Informing Science Journal Volume *, ****
Would Regulation of Web Site Privacy Policy
Statements Increase Consumer Trust?
David B. Meinert and Dane K. Peterson
Missouri State University, Springfield, Missouri USA
abqd14@r.postjobfree.com abqd14@r.postjobfree.com
John R. Criswell II Martin D. Crossland
Shelter Insurance. Columbia, Oklahoma State University,
Missouri USA Tulsa, Oklahoma USA
abqd14@r.postjobfree.com abqd14@r.postjobfree.com
Abstract
Proponents of e-commerce have known for some time that limited participation by consumers
partially reflects their concern over the privacy of personal information. To address consumer
concerns, web site operators have employed security mechanisms, including privacy policy
statements to increase their perceived trustworthiness. While empirical evidence is limited, there
is some question regarding the ability of privacy policy statements to engender significantly
greater levels of trust. The limited effectiveness of such statements may reflect their voluntary
implementation, self-enforcement, and\or significant variance (protection and enforcement) from
one web site to another. One possible remedy would be the imposition of legally mandated state-
ments. This study examined the efficacy of legally mandated privacy policies vis- -vis both vol-
untary statements of varying degrees of protection and the absence of any such statement. The
results were mixed, as legally mandated privacy policy statements were found to be comparable
to strong voluntary statements, but superior to none, weak or moderate policies. Perhaps more
important, the nature of the privacy policy statement interacted with type of information re-
quested.
Keywords: e-commerce privacy: electronic commerce trust; Internet privacy; Internet trust;
online privacy; privacy policy statements
Introduction
The past decade has witnessed rapid growth in e-commerce, particularly with respect to business-
to-consumer (B2C) transactions. Both
Material published as part of this publication, either on-line or established and new vendors have
in print, is copyrighted by the Informing Science Institute.
sought to leverage the diffusion of the
Permission to make digital or paper copy of part or all of these
Internet to expand their markets. The
works for personal or classroom use is granted without fee
Internet has allowed established firms to
provided that the copies are not made or distributed for profit
or commercial advantage AND that copies 1) bear this notice expand their marketplace, but at the
in full and 2) give the full citation on the first page. It is per-
same time it has eliminated many of the
missible to abstract these works so long as credit is given. To
traditional barriers of entry for new en-
copy in all other cases or to republish or to post on a server or
trants to compete for these same con-
to redistribute to lists requires specific permission and payment
sumers. Consumers once accustomed to
of a fee. Contact abqd14@r.postjobfree.com to request
redistribution permission. limited and known vendors are now af-
Editor: Eli Cohen
Regulation of Web Site Privacy Policy
forded more choices, but are often concerned about privacy and trust as many of the vendors are
unknowns (Pennington, Wilcox & Grover, 2003). Given that consumers are now presented
with vendors with whom they have little or no familiarity it comes as no surprise that recent re-
search on e-commerce has found that privacy and trust issues are a key determinant in whether
consumers engage in on-line transactions (Hoffman, Novak, & Peralta 1999).
Recognizing that privacy and trust of the vendor is a critical antecedent to increased participation
in B2C e-commerce, researchers have examined several trust mechanisms employed by ven-
dors to enhance consumer trust and concomitantly their predisposition to purchase on-line. One
mechanism that has garnered considerable interest are privacy policy statements, voluntary, self-
reported statements displayed on web sites that convey established policies for the use and distri-
bution of personal information.
Use of privacy policy statements to increase perceived trustworthiness is a relatively new phe-
nomenon, and examination of their use and implications is just beginning to be explored
(Criswell & Meinert, 2003; Culnan, 1999; Grewal, Munger, Iyer, & Levy, 2003; Liu & Arnett,
2002; Luo & Najdawi, 2004; Meinert, Peterson, Criswell & Crossland, 2006; Miyazaki & Fer-
nandez, 2000; Pennington et al., 2003; Ranganathan & Ganapathy, 2002). While much of the re-
search to date on this topic has focused on chronicling rates of utilization and variability in con-
tent, a few studies have examined the efficacy of privacy statements. Pennington, Wilcox and
Grover (2003) found evidence via an experimental design that self-reported guarantees can influ-
ence system trust and indirectly influence consumer purchase intentions. In an exploratory study,
Criswell and Meinert (2003) found that self-reported privacy policy statements increased con-
sumer willingness to provide personal information on-line. That study and a more comprehensive
study by Meinert, Peterson, Criswell and Crossland (2006) also affirmed that not only the pres-
ence, but the strength, or level of protection guaranteed by the privacy policy statement influences
consumer trust as measured by willingness to provide personal information on-line. These results,
while preliminary, seem to suggest that voluntary privacy policy statements have a positive, but
relatively limited impact on consumer trust. Only a strong privacy policy statement was found to
induce a willingness to provide contact, biographical and financial information and in each case
respondents were only slightly likely . It should be further noted that respondents in these stud-
ies were required to read the description of the privacy policy statements. In many instances, po-
tential customers may not read any policies regarding the web site s stated privacy standards.
Given the widespread use of privacy policy statements it s somewhat surprising to find that they
have minimal impact on consumer trust. Determining whether the effectiveness of privacy policy
statements can be improved would contribute to the knowledge and understanding of what, if any,
role they can play in influencing consumer trust of on-line vendors. While the literature offers no
insight into why such statements are ineffective, one plausible explanation is that consumers
place little faith in privacy policies that lack regulatory oversight. The aim of this exploratory
study was to examine whether legally mandated web site privacy policies would be more effec-
tive than either no policy or voluntary policies affording varying degrees of protection. This study
was intended to provide a preliminary understanding of the extent to which regulation of privacy
standards might increase the efficacy of web site privacy policy statements in order to increase
consumer trust. As an exploratory study, four specific research questions were examined:
How willing are consumers to provide various types of information via the
Internet when a legally mandated privacy policy is in place?
Are legally mandated privacy policy statements more effective in engendering trust than
either no policy or voluntary policies affording varying degrees of protection?
Are consumers generally aware of privacy policy statements?
124
Meinert, Peterson, Criswell, & Crossland,
Are consumers reading privacy policy statements?
By addressing these questions, this study aims to contribute to the body of knowledge related to
web site privacy policy statements. The findings should be of interest to practitioners, public pol-
icy makers and academicians. The findings provide additional insight into the influence of alter-
native forms of privacy policy statements and the extent to which regulatory oversight might in-
fluence consumer behavior.
To address these research questions, this article reports the results of a survey designed to meas-
ure the impact of both voluntary\self-regulated and legally mandated privacy policy statements.
First, the article examines related research to develop a basis for this investigation. This literature
review necessarily examines findings related to consumer trust and its role in e-commerce and
methods employed to increase consumer trust. Likewise the review explores both the protection
provided by privacy policy statements and the types of information typically requested by web
sites. The literature review concludes with a brief description of existing federal privacy standards
that may influence consumer perceptions and/or expectations regarding the government s role in
privacy protection. Next, the purpose of the study is outlined in the context of the literature re-
view. This is followed by a methods section that describes the data collection, sample, and re-
sults. Following a discussion of the results, limitations of the study and opportunities for future
research are addressed. The article concludes with a brief summary of the implications of the
study.
Literature Review
An antecedent to virtually all business transactions is consumer trust. When consumers feel vul-
nerable or at risk they are generally hesitant or unwilling to place orders or provide personal in-
formation. Recognizing the importance of consumer trust, individual organizations, industries and
public policy makers have sought to identify and implement mechanisms to reduce perceived
risks. While concern about consumer trust in e-commerce is a relatively new phenomenon, there
are four categories of literature that provide a foundation for this study. The first explores the
general basis for trust and its role in e-commerce models. The second chronicles methods for in-
creasing consumer trust. The third examines the strength of privacy policy statements (i.e., level
of protection afforded) and the nature of information collected via the web site. The fourth and
final category pertains to existing federal privacy standards that demonstrate the viability of le-
gally mandated privacy policies for web sites.
Consumer Trust and its Role in E-Commerce
Numerous studies have demonstrated that many potential customers are reluctant to engage in e-
commerce transactions because of concerns about providing personal information through the
Internet (Kolsaker & Payne, 2002; Miyazaki & Fernandez, 2001; Suh & Han, 2003). It has been
estimated that $15 billion in e-commerce revenues for 2001 were unrealized due to a lack of con-
sumer trust in either the ability or the intent of web merchants to ensure that personal information
would only be used in an acceptable manner (Sipior, Ward, & Rongione, 2004).
Definition of trust
A number of definitions of trust have been suggested specifically with regards to e-commerce
(e.g., Gefen, 2002; Lee & Turban, 2001; McKnight & Chervany, 2001). Most of the definitions of
trust proposed within the realm of e-commerce share a number of common elements. For exam-
ple, trust has been defined as a consumer s willingness to rely on the seller and take action in cir-
cumstances where such action makes the consumer vulnerable to the seller (Jarvenpaa, Tractin-
sky, Saarinen & Vitale, 1999). As in most definitions of trust there is an element of risk associ-
125
Regulation of Web Site Privacy Policy
ated with the information submitted through the Internet. Consumers are vulnerable because they
are dependent on web merchants to use information in an acceptable manner. The definition also
implies that consumers make their own subjective assessment of the risks involved in a particular
e-commerce transaction. Finally, a consumer s actions are assumed to be the result of a rational
decision making process.
Models of consumer trust in e-commerce
A variety of models on consumer trust in e-commerce have recently been proposed (Jarvenpaa, et
al., 1999; Lee & Turban, 2001; Limayem, Khalifa, & Frini, 2000; Liu, Marchewka, & Ku, 2004;
McKnight & Chervany, 2001; Suh & Han, 2003; Tan & Thoen, 2001). For the most part, these
models share a number of common elements. For example, most models recognize that individual
differences among consumers play a vital role in e-commerce trust. In general, consumers are
assumed to differ in terms of their propensity to trust or their disposition to trust (Lee & Turban,
2001; McKnight & Chervany, 2001). The disposition or propensity to trust is likely influenced by
consumers awareness of Internet fraud and their past experiences regarding both the Internet and
other situations involving risk. In addition to past experiences, individual differences in the will-
ingness to engage in e-commerce transactions could also be the result of inherit differences in the
inclination of individuals to take risks, such as a tendency to be risk averse or a risk seeker (Tan,
1999; Tan & Thoen, 2001).
The assumption that individuals differ in terms of their trust in e-commerce is supported by stud-
ies demonstrating individual differences with respect to gender (Kolsaker & Payne, 2002),
amount of experience with the Internet (Corbitt, Thanasankit, & Han, 2003; Miyazaki & Fernan-
dez, 2001), and cultural background (Jarvenpaa et al. 1999; Liu et al., 2004). In an attempt to ex-
amine the extent of individual differences, Sheehan (2002) developed a four category typology
based on concerns about submitting personal information to web sites. This study, based on 889
responses to an e-mail survey, indicated that only a small percentage of individuals could be clas-
sified in the extreme groups, unconcerned (16%) and alarmed (3%). The majority of indi-
viduals were classified in the middle two categories, circumspect (38%) and wary (43%).
These results seem to imply that most individuals do not already have strong preconceived no-
tions about the level of risk involved in providing personal information to web sites. Rather the
results suggest that the specific attributes of a given web site or web merchant is likely to influ-
ence the decisions of most potential customers.
Another component that is common to most models on e-commerce trust is trust in the Internet
system (Lee & Turban, 2001; McKnight & Chervany, 2001). It has been proposed that consumer
trust in the Internet system is influenced by the perceived technical competence of the system,
perceived performance level of the system, and the degree to which the consumer understands the
Internet system (Lee & Turban, 2001). These perceptions of the trustworthiness of the Internet
system are likely to be highly influenced by media reports. For instance, one frequently reported
study conducted jointly by the Computer Security Institute and the FBI estimated the cost of sys-
tem penetration by outsiders at over seven billion dollars annually (cited in Tribunella, 2002).
The third and most investigated component of most models on e-commerce trust is trust in the
web merchant. Studies have shown that the size and reputation of a web merchant greatly influ-
ences consumer trust (Jarvenpaa, et al. 1999). It has also been demonstrated that the perceived
ability, integrity, and benevolence of a web merchant influences consumer trust (Lee & Turban,
2001). This finding emphasizes that web merchants must not only have good intentions, but also
the perceived ability to protect personal information. Strength of authentication, nonrepudiation,
confidentiality, privacy protection, and data integrity all have an impact consumer trust in Internet
Banking (Suh & Han, 2003).
126
Meinert, Peterson, Criswell, & Crossland,
Methods for Increasing Consumer Trust
To gain consumer trust, web merchants must convince potential consumers that personal
information obtained through e-commerce transactions will remain secure. To this end, web
merchants have employed a variety of security mechanisms to increase their perceived
trustworthiness. These methods include seals of approval or third party certifications, quality and
normalcy of web site design, ratings or customer testimonials, endorsements by reference groups,
and money-back guarantees (Ba & Pavlou, 2002; Corbitt et al. 2003; Grewal et al. 2003; Lee &
Turban, 2001; Liu et al. 2004; Pennington et al. 2003; Ranganathan & Ganapathy, 2002; Suh &
Han, 2003; Tan, 1999).
Since the effectiveness of these procedures has been reviewed in previous articles, a detailed
review will not be presented in this paper (Liu & Arnett, 2000; Ngai & Wat, 2002). Briefly, the
results of these studies have provided positive support for the inclusion of many security
mechanism, including money back guarantees, warranties, partnerships with established
organizations (Corbitt et al. 2003; Grewal et al. 2003), non-online methods of payment
(Ranganathan & Ganapathy, 2002) privacy protection guarantees, nonrepudiation (Suh & Han,
2003), approval from reference groups and warranties (Tan, 1999). However, seals, ratings
(Pennington et al. 2003) and third party endorsements (Lee & Turban, 2001) have not been found
to significantly increase consumer trust.
One of the most widely used security mechanisms by web merchants is a self-reported guarantee
or a privacy policy statement. A privacy policy statement is a contractual commitment to con-
sumers outlining how their personal information will be treated. Privacy policy statements repre-
sent one of the simpler and less expensive methods of increasing consumer confidence, which
may account for their widespread use. The evidence suggests that posting a self-reported guaran-
tee of compliance with e-commerce standards is an effective means of increasing consumer trust
(Pennington et al., 2003; Ranganathan & Ganapathy, 2002). Privacy policy statements appear to
be most beneficial to the web merchants that have the greatest need to increase consumer trust
(Grewal et al., 2003). That is, privacy policy statements were found to be much more useful for
web merchants that lacked name recognition than those with an established reputation.
Privacy Policy Statements
Previous research has examined various aspects of privacy policy statements including: levels of
protection, enforcement, and interaction with information types.
Levels of protection
Studies examining the content of web sites have found a remarkable amount of variability in the
nature and types of privacy policy statements (Liu & Arnett, 2002; Luo & Najdawi, 2004; Miya-
zaki & Fernandez, 2000). These studies have reported that privacy policy statements vary in
terms of their placement, length, and ease of reading. Most importantly, the statements vary in
terms of the level of protection guaranteed (Liu & Arnett, 2002). Some privacy policy statements
are highly restrictive while others offer no real assurance of privacy. An example of a highly re-
strictive privacy policy statement might include a statement such as: Under no circumstances
will any information you provide to us over the Internet be released to any third party for any rea-
son whatsoever (4321net, 2002).
A less restrictive privacy policy statement might include language similar to the following ex-
cerpt from the Sun Microsystems privacy policy statement, If you choose to provide us with
your Personal Information on the web, we may transfer that information, within Sun or to Sun s
third party service providers, across borders and from your country or jurisdiction to other coun-
tries or jurisdictions around the world (Sun Microsystems, 2001).
127
Regulation of Web Site Privacy Policy
A third and least restrictive level of privacy statement does not provide any protection of personal
information. In this scenario, the term privacy policy statement is a misnomer as the statement
simply indicates that it is the intention of the web merchant to share information collected on in-
dividuals with other organizations. Thus, these types of statements serve primarily as a means of
protecting the web site with respect to liability issues, as it is the intent of the web site to share
information on customers with other sources.
Enforcement. Differences in web site privacy policy statements are not limited to the level
of protection afforded as enforcement also varies. Enforcement generally falls into three catego-
ries: self-regulation, third-party validation/audits and regulatory oversight. Although the Federal
Trade Commission has been concerned about on-line privacy for some time they have actively
supported self-regulation (Federal Trade Commission, 2000, p. 20). Hence, the absence of any
reference to third party or regulatory oversight in a privacy policy implies self-enforcement. To
address consumer concerns related to self-regulation, third-party seal programs have been devel-
oped (Liu and Arnett, 2002). Seal programs such as TRUSTe, BBBOnLine (Better Business Bu-
reaus Online Seal), MutiCheck and WebTrust (offered by American Institute of CPAs) allow li-
censees who abide by posted privacy policies and/or allow compliance monitoring to display the
granting organizations seal of approval on their web site. Privacy seals are intended to provide a
simple means for addressing consumer privacy concerns. The standards for achieving certifica-
tion vary and at present there are no fewer than nine services offering seal programs (Higgens,
1998). The least common form of enforcement is regulatory, which reflects in large part the fed-
eral government s attempts to rely on self-regulation rather than legal standards. Laws and regula-
tions at both the state and federal level in the United States have been enacted to establish privacy
standards for web sites operated by the government. For example, policy set forth by the White
House Office of Management and Budget requires federal government web sites to post privacy
statements and eliminate the use of covert methods of collecting information, such as cookies
(Swire et al., 1999). On a broader scale, laws have been enacted that apply to all web sites, pri-
vate or public such as the Children s Online Privacy Protection Act (COPPA) of 1998 (SEC.
1301-1308). COPPA requires commercial web sites to obtain parental consent before collecting,
using, or disclosing personal information of children under the age of 13.
Types of Information Requested
Much of the research on e-commerce trust has focused on measures of consumers beliefs, atti-
tudes, and purchase intentions, without consideration for the types of information requested by
the web sites. As noted earlier, the inherent risk is associated with the type of information re-
quired. Thus, it seems likely that the type of information requested could affect beliefs concerning
risk and thus the willingness or intentions of consumers to engage in e-commerce transactions.
That is, consumers are apt to engage in e-commerce transactions when a certain threshold of trust
is achieved or the level of perceived risk is acceptable. Most theories on risk take into account not
only the perceived level of risk involved in a transaction or gamble, but also the stakes involved
in the gamble (Tversky, 1995). Thus, it might be reasonable to assume that the trust threshold for
engaging in e-commerce transactions varies depending on the potential loss or harm that could
result from engaging in a specific transaction. Individuals may be likely to engage in e-commerce
transactions when there is little to lose even if the level of trust is low. Conversely, if (1) the per-
ceived level of risk is high or (2) the potential loss or harm is substantial, there may be a reluc-
tance to engage in e-commerce. It is likely that the perceived potential for loss or harm in e-
commerce is dependent upon the type of personal information requested. Thus, whether a con-
sumer engages in an e-commerce transaction is apt to depend not only on the level of trust, but
also the potential loss associated with the type of personal information required.
128
Meinert, Peterson, Criswell, & Crossland,
There is enormous variability in the types of information requested by web sites. Some web sites
require contact information before consumers are even allowed to access a web site and extensive
personal information must be provided in order to complete a transaction (Sipior et al. 2004). At
the other extreme, some web sites make it possible for consumers to conduct transactions based
on a limited amount of personal information submitted to the web site using such techniques as
buyer s authentication, confirmation and payment assurance, or non-repudiation (Hoffman, No-
vak, & Peralta, 1999). Other web sites may permit consumers to browse potential products and
services and then printout order forms that can be submitted using other modes of communication
(e.g., telephone, conventional mail, or fax) (Miyazaki & Fernandez, 2000).
A preliminary review of web sites suggests that most of the information requested by web mer-
chants can be broadly classified as contact, biographical, or financial. Contact information in-
cludes such items as e-mail address, name, mailing address, and telephone numbers. Contact in-
formation is of value to web merchants for several reasons including creating mailing lists to pub-
licize special promotions, products, or services offered by the web merchant. However, contact
information may also be sold by web merchants to third parties. Consequently, many individuals
are often reluctant to provide contact information to web sites (Greiner, 2003).
Biographical information includes demographic data such as income, personal preferences, inter-
ests, and hobbies. Web merchants may use biographical information to profile customers, target
future communications for marketing purposes, and customize web pages for individual custom-
ers. Web sites may also use biographical information to market their site to advertisers by provid-
ing detailed information on visitors to their web site (Liu et al., 2004). Because consumers are
concerned that personal information may be sold to third parties, most individuals (over 90 %)
have refused to provide biographical information to a web site on at least one occasion and many
(approximately 40%) admitted in some instances to providing false information (Hoffman et al.
1999). A recent review of the literature suggests that privacy concerns regarding how web sites
use biographical information remains a most formidable barrier to people engaging in e-
commerce (Wang & Emurian, 2005).
Financial information includes such items as credit card numbers and bank account numbers. Al-
though consumers are obviously reluctant to provide financial information, this information is
often viewed as necessary to complete an e-commerce transaction. However, numerous tech-
niques such as buyer s authentication, confirmation and payment assurance, cryptography, digital
signatures, non-repudiation, and alternative payment methods can reduce the perceived risks as-
sociated with financial transactions (Hoffman, et al. 1999; Kolsker & Payne, 2002; Miyzazki &
Fernandez, 2000). While such techniques may complicate the processing of orders for web mer-
chants, these procedures may reduce the perceived risk and increase consumer willingness to en-
gage in e-commerce transactions.
Existing Federal Privacy Standards
Government involvement in the regulation of information privacy on the Internet varies greatly
among nations with the degree of government involvement highly associated with the level of
privacy concerns among citizens of a particular country (Smith, 1994). Many countries like the
U.S., and until recently, Canada and Australia, have not been highly involved in the regulation of
privacy standards, leaving it to the internet industry to regulate itself (Bellman, Johnson, Korbin,
& Loshe, 2004). These countries have primarily targeted government regulation in certain areas,
such as the public sector. This voluntary or sectoral approach contrasts with the omnibus ap-
proach, to both public and private sectors, used by the European Union (Bellman et al. 2004).
Since the present study was conducted within the U.S. and for the most part examined the views
of U.S. citizens, the focus of the present study is on the federal privacy standards existing in the
U.S.
129
Regulation of Web Site Privacy Policy
In recent years within the U.S., consumers have been inundated with notifications of federal pri-
vacy requirements when dealing with health care and financial institutions (e.g., loans, finan-
cial/investment advice, or insurance). In health care settings, patient privacy protection is man-
dated by the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), while
privacy of consumer information held by financial institutions is governed by the Gramm-Leach-
Bliley Financial Modernization Act of 1999. Periodic (annual) and episodic notification of these
acts and the respective institution s privacy policies have certainly contributed to an increased
consumer awareness regarding not only privacy issues, but the existence of federal standards and
enforcement in select industries. In these settings consumers have grown accustom to uniformity
in both format and content of privacy policies. This is in severe contrast to the Internet where
consumers are confronted by a myriad of differences including placement, length, level of protec-
tion, and enforcement. Internet users must determine to what extent, if any, personal data will be
utilized internally and/or shared for external or secondary purposes. Further, consumers must for
the most part rely on self-policing and/or 3rd parties (seal programs) to insure compliance with
stated policies.
Purpose of the Study
The fundamental purpose of this study is to determine whether the imposition of legally mandated
privacy policy statements would significantly increase consumer trust and thus willingness to en-
gage in e-commerce. Attempts to estimate the efficacy of regulation would seem prudent given
calls for such regulation and the limited impact of voluntary privacy policy statements and self-
regulation. Therefore, this study examined the effects of legally mandated versus voluntary pri-
vacy policy statements on consumer willingness to provide personal information.
Recognizing that consumer privacy concerns are determined to some extent by what information
is requested (Cespedes & Smith, 1993) and level of protection promised (Meinert et. al, 2006), it
is necessary to examine the efficacy of privacy policy statements in the context of both the infor-
mation at risk and strength of protection afforded by the privacy policy. While information sensi-
tivity varies from individual to individual, some information items or categories generate more
privacy concerns than others. Therefore, a second objective of this study was to examine the main
and interaction effects of types of information requested. To address this objective, when present-
ing the alternative privacy policy scenarios the effects of three information categories, contact,
biographical, and financial, were examined.
Although privacy policy statements have become common, there is evidence suggesting that con-
sumers may not be familiar with these statements (Westin & Maurici, 1998). It might be expected
that with the increased popularity of e-commerce and the growing prevalence of privacy policy
statements that more consumers at the present time would be aware of such statements. However,
even though consumers may be aware of privacy policy statements, there is no guarantee that
they read such statements. Research in the area of consumer behavior has demonstrated that cus-
tomers frequently fail to read important and relevant information regarding transactions such as
product warranties (Adler, 1994) or guarantees (Gore, 1995). Thus, although privacy policy
statements are intended to increase consumer trust, if consumers are unaware or do not read the
privacy policy statements, then the statements provide dubious benefits. Therefore, this study also
examined whether consumers were generally aware of privacy policy statements and whether
they had read a privacy policy statement prior to participation in this study.
130
Meinert, Peterson, Criswell, & Crossland,
Method
Data Collection
Given the exploratory nature of this research and the need to present respondents with multiple
scenarios (5 scenarios of privacy policy statements x 3 types of information) a survey was se-
lected over interviews, mall intercepts, quasi-experimental or experimental design. A survey ap-
proach also allows for detailed and consistent presentation of the descriptions for both privacy
policy statements and information types. With this research procedure, respondents could com-
pare and contrast descriptions, if necessary, to differentiate between the scenarios presented. Sub-
jects were asked on the survey to indicate a willingness to provide various types of information to
hypothetical web sites possessing dissimilar privacy policy statements. Concise descriptions of
the alternative privacy policies were used to clearly differentiate between the types. Concise de-
scriptions were selected over actual privacy policy statements, as the later are often very lengthy,
difficult to read and contain information regarding other aspects of privacy and security. The
questions from the survey relevant to the present study are presented in A. As can be seen in the
appendix, subjects were not provided with any specific information concerning the nature of the
hypothetical web site.
The survey provided the following definition of privacy policy statements. A privacy policy
statement explains a web site s policy regarding the information that is provided online by users.
Following the definition of a privacy policy statement, respondents were given examples of three
levels of privacy (strong, moderate, and weak) that seem to typify many of the statements
presented on web sites. These examples were based on an examination of policy statements on
over 75 web sites. Table 1 contains the descriptions presented to respondents to differentiate
between strong, moderate, and weak privacy policy statements. Abbreviated descriptions for the
three types of privacy policy statements were utilized to minimize the risk of respondents
misinterpreting lengthy or technically written statements. Although the hypothetical privacy
statements used in this study were considerably more concise than those usually found on the
Internet, they captured the essence (i.e., level of protection) of what was found in the review of 75
such privacy statements.
Table 1:Descriptions of Privacy Policy Statements Examined
Type of
Description Presented to Respondents
Statement
A strong privacy policy statement explains a web vendor s policy concerning infor-
STRONG
mation that is provided by web users and makes an explicit guarantee that they will
not under any circumstances share the user s information with any other organiza-
tion, company, or individual
A moderate privacy policy statement explains a web vendor s policy concerning
MODERATE
information that is provided by the web users and also ensures that the information
that is provided will remain confidential. It also provides limited sharing of informa-
tion when the web vendor believes that it is in the best interest of the customer, the
web vendor, or both.
A weak privacy policy statement explains a web vendor s policy concerning infor-
WEAK
mation that is provided by the web users, but does not offer any guarantee with re-
spect to protecting personal information.
A legal privacy policy statement indicates that federal, state or local laws mandate
LEGALLY
the presentation and content of the privacy policy statement and use of information
MANDATED
collected online.
131
Regulation of Web Site Privacy Policy
The survey then provided respondents with a description of legally mandated privacy policy
statements noting that Some web sites indicate that federal, state or local laws legally mandate
their privacy policy statement and use of information collected online. Thus, respondents were
also asked their willingness to provide personal information IF a web site displayed a legally
mandated privacy policy statement.
Following the definition of each example of a privacy policy statement, respondents were asked
to indicate their willingness to provide various types of information on a six point Likert scale,
ranging from (1) "extremely unlikely" to (6) "extremely likely". The types of information re-
quested were defined in the following manner for the respondents on the survey.
Contact Information: Request for e-mail address, name, mailing address and telephone
number
Biographical Information: Request for demographic data, such as annual income, per-
sonal preferences, hobbies, and interests.
Financial Information: Request for credit card numbers, expiration date, bank account
numbers, etc.
The decision to utilize broad information types reflected the breadth of information that can, and
often is collected via the Internet and the desire to avoid a lengthy survey instrument that could
easily compromise the quality of responses and/or response rate.
Sample
The sample consisted of 374 students enrolled in graduate courses or non-credit professional
courses offered through the Colleges of Business at one of two Midwestern state universities. To
achieve a high response rate, the survey was administered during regularly scheduled class peri-
ods. Although participation was voluntary, nearly 100% of the enrolled students participated.
While the validity of using students in behavioral research has been questioned (Alpert, 1967;
Gordon, Slade & Schmitt, 1986; Levitt, 1965), there are instances where they (students) are either
good substitutes or surrogates for another population (Khera & Benson, 1970; LaTour, Cham-
pagne & Behling, 1990; Remus, 1986) or by virtue of demographic profile are representative of
the target population under investigation. The latter instance was the primary justification for the
use of graduate business students, specifically working professionals, in the present study. From
its inception the Internet and to a large extent e-commerce has attracted substantially larger num-
bers of well-educated and affluent consumers (Guglielmo, 1999). Consumers with more educa-
tion and above average incomes continue to be more likely to use the web and shop online (Enos,
2000; Kolettis, 2001). More recent research, has suggested that e-commerce has attracted a more
diverse consumer group, however, the younger, more affluent and highly educated individuals
still represent the vast majority of internet users (Savage & Waldman, 2005).
The present study relied on graduate students associated with business programs that have his-
torically attracted working professionals. The profile of these students was consistent with the
profile described above as on average they are more educated and earn more than the general
population. The average age of the graduate students was also very close to the median age (36
years old) of Internet users (Kolettis, 2001). While this convenience sample is not representative
of all Internet users it does represent a large segment of Internet users, one that is generally per-
ceived to be more inclined to participate in e-commerce.
Findings
Table 2 summarizes the characteristics of the respondents. As illustrated in Table 2 most respon-
dents connected to the Internet on a daily basis (86.4%). This compares favorably to national
132
Meinert, Peterson, Criswell, & Crossland,
norms for Internet users as Kolettis (2001) reported that 72 percent of women use the Internet
every day, while 87 percent of men are daily users. Almost the same percent had provided an e-
mail address to a web site (88.2%). Overall, the sample were somewhat younger and more edu-
cated than the general population, uses the Internet frequently and most have previously provided
personal information to a web site. Consequently, the results must be generalized with caution.
However, the sample would seem appropriate for a study aimed at determining the impact of pri-
vacy policy statements on the willingness of consumers to provide personal information to web
merchants.
As shown in Table 2, 79.4 percent of the 374 respondents had reported seeing a privacy policy
statement. However, only 170 or 45.5 percent indicated that they were familiar, or more specifi-
cally, had read a web site s privacy policy statement prior to the study.
Table 2: Respondent profile: Demographics (n = 374)
Demographic Characteristic
Age (years)
Mean 32.9
S 14.3
Gender
Male 216 (57.6%)
Female 157 (41.9%)
No Response 1
Connect to Internet
Daily 324 (86.4%)
Twice a Week 19 (5.1%)
Weekly 9 (2.4%)
Monthly 2 (0.5%)
Never 15 (4.0%)
No Response 4 (1.4%)
Provided An Email Address
Yes 330 (88.2%)
No 27 (7.2%)
No Response 17 (4.6%)
Awareness
(Seen a Privacy Policy Statement)
Yes 297 (79.4%)
No 73 (19.5%)
Familiarity
(Read a Privacy Policy Statement)
Yes 170 (45.5%)
No 154 (41.2%)
The mean willingness to provide the various types of information for each type of privacy
statement is presented in Table 3 along with grand means. A 3 (Types of Information) X 5 (Type
of Privacy Policy Statement) within subject ANOVA was conducted on the data. The last row of
133
Regulation of Web Site Privacy Policy
Table 3 illustrates the differences in willingness to provide each of the three types of information
requested. The overall mean willingness to provide personal information ranged from 3.74 for
contact information to 2.70 for financial information. It is noteworthy that only the grand mean
for contact (3.74) exceeded the scale midpoint, thus reflecting a likeliness to provide data. The
ANOVA results indicated the difference between types of information was significant (F=188.67,
p = 0.000). The results further revealed that all three possible pairwise comparisons were
significant (p
on-line or established and new vendors have
in print, is copyrighted by the Informing Science Institute.