Enforced Standards Vs. Evolution by General Acceptance: E-Commerce Privacy Disclosure and Practice in US and UK K. Jamal, M. Maier and S. Sunder February 11, 2004
Page 1: Enforced Standards Vs. Evolution by General Acceptance: E- Commerce Privacy Disclosure and Practice in US and UK K. Jamal, M. Maier and S. Sunder February.

Enforced Standards Vs. Evolution by General Acceptance: E-Commerce Privacy Disclosure and Practice in US and UK

K. Jamal, M. Maier and S. Sunder

February 11, 2004

Page 2

Law or Social Norms

Posner (1997): Law should be conservative and should codify existing norms

Sunstein (1996), Lessig (1998): Law should be activist and help shape social norms

Ellickson (1991): People ignore laws which are inconsistent with social norms

Mailath, Morris, and Postlewaite (2001): If laws do not change payoffs directly, they are “cheap talk,” and can only affect behavior because people have coordinated beliefs about the effects of the law

Page 3

In Accounting

Under the Securities and Exchange Commission, seven decades of increasingly codified “legal” approach to financial reporting

Addressing problems by creating or modifying rules, and institutions to write new rules

Recent events (Enron, etc.) and Sarbanes-Oxley may have accelerated that trend (PCAOB, IASB)

How do we measure how good the financial reports are? Thickness of the rulebook?

What do we know about the consequences of codification?

Page 4

E-Commerce

Primary interest is in financial reporting; E-Commerce presents an opportunity to address some issues, interesting in themselves, as well as relevant to accounting

Compare the state of e-commerce privacy under quite different approaches used contemporaneously in US and UK

Page 5

E-Commerce Privacy

U.S. has permitted e-commerce to develop its own privacy norms with little legislation and no required audit

US privacy legislation exists for financial and medical records

EU has taken an activist approach: codification and legal enforcement

Page 6

UK Data Protection Act 1984 (Amended in 1998 for compliance with the EU Directive on Data Protection, 1995)

SCHEDULE 1: THE DATA PROTECTION PRINCIPLES PART I: THE PRINCIPLES    

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-  (a) at least one of the conditions in Schedule 2 is met (requirements of informed consent), and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 

Page 7

Enforcement Activity by the UK Information Commissioner (1997-2002)

                              1997/98      1998/99      1999/00      2000/01      2001/02
Total Budget                  £3,661,690   £4,190,489   £4,721,666   £5,280,860   £8,244,982
# of Staff                    109          118          114          126          157
# of Phone Inquiries          48,337       48,549       55,070       55,125       56,982
Total Complaints Received     4,178        3,653        5,166        8,875        12,479
Visits - Business Premises    471          700          388          480          448
Visits - Dwellings            313          319          199          235          411
Witness Statements Obtained   378          433          346          355          375
Interviews Under Caution      136          216          98           144          58
Court Prosecutions            38           59           145          23           66
Court Convictions (Guilty)    38           55           130          21           33

Page 8

Key Findings: Under EU Law

Quality of Privacy Disclosure is lower (Compliance Oriented)

No market for privacy audit has developed (Web-seals in US)

No difference in spam generated by visits to e-commerce sites (most spam is generated elsewhere)

Misbehavior by a comparatively small number of outliers who violate the privacy of customers with impunity

Page 9

Focus on Two Features of E-Commerce Privacy

Notice-Awareness: Participants receive notice of an entity’s privacy practices before they provide information

Choice-Consent: Participants have choices about how their information is used (especially for secondary purposes)

Three Features not examined in this study: Access-Participation; Integrity-Security; and Enforcement-Redress.

Page 10

Part 1: Audit and Disclosure Practices

Visit top 100 e-commerce websites in US (56 in UK) to detect evidence of audit (web-seals)

Read and tabulate the stated privacy policies and disclosures of individual e-commerce sites

Program a “Web-Crawler” to visit the 100 web-sites in U.S. (56 in UK) five times over a one-week period and record cookies (and 3rd-party cookies) used by these sites

Review privacy policy for cookie usage disclosure and consistency with practice
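The crawl-and-compare step above, as an added example that is not part of the original study's tooling: given the hosts that set cookies during visits to a site, classify each cookie as first- or third-party by registrable domain and flag where the site's stated policy does not match observed practice. The tiny public-suffix list, the domain-matching rule, the policy flags and the sample data are constructed assumptions.

```python
from urllib.parse import urlsplit

# Minimal public-suffix list for the demo (assumption); a real crawler would use the full Public Suffix List.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "uk", "com", "org", "net"}

def registrable_domain(host):
    """Registrable domain (eTLD+1): shop.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # longest matching suffix wins
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])

def classify_cookies(page_url, observed):
    """observed: (setting_host, cookie_name) pairs collected across visits.
    A cookie is third-party when its setting host lies outside the visited
    site's registrable domain."""
    site = registrable_domain(urlsplit(page_url).hostname)
    first, third = set(), {}
    for host, name in observed:
        if registrable_domain(host) == site:
            first.add(name)
        else:
            third.setdefault(host, set()).add(name)
    return {"first_party": first, "third_party": third}

def audit_disclosure(page_url, observed, policy):
    """Compare observed practice with what the privacy policy states.
    policy: {'discloses_cookies': bool, 'discloses_third_party': bool} (assumed shape)."""
    found = classify_cookies(page_url, observed)
    issues = []
    if found["first_party"] and not policy.get("discloses_cookies", False):
        issues.append("sets cookies but policy does not disclose cookie usage")
    if found["third_party"] and not policy.get("discloses_third_party", False):
        issues.append("undisclosed third-party cookies from: "
                      + ", ".join(sorted(found["third_party"])))
    return issues

# Constructed sample: repeated visits to a fictional UK shop, collapsed to Set-Cookie origins.
SAMPLE_URL = "https://www.example-shop.co.uk/"
SAMPLE_OBSERVED = [
    ("www.example-shop.co.uk", "session"),
    ("secure.example-shop.co.uk", "basket"),
    ("ads.tracker-example.net", "uid"),      # third-party tracker
    ("www.example-shop.co.uk", "session"),   # repeat visit, same cookie
]
SAMPLE_POLICY = {"discloses_cookies": True, "discloses_third_party": False}

if __name__ == "__main__":
    print(audit_disclosure(SAMPLE_URL, SAMPLE_OBSERVED, SAMPLE_POLICY))
```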

Page 11

Results: Audit Practices

In US, four vendors BBB Online, Truste, WebTrust (AICPA-CICA), and BetterWeb (PricewaterhouseCoopers) offered this audit service

Written standards of the first two are more stringent than the last two

The prices of BBB Online and Truste much lower ($7,000-100,000)

No data on actual compliance testing by these auditors

No evidence of race to the bottom

In US, 34 out of 100 websites had purchased web-seals (30 Truste, 2 BBB Online, 2 both, no Better-Web or WebTrust)

In UK, no providers or displays of web-seals

Page 12

Web-Seal Providers: Prices and Market Shares

Web-Seal                 Number of Clients (Dec. 2001)   Price of Audit
Truste                   1830                            $399-8,999 (revenue based)
BBB Online               851                             <= $7,000 (revenue based)
Better-Web (PWC)         100                             $15,000 (flat rate)
WebTrust (AICPA-CICA)    28                              >$100,000 (full audit)

Page 13

Market for Audit

Does regulation suppress demand for voluntary audit?

Are accounting standards and auditing substitutes? Under US securities regulation, accounting standards and auditing are frequently treated as if they are complements

Does mandatory audit eliminate the potential use of audit as an informative signal from management to investors?

Why is the audit with “more demanding” standards priced lower? Little evidence of “race to the bottom” among competing standards

Why did the accounting profession (AICPA / CICA) fail in the e-commerce privacy audit market?

Page 14

Quality of Privacy Policy Disclosure

In the U.S., privacy policies are: Posted (100% / 95%); Easy to Find (100% / 92% one click away); Disclose Cookie Usage (100% / 86%); Disclose 3rd-Party Cookie Usage (97% / 63%)

In the U.K., privacy policies are: Posted (77%); Harder to Find (70% one click away); Cookies (80%), 3rd-Party Cookie (96%); Less disclosure on secondary uses of data

Page 15

Privacy Policy Disclosures: Use of 3rd Party Cookies

In U.S. 79% of Websites allow 3rd Parties to Use Cookies to Track Visitors

In U.K. only 50% Allow 3rd Parties To Track Visitors

Page 16

Summary of Privacy Disclosure: UK Compared to US

No Private Audit

Harder-To-Find Privacy Policies and Generally Poorer Disclosure

Less Use of 3rd Party Cookies

Page 17

Part 2: Choice-Consent Study

Create 100 simulated identities and register on Top 100 US web-sites – “OPT-IN”

Create another 100 simulated identities and register on the same 100 US web-sites – but this time we “OPT-OUT”

Compare e-mail, mail, phone calls for the following 6 month period

In UK, followed the same procedure for 56 websites, one year later

Page 18

Postal Mail and Phone Calls

Basically Close to “0” in Both U.S. and U.K. – Can solve the problem of Spam by a small e-Mail Postage?

E-commerce website visits do not generate junk-phone calls (This could Change With New “Do Not Call” Phone List)

Page 19

Figure: Mean Weekly E-Mail Messages (y-axis: messages per week, 0 to 16; x-axis: WEEK NUMBER, 1 to 26). Series: OPT-IN UK, OPT-IN US, UK OPT-IN w/o OUTLIER, US OPT-IN w/o OUTLIER, UK OPT-OUT, US OPT-OUT.

Page 20

Figure: Cumulative Message Volume from Volume Ranked Sites (Opt-in) (y-axis: cumulative share of messages, 0.5 to 1; x-axis: Site ranked by number of messages). Series: UK OPT-IN (40 Sites), US OPT-IN (69 Sites).

Page 21

Figure: Cumulative Message Volume from Volume Ranked Sites (Opt-Out) (y-axis: cumulative share of messages, 0.5 to 1; x-axis: Site ranked by number of messages). Series: UK OPT-OUT (24 Sites), US OPT-OUT (40 Sites).

Page 22

Summary: Choice/Consent Study

EU Law Provided No Protection From Spam

Most e-commerce spam originates from a few “outliers” in both U.S. and U.K.

Page 23

Concluding Remarks

Voluntary e-commerce privacy reporting norms and audit mechanisms evolving without regulation in U.S. through competition

Threat of US legislation may have had a role

Most US merchants highlight their privacy policies to attract business

In U.K. privacy disclosure is oriented to compliance with the law, not marketing

Not clear if regulation and enforcement protects consumers from a small number of scofflaws in e-commerce

Page 24

Or in Accounting…

Consider Enron, WorldCom, etc.

Endogeneity of accounting practices

Given the accounting rules, what can I get away with?

The harder the rules, the easier to bypass (e.g., lease accounting)

Raising punishment also increases incentives to incur costs to avoid being caught

Rule-makers are always a few years behind

Page 25

Statutes

Formal enforcement

Precise definitions

Salient

Come into force at a known time

Enacted through known institutional process

Modified through the institutional process

Transparency

Appeal in democratic polity

Good housekeeping: Let’s make the rules clear

Page 26

Social Conventions

Not well defined

Vary in time and space

Need extended socialization to learn and understand

Penumbra of uncertainty

Incomplete overlap among individual beliefs

Slow, almost imperceptible evolution

Appear less transparent

Scandals mock existing institutions and norms

Default to formal rules and standards

Page 27

Evolution of Financial Reporting

With every scandal, new emphasis on codification of accounting rules

Public image of “precision” in accounting (down to the last penny)

Regulation proposed to address market failures

Failure of government/regulation receives less attention

Page 28

Problems of Setting Accounting Standards

What is a good rule?

Information problem

Design problem

Gaming problem

Signaling problem

Page 29

Caveats

We are careful registrants; less careful consumers might be more susceptible to unintended violations of privacy

Our registrants were relatively passive

We limited our study to mainstream businesses (no adult sites), making our sample “unrepresentative” in a sense