This study set out to understand how customers choose when and what type of personal information to share with online marketers. Specifically, we were interested in the rules, if any, consumers used in evaluating online requests and deciding among behavioral options. Prior research had suggested a range of influencing factors on compliance and explored certain behavioral responses, such as falsification or the creation of pseudoidentities. The intent here was to explore the interpretation of, and responses to, online requests across a range of conditions to identify the key factors that determined or mediated their responses. Using personal interviews, the consumers' shared experiences drove the identification of factors related to the stimulus or situation (i.e., Web site cues, relationship with the firm, or type of information request) and the interpretation of those by the respondent (i.e., organism) that determined the ultimate response (i.e., provision of truthful or false information or exiting the exchange).
We noted that the rules or guidelines that elicited different behavioral responses required different degrees of effort and forethought on the part of the consumer. This effort was tied to the need to protect their personal information. As shown in Figure 3, complete disclosure can be a high effort investment because it requires the input of a great deal of information and collection of accurate information, such as credit card numbers. Because these were more often trusted sites (i.e., where the respondent had an account) or those that provide customized solutions (i.e., insurance quotes), consumers felt less need to protect their personal information in this exchange. The creation of false identities similarly required greater effort or thought than other strategies. This situation seemed to occur when the consumer felt the company had no need or right to their personal information in the exchange. Rather than simply exiting, the consumer was willing, either because of the value of the exchange or simply as a means for getting even, to invest in the crafting of multiple pieces of false information. In other instances, the consumers met the technical request for information with information that would misdirect any attempts to contact them, such as old telephone numbers or “junk” e-mail accounts. These choices reflected thought or effort on the informants' part to comply with the request but limit the ability to actually contact them.
In terms of rules, some informants seemed to have simpler sets of rules (i.e., exit any site that requests the Social Security number), while others described differing rules depending on the circumstances. Simpler rules might include the use of perceived endorsements. These might include whether the site was identified through a search using a trusted search engine, such as Google, whether it was linked to a perceived legitimate source such as a trade association or government agency, or whether the site had an “https” URL or displayed a lock symbol in the status bar of the browser window. (The latter are meant to indicate that the site uses Secure Sockets Layer, meaning it provides secure communication for payment transactions and such.)
The results clearly showed that these consumers knew there were limits to their environmental and secondary use control over personal information. They exercised many different tactics to gain the benefits of the online marketplace, while limiting the potential known and unknown costs of online exchanges of personal information (i.e., unwanted solicitations, identity theft). In applying their rules, they demonstrated some knowledge of the precise processes by which that information could be used to disadvantage them. Specifically, they were aware that the data they provided in their exchange with a particular firm or Web site might be used for other purposes by that entity, sold to others, or even stolen.
Implications for Consumers and Consumer Policy
From the study, it is clear that consumers struggle to maintain a sense of control over their identities in the online marketplace. In particular, they were concerned with information that might personally identify them. They showed a lack of trust in how their data would be used and by whom and created their own “rules” to decide what and with whom to exchange accurate information.
To maintain control, consumers need to be fully aware of the tools by which online entities, legally or otherwise, can monitor their behavior and capture their data. To make them aware and raise confidence, trade associations, such as The Direct Marketing Association (DMA), promote their own guidelines aimed at securing data, policies for handling personally identifiable marketing data and honoring requests from individuals not to solicit or transfer personal data (DMA 2008a). Still, there are gaps in what personal information is covered under the guidelines, and adherence is voluntary. Penalties such as fines by governing authorities may be needed to raise the costs to business of failing to comply.
The DMA efforts are intended to reduce the likelihood of increased regulation, but even they recognize the public demand for legislative action. Among the demands from privacy advocates is the establishment of a “Do Not Track” registry that would preclude the tracking of Web site activity by online advertisers (The Direct Marketing Association 2008b). The demand for action is heightened by events such as the proposed merger of DoubleClick, the online advertiser, and the search engine Google, which demonstrates the difficulty federal or international regulation has in controlling global entities' consolidation and use of personal data (EurActive Network 2008).
When legislation or regulation cannot be effective, certification may provide consumers with tools to judge those with whom they will do business. One such program is the European Commission's EuroPriSe award, given to organizations that meet the high European Privacy Standards (EuroPriSe 2008). The first award winner, the search engine Ixquick, was acknowledged for minimizing the use of personally identifiable data, with policies such as these: “IP addresses are deleted within 48 hours, after which they are no longer needed to prevent possible abuse of the servers. The remaining (non-personal) data are deleted within 14 days … [and] IP addresses of users are not disclosed to other search engines” (EuroPriSe 2008). In addition to certifying the standards of such firms, actively promoting these best practices will raise the expectations of consumers in the online environment and set standards for others in an industry.
A particular concern raised by many respondents was the use of personally identifiable data by a third party for marketing purposes. For this practice, called affiliate marketing, current U.S. regulation does exist for financial institutions and their use of personal identifiers such as address, telephone number, driver's license, Social Security number, and credit report information to determine eligibility for solicitations. By October 1, 2008, financial institutions and their subsidiaries were expected to comply with additional provisions that affected their ability to target solicitations. These provisions require consumers to be “provided a clear notice of such use and a simple means for opting out of it. … Several exceptions apply, including when the consumer has a preexisting relationship with the entity” (Harris 2008).
Consumers should have greater control over secondary use of their data under these regulations. However, it is unlikely that the public is fully aware of these new rights. Campaigns similar to those used for the federal “Do Not Call” lists could make the public aware of their rights and the means to opt out and that such requests to opt out should be honored for five years.
Consumers should see changes, according to Harris (2008), because institutions will have to make substantial alterations in their marketing approaches to obtain clear permission to contact and solicit them. No longer will oral agreements and prechecked opt-in boxes meet regulators' requirements for such permission. Explicit definitions of a “pre-existing relationship” and a thorough tracking of contracts that support such definitions will need to be established. Consumers may see higher costs, as compliance will raise marketing costs because appeals cannot be as targeted, resulting in lower acceptance rates, and will raise information technology costs to maintain clear, credible records.
Interestingly, none of our respondents mentioned privacy policies. Perhaps this is because they have been so untenable. Still, the FTC and other federal agencies have been engaged in the establishment of model privacy notices, as required by the Gramm-Leach-Bliley Act, to provide a standardized form in plain English for financial institutions to disclose data sharing arrangements (Privacy Rights Clearinghouse 2007). Such statements, particularly with clear opt-in or opt-out processes, would be expected to make it easier for consumers to choose how their personal data are used. Although these policies will apply only to the governed financial institutions, they may serve as models for other industries.
It is noteworthy that there was relatively less concern from the informants about data theft, as compared to misusing data, despite the spate of news stories about such breaches (Milne, Rohm and Bahl 2004). Though the FTC has established an Identity Theft Data Clearinghouse for complaints in support of law enforcement efforts (FTC 2007b), enforcement of compliance with standards, such as PCI compliance for credit card data, could reduce the threat by increasing the difficulty of such thefts. With some firms experiencing undetected thefts for over five years, there is clear need for both compliance oversight and stronger penalties (FTC 2008). This should also be followed up with increased consumer education to make consumers aware that data theft poses a greater threat to consumer privacy than just data misuse.
The ability to protect one's personal information online does appear greatly limited. The only clear option is not to engage in the online marketplace. A by-product of consumers' attempts to protect themselves may create such high business costs from poor quality data that businesses rethink their online data collection processes, choosing to collect only what is necessary and likely to be shared honestly and being transparent in that process. This result is consistent with the FTC's report (FTC 2000), which noted that consumers liked, respected, and/or admired companies that demonstrated one or more of the fair information practices recommended. This included a privacy notice readily promoted and displayed, consumer choice to opt out of secondary affiliate marketing efforts, and cues of security with online exchange. Comparative data collected by the FTC suggested that the most frequently visited Web sites are more proactive in their online fairness practices than the general random Web site sample. This competitive advantage and the escalating costs of bad data may precipitate better business response.
Businesses, online and off, will have to address the issues raised by these respondents because of growing pressure from advocacy, legislative, and regulatory officials. Businesses can be proactive by participating with groups like the Future of Privacy Forum, which brings together representatives from academia, law, and corporate America to “shape standards … and give consumers more control over how personal information is used for behavioral-targeted advertising” (Hart 2008, p. A06). They can also join the ranks of businesses, such as Yahoo! and Intuit, that have established Chief Data Officers in recognition of the challenges associated with making business decisions on good data about consumers that does not disadvantage or bring harm to them.