مطالعه سیاست های حفظ حریم خصوصی وب در صنایع A study of web privacy policies across industries

Introduction The ever-growing use of the Internet and the collection of Personally Identifiable Information (PII) over it has raised concerns for close to two decades (Culnan, 1999; FTC, 1998). In particular, the problem of how companies handle users’ PII collected over the Internet involves three main players: companies, regulators, and users. Companies, across industries, currently are faced with tough decisions when constructing their privacy policies. On the one hand, many business models are built on collecting, using, sharing, and selling personal information. Such information can be profitable for the company and can be leveraged to improve their product offerings and consumer-facing services. On the other hand, collecting and storing personal information about consumers carries considerable risk, as evidenced by the financial and public relations fallout from high-profile hacks experienced by Target and Sony. Data breaches are occurring at alarming rates, and the public relations and financial fallout from such hacks can be massive. Companies must assess the balance of these risk/value propositions as they construct their privacy policies. In response to high profile data breaches, regulators and policy makers—the second important player—have employed two lines of strategy: (1) holding corporations liable for breaches, imposing fines, and sanctions on organizations that handled consumer data inappropriately and (2) attempting to increase the transparency of privacy and data management practices in privacy policies. The regulators, however, must constantly assess the current state of privacy policies across industries and evaluate the effects of the regulations they establish (Romanosky, Telang, & Acquisti, 2011). Finally, in the face of companies’ carefully constructed privacy policies and regulators’ endeavors to encourage transparency in privacy policies, users have neither the time (Kohavi, 2001; McDonald & Cranor, 2008; Meinert, Peterson, Criswell, & Crossland, 2006; Milne & Culnan, 2004) nor the inclination (Graber, Alessandro, & Johnson-West, 2002; Milne, Culnan, & Greene, 2006) to read privacy policies thoroughly, choosing instead to agree absentmindedly to the various privacy policies. More than ever, consumers need information to help them compare what a privacy policy offers with the status quo (e.g., average privacy practices among the companies that provide similar services).