Studies suggest the general structure of Web sites leads consumers away from demanding that online merchants take certain approaches to privacy as a condition for dealing with them. This article presents findings from a nationally representative survey showing that the absence of such a privacy marketplace can also be attributed to the public's incomplete knowledge of privacy regulations. Most respondents correctly understood that regulations regarding merchants' sharing information are domain specific. The respondents were only sporadically correct, however, regarding which domains have which rules. The study raises questions about the best approaches to education in the absence of a coherent national policy of privacy regulation.
While studies consistently show that individuals are apprehensive about companies learning personal information about them, people rarely, if ever, read privacy policies or take steps to protect personal information collected during online transactions (Graber, D'Allessandro, and Johnson-West 2002; Vila, Greenstadt, and Molnar 2003). As Nehf (2007) and Pitt and Watson (2007) note, consumers do not act as if there is an online market for privacy that leads them to choose privacy-enhancing Web sites over others. Nehf concludes that the problem lies in the structure of the online world. That is, the online marketplace is organized such that consumers drop their sensitivity toward protecting their information to "pursue other goals that render privacy less salient than other attributes" (Nehf 2007, 355).
The aim of this article is not to dispute that structural reasons play a role in explaining the failure of online consumers to inquire into sites' privacy rules or to insist that sites not appropriate consumers' information. It is, rather, to present nationally representative survey findings suggesting that consumers' failure to protect their privacy online as well as offline can also be attributed to limited consumer's knowledge. Most respondents in the survey correctly understood that regulations regarding merchants' sharing information are domain specific. The respondents were only sporadically correct, however, regarding which domains have which rules. Our analysis highlights the dilemma of those who are looking for ways to encourage consumers to demand stronger privacy protections from marketers, and it suggests the importance of different levels of government involvement.
THE DILEMMA OF MARKETPLACE PRIVACY
In the United States, state and federal law generally leaves it up to individuals to learn the rules by which firms can use their personal information and to assess their privacy risks when dealing with merchants in the online and brick-and-mortar worlds. The lack of a cohesive regulatory scheme may be partly a result of inattention and neglect by regulators, partly a belief that the open market has historically been an American tradition, and partly because marketers and marketing advocacy groups have convinced regulators that important new businesses would be harmed by an aggressive stance on marketplace privacy (Turow 2006).
Within this regulatory context, Americans appear to have a contradictory approach to the issue. Some research shows that they are wary about the ways corporations use data about them. For example, a poll by the consultancy Privacy and American Business found that fifty-six percent of Americans in 2002 (vs. thirty-four percent in 1999) believed that most companies do not "handle personal information they collect in a proper and confidential way" (Westin 2003). At the same time, research shows that people behave in the online and offline marketplace as if they do not mind giving up information about themselves. Madden et al. (2007) at the Pew Internet and American Life Project found that "most internet users are not concerned about the amount of information available about them online, and most do not take steps to limit that information. …