acm-header
Sign In

Communications of the ACM

Communications of the ACM

Do Consumers -nderstand the Role of Privacy Seals in E-Commerce?


E-Commerce sales in the U.S. totaled $56.0 billion in 2003, an increase of 26.4% over the 2002 total of $44.3 billion [7]. This increase was achieved at a time when the U.S. economy teetered in and out of recession. While e-commerce sales are expected to grow rapidly, Jupiter Research speculates that privacy concerns will cause billions in lost sales for Internet-related businesses [2]. Although all commercial and business transactions require an element of trust, the amount of data required to complete an online B2C transaction and the potential for fraud has continually raised privacy concerns [1, 9].

Privacy (or Web assurance) seals such as TRUSTe, CPA WebTrust, and BBBOnline have been developed by the e-commerce industry in order to persuade B2C consumers that a particular Web site can be trusted. "Trust" is typically defined with social connotations in terms of a reliance on the integrity, veracity, or reliability of a person (or thing) to fulfill a promise or complete a task. Engendering trust in online consumers is now seen as a critical component of any successful e-business strategy [8].

On the other hand, evidence suggests that neither online consumers nor e-commerce sites themselves are interested in dealing with the complicated issues surrounding trust. For instance, in a recent survey of over 2000 U.S. residents by Harris Interactive, 64% of respondents admitted they rarely or never read Web sites' privacy policies, with 40% citing a lack of time and interest [6]. This is perhaps just as well, since a worldwide study of Web sites by consumers advocacy group Consumers International found that only 58% of Web sites display a privacy policy [5].

The aim of this study, therefore, is to answer the basic question of whether online consumers understand or care about privacy seals and whether such measures have any impact on their propensity to shop online. It will be shown that while respondents understand that privacy seals have something to do with promoting trust online, they are generally unaware of what a site must do to acquire a seal, or even what a genuine seal actually looks like. Furthermore, while almost all of the respondents had bought online, less than one-third would only trust a site with a seal. The results suggest that serious questions should be asked of the role of privacy seals in developing a trusting relationship between a commercial Web site and online consumers.


While respondents understand that privacy seals have something to do with promoting trust online, they are generally unaware of what a site must do to acquire a seal, or even what a genuine seal actually looks like.


Back to Top

A Review of Privacy Seals

The three major privacy seals are TRUSTe, CPA WebTrust, and BBBOnline. The TRUSTe program (www.truste.org) was released in June 1997 by a consortium of CommerceNet, the Electronic Frontier Foundation, and the Boston Consulting Group. CPA WebTrust (www.cpawebtrust.org) was released in September 1997 by the American Institute of Certified Public Accountants (AICPA), with Version 3.0 released in November 2000. BBBOnline (www.bbbonline.org) was released in March 1999 by the Better Business Bureau.

The process of acquiring a seal typically involves writing a privacy policy and a self-assessed questionnaire on business practices. The material is then submitted to the trust organization for review and approval. All three seals attempt to embody fair information practices similar to those supported by the U.S. Federal Trade Commission, U.S. Department of Commerce, and other industry associations such as the Online Privacy Alliance (www.privacyalliance. org). For instance, in order to be TRUSTe-compliant, the Web site must agree to the program principles, and abide by the TRUSTe's oversight and resolution procedures. The program principles state that a privacy policy must be displayed on their site that clearly states what personally identifiable information is collected. The principles also require that users consent to how that data is used and shared.

The site must also have adequate security measures to safeguard customer information. The oversight procedures include "seeding" user information to see whether Web sites are complying with their stated policies. Complaints are dealt with under a resolution process that could potentially escalate from TRUSTe mediation, to onsite compliance reviews by official auditors such as PricewaterhouseCoopers, to referral to the appropriate government agency. The other two seals outline similar principles, although BBBOnline does not have an oversight procedure, and CPA WebTrust has no oversight or complaint procedure.

The cost of acquiring a seal is typically determined by a sliding scale depending on the company's annual revenue and/or number of brands, with TRUSTe charging from $599 (single brand, annual revenue less than $5 million), up to $75,000 for an enterprise with up to 300 brands. BBBOnline is somewhat less expensive, with a sliding scale ranging from $200 to $7,000. Because CPA WebTrust requires the assessment to be carried out by a certified public accountant the cost depends on the time the CPA takes to inspect the Web site, estimated at between 50–100 hours [4]. Cost may explain why, as of October 2004, CPA WebTrust has only approximately 40 recipients, while TRUSTe has around 1,300, and BBBOnline around 600. Notable seal recipients include America Online, AT&T, Bell Canada, IBM, Intel, Microsoft, and Hewlett-Packard.

A number of other privacy and general Web assurance seals have also been developed, including BetterWeb by PricewaterhouseCoopers (www.pwcbetterweb.com), WebAssured's Online Purchase Protection program (www.WebAssured.com), and Good Housekeeping's Web Site Certification (www.ghcertificate.com). WebAssured is probably unique in publishing a WatchList of companies that have had serious complaints filed against them, and a ShopAssured browser plug-in warns surfers if they happen to come across a Web site known to be unscrupulous.

The main criticism of these seals is the assurance organizations, such as TRUSTe, AICPA, and BBB, have no real power to deal with abuses, although TRUSTe for one has shown its willingness to challenge abuses, such as its pursuit of the bankrupt e-tailer Toysmart.com that attempted to sell its customer database [2]. Since then, however, a number of Web sites have included a disclaimer in their privacy statement that allows the sale of customer data should all or part of the business be sold in the future. Such Web sites include Amazon and eBay.

Back to Top

The Study

The study was part of class exercise that involved students searching five well-known Web sites (Yahoo!, Dell, Compaq, Barnes & Noble, and Amazon) for information on goods or services. A sample of 143 students participated in the study. Although there is likely to be some deviation between responses from students and the rest of the population, the sample represents the Web-aware digital generation, and hence, the future of online consumption. The demographics confirm this suggestion with 120 respondents (84%) reporting they have previously bought online.

After completing the required tasks, respondents were presented with the privacy seal graphics and asked whether they recognized any of the seals, namely, TRUSTe, CPA WebTrust, and BBBOnline (see the figure here). To further test their response, a fourth, fictitious seal was also presented, namely, the "Web Shield." This "stars and stripes" graphic was borrowed from Microsoft's ClipArt and introduced into the study to determine the extent to which respondents are actually recognizing a legitimate seal, rather than merely responding to the plausibility of a graphic image.

Eight questions were then presented that investigated the subjects' understanding of what a privacy seal is, and what a Web site must do to acquire one. Each question was answered "Yes," "No," or "Not sure." The subjects were asked whether privacy seals are designed to increase trust, whether Web sites are required to post privacy policies in order to qualify for a seal, whether any third-party assessment of business practices is involved, and whether any fee is required to apply for or receive a seal. The respondents were also asked whether they would only trust a Web site with a seal.

In terms of recognizing the seals (see Table 1), 60 respondents (42%) recognized TRUSTe, followed by 41 respondents (29%) who recognized BBBOnline. The suggestion that respondents may be confused by the presence of official-looking graphics was confirmed, however, by the fact that 21 respondents (15%) reported recognizing the fake seal Web Shield—exceeding the number of respondents who recognized the genuine CPA WebTrust seal by 10. This finding suggests that any official-looking graphic placed on a Web site has an equal chance of persuading the consumer that the site is trustworthy, regardless of any relation between that graphic and the actual Web assurance seals.

A summary of the responses to the eight questions is given in Table 2, including expected and actual results. The actual results are interpreted in terms of a significant deviation from an even distribution of one-third of the responses appearing in each of the three response cells (Yes/No/Not sure). Given a sample of 143, an even distribution would have approximately 48 responses in each cell. A significant deviation from this null hypothesis can be tested using a chi-square distribution with two degrees of freedom.

A sensitivity analysis of the critical chi-square values suggests there must be 62 responses in a cell to exceed the critical chi-square value at the 5% confidence level, and 65 to exceed the critical chi-square value at the 1% confidence level. As such, it will be assumed that 62 or more responses in a response cell (Yes/No/Not sure) count as weak agreement, while 65 or more responses in a response cell count as strong agreement.

On this basis, there is strong agreement from the sample that Web assurance seals are designed to increase trust (Q1), and that Web seals have a click-to-verify function (Q4). There is also strong agreement that not every site that applies for a seal gets one (Q6), and that a Web site must display a data privacy notice in order to get a seal (Q7). All of these assertions are true, although the seal organizations do not actually publish figures on the number of sites that fail in their applications for a seal. In short, most of the subjects in this study seem to have a basic understanding of the function of these seals.


In order for privacy seals to be effective, B2C Web sites must display them more prominently so that online consumers can begin to recognize these graphic images and understand their function.


The problem, however, becomes clear when we observe those questions with which the respondents are uncertain. This confusion is seen most strongly with questions regarding the need for Web sites to declare how they collect and share customer information (Q2), the role of third-party assurance organizations (Q3), the financial cost of applying for a seal (Q5), whether all that applies for a seal get one (Q6), and the need to display a privacy statement (Q7). Combining the lack of recognition of Web assurance seals with the overall confusion regarding what a Web site must do in order to acquire a seal, it is perhaps not surprising to find there is no statistical agreement or disagreement, weak or strong, to the question of whether a site is only trustworthy if it has a Web assurance seal (Q8).

These questions are related to factors meant to lead an online consumer to trust a Web site. For instance, stating how a Web site collects and shares customer data is the baseline requirement for any Web assurance seal, and it is interesting to note that although study respondents clearly recognize the role of a seal in promoting trust, they do not know that stating how customer data is used is the very thing that is supposed to engender that trust. There also seems to be no recognition between the seal and the fact that its assurance derives from a third-party organization, such as TRUSTe, AICPA, or BBB. Third-party involvement is supposed to strengthen the power of the seal by alluding to an independent verification of the policies of the Web site.

Back to Top

Conclusion

The results of this study suggest that respondents do not fully understand the form or function of privacy seals, few can recognize the genuine article, some "recognize" seals that do not exist, and few see them as important in deciding to trust a Web site. While the respondents in this study have a basic understanding of the connection between a privacy seal and trust, there is little recognition of the seal graphics themselves. There is also a lack of understanding of crucial trust-engendering properties, such as the need to post a privacy statement on a Web site, and assessment by a third party. This suggests that privacy seals are failing to play their intended role of allaying the fears of online consumers by generating trust.

That is not to say that seals cannot play that role. However, in order for privacy seals to be effective, B2C Web sites must display them more prominently so that online consumers can begin to recognize these graphic images and understand their function. The fact that so few respondents recognized the three main seals, but answered many of the questions correctly suggests there is a general understanding of the issue of online trust, and a recognition that Web sites are attempting to prove themselves trustworthy. The relative success of the fake Web Shield seal also suggests, however, that online consumers may simply be responding to graphical design, rather than to any attempt by the Web site to be certified as trustworthy.

Two key questions need further investigation. First, given the well-documented examples of online fraud, what is encouraging e-consumers to continue their forays into e-commerce? Given that e-commerce is still less than a decade old, the average e-consumer may be somewhat of a reckless pioneer. For instance, Jupiter Research finds that only 46% of consumers are currently aware they can avoid sales tax on many purchases by comparison shopping, and only 4% make a point of finding online retailers that will not charge sales tax [3]. If e-consumers are willing to pay unnecessary taxes as part of their online experience, we should perhaps not be surprised that enthusiasm for the medium is leading them to trust sites that should not be trusted. As is typical of the pioneer experience, the lessons that allow costly mistakes to be avoided are still being learned.

Second, while the cost of a privacy seal is minimal, most companies fail to make use of them as a trust-engendering tool by failing to display them prominently on their homepage. Why? One answer might be that as a demonstration of a firm's ability to self-regulate, the seal may be aimed more at defending against potentially expensive legislation than actually engendering consumer trust. If so, it is worth noting that the number of recipients of the most popular privacy seal, TRUSTe, fell from around 2,000 in December 2001 to less than 1,300 by July 2003. Have e-businesses found a better alternative to Web assurance seals, or is the drop in numbers simply a realization that legislation is inevitable, and the seals are no longer playing their hoped-for role? If so, what is the future of trust online?

Back to Top

References

1. Culnan, M.J. How did you get my name? An exploratory investigation of consumer attitudes toward secondary information use. MIS Quarterly 17, 3 (1993), 341–363.

2. Doherty, S. Keeping data private. Network Computing (June 25, 2001), 83–91.

3. Jupiter Research reports that imposition of sales tax will have little effect on online retailers, 2003; www.internet.com/corporate/releases/03.02.05-researchrep.html.

4. Koreto, R.J. A WebTrust experience. J. Accountancy 186, 4 (1998), 99–102.

5. Privacy@net: An International Comparative Study of Consumer Privacy on the Internet, 2001; www.consumersinternational.org/news/pressreleases/fprivreport.pdf.

6. Privacy notices research: Final results, 2001; www.understandingprivacy.org/content/library/datasum.pdf.

7. United States Department of Commerce News; www.census.gov/mrts/www/current.html.

8. Urban, G.L., Sultan, F., and Qualls, W.J. Placing trust at the center of your Internet strategy. MIT Sloan Management Review 42 1 (2000), 39–48.

9. Wang, H., Lee, M.K.O., and Wang, C. Consumer privacy concerns about Internet marketing. Commun. ACM 41, 3 (Mar. 1998), 63–70.

Back to Top

Author

Trevor Moores ([email protected]) is an assistant professor in the Department of Management Information Systems at the University of Nevada, Las Vegas.

Back to Top

Figures

UF1Figure. The three main Web assurance seals (Note: All seals are trademarks of their respective organizations; Web Shield is a fake).

Back to Top

Tables

T1Table 1. Summary of recognition results (N=143).

T2Table 2. Summary of responses to questions on the function of Web assurance seals (N=143).

Back to top


©2005 ACM  0001-0782/05/0300  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2005 ACM, Inc.


 

No entries found