Internet Privacy and Security: An Examination of Online

Retailer Disclosures

Anthony D. Miyazaki and Ana Fernandez

The Federal Trade Commission has declared the privacy and security of consumer informa-
tion to be two major issues that stem from the rapid growth in e-commerce, particularly in
terms of consumer-related commerce on the Internet. Although prior studies have assessed
online retailer responses to privacy and security concerns with respect to retailers’ disclo-
sure of their practices, these studies have been fairly general in their approaches and have
not explored the potential for such disclosures to affect consumers. The authors examine
online retailer disclosures of various privacy- and security-related practices for 17 product
categories. They also compare the prevalence of disclosures to a subset of data from a con-
sumer survey to evaluate potential relationships between online retailer practices and con-
sumer perceptions of risk and purchase intentions across product categories.

Consumers have little privacy protection on the Internet.
— Federal Trade Commission Press Release, June 4, 1998
The Federal Trade Commission today told a House Committee
that business on the Internet could explode—from $2.6 billion in
1996 to $220 billion in 2001—but if the trend is to continue, con-
sumers must feel confident that the Internet is safe from fraud.
— Federal Trade Commission Press Release, June 25, 1998
he past decade has witnessed rapid escalation of the
store regarding not only consumer characteristics but also
actual shopping behavior. Because most features of online
marketing transactions can be recorded electronically for
future use by marketers, the amount of data gathered by
marketers is growing at constantly accelerating rates.
Unfortunately, this burgeoning reservoir of information is
accompanied by technologically enhanced versions of two
previously studied database issues, namely, the privacy and
security of accumulated consumer data. These issues are of

T diffusion of the Internet as a source of consumer enter-

tainment, education, and marketplace exchange.1 The
growth of online retailing in particular has been well docu-
mented, and estimates of annual revenues have reached $13
billion for 1998 (Holstein, Thomas, and Vogelstein 1998).
For example, the National Retail Federation reports that 26%
of retailers had Internet sites in 1998, compared with only 8%
in 1996 (Holstein, Thomas, and Vogelstein 1998; for similar
figures, see Ernst & Young 1999). Consumer patronage of
such sites also continues to grow. According to America
Online, currently the largest Internet service provider, 48%
of its 14 million subscribers had purchased goods online as
of December 1998 (Holstein, Thomas, and Vogelstein 1998).
In conjunction with this surge in e-commerce is a related
increase in the amount of information marketers collect and
1Although the Internet includes various modes of information exchange,
such as directed communication (e.g., e-mail), posted communication (e.g.,
Usenet groups), real-time communication (e.g., Internet Relay Chat), and
file transfer systems (e.g., File Transfer Protocol), our focus is the use of
the World Wide Web (e.g., homepages, Web sites) as a main or alternative
storefront that allows for interactive consumer-initiated information
exchange (see Hoffman and Novak 1996). This information exchange may
range from basic communications regarding products and physical retail
outlets to completely automated purchase and shipment procedures.
ANTHONY D. MIYAZAKI is Assistant Professor of Marketing, and
ANA FERNANDEZ is a research assistant, School of Business
Administration, University of Miami. The authors gratefully
acknowledge constructive comments from the special issue editor
and the anonymous JPP&M reviewers.
interest to policymakers with respect to both protecting con-
sumers’ rights regarding the privacy and security of their
personal and financial information and facilitating the con-
tinued growth of e-commerce and the benefits it brings to
consumers and businesses (e.g., enhanced efficiencies of
information exchange and targeted communication).
Because many retailer practices have implications for pri-
vacy- and security-related issues, a key element of proposed
legislation in this area involves the online disclosure of such
practices. As discussed subsequently, these online disclo-
sures may be helpful in preventing and/or reducing con-
sumer concerns regarding Internet privacy and security.
Although several prior academic and industry studies have
evaluated commercial Web sites for privacy- and security-
related disclosures, most have taken a general approach and
have not examined how such disclosures may affect con-
sumer behavior. We assess disclosures of online retailers at
a more detailed level by delineating the various levels of
retailer response to several privacy and security concerns.
We then compare the prevalence of privacy- and security-
related disclosures with a subset of risk perception and
online purchase intention data from a consumer survey.
Finally, we discuss implications for online retailing.
Privacy and Security of Consumer
Information
A major ethical issue in the collection and management of
consumer information is the privacy of that information
(Bloom, Milne, and Adler 1994; Chonko 1995; Foxman and
Kilcoyne 1993; Jones 1991). Indeed, privacy is often

Vol. 19 (1)
54 Journal of Public Policy & Marketing Spring 2000, 54–61
 Journal of Public Policy & Marketing
viewed, even from a legal perspective, as a distinct con-
sumer right (Goodwin 1991). With respect to online shop-
ping, recent research by Rohm and Milne (1998) demon-
strates that a majority of Internet users—both those who
have made online purchases and those who have not—have
several concerns regarding information privacy, including
issues related to the acquisition and dissemination of con-
sumer data.
In conjunction with information privacy, security (partic-
ularly information theft and misuse) also has been labeled a
key concern of e-commerce by various government and con-
sumer organizations (e.g., Brinkley 1998; Consumer Reports
Online 1998; Cyberspace Law Institute 1999; Federal Trade
Commission 1998a; National Consumers League 1999) as
well as many articles in trade publications and the popular
press (e.g., Briones 1998; CNN 1999; Folkers 1998; Judge
1998; Machrone 1998; Rothfeder 1997). These two issues
are interrelated, because when the protection of consumer
privacy is considered, the secure storage and transmission of
consumer information contained in organizational databases
also are viewed as the responsibilities of participant organi-
zations (Federal Trade Commission 1998a; Jones 1991).
From a public policy perspective, consumers are assumed
to have certain rights to privacy and security of their infor-
mation when conducting online transactions. Publicity
regarding these issues has sparked several calls for legislation
(see Bloom, Milne, and Adler 1994; Milne 1997) that vary as
to their requirements for changes in practices versus simple
disclosure of practices. Presumably, changes in online retailer
practices that are deemed consumer friendly will build online
shoppers’ confidence with respect to their future purchasing
activities. Conversely, increasing media coverage of these
issues may decrease consumer confidence by highlighting the
risks involved in online shopping and thus deter full con-
sumer adoption of e-commerce (Judge 1998). Therefore, the
role of policymakers is twofold: to facilitate the adoption of
online shopping with its proposed market efficiencies and
simultaneously to protect and inform consumers by making
risks of Internet commerce known to all potential and active
participants. From a marketing perspective, the disclosure of
online retailer practices may serve both to inform consumers
about risks of online practices and to reduce consumer risk
perceptions and increase purchase behavior.
Online Disclosure of Privacy- and
Security-Related Practices
Appropriate online retailer practices regarding the privacy
and security of consumer information are the topic of much
recently proposed or enacted legislative measures. For exam-
ple, proposed regulation, such as the Consumer Internet
Privacy Protection Act of 1999 (H.R. 313), the Online
Privacy Protection Act of 1999 (S. 809), and the Inbox
Privacy Act of 1999 (S. 759), all examine at least one aspect
of online acquisition and disclosure of consumer information.
The recently enacted Children’s Online Privacy Protection
Act of 1998 (16 C.F.R. Part 312), which applies to children
younger than 13 years of age, is even more restrictive in the
disclosure and consumer contact requirements that may be
imposed on certain types of Web sites. Similar legislation has
been proposed regarding Internet security issues such as the
55
E-Privacy Act (S. 2067) and the Secure Public Networks Act
(S. 909), both of which deal with encryption rights and stan-
dards regarding domestic and international e-commerce.
In general, policymakers are tending toward regulations
that make online retailers responsible for disclosing con-
sumer information acquisition, usage, and protection prac-
tices. In fact, disclosure of online information privacy prac-
tices has been the subject of several recent Federal Trade
Commission (FTC) investigations, including one in March
1998 wherein more than 90% of examined Web sites (more
than 1400 in total) collected some type of personal informa-
tion from visitors to their pages. In contrast, only 14% of the
674 commercial Web sites examined provided any type of
notification regarding information collection practices, and
only 2% provided comprehensive privacy policies (FTC
1998d; see also FTC 1999). A more recent examination by
Culnan (1999a) finds that 65.9% of the 361 “.com” Web
sites examined provided at least one type of privacy disclo-
sure (see Culnan 1999b).
Online Retailer Responses to Privacy Concerns
Considering the privacy and security issues raised by gov-
ernment and consumer groups, we now outline three key pri-
vacy concerns and three online retailer methods of dealing
with perceived security problems (Table 1 presents the vari-
ous types of online retailer responses to privacy and security
issues). We then discuss how the disclosure of such infor-
mation may relate to consumer perceptions and intentions.
Online Customer Identification
Of concern to policymakers is whether and to what degree an
online retailer collects personal information from Web site
customers (see Culnan 1995, 1999a). Although several of
the aforementioned legislative efforts advocate full disclo-
sure of information acquisition activities, most information
provided to online businesses is done knowingly by con-
sumers. There exists, however, the ability for online retailers
to identify and gather information on repeat visitors to a Web
site by placing coded information (called “cookies”) on
computer users’ hard drives without their knowledge
(Samuel and Scher 1999). This information may be com-
bined with previously provided personal information to track
patterns of Web site exploration and information search
behavior.2 The concealed nature of this information acquisi-
tion highlights the importance for online retailers to disclose
their use of cookies or similar technologies so that customers
will know to what degree they will be identified when they
return to a particular Web site. Surprisingly, none of the
aforementioned legislation specifically addresses this issue.
Online retailers may offer various levels of responses to
customer identification issues. The most extreme position
2Although Internet users may adjust their Web browsers to reject all or
certain types of cookies or to warn them before a cookie is placed on their
hard drive, many consumers lack knowledge of this function. Furthermore,
several online product ordering systems require the use of cookies to track
selected products so that the purchase process can be carried out. The use
of cookies can enable an Internet user to browse to a particular site and
automatically be presented with information uniquely preferred by that
user, whether by conscious choice (i.e., selected stock quotes or news top-
ics) or by way of marketer analysis of online search and purchase patterns
(i.e., online catalog offerings or banner advertising that correspond to pre-
determined user interests).
56 Internet Privacy and Security
Table 1. Online Retailer Responses to Privacy and
Security Issues
Privacy Issuesa
Online customer identification (including use of cookies)
No policy statement regarding this issue
Identifies customer when customer logs onto site
Identifies customer when customer logs onto site unless cus-
tomer opts out
Identifies customer only if customer requests such identifica-
tion (e.g., “Remember name/password”)
Does not identify customer when customer logs onto site
Unsolicited customer contacts
No policy statement regarding this issue
Uses information to make unsolicited customer contacts
Uses information to make unsolicited customer contacts unless
customer opts out
Uses information to make unsolicited customer contacts only if
requested by customer
Uses information only for internal purposes without contacting
customer
Does not collect any information
Distribution of customer information to third parties
No policy statement regarding this issue
Shares information with other companies
Carefully (cautiously) shares information with other companies
Shares information with other companies unless customer opts
out
Carefully (cautiously) shares information with other companies
unless customer opts out
Shares information with other companies only if requested by
customer
Does not share information with other companies
Does not collect any information
Security Issues
Secure transactions
Online credit card security guarantees
Alternative payment options
aRetailer
responses for privacy issues are ordered from least favorable to
most favorable from a consumer privacy perspective.
(perhaps preferred by strict privacy advocates) is never to
identify customers when they access a site. Alternatively, a
consumer opt-in choice would allow such identification to
occur only if the customer explicitly requests such a practice
(e.g., checking a box that asks the online retailer to “remem-
ber my name and password”). Negative option, or opt-out,
choices, which have been suggested by several legislative
efforts and are often practiced in mail-order marketing
(Milne 1997), enable consumers to prohibit automatic iden-
tification by either checking an opt-out box during initial
registration or separately contacting the online retailer and
requesting that such identification does not occur. An even
less desirable level of response from a consumer privacy
perspective would be constant identification of consumers
as they access the Web site, without an opt-out alternative.
Finally, the response most likely seen by policymakers as
the least favorable is the lack of any communication to the
Internet user regarding the online customer identification
practices of the particular retailer (Brinkley 1998; FTC
1998b).
Unsolicited Customer Contacts
The practice of collecting consumer information for one
purpose and then using that information to make unsolicited
contacts has long been a privacy issue (see Goodwin 1991;
Milne 1997). With respect to the Internet, the majority of
legislative efforts address unsolicited customer contacts as a
common concern for consumers and thus one of two key
issues for regulation. As with online customer identifica-
tion, responses to the unsolicited contact concerns vary as to
the level of privacy protection they offer. At the most favor-
able level (from a privacy perspective), online retailers
would not collect any information from consumers, thus
prohibiting the retailers from making unsolicited contacts. A
similar situation would involve the collection of personally
identifying information combined with the presence of a
policy that the information would not be used for contacting
customers. Opt-in and opt-out policies represent the next
two levels of response; the latter is the most common
response in current direct marketing activities (see Milne
1997).3
Customer Information Distribution
The other key regulatory issue is the degree to which customer
information will be shared (i.e., rented or sold) to third parties
that have marketing-related interests in such data. Though an
important issue in much privacy research (e.g., Culnan 1995;
Goodwin 1991; Milne 1997), this concern has just begun to
receive interest with respect to online shopping, particularly in
light of the aforementioned legislative efforts. Possible online
retailer responses to information distribution concerns are
similar to those listed previously for customer contacts (i.e.,
not collecting information and opt-in and opt-out choices).
One aspect of information disclosure that differs from the cus-
tomer contact issue is that companies may provide assurance
that they will share information selectively, that is, with other
parties that will (1) make offerings to the consumer that will
be of interest to the consumer and/or (2) use responsibly the
information that is shared. These levels of response would pre-
sumably be favored by consumers over more general state-
ments of sharing information. In support of this, Milne (1997)
finds that consumers are more willing to allow the transfer of
personal information when response cards state that personal
information will be provided to “mail-order businesses that
have products or services that we think will be of interest to
you” rather than when response cards state that the informa-
tion will be provided merely to mail-order businesses.
Online Retailer Responses to Security Concerns
A key security concern involved in online shopping pertains
to unauthorized third-party access of consumers’ personal
3Although consumers may have certain rights to opt out of a customer
contact procedure regardless of the disclosure of such a policy, we focus on
disclosure because many consumers have been shown to be unaware of
their rights with respect to database privacy issues and particularly opt-out
procedures (see Rohm and Milne 1998).
 Journal of Public Policy & Marketing
and financial information. Consumer concerns regarding
this issue are highlighted because of publicized security
breaches of online retailer database information, such as
Hallmark’s discovery that consumers’ personal electronic
greeting card messages (on what was likely thought of as a
secure site) were actually available to anyone using the
site’s search engine (CNN 1999). Given that the presence of
online security concerns may curtail purchase behavior, the
alleviation of these concerns would seem to be a key focus
of online retailers. We now discuss three potential online
communication practices presumably designed to reduce
consumers’ security concerns.
Secure Transactions
The protection of the online transaction of information
(whether personal or financial) is a technological issue. Yet
Internet security advocates suggest that retailers provide
consumers with information regarding the safeguarding of
transactions, either with clearly labeled “secure servers” or
prominent links to security policies (Consumer Reports
Online 1998; FTC 1998a). Thus, in addition to the actual
provision of secure transaction technology (e.g., secure
servers, secure sockets layer encryption), online retailers
have been counseled to assuage the concerns of consumers
by communicating the security of their online information
systems.
Online Credit Card Security Guarantees
To diminish consumer security concerns (see National
Consumers League 1999) even further, some online retailers
have implemented consumer guarantees against credit card
fraud that may occur as a result of online divulgence of credit
card information (e.g., Amazon.com’s safe shopping guar-
antee or Wal-mart’s online security guarantee). These guar-
antees, which sometimes reference the Fair Credit Billing
Act (15 U.S.C. §§ 1601–67), typically pledge reimbursement
of unauthorized charges made to a credit card if such charges
resulted from purchasing through the online retailer’s secure
system. Because the maximum retailer liability for such a
guarantee would typically be $50 and because cases of
online credit card fraud from security breaches are reported
as very infrequent, this retail practice would likely serve as a
reasonable method of allaying consumer concerns.
Alternative Payment Options
A key consumer concern of online shopping is the intercep-
tion of credit card information (National Consumers League
1999). A viable retailer response would be the provision of
alternative payment (or ordering) options that enable the
online customer to shift certain components of the transac-
tion to the Internet (e.g., information acquisition, ordering)
while still conducting more vulnerable components (e.g.,
actual payment) offline. Several online retailers offer con-
sumers the opportunity to complete and submit orders
through the Internet, combined with telephone or facsimile
transmission of credit card information. Some Web sites also
suggest mailing, faxing, telephoning, or e-mailing both the
order and the payment if the consumer has concerns over a
complete Web site transaction. Offering alternative payment
methods is not seen as an ideal retailer response, because the
efficiencies of Internet ordering and payment are sacrificed
57
as the percentage of offline purchase transactions increases.
Thus, although this practice may reduce consumer concern,
it may also reduce actual online purchasing.
Privacy and Security Disclosures and Consumer
Behavior
Although efforts to implement mandatory disclosure of the
previous issues and practices are based on a consumer pri-
vacy perspective, the disclosure of privacy and security
information may also be useful from a marketing strategy
perspective. Specifically, if concerns about privacy and
security issues tend to raise risk perceptions and lower pur-
chase likelihoods, higher levels of privacy- and security-
related disclosure may be useful in stemming such concerns.
This, in turn, would be expected to result in lower consumer
risk perceptions and higher purchase likelihoods. Thus, it is
expected that the percentage of Web sites with (1) privacy-
related statements and (2) security-related statements for a
particular shopping category will be negatively related to
consumer risk perceptions regarding online shopping in that
category and would be positively related to consumer online
purchase intentions in that category.
Method and Results
Examination of Web Sites
Web sites for 381 commercial enterprises based in the United
States and targeting U.S. consumers were visited in the first
two months of 1999 and were examined with respect to the
privacy and security issues raised previously. The Web sites
were randomly sampled from three popular shopping portals
(excite.com, yahoo.com, and netscape.com), and each site
was placed into one of 17 shopping categories that appeared
to be the main emphasis of each site’s sales efforts at that
time. The 17 categories were fairly common across the por-
tal sites and represent a broad array of goods. (A list of spe-
cific Web sites is available upon request from the authors.)
Trained researchers accessed each Web page; searched
for any information pertaining to privacy and security
issues; and printed the pages on which this information was
found, pages with links to such information, and the site
home page (i.e., initial starting page). Each Web site was
then coded (see Table 1) by the authors with respect to its
information regarding (1) customer identification (including
the use of cookies), (2) customer contact, and (3) informa-
tion sharing. The sites were also coded according to the
presence or absence of written information regarding (1)
secure transaction systems, (2) credit card fraud guarantees,
and (3) alternative ordering methods.4 Initial coding agree-
ment was high (93% across all variables), and disagree-
ments were resolved by discussion. Although the general
approach used here is comparable to that reported by one of
the FTC’s (1998d) recent studies on e-commerce, the cur-
rent research reports not only the presence of information
privacy and/or security disclosure but also the type and level
of disclosure.
4Third-party endorsements (e.g., seals of approval such as VeriSign,
TRUSTe, and CPA WebTrust) were not examined in this study, nor was the
activation of secure link icons (i.e., a locked padlock or unbroken key),
which appear on popular Web browsers.
58 Internet Privacy and Security

Table 2. Incidence of Privacy- and Security-Related Statements on Commercial Web Sitesa

Consumer
Privacy-Related Statements Security-Related Statements Perceptions
Customer Infor- Secure Alternative Purchase
Shopping Category Identifi- Unsolicited mation Trans- Security Order- Likeli-
(Sample Size) cation Contact Sharing Any action Guarantee ing Any Risk hood
Books (21) 33.3 42.9 42.9 61.9 71.4 19.0 61.9 76.2 2.43 3.73
Clothing (29) 34.5 44.8 44.8 48.3 55.2 10.3 41.4 62.1 3.95 2.27
Computer hardware (13) 61.5 61.5 38.5 69.2 92.3 7.7 53.8 92.3 4.10 2.58
Cosmetics/skin care (36) 16.7 36.1 19.4 38.9 47.2 5.6 52.8 61.1 3.86 1.40
Department stores (14) 64.3 71.4 64.3 71.4 42.9 7.1 28.6 57.1 3.54 2.18
Electronics (12) 58.3 58.3 58.3 75.0 50.0 16.7 33.3 50.0 4.46 2.35
Flowers and gifts (9) 33.3 55.6 55.6 55.6 77.8 0.0 66.7 77.8 3.47 2.77
Food and groceries (13) 23.1 46.2 46.2 46.2 61.5 7.7 61.5 76.9 3.95 1.78
Hair care (15) 20.0 20.0 40.0 46.7 26.7 0.0 40.0 40.0 3.53 1.43
Health foods (25) 16.0 28.0 28.0 32.0 56.0 4.0 72.0 84.0 3.93 1.92
Home decor (27) 7.4 14.8 11.1 22.2 37.0 3.7 51.9 59.3 3.69 1.80
Music (51) 17.6 29.4 25.5 45.1 60.8 3.9 49.0 78.4 3.19 3.64
Office supplies (35) 17.1 20.0 8.6 25.7 28.6 5.7 31.4 45.7 3.25 2.21
Pet supplies (17) 17.6 23.5 17.6 23.5 52.9 0.0 41.2 70.6 3.35 1.28
Rugs and carpets (17) 0.0 5.9 5.9 5.9 11.8 0.0 52.9 52.9 4.10 1.19
Sporting goods (35) 8.6 20.0 17.1 28.6 45.7 2.9 40.0 60.0 3.58 2.16
Toys and games (12) 41.7 75.0 75.0 83.3 83.3 8.3 33.3 83.3 3.57 2.55
Overall (381) 23.1 33.6 29.4 41.5 50.7 5.8 47.5 65.6

aAllnumbers for privacy and security information are percentages of sites within a particular category that gave some type of notification (statement, policy,
and so forth) to consumers regarding the privacy or security issue in question.
bRisk and purchase likelihood numbers represent aggregated means from the consumer survey.

Descriptive Results
The general results show that the disclosure of online pri-
vacy practices has risen since the March 1998 FTC (1998e)
survey and is comparable to the March 1999 survey (Culnan
1999a). Although the 1998 FTC study indicates that 14% of
commercial Web sites made mention of practices related to
consumer information privacy and Culnan (1999a) reports a
65.9% disclosure rate in March 1999, our data
(January/February 1999) show overall disclosure (i.e., the
presence of any type of privacy statement) to be 41.5%.
(Note that direct comparisons across these studies are not
feasible because of differences in the samples used.) We
present the results from the study in Table 2.
For individual types of privacy concerns, disclosure of
practices related to unsolicited customer contact constituted
33.6% (n = 128) of the current sample. Regarding the vari-
ous levels of privacy protection, 19 (5.0%) promised no
unsolicited contacts, 38 (10.0%) contacted only if requested,
60 (15.7%) provided an opt-out alternative, and 11 (2.9%)
stated that contacts would occur but did not give an opt-out
alternative. The remaining 253 (66.4%) sites provided no
information regarding unsolicited consumer contacts.5
The sharing of information with other companies was dis-
closed by only 112 (29.4%) of the examined online retailers.
With respect to privacy protection levels, 65 sites (17.1%)
reported no sharing of consumer information; 2 (.5%)
shared information only if requested by the customer (an
opt-in procedure); 19 (5.0%) carefully shared information
but provided an opt-out alternative, whereas 16 (4.2%)
merely provided the opt-out alternative; 3 (.8%) agreed to
share carefully but had no opt-out procedure; and 7 (1.8%)
merely shared information without further notification. The
remaining 269 sites (70.6%) had no such privacy statement.
Online customer identification procedures had the lowest
disclosure rates: Only 88 sites (23.1%) offered this type of
statement. Nineteen sites (5.0%) explicitly stated that they
never identified customers who access the site, 12 (3.1%)
provided an opt-in alternative, 18 (4.7%) provided an opt-
out alternative, and 39 (10.2%) stated that they identified
customers but did not provide any opt-out alternatives.
With respect to methods of responding to security con-
cerns, 250 sites (65.6%) disclosed at least one of the three
security-related practices described previously. Specifically,
193 (50.7%) indicated that transactions were secure, but

5Of the 381 commercial Web sites in the sample, 88 did not allow a full
purchase transaction—including payment by credit card—to be made over
the Internet. However, many of the sites still allowed nonpayment communi-
cation of personal information, such as asking questions, joining mailing
lists, stating product preferences, and even online ordering with preshipment,
postshipment, or COD billing. Because these sites still collect personal and
some financial consumer information, many privacy advocates contend that
the online retailers should still disclose privacy and security practices.
Nevertheless, we present in this footnote the aggregate privacy and security
figures for only those Web sites that allowed credit card transactions.
Of the 293 sites allowing credit card transactions, 146 (49.8%) had some
type of privacy statement. Disclosure figures for the individual types of pri-
vacy concerns were 118 (40.3%) for unsolicited customer contacts, 102
(34.8%) for customer information distribution, and 82 (28%) for online
customer identification. Regarding security-related statements, 230
(78.5%) had some type of security statement, 192 (65.5%) communicated
the presence of secure transaction systems, 22 (7.5%) had online security
guarantees, and 161 (54.9%) explicitly disclosed alternative payment
methods.
 Journal of Public Policy & Marketing
only 22 (5.8%) guaranteed that security. Finally, 181 sites
(47.5%) explicitly offered alternative purchasing methods.
The disclosure rates varied considerably across shopping
categories. As can be seen in Table 2, Web site categories
such as department stores and toys and games had higher
percentages of privacy statements, whereas lower percent-
ages were found in categories such as home decor and rugs
and carpets.
The Relationship Between E-Retailer Responses
and Consumer Perceptions
To examine whether the prevalence of privacy and security
disclosures relates to consumer perceptions, we compared
the Web site examination detailed previously with a subset
of data from a March 1999 investigation of 160 Internet
users.6 The data are from a pencil-and-paper survey used to
explore consumers’ Internet usage activities and their per-
ceptions regarding online shopping. Among other items not
examined here, the questionnaire included purchase likeli-
hood and risk perception measures for 17 categories of
goods sold online at the time of the study; these categories
matched those used for the Web site examination. Purchase
likelihood for each category was measured with a seven-
point response item that asked how likely respondents were
to make Internet purchases for each shopping category and
was anchored with “very unlikely” (1) and “very likely” (7).
Risk perception was assessed by asking how risky online
purchases are in each category on a scale anchored with “not
risky” (1) and “risky” (7).
To assess the expected relationships, the percentages of
privacy- and security-related statements from the Web site
examination (Columns 5 and 9 of Table 2) were compared
with the risk perceptions and purchase likelihoods from the
consumer survey at the shopping category level.
Spearman’s rank correlations were calculated for each pair
of variables.
Although the prevalence of privacy and security state-
ments was expected to be negatively correlated with risk
perceptions, analyses showed no relationship for either pri-
vacy (rs = –.06, n.s.) or security (rs = –.01, n.s.). However,
the percentage of privacy statements in a category was pos-
itively related (as expected) to category-level online pur-
chase likelihoods (rs = .65, p < .01). Likewise, the percent-
age of security statements in a category was positively
related to online purchase likelihoods (rs = .44, p < .05).7
Discussion
In addition to providing a comparison point with FTC-
related research, the present examination of commercial
6Respondents were randomly solicited in a major international airport of
a large U.S. city (the effective response rate was 84.7%). See Miyazaki and
Fernandez (2000) for survey details, including sample characteristics.
7In support of our previous suggestion that alternative ordering methods
may not be as effective in increasing online ordering as the other security
information disclosures, the Spearman’s rank correlation between alterna-
tive ordering methods and purchase likelihoods was nonsignificant (rs =
.06), whereas the correlation between the rate that either of the other secu-
rity statements appeared and purchase likelihoods was significant (rs = .65,
p < .01).
59
Web sites delves further into Internet privacy and security
issues by examining the degree of favorableness of actual
online retailer practices from a privacy policy perspective.
In addition, by integrating data from a consumer survey, we
show that a positive relationship exists between the percent-
age of privacy- and security-related statements on Web sites
for particular online shopping categories and consumers’
online purchase likelihoods for those categories.8
Limitations and Future Research Directions
Although the examination presented here is helpful for
understanding disclosure practices of online retailers, sev-
eral limitations should be addressed in further research.
First, the rapid growth of the Internet and online shopping
practices makes published research such as this dated by the
time of publication. The examination of online disclosure
practices should be an ongoing research effort, particularly
with respect to how such practices may affect consumer per-
ceptions. A second limitation involves the measure of per-
ceived risk used in the consumer survey. More-specific
measures of perceived risk would aid in understanding how
consumers perceive the various dimensions of risk with
respect to online shopping. For example, various risk
dimensions may be more salient depending on the product
category that is being considered for online purchase.
Finally, instead of examining only perceived risk toward
general online shopping, specific assessments of risk regard-
ing privacy, online retailer fraud, and the security of online
transaction systems would be helpful for understanding
those aspects that may be influenced by online disclosures.
There are several directions that future policy-related
marketing research can take to advance knowledge that will
be beneficial to both consumers and businesses. For exam-
ple, much of the proposed legislation is targeted toward
mandatory disclosures of online retailers’ collection, use,
and dissemination of consumer data. These disclosures are
often seen by policymakers as necessary information tools
so that consumers can operate with more complete knowl-
edge of retailer practices (Andrews 1998). The same disclo-
sures may be seen by retailers as an opportunity to reduce
consumer concerns regarding privacy issues. An approach
suggested by Milne and Boza (1999) uses concepts from
relationship marketing to focus online retailer responses to
privacy and security issues so that these responses empha-
size the development and improvement of trust between
marketers and consumers. Thus, instead of focusing on con-
cerns, the focus shifts to trust, which Milne and Boza
describe as a distinct approach to managing potential pri-
vacy issues regarding database management (cf. Milne and
Gordon 1993). Because the method or format of information
disclosures can affect consumer perceptions and behavior
(e.g., Sprott, Hardesty, and Miyazaki 1998), research that
examines how such approaches can satisfy new legislative
requirements would be helpful. Consumers would receive
8Although the prevalence of privacy- and security-related disclosures
was not found to be related to category-level risk perceptions, this may
have been an artifact of the diversity in the dimensions of risk that each
product category may invoke. Considering that our one-item risk percep-
tion measure was generic, any such variance in the dimension of risk con-
sidered by consumers when responding to each category could have hin-
dered the findings.
60 Internet Privacy and Security
the disclosures required by policymakers, and marketers
would enjoy the benefits of increased effectiveness from a
managerial perspective.
Although several legislative efforts appear to be directed
at e-commerce, policymakers should continue to evaluate
not only online practice and consumer perceptions but also
expert opinion regarding the seriousness of threats such as
undisclosed customer identification and tracking—two
issues that have received little attention in pending legisla-
tion. In addition, privacy and security concerns may have
differential effects on consumer perceptions and behavior,
perhaps complicating policymakers’ efforts to inform con-
sumers of unsafe online practices while still avoiding
unnecessary deceleration of Internet adoption rates. As
such, the barrage of privacy and security warnings issued to
consumers may have mixed effects on consumer confi-
dence, particularly as the Internet becomes perceived as a
necessary element of modern life.
An additional concern is the direction in which legislation
is headed. Petty (1998) contends that though there will be
continued efforts to reduce deceptive practices, the emerg-
ing focus will be on reducing unfairness, particularly as it
applies to the targeting of potentially vulnerable audi-
ences—a practice that will be increasingly easy to facilitate
as Internet-related database information grows.
As the popularity of the Internet continues to rise, the pri-
vacy and security issues discussed here will inevitably
change. Future alternatives to credit cards, such as elec-
tronic money or “e-cash” (Rothfeder 1997), are unlikely to
relieve consumer concerns regarding privacy and security.
Similarly, online credit card guarantees, though calming
some system security worries, may do little to resolve pri-
vacy concerns. Conversely, third-party endorsers, such as
TRUSTe, Better Business Bureau Online, or Web
Assurance Bureau, may be useful in building trust between
consumers and participating online retailers with respect to
privacy but may not resolve security issues. The introduc-
tion of security-related seals of approval, however, such as
VeriSign and CPA WebTrust, may resolve this concern. In
summary, the solution to many of these matters, from both
privacy and security perspectives, will likely derive from a
combination of strategic actions, such as guarantees or
endorsements, and the incorporation of various theoretical
approaches, such as building trust and adhering to implied
social contracts.
References
Andrews, J. Craig (1998), “Warnings and Disclosures: Special
Editor’s Note,” Journal of Public Policy & Marketing, 17
(Spring), 1–2.
Bloom, Paul N., George R. Milne, and Robert Adler (1994),
“Avoiding Misuse of New Information Technologies: Legal and
Societal Considerations,” Journal of Marketing, 58 (January),
98–110.
Brinkley, Joel (1998), “F.T.C. Surfs the Web and Gears Up to
Demand Privacy Protection,” New York Times, (September 21),
1, 4.
Briones, Maricris G. (1998), “Internet Innovations—and Privacy
Issues—Remain Marketing’s Biggest Story,” Marketing News,
(December 7), 1, 16.
Chonko, Lawrence B. (1995), Ethical Decision Making in
Marketing. Thousand Oaks, CA: Sage Publications.
CNN (1999), “A Hallmark Nightmare: Online Glitch Makes
Intimate Messages Public,” CNN Interactive, (February 12),
(accessed February 12), [available at http://cnn.com/US/9902/
12/romeos.revealed.ap].
Consumer Reports Online (1998), “Some Bits and Bytes of
Consumer-Friendly Sites,” special report, (accessed February
18), [available at http://www.consumersunion.org/Special/
Samples/Reports/9812shp2.htm].
Culnan, Mary J. (1995), “Consumer Awareness of Name Removal
Procedures: Implications for Direct Marketing,” Journal of
Direct Marketing, 9 (Spring), 10–19.
——— (1999a), “Georgetown Internet Privacy Policy Survey:
Report to the Federal Trade Commission,” (June), (accessed
July 27), [available at http://www.msb.edu/faculty/culnanm/
gippshome.html].
——— (1999b), “Privacy and the Top 100 Web Sites: Report to
the Federal Trade Commission,” prepared for the Online Privacy
Alliance, (June), (accessed November 22), [available at
http://www.privacyalliance.org/resources/100_summary.shtml].
Cyberspace Law Institute (1999), “The Public Policy Problems of
the Internet,” (accessed January 28), [available at http://www.
cli.org/selford/problems.htm].
Ernst & Young (1999), “Second Annual Internet Shopping
Survey,” (accessed August 2), [available at http://www.ey.com/
industry/consumer/internetshopping].
Federal Trade Commission (1998a), “Consumer Privacy on the
World Wide Web,” prepared statement presented to the
Subcommittee on Telecommunications, Trade and Consumer
Protection of the House Committee on Commerce, U.S. House
of Representatives, Washington, DC (July 21).
——— (1998b), “Cybersmarts: Tips for Protecting Yourself When
Shopping Online,” (July 1998), (accessed January 29), [available
at http://www.ftc.gov/bcp/conline/pubs/online/cybrsmrt.htm].
——— (1998c), “Fraud Could Slow Growth of Electronic
Commerce,” FTC Press Release (June 25), FTC File No. P97-
4406. Washington, DC: Federal Trade Commission.
——— (1998d), “FTC Releases Report on Consumers’ Online
Privacy,” FTC Press Release (June 4), FTC File No. 954-4807.
Washington, DC: Federal Trade Commission.
——— (1998e), Internet Privacy, prepared statement presented to
the Subcommittee on Courts and Intellectual Property of the
House Committee on the Judiciary, U.S. House of
Representatives, Washington, DC (March 26).
——— (1999), FTC International Web Survey: Disclosure of
General Business and Contract-Related Information by Online
Retailers, presented at U.S. Perspectives on Consumer
Protection in the Global Electronic Marketplace public work-
shop, (June 8–9), (accessed November 22), [available at
http://www.ftc.gov/bcp/icpw/index.htm].
Folkers, Richard (1998), “Jimmying the Internet: Why the U.S.
Encryption Standard Is Very Vulnerable,” U.S. News & World
Report, (September 14), 45–46.
Foxman, Ellen R. and Paula Kilcoyne (1993), “Information
Technology, Marketing Practice, and Consumer Privacy: Ethical
Issues,” Journal of Public Policy & Marketing, 12 (Spring),
106–19.
Goodwin, Cathy (1991), “Privacy: Recognition of a Consumer
Right,” Journal of Public Policy & Marketing, 19 (Spring),
149–66.
 Journal of Public Policy & Marketing
Hoffman, Donna L. and Thomas P. Novak (1996), “Marketing
in Hypermedia Computer-Mediated Environments:
Conceptual Foundations,” Journal of Marketing, 60 (July),
50–68.
Holstein, William J., Susan Gregory Thomas, and Fred Vogelstein
(1998), “Click ‘Til You Drop,” U.S. News & World Report,
(December 7), 42–45.
Jones, Mary Gardiner (1991), “Privacy: A Significant Marketing
Issue for the 1990s,” Journal of Public Policy & Marketing, 10
(Spring), 133–48.
Judge, Paul C. (1998), “How Safe Is the Net?” BusinessWeek,
(June 22), 148–52.
Machrone, Bill (1998), “Trust Me?” PC Magazine, (June 9), 85.
Milne, George R. (1997), “Consumer Participation in Mailing
Lists: A Field Experiment,” Journal of Public Policy &
Marketing, 16 (Fall), 298–309.
——— and María-Eugenia Boza (1999), “Trust and Concern in
Consumers’ Perceptions of Marketing Information Management
Practices,” Journal of Interactive Marketing, 13 (1), 5–24.
——— and Mary Ellen Gordon (1993), “Direct Mail Privacy-
Efficiency Trade-Offs Within an Implied Social Contract
Framework,” Journal of Public Policy & Marketing, 12 (Fall),
206–13.
61
Miyazaki, Anthony D. and Ana Fernandez (2000), “Consumer
Perceptions of Privacy and Security Risks for Online Shopping,”
working paper, Marketing Department, University of Miami.
National Consumers League (1999), “Consumers in the 21st
Century,” (May 19), (accessed August 2), [available at
http://www.natlconsumersleague.org/FNLSUM1.PDF].
Petty, Ross D. (1998), “Interactive Marketing and the Law: The
Future Rise of Unfairness,” Journal of Interactive Marketing, 12
(Summer), 21–31.
Rohm, Andrew J. and George R. Milne (1998), “Emerging Marketing
and Policy Issues in Electronic Commerce: Attitudes and Beliefs of
Internet Users,” in Marketing and Public Policy Proceedings, Vol.
8, Alan Andreasen, Alex Simonson, and N. Craig Smith, eds.
Chicago: American Marketing Association, 73–79.
Rothfeder, Jeffrey (1997), “No Privacy on the Net,” PC World,
(February), 223–29.
Samuel, Alexandra and Abby Scher (1999), “Cookies Are Not So
Sweet—Online Database Marketing,” Dollars & Sense,
(January/February), 7.
Sprott, David E., David M. Hardesty, and Anthony D. Miyazaki
(1998), “Disclosure of Odds Information: An Experimental
Investigation of Odds Format and Numeric Complexity,”
Journal of Public Policy & Marketing, 17 (Spring), 11–23.