International Differences in Information Privacy Concern - CiteSeerX

International Differences in Information Privacy Concern 1

International Differences in Information Privacy Concern: Implications for the Globalization of Electronic Commerce† May 7, 2003 Steven Bellman* Senior Lecturer Graduate School of Management University of Western Australia 35 Stirling Highway Crawley, WA 6009 AUSTRALIA Phone +61-8-9380-1513, fax +61-8-9380-1072 [email protected] Eric J. Johnson The Norman Eig Professor of Business Department of Marketing Columbia School of Business Columbia University 3022 Broadway New York, New York 10027 Phone 212-854-5068, fax 212-316-9214 [email protected] Stephen J. Kobrin William H. Wurster Professor of Multinational Management Director, The Joseph H. Lauder Institute of Management and International Studies University of Pennsylvania 256 South 37th St. Philadelphia, PA 19104-6330 Phone 215-898-7732, fax 215-898-2067 [email protected] Gerald L. Lohse Accenture The Wanamaker Building 100 Penn Square East Philadelphia, PA 19107 Phone 267.216.1876, AIM: webphd57 [email protected]

RUNNING HEAD: International Differences in Information Privacy Concern †

This research was funded by the Columbia Center for E-Business (cebiz.org) and the member companies of the Wharton Forum on Electronic Commerce. *Author to whom proofs and correspondence should be sent


International Differences in Information Privacy Concern: Implications for the Globalization of Electronic Commerce Abstract Privacy concerns and willingness to participate in relationship marketing differ around the world. Using a sample of Internet users from 38 countries matched against the Internet population of the United States, we tested hypotheses relating variance in information privacy concern to differences in cultural values, national regulation of privacy, and familiarity with Web privacy practices. Cultural values and national regulation had a significant influence on privacy concerns, as did the sensitivity of the context of data collection. After controlling for differences in demographics and Internet experience, there were significant residual differences between the privacy concerns of consumers from six regions: U.S.; Canada, the UK, and Ireland; Continental Europe (current me mbers of the EU); Australia and New Zealand; and Other Countries. While there are substantial areas of agreement, for example, that private information should not be shared without permission, in other areas consumers from the U.S. differ significantly from consumers in some other regions, and these differences suggest the need for customized privacy protocols. [163 words] Keywords: privacy, security, international, global, Internet, Web, electronic commerce, data protection, government regulation, cultural values [10]


For many companies with little experience of doing business internationally, putting up a Web site has introduced the problems of trading across borders. Even companies with a long history of international data flows may have to adjust to changes in international legislation restricting the collection and use of personal information over the Internet. In the research reported in this article, we measure the influence of differences in government regulation on the privacy concerns of consumers in different countries. By controlling for differences in regulation, we look beyond the current period of harmonization to examine whether these differences in privacy concern would remain if the same laws applied globally. If these differences in concern were influenced by cultural values, they may well persist despite marketer- led education and incentives. On the other hand, differences in concern that remain after regulation is equalized may be due to unfamiliarity and lack of knowledge about the new marketing practices the Internet makes possible. If government regulation, cultural values, and knowledge of Web privacy practices explain differences in privacy concern, a company could use information on these variables to predict whether consumers in a country or region will accept the direct marketing practices it plans to introduce there. The ability of Web sites to collect information unobtrusively has heightened concern about the privacy of personal information. In 2001, only six percent of U.S. consumers had a “high level of trust” in how Web sites protect personal data (Carroll, 2002), and 79.7 percent of Americans said that “controlling what information is collected about you” was extremely important to them (Harris, 2001a). A multinational poll in 1999 found that 80 percent of consumers in the U.S., 79 percent in Germany, and 68 percent in the UK agreed that “consumers have lost all control over how personal


information is collected and used by companies” (IBM, 1999). In Canada too, concern about information privacy has been rising, with 92 percent of Canadians at least “moderately” concerned (Campbell, 1997). This high level of concern about information privacy has been reflected in new privacy legislation in several countries. Differences between local information privacy regulation regimes could potentially disrupt international trade, but there has been some international effort at harmonization, such as the 1980 OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (OECD, 2002) and the European Union Data Privacy Directive (EU Directive: EU, 1995), which has unified privacy legislation within the Member States of the EU. Countries wanting to join the EU and countries that want to ensure smooth trade with the EU, such as Canada and Australia, have enacted data-protection laws similar to the EU Directive (Long and Quek, 2002). In contrast to the EU, the U.S. has maintained a sectoral and self-regulatory approach to privacy legislation, but the “safe harbor” agreement between the U.S. and the EU allows U.S. companies that adhere to the “Safe Harbor Privacy Principles” to process data from consumers in the EU (EU, 2000). Even when legislation does not impede the transfer of personal information, differences in privacy concern at the individual level may still restrict the use of personal data for marketing purposes. Consumers in different countries differ substantially in their attitudes toward companies’ collection of personal data. Industry groups have argued that surveys of privacy concern should be taken “with a grain of salt” as the number of consumers buying online continues to grow despite high levels of concern about privacy on the Net (e.g., Turner and Varghese, 2001; Harper and Singleton, 2001). However,


other research suggests that online buying would be even more pervasive if privacy concerns were better addressed. Direct links have been found between concern about privacy and willingness to place an order by phone or mail (Campbell, 1997), or online (Lohse, Bellman, and Johnson, 2000), and the number and value of items purchased from catalogs (Phelps, D’Souza, and Nowak, 2001). Negative association between privacy concerns and participation in direct marketing varies across countries and seems to be larger outside the U.S. Roughly three-quarters of all consumers express concern about information privacy in the U.S., Germany, and the UK. However, while 48 percent of U.S. consumers express some interest in receiving direct marketing material, this percentage drops to below a third in Germany (32%) and the UK (29%) (IBM, 1999). This study investigates whether privacy concerns vary across countries in line with influences that companies can either measure, such as differences in government regulation or cultural values, or modify, such as knowledge about privacy practices. Our research builds on previous studies in this area. Differences in information privacy concern have been found in national probability samples of consumers from the U.S., the UK, and Germany (IBM, 1999). Country differences can be due to many variables, such as differences in demographics or differences in cultural values (Malpass and Poortinga, 1986; Poortinga and Malpass, 1986). In this study we control for differences in demographics to isolate the effects of cultural values, government regulation, and knowledge of Web privacy practices. Milberg, Smith, and Burke (2000) controlled for differences in demographics by using country samples from the same occupational group, members of the Information Systems Audit and Control Association, and identified cultural values and government regulation as key drivers of international differences in


information privacy concern. In this study, we replicated and extended the findings of both this and the 1999 IBM study by surveying consumers from 38 countries who used the Internet, and we assessed the implications of our findings for companies using the Web to market to consumers in different countries.

CONCEPTUAL FRAMEWORK AND HYPOTHESES Previous research suggests that country differences in privacy concern are related to cultural values and government regulation. We develop hypotheses for these relationships in the following sections. First, we define information privacy and relate overall concern for information privacy to its four underlying dimensions. Information Privacy Privacy is a multidimensional concept, embracing physical privacy (solitude), social privacy (interaction and disclosure), the ability to make decisions without interference, and the privacy of personal information (Bennett, 1992; Laufer and Wolfe, 1977; Stone and Stone, 1990). Westin (1967) defined information privacy as the amount of control that individuals can exert over the type of information and the extent of that information revealed to others. Americans are willing to exchange their information privacy in return for some social or economic benefit (Long and Quek, 2002). Many studies have examined this “calculus of behavior” (Laufer and Wolfe, 1977), in which individuals assess whether the benefits of revealing their personal information may be outweighed by possible negative consequences, or the possibility that their personal information will not used fairly (Culnan and Armstrong, 1999; Eddy, Stone, and StoneRomero, 1999; Milne and Gordon, 1993; Stone and Stone, 1990). In other countries,


where privacy is viewed as a fundamental right, consumers may be less ready to bargain with their privacy (Long and Quek, 2002). Prosser (1960) associated privacy concerns with four legal torts: (1) intrusion into a person’s seclusion or solitude, (2) public disclosure of embarrassing private facts, (3) false light, that is, public disclosure of false information about a person, and (4) appropriation of a person’s identity or image without permission. Marketing communications and data collection can be intrusive; marketers can appropriate consumer information surreptitiously or without giving consumers control over its use; and marketers can disclose embarrassing facts about consumers or make use of false or inaccurate information (Nowak and Phelps, 1997). Smith, Milberg, and Burke (1996) reviewed the various aspects of information privacy concern and found that four dimensions summarize these concerns. Collection reflects the growing impression, matched by increasing technological capabilities for surveillance, that companies are getting more intrusive and collecting unreasonable amounts of personal data, perhaps without fair notice or consent. Unauthorized Secondary Use refers to the appropriation of information collected from a consumer for another purpose, either internally within the company or externally by another company, without implied or explicit permission. Improper Access reflects lapses in the integrity and security of information systems that allow the disclosure of personal information to unauthorized individuals. Finally, the Errors dimension describes concern that databases may, either by accident or design, contain inaccurate personal information that portrays consumers in a false light. In this study, we use Smith, Milberg, and Burke’s (1996) four dimensions of information privacy, which have been used in several international studies (e.g., Campbell, 1997;


Milberg et al., 1995; Milberg, Smith, and Burke, 2000), to compare concerns in different countries. Cultural Values The relative importance of privacy, and the means of achieving it, has been found to vary between cultures (Altman, 1977; Milberg, Smith, and Burke, 2000). Cultural values are a set of strongly held beliefs that guide attitudes and behavior and that tend to endure even when other differences between countries are eroded by changes in economics, politics, and technology (Hofstede, 1980; Schwartz, 1994), or external pressures, such as education campaigns by marketers (Long and Quek, 2002). Hofstede (1980, 1991) has quantified the characteristics of 56 countries and regions using five dimensions of cultural values. Countries with similar scores on these dimensions can be grouped into regions with similar cultural values. Milberg et al. (1995) proposed several relationships between Hofstede’s dimensions of cultural values and differences in concern for information privacy. Most of these relationships were later confirmed in a study of information system auditors from 19 countries (Milberg, Smith, and Burke, 2000). This later study found a significant positive effect of a formative measure of cultural values on overall concern for information privacy. This overall effect was due to the individual effects of four of Hofstede’s dimensions of cultural values. Countries with a high Power Distance Index (PDI) tolerate a greater level of inequality between groups with greater and lesser power. Higher scores are also associated with greater mistrust of more powerful groups, such as companies. Smith, Milberg, and Burke (1996) found a positive association between interpersonal trust and concern for informational privacy. Countries with a high level of Individualism (IND)


prefer independent life styles and the right to a private life. Low scores for individualism reflect a preference for its opposite, collectivism, which emphasizes loyalty to a tightly knit group, such as the extended family (Schwartz, 1990; Triandis et al., 1988). In collectivist societies, there is greater acceptance that groups, including organizations, can intrude upon the private life of the individual. For example, in Japan, a collectivist culture, there was no indigenous word for ‘privacy,’ which delayed discussion of privacy regulation for over 30 years (Ishikawa, 2000). Countries with higher scores for Masculinity (MAS) tolerate greater levels of inequality between males and females and place greater emphasis on achievement and material success over caring relationships and quality of life. Societies with a high Uncertainty Avoidance Index (UAI) feel more threatened by uncertain and ambiguous situations and try to avoid these situations (Hofstede, 1980, 1991). Societies with high UAI tend to reduce their uncertainty and insecurity by embracing clear written rules and regulations, and they may be more likely than other societies to alleviate their concerns about information privacy by introducing higher levels of government regulation (Milberg et al., 1995). Milberg, Smith, and Burke (2000) reported positive associations for PDI, IND, and MAS with the overall effect of cultural values on information privacy concern across countries, and a negative association for UAI. Using a measure of cultural values that replicates the one used by Milberg, Smith, and Burke (2000), we expect to find support for the following hypothesis: HYPOTHESIS 1: Cross-cultural values will be associated with differences in concern about information privacy.


Government Involvement in Regulation There is a general consensus that the level of government involvement in the regulation of information privacy is associated with the level of privacy concern in a country (Bennett, 1992; Flaherty, 1989; Smith, 1994). Public concern over sophisticated surveillance technology and the computerization of centralized databases during the 1960s prompted the first wave of data protection legislation, beginning with Sweden in 1973 and the United States in 1974 (Bennett, 1992). The widespread use of database marketing and telemarketing in the late 1980s (Culnan, 1993), and the commercial use of the Internet in the 1990s, raised public concerns even higher, and governments have reacted to that concern by introducing further government regulatio n, such as the EU Directive, and in the U.S. the 1999 Gramm- Leach-Bliley Act in relation to financial information, and the Children’s Online Privacy Protection Act (Ambrose and Gelb, 2002). Nationwide Mutual Insurance Co., in the U.S., is currently tracking 150 state and federal privacy-related laws that have either been proposed or adopted, and it recently spent about $130,000 complying with a California law against the public disclosure of Social Security numbers in company mail (Whiting, 2002). In the U.S., and until recently Canada and Australia, government regulation has tended to be targeted or sector-specific and aimed mainly at the public sector. This sectoral approach to legislation contrasts with the omnibus approach, to both the public and private sectors, used by the European Union (Givens, 2000). Milberg et al. (1995) developed a five-category continuum of increasing government involvement in information privacy regulation. In countries with a Self-Help model (category 1) legal remedies are available for individuals, but individuals must bring their complaints to a


court. The Voluntary Control model (category 2) relies on responsible persons in corporations to self-regulate information privacy practices in accordance with specific rules defined by law. The Data Commissioner model (category 3) uses an ombudsman to investigate complaints and advise on information practices, although privacy regulation may only apply to the public sector. In the Registration model (category 4), the data commission or another government institution registers databases containing personal data, in both the public and private sectors. Finally, in the Licensing model (category 5), the government institution licensing a database of personal information stipulates conditions and requires prior approval for the use of any data. Milberg, Smith, and Burke (2000) found a significant and positive simple linear relationship between government involvement in the regulation of privacy, measured according to these categories, and overall concern about information privacy. Accordingly, we expect to find support for our second hypothesis: HYPOTHESIS 2: Higher levels of government involvement in regulation of corporate privacy management will be associated with higher levels of concern for information privacy. Public opinion surveys (e.g., Equifax 1991, 1992) have shown that consumers with the highest level of concern about information privacy are more likely to push governments to enact stronger regulation. However, Milberg et al. (1995) expected this relationship to be a complex one and found a significant “inverse-u” relationship between the level of government regulation in a country and concern for information privacy. Countries with little or no privacy regulation, most likely reflecting a lack of pressure for privacy regulation, exhibited low levels of concern about information privacy (Smith,


1994). At the opposite extreme, countries with the strictest government regulation of information privacy also exhibited low levels of concern about information privacy, probably because fewer infringements of privacy were possible (Bennett, 1992). The countries that exhibited the highest levels of concern for information privacy were those with moderate levels of government regulation of privacy practices, which meant that well-publicized infringements of privacy were still possible, raising privacy concerns and pressure for more regulation. Based on Milberg et al.’s (1995) findings, we propose an additional hypothesis about the relationship between government regulation and concern for privacy: HYPOTHESIS 3: There will be a significant quadratic (“inverse-u”) effect of government involvement in regulation on concern for information privacy. Respondents from countries with moderate levels of government regulation will exhibit the highest levels of privacy concern. A further complexity in the relationship between government involvement in the regulation of privacy and privacy concerns is that consumers with equal concern about information privacy problems may prefer different levels of government regulation to solve these problems. The amount of government regulation desired is likely to be influenced by the amount of regulation a consumer is used to. Decision- making research has shown that consumers have strong biases toward the status quo or other reference points when making choices (e.g., Kahneman and Tversky, 1984; Samuelson and Zeckhauser, 1988). Milberg, Smith, and Burke (2000) found a positive relationship between existing government involveme nt in regulation and preference for more government regulation and similar framing effects have been found in responses to


requests for permission-based marketing (Bellman, Johnson, and Lohse, 2001) We would expect to obtain support for the following hypothesis: HYPOTHESIS 4: Higher levels of current governmental involvement in the regulation of corporate privacy management will be associated with a greater preference for even stronger laws to regulate information privacy. Knowledge about Privacy Practices Besides cultural values and government regulation, another influence on information privacy concern is likely to be familiarity with relationship marketing practices and ways of controlling the use of personal information. The length of time since the introduction of a marketing practice in a developing country, and hence the familiarity of the population with that marketing tool, has a substantial impact on consumers’ attitudes and usage (Huff and Alden, 1998). Groups with less knowledge of the capabilities of new technology, such as the elderly, may be more likely to disclose information and more vulnerable to invasions of privacy (Laufer and Wolfe, 1977). On the other hand, individuals who believe they have control over, for example, the secondary use of their information have a lower level of concern about their privacy being invaded (Fusilier and Hoyer, 1980; Phelps, D’Souza, and Nowak, 2001; Stone, Gueutal, Gardner, and McClure, 1983; Tolchinsky et al., 1981). For example, Culnan (1995) found that cons umers who were aware of name-removal procedures for “opting out” of direct mailing lists were less concerned about information privacy. Culnan and Armstrong (1999) showed that people who are willing to be profiled for marketing purposes are more likely to have prior experience with direct marketing. Familiarity with Web privacy practices may be one reason why, in the 1999 IBM multinational survey,


the U.S., the country with the highest level of Internet penetration (43%), in comparison with the U.K. (28%) and Germany (18%), was also the country with the highest percentage of consumers taking actions to protect their privacy online, such as reading an online privacy notice (U.S. 52%, UK 42%, Germany 24%). The need for more consumer education is a typical recommendation in the conclusion of academic studies (e.g., Culnan, 1995; Whitman, Perez, and Beise, 2001). Recently, industry groups in the U.S. such as TRUSTe (Benassi, 1999), the Privacy Leadership Initiative (PLI, 2002), and the Internet Education Foundation (www.neted.org) have been spending millions of dollars on education programs to try to reduce consumers’ privacy concerns and demands for increased government regulation. We therefore propose the following hypothesis: HYPOTHESIS 5: Respondents with higher levels of knowledge about Web privacy practices will exhibit lower levels of concern about the privacy of their personal information. Contextual Effects Consumer attitudes about privacy are not “black and white” (Campbell, 1997, p. 45) but depend on the situation in which personal information is being collected. Consumers are very concerned when personal and financial information given to one company is sold to another without their permission (Wang and Petrison, 1993). On the other hand, they are less concerned when a prior relationship with a company exists and that company re-contacts them (Sheehan, 1999); and when the information collected is relevant to a current transaction, they can control its future use, and it will be used to draw accurate inferences about them (Bies, 1993; Eddy, Stone, and Stone-Romero, 1999; Stone and Stone, 1990; Stone et al., 1983; Tolchinsky et al., 1981; Woodman et al.,


1982). In U.S. public- opinion surveys (e.g., Harris, 1994; IBM, 1999), medical and financial data are considered to be more sensitive than other data. Some types of collection practices and personal information have more serious consequences for consumers, such as denial of benefits or invasion of privacy (Culnan, 1995). For this reason, consumers are more willing to reveal their email addresses than their phone numbers (Cranor, Reagle, and Ackerman, 1999). Willingness to disclose information also depends on the level of trust consumers have in a company’s reputation and dependability in handling personal information, which varies across industries (Schoenbachler and Gordon, 2002). What is considered a fair information practice may vary from sector to sector (Culnan, 1995): under the EU Directive, an “opt-out” regime is sufficient protection for direct marketing data but “opt-in” is required for “sensitive data” such as medical and financial information. Our interest is in whether consumers outside the U.S. indicate the same difference in concern between a lower-sensitivity and a highersensitivity context. In other countries, where privacy is seen as a fundamental human right, there may be no continuum of privacy concern, and all data collection may be seen as potentially sensitive: HYPOTHESIS 6: There will be a significant difference between the levels of concern about information privacy consumers express in a lower-sensitivity context compared to a higher-sensitivity context. Summary of Hypotheses Previous research suggests that consumers in different countries have differing levels of concern about information privacy. These differences in privacy are likely to reflect country differences in cultural values (Hypothesis 1), government involvement in


regulation of privacy (Hypotheses 2, 3, and 4), and familiarity with and control over marketing practices (Hypothesis 5). Additionally, the level of concern across countries is likely to vary widely with the sensitivity of the data being collected and the context in which the data are collected (Hypothesis 6). In some countries, the gap between relatively higher sensitivity and lower sensitivity may be very narrow, limiting the opportunities for data collection and usage. The following sections describe how we collected data from online consumers around the globe to test these hypotheses and the results of our hypothesis tests.

METHODS Sampling Our respondents were drawn from the Virtual Test Market (VTM), a panel of over 25,000 Web users from all over the world. The demographics of the U.S. members of the VTM are matched during membership drives with the demo graphics of the U.S. Internet population, as reported by the U.S. Census (see Bellman, Lohse, and Johnson, 1999, and Lohse, Bellman, and Johnson, 2000, for comparisons with U.S. Census data). Since we knew the demographics and Web usage of the VTM panelists from their answers to the 88-item membership sign- up survey, we were able to develop a list of 1,000 U.S. panelists and 1,000 international panelists who were matched on a series of demographic and Web- usage variables. In November 1998 we emailed the panelists on this list, inviting them to complete our privacy survey for a chance of winning a $US 500 first prize, a $250 second prize, or a 20 percent chance of winning $25 instantly. Following, Milberg, Smith, and Burke (2000), we eliminated respondents from countries for which Hofstede (1980, 1991) has not reported cultural values indices (e.g., Iceland,


Luxembourg, Russia, Sri Lanka). Our matched sample consisted of 335 valid responses from 24 countries—a response rate of 23.5 percent, given that 28.8 percent of the 2,000 panelists originally selected had non- functioning email addresses or had withdrawn from the panel. In order to generate adequate sample sizes for regions outside the U.S., we recruited a further 199 panelists from 38 countries with Hofstede cultural values scores outside the U.S., bringing the total number of valid responses to 534. These respondents were recruited with a banner-ad campaign promising the same incentives as the email invitation sent to the matched panelists. This banner campaign was heavily focused on European sites to increase the sampling of respondents who had interacted with sites that followed the EU Directive on data protection. The 339 non-U.S. respondents (63.5%) were allocated into five regional groups in whic h privacy preferences were likely to be similar due to shared history, legal systems, and geography: Canada (146, 27.3%), the United Kingdom of Great Britain and Northern Ireland, together with the Republic of Ireland (41, 7.7%), Continental Europe (Austria, Belgium, Denmark, Finland, Germany, Greece, Italy, The Netherlands, Norway, Portugal, Spain, Sweden, and Switzerland: 64, 12.0%), Australia and New Zealand (44, 8.2%), and an Other group containing panelists from Central and South America, Asia, and Africa (44, 8.2%). The Other group also contained two formerly socialist countries from Continental Europe: Hungary and Poland. We expected attitudes about privacy in these countries to have been affected by their relatively recent history of government surve illance, even though both have adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and Hungary’s Act No. LXIII of 1992 on the Protection of Personal Data and


Disclosure of Data of Public Interest was considered to be very similar to the EU Directive (Privacy International, 1998).

Checks for Non-Response Bias Compared to non-respondents from the U.S. in the panel (n = 7,940), U.S. respondents in the matched sample had a slightly higher level of education (respondents M = 4.4, non-respondents M = 4.2, p = .036) and were more likely to be male (female respondents 33%, female non-respondents 47%, p < .001). However, if we compare responses to information privacy items in the sign- up survey, these demographic differences do not appear to have generated any non-response bias in the variables of interest in this study. U.S. respondents and non-respondents had the same level of concern about third parties monitoring their online transactions and were equally likely to give their name, email address, and telephone number to a Web site. There were no significant demographic differences between the matched U.S. (n = 195) and international respondents (n = 140): 37 percent of respondents were females, 63 percent were males, the mean age was 32.7 years, mean education level 4.5 (between “some college” and “college graduate”), and the mean level of Internet experience was 27 months. Only 23 percent were full-time students; the majority of the other respondents were employed in executive/management (18%), professional (25%), technical (9%), sales (3%), or administrative/clerical (6%) occupations. Compared to these matched respondents, the respondents recruited by banner ads had identical Internet experience and demographics, with the exception of being slightly younger (M = 29.2 years vs. M = 32.5 years, p = .009).


The type of individual willing to sign up for an online panel by revealing 88 items of personal information may be less concerned about information privacy than the general public. However, the levels of privacy concern in our samples from various countries match norms reported in previous studies (Campbell, 1997; IBM, 1999; Cranor, Reagle, and Ackerman, 1999; Milberg, Smith, and Burke, 2000; Smith, Milberg, and Burke, 1996; Westin, 1998). Survey Items Concern For Individual Privacy. Fifteen items were based on the Concern For Individual Privacy (CFIP) scale developed by Smith, Milberg, and Burke (1996) to assess concerns about the collection of personal data, errors in databases, unauthorized secondary use of data, and improper access to data. Minor adaptations were made to these items, substituting “Web site” for “company,” and to reflect the possibility that outside hackers as well as company employees may gain unauthorized access to data. Agreement or disagreement with each item was indicated on seven-point Likert scales (1 = “strongly disagree” to 7 = “strongly agree”), with a “no opinion” option so that responses were not forced. The items used in the Web version of the CFIP scale are listed in Appendix 1. We replicated the most-parsimonious model found in a recent confirmatory factor analysis (CFA) study of the CFIP scale by Stewart and Segars (2002): a four- factor solution with a single higher-order factor, Concern For Information Privacy. In both matched samples the Goodness-of-Fit Index (GFI) and Adjusted Goodness-of-Fit Index (AGFI) were above the recommended .90 criterion (Bentler and Bonnet, 1980) and the Root Mean Square Residual (RMR) was less than .09 (Bagozzi and Yi, 1989): U.S. GFI = .97, AGFI = .96, RMR = .07; international GFI = .97, AGFI = .95, RMR = .07. The


pattern of loadings of the individual items on their factors and the loadings of these factors on the higher order factor, CFIP (Appendix 1), suggest that the slight modifications made to these items did not alter their factor structure and that all the items were interpreted equivalently in the U.S. and internationally (Meredith, 1993). We averaged responses to individual items on each factor to create four subscale scores, and then, following Stewart and Segars (2002), we calculated an overall measure of CFIP as the average of an individual’s scores for these four subscales. For all five scales, Construct Reliability (CR) and Average Variance Extracted (AVE) were close to or above their acceptable criteria, .70 for CR (Nunally, 1978) and .50 for AVE (Fornell and Larcker, 1981). Concern about the Security of Transactions on the Internet. The Smith, Milberg, and Burke (1996) scale asks questions about the security of personal data already stored in databases. However, data could also be stolen while in transit over the Internet. We asked our respondents: “How concerned are you, in general, with the security of the transactions you do on the Net?” In both matched samples, this item had a significant correlation with overall CFIP (U.S. r = .51, p < .0001, international r = .30, p = .001), and with the Unauthorized Access subscale (U.S. r = .42, p < .0001, international r = .29, p = .0007). However, the low correlations in the international sample suggest that for these respondents this item measures concerns about security that are not tapped by the CFIP scale or its Unauthorized Access subscale. We report responses to this item separately in our analyses.


Influence of Context on Privacy Concern. Two scenarios compared privacy concerns associated with the use of technology in two contexts widely separated on a continuum of low versus high sensitivity of information and collection environment. The first scenario described the use of a bonus card that allowed a store to associate purchases with an individual consumer in return for customized offers. Store purchase data are not listed as “sensitive” in the EU Directive, although they could potentially be as sensitive as video rental data, which are regulated in the U.S. For example, health or life insurance companies could use supermarket purchases to evaluate someone’s dietary habits (Sayre and Horne, 2000). However, we expected the collection of supermarket purchase data in an offline situation to be a relatively low-sensitivity context compared to the second scenario, in which income and health information were collected over the Web. Following each scenario, panelists were asked seven items relating to their privacy concerns in each scenario (scenarios and items are listed in Appendix 2). Responses to these items were recorded using seven-point Likert scales (1 = “strongly disagree” to 7 = “strongly agree”), with a “no opinion” option. In order to compare concern across the two contexts, we reverse coded some items (items 1, 3, and 4 for Scenario 1, items 2 and 7 for Scenario 2) and averaged responses to create an index of concern in a relatively LowerSensitivity Context (U.S. Cronbach’s α = .73, internationa l α = .72) and a corresponding index of concern in a relatively Higher-Sensitivity Context (U.S. α = .67, international α = .63). An indicator of the convergent validity of these new items is their significant positive correlations with overall CFIP (lower-sensitivity context r = .39, highersensitivity context r = .49, both p < .0001). Although the items are not identical, the difference between the average scores for the lower-sensitivity and the higher-sensitivity


items is a measure of the increase in concern an individual feels moving from a lowsensitivity to a high-sensitivity context. Order of presentation was counterbalanced across respondents to control for possible order effects. Half the respondents saw the scenario items first; the other half saw the CFIP items first. Knowledge of Web Privacy Issues. Rounding out the survey was a Web privacy knowledge quiz consisting of six questions. The first asked whether (“yes” or “no”) the respondent had ever examined a Web site’s privacy policy. The remaining questions asked how knowledgeable respondents were (0 = “I really don’t know,” 1 = “I have a faint idea,” or 2 = “I am pretty knowledgeable”) about five concepts related to online privacy: “putting a cookie on a machine,” “SET (Secure Electronic Transaction),” “Privacy Policy,” “TRUSTe” (the largest privacy policy certifier), and “Clickstreams and Log Files.” We multiplied responses to the privacy policy item by two and then summed responses to all six items to create an index of Web Privacy Knowledge (U.S. α = .71, international α = .73). Information Privacy Regulatory Approaches. Milberg et al. (1995) classified nine countries into five ordinal categories (1–5), according to the amount of government involvement in the regulation of information privacy in each country in 1993, the year of their survey. Countries for which no formal information privacy regulation could be identified were classified into a sixth category (0). Milberg, Smith, and Burke (2000) classified a further ten countries in their study. We consulted Privacy International’s 1998 survey of privacy and human rights to update classifications for two of these 19 countries in which regulation had changed since 1993 and to classify 19 additional countries for


which information was available. Classifications for all 38 countries in our data are listed in Table 1. To analyze the quadratic effect of government involvement in regulation, we first standardized all the continuous variables in the model and then squared each individual’s standardized score for government regulation (Jaccard, Turrisi, and Wan, 1990).

Table 1 about here

Cultural Values. Following Milberg, Smith, and Burke (2000), we summed country scores on four of Hofstede’s (1980, 1991) cross-cultural value indices—Power Distance Index (PDI), Individualism (IND), Masculinity (MAS), and Uncertainty Avoidance Index (UAI)—to derive an overall measure of cultural values in relation to privacy concern. Each index has a theoretical range of 0 to 120. In our sample of 38 countries, PDI ranged from 11 in Austria to 104 in Malaysia, IND ranged from 6 in Guatemala to 91 in the U.S., MAS ranged from 5 in Sweden to 95 in Japan, and UAI ranged from 8 in Singapore to 112 in Greece. Since UAI had a negative association with the overall effect of cultural values in Milberg, Smith, and Burke’s (2000) study, UAI was reverse coded by subtracting a country’s raw UAI score from 120. The total summed score ranged from 137 to 275, and its correlations with PDI, IND, MAS, and UAI (before reverse coding) were .10 (p = .02), .66, .65, and –.56 (all p < .001). PDI was highly correlated with government involvement in regulation (r = –.56, p