- Email: [email protected]
Information Privacy Research: Framework for Integrating Multiple Publics, Information Channels, and Responses
Available online at www.sciencedirect.com
Journal of Interactive Marketing 23 (2009) 191 – 205 www.elsevier.com/locate/intmar
Information Privacy Research: Framework for Integrating Multiple Publics, Information Channels, and Responses James W. Peltier a,⁎, George R. Milne b & Joseph E. Phelps c a
College of Business and Economics, University of Wisconsin-Whitewater, 800 W. Main Street , Whitewater, WI 53190, USA b Isenberg School of Management, University of Massachusetts Amherst, Amherst, MA 01003, USA c College of Communications and Information Sciences, The University of Alabama, Tuscaloosa, AL 35487-0172, USA
Abstract This article puts forth a framework for understanding critical consumer information privacy issues in direct and interactive marketing that consists of three broad dimensions: (1) multiple publics, (2) information channel developments, and (3) the publics' responses to privacy actions. Within this structure, the authors review and integrate existing research and issues, and identify an agenda for future research. © 2009 Direct Marketing Educational Foundation, Inc. Published by Elsevier B.V. All rights reserved.
Introduction Today consumers have many options for learning about, evaluating, transacting with, and maintaining relationships with marketers. Direct mail, catalogs, the Internet, telemarketing, mobile communications, interactive television, and in-store media all offer a means by which consumers can interact in the marketplace at the time and location of their choice. From the supply side, recent advances in computer and database technologies have enhanced the opportunity for marketers to inexpensively collect, share, and use personal information acquired through multiple means to develop personalized buyer–seller relationships (Miceli et al. 2007). These personalized relationships take the form of targeted product offerings and communications delivered through both offline (i.e., direct mail, catalogs, personal selling) and online (i.e., Internet, email) media. Combined, the growth in information channel driven marketing has provided significant benefits to consumers through increased opportunities to learn about new products and services, make more informed purchase decisions, receive offers tailored to their needs, participate in loyalty programs, and maximize shopping convenience (Neslin and Shankar 2009).
⁎ Corresponding author. E-mail addresses: [email protected] (J.W. Peltier), [email protected] (G.R. Milne), [email protected] (J.E. Phelps).
The plethora of transactional and search options available to consumers in interactive environments also comes with potential risks, including the loss of privacy and a host of related side effects of living in an era of easy information access (Deighton and Kornfeld 2009; Norberg, Horne, and Horne 2007). The widespread access to detailed personal records, both legal and illegal, has increased the opportunity for governments, businesses and individuals to misuse consumer information, often with dramatic negative personal and financial consequences. The Patriot Act, phishing, data hacking, identity theft, spam, and compromised databases have all heightened consumers' anxiety regarding whether their personal data are safe in the hands of the organizations with which they transact. As a consequence, the need to curtail the improper access to, sharing of, and use of personal information is receiving increased attention by the news media, state and federal legislators, watchdog groups, and ultimately, consumers (Lemi 2007). The direct marketing industry is particularly vulnerable to negative perceptions about how it collects, uses, shares, and safeguards consumer information and has a critical economic stake in reducing consumers' privacy fears (Dolnicar and Jordaan 2007). Undeniably, direct marketing is big business, with forecasted sales of $2.064 trillion in 2007, a 6.5% increase over 2006 (Direct Marketing Association 2007). Much of this growth is being fueled by the Internet, a medium that is often criticized for its information privacy practices. Despite the fact that the vast majority of consumers have access to the Internet, many experts agree that privacy fears are creating an artificially
1094-9968/$ - see front matter © 2009 Direct Marketing Educational Foundation, Inc. Published by Elsevier B.V. All rights reserved. doi:10.1016/j.intmar.2009.02.007
192
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
low ceiling on the potential for online sales (eMarketer 2007; Pew 2006). As support, privacy advocates point to the fact that although online spending was $109 billion in 2006, an increase of 23.5% from 2005, this represents only about 2.8% of U.S. retail sales (USDC Quarterly Report 2007). In response to growing consumer privacy concerns, three countervailing forces are using their influence to stem the flow of improper information practices. From a top-down perspective and driven in part by widespread media coverage of privacy violations and improper information practices, federal and state legislatures are increasingly enacting and/or introducing laws to protect consumers. Although the cost–benefit ratio of many of these consumer privacy laws is debatable, there is little doubt that the current political climate in the U.S. foreshadows that more rather than less legislative actions are on the horizon (Cain 2002; Ciochetti 2007). Taking a more bottom-up approach, the direct marketing industry through self-regulation and proprivacy initiatives (e.g., DMA guidelines, public privacy policies, privacy seals, etc.) is sending clear signals of the importance of preserving consumers' information privacy rights (Milne and Culnan 2004). Lastly, consumers are taking actions to limit their vulnerability to potential privacy violations by refusing information requests, opting out of direct marketing lists, enrolling in no-call lists, abandoning online shopping carts, and avoiding non-retail purchases all together (Dommeyer and Gross 2003; eMarketer, 2007; LaRose and Rifon 2007; Schoenbachler and Gordon 2002). In a recent editorial in a special issue on consumer privacy in the Journal of Public Policy and Marketing, the editors noted that marketing scholars have been slow to embrace public policy as a mainstream topic deserving “sustained” research attention, and specifically with regard to privacy issues in information channel environments (Sappington and Silk 2003). Dating back to its inception, the Journal of Interactive Marketing has encouraged conceptual and empirical research on consumer privacy in the electronic age (c.f. Deighton 1998; Glazer 1998; Shankar and Malthouse 2006, 2007). In response to these calls to action, a steady stream of research is emerging investigating a host of information privacy concerns. Despite this recent attention in the privacy literature, virtually ignored are comprehensive frameworks that integrate evolving information privacy concerns across different information channels and multiple publics. Especially needed are conceptual frameworks that both distinguish and provide common grounds for understanding information privacy issues important to consumers, regulators, and businesses (Ashworth and Free 2006; Ciochetti 2007; DeMarco 2006). In this article we put forth a framework for understanding critical consumer information privacy issues in direct and interactive marketing. To this end, we examine privacy concerns pertinent to multiple publics, including regulatory agencies, consumers, direct marketing organizations, and consumer advocacy groups. Importantly, because the lines between “offline” and “online” direct media are becoming increasingly blurred, we then extend our focus to include research issues relevant in a wide variety of information channels. Of note, since many of these information channels are
in their infancy, we offer an information privacy agenda for spurring conceptual and empirical research in this rapidly changing area of discovery. Prior to presenting our framework and introducing our future research agenda, we first provide a historical perspective of information privacy. Historical perspective and framework introduction Defining privacy Having roots in multiple disciplines, there is no clear consensus of the exact nature and scope of the privacy construct. Early scholars defined privacy as the right to be left alone (Warren and Brandeis 1890), refined later by Prosser (1960) to include freedom from intrusion of a person's seclusion or solitude. In today's direct marketing context, the right to be left alone is the foundation for anti-spam legislation, no-call lists and other opt-out lists. During the initial stage of the computer revolution, Westin (1967) defined “information privacy” as the right of “individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (p. 7). Extending Westin, Fried (1968) offered the idea of managing one's identity through “the control we have over information about ourselves” (p. 482). Hoffman (1980) argued that information rights are more multidimensional in nature and are based on the belief that consumers have the right (1) to know the personal information others are collecting about them, (2) to control the type of information that is shared with third parties, and (3) to direct access to their own personal data. Tying together information protection and the right to be left alone, Goodwin (1991) defined consumer privacy in terms of control over two dimensions: control of information disclosure and control over unwanted intrusions into the consumer's environment. In this regard, the “invasion” of information privacy represents the unauthorized collection, disclosure, or improper use of personal information (Wang, Lee, and Wang 1998). And, the “intrusion” of personal privacy, or right to be left alone, can include the right to be free from unwanted marketing solicitations (Petty 2000). Privacy in the electronic era One of the most basic privacy dilemmas is how to protect consumers' privacy rights in an era of expanding access to personal information amassed from multiple touch points and through emerging technologies (Davenport and Harris 2007). Finding this balance is difficult for direct marketers as the important task of developing virtual and real-time customer relationship management practices is accomplished through the electronic capture, storage, and mining of customerspecific information. To this end, direct marketing organizations capture an extensive array of “customer-identified responses” collected through traditional media such as inbound and out-bound telemarketing, direct mail campaigns, and catalog sales. More recently, the Internet and other emerging information technologies, in addition to allowing easy capture of attitudinal and response data, have enhanced
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
databases thorough the real-time tracking of online behaviors, email, open and click through rates, in-store movements, media usage, physical location/movements, and a host of other detailed pieces of information about customers used to create personalized relationships (Montgomery and Smith (2009); Murray and Häubl (2009)). Although personal data have been collected for many years, the electronic era has simplified the ability of marketers to piece together personally identifying information (PII) from multiple sources to create “digital dossiers” of customers and prospects contained in their database (Solove 2006). An organization's set of digital dossiers is often augmented through external means by appending electronic information provided by data brokers, typically without consumer consent. Although we would contend that PII in and by itself is not a privacy violation, the apparent ease with which digital profiles can be stolen and/or misused raises important concerns. Information privacy framework The preceding discussion offers support that information privacy is an evolving and multi-dimensional construct impacted by a wide range of technological, legal, and ethical considerations. It is also clear that information privacy concerns differ based on the perspective of the public involved. Marketers seek personal information as a means of creating sustainable competitive advantage. Consumers have a personal stake in how their personal dossiers are created, shared and used. Consumer advocacy groups have arisen to give a more powerful voice to consumer concerns and the protection of consumer information, whereas regulatory agencies attempt to balance the rights of consumers and economic stability in the marketplace. Complicating these concerns is that buyer–seller relationships are no longer restricted to a limited set of direct marketing techniques. Rapidly advancing technologies have changed the privacy landscape and underscore the importance of considering information privacy research in light of the
193
multitude of information channels available to consumers today and in the near future. In the remainder of this paper we integrate three key dimensions useful for developing a research agenda on information privacy in the field of direct and interactive marketing: (1) multiple publics, (2) information channel developments, and (3) the publics' responses to privacy actions. These dimensions, as well as situational factors, are illustrated in an overarching systems level framework in Fig. 1. The purpose of the framework is to present and organize a macro view of the factors affecting privacy policy and behavior. While we suggest relationships between the dimensions in Fig. 1, and these are discussed with respect to the publics' response dimension, much of our review focuses discussion on past and future research issues within the dimensions of multiple publics and information channels. We begin by reviewing the concerns of multiple publics and needed research. The publics include consumers, advocacy groups, media, direct marketers and regulatory agencies. Next we review past research and identify a research needs agenda for different information channels. Specifically we review traditional direct marketing, internet/ ecommerce, mobile marketing, RFID/ubiquitous computing, social networking, virtual environments, and multi-channel integration. Third we review the publics' response in terms of consumer behavior, advocacy behavior, media coverage, self governance and regulation/enforcement. Multiple publics Consumers Multiple polls over the past two decades show that consumer privacy concerns are pervasive with nine out of ten U.S. citizens being “very” or “somewhat” concerned about threats to their personal privacy (Best, Krueger and Ladewig 2006). With regard to marketers' use of personal information, consumers' concerns revolve primarily around the basic question of whether
Fig. 1. Conceptual framework.
194
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
marketers behave ethically in their information practices (Culnan and Armstrong 1999; Dommeyer and Gross 2003). This overall concern is expressed in a variety of more specific concerns. For example, consumers are concerned about the amount and types of information collected. Consumers are concerned about data being collected and used without their knowledge or consent. Many consumers are concerned that the information they willingly exchange with one marketer will be sold to others and that they will become the target for additional marketing solicitations. As a consequence, having control over who has access to their personal information is important to the vast majority of consumers (Best, Krueger and Ladewig 2006). While this data sharing represents a misuse to some consumers, data theft is obviously a misuse to all. Zogby International (2007) reports that 94% of Americans worry about identity theft and are concerned that companies are not doing enough to protect their personal information. Although younger adults (18–29) are slightly less concerned about identity theft than older adults, the vast majority of younger adults (86%) worry about identity theft as well. Despite these high numbers and the potential ceiling effect, concerns about identity theft are likely to rise with increasing cases of hacking and data loss along with identity scams such as phishing. Consumers are also concerned about mistakes in their data profiles as these too lead to a type of mistaken identity, or at least mistaken label or categorization applied to the individual consumer. These mistakes may be relatively harmless or could cause real hardship, especially with regard to credit data. The identification of consumer concerns is an area that is well addressed in the scholarly and popular press. However, more research exploring the pathways through which these concerns influence consumer thoughts, feelings, and behaviors is needed. An essential gauge of the importance of information privacy concerns will be found in research assessing the outcomes of these concerns. To best assess the relative influence of information privacy concerns, more comprehensive research which examines consumers interactions and reactions in multichannel and multi-public environments would be most useful. Consumer advocacy groups Since the 1990s, consumer privacy concerns have spawned an increasing number of privacy advocacy groups (e.g., Center for Media Education, Computer Professionals for Social Responsibility, Cypherpunks, Privacy Coalition, and Privacy International). These consumer privacy advocacy groups are associations of consumers and professionals, coalescing around concerns over a single (e.g., Consumers Against Supermarket Privacy Invasion or Numbering) or a set of privacy issues (e.g., Electronic Privacy Information Center). The primary purpose behind these advocacy groups is to inform and influence policy makers, consumers, and marketers. Some, such as Cypherpunks, work to create technological solutions to privacy problems. Others, such as the Electronic Privacy Information Center use a variety of tactics. For example, EPIC strives to influence public policy by lobbying legislators and testifying before Congress. EPIC has also used the court system to litigate challenges to both
commercial and governmental information practices. It, like other advocacy groups, works to inform and influence public perceptions and the media agenda on privacy issues. Research is needed to better understand the influence of these groups with respect to information privacy. Media Consumer advocacy groups and marketers attempt to influence the media agenda because they believe that media coverage influences the perceptions that other publics hold concerning privacy issues. Traditional media publics consist of mass audience print and broadcast news media (e.g., newspapers, magazines, radio and television) as well as specialized media (e.g., trade, industry, or association publications) catering to a more select audience at the local and national levels (Hendrix and Hayes 2007). Relatively little research has examined privacy issues and related media coverage (e.g., Petrison and Wang 1995). Independent research projects, which combined examined over two decades of media coverage (Phelps, Gonzenbach, and Johnson 1994; Roznowski 2003), reported heavy and steadily increasing media attention allocated to information privacy issues. In addition to high levels of consumer concern, Roznowski (2003) also reported a strong positive correlation between amount of media coverage and amount of legislative activity regarding privacy issues. These findings lend support to the assumption that the media can play a critical role as privacy issues develop. Yet, very little is actually known about the nature and scope of potential media influence. Even less research has examined the attempts of the other publics to influence media coverage of privacy issues. Finally, more recent conceptualizations of media publics include media such as personal blogs and this blurs the distinction between independent journalism and other information sources (Hendrix and Hayes 2007). Blogs published by the advocacy groups or marketers are controlled media and provide these publics additional communication channels, separate from the traditional media, with which to disseminate and advocate their positions. The ramifications of these new media options with regard to the relationships among the publics remain unknown. Direct marketers Marketers have a keen interest in alleviating consumer privacy fears. However, developing and implementing information policies to ethically collect, use and safeguard consumer data provide marketers with a number of concerns of their own. First, the patchwork of state, federal, and in the case of multinational companies, international laws can make the process of compliance complex and costly (Shah, White and Cook 2007). This process becomes even more complex with the inclusion of industry guidelines and the proposals of consumer advocacy groups. Second, creating and continually updating a secure and efficient IT infrastructure is a costly ongoing endeavor. Despite the heavy investments made in this area, a recent study found that 42% of IT professionals believed their
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
companies were doing an inadequate job of protecting confidential information from loss or theft (Ponemon Institute 2007). Some marketers question just how important information privacy really is to consumers and if the actual level of concern merits the investment committed to information practices. Directly related to this concern is that marketers question whether a competitive advantage is more likely to belong to the company most aggressively using consumer data to gain consumer insights or to the company that patterns its information practices to be most respectful of consumer privacy rights. Regulatory agencies and information privacy legislation Federal and state privacy legislation evolved slowly during the United State's first 200 years as a nation. Not surprisingly, the unprecedented access to personal information spawned by advancing computer technologies and the desire to use this information have contributed to dramatic increases in the
195
number of more recent federal and state privacy laws that have been enacted and/or proposed. Although it is beyond the scope of this article to present the complete array of federal and state privacy laws, below we briefly discuss the Fair Information Practices (FIP) outlined by the Federal Trade Commission. These FIP are important to our research agenda for three reasons. First, recent privacy litigation at the federal and state level has primarily focused on violations of these practices. Second, ethical businesses are beginning to align their privacy initiatives with FIP. Lastly, the FTC's FIP tend to match up closely with most frequently mentioned concerns that consumers have with how their data are collected and used. Although not discussed here, Table 1 provides a summary of other important federal legislation and guidelines pertinent to the information privacy debate. The FTC is most closely involved with U.S. privacy laws and is responsible for handling violations of the Federal Privacy Act of 1974. Although they have been modified over
Table 1 Privacy legislation Law
Summary
Freedom of Information Act, enacted 1966, amended 1996
Guarantees third party access to federal records, including personal information in the control of federal agencies. Designed to promote accuracy, fairness, and privacy of information in the files of every “consumer reporting agency”, the credit bureaus that gather and sell information about consumers to creditors, employers, landlords and other businesses. Applies to the records of federal government agencies. Requires agencies to apply basic fair information practices to records containing personal information. Prohibits tampering with computers or accessing certain computerized records without authorization. Prohibits disclosure of the contents of stored communications. Amends federal wiretap law to electronic communications such as email, cell phones, private communications carriers, and computer transmissions. Also sets restrictions on access to stored wire and electronic communications and transaction records. Amends the federal Privacy Act of 1974 to set requirements that federal agencies must follow when matching information on individuals with information held by other federal, state or local agencies. Requires entities that use the telephone to solicit individuals, to provide such individuals with the ability to prevent future telephone solicitations. The Act makes it a federal crime to use another's identity to commit an activity that violates Federal law or that is a felony under state or local law. Requires financial institutions to issue privacy notices to their customers, giving them the opportunity to opt-out of some sharing of identifiable financial information. Prohibits State Departments of Motor Vehicles (DMVs) from releasing “personal information” from drivers' licenses and motor vehicle registration records. COPPA requires commercial Web sites and other online services directed at children 12 and under, or which collect information regarding users' age, to provide parents with notice of their information practices and obtain parental consent prior to the collection of personal information from children. Requires health care organizations to “maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information. Protected health information includes medical records, patient logs, insurance, billing and other personally identifiable health information. This Act authorizes the FTC to implement and enforce a do-not-call registry. The Act also ratified the do-not-call registry provision of the FTC's Telemarketing Sales Rule FACTA amended the existing Fair Credit Reporting Act providing consumers, companies, consumer reporting agencies and regulators with new tools to expand consumer access to credit, enhance the accuracy of consumer financial information, and help fight identity theft. The Controlling the Assault of Non-Solicited Pornography and Marketing Act establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them. Sets rules and penalties for identity theft.
Fair Credit Reporting Act (FCRA), enacted in 1970
Federal Privacy Act of 1974 Electronic Communications Privacy Act (1986) Electronic Communications Privacy Act of 1986
Computer Matching & Privacy Protection Act of 1988
Telephone Consumer Protection Act (TCPA), effective 1992 Federal Identity Theft Assumption and Deterrence Act of 1998 Financial Services Modernization Act of 1999 (Gramm–Leach–Bliley Act) Driver's Privacy Protection Act of 1994, Effective 1997 Children's Online Privacy Protection Act (COPPA), effective 2000
Health Insurance Portability and Accountability Act of 1996 (HIPAA), effective 2001
Do-Not-Call Registry Act of 2003 Fair and Accurate Credit Transactions Act of 2003 (FACTA)
CAN-SPAM Act of 2003, amended 2004
Identity Theft Penalty Enhancement Act of 2004
196
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
time, the FTC has four stated fair information practices for protecting consumer privacy (Federal Trade Commission 2007): (1) notice/awareness, (2) choice/consent, (3) access, and (4) security. Notice/awareness Consumers should be informed about the organization's information practices and this could include notice of the entity collecting these data, how these data will be used, identification of data recipients, how data are to be collected, whether provision is voluntary or required, and any steps taken to ensure the confidentiality, integrity and quality of these data. According to the Commission, notice is the most fundamental principle because individuals cannot make an informed decision regarding disclosure of their personal information without it. Regarding notice, consumers are concerned about the amount and the sensitivity of the information that marketers collect (Milne and Boza 1999; Phelps, D'Souza, and Nowak 2001).
Choice/consent At its core, choice refers to letting consumers have options regarding how their personal information is used. Most commonly, choice involves the use of information beyond the immediate transaction such as being added to the company's mailing list for future promotions or transferal to third parties. Consent is typically established through an opt-in (need to specify approval) or opt-out (must ask for removal) mechanism. More recently, direct marketers have created preference centers, allowing for a menu of choice options. Access Consumers have the right to view their personal data and to contest any inaccuracies. The access process must be timely, relatively inexpensive, and easy to contest, verify and amend. Integrity/security Collected data should be accurate and secure from unwarranted access. Data integrity requires a sound collection
Table 2 Selected settlements in violation of FIP principles FIP
Company/settlement date
Notice/awareness Centurion Financial Benefits (2007)
Choice/consent
Access
Integrity/security
Consumers were told they were giving information for a $2000 limit credit card limit. They instead received an application for a stored value/cash card with no line of credit and could be used once consumer first transferred funds to the card (2007). Sony BMG (2005) Sent flawed and overreaching computer program via millions of music CDs. BMG said they placed program on CDs to restrict consumer use of the music on the CDs, but also allowed for reporting customer listening of the CDs and installing undisclosed and in some cases hidden files on users' computers that could expose users to tampering by third parties (also a consent issue) (2005). DoubleClick (2002) Violated state and federal laws by surreptitiously tracking and collecting consumers' personally identifiable data and combining it with information on their Web surfing habits (2002). Bank of America (2007) Bank of America disclosed consumers' personal, private, confidential information to third parties without consent (2007). Gateway Learning Corporation (2004) Rented personal information in violation with promises made in its privacy policy. After collecting consumer information, it changed its privacy policy to allow sharing of information without notifying consumers or getting their consent (2004). Cartmanager International (2005) FTC alleged that CartManager did not adequately inform consumers or merchants that it would collect and rent this information and that it acted knowing that renting the information was contrary to many merchants' privacy policies. Quicken Loans (2002) Failed to provide “adverse action” notices in violation of the Fair Credit Reporting Act. Failed to comply with the provisions of the Act to notify the consumer when an action is based wholly or partly on the consumer's credit report. The notice is designed to give consumers the opportunity to dispute the accuracy or completeness of the information in the credit report (2002). Performance Capital Management (2001) PCM provided credit bureaus with inaccurate “delinquency dates” for its accounts, resulting in negative information remaining on consumers' credit reports. PCM failed to investigate consumer disputes referred by credit bureaus, and by failing to notify credit bureaus when consumers disputed collection accounts with PCM (2001). Guidance Software (2006) The FTC charged that Guidance Software's failure to take reasonable security measures to protect sensitive customer data contradicted security promises made on its Web site. Data-security failure allowed hackers to access sensitive credit card information for thousands of consumers. According to the complaint, Guidance failed to implement simple, inexpensive and readily available security measures to protect consumers' data. ChoicePoint, Inc. (2006) Failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers. The security breach resulted in millions of dollars in fraudulent purchases. Microsoft Corp. (2002) FTC alleged that Microsoft didn't employ reasonable and appropriate measures to maintain and protect the privacy and confidentiality of consumers' personal information collected through its Passport and Passport Wallet services, including credit card numbers and billing information stored in Passport Wallet.
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
197
Table 3 Future research issues Information channels
Future topics
Traditional DM
How do the no call lists and other opt-in/out options affect consumer attitudes toward privacy? What type of information are consumers willing to share across traditional media? What type of benefit do they expect? How do traditional privacy issues translate to electronic media practices? How to resolve the concern–behavior paradox? How best to motivate consumers to be more self efficacious and secure their private information? Under what circumstances will consumers adopt privacy enhancing technologies to evaluate privacy policies? How much privacy are consumers willing to give up for personalization? What is the best format for online notice and choice? What is best format for mobile privacy notices? Which marketing and data collecting activities require consumer permission? What is the best way to obtain consumer permission? Whether and when should consumers be notified of ubiquitous data collection? How best to provide consumers choice? How to apply FIP when multiple data sources are combined? What is the best format to regulate privacy? How do consumers use social networking sites? What factors lead consumers to discount the long term consequences of data disclosure? How much trust do consumes have in their peers? How can marketers ethically communicate through social networking sites? Will social networking sites translate to older consumers as the current audience ages? How does capturing consent in virtual worlds differ from other media? Why do consumers adopt multiple online personalities? Does this help them protect their personal privacy? Does the virtual world allow consumers to explore private aspects of their personality? Does this translate to sales? How can companies take advantage of virtual worlds while protecting privacy and selling to consumer pseudonyms? How best to adhere to FIP when consumers and marketers interact on multiple channel touch points? Why might consumers provide inaccurate or disparate information across channels? Why do consumers seek access to multiple channels? Do privacy breaches occur? Are the systems and structures to handle privacy issues implemented in an inadequate manner within organizations? Is the technology within the organization being employed up-to-date and current to safeguard privacy issues? What types of “Internal Audits” would help organizations answer this question? What proactive measures can an organization undertake that would help reduce the increasing number of privacy and security breaches? What are the best practices used by organizations to safeguard consumers' privacy rights?
Internet
Mobile marketing
RFID/ubiquitous
Social networks
Virtual environments
Multi-channel Organizational issues
process with appropriate checks and balances. Data security involves managerial and technical processes that protect against unauthorized access or use, unplanned loss or destruction of data, or inappropriate disclosure of data. Concern over security is not surprising given the estimated 160 million individual records involved in data breaches from 2005 to mid 2007 (Privacy Rights Clearinghouse 2007). Enforcement/redress Although not an original fair information practice, the FTC acknowledges that enforcement mechanisms are needed to remedy improper information privacy behaviors. Enforcement mechanisms include federal/state legislation, regulatory schemes enforceable in the courts, and self-regulation. To help illustrate FTC enforcement, Table 2 presents examples of recent FTC settlements as they relate to Fair Information Practices1. Information channels This section reviews privacy issues attributed to the many information channels that marketers use to interact with
1 FTC settlements are often made without admission of guilt. These examples summarize original FTC claims made prior to settlement.
customers and prospects (Table 3). The advantage to marketers from using a variety of information channels is that they serve multiple consumer groups and offer customers the opportunity to use those channels most convenient to them at any particular point in time. Another important advantage of information channel marketing is the ability to build a database; the information gathered from one channel can thus be used to support communications to the same customer through other channels. While the gathering and use of information across multiple channels can lead to competitive advantages, there is a wide range of privacy considerations that need addressing. Most privacy research in marketing has been confined to the traditional direct marketing channel and more recently with the Internet. Less attention has been given to the emerging information channels of mobile marketing, technological advancements of RFID and ubiquitous computing, and new Internet applications such as social networks and virtual environments. To fully comprehend how privacy issues will unfold among marketers, consumers and legislative branches, it is important to understand the contextual and situational effects of different information channels and marketing technologies beyond traditional direct marketing media and the Internet. To this end we review the key issues, past research and emerging research opportunities across the following channels: traditional direct marketing, Internet, mobile, RFID and ubiquitous
198
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
computing, social networks, and virtual environments. We conclude by integrating common issues for understanding privacy in a multi-channel context. Traditional DM and core privacy concerns Although many factors have heightened consumer privacy concerns over the years, perhaps the most relevant from a historical perspective is the use and diffusion of traditional direct marketing techniques. For many years direct marketers led the way in collecting individual-specific consumer information and tracking individual consumer purchases (Nowak and Phelps 1992). Advances in technology allowed for increasing amounts of individual-level information to be collected, stored, and analyzed thereby improving direct marketers' segmentation, media selection, message creation and campaign evaluation capabilities. These database marketing techniques are now common practice among direct and general marketers. However, as marketers' use of consumer specific information increased so did consumer concerns over the use of their personal information (Milne and Boza 1999). The relatively recent historical roots of consumer information privacy concerns can arguably be traced back to the development, widespread use, and increased technological sophistication of traditional direct marketing techniques. Consistent with Fair Information Practices, one of the key issues specific to traditional direct marketing channels is the extent to which consumers have control over their personal information and environment. To this point researchers have examined the level of concern consumers have for various types of personal information that marketers collect about them (Milne and Boza 1999), the willingness to provide information across a sensitivity continuum (Phelps, Nowak, and Ferrell 2000), and the costs consumers incur and the tradeoffs consumers make (Milne and Gordon 1993; Petty 2000). Along these same lines, researchers have examined how consumers manage the relationship they have with marketers, including the role of trust in direct marketing relationships (Milne and Boza 1999; Schoenbachler and Gordon 2002). Privacy research has also examined consumer knowledge of laws and regulations (Dommeyer and Gross 2003), and consumer preference for opt-in and opt-out choice formats (Milne and Rohm 2000). Future research needs Given its longer history, research in traditional direct marketing foreshadowed emerging issues in electronic marketing channels. The primary lesson from this literature is that privacy concerns are situational in nature and that a one-sizefits-all approach to understanding privacy rights and strategic response is inadequate in today's information technology age. For example, not all types of information are equally sensitive nor protected by customers, some consumers are willing to share and tradeoff privacy with marketers who have proven their trustworthiness and/or offer benefits for doing so, and some push channels, such as telemarketing, are more intrusive than mail and catalog, which are more pull oriented.
Although research in traditional direct marketing media often seems less glamorous than for emerging interactive channels, there is nonetheless a wide-ranging set of research needs, including how the no call list and other opt-out options have affected consumer attitudes toward privacy, the types of information that customers will share across various traditional media and how they expect this information to be used. Especially interesting is research that seeks to examine how traditional privacy issues translate to electronic media practices and how consumers view the “entire menu” of privacy concerns that exist as they move from direct mail to email, from catalogs to online buying, from telemarketing to online chat and mobile communications, and any of a range of other research topics that help blend multi-channel privacy theories. Internet/ecommerce Consumer privacy concerns in an electronic communication environment are in part a logical extension of the fundamentals flowing from traditional direct marketing, but also need to be investigated in light of domain specific issues emanating from interactive media technologies (Urban, Amyx, and Lorenzon 2009). One key difference is that an online environment allows information collection to take place more quickly, in many different forms, and at more frequent intervals. Given this more interactive data collection environment, adhering to FIP principles such as notice/awareness, choice/consent, and security is very complex, especially with regard to the ability of consumers to control the collection and dissemination of information about them. For instance, behavioral data (e.g., tracking) are frequently collected without consumer consent, or even awareness (Lavin 2006). Such tracking is often accomplished via the planting of cookies, adware, spyware, etc., and can provide the marketer with a detailed profile of an individual's browsing and purchase habits. In contrast, consumers may willingly divulge personal information to register for a website or purchase a product. With so much information being collected and available online, consumers are increasingly concerned about whether their identities are safe from theft (Milne 2003). Recognizing the inherent risk of the online world, research has suggested that building online trust is an effective approach to reduce privacy concerns and to encourage consumers to buy online (Culnan and Armstrong 1999; Hoffman, Novak, and Peralta 1999). Research has shown that trust can be increased by reducing privacy concerns through signaling competence with well designed web sites (Schlosser, Tiffany, and Lloyd 2006). A developing stream of research has also focused on the extent to which consumers protect themselves through use of safe online practices (Milne, Rohm, and Bahl 2004). More specific research has examined consumer use of privacy seals (Miyazaki and Krishnamurthy 2002; LaRose and Rifon 2007) and privacy notices (Milne and Culnan 2004). These and other studies have concluded that although consumers are very concerned about protecting their personal information, they consistently fail to take full advantage of the tools that have been provided to them; making the benefits of fair information practices more difficult
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
to achieve. As a consequence, empirical research grounded in behavioral theories is emerging that attempts to explain this concern–behavior paradox (Norberg, Horne, and Horne 2007). Future research needs Conceptual and empirical research is clearly needed for explaining and resolving the consumer concern–behavior paradox. Motivating consumers to address their concerns through proactive and responsible Internet behaviors is an important step for protecting their privacy rights. One emergent finding is that consumer self efficacy is important for consumers to feel comfortable online. A follow-up research area is to investigate the extent that self efficacy is driven by a generational effect and how to best motivate consumers to be self efficacious (LaRose and Rifon 2007). Another trend is the continued use of personalization of online environments. Future research could explore the extent to which consumers are willing to trade off privacy for personalization. In terms of privacy protection, research can be undertaken to examine whether, and under what circumstances, consumers adopt privacy enhancing technologies to examine online privacy policies. Research should also identify the most effective online privacy warnings for achieving pro-privacy protection behaviors by consumers.
199
Jarvenpaa 2002). Although it could be argued that many of the noted privacy concerns of mobile marketing are not relevant today, they will undoubtedly occur in the not-to-distant future. Japan is a clear harbinger of mobile marketing in the US. Japan has the highest use of mobile phones and leads the world in 3G platform handsets; each user on average sends and reviews 10 emails a day by phone (Ferris 2007). Future research needs Although privacy concerns will likely change as mobile marketing moves from the introduction to the growth stage, research is needed that examines the best formats for mobile privacy notices, which marketing and data collection activities are most likely to need consumer permission, and how that permission can be secured. Taking Japan as an example, the mobile phone has been quite successful for advertising and promoting businesses. Aligning with Japan's 2003 law requiring prior notification, marketers are now developing opt-in procedures for gaining consumer permission. Such approaches involve coupons, sweepstakes, contests and other participation initiatives. Likewise, U.S. businesses and future research should study models that have worked in Japan and see if they would apply in the US. RFID and ubiquitous computing
Mobile marketing The mobile Internet adds value to consumers by offering position awareness and location based services2 (Barkuus and Day 2003; Shankar and Balasubramanian 2009). Although the benefits of mobile Internet access are clear, the fact that consumers are already concerned about Internet privacy and bothersome telemarketing practices hinder its acceptance in the marketplace. As a consequence, one of the key privacy issues in the mobile arena is the potential for excessive intrusion resulting from frequent and unwanted contextual offers pushed to consumers. It may be that a consumer does not want to be interrupted with a coupon offer while driving to a meeting. A second key issue is that consumers may not want information being captured about his or her physical location and purchase context (Milne and Rohm 2003). These privacy concerns become even more salient when they occur in public places, leading to the feeling that consumers are under constant surveillance. Despite the ability to control the on and off switch, consumers often forget that they are connected to their mobile communication devices and could be transmitting a steady stream of real-time information. Since it has only recently emerged as a marketing medium, little conceptual and empirical research exists on mobile privacy here and on a global scale. However, mobile privacy warrants attention because the ability and flexibility of the technology allows consumers (and marketers) to shift the time and space locations of their activities (Balasubramanian, Peterson, and 2 Position awareness is when the phone knows the user enters a building and stops transmitting, such as when a user is in a meeting. Location based services can include coupons and providing the locations of predetermined friends.
Extending beyond mobile phones is the broader trend of ubiquitous computing. Retailers are or will be using RFID Identification and Automatic Video Surveillance to add contextual information to existing databases for personalizing oneto-one communications (Sackmann, Strucker, and Accorsi 2006). An emerging concern is how consumers feel about context-related data being collected about themselves and how this information is used in marketing communications. Context data includes date, time inspecting a product, path through a store, products in a shopping cart, position of products or shopping cart, and any of a wide range of other time-location tracking devices. Interestingly, although this type of context is already in place on the Internet through tracking software, it will become increasingly available in off-line contexts and in settings where consumers have come to expect greater anonymity. Radio Frequency Identification (RFID), in particular, is receiving increased attention from researchers regarding possible privacy violations (Langheinrich 2006). This type of physical tracking system enables data to be transmitted by a tag (with a portable device) to an RFID reader; information is processed according to the need of the specific application. In retail stores the tag may contain identification or location information, product features—including price, color, date of purchase, and so forth. Another emerging issue is how consumers feel about having tags placed on the products they buy and wear. Early on, privacy groups such as CASPIAN organized boycotts against Benetton for their plans to tag clothing (boycottbenetton.org). EPIC has consistently warned about potential losses to consumer privacy where anyone with a reader could capture RFID information (EPIC 2007). For example, it has been demonstrated that credit
200
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
cards using swipe-free RFID technology could be read from readers several feet away (Swartz 2006). Despite these concerns, marketing organizations are continuing to pursue this technology because of available cost savings associated with improved automation, identification, integration, and authentication associated with RFID data collection procedures. Automatic checkout is receiving the most attention; willing shoppers walk through a RFID reader gate, their purchases are electronically recorded, and their purchases are then billed to their credit card. Future research needs Ubiquitous computing through RFID and other techniques presents a unique set of privacy dilemmas, most of which have not been studied to date. For example, with ubiquitous computing, information is continuously being collected without any indication or signal from the retailer. Since there is no “recording light” consumers are unaware that data collection is occurring, which is clearly in conflict with FIP. An important research question is whether and when consumers should be notified that data are being collected (notice/awareness). Moreover, data can be collected often without any specific purpose. Research is thus needed that investigates ways to secure choice/consent and under which situations choice/ consent is more appropriate. Similarly, because data from multiple devices can be combined and attributed to unique customer identification, research targeting multiple information sources and consumer acceptance has merit. Combined, these observations raise issues on how best to implement fair information practices. Regulating such data collection is difficult since the devices record multiple events. For example, a camera can capture many consumers at a time. This makes privacy policies regarding individual privacy preferences virtually impossible. Sackmann et al. (2006) suggest that in such dynamic environments that privacy be evaluated post hoc by analyzing privacy evidence from the files. Evaluating different permission formats is thus an important topic for future research.
friends, photos, group events and account settings. Gross, Acquisti, and Heinz (2005) found that students revealed extremely personal information about themselves and only a small percentage of users chose to implement more restrictive privacy preference options. An important privacy concern for social networking sites is the fact that “unprotected” information becomes part of the public domain and is readily accessible to others. These data are often open to the growing phenomenon of “online snooping”. As noted by Hamilton (2007), the purpose of 30% of all Web searches is to find people. Search companies such as PeekYou, Spock, Wink, and ZoomInfo help find people by scouring the social networking sites such as MySpace, Facebook, Friendster, Yahoo!, Flickr and others. Since this is public information, the search companies do not need consumers' permission. Unfortunately, the resulting profiles from these searches often can contain errors, may be embarrassing, or can lead to potentially dire consequences. Future research needs Privacy research in social networking settings is virtually unlimited. In addition to general research investigating how consumers use these sites today and in the future, research is needed that investigates factors that lead consumers to discount the importance of the long term consequences of data disclosure and other risky behaviors. Evaluating risk perspectives and long term consequences of data may help in the formation of privacy notice warnings or policies. Another issue is the role of peer to peer trust. A future research question is whether consumers can trust other consumers given the fact that individuals are reported to lie about themselves. Virtually unexplored is how marketers can ethically communicate with consumers either directly from information captured from social networking sites or through online affiliate programs. Importantly, because social networking sites are more common today for younger consumers, how this phenomenon transfers across the product life-cycle to older audiences deserves special research attention. Virtual environments
Social network sites The posting of personal information through social networking sites such as Friendster, Myspace, and Facebook is a new and exploding form of interactive communication. Students were the earliest adopters of this interactive technology, through which they created pages of personal profiles and information about themselves that they then communicated to the world. Since its inception, social networking has received considerable exposure in the popular press through accounts of stalking, identity theft, and other privacy losses. Although in its infancy, extant research has primarily been descriptive in nature and has documented students' use of social network sites. Of interest, although social network sites have privacy controls, relatively few students take control of protecting themselves. On most popular social network sites, a person's name, when joined, school status, and email are required data fields. Participants also have the opportunity to add a personal profile, a list of
The virtual world is one of the newest interactive channels. In a virtual world, consumers and marketers use avatars to communicate with each other in online sites such as Second Life. Avatars, which are graphic representations that are animated by means of computer technology, have been shown to be effective for improving sales and customer satisfaction. A key issue is that in this type of digital environment all dialogues can be captured and stored in databases for subsequent sales interactions. Although limited, recent research has examined the use of avatars for generating sales. In a virtual world, sales avatars can automatically adjust their sales presentation via computer scripts designed to mimic the customer's avatar. Moreover, it is possible for a sales avatar to adopt the gestures of all customers in a room simultaneously such that each customer sees his or her features and actions being mirrored back (Hemp 2006). This efficiency builds higher levels of trust, which can easily be exploited to the marketer's advantage. Other research
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
has shown that attractive avatars are more effective and well liked than less attractive avatars (Holzwarth, Janiszewski, and Newman 2006). Future research needs A research question that arises is whether the information that is gathered by marketers in these situations needs customer consent, and if so, how might capturing consent in the virtual word differ from that needed in other media? In terms of consumer behavior, the virtual world raises the question of why consumers adopt multiple online personalities. Is the adoption of such an identity for the protection of personal privacy? When a consumer's real world identity is kept private, does it afford the consumer the opportunity to examine other aspects of his or her personality? Does this engagement in fun and fantasy expand the consumers purchasing options? Most importantly, research is needed on how real world companies can best take advantage of this new environment while still protecting consumer privacy and selling to customer pseudonyms. Multi-channel integration Technological advances have consistently altered the privacy landscape. Emergent technologies often offer marketers and unwanted parties a new approach for invading the privacy rights of consumer. Information technology has also fueled the growth of the direct marketing industry and has provided marketers with database tools to study consumers on a one-to-one basis, which in turn have sparked increased privacy concerns. As new information technologies become available, consumers, marketers, and regulatory agencies will continually be forced to pay close attention to potential privacy violations (Saponas et al. 2007). Complicating matters is that the ever increasing number of communication and response channels make it more difficult to coordinate and protect consumer privacy rights. The vast majority of privacy research in the direct marketing field has focused on specific issues in specific channels and for specific publics. Although we have outlined issues that cross publics and channels, conceptual research is needed that provides taxonomies for furthering our understanding of privacy issues in an evolving multi-channel world. Particularly needed is multi-channel research that addresses how to best adhere to fair information practices, including how customers become aware of data collection practices from various touch points, how they are able to opt-in or opt-out of data collections procedures from the various channels in which they interact, and how the presence or absence of appropriate notice practices impact consumer behavior. Regarding choice/consent, multichannel research is needed that adds to the consumer privacy debate by increasing our understanding of the reasons and the types of data consumers are willing to disclose to information requests in some channels but not others. This becomes even more important as new channels enter the mix and marketers wish to speed their rate of adoption as a personalization medium. As with the other FIP, access becomes more complicated as data from various touch points must be validated by consumers and marketers alike. Research is thus needed that
201
explores why consumers might provide inaccurate or disparate information across channels, what motivates them to seek access to data from different channels, and how marketers can improve their data collection and validated practices. Lastly, as the number of available information channels grows and the technology that drives them becomes even more sophisticated, consumers will have a whole new set of security concerns regarding the unwarranted disclosure of the information that they provide across varied touch points as well as the increasing ease in which inappropriate data collection and marketing occurs. In this section of the paper we have identified a number of promising research opportunities involving information channels and privacy issues. Research questions pertaining to each channel were provided and, just as importantly, research issues across multi-channel information environments were presented. Researchers adopting a multiple channel perspective will undoubtedly find that privacy issues initially appear more complicated because of the increased number of factors to be considered. However, to more thoroughly understand the influence of channels on privacy issues and the influence of privacy concerns on channel selection and behavior within that channel (both by consumers and marketers), there is no substitute for research that is more comprehensive in nature. Public's response Having already identified and defined the critical publics, this section of the paper examines key responses in accordance with the framework presented in Fig. 1. The framework suggests that a given public's response to privacy issues is a function of that public's identity, interactions with other publics, channels, and situational factors (e.g., technology, regulatory climate, international and cross cultural variations). As the discussion emphasizes the importance of these interrelationships it highlights the need for researchers to adopt a more comprehensive approach when examining responses to privacy issues. Consumer behavior Two sets of consumer behavior that receive much attention in the privacy literature include providing personal information to marketers and purchase behavior. According to the framework, such consumer behavior is a function of consumer characteristics, the responses of the other publics, the channels in use, and situational factors. Research exploring consumer characteristics and associated variations in privacy concerns (e.g., Zogby International 2007) is well represented in the popular press and the scholarly literature. However, this type of research simply reflects the level of privacy concern by type of consumer and the mere presence of concern is not a stable predictor of consumers' behavioral response (Dinev and Hart 2006). Research examining consumers' privacy-related responses (e.g., Dolnicar and Jordaan 2007) begins to examine factors that mitigate and/or enhance the influence of privacy concerns on consumer behavior. The current paper calls for an even more comprehensive approach as consumer behavior is known to
202
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
vary on a host of factors. For instance, it is known that purchase behavior is influenced by price, product, and channel. The relative influence of consumer privacy concerns on purchase behavior then can only be identified if one also takes into account these other factors known to have an influence. Consumer behavior will also vary depending on past interactions with a specific marketer and level of trust (Milne and Boza 1999). Interactions with advocacy groups and exposure to relevant media coverage are also likely to influence consumer behavior. However, few studies have examined the relative impact of advocacy groups and the media on consumers' privacy-related behaviors. Research examining these issues would begin to fill an important void in the literature. Scholars must also consider situational factors within information privacy research as such factors influence the relevance of an information privacy issue, the role of channel(s), and the response from consumers and other publics. For example, consumer responses are influenced by technological availability, the technological efficacy of the consumer and the relative benefits the channel offers compared to other available informational and transactional alternatives. In sum, a deeper understanding of consumer responses is most likely to emerge from research examining linkages among the elements shown in Fig. 1. Advocacy behavior Similarly, the framework suggests advocacy behavior is a function of the interactions with the other publics as well as channel and situational factors. The importance of interactions with other publics is clear from the conception of an advocacy group. As its purpose is to correct a perceived problem in the environment, the advocacy group actively seeks interactions with consumers, the media, policy makers and business concerns in order to push an agenda and encourage responses from these other publics. Advocacy groups seek to inform consumers and change consumer behavior. They seek to influence self-regulatory responses, privacy law and information policy. As noted earlier, research examining the role of consumer advocacy groups and their influence on the other publics is lacking. This void is particularly acute with regard to investigating advocacy groups' influence on the public agenda, the media agenda, self-regulation and public policy. Media coverage Media coverage of privacy issues has also received little attention from marketing scholars. Although few, the media studies (e.g., Petrison and Wang 1995; Phelps et al. 1994; Roznowski 2003) suggest that media coverage influences the perceptions and responses of the other publics. Such research is more common in public relations and communications and the literature in those fields can be used as the foundation for further work with regard to privacy. Future research examining media responses to privacy issues must extend the examination of coverage and the influence of that coverage on other publics. It will be equally important to understand the roles that other
publics and situational factors play in determining the media agenda. It will also be crucial to identify trends and transitions in the roles played by traditional independent news media and the new controlled and uncontrolled media. Self governance Marketers' information privacy practices directly reflect their information needs and their perceptions of information value. Marketers' information practices are influenced by the responses of the other publics. Privacy laws, for instance, mandate certain actions from marketers. The focus here, however, is not on legislative mandates but on self governance as a mechanism through which marketers attempt to alleviate the concerns expressed by the various publics. Suggestions from regulatory agencies and industry associations are often adopted by marketers and incorporated in information policies. For example, both the FTC and the Direct Marketing Association (DMA) suggest that privacy notices follow the principles of fair information practices. Most large organizations have been compliant and have posted privacy notices online (Schwaig, Kane, and Storey 2006). Marketers' are cognizant of media coverage, advocacy efforts, and consumer privacy concerns. Although particularly interested in alleviating the concerns expressed by their customers, marketers work to develop and maintain good relationships with each of the publics. Therefore, research is needed that clarifies positions of the various publics and proposes solutions that account for the varied interests. Further research exploring the impact of marketers' information policies, consumer characteristics and situational factors on consumer behavior would prove insightful to marketers and policy makers. Research examining marketers' efforts to influence public perceptions, media coverage and legislative outcomes concerning privacy issues would also prove insightful. Finally, research is needed to identify best practices with regard to privacy and security measures. Empirical research is needed to understand the state of security within organizations and that explores the types of technology that is being employed. Recommendations are needed with regard to the type of Internal Audits that are needed to reduce privacy breaches. Regulation and enforcement Regulation and enforcement represent the responses of public policy makers and attempt to balance the interests of the previously discussed publics so as to best represent the interests of the general public. The current research provides evidence that interactions among the publics influence the debate and the implementation of public policy. Research has shown the level of concern for privacy was high and growing in opinion polls from 1990–2006 (Best, Krueger, and Ladewig 2006). Further, research has shown that there has been a steady increase in articles about privacy, in the US media (Roznowski 2003). Not surprisingly, strong positive correlations were found between the number of articles and number of privacy bills introduced. This suggests that privacy continues to be an important public
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
policy issue and also supports the usefulness of the framework presented here. In the U.S., regulatory response typically seeks to balance consumer concerns with business needs for consumer information. The U.S. regulatory climate is biased in favor of self-regulatory and sectoral responses. Thus, U.S. law tends to pertain to specific publics and channels. For example, regulation and enforcement from the FTC has targeted specific areas where privacy protection was most needed. This is reflected in regulatory responses where the groups that were involved were vulnerable (COPPA), the information was deemed highly sensitive (HIPPA, GLB), or the use of the technology was found to be highly intrusive (Do Not Call), or offensive (CANSPAM). Moreover, as shown in Table 2, enforcement of these regulations has occurred with enough regularity to make many companies wary of potential violations. The lesson here is that as new channels start to mature, there is a chance that regulation will be implemented if privacy issues cannot be addressed through a self-regulatory approach. In other words, if business does not respond appropriately, the government will likely respond. Once again, response is driven by the situation and the actions and reactions of the other important publics in the environment. Conclusion Information privacy is a complex construct that plays an essential role in a multitude of issues facing consumers, marketers, consumer advocates, and public policy makers. The importance of information privacy is clearly reflected in concerns expressed by the vast majority of citizens, not just in the U.S. but worldwide. It is reflected in marketers' investments of money and in time devoted to these issues. It is reflected in the increasing media coverage it garners and in the attention it receives in state and federal government. Despite the clear importance of information privacy issues and increasing attention in scholarly research, there remains a critical need for comprehensive frameworks that integrate evolving information privacy concerns across multiple channels and multiple publics. The current research attempts to address this important void in the literature by offering a framework that both distinguishes and provides common grounds for understanding information privacy issues important to consumers, regulators, and businesses. The framework and the interactions among the factors within the framework represent a Systems Theory approach that has long served as a fruitful research guide across a number of disciplines such as sociology and public relations. However, Systems Theory represents just one of many potentially useful theoretical foundations for exploring the issues discussed here. In our presentation of the framework we identified key issues, discussed previous work in each area and outlined directions for future research. The directions for future research are both extensive and elaborate. Indeed, the framework suggests a number of potential research agendas, comprised of sets of questions exploring issues within specific information channels or publics as well as more macro research questions covering multiple channels and multiple publics. Research
203
exploring the relationships within and among these factors can help to provide a more holistic understanding of why a public (or subset of that public) responds the way they do and how one public might elicit a more favorable response in its interactions with another. In other words, comprehensive research examining the relationships among these factors is needed to provide a better understanding of the privacy environment. The most nuanced understanding is likely to emerge from examinations of the interactions among the various factors. Such research will be more complicated to design, more time consuming and more costly to carry out and will require direct and interactive researchers to carry out sustainable research programs to deepen our understanding of information privacy issues, actors, and environment. References Ashworth, Laurence and Clinton Free (2006), “Marketing Dataveillance and Digital Privacy: Using Theories of Justice to Understand Consumers' Online Privacy Concerns,” Journal of Business Ethics, 67(2), 107–23. Balasubramanian, Sridhar, Robert A. Peterson, and Sirkka L. Jarvenpaa (2002), “Exploring the implications of m-commerce for markets and marketing,” Journal of Academy of Marketing Science, 30(4), 348–61. Barkuus, Louise and Anind Day (2003), “Location-Based Services for Mobile Telephony: A Study of Users' Privacy Concerns,” Proceedings of the INTERACT 2003, 9th IFIP TC13 International Conference on Human– Computer Interaction. Best, Samuel J., Brian S. Krueger, and Jeffery Ladewig (2006), “The Polls– Trends: Privacy in the Information Age,” Public Opinion Quarterly, 3, 375–401 (Fall). Cain, Rita M. (2002), “Global Privacy Concerns and Regulation — Is the United States a World Apart? International Review of Law, Computers & Technology, 16(1), 23–34. Ciochetti, Corey A. (2007), “E-Commerce and Information Privacy: Privacy Policies as Personal Information Protectors,” American Business Law Review, 44, 55–126 (Spring). Culnan, Mary J. and Pamela K. Armstrong (1999), “Information Privacy Concerns, Procedural Fairness, and Impersonal Trust: An Empirical Investigation,” Organization Science, 10(1), 104–15. Davenport, Thomas H. and Jeanne Harris (2007), “The Dark Side of Customer Analytics,” Harvard Business Review, , 37–48 (May). Deighton, John (1998), “Editorial: The Right to Be Let Alone,” Journal of Interactive Marketing, 12(2), 2–4. ——— and Leora Kornfeld (2009), “Digital Interactivity: Unanticipated Consequences for Markets, Marketing, and Consumers,” Journal of Interactive Marketing, 23(1), 4–10. DeMarco, David A. (2006), “Understanding Consumer Information Privacy in the Realm of Internet Commerce: Personhood and Pragmatism, Pop-Tarts and Six-Packs,” Texas Law Review, 84(4), 1013–64. Dinev, Tamara and Paul Hart (2006), “An Extended Privacy Calculus Model for E-Commerce Transactions,” Information Systems Research, 17(1), 61–80. Direct Marketing Association (2007), “The Power of Direct Marketing: ROI, Sales, Expenditures and Employment in the U.S. 2006–2007 Edition. New York, NY: Direct Marketing Association. Dolnicar, Sara and Yolanda Jordaan (2007), “A Market-Oriented Approach to Responsibly Marketing Information Privacy Concerns in Direct Marketing,” Journal of Advertising, 36, 123–49 (Summer). Dommeyer, Curt and Barbara Gross (2003), “What Consumers Know and What They Do: An Investigation of Consumer Knowledge, Awareness, and Use of Privacy Protection Strategies,” Journal of Interactive Marketing, 17(2), 34–51. eMarketer (2007), Security Concerns Hinder Online Buying, Available at http:// www.emarketer.com/Article.asp?id=1004949&src=article2_newaltr. EPIC (2007), Radio Frequency Identification (RFID) systems. Available at http://www.epic.org/privacy/rfid/.
204
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
Federal Trade Commission (2007), Fair Information Practice Principles. Available at http://www.ftc.gov/reports/privacy3/fairinfo.shtm. Ferris, Mark (2007), “Insights on Mobile Advertising, Promotion, and Research,” Journal of Advertising Research, 28–37 (March). Fried, Charles (1968), “Privacy,” Yale Law Journal, 77, 475–93. Glazer, Rashi (1998), “From the Editors: The Illusion of Privacy and Competition for Attention,” Journal of Interactive Marketing, 12(3), 2–4. Goodwin, Cathy (1991), “Privacy: Recognition of a Consumer Right,” Journal of Public Policy & Marketing, 10(1), 149–66. Gross, Ralph, Alessandro Acquisti, and H. John Heinz, III (2005), “Information Revelation and Privacy in Online Social Networks,” Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, 71–80. Hamilton, Anita (2007), “Finding Ways to Snoop Online,” Time.com [http:// www.time.com/time/printout/0,8816,1649121,00.html]. Hemp, Paul (2006), “Avatar-Based Marketing,” Harvard Business Review, , 48–57 June. Hendrix, Jerry A. and Darrell C. Hayes (2007), “Public Relations Cases,” (Seventh Edition). Belmont, CA: Thompson Wadsworth. Hoffman, Lance (1980), “Computers and Privacy in the Next Decade,” New York: Academic Press. Hoffman, Donna L., Thomas Novak, and Marcos Peralta (1999), “Information Privacy in the Marketspace: Implications for the Commercial Uses of Anonymity on the Web,” The Information Society, 15, 129–39. Holzwarth, Martin, Chris Janiszewski, and Marcus Newman (2006), “The Influence of Avatars on Online Shopping Behavior,” Journal of Marketing, 17(3), 19–36. Langheinrich, Marc (2006), “RFID and Privacy, Security,” in Privacy, and Trust in Modern Data Management, Milan Petkovic and Willem Jonker, eds. pp. 433–450. LaRose, Robert and Nora Rifon (2007), “Promoting i-Safety: Effects of Privacy Warnings and Privacy Seals on Risk Assessment and Online Privacy Behavior,” Journal of Consumer Affairs, 41(1), 127–49. Lavin, Marilyn (2006), “Cookies: What Do Consumers Know and What Can They Learn? Journal of Targeting, Measurement and Analysis for Marketing, 14(4), 279–88. Lemi, Baruh (2007), “Read at Your Own Risk: Shrinkage of Privacy and Interactive Media,” New Media & Society, 9(2), 187–211. Miceli, Gaetano, Francesco Ricotta, and Michele Costabile (2007), “Customizing Customization: A Conceptual Framework for Interactive Personalization,” Journal of Interactive Marketing, 21(2), 6–25. Milne, George R. (2003), “How Well Do Consumers Protect Themselves from Identity Theft? Journal of Consumer Affairs, 37(2), 388–402 Winter. ——— and Andrew Rohm (2000), “Consumer Privacy and Name Removal Across Direct Marketing Channels: Exploring Opt-in and Opt-out Alternatives,” Journal of Public Policy and Marketing, 19, 238–49 (Fall). ——— and Andrew Rohm (2003), “The 411 on Mobile Privacy,” Marketing Management, , 41–5 (July/August). ——— and Mary Culnan (2004), “Strategies for Reducing Online Privacy Risks: Why Consumer Read (or Don't Read) Online Privacy Notices,” Journal of Interactive Marketing, 18(3), 15–29. ——— and Mary Ellen Gordon (1993), “Direct Mail Privacy-Efficiency Tradeoffs Within an Implied Social Contract Framework,” Journal of Public Policy and Marketing, 12, 206–15 (Fall). ——— and María-ugenia Boza (1999), “Trust and Concern in Consumers' Perceptions of Marketing Information Management Practices,” Journal of Interactive Marketing, 13(1), 5–24. ———, Andrew Rohm, and Shalini Bahl (2004), “Consumers' Protection of Online Privacy and Identity,” Journal of Consumer Affairs, 38(2), 217–32. Miyazaki, Anthony D. and Sandeep Krishnamurthy (2002), “Internet Seals of Approval: Effects on Online Privacy Policies and Consumer Perceptions,” Journal of Consumer Affairs, 36(1), 28–49. Montgomery, Alan L. and Michael D. Smith (2009), “Prospects for Personalization on the Internet,” Journal of Interactive Marketing, 23(2), 130–7. Murray, Kyle B. and Gerald Häubl (2009), “Personalization without Interrogation: Towards More Effective Interactions between Consumers and Feature-
Based Recommendation Agents,” Journal of Interactive Marketing, 23(2), 138–46. Neslin, Scott A. and Venkatesh Shankar (2009), “Key Issues in Multichannel Customer Management: Current Knowledge and Future Directions,” Journal of Interactive Marketing, 23(1), 70–81. Norberg, Patricia A., Daniel R. Horne, and David A. Horne (2007), “The Privacy Paradox: Personal Information Disclosure Intentions versus Behavior,” The Journal of Consumer Affairs, 41(1), 100–26. Nowak, Glen and Joseph Phelps (1992), “Understanding Privacy Concerns,” Journal of Direct Marketing, 6(4), 28–39. Petrison, Lisa A. and Paul Wang (1995), “Exploring the Dimensions of Consumer Privacy: An Analysis of Coverage in British and American Media,” Journal of Direct Marketing, 9(4), 19–36. Petty, Ross (2000), “Marketing Without Consent: Consumer Choice and Costs, Privacy, and Public Policy,” Journal of Public Policy & Marketing, 19(1), 42–53. Pew (2006), “The Future of the Internet II,” Available at http://www. pewinternet.org/pdfs/PIP_Future_of_Internet_2006.pdf. Phelps, J., Glen Nowak & E. Ferrell (2000), “Privacy Concerns and Consumer Willingness to Provide Personal Information,” Journal of Public Policy & Marketing, 19(1), 27–41. Phelps, Joseph, William Gonzenbach, and Edwards Johnson (1994), “Press Coverage and Public Perception of Direct Marketing and Consumer Privacy,” Journal of Direct Marketing, 8(2), 9–21. ———, Giles D'Souza, and Glen Nowak (2001), “Antecedents and Consequences of Consumer Privacy Concerns: An Empirical Investigation,” Journal of Interactive Marketing, 15(4), 2–17. Ponemon Institute (2007), “2007 Consumer Survey on Data Security,” available at http://www.vontu.com/uploadedfiles/global/2007_Data_Security_Consumer_ Survey.pdf. Privacy Rights Clearinghouse (2007), “Chronology of Data Breaches,” available at http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP. Prosser, William L. (1960), “Privacy,” California Law Review, 48(3), 383–423. Roznowski, Joann L. (2003), “A Content Analysis of Mass Media Stories Surrounding the Consumer Privacy Issue 1990–2001,” Journal of Interactive Marketing, 17(2), 52–69. Sackmann, Stephan, Jens Strucker, and Rafael Accorsi (2006), “Personalization in Privacy-Aware Highly Dynamic Systems,” Communications of the ACM, 49(9), 32–8. Saponas, Scott T., Jonathan Lester, Carl Hartung, Sameer Agarwal, and Tadayoshi Kohno (2007), “Devices That Tell on You: Privacy Trends in Consumer Ubiquitous Computing,” 16th USENIX Security Symposium 2007. Sappington, David and Alvin Silk (2003), “Overview of the Special Issue— Marketing's Information Technology Revolution: Implications for Consumer Welfare and Economic Performance,” Journal of Public Policy & Marketing, 22(1), 3. Schwaig, Kathy S., Gerald Kane, and Veda C. Storey (2006), “Compliance to the Fair Information Practices: How are the Fortune 500 Handling Online Privacy Disclosures? Information & Management, 43, 805–20. Shah, Jaymeen R, Garry L. White, and James R. Cook (2007), “Privacy Protection Overseas as Perceived by USA-Based IT Professionals,” Journal of Global Information Management, 15(1), 68–81. Solove, Daniel (2006), “A Taxonomy of Privacy,” University of Pennsylvania Law Review, 154, 477–564. Schlosser, Ann, Tiffany Barnett White, and Susan M. Lloyd, (2006), “Converting Web Site Visitors into Buyers: How Web Site Investment Increases Consumer Trusting Beliefs and Online Purchase Intentions,” Journal of Marketing, 70(2), 133–148. Schoenbachler, Denise and Geoffrey Gordon (2002), “Trust and Customer Willingness to Provide Information in Database-Driven Relationship Marketing,” Journal of Interactive Marketing, 16(3), 2–16. Shankar, Venkatesh and Edward C. Malthouse (2006), “Editorial: Moving Interactive Marketing Forward,” Journal of Interactive Marketing, 20(1), 2–4. ——— and Edward C. Malthouse (2007), “Editorial: The Growth of Interactions and Dialogs in Interactive Marketing,” Journal of Interactive Marketing, 21, 2–4 (Spring).
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205 ——— and Sridhar Balasubramanian (2009), “Mobile Marketing: A Synthesis and Prognosis,” Journal of Interactive Marketing, 23(2), 118–29. Swartz, John (2006), “Researchers See Privacy Pitfalls in No-Swipe Credit Cards,” New York Times. October 23. United States Department of Commerce (2007), “Quarterly Retail E-Commerce Sales,” available at http://www.census.gov/mrts/www/ecomm.html. Urban, Glen L., Cinda Amyx and Antonio Lorenzon (2009), “Online Trust: State of the Art, New Frontiers, and Research Potential,” Journal of Interactive Marketing, 23(2), 179–90.
205
Wang, Huaiqing, Matthew K. Lee, and Chen Wang (1998), “Consumer Privacy Concerns About Internet Marketing,” Communications of the ACM, 41(3), 63–70. Warren, Samuel and Louis Brandeis (1890), “The Right to Privacy,” Harvard Law Review, 4(5), 193–220. Westin, Alan F. (1967), “Privacy and Freedom,” New York: Atheneum; 1967. Zogby International (2007), “Zogby Poll: Most Americans Worry About Identify Theft,” released: April 03, 2007, available at http://www.zogby. com/search/ReadNews.dbm?ID=1275.
Journal of Interactive Marketing 23 (2009) 191 – 205 www.elsevier.com/locate/intmar
Information Privacy Research: Framework for Integrating Multiple Publics, Information Channels, and Responses James W. Peltier a,⁎, George R. Milne b & Joseph E. Phelps c a
College of Business and Economics, University of Wisconsin-Whitewater, 800 W. Main Street , Whitewater, WI 53190, USA b Isenberg School of Management, University of Massachusetts Amherst, Amherst, MA 01003, USA c College of Communications and Information Sciences, The University of Alabama, Tuscaloosa, AL 35487-0172, USA
Abstract This article puts forth a framework for understanding critical consumer information privacy issues in direct and interactive marketing that consists of three broad dimensions: (1) multiple publics, (2) information channel developments, and (3) the publics' responses to privacy actions. Within this structure, the authors review and integrate existing research and issues, and identify an agenda for future research. © 2009 Direct Marketing Educational Foundation, Inc. Published by Elsevier B.V. All rights reserved.
Introduction Today consumers have many options for learning about, evaluating, transacting with, and maintaining relationships with marketers. Direct mail, catalogs, the Internet, telemarketing, mobile communications, interactive television, and in-store media all offer a means by which consumers can interact in the marketplace at the time and location of their choice. From the supply side, recent advances in computer and database technologies have enhanced the opportunity for marketers to inexpensively collect, share, and use personal information acquired through multiple means to develop personalized buyer–seller relationships (Miceli et al. 2007). These personalized relationships take the form of targeted product offerings and communications delivered through both offline (i.e., direct mail, catalogs, personal selling) and online (i.e., Internet, email) media. Combined, the growth in information channel driven marketing has provided significant benefits to consumers through increased opportunities to learn about new products and services, make more informed purchase decisions, receive offers tailored to their needs, participate in loyalty programs, and maximize shopping convenience (Neslin and Shankar 2009).
⁎ Corresponding author. E-mail addresses: [email protected] (J.W. Peltier), [email protected] (G.R. Milne), [email protected] (J.E. Phelps).
The plethora of transactional and search options available to consumers in interactive environments also comes with potential risks, including the loss of privacy and a host of related side effects of living in an era of easy information access (Deighton and Kornfeld 2009; Norberg, Horne, and Horne 2007). The widespread access to detailed personal records, both legal and illegal, has increased the opportunity for governments, businesses and individuals to misuse consumer information, often with dramatic negative personal and financial consequences. The Patriot Act, phishing, data hacking, identity theft, spam, and compromised databases have all heightened consumers' anxiety regarding whether their personal data are safe in the hands of the organizations with which they transact. As a consequence, the need to curtail the improper access to, sharing of, and use of personal information is receiving increased attention by the news media, state and federal legislators, watchdog groups, and ultimately, consumers (Lemi 2007). The direct marketing industry is particularly vulnerable to negative perceptions about how it collects, uses, shares, and safeguards consumer information and has a critical economic stake in reducing consumers' privacy fears (Dolnicar and Jordaan 2007). Undeniably, direct marketing is big business, with forecasted sales of $2.064 trillion in 2007, a 6.5% increase over 2006 (Direct Marketing Association 2007). Much of this growth is being fueled by the Internet, a medium that is often criticized for its information privacy practices. Despite the fact that the vast majority of consumers have access to the Internet, many experts agree that privacy fears are creating an artificially
1094-9968/$ - see front matter © 2009 Direct Marketing Educational Foundation, Inc. Published by Elsevier B.V. All rights reserved. doi:10.1016/j.intmar.2009.02.007
192
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
low ceiling on the potential for online sales (eMarketer 2007; Pew 2006). As support, privacy advocates point to the fact that although online spending was $109 billion in 2006, an increase of 23.5% from 2005, this represents only about 2.8% of U.S. retail sales (USDC Quarterly Report 2007). In response to growing consumer privacy concerns, three countervailing forces are using their influence to stem the flow of improper information practices. From a top-down perspective and driven in part by widespread media coverage of privacy violations and improper information practices, federal and state legislatures are increasingly enacting and/or introducing laws to protect consumers. Although the cost–benefit ratio of many of these consumer privacy laws is debatable, there is little doubt that the current political climate in the U.S. foreshadows that more rather than less legislative actions are on the horizon (Cain 2002; Ciochetti 2007). Taking a more bottom-up approach, the direct marketing industry through self-regulation and proprivacy initiatives (e.g., DMA guidelines, public privacy policies, privacy seals, etc.) is sending clear signals of the importance of preserving consumers' information privacy rights (Milne and Culnan 2004). Lastly, consumers are taking actions to limit their vulnerability to potential privacy violations by refusing information requests, opting out of direct marketing lists, enrolling in no-call lists, abandoning online shopping carts, and avoiding non-retail purchases all together (Dommeyer and Gross 2003; eMarketer, 2007; LaRose and Rifon 2007; Schoenbachler and Gordon 2002). In a recent editorial in a special issue on consumer privacy in the Journal of Public Policy and Marketing, the editors noted that marketing scholars have been slow to embrace public policy as a mainstream topic deserving “sustained” research attention, and specifically with regard to privacy issues in information channel environments (Sappington and Silk 2003). Dating back to its inception, the Journal of Interactive Marketing has encouraged conceptual and empirical research on consumer privacy in the electronic age (c.f. Deighton 1998; Glazer 1998; Shankar and Malthouse 2006, 2007). In response to these calls to action, a steady stream of research is emerging investigating a host of information privacy concerns. Despite this recent attention in the privacy literature, virtually ignored are comprehensive frameworks that integrate evolving information privacy concerns across different information channels and multiple publics. Especially needed are conceptual frameworks that both distinguish and provide common grounds for understanding information privacy issues important to consumers, regulators, and businesses (Ashworth and Free 2006; Ciochetti 2007; DeMarco 2006). In this article we put forth a framework for understanding critical consumer information privacy issues in direct and interactive marketing. To this end, we examine privacy concerns pertinent to multiple publics, including regulatory agencies, consumers, direct marketing organizations, and consumer advocacy groups. Importantly, because the lines between “offline” and “online” direct media are becoming increasingly blurred, we then extend our focus to include research issues relevant in a wide variety of information channels. Of note, since many of these information channels are
in their infancy, we offer an information privacy agenda for spurring conceptual and empirical research in this rapidly changing area of discovery. Prior to presenting our framework and introducing our future research agenda, we first provide a historical perspective of information privacy. Historical perspective and framework introduction Defining privacy Having roots in multiple disciplines, there is no clear consensus of the exact nature and scope of the privacy construct. Early scholars defined privacy as the right to be left alone (Warren and Brandeis 1890), refined later by Prosser (1960) to include freedom from intrusion of a person's seclusion or solitude. In today's direct marketing context, the right to be left alone is the foundation for anti-spam legislation, no-call lists and other opt-out lists. During the initial stage of the computer revolution, Westin (1967) defined “information privacy” as the right of “individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (p. 7). Extending Westin, Fried (1968) offered the idea of managing one's identity through “the control we have over information about ourselves” (p. 482). Hoffman (1980) argued that information rights are more multidimensional in nature and are based on the belief that consumers have the right (1) to know the personal information others are collecting about them, (2) to control the type of information that is shared with third parties, and (3) to direct access to their own personal data. Tying together information protection and the right to be left alone, Goodwin (1991) defined consumer privacy in terms of control over two dimensions: control of information disclosure and control over unwanted intrusions into the consumer's environment. In this regard, the “invasion” of information privacy represents the unauthorized collection, disclosure, or improper use of personal information (Wang, Lee, and Wang 1998). And, the “intrusion” of personal privacy, or right to be left alone, can include the right to be free from unwanted marketing solicitations (Petty 2000). Privacy in the electronic era One of the most basic privacy dilemmas is how to protect consumers' privacy rights in an era of expanding access to personal information amassed from multiple touch points and through emerging technologies (Davenport and Harris 2007). Finding this balance is difficult for direct marketers as the important task of developing virtual and real-time customer relationship management practices is accomplished through the electronic capture, storage, and mining of customerspecific information. To this end, direct marketing organizations capture an extensive array of “customer-identified responses” collected through traditional media such as inbound and out-bound telemarketing, direct mail campaigns, and catalog sales. More recently, the Internet and other emerging information technologies, in addition to allowing easy capture of attitudinal and response data, have enhanced
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
databases thorough the real-time tracking of online behaviors, email, open and click through rates, in-store movements, media usage, physical location/movements, and a host of other detailed pieces of information about customers used to create personalized relationships (Montgomery and Smith (2009); Murray and Häubl (2009)). Although personal data have been collected for many years, the electronic era has simplified the ability of marketers to piece together personally identifying information (PII) from multiple sources to create “digital dossiers” of customers and prospects contained in their database (Solove 2006). An organization's set of digital dossiers is often augmented through external means by appending electronic information provided by data brokers, typically without consumer consent. Although we would contend that PII in and by itself is not a privacy violation, the apparent ease with which digital profiles can be stolen and/or misused raises important concerns. Information privacy framework The preceding discussion offers support that information privacy is an evolving and multi-dimensional construct impacted by a wide range of technological, legal, and ethical considerations. It is also clear that information privacy concerns differ based on the perspective of the public involved. Marketers seek personal information as a means of creating sustainable competitive advantage. Consumers have a personal stake in how their personal dossiers are created, shared and used. Consumer advocacy groups have arisen to give a more powerful voice to consumer concerns and the protection of consumer information, whereas regulatory agencies attempt to balance the rights of consumers and economic stability in the marketplace. Complicating these concerns is that buyer–seller relationships are no longer restricted to a limited set of direct marketing techniques. Rapidly advancing technologies have changed the privacy landscape and underscore the importance of considering information privacy research in light of the
193
multitude of information channels available to consumers today and in the near future. In the remainder of this paper we integrate three key dimensions useful for developing a research agenda on information privacy in the field of direct and interactive marketing: (1) multiple publics, (2) information channel developments, and (3) the publics' responses to privacy actions. These dimensions, as well as situational factors, are illustrated in an overarching systems level framework in Fig. 1. The purpose of the framework is to present and organize a macro view of the factors affecting privacy policy and behavior. While we suggest relationships between the dimensions in Fig. 1, and these are discussed with respect to the publics' response dimension, much of our review focuses discussion on past and future research issues within the dimensions of multiple publics and information channels. We begin by reviewing the concerns of multiple publics and needed research. The publics include consumers, advocacy groups, media, direct marketers and regulatory agencies. Next we review past research and identify a research needs agenda for different information channels. Specifically we review traditional direct marketing, internet/ ecommerce, mobile marketing, RFID/ubiquitous computing, social networking, virtual environments, and multi-channel integration. Third we review the publics' response in terms of consumer behavior, advocacy behavior, media coverage, self governance and regulation/enforcement. Multiple publics Consumers Multiple polls over the past two decades show that consumer privacy concerns are pervasive with nine out of ten U.S. citizens being “very” or “somewhat” concerned about threats to their personal privacy (Best, Krueger and Ladewig 2006). With regard to marketers' use of personal information, consumers' concerns revolve primarily around the basic question of whether
Fig. 1. Conceptual framework.
194
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
marketers behave ethically in their information practices (Culnan and Armstrong 1999; Dommeyer and Gross 2003). This overall concern is expressed in a variety of more specific concerns. For example, consumers are concerned about the amount and types of information collected. Consumers are concerned about data being collected and used without their knowledge or consent. Many consumers are concerned that the information they willingly exchange with one marketer will be sold to others and that they will become the target for additional marketing solicitations. As a consequence, having control over who has access to their personal information is important to the vast majority of consumers (Best, Krueger and Ladewig 2006). While this data sharing represents a misuse to some consumers, data theft is obviously a misuse to all. Zogby International (2007) reports that 94% of Americans worry about identity theft and are concerned that companies are not doing enough to protect their personal information. Although younger adults (18–29) are slightly less concerned about identity theft than older adults, the vast majority of younger adults (86%) worry about identity theft as well. Despite these high numbers and the potential ceiling effect, concerns about identity theft are likely to rise with increasing cases of hacking and data loss along with identity scams such as phishing. Consumers are also concerned about mistakes in their data profiles as these too lead to a type of mistaken identity, or at least mistaken label or categorization applied to the individual consumer. These mistakes may be relatively harmless or could cause real hardship, especially with regard to credit data. The identification of consumer concerns is an area that is well addressed in the scholarly and popular press. However, more research exploring the pathways through which these concerns influence consumer thoughts, feelings, and behaviors is needed. An essential gauge of the importance of information privacy concerns will be found in research assessing the outcomes of these concerns. To best assess the relative influence of information privacy concerns, more comprehensive research which examines consumers interactions and reactions in multichannel and multi-public environments would be most useful. Consumer advocacy groups Since the 1990s, consumer privacy concerns have spawned an increasing number of privacy advocacy groups (e.g., Center for Media Education, Computer Professionals for Social Responsibility, Cypherpunks, Privacy Coalition, and Privacy International). These consumer privacy advocacy groups are associations of consumers and professionals, coalescing around concerns over a single (e.g., Consumers Against Supermarket Privacy Invasion or Numbering) or a set of privacy issues (e.g., Electronic Privacy Information Center). The primary purpose behind these advocacy groups is to inform and influence policy makers, consumers, and marketers. Some, such as Cypherpunks, work to create technological solutions to privacy problems. Others, such as the Electronic Privacy Information Center use a variety of tactics. For example, EPIC strives to influence public policy by lobbying legislators and testifying before Congress. EPIC has also used the court system to litigate challenges to both
commercial and governmental information practices. It, like other advocacy groups, works to inform and influence public perceptions and the media agenda on privacy issues. Research is needed to better understand the influence of these groups with respect to information privacy. Media Consumer advocacy groups and marketers attempt to influence the media agenda because they believe that media coverage influences the perceptions that other publics hold concerning privacy issues. Traditional media publics consist of mass audience print and broadcast news media (e.g., newspapers, magazines, radio and television) as well as specialized media (e.g., trade, industry, or association publications) catering to a more select audience at the local and national levels (Hendrix and Hayes 2007). Relatively little research has examined privacy issues and related media coverage (e.g., Petrison and Wang 1995). Independent research projects, which combined examined over two decades of media coverage (Phelps, Gonzenbach, and Johnson 1994; Roznowski 2003), reported heavy and steadily increasing media attention allocated to information privacy issues. In addition to high levels of consumer concern, Roznowski (2003) also reported a strong positive correlation between amount of media coverage and amount of legislative activity regarding privacy issues. These findings lend support to the assumption that the media can play a critical role as privacy issues develop. Yet, very little is actually known about the nature and scope of potential media influence. Even less research has examined the attempts of the other publics to influence media coverage of privacy issues. Finally, more recent conceptualizations of media publics include media such as personal blogs and this blurs the distinction between independent journalism and other information sources (Hendrix and Hayes 2007). Blogs published by the advocacy groups or marketers are controlled media and provide these publics additional communication channels, separate from the traditional media, with which to disseminate and advocate their positions. The ramifications of these new media options with regard to the relationships among the publics remain unknown. Direct marketers Marketers have a keen interest in alleviating consumer privacy fears. However, developing and implementing information policies to ethically collect, use and safeguard consumer data provide marketers with a number of concerns of their own. First, the patchwork of state, federal, and in the case of multinational companies, international laws can make the process of compliance complex and costly (Shah, White and Cook 2007). This process becomes even more complex with the inclusion of industry guidelines and the proposals of consumer advocacy groups. Second, creating and continually updating a secure and efficient IT infrastructure is a costly ongoing endeavor. Despite the heavy investments made in this area, a recent study found that 42% of IT professionals believed their
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
companies were doing an inadequate job of protecting confidential information from loss or theft (Ponemon Institute 2007). Some marketers question just how important information privacy really is to consumers and if the actual level of concern merits the investment committed to information practices. Directly related to this concern is that marketers question whether a competitive advantage is more likely to belong to the company most aggressively using consumer data to gain consumer insights or to the company that patterns its information practices to be most respectful of consumer privacy rights. Regulatory agencies and information privacy legislation Federal and state privacy legislation evolved slowly during the United State's first 200 years as a nation. Not surprisingly, the unprecedented access to personal information spawned by advancing computer technologies and the desire to use this information have contributed to dramatic increases in the
195
number of more recent federal and state privacy laws that have been enacted and/or proposed. Although it is beyond the scope of this article to present the complete array of federal and state privacy laws, below we briefly discuss the Fair Information Practices (FIP) outlined by the Federal Trade Commission. These FIP are important to our research agenda for three reasons. First, recent privacy litigation at the federal and state level has primarily focused on violations of these practices. Second, ethical businesses are beginning to align their privacy initiatives with FIP. Lastly, the FTC's FIP tend to match up closely with most frequently mentioned concerns that consumers have with how their data are collected and used. Although not discussed here, Table 1 provides a summary of other important federal legislation and guidelines pertinent to the information privacy debate. The FTC is most closely involved with U.S. privacy laws and is responsible for handling violations of the Federal Privacy Act of 1974. Although they have been modified over
Table 1 Privacy legislation Law
Summary
Freedom of Information Act, enacted 1966, amended 1996
Guarantees third party access to federal records, including personal information in the control of federal agencies. Designed to promote accuracy, fairness, and privacy of information in the files of every “consumer reporting agency”, the credit bureaus that gather and sell information about consumers to creditors, employers, landlords and other businesses. Applies to the records of federal government agencies. Requires agencies to apply basic fair information practices to records containing personal information. Prohibits tampering with computers or accessing certain computerized records without authorization. Prohibits disclosure of the contents of stored communications. Amends federal wiretap law to electronic communications such as email, cell phones, private communications carriers, and computer transmissions. Also sets restrictions on access to stored wire and electronic communications and transaction records. Amends the federal Privacy Act of 1974 to set requirements that federal agencies must follow when matching information on individuals with information held by other federal, state or local agencies. Requires entities that use the telephone to solicit individuals, to provide such individuals with the ability to prevent future telephone solicitations. The Act makes it a federal crime to use another's identity to commit an activity that violates Federal law or that is a felony under state or local law. Requires financial institutions to issue privacy notices to their customers, giving them the opportunity to opt-out of some sharing of identifiable financial information. Prohibits State Departments of Motor Vehicles (DMVs) from releasing “personal information” from drivers' licenses and motor vehicle registration records. COPPA requires commercial Web sites and other online services directed at children 12 and under, or which collect information regarding users' age, to provide parents with notice of their information practices and obtain parental consent prior to the collection of personal information from children. Requires health care organizations to “maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information. Protected health information includes medical records, patient logs, insurance, billing and other personally identifiable health information. This Act authorizes the FTC to implement and enforce a do-not-call registry. The Act also ratified the do-not-call registry provision of the FTC's Telemarketing Sales Rule FACTA amended the existing Fair Credit Reporting Act providing consumers, companies, consumer reporting agencies and regulators with new tools to expand consumer access to credit, enhance the accuracy of consumer financial information, and help fight identity theft. The Controlling the Assault of Non-Solicited Pornography and Marketing Act establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them. Sets rules and penalties for identity theft.
Fair Credit Reporting Act (FCRA), enacted in 1970
Federal Privacy Act of 1974 Electronic Communications Privacy Act (1986) Electronic Communications Privacy Act of 1986
Computer Matching & Privacy Protection Act of 1988
Telephone Consumer Protection Act (TCPA), effective 1992 Federal Identity Theft Assumption and Deterrence Act of 1998 Financial Services Modernization Act of 1999 (Gramm–Leach–Bliley Act) Driver's Privacy Protection Act of 1994, Effective 1997 Children's Online Privacy Protection Act (COPPA), effective 2000
Health Insurance Portability and Accountability Act of 1996 (HIPAA), effective 2001
Do-Not-Call Registry Act of 2003 Fair and Accurate Credit Transactions Act of 2003 (FACTA)
CAN-SPAM Act of 2003, amended 2004
Identity Theft Penalty Enhancement Act of 2004
196
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
time, the FTC has four stated fair information practices for protecting consumer privacy (Federal Trade Commission 2007): (1) notice/awareness, (2) choice/consent, (3) access, and (4) security. Notice/awareness Consumers should be informed about the organization's information practices and this could include notice of the entity collecting these data, how these data will be used, identification of data recipients, how data are to be collected, whether provision is voluntary or required, and any steps taken to ensure the confidentiality, integrity and quality of these data. According to the Commission, notice is the most fundamental principle because individuals cannot make an informed decision regarding disclosure of their personal information without it. Regarding notice, consumers are concerned about the amount and the sensitivity of the information that marketers collect (Milne and Boza 1999; Phelps, D'Souza, and Nowak 2001).
Choice/consent At its core, choice refers to letting consumers have options regarding how their personal information is used. Most commonly, choice involves the use of information beyond the immediate transaction such as being added to the company's mailing list for future promotions or transferal to third parties. Consent is typically established through an opt-in (need to specify approval) or opt-out (must ask for removal) mechanism. More recently, direct marketers have created preference centers, allowing for a menu of choice options. Access Consumers have the right to view their personal data and to contest any inaccuracies. The access process must be timely, relatively inexpensive, and easy to contest, verify and amend. Integrity/security Collected data should be accurate and secure from unwarranted access. Data integrity requires a sound collection
Table 2 Selected settlements in violation of FIP principles FIP
Company/settlement date
Notice/awareness Centurion Financial Benefits (2007)
Choice/consent
Access
Integrity/security
Consumers were told they were giving information for a $2000 limit credit card limit. They instead received an application for a stored value/cash card with no line of credit and could be used once consumer first transferred funds to the card (2007). Sony BMG (2005) Sent flawed and overreaching computer program via millions of music CDs. BMG said they placed program on CDs to restrict consumer use of the music on the CDs, but also allowed for reporting customer listening of the CDs and installing undisclosed and in some cases hidden files on users' computers that could expose users to tampering by third parties (also a consent issue) (2005). DoubleClick (2002) Violated state and federal laws by surreptitiously tracking and collecting consumers' personally identifiable data and combining it with information on their Web surfing habits (2002). Bank of America (2007) Bank of America disclosed consumers' personal, private, confidential information to third parties without consent (2007). Gateway Learning Corporation (2004) Rented personal information in violation with promises made in its privacy policy. After collecting consumer information, it changed its privacy policy to allow sharing of information without notifying consumers or getting their consent (2004). Cartmanager International (2005) FTC alleged that CartManager did not adequately inform consumers or merchants that it would collect and rent this information and that it acted knowing that renting the information was contrary to many merchants' privacy policies. Quicken Loans (2002) Failed to provide “adverse action” notices in violation of the Fair Credit Reporting Act. Failed to comply with the provisions of the Act to notify the consumer when an action is based wholly or partly on the consumer's credit report. The notice is designed to give consumers the opportunity to dispute the accuracy or completeness of the information in the credit report (2002). Performance Capital Management (2001) PCM provided credit bureaus with inaccurate “delinquency dates” for its accounts, resulting in negative information remaining on consumers' credit reports. PCM failed to investigate consumer disputes referred by credit bureaus, and by failing to notify credit bureaus when consumers disputed collection accounts with PCM (2001). Guidance Software (2006) The FTC charged that Guidance Software's failure to take reasonable security measures to protect sensitive customer data contradicted security promises made on its Web site. Data-security failure allowed hackers to access sensitive credit card information for thousands of consumers. According to the complaint, Guidance failed to implement simple, inexpensive and readily available security measures to protect consumers' data. ChoicePoint, Inc. (2006) Failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers. The security breach resulted in millions of dollars in fraudulent purchases. Microsoft Corp. (2002) FTC alleged that Microsoft didn't employ reasonable and appropriate measures to maintain and protect the privacy and confidentiality of consumers' personal information collected through its Passport and Passport Wallet services, including credit card numbers and billing information stored in Passport Wallet.
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
197
Table 3 Future research issues Information channels
Future topics
Traditional DM
How do the no call lists and other opt-in/out options affect consumer attitudes toward privacy? What type of information are consumers willing to share across traditional media? What type of benefit do they expect? How do traditional privacy issues translate to electronic media practices? How to resolve the concern–behavior paradox? How best to motivate consumers to be more self efficacious and secure their private information? Under what circumstances will consumers adopt privacy enhancing technologies to evaluate privacy policies? How much privacy are consumers willing to give up for personalization? What is the best format for online notice and choice? What is best format for mobile privacy notices? Which marketing and data collecting activities require consumer permission? What is the best way to obtain consumer permission? Whether and when should consumers be notified of ubiquitous data collection? How best to provide consumers choice? How to apply FIP when multiple data sources are combined? What is the best format to regulate privacy? How do consumers use social networking sites? What factors lead consumers to discount the long term consequences of data disclosure? How much trust do consumes have in their peers? How can marketers ethically communicate through social networking sites? Will social networking sites translate to older consumers as the current audience ages? How does capturing consent in virtual worlds differ from other media? Why do consumers adopt multiple online personalities? Does this help them protect their personal privacy? Does the virtual world allow consumers to explore private aspects of their personality? Does this translate to sales? How can companies take advantage of virtual worlds while protecting privacy and selling to consumer pseudonyms? How best to adhere to FIP when consumers and marketers interact on multiple channel touch points? Why might consumers provide inaccurate or disparate information across channels? Why do consumers seek access to multiple channels? Do privacy breaches occur? Are the systems and structures to handle privacy issues implemented in an inadequate manner within organizations? Is the technology within the organization being employed up-to-date and current to safeguard privacy issues? What types of “Internal Audits” would help organizations answer this question? What proactive measures can an organization undertake that would help reduce the increasing number of privacy and security breaches? What are the best practices used by organizations to safeguard consumers' privacy rights?
Internet
Mobile marketing
RFID/ubiquitous
Social networks
Virtual environments
Multi-channel Organizational issues
process with appropriate checks and balances. Data security involves managerial and technical processes that protect against unauthorized access or use, unplanned loss or destruction of data, or inappropriate disclosure of data. Concern over security is not surprising given the estimated 160 million individual records involved in data breaches from 2005 to mid 2007 (Privacy Rights Clearinghouse 2007). Enforcement/redress Although not an original fair information practice, the FTC acknowledges that enforcement mechanisms are needed to remedy improper information privacy behaviors. Enforcement mechanisms include federal/state legislation, regulatory schemes enforceable in the courts, and self-regulation. To help illustrate FTC enforcement, Table 2 presents examples of recent FTC settlements as they relate to Fair Information Practices1. Information channels This section reviews privacy issues attributed to the many information channels that marketers use to interact with
1 FTC settlements are often made without admission of guilt. These examples summarize original FTC claims made prior to settlement.
customers and prospects (Table 3). The advantage to marketers from using a variety of information channels is that they serve multiple consumer groups and offer customers the opportunity to use those channels most convenient to them at any particular point in time. Another important advantage of information channel marketing is the ability to build a database; the information gathered from one channel can thus be used to support communications to the same customer through other channels. While the gathering and use of information across multiple channels can lead to competitive advantages, there is a wide range of privacy considerations that need addressing. Most privacy research in marketing has been confined to the traditional direct marketing channel and more recently with the Internet. Less attention has been given to the emerging information channels of mobile marketing, technological advancements of RFID and ubiquitous computing, and new Internet applications such as social networks and virtual environments. To fully comprehend how privacy issues will unfold among marketers, consumers and legislative branches, it is important to understand the contextual and situational effects of different information channels and marketing technologies beyond traditional direct marketing media and the Internet. To this end we review the key issues, past research and emerging research opportunities across the following channels: traditional direct marketing, Internet, mobile, RFID and ubiquitous
198
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
computing, social networks, and virtual environments. We conclude by integrating common issues for understanding privacy in a multi-channel context. Traditional DM and core privacy concerns Although many factors have heightened consumer privacy concerns over the years, perhaps the most relevant from a historical perspective is the use and diffusion of traditional direct marketing techniques. For many years direct marketers led the way in collecting individual-specific consumer information and tracking individual consumer purchases (Nowak and Phelps 1992). Advances in technology allowed for increasing amounts of individual-level information to be collected, stored, and analyzed thereby improving direct marketers' segmentation, media selection, message creation and campaign evaluation capabilities. These database marketing techniques are now common practice among direct and general marketers. However, as marketers' use of consumer specific information increased so did consumer concerns over the use of their personal information (Milne and Boza 1999). The relatively recent historical roots of consumer information privacy concerns can arguably be traced back to the development, widespread use, and increased technological sophistication of traditional direct marketing techniques. Consistent with Fair Information Practices, one of the key issues specific to traditional direct marketing channels is the extent to which consumers have control over their personal information and environment. To this point researchers have examined the level of concern consumers have for various types of personal information that marketers collect about them (Milne and Boza 1999), the willingness to provide information across a sensitivity continuum (Phelps, Nowak, and Ferrell 2000), and the costs consumers incur and the tradeoffs consumers make (Milne and Gordon 1993; Petty 2000). Along these same lines, researchers have examined how consumers manage the relationship they have with marketers, including the role of trust in direct marketing relationships (Milne and Boza 1999; Schoenbachler and Gordon 2002). Privacy research has also examined consumer knowledge of laws and regulations (Dommeyer and Gross 2003), and consumer preference for opt-in and opt-out choice formats (Milne and Rohm 2000). Future research needs Given its longer history, research in traditional direct marketing foreshadowed emerging issues in electronic marketing channels. The primary lesson from this literature is that privacy concerns are situational in nature and that a one-sizefits-all approach to understanding privacy rights and strategic response is inadequate in today's information technology age. For example, not all types of information are equally sensitive nor protected by customers, some consumers are willing to share and tradeoff privacy with marketers who have proven their trustworthiness and/or offer benefits for doing so, and some push channels, such as telemarketing, are more intrusive than mail and catalog, which are more pull oriented.
Although research in traditional direct marketing media often seems less glamorous than for emerging interactive channels, there is nonetheless a wide-ranging set of research needs, including how the no call list and other opt-out options have affected consumer attitudes toward privacy, the types of information that customers will share across various traditional media and how they expect this information to be used. Especially interesting is research that seeks to examine how traditional privacy issues translate to electronic media practices and how consumers view the “entire menu” of privacy concerns that exist as they move from direct mail to email, from catalogs to online buying, from telemarketing to online chat and mobile communications, and any of a range of other research topics that help blend multi-channel privacy theories. Internet/ecommerce Consumer privacy concerns in an electronic communication environment are in part a logical extension of the fundamentals flowing from traditional direct marketing, but also need to be investigated in light of domain specific issues emanating from interactive media technologies (Urban, Amyx, and Lorenzon 2009). One key difference is that an online environment allows information collection to take place more quickly, in many different forms, and at more frequent intervals. Given this more interactive data collection environment, adhering to FIP principles such as notice/awareness, choice/consent, and security is very complex, especially with regard to the ability of consumers to control the collection and dissemination of information about them. For instance, behavioral data (e.g., tracking) are frequently collected without consumer consent, or even awareness (Lavin 2006). Such tracking is often accomplished via the planting of cookies, adware, spyware, etc., and can provide the marketer with a detailed profile of an individual's browsing and purchase habits. In contrast, consumers may willingly divulge personal information to register for a website or purchase a product. With so much information being collected and available online, consumers are increasingly concerned about whether their identities are safe from theft (Milne 2003). Recognizing the inherent risk of the online world, research has suggested that building online trust is an effective approach to reduce privacy concerns and to encourage consumers to buy online (Culnan and Armstrong 1999; Hoffman, Novak, and Peralta 1999). Research has shown that trust can be increased by reducing privacy concerns through signaling competence with well designed web sites (Schlosser, Tiffany, and Lloyd 2006). A developing stream of research has also focused on the extent to which consumers protect themselves through use of safe online practices (Milne, Rohm, and Bahl 2004). More specific research has examined consumer use of privacy seals (Miyazaki and Krishnamurthy 2002; LaRose and Rifon 2007) and privacy notices (Milne and Culnan 2004). These and other studies have concluded that although consumers are very concerned about protecting their personal information, they consistently fail to take full advantage of the tools that have been provided to them; making the benefits of fair information practices more difficult
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
to achieve. As a consequence, empirical research grounded in behavioral theories is emerging that attempts to explain this concern–behavior paradox (Norberg, Horne, and Horne 2007). Future research needs Conceptual and empirical research is clearly needed for explaining and resolving the consumer concern–behavior paradox. Motivating consumers to address their concerns through proactive and responsible Internet behaviors is an important step for protecting their privacy rights. One emergent finding is that consumer self efficacy is important for consumers to feel comfortable online. A follow-up research area is to investigate the extent that self efficacy is driven by a generational effect and how to best motivate consumers to be self efficacious (LaRose and Rifon 2007). Another trend is the continued use of personalization of online environments. Future research could explore the extent to which consumers are willing to trade off privacy for personalization. In terms of privacy protection, research can be undertaken to examine whether, and under what circumstances, consumers adopt privacy enhancing technologies to examine online privacy policies. Research should also identify the most effective online privacy warnings for achieving pro-privacy protection behaviors by consumers.
199
Jarvenpaa 2002). Although it could be argued that many of the noted privacy concerns of mobile marketing are not relevant today, they will undoubtedly occur in the not-to-distant future. Japan is a clear harbinger of mobile marketing in the US. Japan has the highest use of mobile phones and leads the world in 3G platform handsets; each user on average sends and reviews 10 emails a day by phone (Ferris 2007). Future research needs Although privacy concerns will likely change as mobile marketing moves from the introduction to the growth stage, research is needed that examines the best formats for mobile privacy notices, which marketing and data collection activities are most likely to need consumer permission, and how that permission can be secured. Taking Japan as an example, the mobile phone has been quite successful for advertising and promoting businesses. Aligning with Japan's 2003 law requiring prior notification, marketers are now developing opt-in procedures for gaining consumer permission. Such approaches involve coupons, sweepstakes, contests and other participation initiatives. Likewise, U.S. businesses and future research should study models that have worked in Japan and see if they would apply in the US. RFID and ubiquitous computing
Mobile marketing The mobile Internet adds value to consumers by offering position awareness and location based services2 (Barkuus and Day 2003; Shankar and Balasubramanian 2009). Although the benefits of mobile Internet access are clear, the fact that consumers are already concerned about Internet privacy and bothersome telemarketing practices hinder its acceptance in the marketplace. As a consequence, one of the key privacy issues in the mobile arena is the potential for excessive intrusion resulting from frequent and unwanted contextual offers pushed to consumers. It may be that a consumer does not want to be interrupted with a coupon offer while driving to a meeting. A second key issue is that consumers may not want information being captured about his or her physical location and purchase context (Milne and Rohm 2003). These privacy concerns become even more salient when they occur in public places, leading to the feeling that consumers are under constant surveillance. Despite the ability to control the on and off switch, consumers often forget that they are connected to their mobile communication devices and could be transmitting a steady stream of real-time information. Since it has only recently emerged as a marketing medium, little conceptual and empirical research exists on mobile privacy here and on a global scale. However, mobile privacy warrants attention because the ability and flexibility of the technology allows consumers (and marketers) to shift the time and space locations of their activities (Balasubramanian, Peterson, and 2 Position awareness is when the phone knows the user enters a building and stops transmitting, such as when a user is in a meeting. Location based services can include coupons and providing the locations of predetermined friends.
Extending beyond mobile phones is the broader trend of ubiquitous computing. Retailers are or will be using RFID Identification and Automatic Video Surveillance to add contextual information to existing databases for personalizing oneto-one communications (Sackmann, Strucker, and Accorsi 2006). An emerging concern is how consumers feel about context-related data being collected about themselves and how this information is used in marketing communications. Context data includes date, time inspecting a product, path through a store, products in a shopping cart, position of products or shopping cart, and any of a wide range of other time-location tracking devices. Interestingly, although this type of context is already in place on the Internet through tracking software, it will become increasingly available in off-line contexts and in settings where consumers have come to expect greater anonymity. Radio Frequency Identification (RFID), in particular, is receiving increased attention from researchers regarding possible privacy violations (Langheinrich 2006). This type of physical tracking system enables data to be transmitted by a tag (with a portable device) to an RFID reader; information is processed according to the need of the specific application. In retail stores the tag may contain identification or location information, product features—including price, color, date of purchase, and so forth. Another emerging issue is how consumers feel about having tags placed on the products they buy and wear. Early on, privacy groups such as CASPIAN organized boycotts against Benetton for their plans to tag clothing (boycottbenetton.org). EPIC has consistently warned about potential losses to consumer privacy where anyone with a reader could capture RFID information (EPIC 2007). For example, it has been demonstrated that credit
200
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
cards using swipe-free RFID technology could be read from readers several feet away (Swartz 2006). Despite these concerns, marketing organizations are continuing to pursue this technology because of available cost savings associated with improved automation, identification, integration, and authentication associated with RFID data collection procedures. Automatic checkout is receiving the most attention; willing shoppers walk through a RFID reader gate, their purchases are electronically recorded, and their purchases are then billed to their credit card. Future research needs Ubiquitous computing through RFID and other techniques presents a unique set of privacy dilemmas, most of which have not been studied to date. For example, with ubiquitous computing, information is continuously being collected without any indication or signal from the retailer. Since there is no “recording light” consumers are unaware that data collection is occurring, which is clearly in conflict with FIP. An important research question is whether and when consumers should be notified that data are being collected (notice/awareness). Moreover, data can be collected often without any specific purpose. Research is thus needed that investigates ways to secure choice/consent and under which situations choice/ consent is more appropriate. Similarly, because data from multiple devices can be combined and attributed to unique customer identification, research targeting multiple information sources and consumer acceptance has merit. Combined, these observations raise issues on how best to implement fair information practices. Regulating such data collection is difficult since the devices record multiple events. For example, a camera can capture many consumers at a time. This makes privacy policies regarding individual privacy preferences virtually impossible. Sackmann et al. (2006) suggest that in such dynamic environments that privacy be evaluated post hoc by analyzing privacy evidence from the files. Evaluating different permission formats is thus an important topic for future research.
friends, photos, group events and account settings. Gross, Acquisti, and Heinz (2005) found that students revealed extremely personal information about themselves and only a small percentage of users chose to implement more restrictive privacy preference options. An important privacy concern for social networking sites is the fact that “unprotected” information becomes part of the public domain and is readily accessible to others. These data are often open to the growing phenomenon of “online snooping”. As noted by Hamilton (2007), the purpose of 30% of all Web searches is to find people. Search companies such as PeekYou, Spock, Wink, and ZoomInfo help find people by scouring the social networking sites such as MySpace, Facebook, Friendster, Yahoo!, Flickr and others. Since this is public information, the search companies do not need consumers' permission. Unfortunately, the resulting profiles from these searches often can contain errors, may be embarrassing, or can lead to potentially dire consequences. Future research needs Privacy research in social networking settings is virtually unlimited. In addition to general research investigating how consumers use these sites today and in the future, research is needed that investigates factors that lead consumers to discount the importance of the long term consequences of data disclosure and other risky behaviors. Evaluating risk perspectives and long term consequences of data may help in the formation of privacy notice warnings or policies. Another issue is the role of peer to peer trust. A future research question is whether consumers can trust other consumers given the fact that individuals are reported to lie about themselves. Virtually unexplored is how marketers can ethically communicate with consumers either directly from information captured from social networking sites or through online affiliate programs. Importantly, because social networking sites are more common today for younger consumers, how this phenomenon transfers across the product life-cycle to older audiences deserves special research attention. Virtual environments
Social network sites The posting of personal information through social networking sites such as Friendster, Myspace, and Facebook is a new and exploding form of interactive communication. Students were the earliest adopters of this interactive technology, through which they created pages of personal profiles and information about themselves that they then communicated to the world. Since its inception, social networking has received considerable exposure in the popular press through accounts of stalking, identity theft, and other privacy losses. Although in its infancy, extant research has primarily been descriptive in nature and has documented students' use of social network sites. Of interest, although social network sites have privacy controls, relatively few students take control of protecting themselves. On most popular social network sites, a person's name, when joined, school status, and email are required data fields. Participants also have the opportunity to add a personal profile, a list of
The virtual world is one of the newest interactive channels. In a virtual world, consumers and marketers use avatars to communicate with each other in online sites such as Second Life. Avatars, which are graphic representations that are animated by means of computer technology, have been shown to be effective for improving sales and customer satisfaction. A key issue is that in this type of digital environment all dialogues can be captured and stored in databases for subsequent sales interactions. Although limited, recent research has examined the use of avatars for generating sales. In a virtual world, sales avatars can automatically adjust their sales presentation via computer scripts designed to mimic the customer's avatar. Moreover, it is possible for a sales avatar to adopt the gestures of all customers in a room simultaneously such that each customer sees his or her features and actions being mirrored back (Hemp 2006). This efficiency builds higher levels of trust, which can easily be exploited to the marketer's advantage. Other research
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
has shown that attractive avatars are more effective and well liked than less attractive avatars (Holzwarth, Janiszewski, and Newman 2006). Future research needs A research question that arises is whether the information that is gathered by marketers in these situations needs customer consent, and if so, how might capturing consent in the virtual word differ from that needed in other media? In terms of consumer behavior, the virtual world raises the question of why consumers adopt multiple online personalities. Is the adoption of such an identity for the protection of personal privacy? When a consumer's real world identity is kept private, does it afford the consumer the opportunity to examine other aspects of his or her personality? Does this engagement in fun and fantasy expand the consumers purchasing options? Most importantly, research is needed on how real world companies can best take advantage of this new environment while still protecting consumer privacy and selling to customer pseudonyms. Multi-channel integration Technological advances have consistently altered the privacy landscape. Emergent technologies often offer marketers and unwanted parties a new approach for invading the privacy rights of consumer. Information technology has also fueled the growth of the direct marketing industry and has provided marketers with database tools to study consumers on a one-to-one basis, which in turn have sparked increased privacy concerns. As new information technologies become available, consumers, marketers, and regulatory agencies will continually be forced to pay close attention to potential privacy violations (Saponas et al. 2007). Complicating matters is that the ever increasing number of communication and response channels make it more difficult to coordinate and protect consumer privacy rights. The vast majority of privacy research in the direct marketing field has focused on specific issues in specific channels and for specific publics. Although we have outlined issues that cross publics and channels, conceptual research is needed that provides taxonomies for furthering our understanding of privacy issues in an evolving multi-channel world. Particularly needed is multi-channel research that addresses how to best adhere to fair information practices, including how customers become aware of data collection practices from various touch points, how they are able to opt-in or opt-out of data collections procedures from the various channels in which they interact, and how the presence or absence of appropriate notice practices impact consumer behavior. Regarding choice/consent, multichannel research is needed that adds to the consumer privacy debate by increasing our understanding of the reasons and the types of data consumers are willing to disclose to information requests in some channels but not others. This becomes even more important as new channels enter the mix and marketers wish to speed their rate of adoption as a personalization medium. As with the other FIP, access becomes more complicated as data from various touch points must be validated by consumers and marketers alike. Research is thus needed that
201
explores why consumers might provide inaccurate or disparate information across channels, what motivates them to seek access to data from different channels, and how marketers can improve their data collection and validated practices. Lastly, as the number of available information channels grows and the technology that drives them becomes even more sophisticated, consumers will have a whole new set of security concerns regarding the unwarranted disclosure of the information that they provide across varied touch points as well as the increasing ease in which inappropriate data collection and marketing occurs. In this section of the paper we have identified a number of promising research opportunities involving information channels and privacy issues. Research questions pertaining to each channel were provided and, just as importantly, research issues across multi-channel information environments were presented. Researchers adopting a multiple channel perspective will undoubtedly find that privacy issues initially appear more complicated because of the increased number of factors to be considered. However, to more thoroughly understand the influence of channels on privacy issues and the influence of privacy concerns on channel selection and behavior within that channel (both by consumers and marketers), there is no substitute for research that is more comprehensive in nature. Public's response Having already identified and defined the critical publics, this section of the paper examines key responses in accordance with the framework presented in Fig. 1. The framework suggests that a given public's response to privacy issues is a function of that public's identity, interactions with other publics, channels, and situational factors (e.g., technology, regulatory climate, international and cross cultural variations). As the discussion emphasizes the importance of these interrelationships it highlights the need for researchers to adopt a more comprehensive approach when examining responses to privacy issues. Consumer behavior Two sets of consumer behavior that receive much attention in the privacy literature include providing personal information to marketers and purchase behavior. According to the framework, such consumer behavior is a function of consumer characteristics, the responses of the other publics, the channels in use, and situational factors. Research exploring consumer characteristics and associated variations in privacy concerns (e.g., Zogby International 2007) is well represented in the popular press and the scholarly literature. However, this type of research simply reflects the level of privacy concern by type of consumer and the mere presence of concern is not a stable predictor of consumers' behavioral response (Dinev and Hart 2006). Research examining consumers' privacy-related responses (e.g., Dolnicar and Jordaan 2007) begins to examine factors that mitigate and/or enhance the influence of privacy concerns on consumer behavior. The current paper calls for an even more comprehensive approach as consumer behavior is known to
202
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
vary on a host of factors. For instance, it is known that purchase behavior is influenced by price, product, and channel. The relative influence of consumer privacy concerns on purchase behavior then can only be identified if one also takes into account these other factors known to have an influence. Consumer behavior will also vary depending on past interactions with a specific marketer and level of trust (Milne and Boza 1999). Interactions with advocacy groups and exposure to relevant media coverage are also likely to influence consumer behavior. However, few studies have examined the relative impact of advocacy groups and the media on consumers' privacy-related behaviors. Research examining these issues would begin to fill an important void in the literature. Scholars must also consider situational factors within information privacy research as such factors influence the relevance of an information privacy issue, the role of channel(s), and the response from consumers and other publics. For example, consumer responses are influenced by technological availability, the technological efficacy of the consumer and the relative benefits the channel offers compared to other available informational and transactional alternatives. In sum, a deeper understanding of consumer responses is most likely to emerge from research examining linkages among the elements shown in Fig. 1. Advocacy behavior Similarly, the framework suggests advocacy behavior is a function of the interactions with the other publics as well as channel and situational factors. The importance of interactions with other publics is clear from the conception of an advocacy group. As its purpose is to correct a perceived problem in the environment, the advocacy group actively seeks interactions with consumers, the media, policy makers and business concerns in order to push an agenda and encourage responses from these other publics. Advocacy groups seek to inform consumers and change consumer behavior. They seek to influence self-regulatory responses, privacy law and information policy. As noted earlier, research examining the role of consumer advocacy groups and their influence on the other publics is lacking. This void is particularly acute with regard to investigating advocacy groups' influence on the public agenda, the media agenda, self-regulation and public policy. Media coverage Media coverage of privacy issues has also received little attention from marketing scholars. Although few, the media studies (e.g., Petrison and Wang 1995; Phelps et al. 1994; Roznowski 2003) suggest that media coverage influences the perceptions and responses of the other publics. Such research is more common in public relations and communications and the literature in those fields can be used as the foundation for further work with regard to privacy. Future research examining media responses to privacy issues must extend the examination of coverage and the influence of that coverage on other publics. It will be equally important to understand the roles that other
publics and situational factors play in determining the media agenda. It will also be crucial to identify trends and transitions in the roles played by traditional independent news media and the new controlled and uncontrolled media. Self governance Marketers' information privacy practices directly reflect their information needs and their perceptions of information value. Marketers' information practices are influenced by the responses of the other publics. Privacy laws, for instance, mandate certain actions from marketers. The focus here, however, is not on legislative mandates but on self governance as a mechanism through which marketers attempt to alleviate the concerns expressed by the various publics. Suggestions from regulatory agencies and industry associations are often adopted by marketers and incorporated in information policies. For example, both the FTC and the Direct Marketing Association (DMA) suggest that privacy notices follow the principles of fair information practices. Most large organizations have been compliant and have posted privacy notices online (Schwaig, Kane, and Storey 2006). Marketers' are cognizant of media coverage, advocacy efforts, and consumer privacy concerns. Although particularly interested in alleviating the concerns expressed by their customers, marketers work to develop and maintain good relationships with each of the publics. Therefore, research is needed that clarifies positions of the various publics and proposes solutions that account for the varied interests. Further research exploring the impact of marketers' information policies, consumer characteristics and situational factors on consumer behavior would prove insightful to marketers and policy makers. Research examining marketers' efforts to influence public perceptions, media coverage and legislative outcomes concerning privacy issues would also prove insightful. Finally, research is needed to identify best practices with regard to privacy and security measures. Empirical research is needed to understand the state of security within organizations and that explores the types of technology that is being employed. Recommendations are needed with regard to the type of Internal Audits that are needed to reduce privacy breaches. Regulation and enforcement Regulation and enforcement represent the responses of public policy makers and attempt to balance the interests of the previously discussed publics so as to best represent the interests of the general public. The current research provides evidence that interactions among the publics influence the debate and the implementation of public policy. Research has shown the level of concern for privacy was high and growing in opinion polls from 1990–2006 (Best, Krueger, and Ladewig 2006). Further, research has shown that there has been a steady increase in articles about privacy, in the US media (Roznowski 2003). Not surprisingly, strong positive correlations were found between the number of articles and number of privacy bills introduced. This suggests that privacy continues to be an important public
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
policy issue and also supports the usefulness of the framework presented here. In the U.S., regulatory response typically seeks to balance consumer concerns with business needs for consumer information. The U.S. regulatory climate is biased in favor of self-regulatory and sectoral responses. Thus, U.S. law tends to pertain to specific publics and channels. For example, regulation and enforcement from the FTC has targeted specific areas where privacy protection was most needed. This is reflected in regulatory responses where the groups that were involved were vulnerable (COPPA), the information was deemed highly sensitive (HIPPA, GLB), or the use of the technology was found to be highly intrusive (Do Not Call), or offensive (CANSPAM). Moreover, as shown in Table 2, enforcement of these regulations has occurred with enough regularity to make many companies wary of potential violations. The lesson here is that as new channels start to mature, there is a chance that regulation will be implemented if privacy issues cannot be addressed through a self-regulatory approach. In other words, if business does not respond appropriately, the government will likely respond. Once again, response is driven by the situation and the actions and reactions of the other important publics in the environment. Conclusion Information privacy is a complex construct that plays an essential role in a multitude of issues facing consumers, marketers, consumer advocates, and public policy makers. The importance of information privacy is clearly reflected in concerns expressed by the vast majority of citizens, not just in the U.S. but worldwide. It is reflected in marketers' investments of money and in time devoted to these issues. It is reflected in the increasing media coverage it garners and in the attention it receives in state and federal government. Despite the clear importance of information privacy issues and increasing attention in scholarly research, there remains a critical need for comprehensive frameworks that integrate evolving information privacy concerns across multiple channels and multiple publics. The current research attempts to address this important void in the literature by offering a framework that both distinguishes and provides common grounds for understanding information privacy issues important to consumers, regulators, and businesses. The framework and the interactions among the factors within the framework represent a Systems Theory approach that has long served as a fruitful research guide across a number of disciplines such as sociology and public relations. However, Systems Theory represents just one of many potentially useful theoretical foundations for exploring the issues discussed here. In our presentation of the framework we identified key issues, discussed previous work in each area and outlined directions for future research. The directions for future research are both extensive and elaborate. Indeed, the framework suggests a number of potential research agendas, comprised of sets of questions exploring issues within specific information channels or publics as well as more macro research questions covering multiple channels and multiple publics. Research
203
exploring the relationships within and among these factors can help to provide a more holistic understanding of why a public (or subset of that public) responds the way they do and how one public might elicit a more favorable response in its interactions with another. In other words, comprehensive research examining the relationships among these factors is needed to provide a better understanding of the privacy environment. The most nuanced understanding is likely to emerge from examinations of the interactions among the various factors. Such research will be more complicated to design, more time consuming and more costly to carry out and will require direct and interactive researchers to carry out sustainable research programs to deepen our understanding of information privacy issues, actors, and environment. References Ashworth, Laurence and Clinton Free (2006), “Marketing Dataveillance and Digital Privacy: Using Theories of Justice to Understand Consumers' Online Privacy Concerns,” Journal of Business Ethics, 67(2), 107–23. Balasubramanian, Sridhar, Robert A. Peterson, and Sirkka L. Jarvenpaa (2002), “Exploring the implications of m-commerce for markets and marketing,” Journal of Academy of Marketing Science, 30(4), 348–61. Barkuus, Louise and Anind Day (2003), “Location-Based Services for Mobile Telephony: A Study of Users' Privacy Concerns,” Proceedings of the INTERACT 2003, 9th IFIP TC13 International Conference on Human– Computer Interaction. Best, Samuel J., Brian S. Krueger, and Jeffery Ladewig (2006), “The Polls– Trends: Privacy in the Information Age,” Public Opinion Quarterly, 3, 375–401 (Fall). Cain, Rita M. (2002), “Global Privacy Concerns and Regulation — Is the United States a World Apart? International Review of Law, Computers & Technology, 16(1), 23–34. Ciochetti, Corey A. (2007), “E-Commerce and Information Privacy: Privacy Policies as Personal Information Protectors,” American Business Law Review, 44, 55–126 (Spring). Culnan, Mary J. and Pamela K. Armstrong (1999), “Information Privacy Concerns, Procedural Fairness, and Impersonal Trust: An Empirical Investigation,” Organization Science, 10(1), 104–15. Davenport, Thomas H. and Jeanne Harris (2007), “The Dark Side of Customer Analytics,” Harvard Business Review, , 37–48 (May). Deighton, John (1998), “Editorial: The Right to Be Let Alone,” Journal of Interactive Marketing, 12(2), 2–4. ——— and Leora Kornfeld (2009), “Digital Interactivity: Unanticipated Consequences for Markets, Marketing, and Consumers,” Journal of Interactive Marketing, 23(1), 4–10. DeMarco, David A. (2006), “Understanding Consumer Information Privacy in the Realm of Internet Commerce: Personhood and Pragmatism, Pop-Tarts and Six-Packs,” Texas Law Review, 84(4), 1013–64. Dinev, Tamara and Paul Hart (2006), “An Extended Privacy Calculus Model for E-Commerce Transactions,” Information Systems Research, 17(1), 61–80. Direct Marketing Association (2007), “The Power of Direct Marketing: ROI, Sales, Expenditures and Employment in the U.S. 2006–2007 Edition. New York, NY: Direct Marketing Association. Dolnicar, Sara and Yolanda Jordaan (2007), “A Market-Oriented Approach to Responsibly Marketing Information Privacy Concerns in Direct Marketing,” Journal of Advertising, 36, 123–49 (Summer). Dommeyer, Curt and Barbara Gross (2003), “What Consumers Know and What They Do: An Investigation of Consumer Knowledge, Awareness, and Use of Privacy Protection Strategies,” Journal of Interactive Marketing, 17(2), 34–51. eMarketer (2007), Security Concerns Hinder Online Buying, Available at http:// www.emarketer.com/Article.asp?id=1004949&src=article2_newaltr. EPIC (2007), Radio Frequency Identification (RFID) systems. Available at http://www.epic.org/privacy/rfid/.
204
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205
Federal Trade Commission (2007), Fair Information Practice Principles. Available at http://www.ftc.gov/reports/privacy3/fairinfo.shtm. Ferris, Mark (2007), “Insights on Mobile Advertising, Promotion, and Research,” Journal of Advertising Research, 28–37 (March). Fried, Charles (1968), “Privacy,” Yale Law Journal, 77, 475–93. Glazer, Rashi (1998), “From the Editors: The Illusion of Privacy and Competition for Attention,” Journal of Interactive Marketing, 12(3), 2–4. Goodwin, Cathy (1991), “Privacy: Recognition of a Consumer Right,” Journal of Public Policy & Marketing, 10(1), 149–66. Gross, Ralph, Alessandro Acquisti, and H. John Heinz, III (2005), “Information Revelation and Privacy in Online Social Networks,” Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, 71–80. Hamilton, Anita (2007), “Finding Ways to Snoop Online,” Time.com [http:// www.time.com/time/printout/0,8816,1649121,00.html]. Hemp, Paul (2006), “Avatar-Based Marketing,” Harvard Business Review, , 48–57 June. Hendrix, Jerry A. and Darrell C. Hayes (2007), “Public Relations Cases,” (Seventh Edition). Belmont, CA: Thompson Wadsworth. Hoffman, Lance (1980), “Computers and Privacy in the Next Decade,” New York: Academic Press. Hoffman, Donna L., Thomas Novak, and Marcos Peralta (1999), “Information Privacy in the Marketspace: Implications for the Commercial Uses of Anonymity on the Web,” The Information Society, 15, 129–39. Holzwarth, Martin, Chris Janiszewski, and Marcus Newman (2006), “The Influence of Avatars on Online Shopping Behavior,” Journal of Marketing, 17(3), 19–36. Langheinrich, Marc (2006), “RFID and Privacy, Security,” in Privacy, and Trust in Modern Data Management, Milan Petkovic and Willem Jonker, eds. pp. 433–450. LaRose, Robert and Nora Rifon (2007), “Promoting i-Safety: Effects of Privacy Warnings and Privacy Seals on Risk Assessment and Online Privacy Behavior,” Journal of Consumer Affairs, 41(1), 127–49. Lavin, Marilyn (2006), “Cookies: What Do Consumers Know and What Can They Learn? Journal of Targeting, Measurement and Analysis for Marketing, 14(4), 279–88. Lemi, Baruh (2007), “Read at Your Own Risk: Shrinkage of Privacy and Interactive Media,” New Media & Society, 9(2), 187–211. Miceli, Gaetano, Francesco Ricotta, and Michele Costabile (2007), “Customizing Customization: A Conceptual Framework for Interactive Personalization,” Journal of Interactive Marketing, 21(2), 6–25. Milne, George R. (2003), “How Well Do Consumers Protect Themselves from Identity Theft? Journal of Consumer Affairs, 37(2), 388–402 Winter. ——— and Andrew Rohm (2000), “Consumer Privacy and Name Removal Across Direct Marketing Channels: Exploring Opt-in and Opt-out Alternatives,” Journal of Public Policy and Marketing, 19, 238–49 (Fall). ——— and Andrew Rohm (2003), “The 411 on Mobile Privacy,” Marketing Management, , 41–5 (July/August). ——— and Mary Culnan (2004), “Strategies for Reducing Online Privacy Risks: Why Consumer Read (or Don't Read) Online Privacy Notices,” Journal of Interactive Marketing, 18(3), 15–29. ——— and Mary Ellen Gordon (1993), “Direct Mail Privacy-Efficiency Tradeoffs Within an Implied Social Contract Framework,” Journal of Public Policy and Marketing, 12, 206–15 (Fall). ——— and María-ugenia Boza (1999), “Trust and Concern in Consumers' Perceptions of Marketing Information Management Practices,” Journal of Interactive Marketing, 13(1), 5–24. ———, Andrew Rohm, and Shalini Bahl (2004), “Consumers' Protection of Online Privacy and Identity,” Journal of Consumer Affairs, 38(2), 217–32. Miyazaki, Anthony D. and Sandeep Krishnamurthy (2002), “Internet Seals of Approval: Effects on Online Privacy Policies and Consumer Perceptions,” Journal of Consumer Affairs, 36(1), 28–49. Montgomery, Alan L. and Michael D. Smith (2009), “Prospects for Personalization on the Internet,” Journal of Interactive Marketing, 23(2), 130–7. Murray, Kyle B. and Gerald Häubl (2009), “Personalization without Interrogation: Towards More Effective Interactions between Consumers and Feature-
Based Recommendation Agents,” Journal of Interactive Marketing, 23(2), 138–46. Neslin, Scott A. and Venkatesh Shankar (2009), “Key Issues in Multichannel Customer Management: Current Knowledge and Future Directions,” Journal of Interactive Marketing, 23(1), 70–81. Norberg, Patricia A., Daniel R. Horne, and David A. Horne (2007), “The Privacy Paradox: Personal Information Disclosure Intentions versus Behavior,” The Journal of Consumer Affairs, 41(1), 100–26. Nowak, Glen and Joseph Phelps (1992), “Understanding Privacy Concerns,” Journal of Direct Marketing, 6(4), 28–39. Petrison, Lisa A. and Paul Wang (1995), “Exploring the Dimensions of Consumer Privacy: An Analysis of Coverage in British and American Media,” Journal of Direct Marketing, 9(4), 19–36. Petty, Ross (2000), “Marketing Without Consent: Consumer Choice and Costs, Privacy, and Public Policy,” Journal of Public Policy & Marketing, 19(1), 42–53. Pew (2006), “The Future of the Internet II,” Available at http://www. pewinternet.org/pdfs/PIP_Future_of_Internet_2006.pdf. Phelps, J., Glen Nowak & E. Ferrell (2000), “Privacy Concerns and Consumer Willingness to Provide Personal Information,” Journal of Public Policy & Marketing, 19(1), 27–41. Phelps, Joseph, William Gonzenbach, and Edwards Johnson (1994), “Press Coverage and Public Perception of Direct Marketing and Consumer Privacy,” Journal of Direct Marketing, 8(2), 9–21. ———, Giles D'Souza, and Glen Nowak (2001), “Antecedents and Consequences of Consumer Privacy Concerns: An Empirical Investigation,” Journal of Interactive Marketing, 15(4), 2–17. Ponemon Institute (2007), “2007 Consumer Survey on Data Security,” available at http://www.vontu.com/uploadedfiles/global/2007_Data_Security_Consumer_ Survey.pdf. Privacy Rights Clearinghouse (2007), “Chronology of Data Breaches,” available at http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP. Prosser, William L. (1960), “Privacy,” California Law Review, 48(3), 383–423. Roznowski, Joann L. (2003), “A Content Analysis of Mass Media Stories Surrounding the Consumer Privacy Issue 1990–2001,” Journal of Interactive Marketing, 17(2), 52–69. Sackmann, Stephan, Jens Strucker, and Rafael Accorsi (2006), “Personalization in Privacy-Aware Highly Dynamic Systems,” Communications of the ACM, 49(9), 32–8. Saponas, Scott T., Jonathan Lester, Carl Hartung, Sameer Agarwal, and Tadayoshi Kohno (2007), “Devices That Tell on You: Privacy Trends in Consumer Ubiquitous Computing,” 16th USENIX Security Symposium 2007. Sappington, David and Alvin Silk (2003), “Overview of the Special Issue— Marketing's Information Technology Revolution: Implications for Consumer Welfare and Economic Performance,” Journal of Public Policy & Marketing, 22(1), 3. Schwaig, Kathy S., Gerald Kane, and Veda C. Storey (2006), “Compliance to the Fair Information Practices: How are the Fortune 500 Handling Online Privacy Disclosures? Information & Management, 43, 805–20. Shah, Jaymeen R, Garry L. White, and James R. Cook (2007), “Privacy Protection Overseas as Perceived by USA-Based IT Professionals,” Journal of Global Information Management, 15(1), 68–81. Solove, Daniel (2006), “A Taxonomy of Privacy,” University of Pennsylvania Law Review, 154, 477–564. Schlosser, Ann, Tiffany Barnett White, and Susan M. Lloyd, (2006), “Converting Web Site Visitors into Buyers: How Web Site Investment Increases Consumer Trusting Beliefs and Online Purchase Intentions,” Journal of Marketing, 70(2), 133–148. Schoenbachler, Denise and Geoffrey Gordon (2002), “Trust and Customer Willingness to Provide Information in Database-Driven Relationship Marketing,” Journal of Interactive Marketing, 16(3), 2–16. Shankar, Venkatesh and Edward C. Malthouse (2006), “Editorial: Moving Interactive Marketing Forward,” Journal of Interactive Marketing, 20(1), 2–4. ——— and Edward C. Malthouse (2007), “Editorial: The Growth of Interactions and Dialogs in Interactive Marketing,” Journal of Interactive Marketing, 21, 2–4 (Spring).
J.W. Peltier et al. / Journal of Interactive Marketing 23 (2009) 191–205 ——— and Sridhar Balasubramanian (2009), “Mobile Marketing: A Synthesis and Prognosis,” Journal of Interactive Marketing, 23(2), 118–29. Swartz, John (2006), “Researchers See Privacy Pitfalls in No-Swipe Credit Cards,” New York Times. October 23. United States Department of Commerce (2007), “Quarterly Retail E-Commerce Sales,” available at http://www.census.gov/mrts/www/ecomm.html. Urban, Glen L., Cinda Amyx and Antonio Lorenzon (2009), “Online Trust: State of the Art, New Frontiers, and Research Potential,” Journal of Interactive Marketing, 23(2), 179–90.
205
Wang, Huaiqing, Matthew K. Lee, and Chen Wang (1998), “Consumer Privacy Concerns About Internet Marketing,” Communications of the ACM, 41(3), 63–70. Warren, Samuel and Louis Brandeis (1890), “The Right to Privacy,” Harvard Law Review, 4(5), 193–220. Westin, Alan F. (1967), “Privacy and Freedom,” New York: Atheneum; 1967. Zogby International (2007), “Zogby Poll: Most Americans Worry About Identify Theft,” released: April 03, 2007, available at http://www.zogby. com/search/ReadNews.dbm?ID=1275.