Atlanta, Equifax Inc.,. Lwin. M, Witz, J. and Williams, J. (2007). âConsumer online privacy concerns and responses: a power-responsibility equilibrium perspective ...
Nottingham University Business School Research Paper Series
Towards a Privacy Framework Frauke Mattison Thompson*, Andrew Smith† and Heidi Winklhofer† *
Nottingham University Business School China Ningbo China †
Nottingham University Business School Nottingham UK
NUBS Research Paper Series No. 2009-18
http://www.nottingham.ac.uk/business Electronic copy available at: http://ssrn.com/abstract=1506917
Towards a Privacy Framework Frauke Mattison Thompson – NUBS China Andrew Smith – NUBS Heidi Winklhofer - NUBS Abstract The increasing capture of more detailed personal data by organisations in the 21st century has given rise to increasing consumer privacy concerns, which undermine profitable buyer-seller relationships. As a result, there has been increasing academic interest in the notion of privacy, due to a growing inability by consumers to control their personal data and rising countermeasures by customers to protect their privacy. However, progress in this area has been hampered by the persistence of numerous and differing definitions of the term. In response to this, this paper proposes a framework of privacy as a subjective function based on 7 elements of privacy identified through the critical review of conceptual and empirical literature. This comprehensive framework allows privacy to be operationalised and help marketers to reduce potential consumer privacy intrusion. Keywords: Privacy, Conceptualisation 1. The Concept of Privacy In today’s digital age, commercial organisations’ capture and use of personal data is increasing. Detailed information and sizeable databases allow marketers to record actual consumer purchase behaviour and use this information to conduct more targeted marketing activities (Graeff and Harmon, 2002; Long et al., 1999). Indeed, there is wide support for the claim that information technology is essential in relationship development and maintenance between organisations and consumers (Ryals and Payne, 2001). Recent technological advances allow organisations to readily maintain records on each individual (Blattberg and Deighton, 1991; McKenna, 1991; Foss et al., 2002), provide interactions that can be personalised (Blattberg and Deighton, 1991; Crié and Micheaux, 2006), and allow the identification of the most important consumers, calculation of their lifetime value etc. (Blattberg and Deighton, 1991). However, a growing number of empirical studies have shown rising consumer concern over matters of privacy due to an increasing inability to control their personal data and the consequential limited control perceived over how their information is managed by organisations (e.g. Cespedes and Smith, 1993; Wang and Petrison, 1993; O’Malley, Patterson and Evans, 1997; Kelly, 2000; Milne, Rohm and Bahl, 2000; Westin, 2005; Milne, Culnan and Greene, 2006). As a result, there has been a widespread academic interest in consumer privacy, particularly with respect to intrusion through various marketing activities (e.g. Smith and Sparks, 2004; Milne, Culnan and Greene, 2006). Understanding consumer privacy fears are important, if these are to be reduced. Within the literature a large number of definitions of privacy have been offered (e.g. Westin, 1976; Fried, 1968; Simmel, 1971; Burgoon, 1982; Simms, 1994; DeCew, 1997; Clarke, 2005), ‘few values so fundamental to society as privacy have been left so undefined in social theory…’ (Westin, 1967, p. 7). Indeed, ‘the widespread discontent over conceptualising privacy persists while the concern over privacy has escalated into an essential issue for freedom and 1 Electronic copy available at: http://ssrn.com/abstract=1506917
democracy’ (Solove, 2002, p. 1140) requiring a comprehensive understanding of privacy without delay. The lack of a common, universally accepted definition is obviously problematic if privacy concerns are to be addressed and managed (e.g. Burgoon, 1982; Parent, 1983; Clarke 2005). There are three reasons why privacy is difficult to define and why there is still a lack of a common, universally applicable definition. Firstly, the concept of privacy is subjective on both a personal and a social level. Everyone has their own intuitive sense about the value and importance of privacy regarding different matters (e.g. financial history, contact information, bodily appearance, sexual activity, etc.) and therefore perceptions of privacy vary from person to person. In addition, individuals’ desires for privacy vary in magnitude (e.g. Nowak and Phelps, 1992; Milne, Rohm and Bahl, 2004; Mattison Thompson, 2007), prohibiting a universal definition that can capture the wide variation. Furthermore, the concept of privacy is formed through its use in social reality, since it is an aspect of social practices (see Solove, 2002). This means that our understanding of privacy changes as advances in technology are made. It also changes as a result of the context in which it is created. Secondly, issues relating to privacy are changing all the time. As mentioned previously, information is flowing more freely and more frequently than before. With the emergence of comprehensive databases, loyalty card schemes, credit cards, and the internet, vast amounts of data can be gathered and held on individuals (McKenna, 1991). This consumer information provides many advantages for marketers and organisations (Porter and Millar, 1985); it facilitates the recruitment of new consumers, the increased and customised selling to existing customers, the support of customer services operations, the customisation of products to consumer demands in shops and a refined understanding of consumer shopping behaviour by organisations (e.g. Blattberg and Deighton, 1991; Crié and Micheaux, 2006). Nevertheless, it changes consumer perceptions and needs for privacy to accommodate the increasing collection of personal data by organisations and the government, as well as for the new contexts in which this information exchange is taking place (e.g. Cespedes and Smith, 1993; Wang and Petrison, 1993; O’Malley, Evans and Patterson, 1997; Kelly, 2000; Phelps, Nowak and Ferrell, 2000; Franzak et al., 2001; Graeff and Harmon, 2002; Milne, Culnan and Greene, 2006). Existing definitions are often too narrow and fail to accommodate new technological advances (i.e. Cooley, 1880; Jourard, 1966; Posner, 1981; Westin, 1967; Miller, 1971; Fried, 1968) and therefore also fail to accommodate for the changing understanding and need of privacy by consumers. Thirdly, different practices use different definitions of the term that do not all have the same goal. For example, the law defines privacy in order to achieve an understanding of the realm in which one has the right to be left alone (see Warren and Brandeis, 1890) and the extent to which organisations have the right to infringe on this right (see the Data Protection Act, 1998); consumers define privacy with the aim to set boundaries to the intrusion of privacy by others; philosophers in turn define privacy as a natural right (see Breckenridge, 1970) and therefore seek to define a different realm than the law does, for example. With different functions and requirements of privacy, which are context specific, it is difficult to adapt one definition that satisfies everyone’s needs.
2 Electronic copy available at: http://ssrn.com/abstract=1506917
As a result of these three reasons, privacy is difficult to define, as it is a function of many elements rather than a fixed constant that does not change over time. Our understanding of privacy changes over time as a function of the development of the individual, society and the specific environmental context (Westin, 1967; Margulis, 1977; Newell, 1995, Solove, 2002) and thus impedes the adoption of a lasting, universally applicable definition of privacy. Privacy is a social construction which associates a single output to each input element drawn from a set of interdependent elements, i.e. the subjective elements of privacy interact with informational elements which are shaped by context and are thus changing in response to each other rather than independently. Therefore, although privacy is problematic it is possible to formulate it as a function of its various elements. This paper identifies all relevant elements of how privacy is understood by consumers and develops a framework that sets up privacy as a function of these elements. A comprehensive set of all elements of privacy will allow a more coherent foundation for future privacy discussions and allows privacy to be operationalised. This will allow marketers and organisations to evaluate perceived consumer privacy threats. As a result the framework should help advise marketing and organisational privacy policy makers to improve consumer privacy services (see Mattison Thompson, 2007). Understanding which elements of privacy consumers perceive as important is of value to organisations if they want to work towards limiting consumer privacy intrusion, improving buyer-seller relationships, sustaining brand image and becoming more compliant with what consumers want in terms of their privacy protection. The following sections will now present the method employed by which the existing elements of privacy were identified and will critically review each element for its applicability and functionality as part of a comprehensive framework of privacy. 2. The Elements of Privacy The framework presented in this paper was established through a rigorous, comprehensive and critical analysis of, first, the existing conceptual literature on privacy conceptualisation and second, the current empirical literature on consumer privacy fears and perceptions, particularly in the marketing domain. First a list of over 50 existing privacy definitions was accumulated, which were critically analysed for their individual elements of privacy. The integral parts of the privacy concept were identified as: (1) secrecy (e.g. Cooley, 1980; Jourard, 1966; Posner, 1981; Etzioni, 1999); (2) control over personal information (e.g. Westin, 1967; Fried, 1968; Miller, 1971; Altschull, 1990; Murphy, 1996; Kang, 1998); and (3) intimacy (e.g. Fried, 1968; Rachels, 1975; Reiman, 1976; Farber, 1993; Inness, 1992). These were extensively criticised (see Mattison Thompson, 2007) for often being too broad (e.g. secrecy fails to acknowledge the condition under which the disclosure of certain secrets is a violation of privacy, yet does not constitute a loss of secrecy) and did not allow for a comprehensive choice of a definition of privacy (e.g. intimacy describes parts of privacy, however does not cover for situations where privacy is intruded without the relationship being an intimate one), as they were never discussed together but only as separate elements. Second, a parallel review of extant empirical literature on privacy and the perceived privacy threats by consumers identified that empirical privacy concepts are based and built on theoretical privacy concepts. In this literature, privacy is conceptualised as being threatened by: (1) the sensitivity of the information (e.g. Phelps, Nowak and Ferrell, 2000; Han and Maclaurin, 2002; Sheehan, 2002; Ward, Bridges and Chitty, 2005), (2) the amount of 3
information held in the hand of others (e.g. Miller, 1971; Gandy, 1993; Milne and Rohm, 2000; Petty, 2000; Franzak et al., 2001), (3) the awareness of data collection (e.g. Culnan, 1993; Nowak and Phelps, 1995; Sheehan and Hoy, 2000; Milne, Rohm and Bahl, 2004, Baig, 2004), (4) the control over the use and subsequent release of information (e,g, Sheehan and Hoy, 2000; Petty, 2000; Han and Maclaurin, 2002; Graeff and Harmon, 2002), (5) the control over the number of people with access to that information (e.g. Cranor, Reagle and Ackerman, 1999; Sheehan, 2002; Milne, Rohm and Bahl, 2004) and (6) the nature of the relationship with those possessing the information (e.g. O’Malley et al., 1997; Sheehan and Hoy, 2000; Graeff and Harmon, 2002). Thus, all conceptual elements have empirical counterparts: for example, the theoretical concept of ‘secrecy’ is represented both in ‘the awareness and knowledge of information collection and use’ and in ‘the nature of the relationship with those possessing the information’ concepts; the theoretical concept of ‘intimacy’ is represented also through ‘the nature of the relationship with those possessing the information’ concept; ‘control over personal information’ is represented by the empirical concept of ‘the control over the release and subsequent use of the information’; although it could be assumed that the theoretical concept of ‘limited access to the self’ is represented by ‘the number of people with access to the information’ concept identified through empirical research, it was argued that because one involves exercising control over who has access to the person and the other involves keeping certain information secret from selected people respectively, they should be kept separate when defining privacy. Further, the empirical privacy concept of ‘the sum of information in the hand of others’ can be understood as a subset of ‘the sensitivity of the information’ concept, as the accumulation of information can increase the sensitivity of individual bits of information as they are connected (Franzak et al., 2001). In turn, the empirical concept of ‘sensitivity of information’ is reflected in conceptual literature by the concept of ‘control over personal information’, thus all conceptual and empirical concepts are interlinked and corresponded to respectively. As a result of the analysis of the literature it is thus argued that the elements of privacy can be discussed under five headings: (1) the sensitivity of information, (2) the sum of information held in the hand of others, (3) the awareness of data collection, (4) the control over information use and the access of others, and (5) the nature of the relationship with others (see: Mattison Thompson, 2007). The following sections will present the critical analysis of the individual elements of privacy identified during the literature review and will highlight the interdependency of the conceptual and empirical elements of privacy. 2.1. The Sensitivity of Information Information sensitivity refers to ‘the level of privacy concern an individual feels for a type of data in a specific situation’ (Weible, 1993, p. 20). The ‘sensitivity of information’, as a key component of the privacy concept is widely supported by both conceptual and empirical evidence (e.g. Wang and Petrison, 1993; Cranor, Reagle, and Ackerman, 1999; Han and Maclaurin, 2002; Ward, Bridges and Chitty, 2005). Various attempts have been made to differentiate information based on its sensitive nature. For example, Nowak and Phelps (1992) findings show that personal information in the form of telephone numbers, credit records, annual income, bank balance and medical records are defined as highly sensitive by 80% of consumers questioned. Yet, information on age, religion, names of food brands purchased, 4
department store shopped at and TV programmes watched were found to evoke little consumer concern. A follow up study confirmed that most consumers were willing to provide demographic and lifestyle information but for the vast majority of consumers when asked to divulge financial information and personal identifiers it clearly evoked heightened privacy concerns (Phelps, Nowak and Ferrell, 2000, see also Graeff and Harmon, 2002; Wang and Petrison, 1993; Cranor et al., 1999). Similar findings were also reported in a UK study by O’Malley, Patterson and Evans (1999). Although this shows that type of information varies in terms of sensitivity, there is evidence that perceived sensitivity of information is clearly contextual and differs in magnitude by person and by situation (Cranor, Reagle and Ackerman, 1999; Milne, 1997; Sheehan and Hoy, 2000). Nevertheless, the sensitivity of information perceived by a person clearly makes up one element of consumer privacy. 2.2. The Sum of Information in the Hands of Others Information gains in value when it is combined with other information to portray a detailed account of a person’s life. Shopping behaviour of a consumer alone, without the link to names, income or age for example, is less valuable for organisations than having a detailed profile of that person. This provides an advantage in a competitive marketplace, where knowledge about the target buyer needs to be more detailed, more personal, increasingly timely and preferably exclusive (Franzak et al., 2001). Consumers are increasingly troubled by the fact that profiling ‘may produce sensitive information from that which was not sensitive in its original form’ (Gandy, 1993, p. 139). Therefore, the value of each piece of information, and the ability to link the information to other pieces of information, is what determines privacy concern (Wacks, 1989). Smith and Sparks (2004) illustrate this point by analysing individual purchase records of a loyalty cardholder over 243 different days. Despite the single bit of purchase information not being perceived as sensitive, ‘an archaeological record’ (Smith and Sparks, 2004, p. 379), of almost a year’s worth of shopping behaviour, allowed various conclusions about lifestyle, health, vanity etc. thus allowing a detailed look at the individual’s life. This suggests that the volume of information a retailer holds on an individual can become sensitive. As a consequence, many online consumers decline to provide information requested by a website, because of the amount of information asked for (Culnan, 2000), or resort to providing false information to take advantage of the service without having to provide actual, detailed information about themselves (O’Malley, Patterson and Evans, 1997). Based on the above, the amount of data held by organisations could be viewed as sensitive and private, once combined and used (e.g. Smith and Sparks, 2004). Therefore the conditions under which privacy is at risk also need to include the ‘sum of information in the hand of others’, as this directly determines the level of perceived privacy threats by consumers. Without this element, a privacy framework would be overlooking the ability of organisations to compile private and sensitive information via great amounts of less sensitive information. 2.3. Secrecy and the Knowledge of Data Collection One of the most common understandings of privacy is that it constitutes the secrecy of certain matters (e.g. Cooley, 1880; Jourard, 1966; Posner, 1981). Under this view privacy is violated by the public disclosure of previously concealed information. Posner (1981, p.271) who regards privacy as ‘the interest in being left alone’ also perceives privacy as an interest in 5
concealment of information, which ‘is invaded whenever private information is obtained against the wishes of the person to whom the information pertains’. Posner (1981) believes that people want to manipulate the world around them by selective disclosure of facts about themselves. Nevertheless, a number of theorists have claimed that understanding privacy as secrecy conceptualises privacy too narrowly (e.g. Simmel, 1971; DeCew, 1997; Solove, 2002). By equating privacy with secrecy, this formulation fails to recognise that individuals do not strive to keep everything private instead they aim to be selective in the disclosure of information (Karst,1966). Etzioni (1999, p. 196) tries to overcome this problem by defining privacy as ‘the realm in which an actor (either a person, or a group) can legitimately act without disclosure and accountability to others’. Nonetheless, even under selective secrecy definitions, the harm caused by an invasion of privacy is understood as the disclosure of previously concealed information. Privacy entails more than avoiding disclosure, it also involves the individual’s ability to control the use of personal information for purposes s/he desires, such as for example sensitive financial information for online banking (Culnan, 1993). As Inness (1992, p. 3) notes ‘privacy might not necessarily be opposed to publicity; its function might be to provide the individual with control over certain aspects of her life’. Whilst it should be acknowledged that the disclosure of certain secrets is a violation of privacy, many commonly recognised privacy invasions do not involve the loss of secrecy (e.g. unsolicited telephone calls or being harassed in the street by street vendors). Therefore, secrecy is a common aspect of privacy, however on its own it makes the concept of privacy too narrow to accommodate for the loss of privacy in situations where secrecy is not lost. Similarly, if a person wants to keep something secret, however has no knowledge of or is unaware of data collection, a threat to privacy exists. This concept of privacy intrusion as ‘the lack of knowledge of data collection’ is widely represented in empirical studies (e.g. Nowak and Phelps, 1992; Culnan, 1993; Cespedes and Smith, 1993; Sheehan and Hoy, 2000; Milne and Rohm, 2000; Milne, 2000; Han and Maclaurin, 2002; Graeff and Harmon, 2002; Milne, Rohm and Bahl, 2004). Awareness of information collection is a major influence on the degree to which consumers experience privacy concern (Burgoon, 1982; Sheehan and Hoy, 2000). Most predominant and heavily cited is the research done by Nowak and Phelps (1992; 1995). In their articles, Nowak and Phelps (1992; 1995) try to establish a clear understanding of what ‘privacy’ is, related to marketing practices, in addition to how the level of knowledge about organisational data gathering influences consumer privacy concerns. Their framework which classifies consumers’ knowledge on data collection into three specific categories: (1) consumers who experience full knowledge of data collection and use; (2) consumers who experience knowledge of data collection but not of use; and (3) consumers who experience neither knowledge of data collection nor of use, suggests that: ‘the threat to consumer privacy is minimal under the first condition (full knowledge) and greatest under the last condition – where consumers do not know of collection or use of information’ (Graeff and Harmon, 2002, p. 304). Consumers with little or no knowledge of data collection sited ‘the lack of control over the access to information by others, the use of supplied information for different purposes and the passing on of information to third parties without consent’ (Nowak 6
and Phelps, 1995, p. 105) as highly threatening to their privacy. Expanding on this idea and incorporating several other aspects of privacy, Sheehan and Hoy (2000) thus argue that privacy concerns are influenced by the awareness of information collection, information usage, information sensitivity and familiarity with the entity dealt with (Sheehan and Hoy, 2000). Their findings suggest that cause to privacy concern stems from ‘the fear of the unknown, and because consumers can’t trace how the company acquired their e-mail addresses and private information’ (Sheehan and Hoy, 2000, p. 68). Foxman and Kilcoyne (1993, p. 109) note that ‘the lack of knowledge (of data collection) violates the principle of autonomy – because consumers are denied the right to make rational choices about whether or not organisations may use personal information’. It is questionable whether the simple notification in advance, that businesses will use and collect consumer information for unspecified purposes, would resolve this inequity. The concept of ‘Knowledge of Data Collection’ is not limited to any context, but is valid in the on-line environment as well as in the off-line environment (e.g. Culnan, 1993; Cespedes and Smith, 1993; Nowak and Phelps, 1995; Sheehan and Hoy, 2000; Milne and Rohm, 2000; Milne, 2000; Han and Maclaurin, 2002; Graeff and Harmon, 2002; Milne, Rohm and Bahl, 2004). It is therefore a vital element of any consumer privacy framework. 2.4. Control over Information Use and the Access of Others According to Westin (1967, p. 7) ‘privacy is the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others’. Other scholars have articulated similar theories, for example Fried (1968, p. 482) believes that ‘privacy is the control we have over information about ourselves’. In their 2002 report on empirical studies, Han and Maclaurin note that ‘39% of online consumers cited the lack of control over who gets access to the information’ as highly important when making decisions about providing organisations with private information. Further, in 2004 Milne, Rohm and Bahl, who investigated online behaviour of consumers that increases or reduces the risk of online identity theft, made similar observations. ‘More serious threats to privacy include employees stealing data that is electronically stored, or thieves who directly hack into company databases and stealing personal or financial information’ (Milne, Rohm and Bahl, 2004, p. 220). Clearly, which people have access and how many people have access to information about an individual determines the magnitude of perceived privacy threat. In other words, the more people have access to an individual’s information the higher the likelihood that there is someone with access to this information who the individual would rather not grant access. As mentioned earlier: ‘our interest in privacy…is related to our concern over accessibility of others…the extent to which others have physical access to us and the extent to which we are the subject of others’ (Gavison, 1980, p. 422). Therefore it can be argued that as the number of people who gain access to personal and sensitive data increases, the perception of control decreases both in terms of who might abuse the information and in what manner.
7
Within the concept of control over personal information, there is also the issue of secondary use of information. According to Culnan (1993, p. 344) secondary use of information is ‘the use of personal information for other purposes subsequent to the original transaction between an individual and an organisation when the information was collected’. Empirical evidence by Cespedes and Smith (1993) shows that the use of data for other purposes than it had originally been intended for is seen as an invasion of consumer privacy and an illegitimate use of information on the companies’ part. Indeed, such findings are not context specific. In their 1999 study, O’Malley, Patterson and Evans, found that 76% of the 724 UK respondents agreed that marketers should not share their information with other organisations. Furthermore, 79% wanted marketers to inform them before sharing their personal details. These findings reinforce the importance of perceived control over personal information and the perceived intrusion resulting from a loss of control over the release and subsequent use of that information. 2.5. Intimacy and The Nature of the Relationship with Others The definition of ‘intimacy’ (i.e. something of a personal or private nature, a close, familiar, and usually affectionate or loving personal relationship with another person or group) appropriately recognises that privacy is not just essential to individual self-creation, but also to human relationships. The conceptualisation views privacy as consisting of some form of limited access or control, and it locates the value of privacy in the development of personal relationships (Farber, 1993). Farber argues that people form relationships with differing degrees of intimacy and self revelation and value privacy so that they can maintain the desired levels of intimacy for each of the varied relationships. By focusing on the value of privacy, the theory of privacy as intimacy attempts to define what aspects of life people should be able to restrict access to, or what information people should be able to control or keep a secret. Rachels (1975) contends that privacy is valuable because there is a close connection between one’s ability to control who has access to us and to information about us, and one’s ability to create and maintain different sorts of social relationships with different people. Reiman (1984, p. 304) however argues that this view of intimacy ‘overlooks the fact that what constitutes intimacy is not merely the sharing of otherwise withheld information, but the context of caring which makes the sharing of personal information significant’. He also notes that revealing information to one’s doctor which one might not ordinarily reveal to another person does not necessarily mean that one has an intimate relationship with one’s doctor. He notes that Rachels focuses too heavily on the notion of control and limited access rather than on the attributes of intimate relationships. As Weinstein (1971, p. 27) notes: ‘there is a wide range of instances where to speak of something as private is not to imply intimacy. For example, computer databases pose a significant threat to privacy but ‘do not primarily affect…relationships of friendship, love and trust. Instead, these threats come from private and government organisations – the police, welfare agencies, credit agencies, banks and employers’ (Regan, 1995, p. 7). Thus, since people often share a great deal of information with those with whom they are not intimate, intimacy is apart of privacy, however it is not a principal part (Parker, 1974). In empirical research the intimacy concept can be described as ‘the nature of the relationship with others’; and because this is derived from the ‘secrecy’ concept, draws heavily on this conceptual privacy assumption. As noted above, intimacy is the sharing of information about 8
one’s actions, beliefs or emotions which one does not share with all. This assumes that people have differing relationships with different people; those they share information with and those they do not. Indeed, in their empirical study, Sheehan and Hoy (2000) identify that consumers make differences between whom they provide information to and whom they do not, based on the relationship they have with the party involved and on the benefits they receive from that relationship. ‘Online users try to balance the information they give with what is received in the exchange’ (Sheehan and Hoy, 2000, p. 68). This is comparable to Milne and Gordon’s (1993) finding that people are willing to give up some degree of their privacy to obtain some type of benefit from the exchange. Furthermore, the length of the relationships also has an impact on privacy concerns. Sheehan and Hoy (2000, p. 68) found that ‘an established relationship between online entities and users appears to lessen privacy concerns’. This importance of relationships has been seen in both online and offline contexts. For example, Milne and Rohm (2000) discovered that online consumers appear to indicate a willingness to engage in relationships, when the relationship is mutually beneficial. Milne and Boza (1999) further note that people’s past experience with any type of organisation is one of the main reasons for trusting an organisation with their personal information. In their 1997 study, O’Malley, Patterson and Evans assessed consumers’ attitudes towards direct and database marketing practices in the UK. They found that abuses in areas such as trust, commitment, respect, adaptation, regard for privacy and mutuality of interest, create a barrier to the development of meaningful relationships between consumers and organisations. ‘Essentially, as privacy concerns grow, it will become increasingly difficult to foster the integral elements of a relationship’ (O’Malley, Patterson and Evans, 1997, p. 545). This thus suggests that the nature of the relationship with others determines the magnitude of the areas of trust, commitment and respect etc. and ultimately impacts on the privacy concerns perceived by consumers. The stronger these dimensions are within a relationship, the less privacy concerns arise and the bigger the perceived loss should privacy be intruded. In marketing terms, the nature of the relationship determines whether consumers perceive marketing activities, such as pop-ups, direct marketing activities and loyalty card schemes, as intrusive or as ‘intimate’ exchanges of benefit and knowledge. 3. Towards a Framework of Privacy As mentioned earlier, the purpose of this paper is to provide a comprehensive privacy framework for marketers and policy makers that encompassed all elements of how consumers understand privacy, which can be used to operationalise the privacy function and through which potential consumer privacy threats can be analysed. Currently, discussions on privacy involve various elements of privacy, however seldom include all elements or fail to indicate which elements of privacy are referred to all together. This results in partial or uninformed discussion of the consumer privacy notion and hinders the formation of a coherent and common ground on which these discussions are based. Furthermore it has provided organisations with the liberty to use the term very loosely and mainly from the viewpoint of their own context rather than a consumer context. As argued earlier different practices have different understandings of the term, thus leading to discrepancies in meaning and therefore to perceived privacy intrusion in contexts in which the term is defined differently. Thus in order to reduce consumer privacy threats and to help organisations understand how the term is used by consumers, this paper has organised extant privacy literature to generate a framework of 9
the privacy function. The elements that make up consumer privacy have been discussed in the previous sections. By establishing that theoretical concepts of privacy are reflected in empirical concepts of the term, it is argued that the combination of these individual elements allows for the creation of a more comprehensive consumer privacy framework. The framework is responsive to social reality through the integration of all the elements of privacy that have been identified as important in consumer literature. As stated before, since privacy is a socially created concept and since the magnitude of the perception of privacy differs from person to person, yet its fundamental elements underlie all consumer perceptions of the term, this paper argues that: ‘The subjective condition of privacy is a function of the levels of knowledge over sensitive information collection and use an individual has; the levels of control over the release and subsequent use of that information, over the number of people with access to that information, over the nature of the relationship with others, and over the access of others an individual has; and when they can exercise that control consistent with their interests and values’. Consequently, the threat to privacy exists when the above subjective condition of privacy is compromised by an unwanted (deliberate or accidental) event that results in harm to full knowledge of sensitive information collection and use; full control over the release and subsequent use of that information, over the number of people with access to that information, over the nature of the relationship with others, and over the access of others; and when the control is no longer consistent with a person’s interests and values. Thus privacy is a function of the levels of knowledge and control a consumer has over the above set of privacy elements and the importance the person attaches to each of the individual privacy elements. Figure 1 overleaf visually represents the privacy function established in this paper.
10
Figure 1: The Privacy Function
The level of control and awareness over the individual privacy elements identified in this paper together with the magnitude of attached importance to each of these elements by the consumer, determines their individual perceived privacy. Thus, this framework privacy allows marketers to determine which and how a manipulated variable of the privacy function impacts on perceived privacy threat. Therefore the concept of privacy can be practically measured. This comprehensive set of all elements of privacy allows a more coherent foundation for future privacy discussions, allows privacy to be operationalised and allows marketers and organisations to evaluate perceived consumer privacy threats. This should help advise marketing and organisational privacy policy makers to improve consumer privacy services (see Mattison Thompson, 2007). Understanding which elements of privacy consumers perceive as important is of value to organisations if they want to work towards limiting consumer privacy intrusion, improving buyer-seller relationships, sustaining brand image and becoming more compliant with what consumers want in terms of their privacy protection. Therefore it is suggested that more specific guidelines, to help organisations reduce the threat to privacy and therefore protect an individual’s requirements of privacy, might provide more effective in doing so. These guidelines might then help reflect the crucial privacy levels that have to be achieved in order for organisations to protect privacy more adequately.
11
4. Conclusion Privacy is an important concept and has gained prominence due to increasing consumer privacy concerns (see: O’Malley, Patterson and Evans, 1999; Phelps, Nowak and Ferrell, 2000; Kelly, 2000; Franzak et al, 2001; Graeff and Harmon, 2002; Milne, Culnan and Greene, 2006). Despite much interest in this area a basic understanding of privacy has been neglected. This is due to the fact that it is a function of many elements rather than a constant; our understanding of privacy changes over time as a function of the development of the individual, society and the specific environmental context (Westin, 1967; Margulis, 1977; Newell, 1995) and thus impedes the adoption of a lasting, universally applicable definition of privacy. Therefore, given the diversity of definitions offered and the lack of a universally accepted delimitation of the domain, due to its subjectivity and context specification, it has become impossible to have a meaningful discussion about it, as rarely authors specify what it this they understand by the term ‘privacy’. In an attempt to fill this knowledge gap and to contribute to the understanding of privacy, this paper has critically reviewed extant academic literature on the conceptualisation and current socio-cultural understanding of privacy and has introduced a framework of the term. This framework allows marketers and organisational policy makers to better understand how consumers understand privacy and what their privacy needs are, and should thus help tackle increasing consumer privacy threats by marketing and organisational data management activities. Although regulating or restricting the collection of consumers’ personal information could ultimately limit the quality and level of service businesses can deliver to their customers (e.g. Zeithaml et al., 1990), privacy concerns by consumers tend to put in jeopardy those relationships in which the consumer feels misled or cheated (Prabhaker, 2000). Increasingly, consumers are using countermeasures to protect their privacy, for example supplying false or fictitious information (e.g. O’Malley, Patterson and Evans, 1997, Lwin and Williams, 2003), adding weight to the argument that more needs to be done by organisations to protect consumer privacy and thus nurture more mutually beneficial relationships. By understanding how consumers perceive privacy and threats to their privacy, through the use of the privacy framework offered in this paper, marketers and organisational policy makers can reduce privacy threat. Technological advances facilitate sophisticated data accumulation, data mining, consumer targeting, etc. This technology could equally be employed to facilitate the provision of ‘privacy services’. Concerned consumers could participate and specify their desired privacy threshold (in line with: Zeithaml et al., 1990; Kang, 2002; Vargo and Lusch, 2004). This also ensures that organisations become more accountable when dealing with consumer data and that consumers are more involved in the management of their privacy. As a result, both parties manage privacy more actively. As this framework was created through an in-depth and rigorous analysis of extant privacy literature, the next step to operationalising this framework fully would be to develop scales that allow each variable to be tested for its significance to each person and in different contexts. Furthermore, as this framework is based on Western ideology and cultural understandings, an insight into the understanding of privacy within a different culture, for example in Asia, might be of interest to provide additional insight into this domain. Certainly a comparison between different cultural understandings of the term will be of value to the current literature on privacy, as it could help inform how global businesses should tackle consumer privacy fears. 12
References Altman, I. (1975). The Environment and Social Behaviour: Privacy, Personal Space, Territory, and Crowding. Monterey; California, Brooks/Cole Publishing. Altschull, J. (1990). From Milton to McLuhan: The Ideas Behind American Journalism, New York, Longman. Baig, E. (2004). "Keep Spies from Skulking into your PC." USA Today Online from http://www.usatoday.com/money/industries/technology/2004-01-22-spy_x.htm. Blattberg, R. C. and Deighton, J. (1991). "Interactive Marketing: Exploiting the Age of Addressability." Sloan Management Review 33(1): 5. Bloustein, E. (1964). Privacy as an Aspect of Human Dignity. Philosophical Dimensions of Privacy. Schoeman, F., Cambridge University Press: 156 - 202. Breckenridge, A. C. (1970). The Right to Privacy. University of Nebraska Press Burgoon, J. (1982). Privacy and Communication. Communication Yearbook 6. Burgoon, M., Sage Publications: 206 - 249. Caudill, E. M. and Murphy, P. E. (2000). "Consumer Online Privacy: Legal and Ethical Issues." Journal of Public Policy & Marketing 19(1): 7-19. Cespedes, F. V. and Smith, H. J. (1993). "Database Marketing: New Rules for Policy and Practice." Sloan Management Review 34(4): 7-22. Clarke, R. (2005). "Roger Clarke’s Dataveillance and Information Privacy Home-Page" from http://www.anu.edu.au/people/Roger.Clarke/DV/. Cooley, T. (1880). Law of Torts, Unknown. Cranor, L., Reagle, J. and Ackerman, M. (1999). "Beyond Concern: Understanding Net Users' Attitudes about Online Privacy." Research Technical Report TR 99.4.3(AT&T Labs). Crié, D. and Micheaux, A. (2006). "From Customer Data to Value: What is Lacking in the Information Chain?" Journal of Database Marketing & Customer Strategy Management 13(4): 282-299 Culnan, M. J. (1993). "How Did They Get My Name?" MIS Quarterly 17(3): 341-363. 20 Culnan, M. J. (2000). "Protecting Privacy Online: Is Self-Regulation Working?" Journal of Public Policy & Marketing 19(1): 20-26. Dassen, T., Gasull, M. and Lemonidou, C. (2001). "Privacy: A Review of the Literature." International Journal of Nursing Studies 38: 663-671. 13
DeCew, J. (1997). In Pursuit of Privacy: Law, Ethics and the Rise of Technology, Ithaca, NY: Cornell University Press. Duby, G. (1987). Foreword. A History of Private Life: From Pagan Rome to Byzantium. Goldhammer, A. and Veyne, P., Oxford University Press. Etzioni, A. (1999). The Limits of Privacy, New York: Basic Books Farber, D. (1993). Book Review: Privacy, Intimacy and Isolation. Privacy, Intimacy and Isolation, Oxford University Press: 510-515. Fisher, T. (2005). ‘How Mature Is Your Data Management Environment?’ Business Intelligence Journal 10 (3): 20-27 Forcht and Cochran (1999). "Using Data Mining and Data Warehousing Techniques." Industrial Management & Data Systems 99(7): 189-196. Foss, B., Henderson, I., Johnson, P., Murray, D. and Stone, M. (2002). "Managing the Quality and Completeness of Customer Data." Journal of Database Marketing 10(2): 139. Foxman, E. R. and Kilcoyne, P. (1993). "Information Technology, Marketing Practice, and Consumer Privacy: Ethical Issues." Journal of Public Policy & Marketing 12(1): 106-119. Franzak, F., Pitta, D. and Fritsche, S. (2001). "Online Relationships and the Consumer's Right to Privacy." Journal of Consumer Marketing 18(7): 631-649. Fried, C. (1968). Privacy. Philosophical Dimensions of Privacy. Schoeman, F., Cambridge University Press. Fried, C. (1984). Privacy and Moral Analysis: Philosophical Dimensions of Privacy, Cambridge University Press. Gandy, O. H. (1993). The Panoptic Sport: A Political Economy of Personal Information, Boulder, CO: Westview Press. Gardiner Jones, M. (1991). "Privacy: A Significant Marketing Issue for the 1990's." Journal of Public Policy & Marketing 10(1): 133-148. Gavison, R. (1980). Privacy and the Limits of Law. Philosophical Dimensions of Privacy. Schoeman, F., Cambridge University Press: 346 - 402. Graeff, T. R. and Harmon, S. (2002). "Collecting and Using Personal Data: Consumers' Awareness and Concerns." Journal of Consumer Marketing 19(4/5): 302-318. Greenawalt, K. (1971). "All or Nothing at All: The Defeat of Selective Conscientious Objection." The Supreme Court Review 1971: 31-94. 14
Goodwin, C. (1991). "Privacy: Recognition of a Consumer Right." Journal of Public Policy & Marketing 10(1): 149-166. Han, P. and Maclaurin, A. (2002). "Do Consumers Really Care About Online Privacy?" Marketing Management 11(1): 35-38. Hanson, D. (1970). From Kingdom to Commonwealth: The Development of Civil Consciousness in English Thought, Cambridge, MA: Harvard University Press. Inness, J. (1992). Privacy, Intimacy and Isolation, New York: Oxford University Press. Jourard, S. (1966). "Some Psychological Aspects of Privacy." Law and Contemporary Problems 31: 307-319. Kang, J. (1998). "Information Privacy in Cyberspace Transactions." Stanford Law Review 50: 1193-1202. Kang, G. (2002). "Measuring of Internal Service Quality: Application of the SERVQUAL Battery to Internal Service Quality." Managing Service Quality 12(5): 87-99. Karst, K. (1966). "The Files: Legal Controls over the Accuracy and Accessibility of Stored Personal Data." Law and Contemporary Problems: 342-354. Kelly, E. P. (2000). "Ethical Aspects of Managing Customer Privacy in Electronic Commerce." Human Systems Management 19(4): 237-244. Long, G., Hogg, M. and Angold, S. (1999). "Relationship Marketing and Privacy: Exploring the Thresholds." Journal of Marketing Practice 5: 56-63. Louis, H. and Associates (1992). Consumer Privacy Survey 1992. Atlanta, Equifax Inc., Lwin. M, Witz, J. and Williams, J. (2007). “Consumer online privacy concerns and responses: a power-responsibility equilibrium perspective.” Journal of the Academy Marketing Science 35: 572-585 Mattison Thompson, F. (2007). Organisational Data Management and Privacy: A Financial Services Case Study. PhD Thesis, Nottingham University Business School Margulis, S. (1977). "Conceptions of Privacy: Current Status and Next Steps." Journal of Social Issues 33(3): 5-21. McKenna, A. (2001). "Playing Fair with Consumer Privacy in the Global On-line Environment." Information and Communications Technology Law 10(3): 221-234. Moore, B. (1984). Privacy: Studies in Social and Cultural History. M. E. Sharpe Miller, A. (1971). The Assault on Privacy: Computers, Data Banks and Dossiers, Unknown. 15
Milne, G. R. (1997). "Consumer Participation in Mailing Lists: A Field Experiment." Journal of Public Policy & Marketing 16(2): 298-309. Milne, G. R. (2000). "Privacy and Ethical Issues in Database/Interactive Marketing and Public Policy: A Research Framework and Overview of the Special Issue." Journal of Public Policy & Marketing 19(1): 1-6. Milne, G. R. and Gordon, M. E. (1993). "Direct Mail Privacy-Efficiency Trade-offs Within an Implied Social Contract Framework." Journal of Public Policy & Marketing 12(2): 206215. Milne, G. R. and Boza, M.-E. (1999). Trust has to be Earned. Frontiers of Direct Marketing. Phelps, J., New York: Direct Marketing Educational Foundation. Milne, G. R. and Rohm, A. J. (2000). "Consumer Privacy and Name Removal Across Direct Marketing Channels: Exploring Opt-In and Opt-Out Alternatives." Journal of Public Policy & Marketing 19(2): 238-249. Milne, G. R., Rohm, A. J. and Bahl, S. (2004). "Consumers' Protection of Online Privacy and Identity." Journal of Consumer Affairs 38(2): 217-232. Milne, G. R., Culnan, M. J. and Greene, H. (2006). "A Longitudinal Assessment of Online Privacy Notice Readability." Journal of Public Policy & Marketing 25(2): 238-249. Murphy, R. (1996). Property Rights in Personal Information: An Economic Defence of Privacy. GEO. 84: 2381-2383. Newell, P. B. (1995). "Perspectives on Privacy." Journal of Environmental Psychology 15: 87-104. Nowak, G. and Phelps, J. (1992). "Understanding Privacy Concerns: An Assessment of Consumers' Information Related to Knowledge and Beliefs." Journal of Direct Marketing 6(Autumn): 28-39. Nowak, G. J. and Phelps, J. (1995). "Direct Marketing and the Use of Individual-Level Consumer Information: Determining How and When "Privacy" Matters." Journal of Direct Marketing 9 (3): 46-60. O'Brien, D. (1979). Privacy, Law and Public Policy, New York: Praeger Special Studies. O'Malley, L., Patterson, M. and Evans, M. (1997). "Intimacy or Intrusion? The Privacy Dilemma For Relationship Marketing in Consumer Markets." Journal of Marketing Management 13(6): 541-559. O'Malley, L., Patterson, M. and Evans, M. (1999). "Data Fusion and Data Control: Privacy Problems and Solutions? ." Journal of Targeting, Measurement & Analysis for Marketing 16
7(3): 288-302. Parent, W. (1983). "Recent Work on the Concept of Privacy." American Philosophical Quarterly 20(October). Parker, R. (1974). "A Definition of Privacy." Rutgers Law Review 27(2): 275-297. Petty, R. D. (2000). "Marketing Without Consent: Consumer Choice and Costs, Privacy, and Public Policy." Journal of Public Policy & Marketing 19(1): 42-53. Phelps, J., Nowak, G. and Ferrell, E. (2000). "Privacy Concerns and Consumer Willingness to Provide Personal Information." Journal of Public Policy & Marketing 19(1): 27-41. Posner, R. A. (1981). "The Economics of Privacy." American Economic Review 71(2): 405415. Prabhaker, P. R. (2000). "Who Owns the Online Consumer?" Journal of Consumer Marketing 17(2/3): 158-169. 24 Rachels, J. (1975). Why Privacy is Important. Philosophical Dimensions of Privacy. Schoeman, F., Cambridge University Press: 290 - 299. Regan, P. (1995). Legislating Privacy: Technology, Social Values and Public Policy, University of North Carolina Press. Reiman, J. (1976). Privacy, Intimacy and Personhood. Philosophical Dimensions of Privacy. Schoeman, F., Cambridge University Press: 300 - 316. Ryals, L. and Payne, A. (2001). "Customer Relationship Management in Financial Services: Towards Information-enabled Relationship Marketing." Journal of Strategic Marketing 9(1): 3-27. Schoeman, F. (1984). Privacy: Philosophical Dimensions of the Literature. Philosophical Dimensions of Privacy: An Anthology. Schoeman, F., Cambridge University Press. Schoeman, F. (1992). Privacy and Social Freedom. Cambridge, Cambridge University Press. Solove, D. J. (2002). "Conceptualising Privacy." California Law Review 90(1087): 10881155. Sheehan, K. B. (2002). "Toward a Typology of Internet Users and Online Privacy Concerns." Information Society 18(1): 21-32. Sheehan, K. B. and Hoy, M. G. (2000). "Dimensions of Privacy Concern Among Online Consumers." Journal of Public Policy & Marketing 19(1): 62-73.
17
Simmel, A. (1971). Privacy is not an Isolated Freedom. Privacy. Pennock, R. and Chapman, W., New York, Atherton Press. Simms, M. (1994). "Defining Privacy in Employee Health Screening Cases: Ethical Ramifications Concerning the Employee/Employer Relationship." Journal of Business Ethics 13: 315-325. Smith, J. (1994). Managing Privacy: Information technology and Corporate America, University of North Carolina Press. Smith, A. and Sparks, L. (2004). "All About Eve?" Journal of Marketing Management 20(3/4): 363-385. Solove, D. J. (2002). "Conceptualising Privacy." California Law Review 90(1087): 1088-1155. 25 Unknown, A. (1998). Data Protection Act 1998. Crown Copyright, 1998. United Kingdom, Crown Court. Vargo, S. and Lush, R. (2004). "Evolving to a New Dominant Logic for Marketing." Journal of Marketing 68: 1-17. Wacks, R. (1989). Personal Information, Privacy and the Law, Oxford: Oxford University Press. Wang, P. and Petrison, L. A. (1993). "Direct Marketing Activities and Personal Privacy: A Consumer Survey." Journal of Direct Marketing 7(1): 7-19. Ward, S., Bridges, K. and Chitty, B. (2005). "Do Incentives Matter? An Examination of Online Privacy Concerns and Willingness to Provide Personal and Financial Information." Journal of Marketing Communications 11(1): 21-40. Warren, S. and Brandeis, L. (1890). "The Right to Privacy." Harvard Business Review 4: 193220. Weible, R. J. (1993). "Privacy and data: An empirical study of the influence of types of data and situational context upon privacy perceptions" D.B.A., Mississippi State University, 1993 Weinstein, W. (1971). The Private and the Free: A Conceptual Inquiry. NOMOS XIII: Privacy. Chapman, J., Unknown: 27-33. Weiss, R. (1994). Learning from Strangers: The Art and Method of Qualitative Interview Studies, New York, Free Press. Westin, A. (1967). The Origins of Modern Claims to Privacy. Philosophical Dimensions to Privacy. Schoeman, F., Cambridge University Press: 56 - 74. 18
Westin, A. (1976). Privacy and Freedom, New York Atheneum. Westin, A. F. (2005). "American Attitudes on Health Care and Privacy." I-Ways 28(2): 7984. Young, J. (1978). Introduction: A Look at Privacy. Privacy. Young, J., New York, Wiley and Sons. Zeithaml, V. A., Parasuraman, A. and Berry, L. L. (1990). Delivering Quality Service, New York: Free Press.
19
