Privacy Seals
By Andrew Tan, for ACC 626
Introduction and Overview
Definition of a Privacy Seal
• “Identifiable symbol or logo, voluntarily displayed on a Web site, which graphically asserts that the site has implemented and complies with specified privacy practices”
• The importance of being identifiable
• Displayed on a Web site
• Purpose is to graphically assert something
• What is that “something”?
• Does it work?
• Frameworks governing the seals
• Do public accountants have a future with privacy seals?
Providers of Privacy Seals
What does it take?
• Any company or group can produce a “privacy seal”
• Missing characteristics to be effective?
• Must be identifiable
• Must provide visitors with confidence
• Three dominant privacy seal programs
Popularity of the seals
• Sealholders as of October 2006: TRUSTe (2,598), BBBOnLine (707), WebTrust (25)
• TRUSTe is clearly dominant
• Why bother mentioning WebTrust?
Why bother mentioning WebTrust?
• Developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)
• Granted only by public accountants
• For example:
• Other seals developed by and granted by companies
Differences between seals
• Each seal has different roots
• Independently developed
• Awarded by organizations with differing goals
• Different process for obtaining seal
• Different “meaning” behind each seal
• TRUSTe
• Focus is on privacy
• WebTrust
• Comprehensive level of assurance
Effectiveness of Privacy Seals
Objectives of a seal
• For a visitor
• Obtain assurance over the privacy practices of a website
• Develop an accurate perception of the website
• For a website
• Give the user the perception of assurance
• Sway a visitor’s perception of the website favourably
• Key difference
• A website only wants a user’s perception to be favourable
• OK for visitor to be misinformed in reaching that conclusion
A hypothetical example
• A visitor contemplates making an online purchase
• She is concerned about the order being shipped out on the same day as the day her order is placed
• Processing integrity
• A seal like TRUSTe provides no assurance over this
• But, what if the visitor doesn’t know this?
A hypothetical example
• A seal must be identifiable to be effective
• TRUSTe has 2,598 sealholders, compared to 25 for WebTrust
• Visitors are more likely to come across TRUSTe seals during web browsing
• Which seal will the visitor trust more?
A hypothetical example
• Have the objectives been met?
• Website wants the visitor to be comfortable
• Comfort (positive perception) increases probability of making a sale
• Wants to achieve this efficiently and effectively
• TRUSTe is cheaper and creates a better perception of the website
• However, TRUSTe hasn’t actually provided the assurance that the visitor was looking for
The purpose of recent studies
• Three questions
1. Do privacy seals have an effect on consumers?
2. Do privacy seals work as intended?
3. Can consumers tell the difference between a “low-assurance” seal, such as TRUSTe, and a “high-assurance” seal, such as WebTrust?
Question 1: Do privacy seals have an effect on consumers?
• Do privacy seals actually influence a visitor to follow through with a purchase, or to create an account on a website?
• Do they build trust between the website and the visitor?
• That is, do privacy seals have value?
Studies on the First Question
• “The value added by a Web assurance seal on a company’s website is difficult to quantify”
• Studies between 2000 and 2006 largely positive
• “Companies can reduce their customers’ perceived privacy concerns about providing personal information” by using a privacy seal
• “A firm’s participation in a privacy seal program favourably influences customers’ perceptions of a Web site’s privacy policy”
• “Assurance seals have a positive effect on consumers’ purchasing behaviour”
• “Empirical tests found significant associations between the presence of seals and consumer purchasing behaviour”
Studies on the First Question
• Studies from 2007 onward largely negative
• “The existence of a privacy statement encouraged individuals to provide their personal information, but a privacy seal did not”
• Seals had “little influence on trusting beliefs” and that “accountants’ seals, in particular, were found to be equally ineffective as those issued by other providers”
• “The existence of a privacy seal did not affect individuals’ behaviour”
Question 2: Do privacy seals work as intended?
• Do visitors know the difference between the types of seals and what they represent?
• Do visitors know what is required to obtain the seals, and use this information to make an informed decision about whether to trust the website?
• That is, do visitors know the meaning behind the logo?
Studies on the Second Question
• Conclusions overwhelmingly one-sided
• “Although participants have a basic understanding about privacy seals and about the function of seals, quite a number of them did not know how a seal is obtained and failed to recognize non-genuine privacy seals”
• “Seals potentially meet some of the most acute consumer concerns, but that consumers have inadequate understandings about the seals, and low regard for them”
• “Consumers do not appear to completely understand what seals assure”
• “The premise of privacy seals such as TRUSTe and BBBOnline is widely misunderstood; they do not assure the user’s privacy but only vouch for the accuracy of the site’s privacy policy, and even that is arguable”
Question 3: Can consumers tell the difference?
• Related to Question 2
• Considerable difference in the amount of resources required to obtain a WebTrust seal as compared to a TRUSTe seal
• WebTrust requires a commitment of funds and staff to support a full information systems audit
• TRUSTe only requires monitoring over the Internet
Studies on the Third Question
• Different conclusions drawn from studies in same year
• Lala, Arnold, Sutton, and Guan (2002)
• “The impact of assurance seals varies with the different level of information quality. Individuals had a strong preference for a high information quality seal (i.e., WebTrust) over a low information quality seal (i.e., BBBOnLine)”
• Mauldin and Arunachalam (2002)
• Between WebTrust, TRUSTe, and VISA, “customers perceive no difference between [the] three providers of web assurance”
• “All seals equally impact consumers’ intent to purchase even though each seal addresses different dimensions of information risk”
Points of interest from the studies
• Chronological trends
• Earlier studies found that privacy seals were more valuable
• Able to influence visitor perception favourably
• Linking between positive perception and purchasing behaviour
• Later studies tend to the opposite
• Seals are secondary to privacy policies
• Why is this so?
• Shift in overall consumer acceptance of ecommerce
• Changing attitudes about privacy
Points of interest from the studies
• Form over substance
• Visitors do not know the meaning behind privacy seals
• Overwhelming majority of studies came to this conclusion
• Those that are influenced by privacy seals are more influenced by the perception of assurance, rather than any actual assurance offered by the seal
• As in the hypothetical example, the cheapest and most recognizable seal will provide the highest return on investment
• Obtaining an expensive, yet unrecognizable seal, will certainly result in negative returns, even though more assurance is provided
Points of interest from the studies
• Put two and two together
• Consumers may place additional reliance on high-assurance seals if they knew that the high-assurance seals provided stronger assurance
• But, they don’t know that
• So, as far as a visitor knows, all seals have the same value
• But, not all seals have the same value to a website
• The cheapest, most recognizable seal will do the best in terms of meeting the website’s objectives
Relevant Frameworks
Frameworks for WebTrust
• WebTrust developed based on Trust Services
• Includes a set of Generally Accepted Privacy Principles
• By conforming to GAPP, a website will meet the privacy objective developed by the AICPA/CICA:
• “Personal information is collected, used, retained, and disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA/CICA”
• Information systems audit required to obtain seal
Frameworks for WebTrust
• Generally Accepted Privacy Principles
Generally Accepted Privacy Principle: Definition of Principle
1. Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3. Choice and Consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4. Collection: The entity collects personal information only for the purposes identified in the notice.
5. Use, Retention, and Disposal: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes, or as required by law or regulations and thereafter appropriately disposes of such information.
6. Access: The entity provides individuals with access to their personal information for review and update.
7. Disclosure to Third Parties: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security for Privacy: The entity protects personal information against unauthorized access (both physical and logical).
9. Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. Monitoring and Enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
Frameworks for TRUSTe
• TRUSTe has internally-developed requirements
• Focus solely on privacy practices
• “Core principles”: transparency, choice, accountability
• No audit necessary to obtain seal
• Website submits proof of policy compliance
• TRUSTe monitors compliance over the Internet
Impact on the Accounting Profession
History
• Public accountants developed WebTrust
• Joint effort between the CICA and the AICPA
• Limited success
• Faced strong criticism and calls for change
• So, should public accountants continue to be involved with privacy seals?
Arguments against involvement
• WebTrust clearly a failure
• 1/3 of top 500 websites had a privacy seal in 2001
• None used WebTrust
• Market share negligible
• Failure of WebTrust due to multiple factors
• Lack of brand awareness; other companies abandoning the seal
• Steep prices for WebTrust audits; no direct benefit for additional investment
• Inefficient method for awarding seals
Arguments for involvement
• Recommendations for continuing
• Practice standards should be at a minimum
• Integrated set of services
• Can provide services on top of web assurance
• Advisory services on ecommerce controls
• Help vendors support web seals
Conclusion and Recommendation
Fate of WebTrust
• Current trends
• Decreasing seal effectiveness
• Visitors unable to differentiate a low-assurance seal from a high-assurance one
• Cheaper, low-assurance seals will be more popular
• The public accounting profession developed and supports the costlier, high-assurance seal
• Will eventually be forced out of the market, by the market
Develop a new seal?
• “WebTrust Lite”
• Provide at low cost
• Damage to reputation
• Worth the effort?
Develop a new service?
• Advisory services
• Leverage skill set with controls and other business services
• Ready websites to meet the requirements set out by another seal
• Complementary to the market leader in privacy seals
• Avoids competition with the market leader
• Profession has proven that it is unable to handle that competition
Thank you