Privacy concerns and kinds of Protective behaviour of victims of information Privacy violations

Within the current privacy sensitive environment, an understanding of consumers’ information privacy concerns is critical. The objective of the study is to establish whether there is a difference between victims and non-victims of information privacy invasion, and whether this has an influence on their privacy concerns and protective behaviour. A probability (systematic) sampling design was used to draw a representative sample of 800 households where-after 800 telephone interviews were conducted with adults from these households. The findings show that victims had increased concern about information misuse by, and solicitation practices of, organisations, and they exhibit more protective behaviour than non-victims. This suggests that organisations should recognise that consumers believe that they have ownership of their personal information. Furthermore, organisations should share information of consumers in a way that is respectful, relevant and beneficial. D18, L86, M14


Introduction
People around the world are increasingly recognising that their personal information is subjected to unauthorised usage on a daily basis.This has led to countries passing legislation on personal data protection.Data protection entails the legal protection of persons from other persons or institutions with regard to the processing of data concerning themselves.Data protection is no longer seen as a purely functional construct to be used to directly shape and influence the use of information-processing technology.Instead, the focus has shifted to the individual, as can be seen in citizens' rights featured prominently in all European dataprotection systems (Agre & Rotenberg, 1998: 235).
Consumers, to a greater extent than legislators, seem to be forcing privacy onto the marketing agenda (Mazur, 2001: 20).This may be because many consumers have experienced quite distinctly and personally the potential dangers of unrestricted gathering and processing of personal information by others.Many consumers report that they are victims of privacy invasion leading to an increased concern about the informationhandling practices of organisations.Personal information about individuals can be held by credit bureaux, banks, employers, insurance companies, the medical profession, voluntary associations, direct marketers and mailing list companies.Although the information stored by these institutions is often available only to its clients, the possibility exists that third parties like other individuals, private institutions or even government, may have access to this information.
The purpose of this paper is to investigate differences in terms of privacy concerns and protective behaviour between victims and nonvictims of information privacy invasion.First, the article provides a theoretical overview of privacy invasion, privacy concern and protective behaviour.Next, the research problem and method are described, after which the results are reported.Finally, the article provides a discussion on the implications of the findings for managers and organisations together with recommendations on how to improve information-handling practices.

Privacy and privacy invasion
The concept of privacy has shifted from a civil and political rights issue to a consumer rights issue underpinned by the principles of data protection.Many traditional rights have been put on a commercial footing, thus converting privacy rights into consumer issues (Agre & Rotenberg, 1998: 143).For the purpose of this study, privacy is defined as the right of an individual to isolate his or her private life (personal facts, time, circumstances, values and interests) from the knowledge of others.He or she should also be able to control what is withheld from others, and to be free from wrongful interference in his or her private life.Furthermore, information privacy is defined as the right of an individual to safeguard information about him-or herself from the use or control by others (Jordaan, 2003: 21).
Consumers' awareness of privacy issues has increased sharply as a result of the development of the Internet.Also, several privacy-related incidents have resulted in considerable negative press coverage for organisations who improperly invaded people's privacy (Loyle, 2002: 50).The processing of information by organisations and the compilation and distribution of personal information creates a direct threat to consumers' information privacy (Neethling, Potgieter & Visser, 1996: 295).More consumers are demanding that their information be used to enhance their consumer experience and that the information not be used in ways that abuse a privileged relationship (Mabley, 1999: 1).
Unfortunately, many consumers have experienced the potential dangers of unrestricted gathering, processing and dissemination of personal information, and now desire to keep their personal information more private (Agre & Rotenberg, 1998: 225).The reputation of the organisation involved, determines perceived invasion of privacy as well as the knowledge that consumers possess of the particular processes of data collection used, and what the information will be used for.Organisations also depend on the extent to which consumers believe the offer or request to be relevant, the degree of sensitivity they associate with the particular information being collected and any negative consequences likely to result from information collection (O'Malley, Patterson & Evans, 1999: 433).
In a study by Louis Harris and Associates (1998: ix), 41 per cent of consumers reported that they had personally been victim to an improper invasion of privacy by an organisation.A study by Eddy, Stone and Stone-Romero (1999: 347) provided empirical evidence that the ability to authorise the disclosure of personal information has important main and interactive effects on perceptions of invasion of privacy.The IBM-Harris Multi-National Consumer Privacy Survey (Harris Interactive & Westin, 2000: 5) showed that significant numbers of American, British and German consumers were victims of privacy invasion by organisations.The majority of these consumers voiced concern about the possible misuse of their personal information.Petrison and Wang (1995: 19) conducted a study indicating different dimensions of consumer privacy among American and British consumers.Americans expressed more concern about solicitations as privacy invasion, while the Britons were primarily concerned with the collection and exchange of consumer information.Rose (2006: 331) found that New Zealand consumers viewed unauthorised access, followed by secondary use of information as their greatest concern.
South African consumers have also demonstrated that certain information-handling practices of companies are invasive in nature.Early in 2002, EasyInfo.co.za (South Africa's first online telephone directory) launched a directory of 2.5 million names and addresses (including thousands that are unlisted in the white pages of Telkom directories).Soon after, EasyInfo, newspapers and radio stations were bombarded by complaints from consumers regarding an invasion of privacy.Initially, EasyInfo removed approximately 800 names from the directory, but only weeks later, EasyInfo had to close its information site containing confidential information of Telkom customers.Telkom also ordered EasyInfo to hand over all confidential customer information and disclose all third parties to whom the information had been made available (Marud, 2002: 1).

South African consumers' privacy concerns
In a South African study, four information privacy concern dimensions were identified and labelled as: privacy protection concerns; information misuse concerns; solicitation concerns; and government protection concerns (Jordaan, 2004: 4).Privacy protection concern relates to either behavioural intentions of consumers to protect their privacy, or privacy policies of organisations regarding data collection, storage, use, disclosure and solicitation.This protection of privacy behaviour or policies covers general privacy issues ranging from concerns about the sharing of personal information with third parties, to the reasons for collecting information from consumers and the safekeeping of information by organisations.Information misuse concern relates to how organisations use or misuse personal information protection.It also refers to the lack of keeping information safe while stored in a company's records, which makes it vulnerable to misuse.Solicitation concern shows consumers' desire to be left alone.Media intrusiveness seems to be a privacy concern because consumers feel they have little or no control over the prospecting efforts of organisations.Government protection concern relates to the role of government in protecting information privacy by means of legislation.
The identified information privacy dimensions can enable managers to understand the magnitude and areas of information privacy concerns.This way they are better able to develop policies that will align their informationhandling practices with consumers' concerns.In this study, the difference between victims and non-victims in terms of their privacy concerns will be examined against the backdrop of the four information privacy concern dimensions identified and discussed in this section.

Protective behaviour
Due to the increasing power of informationprocessing technology used to collect, store, analyse and exchange customers' personal information, consumers may start adopting protective behaviour to address their information privacy concerns.Many may feel that when engaging in various ways of protecting themselves they should be able to manage their information and thus minimise the potential consequences of supplying this information.
Sheehan and Hoy's study (1999: 40) reported several significant correlations between consumers' online privacy concerns and their behaviour.One such form of behaviour is, for example, the request to remove personal information from mailing lists.Phelps, Nowak and Ferrell (2000: 35) have found that previous name removal behaviour had a strong correlation to people's privacy concern level.The results of the Privacy Concerns and Consumer Choice survey (Louis Harris & Associates & Westin, 1998: x) indicated that consumers' concern about how organisations use their personal information manifested in the way they insisted on various ways of protecting their privacy.The results from a study by Rifon, Larose and Choi (2005: 359) supported the role of privacy self-efficacy in determining privacy protection behaviour.Findings from a study by Dolnicar and Jordaan (2007: 144) showed that there are significant associations between privacy-related consumer behaviour and privacy concerns with troubled consumers adopting protective behaviour such as requesting removal of information from databases.
Harris Interactive (2001a, 2001b, 2001c) conducted three surveys on different types of consumer privacy behaviour.The survey confirmed that consumers were willing to provide both online and offline companies with basic information, but that they were more protective of personal information and less comfortable sharing more sensitive information.Another survey supported the findings from Harris Interactive and showed that consumers are more willing to provide contact and biographical information, than financial information (Meinert, Peterson, Criswell & Crossland, 2006: 12).
However, the results of five major consumer privacy surveys conducted in 2001 were reviewed by Turner and Varghese (2002: 11), who reported a disconnection between consumer preferences and behaviour.They concluded that the consumer surveys at the time were consistent in finding high levels of concern about privacy, but that there were wide variations in results and a disconnection between consumer preferences and behaviour.These findings are supported by a recent study by Berendt, Gunther and Spiekerman (2005: 105) who argue that while many consumers have strong opinions on privacy and do state privacy preferences, they are unable to act accordingly.This, of course, does not mean that consumers are happy with the way organisations deal with their information and, it seems that they do later react with resentment towards the company because of the use (or misuse) of their personal information.For the purpose of this study, five questions on kinds of protective behaviour were included in the survey, including: refusal to provide personal information to companies; requests to companies to remove personal information; notifications to companies not to solicit individuals; requests to companies not to share personal information with others; and requests to companies to inform individuals about safety measures.

Research problem and hypotheses
Despite the multitude of studies conducted on information privacy, there is a lack of available information about South African consumers and their privacy experiences and behaviour.The research problem is whether privacy invasion will affect consumers' privacy concerns and/or protective behaviour.Therefore, the aim of the research is to investigate differences between victims and non-victims of information privacy invasion in relation to their privacy concerns and protective behaviour.
From the theoretical discussion and findings from international empirical studies on privacy invasion and protective behaviour, the following hypotheses were formulated: H 1 : There is a significant difference between victims and non-victims of invasions of privacy in terms of their privacy concerns.
H 2 : There is a significant difference between victims and non-victims of invasions of privacy in terms of the various ways of protecting themselves.

Method
A probability (systematic) sampling design was used to draw a representative sample of households with listed telephone numbers in the different provincial Telkom telephone directories.The sampling frame contained 2.9 million households representing 30.4 per cent of the households (9.5 million) with fixed telephone lines at home (SAARF, 2001).The sample units were randomly selected where-after 800 telephone interviews were conducted with adults from these households.The questionnaire was developed on the basis of an extensive literature review, and pre-tested among consumers in the selected survey population.
The consumer privacy scale developed by Jordaan (2003) was used to measure respondents' privacy concerns and related behaviour.Details on the scale purification process fall beyond the scope of this paper, but can be reviewed in Jordaan (2004: 8).In the measurement instrument, responses to privacy concern items were recorded on fivepoint Likert scale items (ranging from 1 = strongly disagree to 5 = strongly agree).The four underlying privacy concern dimensions as identified by Jordaan (2004: 4) and briefly discussed in the literature background, will form the backdrop for the testing of Hypothesis 1.The remaining behaviour items were measured on dichotomous 'yesno' scales.The five behavioural questions included in this survey were constructed to measure consumers' behaviour to protect their personal information during the stages of data collection, data security, data use, data disclosure and solicitation.Analysis and interpretation of findings Hypothesis 1 was tested using multiple analysis of variance tests to assess the differences between the groups collectively (across all four privacy concern dimensions) rather than individually using univariate tests.Wilks' lambda was the test statistic used to assess the overall significance of the MANOVA, followed by univariate analyses and post hoc comparisons to reveal more specific differences between groups.Hypothesis 2 was tested by means of two-sample chi-square (χ 2 ) tests for independency.The Yates's correction for continuity is reported seeing that an overestimation of the chi-square value may occur when used with a 2x2 table (Diamantopoulos & Schlegelmilch, 1997: 175).An alpha level of 0.05 was specified for all the hypotheses.

Invasion of privacy and privacy concerns
As discussed in literature background, previous empirical research suggests that consumers who have been victims of privacy invasion have higher privacy concerns than consumers who have not.H 1 was formulated to determine whether there would be significant differences between the victims and non-victims in terms of their privacy concerns.For this sample, a total of 31 per cent of the respondents felt that they had been victims of information privacy invasion.
Table 1 provides results of the MANOVA as well as the subsequent univariate analyses .From Table 1 it can be observed that the MANOVA test results indicate that the null hypothesis is rejected (p=0.0000),providing support for H 1 .The follow-up univariate analyses revealed that these differences were significant for information misuse concern as well as for solicitation concern.In both cases, the victims of privacy invasion had higher mean values (4.2 and 3.8) than the non-victims (3.5 and 3.5).The findings show that victims have higher concern about the use (or misuse) of their personal information and are also more concerned about the solicitation practices of companies.This makes perfect sense in that once a consumer has been a victim of privacy violation, be it through solicitation or information misuse, they will be more sensitive to the privacy issue, increasing their level of concern.Previous research stated that an individual's concern for privacy is likely to vary over the course of his or her lifetime, based on personal experiences (Campbell, 1997: 51).It is interesting to note that both groups regard it as important to receive privacy and government protection (Dimension 1 and 4) and no significant differences were found between the victims and non-victims for these two sub-dimensions.

Invasion of privacy and protective behaviours
With regard to protective behaviour, respondents were given a set of five questions to which they had to respond, depending on whether they had exhibited the specific protective behaviour or not.These answers were cross-tabulated with the answers of whether they were victims of privacy invasion or not.Table 2 contains the results of the chi-square test results for the five protective behaviour questions and its relation to being a victim of privacy invasion.From the results in Table 2 it can be concluded that victims exhibit a higher degree of protective behaviour than non-victims (the victim groups' observed frequencies are higher than their expected frequencies).The test results provide support for H 2 which means that there is a significant difference in the kind of protective behaviour victims and non-victims of privacy invasion display.This shows that consumers who feel that their privacy has been violated will be more likely to request the removal of their information, notifying companies not to receive advertising material, refusing to provide information to a company, requesting not to share information with others and requesting to inform them about safety measures.

Implications and recommendations
The intention of this study was to develop a better understanding of the specific nature of consumers' information privacy concerns as well as to investigate the protective behaviour of consumers who were victims of privacy invasion.One of the results from this study indicates that consumers who have been victims of privacy invasion had increased concern about information misuse and solicitation practices of organisations.This should signal to organisations that they must be cautious how they use consumers' information once they have collected it.If they use this information for other purposes than those stated during collection, if they share the information with other organisations, and if they do not keep consumers' personal information safe while stored in their database, consumers will believe that their information has been misused.Once a consumer's privacy has been violated, he or she does not feel safe in dealing with organisations and they do not trust the organisation to handle and store their information anymore.It is recommended that organisations institute security policies and practices to ensure complete security of information systems.They should also create and implement policies, procedures, training and response measures to protect personal information in everyday practice.
The results also indicate that victims of privacy invasion exhibit a greater degree of protective behaviour than non-victims.This shows that consumers, more specifically victims, will act differently and change their behaviour when dealing with organisations in future.The implication is that if organisations do not treat customers' personal information with care, these consumers will reduce their contact with the organisation and limit the personal information they make available to the organisation.It seems that many consumers have realised that the information they share so willingly with organisations is not necessarily handled effectively and efficiently and that they receive very little in exchange for the information provided.With more organisations focusing on the retention of customers, it will become increasingly important to protect customers' personal information in an attempt to build longterm relationships with them.If organisations want to act responsibly, they should consider educating consumers on how to protect their information, how to query information held in an organisation's database, and how to remove their information if they want to.If consumers are better educated, they should be better able to take precautions on how to protect themselves against privacy invasion, which should lower privacy concerns.

Summary and conclusions
The sampling frame for this study included all South African households with listed Telkom telephone numbers and therefore, the results cannot be generalised to all consumers in the country.While the sample frame limits the external validity of the research findings, the levels of consumer information privacy concern found in the study, are consistent with those found in international studies.Despite these limitations, the findings of this study provide guidance to organisations on the importance of adequate information-handling practices.Due to the multi-faceted nature of information privacy, future research can investigate the determinants or antecedents of buyer-seller relationships.Future research can also examine relationships between information privacy beliefs, attitudes, intent and behaviour.Recognising that consumers perceive that they have ownership of their personal information should help organisations to realise that they must share information of consumers in a way that is respectful, relevant and beneficial in the long-term.

Table 1
Test results for different privacy victim groups

Table 2
Chi-square test results