ITP 17,4

Are they really listening?

442

An investigation into published online privacy policies at the beginning of the third millennium

Steve McRobb
School of Computing and Centre for Computing and Social Responsibility, De Montfort University, Leicester, UK, and

Simon Rogerson
Centre for Computing and Social Responsibility, De Montfort University, Leicester, UK

Keywords Internet, Privacy, Business policy, Worldwide web, Ethics

Abstract Many authors have identified fears about a lack of personal privacy online as a major disincentive to the take-up of e-commerce by private consumers. The publication of a privacy policy is encouraged by information and communications technology industry groups such as the Online Privacy Alliance, and by online certification bodies such as TRUSTe. Privacy policies are taken to reassure the wary, and thereby to overcome the disincentive to trade. This paper offers an account of an ongoing research project into the practical measures taken by organisations to publish their online privacy policies. Late in 2000, a total of 113 disparate web sites were identified that included some kind of explicit privacy policy, and the visibility and content of each policy was analysed. The primary research into privacy policies is set in context by relating it to a discussion of the nature and role of trustworthiness in online relationships. This highlights a number of issues that need further attention on the part of some of the organisations in the survey.

Information Technology & People Vol. 17 No. 4, 2004 pp. 442-461 © Emerald Group Publishing Limited 0959-3845 DOI 10.1108/09593840410570285

Introduction
Internet users seem concerned about how organisations may use or abuse personal information supplied online, whether such information is supplied willingly or without informed consent (for example, Pitkow and Kehoe, 1997; Udo, 2001; Jupiter Media Metrix, 2002). This can be a disincentive to online purchasing: Ranganathan and Ganapathy (2002) found that web site characteristics that conveyed security and privacy were the most reliable indicators of purchase intent. Similar attitudes exist within the business community, albeit for different reasons (for example, Roy Morgan Research, 2001). The picture is also enduring: in a three-year survey of online companies, Desai et al. (2003) found that privacy was consistently the most important policy issue. This research investigates the use of online privacy policies to allay consumers’ concerns. It concentrates specifically on organisations that have posted a privacy policy, and investigates in more detail what the policy itself implies about the attitudes and practices of the organisation. A primarily qualitative approach was adopted that combines non-probabilistic sampling and interpretative analysis, together with limited use of quantitative analysis where this appears meaningful and is supported by the data. The paper begins with an overview of the nature of online personal information, the threats to privacy that can arise from providing it, and the relevance of trustworthiness. While brief, this theoretical review is necessary to an understanding of the empirical research and analysis that follows.

The main part of the paper describes: the methodology adopted for the research and analysis of results; the most interesting findings that resulted; and a discussion and analysis of the significance of the results. The final section draws conclusions, makes recommendations for practice and identifies further research work that might be undertaken.

Online privacy policies

Context
Online personal information
There are a number of distinct elements to the fears that people have regarding online capture of personal information. Perhaps the most important is the fear of fraud. Fraud online, as offline, can occur through deception or through data interception. In both circumstances, there has been a failure to apply the principle of informed consent. Other potential misuses of personal information are not necessarily fraudulent but still represent a failure to apply the principle of informed consent. An organisation may collect contact details and other information about visitors to its web site in order to profile customers, and use the profile to target further communications for marketing purposes. One survey reported that a significant number of internet users have falsified their personal details when registering at a web site (Pitkow and Kehoe, 1997) in an attempt to curtail dissemination of their personal data.

Personal information collected by an organisation may be passed to other organisations for a variety of reasons. The most innocent is when a host organisation has sub-contracted out part of the service on offer, and as a result must pass on some personal information about its customers in order to deliver the service. For instance, many online retailers use logistics companies to make deliveries, which necessitates the transfer of name and address details. Perhaps we should regard this as a case of implied consent, since the requested delivery cannot occur without transfer of data. Personal information may be referred on to business partners for targeted marketing purposes. It may be sold on to otherwise unconnected organisations for similar use. Recent legislation, particularly in Europe and the US, has sought to restrict this sort of activity.
However, some reports suggest that the growth in the quantity of personal information held in large databases has made it possible to obtain for a price almost any item of information about almost anyone (The Guardian, 2002). The significance of demographic profiles is explored in a study undertaken by Graeff and Harmon (2002). They report that the vast majority of consumers believe that the internet has made it easier to obtain personal information about them; male consumers have fewer privacy concerns and are more comfortable in making purchases over the internet; consumers with higher incomes are more likely to demand to know how their personal information is being used; and older people are less likely to agree that companies can sell personal information about their customers. These findings support the need to establish trustworthy transactions for all types of consumers. Trust is becoming increasingly important because of the changing profile of internet users, for example, increasing percentages of females and older people who both have greater concerns over privacy.

Trustworthiness
According to Gambetta (1988), “Trust is particularly relevant in conditions of ignorance or uncertainty with respect to unknown or unknowable actions of others”.

This applies to e-commerce, where there is a strong possibility that the actors are unknown to each other and therefore there is ignorance or uncertainty on the part of one as to how the other might operate. Trustworthiness takes on special importance in such circumstances. Trustworthiness is an intrinsic reality that abides in one or both of the partners to a transaction. Its perception, particularly in the beginning, by the other partner depends critically on the perception of certain extrinsic forms (signs, labels, messages, etc.) that are understood to represent the presence of underlying trustworthiness. Since these extrinsic forms are understood to represent trustworthiness, they can also be designed for this purpose. According to a study undertaken by Cheskin Research and Studio Archetype/Sapient (1999), control is the most important extrinsic form for commercial transactions. Over time, trust deepens, and the extrinsic forms become less important. As a relationship acquires its own history, we have more to go on than just external appearances, and thus the appearances become secondary.

Studies that sought to examine attitudes to revealing personal information in online transactions (for example, Sheehan, 2002) have found that the demographics of this issue are complex. However, since attitudes to privacy are strongly contextual for the majority of individuals, Sheehan concluded that a privacy policy posted in an easy-to-find place is a useful first step “to raise awareness and educate online users about the consequences of their online activities”. It is consistent with Sheehan’s results that for most individuals the issue is one of control over what personal information is revealed, to whom, in what circumstances, and for what purpose, rather than an absolute disinclination to reveal any personal information, to anyone, at any time. This interpretation is reinforced by other sources (for example, Pitkow and Kehoe, 1997; Fox, 2000; Turban et al., 2002).
The internet as a medium still suffers a relative lack of history, and thus, by association, so do all businesses that transact within it. Therefore the first and least dispensable step for anyone who seeks to establish relationships that involve trust on the internet is to satisfy their partners’ needs for control, mostly of security and privacy. Thus trustworthiness is the perception of confidence in the partners’ reliability and integrity (Belanger et al., 2002). It is this that influences an organisation’s internet strategy. Tan and Thoen (2002) have developed a generic model of trust for electronic commerce. They explain that “an individual will only engage in a transaction if his level of trust exceeds his personal threshold, which depends on the type of transaction and other parties involved in the transaction . . . the two basic components of the level of transaction trust are the trust in the other party and the trust in the control mechanisms . . . both kinds of trust have objective and subjective elements”. This provides a useful way in which to explore organisational strategy when engaging in internet trading.

Organisational internet strategies
Many organisations have been worried about damage to trade if consumers did not feel they could place sufficient trust in online transactions (Timmers, 2000). This was in addition to legislative pressures from, for example, the national laws arising from the European Data Protection Directive (Directive 95/46/EC). They sought to respond to the concerns described in three main ways.

First, most e-commerce sites have adopted practices and technologies that give some assurance regarding confidentiality, authenticity, integrity and non-repudiation. These include security protocols such as SET and SSL, security measures such as firewalls, constant vigilance by network administrators, administrative procedures and physical security of buildings. All help to protect against intrusion, fraud, and other threats to personal information.

Second, some organisations have joined one or more third party certification schemes, such as TRUSTe and VeriSign. These provide some independent verification that an online organisation is trustworthy. Depending on the scheme, some redress may be available if consumers believe they have been treated unfairly.

Third, many organisations have published on their web sites a statement of policy that aims to make explicit how that organisation deals with information provided by visitors to its web site, including its customers. The adopters of privacy policies hope to reassure the wary, and thereby to overcome the disincentive to trade. A privacy policy also functions as part of the overall branding and image of an organisation. Its presence, its location, its prominence, its style and its contents carry explicit and implicit messages about the organisation.

The first two strategies are concerned with the objective aspects of control trust in Tan and Thoen’s (2002) model, whilst the third relates to the objective aspect of party trust. This emphasis on objective aspects relates to the need for extrinsic instruments when the subjective aspect of party trust is not yet established. Objective aspects of control trust are enhanced by subjective aspects such as understanding how the control instrument works and the control instrument becoming a universally accepted standard.
The extent of adoption of privacy policies has been investigated by various other studies, and turns out to be quite high but not consistent across different countries. For example, Johnson-Page and Thatcher (2001) conducted a survey of 149 commercial sites in nine countries and found that on average 42 per cent contained a privacy policy. The rate was higher in the developed West, but differences did not follow a simple regional pattern. The USA led with 80 per cent of sites displaying a policy, while both the UK and Canada narrowly exceeded 60 per cent. In the middle range, Singapore scored 54 per cent, China 39 per cent and Venezuela 38 per cent. The rate for some countries was much lower, with Brazil and Germany at only 18 per cent, and none of the 17 Hungarian sites displayed a privacy policy.

Empirical research method
The research undertaken was an empirical survey of the online privacy policies of 113 organisations. The purpose of this survey was to reach a better understanding of privacy policies on the internet, and the interplay between these policies and other factors. Therefore an interpretative approach using largely subjective material was adopted, rather than pure statistical analysis of objectively quantifiable data. A purposive (or judgemental), non-probability sampling method was followed due to the subjective interpretation of the findings, the great difficulty of isolating discrete operational variables and the exploratory thrust of the research. This permitted the deliberate inclusion of web sites from a wide variety of organisations, including large and small manufacturers, retailers, service agencies, utilities and public sector organisations in many different countries. Organisations of different scales were represented with a spread across various sectors and a range of different countries. Within each category, individual organisations were selected at random. The use of a non-probability survey instrument can be seen as limiting our ability to generalise the findings, since there is the possibility of bias either arising from the judgemental approach itself, or from the availability of organisations to represent each category. However, we do not regard this as a serious weakness in relation to the aims of the survey. Other sources of bias were considered and controlled in the overall survey design where possible. Some coding carried out during the data collection phase (e.g. to industry sector) was checked and corrected where necessary by one of the authors. Inevitable differences of opinion in coding the more subjective aspects of the data were controlled through a standardisation exercise described below.

The primary data collection approach was as follows. Each site selected was searched for a privacy policy. Wherever an explicit policy was found, the site was provisionally included in the survey. The policy document was downloaded for later analysis, and some meta-characteristics of the policy recorded. When no policy was found, the site was discarded. Most policies took the form of a specific page called “privacy policy” or something very similar, accessed directly from a link on the home page, or from a page immediately below the home page in the site’s access hierarchy. If no obvious policy was found in this way, a more determined search was made, using a variety of strategies and with varying degrees of success. Surprisingly, on one occasion, it seemed a blind guess at possible URLs actually succeeded where all else had failed! Policies that were not clearly signposted commonly took the form of a sub-section of another page, typically under a general heading such as “legal notices”.
Sometimes the privacy sub-section was itself clearly titled, but a few had no explicit heading to draw the reader’s attention to their purpose. A small minority of hard-to-find policies were very well hidden. One (mentioned above) was apparently not linked from any other page on the site. Another could be accessed only after registration, and even then displayed only as a graphic that therefore would not appear on any search engine index. A total of 113 organisations were included in the sample (see Appendix 1). A brief note was made of some meta-characteristics of each policy as it was downloaded. The initial questions were deliberately kept very simple:
• To what sector does the organisation appear to belong? This question was included to maintain the sampling approach. The allocation to categories was sometimes corrected later in the analysis process.
• How easy is it to find the statement of policy? For example, is there a link to the policy on the homepage? Where is the link located on the page? How clearly visible is the link?
• What third party trust-marks (if any) are displayed?
The results of this first simple questionnaire were recorded and the policies were then skim-read to identify the more obvious characteristics. Further questions were identified and added to the database. The policies were then interrogated against this full list of questions and the results coded on a paper-based form (see Appendix 2), which provided a tangible record of the process and thus facilitated later validation.

A quantitative analysis was conducted using the Flesch reading ease score (a built-in function in Microsoft Word’s grammar checker). This rates text on a 100-point scale, and is based on calculating the average sentence length and the average number of syllables per word. The higher the score, the more readable is the text. The degree of structure of the policy and its length were also recorded. The structure of a document, in particular the use of headings and sub-headings to organise the material, has an impact on ease of understanding. Policy length is an indicator of its authors’ seriousness, although it can be argued that a long, wordy policy is not necessarily helpful. Other data collected focused on the presence or absence of various elements of the informational content of the policies, mainly derived from the OECD guidelines on fair information processing (Organisation for Economic Co-operation and Development, 1980) – for more details, see below under “Results”. Since some aspects of the procedure were necessarily subjective, an attempt was made to standardise the coding by having two researchers re-code a sample of ten policies. Neither re-coder was closely involved in the earlier work, and a robust validation of the original coding was expected. It was also anticipated that good agreement would be obtained; approximately 10 per cent of the total sample appeared sufficient to demonstrate this. The results of the standardisation exercise show a good level of agreement amongst the researchers on some points, but also some notable disagreements on others. Those aspects of a policy that were reasonably objective produced the best agreement, while those that were more subjective in nature produced less agreement. While this may seem unsurprising in itself, there are interesting and unexpected consequences, to which we will return later.

Results
Results are summarised below under the four main themes.
Ten policies were independently re-coded and these results are included where relevant.

General policy characteristics
The prominence of a policy on the web site is an important indicator of how seriously the organisation views the policy. The great majority (80 per cent) in this sample were either very or quite prominent on the web site. Exactly 20 per cent were either quite or very hard to find. In these cases, at best, the link from the homepage to the policy was hidden in a mass of detail. At worst, no link to the policy could be found. When this question was checked in the re-coding exercise, only four of ten responses were unanimous. However, if the granularity of the analysis is reduced from four categories to two (easy; hard), nine are in agreement. The corresponding data can thus be treated as reliable at this level of analysis. The vast majority of policies (92 per cent) were “formal but clear”, as opposed to “informal” or “dense legalese”. The re-coding on this question was unanimous in seven of ten cases, confirming the reliability of this data. On the Flesch index, the sample scored a mean of 35 with a median of 37, a standard deviation of 10 and a maximum of 60. This compares poorly with the recommended 60-70 for a document aimed at a general readership. No policy in the sample achieved good readability for a general audience. This finding is in broad agreement with a UMIST (2002) survey that found that only 5 per cent of UK sites reached the recommended readability level.
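As an added illustration, not taken from the paper or its survey instrument, the following Python code reproduces the kind of measurement described above: it counts words and sentences in a policy text, applies the standard Flesch reading ease formula (206.835 − 1.015 × words per sentence − 84.6 × syllables per word) and reports whether the result reaches the 60-70 band recommended for a general readership. The sample policy text is constructed for the example, and the syllable counter is a simple vowel-group heuristic (an assumption of this example), so scores will differ slightly from those produced by Microsoft Word’s own syllable counting.

```python
import re

# Constructed sample policy text (not one of the 113 policies in the survey).
SAMPLE_POLICY = (
    "We collect your name and email address when you register. "
    "We use this information to provide the service you requested. "
    "We do not sell your personal information to third parties. "
    "You may opt out of marketing messages at any time."
)

# Recommended Flesch band for a general readership, as cited in the paper.
GENERAL_READERSHIP_MIN = 60
GENERAL_READERSHIP_MAX = 70

_SENTENCE_END = re.compile(r"[.!?]+(?:\s+|$)")
_WORD = re.compile(r"[A-Za-z']+")


def count_syllables(word):
    """Approximate English syllable count: one per vowel group, minus a silent final 'e'.

    This is a heuristic chosen for the example, not Word's own algorithm.
    """
    w = word.lower()
    groups = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and groups > 1:
        groups -= 1
    return max(groups, 1)


def text_stats(text):
    """Return (words, sentences, syllables) for a block of policy text."""
    words = _WORD.findall(text)
    sentences = [s for s in _SENTENCE_END.split(text) if s.strip()]
    syllables = sum(count_syllables(w) for w in words)
    return len(words), max(len(sentences), 1), syllables


def flesch_reading_ease(text):
    """Flesch reading ease on a 100-point scale: higher means easier to read."""
    words, sentences, syllables = text_stats(text)
    if words == 0:
        return 0.0
    return 206.835 - 1.015 * (words / sentences) - 84.6 * (syllables / words)


def readable_for_general_audience(text):
    """True when the score reaches the recommended 60-70 band (or better)."""
    return flesch_reading_ease(text) >= GENERAL_READERSHIP_MIN


def policy_report(text):
    """Meta-characteristics the survey recorded for each policy: length and readability."""
    words, sentences, syllables = text_stats(text)
    score = flesch_reading_ease(text)
    return {
        "word_count": words,
        "sentences": sentences,
        "avg_sentence_length": words / sentences,
        "avg_syllables_per_word": syllables / words if words else 0.0,
        "flesch_score": round(score, 1),
        "general_readership": score >= GENERAL_READERSHIP_MIN,
    }


if __name__ == "__main__":
    for key, value in policy_report(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

The constructed sample scores about 63, inside the recommended band, because its sentences are short (ten words each) and mostly monosyllabic. A typical policy with long, clause-laden sentences and words such as “information” and “personalisation” drags both averages up and the score down, which is why the survey’s mean of 35 sits so far below the 60-70 target.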

Two-thirds of the policies had no explicit structure, and were written as a monolithic block of text. This question was checked in the re-coding exercise. Here, too, seven of ten responses were unanimous. Policies in the sample ranged from a minimum of 36 words to a maximum of 7,639, with a mean of 793 and a median of 538. Relatively short policies dominated the sample.

Collection of personal data
Almost all organisations (95 per cent) acknowledged clearly that they collected some kind of personal data, but there was more reticence on some related points. Amongst those policies that acknowledged the collection of personal data, 90 per cent stated why, 81 per cent stated that it was possible to opt out, 66 per cent described the nature of the data collected, and 65 per cent explained how the data was collected. The stated reasons for personal data collection were:
• to enable the provision of a service (75 per cent);
• to assist with the design, evaluation or personalisation of the web site (44 per cent);
• to enable marketing communications to be targeted (40 per cent);
• to maintain contact details (21 per cent) – although perhaps this should be subsumed under service provision; and
• to sell advertising (7 per cent).
The frequencies sum to over 100 per cent, since many policies identified more than one reason. The re-coding exercise produced little agreement on the stated reasons for data collection, and this is one of the surprising results mentioned earlier. When three educated and literate researchers who are professionally focused on online privacy issues cannot reach agreement, one wonders what hope there is that an ordinary surfer will understand what a privacy policy says on this point.

Disclosure to third parties
Almost half (47 per cent) acknowledged that personal data was disclosed to other organisations in certain circumstances. A further 38 per cent stated that personal data is never disclosed, while 15 per cent made no mention of disclosure. Of those policies that did acknowledge disclosure, almost all (92 per cent) gave a reason; these were:
• To enable the provision of a service (58 per cent). In some cases, this was explained further in terms of partnership with other organisations that collaborated in the provision of service.
• For marketing purposes (40 per cent).
• To enable the tailoring of a service (4 per cent).
These frequencies sum to just over 100 per cent, as a few policies identified more than one reason for disclosure. A total of 73 per cent stated that an opt-out from disclosure is possible. The question “why is data disclosed?” also generated disagreement among the researchers in the re-coding exercise, even with only three possible answers. Again, one wonders whether the ordinary surfer will really understand what some policies have to say on this point.

Other related questions
The results of this miscellany of questions were:
• Of the sites, 14 per cent (i.e. 19) displayed a trust mark. The majority (11) displayed the TRUSTe mark. Some sites with a trust mark are globally-known brand-names, for example Microsoft, IBM and AT&T. Others are less well known, for example Francoudi and Stephanos in Cyprus and Euregio in Belgium.
• Of the policies, 43 per cent did not explain how a visitor consents to the collection or use of personal data.
• Of the policies, 61 per cent contained no contact details for the host organisation, although these may appear elsewhere on the web site.
• Of the policies, 70 per cent did not indicate whether, or how, personal data could be checked or amended.
• Of the policies, 64 per cent did not describe the procedures or technologies used to protect personal data.
• Of the policies, 43 per cent did not mention whether cookies were used on the web site. A total of 47 per cent acknowledged the use of cookies, while the remaining 11 per cent stated explicitly that cookies were not used.
• Of the policies, 14 per cent specifically mentioned a difference in the way that child visitors to the web site were treated.
• Of the policies, 16 per cent contained (or included links to) further advice about online privacy.

Further comparisons and analyses
Further analysis was undertaken to examine the relationships between organisations and their policies, and the extent of interaction among different policy characteristics.

Comparisons by sector
Policies were grouped by sector and averages calculated for each of the quantified factors: visibility, structure, word count and Flesch score. Average scores for each sector were compared with the sample as a whole.
The differences were then interpreted in the context of the simplifying perspective that a longer policy is preferable to a shorter one; a readable policy is preferable to an unreadable one; a visible one is preferable to one that is hard to find; and a structured one is preferable to one that is monolithic. Such simplification has its drawbacks but it does provide a basis for initial comparisons. Due to the relatively small numbers of policies in each sector (ranging from 1 to 13) and the uncertainties associated with some of the quantification, no measure of statistical significance was undertaken. For most sectors the results were inconclusive, but some interesting patterns emerged. Two sectors scored better than average on all four factors: retail and internet services (represented in our sample by a total of 16 policies combined). Two sectors scored worse than average across the board: travel and tourism and public utilities (also represented by 16 policies combined).

A comparison of content was made by taking the percentage of policies within each sector that included content for each of the 16 aspects mentioned earlier. No sector scored better than the population average on all 16 aspects, although internet services came closest with only one aspect (why data is collected) falling below the population average. Perhaps organisations in this sector simply assume that their clients already know the reasons for collecting personal data, and thus see no need to explain it.

Comparisons by region
Policies were grouped by region. The following regions were used, based mainly on the expected effects of legislative and trade bloc boundaries: European Union, North America, Asia (including Australia) and other (a miscellany of policies from Switzerland, Israel, Mauritius and Cyprus). The Asia and Other regions were not analysed due to the small sample size. The North American policies (61 in all) and those from the EU (39 in all) were large enough to permit the use of a statistical measure of significance. Differences in scores on the four quantitative factors were tested for significance using an F-test. No significance was found in differences of structure or readability. However, EU policies were found to be significantly more prominently displayed than North American ones (p = 0.074), presumably due to EU Data Protection legislation, while North American policies on average were significantly wordier than those from the EU (897 words compared with 709 words, p < 0.001). It was expected that the data protection legislation would also result in privacy policies within the EU being generally more informative than North American ones. This was not proven. For every single one of the 16 non-quantified factors, a higher proportion of North American policies than EU ones included that type of information. Some differences were relatively marginal (15 per cent of North American policies displayed a trust mark, compared with 13 per cent of EU policies). Others were quite marked (41 per cent of North American policies explained how to opt out from disclosure of personal data to third parties, compared with only 23 per cent of EU policies). Overall, this is a striking and unexpected finding.

Inter-relationships among policy characteristics
It was expected that there would be positive correlations between features such as the length, readability, structure and prominence of a policy. On the whole, this was not strongly confirmed. There was no noticeable correlation between word-count and readability (r = 0.042), nor between readability and structure (r = 0.017). Word-count, structure and prominence were all weakly but positively correlated (r in all cases close to 0.3). It was also expected that organisations which displayed a trustmark would also display privacy policies that were lengthier, more readable, more detailed and more comprehensive in their coverage. The results give strong confirmation of the expectation. Trustmarked policies were much longer than non-trustmarked policies (1,906 words compared with 615, p < 0.001). While on average they were only slightly more readable (Flesch score = 35.59 compared with 34.80), this difference was also significant (p = 0.053). Trustmarked policies were much more likely to contain information on all except two of the 16 recorded aspects. The two exceptions were: statement of the reason(s) for collecting personal data, and statement of the reason(s) for disclosing personal data to a third party. For many other aspects, the differences were large. For example, 81 per cent of trustmarked sites explained the procedure for checking and amending personal data, compared with 29 per cent of non-trustmarked sites. There is, of course, an element of causality at work here. Trustmarks typically require member organisations to adopt and publish a privacy policy. The Better Business Bureau (four sites in the sample) publishes on its web site a generic “Sample privacy policy” that is already 693 words before any customisation has occurred (Better Business Bureau, 2003).

Discussion
Issues arising from the re-coding exercise
There was little disagreement among the researchers regarding overall characteristics such as language and structure. Main survey data relating to these, and similar, questions can thus be regarded as reliable. Disagreement arose where more time had to be spent or more care exercised in reaching a judgement. Many policies were unclear about the uses to which personal data is put, the reasons for which it is disclosed, or how the visitor consents to its collection or use. Furthermore, the reader’s understanding is not necessarily directly related to the apparent clarity of the policy. One policy (Federal Express) was unanimously coded as “formal but clear” and “structured with sub-headings”, yet there was disagreement regarding the reasons given for the collection of personal data, and whether the consent procedure was explained. Nor is understanding necessarily directly related to objective criteria such as word-count or readability index. Both Symantec Store – one of the shortest policies in the survey (63 words) and with an above average readability index of 47.7 – and Lycos – the longest (7,639 words) and of above average readability at 37.6 – produced disagreement on the same points. However, these readings are not necessarily in conflict.
For any given policy, there may be multiple reasons for the collection and disclosure of personal data. It appears likely that, in the cases of disagreement, each researcher picked up different nuances in the text. Perhaps all of the interpretations recorded are supported (or implied) by the policy, but with varying degrees of explicitness. It would be prudent to treat these results with a degree of caution, in the specific sense that they may not fully reflect the variety of ways in which the policies surveyed imply that personal data is used. As noted earlier, the researchers are all educated and literate, are experienced in interpreting this sort of text and have a professional focus on privacy issues. However, privacy policies, if they are to have practical value, must be intelligible to a broad cross section of users. It appears very likely that there is widespread misunderstanding and misinterpretation of what privacy policies say about the use and disclosure of personal information.

Wider implications

To some extent the results of the main survey are reassuring. Most policies in this survey are either US- or UK-based, and we know from other sources (for example, Johnson-Page and Thatcher, 2001) that the majority of sites in these countries already posted a privacy policy by 2001. The data presented here can thus be taken as broadly representative. It confirms that by the year 2000, the privacy and security of personal information collected online was a widely recognised concern, indicated by the high proportion of policies that were prominently posted, acknowledged the collection of personal data, indicated why and how information was collected and said what it was. Many also explained how to opt out, although this will often prevent access to a service. A relatively large minority promised that no personal information would be passed to third parties. Among those that acknowledged the reverse, nearly all explained why and most had an associated opt-out provision. However, a clash of intent can often be discerned between the prominence of a policy and the relative care with which it has been created. Where a policy is relatively easy to find (as in 80 per cent of cases), some managers clearly regard online privacy as a serious matter (or, at least, they believe that their customers do). However, this is not always aligned with an equivalent concern for content, readability, and so on. One example of good practice in this regard is Lycos, whose policy was simultaneously the longest in the sample (7,639 words), among the more readable (Flesch score = 37.6, slightly above the median), and one of the most informative (almost every identified aspect in the survey was covered). Other very visible policies were so brief that they could say little (freestuffanddiscounts.com was one of the shortest, at only 48 words). Still others had very low readability and therefore may convey little (the CIA policy had a Flesch score = 18.5). These were by no means isolated cases – the overall correlation between word-count and prominence was positive but weak (r = 0.3), while that between readability and prominence was even weaker (r = 0.24). Moreover, there was virtually no correlation between word-count and readability (r = 0.04). If organisations were as serious about implementing their privacy policies as they were about drafting them, stronger correlations should be evident.
The clash of intent sometimes worked the other way round. Policies that are hard to find (20 per cent of the sample) are a wasted opportunity even if they are well written and informative – and some are: one of the hardest of all to find (the BBC) was quite long (1,209 words, around 0.5 standard deviation above the mean), quite readable (Flesch score = 48.9, more than one standard deviation above the mean) and very informative – but of little value if visitors cannot find it. No correlation was found between the length and readability of a policy, and the correlations between length or readability and either structure or prominence are weak. Some policies had little to recommend them. TotalFinaElf was simultaneously one of the shortest (72 words), one of the most unreadable (Flesch score = 10.5), written in “legalese” language, unstructured and generally uninformative. It acknowledged the collection of personal data, but not how or why this was done, and disclosure to third parties was not mentioned. Perhaps its primary aim was to act as a disclaimer and thus give the company some protection against litigation. However, it appears unlikely that such a statement would provide much protection for a company that operates in an environment where privacy issues are covered by legislation (for example, in the EU). It is also highly unlikely that it would provide any reassurance to visitors concerned about the use or abuse of their personal data. There were surprising gaps in coverage. In particular, few sites were affiliated to any trust mark and so must be taken at face value. This may be reasonable for a well-known organisation with a reputation based on its track record offline (for example Compaq) or online (for example Letsbuyit.com). But many that lacked a trust mark affiliation were not so widely known (for example, Adcrew.com), and may therefore suffer a lack of trust on the part of potential customers. Most sites did not explain how a visitor could check or amend their details. This is surprising for a European site, since the Directive on Privacy and Data Protection gives a statutory right to access and correct stored personal data. Of course, anyone can contact an organisation and ask for details of the subject access procedure, but it is odd not to include this in a published privacy policy. Most also gave no indication of the security measures and technologies used. This also seems odd when a probable aim of all privacy policies is to reassure participants in online transactions. Adequate security procedures may still exist, but visitors are likely to doubt this when no information is given in the privacy policy. Some interesting regional differences emerged from the study. First, contrary to the authors’ expectations, North American privacy policies (predominantly US organisations) scored favourably on almost every factor compared to the EU (predominantly UK organisations). Only on visibility did EU-based policies score higher than their North American counterparts. This may imply that EU organisations have responded to legislation by being seen to toe the line, but with less enthusiasm than their North American counterparts, and thus with less elaborated policies. In the continuing absence of over-arching federal US legislation to require fair and open practices in relation to personal information, this could confirm that commercial, consumer and public pressures have had a beneficial effect.
However, another interpretation could be that EU organisations see no need to issue a statement that amounts to little more than a commitment to abide by the law, while North American organisations may feel that in a de-regulated environment it is necessary to do more to reassure their customers. Comparisons of the different sectors give a mixed picture, with no sector scoring consistently either above or below the population average for all aspects. Overall, there appears to be a widespread lack of “joined-up thinking”. It may be an important step to recognise that a privacy policy is a significant communication with customers and clients. Nevertheless, for that communication to be successful, other steps must also be taken. The policy must address the concerns of visitors to the site. It must be readable. It must be easy to find. And it must be put into practice. The data presented here suggests that many organisations engaged in the collection of personal data via their web sites do not show an appropriate commitment to all of these points. For example, it must strike a discordant note if a well thought out policy is hidden in an obscure location, with no obvious link to it. It must be equally disconcerting if a privacy policy is prominently posted but no corresponding effort is made to make it readable and informative. In either case, the visitor may wonder whether those responsible for commissioning, writing and displaying the policy are also competent to ensure that it is applied consistently in the organisation’s activities. Less scrupulous (and more short-sighted) managers might regard the publication of a privacy policy as an end in itself – as pure window-dressing aimed at the gullible. Taken altogether, this view contradicts the main findings of a recent paper by Desai et al. (2003) which reports on a longitudinal study of 45 businesses trading on the internet from 1999 to 2001. These authors found evidence that “internet companies . . . are being up-front in their communications about how customer data are collected and shared”, and concluded that “[internet companies] are reacting to customer needs and concerns by increasing the communication of their internet policies”. However, the contrast in findings may be partly explained by Desai et al.’s use of a five-point scale as the sole means of recording their assessment of privacy policies. Given the extensive and complex content of many of the policies analysed in this paper, together with such other characteristics as visibility and readability, a five-point scale seems far too simple an instrument to produce useful insights. Other authors have reached similar conclusions to our own. For example, Gauzente (2004) found, in a French national context, that “web merchants do not necessarily implement thorough privacy policies” – often not even confirming their compliance with minimal legal requirements. Meanwhile, across the Atlantic, Milne and Culnan (2002) collated the results of a series of Federal Trade Commission surveys from 1998 to 2001 and found considerable variation in quite fundamental aspects such as readability and compliance with OECD guidelines. Echoing Gauzente, a UMIST (2002) study found that legislation does not necessarily guarantee compliance, noting that many organisations – especially smaller companies – found the relevant legislation “difficult to understand” and were therefore unsure whether or not they complied with it.

Recommendations

While many of our conclusions remain rather tentative, due in part to the unexpected complexity of the data gathered, it is perhaps possible to make some preliminary recommendations. Following guidance from our editor, we have divided these into two sets. First, we propose some heuristics aimed primarily at managers with responsibility for privacy policy in online organisations. Second, we make some suggestions to future researchers working in this area.
Recommendations to practitioners

Privacy policies may be made effectively unavailable to users in many ways, but these should all be avoided. This could be achieved by ensuring that:

- There is a prominent link to the policy on the main home page.
- The policy is readable for a general audience (recommended Flesch score of 60 or more).
- The policy minimally covers OECD guidelines. That is, it includes content relating to notice, choice, access, security/integrity and enforcement/redress. Where any of these aspects do not apply, the policy should state this explicitly.
- The policy restates (where necessary) compliance with relevant national law.
- The policy is tailored specifically to the information processing practices of the host organisation, and is regularly audited to ensure that compliance is maintained over time.

There is also an argument to be made that privacy policies should be sensitive to the individual user and the context of use, in the same way that other aspects of web site presentation and content are often now customised. Gauzente (2004) argues for this, based on her finding that the issues surrounding privacy depend on user needs and intentions at a given time. Different aspects of policy thus become relevant at different times and in different contexts. One thing that we do not recommend is the use of automated online privacy policy tools such as that offered by PrivacyAffiliates.com (n.d.). There may be attractions in being able to create a privacy policy quickly, cheaply and with minimum effort, especially for small businesses. But we have reservations about the validity of any such policy in any but the most routine circumstances, and it is likely that important aspects of online privacy will not be addressed. It is worth noting that the TRUSTe web site states: “We can not effectively review your privacy statement until it matches the information collection and use practices on your Web site” (TRUSTe, 2004). To conduct any serious review of operational practices inevitably takes time and effort.

Recommendations for researchers

Several issues have emerged from this study and its background that might help to shape either the methodology or the focus of future studies. Firstly, further investigation is clearly required into users’ understanding and acceptance of online privacy policies, a point that is reinforced by Milne and Culnan (2002), who also suggest there is a need to develop a standard vocabulary for information practices. Our experience also suggests that future researchers would be best advised to embrace a qualitative approach, since the problem is clearly a complex one, with philosophical, sociological and psychological dimensions, and thus not amenable to overly simple quantitative instruments. As in the case of the Desai et al. (2003) study, these may be too blunt for the purpose and obscure more than they reveal.

Conclusion

The data captured in the survey has proved surprisingly rich, and there is considerable scope for further analysis.
But it is clear that many organisations have embraced the publication of an online privacy policy with some seriousness, gauged in a number of different ways. These include the prominence of a policy on the organisation’s web site, its detailed content and length, and other characteristics such as its style and readability. However, it was striking that in many cases the different measurements that could be made did not align with each other. Thus, for instance, some of the most prominent policies were very limited in their content or suffered poor readability. Some of the most readable or detailed policies were difficult to find. The overall conclusion is that many organisations still have considerable work to do, before they can be seen to “walk the talk” in relation to their privacy policies. A further survey of the same organisations was completed late in 2002, and a follow-up study is planned to compare the results of the two surveys. Many policies are likely to have evolved over the intervening two years, and it is hoped that this will throw some useful light on changes in the social and legal environment that occurred during the same period. In particular, the after-effects of the September 11 attacks in New York, and the implementation of the European Directive on Human Rights into UK law in 2000 (soon after the initial survey) may be expected to have had some effect on privacy policies. It will be interesting to see how this expectation compares with the reality, and it is likely that the comparison will generate further insights and lead in turn to new research questions.
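Three of the practitioner recommendations above (a prominent home-page link, a Flesch score of 60 or more, and coverage of the five OECD aspects) can be checked mechanically before a policy is published. The following script is an added example, not the authors' coding instrument or any project's code: the Flesch Reading Ease formula is the standard one rather than something the paper states, and the OECD phrase lists, the home-page HTML snippets and the two sample policies are constructed for illustration.

```python
# Added example, not from the paper: mechanical checks for three of the practitioner
# recommendations above. Flesch Reading Ease is the standard Flesch (1948) formula;
# the OECD phrase lists and the sample texts below are constructed for illustration.
import re

READABLE_THRESHOLD = 60.0  # the paper's recommended minimum Flesch score

# Constructed indicative phrases for the five OECD aspects named in the paper.
OECD_ASPECTS = {
    "notice": ("collect", "we gather", "cookies"),
    "choice": ("opt out", "opt-out", "unsubscribe", "consent"),
    "access": ("access", "correct", "amend", "update your"),
    "security/integrity": ("secure", "security", "encrypt", "safeguard"),
    "enforcement/redress": ("complaint", "contact us", "dispute", "trustmark"),
}

def count_syllables(word):
    """Heuristic: count vowel groups, dropping a trailing silent 'e'."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    if len(w) > 2 and w.endswith("e") and not w.endswith(("le", "ee")):
        w = w[:-1]
    return max(1, len(re.findall(r"[aeiouy]+", w)))

def flesch_reading_ease(text):
    """Return (score, word count, sentence count); higher means easier to read."""
    sentences = [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]
    words = re.findall(r"[A-Za-z']+", text)
    syllables = sum(count_syllables(w) for w in words)
    score = (206.835 - 1.015 * (len(words) / len(sentences))
             - 84.6 * (syllables / len(words)))
    return score, len(words), len(sentences)

def missing_oecd_aspects(text):
    """Aspects for which no indicative phrase occurs as whole words."""
    low = text.lower()
    return [aspect for aspect, phrases in OECD_ASPECTS.items()
            if not any(re.search(r"\b" + re.escape(p) + r"\b", low)
                       for p in phrases)]

def has_prominent_privacy_link(home_html):
    """True if some anchor on the home page has 'privacy' in its link text."""
    for inner in re.findall(r"<a\b[^>]*>(.*?)</a>", home_html, re.I | re.S):
        if "privacy" in re.sub(r"<[^>]+>", "", inner).lower():
            return True
    return False

def audit_policy(policy_text, home_html):
    score, words, sentences = flesch_reading_ease(policy_text)
    missing = missing_oecd_aspects(policy_text)
    linked = has_prominent_privacy_link(home_html)
    return {"flesch": round(score, 2), "words": words, "sentences": sentences,
            "missing": missing, "linked_from_home": linked,
            "passes": score >= READABLE_THRESHOLD and not missing and linked}

# Constructed samples: a plain-English policy and a terse "legalese" one.
PLAIN_POLICY = ("We collect your name and email when you sign up. You can opt out "
                "at any time. You may access and amend your data by contacting us. "
                "We encrypt all data we store. If you have a complaint, contact us "
                "by email.")
LEGALESE_POLICY = ("Notwithstanding any representation herein, the organisation "
                   "reserves the unconditional right to collect, retain and process "
                   "personally identifiable information in accordance with "
                   "applicable statutory provisions.")
HOME_WITH_LINK = '<html><body><a href="/privacy">Privacy policy</a></body></html>'
HOME_WITHOUT_LINK = '<html><body><a href="/about">About us</a></body></html>'
if __name__ == "__main__":
    print(audit_policy(PLAIN_POLICY, HOME_WITH_LINK))       # passes all three checks
    print(audit_policy(LEGALESE_POLICY, HOME_WITHOUT_LINK))  # fails all three checks
```

The keyword lists are deliberately crude; they flag an aspect as absent only when none of its phrases appears, so a policy that clears the check still needs a human read for the remaining recommendations (national-law compliance and tailoring to actual practice).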

References

Belanger, F., Hiller, J.S. and Smith, W.J. (2002), “Trustworthiness in electronic commerce: the role of privacy, security and site attributes”, Journal of Strategic Information Systems, Vol. 11 No. 3/4, pp. 245-70.
Better Business Bureau (2003), “Sample privacy policy”, available at: https://www.bbbonline.org/privacy/sample_privacy.asp
Cheskin Research and Studio Archetype/Sapient (1999), “E-commerce trust”, January, available at: www.studioarchetype.com/cheskin/
Desai, M.S., Richards, T.C. and Desai, K.J. (2003), “E-commerce policies and customer privacy”, Information Management and Computer Security, Vol. 11 No. 1, pp. 19-27.
Fox, S. (2000), “Trust and privacy online: why Americans want to rewrite the rules”, PEW Internet and American Life Project, available at: www.pewinternet.org/reports/toc.asp?Report=19
Gambetta, D. (1988), “Can we trust trust?”, in Gambetta, D. (Ed.), Trust: Making and Breaking Cooperative Relations, Basil Blackwell, Oxford, pp. 213-37.
Gauzente, C. (2004), “Web merchants’ privacy and security statements: how reassuring are they for consumers? A two-sided approach”, Journal of Electronic Commerce Research, Vol. 5 No. 3, pp. 181-98.
Graeff, T.R. and Harmon, S. (2002), “Collecting and using personal data: consumers’ awareness and concerns”, Journal of Consumer Marketing, Vol. 19 No. 4, pp. 302-18.
(The) Guardian (2002), “Welsh teen hacker sentenced”, The Guardian, 18 May.
Johnson-Page, G.F. and Thatcher, R.S. (2001), “B2C data privacy policies: current trends”, Management Decision, Vol. 39 No. 4, pp. 262-71.
Jupiter Media Metrix (2002), “Consumers worried about online privacy”, NUA Internet Surveys, available at: www.nua.ie/surveys/index.cgi?f=VS&art_id=905358019&rel=true
Milne, G. and Culnan, M.J. (2002), “Using the content of online privacy notices to inform public policy: a longitudinal analysis of the 1998-2001 US web surveys”, The Information Society, Vol. 18, pp. 345-59.
Organisation of Economic Cooperation and Development (1980), Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, OECD, Geneva, available at: www.oecd.org/document/18/0,2340,en_2649_201185_1815186_1_1_1_1,00.html
Pitkow, J.E. and Kehoe, C. (1997), Federal Trade Commission Workshop on Consumer Information Privacy Initial and Supplemental Comments, GVU Technical Report No. GIT-GVU-97-15a, Graphics, Visualization, and Usability Center at Georgia Tech University, Atlanta, GA, available at: ftp://ftp.cc.gatech.edu/pub/gvu/tr/1997/97-15a.pdf
PrivacyAffiliates.com (n.d.), “How to create a privacy policy in ten minutes flat!”, available at: www.privacyaffiliates.com
Ranganathan, C. and Ganapathy, S. (2002), “Key dimensions of B2C web sites”, Information and Management, Vol. 39, pp. 457-65.
Roy Morgan Research (2001), “Privacy and business”, report to the Office of the Australian Federal Privacy Commissioner, available at: www.privacy.gov.au/publications/rbusiness.html#4.1.1
Sheehan, K.B. (2002), “Toward a typology of internet users and online privacy concerns”, Information Society, Vol. 18 No. 1, pp. 21-32.
Tan, Y-H. and Thoen, W. (2002), “Formal aspects of a generic model of trust for electronic commerce”, Decision Support Systems, Vol. 33, pp. 233-46.
Timmers, P. (2000), Electronic Commerce: Strategies and Models for Business-to-business Trading, Wiley, Chichester.
TRUSTe (2004), “General TRUSTe application: frequently asked questions”, available at: www.truste.org/sealholders/faq_general.php#gen6
Turban, E., King, D., Warkentin, M. and Chung, H.M. (2002), Electronic Commerce 2002: A Managerial Perspective, Prentice-Hall, Upper Saddle River, NJ.
Udo, G.J. (2001), “Privacy and security concerns as major barriers for e-commerce: a survey study”, Information Management and Computer Security, Vol. 9 No. 4, pp. 165-74.
UMIST (2002), “Study of compliance with the Data Protection Act of 1998 by UK based web sites”, Office of the Information Commissioner, available at: www.co.umist.ac.uk/research/tech_reports/trs_2002_008_lam.pdf

Further reading

Boatwright, M. (2000), Privacy, Ethics and the Conduct of Business, 3rd ed., Prentice-Hall, Englewood Cliffs, NJ.
Campbell, D. and Connor, S. (1987), “Surveillance, computers and privacy”, in Finnegan, R., Salaman, G. and Thompson, K. (Eds), Information Technology: Social Issues, Hodder and Stoughton, Sevenoaks (originally published in Joseph, M. (Ed), On The Records).
Charters, D. (2002), “Electronic monitoring and privacy issues in business marketing: the ethics of the doubleclick experience”, Journal of Business Ethics, Vol. 35 No. 4, pp. 243-354.
Foremski, T. (2001), “IBM increases its focus on privacy and security”, Financial Times, 12 November.
(The) Guardian (2001), “Have the hackers got your number?”, The Guardian, 6 July.
Maury, M.D. and Kleiner, D.S. (2002), “E-commerce, ethical commerce?”, Journal of Business Ethics, Vol. 36 No. 1, pp. 21-31.
Spinello, R.A. (1995), Ethical Aspects of Information Technology, Prentice-Hall, Englewood Cliffs, NJ.

Appendix 1

Figure A1. List of organisations surveyed

Appendix 2

Figure A2. Data coding form