Information Privacy Concerns: Linking Individual Perceptions with Institutional Privacy Assurances
Xu, Heng; Dinev, Tamara; Smith, Jeff; Hart, Paul. Journal of the Association for Information Systems
Organizational information practices can result in a variety of privacy problems that can increase consumers' concerns for information privacy. To explore the link between individuals and organizations regarding privacy, we study how institutional privacy assurances such as privacy policies and industry self-regulation can contribute to reducing individual privacy concerns. Drawing on Communication Privacy Management (CPM) theory, we develop a research model suggesting that an individual's privacy concerns form through a cognitive process involving perceived privacy risk, privacy control, and his or her disposition to value privacy. Furthermore, individuals' perceptions of institutional privacy assurances - namely, perceived effectiveness of privacy policies and perceived effectiveness of industry privacy self-regulation - are posited to affect the risk-control assessment from information disclosure, thus, being an essential component of privacy concerns. We empirically tested the research model through a survey that was administered to 823 users of four different types of websites: 1) electronic commerce sites, 2) social networking sites, 3) financial sites, and 4) healthcare sites. The results provide support for the majority of the hypothesized relationships. The study reported here is novel to the extent that existing empirical research has not explored the link between individuals' privacy perceptions and institutional privacy assurances. We discuss implications for theory and practice and provide suggestions for future research.
Keywords: Information Privacy Concerns, Institutional Privacy Assurance, Communication Privacy Management (CPM) Theory, Questionnaire Surveys.
The importance of privacy in contemporary globalized information societies has been widely discussed and is undisputed. It has been 30 years since Laufer and Wolfe (1977) observed that "[i]f we are to understand privacy as a future as well as contemporary issue, we must understand privacy as a concept" (p. 22). Numerous studies in diverse fields have improved our understanding of privacy and privacy management at different levels. However, the picture that emerges is fragmented and usually discipline-specific, with concepts, definitions, and relationships that are inconsistent and neither fully developed nor empirically validated. The definitions of privacy vary and depend on the field, ranging from a "right" or "entitlement" in law (e.g., Warren & Brandeis, 1890) to a "state of limited access or isolation" in philosophy and psychology (e.g., Schoeman, 1984) to "control" in social sciences and information systems (Culnan, 1993; Westin, 1967). The wide scope of scholarly interests has resulted in a variety of conceptualizations of privacy, which leads Margulis (1977) to note that "theorists do not agree...on what privacy is or on whether privacy is a behavior, attitude, process, goal, phenomenal state, or what" (p. 17). Privacy has been described as multidimensional, elastic, depending upon context, and dynamic in the sense that it varies with life experience (Altman, 1977; Laufer & Wolfe, 1977). Overlapping cognate concepts such as confidentiality, secrecy, and anonymity have added to the confusion (Margulis, 2003a, 2003b). Therefore, Solove (2006) is not alone (see also Bennett, 1992) in his conclusion that "[p]rivacy as a concept is in disarray. Nobody can articulate what it means" (p. 477).
This prior body of conceptual work has led to efforts to synthesize various perspectives and identify common ground. Toward this end, Solove (2006) developed a taxonomy of information practices and activities, which maps out various types of problems and harms that constitute privacy violations. He does not define privacy, but describes privacy as "a shorthand umbrella term" (Solove, 2007, p. 760) for a related web of privacy problems resulting from information collection, processing, dissemination, and invasion activities. …