Enforced Standards Vs. Evolution by General Acceptance: E-Commerce Privacy Disclosure and Practice in US and UK - PowerPoint PPT Presentation
1
Enforced Standards Vs. Evolution by General
Acceptance: E-Commerce Privacy Disclosure and
Practice in US and UK
  • K. Jamal, M. Maier and S. Sunder
  • February 11, 2004

2
Law or Social Norms
  • Posner (1997): Law should be conservative and
    should codify existing norms
  • Sunstein (1996), Lessig (1998): Law should be
    activist and help shape social norms
  • Ellickson (1991): People ignore laws which are
    inconsistent with social norms
  • Mailath, Morris, and Postlewaite (2001): If laws
    do not change payoffs directly, they are cheap
    talk, and can only affect behavior because
    people have coordinated beliefs about the effects
    of the law

3
In Accounting
  • Under the Securities and Exchange Commission,
    seven decades of increasingly codified legal
    approach to financial reporting
  • Addressing problems by creating or modifying
    rules, and institutions to write new rules
  • Recent events (Enron, etc.) and Sarbanes-Oxley
    may have accelerated that trend (PCAOB, IASB)
  • How do we measure how good the financial reports
    are?
  • Thickness of the rulebook?
  • What do we know about the consequences of
    codification?

4
E-Commerce
  • Our primary interest is in financial reporting
  • E-Commerce presents an opportunity to address
    some issues that are interesting in themselves, as
    well as relevant to accounting
  • Compare the state of e-commerce privacy under
    quite different approaches used contemporaneously
    in US and UK

5
E-Commerce Privacy
  • U.S. has permitted e-commerce to develop its own
    privacy norms with little legislation and no
    required audit
  • US privacy legislation exists only for financial and
    medical records
  • The EU has taken an activist approach:
  • Codification
  • Legal enforcement

6
UK Data Protection Act 1984 (replaced by the Data
Protection Act 1998 to comply with the EU Directive on
Data Protection, 1995)
  • Schedule 1, Part I: The Data Protection Principles
  • 1. Personal data shall be processed fairly and
    lawfully and, in particular, shall not be
    processed unless (a) at least one of the
    conditions in Schedule 2 is met (requirements of
    informed consent), and (b) in the case of
    sensitive personal data, at least one of the
    conditions in Schedule 3 is also met.
  • 2. Personal data shall be obtained only for one
    or more specified and lawful purposes, and shall
    not be further processed in any manner
    incompatible with that purpose or those purposes.
  • 3. Personal data shall be adequate, relevant and
    not excessive in relation to the purpose or
    purposes for which they are processed.
  • 4. Personal data shall be accurate and, where
    necessary, kept up to date.
  • 5. Personal data processed for any purpose or
    purposes shall not be kept for longer than is
    necessary for that purpose or those purposes.
  • 6. Personal data shall be processed in accordance
    with the rights of data subjects under this Act.
  • 7. Appropriate technical and organizational
    measures shall be taken against unauthorized or
    unlawful processing of personal data and against
    accidental loss or destruction of, or damage to,
    personal data.
  • 8. Personal data shall not be transferred to a
    country or territory outside the European
    Economic Area unless that country or territory
    ensures an adequate level of protection for the
    rights and freedoms of data subjects in relation
    to the processing of personal data. 

7
Enforcement Activity by the UK Information
Commissioner (1997-2002)

                               1997/98    1998/99    1999/00    2000/01    2001/02
Total Budget (£)             3,661,690  4,190,489  4,721,666  5,280,860  8,244,982
Number of Staff                    109        118        114        126        157
Number of Phone Inquiries       48,337     48,549     55,070     55,125     56,982
Total Complaints Received        4,178      3,653      5,166      8,875     12,479
Visits - Business Premises         471        700        388        480        448
Visits - Dwellings                 313        319        199        235        411
Witness Statements Obtained        378        433        346        355        375
Interviews Under Caution           136        216         98        144         58
Court Prosecutions                  38         59        145         23         66
Court Convictions (Guilty)          38         55        130         21         33
8
Key Findings Under EU Law
  • Quality of Privacy Disclosure is lower
    (Compliance Oriented)
  • No market for privacy audit has developed
    (Web-seals in US)
  • No difference in spam generated by visits to
    e-commerce sites (most spam is generated
    elsewhere)
  • Misbehavior by a comparatively small number of
    outliers who violate the privacy of customers
    with impunity

9
Focus on Two Features of E-Commerce Privacy
  • Notice-Awareness: Participants receive notice of
    an entity's privacy practices before they provide
    information
  • Choice-Consent: Participants have choices about
    how their information is used (especially for
    secondary purposes)
  • Three features not examined in this study:
    Access-Participation, Integrity-Security and
    Enforcement-Redress

10
Part 1 Audit and Disclosure Practices
  • Visit the top 100 e-commerce websites in the US (56 in
    the UK) to detect evidence of audit (web-seals)
  • Read and tabulate the stated privacy policies and
    disclosures of individual e-commerce sites
  • Program a web-crawler to visit the 100
    websites in the U.S. (56 in the UK) five times over a
    one-week period and record cookies (including third-party
    cookies) set by these sites
  • Review each privacy policy for cookie usage
    disclosure and consistency with observed practice
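The crawler step above is the only technical part of the methodology, so the following is an added example of the recording and comparison logic, written for this page rather than taken from the study's own crawler. Network fetching is replaced by constructed HTTP responses (the site names, Set-Cookie headers and policy flags are all made up), so it runs offline; the short public-suffix table is an assumption made to keep the example self-contained, and a real crawler should use the full Public Suffix List. A cookie counts as third-party when the registrable domain it is scoped to differs from the registrable domain of the site being visited, which is why a `.co.uk` site needs the suffix handling.

```python
from urllib.parse import urlsplit

# Two-label public suffixes that matter for a US/UK sample. ASSUMPTION: a real
# crawler should load the full Public Suffix List instead of this short table.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "ltd.uk", "plc.uk"}


def registrable_domain(host):
    """'www.shop-b.co.uk' -> 'shop-b.co.uk'; 'ads.tracker-net.example' -> 'tracker-net.example'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify_cookie(site_url, response_url, header):
    """Record one observed cookie and decide whether it is first- or third-party."""
    name, _value, attrs = parse_set_cookie(header)
    site = registrable_domain(urlsplit(site_url).hostname)
    host = urlsplit(response_url).hostname
    # The Domain attribute widens the cookie's scope; without it the cookie is host-only.
    cookie_domain = attrs.get("domain", host).lstrip(".").lower()
    party = "first" if registrable_domain(cookie_domain) == site else "third"
    persistent = "expires" in attrs or "max-age" in attrs
    return {"name": name, "domain": cookie_domain, "party": party, "persistent": persistent}


def record_cookies(site_url, visits):
    """Union of cookies seen across repeated visits (the study used five per site).
    visits: list of visits; each visit is a list of (response_url, [Set-Cookie headers])."""
    seen = {}
    for responses in visits:
        for response_url, headers in responses:
            for header in headers:
                cookie = classify_cookie(site_url, response_url, header)
                seen[(cookie["name"], cookie["domain"])] = cookie
    return sorted(seen.values(), key=lambda c: (c["party"], c["domain"], c["name"]))


def check_disclosure(observed, policy):
    """Compare observed practice with the tabulated policy disclosure flags."""
    findings = []
    uses_third = any(c["party"] == "third" for c in observed)
    if observed and not policy["discloses_cookies"]:
        findings.append("sets cookies but policy does not disclose cookie use")
    if uses_third and not policy["discloses_third_party"]:
        findings.append("allows third-party cookies but policy does not disclose them")
    return findings


# Constructed fixture standing in for live crawls: a US site whose tracker only
# appears on the second visit, and a UK site that sets a domain-wide first-party cookie.
SAMPLE_SITES = {
    "https://www.shop-a.example/": {
        "visits": [
            [("https://www.shop-a.example/", ["sessionid=a1b2c3; Path=/; HttpOnly"])],
            [("https://www.shop-a.example/", ["sessionid=d4e5f6; Path=/; HttpOnly"]),
             ("https://ads.tracker-net.example/pixel.gif",
              ["uid=9f3c; Domain=.tracker-net.example; Path=/; "
               "Expires=Wed, 09 Jun 2021 10:18:14 GMT"])],
        ],
        "policy": {"discloses_cookies": True, "discloses_third_party": False},
    },
    "https://www.shop-b.co.uk/": {
        "visits": [
            [("https://www.shop-b.co.uk/",
              ["basket=x; Domain=.shop-b.co.uk; Path=/; Max-Age=604800"]),
             ("https://static.shop-b.co.uk/logo.png", [])],
        ],
        "policy": {"discloses_cookies": False, "discloses_third_party": False},
    },
}


def audit_all(sites=SAMPLE_SITES):
    """Per-site cookie inventory plus disclosure inconsistencies."""
    report = {}
    for site_url, data in sites.items():
        observed = record_cookies(site_url, data["visits"])
        report[site_url] = {"cookies": observed,
                            "findings": check_disclosure(observed, data["policy"])}
    return report


if __name__ == "__main__":
    for site, result in audit_all().items():
        print(site)
        for c in result["cookies"]:
            print(f"  {c['party']}-party  {c['name']}@{c['domain']}  persistent={c['persistent']}")
        for finding in result["findings"]:
            print("  FINDING:", finding)
```

Recording the union across visits matters because ad and analytics cookies are often set only on some page loads; a single visit would have missed the tracker on the first site. The second site shows the suffix edge case: without treating `co.uk` as a public suffix, `shop-b.co.uk` would be reduced to `co.uk` and first-party cookies on UK sites would be miscounted.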

11
Results Audit Practices
  • In the US, four vendors (BBB Online, Truste, WebTrust
    (AICPA-CICA), and BetterWeb (PricewaterhouseCoopers))
    offered this audit service
  • Written standards of the first two are more
    stringent than the last two
  • The prices of BBB Online and Truste are much lower
    (the market ranges from under $7,000 to over $100,000)
  • No data on actual compliance testing by these
    auditors
  • No evidence of a race to the bottom
  • In the US, 34 out of 100 websites had purchased
    web-seals (30 Truste, 2 BBB Online, 2 both, no
    BetterWeb or WebTrust)
  • In the UK, no providers or displays of web-seals

12
Web-Seal Providers: Prices and Market Shares

Web-Seal                 Number of Clients (Dec. 2001)   Price of Audit ($)
Truste                   1,830                           399 - 8,999 (revenue based)
BBB Online               851                             < 7,000 (revenue based)
BetterWeb (PWC)          100                             15,000 (flat rate)
WebTrust (AICPA-CICA)    28                              > 100,000 (full audit)
13
Market for Audit
  • Does regulation suppress demand for voluntary
    audit?
  • Are accounting standards and auditing
    substitutes?
  • Under US securities regulation, accounting
    standards and auditing are frequently treated as
    if they are complements
  • Does mandatory audit eliminate the potential use
    of audit as an informative signal from management
    to investors?
  • Why is the audit with more demanding standards
    priced lower?
  • Little evidence of a race to the bottom among
    competing standards
  • Why did the accounting profession (AICPA / CICA) fail
    in the e-commerce privacy audit market?

14
Quality of Privacy Policy Disclosure
  • In the U.S., privacy policies are:
  • Posted (100% / 95%)
  • Easy to find (100% / 92% one click away)
  • Disclose cookie usage (100% / 86%)
  • Disclose 3rd-party cookie usage (97% / 63%)
  • In the U.K., privacy policies are:
  • Posted (77%)
  • Harder to find (70% one click away)
  • Disclose cookies (80%), 3rd-party cookies (96%)
  • Less disclosure on secondary uses of data

15
Privacy Policy Disclosures: Use of 3rd-Party
Cookies
  • In the U.S., 79% of websites allow 3rd parties to use
    cookies to track visitors
  • In the U.K., only 50% allow 3rd parties to track
    visitors

16
Summary of Privacy Disclosure UK Compared to US
  • No Private Audit
  • Harder-To-Find Privacy Policies and Generally
    Poorer Disclosure
  • Less Use of 3rd Party Cookies

17
Part 2 Choice-Consent Study
  • Create 100 Simulated identities and register on
    Top 100 US web-sites --- OPT-IN
  • Create another 100 simulated identities and
    register on the same 100 US web-sites but this
    time we OPT-OUT
  • Compare e-mail, mail, phone calls for the
    following 6 month period
  • In UK, followed the same procedure for 56
    websites, one year later

18
Postal Mail and Phone Calls
  • Basically close to 0 in both U.S. and U.K.
    Could the problem of spam be solved by a small e-mail
    postage charge?
  • E-commerce website visits do not generate
    junk phone calls (this could change with the new Do
    Not Call phone list)

19
Mean Weekly E-Mail Messages (chart; data not reproduced in the transcript)
20
Cumulative Message Volume from Volume-Ranked
Sites (Opt-In) (chart; data not reproduced in the transcript)
21
Cumulative Message Volume from Volume-Ranked
Sites (Opt-Out) (chart; data not reproduced in the transcript)
22
Summary: Choice/Consent Study
  • EU law provided no protection from spam
  • Most e-commerce spam originates from a few
    outliers in both the U.S. and the U.K.

23
Concluding Remarks
  • Voluntary e-commerce privacy reporting norms
    and audit mechanisms evolving without regulation
    in U.S. through competition
  • Threat of US legislation may have had a role
  • Most US merchants highlight their privacy
    policies to attract business
  • In U.K. privacy disclosure is oriented to
    compliance with the law, not marketing
  • Not clear if regulation and enforcement protect
    consumers from a small number of scofflaws in
    e-commerce

24
Or in Accounting
  • Consider Enron, WorldCom, etc.
  • Endogeneity of accounting practices
  • Given the accounting rules, what can I get away
    with?
  • The more precise the rules, the easier they are to
    bypass (e.g., lease accounting)
  • Raising punishment also increases incentives to
    incur costs to avoid being caught
  • Rule-makers are always a few years behind

25
Statutes
  • Formal enforcement
  • Precise definitions
  • Salient
  • Come into force at a known time
  • Enacted through known institutional process
  • Modified through the institutional process
  • Transparency
  • Appeal in democratic polity
  • Good housekeeping: let's make the rules clear

26
Social Conventions
  • Not well defined
  • Vary in time and space
  • Need extended socialization to learn and
    understand
  • Penumbra of uncertainty
  • Incomplete overlap among individual beliefs
  • Slow, almost imperceptible evolution
  • Appear less transparent
  • Scandals mock existing institutions and norms
  • Default to formal rules and standards

27
Evolution of Financial Reporting
  • With every scandal, new emphasis on codification
    of accounting rules
  • Public image of precision in accounting (down
    to the last penny)
  • Regulation proposed to address market failures
  • Failure of government/regulation receives less
    attention

28
Problems of Setting Accounting Standards
  • What is a good rule?
  • Information problem
  • Design problem
  • Gaming problem
  • Signaling problem

29
Caveats
  • We were careful registrants; less careful
    consumers might be more susceptible to unintended
    violations of privacy
  • Our registrants were relatively passive
  • We limited our study to mainstream businesses (no
    adult sites), making our sample
    unrepresentative in a sense