Jacob Fredericksen and Dr. Mark Keith, Information Systems
Electronic transactions such as purchases, account registrations, and app downloads frequently require consumers to disclose personal information, financial information, and/or online social network information. Providers who participate in such transactions (e.g., mobile application vendors) may disclose how they intend to use consumers’ information by displaying some form of privacy policy containing information about their data practices. For example, providers may disclose through privacy policies that they intend to share or sell anonymized summaries of consumers’ information to other companies, that consumers’ non-anonymized information will be shared with a partnered company for marketing purposes, or that consumers’ information will be held solely and securely by the provider to support product functionality. However, because privacy policies are not sufficiently understandable and engaging, consumers often ignore them—foregoing the rational risk/benefit analysis described in privacy calculus theory—and allow transaction partners to access their personal information. In creating and presenting privacy policies, companies must seemingly reconcile three competing objectives: (1) fulfill legal obligations by comprehensively disclosing all information regarding the company’s data practices, (2) obtain consumers’ attention sufficiently to obtain “informed consent,” and (3) resolve consumers’ privacy concerns by being easily understandable. The difficulty in fulfilling all of these objectives in a single privacy policy results in a “privacy policy paradox.”
Little progress has been made thus far in meaningfully improving privacy policies so that both (1) consumers are adequately informed and (2) providers are able to alleviate consumers’ privacy concerns. Improving privacy policy design by simplifying language and changing format and placement has been found ineffective in increasing consumers’ understanding of providers’ data practices but remains among policymakers’ top recommendations to providers. While prior studies have included manipulations of privacy policy language, formatting, and placement, the unexamined effects of including or omitting different types of information—e.g., what data will be collected, why it is needed, and with whom it will be shared—have been made relevant by policymakers’ validation of “layered policies” to disclose data practices. Additionally, the potential solution of using video to communicate privacy policies has not been sufficiently examined in today’s technological environment. We therefore contribute to this research by examining (1) how different amounts and types of privacy policy content affect consumers’ perceived risk and their decisions to disclose personal data, and (2) whether privacy policies can be more effectively conveyed through video rather than through traditional textual documents. To explain the surprising effects of privacy policy content on consumer information disclosure, we integrate multiple theories into a core model based on privacy calculus.
To examine the effects of privacy policy content manipulations and of the video medium, we first developed a mobile app that provides value to consumers through predictive analyses of their personal information, therefore requiring a high degree of consumer information disclosure. Next, we created nine versions of a privacy policy script with varied content. The versions’ content differed based on (1) inclusion/omission of what data would be collected from the user, why the data was needed, and who the data would be shared with, and (2) whether the requested data appeared to “fit” versus “not fit” the requirements of the hypothetical app. We hired a professional video producer to create commercial-like videos for each of the nine versions. With IRB approval, we recruited participants based on the false notion that they were needed to help a software company perform “market research” for an upcoming mobile app. We thus engendered “real-world” privacy risk perceptions in participants, who believed that they were viewing and testing out a real mobile app. After testing out the app, participants were invited to register to use the app permanently for free as a reward for their help. The dependent variable in this study is derived from each participant’s decision regarding whether or not to register and, if the participant decided to register, the amount of optional information disclosed by the participant.
The results indicate that although certain types of information help to minimize consumers’ perceived risk when included in privacy statements, not all types of required information have an impact on consumers’ risk/benefit perceptions. Additionally, “too much” disclosure can fatigue consumers and/or make them wary of the provider (even when the additional information does not indicate increased privacy risks). Our findings also indicate that video, while subject to similar effects of differing information amounts and types, is more effective than text as a medium for communicating privacy policies because consumers appear to remain engaged longer and be impacted to a greater degree by the information provided (reflecting greater understanding).
This research has many practical and theoretical implications. Concerning theory, our findings help to resolve one of the primary limitations of privacy calculus theory—i.e., that consumers cannot be modeled as rational decision makers who accurately assess privacy risks. Our findings also suggest that information asymmetry can be ameliorated through the use of mediated content, particularly video. To best fulfill the objectives of fulfilling legal obligations (with a long, comprehensive, textual privacy policy) and effectively educating and assuring consumers without unduly decreasing perceived disclosure benefits, we recommend that providers produce two versions of their privacy policies: a long, comprehensive, textual privacy policy to fulfill the first objective, and a video privacy statement to fulfill the second objective.
In conclusion, the present study contributes to the literature on information privacy and privacy policies by (1) proposing a separation of privacy policies into two types to meet competing objectives, (2) developing a theoretical model to explain the effects of privacy policy content, and (3) positioning video as the optimal delivery mechanism of summarized “to-actually-be-read” privacy policy versions that providers can use to reduce privacy concerns and increase service adoption.