1 / 21

University of Waterloo Centre for Information Systems Assurance

The Effect of Involvement and Privacy Policy Disclosure on Individuals’ Privacy Behaviour. University of Waterloo Centre for Information Systems Assurance 5 th Symposium of Information Systems Assurance October 11 -13, 2007. Discussant’s Comments Robert G. Parker MBA, FCA, CA*CISA, CMC.

breanna-mccall
Download Presentation

University of Waterloo Centre for Information Systems Assurance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Effect of Involvement and Privacy Policy Disclosure on Individuals’ Privacy Behaviour University of Waterloo Centre for Information Systems Assurance 5th Symposium of Information Systems Assurance October 11 -13, 2007 Discussant’s Comments Robert G. Parker MBA, FCA, CA*CISA, CMC

  2. Overall Impression Good paper, I enjoyed reading it There is not enough known about the impact of privacy concerns on eCommerce Provides useful insight into individuals privacy behaviour The paper appears to assume that eCommerce users understand what privacy really means Experience has shown that privacy is frequently confused with confidentiality and security

  3. Privacy Defined Privacy is about fair information practices A set of policies, principles and procedures designed to ensure the fair, lawful and ethical collection, use and disclosure of personal information, which give respect to the rights of the individual Robert G. Parker Unpublished Manuscript - 2004 The AICPA-CICA definition of privacy states that: Privacyencompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personal information. AICPA - CICA - 2002

  4. Abstract The authors state that: “Privacy emerges as a critical issue in an e-commerce environment because of a fundamental tension among corporate, consumer, and government interests” In Canada, eBusiness appears to be business as usual without provision for real choice. The real concerns currently are security and identity theft Need for a crisp definition of high privacy involvement, as the reader is left to consider whether that means: Sensitivity of information requested, Security over that information Impact if information is misused Fair information practices Amount of information requested Type of information requested

  5. Abstract The discussion on privacy seals leaves the reader wondering if the failure of privacy seals to impact the willingness to provide personal information was due to: Individuals do not understand the seal They do not trust the seal Because nothing is going to change an individual’s preconceived ideas about privacy on the web

  6. Introduction The authors states that “customers’ concerns about privacy have put pressure on them to develop customer-focused privacy practices.” What appears to have happened is that: • Companies develop privacy policies that addressed the optics • Back office systems were not changed • Training of staff was not rigorously carried out • Other legislative and regulatory imperatives absorbed management’s focus Canadian Model of Knowledge & Consent vs. Notice & Choice • Users are not provided with the opportunity or ability to make changes

  7. Literature Reviews The authors’ site research conducted by Georgia Institute of Technology, in which Koyuncu and Lien (2003) found that privacy concerns contribute negatively to consumer’s online purchasing decision The paper focuses on the impact of the privacy policies; the examples provided may be impacted more by news articles, TV and other privacy “noise” than the degree to which a particular privacy policy may impact the individual’s decisions or behaviour. In other research discussed one must consider the relevancy in view if the rapid changes in privacy, particularly California SB 1386 in 2004 and the ramping up of the Federal Trade Commission’s rulings in 2005 and 2006.

  8. Theory & Hypotheses The Authors Appear to Adopt the Premise That: • Customers’ behaviour is affected by customers’ privacy concerns, companies’ privacy policy disclosures, and company characteristics such as the trustworthiness of a company, and • Education level, income level, and online experience have a positive effect on consumer’s online purchasing decision, but privacy concern contributes negatively to consumer’s online purchasing decision. The second theory may be intuitively obvious. However, one would likely want to also consider: • generation gap issues (perhaps partially explained through online experience) • weighting amongst education, income and on-line experience

  9. Theory & Hypotheses I mentioned earlier that I would discuss “involvement” and “impact”. The authors consider that it is “reasonable to expect that the individuals’ behaviour might be different depending on their involvement with privacy”. The authors reference Rothschild (1984), who defines involvement is “an unobservable state of motivation, arousal or interest.” When adopting the Elaboration Likelihood Model (ELM) to explain how variables influence an individual’s attitude the authors should also consider the extent to which they read and understand the pages of information dealing with privacy. (the authors did measure time on the web page) One of the Canadian financial institutions posted a 42 page privacy policy How may of you read the entire license agreement prior to installing a new piece of software?

  10. Theory & Hypotheses One page 8 the authors indicate that: “Since involvement might have an impact on individuals’ attitudes toward privacy and their behaviour, it is anticipated that there is a relationship between the level of privacy involvement and individuals’ behaviour in terms of reading the privacy policy statement when they are requested to provide personal information on a web site”. This assumption must be based on the premise that the individuals reading the privacy notice fully understand what privacy means. Most readers do not even understand the difference between privacy and confidentiality and are most likely more concerned about identity theft and/or security. After searching the web for hours and finally finding the product you need, few would let it slip through their hands because they didn’t like the company’s privacy statement.

  11. Theory & Hypotheses The authors go on to state that “it is expected that when customers are under high privacy involved situations in which they are motivated to think about privacy, they will carefully examine all available privacy relevant information such as privacy policies and come to a judgment on the company’s privacy practices based on the quality of the information they find”. I find this somewhat simplistic; from a purchaser’s perspective the question in my mind is likely “Is what they have what I want, at the price I am willing to pay”. Then I consider that “I have searched for months and finally I have found it.” – Oops I don’t think their privacy policy provides sufficient information What do you do? Oh well, CLICK”

  12. Research Methodology I like the approach I liked the fact that they highlighted some of the deficiencies The choice of personal information of screen 9/23 which purports to acquire data on sensitive personal information; unfortunately financial and health information was omitted. Financial information such as bank account or credit cared number used in executing an eBusiness transaction and health information such as that required to be disclosed when applying for travel insurance online may well have changed the results which currently rank SIN and Student Number as the two highest sensitivity items.

  13. Research Methodology On the “additional information” screen (all screens should be identified with a unique number or other identifier for reference and trouble shooting) respondents are asked to provide their Social Insurance Number for a chance to win $100. The results obtained using this form of request may not be as conclusive as the request to provide the SIN number was not part of executing the transaction

  14. Research Methodology On page 15 the authors state ”type of information requested has effect on customers’ privacy concerns (e.g., Ackerman et al., 1999; Earp and Baumer, 2003) and purchase intention (e.g., Malhotra et al., 2004; Phelps et al., 2000). While the relationship between personal information requested and privacy concerns appears valid, the impact on purchase intention may be less clear unless the prior studies included an analysis of purchase intentions that existed but which were consummated through different channels. What would be interesting is to see if they abandoned the purchase altogether or whether they adopted a different channel. Perhaps the current research should have included different channel purchases in their analysis.

  15. Research Methodology On page 20 the authors provide information on the responses received and indicate that “92 percent reported that they had online transaction experiences such as ordering consumer goods, subscribing services or registering on web sites for online services. On average, they conducted online transactions 10 times in the past twelve months. A total of 179 participants (85.2%) had seen the privacy policy statement attached to some web sites. Because the perceived risks of eBusiness differs depending upon the type of products purchased and the business the individual is dealing with, it would have been beneficial to know what the respondents had purchased in the past (travel, entertainment tickets, books, CDs DVDs, computer software or clothes). It would also have been interesting to know the country from which they purchased the goods and whether the vendor was a household name, an unknown vendor or an auction site.

  16. Research Methodology On page 21 the authors state that “respondents tended to have low trust in e-commerce companies”. This response would benefit from a comparison. For example, it would be interesting to know the level of trust of similar business in different environments, such as banks in a bricks and mortar environment as compared to an eBusiness environment. Do banks have a lower trust on the Internet than in a bricks and mortar environment?

  17. Discussion and Implications The study appears to focus on the willingness to provide personal information, and while an indicator, from a business perspective perhaps what is more important is whether the individual used their feelings about the company’s privacy policies and practices to influence their ultimate decision, in other words, did they still execute the purchase. Whether or not a privacy statement is read, or whether or not specific information is provided is not as compelling as whether or not they executed a purchase transaction. Sometimes individuals feel uncomfortable in providing personal information. However, in order to obtain what they want, whether a loan from the bank, tickets to the concert or a book they cannot find elsewhere, they are willing to accept the “risk” that their personal information may be misused in order to get want they want

  18. Discussion and Implications The authors indicate a weakness on page 34-35 in that “Individuals’ behaviour with respect to reading privacy policy statement was measured by examining whether they opened the privacy policy statement Web page as well as the number of seconds they spent in the Web page. However, the study did not measure whether respondents in fact read the privacy policy statement as well as their understanding of the privacy statement”. While the authors acknowledge two items, whether respondents in fact read the privacy policy statement as well as their understanding, they also have to consider their level of understanding, whether they had sufficient privacy knowledge to fully assess the company’s privacy statement, their appreciation of the meaning of the privacy statement, their appreciation of the privacy risks associated with the privacy statement and whether they used that appreciation to guide their decision whether or not to engage in eBusiness.

  19. Discussion and Implications Did the paper contribute to the understanding of the relationship between individuals’ privacy behaviour and their degree of involvement in use of the company’s privacy statement? • Perhaps what we really need to understand is: • What personal information is collected • How that personal information is used • How disclosure of that personal information made, and • To whom One then needs to determine the likely result that each of these will have on whether or not an individual engages in eBusiness.

  20. Discussion and Implications Further, we need to fully understand what activities, opportunities, choices, etc., about the collection, use and disclosure of personal information are likely to enhance the likelihood that the individual will engage in eBusiness. With this information one could provide guidance on privacy policies, practice, procedures and privacy notice and choice. . Then we might see progress in user understanding of privacy and corporate responsibility in the collection, use and disclosure of personal information

  21. Thank You For The Opportunity To Discuss This Paper

More Related