Online privacy and consumer protection: an analysis of portal privacy statements.

Author: Papacharissi, Zizi

In an 1890 Harvard Law Review article, Louis Brandeis and Samuel Warren had the foresight to argue that individual citizens should be free from having intimate information published by an increasingly powerful press. Basic human dignity, they claimed, gives individuals a "right to be let alone"--a right to privacy (Warren & Brandeis, 1890, p. 220). A century later, that powerful press has taken on new proportions with the growth of new media technologies, and privacy concerns are a pervasive part of public discourse regarding information technology. Accompanying the rise of the information society, the notion of privacy has expanded to encompass rights to control information about ourselves. Individuals have the right to inspect their own tax, medical, and other governmental records and to assume that sensitive personal information is not released by financial institutions, governments, doctors, or other businesses to third parties. But these rights to privacy conflict with the freedom of information that democratic societies need to function properly and that businesses use to economize their operations. The guarantee of free information allows technologies such as thermal imaging, satellite imagery, global positioning, face recognition software, and biometrics to flourish; however, these technologies are accompanied by public worry about loss of privacy and loss of the ability to control information about ourselves. Accordingly, privacy has many facets: individual privacy regarding the integrity of the body; privacy regarding individual behavior; privacy regarding personal communication; and privacy regarding individual data. All of these areas of privacy are increasingly threatened in the information age (Clarke, 1999).

In this study, we focus on online privacy and investigate how consumer information is protected or exposed by online portal sites. Specifically, we examine privacy statements featured in online portals to determine their efficacy for consumers. Through the increasing sophistication of data mining tools, consumer database creation and management has become a growing, profitable enterprise. Personal data is now a tradable commodity in capitalist societies (Hamelink, 2000), and thus, the free market economy and privacy are inherently at odds with one another. Because digitally stored data can have an indefinite life span, public concern over the ability to control our own information is evident in consumer reluctance to provide personal data to online businesses (Elgesem, 1996; Fox & Lewis, 2001). The information storage and retrieval capabilities of new media technologies can facilitate the collection and exchange of customer information, often without the knowledge or permission of the consumer. Companies frequently assemble databases of extensive consumer information that they use to market to specific target populations. As a result, individuals have become wary of disclosing personal information online (Fox, 2000; Fox & Lewis, 2001). Clarke (1999) argued that those concerns over online privacy reflect larger social concerns over "trust in the information society" (p. 60).

Whether or not consumer anxiety about information gathering is warranted, the online industry has responded to public concern and consumer advocacy efforts with voluntarily posted privacy statements to alleviate those concerns. Although frequently governed by suggested industry guidelines, as specified by TRUSTe or similar industry coalitions, these privacy statements seldom provide explicit reassurance that consumer information will be kept confidential and will not be exploited. Instead, they frequently outline how companies intend to use private customer information so that, in the event of consumer complaints, the companies are absolved of responsibility. Companies such as Microsoft Passport Services are known for exploiting consumer information and were finally pressured into revising their privacy policies and statements following a series of articles originating from Both Yahoo's and Microsoft's Hotmail e-mail services reportedly divulged customer information in opposition to their stated privacy policies not to share personally identifiable information (Gillis, 2002). Moreover, these privacy statements are usually placed inconveniently at the bottom of the page and are often tedious, complex, and replete with legal language the average Web user finds difficult to comprehend. Kandra (2001) found that many of the security statements of e-tailers sound reassuring but offer very little protection to the individual consumer. In addition, Web users often find privacy policies difficult to trust (Reagle & Cranor, 1999).

The Pew Internet & American Life Project (Fox, 2000; Fox & Lewis, 2001) reveals that consumer trust is a vital issue for Web users, arguing that, although they are gravely concerned about online privacy violations, Americans still engage in intimate and revealing acts online. Twenty-seven percent of online users are staunch believers in online privacy to the extent that they never willfully provide personal information to Web sites. Fifty-four percent of Internet users find online tracking of personal information to be harmful, and only 27% find tracking to be helpful because it provides personally tailored, user-specific information. Tellingly, 86% of online users favor "opt-in" policies that require Web sites to ask for permission before collecting or using personal data. But many users are not proficient enough with computers to employ the methods available to them to protect their privacy. For example, only 10% of Internet users have set their browsers to reject cookies; 5% use anonymizing software to mask their computer identity; and 24% have provided false personal data (like a fake name) to avoid revealing true information. Similarly, 94% of Internet users want disciplinary action taken against privacy violators (Fox, 2000).

Building on this evidence, we examine privacy statements posted by online companies to determine whether they effectively protect personally identifiable and nonidentifiable data. Even though privacy statements do not have the primary purpose of protecting consumers, they are used by online entities to secure the TRUSTe seal of privacy approval, which effectively communicates a privacy pledge to consumers. Companies frequently explicitly state their commitment to protecting private information in these privacy statements, which sets these statements up as privacy pledges. There is also the danger of assuming that privacy protection becomes a problem solved simply by companies offering explicit reassurances of personal information use. Moreover, the survey cited documents consumer uncertainty about privacy protection. In response to this trend, we examine privacy statements to determine whether they provide visitors with adequate information to decide for themselves if disclosing information to that site is a fair and safe exchange. In doing so, we look first at the prevailing regulatory framework regarding online privacy protection, consider the nature and structure of privacy statements, and finally consult relevant research on the overall efficacy of privacy statements.

Online Privacy Statements and Regulation

Privacy statements are a fairly new feature for online companies, although some businesses have always made responsible use of consumer information. They usually detail how the company intends to use the personal information collected from customers. Although numerous consumer privacy bills (including the Online Personal Privacy Act, the Consumer Privacy Protection Act, and the Consumer Internet Privacy Enhancement Act) have been brought before Congress, the United States is the only major trading nation that has not adopted blanket privacy protection legislation, instead opting for piecemeal legislation and private sector data protection measures. These measures are flawed, according to Fausett (2001), who claimed that privacy policies tend to provide such large loopholes to companies that consumers' rights to privacy are merely titular. One of the reasons for the trajectory of privacy policy in the United States, said Fausett, has to do with the unfettered nature of e-commerce and the Internet in general. Just as TV executives adopted the voluntary ratings systems to circumvent federal involvement in regulating program content, Web sites, too, have adopted their own privacy policies to ensure a lack of government involvement in regulating consumer privacy (with the exception of the Children's Online Privacy Protection Act [COPPA]). Self-regulation informs consumers of how information on them is collected and used, ostensibly allowing the consumer to decide whether to do business with an online entity. Supposedly the consumer is empowered to make business/commerce decisions. Fausett pointed out that this scenario is rarely played out. Having been drafted by attorneys, online privacy statements often contain catchall stipulations that allow the online entity a high degree of flexibility regarding its uses of consumer information (Fausett, 2001).

In contrast, European Union (EU) member countries must follow strict and specific regulations that protect consumer privacy in accordance with the Directive on Data Protection of 1998. This privacy directive guarantees individual control over consumer data and insists that foreign trading partners adhere to the same level of equal protection (Lee, 2000). Thus, it prohibits the transmission of personal information from EU member countries to outside countries, including the United States, without adequate privacy protection. Other governments, such as Hong Kong, are writing privacy laws similar to the Directive on Data Protection, but the EU has nonetheless forged contractual agreements with U.S. companies to conduct business despite these differences in privacy policies (Lee, 2000). Such formulas do not tend to protect...
