Enforced Standards Vs. Evolution by General Acceptance: E-Commerce Privacy Disclosure and Practice in US and UK

Enforced Standards Vs. Evolution by General
Acceptance E-Commerce Privacy Disclosure and
Practice in US and UK
  • K. Jamal, M. Maier and S. Sunder
  • February 11, 2004

Law or Social Norms
  • Posner (1997): Law should be conservative and
    should codify existing norms
  • Sunstein (1996), Lessig (1998): Law should be
    activist and help shape social norms
  • Ellickson (1991): People ignore laws which are
    inconsistent with social norms
  • Mailath, Morris, and Postlewaite (2001): If laws
    do not change payoffs directly, they are cheap
    talk, and can only affect behavior because
    people have coordinated beliefs about the effects
    of the law

In Accounting
  • Under the Securities and Exchange Commission,
    seven decades of increasingly codified legal
    approach to financial reporting
  • Addressing problems by creating or modifying
    rules, and institutions to write new rules
  • Recent events (Enron, etc.) and Sarbanes-Oxley
    may have accelerated that trend (PCAOB, IASB)
  • How do we measure how good the financial reports
  • Thickness of the rulebook?
  • What do we know about the consequences of

  • Primary interest in financial reporting,
  • E-Commerce presents an opportunity to address
    some issues, interesting in themselves, as well
    as relevant to accounting
  • Compare the state of e-commerce privacy under
    quite different approaches used contemporaneously
    in US and UK

E-Commerce Privacy
  • U.S. has permitted e-commerce to develop its own
    privacy norms with little legislation and no
    required audit
  • US Privacy legislation for financial and medical
  • EU: an activist approach
  • Codification
  • Legal enforcement

UK Data Protection Act 1984 (Amended in 1998 for
compliance with the EU Directive on Data
Protection, 1995)
  • 1. Personal data shall be processed fairly and
    lawfully and, in particular, shall not be
    processed unless-  (a) at least one of the
    conditions in Schedule 2 is met (requirements of
    informed consent), and (b) in the case of
    sensitive personal data, at least one of the
    conditions in Schedule 3 is also met.
  • 2. Personal data shall be obtained only for one
    or more specified and lawful purposes, and shall
    not be further processed in any manner
    incompatible with that purpose or those purposes.
  • 3. Personal data shall be adequate, relevant and
    not excessive in relation to the purpose or
    purposes for which they are processed.
  • 4. Personal data shall be accurate and, where
    necessary, kept up to date.
  • 5. Personal data processed for any purpose or
    purposes shall not be kept for longer than is
    necessary for that purpose or those purposes.
  • 6. Personal data shall be processed in accordance
    with the rights of data subjects under this Act.
  • 7. Appropriate technical and organizational
    measures shall be taken against unauthorized or
    unlawful processing of personal data and against
    accidental loss or destruction of, or damage to,
    personal data.
  • 8. Personal data shall not be transferred to a
    country or territory outside the European
    Economic Area unless that country or territory
    ensures an adequate level of protection for the
    rights and freedoms of data subjects in relation
    to the processing of personal data. 

Enforcement Activity by the UK Information
Commissioner (1997-2002)

                              1997/98    1998/99    1999/00    2000/01    2001/02
Total Budget                3,661,690  4,190,489  4,721,666  5,280,860  8,244,982
# of Staff                        109        118        114        126        157
# of Phone Inquiries           48,337     48,549     55,070     55,125     56,982
Total Complaints Received       4,178      3,653      5,166      8,875     12,479
Visits - Business Premises        471        700        388        480        448
Visits - Dwellings                313        319        199        235        411
Witness Statements Obtained       378        433        346        355        375
Interviews Under Caution          136        216         98        144         58
Court Prosecutions                 38         59        145         23         66
Court Convictions (Guilty)         38         55        130         21         33

Key Findings Under EU Law
  • Quality of Privacy Disclosure is lower
    (Compliance Oriented)
  • No market for privacy audit has developed
    (Web-seals in US)
  • No difference in spam generated by visits to
    e-commerce sites (most spam is generated
  • Misbehavior by a comparatively small number of
    outliers who violate the privacy of customers
    with impunity

Focus on Two Features of E-Commerce Privacy
  • Notice-Awareness: Participants receive notice of
    an entity's privacy practices before they provide
  • Choice-Consent: Participants have choices about
    how their information is used (especially for
    secondary purposes)
  • Three features not examined in this study:
    Access-Participation, Integrity-Security and

Part 1: Audit and Disclosure Practices
  • Visit top 100 e-commerce websites in US (56 in
    UK) to detect evidence of audit (web-seals)
  • Read and tabulate the stated privacy policies and
    disclosures of individual e-commerce sites
  • Program a web-crawler to visit the 100
    websites in U.S. (56 in UK) five times over a
    one-week period and record cookies (and 3rd-party
    cookies) used by these sites
  • Review privacy policy for cookie usage
    disclosure and consistency with practice
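The last two steps of the procedure (recording the cookies a crawler sees, then checking the policy's disclosure against that practice) can be reduced to a small audit script. The block below is an added example, not code from the presentation or its authors: it classifies each recorded cookie as first- or third-party by comparing registrable domains, and flags a site whose policy does not disclose a practice the crawl observed. The crawl log, the disclosure flags, the site names and the short public-suffix list are all constructed for illustration.

```python
# Added example (not code from the presentation): classify cookies recorded
# by a crawler as first- or third-party and check each site's observed
# practice against what its privacy policy discloses. Domain rules, the
# crawl log and the disclosure flags are constructed for illustration.
from collections import defaultdict
from urllib.parse import urlsplit

# Two-level public suffixes present in the sample (assumption: a real audit
# would use the full Public Suffix List instead of this short set).
_TWO_LEVEL_SUFFIX_LABELS = {"co", "ac", "org", "gov", "ltd", "plc"}


def registrable_domain(host):
    """Return the registrable domain (eTLD+1) of a host name.

    'cdn.shop.example.com' -> 'example.com'
    'store.example.co.uk'  -> 'example.co.uk'
    """
    labels = host.lower().strip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in _TWO_LEVEL_SUFFIX_LABELS):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_third_party(site_url, cookie_domain):
    """A cookie is third-party when its eTLD+1 differs from the visited site's."""
    site_host = urlsplit(site_url).hostname or ""
    return registrable_domain(cookie_domain) != registrable_domain(site_host)


# Constructed crawl log: (visit number, site visited, cookie domain, cookie name).
# The study made five visits per site over a week; three are enough here.
CRAWL_LOG = [
    (1, "https://shop.example.com/", "shop.example.com", "session"),
    (1, "https://shop.example.com/", ".adtracker.example.net", "uid"),
    (2, "https://shop.example.com/", "shop.example.com", "session"),
    (2, "https://shop.example.com/", ".adtracker.example.net", "uid"),
    (3, "https://shop.example.com/", "cdn.shop.example.com", "pref"),
    (1, "https://store.example.co.uk/", "store.example.co.uk", "basket"),
    (2, "https://store.example.co.uk/", "store.example.co.uk", "basket"),
    (1, "https://news.example.org/", ".stats.example.net", "sid"),
]

# Constructed disclosure flags taken from reading each policy:
# does it disclose cookie use, and does it disclose third-party cookies?
POLICY_DISCLOSURES = {
    "https://shop.example.com/": {"cookies": True, "third_party": False},
    "https://store.example.co.uk/": {"cookies": True, "third_party": False},
    # news.example.org posts no privacy policy at all.
}


def audit(crawl_log, disclosures):
    """Compare observed cookie practice with disclosed practice, per site."""
    observed = defaultdict(lambda: {"first": set(), "third": set(), "visits": set()})
    for visit, site, domain, name in crawl_log:
        rec = observed[site]
        rec["visits"].add(visit)
        bucket = "third" if is_third_party(site, domain) else "first"
        rec[bucket].add((registrable_domain(domain), name))

    findings = {}
    for site, rec in observed.items():
        disclosed = disclosures.get(site, {"cookies": False, "third_party": False})
        uses_cookies = bool(rec["first"] or rec["third"])
        uses_third_party = bool(rec["third"])
        findings[site] = {
            "visits": len(rec["visits"]),
            "uses_cookies": uses_cookies,
            "uses_third_party": uses_third_party,
            # A practice that is used must be disclosed; an unused one needs no disclosure.
            "cookie_disclosure_consistent": disclosed["cookies"] or not uses_cookies,
            "third_party_disclosure_consistent": disclosed["third_party"] or not uses_third_party,
            "third_party_domains": sorted({d for d, _ in rec["third"]}),
        }
    return findings


if __name__ == "__main__":
    for site, finding in audit(CRAWL_LOG, POLICY_DISCLOSURES).items():
        print(site, finding)
```

Running it flags shop.example.com (sets a cookie for example.net but its policy does not mention third-party cookies) and news.example.org (no policy at all), while store.example.co.uk is consistent. Merging the five visits into one set per site matters because tracking cookies often appear on only some page loads.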

Results: Audit Practices
  • In US, four vendors BBB Online, Truste, WebTrust
    (AICPA-CICA), and BetterWeb (PricewaterhouseCoopers)
    offered this audit service
  • Written standards of the first two are more
    stringent than the last two
  • The prices of BBB Online and Truste are much lower
  • No data on actual compliance testing by these
  • No evidence of race to the bottom
  • In US, 34 out of 100 websites had purchased
    web-seals (30 Truste, 2 BBB Online, 2 both, no
    Better-Web or WebTrust)
  • In UK, no providers or displays of web-seals

Web-Seal Providers: Prices and Market Shares

Web-Seal               Number of Clients (Dec. 2001)   Price of Audit
Truste                 1830                            399-8,999 (revenue based)
BBB Online             851                             < 7,000 (revenue based)
Better-Web (PWC)       100                             15,000 (flat rate)
WebTrust (AICPA-CICA)  28                              > 100,000 (full audit)

Market for Audit
  • Does regulation suppress demand for voluntary
  • Are accounting standards and auditing
  • Under US security regulation, accounting
    standards and auditing are frequently treated as
    if they are complements
  • Does mandatory audit eliminate the potential use
    of audit as an informative signal from management
    to investors
  • Why is the audit with more demanding standards
    priced lower?
  • Little evidence of race to the bottom among
    competing standards
  • Why did the accounting profession (AICPA / CICA) fail
    in the e-commerce privacy audit market?

Quality of Privacy Policy Disclosure
  • In the U.S., privacy policies are:
  • Posted (100% / 95%)
  • Easy to find (100% / 92% one click away)
  • Disclose cookie usage (100% / 86%)
  • Disclose 3rd-party cookie usage (97% / 63%)
  • In the U.K., privacy policies are:
  • Posted (77%)
  • Harder to find (70% one click away)
  • Cookies (80%), 3rd-party cookies (96%)
  • Less disclosure on secondary uses of data

Privacy Policy Disclosures: Use of 3rd Party
  • In U.S., 79% of websites allow 3rd parties to use
    cookies to track visitors
  • In U.K., only 50% allow 3rd parties to track

Summary of Privacy Disclosure: UK Compared to US
  • No Private Audit
  • Harder-To-Find Privacy Policies and Generally
    Poorer Disclosure
  • Less Use of 3rd Party Cookies

Part 2: Choice-Consent Study
  • Create 100 Simulated identities and register on
    Top 100 US web-sites --- OPT-IN
  • Create another 100 simulated identities and
    register on the same 100 US web-sites but this
    time we OPT-OUT
  • Compare e-mail, mail, phone calls for the
    following 6 month period
  • In UK, followed the same procedure for 56
    websites, one year later

Postal Mail and Phone Calls
  • Basically close to 0 in both U.S. and U.K.
  • Can solve the problem of spam by a small e-mail
  • E-commerce website visits do not generate
    junk phone calls (this could change with the new Do
    Not Call phone list)

Mean Weekly E-Mail Messages
  (chart; data not reproduced in the transcript)
Cumulative Message Volume from Volume-Ranked Sites (Opt-In)
  (chart; data not reproduced in the transcript)
Cumulative Message Volume from Volume-Ranked Sites (Opt-Out)
  (chart; data not reproduced in the transcript)

Summary: Choice/Consent Study
  • EU law provided no protection from spam
  • Most e-commerce spam originates from a few
    outliers in both U.S. and U.K.
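The two charts in this part rank sites by the mail their registrations generated and plot the cumulative share, which is how "a few outliers" becomes a measurable claim. The block below is an added example, not the authors' analysis code: it computes mean weekly volume, the cumulative-volume curve for ranked sites, the number of sites needed to reach a given share of all messages, and the sites whose opt-out identity still received a large fraction of the opt-in identity's mail. The per-site message counts, the site names and the 50% opt-out threshold are constructed assumptions.

```python
# Added example (not code from the presentation): rank sites by the e-mail
# they sent to registered identities, build the cumulative-volume curve the
# study plots, and flag the outliers that drive most of the spam. The
# message counts and the outlier threshold are constructed assumptions.

WEEKS = 26  # six-month observation window, as in the study

# Constructed: messages received over the window by the opt-in identity
# and by the opt-out identity registered at each of eight sample sites.
OPT_IN = {"site-a": 120, "site-b": 95, "site-c": 20, "site-d": 10,
          "site-e": 6, "site-f": 4, "site-g": 2, "site-h": 0}
OPT_OUT = {"site-a": 110, "site-b": 3, "site-c": 2, "site-d": 0,
           "site-e": 0, "site-f": 1, "site-g": 0, "site-h": 0}


def mean_weekly(volumes, weeks=WEEKS):
    """Mean e-mail messages per week across all sites in one condition."""
    return sum(volumes.values()) / weeks


def cumulative_volume(volumes):
    """Sites ranked by volume, each with the running share of total messages."""
    total = sum(volumes.values())
    ranked = sorted(volumes.items(), key=lambda kv: (-kv[1], kv[0]))
    running, curve = 0, []
    for site, count in ranked:
        running += count
        curve.append((site, count, running / total if total else 0.0))
    return curve


def sites_for_share(volumes, share=0.8):
    """Fewest top-ranked sites whose messages reach `share` of the total."""
    for rank, (_, _, cum) in enumerate(cumulative_volume(volumes), start=1):
        if cum >= share:
            return rank
    return len(volumes)


def ignores_opt_out(opt_in, opt_out, ratio=0.5):
    """Sites whose opt-out identity still receives at least `ratio` of the
    opt-in identity's mail (assumed threshold for 'choice not honoured')."""
    return sorted(site for site in opt_in
                  if opt_out.get(site, 0) > 0
                  and opt_out[site] >= ratio * opt_in[site])


if __name__ == "__main__":
    print("mean weekly, opt-in :", round(mean_weekly(OPT_IN), 2))
    print("mean weekly, opt-out:", round(mean_weekly(OPT_OUT), 2))
    print("sites producing 80% of opt-in mail :", sites_for_share(OPT_IN))
    print("sites producing 80% of opt-out mail:", sites_for_share(OPT_OUT))
    print("sites that ignore opt-out:", ignores_opt_out(OPT_IN, OPT_OUT))
```

With the constructed counts, two sites account for 80% of opt-in mail and a single site for 80% of opt-out mail, and that one site is the only one that keeps sending at near opt-in volume after opt-out: the concentration pattern the slide describes, produced by the same ranking the charts use.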

Concluding Remarks
  • Voluntary e-commerce privacy reporting norms
    and audit mechanisms evolving without regulation
    in U.S. through competition
  • Threat of US legislation may have had a role
  • Most US merchants highlight their privacy
    policies to attract business
  • In U.K. privacy disclosure is oriented to
    compliance with the law, not marketing
  • Not clear if regulation and enforcement protects
    consumers from a small number of scofflaws in

Or in Accounting
  • Consider Enron, WorldCom, etc.
  • Endogeneity of accounting practices
  • Given the accounting rules, what can I get away
  • Harder the rules, easier to bypass (e.g., lease
  • Raising punishment also increases incentives to
    incur costs to avoid being caught
  • Rule-makers are always a few years behind

  • Formal enforcement
  • Precise definitions
  • Salient
  • Come into force at a known time
  • Enacted through known institutional process
  • Modified through the institutional process
  • Transparency
  • Appeal in democratic polity
  • Good housekeeping: Let's make the rules clear

Social Conventions
  • Not well defined
  • Vary in time and space
  • Need extended socialization to learn and
  • Penumbra of uncertainty
  • Incomplete overlap among individual beliefs
  • Slow, almost imperceptible evolution
  • Appear less transparent
  • Scandals mock existing institutions and norms
  • Default to formal rules and standards

Evolution of Financial Reporting
  • With every scandal, new emphasis on codification
    of accounting rules
  • Public image of precision in accounting (down
    to the last penny)
  • Regulation proposed to address market failures
  • Failure of government/regulation receives less

Problems of Setting Accounting Standards
  • What is a good rule?
  • Information problem
  • Design problem
  • Gaming problem
  • Signaling problem

  • We are careful registrants; less careful
    consumers might be more susceptible to unintended
    violations of privacy
  • Our registrants were relatively passive
  • We limited our study to mainstream businesses (no
    adult sites), making our sample
    unrepresentative in a sense