Kirsten Martin, An empirical study of factors driving privacy expectations online

Kirsten Martin, An empirical study of factors driving privacy expectations online

Comment by: Annie Anton

PLSC 2013

Workshop draft abstract:

Recent work suggests that conforming to privacy notices online is neither necessary nor sufficient to meeting privacy expectations of users; however, a direct comparison between the two types of privacy judgments has not been performed.  In order to examine whether and how judgments about privacy expectations differ from judgments about privacy notice compliance, four factorial vignette studies were conducted covering targeted advertising and tracking information online for both the degree scenarios were judged to meet privacy expectations and judged to comply with privacy notices.  The study tests the hypotheses that (a) individuals hold different privacy expectations based on the context of their online activity and (b) notice and consent varies in tis effectiveness in addressing online privacy expectations across different contexts.  The general goal of the larger project is to better understand privacy expectations across contexts online leveraging a contextual approach to privacy.

The initial findings through pilot studies have identified factors – such as using data for friends, the time the data is stored, the type of information captured, etc – that vary in importance to privacy judgments depending on the context online.  In addition, the analysis around privacy notices suggests that users have an expectations premium whereby a given scenario meets the privacy expectations to a lesser extent than the scenario is judged to comply with the privacy notice.  In particular, using and tracking click information, using an individual’s name, and using the information for advertising is judged to comply with the privacy notice yet do not meet privacy expectations.

In this paper for PLSC, judgments about privacy expectations online will be compared to judgments about compliance to privacy notices along three dimensions:  the judgments themselves, the factors that contribute to the judgments, and how the judgments are made.  The findings will (1) identify important online contexts with similar privacy expectations (e.g., gaming, shopping, socializing, blogging, researching, etc), (2) prioritize the role of notice and consent in addressing privacy expectations within different contexts, and (3) identify the factors and their relative importance in developing privacy expectations for specific contexts online.

The findings have implications to how firms should attempt to meet the privacy expectations of users.  When privacy notices are found to be insufficient to meeting privacy expectations, individuals have attempted to pull out of this information exchange and obfuscate their behavior using tools such as CacheCloak, donottrack.us, Bit Torrent Hydra, TOR,  and TrackMeNot, which work to allow users to maintain their privacy expectations regardless of the privacy policy of a website.  Understanding how, if at all, judgments about privacy notices are related to privacy expectations should help firms avoid unnecessary and unintentional privacy violations caused by an over reliance on privacy notices.