Privacy Policies Online

Steve McRobb and Simon Rogerson


Many authors have identified fears about a lack of personal privacy online as a major disincentive to the take-up of e-commerce by private consumers. The publication of a privacy policy is encouraged by ICT industry groups such as the Online Privacy Alliance, and by online certification bodies such as TRUSTe. Privacy policies are taken to reassure the wary, and thereby to overcome the disincentive to trade. Many authors have identified the simple presence or absence of a privacy policy as one of the key determinants of trust for consumers at the point of deciding whether or not to commit to an online transaction. Once a privacy policy exists on an organisation’s website, further questions arise regarding its content, its organisation, its visibility, its style, etc.

This paper reports on the second major phase of an ongoing research project into the practical measures taken by organisations to publish their online privacy policies. The research began, fortuitously, just before the September 11 World Trade Centre attack and the implementation of the EU Privacy Directive, and these have provided the authors with an unparalleled opportunity to examine some aspects of the dynamic nature of trust in online commerce.

The first phase (in preparation for publication at the time of writing) was based upon a survey undertaken early in September 2000, when a total of 113 disparate websites were identified that included some kind of explicit privacy policy, and the visibility and content of the policy were analysed. The dataset proved surprisingly rich, and the analysis undertaken to date has barely scratched its surface. The analysis was set in context by relating it to a discussion of the nature and role of trust in online relationships. This highlighted a number of issues that need further attention on the part of some of the organisations in the survey.

This second phase of the study is based on a survey of the same sites that was undertaken late in 2002. A number of analyses have been carried out based on the two datasets now available for investigation. Firstly, a comparative analysis has been undertaken using the same techniques to determine what changes have taken place in the intervening two years. Further conclusions are drawn from this comparison, including (but not limited to) some of the possible effects on online privacy policies of intervening world events.

In addition to the straightforward comparisons enabled by the collection of similar data about the same organisations over a two-year sampling interval, some further analysis has also been undertaken of both datasets. Reflection on the interim results of the first phase of the survey has prompted several further research questions. In particular, an effort has been made to determine the interaction between organisation characteristics (such as sector, size, nationality, etc.) and privacy policies. This sheds further light on the significance of privacy policies for online commerce.

The work is ongoing. It is anticipated that the findings presented here, and the reactions of colleagues at conference and elsewhere, will, in turn, prompt further questions that may be asked of the existing data. It is also anticipated that further research directions will be identified, prompting still further research that is yet to be designed in any detail. A further survey is already planned for 2004, and other spin-off projects are currently under consideration.