Enforced Standards Vs. Evolution by General Acceptance: E-Commerce Privacy Disclosure and Practice in US and UK K. Jamal, M. Maier and S. Sunder February 11, 2004
Jan 20, 2016
Law or Social Norms
Posner (1997): Law should be conservative and should codify existing norms
Sunstein (1996), Lessig (1998): Law should be activist and help shape social norms
Ellickson (1991): People ignore laws which are inconsistent with social norms
Mailath, Morris, and Postlewaite (2001): If laws do not change payoffs directly, they are “cheap talk,” and can only affect behavior because people have coordinated beliefs about the effects of the law
In Accounting
Under the Securities and Exchange Commission, seven decades of increasingly codified “legal” approach to financial reporting
Addressing problems by creating or modifying rules, and institutions to write new rules
Recent events (Enron, etc.) and Sarbanes-Oxley may have accelerated that trend (PCAOB, IASB)
How do we measure how good the financial reports are? Thickness of the rulebook?
What do we know about the consequences of codification?
E-Commerce
Our primary interest is in financial reporting; e-commerce presents an opportunity to address some issues that are interesting in themselves as well as relevant to accounting
Compare the state of e-commerce privacy under quite different approaches used contemporaneously in US and UK
E-Commerce Privacy
U.S. has permitted e-commerce to develop its own privacy norms with little legislation and no required audit
US privacy legislation covers financial and medical records
EU has taken an activist approach: codification and legal enforcement
UK Data Protection Act 1984 (Amended in 1998 for compliance with the EU Directive on Data Protection, 1995)
SCHEDULE 1: THE DATA PROTECTION PRINCIPLES PART I: THE PRINCIPLES
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless- (a) at least one of the conditions in Schedule 2 is met (requirements of informed consent), and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Enforcement Activity by the UK Information Commissioner (1997-2002)
| Measure | 1997/98 | 1998/99 | 1999/00 | 2000/01 | 2001/02 |
|---|---|---|---|---|---|
| Total Budget | £3,661,690 | £4,190,489 | £4,721,666 | £5,280,860 | £8,244,982 |
| Number of Staff | 109 | 118 | 114 | 126 | 157 |
| Number of Phone Inquiries | 48,337 | 48,549 | 55,070 | 55,125 | 56,982 |
| Total Complaints Received | 4,178 | 3,653 | 5,166 | 8,875 | 12,479 |
| Visits - Business Premises | 471 | 700 | 388 | 480 | 448 |
| Visits - Dwellings | 313 | 319 | 199 | 235 | 411 |
| Witness Statements Obtained | 378 | 433 | 346 | 355 | 375 |
| Interviews Under Caution | 136 | 216 | 98 | 144 | 58 |
| Court Prosecutions | 38 | 59 | 145 | 23 | 66 |
| Court Convictions (Guilty) | 38 | 55 | 130 | 21 | 33 |
Key Findings: Under EU Law
Quality of Privacy Disclosure is lower (Compliance Oriented)
No market for privacy audit has developed (Web-seals in US)
No difference in spam generated by visits to e-commerce sites (most spam is generated elsewhere)
Misbehavior by a comparatively small number of outliers who violate the privacy of customers with impunity
Focus on Two Features of E-Commerce Privacy
Notice-Awareness: Participants receive notice of an entity’s privacy practices before they provide information
Choice-Consent: Participants have choices about how their information is used (especially for secondary purposes)
Three Features not examined in this study: Access-Participation; Integrity-Security; and Enforcement-Redress.
Part 1: Audit and Disclosure Practices
Visit top 100 e-commerce websites in US (56 in UK) to detect evidence of audit (web-seals)
Read and tabulate the stated privacy policies and disclosures of individual e-commerce sites
Program a “Web-Crawler” to visit the 100 web-sites in U.S. (56 in UK) five times over a one week period and record cookies (including 3rd party cookies) used by these sites
Review privacy policy for cookie usage disclosure and consistency with practice
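The crawler step and the consistency check that follows it can be expressed as a small audit routine. The code below is an added example, not the study's own crawler: it takes the (response URL, Set-Cookie header) pairs a crawler would log on each visit, classifies every cookie as first- or third-party by comparing registrable domains, merges the cookies seen across repeated visits, and compares the result with what the site's privacy policy discloses. The site names, cookies and policy flags are constructed, and the registrable-domain rule (last two labels plus a short allow-list of two-label suffixes such as co.uk) is a simplification standing in for the Public Suffix List.

```python
"""Classify cookies recorded by a crawler as first- or third-party and check
them against the site's stated cookie disclosure.

Added example (not the study's own crawler).  A crawler that logs every HTTP
response while loading a page yields (response URL, Set-Cookie header) pairs;
this module classifies each cookie by comparing the registrable domain of the
cookie's scope with that of the page visited.  The registrable-domain rule
here is a simplification of the Public Suffix List; all site names, cookies
and policy flags below are constructed.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed allow-list of two-label public suffixes (a real tool would use
# the full Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a host under the simplified suffix rule above."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass(frozen=True)
class CookieObservation:
    page: str            # page the crawler was loading
    name: str            # cookie name
    set_by: str          # host of the response that carried Set-Cookie
    scope: str           # Domain attribute, or the setting host if absent
    third_party: bool    # scope's registrable domain differs from the page's


def classify(page_url: str, response_url: str, set_cookie: str) -> list:
    """Parse one Set-Cookie header and classify the cookie(s) it sets."""
    page_host = urlsplit(page_url).hostname
    resp_host = urlsplit(response_url).hostname
    jar = SimpleCookie()
    jar.load(set_cookie)
    observations = []
    for name, morsel in jar.items():
        scope = (morsel["domain"] or resp_host).lstrip(".")
        third = registrable_domain(scope) != registrable_domain(page_host)
        observations.append(CookieObservation(page_url, name, resp_host, scope, third))
    return observations


def audit_site(page_url: str, visits: list, disclosed: dict) -> dict:
    """Merge cookies seen across repeated visits and compare with disclosure.

    `visits` is a list (one entry per visit) of (response_url, set_cookie)
    pairs; `disclosed` records what the privacy policy says, e.g.
    {"cookies": True, "third_party_cookies": False}.
    """
    seen = {}
    for visit in visits:
        for response_url, header in visit:
            for obs in classify(page_url, response_url, header):
                seen.setdefault((obs.name, obs.scope), obs)
    third_party = [o for o in seen.values() if o.third_party]
    report = {
        "first_party_cookies": len(seen) - len(third_party),
        "third_party_cookies": len(third_party),
        "third_party_domains": sorted({registrable_domain(o.scope) for o in third_party}),
        "undisclosed": [],
    }
    if seen and not disclosed.get("cookies", False):
        report["undisclosed"].append("cookies")
    if third_party and not disclosed.get("third_party_cookies", False):
        report["undisclosed"].append("third_party_cookies")
    return report


# Constructed crawl log for a hypothetical shop visited five times; the tracker
# cookie only appears on some visits, which is why repeated visits matter.
SAMPLE_PAGE = "https://www.example-shop.com/"
SAMPLE_VISITS = [
    [("https://www.example-shop.com/", "session=abc123; Path=/; Secure; HttpOnly")],
    [("https://www.example-shop.com/", "session=def456; Path=/; Secure; HttpOnly"),
     ("https://cdn.example-shop.com/app.js", "pref=en; Domain=.example-shop.com; Path=/")],
    [("https://www.example-shop.com/", "session=ghi789; Path=/; Secure; HttpOnly"),
     ("https://ads.tracker-example.net/pixel.gif", "uid=xyz; Domain=.tracker-example.net; Path=/")],
    [("https://www.example-shop.com/", "session=jkl012; Path=/; Secure; HttpOnly")],
    [("https://ads.tracker-example.net/pixel.gif", "uid=xyz; Domain=.tracker-example.net; Path=/")],
]
# Constructed disclosure: the policy mentions cookies but not third parties.
SAMPLE_POLICY = {"cookies": True, "third_party_cookies": False}


def run_sample() -> dict:
    """Audit the constructed site; flags the undisclosed third-party cookie."""
    return audit_site(SAMPLE_PAGE, SAMPLE_VISITS, SAMPLE_POLICY)


if __name__ == "__main__":
    print(run_sample())
```

Cookies are de-duplicated on (name, scope) rather than on value, so a session cookie that changes on every visit counts once while a third-party identifier that appears on only one of the five visits is still caught; that is the reason for repeating the crawl rather than loading each site once.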
Results: Audit Practices
In US, four vendors BBB Online, Truste, WebTrust (AICPA-CICA), and BetterWeb (PricewaterhouseCoopers) offered this audit service
Written standards of the first two are more stringent than the last two
The prices of BBB Online and Truste are much lower ($7,000-100,000)
No data on actual compliance testing by these auditors
No evidence of race to the bottom
In US, 34 out of 100 websites had purchased web-seals (30 Truste, 2 BBB Online, 2 both, no Better-Web or WebTrust)
In UK, no providers or displays of web-seals
Web-Seal Providers: Prices and Market Shares
| Web-Seal | Number of Clients (Dec. 2001) | Price of Audit |
|---|---|---|
| Truste | 1830 | $399-8,999 (revenue based) |
| BBB Online | 851 | <= $7,000 (revenue based) |
| Better-Web (PWC) | 100 | $15,000 (flat rate) |
| WebTrust (AICPA-CICA) | 28 | >$100,000 (full audit) |
Market for Audit
Does regulation suppress demand for voluntary audit?
Are accounting standards and auditing substitutes? Under US securities regulation, accounting standards and auditing are frequently treated as if they are complements
Does mandatory audit eliminate the potential use of audit as an informative signal from management to investors?
Why is the audit with “more demanding” standards priced lower?
Little evidence of “race to the bottom” among competing standards
Why does the accounting profession (AICPA / CICA) fail in the e-commerce privacy audit market?
Quality of Privacy Policy Disclosure
In the U.S., privacy policies are:
Posted (100% / 95%)
Easy to find (100% / 92% one click away)
Disclose cookie usage (100% / 86%)
Disclose 3rd party cookie usage (97% / 63%)
In the U.K., privacy policies are:
Posted (77%)
Harder to find (70% one click away)
Cookies (80%), 3rd party cookie (96%)
Less disclosure on secondary uses of data
Privacy Policy Disclosures: Use of 3rd Party Cookies
In U.S. 79% of Websites allow 3rd Parties to Use Cookies to Track Visitors
In U.K. only 50% Allow 3rd Parties To Track Visitors
Summary of Privacy Disclosure: UK Compared to US
No Private Audit
Harder-To-Find Privacy Policies and Generally Poorer Disclosure
Less Use of 3rd Party Cookies
Part 2: Choice-Consent Study
Create 100 Simulated identities and register on Top 100 US web-sites --- “OPT-IN”
Create another 100 simulated identities and register on the same 100 US web-sites – but this time we “OPT-OUT”
Compare e-mail, mail, phone calls for the following 6 month period
In UK, followed the same procedure for 56 websites, one year later
Postal Mail and Phone Calls
Basically Close to “0” in Both U.S. and U.K. – Can solve the problem of Spam by a small e-Mail Postage?
E-commerce website visits do not generate junk-phone calls (This could Change With New “Do Not Call” Phone List)
[Figure: Mean Weekly E-Mail Messages, by week number (1-26); y-axis 0-16 messages; series: OPT-IN UK, OPT-IN US, UK OPT-IN w/o outlier, US OPT-IN w/o outlier, UK OPT-OUT, US OPT-OUT]
[Figure: Cumulative Message Volume from Volume Ranked Sites (Opt-in); x-axis: site ranked by number of messages; y-axis: cumulative share, 0.5 to 1; series: UK OPT-IN (40 sites), US OPT-IN (69 sites)]
[Figure: Cumulative Message Volume from Volume Ranked Sites (Opt-Out); x-axis: site ranked by number of messages; y-axis: cumulative share, 0.5 to 1; series: UK OPT-OUT (24 sites), US OPT-OUT (40 sites)]
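The quantities behind the three charts of the choice-consent study (mean weekly messages with and without the outlier site, cumulative volume from volume-ranked sites, and the opt-in versus opt-out comparison) can be computed from a per-site, per-week message log. The code below is an added example, not the study's own analysis; the site labels, weekly counts and the outlier rule (a site sending more than five times the median site total) are constructed so that the data reproduce the pattern the slides describe, with one site sending most of the mail and continuing to mail identities that opted out.

```python
"""Summarise mail received by opt-in and opt-out simulated registrants.

Added example, not the study's own analysis.  Each cohort is a dict mapping a
site label to the number of messages that site sent to the cohort's
identities in each week of the observation window.  The data are constructed
to show the pattern the slides report: one outlier site sends most of the
mail and keeps mailing after opt-out.
"""
from statistics import median

# Constructed per-site weekly message counts over a six-week window.
OPT_IN = {
    "site-A": [1, 1, 2, 1, 1, 2],
    "site-B": [0, 1, 0, 1, 0, 1],
    "site-C": [0, 0, 1, 0, 0, 0],
    "site-X": [10, 12, 15, 14, 13, 16],   # the outlier
}
OPT_OUT = {
    "site-A": [0, 0, 0, 0, 0, 0],
    "site-B": [0, 0, 1, 0, 0, 0],
    "site-C": [0, 0, 0, 0, 0, 0],
    "site-X": [8, 9, 10, 9, 11, 10],      # keeps mailing despite opt-out
}


def site_totals(cohort: dict) -> dict:
    """Total messages per site over the window."""
    return {site: sum(weeks) for site, weeks in cohort.items()}


def weekly_messages(cohort: dict, exclude=()) -> list:
    """Messages received per week, summed over sites (optionally excluding some)."""
    sites = [s for s in cohort if s not in exclude]
    n_weeks = len(next(iter(cohort.values())))
    return [sum(cohort[s][w] for s in sites) for w in range(n_weeks)]


def outliers(cohort: dict, factor: float = 5.0) -> list:
    """Sites whose total exceeds `factor` times the median site total.

    Constructed rule; with a zero median every site that mails at all counts.
    """
    totals = site_totals(cohort)
    med = median(totals.values())
    return sorted(s for s, t in totals.items() if t > factor * med)


def cumulative_share(cohort: dict) -> list:
    """Sites ranked by volume with the running fraction of all messages."""
    ranked = sorted(site_totals(cohort).items(), key=lambda kv: kv[1], reverse=True)
    grand = sum(t for _, t in ranked)
    running, curve = 0, []
    for site, t in ranked:
        running += t
        curve.append((site, running / grand if grand else 0.0))
    return curve


def sites_for_share(cohort: dict, target: float) -> int:
    """How many top-ranked sites account for at least `target` of all messages."""
    for rank, (_, share) in enumerate(cumulative_share(cohort), start=1):
        if share >= target:
            return rank
    return len(cohort)


def opt_out_respected(opt_in: dict, opt_out: dict, tolerance: float = 0.5) -> dict:
    """Per site: did opting out cut its mail to at most `tolerance` of opt-in volume?"""
    return {
        site: sum(opt_out.get(site, [])) <= tolerance * sum(weeks)
        for site, weeks in opt_in.items()
    }


if __name__ == "__main__":
    bad = outliers(OPT_IN)
    print("weekly, all sites:     ", weekly_messages(OPT_IN))
    print("weekly, w/o outliers:  ", weekly_messages(OPT_IN, exclude=bad))
    print("sites for 80% of mail: ", sites_for_share(OPT_IN, 0.8))
    print("opt-out respected:     ", opt_out_respected(OPT_IN, OPT_OUT))
```

Dropping the outlier from the weekly series is what the “w/o OUTLIER” curves do; the cumulative-share curve is the same ranking the two “Volume Ranked Sites” charts plot, and the opt-out comparison isolates the sites for which the consent choice made no difference.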
Summary: Choice/Consent Study
EU Law Provided No Protection From Spam
Most e-commerce spam originates from a few “outliers” in both U.S. and U.K.
Concluding Remarks
Voluntary e-commerce privacy reporting norms and audit mechanisms evolving without regulation in U.S. through competition
Threat of US legislation may have had a role
Most US merchants highlight their privacy policies to attract business
In U.K. privacy disclosure is oriented to compliance with the law, not marketing
Not clear if regulation and enforcement protects consumers from a small number of scofflaws in e-commerce
Or in Accounting…
Consider Enron, WorldCom, etc.
Endogeneity of accounting practices
Given the accounting rules, what can I get away with
Harder the rules, easier to bypass (e.g., lease accounting)
Raising punishment also increases incentives to incur costs to avoid being caught
Rule-makers are always a few years behind
Statutes
Formal enforcement
Precise definitions
Salient
Come into force at a known time
Enacted through known institutional process
Modified through the institutional process
Transparency
Appeal in democratic polity
Good housekeeping: Let’s make the rules clear
Social Conventions
Not well defined
Vary in time and space
Need extended socialization to learn and understand
Penumbra of uncertainty
Incomplete overlap among individual beliefs
Slow, almost imperceptible evolution
Appear less transparent
Scandals mock existing institutions and norms
Default to formal rules and standards
Evolution of Financial Reporting
With every scandal, new emphasis on codification of accounting rules
Public image of “precision” in accounting (down to the last penny)
Regulation proposed to address market failures
Failure of government/regulation receives less attention
Problems of Setting Accounting Standards
What is a good rule?
Information problem
Design problem
Gaming problem
Signaling problem
Caveats
We are careful registrants; less careful consumers might be more susceptible to unintended violations of privacy
Our registrants were relatively passive
We limited our study to mainstream businesses (no adult sites), making our sample “unrepresentative” in a sense