Enforced Standard Versus Evolution by General Acceptance


  • 7/30/2019 Enforced Standard Versus Evolution by General Acceptance

    1/25

    DOI: 10.1111/j.1475-679x.2004.00163.x

Journal of Accounting Research, Vol. 43 No. 1, March 2005

    Printed in U.S.A.

Enforced Standards Versus Evolution by General Acceptance: A Comparative Study of E-Commerce Privacy Disclosure and Practice in the United States and the United Kingdom

KARIM JAMAL, MICHAEL MAIER, AND SHYAM SUNDER

    Received 28 July 2003; accepted 13 August 2004

    ABSTRACT

We present data on privacy practices in e-commerce under the European Union's formal regulatory regime prevailing in the United Kingdom and compare it with the data from a previous study of U.S. practices that evolved in the absence of government laws or enforcement. The codification by the E.U. law, and the enforcement by the U.K. government, improves neither the disclosure nor the practice of e-commerce privacy relative to the United States. Regulation in the United Kingdom also appears to stifle development of a market for Web assurance services. Both U.S. and U.K. consumers continue to be vulnerable to a small number of e-commerce Web sites that spam their customers, ignoring the latter's expressed or implied preferences. These results raise important questions about finding a balance between enforced standards

University of Alberta; University of Iowa; Yale University. Discussions with John Dickhaut, Paul Healy, and Joel Reidenberg on our earlier work led to the present study and are gratefully acknowledged. Assistance from Michael Barrett in setting up the experiment in the


    74 K. JAMAL, M. MAIER, AND S. SUNDER

and conventions in financial reporting. In the second half of the 20th century, financial reporting has been characterized by both a preference for legislated standards and a lack of faith in its evolution as a body of social conventions. Evidence on whether this faith in standards over conventions is justified remains to be marshaled.

    That government is best which governs least. Thoreau [1894/1906]

The rise and fall of government regulation challenges both sides in the debate over the proper role of government and business in protecting people against various risks. Leaving business to its own devices is suspect for reasons suggested by horror stories such as the exploding Ford Pinto. The failures of the free market are well recognized. Consumers frequently lack information. Businesses often lack the incentive to internalize external costs such as pollution. The costs of organizing collective interests can be prohibitive; and without the watchful eye of regulatory inspectors, the unscrupulous lack a powerful reason for self-restraint. But, as the revolt against regulation reveals, government regulation has its own serious shortcomings. As Charles Wolf points out, the failures of non-market arrangements parallel those of the free market. Many regulatory agencies are plagued by adversariness and delay. Regulations are often slow in coming but quick to court. These regulations can be inflexible and unreasonable. As a result, the political debate over protective regulation has reached an impasse. Proponents of government regulation appeal to well-founded fears of laissez-faire arrangements, while supporters of the private sector appeal to similarly substantiated concerns about regulatory bureaucracy.

Cheit [1990, p. 3]

    1. Introduction

This study reports results of a comparative field study of two divergent approaches to regulating e-commerce privacy practices in the United States and the United Kingdom. Although in the United Kingdom (and in the European Union) Internet privacy is governed by statutes and formal enforcement, in the United States this subject has been left largely to the evolution of industry norms and voluntary compliance. We examine the differences in privacy policies, their disclosure, and the observable consequences for consumers under these two regimes.

The evidence from our study has relevance for some key issues regarding accounting standard setting and enforcement in the United States and in the international community. During the seven decades since the creation of the Securities and Exchange Commission (SEC), the concept of Generally Accepted Accounting Principles (GAAP) has gradually, but steadily, and without much explicit debate, shifted from evolved social conventions toward legislated standards. Informal sanctions and reinforcements that sustain the evolution and effectiveness of social conventions have gradually been replaced by formal surveillance and penalties, backed by regulatory


    E-COMMERCE PRIVACY DISCLOSURE AND PRACTICES 75

Standards Board [FASB] implicit in the nomenclature), which hopes to have its standards accepted around the globe, is an example of the broad acceptance of the idea that legislated standards, backed by governmental power of enforcement, are a preferred financial reporting regime. Social conventions, supported only by informal sanctions and market consequences, are not in fashion at the turn of this century.

This broad movement toward reliance on institutions to write and enforce financial reporting standards has been accompanied by surprisingly little theoretical or empirical analysis of their possible merits relative to the evolutionary approach. Such analyses could be facilitated by comparing deliberately designed mechanisms or legislated standards on the one hand, and evolved norms on the other. Hayek's [1973, chap. 1] comparison of designed and evolved mechanisms is a good example.

Some recent law and economics literature addresses the relationship between formal regulation (by law) and various informal or social modes of regulation (e.g., Posner [2003]). There is an implicit assumption in this literature that eventually all markets require legal regulation to succeed (McMillan [2003]). Recently, several attempts have been made to document the informal development of social order arising from repeated interaction and shared socialization (social capital) among individuals in a society (Coleman [1990], Putnam [1993]). The literature on informal control suggests that the role of law as a source of social order is exaggerated in the mainstream literature.

A detailed examination of a successful online auction market (eBay) by Duh, Jamal, and Sunder [2002] indicates that eBay has sought to develop an effective market by relying primarily on informal controls such as personal reputation and creation of an eBay community. Rather than focusing on the punitive function of the law, recent research by Mailath, Morris, and Postlewaite [2001] develops a theoretical framework for arguing that the impact of law and authority is rooted in the expectations people have about the behavior of others, that is, social norms. Posner [1997] proposes that the key role for the law is to formalize existing social norms and provide a credible mechanism for publicizing rule violations and enforcing penalties. Other legal scholars (e.g., Lessig [1998], Sunstein [1996]), however, propose that the law should be used in a more activist manner to help shape social norms. The limited evidence available on the interplay between law and social norms suggests that people ignore laws that are inconsistent with prevailing social norms (Ellickson [1991]).

Although the interplay between formal standards and informal norms has always been important in financial reporting, the events of recent years have brought increased attention to this topic. Revival of the rules versus principles debate in accounting is an example. Detailed rules are supported


observations from the field of e-commerce privacy, which has some significant parallels to financial reporting (see Jamal, Maier, and Sunder [JMS 2003] for a detailed discussion of the externalities associated with privacy and financial reporting). JMS [2003] document the e-commerce privacy standards and practices in the United States, where little government regulation or enforcement exists; social norms are developed by civic organizations such as TRUSTe that arose to develop better privacy practices, albeit under the implicit threat of government legislation. TRUSTe promotes privacy practices in e-commerce by developing and propagating norms, education, and community monitoring supplemented by formal monitoring and enforcement. (See appendix A for measures of compliance effort.)

The present study documents the e-commerce privacy practices and standards in the United Kingdom, where the Information Commission (IC), a British government agency, currently enforces the privacy law of the European Union. The European Union's activist stance led to early legislation to mold commercial privacy practices.1

In the present study, we use the JMS field experiment method and design to examine the disclosure and privacy practices of 56 high-traffic Web sites in the United Kingdom. These sites are formally regulated by the E.U. privacy law, which has been incorporated into the U.K. national privacy law (see appendix B). The IC monitors and enforces compliance with this law (see appendix C for measures of compliance effort). We examine compliance with two key aspects of the law for which JMS document the corresponding U.S. practices: (1) the requirement to provide disclosure or notice of what consumer information is gathered and used by the Web site, and (2) the consent requirement that consumers be provided with an option to control how their personal information is used by a Web site for secondary purposes.

Our results indicate, first, that disclosure of privacy practices in the United Kingdom is no better, perhaps worse, than in the United States. It is more difficult to find the privacy policy of a U.K. Web site, and compliance with the disclosure requirements of the U.K. privacy laws is generally poor. Second, in the United States more Web sites use their own as well as third-party cookies to track user behavior than in the United Kingdom. Third, most Web sites in the United Kingdom as well as in the United States honor the opt-out choices made by customers. Fourth, most of the e-mail received by U.K. registrants comes from a single Web site that does not honor the opt-out option chosen by registrants, similar to what happens in the United States. Finally, even in the opt-in condition, most of the e-mail comes from

1 Nijhawan [2003] writes: "Historically, the EU and the U.S. approach data privacy regulations in diametrically opposed ways. While the EU relies primarily on legislation and heavy regulation, the U.S. has adopted a market-based, self-regulatory approach to data privacy. The


a single Web site, just as in the United States. Overall, we find no important differences between the average behavior of U.K. and U.S. Web sites in this respect. Consumers in both regimes remain vulnerable to a small number of Web sites that misbehave. In the United States, better companies can signal their good intentions to their visitors by paying a small fee to purchase a Web seal from an independent provider such as TRUSTe or BBB Online. In the regulatory regime of the United Kingdom, the market for Web seals has barely developed.2

2. Regulation of Privacy Practices in the United States and the United Kingdom

The concept of privacy is deemed to be central to the development of an autonomous self and hence an important facet of individual liberty (DeCew [1997]). Until recently, privacy rights focused on the intimate details of one's life, such as the right to be silent about one's sexual preference and the right to choose abortion. In addition, there was a general concern about providing government or other institutional authorities with too much information. There was less concern with privacy in business (DeCew [1999]).

That began to change with the rise of drug use in the general population in the 1960s and the 1970s, as business firms began testing prospective, and even current, employees for drug use. More recently, electronic surveillance of the behavior of employees and employer access to employees' genetic and medical records have raised new privacy concerns relating to business (Kupfer [1993], Brockett and Tankersley [1997]).

With the Internet and the development of e-commerce, privacy issues have become more complicated. New e-commerce technologies have substantially increased the ability of online merchants to collect, monitor, target, profile, and even sell personal information about customers to third parties (JMS [2003]). The intrusiveness of telemarketing activity and spam has raised the profile of privacy issues involving business.

In response to broad societal concerns about privacy, the Organization for Economic Cooperation and Development (OECD), the U.S. government, and the European Union began extensive discussions in the 1970s about developing a regulatory framework for privacy. These discussions were guided by five privacy principles enumerated by the OECD [1980]: (1) notice/awareness: participants should receive notice of an entity's information practices before they divulge any personal information; (2) choice/consent: participants should be given options as to the uses of any personal information collected from them, especially for secondary uses that are unrelated to the original transaction (e.g., sale of information to third parties); (3) access/participation: participants should have access to information recorded


about them and be able to modify any information deemed incorrect; (4) integrity/security: collectors must take reasonable steps to ensure data integrity, convert it into anonymous form before using it for secondary purposes, and destroy untimely data; and (5) enforcement/redress: there must be a mechanism in place to enforce the privacy policies.

The European Union decided to adopt a formal (legal) regulatory framework for the protection of privacy. In 1995 the E.U. parliament formalized the E.U. privacy law by passing the European Directive on Data Protection (EU Directive 95/46/EC). The directive adopted the aforementioned five principles and required member countries to bring their national laws into compliance.3 The directive stipulated that personal data must be processed fairly and lawfully and only collected for a specified, explicit, and legitimate purpose. The use of data for any secondary purposes beyond those stated is prohibited. Data cannot be kept any longer than needed to serve the stated purpose, and the data can only be collected if the person has given his or her consent. There is some discretion available to each member country to define what consent means. Some countries, such as France, require consent to be obtained explicitly (opt in), whereas the United Kingdom has a more permissive definition that allows consent to be implied as long as consumers are provided with an opportunity to opt out of the use of their personal data for secondary purposes.4 The E.U. directive also requires each member government to create an independent government body to monitor the development, implementation, and enforcement of national data protection law. Given that the United States has no law covering most Web sites, it is generally considered that, with respect to privacy laws, the European Union has much stricter (and legally binding) standards and enforcement than does the United States.

Data protection in the United Kingdom is regulated by the Data Protection Act (DPA) of 1984, which was significantly amended in 1998 for compliance with the E.U. directive (Reidenberg and Schwartz [1998]). The IC, a U.K. government agency, is responsible for the monitoring and enforcement required by the E.U. directive. All entities collecting personal data must register with the IC. The IC has the statutory power to monitor compliance with the DPA and can serve enforcement notices that direct a registered person to take specific steps to comply with the act. The IC can also cancel registration, prohibit overseas transfer of data, and initiate prosecution of violators of the act. Failure to register is subject to prosecution. Administrative decisions of the IC, especially the enforcement notices, can be appealed to an independent Data Protection Tribunal (DPT). The budget of the IC more than doubled from £3,661,690 in fiscal year 1997–1998 to


£8,244,982 in 2001–2002. Enforcement activities of the IC are summarized in appendix C. From 1997 to 2002, the IC filed 331 court cases and obtained 277 convictions for violation of the privacy law. Precedents established by the DPT require that privacy notices be displayed in large, easy-to-read print in a prominent location where personal information is first collected. Reidenberg and Schwartz [1998] provide a detailed discussion of the E.U. privacy law and a comparison of the national privacy laws of Belgium, France, Germany, and the United Kingdom.

The year 1995 was a watershed year: the European Union passed its privacy directive and the United States did not pass a general privacy law. TRUSTe was formed in 1996 as a nonprofit organization to promote better privacy practices, and many U.S. Web sites voluntarily display a TRUSTe Web seal to signal their compliance with the privacy standards formulated by TRUSTe. (See TRUSTe compliance activity in appendix A.) The Federal Trade Commission (FTC) started holding workshops in 1995 to discuss and promote good privacy practices. The FTC also tried to push e-commerce Web sites to improve their privacy practices by conducting studies (which combined a review of privacy policies and surveys) in 1998, 1999, and 2000. Each FTC study showed improvement in the actual practices of U.S. Web sites (FTC [2000]). As of May 2004, there is virtually no general government regulation of privacy in the United States and no legal requirement to disclose privacy policies in e-commerce or on the Internet.5 Once a person discloses information while registering or transacting at a site, there are no legal constraints on what can be done with that personal information so long as no fraudulent actions are involved. There is no requirement that a site have a privacy policy, that consumers be informed about what data are being collected about them, or that consumers be provided with an option to give or deny their consent to secondary uses of the data gathered. In addition, there are no legally mandated audit procedures, nor are the e-commerce sites required by law to have their privacy policies certified by independent auditors.6

    3. Research Method and Results of the Notice/Awareness Study

We gathered data from 56 high-traffic Web sites in the United Kingdom by repeating the procedure used in JMS [2003]. First, we obtained the addresses of high-traffic Web sites from Jupiter MediaMetrix (www.mediametrix.com), which monitors Web usage and provides research and consulting services for

5 As many experts had predicted, the Can-Spam Act of 2003, which went into effect January 1, 2004, has so many loopholes for spammers that it has had virtually no impact on the volume of e-mail received by U.S. consumers. The Can-Spam law can be viewed as an instrument of


online advertising. For countries other than the United States, MediaMetrix issues monthly reports of the top 15 active Web sites based on user traffic. We reviewed the top 15 reports from April 1999 to April 2002. This resulted in the identification of 28 Web sites that had been listed at least once in the top 15 rating report. We then picked firms in the U.K. Financial Times Index and looked for their Web sites. An additional 28 Web sites were identified where consumers could register or engage in transactions. A total of 56 high-traffic Web sites in the United Kingdom were identified during the summer of 2002.

We programmed a Web crawler to visit these sites and to record the use of their own, as well as any third-party, cookies. We also obtained an electronic copy of the privacy policies of these Web sites and looked for disclosure about cookie usage and the use of third-party cookies. Our crawler visited each of the 56 Web sites five times during the week of June 4–11, 2002. Some Web sites in the United Kingdom do not display a privacy policy until the consumer actually registers or initiates a transaction. We attempted to register or initiate a transaction from June 11 to 20 to identify the use of cookies. During the same period (May 27 to June 12, 2002), a research assistant (who did not know the results generated by the Web crawler) downloaded and date-stamped the privacy policy of each Web site. The data collected using the crawler and manual review of the privacy policies were combined in a spreadsheet for the analysis here.
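The two measurements the method above combines, which cookies a crawler observed per site (own versus third-party) and whether the site's privacy policy discloses them, can be reproduced in a small analysis step. The following Python is an added example, not code from the paper or its authors: the hostnames, cookie observations and policy texts are constructed, and the registrable-domain rule and keyword-based disclosure check are simplifications of what a production crawler (public-suffix list) and the study's manual policy review would do.

```python
"""Classify crawler-observed cookies as first- or third-party and tally, per
site, cookie use and privacy-policy disclosure (the quantities behind rows 3,
4, 7 and 8 of table 1). Added example with constructed data."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set

# Simplified public-suffix handling (assumption for this example): a few
# two-label U.K. suffixes are treated as part of the suffix so that two hosts
# under example.co.uk count as the same first party.
TWO_LABEL_SUFFIXES = {("co", "uk"), ("org", "uk"), ("ac", "uk"), ("gov", "uk")}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 for a hostname, e.g. static.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and tuple(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass(frozen=True)
class Observation:
    """One cookie seen while the crawler visited `site`, set by `cookie_host`."""
    site: str
    cookie_host: str
    name: str


@dataclass
class SiteSummary:
    uses_cookies: bool = False
    third_party_hosts: Set[str] = field(default_factory=set)
    discloses_cookies: bool = False
    discloses_third_party: bool = False


def is_third_party(site: str, cookie_host: str) -> bool:
    """A cookie is third-party when its setter is a different registrable domain."""
    return registrable_domain(site) != registrable_domain(cookie_host)


def policy_mentions_cookies(text: str) -> bool:
    return "cookie" in text.lower()


def policy_mentions_third_party_cookies(text: str) -> bool:
    # Crude keyword check standing in for the manual policy review in the study.
    t = text.lower().replace("third-party", "third party")
    return "cookie" in t and "third party" in t


def summarise(observations: Iterable[Observation],
              policies: Dict[str, str]) -> Dict[str, SiteSummary]:
    """One SiteSummary per visited site; `policies` maps site -> policy text."""
    summaries = {site: SiteSummary() for site in policies}
    for obs in observations:
        s = summaries.setdefault(obs.site, SiteSummary())
        s.uses_cookies = True                      # any cookie at all, own or not
        if is_third_party(obs.site, obs.cookie_host):
            s.third_party_hosts.add(obs.cookie_host)
    for site, text in policies.items():
        summaries[site].discloses_cookies = policy_mentions_cookies(text)
        summaries[site].discloses_third_party = policy_mentions_third_party_cookies(text)
    return summaries


def tally(summaries: Dict[str, SiteSummary]) -> Dict[str, int]:
    """Counts in the shape of the table: disclosure rates are taken among the
    sites that actually exhibit the practice, as the table's percentages are."""
    users = [s for s in summaries.values() if s.uses_cookies]
    tp_users = [s for s in users if s.third_party_hosts]
    return {
        "sites": len(summaries),
        "use_cookies": len(users),
        "disclose_cookies": sum(s.discloses_cookies for s in users),
        "allow_third_party": len(tp_users),
        "disclose_third_party": sum(s.discloses_third_party for s in tp_users),
    }


# Constructed sample data; hostnames are illustrative, not real sites.
SAMPLE_OBSERVATIONS = [
    Observation("www.shop-example.co.uk", "www.shop-example.co.uk", "session"),
    Observation("www.shop-example.co.uk", "ads.tracker-example.com", "uid"),
    Observation("news.example.co.uk", "news.example.co.uk", "prefs"),
    Observation("news.example.co.uk", "static.example.co.uk", "cdn"),   # same first party
    Observation("bank-example.com", "metrics.analytics-example.net", "visitor"),
]
SAMPLE_POLICIES = {
    "www.shop-example.co.uk": "We use cookies to remember your basket. Third-party "
                              "advertisers may also set cookies on this site.",
    "news.example.co.uk": "This site uses cookies to store your preferences.",
    "bank-example.com": "We collect your name and address to process your order.",
    "plain-example.org": "",                       # visited, set no cookies
}

if __name__ == "__main__":
    result = summarise(SAMPLE_OBSERVATIONS, SAMPLE_POLICIES)
    for site, summary in result.items():
        print(site, summary)
    print(tally(result))
```

On the constructed data the bank site is the interesting case: it sets no cookie of its own, yet a third-party host places one during the visit and the policy says nothing about cookies, so it counts as a cookie user and a third-party allower with no disclosure in either row. That is exactly the gap between practice and notice the disclosure study is designed to surface.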

    3.1 RESULTS: DISCLOSURE (NOTICE/AWARENESS)

The results of the disclosure of privacy policies of the 56 high-traffic U.K. Web sites are presented in table 1 (alongside, for ease of comparison, the results from 100 high-traffic U.S. Web sites reported by JMS [2003]). In the United States, JMS [2003] report that 34 Web sites had paid for a privacy assurance Web seal from an independent party (30 TRUSTe, 2 BBB Online, and 2 both TRUSTe and BBB Online). None of the Web sites in the United Kingdom displayed a Web seal. One consequence of a legislated standards approach to privacy appears to be the elimination, or preclusion, of a market for private Web assurance. Because the law requires a disclosure of privacy policies but not a privacy audit, we observe no market for privacy assurance seals in the United Kingdom. The privacy disclosure law appears to have eliminated the incentives for the Web sites to use Web seals as signals of their good privacy practices to consumers.

In the United States, JMS [2003] report that it was easy to locate the privacy policies of 97% of the Web sites in the sample. In most cases, it could be located from the home page (95% were one click away). In the United Kingdom, we found it difficult to locate privacy policies on Web sites (70% were one click away). The U.K. law requires the privacy policy


TABLE 1
Disclosure of Privacy Policies

(Only the two U.S. columns survive in this copy; the U.K. columns are truncated.)

Number  Privacy Practice                                                  U.S. Web Sites with      U.S. Web Sites without
                                                                          Privacy Seals (n = 34)   a Privacy Seal (n = 66)
1       Post a privacy policy                                             34 (100%)                63 (95%)
2       Privacy policy is one click away                                  34 (100%)                61 (92%)
3       Use cookies to track user behavior                                34 (100%)                64 (97%)
4       Disclose that Web site is using cookies                           34 (100%)                55 (86%)
5       Explain what cookies are                                          30 (88%)                 42 (66%)
6       Explain how to turn off/decline cookies                           19 (56%)                 23 (36%)
7       Allow third parties to use cookies on Web site                    31 (91%)                 48 (73%)
8       Disclose presence of third-party cookies on Web site              30 (97%)                 30 (63%)
9       Provide link to privacy policy of third party                     19 (61%)                 20 (42%)
10      Disclose how data are used for internal transaction processing    34 (100%)                63 (95%)
11      Disclose how data are used for internal marketing purposes        34 (100%)                62 (94%)
12      Disclose how data are used for outsourced transaction             28 (82%)                 43 (65%)
        processing by a third party
13      Disclose how data are used for marketing purposes by third        34 (100%)                62 (94%)
        parties

In a field experiment, Jamal, Maier, and Sunder (JMS [2003]) program a Web crawler to repeatedly visit 100 selected high-traf[…] and to record what cookies (and third-party cookies) are used by these Web sites to monitor visitors to the Web sites. JMS then […] number of Web sites that disclose their use of cookies (and third-party cookies), as well as disclosures on how data collected fro[…] parties. U.S. Web sites are classified into two groups: those that purchase an independent Web assurance seal (n = 34) and those th[…] May 27 to June 12, 2002 for 56 high-traffic U.K. Web sites governed by EU privacy law. A U.K. government body monitors and enforces the pr[…]


States). This suggests significant noncompliance with the legal requirement to provide a privacy policy and the precedents set by the DPT requiring privacy policies to be prominent, easy to read, and provided before personal information is collected. Perhaps U.S. Web sites view the disclosure of privacy policies as an instrument of their marketing strategy to attract consumers, and they make it easy to find this policy. U.K. Web sites, on the other hand, appear to view privacy disclosure as a matter of a bureaucratic requirement, and they make it difficult to find their statements of policy. The frequency of noncompliance raises doubts about the effectiveness of the E.U. law in promoting privacy policy disclosures.

In the United States, JMS [2003] report that all 34 of the privacy seal Web sites and 64 of the remaining 66 nonseal Web sites used cookies, for an overall cookie usage rate of 98%. The disclosure of cookie usage was also high, with all 34 privacy seal Web sites and 55 of the remaining 64 Web sites (overall 91%) disclosing their cookie usage. In the United Kingdom, the rate of cookie usage was lower, with only 88% (49 of 56 Web sites) using cookies to monitor consumers (p < 0.01). The disclosure rate of cookie usage in the United Kingdom was also lower, with only 80% (39 of 49) of the Web sites that use cookies disclosing their use (p < 0.05). Relative to the United States, the formal legal codification of cookie disclosure requirements appears not to have improved disclosures in the United Kingdom.

In the United States, JMS [2003] report that third parties placed cookies on visitor hard drives in 31 (91%) Web sites with seals, and 48 (73%) Web sites without a seal, for an overall third-party cookie usage rate of 79%. Thirty Web sites with a seal (97%) disclosed the presence of these third-party cookies on their site. Thirty of the 48 Web sites without a seal that were placing third-party cookies (63%) disclosed the presence of third parties, for an overall third-party cookie disclosure rate of 76%. In the United Kingdom, Web sites were much less likely to allow third parties to use cookies to monitor customer behavior, with only 50% of Web sites (28 of 56) allowing third parties to place cookies from their site (p