www.emeraldinsight.com/1468-4527.htm
The impact of reading a web site's privacy statement on perceived control over privacy and perceived trust
Manon Arcand
Universite du Quebec a Montreal, Montreal, Canada
Jacques Nantel
HEC Montreal, Montreal, Canada
Mathieu Arles-Dufour
La Rochelle, France, and
Anne Vincent
Bell Canada, Montreal, Canada
Refereed article received 2 April 2007
Revision approved for publication 21 June 2007
OIR 31,5, p. 661
Abstract
Purpose: The purpose of this research is to study the impact of reading a web site's privacy
statement on the perceptions of control over privacy and trust in a cyber merchant.
Design/methodology/approach: Two experiments were designed to monitor the actual reading
of the privacy statement. Study one compares the influence of actual reading with self-reported claims.
Study two manipulated the format of the privacy statement (opt-in or opt-out) and included a control
condition to assess the influence of the presence of a privacy statement and the influence of the format
on the dependent variables.
Findings: The findings show that the mere presence of a privacy statement has a positive influence
on perceived control. However, reading the privacy statement does not necessarily have a positive
influence on perceived control and trust, contrary to commonly held assumptions. Participants who
read the opt-in format felt significantly more control and trust than the participants who read the
opt-out format. The opt-out format decreases perceived control compared with the group that did not
read the privacy statement when it was available.
Research limitations/implications: The sample size for both experiments was relatively modest,
which limits the generalisability of the findings.
Practical implications: Cyber merchants should devote particular attention to the strategic role of
the format of the privacy statement.
Originality/value: In contrast to other studies that relied on surveys, this paper assesses the
impact of the actual reading of the privacy statement via an experimental approach. Moreover, the
impact of the format of the privacy statement has been empirically tested.
Keywords: Electronic commerce, Privacy, Trust, Online operations, Internet
Paper type: Research paper
Theoretical background
Trust in e-commerce: concepts and models
Over the years, trust has attracted considerable interest in the academic community,
engendering various definitions and models. Trust is important because it helps
consumers overcome perceptions of uncertainty and risk and engage in trust-related
behaviours with vendors, such as sharing personal information or making purchases.
In the marketing literature, Moorman et al. (1992) defined trust as the willingness to
rely on an exchange partner in whom one has confidence. Later, Doney and Cannon
(1997) defined trust as the perceived credibility and benevolence of a target of trust.
These definitions appear most appropriate when consumers have developed
confidence in the vendor and have had prior occasions to appreciate the motives of
the vendor. Initial trust (McKnight et al., 1998) refers to trust in an unfamiliar trustee, a
relationship in which the actors do not yet have credible, meaningful information
about, or affective bonds with, each other (Bigley and Pearce, 1998). In e-commerce, the
period during which a consumer visits and explores a vendor's web site for the first
time (the focus of our study) is within the domain of initial trust. In initial relationships,
people use whatever information they have, such as perceptions of a web site and the
privacy statement to make trust inferences (McKnight et al., 2002). Most of the recent
models of trust (including initial trust in the e-commerce context) recognise that trust is
a multi-dimensional concept (Mayer et al., 1995; McKnight et al., 2002; Lee and Turban,
2001; Gefen and Straub, 2004) with three components that define the perception of
trustworthiness: competence (ability of the trustee to do what the truster needs),
benevolence (trustee caring and motivation to act in the truster's interest) and integrity
(trustee honesty and promise keeping). Integrity has been recognised as a major
contributing factor explaining behavioural intentions, including purchase intentions
and sharing personal information (McKnight et al., 2002; Gefen and Straub, 2004).
Furthermore, the influence of integrity has been assessed as being particularly
important at the beginning of a relationship (Mayer et al., 1995) because the customer
cannot rely on previous experience with the vendor. Since our research involves cyber
merchants that are unfamiliar to consumers, we will focus primarily on this dimension
of trust, as it appears the most relevant. Trust is then conceptualised here as the
perceived integrity of the cyber merchant, namely cyber merchant perceived honesty
and promise keeping (McKnight et al., 2002). The next section focuses on the notion of
privacy, clarifying the purpose of privacy statements on the internet as well as their
relationships to consumers' perceptions of control and trust.
The concepts of privacy, control over privacy and the role of privacy statements
Privacy was originally defined as the right to be left alone (Brandeis and Warren,
1890). However, in a more recent definition of the concept, the contextual nature of
privacy is more evident. For example, Shoeman (1984) asserted that privacy is a state
or condition of limited access to individuals; individuals have privacy to the extent that
others have limited access to information about them, to the intimacies of their lives, to
their thoughts or their bodies. Concerns about privacy are not new; businesses have
been collecting customer information for decades. However, with technology (database
marketing) and especially with the development of the internet, which enhances
capabilities for collection, storage, use and communication of personal information,
new challenges to privacy have emerged: personal information about consumers can be
collected, monitored and shared without their knowledge and they can lose control over
the diffusion of their personal information. This loss of control is perceived as a major
threat of the internet by consumers (Nakra, 2001; Caudill and Murphy, 2000). To address
consumers' concerns, the US Federal Trade Commission (FTC) (2000) proposed and
advocated that fair information practices online provide people with:
• notice that personal information is being collected;
• access to the data;
• choice to allow an organisation to use or share information about them; and
• security.
Reading the privacy statement: what are the anticipated consequences?
Despite widespread concerns about online privacy, it seems that relatively few
consumers take concrete actions to guard their privacy online. For example, although a
vast majority of USA consumers report worrying about their online privacy, only 31
per cent bother to read the privacy policies most of the time (E-Marketer, 2002).
Another survey has reported that fewer than 5 per cent of consumers read privacy
policies carefully (E-Marketer, 2003).
Little research has been done on the consequences of reading the privacy statement;
most studies have focused on the impact of either the presence or absence of such a
statement. However, the privacy literature indicates that it is not enough to have a
privacy policy to fully reassure consumers on the web (Ackerman et al., 1999). It seems
essential to make them aware of personal information management practices if we
want to alleviate their concerns (Culnan and Armstrong, 1999). Similarly, it is believed
that consumers are less likely to refuse marketing activities when they are made aware
of data collection and use as well as the means to shield themselves from these
activities (Milne and Rohm, 2000). These findings somewhat contradict consumers' low
interest in reading the privacy statements located on web sites.
One way of considering this apparent paradox is to draw a parallel between reading
a privacy statement and the assurance of confidentiality reminders given by survey
administrators in order to increase the response rate or data quality. Frey (1986), in a
study on the effect of confidentiality reminders used in telephone surveys, concluded
that such reminders tend to reduce the probability of answering surveys, thus creating
more apprehension than trust with individuals, although the primary goal was to
reassure them. A meta-analysis on the subject (Singer et al., 1995) confirmed Frey's
findings in that no support was found for a relationship between the reassurance of
confidentiality and increased response rate or response quality. In fact, when the data
gathered in a survey is not sensitive, confidentiality reassurances appear to produce
small negative effects. The evidence suggests that elaborate assurances of
confidentiality increase perceptions of the sensitivity of the data, anxiety or threat of
the survey. Singer et al. (1992) summarised their findings as follows: ...subjects given a
more elaborate assurance of confidentiality were more likely to see their responses as
falling into the wrong hands, thus suggesting that such assurances, at least when
coupled with non-sensitive data, are more likely to arouse suspicion rather than
increase trust. We cannot rule out the possibility that reading the privacy statement
might have an impact similar to assurance of confidentiality, by prompting the
consumer to speculate on what could go wrong if they divulge personal information.
Study one
The goal of the first study or experiment was to assess the consequences on control
and trust perceptions when consumers read a privacy statement. Many studies on the
subject have used surveys to gather data, yet self-reports are sometimes plagued by
important biases, some of which are relevant here. For social desirability or
self-presentation purposes, consumers may deviate from the real answer or
estimate in self-reports (Schwarz, 1999; DeMaio, 1984); contextual variables such as the
researcher's interest then influence the answers subjects supply. When asked if they
read a privacy statement online, consumers may want to look good both in the eyes of
the researcher and in their own eyes, and state that they read it, when in fact they
do not. This is why we believe it is important here to differentiate between consumers
that actually read the privacy statement and the ones that claim they did, and assess
the impact on perceptions for both groups. The experimental design of study one
allowed us to perform such a comparison.
Method
Data collection and participants. The objective of the study was to measure consumers'
perceptions related to the privacy statement when they surf on a web site they have not
visited before, belonging to a cyber merchant they do not know. To this effect, we
created a travel agency web site. We did not want to use existing web sites in order to
control the familiarity that the participants might have had with the online merchant.
An e-mail was sent to 760 individuals registered in a consumer database owned by a
large research group located in Eastern Canada. With a response rate of 29 per cent,
219 subjects took part in the study. A financial incentive in the form of a lottery was
offered to encourage participation. Subjects were first presented with a scenario aimed
at presenting the merchant and explaining the task to be carried out. They were asked
to surf on the web site as if they were shopping for an all-inclusive vacation package.
The travel agency site was professionally designed and offered all the features found
on such sites, including a privacy statement. Reading the privacy statement was
optional. Participants could register on the site for further ordering and communication
with the travel agency. Links to the privacy statement were available on the home page
and on the registration form page. The site was designed such that it allowed us to
monitor if consumers actually clicked on the privacy statement link (participants were
not made aware of this indicator). When participants determined that they had surfed
on the web site long enough, they clicked on a link in order to fill out a questionnaire.
The first question in the questionnaire asked participants if they had read the privacy
statement. Participants' perceived control and trust, socio-demographic profile and
level of experience with the internet were also gathered via the questionnaire.
Participants were highly experienced with the internet (close to 80 per cent had at least
four years of experience with the internet) and 68 per cent of them had already made an
online purchase. Of the participants, 54 per cent were females and they were between
16 and 69 years of age, with an average age of almost 40. Table I presents the profile of
participants on socio-demographic variables and relevant internet dimensions.
Measures of constructs. To maximise the content validity of the constructs, the
scales retained have been successfully used by other researchers in the field. Table II
summarises the scales used, their source and original reliability (α).
Pre-test. Two pre-tests were necessary to ensure good comprehension of the web
site and of the scales used. Specifically, it was important that the link to the privacy
statement be noticed and that the content of the privacy statement be understood by
participants (the privacy statement is available in Figure 1). Sixty subjects took part in
the pre-tests, 48 of them navigating online on the experimental web site. Notice and
understanding of the privacy statement were assessed by the following questions, all
using a seven-point scale (1 = not at all, 7 = absolutely): "The site has a hyperlink to a
privacy statement", "The travel agency automatically includes me in their distribution
list" and "The travel agency advises me that my personal information can be shared
with other companies". No changes were deemed necessary to the web site as no
specific problems were encountered during navigation and the privacy statement was
well noticed (x̄ = 5.40) and well understood (x̄ = 6.8 for the distribution list question
and x̄ = 7 for the sharing of information). However, both pre-tests led us to shorten the
questionnaire, which was initially perceived as too long. Further, items in scales that
were difficult to understand or confusing for the subjects were removed, without
altering the initial structure or reliability of the constructs (Cronbach's alpha > 0.85 for
all dimensions in the pre-test).

Table I. Profile of participants on socio-demographic variables and relevant internet dimensions (questionnaire)

| Variable | Category | Value |
|---|---|---|
| Gender | Women (%) | 54 |
| | Men (%) | 46 |
| Age | Mean | 39.8 (SD = 12.73) |
| Education | High school or less (%) | 12.1 |
| | College (%) | 24.8 |
| | University (%) | 63.1 |
| Experience on the internet | Less than 4 years (%) | 20.5 |
| | 4 to 6 years (%) | 28.4 |
| | 6 years and over (%) | 51.1 |
| Have already made an online purchase | Yes (%) | 68.2 |

Table II. Constructs and source

| Construct | No. of items (a) | Source | Cronbach's α of original scales | Adaptation following pre-test |
|---|---|---|---|---|
| Perceived control over privacy | 3 | Bateson and Hui (1992) | 0.61 | Kept only 2 items, the third one was confusing |
| Perceived trust (integrity) | 4 | McKnight et al. (2002) | 0.92 | Kept only 3 items for parsimony purposes |

Note: (a) All items measured with Likert-type scales anchored with (1) Totally disagree and (7) Totally agree
Results
Validating the constructs: CFA results. Before testing our hypotheses, we first used
Confirmatory Factor Analysis (CFA) to assess the reliability and the validity of the
constructs presented in Table II. EQS 6.0 was used for the analysis with the Maximum
Likelihood (ML) estimator. After removing 2 outliers, the model showed an excellent fit
as exhibited by all measures (chi-square(4) = 9.236, p = 0.055, CFI = 0.995,
SRMR = 0.023). Reliability of the measures was good (composite reliability of 0.87
and 0.95 and variance extracted of 0.775 and 0.87 for control over privacy and
perceived integrity respectively), well above the recommended thresholds (0.70 for
composite reliability as per Hair et al., 1998 and 0.50 as per Fornell and Larcker, 1981).
Discriminant validity was also quite acceptable as the correlation between the two
constructs was 0.53, below the 0.60 threshold (Carlson et al., 2000). We thus confirmed
the high degree of reliability and validity of the constructs used in the study.
Descriptive results. According to the web surfer indicator, 41 per cent of the
participants clicked on the privacy statement, in proportions comparable to those
reported in the literature. However, the first question in the questionnaire asked
participants if they had read the travel agency's privacy statement ("Did you read the
statement regarding the conditions of utilisation of your personal information on the
web site of the travel agency? Yes... No..."); 68 per cent replied that they did.
Hypotheses testing
A series of t-tests were performed in order to test our hypotheses. As reported in
Table III, no relationship was found between claiming to read the privacy statement
and perceived control and trust. In the first case, claiming to have read the privacy
statement generated a score for perceived control of 3.6026 v. 3.7206 for not claiming so
(t = -0.503; p = 0.615). For trust, similar results were obtained (x̄ claiming to have
read = 4.649 and x̄ not claiming to have read = 4.4216; t = 1.291; p = 0.198). These
results refute H1a and H1b. To assess the influence of actually reading the privacy
statement, we re-did the analyses using the information from the web indicator as the
independent variable instead of the claims made by respondents. Quite a different
picture emerged. As Table IV demonstrates, reading the privacy statement
significantly influenced perceived control over privacy (t = -3.801; p = 0.000) and
perceived trust (t = -2.38; p = 0.018). Participants who read the privacy statement
felt less in control of their privacy (x̄ = 3.16) and perceived less trust in the merchant
(x̄ = 4.35) than those that did not read it (x̄ = 3.97 for perceived control and x̄ = 4.74
for perceived trust). Therefore, contrary to the commonly held assumption that the
privacy statement has a positive impact on perceptions, the actual reading of the
statement has a negative impact on perceptions of both control and trust. Thus, H2a
and H2b were found to generate significant results but in a direction opposite to our
original expectations.

Figure 1. Wording of the privacy statement in Study 1
Discussion
Interesting but surprising results emerged from study one: first, when using self-report
answers, we showed that claiming to read the privacy statement has no impact on
perceptions of control and trust. A significant proportion (27 per cent) of participants
reported clicking on the privacy link but actually did not. These results cast doubt on
the validity of the survey as a method of assessing the influence of a privacy statement.
This is in line with the bias and limits of self-reports highlighted by Schwarz (1999)
and DeMaio (1984). Therefore, relying on what consumers say in surveys is not enough
and can be misleading. Researchers are better served if they rely on measures of actual
behaviour whenever possible.
Second, reading the privacy statement decreased the perceptions of control over
privacy and perceived integrity (trust). These findings contradict the widely held belief in
the privacy and trust literature that disclosing the management of personal information
reassures consumers and induces trust[1]. On the contrary, we showed that privacy
statements produce similar effects to assurance of confidentiality: they arouse suspicion
Study two
Since study one suggested that relying on self-reports alone to assess the influence of the
privacy statement on perceptions of control and trust could be misleading, we decided to
evaluate whether the mere presence of a privacy statement has a positive impact on
control and trust. Furthermore, in order to gain a better understanding of the results
obtained in study one, we investigated consumers' reactions to different formats of
privacy statements. Two formats are commonly used by cyber merchants: the opt-in
and the opt-out format. The opt-in format allows consumers to have access to their
personal information and to act on information management practices. Conversely, the
opt-out format does not provide such access and choice features. We then anticipated
that the opt-in format should induce a higher level of perceived control and perceived
trust than the opt-out format. Study two was designed to address these research
questions. This time, an existing music web site was used, the disclosure of personal
information was mandatory and the experiment took place in a controlled environment.
The profile of the participants was similar to the typical internet user: young (60.6 per
cent of them were between 19 and 26 years old), male (57.7 per cent), well-educated (53.4 per
cent have completed an undergraduate degree). However, contrary to the typical
internet user, who reports income exceeding $60,000, only 10.5 per cent of our
participants reported income over $50,000.
Experimental manipulations
As mentioned, the only difference across the three experimental sites was the privacy
statement located on the subscribe page in step one. On site 1, there was no privacy
statement to inform consumers that data was collected or that there was any means of
protecting their personal information (control group). Sites 2A and 2B had a link to a
privacy statement on the subscribe page. The privacy statement concerning the
management and protection of personal information was in an opt-out format on site
2A while it was in an opt-in format on site 2B. The former gave users limited control,
while the latter granted consumers much more decision making power. The privacy
statements were built around the four dimensions (notice, security, access and choice)
advocated by the FTC (Fornell and Larcker, 19812) to ensure good business practices
related to the management of personal information. Liu et al. (2005) showed that these
four dimensions were positively correlated with trust. More specifically, the
dimensions of access and choice were manipulated. Table V provides details
regarding the experimental manipulations of the privacy statement. Here again, a web
indicator allowed us to monitor if participants clicked on the link to the privacy
statement. Participants were not aware of this monitoring.
Table V. Experimental conditions

| Dimension | Site 2A | Site 2B |
|---|---|---|
| Notice | Presence of a detailed privacy statement | Presence of a detailed privacy statement |
| Security | Disclose your personal information in a totally secure environment backed by the best encryption technology available on the market: SSL Technology with 128 bits | Disclose your personal information in a totally secure environment backed by the best encryption technology available on the market: SSL Technology with 128 bits |
| Access | No mention | At any time you can access the information you disclosed to us in order to verify, modify or even delete it |
| Choice | Opt-out format: | Opt-in format: |
| | You will soon receive our newsletter and other interesting information. Please send us an e-mail if you do not wish to receive it | Please advise us, by checking the box (a), if you wish to receive our newsletter and other information that may interest you |
| | You will soon receive interesting offers from our commercial partners. Please send us an e-mail if you do not wish to receive them | Please advise us, by checking the box (a), if you wish to receive offers that may interest you from our commercial partners |
| | In order to offer you a personalised experience, we retrieve and save your personal information. Specifically, we use cookies that will be automatically integrated into your computer. If you wish to navigate anonymously, some companies have developed software that allows you to do so. Simply click on the following links: www.anonymizer.com, www.idzap.com, www.somebody.net. We do not guarantee the efficacy of these products | Please advise us, by checking the box (a), if you wish to navigate anonymously. No cookies will be saved on your computer |

Notes: Site 1 is not presented here since it does not include any privacy statement and thus does not
contain any dimension advised by the FTC; sentences in italic were not included in the privacy
statement presented to the subjects, we included them here to inform the reader. (a) A box was shown
for sites 2A and 2B next to each of these statements
Measures of constructs. Scales similar to the ones used in study one were used here to
measure perceived control and perceived trust. Equivalent reliability and validity
properties were found.
Pre-tests. The comprehension of the experimental sites, as well as the reliability and
validity of the scales and the manipulations were tested prior to the experiment. To do
so, the URL of the web site was sent randomly to 250 panellists of a consumer database
managed by a large research group located in Eastern Canada. One hundred and four
(104) participants agreed to participate in the pre-test. The scales showed good stability
and reliability (perceived control over privacy, α = 0.84 and perceived trust, α = 0.87).
Checks on the validity of the manipulations were done via a post-navigation
questionnaire, using Likert-type scales anchored with "totally disagree" (1) and "totally
agree" (7). No problems of comprehension were reported: subjects noticed the link to
the privacy statement when available (x̄ = 6.6 when navigating on the site with a
privacy statement versus x̄ = 3.6 when navigating on the site without a privacy
statement, p = 0.000) and the subjects who read the privacy statement differed from
those that did not read it, in terms of noticing the security (x̄ = 5.67 v. 3.06), access
(x̄ = 6.41 v. 3.00) and choice (x̄ = 6.16 v. 3.28) dimensions included in the privacy
statement (all p = 0.000). No changes to the experimental sites and manipulations were
deemed necessary. Further, because of the limited number of subjects in the final
experiment and since subjects from the pre-test came from the same population as the
final experiment, we decided to aggregate the results of the pre-test with those of the
105 subjects that took part in the final test.
Results
Validating the constructs. Both constructs appeared stable and showed good reliability
and validity as measured by exploratory factor analysis and Cronbach's alpha (control
over privacy α = 0.89, with 1 factor explaining 81.8 per cent of the variance and
perceived trust α = 0.84, with 1 factor explaining 86.8 per cent of the variance). The
correlation between control and trust was significant but moderate (0.365, p = 0.000).
Descriptive results. Sixty-five subjects (31.1 per cent) were assigned to site 1
containing no privacy statement, 76 subjects (36.4 per cent) were assigned to site 2A
with a privacy policy in opt-out and 68 of them (32.5 per cent) visited site 2B, where the
privacy statement was presented in an opt-in format. Out of the 144 subjects that had a
link to a privacy statement (2A and 2B), only 58 (40.3 per cent) clicked on the link as
revealed by the analysis of the navigation logs. Subjects were then divided into four
distinct groups:
(1) control group (assigned to site 1);
(2) did not read group (assigned to sites 2A and 2B, that did not click on the privacy
statement link);
(3) opt-out group (assigned to site 2A and clicked on the privacy statement); and
(4) opt-in group (assigned to site 2B and clicked on the privacy statement).
Table VI shows the level of perceived control and perceived trust in the cyber merchant
for each of the six groups.
Hypotheses testing
In order to assess the impact of the presence of the privacy statement (H3), we
compared the perceptions of the group that had access to the privacy statement but
ignored it (did not read group) with the control group. Results show that the mere
presence of a privacy statement has a positive impact on perceived control over
[Table: Group, N, mean perceived control over privacy, mean perceived trust]
[Figure 2.]
Discussion
Study two added many important nuances to the results observed in study one. First,
partial support was found for the idea that the mere presence of a privacy statement has
positive impacts on consumers' perceptions as reported in the trust literature: the
positive impact is putatively confirmed on perceived control but not on perceived trust,
contrary to Lee and Turban (2001) and Pan and Zinkhan (2006), who argued that
making a privacy statement visible increases perceived trust in the merchant. Second,
the study clarifies the relationship between reading a privacy statement and these same
perceptions: when presented in opt-out format, the statement has a negative impact on
control and no influence on trust, compared with not reading it at all. However, when
read in an opt-in format, the statement has a positive impact on both control and trust.
Third, the format of the privacy statement and the control put in the hands of consumers
is a strategic variable: our results suggest that cyber merchants should make a privacy
statement available to consumers in an opt-in format (as opposed to opt-out), which
entails requesting permission to use customers' personal information and putting more
control in their hands in order to maximise positive perceptions of control and trust.
However, such a strategy will likely minimise the gathering of personal information
available for subsequent marketing activities compared with an opt-out format. In effect,
a privacy statement and the preferred format to use operate like a double-edged sword.
The mere presence of the statement has a positive impact and the majority of users will
likely not consult it anyway. However, the format that makes a real positive difference on
these perceptions, when the statement is read, is likely to severely limit the strategic
information available for further marketing activities. Further, the results also build on
Milne and Rohm (2000), who assert that when consumers are made aware of what
information is collected about them and how their information will be used, they are less
inclined to use withdrawal mechanisms. This is true in an opt-out format, but if the
customer is allowed to make all the choices (opt-in), they are most likely to restrict the
collection and sharing of their personal information for promotional purposes. They may
even decide to navigate incognito.

Table XI. ANOVA and simple contrasts. Simple contrasts between groups: the impact of reading the privacy statement on perceived control

| Group I | Group J | Mean differences (I-J) | Standard error | p |
|---|---|---|---|---|
| Opt-out group | Opt-in group | -1.82 | 0.427 | 0.000 |
| | Did not read group | -1.05 | 0.325 | 0.002 |
| Opt-in group | Opt-out group | 1.82 | 0.427 | 0.000 |
| | Did not read group | 0.77 | 0.37 | 0.039 |

Table XII. ANOVA and simple contrasts. Simple contrast between groups: the impact of reading the privacy statement on perceived trust

| Group I | Group J | Mean differences (I-J) | Standard error | p |
|---|---|---|---|---|
| Opt-out group | Opt-in group | -0.875 | 0.32 | 0.007 |
| | Did not read group | -0.0931 | 0.2437 | 0.703 |
| Opt-in group | Opt-out group | 0.875 | 0.32 | 0.007 |
| | Did not read group | 0.7817 | 0.278 | 0.006 |
General discussion
This research makes an important contribution to the field of consumer behaviour and
trust in an e-commerce context at both the theoretical and managerial levels. First and
most importantly, results from two experiments showed that reading the privacy
statement does not necessarily have a positive influence on perceived control and trust,
contrary to what seems to be accepted knowledge in the privacy and trust literature. It all
depends on the content and the format, which gives consumers varying levels of control
over management of their personal information. Cyber merchants should devote
particular attention to the strategic role of the format of the privacy statement and the
associated control. They should thus carefully weigh the choice of opt-in versus opt-out
privacy statements. Merchants who choose an opt-out format may try to position the
statement subtly, in the hopes that users will notice the link (and appreciate the improved
control that comes with it) but will not read it; otherwise, they risk decreasing users'
perceived control and trust (study one) by prompting consumers to speculate on what
could go wrong if their personal information ended up in the wrong hands. Conversely,
merchants that decide on an opt-in format that increases positive perceptions of control
and trust when read may severely limit the personal information gathered from the
users. A promising solution to this dilemma would be to reconsider the location of
privacy statements: instead of placing the statement at the periphery of the web site, it
should be placed in a central location, upstream to the navigation process. This ethical
practice would enhance consumers' perceptions of power and trust and, from a
commercial standpoint, may reinforce attitudes and behavioural intentions toward the
cyber merchant. In this scenario, a dynamic opt-in format that could be personalised
would become the portal to navigation. The trusted merchant would then be able to
deploy well targeted marketing actions personalised to interested customers.
Second, relying on the self-reported answers of consumers to indicate whether they
clicked on the privacy statement link or not paints quite a different picture. In study
one, we showed that there was no relationship between claiming to read the privacy
statement and control and trust perceptions[2]. This raises an important question about the
validity of self-reports. Schwarz (1999) and DeMaio (1984) found that subjects may
adapt their response in light of social desirability and in this particular research, they
may have tried to look like thorough navigators in the eyes of the researchers. These
authors argued that such adaptations are not rare when self-report questions are used.
We encourage researchers to be prudent when analysing data based on self-reports
and, whenever possible, to measure actual behaviour instead of asking (surveying)
consumers what they did or what they would do in a particular situation.
Third, in both experiments many participants did not click on the privacy statement
(36 per cent in Study One and 60 per cent in Study Two) even though they divulged personal
information. We encourage policy makers to be vigilant and to promote safe practices
in the population regarding the disclosure of private information on the web.
Limitations of the study and suggestions for future research
As with all behavioural research, there are limitations to this study that need to be
addressed. First, the size of the sample used for this research (219 and 209 participants
in studies one and two respectively) was relatively modest. This limitation was
especially apparent in study two, where the small proportion of participants consulting
the web site left us with a limited sample size to test the impact of the format. Second,
participation rates obtained for both studies (29 per cent for study one and 19 per cent
for study two) were modest, but in the average to high end of the response rate
continuum obtained in recent academic e-mail surveys (for reviews, see Deutskens et al.
2004 and Kaplowitz et al. 2004). Third, the experiments took place in an uncontrolled
environment, which, while increasing external validity, can influence internal
validity. These limitations somewhat constrain the generalisability of these findings,
which is why we consider this research exploratory. Our web indicator allowed us to
monitor whether or not participants clicked on the privacy link. We then assumed that
they read the content of the privacy statement. We cannot be sure that this was the
case. Qualitative research would be needed to observe subjects while navigating to
clarify this matter.
We hope that our challenging results will encourage researchers to replicate or
expand this study using larger samples, different experimental settings or
methodology in order to enrich our understanding of the impact of privacy policy
reading on consumers' perceptions and behaviour. In particular, the influence of the
format of privacy statements should be studied on a larger scale, using a larger sample
and a different context. Manipulating the level of risk or the type of web site, e.g.
informational/transactional, are potentially interesting avenues of future research.
Another fruitful area might be to study the impact of other aspects of the privacy
statement (e.g. length and wording) on consumers' trust, control over privacy and
disclosing behaviour.
Notes
1. It could also be argued that respondents more concerned about privacy and confidentiality
are more likely to read privacy policies. In such a case, reading the privacy statement did not
succeed in altering their initial predispositions to trust or not to trust. However, participants
that clicked on the privacy policy link and the ones that didn't click had a similar general
propensity to trust as well as similar concerns regarding security (p > 0.05 on both
measures). However, the ones who clicked on the link had less confidence in e-commerce
than the ones who did not click (p = 0.04). We would like to thank the reviewer for
suggesting this alternative explanation. Further research is needed to fully clarify this
matter.
2. Note that these results were replicated in study two but are not presented in the text for
space considerations.
References
Ackerman, M.S., Cranor, L.F. and Reagle, J. (1999), Privacy in e-commerce: examining user
scenarios and privacy preferences, Proceedings of the ACM Conference on Electronic
Commerce EC99.
Bateson, J.E.G. and Hui, M.K. (1992), The ecological validity of photographic slides and
videotapes in simulating the service setting, Journal of Consumer Research, Vol. 19 No. 2,
pp. 271-82.
Bigley, G.A. and Pearce, J.L. (1998), Straining for shared meaning in organization science:
problems of trust and distrust, Academy of Management Review, Vol. 23 No. 3, pp. 405-21.
Boatright, J.R. (2000), Ethics and the Conduct of Business, 3rd ed., Prentice Hall, Englewood
Cliffs, NJ.
Buchholz, R.A. and Rosenthal, S. (2002), Internet privacy: individual rights and the common
good, S.A.M. Advances Management Journal, Vol. 67 No. 1, pp. 34-41.
Brandeis, L. and Warren, S. (1890), The right to privacy, Harvard Law Review, Vol. 4, p. 193.
Carlson, D., Kacmar, K.M. and Williams, L.J. (2000), Construction and initial validation of a
multidimensional measure of work-family conflict, Journal of Vocational Behaviour,
Vol. 56 No. 2, pp. 249-76.
Caudill, E.M. and Murphy, P.E. (2000), Consumer online privacy: legal and ethical issues,
Journal of Public Policy & Marketing, Vol. 19 No. 1, pp. 7-19.
Cheung, C.M.K. and Lee, M.K.O. (2001), Trust in internet shopping: instrument development and
validation through classical and modern approaches, Journal of Global Information
Management, July-September, pp. 23-35.
Culnan, M.J. and Armstrong, P.K. (1999), Information privacy concern, procedural fairness, and
impersonal trust: an empirical investigation, Organization Science, Vol. 10 No. 1,
pp. 103-15.
DeMaio, T.J. (1984), Social desirability and survey measurement: a review, in Turner, C.F. and
Martin, E. (Eds), Surveying Subjective Phenomena, Vol. 2, Russell Sage Foundation, New
York, NY, pp. 257-81.
Deutskens, E., De Ruyter, K., Wetzels, M. and Oosterveld, P. (2004), Response rate and response
quality of internet-based surveys: an experimental study, Marketing Letters, Vol. 15 No. 1,
pp. 21-36.
Doney, P.M. and Cannon, J.P. (1997), An examination of the nature of trust in buyer-seller
relationships, Journal of Marketing, Vol. 61 No. 2, pp. 35-61.
E-Marketer (2006a), Web sales growth remains strong as consumers spend more across a wider
range of online product categories, Census Bureau of the US Department of Commerce,
available at: www.emarketer.com/article.aspx?1004126
E-Marketer (2006b), US retail e-commerce (excluding travel) as a percent of total retail sales,
2000-2006, eMarketer Database, January, available at: www.emarketer.com/chart.aspx?50944
E-Marketer (2006c), Online privacy and security: the fear factor, eMarketer Database, April,
available at: www.emarketer.com/Reports/Viewer.aspx?privacy_retail_apr06&
autodetect Y
E-Marketer (2003), Amount of time US adults spend reading website privacy policies, Harris
Interactive/Privacy Leadership Initiative, December 2001, eMarketer Database, available
at: www.emarketer.com/products/chart.php?31594
E-Marketer (2002), Frequency of reading online privacy policies among US consumers, EBrain
Market Research/Consumer Electronics Association, May, eMarketer Database, available
at: www.emarketer.com/products/chart.php?26317
Fornell, C. and Larcker, D.F. (1981), Evaluating structural equation models with unobservable
variables and measurement error, Journal of Marketing Research, Vol. 18, pp. 39-50.
Frey, J.H. (1986), An experiment with a confidentiality reminder in a telephone survey, Public
Opinion Quarterly, Vol. 50, pp. 267-9.
FTC Report to Congress (2000), Privacy online: fair information practices in the electronic
marketplace, available at: www.ftc.gov/reports/privacy2000.pdf
Gefen, D. and Straub, D.W. (2004), Consumer trust in B2C e-commerce and the importance of
social presence: experiments in e-products and e-services, Omega: International Journal of
Management Science, Vol. 32 No. 6, pp. 404-27.
George, J.F. (2002), Influence on the intent to make internet purchases, Internet Research:
Electronic Networking Applications and Policy, Vol. 12 No. 2, pp. 165-80.
George, J.F. (2004), The theory of planned behaviour and internet purchasing, Internet
Research, Vol. 14 No. 3, pp. 198-212.
Hair, J.F., Anderson, R.E., Tatham, R.L. and Black, W.C. (1998), Multivariate Data Analysis with
Readings.
Hoffman, D.L., Novak, T.P. and Peralta, M. (1999), Building consumer trust online,
Communications of the ACM, Vol. 42 No. 4, pp. 80-5.
Hui, M.K. and Bateson, J.E.G. (1991), Perceived control and the effects of crowding and
consumer choice on the service experience, Journal of Consumer Research, Vol. 18 No. 2,
pp. 174-85.
Kaplowitz, M., Hadlock, T.D. and Levine, R. (2004), A comparison of web and mail survey
response rates, Public Opinion Quarterly, Vol. 68, pp. 94-101.
Lee, M.K.O. and Turban, E. (2001), A trust model for consumer internet shopping, International
Journal of Electronic Commerce, Vol. 6 No. 1, pp. 75-91.
Liu, C., Marchewka, J.T., Lu, J. and Yu, C-S. (2005), Beyond concern: a privacy-trust-behavioral
intention model of electronic commerce, Information and Management, Vol. 42 No. 1,
pp. 127-42.
Mayer, R.C., Davis, J.H. and Schoorman, F.D. (1995), An integrative model of organizational
trust, Academy of Management Review, Vol. 20 No. 3, pp. 709-34.
McKnight, H.D., Cummings, L.L. and Chervany, N.L. (1998), Initial trust formation in new
organizational relationships, Academy of Management Review, Vol. 23 No. 3, pp. 473-90.
McKnight, H.D., Choudhury, V. and Kacmar, C. (2002), Developing and validating trust
measures for e-commerce: an integrative typology, Information Systems Research, Vol. 13
No. 3, pp. 334-59.
Milne, G.R. and Boza, M-E. (1999), Trust and concern in consumers' perceptions of marketing
information management practices, Journal of Interactive Marketing, Vol. 13 No. 1,
pp. 5-24.
Milne, G.R. and Rohm, A.J. (2000), Consumer privacy and name removal across direct marketing
channels: exploring opt-in and opt-out alternatives, Journal of Public Policy and
Marketing, Vol. 19 No. 2, pp. 238-49.
Miyazaki, A.D. and Fernandez, A. (2000), Internet privacy and security: an examination of
online retailer disclosure, Journal of Public Policy & Marketing, Vol. 19 No. 1, pp. 54-62.
Moorman, C., Zaltman, G. and Deshpande, R. (1992), Relationships between providers and users
of market research: the dynamics of trust within and between organizations, Journal of
Market Research, Vol. 29, August, pp. 314-28.
Nakra, P. (2001), Consumer privacy rights: CPR and the age of the internet, Management
Decision, Vol. 39 No. 4, pp. 272-9.
Pan, Y. and Zinkhan, G.M. (2006), Exploring the impact of online privacy disclosures on
consumer trust, Journal of Retailing, Vol. 82 No. 4, pp. 331-8.
Parker, L.E. and Price, R.H. (1994), Empowered managers and empowered workers: the effects
of managerial support and managerial perceived control on workers' sense of control over
decision making, Human Relations, Vol. 47 No. 8, pp. 911-28.
Pavlou, P.A. (2003), Consumer acceptance of electronic commerce: integrating trust and risk
with the technology acceptance model, International Journal of Electronic Commerce,
Vol. 7 No. 3, pp. 101-34.
Pennington, R., Wilcox, H. and Grover, V. (2003), The role of system trust in business-to-consumer
transactions, Journal of Management Information Systems, Vol. 20 No. 3, pp. 197-226.
Schwarz, N. (1999), Self-reports: how the questions shape the answers, American Psychologist,
Vol. 54 No. 2, pp. 93-105.
Shoeman, F. (1984), Philosophical Dimensions of Privacy, Cambridge University Press,
Cambridge.
Singer, E., Hippler, H.-J. and Schwarz, N. (1992), Confidentiality assurances in surveys:
reassurance or threat?, International Journal of Public Opinion Research, Vol. 4, pp. 256-68.
Singer, E., Von Thurn, D.R. and Miller, E.R. (1995), Confidentiality assurances and response: a
quantitative review of the experimental literature, Public Opinion Quarterly, Vol. 59 No. 1,
pp. 66-77.
Westin, A. (1996), Harris-Equifax Consumer Privacy Survey, Equifax Inc., Atlanta, GA.
Corresponding author
Manon Arcand can be contacted at: arcand.manon@uqam.ca