Literature Review

Privacy Policies and the Law

In the United States, through the Health Information and Portability Accountability Act of 1996 (HIPAA), health care is the only service category where privacy-related legislation exists; through the Gramm-Leach-Bliley Act of 1999 (GLBA) for financial services; and through the Children’s Online Privacy Protection Act of 1998 (COPPA) for children on the internet” (Jensen & Potts, 2004; Anton et al., 2002). “Although numerous consumer privacy bills (including the Online Personal Privacy Act, the Consumer Privacy Protection Act, and the Consumer Internet Privacy Enhancement Act) have been brought before Congress, the United States is the only major trading nation that has not adopted blanket privacy protection legislation” (Papacharissi & Fernback, 2005, p. 261).

Notwithstanding the lack of adults’ online privacy-protection legislation, the public has become increasingly aware of and concerned about maintaining control over their personally identifiable information (PII) (Kobsa & Teltzrow, 2005; Pollach, 2007; Ackerman, Cranor, & Reagle, 1999). Regardless, the majority of US websites attempt to gain PII; approximately 91% of US websites collect personal information, and around 90% collect personally identifying information, justifying public concern regarding the potential for misuse of this information (Adkinson, Eisenach, & Lenard, 2002). In order to reduce conflicts between the public’s concerns and companies’ act of collecting PII, numerous companies provide privacy policies through either their websites or via email. Today, privacy policies have become almost ubiquitous for web-based companies and web merchants (Jensen & Potts, 2004).

However, privacy policies vary widely from site to site, in style, content, and usability, because of the absence of a legal requirement for the merchant to protect user privacy.

Privacy Policy Content and Credibility

Since consumer trust is at stake, the privacy policy content is important to the policy’s credibility; in general, a company’s privacy policy is the only information the public can have regarding how their PII is handled. Nonetheless, consumers’ personal data is not protected by companies’ privacy policies because there is no legislation regarding the privacy policy in the US. Consumers’ PII is even considered “a tradable commodity in capitalist societies, and thus, the free market economy and privacy are inherently at odds with each other” (Papacharissi & Fernback, 2005, p. 260). The companies are faced with an impossible situation here: balancing their own business goals against the needs and requirements of protecting their customers’ PII. For this reason, privacy policies are often confusing and contradictory.

Existing literature examining the internal content of privacy statements shows that the statements often start with an assurance that user privacy and PII will be protected, and “subsequently dismantles any true protection of consumer data” (Fernback & Papacharissi, 2007, p. 730). A commonly seen example is a statement indicating that only aggregate data will be collected, followed by a statement providing assurances of nondisclosure of PII, clearly conflicting with the statements that only aggregate data was to be collected (Fernback & Papacharissi, 2007).

Another area of privacy policies that tends to undermine their credibility is the practice related to changes to privacy policies. A significant percentage of policies do not address how changes to the policy would be communicated to the users, and the majority of them require users to check the policy on a periodical basis (Jensen & Potts, 2004). In addition, most company sites only provide notices of policy changes after they change the policies, and the only option the site users have to refuse the changes is to withdraw from the site.

Privacy Policy Readability

The readability of a privacy policy is an important factor in its usefulness and credibility. Clearly, a statement that cannot be understood is of no value to the user. Readability has many variables, including the level of education needed to understand it, the use of legalese or other confusing terminology, and the use of confusing verb tenses and adverbs intended to produce vagueness or multiple interpretations (Jensen & Potts, 2004; Milne, Culnan, & Greene, 2006; Pollach, 2007).

The level of education required to read and understand a privacy policy has been evaluated. Based on 2000 US Census data reported in a recent research study, 15.5% of the US population over 25 did not finish high school, and only 26.9% has college or higher education (Jensen & Potts, 2004). However, since over 70% of the US population is now online (Phillips, 2010), we can no longer assume that only the more highly educated public will be reading and relying on Internet privacy statements.

Studies of readability typically use the Flesch Grade Level (FGL) to assess the level of education at which the policies are written. The FGL converts to a US grade-school equivalency, where 1-12 represent the public school grade levels, and 12-18 represent college and graduate levels of education; the assessments are based on sentence length and the average number of syllables in the words used. In one study, the average FGL was 14.21 (equivalent to an associate degree level of education), as compared to 13.5, the average FGL of the US. A longitudinal study performed by Milne et al. (2006) found that the FGL increased from 11.2 in 2001 to 12.3 in 2003. Milne et al.’s study also found a statistically significant increase in the length of the average privacy policy over the same period. While the length of a privacy policy does not necessarily contribute to readability, it contributes to complexity, since a longer policy statement may not be read with the same attention as a shorter one.

Evaluations of the language and word choices of privacy policies have also been performed in several pieces of literature (Jensen & Potts, 2004; Milne et al., 2006; Pollach, 2007). Pollach (2007) performed a detailed evaluation of word choice, syntactical transformation such as using the passive voice, and modality (use of verbs and adverbs such as ‘may,’ ‘occasionally,’ and ‘perhaps’) to make sentences vague. Pollach (2005) found that the use of distancing terms such as “you receive” rather than “we send” was commonly used; these are linguistic mechanisms meant to distance the company from the practice described. Another commonly used phrase, “we reserve the right to,” is a legal expression allowing for several interpretations as to whether the action is carried out or not (Pollach, 2005, p. 106).

User Control Over Privacy and Opt-In/Opt-Out

Although the use of opt-in/opt-out mechanisms has been shown to increase user trust by increasing the level of control maintained by the user (Pollach, 2005, p. 104), careful framing which influences people’s privacy preferences was found to be used in opt-in/opt-out discussions, limiting their actual value. For example, when a company uses phrases such as “only when authorized” to describe their practice with regard to unsolicited email, it may be difficult for the consumers to determine whether the authorization is the result of opting-in or opting-out. Users may be unaware that they have unwittingly given authorization to a company by not choosing to opt out (Pollach, 2005; 2007). Since the user considers that “privacy entails managing the release of personal information while deflecting unwanted intrusions” (LaRose & Rifon, 2006, p. 1010) such as having their PII provided to third parties without their permission, language which influences the user to select an opt-in/opt-out option contrary to their actual objectives is clearly not in the interest of the user.

Considering that past research has only delved into the specific issues of legality, credibility, readability, and control with respect to PII and privacy, this research seeks to address the issues at a more holistic level. We specifically ask how WOM marketing sites address the issue of user privacy.

Research Methodology

This research study investigates, in a holistic way, the approach and understanding that WOM marketing companies bring to the issue of privacy and personal information. To explore this issue, qualitative textual analysis on privacy statements of eleven WOM marketing agencies was utilized for the data analysis. The research was completed by a team of three researchers, who took a collaborative approach to completing the research. Additional discussion of coding validation and of the individual roles of research team members is provided in the textual analysis section below.

Sample Selection

Samples for the textual analysis were obtained by two researchers who executed Google Search; the keywords used for the search were “buzz marketing agencies,” “word of mouth marketing agencies,” “top ten WOM marketing companies,” etc. Two lists were obtained from the Google Search because the two researchers worked separately. Then, the websites of these companies were systematically checked to determine the nature of business the company conducted. Companies with incomplete websites, and those that focused primarily on newsletters and message boards were discarded. A final list of sixteen WOM marketing companies was developed.

For this study, the samples were restricted by certain variables to allow some uniformity among the samples for comparison. Specifically, all samples were required to have a company-generated privacy statement, or to have discussed privacy in some area of their website. It was considered that those companies have linked their sites to either the Word of Mouth Marketing Association (WOMMA) website or other standards of care. Several WOM marketing company sites could not be readily analyzed for their own understanding of the concepts and practices of privacy in this context, and as a result, five of the original sixteen companies were eliminated from further evaluation as they either did not have a privacy policy or only posted a link to WOMMA.

WOMMA

WOMMA, the Word of Mouth Marketing Association, is a non-profit organization with the mission to advance and advocate credible WOM marketing. Within a year of creation, WOMMA published an “ethics code,” which focused on three main factors which WOMMA believed would separate ethical from non-ethical practitioners:

∙Honesty of Relationship: You say whom you’re speaking for

∙Honesty of Opinion: You say what you believe

∙Honesty of Identity: You never lie about who you are.

Several of the companies reviewed in this study referenced the WOMMA ethics code, either by statement or a link posted on their webpage. Those who referenced the WOMMA ethics code were noted; however, no further analysis was performed on those sites.

Additional Methods of Addressing Privacy

In some cases, several privacy statements were contained on the webpage of their parent companies. These privacy statements were analyzed in the same manner as other company-specific privacy statements. One company was found to have the privacy policy incorporated into the company’s legal Terms and Conditions. The Terms and Conditions document was analyzed in the same way as a separate privacy statement.

Textual Analysis Procedure

The textual analysis started with close reading of subsamples consisting of five of the collected privacy statements. The entirety of the subsamples was reviewed by two researchers, and a preliminary list of five themes was developed. The privacy statements were then reanalyzed and coded from the perspective of these initial themes. A comparison chart showing the relevant text for each theme was developed and discussed among the researchers. Three additional themes emerged from this further evaluation, resulting in a total of eight themes. The researchers’ agreement on the final coding practices was obtained prior to analyzing the full samples of privacy statements.

 Each researcher was responsible for coding two participant privacy statements for all eight of the final themes. This information was added to the comparison chart for ease of viewing patterns across company statements. Then all the researchers reviewed the complete samples of privacy statements, with each researcher being responsible for the identification of patterns and nuances related to two of the final eight themes.

Analysis

We identified eight major themes among the eleven policies analyzed. The presence of the eight themes in all eleven policies is listed in Table 1. Table 1 shows the significant variety of privacy policy discussions just among the eleven companies analyzed in this study and reaffirms the lack of consistency among privacy policies, which was identified in the literature. Further analysis of the eight themes is broken down into observations on mission statements, defining PII, accessing PII, customer consent, and sources of PII.

The analysis of the purpose or mission for these statements revealed three justifications for privacy policies: (1) general statements about the commitment to privacy, (2) claims to specific steps that protect privacy, and (3) a balance between the needs of the customer and those of the business.

General statements about privacy used phrases such as “closely guard” (BzzAgent), “committed to respecting” (Fanscape), and “respecting the privacy of our users” (Fanscape). Specific steps approached the privacy problem by appealing to procedural protection in the form of “steps to protect…privacy” (GasPedal) or “strict operations guidelines” (Kbuzz). The balanced approach appealed to the “legitimate interests in improving our services by collecting and using personal information with your reasonable expectations of privacy” (Buzzfeed).

The definitions of personal identifying information (PII) varied across the websites that were analyzed. Some sites failed to define the term, making it difficult for users to understand what data was covered by the policies under review. The most common aspects of PII were (1) email address, (2) home address, (3) phone number, and (4) name. One company included interests, occupation, and date of birth as part of the PII. Another company (BzzAgent) explicitly excluded some types of information from being considered PII, such as IP addresses, browser types, and access time. Overall, there was no consensus among the websites explored about what personally identifiable information was.

Accessing PII was further discussed in the privacy statements on the websites along a number of dimensions, including employee access, third-party access, and distribution of personally identifying information.

Employee access was granted if they need information to perform a specific job pertaining to a business reason such as performing diagnostics (Omgili), resolving disputes (Omgili), or delivering products (BuzzLogic), thus justifying access as contingent upon the needs of the company. Other sites explicitly mentioned the use of PII to improve the performance of their website. One company (Brainsonfire) explicitly dismissed any claims of liability or damage as a result of using their website or disclosing any information to the company. Third-party access was justified in five different ways. First, for marketing and business:

Brainsonfire: …you volunteer to us through the BuzzLogic Site, with third-party service providers in order for those service providers to perform business functions for us or on our behalf… We may share some or all of your PII or NPII with any parent company, subsidiaries, joint ventures, or other companies under common control…

Second, for direct customer requests: “unless we have asked for and obtained your explicit consent” (Tremor). Other reasons given for possible third-party access to PII were legal actions involving the company or members, protecting minors from exposure, and finally, to disclaim liability for holding PII.

Distribution of PII was addressed by many of the sites. The language used to describe distribution was commercial, using terms such as “sell,” “share,” “rent,” or “trade” information with customer consent. Other sites stated that information provided by users was automatically “public,” and thus, no limits to information distribution were needed. One site mentioned the existence of a parent-company with which information could be shared.

Another set of common themes centered on the issue of consent. This issue was directly discussed, linked to either the collection of PII or the updating of PII.

Among the sites analyzed, consent for the collection of PII was granted in two major ways. First, merely visiting the site may be considered a form of consent (Buzzlogic & Omgili) or second, through submission of content to the site (BzzAgent & GasPedal). Consent was an automatic process for most sites, with no explicit actions required by the site visitors for the granting of consent.

Modifying the conditions of the consent was up to the site visitors, usually through some forms of opting-out. A visitor may choose to unsubscribe from email newsletters or other forms of communication. However, if the user wishes to be removed from the company databases, there is no guarantee of action, even if the request is made in writing. Brickfish and GasPedal offer to remove personal information from their databases. Brickfish adds a caveat that information may remain in archives or public postings. GasPedal offers complete removal of PII, but asks the user for “a reasonable amount of time to complete these requests” (GasPedal). The definition of “a reasonable amount of time” was ignored.

There are three main sources for PII among the sample of WOM marketing agencies that we analyzed. Information may be provided by the user, collected automatically to track site visits, and collected from third parties.

The clearest policy statements concern automatic collection of site data. A number of sites described the technical process of server logging and cookie transmission that occur regardless of whether any PII has been exchanged. This information is collected simply through the process of connecting to the websites in question.

Personal information provided by the users is used for business purposes, such as “billing, dispatching of service, to solve problems, and to inform customers of new products or services that will better meet their needs” (KBuzz). Other sites collect PII when the user explicitly signs up for their services or communications. One of the sites’ privacy policies states that “When you personalize your Brickfish Profile, we will collect any information you provide, such as photos you choose for your display picture” (Brickfish). Sites with forums or other public areas collect information if the user chooses to post material to the web.

Information collected from third parties was rarely discussed. If it was mentioned, it was discussed in vague language. Specifically, Tremor adds, “We collect information about you from a variety of sources, including: …Information we collect about you from other sources, such as commercially available sources”. “Commercially available” has no determinate limit for most users, because they are probably unaware of what information is commercially available. In order for the user to determine the limits of this policy, he or she must become a business themselves and attempt to obtain information about themselves in a commercial form. It is unlikely that any person will pursue this route.

All but one (Tremor) of the analyzed sites indicated when they would update their privacy policies and how they would notify their users of the updates. Two main categories emerged: They used either email to contact the users or they posted the updates on their websites for notification. However, most sites indicated that they were more likely to post the update notifications on their website, rather than sending emails to their site users. In addition, sites that post notifications on their websites “encourage” (Buzzfeed) their users to visit their websites “frequently” (BzzAgent) to check recent updates of the privacy policies.

Discussion and Implications

All of the privacy statements analyzed used complex, legalistic language. However, terms were used without definition or clear limits. Therefore, terms such as “respect” or “guarding” the users’ privacy are named but rarely operationalized. When they are operationalized in the form of specific guidelines about employee or third-party access to PII, the limits are basically whatever benefits the business. If there is a business need to distribute information, then the companies will do so, usually without any additional consent from the user. The main audiences for these statements were other lawyers, not customers or users. One company acknowledged this fact by starting the privacy statement with “Sounds like we’re selfish, doesn’t it? Well, we’re not. It’s the law-dogs talkin’” (Brainsonfire). They concluded the statement with “Thus ends the reading of the terms and conditions. If you have any questions, we’re sorry. But we don’t have the answers” (Brainsonfire). This privacy statement may be the only statement to openly acknowledge the audience and purpose for the privacy policies, but the legalistic style persisted throughout the samples of statements that were analyzed.

It is important to note that the language used in each of the companies’ mission statements did not necessarily reflect the overall legalistic tone of the majority of the privacy policies. In particular, the third category within the mission statement, which reflected a balancing of both user and company needs, was not represented throughout the majority of the privacy statements. For example, even though a mission statement provided by a company places much of the responsibility of ensuring privacy on their own shoulders, “[we] are committed to respecting the privacy of our users. We strive to provide a safe, secure user experience” (Fanscape), much of the language used in the body of the privacy statement reflects a lack of liability regarding their own protective measures of PII: “FANSCAPE is and shall be under no obligation to maintain any of your COMMENTS in confidence, to pay to you any compensation for any COMMENTS, or to respond to any of your COMMENTS” (Fanscape).

Other companies followed the same line, acknowledging the importance of privacy in the mission statement and then undermining that statement in the remainder of the policy. Companies claimed to “respect[s] the privacy of the visitors to its Website” or “closely guard any personally identifiable information you disclose to us” early in the policy statement. Such blanket privacy protections were rarely supported by the detailed statements of the policy. Even balanced mission statements, such as “our intent is to balance our legitimate interests in improving our service by collecting and using your personal information with your reasonable expectations of privacy,” were often undermined by subsequent language in the same policies.

This apparent dichotomy in language in the privacy policies of WOM company sites is problematic, in that the user is lulled into a false sense of security due to the finding that the mission statement typically comes before the policy body. As Jensen and Potts (2004), Milne et al. (2006), and Pollach (2007) note, readability is an issue when users determine the credibility of online sites. Therefore, the use of seemingly hypocritical language, as indicated by the difference between the mission statements and the remainder of the policy body, may be misleading. When users go no further than what they read up front, they leave unread the contrasting statements that actually counter what is said in the mission statement.

Research and policy-making are linked together, and they have significant influences on each other (Ozanne, 2011). When a policy study is completed by a researcher, policy-makers in the relevant fields can use the research to develop better policies by applying the research to many cases of existing policies. Moreover, researchers can execute a new privacy research study when new policies have been developed by policy-makers.

The current study explored how Internet users’ PII was treated by privacy policies of US WOM marketing companies. According to major findings of the study, contents and styles in privacy policies vary from site to site. This can be very confusing to consumers who try to determine how their PII and privacy are protected by the company privacy policies and US legislation. Secondly, privacy statements on various WOM marketing sites use vague and unclear language to describe their policies. This can also threaten the credibility and readability of agencies’ privacy policies. These situations exist because the US law lacks clear legislation pertaining to the protection of adults’ online privacy. Policy-makers may use this study as a guideline to improve their policies.

Conclusion

In Andrejevic’s (2002) discussion of the exploitation of self-disclosure, he raises the idea that, when the user is given the perception of control, they tend to think they actually have it. “For too long, the discussion of mediated interactivity has tended to assume that as long as the Internet allowed unfettered interactivity, questions of network control and ownership were rendered moot by the revolutionary potential of the technology itself” (Andrejevic, 2002, p. 246). What this suggests is that a reexamination of the asymmetries of power in the online environment may be advisable. In particular, the notion that a user can contribute to a conversation within a WOM website gives that individual the perception of power: that their needs are met and heard. True as that may be, it is still concerning to note the degree of language inconsistency and blatant hypocrisy.

What our findings suggest is an affirmation of previous studies concerning privacy and PII. Although users are given more power to have their voices and opinions heard in a WOM marketing website, that very work which they do serves these companies’ marketing efforts. The language embedded in the policies allows many of these companies to justify the utilization of users’ PII according to a plethora of un-operationalized, indefinable, and ambiguous criteria set out for their company’s needs—not the user’s.