From the music we stream, to the banking apps we use, to all the purchases we make online, privacy notices have become ubiquitous parts of our digital shopping experiences. But what makes a privacy notice an effective one and do these notices have any impact on our actions as consumers?

Recent research conducted by David Norton, clinical assistant professor of marketing and logistics, and his colleagues from Utah State and Harvard wades into the understudied intersection of consumer behavior and privacy-related information.

Question: What was your team’s motivation for taking a deeper dive into consumers’ reaction to privacy notices?

Norton: It’s obvious that there’s wide variation in the manner and extent to which details about a firm’s privacy practices and handling of data are communicated to consumers. For example, some notices include a lengthy description of the company’s privacy practices, while others are just a brief and often vague statement. Some privacy-related information may even be absent or unavailable, such as when a privacy nutrition label on Apple’s App Store indicates that the developer has not provided details about its data-handling practices. We wanted to address the question of how consumers respond to such differences in the availability and presentation of privacy-related information.

Q: The title of your paper, published by the Journal of Marketing Research, is “The Bulletproof Glass Effect: Unintended Consequences of Privacy Notices.” Explain the meaning behind the title.

Norton: There’s an expectation that when companies tell their customers how their personal data is protected, this disclosure should make them feel more secure. However, consistent with the analogy that bulletproof glass can increase feelings of vulnerability despite the protection it offers, we find that formal privacy notices can actually decrease consumers’ trust and their interest in making a purchase.

Q: So, open and straightforward messages about how our data is being managed don’t necessarily equate to peace of mind? Was that surprising?

Norton: That’s right. And it was a little surprising. In some cases, we were telling consumers explicitly the various ways that the firm went about protecting their personal information. That should make us feel more trust toward a firm since we know they’ve at least given my privacy some consideration. But it turns out that consumers have very emotional reactions to their personal identity, and that often overrides the assurances that firms are trying to give.

Q: How did you go about comparing and contrasting different privacy statements and consumers’ sentiments and reactions to them?

Norton: Interestingly, some of the insights in the paper came to us through a bit of luck. We wondered whether all privacy notices used identical language and which, if any, language was the “scary stuff.” So, we ran privacy policies of a variety of Fortune 500 firms through a text analysis. What we discovered was that these policies can vary quite widely. One particular way they vary is in how these firms go about trying to communicate that they are worthy of a consumer’s trust. Some firms use language that describes their competence, ‘We’re good at what we do.’ And other firms speak more relationally, about ‘acting in the consumer’s best interest.’

We wondered if there would be a difference between consumers’ desire to purchase from a company based on whether they had one type of privacy notice or the other. Turns out there is a difference!

Q: You found that “benevolence cues” are important to the efficacy of and trust in privacy notices. What are they and how do they help mitigate potential distrust?

Norton: There is a general reaction when we hear about privacy. That reaction is protective. We want to protect ourselves from bad things that might happen to us; the same is true about consumers and their personal information. The way to combat that protective reaction is to show consumers that you share the same goal of preventing bad things. “Benevolence cues” do just that. They are words and phrases that demonstrate that a firm is “on the same side” as the consumer. It can be as simple as saying, ‘We care about your privacy,’ or ‘We are committed to treating you fairly.’

Q: What were the most significant takeaways from the research?

Norton: I think there are two major things that I see as valuable learnings from this work, and they both have to do with how firms approach relationships with consumers. The first is that even firms’ best intentions can backfire. We want to be (and sometimes are required to be) transparent with our customers, but sometimes that has unintended consequences.

Second, consumer trust comes from beliefs that organizations: a) can do what’s necessary to protect consumer data, and b) want to do what’s necessary to protect consumer data. For consumers and their privacy, it seems more important that a firm is by their side.

Q: How can companies and organizations utilize the insights from the research?

Norton: This research can provide managers with better insights to help them create and convey privacy information more effectively without hurting purchase interest. For example, a field study with a financial services firm showed that prominently displaying detailed privacy protections significantly decreased enrollment rates, but our online experiments suggested that such losses can be avoided by incorporating benevolence cues into a privacy notice.

For companies, it’s imperative they understand how their consumers are reacting to these privacy notices. If these notices are lacking or aren’t crafted with intentionality, they can decrease consumers’ willingness to trust a company with their personal information and ultimately drive down purchase interest.
