Privacy Policies Online: further results from a continuing investigation

Steve McRobb and Simon Rogerson


This paper represents an update on the progress of an ongoing research project to investigate the characteristics of online privacy policies, and the ways that a sample of policies have changed over three biennial surveys undertaken in 2000, 2002 and 2004.

Publication of a privacy policy is encouraged by industry groups such as the Online Privacy Alliance, and by online certification bodies such as TRUSTe, since such policies are taken to reassure the wary, and thereby to overcome one of the main presumed disincentives to trading online. Clearly such a view is based on assumptions about the nature and formation of trust between individuals and organisations in an online environment. Our research is founded on a theoretical investigation of trust online, which provides an underpinning to the empirical enquiry.

The research began in 2000 with a selection of 113 websites from a variety of organisations, all of which published a privacy policy that gave (in some cases, attempted to give; in yet other cases, simply failed to give) information about the collection of data through the organisation’s website and its subsequent use. The organisations in the sample included large and small commercial businesses from many sectors and regions, voluntary sector organisations and a number of government departments and other public sector agencies. Further surveys have been conducted at two-year intervals, and the data collected is currently undergoing analysis.

The surveys use a non-judgemental sampling approach that is in keeping with the primarily interpretive thrust of the research. Taken together, the three surveys completed so far provide a unique opportunity to investigate how organisations have shaped their online privacy policies in response to changing perceptions of the importance and role of trust in the decision-making processes of a variety of buyers and browsers. While the direction of the research has been, to a large extent, determined by the findings as they have emerged from the analysis, the results so far indicate an incomparably rich source of data that illuminates the dynamic nature of trust online.

Interim reports on earlier phases of the research have been presented at this conference in 2002 and 2004, and a paper on the first phase to be completed has also subsequently been published in IT and People. These papers highlighted a number of issues that required attention on the part of those organisations that choose to publish an online privacy policy. For example, some privacy policies were so hard to understand that their value as a persuasive tool is open to considerable doubt. Others were so hard to find that there seemed little point in going to the trouble of posting them. The results of the first survey also indicated that many organisations show a great deal of inconsistency in their approach. For example, the most readable policies were not necessarily the easiest to find. There were also surprising regional effects. For example, North American policies scored more favourably on most assessed aspects than did European policies, with the exception of policy visibility. This ran counter to the expected effect, based on European legislation regarding data privacy. As comparative data between consecutive policies has become available, this has revealed some of the major changes in policy content, structure etc. that have taken place in the sample policies in the interval between 2000 and 2002. These changes did not, on first inspection, appear to be minor. Over this two-year period, only 12% of policies showed no change, while over half showed ‘significant’ or ‘radical’ changes. Since this period includes a number of significant world events (not least, the World Trade Center attacks, but also the implementation of the EU Privacy Directive), this is perhaps to be expected. It is anticipated that further investigation will throw more light on the ways that organisations have sought to respond to changes in the commercial and regulatory environment.
Efforts are currently being focused on a detailed examination of these changes, and this paper will report the latest findings from the analysis.

A further sample was collected late in 2004, and the preliminary results of the analysis of this latest survey will be available in time to report at conference. These are expected to reveal a further step in the evolution of online privacy policies, although at this stage it is not possible to forecast with any confidence what changes may be involved.