
DOI: 10.1111/j.1475-679x.2004.00163.x
Journal of Accounting Research

Vol. 43 No. 1 March 2005
Printed in U.S.A.

Enforced Standards Versus Evolution by General Acceptance: A Comparative Study of E-Commerce Privacy Disclosure and Practice in the United States and the United Kingdom

KARIM JAMAL,∗ MICHAEL MAIER,† AND SHYAM SUNDER‡

Received 28 July 2003; accepted 13 August 2004

ABSTRACT

We present data on privacy practices in e-commerce under the European Union’s formal regulatory regime prevailing in the United Kingdom and compare it with the data from a previous study of U.S. practices that evolved in the absence of government laws or enforcement. The codification by the E.U. law, and the enforcement by the U.K. government, improves neither the disclosure nor the practice of e-commerce privacy relative to the United States. Regulation in the United Kingdom also appears to stifle development of a market for Web assurance services. Both U.S. and U.K. consumers continue to be vulnerable to a small number of e-commerce Web sites that spam their customers, ignoring the latter’s expressed or implied preferences. These results raise important questions about finding a balance between enforced standards and conventions in financial reporting. In the second half of the 20th century, financial reporting has been characterized by both a preference for legislated standards and a lack of faith in its evolution as a body of social conventions. Evidence on whether this faith in standards over conventions is justified remains to be marshaled.

∗University of Alberta; †University of Iowa; ‡Yale University. Discussions with John Dickhaut, Paul Healy, and Joel Reidenberg on our earlier work led to the present study and are gratefully acknowledged. Assistance from Michael Barrett in setting up the experiment in the U.K. is gratefully acknowledged. We also thank workshop participants at University of Alberta, Hong Kong University of Science and Technology, University of Houston, Yale University, and University of Waterloo Symposium on Information Systems Assurance for comments on earlier drafts. The authors alone are responsible for the article.

73

Copyright ©, University of Chicago on behalf of the Institute of Professional Accounting, 2005

74 K. JAMAL, M. MAIER, AND S. SUNDER

That government is best which governs least. Thoreau [1894/1906]

The rise and fall of government regulation challenges both sides in the debate over the proper role of government and business in protecting people against various risks. Leaving business to its own devices is suspect for reasons suggested by horror stories such as the exploding Ford Pinto. The “failures” of the free market are well recognized. Consumers frequently lack information. Businesses often lack the incentive to internalize “external costs” such as pollution. The costs of organizing collective interests can be prohibitive; and without the watchful eye of regulatory inspectors, the unscrupulous lack a powerful reason for self-restraint. But, as the revolt against regulation reveals, government regulation has its own serious shortcomings. As Charles Wolf points out, the “failures” of non-market arrangements parallel those of the free market. Many regulatory agencies are plagued by adversariness and delay. Regulations are often slow in coming but quick to court. These regulations can be inflexible and unreasonable. As a result, the political debate over protective regulation has reached an impasse. Proponents of government regulation appeal to well-founded fears of laissez-faire arrangements, while supporters of the private sector appeal to similarly substantiated concerns about regulatory bureaucracy. Cheit [1990, p. 3]

1. Introduction

This study reports results of a comparative field study of two divergent approaches to regulating e-commerce privacy practices in the United States and the United Kingdom. Although in the United Kingdom (and in the European Union), Internet privacy is governed by statutes and formal enforcement, in the United States, this subject has been left largely to evolution of industry norms and voluntary compliance. We examine the differences in privacy policies, their disclosure, and the observable consequences for consumers under these two regimes.

The evidence from our study has relevance for some key issues regarding accounting standard setting and enforcement in the United States and in the international community. During the seven decades since the creation of the Securities and Exchange Commission (SEC), the concept of Generally Accepted Accounting Principles (GAAP) has gradually, but steadily, and without much explicit debate, shifted from evolved social conventions toward legislated standards. Informal sanctions and reinforcements that sustain the evolution and effectiveness of social conventions have gradually been replaced by formal surveillance and penalties, backed by regulatory power to enforce the legislated standards. This fundamental shift in financial reporting regime, initiated in the United States, has gradually spread to most parts of the world. The London-based International Accounting Standards Board (IASB, note the parallel with the Financial Accounting Standards Board [FASB] implicit in the nomenclature), which hopes to have its standards accepted around the globe, is an example of the broad acceptance of the idea that legislated standards, backed by governmental power of enforcement, is a preferred financial reporting regime. Social conventions, supported only by informal sanctions and market consequences, are not in fashion at the turn of this century.

E-COMMERCE PRIVACY DISCLOSURE AND PRACTICES 75

This broad movement toward reliance on institutions to write and enforce financial reporting standards has been accompanied by surprisingly little theoretical or empirical analysis of their possible merits relative to the evolutionary approach. Such analyses could be facilitated by comparing deliberately designed mechanisms or legislated standards on the one hand, and evolved norms on the other. Hayek’s [1973, chap. 1] comparison of designed and evolved mechanisms is a good example.

Some recent law and economics literature addresses the relationship between formal regulation (by law) and various informal or social modes of regulation (e.g., Posner [2003]). There is an implicit assumption in this literature that eventually all markets require legal regulation to succeed (McMillan [2003]). Recently, several attempts have been made to document the informal development of social order arising from repeated interaction and shared socialization (social capital) among individuals in a society (Coleman [1990], Putnam [1993]). The literature on informal control suggests that the role of law as a source of social order is exaggerated in the mainstream literature.

A detailed examination of a successful online auction market (eBay) by Duh, Jamal, and Sunder [2002] indicates that eBay has sought to develop an effective market by relying primarily on informal controls such as personal reputation and creation of an eBay community. Rather than focusing on the punitive function of the law, recent research by Mailath, Morris, and Postlewaite [2001] develops a theoretical framework for arguing that the impact of law and authority is rooted in the expectations people have about the behavior of others, that is, social norms. Posner [1997] proposes that the key role for the law is to formalize existing social norms and provide a credible mechanism for publicizing rule violations and enforcing penalties. Other legal scholars (e.g., Lessig [1998], Sunstein [1996]), however, propose that the law should be used in a more activist manner to help shape social norms. The limited evidence available on the interplay between law and social norms suggests that people ignore laws that are inconsistent with prevailing social norms (Ellickson [1991]).

Although the interplay between formal standards and informal norms has always been important in financial reporting, the events of recent years have brought increased attention to this topic. Revival of the rules versus principles debate in accounting is an example. Detailed rules are supported by an inclination to enforce them by law, whereas general principles require judgment in an environment that values social norms.

It is difficult to gather empirical data on this topic from the financial accounting domain; therefore, we present a direct comparison of empirical observations from the field of e-commerce privacy, which has some significant parallels to financial reporting (see Jamal, Maier, and Sunder [JMS 2003] for a detailed discussion of the externalities associated with privacy and financial reporting). JMS [2003] document the e-commerce privacy standards and practices in the United States, where little government regulation or enforcement exists; social norms are developed by civic organizations such as TRUSTe that arose to develop better privacy practices, albeit under the implicit threat of government legislation. TRUSTe promotes privacy practices in e-commerce by developing and propagating norms, education, and community monitoring supplemented by formal monitoring and enforcement. (See appendix A for measures of compliance effort.) The present study documents the e-commerce privacy practices and standards in the United Kingdom, where the Information Commission (IC), a British government agency, currently enforces the privacy law of the European Union. The European Union’s activist stance led to early legislation to mold commercial privacy practices.1

In the present study, we use the JMS field experiment method and design to examine the disclosure and privacy practices of 56 high-traffic Web sites in the United Kingdom. These sites are formally regulated by the E.U. privacy law, which has been incorporated into the U.K. national privacy law (see appendix B). The IC monitors and enforces compliance with this law (see appendix C for measures of compliance effort). We examine compliance with two key aspects of the law for which JMS document the corresponding U.S. practices: (1) the requirement to provide disclosure or notice of what consumer information is gathered and used by the Web site, and (2) the consent requirement that consumers be provided with an option to control how their personal information is used by a Web site for secondary purposes.

Our results indicate, first, that disclosure of privacy practices in the United Kingdom is no better, perhaps worse, than in the United States. It is more difficult to find the privacy policy of a U.K. Web site, and compliance with the disclosure requirements of the U.K. privacy laws is generally poor. Second, in the United States more Web sites use their own as well as third-party cookies to track user behavior than in the United Kingdom. Third, most Web sites in the United Kingdom as well as in the United States honor the opt-out choices made by customers. Fourth, most of the e-mail received by U.K. registrants comes from a single Web site that does not honor the opt-out option chosen by registrants, similar to what happens in the United States. Finally, even in the opt-in condition, most of the e-mail comes from a single Web site, just as in the United States. Overall, we find no important differences between the average behavior of U.K. and U.S. Web sites in this respect. Consumers in both regimes remain vulnerable to a small number of Web sites that misbehave. In the United States, better companies can signal their good intentions to their visitors by paying a small fee to purchase a Web seal from an independent provider such as TRUSTe or BBB Online. In the regulatory regime of the United Kingdom, the market for Web seals has barely developed.2

1 Nijhawan [2003] writes: “Historically, the EU and the U.S. approach data privacy regulations in diametrically opposed ways. While the EU relies primarily on legislation and heavy regulation, the U.S. has adopted a market-based, self-regulatory approach to data privacy. The EU further distinguishes itself from the U.S. by implementing an approach that guarantees its citizens protection of their ‘fundamental rights.’ Such protection allows for strict governmental control of information flow. The U.S., on the other hand, does not recognize data privacy as a fundamental right, employing instead a less prophylactic approach than that taken by the EU” (p. 940–41; also see Mullen [2001]).

2. Regulation of Privacy Practices in the United States and the United Kingdom

The concept of privacy is deemed to be central to the development of an autonomous self and hence an important facet of individual liberty (DeCew [1997]). Until recently, privacy rights focused on the intimate details of one’s life, such as the right to be silent about one’s sexual preference and the right to choose abortion. In addition, there was a general concern about providing government or other institutional authorities with too much information. There was less concern with privacy in business (DeCew [1999]).

That began to change with the rise of drug use in the general population in the 1960s and the 1970s, as business firms began testing prospective, and even current, employees for drug use. More recently, electronic surveillance of the behavior of employees and employer access to employees’ genetic and medical records have raised new privacy concerns relating to business (Kupfer [1993], Brockett and Tankersley [1997]).

With the Internet and the development of e-commerce, privacy issues have become more complicated. New e-commerce technologies have substantially increased the ability of online merchants to collect, monitor, target, profile, and even sell personal information about customers to third parties (JMS [2003]). The intrusiveness of telemarketing activity and spam has raised the profile of privacy issues involving business.

In response to broad societal concerns about privacy, the Organization for Economic Cooperation and Development (OECD), the U.S. government, and the European Union began extensive discussions in the 1970s about developing a regulatory framework for privacy. These discussions were guided by five privacy principles enumerated by the OECD [1980]: (1) notice/awareness: participants should receive notice of an entity’s information practices before they divulge any personal information; (2) choice/consent: participants should be given options as to the uses of any personal information collected from them, especially for secondary uses that are unrelated to the original transaction (e.g., sale of information to third parties); (3) access/participation: participants should have access to information recorded about them and be able to modify any information deemed incorrect; (4) integrity/security: collectors must take reasonable steps to ensure data integrity, convert it into anonymous form before using it for secondary purposes, and destroy untimely data; and (5) enforcement/redress: there must be a mechanism in place to enforce the privacy policies.

2 When we gathered data for this study, we could not identify any Web assurance services in our U.K. sample. In November 2003, we learned of one such service in the United Kingdom called Safebuy (www.safebuy.org.uk), which has only 41 clients at the time of this writing.

The European Union decided to adopt a formal (legal) regulatory framework for the protection of privacy. In 1995 the E.U. parliament formalized the E.U. privacy law by passing the European Directive on Data Protection (EU Directive 95/46/EC). The directive adopted the aforementioned five principles and required member countries to bring their national laws into compliance.3 The directive stipulated that personal data must be processed fairly and lawfully and only collected for a specified, explicit, and legitimate purpose. The use of data for any secondary purposes beyond those stated is prohibited. Data cannot be kept any longer than needed to serve the stated purpose, and the data can only be collected if the person has given his or her consent. There is some discretion available to each member country to define what “consent” means. Some countries, such as France, require consent to be obtained explicitly (opt in), whereas the United Kingdom has a more permissive definition that allows consent to be implied as long as consumers are provided with an opportunity to opt out of the use of their personal data for secondary purposes.4 The E.U. directive also requires each member government to create an independent government body to monitor the development, implementation, and enforcement of national data protection law. Given that the United States has no law covering most Web sites, it is generally considered that, with respect to privacy laws, the European Union has much stricter (and legally binding) standards and enforcement than does the United States.

Data protection in the United Kingdom is regulated by the Data Protection Act (DPA) of 1984, which was significantly amended in 1998 for compliance with the E.U. directive (Reidenberg and Schwartz [1998]). The IC, a U.K. government agency, is responsible for the monitoring and enforcement required by the E.U. directive. All entities collecting personal data must register with the IC. The IC has the statutory power to monitor compliance with the DPA and can serve enforcement notices that direct a registered person to take specific steps to comply with the act. The IC can also cancel registration, prohibit overseas transfer of data, and initiate prosecution of violators of the act. Failure to register is subject to prosecution. Administrative decisions of the IC, especially the enforcement notices, can be appealed to an independent Data Protection Tribunal (DPT). The budget of the IC more than doubled from £3,661,690 in fiscal year 1997–1998 to £8,244,982 in 2001–2002. Enforcement activities of the IC are summarized in appendix C. From 1997 to 2002, the IC filed 331 court cases and obtained 277 convictions for violation of the privacy law. Precedents established by the DPT require that privacy notices be displayed in large, easy-to-read print in a prominent location where personal information is first collected. Reidenberg and Schwartz [1998] provide a detailed discussion of the E.U. privacy law and a comparison of the national privacy laws of Belgium, France, Germany, and the United Kingdom.

3 These laws apply to all data collected online and offline.

4 The U.K. law requires each entity that collects personal data to have and disclose a privacy policy. The privacy policy notice must be of sufficient size, easy to find, and sufficiently detailed so that it can be presumed that a reader has given informed consent. The notice must be made available before personal data are first collected (Reidenberg and Schwartz [1998]).

The year 1995 was a watershed year—the European Union passed its privacy directive and the United States did not pass a general privacy law. TRUSTe was formed in 1996 as a nonprofit organization to promote better privacy practices, and many U.S. Web sites voluntarily display a TRUSTe Web seal to signal their compliance with the privacy standards formulated by TRUSTe. (See TRUSTe compliance activity in appendix A.) The Federal Trade Commission (FTC) started holding workshops in 1995 to discuss and promote good privacy practices. The FTC also tried to push e-commerce Web sites to improve their privacy practices by conducting studies (which combined a review of privacy policies and surveys) in 1998, 1999, and 2000. Each FTC study showed improvement in the actual practices of U.S. Web sites (FTC [2000]). As of May 2004, there is virtually no general government regulation of privacy in the United States and no legal requirement to disclose privacy policies in e-commerce or on the Internet.5 Once a person discloses information while registering or transacting at a site, there are no legal constraints on what can be done with that personal information so long as no fraudulent actions are involved. There is no requirement that a site have a privacy policy, that consumers be informed about what data are being collected about them, or that consumers be provided with an option to give or deny their consent to secondary uses of the data gathered. In addition, there are no legally mandated audit procedures, nor are the e-commerce sites required by law to have their privacy policies certified by independent auditors.6

3. Research Method and Results of the Notice/Awareness Study

We gathered data from 56 high-traffic Web sites in the United Kingdom by repeating the procedure used in JMS [2003]. First, we obtained the addresses of high-traffic Web sites from Jupiter MediaMetrix (www.mediametrix.com), which monitors Web usage and provides research and consulting services for online advertising. For countries other than the United States, MediaMetrix issues monthly reports of the top 15 active Web sites based on user traffic. We reviewed the top 15 reports from April 1999 to April 2002. This resulted in the identification of 28 Web sites that had been listed at least once in the top 15 rating report. We then picked firms in the U.K. Financial Times Index and looked for their Web sites. An additional 28 Web sites were identified where consumers could register or engage in transactions. A total of 56 high-traffic Web sites in the United Kingdom were identified during the summer of 2002.

5 As many experts had predicted, the Can-Spam Act of 2003, which went into effect January 1, 2004, has so many loopholes for spammers that it has had virtually no impact on the volume of e-mail received by U.S. consumers. The Can-Spam law can be viewed as an instrument of legalizing spam subject only to a few restrictions rather than an attempt to reduce spam.

6 There are two exceptions to the lack of U.S. regulation of privacy. The health care industry and the financial services industry are governed by the Health Insurance Portability and Accountability Act (1996) and the Gramm-Leach-Bliley Act (1999), respectively.

We programmed a Web crawler to visit these sites and to record the use of their own, as well as any third-party, cookies. We also obtained an electronic copy of the privacy policies of these Web sites and looked for disclosure about cookie usage and the use of third-party cookies. Our crawler visited each of the 56 Web sites five times during the week of June 4–11, 2002. Some Web sites in the United Kingdom do not display a privacy policy until the consumer actually registers or initiates a transaction. We attempted to register or initiate a transaction from June 11 to 20 to identify the use of cookies. During the same period (May 27 to June 12, 2002), a research assistant (who did not know the results generated by the Web crawler) downloaded and date-stamped the privacy policy of each Web site. The data collected using the crawler and manual review of the privacy policies were combined in a spreadsheet for the analysis here.

3.1 RESULTS: DISCLOSURE (NOTICE/AWARENESS)

The results of the disclosure of privacy policies of the 56 high-traffic U.K. Web sites are presented in table 1 (alongside, for ease of comparison, the results from 100 high-traffic U.S. Web sites reported by JMS [2003]). In the United States, JMS [2003] report that 34 Web sites had paid for a privacy assurance Web seal from an independent party (30 TRUSTe, 2 BBB Online, and 2 both TRUSTe and BBB Online). None of the Web sites in the United Kingdom displayed a Web seal. One consequence of a legislated standards approach to privacy appears to be the elimination, or preclusion, of a market for private Web assurance. Because the law requires a disclosure of privacy policies but not a privacy audit, we observe no market for privacy assurance seals in the United Kingdom. The privacy disclosure law appears to have eliminated the incentives for the Web sites to use Web seals as signals of their good privacy practices to consumers.

In the United States, JMS [2003] report that it was easy to locate the privacy policies of 97% of the Web sites in the sample. In most cases, it could be located from the home page (95% were one click away). In the United Kingdom, we found it difficult to locate privacy policies on Web sites (70% were one click away). The U.K. law requires the privacy policy to be provided before any personal data are collected. We therefore looked for the policy at the main home page, the registration page, and the page where personal information was entered. Our search succeeded in only 77% of the Web sites in our sample (compared with 97% in the United States). This suggests significant noncompliance with the legal requirement to provide a privacy policy and the precedents set by the DPT requiring privacy policies to be prominent, easy to read, and provided before personal information is collected. Perhaps U.S. Web sites view the disclosure of privacy policies as an instrument of their marketing strategy to attract consumers, and they make it easy to find this policy. U.K. Web sites, on the other hand, appear to view privacy disclosure as a matter of a bureaucratic requirement, and they make it difficult to find their statements of policy. The frequency of noncompliance raises doubts about the effectiveness of the E.U. law in promoting privacy policy disclosures.

TABLE 1
Disclosure of Privacy Policies

Number | Privacy Practice | U.S. Web Sites with Privacy Seals (n=34) | U.S. Web Sites without a Privacy Seal (n=66) | Total U.S. (n=100) | U.K. Web Sites with EU Privacy Law (n=56) | Test of Equality of Proportions Z-Value (p-value)
1 | Post a privacy policy | 34 (100%) | 63 (95%) | 97 (97%) | 43 (77%) | 12.53 (p<0.000)
2 | Privacy policy is one click away | 34 (100%) | 61 (92%) | 95 (95%) | 39 (70%) | 4.32 (p<0.000)
3 | Use cookies to track user behavior | 34 (100%) | 64 (97%) | 98 (98%) | 49 (88%) | 2.6 (p<0.01)
4 | Disclose that Web site is using cookies | 34 (100%) | 55 (86%) | 89 (91%) | 39 (80%) | 1.87 (p<0.05)
5 | Explain what cookies are | 30 (88%) | 42 (66%) | 72 (74%) | 37 (76%) | 0.265 (p<0.40, ns)
6 | Explain how to turn off/decline cookies | 19 (56%) | 23 (36%) | 42 (43%) | 25 (51%) | 0.93 (p<0.18, ns)
7 | Allow third parties to use cookies on Web site | 31 (91%) | 48 (73%) | 79 (79%) | 28 (50%) | 3.76 (p<0.000)
8 | Disclose presence of third-party cookies on Web site | 30 (97%) | 30 (63%) | 60 (76%) | 27 (96%) | 2.32 (p<0.01)
9 | Provide link to privacy policy of third party | 19 (61%) | 20 (42%) | 39 (49%) | 4 (14%) | 3.27 (p<0.001)
10 | Disclose how data are used for internal transaction processing | 34 (100%) | 63 (95%) | 97 (97%) | 43 (77%) | 4.0 (p<0.000)
11 | Disclose how data are used for internal marketing purposes | 34 (100%) | 62 (94%) | 96 (96%) | 44 (79%) | 3.4 (p<0.001)
12 | Disclose how data are used for outsourced transaction processing by a third party | 28 (82%) | 43 (65%) | 71 (71%) | 23 (41%) | 3.66 (p<0.000)
13 | Disclose how data are used for marketing purposes by third parties | 34 (100%) | 62 (94%) | 96 (96%) | 32 (57%) | 6.09 (p<0.000)

In a field experiment, Jamal, Maier, and Sunder (JMS [2003]) program a Web crawler to repeatedly visit 100 selected high-traffic Web sites in the United States during the week of July 23–29, 2001, and to record what cookies (and third-party cookies) are used by these Web sites to monitor visitors to the Web sites. JMS then download the privacy policies of these 100 Web sites and record the number of Web sites that disclose their use of cookies (and third-party cookies), as well as disclosures on how data collected from participants are used and shared internally and with external third parties. U.S. Web sites are classified into two groups: those that purchase an independent Web assurance seal (n=34) and those that do not have a Web seal (n=66). We apply the JMS procedure from May 27 to June 12, 2002 for 56 high-traffic U.K. Web sites governed by EU privacy law. A U.K. government body monitors and enforces the privacy law in the United Kingdom. None of the U.K. Web sites had a Web seal.

In the United States, JMS [2003] report that all 34 of the privacy seal Web sites and 64 of the remaining 66 nonseal Web sites used cookies, for an overall cookie usage rate of 98%. The disclosure of cookie usage was also high, with all 34 privacy seal Web sites and 55 of the remaining 64 Web sites (overall 91%) disclosing their cookie usage. In the United Kingdom, the rate of cookie usage was lower, with only 88% (49 of 56 Web sites) using cookies to monitor consumers (p < 0.01). The disclosure rate of cookie usage in the United Kingdom was also lower, with only 80% (39 of 49) of the Web sites that use cookies disclosing their use (p < 0.05). Relative to the United States, the formal legal codification of cookie disclosure requirements appears not to have improved disclosures in the United Kingdom.

In the United States, JMS [2003] report that third parties placed cookies on visitor hard drives in 31 (91%) Web sites with seals, and 48 (73%) Web sites without a seal, for an overall third-party cookie usage rate of 79%. Thirty Web sites with a seal (97%) disclosed the presence of these third-party cookies on their site. Thirty of the 48 Web sites without a seal that were placing third-party cookies (63%) disclosed the presence of third parties, for an overall third-party cookie disclosure rate of 76%. In the United Kingdom, Web sites were much less likely to allow third parties to use cookies to monitor customer behavior, with only 50% of Web sites (28 of 56) allowing third parties to place cookies from their site (p < 0.000). In the United Kingdom, 27 of 28 of these Web sites (96%) disclosed the presence of third-party cookies on their site. This is comparable to the 97% disclosure rate of the sites with a Web seal in the United States, and better than the average U.S. disclosure rate of 76% (p < 0.01).

For the remaining items in table 1 (more information about cookies, third-party cookies, and especially how data are used for secondary purposes), the disclosure rates in the United Kingdom are lower than the disclosure rates reported by JMS [2003] for U.S. Web sites (p < 0.01). Overall, it is clear that the privacy disclosures of the U.K. Web sites are no better than the privacy disclosures in the United States. The rates of noncompliance with the requirements of the U.K. law are substantial, and only the third-party cookie disclosure rates (96%) indicate a high level of compliance. An independent survey of E.U. privacy practices conducted by Consumers International in 2001 (Hwa [2001]) also finds poor compliance rates with E.U. privacy law. For a discussion of the complexities of E.U. privacy law and the corresponding low compliance rates in E.U. countries, see Nijhawan [2003].

Although E.U. law appears not to improve disclosure of privacy practices, it does appear to reduce the use of cookies and third-party cookies to track consumer behavior. This improvement in business practice is associated with the absence of demand and supply of private audit (Web seal) services. The private market for Web seals has not developed well in the regulated E.U. environment but is developing in the unregulated U.S. market (JMS [2003]). This raises an interesting question about the relationship between the standardization of accounting practices and private demand for audit services.

4. Research Method and Results for the Choice/Consent Study

According to choice/consent, the second of the five OECD privacy principles, participants should be given an option to restrict the use of any personal information collected from them, especially for secondary uses unrelated to the processing of the transaction at hand. Web sites use two primary options to let users control the use of their personal information. Opt-out, the most common option, allows users to prevent the Web site from transferring their data to any third party not involved directly in processing the transaction for which the data were collected. A second option is to require an explicit opt-in from the consumer, which expressly permits the Web site to use the data for secondary purposes such as internal and possibly external marketing. The opportunity to opt out (or opt in) is widely regarded as a key choice mechanism, and U.K. law requires that an opt-out option should at least be provided whenever personal data are collected.7

We examine the effectiveness of the opt-out feature of Web sites by registering on the same 56 high-traffic Web sites used to test disclosure policies in section 3. We use the JMS [2003] procedure to monitor the compliance of the Web sites with privacy standards. We set up a private U.K. domain name and created 112 identities (name, U.K. e-mail address, U.K.-based postal address, U.K. phone number with voice mail, and credit card number). These e-mail accounts were secure in our private domain and could not be accessed by robots or telemarketers looking for public directories of e-mail addresses. Each of the 56 pairs of identities could be uniquely traced to one of the 56 Web sites where we used it for registration.

We registered twice on each of the 56 Web sites under two different identities. Following the JMS [2003] procedure, we conducted one transaction (e.g., sent a greeting or e-mail, or set up a portfolio) at the time of registration. We used the first set of 56 identities to register on each of the 56 Web sites and did not place any restriction on having our data shared with others; that is, we opted in to receive messages and materials, such as magazines, relevant to our simulated identity. The second set of identities was used to register again on the same sites, where we opted out immediately from having our information shared with both internal and any external parties. In the second registration we did not accept any free offers. Note that our registration procedure enabled us to uniquely identify the 112 sources (opt-in and opt-out registrations at 56 sites) of any incoming e-mail because the name and e-mail address used in each registration were different. All registrations were completed September 2–8, 2002.

7 An opt-in system protects privacy better than does opt-out because each option is the default for the other. Most users end up with the default option through their failure to make an explicit choice between opt-in and opt-out.
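The attribution step this procedure relies on, carried through to the summaries used later in table 2 and figures 2 and 3, as an added example (not code from the paper or from JMS [2003]): because every registration used its own mailbox, the recipient address of an incoming message identifies both the Web site and the opt-in/opt-out condition, and mail to an address that was never registered is left unattributed. Site names, addresses, dates and the mail log are constructed.

```python
# Added example, not code from the paper or from JMS [2003]. Assumption: every
# registration used its own mailbox in a private domain, so the recipient
# address alone identifies the Web site and whether we opted in or out there.
# All site names, addresses and log lines below are constructed.
from datetime import date

WEEKS = 26  # observation window used in the study

# Constructed registry: mailbox -> (site, condition), two identities per site.
REGISTRY = {
    "ab12@study.example": ("retailer-a", "opt-in"),
    "cd34@study.example": ("retailer-a", "opt-out"),
    "ef56@study.example": ("news-b", "opt-in"),
    "gh78@study.example": ("news-b", "opt-out"),
    "ij90@study.example": ("portal-c", "opt-in"),
    "kl12@study.example": ("portal-c", "opt-out"),
}
START = date(2002, 9, 8)  # constructed: week 1 begins when registrations ended

# Constructed mail log, one delivery per line: "YYYY-MM-DD recipient".
# zz99 never registered anywhere, so that mail cannot be attributed to a site
# (the harvested-address spam the CDT study describes); the last line falls
# outside the 26-week window and must be ignored.
LOG = """\
2002-09-08 ab12@study.example
2002-09-08 cd34@study.example
2002-09-15 ab12@study.example
2002-09-16 ab12@study.example
2002-09-22 ef56@study.example
2002-09-30 ab12@study.example
2002-10-06 gh78@study.example
2002-10-20 ij90@study.example
2002-10-21 zz99@study.example
2003-03-02 ab12@study.example
2003-03-10 ab12@study.example
"""


def parse_log(text):
    """Yield (delivery date, recipient) pairs from the constructed log."""
    for line in text.splitlines():
        if line.strip():
            day, addr = line.split()
            yield date.fromisoformat(day), addr.lower()


def attribute(log_text, registry=REGISTRY, start=START, weeks=WEEKS):
    """Return ({(site, condition): [count per week]}, unattributed_count).

    Mail outside the window is ignored; mail to an address no registration
    used is counted as unattributed rather than blamed on any site.
    """
    counts = {key: [0] * weeks for key in registry.values()}
    unattributed = 0
    for day, addr in parse_log(log_text):
        week = (day - start).days // 7 + 1
        if not 1 <= week <= weeks:
            continue
        key = registry.get(addr)
        if key is None:
            unattributed += 1
            continue
        counts[key][week - 1] += 1
    return counts, unattributed


def weekly_means(counts, condition, exclude=()):
    """Mean messages per registration for each week (table 2 columns);
    `exclude` names outlier sites to drop for the "w/o Outlier" columns."""
    rows = [c for (site, cond), c in counts.items()
            if cond == condition and site not in exclude]
    if not rows:
        return []
    return [round(sum(r[w] for r in rows) / len(rows), 2)
            for w in range(len(rows[0]))]


def ranked_sites(counts, condition):
    """(site, total) pairs for one condition, highest volume first."""
    totals = [(site, sum(c)) for (site, cond), c in counts.items()
              if cond == condition]
    return sorted(totals, key=lambda t: t[1], reverse=True)


def cumulative_share(counts, condition):
    """Cumulative fraction of traffic from volume-ranked sites (figures 2-3):
    a value close to 1.0 after one or two sites means a few outliers
    generate almost all of the mail, as the paper finds in both countries."""
    totals = ranked_sites(counts, condition)
    grand = sum(n for _, n in totals)
    shares, running = [], 0
    for _, n in totals:
        running += n
        shares.append(round(running / grand, 3) if grand else 0.0)
    return shares
```

Running `attribute(LOG)` on the constructed log shows one site dominating the opt-in traffic (as the outlier columns of table 2 do) while the unregistered address is reported separately rather than charged to any site.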

4.1 RESULTS: CHOICE/CONSENT

We attempted to register on all 56 Web sites used in the disclosure part of the study. Of the 56 Web sites, 40 allowed us to opt in, and only 25 allowed us to opt out. Table 2 shows the weekly means (standard deviations) of the number of e-mail messages received over the 26 weeks following the registrations in the United States (as reported by JMS [2003]) and our data from the United Kingdom. The top part of figure 1 shows a chart of the weekly mean frequency of e-mail messages from the U.S. opt-in (blank square) and the U.K. opt-in (black square). The two middle lines in figure 1 show the U.S. opt-in excluding the highest volume Web site (blank triangle), and the U.K. opt-in excluding the highest volume Web site (black triangle). The bottom two lines in figure 1 show the U.S. opt-out (blank circle) and the U.K. opt-out (black circle) Web site registrations. Most Web sites generated one confirmation message immediately following the registration.

JMS [2003] report receiving few messages from opt-out registrations in the United States; the mean was only 0.45 messages per week. JMS also report that most of the messages in the opt-out condition were generated by a handful of Web sites; one site generated 48% of all e-mail messages, and the top five sites accounted for 92% of all e-mail received. Excluding these outliers, the mean number of weekly e-mail messages was close to 0. In the present study of U.K. opt-out registrants, we received 468 commercial e-mail messages over the 26-week data-collection period, for an average of 0.75 messages per week from opt-out registrations. The U.K. data are also largely driven by a single Web site that accounted for 93% of all the messages from opt-out Web sites (see dark circle in figure 2). If we exclude this outlier, the mean number of weekly messages to opt-out registrants in the United Kingdom is also close to zero.8 The difference between the average number of messages received from opt-out registrations in the United States and in the United Kingdom is not statistically significant. It does not matter if we look at all the data (GLM, F [1, 65] = 0.28, p = 0.6007), or exclude the one extreme observation from the U.K. data and the five extreme observations from the U.S. data (GLM, F [1, 59] = 1.15, p < 0.288).9

8 In the United Kingdom, the top five sources of opt-out e-mail were from three retailers and two news organizations. In the United States, the top five sources of opt-out e-mail were two retailers, a portal, a Web hosting site, and a financial site.

TABLE 2
Mean (Standard Deviation) Number of E-Mail Messages Received for Opt-in and Opt-out Web Site Registrations

Columns: U.S. Opt-in (n = 69); U.K. Opt-in (n = 40); U.S. Opt-in w/o Outlier (n = 68); U.K. Opt-in w/o Outlier (n = 39); U.S. Opt-out (n = 43); U.K. Opt-out (n = 25). Each cell gives the weekly mean with the standard deviation in parentheses.

Week     U.S. Opt-in     U.K. Opt-in     U.S. Opt-in w/o Outlier   U.K. Opt-in w/o Outlier   U.S. Opt-out   U.K. Opt-out
1        4.62 (8.73)     2.13 (2.59)     3.78 (5.24)               1.87 (2.07)               0.98 (0.91)    0.80 (0.71)
2        4.71 (17.98)    3.25 (8.37)     2.63 (5.07)               2.03 (3.22)               0.19 (0.82)    0.12 (0.44)
3        5.00 (19.77)    4.13 (14.88)    2.71 (5.29)               1.82 (3.04)               0.30 (0.89)    0.00 (0.00)
4        5.41 (24.56)    4.98 (18.15)    2.51 (5.20)               2.15 (3.39)               0.21 (0.71)    0.00 (0.00)
5        7.74 (40.66)    5.68 (21.54)    2.88 (5.10)               2.31 (3.24)               0.26 (1.09)    0.04 (0.20)
6        6.96 (36.42)    6.90 (28.60)    2.62 (5.30)               2.41 (3.49)               0.19 (1.08)    0.04 (0.20)
7        7.93 (41.98)    6.00 (24.06)    2.93 (6.07)               2.23 (3.28)               0.21 (0.97)    0.00 (0.00)
8        7.96 (43.25)    7.55 (32.06)    2.79 (5.65)               2.51 (3.64)               0.23 (1.02)    0.12 (0.44)
9        9.23 (53.2)     7.48 (31.15)    2.87 (5.96)               2.59 (4.00)               0.28 (1.10)    0.04 (0.20)
10       9.20 (52.74)    8.43 (36.01)    2.90 (6.23)               2.77 (4.23)               0.26 (1.05)    0.08 (0.40)
11       8.54 (49.34)    7.90 (32.33)    2.63 (5.46)               2.82 (3.68)               0.21 (0.97)    0.52 (2.40)
12       10.13 (54.22)   8.68 (33.53)    3.68 (8.18)               3.44 (5.17)               0.26 (1.03)    0.76 (3.80)
13       9.41 (53.05)    10.83 (42.18)   3.07 (6.92)               4.26 (7.38)               0.12 (0.45)    1.36 (5.99)
14       11.59 (65.48)   11.15 (45.32)   3.78 (8.64)               4.08 (7.38)               0.23 (0.92)    1.24 (6.20)
15       12.04 (66.87)   11.28 (47.76)   4.07 (9.45)               3.79 (6.60)               0.28 (1.10)    1.12 (5.60)
16       13.94 (80.53)   9.98 (50.19)    4.32 (10.11)              2.05 (2.76)               0.49 (1.67)    0.28 (1.40)
17       12.36 (66.72)   10.25 (42.45)   4.46 (11.84)              3.64 (7.52)               0.49 (2.04)    1.28 (6.40)
18       10.00 (55.16)   11.98 (49.39)   3.49 (10.78)              4.28 (8.58)               0.47 (2.07)    1.48 (7.19)
19       4.33 (14.27)    11.58 (49.68)   3.93 (13.97)              3.82 (8.03)               0.91 (4.46)    1.40 (7.00)
20       4.04 (13.89)    12.35 (57.09)   4.10 (13.99)              3.38 (6.71)               0.79 (3.90)    1.16 (5.80)
21       4.86 (17.18)    11.85 (51.59)   4.93 (17.30)              3.77 (7.12)               0.63 (2.95)    1.20 (6.00)
22       4.87 (17.54)    12.23 (53.81)   4.93 (17.66)              3.79 (7.36)               0.44 (1.98)    1.28 (6.40)
23       5.88 (20.48)    11.68 (44.66)   5.07 (19.48)              4.08 (7.77)               0.86 (4.21)    1.36 (6.80)
24       12.94 (63.64)   13.50 (59.85)   5.72 (21.43)              4.13 (8.39)               0.91 (4.94)    1.48 (7.40)
25       14.28 (71.53)   13.13 (57.79)   6.22 (25.48)              4.05 (6.90)               0.70 (3.46)    1.12 (5.60)
26       11.49 (51.76)   14.25 (62.04)   6.01 (24.84)              4.51 (7.61)               0.79 (4.30)    1.20 (6.00)
Average  8.44            9.20            3.81                      3.18                      0.45           0.75

In a field experiment, Jamal, Maier, and Sunder (JMS [2003]) construct 200 identities (name, address, e-mail address) and attempt to register twice on each of 100 high-traffic Web sites in the United States. In the opt-in registrations (n = 69), JMS allow the Web site to use their personal data both for internal marketing purposes and for selling personal data to external third parties. In the opt-out registrations (n = 43), JMS do not allow the Web site to use their data for any secondary purpose. We apply the JMS field experiment methodology to 56 high-traffic Web sites in the United Kingdom. Of the 56 Web sites, 40 allow opt-ins and 25 allow opt-outs.

For U.S. opt-in registrants, JMS [2003] report receiving significantly more e-mails, with a mean of 8.44 e-mails per week. As in the opt-out condition, JMS report that one outlier generated 56% of all the opt-in messages received. After excluding this outlier, the mean level of e-mails was 3.81 per week (still significantly more than the mean level of e-mails received by opt-out registrants at p < 0.000). In the present study, U.K. opt-in registrants received 9,563 e-mail messages over the 26 weeks studied for an average of 9.20 messages per registration per week. This is 12 times the average volume of e-mail messages received by opt-out registrants. A paired-sample t-test yields a mean difference of 8.45 (t = 14.74, 25 df, p < 0.000). This result for the United Kingdom, where opt-in registrants receive more e-mails than opt-out registrants, is consistent with the data reported by JMS for the United States.

Beginning with an average of about 2 e-mail messages per week in the first week (see figure 1, black square legend), the average level of e-mail from U.K. Web sites rose steadily to about 14 per week in week 26. Like the opt-out results described earlier, the U.K. opt-in results were also driven in large part by a single Web site (see black square in figure 3). Some 66% of all opt-in messages (a total of 6,342 messages over 26 weeks for an average of 244 per week) came from this single registration. Excluding the messages from this one outlier (black triangle legend in figure 1), the e-mail volume from the U.K. opt-in sites gradually rises from about 2 per week to about 4.5 per week by the end of the 26 weeks. This is more than four times the e-mail volume for the opt-out registrants. Excluding the outlier data from the opt-in sample, the number of opt-in messages (mean of 3.18 e-mail messages per week) continues to be significantly more than that of the opt-out messages (mean difference = 2.42, t = 27.55, 25 df, p < 0.000). This pattern of results also replicates the U.S. data reported by JMS [2003]. There is no significant difference between the opt-in e-mail level in the United States and the United Kingdom for both total e-mail received (GLM, F [1, 107] = 0.01, p = 0.9231) and after excluding one outlier from each of the U.K. and the U.S. opt-in data (GLM, F [1, 105] = 0.14, p = 0.7063).10

9 We obtain the same pattern of results even if we eliminate only three outliers from the U.S. opt-out data, F (1, 61) = 0.18, p = 0.6691.

[Figure 1: line chart of E-Mail Messages Per Web site (y-axis, 0 to 16) by Week Number (x-axis, 1 to 25); series: OPT-IN UK, OPT-IN US, UK OPT-IN w/o OUTLIER, US OPT-IN w/o OUTLIER, UK OPT-OUT, US OPT-OUT.]

FIG. 1.—Mean number of e-mail messages received. In a field experiment, Jamal, Maier, and Sunder (JMS [2003]) construct 200 identities (name, address, e-mail address) and attempt to register twice on each of 100 high-traffic Web sites in the United States. In the opt-in registrations (n = 69), JMS allow the Web site to use their personal data both for internal marketing purposes and for selling personal data to external third parties. In the opt-out registrations (n = 43), JMS do not allow the Web site to use personal data for any secondary purpose. JMS track the number of e-mail messages received at each registered address over the 26 weeks following registration. We apply the JMS procedure to 56 U.K. Web sites regulated by E.U. privacy law. From our 56 Web sites in the United Kingdom, 40 allow opt-ins and 25 allow opt-outs. Raw data for this chart are shown in table 2. Figure 1 shows the average number of messages received by all U.S. and U.K. opt-in sites, average number of messages for all U.S. and U.K. opt-in sites except one outlier removed from both the U.S. and U.K. sites, and the average number of messages received from all U.S. and U.K. opt-out sites.

10 The top five sources of opt-in e-mail in the United Kingdom are one gambling site, three retail sites, and one news site. The top five sources of opt-in e-mail in the United States are a gambling site, two retail sites, one greeting card site, and one news site. Spam originates from a variety of legitimate and highly reputable sites.

[Figure 2: line chart of Cumulative Frequency (y-axis, 0.5 to 1) by Site Ranked By Number Of Messages (x-axis, 1 to 39); series: UK OPT-OUT (24 Sites), US OPT-OUT (40 Sites).]

FIG. 2.—Cumulative percentage of e-mails received from volume-ranked opt-out Web sites in the United States (self-regulation) and the United Kingdom (government regulation). In a field experiment, Jamal, Maier and Sunder (JMS [2003]) construct 100 identities (name, address, e-mail address) and attempt to register twice on each of 100 high-traffic Web sites in the United States. In the opt-out registrations JMS do not allow the Web site to use data for any secondary purpose. Of the 100 Web sites, 43 allow opt-outs. JMS track the number of e-mail messages received in each registered address over the 26 weeks following registration. We replicate the JMS procedure in the United Kingdom for 56 high-traffic Web sites. Twenty-five U.K. Web sites allow opt-outs. We chart the number of e-mail messages received at each of our opt-in and opt-out addresses. In the United States, one site alone (blank circle) generates 62% of all opt-out messages (indicated by the first circle on the chart). The five highest volume sites generate 91% of the total opt-out messages. In the United Kingdom (dark circle symbol in the figure), one site generates approximately 93% of all messages. The five highest volume sites generate 97% of the total opt-out messages. Note that the vertical scale is truncated at 50% to highlight the differences in the 90% to 100% range.

In an independent study of e-commerce spam in the United States, the Center for Democracy and Technology [2003] also reports that most Web sites where their researchers registered honored their opt-out choices. Most spam originates not from such registrations but from e-mail addresses left on high-traffic Web sites or used in Internet public discussion groups. Spammers use various technology robots to harvest e-mail addresses from public Web sites.

5. Discussion and Concluding Remarks

The United Kingdom (and the European Union) protect the privacy of the citizens by legislating standards to be monitored and enforced by the government. The United States, on the other hand, allows the privacy policies in e-commerce to evolve as norms or conventions of e-commerce without legislated standards or a public enforcement mechanism. For-profit and not-for-profit organizations have developed competing privacy standards accompanied by compliance certification of e-commerce sites for a fee.

[Figure 3: line chart of Cumulative Frequency (y-axis, 0.5 to 1) by Site Ranked By Number Of Messages (x-axis, 1 to 67); series: UK OPT-IN (40 Sites), US OPT-IN (69 Sites).]

FIG. 3.—Cumulative percentage of e-mails received from volume-ranked opt-in Web sites in the United States (self-regulation) and the United Kingdom (government regulation). In a field experiment, Jamal, Maier, and Sunder (JMS [2003]) construct 100 identities (name, address, e-mail address) and attempt to register on each of 100 high-traffic Web sites in the United States. In the opt-in registrations, JMS allow the Web site to use their personal data both for internal marketing purposes and for selling data to external third parties. Sixty-nine Web sites allow JMS to register and opt in. JMS track the number of e-mail messages received in each registered address over 26 weeks. We replicate the JMS procedure in the United Kingdom for 56 high-traffic Web sites. Forty of these Web sites allow opt-ins. We chart the number of e-mail messages received at each of our opt-in and opt-out addresses. In the United States, one site alone (an outlier) generates 56% of all opt-in messages (indicated by the first blank square on the chart). The five highest volume sites generate 80% of the total opt-in messages. In the United Kingdom (dark square symbol in the figure), one site generates approximately 66% of all messages. The five highest volume sites generate 83% of the total opt-out messages. Note that the vertical scale is truncated at 50% to highlight the differences in the 90% to 100% range.

Our comparative study of the performance of these two regimes covers two dimensions of privacy. On the choice/consent dimension (i.e., participants control any secondary uses of their personal information) we find that the performance of the two regimes, as measured by the number of e-mail messages sent to those who do and do not give consent to receive such messages, is almost identical. With only a few exceptions, most e-commerce sites honor the choice exercised by the registrants. Under both regimes, a few Web sites flood their registrants with commercial e-mail messages, disregarding registrants’ wishes. Registrants who indicate their willingness to receive commercial e-mail messages receive a comparable level of message traffic under both regimes.

On the notice/awareness dimension (i.e., participants receive timely notice of an entity’s information and privacy policies), the overall performance of the standards and enforcement regime of the United Kingdom is about the same as that of the evolutionary regime of the United States. In spite of the privacy law and enforcement mechanism, fewer U.K. Web sites post their privacy policies. It is more difficult to find the privacy policy statement on U.K. Web sites even when they are posted. These Web sites are less likely to disclose the use of cookies and how the data gathered are used for secondary internal and external marketing purposes. In the United Kingdom, there is less use of cookies and less use of third-party cookies to monitor activities of visitors to Web sites. This improvement in business practice (less monitoring) is offset by generally poorer disclosure of privacy practices and slower development of an audit market to signal good privacy policies.

In the absence of legislated standards and government enforcement, a market for Web assurance services, including privacy assurance, has arisen in the United States. About one third of the U.S. Web sites in the JMS [2003] sample chose to pay a small fee to such service providers (e.g., TRUSTe and BBB Online) and had them certify that: (1) the Web site policies conformed to the privately developed standards of the assurance service provider, and (2) the Web site practices conformed to the Web site’s stated policies. (See appendix A for TRUSTe’s compliance activity.) The U.S. Web sites that displayed the service providers’ assurance seals performed at least as well as, and on average better than, the U.K. Web sites in protecting the privacy of their users. The legislation and enforcement mechanisms in the United Kingdom and the European Union were set up on the assumption that they will help improve privacy on the Internet. Our comparative study of the United Kingdom and the United States reveals that privacy has fared no better in the United Kingdom than in the unregulated U.S. environment. Although the E.U. law may have helped reduce the use of first- and third-party cookies, it also appears to have reduced the availability and quality of disclosure. Also, unlike the United States, a U.K. market for Web seals barely exists. U.K. consumers appear to continue to be as vulnerable to misbehavior by a few outliers as their U.S. counterparts. In the absence of mandated standards, U.S. Web sites tend to view the disclosure of privacy policies as part of their marketing strategy to attract consumers. Accordingly, they make it easy to find their statements of policy and adhere to these policies reasonably closely. U.K. Web sites, on the other hand, appear to view privacy disclosure as merely a compliance matter and are largely indifferent to consumer concerns about their privacy policies. On average, they make it more difficult for their customers to find their statements of policy as compared with U.S. Web sites.

We were able to gather some data on the enforcement efforts and activities of one of the two major Web seal providers in the United States (TRUSTe) and for the IC in the United Kingdom (see appendixes A and C). The enforcement budget of the IC is significantly larger (for regulating a much smaller economy) than TRUSTe’s enforcement budget. The same is true of the number of complaints. Although the IC relies on its staff, TRUSTe has automated most of its monitoring operations and relies on consumer complaints to identify violations beyond the capability of its monitoring programs. The number of enforcement actions by TRUSTe is almost negligible as compared with the IC.

Our conclusions from the comparison between U.S. and U.K. data need to be moderated by several considerations. First, the data in the United States were gathered one year earlier. The U.S. disclosure data collection (July) and Web site registrations (August) were done by JMS [2003] in the summer of 2001, whereas our U.K. disclosure data collection (May/June) and Web site registrations (September) were done in the summer of 2002. It is possible that a shift in the e-commerce practices may have occurred during this interval, eroding the validity of the comparisons presented here.

Second, we are careful registrants who opt out immediately upon registration and follow the JMS [2003] procedure of visiting only high-traffic and reputable Web sites. It is possible that less careful registrants, and users who visit less reputable Web sites, may get much larger volumes of unwanted (spam) e-mail (Center for Democracy and Technology [2003]). The effect of regulation on operators of less reputable Web sites may be different from the results reported in this study. Future research could examine how such Web sites respond to regulation.

Third, the final chapter of Internet privacy practices and regulation has not yet been written. We cannot rule out the possibility that the United States may follow the legal approach of the European Union in the future, or that the European Union may abandon its law. Even if legislation is passed in the United States, our results suggest that the problem of spam or pop-up ads may not be solved. It may well be that the law will have to evolve to plug the loopholes exploited by spammers through ever-evolving technology.11 Demands for amendments in, and better enforcement of, the privacy law in the United Kingdom have already appeared. Given the rapid change in electronic technology, it is likely that any law passed in the United States would evolve through much iteration before it satisfactorily enhances the privacy of consumers. It may be faster and less error prone for informal norms to evolve in response to the changing behavior of corporate management. There is not enough evidence yet about the relative abilities of law and social norms to respond efficiently to environmental changes. We cannot yet make definitive judgments about whether law must displace informal norms for a market to succeed. We believe it is more likely that both jurisdictions will settle on some combination of the two approaches that relies partially on regulation and partially on evolved norms.

11 Hansell points out: “The anti-Spam bill passed by the Senate may do little to stop legitimate companies from sending so-called white-collar spam” (S. Hansell, “Big Companies Add to Spam Flow,” New York Times, October 28, 2003, section A, p. 1).

This belief is reinforced by Cheit’s [1990] comparison of protective standards written by four pairs of public agencies and private organizations operating in the same space: grain elevators, woodstoves, aviation fire safety, and gas space heaters. He questions the economics and political science theories (e.g., Stigler [1971], Wilson [1980]) about the relative nature and efficacy of safety standards set by government agencies and private organizations, and he finds little evidence to support any of them in the field data. He shows that hundreds of little-known organizations (e.g., Underwriters Laboratories and the National Fire Protection Association) follow rigorous due process, and their standards play significant roles in regulation, directly as well as through incorporation into government laws and regulations.

This is not to say that private standards are generally better or worse than public standards. Insufficient information is available to reach a conclusion. There are reasons both to doubt and to believe the conventional wisdom about public and private regulation. What is needed is more detailed information about the similarities and differences between standards setting in the public and private sectors (Cheit [1990]).

The same regulatory space is often occupied by both government and nongovernment organizations with little systematic evidence on the circumstances in which one kind of standards is more desirable than the other. Kelman’s [1981] comparative study shows that two seemingly different regulatory regimes of workplace safety and health in the United States and Sweden produced surprisingly similar results. Our own results parallel Kelman’s findings in this respect. There seems to be no body of theory or evidence to guide policy makers in choosing between public and private mechanisms for a given standards and regulatory task.

Finally, there are many differences between the United Kingdom and the United States and between e-commerce privacy and financial reporting that require us to exercise caution in making analogies from one jurisdiction to another (Healy [2003]). Our study is not a perfect controlled experiment; therefore, an inferential judgment must be made across these jurisdictional differences. Recent research in banking (Barth, Caprio, and Levine [2003]) and securities regulation (Romano [2002], La Porta, Lopez-de-Silanes, and Shleifer [2003]) examines the possibility of regulatory failures, especially when public as opposed to private enforcement is the primary instrument of regulation.

In financial reporting, the Securities Act of 1933 and the Securities Exchange Act of 1934 imposed an accounting regulator (the SEC) as well as a mandatory requirement to have an independent audit. The simultaneous imposition of both requirements has led to a general perception that enforced standards of accounting and a market for auditing services are complementary. Our e-commerce results suggest that accounting regulation and auditing may be substitutes instead. Commoditization of the financial statement audit may have been speeded up by extensive regulation of financial accounting. A recent attempt by the audit profession (American Institute of Certified Public Accountants [AICPA]) to divorce auditing from accounting (hence the move from audit to assurance services) is also consistent with the argument that extensive regulation of financial reporting reduces the demand for auditing. The link between regulation of financial accounting and private demand for auditing may not be as direct as it is often assumed in the accounting literature.12

Recent months have seen a revival of the old debate about the degree to which financial reporting should rely on detailed rules versus broad principles of accounting. Any shift in emphasis between rules and principles implies a corresponding change in reliance on formal enforcement and norms of behavior. The consensus seems to be shifting toward placing more weight on principles. The findings of the present study that raise questions about the effectiveness of enforced law in enhancing e-commerce privacy can be usefully considered in this light.

Law, auditors, reputation, business norms and practices, warranties, disclosure, and industry associations are competing trust-creation mechanisms associated with markets. The value of each mechanism depends on which other mechanisms are available in a particular market. Although each mechanism may be useful in isolation, the marginal value of some over others may be small. A large body of literature in psychology (Cook [2001]), sociology (Granovetter [1985]), and political science (Putnam [1993]) suggests that key trust creation mechanisms in society are personal relationships and social embeddedness of market participants rather than legal rules and formal enforcement structures. Our results suggest that the value of legal regulation and enforcement may be overestimated when the availability of alternative trust generation mechanisms is ignored in studies of accounting regulation. Future research can help us understand the incremental value of formal legal regulation and enforcement in situations where other trust-creation mechanisms are available.

12 The AICPA and the Big 4 accounting firms failed to penetrate the e-commerce privacy assurance market, which is currently dominated by TRUSTe and BBB Online. The AICPA focused its online Web seal (WEBTRUST) on selling assurance with respect to business practices (internal control) and security, not privacy, and found that there is little demand for what they offered at the high prices they demanded. DeWally and Ederington [2003] document a thriving market for quality assurance services for comic books sold on eBay. Although eBay designated PepBoys as its official assurance provider for used cars sold on its system, the demand for this service appears to be small.

94 K. JAMAL, M. MAIER, AND S. SUNDER

APPENDIX A
Enforcement Activity by TRUSTe from 2001 to 2003

                                                                    2001        2002        2003
Total budget                                                  $1,100,000  $1,800,000  $2,300,000
Total privacy-related complaints received                          1,563       1,547       1,201
Change in Web site operations required                                 3           5           1
Change in privacy policy required                                     13           9           1
On-site audit required                                                 2           0           1
Web seals revoked                                                      0           0           2
Number of failed Watchfire scans                                       -           -         345
Percentage of failed Watchfire sites compliant within 10 days          -           -        100%

TRUSTe provides a privacy Web seal to Web sites in the United States that wish to voluntarily convey their good privacy policies to visitors. TRUSTe monitors licensees for compliance with the TRUSTe privacy program using three processes: (1) an initial (manual) Web site review, (2) an automated audit using Watchfire technology (robots) to scan licensees for ongoing compliance, and (3) online community monitoring whereby members of the public can file watchdog reports. In 2003 TRUSTe installed a Watchfire Privacy monitoring system to augment the manual screening done when a Web site first registers for a TRUSTe seal. This new monitoring system ensures that each Web site is screened electronically at least twice a year for compliance with its privacy policy. Information on the budget and Web seals revoked was obtained from TRUSTe's 2003 annual report. Information on complaints and resolution of complaints was obtained from monthly watchdog reports posted at http://www.truste.org/users/users watchdog reports.html.

APPENDIX B
UK Data Protection Act 1984
(Amended in 1998 for Compliance with European Union Privacy Law)

SCHEDULE 1: THE DATA PROTECTION PRINCIPLES

PART I: THE PRINCIPLES

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

(a) at least one of the conditions in Schedule 2 is met (requirements of informed consent), and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The UK Data Protection Act of 1984 can be obtained online at www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm.

APPENDIX C
Enforcement Activity by the UK Information Commissioner for the Five Years from 1997 to 2002

                              1997–1998   1998–1999   1999–2000   2000–2001   2001–2002
Total budget                 £3,661,690  £4,190,489  £4,721,666  £5,280,860  £8,244,982
No. of staff                        109         118         114         126         157
No. of phone inquiries           48,337      48,549      55,070      55,125      56,982
Total complaints received         4,178       3,653       5,166       8,875      12,479
Visits—business premises            471         700         388         480         448
Visits—dwellings                    313         319         199         235         411
Witness statements obtained         378         433         346         355         375
Interviews under caution            136         216          98         144          58
Court prosecutions                   38          59         145          23          66
Court convictions (guilty)           38          55         130          21          33

The information commissioner enforces and oversees the Data Protection Act of 1998. The commissioner is a UK independent supervisory authority reporting directly to the UK parliament. The commissioner's mission is: "We shall develop respect for the private lives of individuals and encourage the openness and accountability of public authorities. We shall promote good information handling practices and enforce data protection and freedom of information legislation; and seek to influence national and international thinking on privacy and information access issues." This information on the budget and enforcement activity of the UK information commissioner was obtained from the commission's annual report, which can be obtained at http://dataprotection.gov.ukar2001annrep/.

REFERENCES

BARTH, J.; G. CAPRIO; AND R. LEVINE. "Bank Supervision and Regulation: What Works Best?" Journal of Financial Intermediation 13 (2003): 205–48.

BROCKETT, P. L., AND S. E. TANKERSLEY. "The Genetics Revolution, Economics, Ethics, and Insurance." Journal of Business Ethics 16 (1997): 1661–76.

CENTER FOR DEMOCRACY AND TECHNOLOGY. "Why Am I Getting All This Spam?" Web site, http://www.cdt.org/speech/spam/030319spamreports.html, 2003.

CHEIT, R. E. Setting Safety Standards: Regulation in the Public and Private Sectors. Berkeley: University of California Press, 1990.

COLEMAN, J. Foundations of Social Theory. Cambridge, MA: Harvard University Press, 1990.

COOK, K. S. (ED.). Trust in Society. Volume II in The Russell Sage Foundation Series on Trust. New York: Russell Sage Foundation, 2001.

DECEW, J. W. In Pursuit of Privacy: Law, Ethics and the Rise of Technology. Ithaca, NY: Cornell University Press, 1997.

DEWALLY, M., AND L. EDERINGTON. "A Comparison of Reputation, Certification, Warranties, and Disclosure as Remedies for Information Asymmetries: Lessons from the On-line Comic Book Market." Working paper, University of Oklahoma, 2003.

DUH, R. R.; K. JAMAL; AND S. SUNDER. "Control and Assurance in e-Commerce: Privacy, Integrity and Security at eBay." Taiwan Accounting Review 3 (2002): 1–27.

ELLICKSON, R. C. Order Without Law: How Neighbors Settle Disputes. Cambridge, MA: Harvard University Press, 1991.

EUROPEAN PARLIAMENT. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. O.J. L281, November 23, 1995.

FEDERAL TRADE COMMISSION (FTC). "Privacy Online: Fair Information Practices in the Electronic Marketplace." Washington, DC, May 25, 2000.

GRANOVETTER, M. "Economic Action, Social Structure, and Embeddedness." American Journal of Sociology 91 (1985): 481–510.

HAYEK, F. A. Law, Legislation and Liberty. Vol. I: Rules and Order. Chicago: University of Chicago Press, 1973.

HEALEY, P. "Discussion of Privacy in e-Commerce: Development of Reporting Standards, Disclosure and Assurance Services in an Unregulated Market." Journal of Accounting Research 41 (2003): 311–15.

HWA, A. P. "The Role of Self-Regulation and the Internet." Journal of Interactive Advertising 1. Web site, http://www.jiad.org/vol1/no2/ans, 2001.

JAMAL, K.; M. MAIER; AND S. SUNDER. "Privacy in e-Commerce: Development of Reporting Standards, Disclosure and Assurance Services in an Unregulated Market." Journal of Accounting Research 41 (2003): 285–309.

KELMAN, S. Regulating America, Regulating Sweden: A Case Study of Occupational Safety and Health Regulations. Cambridge, MA: MIT Press, 1981.

KUPFER, J. "The Ethics of Screening in the Workplace." Business Ethics Quarterly 3 (1993): 17–25.

LA PORTA, R.; F. LOPEZ-DE-SILANES; AND A. SHLEIFER. "What Works in Securities Laws?" Working paper, Harvard University and Yale University, 2003.

LESSIG, L. "The New Chicago School." Journal of Legal Studies 27 (1998): 661–91.

MAILATH, G. J.; S. MORRIS; AND A. POSTLEWAITE. "Laws and Authority." Mimeo, Yale University, 2001.

MCMILLAN, J. Reinventing the Bazaar: A Natural History of Markets. New York: Norton, 2003.

MULLEN, K. "Data Transfers: Negotiating to a Safe Harbor." Cyberspace Lawyer July/August (2001): 8.

NIJHAWAN, D. R. "The Emperor Has No Clothes: A Critique of Applying the European Union Approach to Privacy Regulation in the United States." Vanderbilt Law Review 56 (2003): 939–76.

ORGANIZATION FOR ECONOMIC COOPERATION AND DEVELOPMENT (OECD). OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Web site, http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM, 1980.

POSNER, R. "Social Norms and the Law: An Economic Approach." American Economic Review 87 (1997): 365–69.

POSNER, R. Economic Analysis of Law, Sixth Edition. Aspen, CO: Aspen Law and Business Publishers, 2003.

PUTNAM, R. D. Making Democracy Work. Princeton, NJ: Princeton University Press, 1993.

REIDENBERG, J. R., AND P. M. SCHWARTZ. Online Services and Data Protection Law: Regulatory Responses. Luxembourg: European Commission's Office of Official Publications, 1998.

ROMANO, R. The Advantage of Competitive Federalism for Securities Regulation. Washington, DC: AEI Press, 2002.

STIGLER, G. S. "The Theory of Economic Regulation." The Bell Journal of Economics and Management Science 2 (1971): 3–21.

SUNSTEIN, C. "Social Norms and Social Roles." Columbia Law Review 96 (1996): 903–68.

THOREAU, H. D. Civil Disobedience in The Writings of Henry David Thoreau. Edited by P. Lauter. Boston, MA: Houghton Mifflin, 1906: 356. (Originally published as Resistance to Civil Government, 1849.)

WILSON, J. Q. Politics of Regulation. New York: Basic Books, 1980.

WOLF, C., JR. "A Theory of Non-Market Failures." The Public Interest 55 (1979): 114–33.