Internet Privacy and Security: An Examination of Online Retailer Disclosures

Author(s): Anthony D. Miyazaki and Ana Fernandez

Source: Journal of Public Policy & Marketing, Vol. 19, No. 1, Privacy and Ethical Issues in
Database/Interactive Marketing and Public Policy (Spring, 2000), pp. 54-61
Published by: American Marketing Association
Stable URL: http://www.jstor.org/stable/30000487
Accessed: 11-05-2018 16:04 UTC

JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide
range of content in a trusted digital archive. We use information technology and tools to increase productivity and
facilitate new forms of scholarship. For more information about JSTOR, please contact support@jstor.org.

Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at
http://about.jstor.org/terms

American Marketing Association is collaborating with JSTOR to digitize, preserve and

extend access to Journal of Public Policy & Marketing

This content downloaded from 14.139.224.146 on Fri, 11 May 2018 16:04:04 UTC
All use subject to http://about.jstor.org/terms
 Internet Privacy and Security: An Examination of Online
Retailer Disclosures

and Ana Fernandez

Anthony D. Miyazaki

The Federal Trade Commission has declared the privacy and security of consumer informa-
tion to be two major issues that stem from the rapid growth in e-commerce, particularly in
terms of consumer-related commerce on the Internet. Although prior studies have assessed
online retailer responses to privacy and security concerns with respect to retailers' disclo-
sure of their practices, these studies have been fairly general in their approaches and have
not explored the potential for such disclosures to affect consumers. The authors examine
online retailer disclosures of various privacy- and security-related practices for 17 product
categories. They also compare the prevalence of disclosures to a subset of data from a con-
sumer survey to evaluate potential relationships between online retailer practices and con-
sumer perceptions of risk and purchase intentions across product categories.

Consumers have little privacy protection on the Internet. store regarding not only consumer characteristics but also
- Federal Trade Commission Press Release, June 4, 1998
actual shopping behavior. Because most features of online
marketing transactions can be recorded electronically for
The Federal Trade Commission today told a House Committee future use by marketers, the amount of data gathered by
that business on the Internet could explode-from $2.6 billion in marketers is growing at constantly accelerating rates.
1996 to $220 billion in 2001--but if the trend is to continue, con-
Unfortunately, this burgeoning reservoir of information is
sumers must feel confident that the Internet is safe from fraud.
accompanied by technologically enhanced versions of two
- Federal Trade Commission Press Release, June 25, 1998
previously studied database issues, namely, the privacy and
The past decade has witnessed rapid escalation of the security of accumulated consumer data. These issues are of
diffusion of the Internet as a source of consumer enter- interest to policymakers with respect to both protecting con-
tainment, education, and marketplace exchange.' The sumers' rights regarding the privacy and security of their
growth of online retailing in particular has been well docu- personal and financial information and facilitating the con-
mented, and estimates of annual revenues have reached $13 tinued growth of e-commerce and the benefits it brings to
billion for 1998 (Holstein, Thomas, and Vogelstein 1998). consumers and businesses (e.g., enhanced efficiencies of
For example, the National Retail Federation reports that 26% information exchange and targeted communication).
of retailers had Internet sites in 1998, compared with only 8% Because many retailer practices have implications for pri-
in 1996 (Holstein, Thomas, and Vogelstein 1998; for similar vacy- and security-related issues, a key element of proposed
figures, see Ernst & Young 1999). Consumer patronage of legislation in this area involves the online disclosure of such
such sites also continues to grow. According to America practices. As discussed subsequently, these online disclo-
Online, currently the largest Internet service provider, 48% sures may be helpful in preventing and/or reducing con-
of its 14 million subscribers had purchased goods online as sumer concerns regarding Internet privacy and security.
of December 1998 (Holstein, Thomas, and Vogelstein 1998). Although several prior academic and industry studies have
In conjunction with this surge in e-commerce is a related evaluated commercial Web sites for privacy- and security-
increase in the amount of information marketers collect and related disclosures, most have taken a general approach and
have not examined how such disclosures may affect con-
sumer behavior. We assess disclosures of online retailers at
IAlthough the Internet includes various modes of information exchange,
such as directed communication (e.g., e-mail), posted communication (e.g., a more detailed level by delineating the various levels of
Usenet groups), real-time communication (e.g., Internet Relay Chat), and retailer response to several privacy and security concerns.
file transfer systems (e.g., File Transfer Protocol), our focus is the use of We then compare the prevalence of privacy- and security-
the World Wide Web (e,g., homepages, Web sites) as a main or alternative
storefront that allows for interactive consumer-initiated information
related disclosures with a subset of risk perception and
exchange (see Hoffman and Novak 1996). This information exchange may online purchase intention data from a consumer survey.
range from basic communications regarding products and physical retail Finally, we discuss implications for online retailing.
outlets to completely automated purchase and shipment procedures.

Privacy and Security of Consumer

ANTHONY D. MIYAZAKI is Assistant Professor of Marketing, and
Information
ANA FERNANDEZ is a research assistant, School of Business A major ethical issue in the collection and management of
Administration, University of Miami. The authors gratefully consumer information is the privacy of that information
acknowledge constructive comments from the special issue editor (Bloom, Milne, and Adler 1994; Chdnko 1995; Foxman and
and the anonymous JPP&M reviewers.
Kilcoyne 1993; Jones 1991). Indeed, privacy is often

Vol. 19 (1)
54 Journal of Public Policy & Marketing Spring 2000, 54-61

This content downloaded from 14.139.224.146 on Fri, 11 May 2018 16:04:04 UTC
All use subject to http://about.jstor.org/terms
 Journal of Public Policy & Marketing 55

viewed, even from a legal perspective, as a distinct

E-Privacy Act (S.con-
2067) and the Secure Pub
sumer right (Goodwin 1991). With respect(S. 909), both of
to online which deal with encryptio
shop-
ping, recent research by Rohm and dards Milneregarding
(1998) demon-
domestic and internationa
In general,
strates that a majority of Internet users-both thosepolicymakers
who are tending tow
have made online purchases and those thatwho make online retailers responsible for
have not-have
several concerns regarding information sumer information
privacy, including acquisition, usage, and
tices. In fact,of
issues related to the acquisition and dissemination disclosure
con- of online informa
sumer data. tices has been the subject of several recen
Commission
In conjunction with information privacy, security (FTC) investigations, includin
(partic-
1998
ularly information theft and misuse) also wherein
has more a
been labeled than 90% of examined
than 1400 in
key concern of e-commerce by various government and con- total) collected some type of
tion
sumer organizations (e.g., Brinkley 1998; from visitors
Consumer to their pages. In contrast
Reports
Online 1998; Cyberspace Law Institute 674 commercial
1999; Web sites examined provi
Federal Trade
Commission 1998a; National Consumers notification
League regarding
1999) as information collect
only and
well as many articles in trade publications 2% the
provided comprehensive priv
popular
press (e.g., Briones 1998; CNN 1999; 1998d;
Folkerssee alsoJudge
1998; FTC 1999). A more recen
Culnan
1998; Machrone 1998; Rothfeder 1997). (1999a)
These finds that 65.9% of the
two issues
sites examined
are interrelated, because when the protection provided at least one type o
of consumer
sure (see Culnan
privacy is considered, the secure storage and transmission 1999b).
of
consumer information contained in organizational databases
Online
also are viewed as the responsibilities of Retailer
participant organi-Responses to Privac
zations (Federal Trade Commission 1998a; Considering
Jones 1991).the privacy and security issu
ernment are
From a public policy perspective, consumers and assumed
consumer groups, we now outli
vacy concerns
to have certain rights to privacy and security of theirand three online retailer m
infor-
with perceived
mation when conducting online transactions. security problems (Table I p
Publicity
ouscalls
regarding these issues has sparked several types foroflegislation
online retailer responses to pr
(see Bloom, Milne, and Adler 1994; Milne issues).
1997)We then
that discuss
vary as how the disclosur
mation may
to their requirements for changes in practices versusrelate to consumer perception
simple
disclosure of practices. Presumably, changes in online retailer
Online
practices that are deemed consumer friendly Customer
will Identification
build online
Of concern
shoppers' confidence with respect to their to policymakers is whether and
future purchasing
activities. Conversely, increasing mediaonline retailer
coverage collects personal informatio
of these
issues may decrease consumer confidence customers (see Culnan
by highlighting the 1995, 1999a). Alt
risks involved in online shopping and the
thusaforementioned
deter full con- legislative efforts adv
sumer adoption of e-commerce (Judge sure ofTherefore,
1998). information theacquisition activities,
provided
role of policymakers is twofold: to facilitate the to online of
adoption businesses is done kn
online shopping with its proposed marketsumers. There exists,
efficiencies and however, the ability f
to identify by
simultaneously to protect and inform consumers andmaking
gather information on repea
risks of Internet commerce known to all site by placing
potential coded information (cal
and active
computer
participants. From a marketing perspective, users' hard
the disclosure of drives without t
(Samuel and Scher
online retailer practices may serve both to inform consumers 1999). This informat
bined with
about risks of online practices and to reduce previously
consumer risk provided personal inf
patterns of Web site exploration and info
perceptions and increase purchase behavior.
behavior.2 The concealed nature of this inf
Online Disclosure of Privacy- and
tion highlights the importance for online r
their use of cookies or similar technologies
Security-Related Practices will know to what degree they will be iden
Appropriate online retailer practices regarding
return to the privacy Web site. Surprisin
a particular
and security of consumer information areaforementioned legislation specifically add
the topic of much
recently proposed or enacted legislative measures. For exam-
Online retailers may offer various levels
ple, proposed regulation, such as the Consumer
customer Internet
identification issues. The most e
Privacy Protection Act of 1999 (H.R. 313), the Online
Privacy Protection Act of 1999 (S. 809), andInternet
2Although the Inbox
users may adjust their Web bro
Privacy Act of 1999 (S. 759), all examinecertain types of
at least one cookies or to warn them before a co
aspect
hard drive, many consumers lack knowledge of this f
of online acquisition and disclosure of consumer information.
several online product ordering systems require the
The recently enacted Children's Online Privacy
selected Protection
products so that the purchase process can b
Act of 1998 (16 C.F.R. Part 312), which ofapplies to children
cookies can enable an Internet user to browse to
automatically
younger than 13 years of age, is even more be presented
restrictive in the with information uniqu
user, whether by conscious choice (i.e., selected stock
disclosure and consumer contact requirements that may be
ics) or by way of marketer analysis of online search
imposed on certain types of Web sites. (i.e.,
Similar legislation
online has
catalog offerings or banner advertising t
been proposed regarding Internet security issuesuser
determined such as the
interests).

This content downloaded from 14.139.224.146 on Fri, 11 May 2018 16:04:04 UTC
All use subject to http://about.jstor.org/terms
 56 Internet Privacy and Security

the least favorable is the lack of any communication to the

Table 1. Online Retailer Responses to Privacy and
Internet user regarding the online customer identification
Security Issues
practices of the particular retailer (Brinkley 1998; FTC
1998b).
Privacy Issuesa
Unsolicited Customer
Online customer identification (including use of Contacts
cookies)
No policy statement regarding this issue
The practice of collecting consumer information for one
Identifies customer when customer logs onto site
purpose and then using that information to make unsolicited
Identifies customer when customer logs onto site unless cus-
contacts has long been a privacy issue (see Goodwin 1991;
tomer opts out
Milne 1997). With respect to the Internet, the majority of
Identifies customer only if customer requests such identifica-
legislative efforts address unsolicited customer contacts as a
tion (e.g., "Remember name/password")
Does not identify customer whencommon
customerconcern for consumers
logs ontoand thus one of two key
site
issues for regulation. As with online customer identifica-
Unsolicited customer contacts tion, responses to the unsolicited contact concerns vary as to
No policy statement regarding this issue the level of privacy protection they offer. At the most favor-
Uses information to make unsolicited customer contacts able level (from a privacy perspective), online retailers
Uses information to make unsolicited customer contacts unless
would not collect any information from consumers, thus
customer opts out
prohibiting the retailers from making unsolicited contacts. A
Uses information to make unsolicited customer contacts only if
similar situation would involve the collection of personally
requested by customer
identifying information combined with the presence of a
Uses information only for internal purposes without contacting
customer policy that the information would not be used for contacting
Does not collect any information customers. Opt-in and opt-out policies represent the next
two levels of response; the latter is the most common
Distribution of customer information to third parties response in current direct marketing activities (see Milne
No policy statement regarding this issue 1997).3
Shares information with other companies
Customer
Carefully (cautiously) shares information with other companies Information Distribution
Shares information with other companies unless customer opts
The other key regulatory issue is the degree to which customer
out
information will be shared (i.e., rented or sold) to third parties
Carefully (cautiously) shares information with other companies
unless customer opts out that have marketing-related interests in such data. Though an
Shares information with other companies only if requestedimportant
by issue in much privacy research (e.g., Culnan 1995;
customer Goodwin 1991; Milne 1997), this concern has just begun to
Does not share information with other companies receive interest with respect to online shopping, particularly in
Does not collect any information light of the aforementioned legislative efforts. Possible online
retailer responses to information distribution concerns are
Security Issues similar to those listed previously for customer contacts (i.e.,
Secure transactions not collecting information and opt-in and opt-out choices).
One aspect of information disclosure that differs from the cus-
Online credit card security guarantees tomer contact issue is that companies may provide assurance
that they will share information selectively, that is, with other
Alternative payment options parties that will (1) make offerings to the consumer that will
be of interest to the consumer and/or (2) use responsibly the
aRetailer responses for privacy issues are ordered from least favorable to information that is shared. These levels of response would pre-
most favorable from a consumer privacy perspective.
sumably be favored by consumers over more general state-
ments of sharing information. In support of this, Milne (1997)
(perhaps preferred by strict privacy advocates) is never to finds that consumers are more willing to allow the transfer of
identify customers when they access a site. Alternatively, a personal information when response cards state that personal
consumer opt-in choice would allow such identification to information will be provided to "mail-order businesses that
occur only if the customer explicitly requests such a practicehave products or services that we think will be of interest to
(e.g., checking a box that asks the online retailer to "remem- you" rather than when response cards state that the informa-
ber my name and password"). Negative option, or opt-out, tion will be provided merely to mail-order businesses.
choices, which have been suggested by several legislative
efforts and are often practiced in mail-order marketing
Online Retailer Responses to Security Concerns
(Milne 1997), enable consumers to prohibit automatic iden- A key security concern involved in online shopping pertains
tification by either checking an opt-out box during initial to unauthorized third-party access of consumers' personal
registration or separately contacting the online retailer and
requesting that such identification does not occur. An even
3Although consumers may have certain rights to opt out of a customer
less desirable level of response from a consumer privacy
contact procedure regardless of the disclosure of such a policy, we focus on
perspective would be constant identification of consumers disclosure because many consumers have been shown to be unaware of
as they access the Web site, without an opt-out alternative. their rights with respect to database privacy issues and particularly opt-out
Finally, the response most likely seen by policymakers as procedures (see Rohm and Milne 1998).

This content downloaded from 14.139.224.146 on Fri, 11 May 2018 16:04:04 UTC
All use subject to http://about.jstor.org/terms
 Journal of Public Policy & Marketing 57

as the percentage
and financial information. Consumer concerns of offline purchase transactions increases.
regarding
Thus, although security
this issue are highlighted because of publicized this practice may reduce consumer concern,
breaches of online retailer database information,
it may also reduce such as purchasing.
actual online
Hallmark's discovery that consumers' personal electronic
Privacy
greeting card messages (on what was likely and Security
thought of as Disclosures
a and Consumer
Behavior
secure site) were actually available to anyone using the
site's search engine (CNN 1999). Given that the presence
Although of
efforts to implement mandatory disclosure of the
online security concerns may curtail purchase behavior,
previous issues and the
practices are based on a consumer pri-
alleviation of these concerns would seem to
vacybeperspective,
a key focus the disclosure of privacy and security
of online retailers. We now discuss three information
potential may online
also be useful from a marketing strategy
communication practices presumably designed toSpecifically,
perspective. reduce if concerns about privacy and
consumers' security concerns. security issues tend to raise risk perceptions and lower pur-
chase likelihoods, higher levels of privacy- and security-
Secure Transactions
related disclosure may be useful in stemming such concerns.
The protection of the online transaction of information This, in turn, would be expected to result in lower consumer
risk perceptions and higher purchase likelihoods. Thus, it is
(whether personal or financial) is a technological issue. Yet
Internet security advocates suggest that retailers provide expected that the percentage of Web sites with (1) privacy-
consumers with information regarding the safeguarding related
of statements and (2) security-related statements for a
transactions, either with clearly labeled "secure servers" particular
or shopping category will be negatively related to
prominent links to security policies (Consumer Reports consumer risk perceptions regarding online shopping in that
Online 1998; FTC 1998a). Thus, in addition to the actual category and would be positively related to consumer online
provision of secure transaction technology (e.g., secure purchase intentions in that category.
servers, secure sockets layer encryption), online retailers
have been counseled to assuage the concerns of consumers Method and Results
by communicating the security of their online information
systems. Examination of Web Sites
Web sites for 381 commercial enterprises based in the United
Online Credit Card Security Guarantees States and targeting U.S. consumers were visited in the first
To diminish consumer security concerns (see National two months of 1999 and were examined with respect to the
Consumers League 1999) even further, some online retailers privacy and security issues raised previously. The Web sites
have implemented consumer guarantees against credit card were randomly sampled from three popular shopping portals
fraud that may occur as a result of online divulgence of credit (excite.com, yahoo.com, and netscape.com), and each site
card information (e.g., Amazon.com's safe shopping guar- was placed into one of 17 shopping categories that appeared
antee or Wal-mart's online security guarantee). These guar- to be the main emphasis of each site's sales efforts at that
antees, which sometimes reference the Fair Credit Billing time. The 17 categories were fairly common across the por-
Act (15 U.S.C. 1601-67), typically pledge reimbursement tal sites and represent a broad array of goods. (A list of spe-
of unauthorized charges made to a credit card if such charges cific Web sites is available upon request from the authors.)
resulted from purchasing through the online retailer's secure Trained researchers accessed each Web page; searched
system. Because the maximum retailer liability for such a for any information pertaining to privacy and security
guarantee would typically be $50 and because cases of issues; and printed the pages on which this information was
online credit card fraud from security breaches are reported found, pages with links to such information, and the site
as very infrequent, this retail practice would likely serve as a home page (i.e., initial starting page). Each Web site was
reasonable method of allaying consumer concerns. then coded (see Table 1) by the authors with respect to its
information regarding (1) customer identification (including
Alternative Payment Options the use of cookies), (2) customer contact, and (3) informa-
A key consumer concern of online shopping is the intercep- tion sharing. The sites were also coded according to the
tion of credit card information (National Consumers League presence or absence of written information regarding (I)
1999). A viable retailer response would be the provision of secure transaction systems, (2) credit card fraud guarantees,
alternative payment (or ordering) options that enable the and (3) alternative ordering methods.4 Initial coding agree-
online customer to shift certain components of the transac- ment was high (93% across all variables), and disagree-
tion to the Internet (e.g., information acquisition, ordering) ments were resolved by discussion. Although the general
while still conducting more vulnerable components (e.g., approach used here is comparable to that reported by one of
actual payment) offline. Several online retailers offer con- the FTC's (1998d) recent studies on e-commerce, the cur-
sumers the opportunity to complete and submit orders rent research reports not only the presence of information
through the Internet, combined with telephone or facsimile privacy and/or security disclosure but also the type and level
transmission of credit card information. Some Web sites also of disclosure.
suggest mailing, faxing, telephoning, or e-mailing both the
order and the payment if the consumer has concerns over a
4Third-party endorsements (e.g., seals of approval such as VeriSign,
complete Web site transaction. Offering alternative payment TRUSTe, and CPA WebTrust) were not examined in this study, nor was the
methods is not seen as an ideal retailer response, because the activation of secure link icons (i.e., a locked padlock or unbroken key),
efficiencies of Internet ordering and payment are sacrificed which appear on popular Web browsers.

This content downloaded from 14.139.224.146 on Fri, 11 May 2018 16:04:04 UTC
All use subject to http://about.jstor.org/terms
 58 Internet Privacy and Security

Table 2. Incidence of Privacy- and Security-Related Statements on Co

Consumer

Privacy-Related Statements Security-Related Statements Perceptions

Customer Infor- Secure Alternative Purchase
Shopping Category Identifi- Unsolicited mation Trans- Security Order- Likeli-
(Sample Size) cation Contact Sharing Any action Guarantee ing Any Risk hood
Books (21) 33.3 42.9 42.9 61.9 71.4 19.0 61.9 76.2 2.43 3.73
Clothing (29) 34.5 44.8 44.8 48.3 55.2 10.3 41.4 62.1 3.95 2.27
Computer hardware (13) 61.5 61.5 38.5 69.2 92.3 7.7 53.8 92.3 4.10 2.58
Cosmetics/skin care (36) 16.7 36.1 19.4 38.9 47.2 5.6 52.8 61.1 3.86 1.40
Department stores (14) 64.3 71.4 64.3 71.4 42.9 7.1 28.6 57.1 3.54 2.18
Electronics (12) 58.3 58.3 58.3 75.0 50.0 16.7 33.3 50.0 4.46 2.35
Flowers and gifts (9) 33.3 55.6 55.6 55.6 77.8 0.0 66.7 77.8 3.47 2.77
Food and groceries (13) 23.1 46.2 46.2 46.2 61.5 7.7 61.5 76.9 3.95 1.78
Hair care (15) 20.0 20.0 40.0 46.7 26.7 0.0 40.0 40.0 3.53 1.43
Health foods (25) 16.0 28.0 28.0 32.0 56.0 4.0 72.0 84.0 3.93 1.92
Home decor (27) 7.4 14.8 11.1 22.2 37.0 3.7 51.9 59.3 3.69 1.80
Music (51) 17.6 29.4 25.5 45.1 60.8 3.9 49.0 78.4 3.19 3.64
Office supplies (35) 17.1 20.0 8.6 25.7 28.6 5.7 31.4 45.7 3.25 2.21 ,
Pet supplies (17) 17.6 23.5 17.6 23.5 52.9 0.0 41.2 70.6 3.35 1.28
Rugs and carpets (17) 0.0 5.9 5.9 5.9 11.8 0.0 52.9 52.9 4.10 1.19
Sporting goods (35) 8.6 20.0 17.1 28.6 45.7 2.9 40.0 60.0 3.58 2.16
Toys and games (12) 41.7 75.0 75.0 83.3 83.3 8.3 33.3 83.3 3.57 2.55
Overall (381) 23.1 33.6 29.4 41.5 50.7 5.8 47.5 65.6

aAll numbers for privacy and security information are percentages of sites within a particular category
and so forth) to consumers regarding the privacy or security issue in question.
bRisk and purchase likelihood numbers represent aggregated means from the consumer survey.

Descriptive Results The sharing of information with other companies was dis-
closed by only 112 (29.4%) of the examined online retailers.
The general results show that the disclosure of online pri-
With respect to privacy protection levels, 65 sites (17.1%)
vacy practices has risen since the March 1998 FTC (1998e)
reported no sharing of consumer information; 2 (.5%)
survey and is comparable to the March 1999 survey (Culnan
shared information only if requested by the customer (an
1999a). Although the 1998 FTC study indicates that 14% of
opt-in procedure); 19 (5.0%) carefully shared information
commercial Web sites made mention of practices related to
but provided an opt-out alternative, whereas 16 (4.2%)
consumer information privacy and Culnan (1999a) reports a
65.9% disclosure rate in March 1999, our data merely provided the opt-out alternative; 3 (.8%) agreed to
share carefully but had no opt-out procedure; and 7 (1.8%)
(January/February 1999) show overall disclosure (i.e., the
merely shared information without further notification. The
presence of any type of privacy statement) to be 41.5%.
remaining 269 sites (70.6%) had no such privacy statement.
(Note that direct comparisons across these studies are not
Online customer identification procedures had the lowest
feasible because of differences in the samples used.) We
disclosure rates: Only 88 sites (23.1%) offered this type of
present the results from the study in Table 2.
statement. Nineteen sites (5.0%) explicitly stated that they
For individual types of privacy concerns, disclosure of never identified customers who access the site, 12 (3.1%)
practices related to unsolicited customer contact constituted
provided an opt-in alternative, 18 (4.7%) provided an opt-
33.6% (n = 128) of the current sample. Regarding the vari-
out alternative, and 39 (10.2%) stated that they identified
ous levels of privacy protection, 19 (5.0%) promised no
customers but did not provide any opt-out alternatives.
unsolicited contacts, 38 (10.0%) contacted only if requested,
With respect to methods of responding to security con-
60 (15.7%) provided an opt-out alternative, and 11 (2.9%)
cerns, 250 sites (65.6%) disclosed at least one of the three
stated that contacts would occur but did not give an opt-out
security-related practices described previously. Specifically,
alternative. The remaining 253 (66.4%) sites provided no
193 (50.7%) indicated that transactions were secure, but
information regarding unsolicited consumer contacts.5
I

50Of the 381 commercial Web sites in the sample, 88 did not allow a full
purchase transaction-including payment by credit card-to be made over
the Internet. However, many of the sites stil allowed nonpayment communi-
cation of personal information, such as asking questions, joining mailing
lists, stating product preferences, and even online ordering with preshipment,
postshipment, or COD bil ing. Because these sites stil collect personal and
some financial consumer information, many privacy advocates contend that
the online retailers should stil disclose privacy and security practices.
Nevertheless, we present in this footnote the aggregate privacy and security
figures for only those Web sites that allowed credit card transactions.
Of the 293 sites allowing credit card transactions, 146 (49.8%) had some
type of privacy statement. Disclosure figures for the individual types of pri-
vacy concerns were 118 (40.3%) for unsolicited customer contacts, 102
(34.8%) for customer information distribution, and 82 (28%) for online
customer identification. Regarding security-related statements, 230
(78.5%) had some type of security statement, 192 (65.5%) communicated
the presence of secure transaction systems, 22 (7.5%) had online security
guarantees, and 161 (54.9%) explicitly disclosed alternative payment
methods.

This content downloaded from 14.139.224.146 on Fri, 11 May 2018 16:04:04 UTC
All use subject to http://about.jstor.org/terms
 Journal of Public Policy & Marketing 59

only 22 (5.8%) guaranteed that security.Web Finally,

sites delves further
181 sitesinto Internet privacy and security
issues by examining
(47.5%) explicitly offered alternative purchasing the degree of favorableness of actual
methods.
The disclosure rates varied considerably
online across
retailer practices
shopping from a privacy policy perspective.
categories. As can be seen in Table 2, Web sitebycategories
In addition, integrating data from a consumer survey, we
such as department stores and toys and showgames had relationship
that a positive higher exists between the percent-
percentages of privacy statements, whereas lower
age of privacy- and percent-
security-related statements on Web sites
ages were found in categories such as forhomeparticular
decor online
and shopping
rugscategories and consumers'
and carpets. online purchase likelihoods for those categories.8

The Relationship Between E-Retailer Responses Limitations and Future Research Directions
and Consumer Perceptions Although the examination presented here is helpful for
To examine whether the prevalence of privacy and security understanding disclosure practices of online retailers, sev-
disclosures relates to consumer perceptions, we compared eral limitations should be addressed in further research.
the Web site examination detailed previously with a subset First, the rapid growth of the Internet and online shopping
of data from a March 1999 investigation of 160 Internet practices makes published research such as this dated by the
users.6 The data are from a pencil-and-paper survey used to time of publication. The examination of online disclosure
explore consumers' Internet usage activities and their per- practices should be an ongoing research effort, particularly
ceptions regarding online shopping. Among other items not with respect to how such practices may affect consumer per-
examined here, the questionnaire included purchase likeli- ceptions. A second limitation involves the measure of per-
hood and risk perception measures for 17 categories of ceived risk used in the consumer survey. More-specific
goods sold online at the time of the study; these categories measures of perceived risk would aid in understanding how
matched those used for the Web site examination. Purchase consumers perceive the various dimensions of risk with
likelihood for each category was measured with a seven- respect to online shopping. For example, various risk
point response item that asked how likely respondents were dimensions may be more salient depending on the product
to make Internet purchases for each shopping category and category that is being considered for online purchase.
was anchored with "very unlikely" (1) and "very likely" (7). Finally, instead of examining only perceived risk toward
Risk perception was assessed by asking how risky online general online shopping, specific assessments of risk regard-
purchases are in each category on a scale anchored with "not ing privacy, online retailer fraud, and the security of online
risky" (1) and "risky" (7). transaction systems would be helpful for understanding
To assess the expected relationships, the percentages of those aspects that may be influenced by online disclosures.
privacy- and security-related statements from the Web site There are several directions that future policy-related
examination (Columns 5 and 9 of Table 2) were compared marketing research can take to advance knowledge that will
with the risk perceptions and purchase likelihoods from the be beneficial to both consumers and businesses. For exam-
consumer survey at -the shopping category level. ple, much of the proposed legislation is targeted toward
Spearman's rank correlations were calculated for each pair mandatory disclosures of online retailers' collection, use,
of variables. and dissemination of consumer data. These disclosures are
Although the prevalence of privacy and security state- often seen by policymakers as necessary information tools
ments was expected to be negatively correlated with risk so that consumers can operate with more complete knowl-
perceptions, analyses showed no relationship for either pri- edge of retailer practices (Andrews 1998). The same disclo-
vacy (rs = -.06, n.s.) or security (rs = -.01, n.s.). However, sures may be seen by retailers as an opportunity to reduce
the percentage of privacy statements in a category was pos- consumer concerns regarding privacy issues. An approach
itively related (as expected) to category-level online pur- suggested by Milne and Boza (1999) uses concepts from
chase likelihoods (rs = .65, p < .01). Likewise, the percent- relationship marketing to focus online retailer responses to
age of security statements in a category was positively privacy and security issues so that these responses empha-
related to online purchase likelihoods (rs = .44, p < .05).7 size the development and improvement of trust between
marketers and consumers. Thus, instead of focusing on con-
Discussion cerns, the focus shifts to trust, which Milne and Boza
describe as a distinct approach to managing potential pri-
In addition to providing a comparison point with FTC-
related research, the present examination of commercialvacy issues regarding database management (cf. Milne and
Gordon 1993). Because the method or format of information
disclosures can affect consumer perceptions and behavior
(e.g., Sprott, Hardesty, and Miyazaki 1998), research that
examines how such approaches can satisfy new legislative
6Respondents were randomly solicited in a major international airport of
requirements would be helpful. Consumers would receive
a large U.S. city (the effective response rate was 84.7%). See Miyazaki and
Fernandez (2000) for survey details, including sample characteristics.
7In support of our previous suggestion that alternative ordering methods 8Although the prevalence of privacy- and security-related disclosures
may not be as effective in increasing online ordering as the other security was not found to be related to category-level risk perceptions, this may
information disclosures, the Spearman's rank correlation between alterna- have been an artifact of the diversity in the dimensions of risk that each
tive ordering methods and purchase likelihoods was nonsignificant (rs = product category may invoke. Considering that our one-item risk percep-
.06), whereas the correlation between the rate that either of the other secu- tion measure was generic, any such variance in the dimension of risk con-
rity statements appeared and purchase likelihoods was significant (r, = .65, sidered by consumers when responding to each category could have hin-
p <.01). dered the findings.

This content downloaded from 14.139.224.146 on Fri, 11 May 2018 16:04:04 UTC
All use subject to http://about.jstor.org/terms
60 Internet Privacy and Security

Chonko, Lawrence B. and

the disclosures required by policymakers, (1995), Ethical Decision Making in
marketers
Marketing. Thousand
would enjoy the benefits of increased effectiveness from aOaks, CA: Sage Publications.
managerial perspective. CNN (1999), "A Hallmark Nightmare: Online Glitch Makes
Intimateappear
Although several legislative efforts Messages Public,"
toCNN be Interactive,
directed (February 12),
at e-commerce, policymakers should (accessed February
continue 12), [availableto
at http://cnn.com/US/9902/
evaluate
12/romeos.revealed.ap].
not only online practice and consumer perceptions but also
expert opinion regarding the seriousness
Consumer Reports of Onlinethreats
(1998), "Some Bits such as
and Bytes of
undisclosed customer identification and
Consumer-Friendly Sites," tracking-two
special report, (accessed February
18), [available atin
issues that have received little attention http://www.consumersunion.org/Speciall
pending legisla-
Samples/Reports/9812shp2.htm].
tion. In addition, privacy and security concerns may have
differential effects on consumerCulnan,
perceptions and
Mary J. (1995), "Consumer behavior,
Awareness of Name Removal
perhaps complicating policymakers' Procedures:
efforts Implicationsto for Direct
inform Marketing,"con-
Journal of
sumers of unsafe online practices Direct Marketing,
while 9 (Spring), 10-19. avoiding
still
unnecessary deceleration of Internet adoption
- (1999a), "Georgetown rates.
Internet Privacy As
Policy Survey:
such, the barrage of privacy and security
Report to the Federalwarnings issued
Trade Commission," to
(June), (accessed
consumers may have mixed effects on atconsumer
July 27), [available confi-
http://www.msb.edu/faculty/culnanm/
dence, particularly as the Internet gippshome.html].
becomes perceived as a
necessary element of modern life. - (1999b), "Privacy and the Top 100 Web Sites: Report to
An additional concern is the direction inCommission,"
the Federal Trade which legislation
prepared for the Online Privacy
is headed. Petty (1998) contends thatAlliance, though
(June), (accessedthere
November 22), will[available
be at
continued efforts to reduce deceptive practices, the emerg-
http://www.privacyalliance.org/resources/100_summary.shtml].
ing focus will be on reducing unfairness,
Cyberspace Law Instituteparticularly as it
(1999), "The Public Policy Problems of
applies to the targeting of potentially vulnerable
the Internet," (accessed January 28), [available at audi-
http://www.
ences-a practice that will be increasingly easy to facilitate
cli.org/selford/problems.htm].
as Internet-related database information grows.
Ernst & Young (1999), "Second Annual Internet Shopping
As the popularity of the Internet Survey,"
continues to
(accessed August 2), rise,
[available atthe pri-
http://www.ey.com/
vacy and security issues discussed here will inevitably
industry/consumer/internetshopping].
change. Future alternatives to Federal
credit cards,
Trade Commission such
(1998a), "Consumeras elec-
Privacy on the
tronic money or "e-cash" (Rothfeder World Wide1997), are
Web," prepared unlikely
statement presented toto
the
relieve consumer concerns regarding privacy
Subcommittee and security.
on Telecommunications, Trade and Consumer
Protection of the House
Similarly, online credit card guarantees, Committee on
though Commerce, U.S. House
calming
some system security worries, may of Representatives,
do little Washington,
to DC (July 21).
resolve pri-
vacy concerns. Conversely, third-party endorsers, such as
- (1998b), "Cybersmarts: Tips for Protecting Yourself When
TRUSTe, Better Business Bureau Online, or Web Shopping Online," (July 1998), (accessed January 29), [available
Assurance Bureau, may be useful in building trust between at http://www.ftc.gov/bcp/conline/pubs/online/cybrsmrt.htm].
consumers and participating online retailers with respect to - (1998c), "Fraud Could Slow Growth of Electronic
privacy but may not resolve security issues. The introduc- Commerce," FTC Press Release (June 25), FTC File No. P97-
tion of security-related seals of approval, however, such as 4406. Washington, DC: Federal Trade Commission.
VeriSign and CPA WebTrust, may resolve this concern. In - (1998d), "FTC Releases Report on Consumers' Online
summary, the solution to many of these matters, from both Privacy," FTC Press Release (June 4), FTC File No. 954-4807.
privacy and security perspectives, will likely derive from a Washington, DC: Federal Trade Commission.
combination of strategic actions, such as guarantees or
- (1998e), Internet Privacy, prepared statement presented to
endorsements, and the incorporation of various theoretical the Subcommittee on Courts and Intellectual Property of the
approaches, such as building trust and adhering to implied House Committee on the Judiciary, U.S. House of
social contracts. Representatives, Washington, DC (March 26).
- (1999), FTC International Web Survey: Disclosure of
General Business and Contract-Related Information by Online
References
Retailers, presented at U.S. Perspectives on Consumer
Andrews, J. Craig (1998), "Warnings and Disclosures: Special Protection in the Global Electronic Marketplace public work-
Editor's Note," Journal of Public Policy & Marketing, 17 shop, (June 8-9), (accessed November 22), [available at
(Spring), 1-2. http://www.ftc.gov/bcp/icpw/index.htm].

Bloom, Paul N., George R. Milne, and Robert Adler (1994), Folkers, Richard (1998), "Jimmying the Internet: Why the U.S.
"Avoiding Misuse of New Information Technologies: Legal and Encryption Standard Is Very Vulnerable," U.S. News & World
Societal Considerations," Journal of Marketing, 58 (January), Report, (September 14), 45-46.
98-110.
Foxman, Ellen R. and Paula Kilcoyne (1993), "Information
Brinkley, Joel (1998), "F.T.C. Surfs the Web and Gears Up to Technology, Marketing Practice, and Consumer Privacy: Ethical
Demand Privacy Protection," New York Times, (September 21), Issues," Journal of Public Policy & Marketing, 12 (Spring),
1,4. 106-19.

Briones, Maricris G. (1998), "Internet Innovations-and Privacy Goodwin, Cathy (1991), "Privacy: Recognition of a Consumer
Issues-Remain Marketing's Biggest Story," Marketing News, Right," Journal of Public Policy & Marketing, 19 (Spring),
(December 7), 1, 16. 149-66.

This content downloaded from 14.139.224.146 on Fri, 11 May 2018 16:04:04 UTC
All use subject to http://about.jstor.org/terms
 Journal of Public Policy & Marketing 61

Hoffman, Donna L. and Thomas P. Novak Miyazaki,

(1996), Anthony
"Marketing
D. and Ana Fernandez (2000), "Consumer
in Hypermedia Computer-Mediated Environments: Perceptions of Privacy and Security Risks for Online Shopping,"
Conceptual Foundations," Journal of Marketing, 60 (July), working paper, Marketing Department, University of Miami.
50-68.
National Consumers League (1999), "Consumers in the 21st
Holstein, William J., Susan Gregory Thomas, and Fred Vogelstein Century," (May 19), (accessed August 2), [available at
(1998), "Click 'Til You Drop," U.S. News & World Report, http://www.natlconsumersleague.org/FNLSUM I.PDF].
(December 7), 42-45.
Petty, Ross D. (1998), "Interactive Marketing and the Law: The
Jones, Mary Gardiner (1991), "Privacy: A Significant Marketing Future Rise of Unfairness," Journal of Interactive Marketing, 12
Issue for the 1990s," Journal of Public Policy & Marketing, 10 (Summer), 21-31.
(Spring), 133-48.
Rohm, Andrew J. and George R. Milne (1998), "Emerging Marketing
Judge, Paul C. (1998), "How Safe Is the Net?" BusinessWeek, and Policy Issues in Electronic Commerce: Attitudes and Beliefs of
(June 22), 148-52. Internet Users," in Marketing and Public Policy Proceedings, Vol.
8, Alan Andreasen, Alex Simonson, and N. Craig Smith, eds.
Machrone, Bill (1998), "Trust Me?" PC Magazine, (June 9), 85.
Chicago: American Marketing Association, 73-79.
Milne, George R. (1997), "Consumer Participation in Mailing
Rothfeder, Jeffrey (1997), "No Privacy on the Net," PC World,
Lists: A Field Experiment," Journal of Public Policy &
(February), 223-29.
Marketing, 16 (Fall), 298-309.
Samuel, Alexandra and Abby Scher (1999), "Cookies Are Not So
- and Maria-Eugenia Boza (1999), "Trust and Concern in
Consumers' Perceptions of Marketing Information Management
Sweet-Online Database Marketing," Dollars & Sense,
(January/February), 7.
Practices," Journal of Interactive Marketing, 13 (1), 5-24.

- and Mary Ellen Gordon (1993), "Direct Mail Privacy-Sprott, David E., David M. Hardesty, and Anthony D. Miyazaki
(1998), "Disclosure of Odds Information: An Experimental
Efficiency Trade-Offs Within an Implied Social Contract
Investigation of Odds Format and Numeric Complexity,"
Framework," Journal of Public Policy & Marketing, 12 (Fall),
206-13. Journal of Public Policy & Marketing, 17 (Spring), 11-23.

This content downloaded from 14.139.224.146 on Fri, 11 May 2018 16:04:04 UTC
All use subject to http://about.jstor.org/terms