There is little legal protection of consumer information acquired onlineeither voluntarily or involuntarily1with the exception of some financial or medical transactions or collecting information from children. The Federal Trade Commission (FTC) has statutory authority to prohibit "unfair and deceptive" trade practices, which includes many tactics used by Web sites to acquire information online. The FTC, however, does not have the resources to comprehensively regulate the Internet. This implies consumers should be aware of privacy risks when visiting a Web site.
Although the FTC has intervened in one high-profile case where a Web site did not adhere to its stated policies concerning acquisition, storage, and use of information gathered from its customers, the enforcement of privacy promises made in cyberspace is perceived to be erratic at best.2 This study suggests consumers protect themselves by being selective in providing information that could be used in ways adverse to their interests. It uses an online survey that incorporates Web site screen captures to investigate consumer privacy fears and looks beyond consumer attitudes to investigate what Web sites can do to assuage consumer concerns about privacy.
The data from our study represents the opinions of 415 respondents. The survey was constructed to randomly provide each respondent with one of 30 Web pages to view while responding to the survey items. The 30 Web sites were equally divided between retail, medical/health, and financial sites. Within each of these three categories, 15 were well-known Web sites (as listed in the top 1,500 sites ranked by unique users in PC Data Online 2000; www.netscoreonline.com) and 15 were lesser known. Lesser-known sites, although professionally designed, are those that did not make the top 1,500. The survey consisted of 34 privacy-related statements where respondents answered using a 5-point Likert scale anchored by "Strongly Disagree" (1) and "Strongly Agree" (5).
Survey respondents were first asked to respond to the statement "I would provide the following information to this Web site" with regard to demographic, personal, medical, and financial information. According to our results, consumers are most willing to reveal their gender and age (mean responses of 3.52 and 3.45 respectively on the 5-point scale), and least willing to reveal their social security numbers (mean response of 1.46 on the same scale).3 This clearly indicates that consumers are protecting themselves by discriminating about information they are willing to reveal to certain Web sites.
Consumers are more willing to provide their home address, phone number, email address, Social Security number, and credit card number to a well-known site compared to a lesser-known site, in part because they have no confidence the e-commerce legal environment is secure.
Multivariate Analysis of Variance reveals a significant (p<0.05) overall effect for the type (retail, financial, or medical/health) of Web site with regard to the willingness of respondents to reveal information. Exploring these differences individually, five items were significantly different with respect to the type of site: age, gender, race, employer, and medical information (Table 1). Respondents were more likely to provide their gender, race, employer information, and medical information to health sites when compared to retail sites. They also indicated they would have more confidence in the privacy practices of the retail site if it possessed a Web seal. When comparing health sites with financial sites, the differences were less striking, but respondents were more inclined to provide their employer and medical information to the health site. These results could be attributed to legislation that protects bank records and medical records, as well as the lack of legislation surrounding retail sites.
Of the 415 respondents, 217 viewed one of the 15 lesser-known sites while 198 viewed one of the 15 well-known sites. The stated willingness to provide phone number, home address, email address, Social Security number, and credit card number to Web sites was significantly different with respect to whether the Web site was well known or not well known. Although the respondents as a whole responded negatively to providing these five pieces of information to the observed Web site, the level of negativity was much higher with the lesser-known Web sites (see Table 1). We can infer that consumers are more willing to provide their home address, phone number, email address, Social Security number, and credit card number to a well-known site compared to a lesser-known site, in part because they have no confidence the e-commerce legal environment is secure.
The Graphics, Visualization & Usability (GVU) Center at Georgia Tech implemented a privacy/security survey five years ago that indicated 75% of their respondents would be willing to use their credit card number online (www.gvu.gatch.edu/user_surveys/). Our survey went a bit deeper to discover what influences this behavior and we discovered it depends significantly on the brand name status of the Web site. Shown a well-known Web site, 18% of our respondents indicate willingness to provide their credit card number online while only 3% indicate willingness to provide the same information when shown a lesser-known site.
We also discovered several items significantly influenced by age, particularly when comparing consumers between 15 and 35 years old with those over 35. Statistical tests reveal significant differences in the two groups for the following items:
Furnell and Karweni [1] implemented a survey of consumers and businesses that showed 87.5% of surveyed consumers expect to see comprehensive information regarding privacy policy when visiting a commerce Web site. Interestingly, respondents in our study were not consistent about reading privacy policies. Only 54% of respondents indicated they would read the privacy policy upon first visiting the observed Web site. This percentage did not differ significantly between site categories or brand status. However, 66% indicated increased confidence in the Web site if a privacy policy is present. This might imply that most Internet users are reassured by the presence of a privacy policy, but are less concerned about specific provisions of the policy.4 In addition, some visitors may naively believe that because a privacy policy exposes a Web site to potential legal action, a Web site will always adhere to its policy.
A somewhat surprising 39% of respondents indicated that seeing a well-designed Web site would positively influence their behavior relating to privacy. Not surprisingly, 76% of our respondents consider having the option to opt out (or disallow distribution or sale of personal information) as a factor that influences their confidence in the privacy practices of the Web site (Table 2). Thus, Internet companies should consider employing the opt-out option on their sites. During the 107th Congress, Senator Fritz Hollings of South Carolina introduced the Online Personal Privacy Act (S.2201), which would make it mandatory for Web sites that collected personally identifying information to offer opt-out options to consumers.
The typical offerings Web sites use to induce consumers to reveal information about them include the opportunity to receive targeted postal mail, targeted email, cash, coupons, gifts, and participation in a contest or lottery. None of these inducements were very appealing to the survey respondents, although they reacted more favorably to cash, coupons, and gifts than they did to targeted postal mail or email.
Lack of legal remedies for misuse of information provided to Web sites causes consumers to be discriminating about the information they reveal online and to what Web sites they reveal the information. It is possible the growth in e-commerce is slowing and the potential efficiency of the Internet is affected because of consumer unwillingness to supply information. Relative to retail and financial Web sites, consumers appear more willing to reveal personal information to health-oriented Web sites. In several instances, consumers appeared more willing to provide information if the Web site is a well-known site. Web sites that provide a privacy statement, opt-out features, and third-party seals can allay some consumer concerns about unexpected privacy invasions, but the evidence is not particularly strong.
Survey respondents were very aware of the possible negative consequences of allowing personal information to fall into the wrong hands and appeared particularly concerned about lack of control of their information and unauthorized redistribution. In general, the respondents to our survey did not appear particularly impressed with the typical emoluments offered by Web sites in return for information, though these offerings were relatively more attractive to young people. Overall, the responses of consumers reveal the expected: since the legal environment is uncertain, people protect themselves by being very careful as to what and to whom they reveal personal information.
1. Furnell, S.M., and Karweni, T. Security implications of electronic commerce: A survey of consumers and businesses. Internet Research: Electronic Networking Applications and Policy 9, 5 (1999), 372382.
2. Volokh, E. Personalization and privacy. Commun. ACM 43, 8 (Aug. 2000), 8488.
1The lack of legal protection for information acquired or disclosed online is a point made by Volokh [2]. The Gramm-Leach-Bliley Act provides consumers privacy protection for their bank records, regulations issued pursuant to the Health Insurance Portability and Accountability Act (HIPAA) do the same thing for medical records, and the Children Online Privacy and Protection Act (COPPA) regulates acquisition of information from children online.
2Federal Trade Commission Geocities; Analysis to Aid Public Comment, 63 Federal Register 44624 (Aug. 20, 1998).
3The other categories of information respondents were asked are listed in Table 1. Statistical summaries to these inquiries are available on request from the authors.
4A content analysis of privacy policies is the topic of Anton, Earp, and Reese's Analyzing Web Site Privacy Requirements Using a Privacy Goal Taxonomy. In Proceedings of the IEEE Joint International Conference on Requirements Engineering, (2002), 2321.
Table 1. Statistically significant response differences based on the types of Web site (retail, financial, health/medical) and the brand name status of the Web site (well known, lesser known).
Table 2. Rank ordering of stated influential factors in confidence of privacy practices of Web site.
©2003 ACM 0002-0782/03/0400 $5.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2003 ACM, Inc.