Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Personalization paradox: the wish to be remembered and the right to be forgotten
A qualitative study of how companies balance being personal while protecting consumers’ right to privacy
Master’s Thesis 30 credits Department of Business Studies Uppsala University Spring semester of 2019 Date of Submission: 2019-05-29
Alexandra Harrysson Julia Olsson Supervisor: Cecilia Pahlberg
2
Abstract Many argue that personalization is needed in a modern marketing strategy. Whilst there are
several positive aspects of personalization, e.g. improved customer satisfaction rates, it can also
lead to firms being perceived as intrusive and elicit privacy concerns. This dilemma describes
the personalization paradox, which refers to the two-sided results of using personalized
communication by collecting and analyzing consumer data. To address the issue of how firms
balance the need for personalization while still respecting consumers’ privacy, previous
researchers have mainly investigated the issue from the consumer perspective. However, the
consumer is believed to display a paradoxical behavior in regards to personalization. Therefore,
we have addressed this issue through interviewing 12 company representatives from 7
companies. Our findings indicate that companies are mindful when creating personalized
content and do acknowledge the issues with privacy and the risk of being perceived as intrusive.
To overcome the personalization paradox, firms are not explicit about their data analysis in
their personalized communication as this can lead to consumers feeling discomfort. Finally, an
essential way that firms can prevent privacy concerns is to create relevant content as this
outweighs feelings of discomfort. These findings to a certain extent do not reflect the empirical
research on the topic, however the discrepancies may exist as previous studies were conducted
from the consumer side.
Key words: personalization, privacy, trust, transparency, control
3
Table of content 1. Introduction ___________________________________________________________ 5
1.2 Background _________________________________________________________________ 5 1.3 Problematization _____________________________________________________________ 6 1.4 Purpose and knowledge contribution _____________________________________________ 7
2. Theoretical Framework __________________________________________________ 8 2.2 Personalization ______________________________________________________________ 8 2.3 Privacy Paradox _____________________________________________________________ 9
2.3.2 Explaining the privacy paradox ____________________________________________________ 10 2.3.3 Personalization & Privacy Summary ________________________________________________ 11
2.4 Trust _____________________________________________________________________ 11 2.4.2 Explaining trust in relation to the personalization and privacy paradox ______________________ 12 2.4.3 The three dimensions of trust ______________________________________________________ 14
2.5 Control ___________________________________________________________________ 14 2.5.2 Transparency ___________________________________________________________________ 15 2.5.3 Information Control _____________________________________________________________ 16
2.6 Model ____________________________________________________________________ 18 3. Method ________________________________________________________________ 18
3.2 Methodological approach _____________________________________________________ 19 3.3 Literature review ____________________________________________________________ 20 3.4 Data Selection ______________________________________________________________ 20 3.5 Data Collection _____________________________________________________________ 21
3.5.2 Interviews _____________________________________________________________________ 21 3.5.3 Privacy statement analysis ________________________________________________________ 24
3.6 Data Analysis ______________________________________________________________ 24 3.7 Ethical implications _________________________________________________________ 25 3.8 Quality of research __________________________________________________________ 26 3.9 Limitations ________________________________________________________________ 26
4. Results & Analysis _______________________________________________________ 27 4.2 Interview Participants ________________________________________________________ 27 4.3 Personalization _____________________________________________________________ 28
4.3.2 Channels and Data ______________________________________________________________ 29 4.4 Relevance vs Privacy ________________________________________________________ 30 4.5 Trust _____________________________________________________________________ 32
4.5.2 Ability ________________________________________________________________________ 33 4.5.3 Integrity _______________________________________________________________________ 35 4.5.4 Benevolence ___________________________________________________________________ 36
4.6 Control ___________________________________________________________________ 37 4.6.2 Transparency in personalization ____________________________________________________ 37 4.6.3 Control _______________________________________________________________________ 41
4.7 Summary and table of recommendations _________________________________________ 44
4
5. Discussion and Conclusion ________________________________________________ 45 5.2 Future research _____________________________________________________________ 48
REFERENCES ______________________________________________________________ 49
APPENDICES ______________________________________________________________ 54
5
1. Introduction 1.2 Background “What data is my data?” is a question that is widely discussed today. In a recent scandal by the
US retailer Target, it was discovered that they had analyzed customers’ shopping habits to an
extent where they could determine customer pregnancy. Using this information, Target
personalized messages to fit these customers’ current state and needs (John et al., 2018; Rees,
2013). This was severely questioned, for one of their teenage customers had not yet discovered
her pregnancy and it was disclosed to her father by an alert sent out by the retailer (ibid.).
Many argue that personalization is needed in a modern marketing strategy to capture the
attention of consumers and provide relevant offers (Aguirre et al., 2015; Jung, 2017; Chellappa
& Sin, 2005). However, the example above leads to a discussion on what extent personalization
should be used and the potential downsides of it.
Personalization refers to “a customer-oriented marketing strategy that aims to deliver the right
content to the right person at the right time, to maximize immediate and future business
opportunities” (Tam and Ho 2006, as mentioned in Aguirre et al., 2015: 35). For the company,
personalization offers benefits in terms of increased customer loyalty (Chellappa & Sin, 2005:
181), opportunities to better serve their customers and thus increased customer satisfaction rates
(Aguirre et al. 2015: 36) as well as better effectiveness in gaining the consumers’ attention
(John et al., 2015; Bleier & Eisenbeiss, 2015). According to Cochrane (2018), consumers want
personalized offers that are relevant to their past behavior and future needs. However, he also
acknowledges the trickiness of using consumer data in personalized messaging for the fear of
consumer discomfort. This dilemma describes the personalization paradox, which refers to the
two-sided results of using personalized communication by collecting and analyzing consumer
data (Aguiree et al., 2015: 35). While it can lead to high customer satisfaction rates, it can also
lead to firms being perceived as intrusive and elicit privacy concerns (ibid.).
To protect consumers, the General Data Protection Regulation (GDPR) was implemented in
the European Union on May 25th 2018. This regulation ensures users more control over their
data, and it enables the European Data Protection Authorities (DPAs) to prosecute companies
for data and security breaches with bigger implications, up to 4 percent revenue in fines, instead
of small fines that had only been possible before due to limitations in local regulations (Houser
6
& Gregory Voss, 2018: 7). GDPR requires companies to both reveal what data they are
collecting as well as obtain explicit user consent before personal data can be collected (e.g.
location data, IP addresses) (Tiku, 2018). Furthermore, GDPR requires that the consent must
be explicit and informed and can at any time be revoked (Brandom, 2018).
However, for personalization to be done well and meet the expectations of customers, large
amounts of data must be collected (Cochrane, 2016). According to Accenture Strategy (2017),
48 percent of customers expect personalized offers and 33 percent of customers who left a
business relationship identified lack of personalization as the main reason. While
personalization is expected by customers, an IBM survey from 2018 finds that only 20 percent
completely trust organizations to maintain the privacy of their data and 75 percent say they will
not buy a product from a company if they do not trust the company to protect their data (ibid.).
1.3 Problematization Whether or not a consumer will react positively to personalized communication can be
dependent on many factors. For example, it can be dependent on the ad’s relevance and
consumer expectations about what their data is being used for (John et al., 2018: 64).
Furthermore, it can also be dependent on the degree of trust the consumer holds toward the
company sending out the personalized communication (Bleier and Eisenbeiss, 2015: 396).
Therefore, when a firm pursues a personalization strategy, that aims to optimize consumer data
for personalized communication, the firm must be aware that the data usage for this purpose
may trigger consumer privacy concerns. Furthermore, scandals involving the leak of consumer
data to third parties have been exposed e.g. the Cambridge Analytica scandal involving
Facebook (Granville, 2018) and the 1177-scandal in Sweden (Svt, 2018). The rise of scandals
in turn drives consumer awareness in the areas (GDPR report, 2018).
Consumer privacy is well-explored in the context of digital marketing in academia, however
because of the novelty of online personalization strategies, this area is yet underrepresented in
academia. A large majority of previous research have focused on the consumer side of what
consumers want in terms of personalization and to a certain degree dismissed the company view
and their experiences with personalization toward consumers (Bleier & Eisenbeiss, 2015;
Aguirre et al., 2015; Kokolakis, 2017). Previous studies have given recommendations on how
firms should behave to counteract negative feedback from consumers from the perspective of
consumer expectations. Many have thus disregarded to interact with actual companies to
7
investigate what firms actually do in terms of personalization and privacy. As previously
mentioned, many firms collect consumer data in order to personalize messages to consumers.
The consequences of this marketing strategy have been studied but the evidence has only been
based on consumer expectations. Therefore, we believe there is a need for research that dives
into what firms can do to overcome possible negative consumer reaction from personalization,
from the perspective of the firm. We thus propose the following research question:
How do companies that use personalization strategies work with preventative actions to
minimize the risk for triggering consumer privacy concerns, when creating personalized
communication?
1.4 Purpose and knowledge contribution Today, effective use of customer data across the organization, including marketing, is seen as
a competitive necessity. However, the contrasting views on the effectiveness of personalization
have raised two important questions; is there a connection between personalization and privacy
risks and if so, what preventative actions can be taken by firms to reduce the negative effects
of personalization? (Song et al., 2016: 90). As we will show in the following section, multiple
studies have researched the first question and the majority of them have indicated a relationship.
This study will therefore focus on the second question, as proposed by Song (2016): how can
companies manage the negative effects of personalization? What preventative actions can be
taken by firms to reduce the negative effects of personalization?
The purpose of this study is to gain new insights into personalization strategies from a company
perspective and examine how firms balance the need for personalization while still respecting
consumers’ privacy. Through interviewing company representatives, we will investigate what
they believe to be important when creating personalized communication and how they protect
and respect the privacy of their customers. Thereby we can contribute and complement the
research area of personalization and privacy by providing a new perspective and make it more
comprehensive. Furthermore, our research has managerial implications as it will generate
recommendations on how companies should work with their personalization strategies from the
perspective of benchmarking how other firms’ work with these questions and what they deem
to be important.
8
2. Theoretical Framework In the following chapter we present existing literature and theories that cover different factors
which affect consumers’ perception and reaction to privacy and personalization. Firstly, a
background explaining personalization and the privacy paradox that has emerged from
increased consumer privacy concerns will be introduced. Secondly, we will present two
interrelated factors, namely (1) trust and (2) control that have been recognized to affect the
consumer with regards to their privacy when receiving personalized communication. We will
end the chapter with a model that will visualize our theoretical framework. Additionally, an
extensive literature review has been conducted and from this, an overview describing previous
research findings can be found in Appendix 1.
2.2 Personalization On average, consumers are exposed to more than 5000 ads and brands per day (Jung, 2017:
303). Of these, they only recognize 86 and have an impression of 12. By using personalization,
for example in the form of targeted ads, companies aim to be one of these 12 (ibid.).
Personalization can be defined as “the use of technology and customer information to tailor
electronic commerce interactions between a business and each individual customer” (Chellappa
& Sin, 2005: 184). This implies that firms can track online behaviors of their customers to
personalize their experience in the future. For example, webpages, greeting phrases and search
results can be personalized based on data (Chellappa & Sin, 2005). Some of the tools that are
available today include behavioral retargeting (i.e. ads showing products recently viewed),
content-based targeting (i.e. ads based on what consumers read) and keyword-based targeting
(i.e. ads based on terms entered into search engines). This means that personalization allows
marketers to target consumers with greater efficiency and accuracy (Kim et al., 2019).
In a report presented by Boston Consulting Group, brands that work with personalization can
experience a revenue increase by 6% to 10%, which is two to three times faster than those that
only use mass marketing (BCG, 2017). Furthermore, personalization can improve customers’
response to advertisements and can lead to more attention, positive attitude and increased
purchase intentions (Jung, 2017; John et al., 2018; Song et al., 2016). This is further
emphasized by Taylor et al. (2009) who state that personalization can create consumer
engagement by increasing consumer response. For example, if the consumer perceives an ad
to be useful and it complies with their expectations, responses to the advertisement (click-
9
through rate i.e. number of people that click on the advertisement) increase and so does the
time spent viewing the product and the product revenue (John et al., 2018: 67).
Personalization can also bring value for the consumer if it fits the customer and if it is seen as
convenient i.e. if the consumer sees the relevance for them, personalization is likely to be met
with acceptance (Chellappa & Sin, 2005; John et al., 2018). Personalized recommendations can
also be made to anticipate the needs and wants of customers (ibid.). According to Phelp et al.
(2000) consumers who believe that they benefit from the data disclosure and personalization
tend to be less concerned about privacy. However, despite increased consumer awareness about
personalization, it can still be troublesome if consumers’ personal data ends up in the wrong
actors’ hands. For example, Larsson and Ledendal (2017: 22) bring up the issue of customers’
financial data getting in the hands of companies such as loan providers. If this were to happen,
these companies would be able to target ads toward consumers at a time of vulnerability which
can potentially harm the individual more than actually benefiting them (ibid.).
Lastly, while ad relevance has been argued to improve ad effectiveness, Jung (2017: 305)
claims that it can also have the reverse effect due to privacy concerns. John et al. (2017)
similarly agree that if the ad is perceived to use consumer data in a way that consumers dislike,
the ad can experience a backlash. These concerns can result in negative attitude towards the ad,
decreased purchase intention and increased skepticism and avoidance. Too self-related ads can
make consumers feel uncomfortable and raise awareness over data collection and potential data
misuse (Jung, 2017). Companies should therefore focus their efforts on finding the optimal
level which will lead to increased attention without causing concerns (ibid.). According to a
report by InMoment (2018) 75 percent of consumers found personalization to be “a bit creepy”
and 22% stated that they would end the business relationship if exposed to intrusive
personalization. The report further found that location-based personalization and “hunting”
retargeting is particularly prone to cause feelings of discomfort (ibid.). Location-based
marketing is for example when a customer is near or in one of the company’s stores, the brand’s
app notices their presence and sends out a marketing message or product recommendation
(BCG, 2018).
2.3 Privacy Paradox As mentioned above, personalization can elicit privacy concerns as it makes consumers aware
of data collection and data analysis. Many researchers have therefore investigated
personalization in relation to the privacy paradox (Sutanto et al., 2013; Xu et al., 2011;
10
Bhattacherjee, 2002; Bleier & Eisenbeiss, 2015; Chellappa & Sin, 2005). The privacy paradox
refers to the paradoxical behavior demonstrated by consumers when they state that they feel
uncomfortable disclosing their personal information due to privacy concerns but still do so
(Kobsa, 2007: 636). In the following section, we will therefore discuss theories on decision-
making to illustrate the paradoxical behavior consumers display with regards to privacy.
2.3.2 Explaining the privacy paradox In a recent study, Barth and Jong (2017) conducted a systematic literature review of studies that
examine the privacy paradox in the online environment. They found that most studies used an
underlying assumption in risk-benefit calculation that can be sub-categorized into rational
choice and bounded rationality/non-rational choice.
2.3.2.2 Rational decision making According to the rational choice theory, individuals strive to maximize utility and minimize
risk through rational and logical calculus and thinking. When going online, users engage in a
privacy calculus and weigh the negative consequences (such as information disclosure) against
perceived benefits (such as receiving personalized information) in order to find the best possible
outcome that fits their self-interest (Barth & Jong, 2017; Dinev & Hart: 2006: 62). This implies
that the outcome of this privacy trade-off is what ultimately determines individuals’ behaviors.
Dinev and Hart (2006) for example investigated inconsistencies in consumer behavior that
influence consumers when conducting transactions online. They found that despite existing
privacy concerns, influences of internet trust and personal interest in the internet can outweigh
the concerns (ibid.).
2.3.2.3 Non-rational decision making Barth and Jong (2017) argue that bounded rationality can have an impact on the decision-
making process; they mean that decision-making can only be rational within the limitations of
cognitive ability and available time (ibid.). Bounded rationality refers to the individual’s
tendency to “replace rational decision-making methods with simplified mental models and
heuristics” (Acquisti & Grossklags, 2007: 2). When individuals are faced with too many options
and uncertainties, and they cannot predict their outcome, they are subconsciously biased in their
calculation process. Therefore, the process is not rational because it does not lead to an orderly
analysis of the situation, but is instead based on experience (i.e. formal knowledge or beliefs)
or a confidence in virtue (Barth & Jong, 2017).
11
Simon (1972: 163) describes that rationality can be bounded in three ways. Firstly, in the case
of risk and uncertainties, it cannot be assumed that the agent will have perfect knowledge.
Secondly, rationality can be bounded when the individual has incomplete information about
alternatives and about consequences. Finally, rationality can also be bounded due to
complexities that prevent the actor from calculating the best course of action (ibid.). Acquisti
(2004) describes bounded rationality with regards to privacy as “the inability to calculate and
compare the magnitudes of pay-offs associated with various strategies the individual may
choose in privacy-sensitive situations” (ibid.).
An issue prevalent in the digital economy is information overload, which is particularly related
to user agreements, privacy policies and cookie usage (Larsson, 2017: 45). Acquisti and
Grossklags (2007: 7) describe that despite giving individuals clear information that may help
them overcome problems of information overload, it cannot be ensured that the individual will
use this information that benefits their own interest; they may instead use it in ways that
contradicts the utility maximization theory.
2.3.3 Personalization & Privacy Summary A key challenge for companies is to balance the potential benefits of using personal data with
the privacy concerns that its usage might cause. As mentioned in section 1.4, one important
question within this area of research is whether or not there is a connection between
personalization and privacy concerns. The studies above demonstrate this connection. In the
remainder of the theory section, we will therefore provide theories that can aid in answering
our research question.
2.4 Trust Trust has been identified as an important factor within the research of personalization and the
privacy paradox (Bhattacherjee, 2002; Hoffman et al., 1999; Norberg et al., 2007; Larsson,
2017; Bleier & Eisenbeiss, 2015; Chellappa & Sin, 2005; Lutz & Strathoff, 2011, Milne &
Boza, 1999). According to Bhattacherjee (2002: 213), trust can be defined as “the willingness
of a party [trustor] to be vulnerable to the actions of another party [trustee] based on the
expectation that the other [trustee] will perform a particular action important to the trustor,
irrespective of the ability to monitor or control that other party [trustee]”. This definition can
be applied online where consumers or users are the trustors that give sensitive information to
companies – the trustees. In order for individuals to believe that the behavior of the partner will
be beneficial, they must perceive the partner to be trustworthy (Lutz & Strathoff, 2014).
12
Hoffmann et al. (2016) further state that if an individual trust a company, they may allow a
more carefree reliance on the company. Research has indicated that higher levels of trust is
related to increased willingness to disclose personal information (Schoenbachler & Gordon,
2002; Hoffman et al., 1999; Lutz & Strathoff, 2014; Presthus & Sorum, 2018).
2.4.2 Explaining trust in relation to the personalization and privacy paradox Chellappa and Sin (2005) examined consumers’ user behavior of personalized services and
their willingness to share data. They argue that willingness to share is linked to privacy concerns,
and that privacy concerns in turn are related to trust in a company. Therefore, trust-building
activities can be used to influence consumers’ acceptance of personalization services. Trust is
regarded as important because some level of trust is necessary in order for customers to engage
in transactions. Additionally, it assures them that their data is collected, stored and used in a
safe manner. The authors therefore encourage companies to be mindful of consumers’ privacy
concerns and identify techniques to build trust in order to benefit from their personalization
strategies.
One way to build trust is by enhancing company reputation (e.g., Kim et al., 2004; Teo & Liu,
2007; Hsu et al. 2014; Han, et al., 2015). Earp and Baumer (2003) found that brand name status
influenced consumers’ willingness to provide personal information to well-known companies.
Furthermore, a firm’s reputation can serve as one of the main reasons why one consumer might
prefer personalization from one company and ignoring the other, regardless of whether the
content is identical (Chellappa & Sin, 2005). Familiarity and past experiences with a firm have
been identified as important factors within trust as well as improving brand image as a trust-
building activity (ibid.). Reputation can be a result of members in a community rating the level
of trustworthiness or it can be a result of a company’s promises and fulfillments, which leads
to credibility (Agag & El-Masry, 2017). According to Toms and Taves (2004), a company’s
reputation can be improved by receiving positive ratings through the assessment of a third party,
e.g. a rating website.
Furthermore, the effectiveness of an ad can also be dependent on ad platform trust. Kim et al.
(2019), found that if an ad was displayed on Facebook, users who trust Facebook are more
likely to engage with an ad. Context therefore also serves as an important factor in ad placement.
Aguirre et al. (2015: 42), similarly found that since CNN is perceived to be more trustworthy
13
and credible than Facebook, consumers are more inclined to be vulnerable and accept a
personalized advertisement there.
Another factor that can impact privacy concerns relate to the extent of consumer-specific
information (Nowak & Phelps, 1992; Song et al., 2016). Bleier and Eisenbeiss (2015: 402)
found that if a well trusted company used a moderate amount of personalization, the ad’s
effectiveness increases. On the other hand, if a company that is not well trusted uses the same
technique, the effectiveness decreases. Furthermore, the authors concluded that ads that used a
high amount of personalization should be avoided regardless of trust, as they can elicit privacy
concerns (ibid.). The managerial implications of this study are that companies first should
evaluate consumers’ trust in them before using personalization in their marketing strategy.
In the context of databased marketing, Milne and Boza (1999) conducted a consumer survey to
examine if improving trust and reducing concern leads to an enhanced management of
consumer information. They describe that a company has two strategies they can implement (1)
concern-reducing and (2) trust-building. In concern reducing strategies, firms actively avoid
disclosing their information policy until the last step of the interaction i.e. purchasing. In trust
building strategies, firms actively disclose their policies and use an informative and benefit-
driven communication in order to develop customer relationships. As we will develop on in the
next section, other studies have indicated that transparency minimizes privacy concerns (Phelps
et al., 2000; Kim et al., 2019). Trust-building activities were found to facilitate exchanges and
strengthen relationships, thereby increasing the opportunity of cross-marketing, word of mouth
support and future exchanges (Milne & Boza, 1999).
Furthermore, Lutz and Strathoff (2014) investigated whether privacy concerns lead to more
protective behavior and if trust can counteract privacy concerns. They concluded that trust can
aid in the privacy paradox both on the attitudinal side (concern) and the behavioral side
(protection behavior) of the equation. They also found that trust varies depending on sector and
industry. Banks and governments are perceived as more trustworthy whereas internet
companies and telecom operators suffer from a lack of trust (Lutz & Strathoff, 2014).
Furthermore, Milne and Boza (1999) found that airlines were rated as a low trust industry with
only 8% of the respondents indicating high levels of trust. In comparison, 35% of responded
had a high level of trust for banks, and 16% for insurance companies. Moreover, BCG and DLA
Piper (2018) found that online companies (e.g. social media, search engines, and online
14
retailers), financial companies (e.g. credit card companies and banks) and governments are
perceived as high concern industries whereas these industries collect sensitive data or most
visibly collect consumers’ data. On the other hand, low concern industries that were identified
included airline/hotel, branded manufacturing and car manufacturing. In general, they found
that it is easier for highly trusted companies be granted access to private data (ibid.).
2.4.3 The three dimensions of trust Mayer et al. (1995) present a model of trust where several aspects related to trust are
incorporated. This model was for example also used by Aguirre et al. (2015) in a study related
to personalization. The model first describes characteristics of the trustor (i.e. the consumer)
and secondly it describes the characteristics of the trustee (i.e. the firm). We have chosen to
focus on the latter part of this model as it explains concrete examples of trust-inducing
characteristics of trusted firms. Our research strategy also involves interviewing companies
rather than consumers.
Mayer et al. (1995) describe three dimensions of trust: ability, integrity and benevolence.
Moorman et al. (1992), similarly highlight credibility and benevolence when conceptualizing
trust as do Lutz and Strathoff (2014). The ability of a company enables it to have influence
within its operation. In order for a trustee to be perceived as able, it must demonstrate the
required competence to fulfill what is expected. By adhering to principles and rules, companies
demonstrate integrity, which in turn generate confidence in the trustee behavior and reduce
perception of risk. This is exemplified when an online company ships the products in time and
maintains confidentiality of personal data. However, the rules and principles which guides the
company must also be perceived to be fair and reasonable. Benevolence is related to the extent
a company is believed to go beyond acting in self-interest as well as being helpful. Benevolence
implies personal connection and intrinsic reward and motivation. By doing good to the trustor,
the risk of uncertainty and opportunistic behavior is reduced (Mayer et al., 1995).
2.5 Control An interdependent concept related to trust in the context of personalization and privacy is
control, which can be defined in terms of information control and transparency. These concepts
complement each other as transparency is required in order for consumers to make informed
decisions over their data. Furthermore, studies have shown that giving consumers more control
over their data and not hiding information can lead to more trust (Aguirre et al., 2015; Phelps
et al., 2000; Song et al., 2016; Bleier & Eisenbeiss, 2015; Milne & Boza, 1999).
15
According to Westin (1967, as mentioned in Midha, 2012: 203), lack of control is the
foundation of privacy concerns. Marketing practices that allow little or no information control
therefore is put at a high risk of leading to privacy concerns (Phelps et al., 2000). When the
individual experience violations of their expectations toward companies’ handling of their
personal information, negative emotions may be harvested as a result of them feeling exploited
(Aguirre et al., 2015: 37). In several studies, privacy concerns have been constructed in terms
of information control (Phelps et al., 2000; Aguirre et al., 2015; Van Dyke et al., 2007).
According to Phelps et al. (2000: 29) privacy in relation to marketing practices can be defined
as “the ability to affect the dissemination and use of personal information that is collected
during, or as a result of, marketing transactions, as well as control over unwanted telephone,
mail, or personal intrusions in the consumer’s home”.
2.5.2 Transparency Lutz and Strathoff (2014) encourage firms to engage in dialogue with users to foster trust via
transparency and accessibility. This is also highlighted by Bleier and Eisenbeiss (2015: 403)
who state that firms can reduce consumer privacy concerns through transparency and giving
consumers control. According to research conducted by BCG and DLA Piper (2018),
consumers’ actual concerns, in terms of data usage for marketing purposes, relate to information
access; consumers are requesting more transparency, notifications and permissions when firms
collect and use their personal data (ibid.). Companies should therefore focus on being open and
transparent and develop best practices in order to build trust and go beyond GDPR compliance
(BCG & DLA Piper, 2018). Transparency regarding data collection and analysis can be
disclosed through both personalized communication and privacy statements.
With regards to transparency in personalized communication, Kim et al. (2019) argues that
companies often have weak forms of ad transparency in which consumers actively have to
seek out information. In their study, the authors found that transparency can increase an ad’s
effectiveness if it reflects acceptable information flows. Consumers perceive information
flows to be unacceptable when the information was obtained outside (i.e. by third parties)
instead of within the website on which the ad appears. They also perceive them as
unacceptable when the information used to shape the ad is inferred by the firm rather than
explicitly stated by the consumer. When unacceptable information flows such as cross-
website tracking was revealed, ad effectiveness was reduced. The authors identified privacy
concern as the reason behind these finding (ibid.).
16
With regards to transparency in privacy statements, research finds that consumers rarely read
privacy statements (Milne & Culnan, 2004; Larsson, 2017; Myrstad, 2018; Phelps et al., 2000).
In a recent study conducted by Larsson (2017), they argue that agreements explaining privacy
notions are too long, too numerous and too obscure so users do not read them carefully and
therefore do not know what they are agreeing to (Larsson, 2017:45). For example, the
Norwegian Consumer Council found that reading the terms and conditions of all the apps on
an average smartphone took an average 31 hours and 49 minutes (Myrstad, 2018). BCG and
DLA Piper (2018) offers the suggestion of creating two versions; one longer more detailed and
a shorter version written with the customer in mind. This could for example be in the form of a
data charter. Another suggestion that is given by Oojien and Vrabec (2018) is the usage of icons
as they simplify understanding of information and save time. Providing visuals could for
example aid in making data more understandable and visible and make consumers feel more in
control (ibid.). Nevertheless, the authors emphasize that icons do not qualify as comprehensive
knowledge but only provide information in a generalized and simplistic manner.
While many studies have identified benefits with transparency, Knijnenburg and Kobsa (2013:
19) found that when firms disclose their justification for data collection, consumers are not
more willing to disclose personal information. Examples of justifications include reasons for
requesting the information, the benefits of disclosure and appealing to the social norm.
Consumers perceive the information to be valuable but their trust and satisfaction decreases.
The justification can be perceived as a warning sign and thereby leads to inhibition rather than
encouragement. Kim et al. (2019) similarly acknowledges the potential issues of transparency.
When consumers learn about marketing practices they might become more aware of privacy
threats. Furthermore, if a consumer finds that they have received a certain ad because of a
demographic category, it can make the consumer feel reduced to a single membership category
(Kim et al., 2019: 919). This is because it may feel like a threat to one’s identity (ibid.).
2.5.3 Information Control Giving control to users is another means that has been identified as a way to build trust and
thereby benefit firms (Kobsa, 2007; John et al., 2018; Midha, 2012). A survey presented by
Roy Morgan Research (as mentioned in Kobsa, 2007: 639) found that 59 percent were likely to
trust organization if it gave them more control over how their personal information was used.
A study by Phelps et al. (2000), showed that giving consumers more control, for example by
17
providing opt-out opportunities, does not only lead to minimize privacy concerns but a greater
acceptance of and interest in marketing offers because the consumer played a part in initiating
it. John et al. (2018) also found that ad performance increases if consumers are given a greater
say over what happens to the information they have shared. John et al. (2018) further argue that
all firms ought to try traditional data collection first i.e. giving consumers an opportunity to
state their preferences instead of only tracking them.
Additionally, Midha (2012) found that when consumers are perceived to be in control, they are
more inclined to engage in risk-taking behavior and will therefore be less aware of privacy risks
(ibid.). Following these findings, it is suggested that firms should initiate policies in which
control over decision related to private information should be delegated to consumers. These
policies should also be communicated to consumers but not in the traditional language typically
used in privacy statements as it does not engender trust but rather requires it. Instead the
wording should signal a sense of control on the part of the consumer and thereby indicate
trustworthiness and reduce the feeling of vulnerability (ibid.).
On a final note, an interesting aspect to look at, with regards to consumer control of their
personal data online, are take-it-or-leave-it scenarios. Preibusch (2005: 526) describes that
companies often apply a “take-it-or-leave-it” principle with their data collection practices.
While this implies that the user gets a choice whether to accept or reject a privacy policy that a
company has established, it generally does not give the user a choice to reject the offer in case
they want to use the service. Thus, the company does not intend a negotiation process and the
individual may either take it or leave it (ibid.). This can refer to websites or apps that are made
unavailable to European customers after the introduction of GDPR unless they comply with the
sites’ privacy policies i.e. presenting the customer with a take-it-or-leave-it scenario. When
customers do not have a choice whether or not to disclose personal information, the user must
depend on the benevolence and competence of a company to protect their information
responsibly. Otherwise, they may feel a perceived loss of control if their information is used in
a way they did not consent to (Taylor et al., 2009: 8). Whilst GDPR intends to protect the
customer against scenarios whereas consent is not freely given, it has been proved to not
explicitly prohibit take-it-or-leave-it choices (Zuiderveen Borgesius et al., 2017: 9). However,
in comparison to previous data regulation in Europe, it offers stricter conditions under which
consent is “freely given” (ibid.).
18
2.6 Model Following the results of their respective studies, researchers have recommended firms to focus
on balancing the need for being personal but not too intrusive. Furthermore, we conclude that
trust and control can alleviate privacy concerns related to personalization. In the studies
presented above, evidence indicates a connection between trust and control. When firms engage
in initiatives that builds trust and fosters control, consumers experience reduced privacy
concerns. Following the decrease of privacy concerns, a firm’s personalization strategy is
revealed more effective and thus firms’ can counteract negative consumer response to their
personalized communication. We have therefore used these concepts to develop a theoretical
model to visualize this connection.
Model 1. The relationship between trust and control to reduce consumer privacy concerns and enhance a firm’s personalization strategy
3. Method In the following chapter we will outline the methodological approach that has been pursued to
investigate the research problem. The methodology section describes a three-step approach
that has been applied to investigate our research problem. Firstly, a research design has been
developed to thoroughly observe the problem from our given scientific perspective and has
guided our data collection methods. Secondly, thematic analysis laid ground as our means to
analyze the collected data. Finally, the analysis served as a foundation for solving our
presented research problem.
Ability
Benevolence
Integrity
Transparency
Information Control
Reduced consumer privacy concerns
Control Trust
Effective personalization strategy
19
3.2 Methodological approach This thesis aims to investigate how firms balance the need for personalization while respecting
consumer privacy in their personalization strategies. As mentioned earlier, there is limited
research that focuses on the firm’s perspective. To research this problem setting, we have
applied a qualitative multiple-case study design. By doing this, we have been able to compare
and contrast different cases, allowing us to find unique and common features in the area, and
thus helping us to contribute to theory building (Bryman & Bell, 2011: 63). This approach is
deemed appropriate when the researcher aims to produce a wide in-depth description of the
social world, as well as when the research question is a ‘why’ or ‘how’ question (Yin, 2009:
chapter 1). When the purpose is to create a deeper understanding of how concepts should be
perceived and discussed, alike the purpose of our study, Ghauri and Grønhaug (2010) suggests
a qualitative research design.
Furthermore, different methods are associated with different types of assumptions of the world
and what type of knowledge can be produced. Our epistemological standing has therefore been
of interpretivist, which “requires the social scientist to grasp the subjective meaning of social
action” (Bryman, 2012: 712), and is usually related to a qualitative research design. Our
ontological standing has been that of constructivist as we consider that “social phenomena and
their meanings are continually being accomplished by social actors” and are thereby in constant
state of revision” (Bryman, 2012: 33). The qualitative approach and its implicit assumptions
about the social world suit our study as it allows us to research preventative actions that the
firm can engage in to minimize consumer privacy concerns, from the lens of those responsible
for setting the direction of how consumer data should be used in personalized communication.
To understand and draw conclusions from the interviewed persons’ viewpoints, our own
interpretations will thus be essential in order to conduct the research. Moreover, the study
deems to generate theoretical ideas from data, thereby following the logic of inductive
reasoning. However, we also follow an iterative logic, meaning that elements of deductive
reasoning may occur in the course of the research as our theories will be used to help us interpret
the results. This implies that we have gone back and forth between data and theory, depending
on the findings of the data analysis (Bryman, 2012: 26), also known as abductive reasoning.
As mentioned, we have not been able to identify a previous academic study focused on the
perspective of the firm. Therefore, our study is characterized by an exploratory multiple-case
study, meaning that its purpose is to map out relevant themes that can help understand the
20
research area, as well as give recommendations for future research (Bryman & Bell 2011:62).
Our research is therefore of a broader nature as we have interviewed representatives from
different companies and industries and used an encompassing definition of personalization,
rather than for example focusing on one channel. In section 5.2, we will present suggestions on
narrower future research subjects based on our initial findings.
3.3 Literature review We have examined previous literature on the subject as a means to fully understand the area
that we research. As interpretivists, we viewed the literature review as a means of gaining an
initial impression of a topic (Bryman & Bell, 2011: 104). In order to so, we have looked
scientific articles published in legitimate journals and statistical reports and newspapers from
respectable institutions. As we intend to enrich human discourse through generating knowledge
and not solely accumulating knowledge, we have conducted a narrative literature review
(Bryman & Bell, 2011: 101). This approach is more suitable for qualitative research, with a
research design based on interpretive epistemology alike ours, as it allows us to modify the
boundaries of the study as we go along (ibid.).
3.4 Data Selection The cases consist of firms within five industries: airline, retail, automotive, healthcare and
banking and insurance. Common for all companies within the industries are its market position
whereas the chosen firms are all among the biggest players within their industries. Being the
biggest players, they are well-known in their industries and among consumers. As previously
discussed, brand name status can influence consumers’ willingness to provide personal
information to well-known companies (Earp & Baumer, 2003). Therefore, the cases can be
presumed to have access to a considerable amount of consumer data that can be used for
personalization. Reputation can also play a large role in whether consumers accept personalized
content from a firm or not (Chellappa & Sin, 2005). The cases have a stable and trusted
reputation within their given industry. Moreover, as they are well-known, they have larger
consumer expectations on them to provide more relevant and personalized communication from
their customers (John et al., 2018: 64). They can, therefore, also be assumed to have more to
lose on doing something wrong. The cases have thus been selected on the basis on their market
leading position, regardless of their given industry, as they are believed to have a larger access
to consumer data, higher consumer expectations on them to provide relevant and personalized
communication, and therefore they need to work with preventative actions to ensure that
consumers are satisfied. Lastly, we have chosen cases that operate on the European market as
21
they are affected by the recent implementation of GDPR that regulates how firms can handle
consumer data and what data can be used for personalization; we can thus assume that all cases,
regardless of their industries, are working in accordance to the same rules and regulations.
As mentioned, the cases operate in different industries. We have chosen this approach because
consumer trust and privacy concerns can differ in industries depending on what type of data is
collected. We have previously discussed differences in consumer trust depending on the
industry that firms operate in and the implications it has on consumer data collection (see
section 2.4.2). For our study it was therefore interesting to see if results will differ depending
on the cases’ industry.
Again, an overwhelming majority of the studies have used a quantitative method with surveys.
As mentioned, many of them have also focused on consumers instead of companies. We
therefore also find relevance for our study. Current recommendations provided by previous
literature are based on consumer expectations. However, following the logic of the privacy
paradox, consumers display a paradoxical mindset with regards to privacy and their wants in
terms of personalization and may therefore not be entirely true to reality. By using a qualitative
method with company interviews, we may be able to provide a new perspective on the research
area.
3.5 Data Collection 3.5.2 Interviews To access the perspectives of the interviewees, we have chosen semi-structured interviews as
our means to collect empirical data (Bryman, 2012: 471). Semi-structured interviews are
deemed beneficial in a multiple-case study as it ensures cross-case compatibility by improving
the structure (Bryman, 2012: 472). Criticism toward semi-structured interviews implies that it
does not lead to generalizable results however it does provide insightful and in-depth answers
to the investigated topics (ibid.). To conduct semi-structured interviews, we have created an
interview guide. Semi-structured interviews are known to be more ‘flexible’ and whilst the
researcher has a list of fairly specific topics, the interviewee has a great deal of leeway in how
to reply, the researcher may also freely ask follow-up questions that are not part of the interview
guide (Bryman & Bell, 2011: 467).
22
In our study, we have identified two main drivers that drive an effective personalization strategy,
namely trust and control, as presented in our theoretical model. To understand the social world
of our interview participants, we have first asked them to broadly describe how they work with
personalization. To do this, we have included four questions directly related to personalization,
which the interviews begin with. For example, we have asked if there is any channel or type of
data that they prefer to use, and what they think is important when creating personalized content.
Following their answers, we have asked clarifying questions to get the most accurate
understanding of how they view the social world. Additionally, we have included follow-up
questions in the interview guide, which has been used to keep the interview focused on the
topic.
After letting the interview participant describe how they work with personalization, we have
prompted them further to discuss the identified themes from our theoretical model. As previous
literature has highlighted the connection between privacy and trust, we initially did not ask the
interview participants any explicit questions related to trust but rather we asked them how they
consider privacy concerns. We did so because we wanted to see if the interview participants
would make the connection between privacy and trust themselves and thereby explicitly
highlight trust in the discussion. If it was not highlighted by the interview participant, we asked
how they induce trust as a company, both in general and related to data disclosure. The reason
why we also asked a broad and general question about trust is because we wanted to identify
patterns and implicit answers with regards ability, integrity and benevolence. In terms of control,
we initially asked how GDPR had affected their personalization strategy to see how they ensure
compliance, as well as to get their opinion on transparency and information control. As
previously described, we have operationalized transparency in two ways: personalized
communication and privacy statements. In our follow-up questions, we therefore included
questions concerning both transparency in personalization and in privacy statements.
We interviewed 12 representatives from 7 companies. Find an interview chart describing
interview length, location and date below. The interview guide can be found in Appendix 2.
23
Industry Title Date Interview length
Interview location
Airline A Omnichannel Marketing & Personalization Manager
3 april 2019 45 min Skype
Airline A CRM Manager 26 april 2019 30 min Skype
Airline B Business Developer 17 april 2019 40 min Skype
Airline B Omni-channel Analyst 17 april 2019 40 min Skype
Retail A Digital Marketing Specialist 9 april 2019 30 min Skype
Retail A e-CRM Manager 17 april 2019 45 min Skype
Bank & Insurance A CRM Manager 9 april 2019 45 min Face to Face
Bank & Insurance B CRM Manager 12 april 2019 45 min Face to Face
Bank & Insurance B Marketing Digital Channels 2 may 2019 30 min Skype
Healthcare CRM Manager 17 april 2019 40 min Face to Face
Healthcare VP Growth 26 april 2019 30 min Face to Face
Automotive CRM Manager 8 april 2019 45 min Face to Face
Table 1. Interview chart
The sampling strategy that we applied is purposive sampling, meaning that we have chosen the
interviewed participants in a strategic way so that they are relevant to understanding the social
phenomenon (Bryman & Bell, 2011: 442). Therefore, we have interviewed one manager with
strategic responsibility over personalization and one employee who works hands-on with
personalization in the same company. As the managers set the strategic agenda for how to work
with personalization, we believe they are the right target group to interview for this study.
However, as managers are generally responsible for visioning, we may hear about their intended
strategies regarding personalization rather than what they are currently doing in the field, which
will potentially skew our research results. Yin (2009: 102) highlights the difficulties with
conducting interviews as it implies certain risk such as for example response bias and reflexivity
i.e. the interviewee adjusting the answer according to what they think is the desirable answer.
To circumvent idealized views on what the firm is currently doing in terms of personalization
and to get a holistic view of what they are currently doing in terms of personalization, we have
invited an employee who work hands-on with personalization. This strengthens the reliability
of the answers that we receive during our interviews. However, in two instances we have only
24
interviewed one representative from a company since he or she worked both strategically and
hands-on.
To investigate how firms balance the need for personalization while respecting consumers
privacy in their personalization strategies, we must meet those who (1) collect, store and
analyze consumer data, and (2) create personalized communication toward consumers. We
have therefore chosen interview participants that work in the areas of digital marketing, CRM
or omni-channel. People within these areas were chosen because they generally fulfill these
criteria. Furthermore, we have paid attention to the variety in the resulting sample so that the
interview participants differ from one another in terms of key characteristics, as suggested with
purposive sampling (Bryman & Bell, 2011: 442). Examples of key differences of our interview
participants that we considered include:
● 59% male, 41% female
● 59% managers working with personalization strategy, 41% working hands-on* *Unrelated to gender differences
3.5.3 Privacy statement analysis From the literature review, we have identified that individuals do not read privacy statements
because they are too long and complicated. Furthermore, as highlighted by findings from
previous literature, transparency can circumvent privacy concerns. Therefore, we ask the
interview participants how they work with transparency. As a complement, as well as to cross-
check the answers we receive during the interviews, we have read the firms’ privacy statements.
We have chosen this type of data collection because although some of the interview participants
may have relevant knowledge in this area, it is seldom a part of their job description. The
information gathered through reading privacy statements have been used as a complement
together with the answers received from interview participants in the analysis. An overview of
the interviewed firms’ privacy statements can be found in Appendix 3.
3.6 Data Analysis We have used thematic analysis when interpreting and analyzing our data. This method is
suitable for our study as it involves identifying themes and patterns from interviews, such as
repetitions, indigenous typologies, metaphors and analogies transitions, similarities and
differences, linguistic connectors, missing data and theory-related material (Bryman 2012: 580).
As mentioned we have had an abductive approach and have therefore partly strived to identify
new themes and patterns but also drawing connections between our theory and our findings.
25
With regards to thematic analysis, an inductive approach involves a process of coding without
trying to fit it into a pre-existing coding frame. A theoretical thematic analysis, means that the
analysis is driven by a theoretical or analytical interest in the area (Braun & Clarke 2006). Our
approach to thematic analysis has been theoretical as our pre-existing coding frame has been
influenced by our theoretical framework.
We have used Braun and Clarke’s (2006) practical six-step approach to thematic analysis as it
has given us a flexible yet structured approach to data analysis. During the first step we have
familiarized ourselves with the data by transcribing it. During the second step we have created
initial codes, which are according to Boyatziz (1998, as mentioned in Braun & Clarke 2006:
18) “the most basic segment, or element, of the raw data or information that can be assessed in
a meaningful way regarding the phenomenon”. These codes were then sorted into different
potential themes in the third step. During step two and three we have used our coding frame.
During the fourth step we have reviewed the themes and during the fifth step we have defined
and named the themes and provided a detailed analysis of each themes and determining their
story. In the final step we have contextualized the analysis according to theory and chosen
extracts based on the ground that they provide sufficient evidence of themes and that they are
interesting without being too complicated. We have also highlighted the new themes that we
could identify that had previously not been acknowledged in our theory.
3.7 Ethical implications We have strived to protect interview participants’ right to privacy, dignity and well-being i.e.
we considered the issues of confidentiality and anonymity. Therefore, in this paper, we have
not referred to interviewees by name or company. Instead we have referred to industries in
which the firms operate in, as well as their size, when describing the firm. In this study, we
have followed the classic assumption that individuals desire anonymity and therefore all
interviewees have been informed of their anonymity in the study upon the first initial contact.
We have opted for individual anonymity for both legal requirements and considerations of
potential harm for the individual in the aftermath of the publication of our study. Furthermore,
all interviewees have been informed about recordings of interviews in advance and we have
asked for explicit consent from the interviewee before recording.
In this study, we have strived to receive informed consent from all interviewees. We have
informed all interviewees of all relevant information for the study for them to give their consent
26
on participation. However, Bryman and Bell (2011: 133) point out the extreme difficulties with
presenting all relevant information to prospective interviewees. Furthermore, Bryman and Bell
(2011: 133) highlights that disclosing too much information may contaminate the interviewees’
answers. While interviewees have been informed about the general themes of the study and the
upcoming interview, the interview questions per se have not been disclosed before the actual
interview. However, in an attempt to present the interview participants with all relevant
information, before committing to participating in an interview, we have given all participants
the opportunity for a 10-15-minute phone call with us to ask more clarifying questions about
the study.
3.8 Quality of research There are several different ways in which one can assess the quality of research. We have used
the method of Lincoln and Guba (as mentioned in Bryman & Bell, 2011: 395), as they present
a similar view on research and provide specific concepts for qualitative research: credibility,
transferability, dependability and conformability. In terms of transferability we have provided
thick descriptions of how companies work with personalization and thereby opened up the
opportunity to transfer the findings the to other contexts. Throughout the research process, we
have kept records of all phases. We therefore adopt an ‘auditing’ approach, as proposed by
Guba and Lincoln (as mentioned in Bryman & Bell, 2011: 398). This strengthens the
dependability of our research. Furthermore, to ensure that we act out of good practice, we have
offered the possibility to all interview participants to review and approve our transcripts. We
have also submitted the research findings to the interview participants for confirmation to
ensure that we have understood their social world correctly. In this way we can ensure
credibility in our research (Bryman & Bell, 2011: 396). Although qualitative research has been
criticized for letting values intervene in the research (Bryman & Bell 2011:30) we have strived
to guarantee conformability by only interviewing companies which we have no personal
relation to. Additionally, we have used the same interview guide in all of our interviews and
ensured that all main themes were covered in all interviews. Lastly, we have used Braun and
Clarke’s (2006) regarded approach to thematic analysis, which gave us a more structured
approach to data analysis and thereby minimized the risk for subjective influence.
3.9 Limitations Dyer and Wilkins (1991, as mentioned in Bryman & Bell, 2011: 67) are critical of the merits
of multiple-case study research. They mean that it can lead to the researcher paying less
attention to the specific context and more to the ways in which they can be contrasted (ibid.).
27
However, in our analysis as well as our list of recommendations (see in section 4.7) we have
presented general advises that can be generalized across industries.
With regards to the quality assessment of the research, we have identified some drawbacks in
our research. Although we do not have any personal relations with the interviewed companies,
the cases are well-known and therefore we may be subjected to unconscious bias and
predisposed opinions. We can therefore not ensure 100 percent conformability. Furthermore,
although some of our findings are recognized across industries, some are more specific and
may therefore not be applicable in other context, which decreases the transferability. With
regards to credibility, we have not heard back from all interviewed participants and can
therefore not ensure that they have read the sent material.
Although we cross-checked the answers we receive during the interviews with the firms’
privacy statements, a more thorough analysis would need to be performed in order to produce
a more trustworthy result. Additionally, we would also have to look at transparency in other
channels such as terms and conditions for email subscription. However, that would make the
study too extensive and we have therefore chosen to focus our data selection on the interviews.
4. Results & Analysis In this section we will present the themes that we extracted from the empirical data by using
the six-step approach to thematic analysis as presented by Braun and Clarke (2006). Firstly,
using an initial coding frame, as well as codes that were found during the familiarization process,
we have identified themes related to our theoretical model, namely trust (ability, integrity,
benevolence) and control (transparency and information control). Additionally, a new theme
related to relevance will be introduced. We have also discussed in more general terms how the
interviewed companies work with personalization.
4.2 Interview Participants As earlier described, we will only reveal industry and the interview participants’ title. We do
this due to ethical considerations and we will keep all other information that could potentially
be used to identify the participants to a minimum. We will refer to them as IP (‘interview
participant’) 1-12 throughout the analysis.
28
IP 1: Airline A: Omnichannel Marketing & Personalization Manager
IP 2: Airline A: CRM manager
IP 3: Airline B: Business Developer
IP 4: Airline B: Omni-channel Analyst
IP 5: Retail: Digital Marketing Specialist
IP 6: Retail: e-CRM Manager
IP 7: Bank & Insurance A: CRM Manager
IP 8: Bank & Insurance B: CRM Manager
IP 9: Banks & Insurance B: Marketing Digital Channels
IP 10: Healthcare: CRM Manager
IP 11: Healthcare: VP Growth
IP12: Automotive: CRM Manager
4.3 Personalization All of the IPs emphasized the importance of being personal and relevant towards their
customers. For example, IP 7 stated that the shift is moving more towards personalization and
that it is their overall goal that everything should be personalized. Moreover, IP 3 said that they
have seen a financial uplift since they started with personalization and according to IP 6 and 7
when they have personalized content in their emails the click-through rate is much higher.
Although all IPs acknowledged the potential for personalization to become intrusive and raise
privacy concerns, they overall felt comfortable with their strategy and had not received any
negative feedback from customers in that regard. For example, IP 7 said that “we do not feel
like our customers in any way feel that we have gone too far. Rather our customers expect us
to be personal and that is something they request”. Following this, IP 1, 3, 4, 7 and 9 also
pointed to the fact that they are also customers and therefore they often ask themselves if they
would have thought that a certain communication would be taking it too far. IP 1 also stated
that they discuss the “creepiness factor” internally when planning marketing and campaign
activities. All IPs did not believe that the kind of personalization they are doing is too intrusive
or creepy. Furthermore, several of the IPs acknowledged that there is a discussion regarding
privacy in relation to personalization, especially in Europe since the implementation of GDPR.
The discussion is more focused on integrity and privacy rather than the benefits of
personalization. All IPs state that GDPR has increased consumer awareness and made them
29
more observant and aware of what type of data that companies have and what companies are
capable of in terms of data.
4.3.2 Channels and Data The channel that the firms use for personalization is mainly email but also website, app, mobile
texts and advertisement. However, there are some differences along industries as banking and
insurance and healthcare consider it to be safer to be personal when a customer is logged in, for
example via mobile bank ID. One of the recommendations provided by Siau and Shen (2003)
to minimize privacy concern is exactly this, namely that firms should focus on strengthening
security controls (i.e. authorization functionality and transaction signatures). IP 10 also said
that they do not use tracking on their website as it would be too intrusive to look at what their
customers look at; searching for medical conditions is more sensitive than browsing for
sneakers. IP 12 on the other hand said that they would never collect data by listening to their
customers via an app: “It can be effective but I think that there’s this level of invasiveness that
people don’t like, because you don’t know that it’s happening”. However, overall the IPs use
the most common channels mentioned in the beginning, although they are careful of where they
place their ads (see section 4.5.2).
Additionally, IP 10 said that even using personalization to a very low degree, e.g. name, in
context with non-personal but sensitive information can lead to consumers feeling
uncomfortable. If they used a name when advertising a campaign related to a sensitive medical
condition, the customer might think that the company has collected data about them if the
condition correlates with their health, even though they have not. Jung (2017) for example
argues that too self-related ads can make consumers feel uncomfortable and raise awareness
over data collection and potential data misuse. IP 11 further states that personalization can
become intrusive when customers get the feeling that you have too much information about
them, especially related to sensitive areas. Overall these findings correlate with John et al. (2018)
recommendations that when it comes to dealing with sensitive data in personalized marketing,
firms should stay away from it altogether.
Furthermore, some of the IPs highlighted that they would not collect and use data from certain
channels. For example, IP 6 and 7 highlighted the issue of personalization based on location-
based data. As exemplified by IP 6:
30
“We would never for example say ‘a boutique 200m from you is having an offer on a dress
why don’t you go over there’. From my point of view, that is too intimidating.”
IP 7 said that even though they know where their customers live, based on their transactions,
they wouldn’t use specific cities in their communication. This follows the findings of InMoment
(2018) that found that many consumers find it creepy when firms use location-based
personalization. Furthermore, IP 7 argues that one way to protect consumer privacy is by using
tags. This means that instead of focusing on a specific value, e.g. a consumer lives in Stockholm,
you use a tag like ‘he or she lives in a big city’ or instead of focusing on the exact number on a
bank account you can grade it on a scale. In order to get an accurate view on a customer you
use 7-8 tags, which prevents stereotyping and eventually leads to the customer becoming ‘an
individual’, without having to use exact numbers or data to get there. In IP 7’s opinion, this is
less invasive for an individual’s integrity.
4.4 Relevance vs Privacy The main point of personalization is to be more relevant and speak to individuals’ wants and
needs. According to Chellappa and Sin (2005) and John et al. (2018), personalization is more
likely to be accepted if the consumer believes it to be relevant and convenient. Phelp et al. (2000)
further found that consumers who believe that they benefit from personalization tend to be less
concerned about privacy. Our interviews showed that all the IPs believe that customers want to
have personalized communication and they want it to be relevant. As quoted by IP 2: “It’s the
saying ‘the right message and content at the right time to the right people’". Similarly, IP 9 and
12 stresses that it is not only the relevance of content but also the right channel for individual
consumers should be considered. IP 8 says that relevant offers and communication leads to
satisfied and happy consumers who buy more and stay longer.
All IPs also highlighted that when personalized communication is not relevant for the customer,
then it becomes irritating. IP 7 and 12 said that the alternative to personalization is spamming,
which does not lead to a positive customer experience. IP 5 also stated that “too general
communication will lead to irrelevant content for the majority”.
Another finding from our interviews is related to categorization. Both IP 1 and 7 agreed that
firms should avoid categorizing customers too much. As IP 1 phrased it: “the creepiness factor
can be triggered if people feel like we are putting them into boxes”. According to IP 1 and 7
31
customers can feel insulted when communication and offers is based on stereotypical qualities,
e.g. a male receiving beer advertisement based on their gender. IP 1 therefore refrains from
using gender in their communication and, as mentioned, IP 7 has their technique of tagging.
The same phenomenon was presented in the literature review, Kim et al. (2019: 919) found that
stereotyping can make consumers feel reduced to a single membership category and feel like a
big part of a demographic category instead of an individual.
Another part of relevance that was highlighted during the interviews is irritating and hunting
communication related to retargeting (i.e. ads showing products recently viewed). For example,
IP 1 and 4 exemplified that they avoid advertising trips that you have recently bought.
Furthermore, IP 2, 3, 6 and 7 mentioned the annoyance for customers when you have bought
or searched for something online and afterwards your browser is filled with retargeting
advertisements. They described it as ‘hunting’ which was both annoying for the customer and
may spoil surprises (e.g. when searching for gifts for someone else) which may elicit negative
feelings for the customer. Besides the annoyance, IP 3 also mentioned the negative impact on
the brand when a customer has bought something for full price and afterward receives a
discounted price for the same product. To circumvent this from happening, IP 7 stated:
“Instead we connect the data so that we know if the customer has bought the product. For
example, if you have browsed our website for cards you will not receive ads for cards because
maybe you were browsing to look something up. The most important thing is that we know the
customer and that it is relevant for the customer.”
Nevertheless, although it is important to the IPs that they are not perceived as intrusive they
still believe that relevant personalization to a certain degree is good for both the customer and
the company. We therefore find that an essential way that firms can prevent privacy concerns
is to create as relevant content as possible. For example, IP 6 stated “It’s at least my feeling
that customers would rather be met with relevant content than us being too concerned about
what we can show them based on if it’s too private”. One way to interpret the finding is that
companies believe that for customers, relevance is more important than privacy. IP 12
demonstrates this by saying: “So, we kind of do the active choice to give away our data (...) We
choose quick access over, I guess, security”. As mentioned, rational choice theory describes
how individuals weigh the negative consequences (privacy infringement) against perceived
benefits (relevant information) in order to find the best possible outcome that fits their self-
32
interest (Barth & Jong, 2017). While all of the IPs claimed that they value privacy and want to
ensure that their customers’ integrity is respected, they believe that customers will not feel
uncomfortable as long as their personalized communication is relevant and not too striking.
Furthermore, as long as the customers have given their consent, they expect and want to receive
personalized information. Nevertheless, rational choice theory postulates individuals as rational
agents when calculating risks and benefits (Barth & Jong, 2017). Bounded rationality, on the
other hand, claims that individuals can never truly make rational decisions since they are
subconsciously biased in their calculation process (ibid.). One issue that is particularly related
to user agreements, privacy policies and cookie usage is information overload (Larsson, 2017:
45). In section 4.6.3 we will develop more on this.
4.5 Trust In our literature review and theoretical framework, trust was identified as one of the main
factors that could minimize privacy concerns when using personalization. Whereas, IP 7, 8, 10
and 11 working within banking, insurance and healthcare did put a strong emphasis on it due
to the nature of their industry, many of the others did not put much explicit emphasis on the
topic. Furthermore, it is to be noted that few of the IPs mentioned trust before we asked about
it. Thus, contrary to our anticipation, trust was rarely explicitly highlighted in our interviews.
We believe that it may be because of the following:
1. All firms are well-known within their given industries and thus indicates good
reputation. The majority of IPs mentioned that many people know their brand and
that their customers exhibit high levels of trust toward them, as quoted by IP 1: “as
long as we are not doing anything wrong with the data people are not concerned
with how we treat them, I think. But one moment you do something wrong and you
will be very concerned about it.”
2. Trust is inherently implicit. Many indicated that trust was important when talking
about examples of ability, benevolence and integrity, without explicitly mentioning
trust.
Moreover, among the IPs, only IP 10 made an explicit connection between personalization and
trust, as quoted:
33
“It depends on where a customer is in a customer journey and then maybe the level of trust
they have towards a company. If you have a lot of data about a customer maybe you shouldn’t
use that in the beginning until you have developed trust.”
This correlates to Bleier and Eisenbeiss’ (2015) recommendation that companies should first
evaluate consumers’ trust in them before being too personal or detailed in their communication.
4.5.2 Ability Some of the main themes we could identify in terms of ability are safety, reputation and
relevancy (i.e. delivering relevant content).
In terms of safety, IP 8 and 10 agreed that to be perceived as a trusted provider, maintaining
safety is big. Furthermore, IP 10 had a focus on “being perceived as a serious company” and
that the communication on the webpage and app was created with a focus on always conveying
seriousness. As mentioned, Wu et al. (2012) encourage companies to reinforce their website
design to make it look more credible in order to reduce privacy concerns. Furthermore, banks
and governments are among the most trusted industries (Agag & El-Masry, 2017) and as IP 8
works in bank and IP 10 works in healthcare, it may therefore be a bigger focus on maintaining
safety and “live up to the expectation”, as quoted by IP 10. On the other hand, IP 6 stated that
banks are generally not trusted, correlating to a finding by BCG and DIA paper (2018), and
thereby they have to put an extra focus on building trust. IP 8 also presents the issue of
safeguarding against deception and hacker attacks and says that it is very important to them that
they can protect their customers and thereby be perceived as a trustworthy provider. IP 11
highlighted the importance of them actually giving high-quality advice and taking care of the
customers in order to build trust.
IP 12 mentioned the ‘power of the brand’ and that for example consumers trust well-established
brands that they will maintain their data in a safe manner. They further highlighted the
difficulties with new less-established brands and exemplified that they may need to partner up
with more established brands to make them known. This can be exemplified by our interviewed
firm operating in healthcare that started digital; they have collaborated with trusted third parties
and use industry certificate logos on their website to communicate trust. This type of situation
is also exemplified in our literature review where Toms and Taves (2004) claim that a
34
company’s reputation can be improved by receiving positive ratings through the assessment of
a third party (Agag & El-Masry, 2017).
Another factor that was brought up by IP 6, 8 and 12 was that being trusted is not static but
once you do something bad, then the firm’s reputation can deteriorate and ensuring good
associations with the brand seemed to be of utmost importance to all IPs. For example, IP 4
mentioned that they have “50 000 websites where we have said that we don’t want to pop up”.
As a reason for this, IP 8 said that it is because it can damage the brand image. All IPs agreed
that they did not want to be associated with web pages containing spam content and adult
themes. Furthermore, IP 7 mentioned that they did not want to be associated with some social
media sites as they did not agree on their way of selling data. This was contrary to the views of
IP 2 whom believed that social media was an important part of the personalization strategy in
their firm. IP 3 further highlighted that they did not want to be associated with web pages
containing “fake news”. These findings can be connected to studies by Aguirre et al. (2015)
and Kim et al. (2019) in which ad context was highlighted as important. Aguirre et al. (2015),
for example found that since CNN is perceived to be more trustworthy and credible than
Facebook, consumers are more inclined to be vulnerable and accept a personalized
advertisement there than on Facebook. All IPs thus mention different focus areas and reasons
for not wanting to be associated with different type of sites, this may be because of (1) personal
opinions of the people working in the team and/or (2) industry-specific reasons. However,
common for all IP, it is important to maintain a close eye on the channels they use to convey
their messages in order to ensure a strong brand image.
As mentioned, company reputation has been identified as an important factor related to trust
(Kim et al., 2004; Teo & Liu, 2007; Hsu et al., 2014; Han et al., 2015). Reputation can also be
considered a result of a company’s promises and fulfillments, which in turn leads to credibility
(Agag & El-Masry, 2017). Our findings can furthermore be positively connected to reputation
and more specifically to one of the recommendations provided by Chellappa and Sin (2005)
whom state that one way firms can affect consumers’ privacy concerns is through improving
their brand image. The authors further state that reputation can serve as one of the main reasons
why one consumer might prefer personalization from one company and ignoring the other,
regardless of whether the content is identical. An industry specific example is presented by IP
8 as their ability is not shown until “the moment of truth”, when a customer actually needs to
35
use their insurance. In order for them to be perceived as able is that they have to be quick when
damage occurs, and also ensure that they have a reputation of being serious and trustworthy.
In terms of relevance, pressure is put on firms to actually deliver relevant communication, as
requested by customers when they give their consent. According to IP 3, 5 and 6 customers
have contacted them and complained that they are not receiving relevant enough information.
IP 3 further states that:
“With (marketing) consent, expectations are also put on companies like ok now you have said
that you will use my data and profile me. So as a company you also have the responsibility to
always develop your models and the direct communication that you send out.”
IP 6 also highlighted the expectation that is put on them by customers. Furthermore, IP 9 states
that they can be more relevant because they are knowledgeable and competent within their area
and that their customers also believe them to be.
4.5.3 Integrity Some of the main themes we could identify in terms of integrity are compliance, data protection
and “keeping promises”.
Aside from adhering to rules and regulations (i.e. GDPR), the IPs focused on data protection as
an important factor of integrity. For example, IP 10 mentioned that they cannot say that they
“think about privacy and integrity and so on, and then we use the data in the wrong way”. This
is further highlighted by IP 1 who discussed the seriousness that data leakage could bring; not
only would it lead to a GDPR-related fine but it would also lead to bad PR and to decreased
customer trust. Therefore, it is very important for companies to protect the consumers’ data as
the potential downsides of doing it incorrectly would be fatal for the companies. However,
integrity does not only concern the regulatory landscape but it also involves how fair and
reasonable a firm is perceived to be. For example, IP 6 described that it is important for firms
to be aware of what it means to be in possession of so much data and the importance of
protecting it. Furthermore, IP 7 described the importance of maintaining the data internally and
explained it to be the reason for not wanting to advertise on social media as they do not know
where the data ends up.
36
An industry specific example is presented by IP 1 who explained that it is very important they
do not reveal personal travel history when friends or families have contacted customer services.
4.5.4 Benevolence Some of the main themes we could identify in terms of benevolence are customer focus,
customer feedback, transparency and corporate responsibility.
Many IPs acknowledged that having much consumer data meant a certain risk on what data to
actually use. For example, IP 2, 3 and 8 said that even though they have very detailed level data,
does not mean that they have to use it. IP 2 meant that it could be because it is not always
relevant to use it all, whereas IP 3 meant that “we have to apply the ethical lens”. This was
further stressed by IP 7 who mentioned the risk of recommending certain products to certain
customers (e.g. loans to customers whom had exhibited credit risk). Larsson and Ledendal
(2017: 22) bring up the potential problem of firms exploiting customers’ data to sell them
products that may harm the person more than it will actually benefit them. On this, IP 7 can be
quoted:
“We could make a lot of money on this but you are putting people at risk and we have to
decide what kind of bank we want to be and we do not want to be that type of bank.”
Also highlighted by IP 7 and 8 who stated that they are very careful with how they invest their
funds and that they do not want to be associated with certain industries e.g. tobacco and weapon
trade. From all IP it therefore seemed to be a certain focus on corporate responsibility and being
perceived as a “good guy”, as IP 3 phrased it. To ensure that the company is perceived as a
good company in the eyes of the consumers, IP 3, 6, 8, 10 and 12 mentioned that they put great
care in listening to their customers’ feedback. For example, IP 8 said that they have customer
representatives that customers can turn to if they have questions or concerns. IP 10 mentioned
that in case something happens then they “would always be transparent and show externally
what has happened and try not to hide it”. This was further highlighted by IP 12 that stated that
a “very good practice as a brand to apologize if you’ve done something wrong and take
ownership”.
Transparency was a topic that came up a lot that is directly linked to benevolence. All IPs agreed
that a certain degree of transparency was a way to overcome the creepiness of personalization
37
because it improves awareness. Furthermore, as previously mentioned, John et al. (2018) argue
that giving consumers control may also be beneficial for the firm. This is because it displays
signs of benevolence; in the act of giving the consumer control, the firm simultaneously gives
up ways to earn financial rewards on the consumer. Therefore, such an act may therefore be
seen as ‘doing good for the customer’ which in turn can benefit the firm in building trust. In the
following section we will discuss the findings in relation to control and transparency.
4.6 Control The second factor that could minimize privacy concerns as illustrated by our theoretical model
was control. Many of the IPs mentioned that consumers have become more aware about their
rights to their data after the implementation of GDPR, and are thus requesting more
transparency. However, although the IPs acknowledged that customer may want control and
require transparency, as long as the consumers have given their consent, they will be more
accepting toward personalization.
4.6.2 Transparency in personalization In the majority of the studies presented in the literature review, transparency was encouraged
and recommended (e.g Milne & Culnan, 2004; Lutz & Strathoff, 2014). Additionally, Kim et
al. (2019) found that firms should be transparent in their personalized communication if it
reflects acceptable information flows. Although the IPs agree that transparency is very
important, as IP 12 puts it “transparency is key”, they did not recognize the need to reveal how
the data was collected and analyzed, regardless of the nature of the information flows. Instead,
the IPs emphasized the importance of not being too transparent or too precise in their
communication. For this, two main reasons were highlighted. Firstly, IP 8 states that when
communicating to customers you often have limited time and space to get your message across.
Thus, as quoted by IP 8:
“In these kinds of channels, it will often just be long explanations that often just awakes more
questions. Therefore, it is better to take it through GDPR – if the customer wants to know
exactly what we’re doing, we will then tell them instead. That’s no secret!”.
John et al. (2018) suggest that firms should at least be willing to provide information about data
practices upon request, which is the case that most of the IPs highlight throughout the interviews.
Secondly, although customers want relevant information, IP 6 claims that they do not want to
know exactly how the companies have derived at those conclusions as it can become too creepy.
38
IP 8 & 9 mentioned that the analysis can be very precise but the communication should not be
as precise. As quoted by IP 1:
“If we are too precise in how we explain to customers how we have done the analysis in order
to identify which offer is most likely for people to buy, it could become creepy. It’s not only
what we sell but how we communicate it”.
Similarly, IP 5 says that instead of highlighting how customer data will be used, there should
be more focus on the communication around it so it is not creepy. For example, IP 5
recommends avoiding “hunting” sentences such as “we saw you on our page, did you like what
you saw?” or “have you forgotten something in your shopping basket?”. We can also see that
balance, striking and subtle were three words that were often mentioned in the interviews. For
example, IP 4 states that they would never say “We know that you travel to Nice every summer
week 29 so here is an offer”. IP 2 agrees and states that they should instead say: “Want to go
to (destination) again?”. Similarly, Jung (2017) argues that companies should focus their
efforts on finding the optimal level which will lead to increased attention without causing
concerns (Jung, 2017).
The balance of being personal but not too personal is also featured by Bleier and Eisenbeiss
(2015) that found that ads with high amount of personalization should be avoided regardless of
level of trust, as they can elicit privacy concerns. Although their study did not put as much
emphasize on how you communicate as the IPs, Song et al. (2016) also found that there is a
correlation between extent of personalization and privacy concerns.
The reason why our literature review put more emphasis on transparency than what was found
in our interviews, could be because the studies were based on consumers. Since our data is
based on the view of companies, they also stress the importance of “business and results”, as
IP 11 puts it “Too much information kills the response so it should be more implicit”. Many of
the IPs also said that if they are too transparent they become creepy and make consumers aware
of their data collection and analysis in a damaging way. This correlates to the finding by
Knijnenburg and Kobsa (2013: 19), which shows that justification, in order words, transparency,
can be perceived as a warning sign and thereby leads to inhibition to share data rather than
encouragement. Kim et al. (2019) further argues that when consumers learn about marketing
practices they might become more aware of privacy threats.
39
So, although the IPs believe that customers want relevant content, they do not believe that the
customers exactly want to know what this means. IP 12 said:
“I think you need to divide between being relevant and “showing off” the kind of data you
have about them. The customers aren’t going to be impressed with you saying what kind of
data you have, frankly they don’t care they just want you to be relevant. They want us to see
them but I think they want us to see them in a subtler way. Being relevant without being
spooky or too intimate.”
Instead, the IPs agree that if customers want to know more, they can go through privacy
statements and GDPR. The IPs also said that this process should be easy.
4.6.2.2 Transparency in Privacy Statements and Terms and Conditions All IPs agree that it is vital to be transparent, open and not hide facts. They also acknowledge
that GDPR has had a positive impact on transparency and as IP 6 states it “the trust is bigger
now for the consumers that their data won't be shared with anyone else”. The IPs also said that
they do not try to hide anything, for example having call to actions clearly visible on the website
and in the emails so that customers can easily see them. However, they also recognize the issue
of complicated and long statements, as well as few customers actually reading them.
Many of the IPs said that they have actively tried to make the privacy statements shorter, clearer
and easier to understand. According to both IP 8 and 9, they worked hard on rewording and
making the language easier to understand as well as shorten it, as IP 8 phrased it “To these long
texts we have a ‘what does this long boring text mean’, yes it means this. Short and concise.”
This follows the recommendations of both BCG and DLA Piper (2018) and Larsson (2017).
BCG and DLA Piper (2018) stress the importance of creating a version written with the
customer in mind, such as both IP 8 and 9 described and Larsson (2017) means that it can have
a negative impact on consumer trust if the firm has a too complex note. On this, all IPs agreed
that since it is a judicial text, is has to be encompassing. For example, IP 5 stated that:
“With GDPR we have to be complicated and ensure that there are loopholes. But as
marketers we can try and make it shorter and clearer.”
40
IP 4 also said that is important that they are clear and direct in their communication and inform
people that they can opt-out if they do not want to share their data. For IP 4 it is further important
to be transparent in order to be “true to our brand” and thereby be perceives as honest. However,
none of the interviewed firms use visual cues such as icons or data charts, as suggested by BCG
and DLA Piper (2018) and van Oojien and Vrabec (2018)
According to Presthus and Sorum (2018) consumers are often left feeling resigned when
confronted with privacy statements as the texts are too long and often difficult to understand.
This is a problem that many of the IPs acknowledged. IP 10 stated that “although most people
will accept without reading but as a company it is very important to still try and make your
customer understand what they are accepting without them necessarily having to read it
because most of them will not”. IP 7 also said that most people do not read them but he/she
believes that as long as they are easy, short and clear and that customers are given the
opportunity to opt-out it’s ok. However, IP 6 expresses that they do not work much with this,
since “under 1% reads it and under 1% ever contact us about these terms and conditions”.
Therefore, IP 6 argues that it does not seem like a pain point for customers and they do not do
more than what is required by GDPR. However, if customers would contact them and say that
it is unclear what they are signing up for and how their data will be used, then they would look
into it more. On this, IP 6 further differentiated between different industries and stated that clear
terms and conditions are more important when signing up for e.g. bank loans, than when making
smaller transactions, such as purschasing clothes. As quoted by IP 6: “the more the value the
transaction is consisting of, the more important it is to people”.
As mentioned, the IPs tend to place information regarding data collection and analysis in terms
and conditions rather than in the personalized content. However, also here they recognize the
dilemma of wanting to be transparent but not too transparent. IP 6 state that even if they were
to write out exactly what they use customers’ data for, they doubt that customers would read it
and if they did, it could potentially frighten customers, as quoted: “So I don’t think it would
serve any good purpose and instead frighten customers more than they should be because it is
really not something we will misuse”. IP 12 similarly said that it does not serve a purpose to
send customers huge lists, as customers aren’t interested in it. IP 12 also refers to customer
experience and says that “if you just want to sign up for something and you have to tick a
hundred boxes and you know that’s also not a great experience”. Nevertheless, IP 12 and the
other IPs still emphasize the importance of being transparent and having a user-friendly
41
language but that it is again about balance. However, upon the analysis of the websites, we
found that only three out of seven firms explained that they will use cookies to improve
commercial, ads and information, already in their initial privacy statements when entering their
websites and when presented the choice to either accept or not. All of our other cases did also
explain this, once you clicked “read more” in the initial privacy note.
All IPs consider transparency to be highly important and never try to hide their privacy
statements or unsubscribe buttons. The majority also said that they try to make the language as
easy as possible to understand that they believe customers trust them with their data. All the
cases can therefore be assumed to apply trust-building strategies, as described by Milne and
Boza (1999). This correlates with what Hoffmann (2016) describes, namely that if an individual
trusts a company, they may allow a more carefree reliance on the company. This also seemed
to be the case for the IPs. However, as mentioned many of the IPs also said that that they do
not want to be too explicit as this might make consumers feel uncomfortable and concerned.
We can thereby see that the IPs to some extent also apply concern-reducing strategies.
4.6.3 Control As regulated by GDPR, all interviewed firms are required to receive explicit consent before
they use customer data in personalization. Therefore, common for all IPs was that they
mentioned the importance on obtaining customer consent. However, there was a difference in
the stance toward to what degree the IPs had interpreted GDPR and to what degree of control
they offer their customers. For example, IP 6 mentioned the importance of obtaining consent
from the customer and highlighted that customers can contact them to withdraw their consent.
Aside from that they do not offer opt-out possibilities from their personalized services as it
would be too technical for them and they have not received any negative feedback from
customers. Others interpreted GDPR in a stricter manner. For example, IP 1 mentioned that
they had initiated a GDPR self-service portal that “was more open and maybe not necessary
(…) and it actually turned into a good thing. People are looking there and we have a second
shot of trying to get them interested and receiving things from us again”. IP 1 mentions that
giving the customer more control has benefited them as people generally keep their consents,
as was found by Midha (2012) who saw that consumers who are perceived to be in control are
less worried of privacy risks. Also highlighted by Phelps et al. (2000) who found that giving
consumers more control leads to a greater interest in marketing offers.
42
IP 3 also mentioned the importance of giving consumers control through the example of ability
to enter the website even if you do not accept cookies, as they do not want to force the consent.
Additionally, IP 4 highlighted the challenge of the cookie discussion, as quoted:
“The challenge in the cookie discussion is that some are a function piece of the website –
that’s just how the website works, but with tracking cookies you can at least say that if you
say no, and then we will respect that.”
Preibusch (2005) discuss the principle of ‘take-it-or-leave-it’ which both IP 3 and 4 touches
upon, whereas they both agreed its importance to circumvent it as it otherwise does not give
the user a choice to reject the offer if they want to use the web page. The importance of this is
discussed by Taylor et al. (2009: 8) that describes that when a consumer does not have a choice
other than disclose information, they must rely on the benevolence of the company, otherwise
they may perceive a loss of control. IP 12 touches on this subject as well, and mentions that a
way to overcome this is to implement a “double opt-in” which requires an initial consent and
then the customer has to “send them a follow up, like confirming that it’s them and that they
agree to it and they’d have to opt-in again”. This way the firm can guarantee an explicit consent
from the customer. That IP 3, 4 and 12 mentioned this is interesting, because out of the seven
interviewed firms, these two firms were the only ones that required the consumer to choose
what cookies they wanted to give their consent to (i.e. making a difference between functional-
and marketing cookies). All other cases only offered opt-out alternatives once you clicked “read
more” and landed on a new page, there the consumer actively needs to find the opt-out
alternatives. The firm of IP 1 and 2 offered an opt-out alternative in this stage. With an
exception of the firm of IP 5 and 6 that did not offer any opt-out alternative, all other cases
offered instructions on how the consumers’ can opt-out through their web browsers.
On the topic of cookie tracking, IP 6 who works primarily with email personalization stated
that email consent is more concrete. For example, when you sign up to a newsletter, you
understand its implications and then you can explicitly sign up for it, whereas cookie tracking
is more implicit. IP 6 means that they look the same on all web pages, so therefore it is difficult
to notice the difference, and it is thus a more implicit form of consent. According to Midha
(2012), companies should delegate control over decision related to private information to
consumers. However, IP 7 expressed skepticism on placing too much responsibility on the
customer. As quoted by IP 7:
43
“It’s difficult for the customer because you don’t understand as a customer how
comprehensive it is, you should describe things for the customers so that they can take a
stance on it. I believe that you have put too much responsibility on the individual to read
through and understand what it is I give my consent to; the customer can’t really understand
that. (…) There’s an overconfidence in the customer to understand what everything means but
I don’t think a lot of people do.”
This is a prevalent issue in literature as there are conflicting views in the rationality of the
individual. For example, information overload was presented as a problem of the digital
economy by Larsson (2017). Previously, we described three ways in rationality can be bounded,
as presented by Simon (1972), in the quote provided by IP 7, they describe all three ways.
Firstly, IP 7 describe that we cannot assume the individual to have perfect knowledge; secondly,
as the customer cannot understand the information, we can assume the individual has
incomplete information about consequences; thirdly, the complexities may prevent the
individual from calculating the best alternative (as described as ‘take a stance on it’). However,
IP 12 who also expressed skepticism toward the legality of the current form of obtaining consent,
said that “I think people don’t mind in general as long as they have the option, and they’ve
chosen this”.
They also perceive them as unacceptable when the information used to shape the ad is inferred
by the firm rather than explicitly stated by the consumer.
For obtaining consent, IP 12 also highlighted the power of asking customers. For example, IP
12 means that an easy way is to ask the customer what they would be interested in, and also
giving the option to the customer what channels they want to be contacted on. This is brought
up by John et al. (2018) who stresses that firms should try traditional data collection to give the
customers a chance to state their preferences and not only track them. Additionally, Kim et al.
(2019) found that personalized ads are perceived to be more acceptable when the information
used to shape the ad is explicitly stated by the consumer. Rather than inferred by the firm.
Furthermore, IP 6 brings up that showcasing “why am I seeing this ad?” on top of an ad may
give the customers a feeling of control as they will get the opportunity to give feedback over
the ads they receive; this way they can also get more relevant recommendations in the future.
This is also highlighted by Aguirre et al. (2015) that state that the incorporation of information
44
icons can signal trustworthiness, but as mentioned by IP 6 it can also increase ad relevance for
the individual in the future which further increases the functionality of information icons.
4.7 Summary and table of recommendations
IP 1 IP 2 IP 3 IP 4 IP 5 IP 6 IP 7 IP 8 IP 9 IP 10 IP 11 IP 12
Create relevant content x x x x x x x x x x x x
Do not use too detailed or striking words in personalized communication
x x x x x x x x x x x x
Make privacy policies as easy as possible to understand
x x x x x x x x x x x
Do not use sensitive data (e.g. transaction-, travel companion-, medical- and/or journey data)
x x x x x x x x x x x x
Ensure strong data protection to prevent data leaks
x x x x x x x x x x
Make it easy to find or ask for information about data collection and opt out
x x x x x
Listen to customer feedback x x x x x x x x x
Do not have too much information in privacy statements & terms and conditions
x x x x x x
Only use sensitive data when customers are logged in
x x x
Place personalized advertisement in credible contexts
x x x x x x x x x x x x
Put yourself in customers position
x x x x x
Ask customers how they want to be contacted
x x x
If new, use trusted third parties to enhance brand
x x x
Do not stereotype x x
Focus on corporate responsibility to enhance brand and create trust
x x x x x x
Do not use location-based personalization
x x
Communicate that customers do not have to accept cookies
x x x
Table 2. Summarization of recommendations
45
5. Discussion and Conclusion For this study, the research question that we sought to answer was the following:
“How do companies that use personalization strategies work with preventative actions to
minimize the risk for triggering consumer privacy concerns, when creating personalized
communication?”
Our findings show that companies are mindful when creating personalized content and do
acknowledge the issues with privacy and the risk of being perceived as creepy. From our
interviews, we were therefore able to extract certain recommendations on how one should work
with personalization (see in section 4.7). How companies communicate personalized content
was identified as the main factor when trying to avoid triggering privacy concerns. Although
certain types of data and channels were sometimes preferred or not preferred, the balance of
being relevant but not striking was an undivided opinion of all the interview participants.
Referring to our initial literature review and theoretical framework, we had expected more
emphasis on transparency and explicit information about how consumer data was used. We
expected this as the majority of recommendations from previous literature pointed to a
correlation between minimized privacy concerns, and thereby a greater acceptance of
personalization. However, our results points in the opposite direction. This discrepancy may
exist for two reasons. Firstly, as we previously hypothesized, previous literature reviews the
consumer side whereas we investigated the company side. Following the logic of the privacy
paradox, consumers display a paradoxical mindset with regards to privacy and their wants in
term of personalization. Through looking at the phenomena from the company lens, we have
therefore been able to provide a new perspective on the research area. Nevertheless, there is
previous research that also acknowledges the risk of triggering privacy concerns if you are too
transparent, as we previously discussed. It triggers privacy concerns because it awakens
customers’ awareness, a similar understanding was expressed by the IPs. Secondly, this
discrepancy may exist because of firms’ emphasis on ‘business and results’ as previously
described. Whereas the IPs acknowledged that transparency was needed, they also highlighted
that it can also kill the response and at the end of the day, the firms use personalization to create
value for themselves, just as they create value for their customers.
Although, relevance is brought up several times in our literature review as a definition of
personalization it is only once mentioned as a means to overcome privacy concerns. Our
findings on the other hand put much more emphasis on the matter. According to the IPs,
46
customers do not care that much about privacy in relation to personalization as long as it is
relevant and adds value. The IPs found support for their arguments in customer feedback. None
of the IPs had experienced negative feedback with regards of privacy concerns or creepiness
but rather they had received negative feedback that the content was not relevant enough. Again,
the different angles of looking at the problem, whereas we chose the company perspective, may
account for the discrepancy. Although consumers may say that they value privacy over
relevance, they are, according to bounded rationality, unable to make a rational analysis. While
many of the IPs said that they always listen to customers’ feedback, some IPs also expressed
that they do not believe that customers really know what they want and if you asked them, you
would not get the right answer.
As previously mentioned, trust was rarely explicitly connected to personalization. Following
the logic of our literature review and theoretical framework, we had expected that the IPs would
make a more direct linkage. The IPs still recognized the importance of being perceived as a
trusted partner but seemed to take it in a more given way. Their response can be interpreted as
trust being so essential to survive as a business that it is implicit in everything they do.
Maintaining their reputation and feeling that their customers trusted them was of utmost
importance. Nevertheless, few concrete trust-building activities were mentioned and whereas
the answers were broader, much could still be connected to the three dimensions of trust.
With regards to privacy transparency and control, we can see that the IPs believe it to be
essential to be GDPR compliance but rarely necessary to go beyond. They also think that
customers want them to be transparent and to give control in terms of opt-in and opt-out but
that it will ruin the customer experience if they give them too much information. Again, the IPs
also have to ensure that they can deliver business results and have high click through rates. If a
customer has to tick several boxes they are less likely to follow through on the transaction
according to the IPs. Furthermore, many of the IPs also stated that the reason why they do not
see a problem with their personalization is because of consent; if consumers are given the
opportunity to say yes then it opens up the possibility to use data without paying too much
attention to privacy. If a consumer does not want to share data or receive personalized
communication they have the option of saying no. Nevertheless, as mentioned only 2 of the 7
companies allow customers to use their website without having to accept tracking cookies. We
therefore question the full applicability of opt-in and opt-out as many companies still use the
take-it-or-leave-it scenario. Nevertheless, the IPs answers correlate to the previous findings in
47
the sense that they agree on the importance of transparency and control, however, they do not
believe in pushing too much of the information on them. Instead they try to make it easy to find
out more about data collection and handling.
Although our main purpose was to examine how firms balance the need for personalization
while still respecting consumers’ privacy, we also wanted to see if we could identify industry-
specific findings. However, the industry-specific recommendations that we could distinguish
were mostly minor and not as relevant as the broader themes and therefore not highlighted.
Most main findings include broad themes that were identified in all industries. A potential
explanation for this could be our case selection; more companies within a given industry would
need to be interviewed in order to generate more industry generalizable results. Additionally,
although a question related to industry was included in our interview guide, more questions
would need to be added. Nevertheless, this was not the main purpose of our study.
In conclusion, we can see that firms strive to achieve the optimal balance of being relevant to
the extent that it creates value for customers, and non-intrusive to the extent that it does not
make customers too aware about data collection and analysis. However, when discussing this
balance, few of the IPs were able to offer concrete methods on how this can be achieved. Instead
it seems to be something that is learned by working with it and more of a ‘feeling’. The balance
can therefore be perceived as tacit knowledge. For example, the IPs stated that they do not have
a specific manual or handbook about how they should work. Therefore, the actions differ from
case to case depending on whether it feels right or not. As mentioned, many of the IPs turned
to themselves and asked whether they would find a certain message relevant or intrusive.
Nevertheless, from our study we can see that firms minimize the risk for triggering customer
privacy concerns when creating personalized communication by:
● Creating relevant content so that customers feel they are receiving value for giving up
their data
● Be personal and detailed in the analysis in order to produce relevant content but be less
striking and detailed in the communication. Do not explain in detail why a customer is
receiving the message or how they have come to the conclusion that the offer is relevant
for them
● Be GDPR compliant and offer an easy way for customers to receive information
regarding their data
48
● Have privacy statements that are easy to understand, for example by keeping them short
and replacing difficult judicial terms with user-friendly language
● Improve brand image and reputation, and thereby trust, by delivering relevant content,
offer safe solutions, be compliant and transparent and work with corporate
responsibility
5.2 Future research As stated previously, we intended our research to be broad and to take an exploratory stance
and identify broad themes. From our initial findings we have been able to identify potential
research areas that can be conducted in order to further research the area.
As part our findings, many stressed the importance in protecting consumers’ data and the
responsibility they had to engage in behavior of good faith and being the ‘good guys’. A risk
with personalization may come when a firm exploits data that can potentially harm consumers.
In our study, we have reviewed well-known firms that are more inclined to act in benevolence
for their reputation as well as their trusted brand. In another study, it can therefore be interesting
to look at industries where there is more potential for manipulation and see what preventative
actions firms in these industries do to ensure consumer data. In our study we have looked at
firms operating on the European market, however we have disregarded national- and cultural
differences among the countries in Europe. We reckon that a future study may examine
differences on the European market and how this can affect whether consumers are more likely
to accept/reject a firm's’ personalization strategy. Another factor that we have disregarded in
this research is age. Firstly, consumer age may be an interesting aspect to look at with regards
to their acceptance to personalization and their privacy concerns as there may be generational
differences. Secondly, company age may be another interesting aspect to look at it as some
online companies are more prone to rely on consumer data for their survival (i.e. ‘born digital’)
whereas traditional companies may have started collecting consumer data online more recently.
Differences in displayed consumer trust in digital vs traditional companies may therefore be an
interesting future study. Lastly, another interesting research area is privacy statements. A future
study could for example examine how a privacy statement should optimally be designed to
increase consumers’ “reading rate” and their grasp.
49
REFERENCES Accenture strategy. (2017). Put your trust in hyper relevance. [Online]. [Accessed on 01 Mar 2019]. Available from: https://www.accenture.com/us-en/insight-hyper-relevance-gcpr
Agag, G. M., & El-Masry, A. A. (2017). Why do consumers trust online travel websites? Drivers and outcomes of consumer trust toward online travel websites. Journal of Travel Research, 56(3), 347-369.
Aguirre, E., Mahr, D., Grewal, D., de Ruyter, K., & Wetzels, M. (2015). Unraveling the personalization paradox: The effect of information collection and trust-building strategies on online advertisement effectiveness. Journal of Retailing, 91(1), 34-49.
Acquisti, A. (2004). Privacy in electronic commerce and the economics of immediate gratification. In Proceedings of the 5th ACM conference on Electronic commerce (pp. 21-29). ACM.
Acquisti, A., & Grossklags, J. (2007). What can behavioral economics teach us about privacy. Digital privacy: theory, technologies and practices, 18, 363-377.
Barth, S., & De Jong, M. D. (2017). The privacy paradox–Investigating discrepancies between expressed privacy concerns and actual online behavior–A systematic literature review. Telematics and Informatics, 34(7), 1038-1058.
BCG. (2017) Profiting from Personalization. [Online]. [Accessed on 02 May 2019]. Available from:https://www.bcg.com/publications/2017/retail-marketing-sales-profiting-personalization.aspx
BCG. (2018). Dressed for Digital: The Next Evolution in Fashion Marketing. Boston Consulting Group. [Online]. [Accessed on 10 May 2019]. Available from: https://www.bcg.com/publications/2018/dressed-for-digital-evolution-in-fashion-marketing.aspx
BCG and DLA Piper. (2018). Leveraging GDPR to Become a Trusted Data Steward [Online]. [Accessed on 15 Mar 2019].Available from: https://www.bcg.com/publications/2018/leveraging-gdpr-become-trusted-data-steward.aspx
Bhattacherjee, A. (2002). Individual trust in online firms: Scale development and initial test. Journal of management information systems, 19(1), 211-241.
Bleier, A., & Eisenbeiss, M. (2015). The importance of trust for personalized online advertising. Journal of Retailing, 91(3), 390-409.
Brandom, R. (2018). Everything you need to know about GDPR. The verge. [Online]. [Accessed on 01 Mar 2019]. Available from: https://www.theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice
Braun, V. and Clarke, V. (2006). Using thematic analysis in psychology. Qualitative Research in Psychology. 3(2), pp. 77-101.
Bryman, A. (2012). Social Research Methods. 4th ed. Oxford: University Press.
Bryman,A. & Bell, E. (2011). Business Research Methods. 3rd ed. Oxford: University Press.
50
Chellappa, R. K., & Sin, R. G. (2005). Personalization versus privacy: An empirical examination of the online consumer’s dilemma. Information technology and management, 6(2-3), 181-202.
Cochrane, K. (2018). To Regain Consumers’ Trust, Marketers Need Transparent Data Practices. Harvard Business Review. [Online]. [Accessed on 10 May 2019]. Available from: https://hbr.org/2018/06/to-regain-consumers-trust-marketers-need-transparent-data-practices
Culnan, M. J., & Armstrong, P. K. (1999). Information privacy concerns, procedural fairness, and impersonal trust: An empirical investigation. Organization science, 10(1), 104-115.
Dinev, T., & Hart, P. (2006). An extended privacy calculus model for e-commerce transactions. Information systems research, 17(1), 61-80.
Earp, J. B., & Baumer, D. (2003). Innovative web use to learn about consumer behavior and online privacy. Communications of the ACM, 46(4), 81-83.
GDPR Report. (2018). Facebook scandal damages public trust with data, yet levels of GDPR awareness remains low. [Online]. [Accessed on 15 Feb 2019]. Available from: https://gdpr.report/news/2018/05/17/facebook-scandal-damages-public-trust-with-data-yet-levels-of-gdpr-awareness-remain-low/
Ghauri, P. N., & Grønhaug, K. (2010). Research methods in business studies (4th ed.). Harlow: Financial Times Prentice Hall.
Granville, K. (2018). Facebook and Cambridge Analytica: What you need to know as fallout widens. The New York Times. [Online]. [Accessed on 15 Feb 2019]. Available from: https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html
Han, S. H., Nguyen, B., & Lee, T. J. (2015). Consumer-based chain restaurant brand equity, brand reputation, and brand trust. International Journal of Hospitality Management, 50, 84-93.
Hoffman, D. L., Novak, T. P., & Peralta, M. (1999). Building consumer trust online. Communications of the ACM, 42(4), 80-85.
Hoffmann, C. P., Lutz, C., & Ranzini, G. (2016). Privacy cynicism: A new approach to the privacy paradox. Cyberpsychology: Journal of Psychosocial Research on Cyberspace, 10(4).
Houser, K. A., & Voss, W. G. (2018). GDPR: The End of Google and Facebook or a New Paradigm in Data Privacy. Rich. JL & Tech., 25, 1.
Hsu, M. H., Chang, C. M., Chu, K. K., & Lee, Y. J. (2014). Determinants of repurchase intention in online group-buying: The perspectives of DeLone & McLean IS success model and trust. Computers in Human Behavior, 36, 234-245.
InMoment. (2018). What Brands Should Know About Creating Memorable Experience. 2018 CX Trends Report. [Online]. [Accessed on 10 May 2019]. Available from: http://www.inmoment.com/wp-content/uploads/2018/02/2018_CX_Trends_Report-1.pdf
John, L.K., Kim, T. & Barasz, K. (2018). "Ads that don't overstep: how to make sure you don't take personalization too far", Harvard Business Review, [Online], vol. 96, no. 1, pp. 62.
51
Jung, A. (2017). "The influence of perceived ad relevance on social media advertising: An empirical examination of a mediating role of privacy concern", Computers in Human Behavior, vol. 70, pp. 303-309.
Kim, H. W., Xu, Y., & Koh, J. (2004). A comparison of online trust building factors between potential customers and repeat customers. Journal of the association for information systems, 5(10), 13.
Kim, T., Barasz, K. & John, L.K. (2019). "Why Am I Seeing This Ad? The Effect of Ad Transparency on Ad Effectiveness", Journal of Consumer Research, vol. 45, no. 5, pp. 906-932.
Knijnenburg, B.P. & Kobsa, A. (2013). "Making Decisions about Privacy: Information Disclosure in Context-Aware Recommender Systems", ACM Transactions on Interactive Intelligent Systems (TiiS), vol. 3, no. 3, pp. 1-23.
Kobsa, A. (2007). Privacy-enhanced web personalization. The adaptive web. Springer-Verlag, 628-670.
Kokolakis, S. (2017). Privacy attitudes and privacy behaviour: A review of current research on the privacy paradox phenomenon. Computers & security, 64, 122-134.
Larsson, S. (2017). Sustaining Legitimacy and Trust in a Data-driven Society. Ericsson Technology Review, 94(1), 40-49.
Larsson, S. & Ledendal, J. (2017). Personuppgifter som betalningsmedel. Konsumentverket, 2017(4). [Online]. [Accessed on 03 Mar 2019]. Available from: https://www.konsumentverket.se/globalassets/publikationer/produkter-och-tjanster/gemensamt/rapport-2017-4-personuppgifter-som-betalmedel-konsumentverket.pdf
Lutz, C., & Strathoff, P. (2014). Privacy concerns and online behavior–Not so paradoxical after all? Viewing the privacy paradox through different theoretical lenses. Viewing the Privacy Paradox Through Different Theoretical Lenses (April 15, 2014).
Mayer, R. C., Davis, J. H., & Schoorman, F. D. (1995). An integrative model of organizational trust. Academy of management review, 20(3), 709-734.
Midha, V. (2012). "Impact of consumer empowerment on online trust: An examination across genders", Decision Support Systems, vol. 54, no. 1, pp. 198-205.
Milne, G. R., & Boza, M. E. (1999). Trust and concern in consumers’ perceptions of marketing information management practices. Journal of interactive Marketing, 13(1), 5-24.
Milne, G. R., & Culnan, M. J. (2004). Strategies for reducing online privacy risks: Why consumers read (or don’t read) online privacy notices. Journal of interactive marketing, 18(3), 15-29. Moorman, C., Zaltman, G., & Deshpande, R. (1992). Relationships between providers and users of market research: the dynamics of trust within and between organizations. Journal of marketing research, 29(3), 314-328.
Myrstad, F. (2018). How tech companies deceive you into giving up your data and privacy. Ted. [Video]. [Accessed on 06 Mar 2019]. Available from:
52
https://www.ted.com/talks/finn_myrstad_how_tech_companies_deceive_you_into_giving_up_your_data_and_privacy#t-347987
Norberg, P. A., Horne, D. R., & Horne, D. A. (2007). The privacy paradox: Personal information disclosure intentions versus behaviors. Journal of Consumer Affairs, 41(1), 100-126.
Nowak, G. J., & Phelps, J. E. (1992). Understanding privacy concerns: an assessment of consumers’ information-related knowledge and beliefs. Journal of Direct Marketing, 6(4), 28-39.
Phelps, J., Nowak, G. & Ferrell, E. (2000). "Privacy Concerns and Consumer Willingness to Provide Personal Information", Journal of Public Policy & Marketing, vol. 19, no. 1, pp. 27-41.
Preibusch, S. (2005). Implementing Privacy Negotiations in Ecommerce. DIW Discussion Papers, 526. Deutsches Institut für Wirtschaftsforschung: Berlin.
Presthus, W. & Sørum, H. (2018). "Are Consumers Concerned About Privacy? An Online Survey Emphasizing the General Data Protection Regulation", Procedia Computer Science, vol. 138, pp. 603-611.
Rees, C. (2013). Tomorrow’s privacy: personal information as property. International Data Privacy Law, Vol. 3, No. 4.
Schoenbachler, D. D., & Gordon, G. L. (2002). Trust and customer willingness to provide information in database-driven relationship marketing. Journal of interactive marketing, 16(3), 2-16.
Simon, H. A. (1972). Theories of bounded rationality. Decision and organization, 1(1), 161-176.
Song, J.H., Kim, H.Y., Kim, S., Lee, S.W. & Lee, J.(2016). "Effects of personalized e-mail messages on privacy risk: Moderating roles of control and intimacy", Marketing Letters, vol. 27, no. 1, pp. 89-101.
Sutanto, J., Palme, E., Tan, C., Phang, C.W., (2013). "Addressing the Personalization-Privacy Paradox: An Empirical Assessment from a Field Experiment on Smartphone Users", MIS Quarterly, vol. 37, no. 4, pp. 1141-1164.
Svt. (2018). Region Stockholm inleder extern granskning efter 1177-skandalen. [Online]. [Accessed on 15 Feb 2019]. Available from: https://www.svt.se/nyheter/lokalt/stockholm/extern-granskning-av-1177
Taylor, D. G., Davis, D. F., & Jillapalli, R. (2009). Privacy concern and online personalization: The moderating effects of information control and compensation. Electronic commerce research, 9(3), 203-223.
Teo, T. S., & Liu, J. (2007). Consumer trust in e-commerce in the United States, Singapore and China. Omega, 35(1), 22-38.
Tiku, N. (2018). Europe's New Privacy Law Will Change the Web, and More. Wired. [Online]. [Accessed on 01 Mar 2019]. Available from: https://www.wired.com/story/europes-new-privacy-law-will-change-the-web-and-more/
53
Toms, E. G., & Taves, A. R. (2004). Measuring user perceptions of web site reputation. Information Processing & Management, 40(2), 291-317.
Van Dyke, M. Vishal, H. Nemati. (2007). The effect of consumer privacy empowerment on trust and privacy concerns in e-commerce, Electronic Markets 17 (1) 68–81.
Van Ooijen, I., & Vrabec, H. U. (2019). Does the GDPR enhance consumers’ control over personal data? An analysis from a behavioural perspective. Journal of consumer policy, 42(1), 91-107.
Xu, H., Luo, X., Carroll, J.M. & Rosson, M.B. (2011). "The personalization privacy paradox: An exploratory study of decision making process for location-aware marketing", Decision Support Systems, vol. 51, no. 1, pp. 42-52.
Yin, R. K. (2009). Case Study Research: Design and Methods. 4th ed. California: SAGE.
Zuiderveen Borgesius, F. J., Kruikemeier, S., Boerman, S. C., & Helberger, N. (2017). Tracking walls, take-it-or-leave-it choices, the GDPR, and the ePrivacy regulation. Eur. Data Prot. L. Rev., 3, 353.
54
APPENDICES Appendix 1. Overview of previous literature findings/recommendations The table summarizes the main findings of previous literature on the topic of privacy and personalization. Previous
literature has investigated the topic from the lens of consumers. The authors then explain the managerial
implications of the findings and provide certain recommendations for firms to consider when pursuing a
personalization strategy with regards to consumer privacy concerns.
Author Method Recommendations
Siau, K. & Shen, Z. (2003)
Qualitative To continuously build trust: 1. Improve site quality 2. Sharpen business competence 3. Strengthen security controls (authorization functionality, transaction signatures)
Milne, G.R. & Culnan, M.J. (2004)
Quantitative online survey study
Privacy concerns is a big motivator for consumers to read privacy notices. The study found that perceived comprehension of notices has a strong effect; if the notice is not perceived as comprehensible then it will be less likely to be read. When consumers perceive they can comprehend privacy notices, the more likely they are to read notices and trust the notices.
Chellappa & Sin, 2005)
Quantitative survey study
Firms can affect consumers’ privacy concerns through trust building e.g. they can build trust through (1) improving their brand image/reputation and (2) engaging in trust building activities through relationships with trusted third parties. Thus, firms should uncover means to build trust if they want to benefit from their personalization strategies.
Kobsa, A. (2007) Narrative review 1.Make the personalization benefits clear to users, and ascertain that those benefits are ones that people want. 2.Explain to users what facts and assumptions are stored about them and how these are going to be used. 3.Give consumers control over the storage and usage of this data.
Lutz & Strathoff (2011)
Quantitative survey study
1. Provide users with easy-to-use and understandable protection options 2. Contextualize privacy practices to foster context-specific trust 3. Engage in dialogue with users to foster trust via transparency and accessibility
Knijnenburg & Kobsa (2013)
Online experiment and interview study
1. Personalized justification messages based on characteristics of the individual user may increase both disclosure and satisfaction 2. “Useful for you” and ‘explanation’ messages can increase trust in firms and increase individuals’ willingness to disclose 3. Avoid justification such as ‘Useful for others’ and ‘number of others’ as it can reduce trust in company and decrease willingness of disclosure because ‘feelings of peer pressure’
Aguirre, et al. (2015)
Exploratory field study
1.Place personalized advertisement in a credible context 2.Incorporate information icons that signal trustworthiness,
Wu et al. (2012) Quantitative survey study
1. Place correct information on privacy policies 2. Reinforce their website design to make it look more credible 3. Provide security information on website
Midha (2012) Quantitative (survey)
1.Delegate control over decisions related to private information to consumers. 2.Communicate privacy policies in a way that signal a sense of control on the part of the consumer and thereby indicate trustworthiness and reduce the feeling of vulnerability
55
Bleier & Eisenbeiss (2015)
Quantitative 1. Scenario-based online experiment 2. Survey
1.Evaluate consumer trust before initiating retargeting 2.Trusted companies should use ads that reflect moderate personalization 3.Always avoid ads that reflect high personalization 4.Provide consumers of retargeting ads with information about which specific personal data it stores and uses to personalize its ads.
Song et al. (2016)
Quantitative experiment
1.Give consumers control over personal information 2.Forge intimate interactions with consumers 3.Maintain a balance between personalization & privacy by offering moderate levels of personalization
Larsson (2017) Narrative Review 1.If a privacy notice is written in a clearer way then they will be less likely accepted but continuing to write notices in a complex way is not surely a good decision in the long term; it may have a negative impact on consumers’ trust in digital services
BCG & DLA Piper (2018)
N/A 1.Use personalization but offer consumers control 2.Be transparent about key data use in an easy and understandable way, e.g. use a data charter. 3.Measure and publish metrics about customer trust 4.Move from pull communication to push communication.
Kim et al. (2019)
Quantitative survey study
1.Use ad transparency when it shows acceptable information flows. 2.Use trustworthy platforms where the ads are published
John et al. (2018) Field experiments 1. Stay away from sensitive data 2. Commit to at least a minimum amount of transparency (suggest that marketers at least be willing to provide information about data- use practices upon request) 3. Use data judiciously (consumers react poorly when personal information is used to generate a recommendation or an advertisement that feels intrusive or inappropriate. Conversely, they will give advertisers more leeway if they are delighted by recommendations) 4. Justify your data collection (why do you need this data and what will it be used for?) 5. Try traditional data collection first (give consumers an opportunity to directly state their preferences instead of only tracking them e.g. ask them for their preferences the old-fashioned way)
Oojien & Vrabec (2018)
Qualitative 1.Use icons and provide visuals in order to make the data more understandable and make consumers feel more in control. 2. Privacy by default can enhance individual control. For example, firms should require affirmative action before data is being collected so thus consent should be given unambiguously. Thus silence, pre-ticked boxes or inactivity should not constitute consent. Instead collect data in a way that empowers the individual. 3. The right to access and portability gives individuals control. Give the individual the right to manage their own data.
Appendix 1. List of recommendations to an effective personalization strategy from previous literature Appendix 2. Interview Guide
● When do you use personalization?
● When do you not use personalization? (e.g. channel, type of consumer, sensitive data, content) How do you decide whether content is useful? How do you decide that it is too sensitive?
● What do you consider to be important when creating personalized communication? (e.g. privacy, useful, transparency, personal, data)
56
- Have you experienced positive/negative feedback from consumers related to personalized communication?
- Are there any industry-specific reasons why you focus on this?
● What do you think your customers want in terms of personalization? Are you meeting your customers’ needs? If yes, how and if no, how can you improve?
● In what ways do you consider privacy concerns when creating personalized content? Why is it important? If trust is mentioned,
- Do you measure consumer trust? In what ways? - In what ways do your consumers trust you in general/with their personal data? - How do you ensure that your consumers trust you with their personal data?
● How has GDPR affected your personalization strategy?
How has your approach been toward GDPR, are you compliant and/or do you also go beyond what is expected by the regulation? In what ways do you go beyond? (e.g. How transparent are you? How does your opt-out options look like?) If control is implied/mentioned in answers,
- Do you offer consumers options to opt-in/out of your personalized services? - How do you ensure transparency in your personalized communication? - Do you clearly state that consumer personal data can be used for personalized
services? - Do you make benefits for personalization clear to your users? If so, in what
way? - Do you clearly mark what ads are based on tracking/personalized and which
are general? ● Privacy statements can sometimes be long and complicated, how do you handle
that consumers don’t have time/don’t understand your privacy statement? Different versions, icons, easy text, what do you mention?
● Is there anything else you would like to add?
57
Appendix 3. Initial privacy statements when entering websites Airline A “By visiting (webpage) you consent to our usage of cookies in accordance
with our cookie policy.”
Airline B “We use cookies to improve your webpage experience as described in our
cookie policy.We would like to use technology, such as cookie, to make
your experience as nice as possible. It can happen that we share information
about how you use our web services and applications with our trusted
media-, ad- and analysis partners so that we can deliver relevant and
personal advertisement. Through clicking “I accept”, you approve our usage
of such technology”.
Retail “Information about usage of cookies. Cookies are needed for a functioning
website, but it also gives information about how you use our website.
Cookies on this site is primarily used for traffic measuring, optimizing the
page’s content and to adapt marketing on other webpages. If you click on
the page, then you accept our usage of cookies. Do you want to know more
about how to remove cookies, click here”.
Bank and Insurance A
“We use cookies to improve your experience, follow up on how the webpage
is used as well as supporting our marketing. If you continue browsing, you
approve that we use cookies. Read more about cookies here.”
Bank and Insurance B
“By using our webpage, you accept that we use cookies”
Healthcare “We use cookies to give you the best possible experience on our webpage.
f you continue browsing, you approve that we use cookies for this purpose.
Read more.”
Automotive “We use cookies to give you the best possible experience on our webpage,
for example to adapt content and ads, obtain functions for social media and
to analyze web traffic. These cookies involve cookies for targeted media and
cookies for advanced analysis. In our information message on the cookie
page, there is more information. Through clicking ‘accept’ you approve our
58
usage of cookies. To change what type of cookies we can use, you can click
‘options for cookies’”.