Reasons for privacy as CSR
The texts were examined for indications of why the companies include privacy in their CSR programs. Only 13 companies voiced their motivation for engaging in privacy protection, presenting different reasons why they engage in CSR. The communicated motives have been grouped according to Aguilera et al.'s (2007) classification of moral, relational, and instrumental CSR motives. Table 1 shows this categorization together with the text passages where these motives were expressed. The moral motives found include the understanding that Internet users have privacy rights, which the company wants to observe, and the acknowledgement that the company has the responsibility to protect the data they gather from Internet users. Relational motives include the recognition that customers have a desire for privacy, which the company seeks to meet, and the expectation that privacy protection will help the company win customers' trust. Ultimately, one company expects to benefit from its privacy program in that it expects to gain a reputational advantage from privacy protection.
Table 1. Communicated motives for corporate privacy programs
|Moral||Three companies acknowledge that people have a right to privacy||‘To us, the right to privacy includes the right of individuals to have a voice in the use and dissemination of their personal information.’|
|‘A person has the right to control what information about him or her is collected and to determine how that information is used.’|
|‘Confidentiality and security of consumer data … are areas safeguarded by PT in order to respect the freedom and basic rights of each individual’|
|Four companies hold that they have a responsibility to protect the data they gather from Internet users||‘We feel a strong responsibility to help ensure a safer, more enjoyable Internet, while addressing the challenges to privacy and security posed by today's new media.’|
|‘Companies have a responsibility to ensure that the information they hold about their customers and employees is protected, stored, transferred, and used in a responsible manner.’|
|‘Microsoft takes seriously its responsibility to help address the security and privacy challenges of the information-based society, from viruses and spyware to spam and online identity theft.’|
|‘Respect for privacy is part of our commitment to observe high standards of integrity and ethical conduct in all our operations’|
|Relational||Two companies recognize that customers have a desire for privacy that needs to be met||‘Protecting our customers' privacy is a priority. We understand and respect your desire to protect your personal information.’|
|‘The protection of personal information is a very high expectation among our customers, and to meet it, we ….’|
|Four companies view privacy protection as a means to winning customer trust||‘Externally, Sabre is committed to building customer relationships based on trust, and that includes recognizing the importance of protecting personal information.’|
|‘Consumer trust and confidence is critical to Cisco's business and to any technology and Internet-related business; as a result, the industry must protect citizens' privacy.’|
|‘[We] have to acquire a ‘license to operate’ by conducting our business in a decent and responsible way.’|
|‘Security and reliability form the basis of Telekom Austria Group's stable and successful customer relationships. The Group therefore gives top priority to protecting the integrity and confidentiality of sensitive data.’|
|Instrumental||One company states that it expects to gain a reputational advantage from its privacy program||‘Main opportunities: Enhance customer and employee trust, … support brand/reputation.’|
The content analysis revealed 41 different measures companies had taken to support user privacy (see Table 2). They have been grouped into four categories, which are discussed below. One company has implemented 19 of these measures, and nine companies have implemented eight, nine, or 10 different measures. At the other end of the spectrum, there are two companies that have not implemented a single measure, but still talk about privacy in the context of CSR. Further, eight companies have implemented one or two measures, and nine companies have implemented between three and seven measures. Most commonly, a measure was taken by only one company (19 measures) or two companies (six measures). The measure taken most frequently was taken by 15 companies. Thus, there is a broad variety in how companies address privacy. It is also worth noting that it is not necessarily the biggest companies in the industry that have taken lead roles in protecting user privacy. When ranking all companies according to their ranks on the Forbes 2000 and the Fortune Global 500 lists, one can see that the company with the highest number of privacy measures ranks among the top three on both the Forbes and the Fortune list. The other two companies among the top three in the Fortune and Forbes rankings have implemented only one and three measures, respectively. The three companies that have implemented the second highest number of privacy measures occupy ranks #77, #87, and #173 on the Fortune Global 500 list and ranks #49, #518, and #782 on the Forbes 2000 list, which indicates that it is not necessarily the biggest companies in the IT industries that embrace information privacy. An investigation of the relationship between the number of measures taken and length of the privacy text on the corporate website revealed a correlation of 0.77. This suggests that text length is an indicator of how important the issue is to a company. At the same time, it also shows that the companies generally do not talk at length about privacy without having taken relevant measures.
Another group of measures pertain to the participation in industry initiatives and collaborations. Ten companies mention a variety of privacy forums, centers, associations, think tanks, and institutes in which they are involved, including for example, the Electronic Privacy Group, the European Privacy Officers Forum, or the Liberty Alliance. Some of them also state that they cooperate with other companies and governments. However, the nature of this cooperation remains unclear, and in some places, the cooperating institutions are not even mentioned. Ultimately, a few US companies express their views on privacy legislation. As part of the measures they have taken, three companies take an active stance for either privacy legislation or self-regulation. Both of these viewpoints are visions at this point, as there is neither privacy legislation nor a functioning model of self-regulation in the United States. The two viewpoints are as follows:
‘We also believe that governments must find improved ways to enforce laws against data breach, misuse and fraud, and help consumers pursue those who mishandle their personal information. … HP was one of the first companies to embrace the idea of a comprehensive U.S. privacy law.’
‘Because disparate and multiple privacy rules place a heavy burden on global companies, we support a model of industry self-regulation (as opposed to government intervention) in which innovative tools give consumers greater choice in both protecting their personal data and understanding how it may be collected and used.’
Even companies that do not take a stance on the legislation vs. self-regulation debate emphasize compliance with legislation. Eleven companies state that they comply with all relevant privacy laws. As compliance with laws is a legal rather than an ethical responsibility according to Carroll's (1979) classification of corporate responsibilities, only going beyond the law can qualify as a CSR initiative. Dressing up a legal responsibility as an ethical responsibility casts doubt over the sincerity of these efforts. In fact, one of these 11 companies has implemented no other privacy measure apart from legal compliance. There is only one company that vows to exceed legal requirements: ‘HP is pioneering an approach to the protection and responsible use of personal information. This effort goes beyond compliance with the law.’ Only a minority of companies have adopted the privacy standards of outside organizations, such as GRI or privacy seal programs.
The measures identified above relate to a number of internal and external stakeholder groups, including employees, consumers, parents, industry, suppliers, governments, advocacy groups, and the community at large. However, the analysis of the measures does not reveal anything about the relationships with stakeholders, and in some cases, the stakeholder group to which a particular measure was addressed was not even mentioned. This section therefore focuses specifically on the stakeholder groups to which the companies express some form of consideration. This could be in the form of protection measures, information provision, cooperation, or merely by expressing an awareness of their stakes in privacy. In addition to an account of these overt commitments to stakeholders, a discourse analysis is used to uncover discursively constructed relationships with stakeholders.
Table 3 lists the various stakeholder groups identified, together with their stake in privacy, the number of companies that made a commitment toward each stakeholder group, and an example of such a commitment. This table is different from the results presented in Table 2 in that it was not concrete actions that guided this analysis, but the awareness of stakeholder concerns. We find that companies recognize primarily the stakes of their customers and employees, who exercise a direct and economic influence on the company and can therefore be labeled ‘primary stakeholders’ according to Ansoff (1965). However, there are also companies that talk about privacy in a CSR context, but do not voice a commitment to these two primary stakeholder groups. Of the 30 companies, five do not state that they do anything to improve the privacy situation of their customers and 16 do not make such a commitment toward their employees. Suppliers, who are also primary stakeholders, are addressed to a smaller extent. We can also see that the companies in the sample largely neglect their secondary stakeholders, i.e. those groups who do not directly influence a company's core business (Ansoff 1965). Only a maximum of six companies interact with each secondary stakeholder group, such as parents or governments.
Table 3. Addressing stakeholder concerns
| Customers/Users||Protection of their data||25||‘In order to help our customers address these issues, we have begun to develop guidance documents to help customers understand which parts of our technology may have privacy applications.’|
| Employees||Training||14||‘We work hard to ensure that Sun employees have the information they need to apply our privacy protection standards in their work.’|
| Suppliers/Vendors||Guidelines||6||‘When it is necessary for business reasons to share a person's information with third parties such as network service providers and marketing campaign partners, we work together to ensure that we maintain the highest privacy standards.’|
| Government||Compliance with laws; expertise in data handling||6||‘We met with government officials and regulators in all regions to understand their concerns and initiatives and to help them fully appreciate the potential implications for privacy of new technologies.’|
| Industry||Cooperation||6||‘We are working with other industry participants … to develop solutions that help us reach both of these objectives.’|
| Advocacy groups||Cooperation||3||‘In 2007, we formed our Stakeholder Advisory Council (SAC) comprising respected experts from a variety of nongovernmental organizations.’|
| Parents||Protection of their children's data||5||‘Symantec is committed to helping parents keep their kids cybersafe. We believe that in the same way that we educate our children about the risks of drugs, smoking, or violence, it is critical that we educate them about the importance of safe computing.’|
| Schools/communities||Expertise||1||‘We tap this internal resource to offer programs that benefit our local schools and communities. We are also in the process of implementing an employee-led education program.’|
On the surface, all companies studied engage in a discourse characterized by care and concern for privacy. In particular, emotion-laden words like help, understand, respect, concern, and safe abound across all texts studied. For example:
‘Protecting our customers' privacy is a priority. We understand and respect your desire to protect your personal information.’
‘And as the 24 × 7 demands of the Internet Age threaten to overwhelm customers with complexity, they need trusted and reliable companies to help them make sense of technology and put it to use to make their lives better.’
The tone becomes even more concerned when companies address their relationship with parents and children:
‘We understand the responsibility and concern of parents who worry about their children's exposure to inappropriate content and potentially dangerous interactions on the Web.’
‘Protecting our children … We believe that in the same way that we educate our children about the risks of drugs, smoking, or violence, it is critical that we educate them about the importance of safe computing.’
In the second example, the pronoun ‘we/our’ adds to the concerned tone by promoting a sense of collegiality and shared affection. The same is also achieved in other places, when companies use this inclusive form of ‘we’ to reduce the distance between themselves and their outside stakeholders: ‘Our individual sensitivities about how our information is treated … are not uniform’ or ‘Sun is committed to investigating and addressing the privacy challenges … associated with our increasingly digital way of life.’ In such statements, companies reduce the power distance between themselves and their stakeholders. The inclusive ‘we’ is also an indicator of positive politeness (Brown & Levinson 1987), indicating how writers conceptualize their audiences and what kind of distance writers create between themselves and their audience. While some companies use the inclusive ‘we,’ others talk about companies in general, e.g. ‘all businesses are responsible for …,’ which includes themselves only implicitly and distances themselves from these events. Mostly, though, companies make themselves the causal agents: ‘we must address these concerns by helping to protect ….’ Notably, one company draws its audiences into the discourse by always addressing them directly, e.g. ‘We understand and respect your desire to protect ….’ All together, the different voices present in these texts suggest that companies have different levels of self-awareness and different understandings of their role in this process. Less variety exists in the distance to the audience, which is – apart from one exception – not explicitly present in the discourse. This suggests that companies do not consider their CSR activities to be dialogic in nature.
Another kind of discourse is found in 10 of the companies' texts studied. This discourse reveals that some companies are actually interested in finding a balance between users' privacy interests and their own business interests rather than protecting privacy unconditionally. They seek to achieve a balance between customers' privacy interests and ‘business priorities,’‘business requirements,’‘business needs,’ their ‘values,’ or their ‘ability … to reap the benefits of online interactions.’ Business interests are also communicated implicitly: ‘our goal is simple: to balance the interests and concerns of our customers' private information with their interest in receiving quality service and information about useful new products.’ Alternatively, one company mentions only one weight of the balance, without saying what the other weight is: ‘that we are striking the right balance for our customers’ and ‘to reach balanced results.’ The discourse of balance is a manifestation of the companies' power, given that it is they who decide when this balance is reached. Interestingly, this kind of discourse has nothing to do with the motivations they express. Two companies, for example, have voiced moral motives, but also engage in this discourse of balance, as does the one company that has indicated an instrumental motive. It is also worth noting that not a single European company in the sample engages in this discourse of balance.