The effect of Fair information practices and data collection methods on privacy-related behaviors: A study of Mobile apps

Highlights

• We tested the effect of two intervention strategies on privacy-related decisions.

• Intervention strategies were found to have a significant effect on PDC and PIR.

• Our findings have novel implications to the mobile app industry.

Abstract

To capitalize on valuable consumer and transactional data on mobile apps, companies should employ ethical decisions and strategies that can reduce privacy concerns, because such concerns present critical challenges for corporate social responsibility. In this study, we tested the effect of intervention strategies, Fair Information Practices, and the data collection method on privacy-related decisions. The results show that both intervention strategies have a significant effect on perceived data control and perceived risks and in turn on behavioral intention. Our findings have novel theoretical and managerial implications to those who want to promote ethical business practices in the mobile apps industry.

Introduction

The increasing affordability and features of mobile devices and mobile apps have enabled companies to collect huge amounts of user data [[1], [2], [3]]. In particular, cookies and GPS, along with consumers’ transactional data, allow companies to track user preference, and provide accurate location-based prediction and recommendations [4]. When processed effectively and innovatively, consumer data supply actionable real-time information to improve operations, facilitate innovation, optimize resource allocation, reduce costs, and enhance decision-making [4,5]. The recent big data analytics capabilities and tools further accentuate potential benefits companies could gain from having access to a large amount of consumer data [4].

While companies could capitalize on consumer data to improve market advantage, privacy concerns stand as the biggest roadblock to monetizing these data [3,6]. The concerns also present critical challenges for ethical business practices [3,6]. Specifically, consumers are concerned about how their personal data will be processed, stored, shared, and used [7]. They are also worried about the vulnerabilities of mobile technologies that lead to potential data leakages, hacking, and data thefts [7]. All these concerns may stop consumers from using mobile apps. As the success of mobile apps depends on the usage rate [8,9], a low adoption rate is a loss to companies considering that the size of the mobile apps market is one of the biggest within the IT sector. Its total market revenue for 2016 was 76.5 billion dollars, and the figure is expected to grow to 101 billion dollars in 2020 [10]. Therefore, companies ought to strategize on how to reduce consumers’ privacy concerns, so as to increase the consumption rate and present a better corporate image [11]. In this paper, we tested the effect of two company intervention strategies, Fair Information Practices (FIPs) and the data collection method, on privacy-related decisions linked to the use of mobile apps. These intervention strategies are framed using the control-risk literature, which gives our research model a strong theoretical foundation [12,13].

We contended that using FIPs to instill consumer confidence toward a company’s data management practices is a good strategy. The privacy literature posits that FIPs have a regulatory endorsement effect, which conveys the perception of “fairness” [14,15]. Companies could utilize the power of FIPs to shape positive perception toward their data management practices. Existing FIP studies have examined various aspects including origin [16], challenges in the implementation process [12,17,18], companies’ compliance [12,[16], [17], [18], [19], [20], [21]], perceptions [6,22,23], and enforcement [[24], [25], [26], [27]]. From a further inspection of Appendix A, which covers studies on FIPs or closely related variables, most of them focused on fixed platforms or general scenarios, while only five focused on mobile technologies. Following are the few studies on fixed platforms or general scenarios that used experimental research. Culnan and Armstrong [14] conducted a preexperimental study with secondary data. However, data were captured from secondary sources, there was no control group, and the research items were proxy measures of privacy concerns and other related variables. Therefore, the results should be interpreted with caution. Nemati and Van Dyke [27] conducted a quasi-experimental research using t-test and ANOVA techniques. However, the results showed a nonsignificant effect of FIPs on trust and risk perception (the study did not include behavioral intention). Liu, Marchewka, Lu and Yu [28] conducted an experimental study on the effect of FIPs on trust and behavioral intention. However, they only included two scenarios: FIPs and non-FIPs (they did not study interaction with other factors). To fully understand the power of FIPs, it is necessary to assess their effectiveness in various situations. Other studies that focused on fixed platforms are either descriptive in nature [12,16,[18], [19], [20]] or do not consider all the aspects of FIPs. For example, Awad and Krishnan [29], Bellman et al. [24], Chellappa and Pavlou [30], Li, Sarathy and Xu [31], Milne and Boza [23], Milne and Rohm [32], and Xu et al. [25] focused on some aspects of FIPs but considered neither all the FIPs dimensions nor their interaction with other interventions. In addition, all these studies are nonexperimental research, and thus do not allow testing of causality.

As for the studies that focused on mobile platforms, Karyda, Gritzalis, Park, and Kokolakis [17] conducted a descriptive study on the obstacles of implementing FIPs. In the case of Libaque-Saenz, Chang, Kim, Park and Rho [6] and Libaque-Sáenz, Wong, Chang, Ha, and Park [22], although these studies focused on the mobile sector, the scope was the secondary use of personal information by network operators (i.e., a situation faced by users when their data have been already collected), and not user interaction with mobile devices before their data are collected. Prior literature contends that the data collection stage is more sensitive for users than the postrelease process itself [33]. In addition, none of these studies used an experimental design to assess causality. Finally, although Xu, Gupta, Rosson, and Carroll [7] focused on mobile apps and used an experimental design, they neither included all the FIPs principles (only choice) nor focused on behavioral intention (their focus was privacy concerns). They did not include another internal factor; rather, they focused on external factors, namely, government intervention and industry regulation. Thus, there is still a gap in the literature to fully understand the effectiveness of FIPs in various contexts.

In short, existing studies have not investigated the effect of all FIPs dimensions on consumers’ privacy-related decisions within the mobile apps context. Mobile apps or mobile platforms in general differ from fixed platforms, because the former are characterized by portability, mobility, and permanent availability features [34]. Hence, these platforms can be used anywhere and at any time. In contrast, fixed platforms are usually used in predetermined environments, such as in an office or at home [35]. In addition, mobile apps run on mobile devices (e.g., mobile phones), which are regarded as personal and individual items because users always carry them and rarely share them with others [36]. However, fixed platforms can be used by many people, such as family members and office workers [37]. Furthermore, the location-awareness features of mobile Internet can be used to determine users’ physical locations [38], unlike fixed Internet, which does not expose where consumers are located. To better support these differences, we developed an additional survey to determine user perceptions about which device (fixed or mobile) is storing more of their personal information. First, an extensive list of items (pieces of data) was developed based on the General Data Protection Regulation (GDPR) and prior research [[39], [40], [41]]. These items were reviewed by three researchers to assess the clarity and appropriateness of the questions. Finally, we gathered 150 responses through Mechanical Turk, which is the same platform we used to collect data to assess our research model, as it is discussed in the Methodology section. Appendix B shows the source of each of the questions of this survey, while Fig. 1 shows clearly that user perception of the amount of personal information stored by mobile devices is far larger than the amount of data collected by fixed platforms. In fact, according to Ghose [40], smartphones are storing information about who we are, where we are from, where we go, where we have been, our location, what we need, what we have bought, and what our interests are. In addition, the IT Security Survey 2019 revealed that though most of the fixed computers have an installed antivirus, there are about 37.8 % of mobile phones without any antivirus solution [42]. These features of mobile platforms (an active collection of personal information and lack of antivirus programs) may raise greater user perception of risks compared to fixed platforms, and thus additional analysis is required. We argue that the effect of FIPs still remains an accepted “black box” because it “assumes the status of a taken-for-granted truth where its label replaces its contents” [16].

As well as FIPs, we argue that companies could also intervene by adjusting their data collection methods. Data collection activities have raised concerns about data control and the associated potential risks [23,43,44]. Aggressive data collection may give the impression of privacy invasion and affect consumers’ decision to use an app. For example, quitters of Facebook are motivated by privacy concerns when they commit “virtual identity suicide” [45]. They are worried about Facebook making their location available, which may reveal patterns of their day-to-day activities and place them at risk [46]. At the same time, they feel they are losing control over personal data because their friends may post information about them without restrictions [47]. Prior research on data collection methods has focused on theoretical discussions [48], their effect on the use of u-commerce [49], and perceptions of personalization [50,51]. However, the interaction of these methods with FIPs remains unexplored. Our study will provide empirical evidence to explain the role of data collection methods in creating consumers’ willingness to participate in privacy-related behaviors when using mobile apps and their interaction with FIPs.

In summary, our study fills previously discussed research gaps by adding a theoretical explanation on the effect of FIPs on user privacy-related decisions. Specifically, we use an experimental design to support causality and include all dimensions of FIPs, and the interaction of FIPs with other important internal factors, such as data collection methods, to understand the power of this intervention on user privacy-related decisions. In addition, we focus on the mobile context that has not yet been fully studied.

The rest of the paper is organized as follows. The next section provides the literature review and develops the hypotheses. The subsequent two sections detail the research methodology and show the results of the study. We then present the discussion and implications as well as the limitations and future research. Finally, we provide a conclusion for the paper.