

sociated with financial transactions (Hoffman, et al. 1999; Kolsker & Payne, 2002; Miyzazki &

Fernandez, 2000). While such techniques may complicate the processing of orders for web mer-

chants, these procedures may reduce the perceived risk and increase consumer willingness to en-

gage in e-commerce transactions.

Existing Federal Privacy Standards

Government involvement in the regulation of information privacy on the Internet varies greatly

among nations with the degree of government involvement highly associated with the level of

privacy concerns among citizens of a particular country (Smith, 1994). Many countries like the

U.S., and until recently, Canada and Australia, have not been highly involved in the regulation of

privacy standards, leaving it to the internet industry to regulate itself (Bellman, Johnson, Korbin,

& Loshe, 2004). These countries have primarily targeted government regulation in certain areas,

such as the public sector. This voluntary or sectoral approach contrasts with the omnibus ap-

proach, to both public and private sectors, used by the European Union (Bellman et al. 2004).

Since the present study was conducted within the U.S. and for the most part examined the views

of U.S. citizens, the focus of the present study is on the federal privacy standards existing in the

U.S.

129

Regulation of Web Site Privacy Policy

In recent years within the U.S., consumers have been inundated with notifications of federal pri-

vacy requirements when dealing with health care and financial institutions (e.g., loans, finan-

cial/investment advice, or insurance). In health care settings, patient privacy protection is man-

dated by the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), while

privacy of consumer information held by financial institutions is governed by the Gramm-Leach-

Bliley Financial Modernization Act of 1999. Periodic (annual) and episodic notification of these

acts and the respective institution s privacy policies have certainly contributed to an increased

consumer awareness regarding not only privacy issues, but the existence of federal standards and

enforcement in select industries. In these settings consumers have grown accustom to uniformity

in both format and content of privacy policies. This is in severe contrast to the Internet where

consumers are confronted by a myriad of differences including placement, length, level of protec-

tion, and enforcement. Internet users must determine to what extent, if any, personal data will be

utilized internally and/or shared for external or secondary purposes. Further, consumers must for

the most part rely on self-policing and/or 3rd parties (seal programs) to insure compliance with

stated policies.

Purpose of the Study

The fundamental purpose of this study is to determine whether the imposition of legally mandated

privacy policy statements would significantly increase consumer trust and thus willingness to en-

gage in e-commerce. Attempts to estimate the efficacy of regulation would seem prudent given

calls for such regulation and the limited impact of voluntary privacy policy statements and self-

regulation. Therefore, this study examined the effects of legally mandated versus voluntary pri-

vacy policy statements on consumer willingness to provide personal information.

Recognizing that consumer privacy concerns are determined to some extent by what information

is requested (Cespedes & Smith, 1993) and level of protection promised (Meinert et. al, 2006), it

is necessary to examine the efficacy of privacy policy statements in the context of both the infor-

mation at risk and strength of protection afforded by the privacy policy. While information sensi-

tivity varies from individual to individual, some information items or categories generate more

privacy concerns than others. Therefore, a second objective of this study was to examine the main

and interaction effects of types of information requested. To address this objective, when present-

ing the alternative privacy policy scenarios the effects of three information categories, contact,

biographical, and financial, were examined.

Although privacy policy statements have become common, there is evidence suggesting that con-

sumers may not be familiar with these statements (Westin & Maurici, 1998). It might be expected

that with the increased popularity of e-commerce and the growing prevalence of privacy policy

statements that more consumers at the present time would be aware of such statements. However,

even though consumers may be aware of privacy policy statements, there is no guarantee that

they read such statements. Research in the area of consumer behavior has demonstrated that cus-

tomers frequently fail to read important and relevant information regarding transactions such as

product warranties (Adler, 1994) or guarantees (Gore, 1995). Thus, although privacy policy

statements are intended to increase consumer trust, if consumers are unaware or do not read the

privacy policy statements, then the statements provide dubious benefits. Therefore, this study also

examined whether consumers were generally aware of privacy policy statements and whether

they had read a privacy policy statement prior to participation in this study.

130

Meinert, Peterson, Criswell, & Crossland,

Method

Data Collection

Given the exploratory nature of this research and the need to present respondents with multiple

scenarios (5 scenarios of privacy policy statements x 3 types of information) a survey was se-

lected over interviews, mall intercepts, quasi-experimental or experimental design. A survey ap-

proach also allows for detailed and consistent presentation of the descriptions for both privacy

policy statements and information types. With this research procedure, respondents could com-

pare and contrast descriptions, if necessary, to differentiate between the scenarios presented. Sub-

jects were asked on the survey to indicate a willingness to provide various types of information to

hypothetical web sites possessing dissimilar privacy policy statements. Concise descriptions of

the alternative privacy policies were used to clearly differentiate between the types. Concise de-

scriptions were selected over actual privacy policy statements, as the later are often very lengthy,

difficult to read and contain information regarding other aspects of privacy and security. The

questions from the survey relevant to the present study are presented in A. As can be seen in the

appendix, subjects were not provided with any specific information concerning the nature of the

hypothetical web site.

The survey provided the following definition of privacy policy statements. A privacy policy

statement explains a web site s policy regarding the information that is provided online by users.

Following the definition of a privacy policy statement, respondents were given examples of three

levels of privacy (strong, moderate, and weak) that seem to typify many of the statements

presented on web sites. These examples were based on an examination of policy statements on

over 75 web sites. Table 1 contains the descriptions presented to respondents to differentiate

between strong, moderate, and weak privacy policy statements. Abbreviated descriptions for the

three types of privacy policy statements were utilized to minimize the risk of respondents

misinterpreting lengthy or technically written statements. Although the hypothetical privacy

statements used in this study were considerably more concise than those usually found on the

Internet, they captured the essence (i.e., level of protection) of what was found in the review of 75

such privacy statements.

Table 1:Descriptions of Privacy Policy Statements Examined

Type of

Description Presented to Respondents

Statement

A strong privacy policy statement explains a web vendor s policy concerning infor-

STRONG

mation that is provided by web users and makes an explicit guarantee that they will

not under any circumstances share the user s information with any other organiza-

tion, company, or individual

A moderate privacy policy statement explains a web vendor s policy concerning

MODERATE

information that is provided by the web users and also ensures that the information

that is provided will remain confidential. It also provides limited sharing of informa-

tion when the web vendor believes that it is in the best interest of the customer, the

web vendor, or both.

A weak privacy policy statement explains a web vendor s policy concerning infor-

WEAK

mation that is provided by the web users, but does not offer any guarantee with re-

spect to protecting personal information.

A legal privacy policy statement indicates that federal, state or local laws mandate

LEGALLY

the presentation and content of the privacy policy statement and use of information

MANDATED

collected online.

131

Regulation of Web Site Privacy Policy

The survey then provided respondents with a description of legally mandated privacy policy

statements noting that Some web sites indicate that federal, state or local laws legally mandate

their privacy policy statement and use of information collected online. Thus, respondents were

also asked their willingness to provide personal information IF a web site displayed a legally

mandated privacy policy statement.

Following the definition of each example of a privacy policy statement, respondents were asked

to indicate their willingness to provide various types of information on a six point Likert scale,

ranging from (1) "extremely unlikely" to (6) "extremely likely". The types of information re-

quested were defined in the following manner for the respondents on the survey.

Contact Information: Request for e-mail address, name, mailing address and telephone

number

Biographical Information: Request for demographic data, such as annual income, per-

sonal preferences, hobbies, and interests.

Financial Information: Request for credit card numbers, expiration date, bank account

numbers, etc.

The decision to utilize broad information types reflected the breadth of information that can, and

often is collected via the Internet and the desire to avoid a lengthy survey instrument that could

easily compromise the quality of responses and/or response rate.

Sample

The sample consisted of 374 students enrolled in graduate courses or non-credit professional

courses offered through the Colleges of Business at one of two Midwestern state universities. To

achieve a high response rate, the survey was administered during regularly scheduled class peri-

ods. Although participation was voluntary, nearly 100% of the enrolled students participated.

While the validity of using students in behavioral research has been questioned (Alpert, 1967;

Gordon, Slade & Schmitt, 1986; Levitt, 1965), there are instances where they (students) are either

good substitutes or surrogates for another population (Khera & Benson, 1970; LaTour, Cham-

pagne & Behling, 1990; Remus, 1986) or by virtue of demographic profile are representative of

the target population under investigation. The latter instance was the primary justification for the

use of graduate business students, specifically working professionals, in the present study. From

its inception the Internet and to a large extent e-commerce has attracted substantially larger num-

bers of well-educated and affluent consumers (Guglielmo, 1999). Consumers with more educa-

tion and above average incomes continue to be more likely to use the web and shop online (Enos,

2000; Kolettis, 2001). More recent research, has suggested that e-commerce has attracted a more

diverse consumer group, however, the younger, more affluent and highly educated individuals

still represent the vast majority of internet users (Savage & Waldman, 2005).

The present study relied on graduate students associated with business programs that have his-

torically attracted working professionals. The profile of these students was consistent with the

profile described above as on average they are more educated and earn more than the general

population. The average age of the graduate students was also very close to the median age (36

years old) of Internet users (Kolettis, 2001). While this convenience sample is not representative

of all Internet users it does represent a large segment of Internet users, one that is generally per-

ceived to be more inclined to participate in e-commerce.

Findings

Table 2 summarizes the characteristics of the respondents. As illustrated in Table 2 most respon-

dents connected to the Internet on a daily basis (86.4%). This compares favorably to national

132

Meinert, Peterson, Criswell, & Crossland,

norms for Internet users as Kolettis (2001) reported that 72 percent of women use the Internet

every day, while 87 percent of men are daily users. Almost the same percent had provided an e-

mail address to a web site (88.2%). Overall, the sample were somewhat younger and more edu-

cated than the general population, uses the Internet frequently and most have previously provided

personal information to a web site. Consequently, the results must be generalized with caution.

However, the sample would seem appropriate for a study aimed at determining the impact of pri-

vacy policy statements on the willingness of consumers to provide personal information to web

merchants.

As shown in Table 2, 79.4 percent of the 374 respondents had reported seeing a privacy policy

statement. However, only 170 or 45.5 percent indicated that they were familiar, or more specifi-

cally, had read a web site s privacy policy statement prior to the study.

Table 2: Respondent profile: Demographics (n = 374)

Demographic Characteristic

Age (years)

Mean 32.9

S 14.3

Gender

Male 216 (57.6%)

Female 157 (41.9%)

No Response 1

Connect to Internet

Daily 324 (86.4%)

Twice a Week 19 (5.1%)

Weekly 9 (2.4%)

Monthly 2 (0.5%)

Never 15 (4.0%)

No Response 4 (1.4%)

Provided An Email Address

Yes 330 (88.2%)

No 27 (7.2%)

No Response 17 (4.6%)

Awareness

(Seen a Privacy Policy Statement)

Yes 297 (79.4%)

No 73 (19.5%)

Familiarity

(Read a Privacy Policy Statement)

Yes 170 (45.5%)

No 154 (41.2%)

The mean willingness to provide the various types of information for each type of privacy

statement is presented in Table 3 along with grand means. A 3 (Types of Information) X 5 (Type

of Privacy Policy Statement) within subject ANOVA was conducted on the data. The last row of

133

Regulation of Web Site Privacy Policy

Table 3 illustrates the differences in willingness to provide each of the three types of information

requested. The overall mean willingness to provide personal information ranged from 3.74 for

contact information to 2.70 for financial information. It is noteworthy that only the grand mean

for contact (3.74) exceeded the scale midpoint, thus reflecting a likeliness to provide data. The

ANOVA results indicated the difference between types of information was significant (F=188.67,

p = 0.000). The results further revealed that all three possible pairwise comparisons were

significant (p

on-line or established and new vendors have

in print, is copyrighted by the Informing Science Institute.



Contact this candidate