One of the jobs of a marketer is to instill in the consumer a sense of trust: Trust in the brand, trust in the product or service, trust in how the company handles their personal data and so on.
The latter job is often fulfilled by putting a privacy notice on the site.
Sometimes, we do it because it's the law in our country. Sometimes in an effort to show people we are a responsible company.
But are we shooting ourselves in the proverbial foot? That's what Aaron Brough and his colleague set out to discover. Dr. Brough is an associate professor of marketing at Jon M. Huntsman School of Business at Utah State University. He is the co-author of a new scientific research study called The Bulletproof Glass Effect: Unintended Consequences of Privacy Notices.
Our podcast host Tod Maffin spoke with him recently.
Table of Contents
- What Are the Unintended Consequences of Privacy Notices?
- Words Make a Difference
- The Financial Site Test
- Why Value Perception Isn't Affected
- Differences Between Age and Gender
- What Happens When Consumers Hit a 404?
- How to Fix If You Can't Control the Privacy Banner
- Designing the Perfect Privacy Banner
- Why People are Willing to Give Up Their Data So Easily
What Are the Unintended Consequences of Privacy Notices?
Tod Maffin: Let's start with the top line findings. What were those unintended consequences?
Aaron: We set out trying to understand how consumers respond to privacy notices. As part of the research, we surveyed managers across different industries. A large majority of these managers expected privacy notices to help customers feel more secure, but it turns out their intuition was flawed. We conducted a series of six experiments, involving nearly 20,000 people and we compared consumers' interest in purchasing from a website or an app that either included or didn't include a privacy notice.
One of the things we found is that telling customers how their personal data is protected can undermine consumer trust and discourage them from making a purchase. I like to compare it to going to an elementary school and seeing bulletproof glass and metal detectors. Their purpose is there to protect you, but instead of making you feel safe, they could make you feel more vulnerable.
Tod Maffin: It's interesting, because that's counter to, I think, everything that is both instinctive as marketers and everything that's taught as well. You would think that the more we layer on, “We'll take care of your data,” the more secure people feel.
Aaron: Yes. Certainly, this does challenge that intuition, the telling consumers how their personal data will be protected is going to be good for business. For most firms and privacy advocates, that's not great news. As researchers, my co-authors and I are definitely supportive of respecting consumers' privacy, and we want to encourage firms to be responsible and transparent in their data practices.
Another thing we looked at after initially discovering this is, how could we provide actionable guidance to managers on how to effectively convey privacy information without hurting purchase interest?
We tested how changes in the wording of a privacy notice affected consumers' willingness to purchase. We found that consumers were less turned off by privacy notices that included what we call benevolence cues. Those would be statements like, “We care about protecting your privacy,” or “We respect you and promise to treat you fairly,” or “We're committed to the protection of your information.”
The interesting thing is that although these statements do don't offer any legal protection to consumers, they do seem to help build trust by conveying to consumers that companies have good intentions. Adding these benevolence cues to a privacy notice can reduce or even reverse its negative effects on purchase interest.
Words Make a Difference
Tod Maffin: I think the example that you used in this study was that you changed the phrase, “We collect your information,” to “We protect your information.” Did you study how people's purchase intent changed when you made substitutions like that?
Aaron: Yes. In fact, in one study, people were more likely to buy a product when a privacy notice had these benevolence cues, than when a privacy did not include comforting language, or when privacy information wasn't readily available at all during the checkout process.
The Financial Site Test
Tod Maffin: One of your studies came from a test that you did on a financial services website, like a real site, one that was in the market. Can you walk us through what you tested and what you found?
Aaron: Sure. There was surprisingly little previous research about how privacy notices affect consumers' purchase decisions. As far as I know, we conducted the first published field experiment looking at this issue with actual customers. The company we partnered with was Borrowell, which is a Canadian financial technology firm with over a million user. To sign up for Borrowell's service, visitors have to complete a nine-step enrollment process that involves providing some sensitive personal information. They have to give things like their name, their address, birth date, phone number, income, financial goals, and access to a credit report. Each perspective customer who visited the site was randomly assigned to one of two conditions. In the control condition, only a hyperlink to Borrowell's privacy policy was provided on the first screen of the signup process. In the other condition, the link was proceeded by an explanation of Borrowell's commitment to the protection of customers' personal information.
As predicted, enrollment was significantly lower in the condition with the detailed description of privacy protections than in the control condition that included only a privacy policy link. These results suggest that prominently displaying detailed privacy protections can drive consumers away, which could end up costing Borrowell hundreds of thousands of dollars per year in lost revenue. We conducted this study over a seven day period, and so if you extrapolate, that's the estimate for what they could stand to lose.
Why Value Perception Isn't Affected
Tod Maffin: One of the things I thought was interesting is that you found that while people might be less willing to buy something after seeing a privacy notice, their perception of the value of that product didn't actually change. Did that surprise you?
Aaron: Yes. The thing that surprised me the most is that consumers are more likely to purchase from a company that makes no promises regarding the protection of consumer privacy, than from one that is transparent in describing its data practices. The reason for that is that a privacy notice places legally enforceable limits on a firm's data practices, it communicates safeguards and it might be expected to promote confidence that one's personal data will not be misused.
As I said, instead of making people feel more secure, we found that it does undermine trust and purchase interest. Yes, it doesn't change the value, but it does change the willingness that they have to pay for that product. I was also surprised that something seemingly trivial as including benevolence cues in the privacy notice, these subtle changes that we make to the language, could counter the negative effects.
Differences Between Age and Gender
Tod Maffin: Were there any significant differences between generations or genders?
Aaron: No. We looked at age and gender as covariants, meaning we tried to see if there were differences across those variables and we didn't find any.
What Happens When Consumers Hit a 404?
Tod Maffin: I don't often laugh when I'm reading scientific journals or scientific papers, but I did chuck a little bit, because one of the test variations that you did that I thought was clever. We've talked about the two A/B tests that you've done before with this financial services, but one of your tests included a third option beyond there's a privacy policy link and I read it, and there was no privacy policy link at all. That third option was that you had a link to a privacy policy, but when people clicked it, the web browser just barfed back a file not found error. People were aware that there was a privacy policy, but they didn't get to read it. How did that change people's purchase intent?
Aaron: I think that was actually a study that didn't make it into the published paper. That was one of the earlier studies that we ran. One of the reasons it didn't make it into the published paper is because I think one issue could have been that people are thinking there might be some kind of problem with the site. If they can't get a link to their privacy policy to work properly, then maybe there's other incompetence in their ability to manage my personal data. That was an alternative explanation for the results of that study. We ran some subsequent studies to be cleaner tests, that wouldn't be susceptible to that alternative explanation.
How to Fix If You Can't Control the Privacy Banner
Tod Maffin: Right. A lot of people who are listening to the podcast, people who manage e-commerce sites and so on, they don't have control, this level of granularity of control over whether there's a privacy box, what it says, that sort of thing. For those people, I'm thinking people who use a preset theme in Shopify or something like that, for those people, is there any way to counter the loss in purchase intent?
Aaron: Yes, that's a good question. I think anything that you can do to build consumer trust and to let them know that you care about them, that you're committed to not only competently protecting their privacy, but also that you have their best interest in mind and at heart. I think any kind of cues that you can give along those lines should be effective, but you're sometimes limited by the platform in terms of the extent that you can use to communicate these cues.
Tod Maffin: Yes. Let's go the other way, if someone has full control over their site and they can choose whether a privacy notice appears or doesn't appear. Is it, you're finding, that they should just not show one?
Aaron: No. I would say the finding is if you incorporate benevolence cues into your privacy policy, we found that in some cases, it can actually be beneficial. It can actually increase purchase intent beyond what it would be in the absence of any privacy communication. The downside or the thing you want to avoid is having a privacy notice that does not include benevolence cues. As part of the research, one of the things that we did is we looked at a random sample of privacy notices of companies listed on the Nasdaq Stock Exchange, and we found that benevolence cues were in fact quite rare.
One of the things that I hope that our research will prompt more companies to do is to include language in their privacy notices that communicates caring, and fosters consumer trust, so that consumers are more willing to provide that information and do business with the companies, but the companies are not discouraged from being transparent in what they're doing with the customer's personal data.
Designing the Perfect Privacy Banner
Tod Maffin: What would be the perfect? If you were VP of policy, or VP of privacy or whatever for an e-commerce company, and the CEO said, “You've got a day. Design for me the perfect privacy apparatus as it is forward-facing to the consumer.” What does it look like? Is it a box? Is it a pop-up? How big is it? Tell me the words to use?
Aaron: Yes, that's the million dollar question, right?
Tod Maffin: Yes, it is, or more.
Aaron: I think that there's obviously no solution that fits all different situations. I think some of that's going to be dictated by the situation and the context. I think the key results from our research are, do things that build consumer trust. In addition to conveying that you will protect their information, make sure that you're communicating how much you care about their privacy, and how much you care about them. I think from other privacy research that I'm familiar with, that other people have conducted, I think there are a lot of best practices out there in terms of being very concise, trying to avoid jargon that people aren't going to understand. To be very open and transparent about what you're doing and explaining to them why you're collecting this data, how it will be used, and what the benefits are to them of your collecting this information. If you're collecting a particular piece of information explaining that this might allow you to customize the product or the experience to their needs, that can be a way to help.
Why People are Willing to Give Up Their Data So Easily
Tod Maffin: What surprised you the most about your findings?
Aaron: Like I said earlier, I think one of the biggest surprises was just the fact that people would be so willing to give up their personal data without any promise that it will be protected. When I first started doing this research, I looked at some of the most popular apps on the App Store. This was before there was regulation that they required them to have privacy policies. Some of the most popular apps for finance or for fitness where you're entering personal health information, or medical conditions or things like that, or you're entering financial data, there were no privacy policies on those apps. I thought that was shocking, frankly.
The other thing that I think is surprising, like I said earlier, is that I think just changing the language slightly can reduce these negative effects that we've observed, of bringing privacy information to the forefront of people's minds.
Tod Maffin: It's interesting, because I think a lot of people in the industry, obviously, they're used to multivariate testing and there's lots of things that we test. There's image, there's the color of buttons. Google once tested 32 different shades of blue for their hyperlinks. I don't know that many people would consider testing the privacy portion of that, and yet, as you discuss, it's pretty critical to the whole thing.
Tod Maffin: What made you want to study this?
Aaron: I think part of it was noticing this about the apps. I've done some other privacy research, so I have a couple of recently published papers where we look at the implications of the pandemic for privacy. One effect of the pandemic is that there's been this large pool of personal data that's been generated that was not previously available. That's partly due to increased collecting and sharing of consumer information by governments and businesses. It's also partly due to an increase in online activities and voluntary self-disclosure by people who are isolated. We identify some opportunities, challenges, and open questions that this poses for both consumers and marketers.
In another paper, we look at the need to consider both individuals' motivation to protect their personal information, but also their knowledge of how to do so. A lot of the research and privacy looks either at motivation or at knowledge, but not at both. In fact, many consumers are fairly privacy illiterate. They're not able to accurately predict how they will respond to privacy threats. In order to do that, we need to consider not only their motivation, but also their familiarity with privacy-related issues. To answer your question, privacy has been something that I've been interested in for a while now, and working on it from several different angles and that's what got me thinking about privacy notices.
As I said, I'm an advocate of transparency and privacy practices. I think it's ethical for companies to disclose how they are going to be using consumers' personal information and as a consumer, I want my personal information to be protected. I think there's a lot of benefits that I can get by providing it, but I want to make sure that I know how they're going to be using it, how they will be protecting it. I think privacy notices are important. I think that as our research shows, they can be very influential in influencing consumer purchases.
Tod Maffin: I'm curious. Given that your research focuses around privacy and the web, and e-commerce and so on, has your research or your experience in this changed the way that you move through the web as a consumer?
Aaron: It has a little bit, but I'm like everyone else, I think, where I often don't read privacy notices all the way through, especially if they're long and full of technical jargon. I have become more aware of it, I think. I've been particularly more aware of their absence. I think that's the thing that a lot of people, when they're shopping, they're not always thinking about privacy. That's the thing that started us off on doing this research is that the absence of privacy notice doesn't usually send up red flags to consumers, but it should. What that means is they're making no promises. They could be collecting any data from you, and making no promises about how it will be protected or used. I think privacy notices are there to protect us. I just want to make sure that companies have a way of communicating that in a way that won't hurt their business, because otherwise, they're essentially given an incentive not to convey that information, which I think hurts consumers overall.
Tod Maffin: I hate to say it, I'm one of those people who when I arrive at a website, and it has the privacy banner, probably GDPR-inspired, where there's a big accept everything button and then a big customize your choices button, I usually click that. I like to think I'm privacy-aware. I run the Brave browser, I run a VPN on all my devices, but yet, that accept all button, it's tantalizingly easy to click. Maybe this will eventually change all of us.
