
Mary J. Culnan, Slade Professor of Management and Information Technology
Bentley College
How Privacy Notices Promote Informed Consumer Choice [pdf]
The first principle of the original fair information practices – that there should be no secret systems – is fundamental to the ability of individuals to assert their interest in the privacy of their personal information. To assure openness about the existence and operation of data collection systems, collectors of personal information post privacy notices – statements that represent, among other things, the manner in which the collector acquires, uses, shares, protects and provides access to an individual's personal information.
As privacy is often defined as the ability of individuals to exercise control over the disclosure and subsequent uses of their personal information (Westin 1967), notice is fundamental to the individual's ability to protect his or her privacy. The representations that organizations make about their information collection and sharing practices provide the basis for consumers to make informed decisions about whether or not to disclose their personal information. Notice alone does not insure that an organization abides by its policy or observes fair information practices, or that individuals can pursue a complaint against the organization. It is nonetheless the lynchpin of the fair information practices of notice, choice, access, security and enforcement, as without notice, individuals have no knowledge about the organization's information practices and no basis for deciding whether or not to interact with the organization.
This paper presents a conceptual framework for the design of effective online privacy notices using product labels and warnings as an analogy. The paper first discusses how privacy notices help promote informed decisions by consumers. Second, it describes consumer attitudes toward current privacy notices and how the functions of privacy notices drive their format. The paper concludes with a discussion of unresolved policy issues.
Information plays two widely-recognized roles in consumer decision-making. First, it provides the basis for informed choices by consumers and allows for comparisons across alternatives. For example, consumers can use food labels to choose a breakfast cereal that is lower in sugar or higher in vitamins than other cereals on the shelf at the grocery store. Second, information provides a way for consumers to manage risk. Product labels may signal that the item should not be used in a certain environment, in a particular manner, by certain individuals, or around children because of the risks such uses may pose. In both instances, information helps consumers decide which products to purchase and as a result, helps to drive markets (Beales, Craswell and Salop, 1981).
Similarly, privacy notices can help consumers decide whether to disclose their personal information to a particular organization, or even whether or not to start or continue a relationship with the organization. Research shows that people perform a simple risk-benefit calculation in deciding whether or not to disclose their personal information (e.g. Laufer & Wolfe 1977). If the benefits of disclosure outweigh the risks, both present and future, consumers are more likely to disclose. Privacy notices, when properly drafted and prominently posted, may provide the information needed to evaluate the risks of disclosure, and in doing so, provide consumers with the assurances of autonomy they need to participate in the digital economy.
Privacy notices differ from food or other product labels, however, in at least two important ways. First, while product labels are backed by regulations mandating health and safety requirements that establish consistent baseline expectations on the part of consumers, privacy notices are not. Consumers are left to decide whether the organization's information practices are safe or respect their interest in controlling the collection, use and sharing of their personal information. Second, product labels represent the end result of a manufacturing process. The product as purchased is set – the consumer maintains control over its use and can avoid the risk of harm from its use, assuming the label is clear and the consumer reads and understands it.
Privacy notices, by contrast, are intended to inform consumers about how their personal information will be used as inputs to a set of ongoing, dynamic business practices that are likely to vary from firm to firm and from industry to industry. In addition, once personally identifiable information is disclosed, the consumer loses control over its subsequent use, as information can be used indefinitely and the organization, not the consumer, controls these future uses. In many cases, these future uses of personal information are likely to reflect new business processes that were unanticipated when the privacy notice was drafted, and therefore not disclosed to the consumer. In spite of these differences, however, food and product labels provide a useful analogy for discussing privacy notices.
While privacy notices are expected to serve an essential function in providing transparency, the results of two national studies released in fall 2001 suggest that the effectiveness of current notices is limited. The results of both of these surveys of consumer attitudes toward privacy notices were presented at the Get Noticed Interagency Workshop convened by the Federal Trade Commission ("FTC") in Washington DC in December 2001 (see: www.ftc.gov/bcp/workshops/glb/index.html). One study conducted by the Privacy Leadership Initiative ("PLI") included questions about both online and offline notices. A second study was conducted by Professor Mary Culnan of Bentley College and Professor George Milne of University of Massachusetts-Amherst.
Culnan and Milne found that 17% of the public never read online privacy notices. The main reasons given for reading the policy related to risk management. Consumers sought assurance that it was safe to use a credit card; to learn whether the site shares personal information with other companies; or to familiarize themselves with a company whose reputation they did not know. The PLI survey found that 31% of the public spends little or no time reading online privacy notices. Study respondents indicated that it was important that the privacy notice specify what personal information is collected and how it is used internally, whether the information is shared with other organizations and how their information could be removed from the company's database.
In both surveys, respondents indicated that current privacy notices are too long, contain too much legal jargon, or are too hard to read. Those surveyed said they often did not want to pause to read privacy notices because of a lack of time or interest, and a sense that all privacy notices say the same thing and are, therefore, not useful. Some respondents indicated that they only interacted with Web sites that are familiar or trusted, obviating the need to read the privacy policy.
To promote informed decisions by individuals, privacy notices should be concise, clearly written, and comprehensive. However, as discussed earlier in this paper, difficulties encountered in creating effective privacy notices are well documented by the two consumer surveys.
Like product and food labels, privacy notices serve more than one function, influencing the manner in which they are written and presented to consumers. First, they act as a vehicle by which an organization communicates its information practices to individuals. Second, they form a basis for evaluating the organization's compliance with laws or self-regulatory programs. But whereas food and product labels successfully both inform consumers and provide the basis for verifying the accuracy of their representations through laboratory product testing, a single privacy notice is unlikely to perform both the communication and compliance functions effectively for the reasons described above.
The role of privacy notices in informing users derives from the first principle of fair information practices that there should be no secret data systems. As such, the privacy notices must clearly state to consumers that information collection will occur, how it is accomplished, the manner and purposes for which the information will be used, and the choices consumers may have about the sharing of information. To assure that notices meet the goal of informing consumers, it is crucial that the information provided be clear, concise and comprehensive, a goal difficult to achieve when describing dynamic business information practices and future uses of personal information.
Privacy notices also serve a compliance function when the organization is governed by law or participates in a self-regulatory program. For example, both the Children's Online Privacy Protection Act ("COPPA") and the Gramm-Leach-Bliley Act ("GLB") specify notice requirements for Web sites targeted at young children and financial institutions respectively. For other organizations, the posting of the notice may invoke FTC jurisdiction for unfair and deceptive trade practices if their information practices vary from what they have disclosed in their privacy notice. As a result, companies are concerned about liability, and will often assign the drafting of the notice to their legal department. In an effort to create a comprehensive statement of information practices that avoids liability with the FTC or other regulatory agencies, attorneys often draft notices that resemble a legal document. While comprehensive, the statements are so lengthy and full of legal language that they arguably do little to assist the average consumer in understanding a company's privacy practices.
In addition to endeavoring to draft notices that fulfill these information and compliance functions, corporate counsel may anticipate the perception that a posted privacy policy is an offer of a contractual relationship with the consumer. If the policy functions in this manner, counsel is more likely to craft a policy that anticipates any possible eventualities of an ongoing relationship governed by contract. As a result, the notice may be drafted with potential contract litigation in mind, employing language that is vague and open ended, and that does not clearly delineate reliable information practices.
In 1998, the FTC conducted the first Web survey to measure how many Web sites posted privacy policies that represented the basics of fair information practices: notice, choice, access, and security. Subsequent surveys have been conducted annually. The results of these surveys provide one way to assess the extent to which industry is adopting data management procedures that incorporate principles of fair information practices.
The results of the 2000 and 2001 surveys conducted by the FTC and the Progress and Freedom Foundation ("PFF"), respectively, suggest that voluntary efforts toward posting comprehensive privacy notices have reached a plateau. Table 1 summarizes some of the key findings for the two most recent studies. While nearly all Web sites collect some personal information, close to 20% of these sites sampled in 2001 do not post a privacy policy. Further, the majority of privacy notices do not include all elements of fair information practices.
In addition to the fact that most current privacy notices are incomplete, the results of the two consumer surveys on notice described above indicate that current notices are not effective. In the PLI survey, a large majority of consumers expressed a preference for short privacy notices (77%) with a common format to facilitate comparisons across organizations (70%). This clearly suggests the need for a layered approach to online notices: a short notice perhaps similar to a food label that is linked to a longer notice fully describing the organization's information practices. The consumer surveys suggest that whether or not a firm shares the personal information with other organizations would top the list of elements that should be included in any short notice.
Notice of a company's privacy policy that is clear, comprehensive, communicates effectively to users and facilitates informed consumer choice is essential to good privacy protection. An effective privacy notice can also serve as a potential source of competitive advantage by providing consumers with an additional reason beyond the attributes of the product or service to select a particular organization over its competitors. Because notice is such a fundamental element of fair information practices, it is critical that consumers can consistently rely upon finding privacy notices at all Web sites – even if a site does not collect any personal information. A baseline requirement to post a privacy notice provides consumers with the information necessary to promote informed choice. Without a privacy notice, the consumer has no basis for knowing if the organization does not collect any personal information, or if it collects personal information and has chosen not to disclose its information practices.
But notice alone is not enough. Food and other product labels derive much of their effectiveness from laws that demand standards of safety and quality from producers. Privacy notices would be more useful to consumers if they could build upon an expectation – established in law – that companies will make consistent disclosures about their uses of personal information. This would include a requirement to post a privacy notice and standards for the content of the notice such as a requirement to describe whether or not personal information is shared with other organizations in ways that are unrelated to the original transaction, and how the consumer can object to this sharing.
Even in an environment that would provide for ubiquitous posting of privacy notices that meet certain requirements, the experience with Gramm-Leach-Bliley privacy notices suggests it is critical that the utility of notices be enhanced. Significant research is needed to determine what kinds of information practices are of greatest concern to consumers and need to be disclosed, what language communicates well to consumers and how privacy notices optimally should be presented to promote consumer choice across alternatives. Building on this knowledge, laws about posting privacy notices and implementing regulations should not foreclose the use of alternative formats that enable the website to communicate effectively with consumers while complying with legal requirements.
| Finding for Random Sample | 2000 FTC Web Survey (281 Sites) | 2001 PFF Web Survey (223 Sites) | % Change | Statistical Significance |
|---|---|---|---|---|
| Web Sites posting a privacy policy | 65.8% | 76.7% | +10.9% | p < .01 |
| Provide notice about what information is collected | 71.2% | 73.5% | +2.3% | Not significant |
| Provide notice about cookies | 48.0% | 57.4% | +9.4% | p < .05 |
| Provide notice about exercising choice | 75.4% | 72.1% | -3.3% | Not significant |
| Provide notice about security | 30.6% | 32.7% | +2.1% | Not significant |
Note: Analysis is based on comparable Web sites from both studies; therefore, percentages differ from the raw percentages reported in the two studies. The 2001 survey did not include any questions about access.
Source: Milne, George R. and Mary J. Culnan. Using the Content of Online Privacy Notices to Inform Public Policy: A Longitudinal Analysis of the 1998-2001 U.S. Web Surveys. The Information Society, 2002.
Beales, Howard, Richard Craswell and Steven C. Salop. The Efficient Regulation of Consumer Information, Journal of Law & Economics, Vol. 24, p. 491-539, December 1981.
Culnan, Mary J. and George R. Milne. The Culnan-Milne Survey on Consumers and Online Privacy Notices, November 2001. Available at: http://intra.som.umass.edu/georgemilne/pdf_files/culnan-milne.pdf.
Federal Trade Commission. Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress, May 2000. Available at: http://www.ftc.gov/reports/privacy2000/privacy2000.pdf.
Laufer, R. S., & Wolfe, M. Privacy as a concept and a social issue: A multidimensional developmental theory. Journal of Social Issues, 33, 22-42, 1977.
Milne, George R. and Mary J. Culnan. Using the Content of Online Privacy Notices to Inform Public Policy: A Longitudinal Analysis of the 1998-2001 U.S. Web Surveys. The Information Society, 2002.
Privacy Leadership Initiative. Privacy Notices Research Final Results, November 2001. Available at: http://www.understandingprivacy.org/content/library/datasum.pdf.
Adkinson, W.F., J.A. Eisenach and T.M. Lenard. Privacy Online: A Report on the Information Practices and Policies of Commercial Web Sites. Washington: Progress & Freedom Foundation, March 2002. Available at: http://www.pff.org/publications/privacyonlinefinalael.pdf.
Westin, Alan F. Privacy and Freedom, New York: Atheneum, 1967.
The Center For Democracy & Technology, 1634 Eye Street NW, Suite 1100, Washington, DC 20006. (v) 202.637.9800 (f) 202.637.0968. Copyright © 2005 by Center for Democracy and Technology.