The role of privacy policy on consumers’ perceived privacy

https://doi.org/10.1016/j.giq.2018.04.002Get rights and content

Highlights

  • We test a Privacy Boundary Management Model and perceived effectiveness of FIPPs.

  • Access, notice, security, and enforcement affect the effectiveness of privacy policy.

  • Perceived effectiveness significantly influences privacy control and privacy risk.

  • Privacy control, privacy concern, and trust significantly influence perceived privacy.

  • The results have important implications for policy makers and financial institutes.

Abstract

With today's big data and analytics capability, access to consumer data provides competitive advantage. Analysis of consumers' transactional data helps organizations to understand customer behaviors and preferences. However, prior to capitalizing on the data, organizations ought to have effective plans for addressing consumers' privacy concerns because violation of consumer privacy brings long-term reputational damage. This paper proposes and tests a Privacy Boundary Management Model, explaining how consumers formulate and manage their privacy boundary. It also analyzes the effect of the five dimensions of privacy policy (Fair Information Practices) on privacy boundary formation to assess how customers link these dimensions to the effectiveness of privacy policy. Survey data was collected from 363 customers who have used online banking websites for a minimum of six months. Partial Least Square results showed that the validated research model accounts for high variance in perceived privacy. Four elements of the Fair Information Practice Principles (access, notice, security, and enforcement) have significant impact on perceived effectiveness of privacy policy. Perceived effectiveness in turn significantly influences perceived privacy control and perceived privacy risk. Perceived privacy control significantly influences trust and perceived privacy. Perceived privacy concern and trust also significantly influence perceived privacy.

Introduction

We live in the era of big data that dramatically transforms the way we make decisions (Janssen, van der Voort, & Wahyudi, 2017). Big data is the “data sets whose size is beyond the ability of typical database software tools to capture, store, manage, and analyze” (Manyika, Chui, Brown et al., 2011). New information and communication technologies (ICTs) have enabled the big data trend by providing the capability to capture and store huge amounts of consumer data which serves as the core of the big data trend (Chen, Chiang, & Storey, 2012). When properly collected, stored, and processed, consumer data may allow organizations to understand customer behaviors and preferences. Such knowledge is valuable in customizing and personalizing products and services to meet customer needs, thereby equipping companies with a competitive advantage (Erevelles, Fukawa, & Swayne, 2016).

While businesses are eager to access customer data, privacy factor remains the most salient issue that must be solved before organizations could capitalize on the value of a data-centric service economy (Janssen & van den Hoven, 2015; TRUSTe, 2011). Given that each piece of data leaves behind electronic trails of customer activities, individuals are concerned about how companies collect and use their private information (Janssen & Kuk, 2016; Morey, Forbath, & Schoop, 2015) This situation, together with the increasing number of online information leaks, heightens customers' privacy concerns toward information risk (Drinkwater, 2016). Therefore, it is important that companies are aware and capable of handling the risks because they could pose long-term damaging effects on companies as well as cause economic losses (Culnan, 1993).

The risks have led governments to enact privacy regulations and policies (e.g., European Directive EC 95/461995 and United States Federal Trade Commission (FTC)’s Fair Information Practice Principles (FIPPs)) to protect people from potential harmful acts. Companies must comply with these regulations and devise effective privacy management strategies to address privacy issues. This would require knowledge of how people make decisions about revealing and concealing private information.

Petronio (2012)’s communication privacy management (CPM) theory used a boundary metaphor to explain how people make decisions about revealing and concealing information, which is known as ‘privacy boundary formation.’ In impersonal contexts such as those between customers and companies, the form by which companies use customer data (i.e., organizational information practices) is salient to the formation of an individual's privacy boundary (Dinev, Xu, Smith, & Hart, 2013; Metzger, 2007). In the process of forming privacy boundary, consumers also reference their governments' privacy regulations (Xu, Dinev, Smith, & Hart, 2011).

Weighing the interplay among consumers' privacy boundary formation, organizations' information practices, and government's regulations as well as the current findings in the literature, we realize that there are gaps that have to be addressed so that a better understanding of consumers' privacy boundary formation can be achieved. First, previous research has not fully examined the effect of government's privacy policy. In fact, these studies are either considering only some of the dimensions (e.g., Libaque-Saenz, Chang, Kim, Park, & Rho, 2016; Libaque-Saenz, Chang, Wong, & Lee, 2015; Libaque-Saenz, Wong, Chang, Ha, & Park, 2016) or have not even delved into its specific dimensions at all (e.g., Xu et al., 2011; Xu, Teo, Tan, & Agarwal, 2012). Since each principle of the privacy regulations may have different effect, organizations need to determine which is exerting stronger impact on individuals' decisions in order to draw adequate strategies (Schwaig, Kane, & Storey, 2006),

Second, while prior research has focused on various dependent variables such as privacy concerns, intrinsic motivation, trust, information sensitivity, intention to disclose personal information and compliance intention (e.g., Bansal, Zahedi, & Gefen, 2010; Dinev & Hart, 2006a; Joinson, Reips, Buchanan, & Schofield, 2010; Lee, Lim, Kim, Zo, & Ciganek, 2015; Lowry, Cao, & Everard, 2011; Tsai, Egelman, Cranor, & Acquisti, 2011), it has not placed the complete organizational information practices within the recursive and wholeness view of privacy boundary formation model to explore their effect in the online context. Recognizing this gap, researchers (e.g., Bansal & Gefen, 2015; Dinev et al., 2013; Kehr, Kowatsch, Wentzel, & Fleisch, 2015) have called for scholars to further explore online privacy boundary formation and rationality.

Our research aims to fill these two research gaps by proposing and empirically testing a Privacy Boundary Management Model (PBMM) that is grounded on Petronio (2012)’s Communication Privacy Management Theory, Higgins (1997)’s Regulatory Focus Theory and Xu et al. (2011)’s application of CPM in the context of information privacy to provide a complete view of customers' privacy boundary management process. We collected the data from bank customers in Malaysia who are using online banking services because the banking sector contains a wealth of sensitive private information that many consumers would be reluctant to disclose to third parties. Therefore, we expect these consumers to act more conservatively as regards the sharing and disclosure of their banking data.

The rest of the paper is structured as follows. Section 2 reviews the theoretical background and section 3 discusses the research model and the hypotheses. Section 4 describes the research method while section 5 discusses the results. Section 6 provides the discussion, implications, research limitations, future research, and concluding remarks.

Section snippets

Online banking

Online banking refers to the use of banking services through the Internet (Yiu, Grant, & Edgar, 2007). Although it started as a channel to present information, this technology has evolved and nowadays allows customers to perform various transactions such as paying bills, transferring money, and checking account balances through the bank's website. The use of this technology has expanded worldwide due to its cost savings and convenience (Pikkarainen, Pikkarainen, Karjaluoto, & Pahnila, 2004). As

Boundary rule formation: risk-control assessment

The calculus perspective of privacy, which incorporates the interplay between risk and control (Dinev & Hart, 2006a; Dinev et al., 2013), is the most useful framework for analyzing contemporary consumer privacy concerns (Culnan & Bies, 2003). Xu et al. (2011, p. 804) defined privacy control as “a perceptual construct reflecting an individual's beliefs in his or her ability to manage the release and dissemination of personal information.” The risk-control literature posits a positive

Scale development

We adapted validated measurement items from the literature. Items for measuring perceived privacy were adopted from Dinev et al. (2013). Perceived privacy risk was measured using four Likert-scale questions adapted from Dinev and Hart (2006a) and Malhotra et al. (2004). Perceived privacy control, privacy concerns and perceived effectiveness of privacy policy were measured using items taken from Xu et al. (2011). Trust were adapted from Paul A. Pavlou (2003) and Wu et al. (2012). Items that

Results

We used Partial Least Squares (PLS) to analyze the data. PLS is a powerful second generation modeling technique that is suitable for theory testing in exploratory studies. It simultaneously assesses measurement and structural models in an optimal fashion and analyzes complex causal models involving multiple constructs with multiple observed items (Chin, 1998). PLS also places minimal restrictions on measurement scales, sample size, and residual distributions (Chin, 1998). To decide the minimum

Discussion of the findings

The results showed that the proposed model accounted for high percentage of the variance in perceived privacy. For organizations, the results imply that the factors identified in our privacy boundary management model for the formation of perceived privacy can be manipulated to yield the desired effects. All hypotheses are supported, except that on the relationship between choice and perceived effectiveness of privacy policy and privacy risk to perceived privacy.

Choice implies that customers

Acknowledgement

This work is supported by funding from the Malaysia Ministry of Higher Education, Fundamental Research Grant Scheme (FRGS), Project number: FRGS/1/2014/SS05/SYUC/02/1.

Younghoon Chang is an Associate Professor in the School of Management and Economics at Beijing Institute of Technology, Beijing, China. He received his PhD degree in Business & Technology Management from Korea Advanced Institute of Science and Technology (KAIST), South Korea. His research interests include Information privacy, ICT4D, e-business, business analytics and HCI. His articles have appeared in the Government Information Quarterly, Journal of Global Information Management, Behavior and

References (108)

  • G.R. Milne et al.

    Strategies for reducing online privacy risks: Why consumers read (or don't read) online privacy notices

    Journal of Interactive Marketing

    (2004)
  • K.S. Schwaig et al.

    Compliance to the fair information practices: How are the fortune 500 handling online privacy disclosures?

    Information Management

    (2006)
  • S. Taddei et al.

    Privacy, trust and control: Which relationships with online self-disclosure?

    Computers in Human Behavior

    (2013)
  • T.S. Teo et al.

    Intrinsic and extrinsic motivation in internet usage

    Omega

    (1999)
  • M.S. Ackerman et al.

    Privacy issues and human-computer interaction

    Computer

    (2005)
  • M. Baas et al.

    A meta-analysis of 25 years of mood-creativity research: Hedonic tone, activation, or regulatory focus?

    Psychological Bulletin

    (2008)
  • A. Bandura

    Social cognitive theory: An agentic perspective

    Annual Review of Psychology

    (2001)
  • G. Bansal et al.

    The role of privacy assurance mechanisms in building trust and the moderating role of privacy concern

    European Journal of Information Systems

    (2015)
  • G. Bansal et al.

    The moderating influence of privacy concern on the efficacy of privacy assurance mechanisms for building trust: A multiple-context investigation

  • L. Baruh et al.

    Online privacy concerns and privacy management: A meta-analytical review

    Journal of Communication

    (2017)
  • F. Bélanger et al.

    Privacy in the digital age: A review of information privacy research in information systems

    MIS Quarterly

    (2011)
  • C.J. Bennett

    Regulating privacy: data protection and public policy in Europe and the United States

    (1992)
  • E. Boritz et al.

    A gap in perceived importance of privacy policies between individuals and companies

  • L. Brandimarte et al.

    Misplaced confidences privacy and the control paradox

    Social Psychological and Personality Science

    (2013)
  • D.T. Campbell et al.

    Convergent and discriminant validation by the multitrait-multimethod matrix

    Psychological Bulletin

    (1959)
  • R.K. Chellappa et al.

    Perceived information security, financial liability and consumer trust in electronic commerce transactions

    Logistics Information Management

    (2002)
  • H. Chen et al.

    Business intelligence and analytics: From big data to big impact

    MIS Quarterly

    (2012)
  • W.W. Chin

    The partial least squares approach to structural equation modeling

  • E.L.Y. Cieh

    Personal data protection and privacy law in Malaysia

  • Council of Europe

    Convention for the protection of individuals with regard to automatic processing of personal data

  • M.J. Culnan

    " how did they get my name?": An exploratory investigation of consumer attitudes toward secondary information use

    MIS Quarterly

    (1993)
  • M.J. Culnan et al.

    Information privacy concerns, procedural fairness, and impersonal trust: An empirical investigation

    Organization Science

    (1999)
  • M.J. Culnan et al.

    Consumer privacy: Balancing economic and justice considerations

    Journal of Social Issues

    (2003)
  • M.J. Culnan et al.

    The second exchange: Managing customer information in marketing relationships

    (1998)
  • M.J. Culnan et al.

    How ethics can enhance organizational privacy: Lessons from the choicepoint and TJX data breaches

    MIS Quarterly

    (2009)
  • T. Dienlin et al.

    An extended privacy Calculus model for SNSs: Analyzing self-disclosure and self-withdrawal in a representative US sample

    Journal of Computer-Mediated Communication

    (2016)
  • T. Dinev et al.

    An extended privacy calculus model for e-commerce transactions

    Information Systems Research

    (2006)
  • T. Dinev et al.

    Internet privacy concerns and social awareness as determinants of intention to transact

    International Journal of Electronic Commerce

    (2006)
  • T. Dinev et al.

    Information privacy and correlates: An empirical attempt to bridge and distinguish privacy-related concepts

    European Journal of Information Systems

    (2013)
  • G.R. Dowling et al.

    A model of perceived risk and intended risk-handling activity

    Journal of Consumer Research

    (1994)
  • D. Drinkwater

    Does a data breach really affect your firm's reputation

  • J.B. Earp et al.

    Innovative web use to learn about consumer behavior and online privacy

    Communications of the ACM

    (2003)
  • S. Faja et al.

    Influence of the web vendor's interventions on privacy-related behaviors in e-commerce

    Communications of the Association for Information Systems

    (2006)
  • R.F. Falk et al.

    A primer for soft modeling

    (1992)
  • C. Flavián et al.

    Consumer trust, perceived security and privacy policy: Three basic elements of loyalty to a web site

    Industrial Management & Data Systems

    (2006)
  • C. Fornell et al.

    Evaluating structural equation models with unobservable variables and measurement error

    Journal of Marketing Research

    (1981)
  • J.P.G. Gashami et al.

    Privacy concerns and benefits in SaaS adoption by individual users: A trade-off approach

    Information Development

    (2016)
  • D. Gefen et al.

    Structural equation modeling and regression: Guidelines for research practice

    Communications of the Association for Information Systems

    (2000)
  • R. Gellman

    Fair information practices: A basic history

  • J.F. Hair et al.

    An assessment of the use of partial least squares structural equation modeling in marketing research

    Journal of the Academy of Marketing Science

    (2012)
  • Cited by (0)

    Younghoon Chang is an Associate Professor in the School of Management and Economics at Beijing Institute of Technology, Beijing, China. He received his PhD degree in Business & Technology Management from Korea Advanced Institute of Science and Technology (KAIST), South Korea. His research interests include Information privacy, ICT4D, e-business, business analytics and HCI. His articles have appeared in the Government Information Quarterly, Journal of Global Information Management, Behavior and Information Technology, Industrial Management & Data Systems as well as in the proceedings of international conferences. He is currently serving as an editorial review board member of Journal of Computer Information Systems.

    Siew Fan Wong is an Adjunct Associate Professor in the Department of Computing and Information Systems at Sunway University, Malaysia. She received her PhD degree in MIS from the University of Houston, Texas. Her research interests involve organizational IT strategy, digital inclusion, information privacy and business analytics. Her publications have appeared in journals such as the Government Information Quarterly, Journal of Global Information Management, International Journal of Information Management, Industrial Management & Data Systems, Information Development, and Telematics and Informatics as well as in the proceedings of international conferences. She is currently serving as an associate editor of International Journal of Business Intelligence Research.

    Christian Fernando Libaque-Saenz is a Professor and Researcher at Universidad del Pacífico, Lima, Peru. He received his BS degree in Telecommunications Engineering from the Universidad Nacional de Ingeniería (Lima-Peru), and his MA and PhD degrees in Information and Telecommunication Technology from the Korea Advanced Institute of Science and Technology (KAIST). Before starting his studies at KAIST, Christian worked for the Peruvian Ministry of Transport and Communications. Christian's research interests include digital divide, privacy, ICT strategy, human-computer interaction, and spectrum management. His publications have appeared in journals such as the Government Information Quarterly, Telecommunications Policy, Behavior and Information Technology, Telematics and Informatics, as well as in international conferences.

    Hwansoo Lee is an Assistant Professor in the Department of Convergence Security at Dankook University, South Korea. He received his PhD degree in Business & Technology Management from Korea Advanced Institute of Science and Technology (KAIST), South Korea. His research focuses on information security & privacy, electronic commerce, and enterprise information systems. His papers have appealed in journals such as Information & Management, Behaviour & Information Technology, Journal of Artificial Societies and Social Simulation, Journal of Global Information Management, Telematics & Informatics. He also received the Best Paper awards at various international and domestic conferences. Further, he has well-qualified experiences related to information systems as a developer and a system analyst. He is currently serving as an editorial review board member of Industrial Management and Data Systems.

    View full text