
The control paradox in the realm of privacy : the effect of level of control and mindset on information disclosure


The Control Paradox in the Realm of Privacy:

The effect of level of control and mindset on information disclosure.

Master Thesis

MSc Business Administration – Digital Business

Eleonore Vollebregt

11948043

Supervisor: Dr. Joris Demmers

21/06/2018

Final Thesis


Statement of Originality

This document is written by Eleonore Vollebregt, who declares to take full responsibility for the contents of this document. I declare that the text and the work presented in this document are original and that no sources other than those mentioned in the text and its references have been used in creating it. The Faculty of Economics and Business is responsible solely for the supervision of completion of the work, not for the contents.


Abstract

The GDPR has recently been implemented in the European Union as a mechanism to protect European citizens from privacy harm. Additionally, there is an increase in privacy concerns due to the existence of the Web 2.0 and Big Data. Furthermore, it is observed that in spite of concerns related to privacy, individuals engage in a tremendous amount of personal information disclosure activities, which is known as the privacy paradox. Therefore, this study examines cues that could explain the privacy behavioural pattern of personal information disclosure. Specifically, this paper studies how mindset moderates the effect of level of control on personal information disclosure. Additionally, it is examined how valence of consequences affects the relationship between level of control and personal information disclosure. The study was conducted as an online experiment, in which individuals were assigned to different settings of the level of control (low, moderate and high) and of mindset (abstract or concrete). To measure personal information disclosure, participants of the survey were asked to fill out a form. The analysis of results was conducted by a factorial ANOVA using the software SPSS. A comparison between the low, moderate and high level of control led to no statistically significant result; thus, these outcomes provide no evidence for the existence of the control paradox. Furthermore, no moderation effects of mindset and valence of consequences were observed.


Table of Contents

Statement of Originality

Abstract

Table of Contents

Introduction

Theoretical Framework

Privacy Paradox

Privacy Self-Management Through Control

The Role of Consequences in Privacy Decisions

Construal Level Theory

Valence of Consequences

Research Question and Hypotheses

Conceptual Model

Methodology

Research Design

Sample & Procedure

Survey & Stimuli

Variables

Survey Flow

Analysis & Results

Data Preparation

Statistical Procedures

Results Manipulation Checks

Results Factorial ANOVA

Data Preparation & Results Valence of Consequences

Overview Hypotheses

Discussion of Results

General Discussion

Theoretical and Practical Implications

Theoretical Implications

Practical Implications

Limitations and implications for future research

Conclusion

References


Introduction

On the 25th of May 2018, the General Data Protection Regulation (GDPR) went into effect within the European Union. The law is established in order to protect European citizens from data misuse by various institutions that can store and access personal data. The latest privacy regulation (GDPR) in the EU attempts to unify privacy policies within EU countries, to provide adequate protection and control over personal data for European citizens and to change the rules for how organizations manage data and privacy (European Commission, 2018). The focus of the legislation is on transparency and control for consumers. Organizations are obliged to have transparent communication in an understandable and easy language to consumers about how and why data will be used. Additionally, consumers gain more control, through extra tasks such as unticked boxes of cookies on websites. This means consumers have to choose for every single item specifically whether they agree or not, instead of merely clicking on a button. Thus, consumers have to opt in, which demonstrates an intentional action of the individual to agree with the terms and conditions. Overall, the goal is to protect citizens in the age of big data through enabling them to make more conscious and well-informed privacy decisions.

Previously, the privacy policies that consumers could read were often written in complicated legal jargon, which was hard to understand for most consumers. Furthermore, it has been shown that information asymmetry and bounded rationality hinder the ability of rational individuals to make entirely informed and rational decisions and that as a result people provide personal information (Acquisti & Grossklags, 2004; Solove, 2013). The GDPR aims to tackle these issues in order to decrease information asymmetry to enable well-informed privacy related decision-making. The obtained rights for EU citizens through the GDPR are: breach notification, right to access, right to be forgotten, right to ask the provider to transmit data, right for transparent information and right to provide informed consent (European Commission, 2018). The enforcement of the new law raises a lot of questions related to privacy and personal information sharing. Are privacy protection mechanisms appropriate and effective measures? Does legislation change rapidly enough in the era of big data? Does privacy protection and regulation result in the outcomes that policy-makers desire? Are consumers ready to manage their own data and participate in privacy self-management? Currently, there is a lot of uncertainty about privacy and the direction that privacy regulation is going in, which places emphasis on control and consent (Solove, 2013). Therefore, it is of great interest to study whether control as a protection mechanism for the privacy of citizens is an effective measure. Thus, this research studies control in relation to personal information disclosure.

Today, big data is increasingly valuable for organizations and an enormous number of institutions are collecting data in order to get to ‘truly’ know their customer. Alongside the increase of data collection, there is a growing awareness of risks associated with information disclosure and consumers increasingly express concerns (Norberg, Horne & Horne, 2007; Phelps, Nowak & Ferrell, 2000). Despite expressed concerns, there is a lack of discretion and in general consumers do actually reveal a lot of information online. This is labelled as the ‘privacy paradox’, which refers to the dichotomy that exists between privacy attitude and privacy behaviour (Kokolakis, 2017; Norberg et al., 2007). Policy makers attempt to ensure privacy protection, yet it remains a difficult task to find adequate measures (Solove, 2013). In the ‘information age’ the barrier to reveal information is low and the trade-off being made often results in information disclosure regardless of concerns (Norberg et al., 2007).

Currently various explanations exist for the gap between privacy attitude and privacy behaviour (Acquisti, Brandimarte & Loewenstein, 2015; Kokolakis, 2017). Nevertheless, there is not one uniformly accepted theory. A major theory that attempts to explain the privacy paradox is the Construal Level Theory, which describes the observation of different behavioural patterns through the difference in mindset that people have when expressing concerns and when they are engaged in an activity (Hallam & Zanella, 2017). Furthermore, people claim that if they had more control over information sharing, they would safeguard their privacy more (Phelps et al., 2007). However, the provision of more control to consumers can have the opposite effect, meaning that they might even reveal more information online, which is known as the ‘control paradox’ (Brandimarte, Acquisti and Loewenstein, 2012). This implies that conventional mechanisms such as choice and consent might no longer be sufficient for protection of personal information, which Solove (2013) also questions. Different academics attempted to explain the existence of the privacy paradox; however, little evidence and literature is to be found on the control paradox. Therefore, this study will shed light on the control paradox within the field of privacy literature. Especially now that the GDPR has been implemented, understanding the effect of increased control (on the consumer end) is of high value. This study builds on the privacy paradox, the control paradox (Brandimarte et al., 2012) and the Construal Level Theory (Trope & Liberman, 2003). In order to address the current gap in literature, the research questions of this paper are the following:

“To what extent do individuals with a high level of control over personal information engage in more personal information disclosure? What is the role of mindset (abstract/concrete) in the relationship between the level of control and personal information disclosure?”

To answer the research question, the proposed conceptual model of this research is the following. The control paradox is the building block of this paper. Therefore, the independent variable is level of control (low/moderate/high) and the dependent variable is personal information disclosure. The moderator in this research is mindset (abstract/concrete), because mindset can affect behaviour of individuals (Gollwitzer, 1990; Hallam et al., 2017; Murphy & Dweck, 2016).


This research contributes theoretically to privacy literature and in practice to legislators and organizations in the following manners. Firstly, the results question the existence of the control paradox. Therefore, it is discussed whether the existence of the control paradox can contribute to explaining the privacy paradox. Secondly, the outcome of this study contributes to legal practice through demonstrating whether privacy policies and regulation are moving in the right direction, i.e. currently policies and regulations aim to give citizens more control over their personal information. However, control mechanisms for privacy protection might not be as effective as intended. Thirdly, organizations can learn from the outcomes that the provision of more control to consumers might not result in less data collection for organizational purposes. Thus, regulations such as the GDPR might not hinder data collection.

This paper is structured in the following manner. First, the theoretical background relevant to the research question is elaborated in the literature review and hypotheses are formulated. This is followed by the methodology used for data collection and analysis. Next, the results of the analysis are presented followed by a discussion of the results. Finally, concluding thoughts are reported with limitations and implications for future research.


Theoretical Framework

In this section a comprehensive overview of the relevant literature and theoretical background for this paper is provided. First, privacy is defined and the privacy paradox is introduced. Next, control in relation to privacy is discussed by means of the new GDPR law, the control paradox and the consent dilemma. This is followed by more in-depth information on the Construal Level Theory as a clarification for the existence of the paradox and as a mechanism affecting behaviour. Finally, the research question and associated hypotheses are formulated.

Privacy Paradox

Privacy is a widely discussed topic today; in a world with growing privacy concerns resulting from technological developments, the rise of Web 2.0 and Big Data this is a sensible development (Solove, 2013). The evolution of technology results in an undeniable increase of data collection, storage and analysis of consumer information. Marketers are becoming more powerful than ever before now that they are able to ‘truly’ know their customers (Norberg et al., 2007). They leverage their knowledge to find the ideal customer for their products and services and then communicate to them in a personalized manner through multiple channels. Not just organizations can benefit from data sharing; customers also potentially benefit from personalized offers such as products and services (Norberg et al., 2007; Peltier, Milne & Phelps, 2009). For suppliers, big data creates a tremendous number of opportunities, but alongside the opportunities, many risks and concerns about privacy also arise. Not only consumers, but also governments and other entities such as privacy activists express privacy concerns (Norberg et al., 2007). In the so-called ‘information age’ privacy problems are one of the unfavourable outcomes (Norberg et al., 2007). The developments in the technological field result in exposure of personal information both consciously and unconsciously (Acquisti et al., 2015). Individuals encounter an increasing number of decision moments in which they have to decide whether to share data, in order to enjoy potential benefits, or rather hide information to protect themselves without reaching their goal. An example of such a disclosure decision is that people who desire to be active on social media need to create an account and provide personal information such as name, email and age among other things. Here the resulting personal benefit is the enjoyment of participating in social activities and the downside is that personal information needs to be shared in order to reach a goal and there is an associated risk of data misuse. This is just one example (out of many) of a decision moment about personal information that consumers are faced with today.

First of all, what is understood by privacy in this study is defined. An early definition of privacy is that it is the right to be left alone (Warren & Brandeis, 1890; Westin, 1967; Westin, 2003). Privacy is also defined as the privilege of an individual to decide upon what information is known by others (Westin, 2003). Kokolakis (2017) points out three distinct types of privacy in his study, namely, territorial privacy, privacy of a person and informational privacy. In this paper, the term privacy refers to informational privacy. Informational privacy is concerned with the protection of personal data and the control that one has over their data. In this definition control is not limited to just the ability to decide over the disclosure of personal information; it also comprises the collection, storage, processing and distribution of personal data (Xu, Teo, Tan & Agarwal, 2009; Bélanger & Crossler, 2011; Acquisti et al., 2015; Kokolakis, 2017).

It is important to note that the term privacy has an ambiguous nature and various researchers have studied it differently. In some studies, measures of privacy show something about privacy concerns in relation to current and future states of the participants’ privacy. In other research, by contrast, privacy measures explain more about the privacy attitudes of participants of the study. Another measurement of privacy relates to privacy behavioural intentions (Kokolakis, 2017; Norberg et al., 2007). It is important to be aware of these differences when studying privacy related issues, in order to interpret the underlying concepts and results in the right manner. Privacy attitude itself is hard to measure; therefore, studies might deviate from attitude towards privacy concerns or privacy intentions. In this study, privacy relates to informational privacy and it is not measured directly, but an underlying construct is measured.

Thus, in the digital age, there is an increasing amount of discussion about informational privacy. Consumers say they care about their privacy and express concerns about whether it is handled in a secure manner. It is remarkable that in spite of the privacy attitudes that consumers have, a contradictory behavioural pattern is regularly observed (Acquisti et al., 2015; Kokolakis, 2017). As mentioned in the introduction, this phenomenon is framed as the “privacy paradox”, in which consumer attitude differs from actual consumer behaviour (Brown, 2001; Norberg et al., 2007; Kokolakis, 2017). Some scholars try to answer why there exists a dichotomy between attitude and behaviour, while others claim that the paradox is non-existent as consumer attitude and concern are not the only factors that affect behaviour (Acquisti et al., 2015; Kokolakis, 2017). Results of numerous studies show evidence for the existence of the privacy paradox; therefore, this study builds upon the privacy paradox (Acquisti et al., 2005; Beresford et al., 2012; Kokolakis, 2017; Norberg et al., 2007). Furthermore, this research includes a potential mechanism that could affect the outcome of privacy behaviour, namely, the amount of control that individuals have over their personal information. In the next chapters, the control paradox and the construal level theory are explained, working towards the definition of the research questions and hypotheses for this study.

Privacy Self-Management Through Control

Phelps et al. (2000) found support that consumers express concerns about how companies use collected personal data. Besides the concerns, they found that consumers do actually desire more control over data they provide to organizations. However, in the realm of privacy, a commonly articulated concern is that there exists uncertainty whether individuals are capable of managing their privacy and information sharing themselves (Brandimarte et al., 2012; Solove, 2013). Therefore, regulations and protection mechanisms are set up in order to contribute to information privacy protection, since people are not assumed to be able to competently self-manage their privacy. A reason for this inability of self-management is the so-called privacy fatigue, which Choi, Park & Jung (2018) use for explaining high information disclosure in spite of concerns. Privacy fatigue refers to the difficulty of managing privacy online, leaving people with the sentiment of not being in control, ultimately leading to more information disclosure (Choi et al., 2018). Additionally, Solove (2013) highlights different reasons for the inability of privacy self-management: there are too many different entities collecting data and it is practically impossible to get an accurate overview of the benefits and costs and to completely understand the potential consequences. Both explanations for the inability of individuals to self-manage their privacy capture the essence that there is too much information to process, making it too difficult to make fully informed decisions. The GDPR addresses this with an effort to obtain more transparent information for consumers. Nevertheless, although the information might become easier to understand, the quantity of information that consumers need to process will not decrease. In fact, due to the GDPR, consumers will actually need to do additional tasks, which can increase privacy fatigue.

Taking into account the expressed privacy concerns and the claims that people want more control in order to protect themselves from privacy harm, the expectation is that people with more control over their information will reveal less about themselves. Paradoxically, Brandimarte et al. (2012) uncover the so-called “control paradox”, which describes that providing more control can actually result in more information disclosure, which is an unwelcome effect for legislators and for consumers. The provision of more control is supposed to serve as a protection mechanism resulting in less information disclosure (Brandimarte et al., 2012). Currently, the focus in legislation is on the provision of control, offering the option to reveal personal information, e.g. GDPR. There is a remarkable emphasis on control rather than on the collection and processing methods of data and whether these methods are acceptable or not (Solove, 2013). This is noteworthy because it is unknown what the actual effects of control on privacy behaviour are.

Additionally, the emphasis by policy-makers on informed consent in legislation can also be questioned in its effectiveness. Solove (2013) concludes that consent enables the acquisition and use of personal data for companies; however, consumers lose their control at the moment they provide consent and then the power over the data is in the hands of another. Therefore, it can be argued that from the perspective of consumers and policy-makers, this does not appear to provide real and adequate protection. In the field of privacy regulation, there is an issue called the “consent dilemma”, describing that the control that people are provided with through consent is not always sufficient for protection, while simultaneously it is difficult in privacy regulation to find other effective protection mechanisms without hindering freedom of choice and becoming paternalistic (Solove, 2013). Governments and regulations are occupied with finding ways to provide more control to individuals without putting them at more risk of privacy harm and to enable people to make their own privacy choices (Solove, 2013; Westin, 1967). An example of an attempted solution is informed consent in the GDPR, which attempts to provide more control and more transparency through this mechanism (European Commission). The main purpose of privacy legislation is to protect individuals from privacy harm and organizational data misuse; therefore it is of great importance to have a profound understanding of what the behavioural outcome is of granting more control over personal information.


It is important to uncover why more control might result in more information disclosure. The control paradox might be explained by the fact that control has an effect on the riskiness of behaviour in such a way that more control results in riskier behaviour. This is explained by the fact that more control can give a more secure feeling. In prior research, control has been proven to affect risk perception and risk behaviour (Brandimarte et al., 2012; Klein & Kunda, 1994; Weinstein, 1984). An example of riskier behaviour due to more control is that in general people prefer driving a car to flying somewhere. It is known that there are more car accidents than plane accidents; however, the feeling of being in control results in the preference for driving (Klein et al., 1994). Accordingly, the Peltzman Effect clarifies increases in unsafe behaviour through more security. The Peltzman Effect holds that due to more safety through regulations, people might actually start showing riskier behaviour (Prasad & Jena, 2014). As the current information privacy regulations are updated and more regulations are implemented, a more secure feeling among individuals can arise, which in turn can result in more unsafe privacy behaviour, translated into information disclosure. Prior literature has failed to extensively study the effect of control on disclosure behaviour with respect to privacy, which is essential to know, as policy-makers focus on control mechanisms for protection.

The Role of Consequences in Privacy Decisions

Construal Level Theory

As previously stated, the privacy paradox concerns the gap between attitude and behaviour regarding privacy decisions. This means attitudinal preferences are often unreliable indicators for behavioural outcomes. The Construal Level Theory (CLT), retrieved from social psychology literature, has been used to explain the privacy paradox (Hallam et al., 2017). The CLT is a theory in which the psychological distance of an object or event is the subjective understanding of something being nearby or distant. The point of reference is oneself and the here and now, making psychological distance an egocentric construct (Trope et al., 2010; Hallam et al., 2017). Psychological distance within CLT consists of 4 dimensions that are interrelated, namely, spatial, temporal, social and hypothetical distance from the perceiver (Trope et al., 2010). An individual's psychological distance to an object or event depends on the mental construal that one has at that point in time, which is either abstract (a high-level construal) or concrete (a low-level construal). The low-level construal, a concrete mindset, is associated with psychological proximity of objects and events, as opposed to the high-level construal, an abstract mindset, which is associated with psychologically distant objects and events. Different types of tasks bring about different types of mindsets, which in turn help to carry out that task successfully (Gollwitzer, 1990). Thus, for events occurring in the near future, a concrete mindset is more likely to be activated, as opposed to when an event is more distant (Trope et al., 2003). A concrete mindset is associated with more detailed, specific thinking about a given object or event, whereas an abstract mindset describes thinking about objects or events as more general, broad constructs.

High- and low-level construals are assumed to influence consumer behaviour (Gollwitzer, 1990; Hallam et al., 2017; Murphy et al., 2016). Consequently, the CLT explains the privacy paradox in such a way that individuals are likely to have an abstract mindset when expressing concerns about privacy related topics (privacy attitude), as opposed to the concrete mindset that individuals have when they are doing a specific task (privacy behaviour). With abstract thinking, events improbable to occur and further removed from the perceiver will come to mind more easily; it enables thinking about future events and consideration of the less likely (Wakslak, 2007; Wakslak & Trope, 2009). Therefore, in the concrete mindset, future risks of that disclosure decision might be less present in one’s mental representation, as opposed to someone who is thinking abstractly. This is explained by the fact that an abstract mindset (high-level construal) is associated with distance, as opposed to a concrete mindset (low-level construal) that is associated with nearness (Kyung, Menon & Trope, 2013). This means that in behavioural contexts, people are assumed to think concretely, thus short-term consequences rather than long-term consequences are more likely to be present in one’s mental representation at that point. Additionally, people are willing to take more risks for events that occur in the distant future (Gilovich, Kerr & Medvec, 1993). Therefore, when someone is making a disclosure decision, having a concrete mindset, this person might be willing to take more privacy risks, which are associated with more distant consequences. Events from which consumers might directly experience the consequences could be ordering something on a website, joining a social network, a discount, etc.

Overall, mindset can influence behavioural outcomes. Mindset can affect how someone thinks about consequences of certain objects or events. More specifically, when consumers encounter disclosure decisions they are assumed to have a concrete mindset. This means that at that point, there is an increased probability of higher disclosure of personal information, as they see it as something they have to do to reach their goal and long-term consequences might be less salient in one’s mental representation at that specific moment. Therefore, mindset can be one of the explanations for the privacy paradox, as people have a different mindset during the formulation of a privacy attitude than for actual disclosure decisions that they engage in. Moreover, mindset can affect the evaluation of consequences and, hence, disclosure behaviour. Furthermore, previous literature has not included the impact of mindset on disclosure behaviour with respect to the level of control over personal information.

Valence of Consequences

Besides the mindset that one has at the decision-making moment, the valence of associated consequences of a disclosure task might also play an important role. Valence of consequences refers to whether the consequences that come to mind at a decision moment are perceived to be more positive or more negative. In this section, the role of consequences and sensitivity of information in disclosure decisions is elaborated. It starts with some insights into disclosure behaviour as a result of a benefits and costs analysis, discussed by means of the Privacy Calculus Theory. This is a well-known explanation for the privacy paradox, which explains the consideration that individuals make before revealing personal information about themselves. Moreover, the theory views disclosure behaviour as a benefit-cost assessment. Consumers have the tendency to provide information when the benefits they obtain after disclosure outweigh the costs at the decision moment (Culnan & Bies, 2003). Thus, individuals tend to share personal information in exchange for a social or economic benefit after an assessment of the associated risks (Culnan & Armstrong, 1999; Culnan et al., 2003). Then, a privacy trade-off is made, with the result of this trade-off affecting disclosure behaviour of personal information. Moreover, when the gained benefits are higher than the potential losses, behaviour might deviate from the expressed privacy concerns or attitude that one has, which in turn explains the privacy paradox. Therefore, the benefits and costs associated with a disclosure moment are consequences that are assumed to affect the outcome of a decision.

The benefit-cost analysis that consumers make before a disclosure decision is not only dependent on personal differences, that is, the fact that people perceive benefits and costs differently. The outcome is also shaped by contextual differences, such as which firm is asking for information and what type of information is asked for (Acquisti et al., 2015; Phelps, Nowak & Ferrell, 2000). This means that disclosure behaviour is partly explained by the sensitivity of information. The sensitivity of information can affect perceptions of risk, such that for more sensitive information the risks are perceived as higher, e.g. risk of losing control or risk of embarrassment (White, 2004). Thus, the willingness of consumers to provide companies with personal information is often dependent on the exact type of personal data that is asked for (Phelps et al., 2000). An example of Phelps et al. (2000) is that people are less willing to disclose financial information than demographic and lifestyle information. According to Culnan et al. (2003) this is correlated with the social exchange theory and privacy calculus. As previously stated, disclosure decisions are made after an assessment of the associated benefits and risks that come with that disclosure task. In addition, the higher the sensitivity of information, the higher the perceived associated risks are, which affects the outcome and is more likely to result in less disclosure. Thus, the sensitivity of the information that is asked for is also a cue in disclosure decisions (Mothersbaugh, Foxx, Beatty & Wang, 2012). Additionally, when individuals engage in a risk-benefit analysis, their decision reflects their knowledge of potential benefits and risks. However, individuals seldom have a complete understanding of the consequences of their decision. Therefore, a trade-off is made as a result of uncertainty due to incomplete information and information asymmetry, which is the bounded rationality in privacy self-management (Acquisti et al., 2015). As stated before, new laws, such as the GDPR, attempt to tackle this issue by requiring firms to be more transparent in their communication.

Thus, the salience of consequences is of importance in the process of making a decision about the provision of information to another. Additionally, it is argued that bounded rationality implies that consumers are unable to fully understand and be aware of the consequences associated with a specific event. This in turn means that bounded rationality can be one of the underlying reasons for high disclosure. It means that individuals are assumed to be unaware of the trade-off that they make and are uncertain about the associated risks of disclosure behaviour (Acquisti et al., 2015). Disclosure decisions come with various consequences that a consumer assesses when making the decision, which is done through the cost-benefit analysis. Drawing from this, it matters for disclosure behaviour which specific consequences come to mind and whether these consequences tend to be perceived as more positive or as more negative. Additionally, the sensitivity of the information that is asked for can affect the consumers’ perception of the valence of the consequences.

Furthermore, according to the Construal Level Theory, mindset influences which consequences come to mind more easily and whether the consequences are more short-term or more long-term oriented. The combination of the Privacy Calculus Theory and the Construal Level Theory is expected to influence disclosure in such a way that some consequences come to mind more easily depending on mindset, and the perceived valence of these consequences can affect the benefit-cost analysis. Additionally, the immediate gratification bias explains that people view the current benefits as more valuable than the associated future risks (Acquisti, 2004). If someone wants to purchase something online, this person is likely to have a concrete mindset and will probably think of the short-term benefits that come from buying that object. In this situation, long-term consequences of disclosure are expected to be less salient at that point, resulting in the decision to share personal information in order to reach the goal of buying that specific item. The opposite effect is proposed for when someone has an abstract mindset at the moment of disclosure and more negative consequences come to mind. Therefore, the valence of consequences is expected to affect disclosure behaviour. Both the valence of consequences and the mindset that people have when facing a decision moment could in turn influence the relationship between the level of control and disclosure behaviour.

Research Question and Hypotheses

The privacy paradox and the control paradox both require more in-depth research. The difference between the two is that the privacy paradox is about the gap between privacy attitude and privacy behaviour, whereas the control paradox highlights that more control can result in more information disclosure. Basically, the control paradox could be an underlying construct of the privacy paradox, explaining why different disclosure behaviours exist by means of level of control. Despite the introduction of the control paradox in 2012 by Brandimarte et al., there is little other evidence of the existence of the paradox. In this research further
investigation of the control paradox is conducted, because of its theoretical value, but also for its high relevance for policy-makers, who are currently providing more control to consumers through legislation. The reason for this is that control is one of the mechanisms through which legislation currently wants to empower citizens to protect themselves from privacy harm while maintaining freedom of choice in what information is accessed, stored and used by others (Solove, 2013). Hence, this study attempts to observe the effects of different levels of control on personal information sharing, specifically whether a high level of control results in high levels of disclosure. Furthermore, no study up to this point has included the effect of mindset on the relationship between level of control and personal information disclosure. The outcomes of disclosure behaviour could differ substantially across different mindsets, because consequences are construed differently in one’s mind at different levels of mindset. Thus, this paper includes the moderating effect that mindset can have at the moment of disclosure decisions. Consequently, the question this paper attempts to answer is the following:

“To what extent do individuals with a high level of control over personal information engage in more personal information disclosure? What is the role of mindset (abstract/concrete) in the relationship between the level of control and personal information disclosure?”

This paper builds upon the observed control paradox and the Construal Level Theory in order to obtain a more in-depth understanding of privacy behaviour, specifically of disclosure behaviour. Outcomes could contribute to explaining the privacy paradox in such a way that control is also a cue in disclosure decisions, meaning that privacy behaviour is a multidimensional construct, not solely influenced by attitudes. Therefore, new insights retrieved in this paper will help with understanding the construct and dimensions of the privacy
paradox more thoroughly. Additionally, results have practical implications and give an opportunity for a critical reflection on current privacy legislation, such as the GDPR.

Thus, the purpose of new laws, such as the GDPR, is to contribute to privacy protection of individuals partly through provision of more control to consumers. Hence, some legislation currently provides people with more control than before so consumers can self-manage their privacy. From this, it can be argued that policy-makers believe that more control will result in less disclosure behaviour, so privacy risks are reduced. Additionally, legislators appear to have the perception that individuals are capable of self-managing their privacy to some extent. This contradicts the findings of several studies, which argue that consumers are not capable of privacy self-management due to privacy fatigue, information asymmetry and the large number of data-collecting organizations (Acquisti et al., 2004; Choi et al., 2018; Solove, 2013).

Theory has shown that high control might actually result in the opposite of the desired outcome, namely, high disclosure behaviour. This could be explained by changed risk perceptions, for which control is distinguished to be a determinant (Brandimarte et al., 2012; Klein et al., 1994). Moreover, increased control can create an illusory feeling of security, and control can reduce privacy concerns (Brandimarte et al., 2012; Xu et al., 2009). This in turn can result in higher disclosure for people with more control than for people with less control, because people with high control perceive more safety. With the control paradox as starting point, expectations are that people with more control over personal information reveal more about themselves. Therefore, the first hypothesis is formulated to test the existence of the control paradox, in which people with high control share more information than people with a low level of control.

H1: For individuals with a high level of control over personal information, personal information disclosure is higher than for individuals with a low level of control over personal information.

Following on from H1, H2 is formulated to include a 3rd level of control, namely, moderate control. The reason for its inclusion is to see whether small changes in the level of control already change the amount of personal information sharing. In the GDPR, small changes are made to increase the level of control for consumers, such as the opt-in option, which is an additional task in which individuals have to show an intentional action of agreement. This is why it is interesting to include multiple levels of control, rather than just 2 levels: the 3rd level is included in order to observe whether minor adjustments in control lead to different levels of disclosure. As high control is expected to result in more personal information disclosure than a low level of control, moderate control is expected to result in an average amount of personal information being revealed by consumers. For this reason, H2 is defined as follows:

H2: For individuals with a moderate level of control over personal information, personal information disclosure is:

a) Lower than for individuals with a high level of control over personal information.

b) Higher than for individuals with a low level of control over personal information.

Retrieved from the literature review, the Construal Level Theory explains the dichotomy between attitude and behaviour, therefore, it is interesting to see whether there exists a moderating effect of mindset on the outcome of different levels of control on disclosure behaviour. The reason for this is that mindset is an underlying psychological construct of behaviour. It is expected that people with an abstract mindset will engage in less personal information disclosure than people with a concrete mindset. The reason for this is that the CLT
explains that with an abstract mindset, consumers are more likely to think of future events that could occur, which in this context could be the long-term privacy consequences. Additionally, people with a concrete mindset are expected to engage in more personal information disclosure because then short-term consequences that are directly experienced are expected to be more salient in one’s mental representation. Furthermore, short-term consequences are more likely to be the benefits of the goal, whereas the long-term consequences are more associated with privacy risks. Thus, for someone with a high or low level of control and a concrete mindset, disclosure is expected to be higher than for someone with a high or low level of control and an abstract mindset. The mindset that people have is of interest in this study because it can unravel the psychological constructs that underlie privacy behaviour. Therefore, mindset is included as a moderator. Hence, H3 is formulated as follows:

H3: The effect of level of control on information disclosure is moderated by the mindset that individuals have at the moment of disclosure, in such a way that:

a) It leads to more personal information disclosure for individuals with a concrete mindset at the moment of disclosure.

b) It leads to less personal information disclosure for individuals with an abstract mindset at the moment of disclosure.

To recapitulate from the literature, there is another important aspect that affects disclosure behaviour, namely, the valence of consequences of a disclosure decision. The mindset that people have might determine which consequences come more easily to mind in terms of short-term and long-term, but the valence of consequences is also expected to play a role in disclosure behaviour. When people are making a benefit-cost analysis of a disclosure decision, it is of relevance whether the consequences that are salient in one’s assessment have a positive or
negative perceived value. Additionally, effects of control on disclosure can be substantially different depending on the valence of consequences. Namely, if someone with a high level of control perceives the consequences as more negative and someone with a low level of control perceives consequences more positively, the effect of H1 might be reversed. This means that in this case, someone with low control and an overall positive valence of consequences is expected to engage in more information disclosure than someone with high control and an overall negative valence of consequences. This is explained by the Privacy Calculus Theory, which claims that when benefits outweigh costs, one will engage in high disclosure, whereas when costs outweigh benefits this can result in lower disclosure (Culnan & Bies, 2003). Therefore, valence of consequences is included in this study, testing whether a moderating effect of valence of consequences exists on the relationship between level of control and personal information disclosure. Consequently, H4 is formulated as follows:

H4: The effect of control on information disclosure is moderated by valence of consequences in such a way that with positive valence of consequences information disclosure is higher than for individuals with negative valence of consequences.

Conceptual Model

Methodology

In this section, the methodology of the study is presented. First, the research design is briefly discussed. This is followed by the elaboration of sample and procedure. Next, the different measures of the variables used in this research are elaborated.

Research Design

The aim of this research is to study the effect of level of control, the independent variable (IV), on disclosure behaviour, the dependent variable (DV). Additionally, it is tested whether there exists a moderating effect of mindset (IV), which is either abstract or concrete and was chosen based on the Construal Level Theory, on the relationship between control and disclosure. In order to test the previously presented conceptual model, a quantitative study was set up and data was collected by means of a survey. The design used to test the causal relationship is an online survey-based between-subject 3 (low control/moderate control/high control) x 2 (abstract/concrete) experiment design. In order to include valence of consequences (as a moderator), each respondent of the survey had to answer questions at the end that indicated whether the consequences they thought of were perceived as negative or positive.

Sample & Procedure

There were no requirements for the sample in this study as the focus was on disclosure behaviour, hence, no boundaries were set for a population of interest. This facilitated the search for respondents. The minimum required number of respondents was 50 respondents for each condition, which is 50 x 6, thus a sample size of 300 respondents was needed (VanVoorhis & Morgan, 2007). Data was retrieved through spreading the survey through social media and using the platform Mturk. In total there were 495 responses of the experiment, however, only 221 were taken into account. The reason for this was that some respondents answered inappropriately to the mindset questions, e.g. the word ‘good’ for every answer. Therefore, it

Additionally, the incomplete surveys were deleted. The survey software Qualtrics was used for the creation of the between-subjects experiment design. The research was performed following the code of ethics of the University of Amsterdam. As the dependent variable in this research was personal information disclosure, some personal questions were asked to the participants and some participants became personally identifiable. However, for this study the content of the information was not relevant, instead the amount of disclosed information was the information of interest. Therefore, the acquired information was anonymized and collected data was entirely transformed before analysis. Thus, personal information was collected, but no personal information was used throughout this paper and all the collected information was treated confidentially. After collecting data and transforming the dataset, analysis was conducted by the means of SPSS.

Survey & Stimuli

Variables

The independent variables of this study are level of control and mindset and the dependent variable is personal information disclosure. The variables were operationalized in the following way.

Level of control. Level of control was chosen as an independent variable in this study because it is a key measure for the control paradox. In this study, the level of control is defined as the amount of control that people have over personal information. The IV, level of control, consists of 3 levels in this research, namely, low control, moderate control and high control. Control was tested as control that one has about the release of personal information. In prior research control was decreased rather than increased for operationalization (Brandimarte et al., 2012). In this study, uncertainty is increased to create a feeling of low control. Increasing uncertainty about what would happen to information was done because uncertainty is assumed to decrease the sense of control (Acquisti et al., 2015). This is done by telling respondents in
this condition that information of the disclosure task might be shared with the Amsterdam Medical Centre (AMC) and that other information, such as meta-info (e.g. browser type, IP address), might also be shared. Additionally, they were told that this would be decided through a random selection of the respondents that filled out the form. In this way, respondents did not know for certain what would happen to the data after disclosure. The moderate control level was operationalized through telling respondents that the shared information would definitely be shared with the AMC. Therefore, there was more certainty to what would happen to the information after disclosure, thus, this was a more neutral level of control. Then, the last level of control, high control, was operationalized by adding a review option after the disclosure task. Furthermore, the respondents were told the same as in the moderate control condition, so they had certainty of what would happen to the data afterwards.

Mindset. Mindset was chosen as a moderator in this study, as it is a psychological construct that can influence behaviour of people. Mindset is defined as the way of thinking of an individual, which has 2 distinct levels in this study. The two levels of mindset are a concrete mindset and an abstract mindset, retrieved from the Construal Level Theory.

Valence of consequences. Valence of consequences is an additional moderator in this study, testing whether it influences the outcome of level of control on the amount of personal information disclosure. Valence of consequences can either be positive or negative, measured on a 5-point Likert scale ranging from ‘very disadvantageous’ to ‘very advantageous’.

Personal information disclosure. This is the dependent variable of the study, which is a typical measure for privacy behaviour. Personal information disclosure means that people share personal information about themselves. The dependent variable is measured by asking respondents to fill out a form with different personal information questions that have various levels of sensitivity. Afterwards, these answers required recoding, so 1 total numerical measure
of personal information disclosure was computed. How this is done precisely is explained in the next chapter in the section of data preparation.

Survey Flow

Once respondents had entered the survey, they were randomly assigned to 1 of the 6 different conditions. Every respondent was presented with the same information about what the survey was about before actually beginning with the survey. In this part, the respondents were told that the survey was set up in collaboration with the Amsterdam Medical Centre to gain insights on a health application that they are currently developing. This story was fictional and set up to increase the perception that the provided data would be used for real life purposes. The aim was to ensure that the respondents did not know that the actual goal was to measure how much information they would reveal. The different variables were operationalized and measured as described below.

Mindset. In order to manipulate respondents to have either an abstract or concrete mindset, the respondents were assigned to either an abstract or concrete mindset task. The task was also used in other studies as manipulation for an abstract or concrete mindset (Fujita, Trope, Liberman & Levin-Sagi, 2006; Wakslak & Trope, 2009). Respondents directed to the concrete mindset condition were asked to answer the question “An example of ___ is what?” for each word that they were presented with. More specifically, if the word pizza was provided, they had to answer the question “An example of pizza is what?”. Respondents assigned to the abstract mindset task were asked to answer the question “___ is an example of what?” for each word they were presented with. To illustrate, if the word pizza was given, they were asked to answer the question “Pizza is an example of what?”. For both conditions, participants had to answer this question for a total of 36 words. At the end of the first exercise, participants were asked to answer 8 questions that aimed to check whether the mindset manipulation was effective. In
these questions, respondents had to select a description of a presented activity and choose which of the 2 descriptions they saw as best description. One of the descriptions to each question was abstract and the other was concrete. Thus, afterwards a total score to these questions could be calculated to see whether the answers to these questions matched with the mindset they were manipulated to have.

Feedback health application. After the completion of the mindset questions, participants had to answer a couple of questions as feedback for a health application. They were told that the purpose of the study was to gain more insights on features on an application that the Amsterdam Medical Centre (AMC) was currently working on. They had to rate potential features of the application on a 7-point Likert-scale. This task was constructed to hide the purpose of the study to participants. The reason for this was that the area of interest was the amount of personal information people revealed about themselves, thus, personal information disclosure. If respondents were aware of the task, this might have influenced their disclosure outcome. The answers for these questions were irrelevant for analysis and therefore deleted from the dataset afterwards.

Level of control. Next, the respondents were assigned to either a low, moderate or high control condition in which they were asked to fill out a form with demographics. Across all levels they were told that the retrieved information would be shared with the AMC for research purposes of the health application. Additionally, to create an incentive to fill out the form, respondents were told that by filling out the form they would have a chance of winning a $20 voucher of either Bol.com or Amazon. Furthermore, it was communicated that they could choose to fill out the form or skip to the following questions. For each level of the control question, a manipulation check followed, asking to indicate to what extent the respondent felt in control answering the previous questions. The specific differences between the levels of control are previously described in the variables chapter.

Valence of consequences. Lastly, respondents were directed to a question about the valence of consequences of filling out the information in the previous form. They had to name at least 1 advantage and 1 disadvantage of filling out the form. Additionally, for each consequence they had provided the respondents were asked to indicate the probability of the consequence occurring, when the consequence will occur and the extent to which they perceived the consequence as negative or positive. This question was included to see whether respondents were aware of the consequences of the disclosure task and whether they thought of more positive or negative consequences. At the end of the survey, respondents were debriefed about the purpose of the study. Here it was indicated that the data is treated confidentially and that no names would be associated with any research findings.

Analysis & Results

Data Preparation

Before running two-way ANOVA through SPSS, some data was excluded from the dataset due to inaccuracy, such as incomplete surveys and inaccurate answers to the mindset questions. In total, there were 222 participants taken into account for analysis. Afterwards, a dummy variable for mindset was created, as for the analysis it did not matter what the respondents replied to the mindset questions, but rather which mindset exercise they were assigned to. Thus, the dummy marked for each respondent whether they were in the abstract or concrete condition. Next, a dummy variable for level of control was created, to classify to which control condition the respondents were assigned to, which were low control, moderate control and high control. Then the dependent variable was recoded. The DV output showed answers to demographic information questions of the respondents, however, this was not the interest of this study. Solely the amount of provided information was relevant for the analysis. Therefore, for each of the
questions a dummy variable was created to assign scores to the amount of information that respondents provided. The scores ranged from 0 to 2, with 0 = no disclosure, 1 = moderate disclosure and 2 = high disclosure. For each answer, a 0 was assigned to no response at all and 2 was assigned when the answer to a question was complete. The score 1 was attributed to cases that e.g. did not mention the full name, but initials combined with last name. Another example of the score 1 was for answers to the date-of-birth question in which respondents only shared the year. Therefore, these answers were not rated as full disclosure, but as average disclosure. Additionally, the questions that respondents answered had different levels of sensitivity. Therefore, for each question the assigned scores were weighted, with weights ranging between 0.25 (least sensitive) and 2 (most sensitive). During the assignment of the weights to the questions, every question was treated individually to determine sensitivity. Sometimes questions become more sensitive in combination with other questions, e.g. if someone has provided both their name and medical condition; however, this is not taken into account when assigning weights. In Figure 2, the assigned weights are given for each question together with an explanation of why that weight was chosen. Afterwards, a total score of the dependent variable, information disclosure, was calculated, resulting in a range between 0 and 30.

Figure 2 Attribution of weights
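The scoring scheme described above, sketched as an added example that is not part of the thesis: each answer is coded 0, 1 or 2, multiplied by a sensitivity weight, and summed. The question list and the weights are hypothetical (they are not the Figure 2 values) and are chosen only so that the maximum equals 30; the partial-disclosure rules cover the two cases the text names.

```python
import re

# Hypothetical questions and sensitivity weights (NOT the Figure 2 values).
# Each weight lies between 0.25 and 2; they sum to 15, so the maximum
# total is 2 * 15 = 30, the range stated in the text.
WEIGHTS = {
    "gender": 0.25,
    "nationality": 0.5,
    "occupation": 0.75,
    "education": 1.0,
    "full_name": 1.5,
    "date_of_birth": 1.5,
    "income": 1.5,
    "email": 2.0,
    "phone": 2.0,
    "address": 2.0,
    "medical_condition": 2.0,
}


def code_name(answer):
    """1 if a given name is reduced to an initial (or only one name part
    is supplied, an assumption of this sketch), otherwise 2."""
    tokens = answer.split()
    if len(tokens) < 2:
        return 1
    given = [t.rstrip(".") for t in tokens[:-1]]
    return 1 if any(len(t) == 1 for t in given) else 2


def code_date_of_birth(answer):
    """1 if only a four-digit year is shared, otherwise 2."""
    return 1 if re.fullmatch(r"\d{4}", answer) else 2


def code_answer(question, answer):
    """Code one answer as 0 (none), 1 (moderate) or 2 (full disclosure)."""
    text = (answer or "").strip()
    if not text:
        return 0
    if question == "full_name":
        return code_name(text)
    if question == "date_of_birth":
        return code_date_of_birth(text)
    return 2  # any other non-empty answer counts as complete


def disclosure_score(responses):
    """Weighted total; questions are weighted individually, so combinations
    of answers (name plus medical condition) add no extra weight."""
    return sum(w * code_answer(q, responses.get(q)) for q, w in WEIGHTS.items())


# Constructed sample respondents, for illustration only.
FULL = {
    "gender": "female", "nationality": "Dutch", "occupation": "nurse",
    "education": "BSc", "full_name": "Anna Jansen",
    "date_of_birth": "04-02-1990", "income": "30000",
    "email": "anna@example.org", "phone": "0612345678",
    "address": "Example Street 1", "medical_condition": "asthma",
}
PARTIAL = dict(FULL, full_name="A. Jansen", date_of_birth="1990")
SKIPPED = {}

if __name__ == "__main__":
    for label, r in (("full", FULL), ("partial", PARTIAL), ("skipped", SKIPPED)):
        print(label, disclosure_score(r))
```

Only the resulting scores need to be retained for analysis, which matches the thesis's statement that the content of the answers was not used.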

In the survey, questions for a manipulation check for mindset were also included. The respondents either selected option 1 or 2 to describe an activity, being an abstract or concrete description. These answers were recoded resulting in 0 being the concrete answer and 1 being the abstract answer. A new variable was created to perform a manipulation check on mindset,
which was the sum of the answers to mindset check questions. This resulted in a total mindset score ranging between 0 (concrete mindset) and 8 (abstract mindset).

Important to point out is that only a part of the respondents replied to the questions of valence of consequences. Therefore, for analysis of the effect of valence of consequences, a sub-dataset was prepared. Thus, in this section, valence of consequences is discussed separately and separate analysis of moderation was conducted.

Statistical Procedures

To test whether respondents assigned to either an abstract or concrete mindset task were actually manipulated to have that mindset afterwards, an independent-sample t-test was performed. In order to determine whether there was an effect of the different control levels on perceived control of the respondents, a manipulation check was conducted by the means of a one-way ANOVA.

Furthermore, a factorial ANOVA was performed in order to test the hypotheses, as the intention of this study was to compare different groups and to see whether there exists an interaction effect between the IVs on the DV, besides, potential main effects. Additionally, the IVs are categorical with 2 independent groups for mindset and 3 independent groups for level of control; and the DV is continuous. Lastly, there is independence of observations. Therefore, the first 3 assumptions for factorial ANOVA are satisfied, namely, a continuous DV, 2 categorical IVs and independent observations. The assumption checks for outliers, normality and the homogeneity of variances had the following results. Outliers were detected, as assessed by boxplots. These outliers are genuinely unusual values and the min and max of the DV are respectively 3.50 (n = 16) and 30 (n = 15), no data entry or instrument errors were made. Thus, they were not removed from the dataset. A normality test of the variables showed that the data was not normally distributed, but negatively skewed (Q-Q plots, skewness = -1.267 and kurtosis
= 0.635). Results of Levene’s test for the assumption of homogeneity of variances showed that the assumption was not violated, thus there is homogeneity of variances (p = 0.119). Despite the non-normality, the dataset was not transformed because factorial ANOVA is considered robust to deviations from normality (Wilcox, 2011).

To measure a moderating effect of valence of consequences on the relationship between level of control and personal information disclosure, a simple moderation analysis was conducted on the sub-dataset in PROCESS, using model 1 of Andrew Hayes (2012).

Results Manipulation Checks

Mindset. Manipulation checks on mindset were performed using an independent sample t-test. This way the effects of two independent groups (abstract or concrete) on the continuous dependent variable were tested. The included variables for this test were the IV mindset and the computed variable for the mindset check. There were 117 participants in the concrete mindset condition and 104 in the abstract mindset condition. An independent-samples t-test was conducted to determine if participants in a concrete mindset had lower scores for the mindset check than participants in an abstract mindset. There were no outliers in the data, as assessed by a boxplot. Mindset scores were approximately normally distributed for each level of the IV mindset, acceptable for the independent sample t-test, as assessed by Q-Q plots and skewness and kurtosis (95% CI [-0.76, -0.05]). Furthermore, Levene’s test for equality of variances showed that there was homogeneity of variances for mindset scores for respondents in an abstract or concrete mindset condition (p = 0.79). There was no statistically significant difference between the means of the concrete (M = 4.60, SD = 1.78) and abstract (M = 4.72, SD = 1.81) group in this sample, t(219) = -0.51, p = 0.61. The difference of means was 0.12, which represents a low effect size. Therefore, from the mindset manipulation check it can be concluded that the manipulation of mindset was not effective.

Perceived control. To check whether the different levels of control (low, moderate, high) were also actually perceived by participants to be different, a one-way ANOVA was conducted. Respondents were classified into 3 groups, low control (n = 78), moderate control (n = 73) and high control (n = 70). No outliers were detected in boxplots. Data had a non-normal distribution (95% CI [-0.73, -0.07]), however, the non-normality was acceptable to continue with the analysis and group sizes were more or less equal. There was homogeneity of variances, determined by Levene’s test of equality of variances (p = 0.61 > 0.05). The means for low control (n = 78, M = 5.87, SD = 2.76), medium control (n = 73, M = 5.93, SD = 2.92) and high control (n = 70, M = 5.74, SD = 2.84) had minor differences. Consequently, the differences between the perceived level of control of the 3 groups were not statistically significant, Welch’s F(2, 218) = 0.082, p = 0.921. Therefore, it can be concluded that the different treatments of control had no effect on how the respondent perceived the control condition of the survey that they were assigned to.
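Both manipulation checks can be re-derived from the group sizes, means and standard deviations reported above. The following is an added example, not part of the thesis or its SPSS output; it assumes the classic pooled-variance t statistic and the classic one-way ANOVA F, and because the inputs are rounded to two decimals the results match the reported values only approximately.

```python
from math import sqrt

# Summary statistics as reported in the text: (n, mean, SD).
MINDSET_CONCRETE = (117, 4.60, 1.78)
MINDSET_ABSTRACT = (104, 4.72, 1.81)
PERCEIVED_CONTROL = [
    (78, 5.87, 2.76),  # low control
    (73, 5.93, 2.92),  # moderate control
    (70, 5.74, 2.84),  # high control
]


def pooled_t(group1, group2):
    """Independent-samples t from summary statistics, equal variances assumed.

    Returns (t, degrees of freedom, Cohen's d).
    """
    n1, m1, sd1 = group1
    n2, m2, sd2 = group2
    df = n1 + n2 - 2
    pooled_var = ((n1 - 1) * sd1 ** 2 + (n2 - 1) * sd2 ** 2) / df
    std_err = sqrt(pooled_var * (1 / n1 + 1 / n2))
    t = (m1 - m2) / std_err
    d = (m1 - m2) / sqrt(pooled_var)
    return t, df, d


def one_way_f(groups):
    """Classic one-way ANOVA F from summary statistics.

    Returns (F, df_between, df_within, eta squared).
    """
    total_n = sum(n for n, _, _ in groups)
    grand_mean = sum(n * m for n, m, _ in groups) / total_n
    ss_between = sum(n * (m - grand_mean) ** 2 for n, m, _ in groups)
    ss_within = sum((n - 1) * sd ** 2 for n, _, sd in groups)
    df_between = len(groups) - 1
    df_within = total_n - len(groups)
    f = (ss_between / df_between) / (ss_within / df_within)
    eta_sq = ss_between / (ss_between + ss_within)
    return f, df_between, df_within, eta_sq


if __name__ == "__main__":
    t, df, d = pooled_t(MINDSET_CONCRETE, MINDSET_ABSTRACT)
    print(f"mindset check: t({df}) = {t:.2f}, d = {d:.3f}")
    f, df_b, df_w, eta_sq = one_way_f(PERCEIVED_CONTROL)
    print(f"perceived control: F({df_b}, {df_w}) = {f:.3f}, eta^2 = {eta_sq:.4f}")
```

The standardized effect sizes make the conclusion of both checks concrete: the groups differ by well under a tenth of a standard deviation, so neither manipulation separated the conditions.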

Results Factorial ANOVA

A two-way ANOVA was executed to examine the effects of control and mindset on disclosure behaviour; its outcomes are discussed in this section. The outcomes of the factorial ANOVA do not confirm a main effect of control on personal information disclosure (p > 0.05). Although the results are not statistically significant, some slight differences in the means of the different levels of control are observed. Respondents in the low control condition (M = 20.67, SD = 7.11) provided only slightly more information than respondents in the high control condition (M = 20.64, SD = 7.54) and in the moderate control condition (M = 20.22, SD = 7.32; F(2, 215) = 0.066, p > 0.05, partial η² = 0.001). The means show that the mean and SD were more or less similar for every condition. Overall, H1 and H2a+b are rejected with p > 0.05. Furthermore, no statistically significant main effect of mindset on personal information disclosure is observed (F(1, 215) = 2.415, p > 0.05, partial η² = 0.01). The unweighted means for personal information disclosure scores for abstract and concrete mindset were 21.33 (SE = 0.72) and 19.72 (SE = 0.68), respectively. No post-hoc tests were conducted, due to the lack of significant results. Lastly, there was a non-significant interaction effect between control and mindset on personal information disclosure, F(2, 215) = 0.134, p > 0.05, partial η² = 0.001. Therefore, H3a+b are both rejected (p > 0.05).

Table 1 Tests of Between-Subjects Effects

Table 2 Descriptive Statistics Mindset & Control on Personal Information Disclosure

Data Preparation & Results Valence of Consequences

In order to measure valence of consequences and to test whether it has a moderating effect on the relationship between control and personal information disclosure, a separate sub-dataset was created. The underlying reason was that many respondents did not provide answers to these questions. Therefore, a subset of the original dataset was used for this analysis, resulting in a sample of 143 respondents. Respondents were asked to provide at least 1 advantage and 1 disadvantage of filling out the form of the experiment. This was followed by a question asking the respondents whether they thought more negatively or positively about the given consequences. This was measured on a 5-point Likert scale for each single consequence, with 1 = very disadvantageous and 5 = very advantageous. Therefore, a total mean variable was computed of valence of consequences, which had scores between 1 (n = 1) and 5 (n = 1).

Valence of consequences was analysed with PROCESS to determine whether there is a moderation effect on the relationship between level of control and personal information disclosure. PROCESS model 1 of A. Hayes (2017) was used to test for moderation. Results showed that there is no moderating effect of valence of consequences on the relationship between level of control and personal information disclosure, p = 0.71 > 0.05. This result was expected, as no main effect of control on personal information disclosure was observed after running the factorial ANOVA with the original dataset.

Table 3 Process Moderation Analysis


Discussion of Results

First, in this chapter a general discussion of the results is provided, followed up by a discussion of theoretical and practical implications of the results of this study.

General Discussion

The aim of this research was to contribute to privacy literature, and specifically to literature attempting to explain the privacy paradox, by determining if the level of control is a cue in disclosure behaviour. Additionally, this study attempted to find empirical evidence for the control paradox, which claims that people with high control provide more information (Brandimarte et al., 2012). The initial research question of this study was whether high control over personal data results in more personal information disclosure. Therefore, this study examined how personal information disclosure changes over different levels of control that individuals have over their personal data. Furthermore, mindset was included to determine whether it had a moderating role, through the way people construct consequences in their mind depending on mindset. Mindset was therefore part of this study, in order to find out whether this psychological construct affects privacy behaviour. The intention was to find out if the outcome of the different levels of control on personal information disclosure varied across the levels of mindset. On top of that, a separate analysis with a separate dataset was performed to see whether valence of consequences (positive or negative) influences outcomes of disclosure behaviour for different levels of control. Also, valence of consequences could have reversed the effect of the control paradox, namely, that with a negative valence of consequences individuals with a low level of control would reveal more information than individuals with a high level of control. Unfortunately, statistical results showed otherwise and no evidence was found to confirm the existence of the control paradox, nor for the moderation of mindset.

First, results rejected H1 and H2a+b because there was no statistical evidence to confirm the effect of level of control on disclosure behaviour (p > 0.05). For individuals with a high
