Internet Privacy and Security: An Examination of Online Retailer Disclosures Author(s): Anthony D. Miyazaki and Ana Fernandez Source: Journal of Public Policy & Marketing, Vol. 19, No. 1, Privacy and Ethical Issues in Database/Interactive Marketing and Public Policy (Spring, 2000), pp. 54-61 Published by: American Marketing Association Stable URL: http://www.jstor.org/stable/30000487 . Accessed: 06/08/2014 22:43 Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at . http://www.jstor.org/page/info/about/policies/terms.jsp . JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range of content in a trusted digital archive. We use information technology and tools to increase productivity and facilitate new forms of scholarship. For more information about JSTOR, please contact [email protected]. . American Marketing Association is collaborating with JSTOR to digitize, preserve and extend access to Journal of Public Policy &Marketing. http://www.jstor.org This content downloaded from 203.217.177.216 on Wed, 6 Aug 2014 22:43:22 PM All use subject to JSTOR Terms and Conditions
Transcript
Internet Privacy and Security: An Examination of Online Retailer DisclosuresAuthor(s): Anthony D. Miyazaki and Ana FernandezSource: Journal of Public Policy & Marketing, Vol. 19, No. 1, Privacy and Ethical Issues inDatabase/Interactive Marketing and Public Policy (Spring, 2000), pp. 54-61Published by: American Marketing AssociationStable URL: http://www.jstor.org/stable/30000487 .
Accessed: 06/08/2014 22:43
Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at .http://www.jstor.org/page/info/about/policies/terms.jsp
.JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range ofcontent in a trusted digital archive. We use information technology and tools to increase productivity and facilitate new formsof scholarship. For more information about JSTOR, please contact [email protected].
.
American Marketing Association is collaborating with JSTOR to digitize, preserve and extend access toJournal of Public Policy &Marketing.
http://www.jstor.org
This content downloaded from 203.217.177.216 on Wed, 6 Aug 2014 22:43:22 PMAll use subject to JSTOR Terms and Conditions
Internet Privacy and Security: An Examination of Online Retailer Disclosures
Anthony D. Miyazaki and Ana Fernandez
The Federal Trade Commission has declared the privacy and security of consumer informa- tion to be two major issues that stem from the rapid growth in e-commerce, particularly in terms of consumer-related commerce on the Internet. Although prior studies have assessed online retailer responses to privacy and security concerns with respect to retailers' disclo- sure of their practices, these studies have been fairly general in their approaches and have not explored the potential for such disclosures to affect consumers. The authors examine online retailer disclosures of various privacy- and security-related practices for 17 product categories. They also compare the prevalence of disclosures to a subset of data from a con- sumer survey to evaluate potential relationships between online retailer practices and con- sumer perceptions of risk and purchase intentions across product categories.
Consumers have little privacy protection on the Internet. - Federal Trade Commission Press Release, June 4, 1998
The Federal Trade Commission today told a House Committee that business on the Internet could explode-from $2.6 billion in 1996 to $220 billion in 2001--but if the trend is to continue, con- sumers must feel confident that the Internet is safe from fraud.
- Federal Trade Commission Press Release, June 25, 1998
The past decade has witnessed rapid escalation of the diffusion of the Internet as a source of consumer enter- tainment, education, and marketplace exchange.' The
growth of online retailing in particular has been well docu- mented, and estimates of annual revenues have reached $13 billion for 1998 (Holstein, Thomas, and Vogelstein 1998). For example, the National Retail Federation reports that 26% of retailers had Internet sites in 1998, compared with only 8% in 1996 (Holstein, Thomas, and Vogelstein 1998; for similar figures, see Ernst & Young 1999). Consumer patronage of such sites also continues to grow. According to America Online, currently the largest Internet service provider, 48% of its 14 million subscribers had purchased goods online as of December 1998 (Holstein, Thomas, and Vogelstein 1998).
In conjunction with this surge in e-commerce is a related increase in the amount of information marketers collect and
store regarding not only consumer characteristics but also actual shopping behavior. Because most features of online marketing transactions can be recorded electronically for future use by marketers, the amount of data gathered by marketers is growing at constantly accelerating rates. Unfortunately, this burgeoning reservoir of information is accompanied by technologically enhanced versions of two previously studied database issues, namely, the privacy and security of accumulated consumer data. These issues are of interest to policymakers with respect to both protecting con- sumers' rights regarding the privacy and security of their personal and financial information and facilitating the con- tinued growth of e-commerce and the benefits it brings to consumers and businesses (e.g., enhanced efficiencies of information exchange and targeted communication).
Because many retailer practices have implications for pri- vacy- and security-related issues, a key element of proposed legislation in this area involves the online disclosure of such practices. As discussed subsequently, these online disclo- sures may be helpful in preventing and/or reducing con- sumer concerns regarding Internet privacy and security. Although several prior academic and industry studies have evaluated commercial Web sites for privacy- and security- related disclosures, most have taken a general approach and have not examined how such disclosures may affect con- sumer behavior. We assess disclosures of online retailers at a more detailed level by delineating the various levels of retailer response to several privacy and security concerns. We then compare the prevalence of privacy- and security- related disclosures with a subset of risk perception and online purchase intention data from a consumer survey. Finally, we discuss implications for online retailing.
Privacy and Security of Consumer Information A major ethical issue in the collection and management of consumer information is the privacy of that information (Bloom, Milne, and Adler 1994; Chdnko 1995; Foxman and Kilcoyne 1993; Jones 1991). Indeed, privacy is often
IAlthough the Internet includes various modes of information exchange, such as directed communication (e.g., e-mail), posted communication (e.g., Usenet groups), real-time communication (e.g., Internet Relay Chat), and file transfer systems (e.g., File Transfer Protocol), our focus is the use of the World Wide Web (e,g., homepages, Web sites) as a main or alternative storefront that allows for interactive consumer-initiated information exchange (see Hoffman and Novak 1996). This information exchange may range from basic communications regarding products and physical retail outlets to completely automated purchase and shipment procedures.
ANTHONY D. MIYAZAKI is Assistant Professor of Marketing, and ANA FERNANDEZ is a research assistant, School of Business Administration, University of Miami. The authors gratefully acknowledge constructive comments from the special issue editor and the anonymous JPP&M reviewers.
54 Journal of Public Policy & Marketing Vol. 19 (1)
Spring 2000, 54-61
This content downloaded from 203.217.177.216 on Wed, 6 Aug 2014 22:43:22 PMAll use subject to JSTOR Terms and Conditions
viewed, even from a legal perspective, as a distinct con- sumer right (Goodwin 1991). With respect to online shop- ping, recent research by Rohm and Milne (1998) demon- strates that a majority of Internet users-both those who have made online purchases and those who have not-have several concerns regarding information privacy, including issues related to the acquisition and dissemination of con- sumer data.
In conjunction with information privacy, security (partic- ularly information theft and misuse) also has been labeled a key concern of e-commerce by various government and con- sumer organizations (e.g., Brinkley 1998; Consumer Reports Online 1998; Cyberspace Law Institute 1999; Federal Trade Commission 1998a; National Consumers League 1999) as well as many articles in trade publications and the popular press (e.g., Briones 1998; CNN 1999; Folkers 1998; Judge 1998; Machrone 1998; Rothfeder 1997). These two issues are interrelated, because when the protection of consumer privacy is considered, the secure storage and transmission of consumer information contained in organizational databases also are viewed as the responsibilities of participant organi- zations (Federal Trade Commission 1998a; Jones 1991).
From a public policy perspective, consumers are assumed to have certain rights to privacy and security of their infor- mation when conducting online transactions. Publicity regarding these issues has sparked several calls for legislation (see Bloom, Milne, and Adler 1994; Milne 1997) that vary as to their requirements for changes in practices versus simple disclosure of practices. Presumably, changes in online retailer practices that are deemed consumer friendly will build online shoppers' confidence with respect to their future purchasing activities. Conversely, increasing media coverage of these issues may decrease consumer confidence by highlighting the risks involved in online shopping and thus deter full con- sumer adoption of e-commerce (Judge 1998). Therefore, the role of policymakers is twofold: to facilitate the adoption of online shopping with its proposed market efficiencies and simultaneously to protect and inform consumers by making risks of Internet commerce known to all potential and active participants. From a marketing perspective, the disclosure of online retailer practices may serve both to inform consumers about risks of online practices and to reduce consumer risk perceptions and increase purchase behavior.
Online Disclosure of Privacy- and Security-Related Practices Appropriate online retailer practices regarding the privacy and security of consumer information are the topic of much recently proposed or enacted legislative measures. For exam- ple, proposed regulation, such as the Consumer Internet Privacy Protection Act of 1999 (H.R. 313), the Online Privacy Protection Act of 1999 (S. 809), and the Inbox Privacy Act of 1999 (S. 759), all examine at least one aspect of online acquisition and disclosure of consumer information. The recently enacted Children's Online Privacy Protection Act of 1998 (16 C.F.R. Part 312), which applies to children younger than 13 years of age, is even more restrictive in the disclosure and consumer contact requirements that may be imposed on certain types of Web sites. Similar legislation has been proposed regarding Internet security issues such as the
E-Privacy Act (S. 2067) and the Secure Public Networks Act (S. 909), both of which deal with encryption rights and stan- dards regarding domestic and international e-commerce.
In general, policymakers are tending toward regulations that make online retailers responsible for disclosing con- sumer information acquisition, usage, and protection prac- tices. In fact, disclosure of online information privacy prac- tices has been the subject of several recent Federal Trade Commission (FTC) investigations, including one in March 1998 wherein more than 90% of examined Web sites (more than 1400 in total) collected some type of personal informa- tion from visitors to their pages. In contrast, only 14% of the 674 commercial Web sites examined provided any type of notification regarding information collection practices, and only 2% provided comprehensive privacy policies (FTC 1998d; see also FTC 1999). A more recent examination by Culnan (1999a) finds that 65.9% of the 361 ".com" Web sites examined provided at least one type of privacy disclo- sure (see Culnan 1999b).
Online Retailer Responses to Privacy Concerns Considering the privacy and security issues raised by gov- ernment and consumer groups, we now outline three key pri- vacy concerns and three online retailer methods of dealing with perceived security problems (Table I presents the vari- ous types of online retailer responses to privacy and security issues). We then discuss how the disclosure of such infor- mation may relate to consumer perceptions and intentions.
Online Customer Identification Of concern to policymakers is whether and to what degree an online retailer collects personal information from Web site customers (see Culnan 1995, 1999a). Although several of the aforementioned legislative efforts advocate full disclo- sure of information acquisition activities, most information provided to online businesses is done knowingly by con- sumers. There exists, however, the ability for online retailers to identify and gather information on repeat visitors to a Web site by placing coded information (called "cookies") on computer users' hard drives without their knowledge (Samuel and Scher 1999). This information may be com- bined with previously provided personal information to track patterns of Web site exploration and information search behavior.2 The concealed nature of this information acquisi- tion highlights the importance for online retailers to disclose their use of cookies or similar technologies so that customers will know to what degree they will be identified when they return to a particular Web site. Surprisingly, none of the aforementioned legislation specifically addresses this issue.
Online retailers may offer various levels of responses to customer identification issues. The most extreme position
2Although Internet users may adjust their Web browsers to reject all or certain types of cookies or to warn them before a cookie is placed on their hard drive, many consumers lack knowledge of this function. Furthermore, several online product ordering systems require the use of cookies to track selected products so that the purchase process can be carried out. The use of cookies can enable an Internet user to browse to a particular site and automatically be presented with information uniquely preferred by that user, whether by conscious choice (i.e., selected stock quotes or news top- ics) or by way of marketer analysis of online search and purchase patterns (i.e., online catalog offerings or banner advertising that correspond to pre- determined user interests).
This content downloaded from 203.217.177.216 on Wed, 6 Aug 2014 22:43:22 PMAll use subject to JSTOR Terms and Conditions
Table 1. Online Retailer Responses to Privacy and Security Issues
Privacy Issuesa
Online customer identification (including use of cookies) No policy statement regarding this issue Identifies customer when customer logs onto site Identifies customer when customer logs onto site unless cus-
tomer opts out Identifies customer only if customer requests such identifica-
tion (e.g., "Remember name/password") Does not identify customer when customer logs onto site
Unsolicited customer contacts No policy statement regarding this issue Uses information to make unsolicited customer contacts Uses information to make unsolicited customer contacts unless
customer opts out Uses information to make unsolicited customer contacts only if
requested by customer Uses information only for internal purposes without contacting
customer Does not collect any information
Distribution of customer information to third parties No policy statement regarding this issue Shares information with other companies Carefully (cautiously) shares information with other companies Shares information with other companies unless customer opts
out Carefully (cautiously) shares information with other companies
unless customer opts out Shares information with other companies only if requested by
customer Does not share information with other companies Does not collect any information
Security Issues
Secure transactions
Online credit card security guarantees
Alternative payment options
aRetailer responses for privacy issues are ordered from least favorable to most favorable from a consumer privacy perspective.
(perhaps preferred by strict privacy advocates) is never to identify customers when they access a site. Alternatively, a consumer opt-in choice would allow such identification to occur only if the customer explicitly requests such a practice (e.g., checking a box that asks the online retailer to "remem- ber my name and password"). Negative option, or opt-out, choices, which have been suggested by several legislative efforts and are often practiced in mail-order marketing (Milne 1997), enable consumers to prohibit automatic iden- tification by either checking an opt-out box during initial registration or separately contacting the online retailer and requesting that such identification does not occur. An even less desirable level of response from a consumer privacy perspective would be constant identification of consumers as they access the Web site, without an opt-out alternative. Finally, the response most likely seen by policymakers as
the least favorable is the lack of any communication to the Internet user regarding the online customer identification practices of the particular retailer (Brinkley 1998; FTC 1998b).
Unsolicited Customer Contacts The practice of collecting consumer information for one purpose and then using that information to make unsolicited contacts has long been a privacy issue (see Goodwin 1991; Milne 1997). With respect to the Internet, the majority of legislative efforts address unsolicited customer contacts as a common concern for consumers and thus one of two key issues for regulation. As with online customer identifica- tion, responses to the unsolicited contact concerns vary as to the level of privacy protection they offer. At the most favor- able level (from a privacy perspective), online retailers would not collect any information from consumers, thus
prohibiting the retailers from making unsolicited contacts. A similar situation would involve the collection of personally identifying information combined with the presence of a
policy that the information would not be used for contacting customers. Opt-in and opt-out policies represent the next two levels of response; the latter is the most common response in current direct marketing activities (see Milne 1997).3
Customer Information Distribution The other key regulatory issue is the degree to which customer information will be shared (i.e., rented or sold) to third parties that have marketing-related interests in such data. Though an
important issue in much privacy research (e.g., Culnan 1995; Goodwin 1991; Milne 1997), this concern has just begun to receive interest with respect to online shopping, particularly in light of the aforementioned legislative efforts. Possible online retailer responses to information distribution concerns are similar to those listed previously for customer contacts (i.e., not collecting information and opt-in and opt-out choices). One aspect of information disclosure that differs from the cus- tomer contact issue is that companies may provide assurance that they will share information selectively, that is, with other parties that will (1) make offerings to the consumer that will be of interest to the consumer and/or (2) use responsibly the information that is shared. These levels of response would pre- sumably be favored by consumers over more general state- ments of sharing information. In support of this, Milne (1997) finds that consumers are more willing to allow the transfer of
personal information when response cards state that personal information will be provided to "mail-order businesses that have products or services that we think will be of interest to you" rather than when response cards state that the informa- tion will be provided merely to mail-order businesses.
Online Retailer Responses to Security Concerns A key security concern involved in online shopping pertains to unauthorized third-party access of consumers' personal
3Although consumers may have certain rights to opt out of a customer contact procedure regardless of the disclosure of such a policy, we focus on disclosure because many consumers have been shown to be unaware of their rights with respect to database privacy issues and particularly opt-out procedures (see Rohm and Milne 1998).
This content downloaded from 203.217.177.216 on Wed, 6 Aug 2014 22:43:22 PMAll use subject to JSTOR Terms and Conditions
and financial information. Consumer concerns regarding this issue are highlighted because of publicized security breaches of online retailer database information, such as Hallmark's discovery that consumers' personal electronic greeting card messages (on what was likely thought of as a secure site) were actually available to anyone using the site's search engine (CNN 1999). Given that the presence of online security concerns may curtail purchase behavior, the alleviation of these concerns would seem to be a key focus of online retailers. We now discuss three potential online communication practices presumably designed to reduce consumers' security concerns.
Secure Transactions The protection of the online transaction of information (whether personal or financial) is a technological issue. Yet Internet security advocates suggest that retailers provide consumers with information regarding the safeguarding of transactions, either with clearly labeled "secure servers" or prominent links to security policies (Consumer Reports Online 1998; FTC 1998a). Thus, in addition to the actual provision of secure transaction technology (e.g., secure servers, secure sockets layer encryption), online retailers have been counseled to assuage the concerns of consumers by communicating the security of their online information systems.
Online Credit Card Security Guarantees To diminish consumer security concerns (see National Consumers League 1999) even further, some online retailers have implemented consumer guarantees against credit card fraud that may occur as a result of online divulgence of credit card information (e.g., Amazon.com's safe shopping guar- antee or Wal-mart's online security guarantee). These guar- antees, which sometimes reference the Fair Credit Billing Act (15 U.S.C. 1601-67), typically pledge reimbursement of unauthorized charges made to a credit card if such charges resulted from purchasing through the online retailer's secure system. Because the maximum retailer liability for such a guarantee would typically be $50 and because cases of online credit card fraud from security breaches are reported as very infrequent, this retail practice would likely serve as a reasonable method of allaying consumer concerns.
Alternative Payment Options A key consumer concern of online shopping is the intercep- tion of credit card information (National Consumers League 1999). A viable retailer response would be the provision of alternative payment (or ordering) options that enable the online customer to shift certain components of the transac- tion to the Internet (e.g., information acquisition, ordering) while still conducting more vulnerable components (e.g., actual payment) offline. Several online retailers offer con- sumers the opportunity to complete and submit orders through the Internet, combined with telephone or facsimile transmission of credit card information. Some Web sites also suggest mailing, faxing, telephoning, or e-mailing both the order and the payment if the consumer has concerns over a complete Web site transaction. Offering alternative payment methods is not seen as an ideal retailer response, because the efficiencies of Internet ordering and payment are sacrificed
as the percentage of offline purchase transactions increases. Thus, although this practice may reduce consumer concern, it may also reduce actual online purchasing.
Privacy and Security Disclosures and Consumer Behavior
Although efforts to implement mandatory disclosure of the
previous issues and practices are based on a consumer pri- vacy perspective, the disclosure of privacy and security information may also be useful from a marketing strategy perspective. Specifically, if concerns about privacy and security issues tend to raise risk perceptions and lower pur- chase likelihoods, higher levels of privacy- and security- related disclosure may be useful in stemming such concerns. This, in turn, would be expected to result in lower consumer risk perceptions and higher purchase likelihoods. Thus, it is expected that the percentage of Web sites with (1) privacy- related statements and (2) security-related statements for a particular shopping category will be negatively related to consumer risk perceptions regarding online shopping in that category and would be positively related to consumer online purchase intentions in that category.
Method and Results Examination of Web Sites Web sites for 381 commercial enterprises based in the United States and targeting U.S. consumers were visited in the first two months of 1999 and were examined with respect to the privacy and security issues raised previously. The Web sites were randomly sampled from three popular shopping portals (excite.com, yahoo.com, and netscape.com), and each site was placed into one of 17 shopping categories that appeared to be the main emphasis of each site's sales efforts at that time. The 17 categories were fairly common across the por- tal sites and represent a broad array of goods. (A list of spe- cific Web sites is available upon request from the authors.)
Trained researchers accessed each Web page; searched for any information pertaining to privacy and security issues; and printed the pages on which this information was found, pages with links to such information, and the site home page (i.e., initial starting page). Each Web site was then coded (see Table 1) by the authors with respect to its information regarding (1) customer identification (including the use of cookies), (2) customer contact, and (3) informa- tion sharing. The sites were also coded according to the presence or absence of written information regarding (I) secure transaction systems, (2) credit card fraud guarantees, and (3) alternative ordering methods.4 Initial coding agree- ment was high (93% across all variables), and disagree- ments were resolved by discussion. Although the general approach used here is comparable to that reported by one of the FTC's (1998d) recent studies on e-commerce, the cur- rent research reports not only the presence of information privacy and/or security disclosure but also the type and level of disclosure.
4Third-party endorsements (e.g., seals of approval such as VeriSign, TRUSTe, and CPA WebTrust) were not examined in this study, nor was the activation of secure link icons (i.e., a locked padlock or unbroken key), which appear on popular Web browsers.
This content downloaded from 203.217.177.216 on Wed, 6 Aug 2014 22:43:22 PMAll use subject to JSTOR Terms and Conditions
aAll numbers for privacy and security information are percentages of sites within a particular category that gave some type of notification (statement, policy, and so forth) to consumers regarding the privacy or security issue in question.
bRisk and purchase likelihood numbers represent aggregated means from the consumer survey.
Descriptive Results The general results show that the disclosure of online pri- vacy practices has risen since the March 1998 FTC (1998e) survey and is comparable to the March 1999 survey (Culnan 1999a). Although the 1998 FTC study indicates that 14% of commercial Web sites made mention of practices related to consumer information privacy and Culnan (1999a) reports a 65.9% disclosure rate in March 1999, our data
(January/February 1999) show overall disclosure (i.e., the presence of any type of privacy statement) to be 41.5%.
(Note that direct comparisons across these studies are not feasible because of differences in the samples used.) We
present the results from the study in Table 2. For individual types of privacy concerns, disclosure of
practices related to unsolicited customer contact constituted 33.6% (n = 128) of the current sample. Regarding the vari- ous levels of privacy protection, 19 (5.0%) promised no unsolicited contacts, 38 (10.0%) contacted only if requested, 60 (15.7%) provided an opt-out alternative, and 11 (2.9%) stated that contacts would occur but did not give an opt-out alternative. The remaining 253 (66.4%) sites provided no information regarding unsolicited consumer contacts.5
The sharing of information with other companies was dis- closed by only 112 (29.4%) of the examined online retailers. With respect to privacy protection levels, 65 sites (17.1%) reported no sharing of consumer information; 2 (.5%) shared information only if requested by the customer (an opt-in procedure); 19 (5.0%) carefully shared information but provided an opt-out alternative, whereas 16 (4.2%) merely provided the opt-out alternative; 3 (.8%) agreed to share carefully but had no opt-out procedure; and 7 (1.8%) merely shared information without further notification. The remaining 269 sites (70.6%) had no such privacy statement.
Online customer identification procedures had the lowest disclosure rates: Only 88 sites (23.1%) offered this type of statement. Nineteen sites (5.0%) explicitly stated that they never identified customers who access the site, 12 (3.1%) provided an opt-in alternative, 18 (4.7%) provided an opt- out alternative, and 39 (10.2%) stated that they identified customers but did not provide any opt-out alternatives.
With respect to methods of responding to security con- cerns, 250 sites (65.6%) disclosed at least one of the three
security-related practices described previously. Specifically, 193 (50.7%) indicated that transactions were secure, but
I
50Of the 381 commercial Web sites in the sample, 88 did not allow a full purchase transaction-including payment by credit card-to be made over the Internet. However, many of the sites still allowed nonpayment communi- cation of personal information, such as asking questions, joining mailing lists, stating product preferences, and even online ordering with preshipment, postshipment, or COD billing. Because these sites still collect personal and some financial consumer information, many privacy advocates contend that the online retailers should still disclose privacy and security practices. Nevertheless, we present in this footnote the aggregate privacy and security figures for only those Web sites that allowed credit card transactions.
Of the 293 sites allowing credit card transactions, 146 (49.8%) had some type of privacy statement. Disclosure figures for the individual types of pri- vacy concerns were 118 (40.3%) for unsolicited customer contacts, 102 (34.8%) for customer information distribution, and 82 (28%) for online customer identification. Regarding security-related statements, 230 (78.5%) had some type of security statement, 192 (65.5%) communicated the presence of secure transaction systems, 22 (7.5%) had online security guarantees, and 161 (54.9%) explicitly disclosed alternative payment methods.
This content downloaded from 203.217.177.216 on Wed, 6 Aug 2014 22:43:22 PMAll use subject to JSTOR Terms and Conditions
only 22 (5.8%) guaranteed that security. Finally, 181 sites (47.5%) explicitly offered alternative purchasing methods.
The disclosure rates varied considerably across shopping categories. As can be seen in Table 2, Web site categories such as department stores and toys and games had higher percentages of privacy statements, whereas lower percent- ages were found in categories such as home decor and rugs and carpets.
The Relationship Between E-Retailer Responses and Consumer Perceptions To examine whether the prevalence of privacy and security disclosures relates to consumer perceptions, we compared the Web site examination detailed previously with a subset of data from a March 1999 investigation of 160 Internet users.6 The data are from a pencil-and-paper survey used to explore consumers' Internet usage activities and their per- ceptions regarding online shopping. Among other items not examined here, the questionnaire included purchase likeli- hood and risk perception measures for 17 categories of goods sold online at the time of the study; these categories matched those used for the Web site examination. Purchase likelihood for each category was measured with a seven- point response item that asked how likely respondents were to make Internet purchases for each shopping category and was anchored with "very unlikely" (1) and "very likely" (7). Risk perception was assessed by asking how risky online purchases are in each category on a scale anchored with "not risky" (1) and "risky" (7).
To assess the expected relationships, the percentages of privacy- and security-related statements from the Web site examination (Columns 5 and 9 of Table 2) were compared with the risk perceptions and purchase likelihoods from the consumer survey at -the shopping category level. Spearman's rank correlations were calculated for each pair of variables.
Although the prevalence of privacy and security state- ments was expected to be negatively correlated with risk perceptions, analyses showed no relationship for either pri- vacy (rs = -.06, n.s.) or security (rs = -.01, n.s.). However, the percentage of privacy statements in a category was pos- itively related (as expected) to category-level online pur- chase likelihoods (rs = .65, p < .01). Likewise, the percent- age of security statements in a category was positively related to online purchase likelihoods (rs = .44, p < .05).7
Discussion In addition to providing a comparison point with FTC- related research, the present examination of commercial
Web sites delves further into Internet privacy and security issues by examining the degree of favorableness of actual online retailer practices from a privacy policy perspective. In addition, by integrating data from a consumer survey, we show that a positive relationship exists between the percent- age of privacy- and security-related statements on Web sites for particular online shopping categories and consumers' online purchase likelihoods for those categories.8
Limitations and Future Research Directions Although the examination presented here is helpful for understanding disclosure practices of online retailers, sev- eral limitations should be addressed in further research. First, the rapid growth of the Internet and online shopping practices makes published research such as this dated by the time of publication. The examination of online disclosure practices should be an ongoing research effort, particularly with respect to how such practices may affect consumer per- ceptions. A second limitation involves the measure of per- ceived risk used in the consumer survey. More-specific measures of perceived risk would aid in understanding how consumers perceive the various dimensions of risk with respect to online shopping. For example, various risk dimensions may be more salient depending on the product category that is being considered for online purchase. Finally, instead of examining only perceived risk toward general online shopping, specific assessments of risk regard- ing privacy, online retailer fraud, and the security of online transaction systems would be helpful for understanding those aspects that may be influenced by online disclosures.
There are several directions that future policy-related marketing research can take to advance knowledge that will be beneficial to both consumers and businesses. For exam- ple, much of the proposed legislation is targeted toward mandatory disclosures of online retailers' collection, use, and dissemination of consumer data. These disclosures are often seen by policymakers as necessary information tools so that consumers can operate with more complete knowl- edge of retailer practices (Andrews 1998). The same disclo- sures may be seen by retailers as an opportunity to reduce consumer concerns regarding privacy issues. An approach suggested by Milne and Boza (1999) uses concepts from relationship marketing to focus online retailer responses to privacy and security issues so that these responses empha- size the development and improvement of trust between marketers and consumers. Thus, instead of focusing on con- cerns, the focus shifts to trust, which Milne and Boza describe as a distinct approach to managing potential pri- vacy issues regarding database management (cf. Milne and Gordon 1993). Because the method or format of information disclosures can affect consumer perceptions and behavior (e.g., Sprott, Hardesty, and Miyazaki 1998), research that examines how such approaches can satisfy new legislative requirements would be helpful. Consumers would receive 6Respondents were randomly solicited in a major international airport of
a large U.S. city (the effective response rate was 84.7%). See Miyazaki and Fernandez (2000) for survey details, including sample characteristics.
7In support of our previous suggestion that alternative ordering methods may not be as effective in increasing online ordering as the other security information disclosures, the Spearman's rank correlation between alterna- tive ordering methods and purchase likelihoods was nonsignificant (rs = .06), whereas the correlation between the rate that either of the other secu- rity statements appeared and purchase likelihoods was significant (r, = .65, p <.01).
8Although the prevalence of privacy- and security-related disclosures was not found to be related to category-level risk perceptions, this may have been an artifact of the diversity in the dimensions of risk that each product category may invoke. Considering that our one-item risk percep- tion measure was generic, any such variance in the dimension of risk con- sidered by consumers when responding to each category could have hin- dered the findings.
This content downloaded from 203.217.177.216 on Wed, 6 Aug 2014 22:43:22 PMAll use subject to JSTOR Terms and Conditions
the disclosures required by policymakers, and marketers would enjoy the benefits of increased effectiveness from a
managerial perspective. Although several legislative efforts appear to be directed
at e-commerce, policymakers should continue to evaluate not only online practice and consumer perceptions but also
expert opinion regarding the seriousness of threats such as undisclosed customer identification and tracking-two issues that have received little attention in pending legisla- tion. In addition, privacy and security concerns may have differential effects on consumer perceptions and behavior, perhaps complicating policymakers' efforts to inform con- sumers of unsafe online practices while still avoiding unnecessary deceleration of Internet adoption rates. As such, the barrage of privacy and security warnings issued to consumers may have mixed effects on consumer confi- dence, particularly as the Internet becomes perceived as a
necessary element of modern life. An additional concern is the direction in which legislation
is headed. Petty (1998) contends that though there will be continued efforts to reduce deceptive practices, the emerg- ing focus will be on reducing unfairness, particularly as it
applies to the targeting of potentially vulnerable audi- ences-a practice that will be increasingly easy to facilitate as Internet-related database information grows.
As the popularity of the Internet continues to rise, the pri- vacy and security issues discussed here will inevitably change. Future alternatives to credit cards, such as elec- tronic money or "e-cash" (Rothfeder 1997), are unlikely to relieve consumer concerns regarding privacy and security. Similarly, online credit card guarantees, though calming some system security worries, may do little to resolve pri- vacy concerns. Conversely, third-party endorsers, such as TRUSTe, Better Business Bureau Online, or Web Assurance Bureau, may be useful in building trust between consumers and participating online retailers with respect to
privacy but may not resolve security issues. The introduc- tion of security-related seals of approval, however, such as VeriSign and CPA WebTrust, may resolve this concern. In summary, the solution to many of these matters, from both
privacy and security perspectives, will likely derive from a combination of strategic actions, such as guarantees or endorsements, and the incorporation of various theoretical
approaches, such as building trust and adhering to implied social contracts.
References Andrews, J. Craig (1998), "Warnings and Disclosures: Special
Editor's Note," Journal of Public Policy & Marketing, 17
(Spring), 1-2.
Bloom, Paul N., George R. Milne, and Robert Adler (1994), "Avoiding Misuse of New Information Technologies: Legal and Societal Considerations," Journal of Marketing, 58 (January), 98-110.
Brinkley, Joel (1998), "F.T.C. Surfs the Web and Gears Up to Demand Privacy Protection," New York Times, (September 21), 1,4.
Chonko, Lawrence B. (1995), Ethical Decision Making in Marketing. Thousand Oaks, CA: Sage Publications.
CNN (1999), "A Hallmark Nightmare: Online Glitch Makes Intimate Messages Public," CNN Interactive, (February 12), (accessed February 12), [available at http://cnn.com/US/9902/ 12/romeos.revealed.ap].
Consumer Reports Online (1998), "Some Bits and Bytes of Consumer-Friendly Sites," special report, (accessed February 18), [available at http://www.consumersunion.org/Speciall Samples/Reports/9812shp2.htm].
Culnan, Mary J. (1995), "Consumer Awareness of Name Removal Procedures: Implications for Direct Marketing," Journal of Direct Marketing, 9 (Spring), 10-19.
- (1999a), "Georgetown Internet Privacy Policy Survey: Report to the Federal Trade Commission," (June), (accessed July 27), [available at http://www.msb.edu/faculty/culnanm/ gippshome.html].
- (1999b), "Privacy and the Top 100 Web Sites: Report to the Federal Trade Commission," prepared for the Online Privacy Alliance, (June), (accessed November 22), [available at http://www.privacyalliance.org/resources/100_summary.shtml].
Cyberspace Law Institute (1999), "The Public Policy Problems of the Internet," (accessed January 28), [available at http://www. cli.org/selford/problems.htm].
Ernst & Young (1999), "Second Annual Internet Shopping Survey," (accessed August 2), [available at http://www.ey.com/ industry/consumer/internetshopping].
Federal Trade Commission (1998a), "Consumer Privacy on the World Wide Web," prepared statement presented to the Subcommittee on Telecommunications, Trade and Consumer Protection of the House Committee on Commerce, U.S. House of Representatives, Washington, DC (July 21).
- (1998b), "Cybersmarts: Tips for Protecting Yourself When
Shopping Online," (July 1998), (accessed January 29), [available at http://www.ftc.gov/bcp/conline/pubs/online/cybrsmrt.htm].
- (1998c), "Fraud Could Slow Growth of Electronic Commerce," FTC Press Release (June 25), FTC File No. P97- 4406. Washington, DC: Federal Trade Commission.
- (1998e), Internet Privacy, prepared statement presented to the Subcommittee on Courts and Intellectual Property of the House Committee on the Judiciary, U.S. House of Representatives, Washington, DC (March 26).
- (1999), FTC International Web Survey: Disclosure of General Business and Contract-Related Information by Online Retailers, presented at U.S. Perspectives on Consumer Protection in the Global Electronic Marketplace public work- shop, (June 8-9), (accessed November 22), [available at http://www.ftc.gov/bcp/icpw/index.htm].
Folkers, Richard (1998), "Jimmying the Internet: Why the U.S. Encryption Standard Is Very Vulnerable," U.S. News & World Report, (September 14), 45-46.
Foxman, Ellen R. and Paula Kilcoyne (1993), "Information Technology, Marketing Practice, and Consumer Privacy: Ethical Issues," Journal of Public Policy & Marketing, 12 (Spring), 106-19.
Goodwin, Cathy (1991), "Privacy: Recognition of a Consumer Right," Journal of Public Policy & Marketing, 19 (Spring), 149-66.
This content downloaded from 203.217.177.216 on Wed, 6 Aug 2014 22:43:22 PMAll use subject to JSTOR Terms and Conditions
Hoffman, Donna L. and Thomas P. Novak (1996), "Marketing in Hypermedia Computer-Mediated Environments: Conceptual Foundations," Journal of Marketing, 60 (July), 50-68.
Holstein, William J., Susan Gregory Thomas, and Fred Vogelstein (1998), "Click 'Til You Drop," U.S. News & World Report, (December 7), 42-45.
Jones, Mary Gardiner (1991), "Privacy: A Significant Marketing Issue for the 1990s," Journal of Public Policy & Marketing, 10 (Spring), 133-48.
Judge, Paul C. (1998), "How Safe Is the Net?" BusinessWeek, (June 22), 148-52.
Machrone, Bill (1998), "Trust Me?" PC Magazine, (June 9), 85.
Milne, George R. (1997), "Consumer Participation in Mailing Lists: A Field Experiment," Journal of Public Policy & Marketing, 16 (Fall), 298-309.
- and Maria-Eugenia Boza (1999), "Trust and Concern in Consumers' Perceptions of Marketing Information Management Practices," Journal of Interactive Marketing, 13 (1), 5-24.
- and Mary Ellen Gordon (1993), "Direct Mail Privacy- Efficiency Trade-Offs Within an Implied Social Contract Framework," Journal of Public Policy & Marketing, 12 (Fall), 206-13.
Miyazaki, Anthony D. and Ana Fernandez (2000), "Consumer Perceptions of Privacy and Security Risks for Online Shopping," working paper, Marketing Department, University of Miami.
National Consumers League (1999), "Consumers in the 21st Century," (May 19), (accessed August 2), [available at http://www.natlconsumersleague.org/FNLSUM I.PDF].
Petty, Ross D. (1998), "Interactive Marketing and the Law: The Future Rise of Unfairness," Journal of Interactive Marketing, 12 (Summer), 21-31.
Rohm, Andrew J. and George R. Milne (1998), "Emerging Marketing and Policy Issues in Electronic Commerce: Attitudes and Beliefs of Internet Users," in Marketing and Public Policy Proceedings, Vol. 8, Alan Andreasen, Alex Simonson, and N. Craig Smith, eds. Chicago: American Marketing Association, 73-79.
Rothfeder, Jeffrey (1997), "No Privacy on the Net," PC World, (February), 223-29.
Samuel, Alexandra and Abby Scher (1999), "Cookies Are Not So Sweet-Online Database Marketing," Dollars & Sense, (January/February), 7.
Sprott, David E., David M. Hardesty, and Anthony D. Miyazaki (1998), "Disclosure of Odds Information: An Experimental Investigation of Odds Format and Numeric Complexity," Journal of Public Policy & Marketing, 17 (Spring), 11-23.
This content downloaded from 203.217.177.216 on Wed, 6 Aug 2014 22:43:22 PMAll use subject to JSTOR Terms and Conditions
