
DOI: 10.1111/j.1475-679x.2004.00163.x Journal of Accounting Research Vol. 43 No. 1 March 2005 Printed in U.S.A.

Enforced Standards Versus Evolution by General Acceptance: A Comparative Study of E-Commerce Privacy Disclosure and Practice in the United States and the United Kingdom
KARIM JAMAL, MICHAEL MAIER, AND SHYAM SUNDER Received 28 July 2003; accepted 13 August 2004

ABSTRACT

We present data on privacy practices in e-commerce under the European Union's formal regulatory regime prevailing in the United Kingdom and compare it with the data from a previous study of U.S. practices that evolved in the absence of government laws or enforcement. The codification by the E.U. law, and the enforcement by the U.K. government, improves neither the disclosure nor the practice of e-commerce privacy relative to the United States. Regulation in the United Kingdom also appears to stifle development of a market for Web assurance services. Both U.S. and U.K. consumers continue to be vulnerable to a small number of e-commerce Web sites that spam their customers, ignoring the latter's expressed or implied preferences. These results raise important questions about finding a balance between enforced standards and conventions in financial reporting. In the second half of the 20th century, financial reporting has been characterized by both a preference for legislated standards and a lack of faith in its evolution as a body of social conventions. Evidence on whether this faith in standards over conventions is justified remains to be marshaled.

University of Alberta; University of Iowa; Yale University. Discussions with John Dickhaut, Paul Healy, and Joel Reidenberg on our earlier work led to the present study and are gratefully acknowledged. Assistance from Michael Barrett in setting up the experiment in the U.K. is gratefully acknowledged. We also thank workshop participants at University of Alberta, Hong Kong University of Science and Technology, University of Houston, Yale University, and University of Waterloo Symposium on Information Systems Assurance for comments on earlier drafts. The authors alone are responsible for the article.

Copyright ©, University of Chicago on behalf of the Institute of Professional Accounting, 2005

That government is best which governs least.
Thoreau [1894/1906]

The rise and fall of government regulation challenges both sides in the debate over the proper role of government and business in protecting people against various risks. Leaving business to its own devices is suspect for reasons suggested by horror stories such as the exploding Ford Pinto. The failures of the free market are well recognized. Consumers frequently lack information. Businesses often lack the incentive to internalize external costs such as pollution. The costs of organizing collective interests can be prohibitive; and without the watchful eye of regulatory inspectors, the unscrupulous lack a powerful reason for self-restraint. But, as the revolt against regulation reveals, government regulation has its own serious shortcomings. As Charles Wolf points out, the failures of non-market arrangements parallel those of the free market. Many regulatory agencies are plagued by adversariness and delay. Regulations are often slow in coming but quick to court. These regulations can be inflexible and unreasonable. As a result, the political debate over protective regulation has reached an impasse. Proponents of government regulation appeal to well-founded fears of laissez-faire arrangements, while supporters of the private sector appeal to similarly substantiated concerns about regulatory bureaucracy.
Cheit [1990, p. 3]

1. Introduction
This study reports results of a comparative field study of two divergent approaches to regulating e-commerce privacy practices in the United States and the United Kingdom. Although in the United Kingdom (and in the European Union) Internet privacy is governed by statutes and formal enforcement, in the United States this subject has been left largely to the evolution of industry norms and voluntary compliance. We examine the differences in privacy policies, their disclosure, and the observable consequences for consumers under these two regimes. The evidence from our study has relevance for some key issues regarding accounting standard setting and enforcement in the United States and in the international community.

During the seven decades since the creation of the Securities and Exchange Commission (SEC), the concept of Generally Accepted Accounting Principles (GAAP) has gradually, but steadily, and without much explicit debate, shifted from evolved social conventions toward legislated standards. Informal sanctions and reinforcements that sustain the evolution and effectiveness of social conventions have gradually been replaced by formal surveillance and penalties, backed by regulatory power to enforce the legislated standards. This fundamental shift in financial reporting regime, initiated in the United States, has gradually spread to most parts of the world. The London-based International Accounting Standards Board (IASB; note the parallel with the Financial Accounting Standards Board [FASB] implicit in the nomenclature), which hopes to have its standards accepted around the globe, is an example of the broad acceptance of the idea that legislated standards, backed by governmental power of enforcement, are a preferred financial reporting regime. Social conventions, supported only by informal sanctions and market consequences, are not in fashion at the turn of this century.

This broad movement toward reliance on institutions to write and enforce financial reporting standards has been accompanied by surprisingly little theoretical or empirical analysis of their possible merits relative to the evolutionary approach. Such analyses could be facilitated by comparing deliberately designed mechanisms or legislated standards on the one hand, and evolved norms on the other. Hayek's [1973, chap. 1] comparison of designed and evolved mechanisms is a good example. Some recent law and economics literature addresses the relationship between formal regulation (by law) and various informal or social modes of regulation (e.g., Posner [2003]). There is an implicit assumption in this literature that eventually all markets require legal regulation to succeed (McMillan [2003]). Recently, several attempts have been made to document the informal development of social order arising from repeated interaction and shared socialization (social capital) among individuals in a society (Coleman [1990], Putnam [1993]). The literature on informal control suggests that the role of law as a source of social order is exaggerated in the mainstream literature. A detailed examination of a successful online auction market (eBay) by Duh, Jamal, and Sunder [2002] indicates that eBay has sought to develop an effective market by relying primarily on informal controls such as personal reputation and creation of an eBay community.
Rather than focusing on the punitive function of the law, recent research by Mailath, Morris, and Postlewaite [2001] develops a theoretical framework for arguing that the impact of law and authority is rooted in the expectations people have about the behavior of others, that is, social norms. Posner [1997] proposes that the key role for the law is to formalize existing social norms and provide a credible mechanism for publicizing rule violations and enforcing penalties. Other legal scholars (e.g., Lessig [1998], Sunstein [1996]), however, propose that the law should be used in a more activist manner to help shape social norms. The limited evidence available on the interplay between law and social norms suggests that people ignore laws that are inconsistent with prevailing social norms (Ellickson [1991]). Although the interplay between formal standards and informal norms has always been important in financial reporting, the events of recent years have brought increased attention to this topic. Revival of the rules versus principles debate in accounting is an example. Detailed rules are supported by an inclination to enforce them by law, whereas general principles require judgment in an environment that values social norms. It is difficult to gather empirical data on this topic from the financial accounting domain; therefore, we present a direct comparison of empirical observations from the field of e-commerce privacy, which has some significant parallels to financial reporting (see Jamal, Maier, and Sunder [JMS 2003] for a detailed discussion of the externalities associated with privacy and financial reporting).

JMS [2003] document the e-commerce privacy standards and practices in the United States, where little government regulation or enforcement exists; social norms are developed by civic organizations such as TRUSTe that arose to develop better privacy practices, albeit under the implicit threat of government legislation. TRUSTe promotes privacy practices in e-commerce by developing and propagating norms, education, and community monitoring supplemented by formal monitoring and enforcement. (See appendix A for measures of compliance effort.) The present study documents the e-commerce privacy practices and standards in the United Kingdom, where the Information Commission (IC), a British government agency, currently enforces the privacy law of the European Union. The European Union's activist stance led to early legislation to mold commercial privacy practices.[1]

In the present study, we use the JMS field experiment method and design to examine the disclosure and privacy practices of 56 high-traffic Web sites in the United Kingdom. These sites are formally regulated by the E.U. privacy law, which has been incorporated into the U.K. national privacy law (see appendix B). The IC monitors and enforces compliance with this law (see appendix C for measures of compliance effort). We examine compliance with two key aspects of the law for which JMS document the corresponding U.S. practices: (1) the requirement to provide disclosure or notice of what consumer information is gathered and used by the Web site, and (2) the consent requirement that consumers be provided with an option to control how their personal information is used by a Web site for secondary purposes.
Our results indicate, first, that disclosure of privacy practices in the United Kingdom is no better, and perhaps worse, than in the United States. It is more difficult to find the privacy policy of a U.K. Web site, and compliance with the disclosure requirements of the U.K. privacy laws is generally poor. Second, in the United States more Web sites use their own as well as third-party cookies to track user behavior than in the United Kingdom. Third, most Web sites in the United Kingdom as well as in the United States honor the opt-out choices made by customers. Fourth, most of the e-mail received by U.K. registrants comes from a single Web site that does not honor the opt-out option chosen by registrants, similar to what happens in the United States. Finally, even in the opt-in condition, most of the e-mail comes from a single Web site, just as in the United States. Overall, we find no important differences between the average behavior of U.K. and U.S. Web sites in this respect. Consumers in both regimes remain vulnerable to a small number of Web sites that misbehave. In the United States, better companies can signal their good intentions to their visitors by paying a small fee to purchase a Web seal from an independent provider such as TRUSTe or BBB Online. In the regulatory regime of the United Kingdom, the market for Web seals has barely developed.[2]

[1] Nijhawan [2003] writes: "Historically, the EU and the U.S. approach data privacy regulations in diametrically opposed ways. While the EU relies primarily on legislation and heavy regulation, the U.S. has adopted a market-based, self-regulatory approach to data privacy. The EU further distinguishes itself from the U.S. by implementing an approach that guarantees its citizens protection of their fundamental rights. Such protection allows for strict governmental control of information flow. The U.S., on the other hand, does not recognize data privacy as a fundamental right, employing instead a less prophylactic approach than that taken by the EU" (pp. 940-41; also see Mullen [2001]).

2. Regulation of Privacy Practices in the United States and the United Kingdom
The concept of privacy is deemed to be central to the development of an autonomous self and hence an important facet of individual liberty (DeCew [1997]). Until recently, privacy rights focused on the intimate details of one's life, such as the right to be silent about one's sexual preference and the right to choose abortion. In addition, there was a general concern about providing government or other institutional authorities with too much information. There was less concern with privacy in business (DeCew [1999]). That began to change with the rise of drug use in the general population in the 1960s and the 1970s, as business firms began testing prospective, and even current, employees for drug use. More recently, electronic surveillance of the behavior of employees and employer access to employees' genetic and medical records have raised new privacy concerns relating to business (Kupfer [1993], Brockett and Tankersley [1997]). With the Internet and the development of e-commerce, privacy issues have become more complicated. New e-commerce technologies have substantially increased the ability of online merchants to collect, monitor, target, profile, and even sell personal information about customers to third parties (JMS [2003]). The intrusiveness of telemarketing activity and spam has raised the profile of privacy issues involving business. In response to broad societal concerns about privacy, the Organization for Economic Cooperation and Development (OECD), the U.S. government, and the European Union began extensive discussions in the 1970s about developing a regulatory framework for privacy.
These discussions were guided by five privacy principles enumerated by the OECD [1980]: (1) notice/awareness: participants should receive notice of an entity's information practices before they divulge any personal information; (2) choice/consent: participants should be given options as to the uses of any personal information collected from them, especially for secondary uses that are unrelated to the original transaction (e.g., sale of information to third parties); (3) access/participation: participants should have access to information recorded about them and be able to modify any information deemed incorrect; (4) integrity/security: collectors must take reasonable steps to ensure data integrity, convert it into anonymous form before using it for secondary purposes, and destroy untimely data; and (5) enforcement/redress: there must be a mechanism in place to enforce the privacy policies.

The European Union decided to adopt a formal (legal) regulatory framework for the protection of privacy. In 1995 the E.U. parliament formalized the E.U. privacy law by passing the European Directive on Data Protection (EU Directive 95/46/EC). The directive adopted the aforementioned five principles and required member countries to bring their national laws into compliance.[3] The directive stipulated that personal data must be processed fairly and lawfully and only collected for a specified, explicit, and legitimate purpose. The use of data for any secondary purposes beyond those stated is prohibited. Data cannot be kept any longer than needed to serve the stated purpose, and the data can only be collected if the person has given his or her consent. There is some discretion available to each member country to define what consent means. Some countries, such as France, require consent to be obtained explicitly (opt in), whereas the United Kingdom has a more permissive definition that allows consent to be implied as long as consumers are provided with an opportunity to opt out of the use of their personal data for secondary purposes.[4] The E.U. directive also requires each member government to create an independent government body to monitor the development, implementation, and enforcement of national data protection law. Given that the United States has no law covering most Web sites, it is generally considered that, with respect to privacy laws, the European Union has much stricter (and legally binding) standards and enforcement than does the United States.

[2] When we gathered data for this study, we could not identify any Web assurance services in our U.K. sample. In November 2003, we learned of one such service in the United Kingdom called Safebuy (www.safebuy.org.uk), which has only 41 clients at the time of this writing.
Data protection in the United Kingdom is regulated by the Data Protection Act (DPA) of 1984, which was significantly amended in 1998 for compliance with the E.U. directive (Reidenberg and Schwartz [1998]). The IC, a U.K. government agency, is responsible for the monitoring and enforcement required by the E.U. directive. All entities collecting personal data must register with the IC. The IC has the statutory power to monitor compliance with the DPA and can serve enforcement notices that direct a registered person to take specific steps to comply with the act. The IC can also cancel registration, prohibit overseas transfer of data, and initiate prosecution of violators of the act. Failure to register is subject to prosecution. Administrative decisions of the IC, especially the enforcement notices, can be appealed to an independent Data Protection Tribunal (DPT). The budget of the IC more than doubled from £3,661,690 in fiscal year 1997-1998 to £8,244,982 in 2001-2002. Enforcement activities of the IC are summarized in appendix C. From 1997 to 2002, the IC filed 331 court cases and obtained 277 convictions for violation of the privacy law. Precedents established by the DPT require that privacy notices be displayed in large, easy-to-read print in a prominent location where personal information is first collected. Reidenberg and Schwartz [1998] provide a detailed discussion of the E.U. privacy law and a comparison of the national privacy laws of Belgium, France, Germany, and the United Kingdom.

The year 1995 was a watershed year: the European Union passed its privacy directive and the United States did not pass a general privacy law. TRUSTe was formed in 1996 as a nonprofit organization to promote better privacy practices, and many U.S. Web sites voluntarily display a TRUSTe Web seal to signal their compliance with the privacy standards formulated by TRUSTe. (See TRUSTe compliance activity in appendix A.) The Federal Trade Commission (FTC) started holding workshops in 1995 to discuss and promote good privacy practices. The FTC also tried to push e-commerce Web sites to improve their privacy practices by conducting studies (which combined a review of privacy policies and surveys) in 1998, 1999, and 2000. Each FTC study showed improvement in the actual practices of U.S. Web sites (FTC [2000]). As of May 2004, there is virtually no general government regulation of privacy in the United States and no legal requirement to disclose privacy policies in e-commerce or on the Internet.[5] Once a person discloses information while registering or transacting at a site, there are no legal constraints on what can be done with that personal information so long as no fraudulent actions are involved. There is no requirement that a site have a privacy policy, that consumers be informed about what data are being collected about them, or that consumers be provided with an option to give or deny their consent to secondary uses of the data gathered. In addition, there are no legally mandated audit procedures, nor are the e-commerce sites required by law to have their privacy policies certified by independent auditors.[6]

[3] These laws apply to all data collected online and offline.

[4] The U.K. law requires each entity that collects personal data to have and disclose a privacy policy. The privacy policy notice must be of sufficient size, easy to find, and sufficiently detailed so that it can be presumed that a reader has given informed consent. The notice must be made available before personal data are first collected (Reidenberg and Schwartz [1998]).

3. Research Method and Results of the Notice/Awareness Study


We gathered data from 56 high-traffic Web sites in the United Kingdom by repeating the procedure used in JMS [2003]. First, we obtained the addresses of high-traffic Web sites from Jupiter MediaMetrix (www.mediametrix.com), which monitors Web usage and provides research and consulting services for online advertising. For countries other than the United States, MediaMetrix issues monthly reports of the top 15 active Web sites based on user traffic. We reviewed the top 15 reports from April 1999 to April 2002. This resulted in the identification of 28 Web sites that had been listed at least once in the top 15 rating report. We then picked firms in the U.K. Financial Times Index and looked for their Web sites. An additional 28 Web sites were identified where consumers could register or engage in transactions. A total of 56 high-traffic Web sites in the United Kingdom were identified during the summer of 2002.

We programmed a Web crawler to visit these sites and to record the use of their own, as well as any third-party, cookies. We also obtained an electronic copy of the privacy policies of these Web sites and looked for disclosure about cookie usage and the use of third-party cookies. Our crawler visited each of the 56 Web sites five times during the week of June 4-11, 2002. Some Web sites in the United Kingdom do not display a privacy policy until the consumer actually registers or initiates a transaction. We attempted to register or initiate a transaction from June 11 to 20 to identify the use of cookies. During the same period (May 27 to June 12, 2002), a research assistant (who did not know the results generated by the Web crawler) downloaded and date-stamped the privacy policy of each Web site. The data collected using the crawler and manual review of the privacy policies were combined in a spreadsheet for the analysis here.

[5] As many experts had predicted, the Can-Spam Act of 2003, which went into effect January 1, 2004, has so many loopholes for spammers that it has had virtually no impact on the volume of e-mail received by U.S. consumers. The Can-Spam law can be viewed as an instrument of legalizing spam subject only to a few restrictions rather than an attempt to reduce spam.

[6] There are two exceptions to the lack of U.S. regulation of privacy. The health care industry and the financial services industry are governed by the Health Insurance Portability and Accountability Act (1996) and the Gramm-Leach-Bliley Act (1999), respectively.
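The crawl-and-compare procedure of section 3, as an added example that is not part of the paper and not the authors' crawler: it separates a site's own cookies from third-party cookies by registrable domain, checks the downloaded policy text for the cookie and third-party disclosures that table 1 counts, and computes the pooled two-proportion z-test that is the usual form of the table's "test of equality of proportions". The site names, policy sentences and the short second-level-domain list are constructed assumptions, and the paper does not state its exact z-test formula, so its printed values may differ slightly from this one.

```python
import math
import re
from dataclasses import dataclass


@dataclass
class CrawlRecord:
    """One site's crawl result: a constructed stand-in for the crawler output described in the paper."""
    site: str              # host the crawler visited
    cookie_setters: list   # hosts that set a cookie during the visits (own or third party)
    policy_text: str       # privacy policy downloaded by the research assistant


# Labels treated as second-level registries under a two-letter country code (co.uk, org.uk, ...).
# Assumption: a small fixed set instead of the full public-suffix list.
_SECOND_LEVEL = {"co", "org", "ac", "gov", "net", "com", "ltd", "plc"}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 of a host, used to separate own cookies from third-party ones."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in _SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_cookies(record: CrawlRecord):
    """Split cookie-setting hosts into own (same registrable domain as the site) and third party."""
    own_domain = registrable_domain(record.site)
    own = sorted({h for h in record.cookie_setters if registrable_domain(h) == own_domain})
    third = sorted({h for h in record.cookie_setters if registrable_domain(h) != own_domain})
    return own, third


_COOKIE = re.compile(r"\bcookies?\b", re.IGNORECASE)
_THIRD_PARTY = re.compile(r"\bthird[- ]part(?:y|ies)\b", re.IGNORECASE)
_SENTENCE_END = re.compile(r"(?<=[.!?])\s+")


def policy_discloses(policy_text: str):
    """Keyword heuristic for two disclosure rows: any mention of cookies, and a sentence that
    mentions both cookies and third parties (the manual review in the paper was more thorough)."""
    sentences = _SENTENCE_END.split(policy_text)
    mentions_cookies = any(_COOKIE.search(s) for s in sentences)
    mentions_third_party_cookies = any(_COOKIE.search(s) and _THIRD_PARTY.search(s) for s in sentences)
    return mentions_cookies, mentions_third_party_cookies


def tabulate(records):
    """Counts for table 1 rows 3, 4, 7 and 8. Disclosure rows are counted only among the sites
    that actually use (third-party) cookies, as the paper's percentages are."""
    counts = {"sites": len(records), "use_cookies": 0, "disclose_cookies": 0,
              "third_party_cookies": 0, "disclose_third_party": 0}
    for rec in records:
        own, third = classify_cookies(rec)
        says_cookies, says_third = policy_discloses(rec.policy_text)
        if own or third:
            counts["use_cookies"] += 1
            counts["disclose_cookies"] += int(says_cookies)
        if third:
            counts["third_party_cookies"] += 1
            counts["disclose_third_party"] += int(says_third)
    return counts


def z_test_proportions(x1: int, n1: int, x2: int, n2: int):
    """Pooled two-sample z-test of equal proportions. Returns (z, two-sided p-value)."""
    p1, p2, pooled = x1 / n1, x2 / n2, (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))
    return z, p_value


# Constructed sample crawl of four fictitious sites; not the paper's data.
SAMPLE_CRAWL = [
    CrawlRecord("www.alpha-example.co.uk",
                ["www.alpha-example.co.uk", "ads.tracker-example.net"],
                "We use cookies to remember your settings. Third-party advertisers may also set cookies on our pages."),
    CrawlRecord("beta-example.co.uk",
                ["secure.beta-example.co.uk"],
                "Our site uses cookies to keep your shopping basket. We never sell your details."),
    CrawlRecord("gamma-example.com",
                ["gamma-example.com", "stats.metrics-example.com"],
                "We respect your privacy and will not share your details with anyone."),
    CrawlRecord("delta-example.org.uk", [],
                "This site does not use cookies or collect personal data."),
]

if __name__ == "__main__":
    print(tabulate(SAMPLE_CRAWL))
    # Row 2 of table 1: 95 of 100 U.S. sites vs 39 of 56 U.K. sites have the policy one click away.
    print("z = %.2f, p = %.5f" % z_test_proportions(95, 100, 39, 56))
```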

3.1 RESULTS: DISCLOSURE (NOTICE/AWARENESS)

TABLE 1
Disclosure of Privacy Policies

| Number | Privacy Practice | U.S. Web Sites with Privacy Seals (n = 34) | U.S. Web Sites without a Privacy Seal (n = 66) | Total U.S. Web Sites (n = 100) | U.K. Web Sites with EU Privacy Law (n = 56) | Test of Equality of Proportions, Z-Value (p-value) |
|---|---|---|---|---|---|---|
| 1 | Post a privacy policy | 34 (100%) | 63 (95%) | 97 (97%) | 43 (77%) | 12.53 (p < 0.000) |
| 2 | Privacy policy is one click away | 34 (100%) | 61 (92%) | 95 (95%) | 39 (70%) | 4.32 (p < 0.000) |
| 3 | Use cookies to track user behavior | 34 (100%) | 64 (97%) | 98 (98%) | 49 (88%) | 2.6 (p < 0.01) |
| 4 | Disclose that Web site is using cookies | 34 (100%) | 55 (86%) | 89 (91%) | 39 (80%) | 1.87 (p < 0.05) |
| 5 | Explain what cookies are | 30 (88%) | 42 (66%) | 72 (74%) | 37 (76%) | 0.265 (p < 0.40, ns) |
| 6 | Explain how to turn off/decline cookies | 19 (56%) | 23 (36%) | 42 (43%) | 25 (51%) | 0.93 (p < 0.18, ns) |
| 7 | Allow third parties to use cookies on Web site | 31 (91%) | 48 (73%) | 79 (79%) | 28 (50%) | 3.76 (p < 0.000) |
| 8 | Disclose presence of third-party cookies on Web site | 30 (97%) | 30 (63%) | 60 (76%) | 27 (96%) | 2.32 (p < 0.01) |
| 9 | Provide link to privacy policy of third party | 19 (61%) | 20 (42%) | 39 (49%) | 4 (14%) | 3.27 (p < 0.001) |
| 10 | Disclose how data are used for internal transaction processing | 34 (100%) | 63 (95%) | 97 (97%) | 43 (77%) | 4.0 (p < 0.000) |
| 11 | Disclose how data are used for internal marketing purposes | 34 (100%) | 62 (94%) | 96 (96%) | 44 (79%) | 3.4 (p < 0.001) |
| 12 | Disclose how data are used for outsourced transaction processing by a third party | 28 (82%) | 43 (65%) | 71 (71%) | 23 (41%) | 3.66 (p < 0.000) |
| 13 | Disclose how data are used for marketing purposes by third parties | 34 (100%) | 62 (94%) | 96 (96%) | 32 (57%) | 6.09 (p < 0.000) |

Note: In a field experiment, Jamal, Maier, and Sunder (JMS [2003]) program a Web crawler to repeatedly visit 100 selected high-traffic Web sites in the United States during the week of July 23-29, 2001, and to record what cookies (and third-party cookies) are used by these Web sites to monitor visitors to the Web sites. JMS then download the privacy policies of these 100 Web sites and record the number of Web sites that disclose their use of cookies (and third-party cookies), as well as disclosures on how data collected from participants are used and shared internally and with external third parties. U.S. Web sites are classified into two groups: those that purchase an independent Web assurance seal (n = 34) and those that do not have a Web seal (n = 66). We apply the JMS procedure from May 27 to June 12, 2002 for 56 high-traffic U.K. Web sites governed by EU privacy law. A U.K. government body monitors and enforces the privacy law in the United Kingdom. None of the U.K. Web sites had a Web seal.

The results of the disclosure of privacy policies of the 56 high-traffic U.K. Web sites are presented in table 1 (alongside, for ease of comparison, the results from 100 high-traffic U.S. Web sites reported by JMS [2003]). In the United States, JMS [2003] report that 34 Web sites had paid for a privacy assurance Web seal from an independent party (30 TRUSTe, 2 BBB Online, and 2 both TRUSTe and BBB Online). None of the Web sites in the United Kingdom displayed a Web seal. One consequence of a legislated standards approach to privacy appears to be the elimination, or preclusion, of a market for private Web assurance. Because the law requires a disclosure of privacy policies but not a privacy audit, we observe no market for privacy assurance seals in the United Kingdom. The privacy disclosure law appears to have eliminated the incentives for the Web sites to use Web seals as signals of their good privacy practices to consumers.

In the United States, JMS [2003] report that it was easy to locate the privacy policies of 97% of the Web sites in the sample. In most cases, it could be located from the home page (95% were one click away). In the United Kingdom, we found it difficult to locate privacy policies on Web sites (70% were one click away). The U.K. law requires the privacy policy to be provided before any personal data are collected. We therefore looked for the policy at the main home page, the registration page, and the page where personal information was entered. Our search succeeded in only 77% of the Web sites in our sample (compared with 97% in the United States). This suggests significant noncompliance with the legal requirement to provide a privacy policy and the precedents set by the DPT requiring privacy policies to be prominent, easy to read, and provided before personal information is collected. Perhaps U.S. Web sites view the disclosure of privacy policies as an instrument of their marketing strategy to attract consumers, and they make it easy to find this policy. U.K. Web sites, on the other hand, appear to view privacy disclosure as a matter of a bureaucratic requirement, and they make it difficult to find their statements of policy. The frequency of noncompliance raises doubts about the effectiveness of the E.U. law in promoting privacy policy disclosures.

In the United States, JMS [2003] report that all 34 of the privacy seal Web sites and 64 of the remaining 66 nonseal Web sites used cookies, for an overall cookie usage rate of 98%. The disclosure of cookie usage was also high, with all 34 privacy seal Web sites and 55 of the remaining 64 Web sites (overall 91%) disclosing their cookie usage. In the United Kingdom, the rate of cookie usage was lower, with only 88% (49 of 56 Web sites) using cookies to monitor consumers (p < 0.01). The disclosure rate of cookie usage in the United Kingdom was also lower, with only 80% (39 of 49) of the Web sites that use cookies disclosing their use (p < 0.05). Relative to the United States, the formal legal codification of cookie disclosure requirements appears not to have improved disclosures in the United Kingdom.

In the United States, JMS [2003] report that third parties placed cookies on visitor hard drives in 31 (91%) Web sites with seals, and 48 (73%) Web sites without a seal, for an overall third-party cookie usage rate of 79%. Thirty Web sites with a seal (97%) disclosed the presence of these third-party cookies on their site.
Thirty of the 48 Web sites without a seal that were placing third-party cookies (63%) disclosed the presence of third parties, for an overall third-party cookie disclosure rate of 76%. In the United Kingdom, Web sites were much less likely to allow third parties to use cookies to monitor customer behavior, with only 50% of Web sites (28 of 56) allowing third parties to place cookies from their site (p < 0.000). In the United Kingdom, 27 of 28 of these Web sites (96%) disclosed the presence of third-party cookies on their site. This is comparable to the 97% disclosure rate of the sites with a Web seal in the United States, and better than the average U.S. disclosure rate of 76% (p < 0.01). For the remaining items in table 1 (more information about cookies, third-party cookies, and especially how data are used for secondary purposes), the disclosure rates in the United Kingdom are lower than the disclosure rates reported by JMS [2003] for U.S. Web sites (p < 0.01). Overall, it is clear that the privacy disclosures of the U.K. Web sites are no better than the privacy disclosures in the United States. The rates of noncompliance with the requirements of the U.K. law are substantial, and only the third-party cookie disclosure rates (96%) indicate a high level of compliance. An independent survey of E.U. privacy practices conducted by Consumers International in 2001 (Hwa [2001]) also finds poor compliance rates with E.U. privacy law. For a discussion of the complexities of E.U. privacy law and the corresponding low compliance rates in E.U. countries, see Nijhawan [2003].

Although E.U. law appears not to improve disclosure of privacy practices, it does appear to reduce the use of cookies and third-party cookies to track consumer behavior. This improvement in business practice is associated with the absence of demand for and supply of private audit (Web seal) services. The private market for Web seals has not developed well in the regulated E.U. environment but is developing in the unregulated U.S. market (JMS [2003]). This raises an interesting question about the relationship between the standardization of accounting practices and private demand for audit services.

4. Research Method and Results for the Choice/Consent Study


According to choice/consent, the second of the five OECD privacy principles, participants should be given an option to restrict the use of any personal information collected from them, especially for secondary uses unrelated to the processing of the transaction at hand. Web sites use two primary options to let users control the use of their personal information. Opt-out, the most common option, allows users to prevent the Web site from transferring their data to any third party not involved directly in processing the transaction for which the data were collected. A second option is to require an explicit opt-in from the consumer, which expressly permits the Web site to use the data for secondary purposes such as internal and possibly external marketing. The opportunity to opt out (or opt in) is widely regarded as a key choice mechanism, and U.K. law requires that an opt-out option should at least be provided whenever personal data are collected.[7] We examine the effectiveness of the opt-out feature of Web sites by registering on the same 56 high-traffic Web sites used to test disclosure policies in section 3. We use the JMS [2003] procedure to monitor the compliance of the Web sites with privacy standards. We set up a private U.K. domain name and created 112 identities (name, U.K. e-mail address, U.K.-based postal address, U.K. phone number with voice mail, and credit card number). These e-mail accounts were secure in our private domain and could not be accessed by robots or telemarketers looking for public directories of e-mail addresses. Each of the 56 pairs of identities could be uniquely traced to one of the 56 Web sites where we used it for registration. We registered twice on each of the 56 Web sites under two different identities. Following the JMS [2003] procedure, we conducted one transaction (e.g., sent a greeting or e-mail, or set up a portfolio) at the time of registration.
We used the first set of 56 identities to register on each of the 56 Web sites and did not place any restriction on having our data shared with others; that is, we opted in to receive messages and materials, such as magazines, relevant to our simulated identity. The second set of identities was used to register again on the same sites, where we opted out immediately from having our information shared with both internal and any external parties. In the second registration we did not accept any free offers. Note that our registration procedure enabled us to uniquely identify the 112 sources (opt-in and opt-out registrations at 56 sites) of any incoming e-mail because the name and e-mail address used in each registration were different. All registrations were completed September 28, 2002.

7 An opt-in system protects privacy better than does opt-out because each option is the default for the other. Most users end up with the default option through their failure to make an explicit choice between opt-in and opt-out.
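To make the attribution logic of this procedure concrete, here is an added Python example (not part of the original study or of the JMS materials) that derives one unguessable address per site and condition, attributes a constructed inbox to its registration source, and computes the per-week means and the volume-ranked cumulative shares that table 2 and figures 2 and 3 report. The site labels, the key, the domain and all messages are constructed for illustration.

```python
"""Canary-identity attribution for a two-registration (opt-in / opt-out) study.

Each (site, condition) registration gets its own unguessable address on a
private domain, so every message that arrives can be traced to exactly one
source.  All site names, addresses and messages below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import hmac


@dataclass(frozen=True)
class Registration:
    site: str
    condition: str  # "opt-in" or "opt-out"
    address: str


def make_registrations(sites, key, domain="example.invalid"):
    """Derive one address per (site, condition) with a keyed hash: the local
    part reveals nothing about the site, and the mapping exists only in the
    returned table (hypothetical scheme keyed by the experimenter's secret)."""
    regs = {}
    for site in sites:
        for condition in ("opt-in", "opt-out"):
            tag = hmac.new(key, f"{site}|{condition}".encode(), "sha256").hexdigest()[:12]
            address = f"{tag}@{domain}"
            regs[address] = Registration(site, condition, address)
    return regs


def attribute(regs, inbox):
    """Map (recipient, week) pairs to their registration source.
    Returns counts[(site, condition)][week] plus messages sent to addresses
    never registered; on a private domain those indicate harvesting or
    guessing rather than a site's use of registration data."""
    counts = defaultdict(lambda: defaultdict(int))
    unattributed = []
    for recipient, week in inbox:
        reg = regs.get(recipient.lower())
        if reg is None:
            unattributed.append((recipient, week))
        else:
            counts[(reg.site, reg.condition)][week] += 1
    return counts, unattributed


def weekly_means(counts, regs, condition, weeks, exclude=()):
    """Mean messages per registration per week for one condition, counting
    registrations that received nothing (as table 2 does).  `exclude` drops
    outlier sites from both numerator and denominator."""
    sites = {r.site for r in regs.values() if r.condition == condition} - set(exclude)
    return [sum(counts.get((s, condition), {}).get(w, 0) for s in sites) / len(sites)
            for w in weeks]


def concentration(counts, condition):
    """Rank sites by total volume; return (site, total, cumulative share) per
    site, i.e. the curve of figures 2 and 3.  Ties break alphabetically."""
    totals = {site: sum(wk.values()) for (site, cond), wk in counts.items() if cond == condition}
    grand = sum(totals.values())
    ranked, running = [], 0
    for site, n in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])):
        running += n
        ranked.append((site, n, running / grand if grand else 0.0))
    return ranked


SITES = ("shop-a", "news-b", "portal-c", "cards-d")  # constructed site labels
REGS = make_registrations(SITES, key=b"experimenter-secret")  # constructed key
WEEKS = range(1, 5)


def build_sample_inbox(regs):
    """Constructed inbox: one confirmation per registration in week 1, light
    opt-in traffic from three sites, and one opt-out site that ignores the
    choice and mails three times a week (the outlier pattern in the text)."""
    addr = {(r.site, r.condition): r.address for r in regs.values()}
    inbox = [(a, 1) for a in addr.values()]
    for week in (2, 3, 4):
        inbox += [(addr[("shop-a", "opt-in")], week)] * 2
        inbox += [(addr[("news-b", "opt-in")], week)]
        inbox += [(addr[("shop-a", "opt-out")], week)] * 3
    inbox.append((addr[("cards-d", "opt-in")], 3))
    inbox.append(("harvested@example.invalid", 2))  # address never registered
    return inbox


COUNTS, UNATTRIBUTED = attribute(REGS, build_sample_inbox(REGS))

if __name__ == "__main__":
    print("opt-in means       :", weekly_means(COUNTS, REGS, "opt-in", WEEKS))
    print("opt-out means      :", weekly_means(COUNTS, REGS, "opt-out", WEEKS))
    print("opt-out w/o outlier:", weekly_means(COUNTS, REGS, "opt-out", WEEKS, exclude=("shop-a",)))
    for site, n, share in concentration(COUNTS, "opt-out"):
        print(f"{site:9s} {n:3d} messages, cumulative {share:.0%}")
    print("unattributed:", UNATTRIBUTED)
```

The `exclude` parameter reproduces the "without outlier" columns of table 2, and the unattributed list separates registration-driven mail from mail to addresses that were never handed to any site.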

4.1

RESULTS: CHOICE/CONSENT

We attempted to register on all 56 Web sites used in the disclosure part of the study. Of the 56 Web sites, 40 allowed us to opt in, and only 25 allowed us to opt out. Table 2 shows the weekly means (standard deviations) of the number of e-mail messages received over the 26 weeks following the registrations in the United States (as reported by JMS [2003]) and our data from the United Kingdom. The top part of figure 1 shows a chart of the weekly mean frequency of e-mail messages from the U.S. opt-in (blank square) and the U.K. opt-in (black square). The two middle lines in figure 1 show the U.S. opt-in excluding the highest volume Web site (blank triangle), and the U.K. opt-in excluding the highest volume Web site (black triangle). The bottom two lines in figure 1 show the U.S. opt-out (blank circle) and the U.K. opt-out (black circle) Web site registrations. Most Web sites generated one confirmation message immediately following the registration. JMS [2003] report receiving few messages from opt-out registrations in the United States; the mean was only 0.45 messages per week. JMS also report that most of the messages in the opt-out condition were generated by a handful of Web sites; one site generated 48% of all e-mail messages, and the top five sites accounted for 92% of all e-mail received. Excluding these outliers, the mean number of weekly e-mail messages was close to 0. In the present study of U.K. opt-out registrants, we received 468 commercial e-mail messages over the 26-week data-collection period, for an average of 0.75 messages per week from opt-out registrations. The U.K. data are also largely driven by a single Web site that accounted for 93% of all the messages from opt-out Web sites (see dark circle in figure 2).

If we exclude this outlier, the mean number of weekly messages to opt-out registrants in the United Kingdom is also close to 0.8 The difference between the average number of messages received from opt-out registrations in the United States and in the United Kingdom is not statistically significant. It does not matter if we look at all the data (GLM, F[1, 65] = 0.28, p = 0.6007), or exclude the one extreme observation from the U.K. data and the five extreme observations from the U.S. data (GLM, F[1, 59] = 1.15, p < 0.288).9 For U.S. opt-in registrants, JMS [2003] report receiving significantly more e-mails, with a mean of 8.44 e-mails per week. As in the opt-out condition, JMS report that one outlier generated 56% of all the opt-in messages received. After excluding this outlier, the mean level of e-mails was 3.81 per week (still significantly more than the mean level of e-mails received by opt-out registrants at p < 0.000). In the present study, U.K. opt-in registrants received 9,563 e-mail messages over the 26 weeks studied, for an average of 9.20 messages per registration per week. This is 12 times the average volume of e-mail messages received by opt-out registrants. A paired-sample t-test yields a mean difference of 8.45 (t = 14.74, 25 df, p < 0.000). This result for the United Kingdom, where opt-in registrants receive more e-mails than opt-out registrants, is consistent with the data reported by JMS for the United States. Beginning with an average of about 2 e-mail messages per week in the first week (see figure 1, black square legend), the average level of e-mail from U.K. Web sites rose steadily to about 14 per week in week 26. Like the opt-out results described earlier, the U.K. opt-in results were also driven in large part by a single Web site (see black square in figure 3). Some 66% of all opt-in messages (a total of 6,342 messages over 26 weeks for an average of 244 per week) came from this single registration. Excluding the messages from this one outlier (black triangle legend in figure 1), the e-mail volume from the U.K. opt-in sites gradually rises from about 2 per week to about 4.5 per week by the end of the 26 weeks. This is more than four times the e-mail volume for the opt-out registrants. Excluding the outlier data from

8 In the United Kingdom, the top five sources of opt-out e-mail were from three retailers and two news organizations. In the United States, the top five sources of opt-out e-mail were two retailers, a portal, a Web hosting site, and a financial site.

9 We obtain the same pattern of results even if we eliminate only three outliers from the U.S. opt-out data, F(1, 61) = 0.18, p = 0.6691.

TABLE 2
Mean (Standard Deviation) Number of E-Mail Messages Received for Opt-in and Opt-out Web Site Registrations

Week     U.S. Opt-in      U.K. Opt-in      U.S. Opt-in      U.K. Opt-in      U.S. Opt-out     U.K. Opt-out
         (n = 69)         (n = 40)         w/o Outlier      w/o Outlier      (n = 43)         (n = 25)
                                           (n = 68)         (n = 39)
1        4.62 (8.73)      2.13 (2.59)      3.78 (5.24)      1.87 (2.07)      0.98 (0.91)      0.80 (0.71)
2        4.71 (17.98)     3.25 (8.37)      2.63 (5.07)      2.03 (3.22)      0.19 (0.82)      0.12 (0.44)
3        5.00 (19.77)     4.13 (14.88)     2.71 (5.29)      1.82 (3.04)      0.30 (0.89)      0.00 (0.00)
4        5.41 (24.56)     4.98 (18.15)     2.51 (5.20)      2.15 (3.39)      0.21 (0.71)      0.00 (0.00)
5        7.74 (40.66)     5.68 (21.54)     2.88 (5.10)      2.31 (3.24)      0.26 (1.09)      0.04 (0.20)
6        6.96 (36.42)     6.90 (28.60)     2.62 (5.30)      2.41 (3.49)      0.19 (1.08)      0.04 (0.20)
7        7.93 (41.98)     6.00 (24.06)     2.93 (6.07)      2.23 (3.28)      0.21 (0.97)      0.00 (0.00)
8        7.96 (43.25)     7.55 (32.06)     2.79 (5.65)      2.51 (3.64)      0.23 (1.02)      0.12 (0.44)
9        9.23 (53.2)      7.48 (31.15)     2.87 (5.96)      2.59 (4.00)      0.28 (1.10)      0.04 (0.20)
10       9.20 (52.74)     8.43 (36.01)     2.90 (6.23)      2.77 (4.23)      0.26 (1.05)      0.08 (0.40)
11       8.54 (49.34)     7.90 (32.33)     2.63 (5.46)      2.82 (3.68)      0.21 (0.97)      0.52 (2.40)
12       10.13 (54.22)    8.68 (33.53)     3.68 (8.18)      3.44 (5.17)      0.26 (1.03)      0.76 (3.80)
13       9.41 (53.05)     10.83 (42.18)    3.07 (6.92)      4.26 (7.38)      0.12 (0.45)      1.36 (5.99)
14       11.59 (65.48)    11.15 (45.32)    3.78 (8.64)      4.08 (7.38)      0.23 (0.92)      1.24 (6.20)
15       12.04 (66.87)    11.28 (47.76)    4.07 (9.45)      3.79 (6.60)      0.28 (1.10)      1.12 (5.60)
16       13.94 (80.53)    9.98 (50.19)     4.32 (10.11)     2.05 (2.76)      0.49 (1.67)      0.28 (1.40)
17       12.36 (66.72)    10.25 (42.45)    4.46 (11.84)     3.64 (7.52)      0.49 (2.04)      1.28 (6.40)
18       10.00 (55.16)    11.98 (49.39)    3.49 (10.78)     4.28 (8.58)      0.47 (2.07)      1.48 (7.19)
19       4.33 (14.27)     11.58 (49.68)    3.93 (13.97)     3.82 (8.03)      0.91 (4.46)      1.40 (7.00)
20       4.04 (13.89)     12.35 (57.09)    4.10 (13.99)     3.38 (6.71)      0.79 (3.90)      1.16 (5.80)
21       4.86 (17.18)     11.85 (51.59)    4.93 (17.30)     3.77 (7.12)      0.63 (2.95)      1.20 (6.00)
22       4.87 (17.54)     12.23 (53.81)    4.93 (17.66)     3.79 (7.36)      0.44 (1.98)      1.28 (6.40)
23       5.88 (20.48)     11.68 (44.66)    5.07 (19.48)     4.08 (7.77)      0.86 (4.21)      1.36 (6.80)
24       12.94 (63.64)    13.50 (59.85)    5.72 (21.43)     4.13 (8.39)      0.91 (4.94)      1.48 (7.40)
25       14.28 (71.53)    13.13 (57.79)    6.22 (25.48)     4.05 (6.90)      0.70 (3.46)      1.12 (5.60)
26       11.49 (51.76)    14.25 (62.04)    6.01 (24.84)     4.51 (7.61)      0.79 (4.30)      1.20 (6.00)
Average  8.44             9.20             3.81             3.18             0.45             0.75

In a field experiment, Jamal, Maier, and Sunder (JMS [2003]) construct 200 identities (name, address, e-mail address) and attempt to register twice on each of 100 high-traffic Web sites in the United States. In the opt-in registrations (n = 69), JMS allow the Web site to use their personal data both for internal marketing purposes and for selling personal data to external third parties. In the opt-out registrations (n = 43), JMS do not allow the Web site to use their data for any secondary purpose. We apply the JMS field experiment methodology to 56 high-traffic Web sites in the United Kingdom. Of the 56 Web sites, 40 allow opt-ins and 25 allow opt-outs.

[Figure 1 chart. Vertical axis: E-Mail Messages Per Website (0 to 16). Horizontal axis: Week Number (1 to 25). Series: UK Opt-in, US Opt-in, UK Opt-in w/o Outlier, US Opt-in w/o Outlier, UK Opt-out, US Opt-out.]

FIG. 1. Mean number of e-mail messages received. In a field experiment, Jamal, Maier, and Sunder (JMS [2003]) construct 200 identities (name, address, e-mail address) and attempt to register twice on each of 100 high-traffic Web sites in the United States. In the opt-in registrations (n = 69), JMS allow the Web site to use their personal data both for internal marketing purposes and for selling personal data to external third parties. In the opt-out registrations (n = 43), JMS do not allow the Web site to use personal data for any secondary purpose. JMS track the number of e-mail messages received at each registered address over the 26 weeks following registration. We apply the JMS procedure to 56 U.K. Web sites regulated by E.U. privacy law. From our 56 Web sites in the United Kingdom, 40 allow opt-ins and 25 allow opt-outs. Raw data for this chart are shown in table 2. Figure 1 shows the average number of messages received by all U.S. and U.K. opt-in sites, the average number of messages for all U.S. and U.K. opt-in sites except one outlier removed from both the U.S. and U.K. sites, and the average number of messages received from all U.S. and U.K. opt-out sites.

the opt-in sample, the number of opt-in messages (mean of 3.18 e-mail messages per week) continues to be significantly more than that of the opt-out messages (mean difference = 2.42, t = 27.55, 25 df, p < 0.000). This pattern of results also replicates the U.S. data reported by JMS [2003]. There is no significant difference between the opt-in e-mail level in the United States and the United Kingdom for both total e-mail received (GLM, F[1, 107] = 0.01, p = 0.9231) and after excluding one outlier from each of the U.K. and the U.S. opt-in data (GLM, F[1, 105] = 0.14, p = 0.7063).10

10 The top five sources of opt-in e-mail in the United Kingdom are one gambling site, three retail sites, and one news site. The top five sources of opt-in e-mail in the United States are a gambling site, two retail sites, one greeting card site, and one news site. Spam originates from a variety of legitimate and highly reputable sites.

[Figure 2 chart. Vertical axis: Cumulative Frequency (0.5 to 1). Horizontal axis: Site Ranked By Number Of Messages. Series: UK Opt-out (24 sites), US Opt-out (40 sites).]

FIG. 2. Cumulative percentage of e-mails received from volume-ranked opt-out Web sites in the United States (self-regulation) and the United Kingdom (government regulation). In a field experiment, Jamal, Maier, and Sunder (JMS [2003]) construct 100 identities (name, address, e-mail address) and attempt to register twice on each of 100 high-traffic Web sites in the United States. In the opt-out registrations JMS do not allow the Web site to use data for any secondary purpose. Of the 100 Web sites, 43 allow opt-outs. JMS track the number of e-mail messages received in each registered address over the 26 weeks following registration. We replicate the JMS procedure in the United Kingdom for 56 high-traffic Web sites. Twenty-five U.K. Web sites allow opt-outs. We chart the number of e-mail messages received at each of our opt-in and opt-out addresses. In the United States, one site alone (blank circle) generates 62% of all opt-out messages (indicated by the first circle on the chart). The five highest volume sites generate 91% of the total opt-out messages. In the United Kingdom (dark circle symbol in the figure), one site generates approximately 93% of all messages. The five highest volume sites generate 97% of the total opt-out messages. Note that the vertical scale is truncated at 50% to highlight the differences in the 90% to 100% range.

In an independent study of e-commerce spam in the United States, the Center for Democracy and Technology [2003] also reports that most Web sites where their researchers registered honored their opt-out choices. Most spam originates not from such registrations but from e-mail addresses left on high-trafc Web sites or used in Internet public discussion groups. Spammers use various technology robots to harvest e-mail addresses from public Web sites.

5. Discussion and Concluding Remarks


The United Kingdom (and the European Union) protect the privacy of the citizens by legislating standards to be monitored and enforced by the government. The United States, on the other hand, allows the privacy policies in e-commerce to evolve as norms or conventions of e-commerce without legislated standards or a public enforcement mechanism. For-profit and not-for-profit organizations have developed competing privacy standards accompanied by compliance certification of e-commerce sites for a fee. Our comparative study of the performance of these two regimes covers two dimensions of privacy. On the choice/consent dimension (i.e., participants control any secondary uses of their personal information) we find that the performance of the two regimes, as measured by the number of e-mail messages sent to those who do and do not give consent to receive such messages, is almost identical. With only a few exceptions, most e-commerce sites honor the choice exercised by the registrants. Under both regimes, a few Web sites flood their registrants with commercial e-mail messages, disregarding registrants' wishes. Registrants who indicate their willingness to receive commercial e-mail messages receive a comparable level of message traffic under both regimes.

[Figure 3 chart. Vertical axis: Cumulative Frequency (0.5 to 1). Horizontal axis: Site Ranked By Number Of Messages (1 to 67). Series: UK Opt-in (40 sites), US Opt-in (69 sites).]

FIG. 3. Cumulative percentage of e-mails received from volume-ranked opt-in Web sites in the United States (self-regulation) and the United Kingdom (government regulation). In a field experiment, Jamal, Maier, and Sunder (JMS [2003]) construct 100 identities (name, address, e-mail address) and attempt to register on each of 100 high-traffic Web sites in the United States. In the opt-in registrations, JMS allow the Web site to use their personal data both for internal marketing purposes and for selling data to external third parties. Sixty-nine Web sites allow JMS to register and opt in. JMS track the number of e-mail messages received in each registered address over 26 weeks. We replicate the JMS procedure in the United Kingdom for 56 high-traffic Web sites. Forty of these Web sites allow opt-ins. We chart the number of e-mail messages received at each of our opt-in and opt-out addresses. In the United States, one site alone (an outlier) generates 56% of all opt-in messages (indicated by the first blank square on the chart). The five highest volume sites generate 80% of the total opt-in messages. In the United Kingdom (dark square symbol in the figure), one site generates approximately 66% of all messages. The five highest volume sites generate 83% of the total opt-out messages. Note that the vertical scale is truncated at 50% to highlight the differences in the 90% to 100% range.


On the notice/awareness dimension (i.e., participants receive timely notice of an entity's information and privacy policies), the overall performance of the standards and enforcement regime of the United Kingdom is about the same as that of the evolutionary regime of the United States. In spite of the privacy law and enforcement mechanism, fewer U.K. Web sites post their privacy policies. It is more difficult to find the privacy policy statement on U.K. Web sites even when they are posted. These Web sites are less likely to disclose the use of cookies and how the data gathered are used for secondary internal and external marketing purposes. In the United Kingdom, there is less use of cookies and less use of third-party cookies to monitor activities of visitors to Web sites. This improvement in business practice (less monitoring) is offset by generally poorer disclosure of privacy practices and slower development of an audit market to signal good privacy policies. In the absence of legislated standards and government enforcement, a market for Web assurance services, including privacy assurance, has arisen in the United States. About one third of the U.S. Web sites in the JMS [2003] sample chose to pay a small fee to such service providers (e.g., TRUSTe and BBB Online) and had them certify that: (1) the Web site policies conformed to the privately developed standards of the assurance service provider, and (2) the Web site practices conformed to the Web site's stated policies. (See appendix A for TRUSTe's compliance activity.) The U.S. Web sites that displayed the service providers' assurance seals performed at least as well as, and on average better than, the U.K. Web sites in protecting the privacy of their users. The legislation and enforcement mechanisms in the United Kingdom and the European Union were set up on the assumption that they will help improve privacy on the Internet.
Our comparative study of the United Kingdom and the United States reveals that privacy has fared no better in the United Kingdom than in the unregulated U.S. environment. Although the E.U. law may have helped reduce the use of first- and third-party cookies, it also appears to have reduced the availability and quality of disclosure. Also, unlike the United States, a U.K. market for Web seals barely exists. U.K. consumers appear to continue to be as vulnerable to misbehavior by a few outliers as their U.S. counterparts. In the absence of mandated standards, U.S. Web sites tend to view the disclosure of privacy policies as part of their marketing strategy to attract consumers. Accordingly, they make it easy to find their statements of policy and adhere to these policies reasonably closely. U.K. Web sites, on the other hand, appear to view privacy disclosure as merely a compliance matter and are largely indifferent to consumer concerns about their privacy policies. On average, they make it more difficult for their customers to find their statements of policy as compared with U.S. Web sites. We were able to gather some data on the enforcement efforts and activities of one of the two major Web seal providers in the United States (TRUSTe) and for the IC in the United Kingdom (see appendixes A and C). The enforcement budget of the IC is significantly larger (for regulating a much

smaller economy) than TRUSTe's enforcement budget. The same is true of the number of complaints. Although the IC relies on its staff, TRUSTe has automated most of its monitoring operations and relies on consumer complaints to identify violations beyond the capability of its monitoring programs. The number of enforcement actions by TRUSTe is almost negligible as compared with the IC. Our conclusions from the comparison between U.S. and U.K. data need to be moderated by several considerations. First, the data in the United States were gathered one year earlier. The U.S. disclosure data collection (July) and Web site registrations (August) were done by JMS [2003] in the summer of 2001, whereas our U.K. disclosure data collection (May/June) and Web site registrations (September) were done in the summer of 2002. It is possible that a shift in the e-commerce practices may have occurred during this interval, eroding the validity of the comparisons presented here. Second, we are careful registrants who opt out immediately upon registration and follow the JMS [2003] procedure of visiting only high-traffic and reputable Web sites. It is possible that less careful registrants, and users who visit less reputable Web sites, may get much larger volumes of unwanted (spam) e-mail (Center for Democracy and Technology [2003]). The effect of regulation on operators of less reputable Web sites may be different from the results reported in this study. Future research could examine how such Web sites respond to regulation. Third, the final chapter of Internet privacy practices and regulation has not yet been written. We cannot rule out the possibility that the United States may follow the legal approach of the European Union in the future, or that the European Union may abandon its law. Even if legislation is passed in the United States, our results suggest that the problem of spam or pop-up ads may not be solved.
It may well be that the law will have to evolve to plug the loopholes exploited by spammers through ever-evolving technology.11 Demands for amendments in, and better enforcement of, the privacy law in the United Kingdom have already appeared. Given the rapid change in electronic technology, it is likely that any law passed in the United States would evolve through much iteration before it satisfactorily enhances the privacy of consumers. It may be faster and less error prone for informal norms to evolve in response to the changing behavior of corporate management. There is not enough evidence yet about the relative abilities of law and social norms to respond efficiently to environmental changes. We cannot yet make definitive judgments about whether law must displace informal norms for a market to succeed. We believe it is more likely that both jurisdictions will settle on some combination of the

11 Hansell points out: "The anti-Spam bill passed by the Senate may do little to stop legitimate companies from sending so-called white-collar spam" (S. Hansell, "Big Companies Add to Spam Flow," New York Times, October 28, 2003, section A, p. 1).

two approaches that relies partially on regulation and partially on evolved norms. This belief is reinforced by Cheit's [1990] comparison of protective standards written by four pairs of public agencies and private organizations operating in the same space: grain elevators, woodstoves, aviation fire safety, and gas space heaters. He questions the economics and political science theories (e.g., Stigler [1971], Wilson [1980]) about the relative nature and efficacy of safety standards set by government agencies and private organizations, and he finds little evidence to support any of them in the field data. He shows that hundreds of little-known organizations (e.g., Underwriters Laboratories and the National Fire Protection Association) follow rigorous due process, and their standards play significant roles in regulation, directly as well as through incorporation into government laws and regulations. This is not to say that private standards are generally better or worse than public standards. Insufficient information is available to reach a conclusion. There are reasons both to doubt and to believe the conventional wisdom about public and private regulation. What is needed is more detailed information about the similarities and differences between standards setting in the public and private sectors (Cheit [1990]). The same regulatory space is often occupied by both government and nongovernment organizations with little systematic evidence on the circumstances in which one kind of standards is more desirable than the other. Kelman's [1981] comparative study shows that two seemingly different regulatory regimes of workplace safety and health in the United States and Sweden produced surprisingly similar results. Our own results parallel Kelman's findings in this respect. There seems to be no body of theory or evidence to guide policy makers in choosing between public and private mechanisms for a given standards and regulatory task.
Finally, there are many differences between the United Kingdom and the United States and between e-commerce privacy and financial reporting that require us to exercise caution in making analogies from one jurisdiction to another (Healy [2003]). Our study is not a perfect controlled experiment; therefore, an inferential judgment must be made across these jurisdictional differences. Recent research in banking (Barth, Caprio, and Levine [2003]) and securities regulation (Romano [2002], La Porta, Lopez-de-Silanes, and Shleifer [2003]) examines the possibility of regulatory failures, especially when public as opposed to private enforcement is the primary instrument of regulation. In financial reporting, the Securities Act of 1933 and the Securities Exchange Act of 1934 imposed an accounting regulator (the SEC) as well as a mandatory requirement to have an independent audit. The simultaneous imposition of both requirements has led to a general perception that enforced standards of accounting and a market for auditing services are

complementary. Our e-commerce results suggest that accounting regulation and auditing may be substitutes instead. Commoditization of the financial statement audit may have been speeded up by extensive regulation of financial accounting. A recent attempt by the audit profession (American Institute of Certified Public Accountants [AICPA]) to divorce auditing from accounting (hence the move from audit to assurance services) is also consistent with the argument that extensive regulation of financial reporting reduces the demand for auditing. The link between regulation of financial accounting and private demand for auditing may not be as direct as is often assumed in the accounting literature.12 Recent months have seen a revival of the old debate about the degree to which financial reporting should rely on detailed rules versus broad principles of accounting. Any shift in emphasis between rules and principles implies a corresponding change in reliance on formal enforcement and norms of behavior. The consensus seems to be shifting toward placing more weight on principles. The findings of the present study that raise questions about the effectiveness of enforced law in enhancing e-commerce privacy can be usefully considered in this light. Law, auditors, reputation, business norms and practices, warranties, disclosure, and industry associations are competing trust-creation mechanisms associated with markets. The value of each mechanism depends on which other mechanisms are available in a particular market. Although each mechanism may be useful in isolation, the marginal value of some over others may be small. A large body of literature in psychology (Cook [2001]), sociology (Granovetter [1985]), and political science (Putnam [1993]) suggests that key trust creation mechanisms in society are personal relationships and social embeddedness of market participants rather than legal rules and formal enforcement structures.
Our results suggest that the value of legal regulation and enforcement may be overestimated when the availability of alternative trust generation mechanisms is ignored in studies of accounting regulation. Future research can help us understand the incremental value of formal legal regulation and enforcement in situations where other trust-creation mechanisms are available.

12 The AICPA and the Big 4 accounting firms failed to penetrate the e-commerce privacy assurance market, which is currently dominated by TRUSTe and BBB Online. The AICPA focused its online Web seal (WEBTRUST) on selling assurance with respect to business practices (internal control) and security, not privacy, and found that there is little demand for what they offered at the high prices they demanded. DeWally and Ederington [2003] document a thriving market for quality assurance services for comic books sold on eBay. Although eBay designated PepBoys as its official assurance provider for used cars sold on its system, the demand for this service appears to be small.

APPENDIX A
Enforcement Activity by TRUSTe from 2001 to 2003

                                                                 2001          2002          2003
Total budget                                               $1,100,000    $1,800,000    $2,300,000
Total privacy-related complaints received                       1,563         1,547         1,201
Change in Web site operations required                              3             5             1
Change in privacy policy required                                  13             9             1
On-site audit required                                              2             0             1
Web seals revoked                                                   0             0             2
Number of failed Watchfire scans                                                              345
Percentage of failed Watchfire sites compliant within 10 days                                100%

TRUSTe provides a privacy Web seal to Web sites in the United States that wish to voluntarily convey their good privacy policies to visitors. TRUSTe monitors licensees for compliance with the TRUSTe privacy program using three processes: (1) an initial (manual) Web site review, (2) an automated audit using Watchfire technology (robots) to scan licensees for ongoing compliance, and (3) online community monitoring whereby members of the public can file watchdog reports. In 2003 TRUSTe installed a Watchfire Privacy monitoring system to augment manual screening done when a Web site first registers for a TRUSTe seal. This new monitoring system ensures that each Web site is screened electronically at least twice a year for compliance with their privacy policy. Information on the budget and Web seals revoked was obtained from TRUSTe's 2003 annual report. Information on complaints and resolution of complaints was obtained from monthly watchdog reports posted at http://www.truste.org/users/users watchdog reports.html.

APPENDIX B
UK Data Protection Act 1984 (Amended in 1998 for Compliance with European Union Privacy Law)
SCHEDULE 1: THE DATA PROTECTION PRINCIPLES
PART I: THE PRINCIPLES

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met (requirements of informed consent), and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The UK Data Protection Act of 1984 can be obtained online at www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm.
APPENDIX C

Enforcement Activity by the UK Information Commissioner for the Five Years from 1997 to 2002

                                  1997-1998   1998-1999   1999-2000   2000-2001   2001-2002
Total budget                      3,661,690   4,190,489   4,721,666   5,280,860   8,244,982
No. of staff                            109         118         114         126         157
No. of phone inquiries               48,337      48,549      55,070      55,125      56,982
Total complaints received             4,178       3,653       5,166       8,875      12,479
Visits to business premises             471         700         388         480         448
Visits to dwellings                     313         319         199         235         411
Witness statements obtained             378         433         346         355         375
Interviews under caution                136         216          98         144          58
Court prosecutions                       38          59         145          23          66
Court convictions (guilty)               38          55         130          21          33

The Information Commissioner enforces and oversees the Data Protection Act of 1998. The commissioner is a UK independent supervisory authority reporting directly to the UK parliament. The commissioner's mission is: "We shall develop respect for the private lives of individuals and encourage the openness and accountability of public authorities. We shall promote good information handling practices and enforce data protection and freedom of information legislation; and seek to influence national and international thinking on privacy and information access issues." This information on the budget and enforcement activity of the UK Information Commissioner was obtained from the commission's annual report, which can be obtained at http://dataprotection.gov.ukar2001annrep/.

