Let’s agree to differ: varying interpretations of online privacy policies Available to Purchase

During the period of growth of e‐commerce, e‐business and online life in general, trust has been identified by a number of authors as a key factor, the absence of which can act as a powerful disincentive to an individual’s engagement in a transaction. This has encouraged a great deal of research into the various facets of trust in an online environment, both theoretical and empirical. One of the many recommendations for business practice that have emerged from this research is the suggestion that online businesses should publish on their website a privacy policy that explains clearly the use that will be made of any personal information collected on the site, the third parties to whom it may be disclosed, and the circumstances under which disclosure may occur. A number of surveys have been conducted that highlight the rather patchy adoption of this recommendation in various countries. We now know, for example, that by no means all online organisations publish an online privacy policy, and that many of those that do exist display a range of serious shortcomings, including poor visibility on the site, incomplete coverage of the main issues of concern and poor readability. However, previous discussion of privacy policies has tended to assume that any particular policy can provide value to its readers by informing them of the privacy practices of its host organisation, and thus also to its publishers through encouraging customers and clients to trust them more than they otherwise would. This assumption is expected to be valid where the policy meets certain criteria, which are either established on the basis of theoretical considerations,or are derived from a kind of best‐in‐breed comparative exercise. This paper seeks to address the question how far privacy policies can ever achieve the goal of providing clear information to website visitors about the privacy practices of an organisation. It reports on an empirical study that was conducted between November 2005 and April 2006 using two groups of University students as subjects. The subjects were asked to read three privacy policies, selected in advance by the author, and to complete a short questionnaire on what the subject thought each policy had to say about certain key privacy issues. The results reveal that there is surprisingly little agreement about what a policy actually means. This has significant implications both for policy writers and their managers, and also for those who are considering entering into a transaction with the host website. There is a need for further research to investigate this question in more detail, but it is clear from these findings that we know less than we thought we did about the ways in which people interpret the notices that they read on websites.