Protecting Privacy Online: Is Self-Regulation Working?

Author(s): Mary J. Culnan

Source: Journal of Public Policy & Marketing, Vol. 19, No. 1, Privacy and Ethical Issues in
Database/Interactive Marketing and Public Policy (Spring, 2000), pp. 20-26
Published by: American Marketing Association
Stable URL: http://www.jstor.org/stable/30000484 .
Accessed: 03/04/2013 18:47

Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at .
http://www.jstor.org/page/info/about/policies/terms.jsp

.
JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range of
content in a trusted digital archive. We use information technology and tools to increase productivity and facilitate new forms
of scholarship. For more information about JSTOR, please contact support@jstor.org.

American Marketing Association is collaborating with JSTOR to digitize, preserve and extend access to
Journal of Public Policy &Marketing.

http://www.jstor.org

This content downloaded from 171.66.33.183 on Wed, 3 Apr 2013 18:47:43 PM

All use subject to JSTOR Terms and Conditions
Protecting Privacy Online: Is Self-Regulation
Working?

Mary J. Culnan
The author assesses the extent to which 361 consumer-orientedcommercial Websites post
disclosures that describe their informationpractices and whetherthese disclosures reflect
fair informationpractices. Althoughapproximately67% of the sites sampledpost a privacy
disclosure, only 14%of these disclosures constitutea comprehensiveprivacy policy. The
study was initiated by the private sector as a progress report to the Federal Trade
Commission(FTC) and is one in a series of effortsdesigned to assess whetherconsumer
privacy can be protected throughindustryself-regulationor whetherlegislation is required.
Although the FTC does not recommendlegislation at this time, the study suggests that an
effective self-regulatoryregimefor consumerprivacy online has yet to emerge.

One policy questioncurrentlybeing addressedin
Washingtonis whetherconsumerprivacyonline can
be protectedthroughself-regulationor whethergov-
ernmentregulation is needed. In this article, I describe the
results of the Georgetown Internet Privacy Policy Study
(Culnan 1999a). The Georgetownstudy surveyedthe extent
to which consumer-oriented".com" Web sites posted pri-
vacy policies and whether these policies reflect fair infor-
mation practices. Partly on the basis of the results of this
study, the Federal TradeCommission (FTC) recommended
in mid-1999 that Congress should not enact Internetprivacy
legislation at this time (FTC 1999a, b). I describe the
methodology of the Georgetown study and summarize the
results. I conclude the article with suggestions for further
researchrelated to Internetprivacy and self-regulation.
Privacy can be defined as people's ability to control the
terms under which their personal information is acquired
and used (Westin 1967). Personal informationis informa-
tion that can be associated with an identifiable individual.
From a business perspective,privacy is really about making
consumerscomfortabledisclosing the personalinformation
needed for relationshipmarketing.This involves simultane-
ously communicating to the consumer the benefits of dis-
closure and providingassurancesthatdisclosureof personal
informationis a low-risk proposition(Culnanand Milberg
1999).
In the Framework for Global Electronic Commerce
(Clinton and Gore 1997), the Clinton administrationstated
that ensuring consumer privacy was essential if electronic
commerce was to realize its full potential. The Internet is
causing a fundamentalshift to a customer-centeredworld in
which customer relationshipmanagementbecomes the core
activity of an e-business. When consumers are dissatisfied
is a professor,The RobertEmmettMcDonough
MARYJ. CULNAN
School of Business,GeorgetownUniversity.Preparation of this
articlewas partiallysupportedby the CreditResearchCenterat
GeorgetownUniversityand by McDonoughSchoolof Business
and GeorgetownUniversitysummerresearchgrants.The study
was fundedby smallgrantsfrom17 differentcompaniesandasso-
ciations.
with their interactionswith a Web site and go elsewhere, the
probability of reengaging that consumer is significantly
reduced (PriceWaterhouseCoopers1999).
Privacy concerns, or an unwillingness to disclose per-
sonal information,were seen by the Clinton administration
as threateningelectronic commerce and the emerging digi-
tal economy. For example, a recent public opinion survey
finds thatprivacyconcernsare an importantreasonthatpeo-
ple who are not already online do not go online (Green
1998). Other surveys of Internetusers find that consumers
who are online decline to provide informationrequestedby
a Web site or providedfalse informationif the site does not
provide notice about why personalinformationis being col-
lected and how it will be used (Georgia Tech Research
Corporation1997; Privacy and American Business 1997).
The section on privacy in the frameworkconcludes with
the following statement:"TheAdministrationconsidersdata
protection critically important. We believe that private
efforts of industryworking in cooperation with consumer
groupsare preferableto governmentregulation,but if effec-
tive privacy protectioncannot be provided in this way, we
will reevaluatethis policy" (Clinton and Gore 1997).
Self-regulation differs from a pure market approach in
which consumerpreferencesdrive companybehavior.Under
a puremarketapproach,it is assumed that consumersprefer
to do business with firms that have implementedstrongpri-
vacy protectionsand avoid firms thathave breachedprivacy.
In contrast,self-regulationis based on the three traditional
components of government-legislation, enforcement, and
adjudication-and these functions are carriedout by the pri-
vate sector rather than the government (Swire 1997).
Legislationrefersto the question of defining the appropriate
rules, enforcementto the initiationof an enforcementaction
when the rulesarebroken,andadjudicationto whetheror not
a company has violated the privacy rules (Swire 1997).
Fair informationpractices define the privacy rules for a
self-regulatoryregime.They areglobal principlesthatbalance
the privacyinterestsof individualswith the legitimateneed of
business to derive value from customer information.At the
heartof fairinformationpracticesarethe following principles:
*Noticeof the firm'sinformation practicesregardingwhatper-
sonalinformation it collectsandhowthe informationis used;

Vol. 19 (1)
20 Journal of Public Policy & Marketing Spring 2000, 20-26

This content downloaded from 171.66.33.183 on Wed, 3 Apr 2013 18:47:43 PM

All use subject to JSTOR Terms and Conditions
 Journalof PublicPolicy& Marketing
*Choiceregardingsubsequentuses of the information, particu-
larlywhenthe information is usedby an organization for pur-
posesotherthanthoseforwhichtheinformation wascollected,
suchas marketing;
*Access,ortheabilityof usersto viewthedataaboutthemselves
theorganization hascollectedandto contestthedata'saccuracy
andcompleteness;
whichrequiresthe organization
*Security/integrity, to takerea-
sonablestepsto ensurethatpersonalinformationis secureduring
transmissionandstorageandthatit is accurateandtimely;and
'Enforcement/redress,whichmeanstheremustbe mechanisms
to ensurethatorganizationscomplywithfairinformation prac-
tices and thatmeaningfulsanctionsapplyfor noncompliance
(FTC1998).
Fair informationpractices representgood public policy
for both consumers and business. Priorresearchon privacy
finds that people are willing to disclose personal informa-
tion in exchange for some economic or social benefit subject
to the "privacycalculus," an assessment that their personal
informationwill subsequentlybe used fairly and they will
not suffer negative consequences in the future (Laufer and
Wolfe 1977; Milne and Gordon 1993). Assuming that the
firm's practices are consistent with what it discloses, fair
informationpractices signal to the consumer that the firm
will abide by a set of rules that most consumersperceive as
fair and will not behave opportunistically(Bradrachand
Eccles 1989; Shapiro 1987; Spence 1974). Because fair
informationpractices minimize the risk of disclosure, they
help build trust and promote the disclosure of the personal
informationneeded for relationshipmarketing(Culnanand
Armstrong 1999; Lewicki, McAllister, and Bies 1998;
Milne and Boza 1999). Therefore, observing fair informa-
tion practices is good for business. The remainingquestion
is whethertheir implementationonline should be governed
by self-regulationor requiredby law.
The FTC's PrivacyInitiative
In 1995, the FTC's Bureau of Consumer Protection
launcheda ConsumerPrivacyInitiative,an ongoing effort to
bringconsumersand businesses togetherto addressthe con-
sumer privacy issues raisedby the emergingelectronicmar-
ketplace. The hallmarkof the initiative was a series of pub-
lic workshops. The chairs of the House and Senate
Commerce Committees requested a summary of the June
1997 Public Workshop on Consumer Privacy. In their
response to RepresentativeThomas Bliley and SenatorJohn
McCain, the FTC stated that during the next 12 months, it
would monitor the information practices of commercial
Web sites and report to Congress on the effectiveness of
self-regulation(FTC 1997).
In June 1998, the FTC issued its report,Privacy Online:
A Report to Congress (FTC 1998). This reportcontains the
findings from the Web sweep conducted by the FTC in
March 1998. This study surveyed the privacy disclosures
posted by Web sites from six targetpopulations:a compre-
hensive sample of .com Web sites; Web sites drawn from
the health, retail, and financialsectors;Web sites targetedat
children; and the most popularWeb sites. The FTC found
that though more than 85% of the first four populationscol-
lect personal informationfrom consumers, only 14% pro-
vide any notice with respect to their informationpractices,
This content downloaded from 171.66.33.183 on Wed, 3 Apr 2013 18:47:43 PM
All use subject to JSTOR Terms and Conditions
21
and approximately2% provide notice by means of a com-
prehensive privacy policy. The FTC found that 97% of the
111 most popularWeb sites collected personalinformation,
and 71% of these sites provided some form of privacy dis-
closure (FTC 1998).
The FTC concluded that an effective self-regulatory
regime had yet to emerge. It recommended legislation to
place parentsin control of the online collection and use of
personal informationfrom children. In fall 1998, Congress
enacted the Children's Online Privacy Protection Act (16
U.S.C. 650 and 16 C.F.R. Part 312, October 21, 1999),
which regulatesthe collection and use of personalinforma-
tion collected by Web sites directed at children under 13
years of age.
The commission furtherfound that the majorityof other
online businesses had failed to adopt even the most funda-
mental elements of fair informationpractices: notice and
choice. Furthermore,the majorityof existing industryself-
regulatoryprogramsfailed to provide meaningful enforce-
ment. The commission did not recommend legislation for
adults but stated it would recommend an appropriate
response to protect consumer privacy at a later date (FTC
1998).
The GeorgetownStudy
Background
The Georgetown study was commissioned by the private
sector in December 1998 as a progress report on self-
regulation to the FTC. It was hoped that recent industry
efforts to strengthen self-regulatoryprograms would per-
suade the FTC not to call for additional legislation. The
Georgetown study asked the same three questions as the
FTC study:
1. Whattypesof personalinformationdo Websitescollectfrom
consumers?
2. HowmanyWebsiteshavepostedprivacydisclosures?
3. To whatextentdo theseprivacydisclosuresreflectfairinfor-
mationpractices?
The study was funded by contributionsof $5,000 or less
from 17 differentprivatesectorcompaniesand associations:
America Online, AmericanExpress, BBBOnline, Compaq,
eBay, eDirect, Ernst & Young, Direct Marketing
Association, IBM, Media Metrix, Microsoft, MatchLogic,
Online Privacy Alliance, Privaseek, Time Warner,
TRUSTe, and Wave Systems.
Methodology
The methodology of the Georgetown study was modeled
after that of the 1998 FTC study but was not an exact repli-
cation. The Georgetownstudy differed from the FTC study
in four primaryways:
1. Thenumberof sectorssampled:The Georgetownstudywas
basedon a singlecomprehensive sampleof U.S. commercial
Websites likelyto be of interestto consumers.Becausethe
FTCdidnotfindsignificantdifferencesamongits resultsfor
thegeneralsampleandthesectoralsamplesforretail,health,
andfinancialservicessites,no sectoralsampleswereusedin
this study. Furthermore,the Children'sOnline Privacy
22 Protecting Privacy Online

ProtectionActwasenactedintolawduring1998,eliminating
theneedto surveyWebsitesspecificallytargetedatchildren. Table 1. SampleDistributionby Web Site Audience
Finally,themostpopularWebsitesweresurveyedin a sepa-
rate study of the Top 100 fundedby the OnlinePrivacy Number
Alliance(see Culnan1999b). Group Minimum from Sample Proportion
2. Thesamplingframe:The samplesfor the two studieswere (Rank) Audience in Group of Sample
drawnfromdifferentpopulations.Thecomprehensive sample 1-1000 221,000 86 23.8%
fortheFTCstudywasbasedon a randomsampleof theentire 1001-2000 116,000 49 13.6%
.comuniversedrawnfroma Dun& Bradstreet database.The 2001-3000 77,000 45 12.5%
Georgetown studywasdrawnfroma randomsampleof .com 3001-4000 59,000 45 12.5%
Websitesbasedon unduplicated traffic. 4001-5000 48,000 39 10.8%
3. Thesamplesize:TheFTC'scomprehensive samplehad674 5001-6000 40,000 37 10.2%
observations,whereasthe Georgetownstudyhad361 obser- 6000-7500 32,000 60 16.6%
vations.
4. Thesurveyquestions:The Georgetownquestionnaire items Total 361 100%
askeda widerrangeof questionsaboutthecontentof privacy
disclosures. Notes:Data were suppliedby Media Metrix(www.mediametrix.com).
Rankis basedon audience.In the samplingframe,URLswere
During the design phase of the study, the advisory group rankedin descendingorderon the basisof audience.Forexample,
for the Georgetown study, composed of representatives the firstURLon the list hadthe largestaudience.Audiencerepre-
from the business and privacy/consumeradvocacy commu- sentsthe minimumnumberof visitorsfor January1999basedon
unduplicated reach.Unduplicated reachmeansthateachvisitorto a
nities, providedsubstantiveadvice on the design of the sam- Websiteduringa givenperiodis countedonlyonce,evenif theper-
ple and the survey form. The FTC also providedextensive son makesmultiplevisitsto thesameURL.Forexample,eachURL
advice on all aspects of the study. The advisory group dis- in thelastgroupwasvisitedby at least32,000andby no morethan
cussions and discussions with the FTC about the sampling 39,999differentpeopleduringJanuary1999.Thetop 25 URLsin
the list hada minimumof 4,580,000unduplicated visitorsduring
plan focused on the following criteria:
January1999.
1. Thestudyshouldbe basedon a randomsample.
Whereastheunitof analysisforthesurveywasthedomainor Web
2. The sampleshouldreflectWebtrafficratherthanthe entire site, the samplingframewas basedon serverratherthandomain.
WorldWideWeb,whichincludesmanysitesthathavelittle Someof the largersites or domainshadmorethanone serveror
or no consumertraffic. URLin thesamplingframe,andthesecarriedoverto thesampling
3. Thesampleshouldgo deepenoughintotheWebto represent pool beforetheyweredetectedandeliminated.AppendixB of the
a significantproportionof consumerWebtrafficanda large reportdiscusseshowduplicateswerehandled(Culnan1999a).
enoughnumberof Web sites ratherthanfocus only on the Beforedataanalysis,theMediaMetrixrankof the URLsforwhich
largestor the mostpopularWebsites. duplicatesweredetectedwasrecodedto reflecttherankof theURL
4. The sampleshouldbe largeenoughto minimizesampling fromthesamplingframewiththelargestaudienceforthatWebsite.
errors. Thiswasdoneto providethemostaccuratepictureof theaudience
5. Thefinalnumberof Websitesto be surveyedwouldalso be represented by the sample,as rankservesas a surrogatefor audi-
ence size. Forexample,in theoriginalrankedlist, AmericaOnline
subjectto severaloperational includingthenum-
constraints, was second. Howeverthe URL for AmericaOnline that was
berof workstationsin thefacilitythatwouldbe usedfordata includedin therandomsamplewasranked329.Therefore, theURL
collectionandthe needto collectthedataduringa one-week forAmericaOnlinein thesamplewasrecodedfrom329to 2 to rep-
period. resentits trueaudience.
In discussions with the study's advisorygroup,many par-
ticipantsexpressed the view that neitherof the two general 1. Identifyinga listingof sitesthatcouldbe usedto representthe
groups used in the 1998 FTC study, the comprehensiveran- targetpopulation. Thislist constitutedthe samplingframe.
dom sample and the census of the most popularsites, fully 2. Generating a randomsamplefromthe samplingframe.The
satisfied the sampling criteria. The comprehensive sample sitesin thesampleconstituted the samplingpool.
based on a randomsample of the entire .com universe from 3. Identifyingqualifyingsites fromthe samplingpool for the
the Dun & Bradstreetdatabasedid not necessarilyreflectthe sample.Sitesin the samplingpool wererandomlyexamined
Web sites that most consumers visit. The census of the top untilthenumberof examinedsitesqualifyingforinclusionin
the surveymetor exceededthe targetsamplesize. The sam-
sites did not representa random sample and could not be
pleconsistsof theexaminedqualifyingsites,whichweresub-
generalizedbeyond that list. sequentlysurveyedfor information collectionpracticesand
Furthermore,operationalconstraintsmade it unfeasibleto information practice disclosures.
survey three samples-including the replicationof the gen-
eral group from the 1998 FTC study, the most popularWeb The Georgetownstudy surveyed a randomsample of 361
site, and a thirdgroup based on Web traffic-and to ensure commercial U.S. Web sites drawn from a list supplied by
that the two randomsamples were large enough to address Media Metrix of the top 7500 URLs (Uniform Resource
the concerns about sampling errors.Therefore,the decision Locator, the address of a computer or document on the
reached by the study director was that the policy process Internet)based on unduplicatedtraffic by consumerssurfing
would be best served by a sample of at least 300 Web sites the Web from home duringJanuary1999. These 7500 URLs
that were drawn from a sampling frame with reach as close constitute a total reach of 98.8% of the World Wide Web,
to 100%of Web traffic as possible. The process of develop- which means that the sampling frame represented98.8% or
ing the actual sample consisted of three steps: nearly all consumers who visited Web sites during this

This content downloaded from 171.66.33.183 on Wed, 3 Apr 2013 18:47:43 PM

All use subject to JSTOR Terms and Conditions
 Journal of Public Policy & Marketing 23

period. The audience of the sites in the sample rangedfrom Table 2. PersonalInformationCollected(Base= 361)
more than 4.5 million unduplicatedvisitors per month to at
least 32,000 unduplicatedvisitors per month. The Web sites
not included in the sampling frame include .com Web sites Type of Numberof Percentage
Information Sites Collecting Collecting
with fewer than 32,000 unique visitors per month or Web
sites from other domains (e.g., .edu or .net). Table 1 shows PersonalIdentifying
Information
the sample distributionby audience. E-mailaddress 328 90.9%
Data for the study were collected by 15 graduatestudents Name 293 81.2%
Postaladdress 227 62.9%
("surfers")from GeorgetownUniversityand George Mason 189 52.4%
Telephonenumber
University during the week of March 8-12, 1999. Each Creditcardnumber 141 39.1%
surfer first determinedwhethera site was a consumer site, Faxnumber 59 16.3%
which meant that the site would be of interest to at least Socialsecuritynumber 17 4.7%
some consumers. Purely business-to-business sites were
eliminated,as were pornographicor adultsites, foreign sites Demographic Information
without any U.S. presence, and nonworking sites. After a Age/dateof birth 111 30.7%
surferconcluded that the Web site qualified for inclusion in Zipcode/city/state 108 29.9%
the sample, the surfersearchedthe site and completed a sur- Sex 91 25.2%
Preferences/interests 76 21.1%
vey form for the site. Appendix C of the Georgetownreport 58 16.1%
contains both a list of the Web sites in the final sample and Occupation
Otherdemographic 57 15.8%
the questionnaire with response frequencies (Culnan Income 37 10.2%
1999a). Education 37 10.2%
Familyinformation 23 6.4%
Summaryof Findings
Question1: PersonalInformationCollection Table3. Typesof PrivacyDisclosures(Base= 361)
The first question asked what types of personalinformation
Web sites collect fromconsumers.This studyadoptedthe def- Type of
initionof "personalinformation"used by the FTC in its 1998 Privacy Proportion
Disclosure Frequency of Base
report.It includedtwo broadcategoriesof information:per-
sonal identifyinginformationand demographicor preference None 123 34.1%
information(hereafterreferredto as demographicinforma- Websiteswithat least
tion). Personalidentifying informationincludes information one privacydisclosure 238 65.9%
thatcan be used to identifya consumer,such as a nameor an Privacypolicyonly 26 7.2%
e-mail address.Demographicinformationby itself cannotbe Informationpractice
used to identifya consumer.It can be used in aggregate,non- statementonly 81 22.4%
Both 131 36.0%
identifying form for marketresearchor in conjunctionwith Total 361 100%
personalidentifyinginformationto createconsumerprofiles.
The majority of sites collected at least one type of per-
sonal information:A total of 335 sites (92.8%) collected as a discrete statementthat describes a particularinforma-
tion practiceor policy from which at least one potential use
personalidentifying information,and 205 (56.8%) sites col-
lected demographic information.Thirty-five sites (10.3%) could be inferred.Examples of informationpractice state-
collected e-mail addresses only. Twenty-four sites (6.6%) ments include the following:
collected no personal information,whereas two sites (.5%) *"Clickhereif you do notwantto receivee-mailfromus."
collected only demographic information. Other types of *"Wedo notshareyourpersonalinformation withanyone."
demographic informationcollected included maritalstatus, *"Weonly shareaggregateinformation withthirdparties."
computer/software/onlineuse information,personalcharac- *"Yourorderwill be processedon oursecureserver."
teristics (e.g., height, weight), and time zone. More thanhalf
the sites (56.2%) collected both personal identifying and Nearly two-thirdsof the Web sites in the sample (n = 238,
demographic information.Table 2 shows how often each 65.9%) containedat least one privacydisclosure. Seven per-
type of personal informationwas collected. cent posted a privacy policy only, 22% posted an informa-
tion practice statementonly, and 36% posted both types of
Question2: Frequencyof PrivacyDisclosures disclosures. Thirty-fourpercent of the sample did not post
The second research question asked how many Web sites eithertype of disclosure.Table 3 shows the frequencyof pri-
posted privacy disclosures. The surfers searched the Web vacy disclosures by the type of disclosure. Of the 337 Web
sites in the sample for two types of privacydisclosures-pri- sites that collect at least one type of personal information,
vacy policy notices and informationpractice statements- 236 (70%) had posted at least one type of privacydisclosure.
using the definitions provided in the 1998 FTC report. A Of the 157 sites that posted a privacy policy notice,
privacy policy notice was defined as a comprehensive 79.6% linked the policy from the home page, and 74.5%
description of a site's practices that is located in one place linked the policy from at least one Web page on which per-
on the site that may be reached by clicking on an icon or a sonal informationwas collected. Of the 212 sites thatposted
hyperlink. An informationpractice statement was defined at least one informationpractice statement,81.1% of these

This content downloaded from 171.66.33.183 on Wed, 3 Apr 2013 18:47:43 PM

All use subject to JSTOR Terms and Conditions
24 Protecting Privacy Online
statementsappearedon at least one Web page on which per-
sonal informationwas collected.
Question3: Natureof Disclosures
The thirdresearchquestionasked to what extent the privacy
disclosures posted by Web sites are based on fair informa-
tion practices. The contents of these privacy disclosures
were analyzed to determineif they included notice, choice,
access, and security.These four elements of fair information
practiceswere operationalizedin the survey as follows:
*Noticewas definedto includestatementsaboutwhatinforma-
tion is collected,how the informationis collected,how the
informationcollectedwill be used, whetherthe information
will be reusedor disclosedto thirdparties,andwhetherthesite
says anythingaboutits use or nonuseof cookies.Consistent
withthe FTCstudy,theGeorgetownstudydid notcollectdata
aboutwhetheror nota Website actuallyplaceda cookie.Only
disclosuresaboutcookieswerecounted.
*Choicewas definedto includestatementsregardingchoice
offeredaboutbeingcontactedagainby the sameorganization
and choice abouthavingnonaggregatepersonalinformation
collectedby the Website disclosedto thirdparties.
*Accesswasdefinedto includeallowingconsumersto reviewor
ask questionsaboutthe information the site has collectedand
whetherthe sitesdisclosedhow inaccuracies in personalinfor-
mationthe site hadcollectedwerehandled.
*Securitywas definedto includeprotectinginformation during
transmission andsubsequent storage.
The privacy disclosures were furtheranalyzed to deter-
mine if they providedcontact informationa consumercould
use to ask a question about the site's informationpractices
or to complainto the companyor anotherorganizationabout
privacy. Contact informationis the first step in providing
consumer redress and enforcement. Redress and enforce-
ment are also elements of fair information practices.
Because this study focused only on disclosures, it was not
possible to determinewhethera Web site had implemented
redress or enforcement procedures or whether the Web
site's practicesdiffered from its disclosures.
Of the 236 Web sites that collected personal information
and posted a privacy disclosure,
*89.8%includedat leastone surveyelementfor notice,
*61.9%containedat leastone surveyelementforchoice,
*40.3%containedat leastone surveyelementfor access,
*45.8%containedat leastone surveyelementfor security,and
*48.7%containedat leastone elementforcontactinformation.
For the same privacy disclosures posted by 236 Web sites,
21.2% contained only one of these five elements of fair
information practices (i.e., the disclosure contained only
notice, choice, access, security, or contact information),
22.5% contained any two of the five elements (e.g., the dis-
closure containednotice and securitybut did not include any
of the otherelements), 18.6%containedany threeof the five
elements, 24.9% contained any four of the five elements,
and 13.6%contained all five elements.
Thirty-six(15.2%) of the 236 Web sites containedat least
one survey item for all four elements of fair information
practices. Of these 36 sites, 32 sites (13.6% of 236 sites)
also included at least one survey item for contact informa-
tion in their privacy disclosure(s).
This content downloaded from 171.66.33.183 on Wed, 3 Apr 2013 18:47:43 PM
All use subject to JSTOR Terms and Conditions
The StakeholderResponses
The results of the Georgetown study provide ammunition
for stakeholderson both sides of the issue. For the industry,
the glass is 67% full. One organization commented, for
example, that "The [Direct MarketingAssociation] believes
the study shows that business has heeded the call from the
White House and the FederalTradeCommission to promote
privacy protection online through the adoption of self-
regulatorymeasures"(Direct MarketingAssociation 1999).
Consumergroups,in contrast,find the glass closer to empty.
For example, the ConsumerFederationof America (1999)
stated that "The 1999 results, gradedon a pass-fail basis, are
being portrayedby the industryas a sign of great progress.
When actualperformanceaccordingto the FTC's fair infor-
mation practices standards is graded, the industry fails.
Meaningful and effective privacy protectionsfor consumers
are largely missing."
Despite repeatedcautions about drawing direct compar-
isons between the results of the Georgetown study and the
results of the 1998 FTC study because the studies are based
on different populations,the industrynonetheless cited the
increase in the numberof Web sites that post some form of
notice to argue that though work remainedto be done, new
legislation was not needed. The consumergroupsconcluded
that fair informationpracticeswere still the exception rather
than the norm on the Web on the basis of the small number
of Web sites posting comprehensive privacy polices that
included all the elements of fair information practices
(Center for Democracy and Technology 1999). Comments
on the results of the Georgetown study submittedby mem-
bers of the study's advisorygroupcan be found in Appendix
E of the GeorgetownReport (Culnan 1999a).
In July 1999, the FTC issued a reportto Congress recom-
mending thatthoughthe privatesector continuedto face sig-
nificant challenges in promotingmore widespreadadoption
of fair informationpractices, the commission did not rec-
ommend additionallegislation at this time (FTC 1999a, b).
The commission cited the substantial effort and commit-
ment to fair informationon the partof industryleaders and
outlined the next steps it would take, including conducting
anothersurvey of online privacydisclosures in the springof
2000 (FTC 1999b).
Beyond the Statistics:Discussionand
UnansweredQuestions
The Georgetownstudy provides statistics about the number
of consumer-orientedWeb sites that have posted privacy
disclosures. These statistics can be used to make an initial
assessment of whetheran effective self-regulatoryregime is
emerging for Internet privacy. Although the majority of
Web sites sampled here posted notice of their information
practices, these disclosures did not fully reflect fair infor-
mation practices.Furthermore,nearly one-thirdof the Web
sites did not post any disclosures, which suggests that a full
self-regulatoryregime has not emerged.
Currently, there is no consensus about how to opera-
tionalize fair informationpractices online. Without opera-
tional definitions for the elements of fair informationprac-
tices, Web sites are unlikely to post disclosures that satisfy
the most demandingcritics. The privacy seal programssuch
 Journalof PublicPolicy& Marketing
as TRUSTe and BBBOnline require certified firms to
adhere to standards,but not all Web sites belong to these
programs (see, e.g., www.truste.org and www.bbbonline.
org). The absence of operationaldefinitions for fair infor-
mation practices, combined with the dynamic natureof the
Web, provides additionalmeasurementchallenges for repli-
cating the existing surveys or surveyingdifferentaspects of
the Internet.
Furthermore,it is unlikely that all Web sites will self-
regulate.The currentmethodof enforcementis for the FTC
to prosecutefirms whose practicesare at variancewith their
disclosures for engaging in a deceptive trade practice.
However, Web sites are not requiredto post any disclosures,
and without a posted privacy policy, the FTC has no basis
for acting under its currentauthority.Therefore,it is likely
at some point that legislation will be required.On the basis
of the record of prior privacy legislation, the chances for
new legislation improve when the interests of consumer
groups and industry align (Regan 1995). This may occur
when any proposedlegislation is consistentwith the existing
practices of the firms with the greatest lobbying clout. The
following three issues also merit attentionduringthe policy
process and cannot be addressedby the existing data.
First,the study's resultsare limited to the populationsam-
pled, which means that the results of the Georgetownstudy
cannot be generalized to Web sites that have fewer than
32,000 different visitors per month. The populationof Web
sites used in the Georgetownstudy is the appropriateplace to
startthe policy discussionsaboutprivacyon the WorldWide
Web, as it representsthe commercialsites thatthe majorityof
consumers visit. However, ultimately the same protections
should apply to consumers who visit the "one-stoplight
towns" as to those who visit the "largemetropolitanareas,"
the sites that were surveyed in the Georgetownstudy. The
1998 FTC study addressedthe former question by using a
sample of .com Web sites that was not based on traffic.
Unansweredquestions,then,relateto how well self-regulation
is workingfor the entireWorldWide Web and how the Web
should be defined and measured.For example, shoulda Web
site maintainedby a smallbusinesswith five or feweremploy-
ees be exempted,as it would be from some otherregulations,
particularlyif the Web site serves only as an electronic
brochurewith an e-mail link to contactthe organization?
Second, it is importantto look beyond the statistics in
assessing whetherprivacydisclosuresadequatelyreflect fair
information practices for a specific context. The
Georgetown study found that approximately 14% of 236
Web sites that collect at least one type of personalinforma-
tion and have at least one privacydisclosure had posted dis-
closures that included all four elements of fair information
practices:notice, choice, access, and security.However, it is
importantto note that what constitutes an effective privacy
disclosure is a function of the Web site's informationprac-
tices and business model. For example, a site that collects
personal information but does not use the information to
contact the consumer for marketingor other unrelatedpur-
poses and does not share the informationwith affiliates or
third parties does not need to give choice. It would be use-
ful to understandwhetherWeb sites with differentinforma-
tion practicespost the privacydisclosures that are appropri-
ate for their business models (e.g., electronic commerce
This content downloaded from 171.66.33.183 on Wed, 3 Apr 2013 18:47:43 PM
All use subject to JSTOR Terms and Conditions
25
versus information dissemination only). Furthermore,the
Georgetown study provides no evidence for determining
what types of privacy disclosures communicatemost effec-
tively to consumers.These issues meritfurtherinvestigation
and requiredifferentresearchmethods.
Third, the Georgetown study results do not provide any
insights about what has worked to date in promotingeffec-
tive self-regulation. The Georgetown study did not code
Web sites by business model; industry;or membershipin a
trade association, seal program, or other type of business
relationship.It would be useful to assess whetherthe Web
sites with the best privacydisclosureshave anythingin com-
mon. By understandingwhat characteristicsthe sites that
post privacy policies share as well as what, if anything,sites
without policies have in common, the effectiveness of vari-
ous industryinitiatives can be assessed, and strategiescan
be developed for promotingself-regulationmore widely.
References
Bradrach,Jeffrey L. and Robert G. Eccles (1989), "Price,
Authority,and Trust:FromIdealTypesto PluralForms,"in
AnnualReviewof Sociology,RichardW. Scott,ed. Palo Alto,
CA:AnnualReviews,97-118.
Center for Democracyand Technology (1999), Behind the
Numbers: Privacy Practices on the Web, [available at
http://www.cdt.org/privacy/990727privacy.pdf].
Clinton,WilliamJ. andAl Gore(1997),"Framework for Global
ElectronicCommerce,"[availableat http://www.ecommerce.
gov].
ConsumerFederationof America(1999), "Statementon the
GeorgetownInternetPrivacyPolicy Survey,"in Georgetown
Internet Privacy Policy Survey, Mary J. Culnan, ed.
Washington, DC:GeorgetownUniversity,AppendixE, 10-11.
[Availableat http://www.msb.edu/faculty/culnanm/gippshome.
html].
Culnan,MaryJ. (1999a),TheGeorgetown InternetPrivacyPolicy
Survey:Reportto theFederalTradeCommission, (June),[avail-
ableat http://www.msb.edu/faculty/culnanm/gippshome.html].
- (1999b),PrivacyandtheTop100 WebSites:Reportto the
Federal TradeCommission,(June),[availableat http://www.
msb.edu/faculty/culnanm/gippshome.html].
- and PamelaK. Armstrong(1999),"Information Privacy
Concerns,ProceduralFairness and ImpersonalTrust: An
EmpiricalInvestigation,"OrganizationScience, 10 (January),
104-15.
- and SandraJ. Milberg(1999), "Consumer Privacy,"in
Information Privacy:LookingForward,LookingBack,MaryJ.
Culnan,RobertJ. Bies,andMichaelB. Levy,eds.Washington,
DC: GeorgetownUniversityPress.[Availableat http://www.
msb.edu/faculty/culnanm/home.html].
Direct Marketing Association (1999), "Statementon the
GeorgetownInternetPrivacyPolicy Survey,"in Georgetown
Internet Privacy Policy Survey, Mary J. Culnan, ed.
Washington, DC:GeorgetownUniversity,AppendixE, 12-14.
[Availableat http://www.msb.edu/faculty/culnanm/gippshome.
html].
FederalTradeCommission(1997),Lettersto Honorable Thomas
Bliley and HonorableJohn McCain,(July 31), [availableat
http://www.ftc.gov/privacy].
- (1998), PrivacyOnline:A Reportto Congress,(June),
[availableat http://www.ftc.gov/privacy].
26 Protecting Privacy Online

- (1999a), Self-Regulationand Privacy Online: A Reportto - and Mary Ellen Gordon (1993), "Direct Mail Privacy-
Congress,(June),[availableat http://www.ftc.gov/privacy]. Efficiency Trade-OffsWithin an Implied Social Contract
- (1999b),"Self-Regulation andPrivacyOnline,"testimony Framework,"Journal of Public Policy & Marketing, 12 (Fall),
before the U.S. House of Representatives Subcommitteeon 206-15.
Telecommunications, Tradeand ConsumerProtectionof the PricewaterhouseCoopers (1999), E-Business Technology
Committeeon Commerce,(July13), [availableat http://www. Forecast. Menlo Park, CA: PricewaterhouseCoopers
ftc.gov/privacy]. TechnologyCentre.
GeorgiaTech ResearchCorporation (1997),SeventhWWWUser Privacyand AmericanBusiness(1997), Commerce,Communi-
athttp://www.cc.gatech.edu/gvu/user_surveys].cation and Privacy Online: A National Survey of Computer
Survey,[available
Green,Heather(1998),"A LittlePrivacyPlease,"BusinessWeek, Users.Hackensack, NJ:PrivacyandAmericanBusiness.
(March16),98-102. Regan, Priscilla M. (1995), Legislating Privacy. Chapel Hill:
Laufer,R.S. and M. Wolfe (1977),"Privacyas a Conceptanda Universityof NorthCarolinaPress.
Social Issue: A Multidimensional DevelopmentalTheory,"
Journal Social
of 22-42.
Issues, 33 (3), Shapiro,Susan P. (1987), "The Social Controlof Impersonal
Trust,"AmericanJournal of Sociology, 93 (3), 623-58.
Lewicki,Roy J., DanielJ. McAllister,andRobertJ. Bies (1998),
"TrustandDistrust:NewRelationships andRealities,"
Academy Spence, A. Michael (1974), Market Signaling: Informational
of ManagementReview, 23 (3), 438-58. Transfer in Hiring and Related Screening Processes.
Cambridge, MA:Harvard UniversityPress.
MediaMetrix(1999),"MediaMetrixChroniclesthe Historyof the
Internet,"(March 18), [availableat www.mediametrix.com/ Swire, Peter P. (1997), "Markets, Self-Regulation, and
PressRoom]. GovernmentEnforcementin the Protection of Personal
Boza (1999), "Trustand Information,"in Privacy and Self-Regulationin the Information
Milne, GeorgeR. and Maria-Eugenia DC:U.S. Department of Commerce,3-20.
Concernin Consumers'Perceptionsof MarketingInformation Age. Washington,
ManagementPractices," Journal of Interactive Marketing, 13 Westin, Alan F. (1967), Privacy and Freedom.New York:
(Winter),5-24. Atheneum.

This content downloaded from 171.66.33.183 on Wed, 3 Apr 2013 18:47:43 PM

All use subject to JSTOR Terms and Conditions