Copyright, A Pilot Study of the Effectiveness of Privacy Policy Statements Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor, U.N.S.W., Uni. of Hong Kong & ANU {.html,.ppt} Bled eCommerce Conf. – June 2006
Privacy Policy Statements. Themes: 1. Privacy as a Trust Factor; 2. Privacy Protection Mechanisms; 3. Privacy Policy Statements; 4. Research Design; 5. The Pilot Survey; 6. Implications
Trust as a Factor in B2C eCommerce. The Theory of Reasoned Action (TRA) of Ajzen & Fishbein (1980) postulates that Trust is a major determinant of attitude towards purchasing, and hence of intention to purchase. In Internet-based B2C eCommerce, Trust is usefully defined as: confident reliance by Consumers about the behaviour of relevant Business Enterprises.
Important Factors in Consumer Trust: Dependability; Security of Tradable Items and Funds; Transparency of Marketspace Processes; Fairness of Terms / Consumer Protections; Recourse when things go wrong; Privacy, and Anonymity / Pseudonymity
A History of Marketer Abuses of Consumer Trust: The Web as New Advertising Medium (billboards on the information superhighway); Closed Electronic Communities; Push Technology (web-casting); Info-Mediaries; Portals; Consumer Data Trails; ...
Privacy as a Trust Factor. The interest that individuals have in sustaining a 'personal space', free from interference by other people and organisations. Dimensions of Privacy: Privacy of the Person; Privacy of Personal Behaviour; Privacy of Personal Communications; Privacy of Personal Data
Personal Data Privacy and Consumers. Consumer Expectations: Privacy is a 'fundamental human right'; Excited by abuses, and numbed by them; Excited by advocates and the media. Particularly Serious Concerns: Consumer behaviour data; Anti-discrimination categories; Taxation and financial data; Health data; Household data; Location data for persons-at-risk
Privacy Policy Statements (PPS). What PPS Are Not: Privacy Impact Statements (cf. EIS); Privacy Impact Assessment (PIA cf. EIA). What PPS Are: 'privacy policies'; 'privacy statements'; 'privacy notices'; 'information practice statements'
Objectives of the PIA Process. Clearly define: business needs; stakeholder groups; privacy impacts and implications. Enable understanding and assessment of the proposal. Enable mutual understanding of stakeholder perspectives. Ensure reflection of stakeholder perspectives in the outcomes. Enable: maximisation of positive impacts; avoidance or amelioration of negative impacts. Maximise the likelihood of stakeholder support. Avoid new requirements emerging late. Earn public confidence. Raise awareness, educate. Anticipate and avoid misinformation campaigns.
Privacy Impact Assessment (PIA): A sophisticated process that surfaces and examines potential impacts and implications of privacy-invasive proposals. Privacy Policy Statement (PPS): A primitive form of unilateral report by an organisation about what the organisation does with personal data.
Privacy Protection Mechanisms. Technological Measures. Organisational Measures. Legal Measures: Privacy Statutes; Data Protection Statutes; Contract Law; Tort of Misrepresentation
Privacy Enhancing Technologies (PETs). Counter-PITs: Cookie-Managers, Firewalls, ... Savage PETs: Anonymous Remailers, Web-Surfing, ... Gentle PETs: Pseudonymous Remailers, Web-Surfing, ... Pseudo-PETs: MetaBrands (TRUSTe, Better Business Bureau)
Organisational Protections. Business Processes. Consumer Marketing Principles: Information; Choice; Consent; Fair Conditions; Recourse
The OECD's 1980 Principles plus Public Access and Accountability Principles
Alternative Regulatory Approaches to Privacy Protection. Hard Regulation: Statutory Impositions, Criminal Prosecution. Self-Regulation: Wolves self-regulate for the good of themselves and the pack, not the deer; No country accepts self-regulation alone, except the U.S.A. Co-Regulation: Education, Changes to Procedures, Complaints Processes, Back-Ended by Damages Provisions and Criminal Sanctions
The Role of PPS in the Alternative Regulatory Contexts. Hard Regulation: Little or no real role. Self-Regulation: The key feature that is meant to create the impression that consumers have some kind of protection. Co-Regulation: Possible role, as an adjunct to minimum requirements or as a means of interpreting the law
The Research Question: 'How effective are Privacy Policy Statements in encouraging consumer trust of B2C vendors?' Operational Formulation: 'Do the Privacy Policy Statements found on vendors' web-sites measure up to the requirements expressed in a specific normative Privacy Statement Template?'
Privacy Policy Statement Template. Comprehensive. Based on consumer need and practicality. Not constrained by: OECD Gs 1970s View of Technology Business-Bias of the US Safe Harbor. Designed to provide guidance for all, including corporations, business associations, govt agencies, individuals, public interest reps and advocates
Research Model
Population Segmentation. Dimension 1 – The Business: Pure Internet B2C; Clicks-and-Mortar. Dimension 2 – The Company: Leaders; Aggressive Marketers; Marketers of Sensitive Products; Regional Marketers; Ethical Marketers / Not-For-Profits
Sample for the Pilot Survey. Leaders: Amazon, Google. Aggressive Marketers: Sears, Roebuck & Co. Marketers of Sensitive Products: Adultshop.com. Regional Marketers: Autoteile-Meile.de (German online supplier of tyres and automotive spare parts). 'Ethical' Marketers: National Geographic (world's largest nonprofit scientific and educational institution)
Procedure. Determine the segmentation. Determine the sampling frames. Determine the sample. Conduct the assessment: find the organisation's web-site; find the PPS on that web-site; assess it against the template; summarise; compare among the sample; draw inferences
Results. Google: terrible. Amazon: worse. Sears & Roebuck: worse again. Adultshop.com: positive. National Geographic: appalling. Autoteile-Meile: Google-like and irrelevant
Implications for Practice. Caution: very limited external validity! Descriptive value: Many PPS are valueless to consumers. Explanatory value: Current PPS undermine consumer Trust. Predictive value: Fragility if and when things go wrong. Self-Regulation doesn't work. Hard or Co-Regulation is essential.
Implications for Research. Segmentation needs refinement: Organisational Size is a factor; Home Jurisdiction cf. Global. The Normative Template needs refinement. The design appears to be: Practicable; Useful. A representative sample can be assessed, and results capable of being generalised from can be achieved, with limited resources.