Author(s): Chris Jay Hoofnagle
Abstract: Many online privacy problems are rooted in the offline world, where businesses are free to sell consumers' personal information unless they voluntarily agree not to or where a specific law prohibits the practice. In order to gauge Californians' understanding of business practices with respect to the selling of customer data, we asked a representative sample of Californians about the default rules for protecting personal information in nine contexts. In six of those contexts (pizza delivery, donations to charities, product warranties, product rebates, phone numbers collected at the register, and catalog sales), a majority either didn't know or falsely believed that opt-in rules protected their personal information from being sold to others. In one context - grocery store club cards - a majority did not know or thought information could be sold when California law prohibited the sale. Only in two contexts - newspaper and magazine subscriptions and sweepstakes competitions - did our sample of Californians understand that personal information collected by a company could be sold to others.
Respondents who shopped online were less likely to say that they didn't know the answer to the nine questions asked than those who never shopped online. In about half of the cases, those who shopped online answered correctly more often than those who do not shop online.
Professor Alan Westin has pioneered a popular "segmentation" to describe Americans as fitting into one of three subgroups concerning privacy: privacy "fundamentalists" (high concern for privacy), "pragmatists" (mid-level concern), and the "unconcerned" (low or no privacy concern). When compared with these segments, Californians are more likely to be privacy pragmatists or fundamentalists, and less likely to be unconcerned about privacy. Fundamentalists were much more likely to be correct in their views of privacy rules. In light of this finding, we question Westin's conclusion that privacy pragmatists are well served by self-regulatory and opt-out approaches, as we found this subgroup of consumers is likely to misunderstand default rules in the marketplace.
Keywords: Privacy, market, self-regulation, consumer protection, profiling, opt-in, opt-outLink: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1133075