Sight unseen: The role of online security indicators in visual attention to online privacy information

Journal of Business Research xxx (xxxx) xxx–xxx

Contents lists available at ScienceDirect

Journal of Business Research journal homepage: www.elsevier.com/locate/jbusres

Sight unseen: The role of online security indicators in visual attention to online privacy information Xiaojing Shenga, , Reto Felixa, Swapnil Saravadea, Judy A. Siguawb, Seth C. Ketronc, Krzysztof Krejtzd, Andrew T. Duchowskie ⁎

a

College of Business and Entrepreneurship, The University of Texas Rio Grande Valley, 1201 W. University Blvd., Edinburg, TX 78539, United States Department of Marketing and Supply Chain Management, College of Business, East Carolina University, Greenville, NC 27858, United States c Department of International Business and Marketing, College of Business Administration, California State Polytechnic University, Pomona, CA, United States d Eye Tracking Research Center, Psychology Department, SWPS University of Social Sciences and Humanities, ul. Chodakowska 19/31, Warszawa, Poland e School of Computing, Clemson University, Clemson, SC 29634-0974, United States b

ARTICLE INFO

ABSTRACT

Keywords: Attention Privacy protection Eye-tracking methodology Online shopping

Although data privacy is a compelling concern, prior inquiries have found that consumers do not adequately attend to data privacy policies. This research develops a framework delineating the effects of top-down/bottomup processes and individual consumer differences in the need for cognition (NFC) and perceived control on visual attention to data privacy policies, including influences on perceptions, attitudes, and behavioral intentions. Using eye tracking in an online shopping context, this research finds perceived control interacted with topdown motivation, manipulated through perceived risk in sharing personal information, to affect visual attention toward privacy-related information. Moreover, a privacy policy icon garners more attention than privacy policy text and non-privacy contents on the website. Further, attention to non-privacy contents significantly enhances loan application likelihood and attitude toward the website. These findings demonstrate attention toward privacy information as a function of the dynamic interaction between top-down motivational influences and individual differences in perceived control.

1. Introduction The revelation that Facebook had sold the personal data–including user names, gender, geographic locations, birthdates, educational achievements, political preferences, relationship statuses, religious views, etc.–of 87 million of its users to Cambridge Analytica focused public scrutiny on how the personal information of consumers can be exploited for corporate promotional purposes and financial gain (Meredith, 2018). This data scandal significantly heightened consumers’ concerns about the privacy and security of personal information. Indeed, a national survey conducted a year after the FacebookCambridge Analytica disclosure by marketing firm SlickText found that more than 76% of consumers were moderately to significantly concerned about how their data may be used by any organization with which they interact (SlickText, 2019). Moreover, 94.1% of survey respondents indicated that they would not conduct business with an organization if they had concerns about how the organization might use their personal information (SlickText, 2019).

To address consumers’ privacy and security concerns, organizations commonly utilize privacy policies, explaining in detail how they collect, use, share, and protect consumers’ personal information (Solove & Hartzog, 2014). Additionally, most business websites use security icons to denote the security measures undertaken to safeguard credit card and financial data (e.g., “Norton SECURED” and its accompanying checkmark; Bart, Shankar, Sultan, & Urban, 2005; Kimery & McCord, 2006; Pennington, Wilcox, & Grover, 2003), and in the last decade, some businesses have added privacy icons to provide a visual that instantly depicts how personal data is being used. The latter are intended to simplify privacy policies (Pavlus, 2010). Research on these information privacy and security efforts has routinely utilized methodologies in which participants are either directed to read and evaluate privacy policies and/or icons using experimental design (e.g., Tsai, Egelman, Cranor, & Acquisti, 2011) or surveyed about their perceptions of privacy policies and security icons (e.g., Bart et al., 2005). Unfortunately, the sole reliance on self-reported attention and perception measures used in prior studies is prone to

Corresponding author. E-mail addresses: [email protected] (X. Sheng), [email protected] (R. Felix), [email protected] (S. Saravade), [email protected] (J.A. Siguaw), [email protected] (S.C. Ketron), [email protected] (K. Krejtz), [email protected] (A.T. Duchowski). ⁎

https://doi.org/10.1016/j.jbusres.2019.11.084 Received 1 September 2018; Received in revised form 23 November 2019; Accepted 28 November 2019 0148-2963/ © 2019 Elsevier Inc. All rights reserved.

Please cite this article as: Xiaojing Sheng, et al., Journal of Business Research, https://doi.org/10.1016/j.jbusres.2019.11.084

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

memory biases (e.g., Nisbett & Wilson, 1977). Further, although these studies offer interesting insights, because of the limited external validity inherent in experimental design studies, it is unclear whether study participants would naturally direct their visual attention to privacy policies and icons if they were not instructed to do so. In contrast, eye movement measures are more reliable and have higher validity (Duchowski, 2017) and provide accurate depictions of consumers’ online behaviors and decision-making processes (Kahn, 2017). As Van der Lans and Wedel (2017) assert, “…people move their eyes to objects that they are interested in and that the human eye is, thus, an important indicator of a person’s cognitive and affective processes,” (p. 331) and “in almost all natural situations, eye movements are reliable and valid indicators of visual attention, and in particular reflect ongoing information uptake during search and choice tasks” (p. 336). Consequently, eye-tracking methodology has gained greater importance and wider acceptance across many research disciplines (Duchowski, 2017; Wedel & Pieters, 2008). Nonetheless, eye movement measures have not been sufficiently implemented in the context of consumers’ attention to information privacy and security. A notable exception is Steinfeld’s (2016) study, which collected eye-movement data to assess how web-users read privacy policies. While this is an important first step, the work by Steinfeld (2016) lacks external validity because, under the default condition in the study, an entire privacy policy was first shown to each participant. The study design, thus, was not a realistic representation of consumers’ typical online experience and behavior. In summary, the existing research has only examined the effects of the existence vs. absence of privacy policies and icons or differences in privacy policies related to length (short vs. long) and/or content (weak vs. strong) on downstream variables, such as trust, attitude, and intentions. Thus, findings from previous research offer little insight into what factors direct consumers’ attention to privacy policies and icons, whether consumers actually see privacy policies and site seals without first being prompted, and how attention to privacy policies and site seals shape consumer responses. To address these noted gaps in the literature, we develop a conceptual framework (see Fig. 1) largely informed by research findings from eye movement studies in marketing and other fields (e.g., Chandon, Hutchinson, Bradlow, & Young, 2009; Duchowski, 2017; Orquin, Bagger, Lahm, Grunert, & Scholderer, in press; Pieters, Wedel, & Zhang, 2007; Pieters & Wedel, 2004; Wedel & Pieters, 2008) and the extant information privacy and security literature (e.g., Martin &

Murphy, 2017; Steinfeld, 2016; Tsai et al., 2011). In this framework, we propose that motivation to process information related to privacy and security protection and the visual features of presented information will independently and jointly influence visual attention to the information. Visual attention, in turn, will relate to evaluations and perceptions, which are likely manifested in consumers’ perceived privacy and security protection on a certain website; trust in and attitude toward the website; and intentions to make a purchase from the website. Further, we expect that consumer personal factors of importance and relevance to data security and privacy information processing will interact with top-down and bottom-up processes to impact attention. In this research, we focus on examining the role of need for cognition (NFC) and perceived control as two individual difference variables in moderating the top-down and bottom-up influences on attention. This research offers several contributions. First, this research uniquely uses eye-tracking methodology to study visual attention to information related to privacy and security protection in two controlled lab experiments that simulate consumers’ typical online shopping and information searching experiences. Second, the study identifies key factors that drive consumers’ visual attention to privacy- and securityrelated information. Third, this investigation heeds the call to study the independent and joint impacts of top-down, cognitive influences and bottom-up, stimulus-driven effects on visual attention (Kahn, 2017). We do so by testing the interaction effect among motivation to process privacy- and security-related information, visual features of the information, individual consumer differences in NFC and perceived control, and the influence of attention on downstream consumer responses. The results offer guidance for practitioners related to resource allocation and website design. 2. Conceptual framework and research hypotheses 2.1. Visual attention and privacy and security protection 2.1.1. Top-down influences of visual attention to privacy- and securityrelated information Prior studies show that visual search and attention are guided by a combination of top-down, goal-directedness and bottom-up, stimulusdriven factors (see Hutchinson, Lu, & Weingarten, 2016; Kahn, 2017; and Wedel & Pieters, 2008 for reviews of eye-tracking research). In terms of top-down influences, research has documented a wide range of factors, such as goals, task instructions, involvement, expertise, and

Fig. 1. Conceptual framework. 2

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

familiarity, that directly affect visual attention. For example, Pieters and Warlop (1999) revealed that consumers with high task motivation exhibited longer average fixation durations on the presented ads than those in the low task motivation condition. In Chandon et al. (2009), participants performed a search task of either choosing a single brand or selecting a set of brands for further consideration. The authors found that prior brand usage, a top-down variable, had a much larger effect on choice of a brand than stimulus-driven factors. Yang (2015) provided similar support for the top-down influence of visual attention in an online shopping context and reported that participants who were in the high product involvement and high product experience condition exhibited longer fixation durations on the stimulus webpage than those in the low involvement and low experience condition when a peripheral message cue about the product was positively framed. Concerning information privacy and security, however, eye-tracking research is rare and essentially silent on the question of what factors drive consumers’ visual attention to such information as commonly conveyed in organizational privacy policies, security icons, and privacy icons. From the top-down perspective, given the paramount importance placed on personal information protection, consumers should be highly motivated to evaluate not only the substantive contents of the privacy policy text but also visual indicators such as icons to reach an informed judgment about the privacy and security of their personal data. Motivation to process privacy- and security-related information can be situational and extrinsic, triggered by heightened perceived risk from extensive reporting of data breaches and identity theft incidents. Such motivation can also be intrinsic and may be present when protecting personal information is an especially important aim. Nevertheless, given prior studies’ robust findings of top-down, cognitive influences of attention, we expect that as a top-down factor, motivation, whether intrinsic or extrinsic, will guide attention in such a way that when motivation is high, consumers will be more attentive to not only the textual content of the privacy policy but also the visual depictions of privacy- and security-related information (e.g., the icons). Formally stated:

2.1.3. Moderating effects of NFC and perceived control Although the top-down process influences attention independently from the bottom-up process, researchers have argued that it may often be the case that “top-down factors do not overpower and cancel out the bottom-up criteria” (Kahn, 2017, p. 40). Rather, they dynamically interact with one another to jointly influence attention (e.g., Bagger, 2016; Ramsøy, 2015). For example, Pieters and Warlop (1999) found that time pressure, a situational factor, interacted with task motivation in influencing attention to the presented ads in an eye tracking experiment. Khachatryan et al. (2018) studied how buying impulsiveness, a personality trait variable, and point-of-sale information, such as signs and displays, affected consumers’ visual attention and purchasing behavior. Consequently, more research has been requested to better understand the interaction between top-down and bottom-up processes as well as the moderating effects of situational constraints and individual differences in influencing visual attention (Kahn, 2017). One individual difference variable germane to information processing and attention allocation is NFC. NFC refers to an individual’s tendency to engage in and enjoy effortful cognitive endeavors (Cacioppo, Petty, Feinstein, & Jarvis, 1996) and is a prominent personality variable in dual-process theories such as the Elaboration Likelihood Model (Petty & Cacioppo, 1986) and the Heuristic-Systematic Model (Chaiken, 1980). The conjecture that NFC interacts with top-down, cognitive influences and bottom-up, stimulus-based factors to affect attention has received some empirical support. For example, using a neurocognitive paradigm and sound stimuli in two experiments, Enge, Fleischhauer, Brocke, and Strobel (2008) investigated whether top-down, voluntary attentional resource allocation and bottom-up, involuntary attentional resource allocation differed between high- and low-NFC individuals. The authors conducted two studies and found that high-NFC individuals, compared to their low-NFC counterparts, exhibited substantially larger involuntary, bottom-up-stimulus-driven attentional resource allocation in response to contextually novel sound stimuli. Similarly, but only in the second study, the authors observed that high-NFC participants displayed a larger voluntary, top-downdriven attentional resource allocation than low-NFC participants in response to the sound stimuli. Taken together, these findings suggest that in response to novel sound stimuli, attentional resource allocation interacts with NFC, such that high-NFC individuals were more attentive and showed more brain activity in both top-down and bottom-up processes than low NFC individuals. Relatedly, but in the context of web-based information availability, Sicilia and Ruiz (2010) reported that too much information on a webpage negatively affected information processing. However, this negative effect was less pronounced for high-NFC consumers than for lowNFC consumers because high-NFC consumers are intrinsically inclined to challenge complex problems. Along this line, Wu, Gao, and Miao (2018) reported that in a reading task, fixation duration length and fixation count on a textual message differed between high- vs. low-NFC participants, such that high-NFC participants fixated longer and more frequently on the message than low-NFC participants. Applying similar logic to the current research context, we argue that the effect of motivation and visual saliency on attention, as predicted in hypotheses 1 and 2, will be contingent upon NFC. Specifically,

H1. The greater the motivation to process privacy- and security-related information, the longer the attention to a website’s privacy policy text and icons. 2.1.2. Bottom-up influences of visual attention to privacy- and securityrelated information In terms of bottom-up, stimulus-driven influences, previous research has studied the length (long vs. short) and content (strong vs. weak) of privacy policies without the use of eye-tracking methodology. However, the focus has been on attitude, trust, and risk perceptions, not on visual attention. On the other hand, eye-tracking studies in marketing have shown that although goal-directed factors may have stronger and longer-term effects on purchase decisions, stimulus-based variables can enhance brand familiarity, change perceptions, and affect choice (e.g., Orquin et al., in press; Pieters & Wedel, 2004). Indeed, a large corpus of eye-tracking research has consistently documented the effects of visual features,–such as the display size (Wedel & Pieters, 2008), the surface size of a feature ad and the distinctiveness of the target product in the ad (Pieters et al., 2007), the brightness of the packaging (Milosavljevic, Navalpakkam, Koch, & Rangel, 2012), the visual contrast between a brand and its background color (Pieters, Wedel, & Batra, 2010), and more recently, a combined influence from bottom-up factors pertaining to product packaging, such as salience, size, and distance to the center of packaging elements (Orquin et al., in press)–on attention. Extending these findings to the current research context, we expect that the visual features of privacy information will affect attention.

H3a. NFC moderates the positive effect of motivation on attention to privacy policy text and icons, such that for high-NFC individuals, the direct (positive) effect of motivation on attention is strengthened. H3b. NFC moderates the positive effect of visual saliency on attention to privacy policy text, such that for high-NFC individuals, the direct (positive) effect of visual saliency on attention is strengthened. Another relevant individual difference variable is perceived control, a construct of importance to information privacy and security because “the element of control is embedded in most privacy definitions” (Xu, Teo, Tan, & Agarwal, 2012, p. 1344). Perceived control affects human

H2. The greater the visual saliency of a website’s privacy policy text, the longer the attention to the privacy policy text. 3

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

behavior much more than actual control (Skinner, 1996) and can refer to the amount of control people feel they have over a situation or another person (Bugental, Blue, & Cruzcosa, 1989). It has been posited that individuals who perceive themselves as having a higher sense of control believe that their actions and abilities have a stronger effect on events and outcomes, whereas those with a lower sense of control believe that events and outcomes are the result of luck, chance, fate, or powerful others (Rotter, 1966; Specht, Egloff, & Schmukle, 2013; Wallston, Strudler Wallston, & DeVellis, 1978). In the context of information privacy and security, research shows that perceived control alleviates consumers’ privacy concerns and reduces risk perceptions of personal information sharing (Martin & Murphy, 2017) so much so that when consumers have stronger perceptions of control, they sometimes provide too much private information to the point that they may become more vulnerable to privacy violations, a phenomenon known as the control paradox (Brandimarte, Acquisti, & Loewenstein, 2013). Given this background, we argue that the effect of motivation on visual attention will become weaker when perceived control is high because perceptions of being in control lessen the need to be attentive and alert to privacy- and security-related information, given that consumers believe they have a greater command of the online environment.

3. Preliminary study 1 3.1. Study overview and design An initial exploratory study examined the effect of motivation on visual attention and the effect of attention on downstream consumer response variables. We built a fictitious website named Shop4School, a start-up e-business selling laptop computers, decorative posters, and headphones. The website consisted of four webpages in sequence: the homepage, the product overview page, the product description page, and the shopping cart page. A privacy policy text, a privacy policy icon, and a security icon were embedded on the lower part on each webpage. Participants could also choose to view the full privacy policy in its entirety upon clicking the “Read more…” link underneath the abbreviated privacy text on each webpage (see Appendix A.1). Browsing the website mimicked the typical online shopping process whereby the participants started from examining different product options (homepage) to selecting a preferred product (product overview and description page) and ending when the selection was added to the cart (shopping cart page). The study followed a 2 (motivation to process privacy- and security-related information: high vs. low message relevance) × 2 (financial risk involved in a purchase: high vs. low) between-subjects design. We manipulated motivation through scenarios that varied in the message relevance of protecting personal information to participants. In each scenario, participants were tasked with shopping for either a laptop computer priced between $1100 and $1500 or a poster priced between $10 and $15 as the manipulation of financial risk (see Appendix A.2).

H4a. Perceived control moderates the positive effect of motivation on attention to privacy policy text and icons, such that when perceived control is high, the direct (positive) effect of motivation on attention is weakened. H4b. Perceived control moderates the positive effect of visual saliency on attention to privacy policy text, such that when perceived control is high, the direct (positive) effect of visual saliency on attention is weakened.

3.1.1. Participants and procedure One hundred seventeen undergraduate and graduate students (46.1% female, mean age = 24.33 years) from a southwestern U.S. university participated in the study for partial course credit. Data from two participants were removed due to problems with eye-tracking recordings. Upon arrival, participants were seated in front of an Acer XR341CK computer monitor (approximately 60 cm viewing distance from the screen) and were fitted with a wearable 50 Hz binocular eye tracker using infrared corneal reflection (Tobii Glasses 2). Following calibration, participants first read a randomly assigned shopping scenario and then clicked on the initial webpage link for Shop4School to browse the website at their own pace. The task finished when participants added a selected laptop computer or a poster to the cart. At this point, the recording stopped. Participants then answered a questionnaire before being debriefed and thanked.

2.2. Visual attention and perceptions and evaluations of privacy- and security-related information Evidence from past studies supports the influence of attention on choice and consideration. For example, Chandon et al. (2009) found that the number of facings of the brand on a supermarket shelf, a stimulus-driven factor, strongly influenced visual attention, and through attention, brand evaluation. In their study, visual attention (i.e., noting and reexamination), measured by the number of fixations, was shown to strongly correlate with brands in consumers’ consideration sets. Janiszewski (1998) provided evidence from actual product sales to establish that attention to catalog items affected consumer purchases. Similarly, Milosavljevic et al. (2012) demonstrated that under conditions of short exposure, rapid decisions, and high cognitive load, visual saliency in terms of the relative brightness and contrast of selected products can influence choices more than preferences do. Specifically, in their study, visually salient options were more likely to be chosen and to receive higher liking ratings as a result of greater attention during the decision-making process. In information privacy and security research, Steinfeld’s (Steinfeld, 2016) eye-tracking experiment reported that participants who spent more time reading the privacy policy, as measured by fixation duration, demonstrated a better understanding of the policy regarding permitted and prohibited uses of personal information. Additionally, the positive effect of privacy policies and other indicators on mitigating risk perceptions and enhancing trust, attitude, and purchase intentions has been well documented by previous research, although without the corroboration of eye movement data (e.g., Martin & Murphy, 2017). Given these findings, we propose that:

3.1.2. Measures We defined three areas of interest (AOIs) located on the lower part of each webpage (the privacy policy text, the privacy policy icon, and the security icon) and the full privacy policy as a fourth AOI. To analyze the gaze data, we first mapped individual fixations on AOIs using the Tobii Pro Lab (x64) analysis software (see Appendix A.3 for descriptive statistics). We used I-VT velocity-based filtering with a velocity threshold of 30 degrees per second. As a manipulation check for message relevance, participants responded to the question, “Do you consider protecting the privacy and security of consumers’ personal information on Shop4School’s website an issue relevant to you?” on a 7point scale (1 = “Not at all relevant” to “Extremely relevant” = 7). Three items adapted from Bart et al. (2005) were a manipulation check for financial risk (“It involves a great deal of financial risk,” “It is financially risky for me to buy a laptop at that price range,” and “Spending $1100–$1500 on a laptop is certainly a high risk purchase for me”; α = 0.947). All other latent variables from the survey portion of the study, including perceived privacy protection, trust in and attitude toward the website, and intention to buy were measured using existing scales in the literature (see Appendix A.4).

H5. The longer the attention to privacy policy text and icons on a website, the more positive the evaluation of the website in terms of perceived privacy protection, trust, attitude, and purchase intentions. 4

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

3.2. Results

4.1. Study overview and design

Participants in the laptop condition reported significantly higher financial risk (M = 4.00, SD = 0.905) than participants in the poster condition (M = 2.50, SD = 1.136, F(1,113) = 60.972, p < 0.001). However, the message relevance manipulation did not work (F(1, 113) = 1.785, p = 0.184). Privacy and security protection seemed to be a highly relevant issue to all participants: the mean score of responses to the manipulation check question was 5.72 on a seven-point scale. The unsuccessful manipulation of motivation through message relevance led us to an exploratory approach in examining the relationships linking motivation, attention, and downstream variables. Because our hypotheses made predictions about the length of visual attention being longer or shorter under different experimental conditions, fixation duration, a time-based eye movement metric, was deemed suitable in the analysis (see Van der Lans & Wedel, 2017; Orquin & Holmqvist, 2018 for a discussion on eye movement metrics). Further, we operationalized a longer fixation duration as indicative of more attentive visual information processing based on Just and Carpenter (1976) eyemind association hypothesis. Results from ANOVA revealed a marginally significant difference in fixation duration on the privacy policy text between participants who were in the low message relevance scenario and those in the high relevance scenario (MLow Relevance = 6.268, SD = 10.647 vs. MHigh Relevance = 15.232, SD = 35.339, F(1, 114) = 3.446, p = 0.065). However, fixation duration on the privacy policy icon (F(1, 114) = 0.146, p = 0.703) and on the security icon (F (1, 114) = 0.088, p = 0.767) did not differ between high vs. low message relevance conditions. Financial risk did not affect fixation duration on any of the AOIs. We then ran regressions to examine whether visual attention impacted perceived privacy protection, trust in and attitude toward the website and intentions. The results showed that while fixation duration on the privacy policy icon and on the security icon did not have any significant effects, fixation duration on the privacy policy text negatively affected attitude (B = −0.24, t(114) = −2.515, p = 0.013), trust (B = −0.191, t(114) = −1.986, p = 0.05) and intention to reuse and purchase from the website (B = −0.191, t(114) = −1.975, p = 0.051). These results suggest that the longer participants fixated on the privacy policy text, the more diminished their attitude toward, trust of, and intentions to reuse and purchase from the website.

To address the limitations of the first study, we conducted a second preliminary study to test a different motivation manipulation by using written scenarios for high vs. low risk in sharing personal information. We first ran a pretest (N = 46; 45.45% female, mean age = 25.88 years) with students from a southwestern U.S. university to understand what types of products would make consumers more attentive to privacy and security protection. Financial services, such as student loan and credit card applications, yielded the greatest concern on a seven-point scale (M = 5.7, SD = 1.949). Other options included dating services (M = 5.6, SD = 1.665), medications (M = 5.33, SD = 1.884), and homework assistance services (M = 5.23, SD = 1.892). Thus, we developed a website for a fictitious loan organization, StudentLoanFinder. In developing the webpages, steps were taken to reduce common potential validity threats to eye-tracking studies (Orquin & Holmqvist, 2018). The website consisted of two webpages in sequence: one displayed three loan options, and the other included a form with empty text fields in which participants could optionally enter personal information (none of the personal information entered was retained). A privacy policy text and a privacy policy icon appeared on the lower part of each of the two webpages. The webpages varied in visual saliency of the privacy policy text on each of the two webpages. Further, the “Read more…” link and the full privacy policy were removed due to the confounding issue surfaced in preliminary study 1. This study followed a 2 (motivation to process privacy- and securityrelated information: high vs. low risk in sharing personal information) × 2 (visual saliency of the privacy policy text: high vs. low) between-subjects design intended to assess the effectiveness of the manipulations. We manipulated motivation through scenarios in which participants were asked to assume that they needed a student loan and they were to consider the various loan options on StudentLoanFinder. Whereas one scenario highlighted the risk in sharing personal information by providing statistics and mentioning recent data breach and identity theft incidents, the other emphasized StudentLoanFinder’s continuous investment in data protection technologies (see Appendix A.5). Following relevant research on website design, readability, and visual performance (e.g., Lin, 2003; Richardson, Drexler, & Delparte, 2014), we manipulated visual saliency of the privacy policy text using a black font color with a contrast ratio of 21.00:1 for the high saliency condition and a light grey font color with a contrast ratio of 1.38:1 for the low saliency condition.

4. Preliminary study 2

4.1.1. Participants and procedure In exchange for monetary compensation, 188 Amazon Mechanical Turk panelists (male = 111; mean age = 35) read a randomly assigned scenario about StudentLoanFinder and about the general risks of sharing information online to obtain student loans. To reinforce the manipulation, participants then responded to an open-ended question asking them to write about their feelings and thoughts regarding the scenario. The question was timed, with 90 seconds to respond. Next, participants were shown a set of two webpages for StudentLoanFinder that featured either low or high visual saliency of the privacy policy text (see Fig. 2). After viewing the assigned webpages, each participant was asked if a privacy policy icon appeared; 59 participants indicated that they did not see an icon, so they were excluded from further analysis (final sample: N = 129; male = 75; mean age = 36). Next, three seven-point bipolar items measured perceived risk of sharing information and were averaged to create an index as the manipulation check (“How would you describe sharing personal information to the website you just saw?”, with “not risky/risky,” “unsafe/safe [reverse coded]” and “not dangerous/dangerous” as items; α = 0.823). Additionally, participants rated perceived saliency of the privacy policy text with a seven-point Likert-type item, “The privacy policy was clearly visible to me”

The results of the first preliminary study revealed that when message relevance is high, consumers pay slightly longer attention to the privacy policy text on the website, as measured by fixation duration. This effect may have been only marginally significant because privacy and security protection was highly relevant to all participants, reducing the effect of high vs. low message relevance; additionally, the way the participants interacted with the website might have caused some confounding issues. For example, study participants were instructed to browse the website freely and at their own pace. Consequently, the viewing of the website’s four webpages was not of a fixed sequence. Participants could click the “Read more…” link and view the full privacy policy or revisit a certain webpage multiple times, accumulating a much longer viewing time on one webpage than others. Additionally, the finding that fixation duration on the privacy policy text had a negative effect on attitude, trust, and intention to reuse and purchase from the website was unexpected yet intriguing. The detailed privacy issues discussed in the policy may have triggered apprehensive thoughts about privacy protection for those participants who pondered the policy for a longer time, perhaps making participants more cautious and less trusting. 5

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

High contrast loan information page

High contrast personal information page

Low contrast loan information page

Low contrast personal information page Fig. 2. Images of webpages for StudentLoanFinder.

(strongly disagree = 1 to strongly agree = 7).

manipulating motivation and visual saliency from preliminary study 2.

4.2. Results

5.1.1. Participants and procedure One hundred twenty-seven undergraduate and graduate students (40.2% female, mean age = 23.83 years) from a southwestern U.S. university participated in the study for partial course credit. Participants were first provided a written overview of the study and the tasks required to complete the study. Then, they were instructed to read a scenario and browse a website wearing an eye-tracker before answering a brief survey. To ensure that all participants viewed the website’s two webpages in a fixed sequence, participants were specifically instructed not to click on the forward, backward, or refresh button when browsing the website. After receiving the instructions, participants were then randomly assigned a scenario involving either a situation with high or low risk in providing personal information. An open-ended question then followed that asked participants to list their thoughts and feelings about the scenario. Next, participants were seated in front of a Dell 2208WFP computer monitor (approximately 60 cm viewing distance from the screen), randomly assigned to either the high or low visual saliency website and fitted with the Tobii Glasses 2 eye-tracker. Following calibration, participants clicked on the initial webpage link for StudentLoanFinder.com and browsed the website at their own pace, progressing from the loan information page to the personal information page. A privacy policy text and a privacy policy icon were embedded in the lower part of both webpages. Once on the loan information page, participants were presented with three loan options and instructed to evaluate them, select their preferred one, and click “Continue.” Once on the personal information page, participants were informed that their browsing session

Participants viewed the low-risk scenario (M = 3.45, SD = 1.423) as significantly lower in risk in sharing personal information on the website than the high-risk scenario (M = 4.42, SD = 1.283, F(1, 127) = 17.254, p < 0.001). Additionally, the privacy policy in the high-saliency condition (M = 5.39, SD = 1.433) was rated as more visible than the low-saliency condition (M = 4.80, SD = 1.802, F(1, 127) = 3.995, p = 0.048). Further, neither perceived risk (F(1, 125) = 1.285, p > 0.2) nor saliency (F(1, 125) = 0.170, p > 0.6) was significantly affected by the interaction of manipulated risk and visual saliency. Given these results, the risk and saliency manipulations and the website for StudentLoanFinder were used in the main study. 5. Main study 5.1. Study overview and design Building upon the first two preliminary studies, the objective of the main study was to test the effects of top-down motivation and bottomup visual saliency on attention to privacy- and security-related information. The moderating roles of NFC and perceived control were also examined, as was the relationship between attention and downstream variables. The study followed a 2 (motivation to process privacyand security-related information: high vs. low risk in sharing personal information) × 2 (visual saliency of the privacy policy text: high vs. low) between-subjects design. We used the same method of 6

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

Fig. 3. Example of video frame grabs where ArUco marker is seen at left with AOIs defined on the web page relative to the marker position. At right, the privacy textbox is highlighted as gaze has been detected within the box.

had ended and they could optionally provide their personal information, including first and last name, date of birth, email, phone, and mailing address. Participants could choose to fill out all the text fields, some fields, or leave all fields blank. The participants informed the researcher when they were finished with the website tasks. At this point, the recording was stopped (see Appendix A.6 for sample recordings of browsing sessions). Participants then answered a survey, after which they were debriefed and thanked.

tap Savitzky and Golay (1964) filter was then used to differentiate positional gaze data to produce velocity. The Savitzky-Golay filter was set to use a 3rd degree polynomial to fit the data (see Gorry, 1990 for further filter usage details). Saccade detection was based on a velocity threshold (e.g., 10° per second). Raw gaze data that was not labelled as a saccade was identified as a fixation (i.e., below the constant velocity threshold). This is a standard velocity-based method of detecting saccades to find fixations (i.e., fixations are comprised of data that are not saccades) and is otherwise known as I-VT filtering (Salvucci & Goldberg, 2000). For analysis of eye movements over the embedded privacy policy icon and text, we added ArUco markers to each of the two webpages viewed by participants. ArUco markers facilitated specification of AOIs that were positioned relative to the marker, thus allowing users to freely scroll the webpage. Detection of fixations within AOIs allowed us to compare fixation durations on the privacy policy icon and text on each of the webpages, as shown in Fig. 3.

5.1.2. Measures To assess the effectiveness of the motivation manipulation, we used perceived risk in sharing personal information, a composite variable validated in preliminary study 2, as the manipulation check. As a check for the visual saliency manipulation, in addition to the one item used in preliminary study 2 (“The privacy policy was clearly visible to me”), we included two items adapted from Sohn, Seegebarth, and Moritz (2017) to tap the overall visibility and organization of a certain webpage (“Overall, the webpage appeared to be…” with “easy to view/hard to view” and “organized/disorganized” as the response end-points on a seven-point scale). The three items were averaged to create an index as the manipulation check for visual saliency (α = 0.501). We also measured perceived privacy protection, trust in and attitude toward the website, the likelihood of applying for a student loan from the website, NFC, and perceived control in the survey (see Appendix A.7).

5.2. Results Analysis of the gaze data was performed in R. We removed very short fixations from further analysis because readers usually do not extract much information during such short fixations (Rayner & Pollatsek, 1989; Sturt, 2003). We also removed very long fixations because they typically do not reflect online cognitive processes (Inhoff & Radach, 1998; Nuthmann, 2014, 2017; Yan, Pan, Chang, & Kliegl, 2019). For example, Galley, Betz, and Biniossek (2015) found that very long fixations occurred when participants in their study were close to falling asleep, a state in which cognitive activities are presumably minimal. Rayner (1998) showed that during reading, typical fixations were approximately within the range of 150–650 ms. Indeed, excluding fixations with very short and very long durations is deemed as “common” by many researchers (e.g., Nuthmann, 2014, 2017; Van der Lans, Wedel, & Pieters, 2011). Following this practice, thus, in the current study, we retained fixations with durations between 80 ms and 720 ms for further statistical analysis (min = 100 ms; max = 720 ms; M = 260 ms; SD = 150). As a result, 7.6% of the fixations were filtered out. The upper threshold was chosen per the rule of the 1st and 3rd quantile ± 1.5 × IQR (Inter Quartile Range) (Upton & Cook, 1996) and the recommendation that fixations with durations of “more than three times the standard deviation” be removed (Van der Lans et al., 2011, p. 241). Eye movement data from both the loan information page and the personal information page were aggregated and used in the analysis (see Table 1 for descriptive statistics).

5.1.3. Area of interest (AOI) definition and data processing We defined three areas of interest (AOIs), of which two were located on the lower part of each webpage (the privacy policy text and the privacy policy icon). A third AOI included the rest of the webpage that was not privacy related but pertained to the assigned task of searching for a student loan on the website. Data recorded by the eye tracker was processed using custom software written in Python. For the AOI definition, we developed a novel method for automated video frame AOI labelling through computer vision techniques (i.e., ArUco markers) to map AOIs in the scene (Garrido-Jurado, Muñoz-Salinas, Madrid-Cuevas, & Marín-Jiménez, 2014). Each detected ArUco marker is defined by its numerical ID, location, and orientation (relative to the camera) by the OpenCV software. A distinct ArUco marker was embedded at the left side of each webpage presented. We then defined AOIs relative to the position of the marker by specifying a positional offset and width and height of the AOI such that the AOI would contain the text or icon in question. To denoise the data and detect fixations, raw gaze data was processed using custom scripts written in Python (Duchowski, 2017). The custom scripts consisted of the following (customized) steps: (1) denoise and extract raw gaze data gi = (x i , yi , ti ) , where (xi , yi ) indicates the position of the gaze point, and ti indicates the timestamp; (2) detect fixations fi = (x i , yi , ti, di ) , where (xi , yi ) now indicate the fixation centroid, di the duration, and ti the timestamp; and (3) collate fixationrelated data for statistical analysis. The denoising step involved excluding invalid gaze data as identified by the eye-tracker’s manufacturer, typically during a blink. In the filtering step, data was converted to visual angle given scene camera resolution (1920 × 1080) and assumed viewing distance (22 in.). A 7-

5.2.1. Manipulation check Participants in the high-motivation condition rated perceived risk in sharing personal information as significantly higher (M = 4.412, SD = 1.631) than participants in the low-motivation condition (M = 3.825, SD = 1.574), F(1, 126) = 4.243, p = 0.041). Participants in the high-saliency condition reported significantly greater visibility of the privacy policy text (M = 5.722, SD = 0.948) than participants in the low-saliency condition (M = 5.009, SD = 1.128), F(1, 74) = 8.725, p = 0.004). 7

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

provided support for H4a. However, H4b, i.e., the interaction effect between perceived control and saliency on attention, was not supported. H5 was tested with OLS regression analyses with fixation duration and AOI as predictors. The results showed that the model with loan application likelihood as the dependent variable is statistically significant, F(5, 344) = 2.750, p = 0.02, with an R-squared value of 0.04. The results also surfaced a significant interaction between AOI and fixation duration, F(2, 344) = 5.33, p = 0.005. The coefficient estimate for this interaction, as seen in Table 3, showed that an increase of fixation duration on non-privacy contents significantly increased loan application likelihood (ΔB = 1.49, SE = 0.48, t(344) = 3.09, p < 0.001). Furthermore, the slope for the relationship between fixation duration on the privacy icon and loan application likelihood was significantly lower than that for the relationship between fixation duration on non-privacy contents and loan application likelihood (ΔB = −1.25, SE = 0.50, t(344) = −2.49, p < 0.01). Likewise, the slope for the relationship between fixation duration on the privacy policy text and loan application likelihood was also significantly lower (ΔB = −1.64, SE = 0.52, t(344) = −3.17, p < 0.001). The following simple slope analysis showed that an increase of fixation duration on non-privacy contents corresponded to an increased loan application likelihood (B = 19.39, SE = 6.28, CIlower = 7.042, CIupper = 31.730). The slope for fixation duration on the privacy icon (B = 3.17, SE = 1.72, CIlower = −0.222, CIupper = 6.560) and that for the privacy policy text (B = −1.97, SE = 2.47, CIlower = −6.835, CIupper = 2.890) were not significantly different from zero (see Fig. 6). The regression analysis in which attitude toward the website was the dependent variable revealed a similar pattern of results. The overall model was marginally significant, F(5, 344) = 1.98, p = 0.08, with an R-squared value of 0.03. The results showed a marginally significant interaction effect between fixation duration and AOI, F(2, 344) = 2.773, p = 0.064. The model estimates showed that an increase of fixation duration on non-privacy contents significantly enhanced attitude (ΔB = 0.86, SE = 0.32, t(344) = 2.68, p = 0.01). In comparison to fixation duration on non-privacy contents, the slope for fixation duration on the privacy icon (ΔB = −0.72, SE = 0.35, t (344) = −2.16, p = 0.03) and that for fixation duration on the privacy policy text (ΔB = −0.82, SE = 0.35, t(344) = −2.35, p = 0.02) were significantly lower. Results from simple slope analysis showed a significant positive association between fixation duration on non-privacy contents and attitude (B = 11.24, SE = 4.20, CIlower = 2.979, CIupper = 19.50). The slope for fixation duration on the privacy icon (B = 1.823, SE = 1.15, CIlower = −0.447, CIupper = 5.090) and that for the fixation duration on the privacy policy text (B = 0.624, SE = 1.65, CIlower = −2.628, CIupper = 3.880) were not significantly different from zero (see Fig. 7). Trust and perceived privacy protection were not affected by fixation duration on non-privacy contents, the privacy policy icon, or the text. Given these results, H5 was partially supported.

Table 1 Descriptive statistics for eye tracking metrics. Mean (ms)

AOI: Privacy policy icon Fixation duration 297.54 AOI: Privacy policy text Fixation duration 246.91

SD

Skewness Statistic

SE

107.92

0.31

0.66

71.67

0.04

0.10

5.2.2. Hypothesis testing We used generalized linear mixed models (LMM) in testing hypotheses 1–4. All models were estimated with the lme4 package in R. We fit models for each hypothesis. We first specified the null model in which fixation duration was the dependent variable with random effects for AOI (categorical with three levels: non-privacy contents, the privacy icon, and the privacy policy text) and participant. Fixations were nested within AOI and AOI was nested within participant. We then updated the null model with predictors according to each hypothesis with AOI, risk (categorical with two levels: high vs. low), saliency (categorical with two levels: high vs. low), and the interaction effects of NFC (continuous) and perceived control (continuous). Risk (low), saliency (low), and AOI (non-privacy contents) were the default reference groups for comparisons. We examined the values of AIC, the significance level of each individual model, and between-model chi-square differences in assessing the overall fit of the models. To test H5, we followed the same approach as previously outlined and used OLS linear regressions with fixation duration and AOI as predictors and perceived privacy protection, trust in the website, attitude toward the website, and likelihood of applying for a student loan from the website as the dependent variable respectively for each regression model. We evaluated the results by examining the overall significance level of each regression model and the R-squared. The LMM model for H1 (AIC = −865.48, χ2(8) = 50.012, p < 0.001) with AOI and risk as predictors revealed a significant main effect of AOI, F(2, 164.84) = 7.312, p < 0.001. Study participants fixated longer on the privacy icon (M = 0.303, SD = 0.129) than on non-privacy contents (M = 0.257, SD = 0.261), t(156.55) = 3.32, p < 0.001. Likewise, the privacy icon garnered more attention than the privacy policy text (M = 0.254, SD = 0.010), t(111.00) = 3.67, p < 0.001 (see Fig. 4). However, neither the main effect of risk, as postulated by H1, nor the interaction effect between risk and AOI were significant. The LMM model for H2 with AOI and saliency as predictors (AIC = −865.52, χ2(8) = 50.065, p < 0.001) revealed only a significant main effect of AOI, which is similar to the results from testing H1. However, neither the main effect of saliency, as hypothesized in H2, nor the interaction between saliency and AOI were significant. The results did not support the moderating effects of NFC hypothesized in H3a (AIC = −851.97, χ2(4) = 0.764, p > 0.1) or in H3b (AIC = −853.68, χ2(4) = 4.234, p > 0.1). In testing H4a, results from the LMM model (AIC = −864.17, χ2(1) = 5.194, p = 0.023) showed a significant main effect of AOI (similar to previous analyses) and a significant main effect of risk, F(1, 225.39) = 4.849, p = 0.029. In comparison to the low-risk condition (M = 0.264, SD = 0.122), study participants in the high-risk condition (M = 0.281, SD = 0.118) exhibited longer fixation durations, ΔB = 0.15, SE = 0.07, t(240.37) = 2.290, p = 0.020. More interestingly, the main effect of risk was significantly moderated by perceived control, F(1, 222.11) = 5.79, p = 0.017. That is, the slope for the relationship between perceived control and fixation duration was significantly lower in the high-risk condition than that in the low-risk condition, ΔB = −0.03, SE = 0.01, t(222.11) = −2.41, p = 0.02 (see Fig. 5). Taken together, these results, as summarized in Table 2,

5.3. Discussion Results from the main study provided mixed support for the proposed hypotheses. Of note is the significant interaction between risk and perceived control. This effect indicates that the impact of risk, a top-down motivation variable manipulated through perceived risk in sharing personal information, on visual attention toward privacy-related information varied as a function of participants’ perceived sense of control. Specifically, in comparison to the low-risk condition, when risk was high, the greater the perceived control, the shorter the fixation duration on AOIs. This result is likely due to participants’ belief that their abilities and actions have a stronger effect on events and outcomes when they felt a greater sense of control. Moreover, situations involving higher risk seemed to further strengthen this belief, such that greater perceived control lessened the need to be alert and attentive to privacy8

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

Fig. 4. Main effect of AOI on fixation duration; Error bars represent 95% confidence intervals.

related information. These findings, taken together, substantiated the moderating role of perceived control in influencing visual attention and lent credence to the view that top-down, bottom-up, and individual difference variables interact with one another to jointly exert impact on attention as several researchers have long maintained (e.g., Bagger, 2016; Kahn, 2017). These results were also in line with previous privacy research whereby perceived control was found to alleviate privacy concerns, reduce risk perceptions, and increase the likelihood of providing and sharing personal information (e.g., Martin & Murphy, 2017). Although the main effect of risk was somewhat overshadowed by its interaction with perceived control, the finding that participants in the high-risk condition exhibited longer fixation durations than their counterparts in the low-risk condition presented converging evidence of the effect of top-down motivation on visual attention as well documented by prior eye-tracking research (e.g., Chandon et al., 2009; Orquin et al., in press). The finding that AOI had a significant main effect on attention and that participants fixated significantly longer on the privacy policy icon than on the privacy policy text and the non-privacy contents is interesting. One possibility that the privacy icon garnered more attention than both the privacy policy text and the non-privacy contents could be that the icon is placed in a near-center location in reference to the rest of the visual elements on the website (see Fig. 2). The location effect has indeed been shown to be quite influential in guiding visual attention (e.g., Chandon et al., 2009; Orquin et al., in press). Of note is the central fixation bias, defined as a strong inclination and tendency to look first at the center of the scene and to choose the option in the center of an array (e.g., Atalay, Bodur, & Rasolofoarison, 2012; Tatler, 2007). Another possibility could be due to the different format of the presented

information in that the privacy policy icon is a pictorial logo, whereas the privacy policy text and non-privacy contents are primarily textual. Evidence exists to show that when textual information and pictorial information are integrated, fixation durations on pictures could be longer than fixation durations on text. For example, Rayner, Rotello, Stewart, Keir, and Duffy (2001) found that when looking at print ads that included both textual and pictorial information, irrespective of which instructional group they were in (to purchase a car vs. to purchase skin care products) or what type of ad (car vs. skin care) they looked at, study participants’ average fixation durations were longer on the picture portions of the ads (266 ms) than on the text (226 ms). A third possible explanation is that the visual contrast between the icon and other non-pictorial elements on the website makes the icon “stand out” in such a way that participants shift their attention to focus on the icon. This conjecture can be explained by attention engagement theory (Duncan & Humphreys, 1989, 1992), which maintains that the saliency of a target object in the presence of other objects is determined by the similarity of not only the target to other objects but also those other objects among themselves. Finally, in terms of the effect of attention on downstream consumer response variables, the results revealed that consumers’ self-reported loan application likelihood and attitude toward the website both increased as a result of longer fixation duration on the non-privacy contents on the website. In comparison, the change in loan application likelihood and attitude resulting from increases in fixation duration on the privacy policy text and the icon was negligible. Although study participants did fixate longer on the privacy icon than on the privacy policy text and non-privacy contents, the longer fixation duration and greater visual attention toward the icon did not translate into 9

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

Fig. 5. Interaction effect between perceived control and risk on fixation duration; Gray areas represent 95% confidence intervals for the regression lines.

Therefore, attention toward non-privacy contents on the website (the majority of which include loan information) had a sizable effect on loan application likelihood and attitude and significantly predicted both.

Table 2 Summary of hypothesis testing results using LMM. Parameter

Estimate

SE

t

df

p

Intercept AOI (privacy icon) AOI (privacy text) Risk (high) Perceived control AOI (privacy icon) × Risk (high) AOI (privacy text) × Risk (high) Risk (high) × Perceived control

0.23 0.05 0.00 0.15 0.01 −0.01 −0.01 −0.03

0.04 0.02 0.01 0.07 0.01 0.03 0.02 0.01

5.54 2.71 0.03 2.29 0.83 −0.52 −0.58 −2.41

202.12 197.82 321.75 240.37 183.07 203.59 328.55 222.11

< 0.001 0.01 0.98 0.02 0.41 0.60 0.56 0.02

6. Conclusions Privacy and security are intensifying in importance as consumers engage with an increasingly-online world that places greater demands on the sharing of personal information. Although prior studies have made some strides in the domain of attention to privacy policies and downstream consumer responses (e.g., Bart et al., 2005; Tsai et al., 2011), including eye-tracking investigations (Ozimek, Lewandowska, Krejtz, & Duchowski, 2019; Steinfeld, 2016), this is the first study, to our knowledge, to test the influences of top-down motivation, bottomup visual characteristics, and individual differences in NFC and perceived control on attention to privacy policies. Our research contributes to marketing literature, theory, and practice in several ways.

Number of observations = 460. Dependent variable: Fixation duration. AIC = −864.17, BIC = −793.94.

significant effects on perceived privacy protection, trust, attitude, and loan application likelihood. Study participants were tasked with evaluating loan information and selecting an option to their preference. Table 3 Summary of hypothesis testing results using OLS linear regression. Dependent variable

Parameter

Loan application likelihood

Intercept Fixation duration Fixation duration Fixation duration Intercept Fixation duration Fixation duration Fixation duration

Attitude toward the website

× AOI (non-privacy contents) × AOI (privacy icon) × AOI (privacy text) × AOI (non-privacy contents) × AOI (privacy icon) × AOI (privacy text)

10

Estimate

SE

t

p

3.60 1.49 −1.25 −1.64 4.48 0.86 −0.72 −0.82

0.18 0.48 0.50 0.52 0.12 0.32 0.34 0.35

20.43 3.09 −2.49 −3.17 37.97 2.68 −2.16 −2.35

0.00 0.00 0.01 0.00 0.00 0.01 0.03 0.02

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

Fig. 6. Interaction effect between fixation duration and AOI on loan application likelihood; Gray areas represent 95% confidence intervals for the regression lines.

6.1. Theoretical contributions

personal information is high. The finding that regardless of the risk condition (high vs. low) and the saliency condition (high vs. low), study participants fixated longer on the privacy icon than the privacy policy text and non-privacy contents contributes to the privacy literature by providing corroborating evidence with eye-movement data of the prevalent tendency of consumers’ inattention to privacy policies (e.g., Milne & Culnan, 2004; Tsai et al., 2011). On the other hand, attention toward the privacy icon might indicate that consumers are indeed “cognitive misers,” as described by Meyvis and Janiszewski (2004, p. 347), who only use “the most accessible cognition sufficient to determine a response” (Feldman & Lynch, 1988, p. 429). Icons are simplified depictions of privacy policies (Pavlus, 2010), and as such, offer consumers an easy and accessible understanding of the privacy policy. This latter result is also consistent with prior eye-tracking research that showed that when textual and pictorial information was integrated and blended in a scene, pictures garnered more attention than texts (e.g., Carroll, Young, & Guertin, 1992; Rayner et al., 2001). Plausible explanations for this effect point to the significant impact of bottom-up stimulus driven factors on visual attention, i.e., the near-center location and visual distinctiveness of the privacy icon in reference to its surrounding elements on the website, and thus, extends the location effect and the central fixation bias phenomenon (e.g., Atalay et al., 2012; Tatler, 2007) to the current research context. Moreover, this finding also lends credence to the concept of “visual ecology” examined in Orquin et al. (in press) work whereby the authors show that packaging elements that are visually conspicuous in terms of surface size, salience, and distance to center drive attention independently of consumers’ shopping goals. A final key finding of this study revealed that while fixation

First, this investigation adds to the information privacy and security literature with a novel methodological approach in which consumers’ eye movements, while naturally and freely browsing a realistic website, were captured by eye trackers. This approach enabled us to address two major research deficiencies: the scarcity of eye-tracking investigations and the potentially unrealistic study settings of prior research in the topical area of information privacy and security. More importantly, the current study uncovered a significant interaction effect between perceived control and the risk manipulation on visual attention toward privacy-related information. This finding enriches our understanding of visual attention as a function of consumers’ sense of control and risk perceptions and thus, contributes to the extant eye-tracking literature by presenting evidence that it is indeed the interplay among a multitude of influences from top-down, bottom-up, and individual consumer difference variables that together determine attention as many researchers have suggested (e.g., Bagger, 2016; Kahn, 2017; Pieters & Warlop, 1999; Ramsøy, 2015). Further, in accordance with previous works (e.g., Xu et al., 2012), this finding underscores the importance and omnipresence of perceived control as a theoretical construct in privacy research. The nuanced outcomes of the moderating effect of perceived control add to privacy research by demonstrating that the impact of top-down motivation on attention is bounded by consumers’ perceived sense of control. These results also provide a refined understanding of the privacy paradox phenomenon (Brandimarte et al., 2013) in that strong perceptions of perceived control lessened the need to be alert and attentive to privacy- and security-related information, which potentially might result in the divulgence of too much information, even when perceived risk in sharing 11

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

Fig. 7. Interaction effect between fixation duration and AOI on attitude toward the website; Gray areas represent 95% confidence intervals for the regression lines.

duration on the non-privacy contents of the website predicted loan application likelihood and attitude, fixation duration on the privacy icon and the privacy policy text did not affect any of the downstream consumer response variables. Taken at face value, this finding seems to suggest that attention toward privacy-related information on a website is irrelevant to consumer trust, attitude, and intentions to purchase from the website. However, this seemingly counterintuitive finding, especially given the result that study participants did fixate longer and attend more toward the privacy icon, speaks to the importance of goal directedness in human behavior, as has been well documented in the literature (e.g., Ajzen & Madden, 1986). Given that the participants were instructed to evaluate and select a student loan from the website, the overarching goal of completing the assigned task supersedes other motivational influences, such as a heightened risk in sharing personal information, in guiding their behavior.

sword in that perceptions of being in control can misleadingly divert consumers’ attention away from information regarding the protection of their privacy and security. This could potentially defeat marketers’ objective of informing consumers of their data practice policies through the means of privacy policies and icons. Third, marketers may also differentiate themselves from other online players by emphasizing their capability of protecting consumers’ privacy and security. In other words, reduced risk of information misuse may reduce emphasis on privacy protection icons and text and augment downstream variables such as attitudes, trust, and purchase intentions. Fourth, marketers may use the above strategy to build high firm reputation. Research has shown that a strong firm reputation reduces risks associated with privacy concerns, such that the combined offering of well-known brands, money-back guarantees, best price guarantees, and price reductions was shown to be the most effective strategy for significantly reducing consumers' perceived risk about online shopping (Van den Poel & Leunis, 1999).

6.2. Managerial implications Findings of the current research have strong managerial implications. First, because study participants fixated significantly longer on the privacy policy icon than on the privacy policy text and the nonprivacy contents, managers may wish to employ such icons as a visible, short-hand means for rapidly conveying privacy policies. These logos encapsulate lengthier, complex privacy policies and help consumers quickly recognize how their personal data will be used. Managers can help consumers save time and position the business as transparent. Second, high perceived control was found to override the effect of risk perceptions on attention toward privacy-related information on the website. An interesting implication from this finding is that empowering consumers with a greater sense of control can be a double-edged

6.3. Limitations and future research directions While a primary strength of this investigation was the use of eyetracking data, the study is limited in three ways. First, only one main experiment tested the effects. Thus, future research should seek to replicate the effects with further studies. Ideally, these studies would take place in laboratory settings, given the focus of online shopping. However, field studies incorporating online shopping may be useful, especially in the context of mobile shopping: data security is similarly important for the mobile channel, which bears strong resemblances to more conventional online shopping. Second, although participants in the main experiment were prompted to provide personal data to receive 12

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

additional loan information, which is a consequential measure, future field studies incorporating actual purchases that require real financial and personal information would offer a stronger test of the privacy and security issue. Future studies should also incorporate measures to assess participants’ preexisting attitude toward privacy policies and include as a covariate in subsequent analysis. Third, while the second preliminary study utilized MTurk panelists, the first preliminary study and the main study utilized student participants. Thus, additional replications with other sampling frames would build generalizability. Future research could also follow Ozimek et al. (2019) to investigate the location (top vs. bottom vs. center of a webpage), size (large vs. small), and presentation style (banner vs. pop-up window) of the privacy policy text and icons and examine whether these stimulusdriven factors affect attention differently. Likewise, other motivational variables such as product involvement and situational involvement

with a specific purchase could also be explored in future studies. Although this research investigated the moderating effects of two individual difference variables, i.e., NFC and perceived control, future studies could examine other moderators that are relevant to information privacy and security such as uncertainty avoidance and risk propensity. Another direction is to research how privacy policies and similar information might affect consumer responses differently in other shopping environments. For example, are privacy policies salient in brick-and-mortar retail environments, where consumers’ credit card information is, nonetheless, potentially at risk of theft in a data breach? If so, how does consumer attention function with any visuals (i.e., privacy icons), situational risk, NFC, and perceived control? Further, if the relationships differ in a brick-and-mortar environment, how should managers adjust their strategies to optimize for multichannel operations?

Appendix A A.1. Images of webpages for Shop4School Homepage

13

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

Product overview page (Laptops)

14

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

Product description page (Laptops)

15

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

Shopping cart page (Laptops)

16

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

Product overview page (Posters)

17

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

Product description page (Posters)

18

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

Shopping cart page (Posters)

19

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

AOI mapping example

A.2. High vs. Low message relevance scenarios for the laptop purchase condition Low message relevance scenario Shop4School is a small start-up e-business that sells products such as laptop computers, headphones, posters, and decorative arts to college students. Shop4School invites you to experience its newly launched website and provide feedback based on your use experience. This invitation reminds you that you are actually thinking about buying a laptop computer because recently your computer has started running slower and experiencing many technical problems. Considering that laptop computers are expensive and usually cost $1100–$1500, you decide to explore Shop4School’s website and start looking for information on various laptop computers. High message relevance scenario Shop4School is a small start-up e-business that sells products such as laptop computers, headphones, posters, and decorative arts to college students. Shop4School invites you to experience its newly launched website and provide feedback on the website’s design, security, and privacy protection features. Given the widely reported negative impact of recent data breaches at Facebook and Uber, your feedback will be extremely valuable to help Shop4School understand the increasing importance of security and privacy protection to consumers. Shop4School’s invitation reminds you that you are actually thinking about buying a laptop computer because recently your computer has started running slower and experiencing many technical problems. Considering that laptop computers are expensive and usually cost $1,100-$1,500, you decide to explore Shop4School’s website and start looking for information on various laptop computers. A.3. Descriptive statistics for eye tracking metrics Mean (s)

AOI: Privacy policy icon and security icon Fixation duration AOI: Privacy policy text Fixation duration

SD

Skewness Statistic

SE

1.988

2.387

2.986

0.226

10.633

26.085

5.288

0.226

A.4. Preliminary study 1 measure validity and reliability Constructs and items

Mean

SD

Perceived privacy protection (adapted from Bart et al., 2005). The website seems to have the technology to guard the security and privacy of my personal information. The website seems capable of protecting the security and privacy of my personal information. It seems that this website has invested a great deal in information privacy and security protection. Trust in the website (adapted from Dabholkar & Sheng, 2009; Schlosser, White, & Lloyd, 2006; Wang, Beatty, & Foxx, 2004). This website appears to be very trustworthy. This website can be relied upon. I am confident that this website can be trusted.

3.615

0.900

3.196

1.017

20

FL 0.903 0.916 0.798 0.895 0.875 0.906

CR

AVE

0.906

0.764

0.925

0.804

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al. My overall faith in this website is high. Attitude towards the website (adapted from Davis, Bagozzi, & Warshaw, 1989). Extremely unfavorable/extremely favorable Extremely bad/extremely good Extremely negative/extremely positive Didn’t like it at all/liked it very much Intention to buy from the website (adapted from Dabholkar & Sheng, 2009) I would definitely buy products from this website in the near future. It is very likely that I will purchase from this website. I intend to make my future purchases from this website.

4.694

1.141

2.957

1.147

0.910 0.836 0.907 0.901 0.852 0.889 0.961 0.945

0.917

0.765

0.952

0.869

Notes: FL = factor loadings; CR = composite reliability; AVE = average of variance extracted; SD = standard deviation. A.5. High vs. Low risk scenarios Low risk scenario Assume that you are planning to pursue a degree program at a reputable university in the United States. As a prospective student, you receive emails about student loans, accommodations, and even some food options near your new school. As always, you browse through such emails and websites. On one such occasion, you come across the website of StudentLoanFinder.com and find their offers of different financial aid packages and loan options pretty attractive. It is common that companies require certain personal information such as name, date of birth, email address, phone number, and social security number (SSN) to be provided during the loan registration or application process. You know, however, that unlike other websites that superficially focus on trendy designs of the websites’ look and appearance, StudentLoanFinder substantially invests in the latest effective data protection technologies on a continuous basis. This makes StudentLoanFinder one of the most trusted platforms for applying for student loans, so you feel safer about sharing your personal information with the website. With this background, you decide to casually browse through StudentLoanFinder’s website and evaluate their offers in case you or your friends ever need a loan or financial aid in the future. The reputation and security of the website make you feel comfortable and safe about sharing your personal information with the website. High risk scenario Assume that you are planning to pursue a degree program at a reputable university in the United States. As a prospective student, you receive emails about student loans, accommodations, and even some food options near your new school. As always, you browse through such emails and websites. On one such occasion, you come across the website of StudentLoanFinder.com and find their offers of different financial aid packages and loan options pretty attractive. It is common that companies require certain personal information such as name, date of birth, email address, phone number, and social security number (SSN) to be provided during the loan registration or application process. You know, however, that hacking and phishing incidents are happening more often than before, even in companies that have the financial means for equipping their websites with the latest and most advanced data protection technology. For example, in 2019, as many as 600 million Facebook users’ passwords were stolen as a result of a massive data breach at the company. According to a recent report, in 2018, one in every seven Americans fell victim to identity theft. This makes you wonder if you are next because data breach and identity theft can happen to anyone at any time. With this background and given the sensitive nature of personal information, you decide to carefully browse through StudentLoanFinder’s website and evaluate their offers. Data breach and identity theft incidents in real life make you feel compelled to be cautious and protective about your personal information. A.6. Sample recordings of the browsing sessions for two participants in the study Recording018: a participant’s browsing session of the website in the high risk, high contrast condition. Recording114: a participant’s browsing session of the website in the low risk, low contrast condition. Click the link below and then use VLC to play both recordings. http://andrewd.ces.clemson.edu/vids/cutrgv/risk_v_contrast/. A.7. Main study measure validity and reliability Constructs and items

Mean

SD

Perceived privacy protection (adapted from John, Acquisti, & Loewenstein, 2011). I would feel secure sending sensitive information over this website. This website is a secure means through which to send information. I would feel confident placing my personal data and payment information on this website. Overall, this website is a safe place to transmit sensitive information. Trust in the website (adapted from Dabholkar & Sheng, 2009; Schlosser et al., 2006; Wang et al., 2004). This website appears to be very trustworthy. This website appears reliable. I am confident that I can trust this website. My overall faith in this website is high. Attitude towards the website (adapted from Dabholkar & Sheng, 2009; Davis et al., 1989). Extremely unfavorable/extremely favorable Extremely bad/extremely good

3.459

1.596

3.699

1.585

4.390

1.289

21

FL 0.929 0.938 0.940 0.941 0.939 0.958 0.944 0.957 0.936 0.929

CR

AVE

0.966

0.878

0.974

0.902

0.953

0.836

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al.

Extremely negative/extremely positive Didn’t like it at all/liked it very much Likelihood of loan application (newly developed for this study) 3.449 Definitely not/definitely Not at all likely/very likely Not at all probable/very probable Need for cognition (de Holanda Coelho, Hanel, & Wolf, 2018) 4.784 I would prefer complex to simple problems.* I like to have the responsibility of handling a situation that requires a lot of thinking. Thinking is not my idea of fun (R). I would rather do something that requires little thought than something that is sure to challenge my thinking abilities.* I really enjoy a task that involves coming up with new solutions to problems.* I would prefer a task that is intellectual, difficult, and important to one that is somewhat important, but does not require much thought. Perceived control (Lachman & Weaver, 1998) 5.953 I can do just about anything I really set my mind to. When I really want to do something, I usually find a way to succeed at it. Whether or not I am able to get what I want is in my own hands.* What happens to me in the future mostly depends on me.*

1.930

1.191

0.931 0.858 0.968 0.985 0.970

0.983

0.949

0.815

0.598

0.814

0.688

0.841 0.830

0.960

0.630 0.904 0.748

Notes: * items dropped due to low factor loadings; FL = factor loadings; CR = composite reliability; AVE = average of variance extracted; SD = standard deviation.

in the study of cognitive processes. In G. Underwood (Ed.). Eye guidance in reading and scene perception (pp. 29–53). Oxford, UK: Elsevier Science. Janiszewski, C. (1998). The influence of display characteristics on visual exploratory search behavior. Journal of Consumer Research, 25(3), 290–301. John, L. K., Acquisti, A., & Loewenstein, G. (2011). Strangers on a Plane: Context-dependent willingness to divulge sensitive information. Journal of Consumer Research, 37(5), 858–873. Just, M. A., & Carpenter, P. A. (1976). Eye fixations and cognitive processes. Cognitive Psychology, 8(4), 441–480. Kahn, B. E. (2017). Using visual design to improve customer perceptions of online assortments. Journal of Retailing, 93(1), 29–42. Khachatryan, H., Rihn, A., Behe, B., Hall, C., Campbell, B., Dennis, J., & Yue, C. (2018). Visual attention, buying impulsiveness, and consumer behavior. Marketing Letters, 29(1), 23–35. Kimery, K. M., & McCord, M. (2006). Signals of trustworthiness in e-commerce: Consumer understanding of third-party assurance seals. Journal of Electronic Commerce in Organizations, 4(4), 52–74. Lachman, M. E., & Weaver, S. L. (1998). The sense of control as a moderator of social class differences in health and well-being. Journal of Personality and Social Psychology, 74(3), 763. Lin, C. C. (2003). Effects of contrast ratio and text color on visual performance with TFTLCD. International Journal of Industrial Ergonomics, 31(2), 65–72. Martin, K. D., & Murphy, P. E. (2017). The role of data privacy in marketing. Journal of the Academy of Marketing Science, 45(2), 135–155. Meredith, S. (2018). Facebook-Cambridge Analytica: A timeline of the data hijacking scandal. CNBC. Retrieved from https://www.cnbc.com/2018/04/10/facebookcambridge-analytica-a-timeline-of-the-data-hijacking-scandal.html. Meyvis, T., & Janiszewski, C. (2004). When are broader brand stronger brands? An accessibility perspective on the success of future extensions. Journal of Consumer Research, 31(2), 346–357. Milne, G. R., & Culnan, M. J. (2004). Strategies for reducing online privacy risks: Why consumers read (or don’t read) online privacy notices. Journal of Interactive Marketing, 18(3), 15–29. Milosavljevic, M., Navalpakkam, V., Koch, C., & Rangel, A. (2012). Relative visual saliency differences induce sizable bias in consumer choice. Journal of Consumer Psychology, 22(1), 67–74. Nisbett, R. E., & Wilson, T. D. (1977). Telling more than we can know: Verbal reports on mental processes. Psychological Review, 84(3), 231–259. Nuthmann, A. (2014). How do the regions of the visual field contribute to object search in real-world scenes? Evidence from eye movements. Journal of Experimental Psychology: Human Perception and Performance, 40(1), 342–360. Nuthmann, A. (2017). Fixation durations in scene viewing: Modeling the effects of local image features, oculomotor parameters, and task. Psychonomic Bulletin & Review, 24(2), 370–392. Orquin, J. L., & Holmqvist, K. (2018). Threats to the validity of eye-movement research in psychology. Behavior Research Methods, 50(4), 1645–1656. Orquin, J., Bagger, M., Lahm, E., Grunert, K., & Scholderer, J. (2019). The visual ecology of product packaging and its effects on consumer attention. Journal of Business Research. https://doi.org/10.1016/j.jbusres.2019.01.043 (in press). Ozimek, A., Lewandowska, P., Krejtz, K., & Duchowski, A. T. (2019). Attention towards privacy notifications on web pages. In Proceedings of the 11th ACM symposium on eye tracking research & applications (p. 91). ACM. Pavlus, J. (2010). Mozilla’s privacy icons tell you how sites use your personal data. Fast Company, December 3. Retrieved from https://www.fastcompany.com/1662961/ mozillas-privacy-icons-tell-you-how-sites-use-your-personal-data. Pennington, R., Wilcox, H., & Grover, V. (2003). The role of system trust in business-toconsumer transactions. Journal of Management Information Systems, 20(3), 197–226. Petty, R. E., & Cacioppo, J. T. (1986). The elaboration likelihood model of persuasion. Communication and persuasion (pp. 1–24). New York, NY: Springer. Pieters, R., & Warlop, L. (1999). Visual attention during brand choice: The impact of time

References Ajzen, I., & Madden, T. J. (1986). Prediction of goal-directed behavior: Attitudes, intentions, and perceived behavioral control. Journal of Experimental Social Psychology, 5, 453–474. Atalay, A. S., Bodur, H. O., & Rasolofoarison, D. (2012). Shining in the center: Central gaze cascade effect on product choice. Journal of Consumer Research, 39(4), 848–866. Bagger, M. (2016). Attention and decision-making: Separating top-down from bottom-up components (Doctoral dissertation). Institut for Økonomi, Aarhus Universitet). Bart, Y., Shankar, V., Sultan, F., & Urban, G. (2005). Are the drivers and role of online trust the same for all web sites and consumers? A large-scale exploratory empirical study. Journal of Marketing, 69(4), 133–152. Brandimarte, L., Acquisti, A., & Loewenstein, G. (2013). Misplaced confidences: Privacy and the control paradox. Social Psychological and Personality Science, 4(3), 340–347. Bugental, D. B., Blue, J., & Cruzcosa, M. (1989). Perceived control over caregiving outcomes: Implications for child abuse. Developmental Psychology, 25(4), 532–539. Cacioppo, J. T., Petty, Richard E., Feinstein, Jeffrey A., & Jarvis, W. B. G. (1996). Dispositional differences in cognitive motivation: The life and times of individuals varying in need for cognition”. Psychological Bulletin, 119(2), 197–253. Carroll, P. J., Young, J. R., & Guertin, M. S. (1992). Visual analysis of cartoons: A view from the far side. Eye movements and visual cognition (pp. 444–461). New York, NY: Springer. Chaiken, S. (1980). Heuristic versus systematic information processing and the use of source versus message cues in persuasion. Journal of Personality and Social Psychology, 39(5), 752–776. Chandon, P., Hutchinson, J. W., Bradlow, E. T., & Young, S. H. (2009). Does in-store marketing work? Effects of the number and position of shelf facings on brand attention and evaluation at the point of purchase. Journal of Marketing, 73(6), 1–17. Dabholkar, P. A., & Sheng, X. (2009). The role of perceived control and gender in consumer reactions to download delays. Journal of Business Research, 62(7), 756–760. Davis, F. D., Bagozzi, R. P., & Warshaw, P. R. (1989). User acceptance of computer technology: A comparison of two theoretical models. Management Science, 35(8), 903–1028. de Holanda Coelho, G. L., Hanel, P. H. P., & Wolf, L. J. (2018). The very efficient assessment of need for cognition: Developing a six-item version. Assessment. https:// doi.org/10.1177/1073191118793208. Duchowski, A. T. (2017). Eye tracking methodology: Theory and practice (3rd ed.). Cham, Switzerland: Springer. Duncan, J., & Humphreys, G. W. (1989). Visual search and stimulus similarity. Psychological Review, 96(3), 433–458. Duncan, J., & Humphreys, G. W. (1992). Beyond the search surface: Visual search and attentional engagement. Journal of Experimental Psychology: Human Perception & Performance, 18, 578–588. Enge, S., Fleischhauer, M., Brocke, B., & Strobel, A. (2008). Neurophysiological measures of involuntary and voluntary attention allocation and dispositional differences in need for cognition. Personality and Social Psychology Bulletin, 34(6), 862–874. Feldman, J. M., & Lynch, J. G., Jr. (1988). Self-generated validity and other effects of measurement on belief, attitude, intention, and behavior. Journal of Applied Psychology, 73(3), 421–435. Galley, N., Betz, D., & Biniossek, C. (2015). Fixation durations – Why are they so highly variable? In T. Heinen (Ed.). Advances in visual perception (pp. 83–106). New York, NY: Nova. Garrido-Jurado, S., Muñoz-Salinas, R., Madrid-Cuevas, F. J., & Marín-Jiménez, M. J. (2014). Automatic generation and detection of highly reliable fiducial markers under occlusion. Pattern Recognition, 47(6), 2280–2292. Gorry, P. A. (1990). General least-squares smoothing and differentiation by the convolution (Savitzky-Golay) method. Analytical Chemistry, 62(6), 570–573. Hutchinson, J. W., Lu, J., & Weingarten, E. (2016). Visual attention in consumer settings. Routledge international handbook of consumer psychology (pp. 79–102). Routledge. Inhoff, A. W., & Radach, R. (1998). Definition and computation of oculomotor measures

22

Journal of Business Research xxx (xxxx) xxx–xxx

X. Sheng, et al. pressure and task motivation. International Journal of Research in Marketing, 16(1), 1–16. Pieters, R., & Wedel, M. (2004). Attention capture and transfer in advertising: Brand, pictorial, and text-size effects. Journal of Marketing, 68(2), 36–50. Pieters, R., Wedel, M., & Zhang, J. (2007). Optimal feature advertising design under competitive clutter. Management Science, 53(11), 1815–1828. Pieters, R., Wedel, M., & Batra, R. (2010). The stopping power of advertising: Measures and effects of visual complexity. Journal of Marketing, 74(5), 48–60. Ramsøy, T. Z. (2015). Introduction to neuromarketing & consumer neuroscience. Rørvig, Denmark: Neurons Inc. Rayner, K. (1998). Eye movements in reading and information processing: 20 years of research. Psychological Bulletin, 224(3), 372–422. Rayner, K., & Pollatsek, A. (1989). The psychology of reading. New York, NY: Prentice-Hall. Rayner, K., Rotello, C. M., Stewart, A. J., Keir, J., & Duffy, S. A. (2001). Integrating text and pictorial information: Eye movements when looking at print advertisements. Journal of Experimental Psychology: Applied, 7(3), 219. Richardson, R. T., Drexler, T. L., & Delparte, D. M. (2014). Color and contrast in ELearning design: A review of the literature and recommendations for instructional designers and web developers. MERLOT Journal of Online Learning and Teaching, 10(4), 657–670. Rotter, J. B. (1966). Generalized expectancies for internal versus external control of reinforcement. Psychological monographs: General and Applied, 80(1), 1–28. Salvucci, D. D., & Goldberg, J. H. (2000). Identifying fixations and saccades in eyetracking protocols. In Proceedings of the 2000 symposium on eye tracking research & applications (pp. 71–78). ACM. Savitzky, A., & Golay, M. J. (1964). Smoothing and differentiation of data by simplified least squares procedures. Analytical Chemistry, 36(8), 1627–1639. Schlosser, A. E., White, T. B., & Lloyd, S. M. (2006). Converting web site visitors into buyers: How web site investment increases consumer trusting beliefs and online purchase intentions. Journal of Marketing, 70(2), 133–148. Sicilia, M., & Ruiz, S. (2010). The effect of web-based information availability on consumers' processing and attitudes. Journal of Interactive Marketing, 24(1), 31–41. Skinner, E. A. (1996). A guide to constructs of control. Journal of Personality and Social Psychology, 71(3), 549–570. SlickText (2019). One year after Cambridge Analytica, survey reveals strong consumer privacy fears remain. Retrieved from https://www.slicktext.com/blog/2019/02/ survey-consumer-privacy-fears-after-cambridge-analytica/. Sohn, S., Seegebarth, B., & Moritz, M. (2017). The impact of perceived visual complexity of mobile online shops on user's satisfaction. Psychology & Marketing, 34(2), 195–214. Solove, D., & Hartzog, W. (2014). The FTC and the new common law of privacy. Columbia Law Review, 114(3), 583–676.

Specht, J., Egloff, B., & Schmukle, S. C. (2013). Everything under control? The effects of age, gender, and education on trajectories of perceived control in a nationally representative German sample. Developmental Psychology, 49(2), 353–364. Steinfeld, N. (2016). “I agree to the terms and conditions”: (How) do users read privacy policies online? An eye-tracking experiment. Computers in Human Behavior, 55, 992–1000. Sturt, P. (2003). The time-course of the application of binding constraints in reference resolution. Journal of Memory and Language, 48(3), 542–562. Tatler, B. W. (2007). The central fixation bias in scene viewing: Selecting an optimal viewing position independently of motor biases and image feature distributions. Journal of Vision, 7(14), 1–17. Tsai, J. Y., Egelman, S., Cranor, L., & Acquisti, A. (2011). The effect of online privacy information on purchasing behavior: An experimental study. Information Systems Research, 22(2), 254–268. Upton, G., & Cook, I. (1996). Understanding statistics. Oxford, UK: Oxford University Press. Van den Poel, D., & Leunis, J. (1999). Consumer acceptance of the Internet as a channel of distribution. Journal of Business Research, 45(3), 249–256. Van der Lans, R., Wedel, M., & Pieters, R. (2011). Defining eye-fixation sequences across individuals and tasks: The Binocular-Individual Threshold (BIT) algorithm. Behavior Research Methods, 43(1), 239–257. Van der Lans, R., & Wedel, M. (2017). Eye movements during search and choice. Handbook of marketing decision models (pp. 331–359). Cham, Switzerland: Springer. Wallston, K. A., Strudler Wallston, B., & DeVellis, R. (1978). Development of the multidimensional health locus of control (MHLC) scales. Health Education Monographs, 6(1), 160–170. Wang, S., Beatty, S. E., & Foxx, W. (2004). Signaling the trustworthiness of small online retailers. Journal of Interactive Marketing, 18(1), 53–69. Wedel, M., & Pieters, R. (2008). A review of eye-tracking research in marketing. In N. K. Malhotra (Ed.). Review of marketing research (Vol. 4) (pp. 123-147). Armonk, NY: M. E. Sharpe. Wu, D., Gao, Y., & Miao, D. (2018). Using an eye tracker to measure information processing according to need for cognition level. Social Behavior and Personality, 46(11), 1869–1880. Xu, H., Teo, H. H., Tan, B. C., & Agarwal, R. (2012). Research note—effects of individual self-protection, industry self-regulation, and government regulation on privacy concerns: A study of location-based services. Information Systems Research, 23(4), 1342–1363. Yan, M., Pan, J., Chang, W., & Kliegl, R. (2019). Read sideways or not: Vertical saccade advantage in sentence reading. Reading and Writing, 32(8), 1911–1926. Yang, S. F. (2015). An eye-tracking study of the Elaboration Likelihood Model in online shopping. Electronic Commerce Research and Applications, 14(4), 233–240.

23