Assessing the impact of the 2018
General Data Protection Regulation
on the willingness to disclose information
Statement of Originality
This document is written by Student Lars Houben who declares to take full responsibility for the contents of this document.
I declare that the text and the work presented in this document are original and that no sources other than those mentioned in the text and
its references have been used in creating it.
The Faculty of Economics and Business is responsible solely for the supervision of completion of the work, not for the contents.
Table of Contents
Abstract ... 1
1. Introduction ... 2
2. Literature review ... 3
2.1. The impact and value of data processing on business and society ... 3
2.2. Privacy and data processing ... 5
2.3. The psychology of privacy ... 6
2.4. Privacy concerns, trust beliefs, risk beliefs and relevance as predictors for the willingness to disclose information ... 9
2.5. Disclosure of personal information to third parties ... 11
3. Method ... 16 3.1. Procedure ... 16 3.2. Sample ... 17 3.3. Measures ... 18 3.4. Analytical strategy ... 19 4. Results ... 21 4.1. Descriptive statistics ... 21
4.2. Overall model testing... 22
4.3. Hypothesis testing ... 26
4.3.1. Hypothesis I ... 27
4.3.2. Hypothesis II ... 28
5. Discussion ... 34
5.1. General discussion ... 34
5.2. Managerial implications ... 38
5.3. Limitations and future research ... 39
Citations ... 40
Tables & Figures ... 44
Abstract
In May 2018 the General Data Protection Regulation, or in short GDPR, has become effective throughout the European Union. In terms of acquiring consent for data processing, the GDPR attempts to bring consumers understanding in an area previously incomprehensible, by empowering consumers to make considered privacy related decisions. Although the new privacy regulations potentially increase transparency, and consequently awareness, of privacy practices, not all GDPR-compliant privacy notices have the same outcomes in terms of attitudes, and consequently behavior. This study found that when exposed to both pre-GDPR and GPDR-compliant privacy notices, consumers falsely state to be aware of privacy related practices. This effect can also be seen as there appears to be a gap between perceived disclosure of information to third parties and actual disclosure of information to third parties by firms. The ability to understand the actual disclosure of information to third parties is dependent of the type of privacy notice involved, and this study show that at-setup privacy notifications are best suited to predict the actual level of disclosure of information to third parties. The results of this study show that there is substantial room for interpretation of regulations – and consequently (un)intended malleability as firms are able to acquire consent while abiding the rules, despite a firm’s intentions.
1. Introduction
An in 2016 introduced set of privacy regulations has become effective in May 2018 throughout the European Union. The so-called General Data Protection Regulation, regulation (EU) 2016/679 of the European Parliament or in short GDPR (European Parliament, 2016), brings significant changes to the privacy landscape for both firms and consumers in acquiring, processing (i.e. analysing, manipulating, exchanging) and retaining personal data. In terms of acquiring consent for data processing, the GDPR requires firms to pro-actively provide a straight-forward, compact and easy to understand explanation as to what ends the acquired data is being used. The Information Commissioner’s Office or ICO (2017), the UK’s independent privacy authority, sums up implications for acquiring consent for data collection and processing based on GDPR articles 12, 13 and 14: information about the processing of personal data (1) has to be concise, transparent, intelligible and easily accessible; (2) written in clear and plain language, particularly if addressed to a child; and (3) free of charge. The ultimate goal of these regulations in terms of acquiring consent for data processing, is to allow consumers to make considered decisions to what extent their personal data may be used.
In order to comply with the GDPR, ICO (2017) has suggested three ways of displaying privacy notices during registration in which firms can comply with the GDPR in terms of acquiring consent for data collection. These notices explicitly display to what extent personal data will be processed. Simply displaying a message of privacy practices is described as a
privacy notice at-setup1, also defined as at-setup privacy notices. Furthermore, just-in-time
privacy notices1 are defined as context dependent notices positioned during registration to
obtain consent, showing a dialog box specific to an item which is being processed. On websites, such notices are often presented near input fields in online forms. Lastly, ICO suggests a layered
privacy notices, which displays an on-demand, often multi-layered, and comprehensible
privacy notice. Each layer has an increased level of detail with regards to the privacy practices. The exact impact of these type of notices on firms in terms of acquiring consent for data processing remains unknown to date. This study examines the relationship between the various means to acquire consent to process data and the resulting consumer attitudes and intended behaviors, measured in terms of awareness of privacy related practices, perceived disclosure
of information to third parties, risk beliefs, trusting beliefs, perceived relevance, attitude towards disclosing information, and intent to disclose information. This study is the first study to conduct research that directly assesses the impact of various privacy notices in the light of the GDPR, by offering an integrated side-by-side comparison of different privacy notices in a controlled experiment.
2. Literature review
The following literature review sheds light on acquiring consent for data collection, by examining (1) the impact of data collection and processing on businesses and society, (2) the implications of data processing in terms of privacy (or lack thereof) and (3) the current findings in the field of acquiring consent for data collection. A case will be made that there currently is a lack of knowledge concerning the impact of the by the GDPR required privacy notices on consumer attitudes and intended behavior, and consequently business-related and societal outcomes.
2.1. The impact and value of data processing on business and society
Clive Humby famously stated (2006): “Data is the new oil. It’s valuable, but if unrefined it
cannot really be used. It has to be changed into gas, plastic, chemicals, etc to create a valuable entity that drives profitable activity; so must data be broken down, analyzed for it to have value”, suggesting that the actual value of data resides in the potential of new applications.
Chen, Chiang and Storney (2012) identified five fields that have been susceptible to innovation as a result of new applications in big data analytics, illustrating the impact of analytical big data applications on businesses and society as a whole over the last decade.
Strikingly, in terms of economic value, data truly appears to be the new oil. In 2006, the six most valuable firms in the world were oil and oil-related energy firms (Thirani & Gupta 2017). A decade later, the list of most valuable firms in the world is dominated by data-driven firms, including Alphabet, Apple, Facebook, Amazon and Microsoft; firms that have mastered creating valuable applications in data processing, leading to value for firms, consumers and society. The myriad valuable insights as a result of data analytics is leading companies of all sizes to the continuous acquisition and processing of vast amounts of data.
One particular field that illustrates the value of data for firms, is the field of marketing. In marketing, providing an increased customer experience is widely regarded as a driver for Table 1: Impact of business intelligence and analytics as shown by Chen, Chiang and Storney (2012)
Field Impact
E-Commerce & Market Intelligence
Long-tail marketing, targeted and personalized recommendation, increased sale and customer satisfaction
E-Government & politics 2.0
Transforming governments, empowering citizens, improving transparency, participation, and equality
Science & technology Science & technology advances, scientific impact
Smart health & wellbeing Improved healthcare quality, improved long-term care, patient
empowerment
increased value, leading to increased sales, satisfaction and profits (e.g. Aarons, van den Driest, & Weed, 2014; Homburg, Jozic, Kuehnl, 2017; Lemon & Verhoef, 2016). Lemon & Verhoef (2016, p. 71) define the concept of the customer experience as a “multidimensional construct focusing on a customer’s cognitive, emotional, behavioral, sensorial, and social responses to a firm’s offerings during the customer’s entire purchase journey”. More specifically, Lemon & Verhoef (2016) define measuring and monitoring customer reactions to a firm’s offering as a key element of any successful customer experience, emphasizing the need of data collection and analytics in the definition of any customer experience. Both online and offline, firms are using a plethora of tools to track customers interactions with the firm throughout different points in time, albeit often without explicit consent or awareness of the consumer which has led to increased privacy concerns (e.g. Zawadzinski, 2015; Ballard, 2017; Ryan, 2017).
2.2. Privacy and data processing
Early recognition of the potential dark side of (new) technology and the impact on privacy dates back to 1964, and concerns have been voiced in a wide array of research ever since (Smith, Dinev, & Xu, 2011). The universal concept of privacy resides in the belief that individuals should have the right to protect themselves against unwanted interference or intrusions, in terms of either information or physical space (e.g. Warren & Brandeis, 1890; Westin, 1967; Goodwin, 1991). Unfortunately, not all data processing is beneficial in terms of enabling consumers to harbour privacy, as personal information of consumers is often stored by firms and/or shared without explicit consent or awareness. In order to empower individuals with the right to privacy, omnipresent legislative and regulatory measures have required the acceptance of privacy
Cranor (2015) define privacy policies as a means of making consumers aware of data practices involving personal information.
A vast amount of research has focussed on the implications of the presence and acceptance of these notice mechanisms. Most interestingly, findings by Jensen, Potts & Jensen (2005) in the first decade of this century uncover that internet users do not read these privacy policies at all. Nearly ten years later, that phenomenon appears to remain unchanged, as boldly illustrated by an US White House report on Big Data: “Only in a fantasy world do users actually
read these notices and understand their implications (…)” (The White House, 2013, p. 6).
Schaub et. al. (2015) explain this phenomenon by reasoning that notice and choice mechanisms, such as privacy policies, are neither usable nor useful, and therefor ignored by consumers. This argument is strengthened by the notion that even law students could not understand the terms of privacy notices (Marotta-Wurgler, 2014). It is both expected and intended that the GDPR will bring significant changes to this phenomenon, as privacy notices and the resulting implications are imposed to become understandable by increasing usability and usefulness while reducing complexity.
2.3. The psychology of privacy
Pro-active protection of privacy comes with cognitive, temporal, financial and emotional costs, as time and effort spend on reading and assessing privacy notices can be seen as a cost (Stewart, 2017). As an extension of the findings by Schaub et. al. (2015), it can be reasoned that the conditioning of individuals being put in a situation to assess non-understandable privacy policy has led to a privacy desensitization or the diminished emotional responsiveness to a stimulus after repeated exposure to it. Even though an individual might uphold privacy concerns, the lack of understanding privacy policies may lead to a disinterest in reading privacy policies (Böhme & Köpsell, 2010). Furthermore, Good, Grossklags, Mulligan, & Konstan (2007)
conclude that it is often difficult to make considered privacy decisions as individuals might be focused on finishing the intended goal, e.g. making a purchase or starting the use of a service, which diminishes cognitive resources and/or attention for the analysis of privacy related practices.
Although the GDPR forces firms into disclosing the data practices involving personal information in a clear and concise manner, it does not necessarily mean that firms are unable to persuade consumers into making decisions that are beneficial to the firm but potentially harmful to consumers by manipulating privacy related decisions. Various studies show that consumers are highly perceptual to situational cues when making privacy related decisions (e.g. Acquisti et. al., 2017; Egelman & Peer, 2015). Simply posting a policy that consumers do not read may lead to misplaced feelings of being protected (Hoofnagle & Urban, 2014). Furthermore, various design factors play a role in acquiring consent to process disclosed personal data. Subtle ‘nudges’, or perceptual cues that move people towards favourable behaviour without restricting their choice, influence consumers throughout privacy-related decisions (e.g. Acquisti et. al., 2017; Egelman & Peer, 2015).
Amongst both pre-GDPR and GDPR-compliant notices, some clear distinctions in terms of perceptibility, effort and comprehensibility are present. As at-setup notices are both visible and prompt in their presence, they do not require any further action of the individual to be read.
Just-in-time notices, or contextualized notices, are slightly less intrusive and show how
information is being processed at the time the individual is processing that exact information, increasing the relevance of the information which allows the consumer to make considered decisions. Lastly, layered notices can be identified as on demand notices, as action of the
purposes, a taxonomy based on the dimensions of perceptibility, required effort and comprehensibility, is proposed in Table 2.
In sum, five key insights, being (I) making considered privacy related decisions requires awareness of privacy related practices, (II) privacy related practices are disclosed in privacy notices, (III) pre-GDPR privacy notices are not read due to complexity and demanding too much effort, (IV) it might be difficult to make considered decisions as individuals might be focussed on finish in the intended goals over reading privacy notices, and (V) characteristics of both pre-GDPR and GDPR-compliant privacy notices appear to differ across the dimensions of perceptibility, required effort and comprehensibility, lead to the belief that making considered privacy related decisions can have many different outcomes based on the type of privacy notice involved. One proxy to measure the effect of GDPR on privacy related practices would be the extent to which consumers indicate they have become aware of the privacy practices involved (i.e. awareness of privacy related practices) upon giving consent to firms to collect and process their personal information.
It is expected that GDPR-compliant layered privacy notices, which as a characteristic are only shown on demand, will not be read, and do not increase consumer’s awareness of a firm’s privacy related behaviour and intentions. This behaviour can be explained by the Table 2: The level of visibility of privacy notices, effort required to assess privacy practices, and
comprehensibility of privacy practices involved
Field Perceptibility Required effort Comprehensibility
Pre-GDPR notice Low High Low
At-setup notice High Low High
Just-in-time notice High Low High
association of layered notices with non-understandable privacy policies, and the fact that reading the layered notice leads to increased costs in time and effort. Based on this theory, hypothesis I is constructed.
I The GDPR compliant ‘Layered’-approach does not bring any significant changes
to the awareness of privacy practices compared to pre-GDPR notices.
Due to increased perceptibility, a low level of required effort, and a comprehensible disclosure of privacy practices, both at-setup notices and just-in-time notices are predicted to increase the awareness of privacy practices compared to pre-GDPR notices.
II The GDPR-compliant (a) at-setup and (b) just-in-time notices will increase the Awareness of Privacy Practices compared to pre-GDPR notices.
2.4. Privacy concerns, trust beliefs, risk beliefs and relevance as predictors for the willingness to disclose information
In privacy and marketing literature, the outcome of privacy related decisions is often measured by the willingness to disclose personal information by consumers. Privacy notices have been found to affect the willingness to disclose information (e.g. Phelps, Nowak, and Ferrell, 2000, Acquisti et. al., 2017). The constructs privacy concerns, trusting beliefs and risk beliefs are widely seen as predictors for the willingness to disclose information, although recent research indicates these constructs are considered highly contextual.
risk beliefs and reducing trusting beliefs. Nearly a decade later, Mothersbaugh, Foxx, Beatty, and Wang (2012) found that privacy concerns are highly contextual. In their research, Mothersbaugh et. al. (2012) confirm the findings by Malhotra et. al. (2004) that show that privacy concerns have a negative impact on the willingness to disclose information high in sensitivity, but not low in sensitivity, and contribute to privacy literature by identifying that (1) the ability to control information has a positive impact on disclosure of information of higher sensitivity; and (2) perceived customization has a strong positive impact on disclosing information of lower sensitivity.
Furthermore, Zimmer, Arsal, Al-Marzouq, and Grover (2010) show that perceived relevance of information disclosure can be seen as a contextual antecedent of the willingness to disclose information, partly by influencing risk beliefs. Their findings show that the relevance of information requested is seen as a predictor of attitudes towards disclosing information, as consumers are more willing to disclose information when they believe that the information requested is relevant.
Schoenbachler & Gordon (2002) have shown that trusting beliefs influence customers’ perception of privacy practices, which affects the willingness to provide information. Increased trusting beliefs directly influence the perception to what extent information disclosure outweighs the potential risks (Luo, 2002). McKnight and Chervany (2002) emphasize this view, by suggesting that trusting beliefs are a precedent of information sharing that ultimately reduces the impact of privacy concerns. Furthermore, Milne & Boza (1999) provide empirical evidence that suggests improving trust is more effective than efforts to reduce concerns.
The conceptual model that will be proposed in this study is an extension of the work by Malhotra et. al. (2004) and Zimmer et. al. (2010), that will build upon the relationship between the constructs privacy concerns, trusting beliefs, risk beliefs, perceived relevance, attitude
towards disclosing information, intent to disclose information and sensitivity of the requested information. In line with findings by Malhotra et. al. (2004) and Zimmer et. al. (2010) it is expected to find privacy concerns to positively influence risk beliefs and negatively influence trusting beliefs for all types of privacy notices. Furthermore, increased trusting beliefs and perceived relevance are expected to have a negative impact on risk beliefs. Lastly, trusting beliefs, risk beliefs and perceived relevance are expected to be predictors of the attitude towards sharing information, which in turn is a predictor for the intention to share personal information. Within this relationship, trusting beliefs and perceived relevance are expected to positively influence the intention to share personal information, whilst risk beliefs have a negative impact on the intention to share personal information. The specific hypotheses that this study expects to find in line with prior research can be found in Appendix IV: Hypotheses in line with Malhotra et. al. (2004) and Zimmer et. al. (2010).
2.5. Disclosure of personal information to third parties
Although pre-GDPR regulations have required information distribution practices to be disclosed in privacy policies, the degree to which customer information is distributed (i.e., rented or sold), from here on described as the disclosure of information to third parties, is often not known by consumers. This effect can again be explained by the complexity of the privacy notices, and the corresponding the lack of transparency. Research by Nowak and Phelps (1992) showed that 80% of customers regard the collection of data for selling can be considered privacy violation, and 84% of customers find this behavior unethical. Not disclosing the extent to which information is being disclosed to third parties is associated with lower consumer trust (e.g. Culnan 1995; Milne & Gordon 1993; Phelps, Nowak, & Ferrell 2000). Milne (1997) found
share data when they are unaware of the extent to which information is being disclosed to third parties.
The distribution of customer information has recently been a central topic of debate, as using services such as Google and Facebook can lead to the distribution of consumer data without consumers being aware of the consequences. The fact that these practices can have great consequences, is illustrated by the recent hyper-personalization and targeting of ads presented to voters in the US (Bondi-Camacho, 2018). Indirect acquired data in terms of personal information was successfully used to identify personality traits of individuals, which resulted in personalized ads on social media to incite voting behavior. In mainstream media, this strategy has often been attributed as a key factor for the winning campaign of the 2016 US Presidential Elections (e.g. Granville, 2018; Greenfield, 2018)
As customer information distribution, or the disclosure of information to third parties, has been found to influence trust and risk beliefs, logic compels to reason that the extent to which consumers perceive information as being distributed to third parties will negatively influence the attitude towards disclosing information, as these practices are predicted to reduce trust and increase risk beliefs.
III A higher perceived level of disclosure of information to third parties (a) negatively influences the attitude towards disclosing information, by (b) increasing risk beliefs and (c) reducing trusting beliefs.
In relation to the work by Malhotra et. al. (2004) and Zimmer et. al. (2010), it is expected that (a) the different methods of displaying privacy notices and (b) the level to which information is being disclosed to third parties will result in significant differences in terms of willingness to
disclose information. Considering that the characteristics of the three GDPR-compliant notices in terms of required effort and perceptibility differ significantly (i.e. clicking on a layered privacy notice requires additional effort, and the information is not perceptible by default), it is expected that a gap is present between to what extent consumers believe their information is being shared with third parties, and to what extent information is actually shared. Like pre-GDPR privacy notices, if customers are not exposed to the actual privacy practices due to not clicking on a layered privacy notice, the perception to what extent information is being disclosed is not based on the privacy notice (as these notices were never read) but rather on implicit associations and beliefs.
In sum, it is expected that there is no relation between the actual and perceived level of disclosure to third parties for both the Layered condition and the pre-GDPR condition, and consequently there is a difference amongst the GDPR-compliant privacy notices in terms of the intention to disclose personal information.
IV While for (a) just-in-time and (b) at-setup privacy notices the actual level of disclosure to third parties is a predictor for the perceived level of disclosure to third parties. this effect is not present for (c) layered and (d) pre-GDPR privacy notices.
V There is a significant difference between the methods of displaying GDPR-compliant privacy notices in terms of intention to disclose personal information.
Conceptual Model
Data processing appears to be a double-edged sword. On one hand, data acquisition and processing has led to benefits for both firms and consumers. From a firm’s perspective, data processing is a driver of gaining a sustainable competitive advantage and continuous growth, which has lead data acquisition & processing to have become a top priority for firms. The products and services these very same firms offer have changed the way of life for consumers, by offering technological advancements across various field that reduce effort or provide benefits that previously were not offered. On the other hand, consumers have limited control over, and awareness of, the disclosure of personal data, leading to concerns with regard to making considered privacy-related decisions. Although the GDPR attempts to increase both awareness of, and control over, privacy related practices, very little is known of the impact of GDPR on the acquisition of consent to collect data, and to what extent the different methods of indicating a privacy policy affect customers’ attitudes, behaviour and consequently willingness to share information. The broad range of potential GDPR-compliant notices, and the characteristics of these notices, lead to the belief that there is room for firms to nudge consumers in decisions that can benefit the firm, but are potentially harmful for consumers.
Trusting beliefs Risk beliefs Perceived relevance Privacy Concerns Attitude towards disclosing information Intent to disclose information Sensitivity of requested information Perceived Level of Disclosure to Third Parties
Positive effect Negative effect Characteristics
The impact of privacy notices as suggested by ICO to comply to the recent GDPR-regulations has not yet been studied. More specifically, the impact of the suggested approaches, being (a) layered-, (b) just-in-time- and (c) setup-notices, on attitude towards disclosing information have not yet been measured in an integrated research under controlled conditions. This research attempts to actively contribute to the fields of marketing, privacy and public policy, by identifying the implications of the GDPR regulation on making considered privacy related decisions by consumers. As the GDPR regulations have just recently become effective throughout the EU, this is a field that requires special interest.
To what extent do requirements of GDPR regulations in terms of acquiring consent for data collection affect the attitude of consumers measured in terms of perceived disclosure of
information to third parties, risk beliefs, trusting beliefs, perceived relevance, attitude towards disclosing information, and intent to disclose information?
3. Method
3.1. Procedure
In order to fit the exploratory nature of this study, a quantitative study of experimental design has been conducted. Participants were asked to complete an online registration to obtain an offering of the non-existing brand ‘FoodDiscounter’. Upon completing the sign-up, participants would be able to obtain discounts for food (generic, genderless product). Using PHP, CSS, a MySQL database and JavaScript, the behavior of respondents was tracked in a responsive web-based application2, specifically designed for this assignment by the author. Variables with
regards to the type of privacy notice, the sensitivity of the requested information and the level of information disclosure to third parties by the firm were manipulated across 16 conditions. Each individual participant was divided into one of 16 conditions via an automated process (randomization), with an equal distribution of participants over all conditions. After finishing the online registration, a questionnaire consisting of 57 questions was presented to participants. The study is of a [4] x [2] x [2] factorial design, being [4] type of privacy notice x [2] sensitivity of required information x [2] level of disclosure to third party. Examples of the distinct notices can be found in Appendix I through III. The sensitivity of the requested information and the level of information disclosure are represented over two distinct conditions, being (1) high and (2) low. The sensitivity frame was adapted from Malhotra et. al. (2004), whom suggested the use of a scenario where respondents simply had to sign up (i.e. low sensitivity) and a scenario where personal financial information was requested (i.e. high sensitivity) in order to obtain a discount. This dichotomous sensitivity frame was constructed upon the insight that financial information is more sensitive as compared to personal preferences (Sheehan and Hoy, 2000, as cited by Malhotra et. al., 2004). The disclosure frame was adapted from best-practice examples as suggested by ICO (2018), illustrated in appendix
2 This web-based application is available on https://www.uva-surveys.nl/control/ until 31/08/2018 and can be
I, II, and III. To indicate that information was not shared with third parties (i.e. low disclosure), the disclosure across the different GDPR-compliant privacy notices indicated “Here at
FoodDiscounter we take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us”.
For the conditions that indicated that information was being shared (i.e. high disclosure), the privacy notice additionally stated “We would also like to pass your details onto other
companies, so that they can contact you with details of offers that they provide”. A pre-test (N
= 16) was performed to ensure the proper categorization.
3.2. Sample
This research was conducted using non-probabilistic convenience sampling and based on anonymous respondents, whom were approached face-to-face and using online social media. Although convenience sampling of non-probabilistic nature could hinder the generalizability of the results, the choice of convenience sampling was necessary due to time constraints and limited available recourses. The population of interest were Dutch adults who have experience with purchasing goods and services online. Recent demographical statistics show that 76.4% of the population aged 12 years or older engage in this kind of online activity (CBS, 2017). With an overall population of approximately 17 million, the population size is approximately 12 million. With a population of 12 million, a confidence level of 90% (z-score = 1.65) and 5% margin of error, the minimal sample size is considered 271 (Qualtrics, 2018). Additional demographic information, such as gender, age and education, was collected for controlling purposes and can be found in Appendix VII: Demographical statistics.
3.3. Measures
Multiple validated scales were used to measure the constructs. Appendix V: Measures lists an overview of all used scales, including questionnaire items. Table 3 displays the source of all scales and the level of reliability found in the corresponding studies.
Table 3: Used measures
Measure Used in study α
Awareness or privacy-related practices Adapted from Malhotra et. al. (2004) 0.74
Trusting beliefs Zimmer et. al. (2010) 0.84
Risk beliefs Zimmer et. al. (2010) 0.64
Perceived relevance Zimmer et. al. (2010) 0.93
Privacy concerns Malhotra et. al. (2004)
Collection Malhotra et. al. (2004) 0.83
Errors Malhotra et. al. (2004) 0.88
Seccondary use Malhotra et. al. (2004) 0.82
Improper access Malhotra et. al. (2004) 0.77
Awareness Malhotra et. al. (2004) 0.74
Control Malhotra et. al. (2004) 0.78
Global concern Malhotra et. al. (2004) 0.75
Attitude towards disclosing information Zimmer et. al. (2010) 0.97 Intent to disclose information Zimmer et. al. (2010) 1.00
Two scales, being the (a) awareness of privacy practices and (b) perceived level of disclosure of information to third parties, have been adapted or generated for this study. Awareness of privacy related practices is adapted from the privacy concerns scale as suggested by Malhotra et. al. (2004) and rephrased as to measure the extent to which participants perceive firms to disclose data processing practices and the extent to which participants are knowledgeable of the processing of personal information. In order to measure the perceived level of disclosure of information to third parties, participants were asked the question “To what extent do you believe
that FoodDiscounter will prevent the disclosure of the information you provided to third parties?”. This survey item could be answered by moving a slider on a 0 to 100 scale either
towards ‘will prevent disclosure to third parties’ (0) or ‘will share my information with third parties’ (100).
3.4. Analytical strategy
315 people completed the online survey. Two separate datasets, one coming from the Qualtrics Survey platform and one coming from a self-managed SQL database that was used to track progress of an application form, were merged. A total of ten impartial responses were removed, and nine responses were removed due to failing attention checks throughout the survey. A check of frequencies resulted in no inconsistencies, leaving 296 valid data entries for further analysis. A total of two items had to be reverse coded, and six dummy variables were created based on the factorial design of the survey. For each of the four privacy notice conditions a variable was created to show which type of privacy notice was shown (0 = other condition, 1 = privacy notice for that specific condition), and for the sensitivity of the requested information and level of disclosure to third parties a dummy variable was coded as 0 = low and 1 = high. Furthermore, for increased ease of interpretation of results with regards to coefficients for mediation analysis of Hypothesis III, the scale perceived sharing with third parties has been rescaled from 0 to 100 to 0 to 7 as an additional variable.
The intended result of 16 groups of approximately 6% of participants each was unfortunately not met. Several conditions ended up with a small sample size due to issues with the randomizer. After 10 entries for each of the conditions (so a total of 16 x 10 entries, or 160 entries), the database engine stopped assigning participants to one of 16 conditions, but divided all participants over three conditions, being (1) [privacy notice: layered] x [sensitivity: low] x
[disclosure: low] with N total = 27. This issue was not discovered until approximately 265
respondents had finished the survey. Furthermore, some entries had to be removed from the control condition due to not passing attention checks, which resulted in a total of seven to nine entries for the three conditions where [privacy notice: pre-GDPR] and [sensitivity: low] and/or [disclosure: high or low].
Trackers for the control condition indicated that not a single participant of the 51 [privacy notice: pre-GDPR] participants bothered to check the pre-GDPR privacy notice, meaning that not a single participant would be able to know the difference between the high and low disclosure condition. In an attempt to increase statistical significance of results, the participants with [privacy notice: pre-GDPR] and [disclosure: high or low] have been merged in to a single group that is valid for both the [disclosure: high] and [disclosure: low] conditions, divided by sensitivity of the information requested. This has led to the creation of a second data set with additional valid cases, which will only be used for hypothesis testing using ANOVA to compare means within a specific condition.
Lastly, after running multiple validity and reliability analysis using SPSS, a reliability analysis pointed out to an issue with one item. The item “I believe that online privacy is invaded when
control is lost or unwillingly reduced as a result of a marketing transaction”, showed
inconsistencies with the other two items, resulting in a Cronbach’s Alpha of .69. This inconsistency has not been found in prior research. A possible explanation can be found in recent headline news with regards to the social media network Facebook that affected the 2018 US elections, and lead to a worldwide discussion on unwanted use of data (e.g. The Guardian, 2018). Since this inconsistency is not representative for the other items within this scale, this item was deleted. After deletion, the Cronbach’s Alpha of this scale reached > .70 and was qualified for further analysis.
4. Results
Out of the 296 respondents, 58% of respondents were of male gender and overall 70% of participants had obtained a University Bachelor’s Degree, Master’s Degree or a professional equivalent, while the other 29% had finished either college or high school. A total of 44.7% of respondents was of 25-34 years of age, representing the largest age group for this research3.
4.1. Descriptive statistics
A correlation analysis shows statistically significant relationships between the studied variables, indicating a potentially good fit of the overall model to reality. Control variables (i.e. gender, age and education) show weak, but statistically significant, relationships to some of this study’s variables. Both female respondents and older respondents appear to have a weak relationship with more skepticism towards disclosing information ( r gender = -.159, r age = -.201,
p < 0.01 ) possibly incited by reduced trusting beliefs ( r gender = -.135, r age = -.171, p < 0.01 )
and increased privacy concerns ( r gender = -.183, r age = -.240, p < 0.01 ). Lastly, education level
is positively correlated with increased risk beliefs ( r = .118, p < 0.05 ).
Strong relationships exist among attitude to disclose information and intent to disclose information ( r = .718, p < 0.01 ). Furthermore, as both (a) attitude and (b) intent to disclose information are considered as the outcome variables of this research, the variables perceived relevance ( r attitude = -.645, r intent = -.608, p < 0.01 ), awareness of privacy policy ( r attitude =
.475, r intent = .446, p < 0.01 ), trusting beliefs ( r attitude = .686, r intent = .697, p < 0.01 ), and risk
beliefs ( r attitude = -.645, r intent = -.558, p < 0.01 ) all show moderate to strong relationships. As
expected, the variables trusting beliefs, risk beliefs, awareness of privacy policy and perceived relevance all show moderate to strong statistically significant correlations. Table 4 displays the
Table 4: General correlation among study variables
Note. N = 296. Gender 0 = Female, 1 = Male. Attitude to disclose information 0 = Negative 1 = Positive, Condition dummy variables being 0
= Other type of privacy notice 1 = Condition type of privacy notice. Cronbach’s Alpha on diagonal axis, ** p < .01, * p < .05 (two tailed).
4.2. Overall model testing
Considering this conceptual model and experiment is an extension of the work by Malhotra et. al. (2004) and Zimmer et. al. (2010), five out of six hypotheses as suggested by Malhotra et. al. (2004) and Zimmer et. al. (2010) are found to be confirmed. In order to identify the total effect of the model, a preliminary exploration using regression analysis for the dependent variables (I) trusting beliefs, (II) risk beliefs, and (III) attitude towards sharing information is conducted. Linear regression analysis I, displayed in Table 5, shows that the sum of trusting beliefs, perceived relevance, privacy concerns, perceived sharing, and sensitivity of requested
M SD 1 2 3 4 5 6 7 8 9 10 11 1 Gender 1,4 0,49 ( - ) 2 Age 2,8 1,10 .209** ( - ) 3 Education 3,8 0,93 -0,11 -0,08 ( - ) 4 Attitude to disclose information 0,5 0,47 -.159** -.201** -0,03 ( .96 ) 5 Intent to disclose information 4,3 1,80 -0,07 -.141* 0,01 .718** ( - ) 6 Perceived relevance 4,9 1,53 -.153** -0,02 -0,08 .645** .608** ( .94 ) 7 Awareness of privacy policy 4,1 1,93 -0,07 -.221** -0,03 .475** .446** .427** ( .94 ) 8 Trusting beliefs 4,7 1,35 -.135* -.171** -0,04 .686** .697** .708** .636** ( .97 ) 9 Risk beliefs 4,5 1,40 0,04 0,05 .118* -.645** -.558** -.567** -.302** -.556** ( .89 ) 10 Privacy Concerns 5,9 0,76 .183** .240** -0,03 -.294** -.143* -0,06 -0,10 -0,10 .311** (.86) 11 Perceived sharing of information 58 29,82 -0,05 -0,01 0,08 -.213** -.198** -.220** -0,07 -.292** .367** .122* ( - ) 12 Disclosure condition 0,6 0,50 0,01 0,08 -0,02 0,02 0,00 0,01 0,10 0,02 -0,08 0,08 -0,01 13 Sensitivity condition 0,4 0,50 -0,05 -0,06 0,07 -.146* -0,11 -.225** -.129* -.131* .213** 0,03 0,05 14 Control condition 0,2 0,38 -0,01 0,00 0,01 -0,04 0,01 -0,03 -0,08 0,00 .136* 0,06 -0,02 15 At-setup condition 0,2 0,39 0,03 -0,05 -0,06 -0,06 -0,03 -0,04 -0,05 0,01 0,03 0,03 -0,02 16 just-in-time condition 0,2 0,42 0,11 0,01 0,03 -0,08 -0,10 -0,07 0,06 -0,07 0,10 0,07 .119* 17 Layered condition 0,4 0,49 -0,11 0,02 0,02 .147* 0,11 .117* 0,05 0,06 -.215** -.124* -0,07
Table 5: Regression analysis of trusting beliefs, perceived relevance, privacy concerns, perceived disclosure
to third parties, & sensitivity of information on risk beliefs
(1) (2) (3) (4) (5) Trusting Beliefs (β) -.556** -.310** -.283** -.232** -.238** Perceived Relevance (β) -.348** -.351** -.345** -.321** Privacy Concerns (β) .262** .243** .242** Perceived Disclosure to Third Parties (β) .193** .192** Sensitivity of information (β) .093* ∆R2 .310 .060 .068 .034 .008 R2 .310** .370** .438** .472** .480** F (df) 131.891 (1,294) 86.003 (2,293) 75.769 (3,292) 64.957 (4,291) 53.522 (5,290) Note. N = 296. Dependent Variable = Risk Beliefs ** p < .01, * p < .05 (two tailed).
is a statistically significant predictor of risk beliefs, as 48% of the total variance is explained (model 5, R2 = .480, F(5,290) = 53.522, p < .01). This effect remains when checking for control variables and demographical characteristics, and as the Variance Inflation Factor (VIF) is under 2 for each of the variables, no multicollinearity is present.
Furthermore, the sum of perceived sharing with third parties, sensitivity, and privacy concerns can largely be considered as a significant predictor for trusting beliefs. Table 6 shows that sensitivity and perceived sharing are statistically significant predictors of trusting beliefs (model 2, R2 = .10, F(2,293) = 16.054, p = .00), however the addition of privacy concerns to this model does not seem to be valuable as ∆R2
Model 3= 0.03, β Privacy Concerns= -.060, p = .29.
Table 6: Regression analysis of perceived sharing, privacy concerns, & sensitivity on trusting beliefs (1) (2) (3) Perceived Sharing (β) -.292** -.286** -.279** Sensitivity (β) -.116* -.114* Privacy Concerns (β) .060 ∆R2 .085 .014 .003 R2 .085** .099** .102** F (df) 27.469 (1,294) 16.054 (2,293) 11.087 (3,292)
Note. N = 296. Dependent Variable = Trusting Beliefs ** p < .01, * p < .05 (two tailed).
Lastly, Table 7 illustrates the regression analysis of trusting beliefs, perceived relevance and risk beliefs on attitude towards sharing information. This analysis shows that model 3 explains 58,6% of the variance, indicating a good fit (model 3, R2 = .586, F(3,292) = 140.019, p < .01). All three of the variables that entered this model, being trusting beliefs, risk beliefs and relevance, explain the attitude towards sharing information. Within these models no multicollinearity was found, as all VIF are under 2. Lastly, the attitude towards sharing information is seen as an impactful and statistically significant predictor for the intent to disclose information ( β = .718, R2 = .515, F(1,294) = 312.110, p < .01).
A Structural Equation Model (SEM) analysis was used to test the overall model. With covariance being the basic statistical measure of SEM, the goal of this analysis is to test correlations between variables and to explain as much as possible of the variance (Kline, 2005). The main benefit of SEM is the simultaneous testing of all variables in the model, reducing the chance for measurement errors. The SEM analysis resulted in a good overall fit (x2 (10) = 268.189, p < .01), although this analysis also indicated the fact that privacy concerns could not
Table 7: Regression analysis of trusting beliefs, perceived relevance and risk beliefs on attitude towards sharing information (1) (2) (3) Trusting Beliefs (β) .686** .473** .357** Risk Beliefs (β) -.382** -.331** Relevance (β) .205** ∆R2 .470 .098 .018 R2 .470** .568** .586** F (df) 260.900 (1,294) 194.875 (2,293) 140.019 (3,292)
Note. N = 296. Dependent Variable = Attitude Towards Sharing Information ** p < .01, * p < .05 (two tailed).
be regarded as a statistically significant predictor for trusting beliefs (β = -.060, p = .28). Path coefficients are shown in Figure 1. Based on the results of linear regression analysis and structural equation modelling, five out of six hypotheses as suggested by Malhotra et. al. (2004) and Zimmer et. al. (2010) are found to be confirmed in this study. These findings are summarized in Table 8.
Table 8: Findings in prior research by Malhotra et. al. (2004) and Zimmer et. al. (2010) and results in this
study
Hypothesis Finding
HXa Privacy concerns have a positive effect on risk beliefs for all privacy notices. Confirmed
HXb Privacy concerns have a negative effect on trusting beliefs for all privacy notices. Not confirmed
HXc Trusting beliefs and perceived relevance have a negative effect on risk beliefs for all privacy
notices. Confirmed
HXd Trusting beliefs and perceived relevance positively influence the attitude towards disclosing
information for all privacy notices.
Figure 1: Conceptual model, displaying standardized path coefficients
Note. N = 296. ** p < .001, * p < .05 (two tailed).
4.3. Hypothesis testing
In subsection 1 through 5 of this section, the hypotheses involved in this study will be tested. Table 9 contains an overview of all hypotheses involved, and whether the findings are in line with the hypotheses or refute the hypotheses.
Table 9: Hypothesis overview
Hypothesis Finding
I The GDPR-compliant ‘layered’-approach does not bring any significant changes to the
awareness of privacy practices compared to pre-GDPR notices. Rejected
II The GDPR -compliant (a) at-setup and (b) just-in-time notices will increase the awareness of
privacy practices compared to pre- GDPR notices. Rejected
III A higher level of disclosure of information to third parties (a) negatively influences the
attitude towards disclosing information, by (b) increasing risk beliefs and (c) reducing
trusting beliefs which consequently reduce the attitude towards disclosing information. Confirmed
IV While for (a) just-in-time and (b) at-setup privacy notices the actual level of disclosure to
third parties is a predictor for the perceived level of disclosure to third parties, this effect is
not present for (c) layered and (d) pre-GDPR privacy notices. Partially confirmed
V There is a significant difference between the methods of displaying GDPR-compliant privacy
notices in terms of intention to disclose information. Confirmed
-.250** -.337** Trusting beliefs Risk beliefs Perceived relevance Privacy Concerns Attitude towards disclosing information Intent to disclose information Sensitivity of requested information Perceived Level of Disclosure to Third Parties
Positive effect Negative effect Characteristics .254** -.060 .224** -.345** .685** .391** .202** -.279** .098* -.114*
For analysis of hypothesis I, II, and V, the F-Test or Analysis of Variance (ANOVA) Analysis of Variance (ANOVA) was performed to check whether the difference in means has any statistical significance. Considering the fact that each condition has a relatively small sample size, some critique is present on the use of ANOVA as a measure for small sample sizes. It is often suggested that a t test should be used for smaller sample sizes; however, both ANOVA and t test are based on the same assumptions, as the F test from ANOVA is equal to the square of the t test (Norman, 2010). Norman (2010) states that “nowhere is there any evidence that
non-parametric tests are more appropriate than parametric tests when sample size gets smaller”. Within the context of this study, where the use of dichotomous data is present due to
the use conditions, ANOVA seems to be better equipped for analysis, as testing dichotomous data using t test can reduce statistical power (e.g. Suissa, 1991; Hunter & Schmidt, 1990; as cited in Norman, 2010). Although small sample sizes require larger effects to achieve statistical significance, significant results of small sample sizes do not undermine the significant results of larger sample sizes.
4.3.1. Hypothesis I
The GDPR compliant ‘Layered’-approach does not bring any significant changes to the Awareness of Privacy Practices compared to pre-GDPR notices.
A slight difference in means of awareness of privacy practices across [privacy-notice: pre-GDPR] and [privacy-notice: layered] was present in each of the four conditions, with varying levels of sensitivity and disclosure. As displayed in Error! Reference source not found., the d ifference in averages as measured for the condition [sensitivity: low] x [disclosure: low] is ∆M
difference is found, the difference did not bear any statistical significance, and would suggest no typical difference
Table 10: Awareness of privacy related practices across layered and pre-GDPR privacy notices
Low Disclosure High Disclosure
N M ∆M SD N M ∆M SD Se ns iti vi ty Low Pre-GDPR 16 4.52 0.00 1.66 16 4.52 0.00 1.66 Layered 13 3.56 - 0.96 1.52 82 4.39 - 0.13 1.89 ANOVA F(1,27) = 2.562, p = .12 F(1,96) = 0.071, p = .79 H igh Pre-GDPR 35 3.38 0.00 2.06 35 3.38 0.00 2.06 Layered 13 5.15 1.77 1.53 13 2.62 - 0.76 1.75 ANOVA F(1,46) = 7.971, p < .01 F(1,46) = 1.415, p = .24
Note. N = 296. Awareness of Privacy Related Practices is measured on a scale of 1 (low) to 7 (high).
in terms of awareness of privacy practices. However, as within the condition [sensitivity: high] x [disclosure: low] participants found the layered notice to better explain privacy related practices (M = 5.15, ∆M pre-GDPR = 1.77, F(1,46) = 7.971, p < .01), this hypothesis has to be
rejected.
4.3.2. Hypothesis II
Hypothesis IIa at-setup privacy notices will increase the awareness of privacy practices
compared to pre-GDPR notices.
Table 11 displays the results of awareness of privacy related practices across at-setup and pre-GDPR privacy notices and the corresponding results of ANOVA. Although differences in means in terms of awareness of privacy related practices can be seen across at-setup and pre-GDPR privacy notices, none of these results have any statistical significance. This can be attributed to (a) a high level of deviation within each measure and (b) a relatively small sample size. As such, Hypothesis IIa cannot be confirmed and has to be rejected.
Table 11: Awareness of privacy related practices across at-setup and pre-GDPR privacy notices
Low Disclosure High Disclosure
N M ∆M SD N M ∆M SD Se ns iti vi ty Low Pre-GDPR 16 4.52 0.00 1.66 16 4.52 0.00 1.66 At-setup 14 3.88 -0.64 1.92 14 4.38 - 0.14 1.97 ANOVA F(1,28) = 0.959, p = .33 F(1,28) = 0.044, p = .83 H igh Pre-GDPR 35 3.38 0.00 2.06 35 3.38 0.00 2.06 At-setup 14 3.69 0.31 2.33 13 3.54 0.16 1.82 ANOVA F(1,47) = 0.210, p = .65 F(1,46) = 0.059, p = .81
Note. N = 157. Awareness of Privacy Related Practices is measured on a scale of 1 (low) to 7 (high).
Hypothesis IIb just-in-time privacy notices will increase the awareness of privacy practices
compared to pre-GDPR notices.
Table 12 displays the results of awareness of privacy related practices across at-setup and pre-GDPR privacy notices. Although a difference in averages can be seen across multiple
conditions, only within the condition [sensitivity: high] x [disclosure: high] this effect can be regarded as statistically significant (M = 4.67, ∆M pre-GDPR = 1.29, F(1,47) = 4.305, p < .05).
Considering under these circumstances the just-in-time notice increases awareness of privacy practices, this hypothesis is accepted.
Table 12: Awareness of privacy related practices across just-in-time and pre-GDPR privacy notices
Low Disclosure High Disclosure
N M ∆M SD N M ∆M SD Se ns iti vi ty Low Pre-GDPR 16 4.52 0.00 1.66 16 4.52 0.00 1.66 just-in-time 14 3.60 - 0.92 1.99 13 5.33 0.81 1.44 ANOVA F(1,28) = 1.928, p = .18 F(1,27) = 1.924, p = .18 Pre-GDPR 35 3.38 0.00 2.06 35 3.38 0.00 2.06
4.3.5. Hypothesis III
A higher level of disclosure of information to third parties (a) negatively influences the attitude towards disclosing information, by (b) increasing risk beliefs and (c) reducing trusting beliefs which consequently reduce the attitude towards disclosing information. The relationship between perceived sharing with third parties on attitude to disclose information is negative. An SPSS-initiated linear regression analysis shows that an increase in perceived sharing of information with third parties results in a reduced attitude towards disclosing any personal information (B = -.048, p < .01). This effect is believed to be mediated by both trust beliefs and risk beliefs. A mediation analysis, based on Model 6 of Andrew F. Hayes Process Macro For SPSS, points out that the effect of perceived sharing with third parties on attitude to disclose information is close to zero and statistically insignificant (c1 = .018, t(292) = 2.732, p = .06), as opposed to the initial effect of perceived sharing with third parties on attitude to disclose information. Three indirect effects illustrate the underlying process of this mediation.
Figure 2: Conceptual model hypothesis 5
The first indirect effect, the effect of perceived sharing with third parties on perceptions of risk, indicates that those who perceive an organization as to be sharing personal information with third parties to have significantly increased risk beliefs (a1 = .246, p < .01), which is associated
Trusting beliefs Perceived sharing of personal information Attitude towards disclosing information Risk beliefs Positive effect Negative effect
with a more negative attitude to disclosing personal information (b1 = -.138, p < .001), independently of their trust beliefs. This indirect effect can be interpreted as significantly negative as coincidence interval is below zero (indirect effect = .034, SE = .007, CI .049 to -.020).
The second indirect effect is the effect of perceived sharing with third parties on attitude to disclose information, through risk and trust beliefs in serial. Participants who had an increased perception of firms to be sharing information with third parties experienced higher risk beliefs, which was related to reduced trust (a3 = -.502, p < .01) that consequently is related to a negative attitude to disclose personal information (b2 = -.138, p < .01). This indirect effect is significantly negative (indirect effect = -.011, SE = 0.05, CI: -.024 to -.001). The third indirect effect indicates the specific effect of perceived sharing of information with third parties on the attitude to disclose personal information, through trusting beliefs. Participants who perceived an increased level of sharing information with third parties experienced a significant reduction in trust (a2= -.066, p = .05), which in turn is associated with a more positive attitude towards disclosing personal information (b2 = .169, p < .01), regardless of risk beliefs. This effect is significantly negative (indirect effect = .021, SE = .004, CI: -.030 to -.013).
Table 13: Results mediation analysis
Risk beliefs (M) Trust beliefs (M) Attitude to Disclosing Information
Antecedent B SE B p B SE B p B SE B p
Perceived sharing .245 .036 <.001 -.066 .034 .051 .018 .009 .063
Risk Beliefs -.502 .050 <.001 -.138 .016 <.001
Trusting Beliefs .170 .016 <.001
The inclusion of the mediation variables has reduced the relationship between the independent and dependent variable, albeit not statistically significant. The total indirect effect of the model is .066 (SE = .012, CI: -.090 to -.042), with coincidence intervals suggesting good reliability. These results are in line with hypothesis III, which can be confirmed.
4.3.4. Hypothesis IV
While for (a) just-in-time and (b) at-setup privacy notices the actual level of disclosure to third parties is a predictor for the perceived level of disclosure to third parties. this effect is not present for (c) layered and (d) pre-GDPR privacy notices.
A simple linear regression analysis, as displayed in Table 14, shows that within the (a) at-setup privacy notice condition, the actual level of disclosure to third parties is a predictor for the perceived level of disclosure (β = .296, p = .03, R2 = .09, F(1,53) = 5.089). This effect is however not present for the (b) just-in-time notice (β = -.069, p = .58, R2 = .01, F(1,67) = 0.319). Within both the (c) layered and (d) pre-GDPR privacy notice conditions, actual level of disclosure to third parties is not a significant predictor for perceived level of disclosure to third parties, as β Privacy Notice: pre-GDPR = -.099 (p = .49, R2 = .01, F(1,49) = 0.481) and β Privacy Notice: Layered = -.052 (p = .57, R2 = .00, F(1,119) = 0.318). As such, hypothesis a, c and d are accepted, but hypothesis b is rejected.
Table 14: Linear regression analysis of actual level of disclosure to third parties on perceived level of
disclosure to third parties.
Pre-GDPR Layered just-in-time At-Setup
Actual Level of Disclosure To Third Parties -.099 -.052 -.069 .296*
R2 .010 .003 .005 .088
F (df) 0.481 (1,49) 0.318 (1,119) 0.319 (1,67) 5.089 (1,53)
Table 15: Intention to disclose personal information across all 16 conditions
Low Disclosure High Disclosure
N M SD N M SD L ow Se ns it iv it y At-setup 14 4.71 1.68 14 4.43 1.87 Layered 13 4.54 1.39 82 4.57 1.62 just-in-time 14 4.00 1.96 13 3.23 1.96 ANOVA F(2,38) = 0.667, p = .52 F(2,106) = 3.531, p = .03 H igh Se ns it iv it y At-setup 14 3.57 1.79 13 4.15 2.04 Layered 13 5.08 1.61 13 4.00 2.04 just-in-time 28 4.32 1.81 14 4.07 2.24 ANOVA F(2,52) = 2.477, p = .09 F(2,37) = 0.017, p = .98
Note. N = 296. Intention To Disclose Personal Information is measured on a scale of 1 (low) to 7 (high).
4.3.3. Hypothesis V
There is a significant difference between the methods of displaying GDPR-compliant privacy notices in terms of Intention to Disclose Information.
ANOVA is used to point out whether a statistically significant difference is present between the methods of displaying GDPR-compliant privacy notices, as displayed in Table 15. Within the condition [sensitivity: low] x [disclosure: high] a statistically significant difference has been found in terms of intention to disclose personal information. The condition [privacy notice: just-in-time] has a significantly different effect on intent to disclose information, opposed to [privacy notice: layered] and [privacy notice: at-setup], as means vary from M Privacy Notice: just-in-time = 3.23 to M Privacy Notice: layered = 4.57. Although a difference in means is also found within the
[sensitivity: high] x [disclosure: low] condition, this effect is not statistically significant. Considering the presence of a statistically significant difference among privacy notices in terms of intention to disclose personal information within the [sensitivity: low] x [disclosure: high]
5. Discussion
5.1. General discussion
For both hypothesis I and II, an unexpected effect was identified in terms of the measurement of awareness of privacy related practices. Upon asking participants to what extent (a) FoodDiscounter discloses the way the data are collected, processed, and used, (b) FoodDiscounter’s privacy policy has a clear and conspicuous disclosure, and (c) to what extent participants are aware and knowledgeable about the use of personal information, the underlying assumption is that respondents whom have read privacy policies and consequently have become aware of privacy policies involved would indicate a higher awareness opposed to those who do not have read the privacy practices involved. Within the layered condition, those who have read the layered privacy notice typically state to be more aware of privacy related practices (M no click = 3.97, M click = 5.05, p < .01), but even respondents who have not clicked on the privacy notice indicate that they are aware of privacy related practices. This accounts for 80% of the respondents within the layered notice condition. Respondents who did not read the privacy policy appear to answer this set of questions based on their implicit associations, which can overall be explained with the very strong correlation to trusting beliefs (r = .636, p < 0.01) and risk beliefs (r = -.302, p < 0.01).
With regards to the statistical analysis of hypotheses related to the measurement of awareness of privacy related practices, hypothesis I and II had to be rejected, albeit with several remarks. Opposed to hypothesis I, which suggested that the GDPR-compliant layered privacy notices would not bring any significant changes in awareness of privacy practices as compared to pre-GDPR notices, there is an indication of statistically significant diversity in the means of awareness of privacy related practices across both conditions. The difference in means within the condition with a low level of sensitivity and a low level of disclosure to third parties is of statistical significance. There is however reason to believe that these findings could potentially
be explained due to too small of a sample size which is leading to errors. A total of 23% of participants within the condition with a high level of sensitivity, but low level of disclosure to third parties clicked on the layered notice to become aware of the privacy practices involved, yet those who clicked on the privacy notice gave a significantly lower score (M = 4.67) to the awareness of privacy practices compared to those who did not click (M = 5.30). Within the condition where the levels of both sensitivity and disclosure to third parties are high, none of the participants clicked on the layered notice and consequently did not become aware of a potentially lower or higher disclosure to third parties. This implies that all of the participants exposed to the condition where the levels of both sensitivity and disclosure to third parties are high and the participants who did not click on the privacy notice within the condition where the level of sensitivity is high but disclosure to third parties is low experienced the exact same experiment. The averages of these conditions however differ significantly, as M Disclosure High =
2.62 while M Disclosure Low = 5.15 (F(1,24) = 15.574, p < .01). This is curious as both of these
groups were exposed to an identical experiment. Nevertheless, the hypothesis has to be rejected on the grounds of the presence of a statistically significant difference in means across conditions.
Hypothesis II suggested that both at-setup privacy notices and just-in-time notices would increase the awareness of privacy practices as compared to pre-GDPR notices. No significant effect could be found for a difference in means across the pre-GDPR condition and at-setup notices, which were characterized by very low margins (∆M < 0.64). Although an increase in awareness of privacy related practices could also be seen in the other conditions, however these were of no statistical significance. Upon the testing of hypothesis IIb , results
