Privacy seal

A privacy seal is a type of trust seal or trustmark granted by third party providers for display on a company's website. Companies pay an annual fee (usually ranging from a few hundred to several thousand U.S. dollars) to have an image of the third party provider's seal pasted onto their homepage or privacy policy page. Users can oftentimes click on the seal and be redirected to the web assurance seal service's website which verifies the validity of the privacy seal. They are meant to act as a visual assurance for consumers that the website in question meets a certain standard of privacy. The idea of a privacy seal originates with its physical manifestation – companies have long sought seals of approval like Good Housekeeping to be placed on their tangible products in order to draw in customers who value "quality". While all web assurance seal services follow the guidelines set by the Federal Trade Commission, some providers may have additional requirements. Checks are then conducted on a regular or random basis to ensure compliance. Privacy seals can be applied to various types of e-commerce websites. Some seal providers even create a special privacy seal that is geared toward a certain product like mobile apps or accounting. There are many privacy compliance technology companies, most notably TRUSTArc (formerly TRUSTe), CPA Canada WebTrust, PwC Privacy and BBBOnline.

The U.S. does not regulate e-commerce privacy as stringently as Europe or other countries in the world. With this in mind, U.S. companies have more freedom when it comes to disclosure notices and selling data to third parties for advertising purposes. In the European marketplace, American-based privacy seal companies pivot toward the broader field of reliability assurance and complaint resolution. Privacy seals also have a major presence in the accounting industry of Canada and in general e-commerce in Japan and South Korea.

Privacy seals are meant to boost customers' perception of a company's website safety and regard for their privacy protection. Web assurance seal services also aid in online dispute resolution. A hot button public policy issue has been whether the U.S. government should regulate privacy in e-commerce. Past controversies and concerns have caused the need for privacy seals to come into question.

Origin
Privacy seals have been around since the 1990s – with the TRUSTArc seal program being founded in 1996 and BBBOnline's in 1998. Privacy seals are self-regulatory tools that were invented to combat privacy concerns without governmental legislation. With the rise of e-commerce, it became apparent that privacy concerns were deterring potential customers. When purchasing online, customers are prompted to provide private information such as name, address, credit card information, and sometimes age or birthdate. This information can be sold to third parties for advertising purposes or be used by the company for data profiling purposes. Companies can price discriminate by using the information collected to predict the highest price point a customer is willing to pay.

Except for Federal Trade Commission guidelines, first established in a 1999 report, privacy protection is mainly self-regulated in the United States. Self regulators argue that governmental intervention would harm e-commerce because its inflexibility does not allow for each company to experiment with their policies and disclosures. They believe that legislative practices are too slow and bureaucratic to be effectual; this makes regulations more burdensome than helpful in e-commerce. Self regulation allows for quick adaptations that will ultimately create the most ideal privacy practices. In theory, businesses will be forced to create privacy policies that satisfy customers' concerns because their economic success relies on being able to draw in more and more customers. Because privacy is a major concern for customers, they will purchase from websites they feel secure using. This relation between a consumer's perception of a company's website and their intention to purchase is the cornerstone of privacy seals.

Some detractors of self regulation and laissez faire regulation believe a "race to the bottom" effect will occur if there are no regulatory (financial) penalties. Strauss et al. found that seal programs seem effective in regards to privacy but believe lack of regulation is why privacy seals have not seen high rates of participation. They note the conflict resolution and investigative aspect of privacy seal programs, but state that they have limited power to redress the situation. They are not given any powers for punitive action against companies in violation of privacy standards. Research by Jamal et al., however, suggests that lack of regulation should not be a concern. Even without governmental or financial threats, e-commerce companies still adopt policies and practices of privacy protection and disclosure. This is despite no general federal or state law requiring them – there are slight overlaps in the case of protecting health information or children. Proponents of governmental regulation believe legislation would officialize rules that are already being followed by many. FTC guidelines are already followed by most companies (as a result of meeting customer expectation). Proponents also state that legislation in the United States could be less specific than the European Union's – wiggle room for how a business uses the data collected could still exist.

Privacy seals assure consumers that a company is taking measures to protect their privacy and data. Companies must undergo a process of inspection by the seal provider to make sure they meet certain standards. Checks are then conducted regularly (depending on the provider this can be done annually, biannually or randomly) to ensure compliance. Although FTC guidelines act as a bare minimum, additional standards can differ between seal providers. For example, SecureAssure (launched in 1999) resorts to an opt-in practice rather than disclosure measures. They do not allow companies participating in their seal certification service to share any information beyond its primary use – i.e. no selling to advertisers. People using these websites must opt-in to receive promotional material (this includes emails). Privacy seals usually come with a fee that ranges from a few hundred to several thousand U.S. dollars. The Entertainment Software Rating Board (ESRB) Privacy Certification program utilizes a sliding scale (starting at $0) that is based on the annual revenue of the company seeking certification.

Many privacy seal providers also serve as complaint resolution services. Participating seal service providers mediate conflicts between customers and the website in which their seal is displayed. They will also on occasion launch a formal investigation. The most severe action a privacy seal provider can enact is revoking the privacy seal from a company and thus producing negative attention. Action cannot be taken to remove the website or to enact a sizable financial penalty.

Uses
Privacy seals can be placed on many different types of e-commerce websites. Companies may also have different motives for wanting a privacy seal. Studies in the past have looked at the effectiveness of privacy in general e-commerce, as well as in specific categories like loan providers, travel booking, and online bookstores. ESRB has several types of privacy seals. Their Kids Online Compliance seal certifies companies whose target market is children. There are special laws that stipulate extra measures of protection and privacy for children – e.g. Children's Online Privacy Protection Act (COPPA). This seal is meant to indicate compliance with those additional standards. ESRB entered the privacy assurance space in 1999 and also introduced a privacy seal for mobile app services in 2013. A study conducted by Mai et al., which examined online stores that sold e-books, textbooks, and audiobooks, found that websites with privacy seals are able to charge a price premium because customers are willing to pay more if the website is deemed "safer" (via privacy seals) by them. Customers' perception of trustworthiness results from the presence of a privacy assurance tool like a privacy seal and the reputation of the company in question. Customers using websites with seals have higher rates of satisfaction and intention to purchase again. Privacy seals also desensitize customers' perceptions of service performance. Kimery et al. found in their study that privacy seals only had a slightly positive impact on trust where unfamiliar e-commerce retailers were concerned. This means that well-known brick and mortar companies may after consideration decide that privacy seals are not worthwhile.

While privacy seals do not inform users about privacy like disclosure notices, they serve as a learning tool. Users can go to the seal provider's website (by clicking the seal) to learn what privacy protection practices are used by the participating company, as well as if the company is in good standing.

Privacy seals do not make customers more informed about their internet safety. This is because most customers do not read privacy policies (or click on the privacy seal) and therefore do not know the actual policies and privacy practices of a company. Still, company privacy practices usually align with what customers expect in websites with privacy seals. Even though most customers do not take the extra step of clicking the seal, there is still accountability. Privacy seal providers would lose business if they did not uphold privacy and data protection to a certain extent or did not shape their policies to the desires (and priorities) of customers. Additionally, a study by Ruppel et al., which followed four fledgling websites, states that businesses will build websites to reflect their values. A brick and mortar store that has established trust with consumers would be unlikely to build a website that would jeopardize that relationship. For this reason, websites may start off with the intention to promote product rather than facilitate actual transactions.

Effectiveness
There are four main privacy seal providers: TRUSTArc, BBBOnline, WebTrust, and PwC Privacy. Companies must make a decision on how much they want to pay, in addition to deciding which seal provider is the best fit. Companies can fall into the same trap that users fall into: perception of trust. Reputation from brick and mortar companies often translates to the online business place even though it may be unearned. When BBBOnline first started they had fewer clients than the already established TRUSTArc, but they were able to attract big clients like American Airlines, eBay, Dell Computers, and AT&T. This is because they were already established as the Better Business Bureau (BBB), a global credential evaluator, in the brick and mortar marketplace.

Sheng et al. used eye tracking in their experiments to determine what draws consumers' attention and the amount of information retained. They found that regardless of risk condition (cost of product), fixation times were longer for privacy icons than for privacy text or non-privacy content.

Research by Miyazaki et al. has compared perceived risk in e-commerce to other forms of shopping, more specifically mail order and purchases made by telephone. They found that consumers perceive online shopping as more dangerous than these other methods, but privacy seals are effective in mitigating concerns.

Although privacy seals have been shown to work in attracting customers, they have experienced limited success. In the case of the WebTrust privacy seal program, which is a joint venture between the U.S. and Canada, a study was done to determine the cause of its slow growth. The authors of this study, Lala et al., suggest it might be a marketing issue. Consumers are unaware of what privacy seals look like, as well as their purpose. BBBOnline Privacy Seal service ceased taking new applicants in 2007 and stopped their service in 2008, but this has not stopped websites from displaying their privacy seal to this day.

Privacy concerns
Level of privacy concern can vary depending on the type of website. This can partially impact a consumer's intention to purchase – which is also affected by price of product and level of certainty that the company will protect consumer data after the fact. A study by Sheng et al. examined how levels of concern changed with product. They found that in situations dealing with financial services, participants paid more attention to privacy practices (looking for a privacy seal or notice). Similarly, websites pertaining to homework assistance, dating, and medication also received high rates of attention to privacy practices.

Impact of internet literacy and social awareness
Privacy is talked about from an internet literacy perspective, as well as a social awareness dimension. People who are knowledgeable in terms of how to use the internet are not necessarily well versed in internet safety or the extent to which the government is involved. Dinev et al. analyzed data from over 400 respondents using structural equation modeling to test various relationships between Internet literacy, social awareness, Internet privacy concerns, and intention to transact. They found that people who were more Internet literate had fewer concerns, whereas people who were more socially aware (paying more attention to socio-political factors and current events) were more concerned about their privacy. Past research has shown that young adults (18 to 29) are less likely to be concerned or proactive about their privacy even though they are the most likely to have their identity stolen. Risk in e-commerce is not just about the security measures put in place by the organization's website but also has to do with the behavior of the consumer.

Each privacy seal provider has its own standards in addition to following the rough guidelines the Federal Trade Commission has established on privacy protection. BBBOnline was found to make more statements about how they secure transmission of information than TRUSTArc. Generally speaking, websites with privacy seals are more transparent about their privacy practices, but they often ask for more personal information than websites without a privacy seal. This is because privacy seals evoke a sense of trust from the customers which makes them more willing to share personal information. Privacy seals are tools of persuasion. Companies benefit from having a privacy seal because it creates an appearance of trustworthiness. Privacy seals have little effect on perceived risk of using a website, but do strongly affect how trustworthy a customer perceives a website to be. Websites without seals are not necessarily more risky. This is because privacy seals are a product companies must opt into; they are not automatically given to any websites that meet certain requirements. Privacy seals do not mitigate risk; they are a safety heuristic.

Controversies
Privacy seals have landed in hot water in the past due to slip ups. TRUSTArc mistakenly used a third party that tracks information on its own website. TRUSTArc also discovered that two of the websites certified by them were in violation of providing data to a marketing firm.

European Union
Privacy seals, an American creation, have slowly made their way into Europe. Most seal programs are not only American in origin but also mainly consist of U.S. websites. QXL, a now defunct online auction house, was one of the first European companies to receive certification by TRUSTArc. Seal programs in Europe make their main focus reliability of a specific sector rather than privacy protection because the European Union (EU) already has regulations in place. The U.S. company ePublicEye partnered with France's eBuyClub in 1999 to rate the reliability of shopping websites – they expanded in 2000 to include Germany and Spain. As in the United States, seal programs have failed to gain traction in Europe. Prior to the European Union's passage of Directive 95/46/EC, data protection laws were enacted on an individual (country) basis. Also known as "The Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data", Directive 95/46/EC was passed in 1995. The European Union (EU) not only regulates but also institutionalizes data privacy: every EU country has a data protection commissioner appointed to an agency.

The European Union has strict regulations for privacy unlike the United States and also needs to ensure the compliance of multiple countries rather than just one. As a result, many American-based privacy seal services are used only for their complaint resolution services. EuroPrise (started in 2003) is an EU funded project which serves as the main privacy seal service in Europe. Starting in 2009, it has been controlled by the Independent Centre for Privacy Protection Schleswig-Holstein (ULD) which is a German data protection agency. Each EuroPrise seal includes the country of the certification body (company being certified), a unique certification number, and the expiration date. European Multi-channel and Online Trade Association (EMOTA) also has a trust seal geared towards European e-commerce; however, it cannot be displayed alone. It needs to be placed next to an accredited e-Commerce trust seal. They are also not solely privacy focused. Privacy and data protection is just one of their requirements for qualification.

Whereas there is a huge debate between governmental and self-regulation of privacy in the United States, it is less controversial in Europe. This stems from the European idea that the state should have an active role in protecting its constituents from social harm.

Canada
The WebTrust seal program is a joint venture between the American Institute of Certified Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). A study by Lala et al. shows that despite initial excitement, this product has failed to gain traction. They state that this is likely due to a mix of two factors: 1) costs of participating in a seal program are prohibitive and 2) consumers cannot tell the difference in quality between various privacy seal providers. Lala et al. found a preference in consumers for high information assurance seals. They believe that the issue is marketing. WebTrust needs to do a better job of convincing Internet firms that it is worth the money to use their program.

The Privacy and Big Data Institute at Ryerson University partnered with Deloitte to create a privacy scorecard and seal. Based on Ryerson University's seven foundational principles, Deloitte created 29 measurable criteria. Once it is determined that a company passes all the requirements, they are given permission to display the privacy seal referred to as "Privacy by Design Certification Seal". This seal is valid for three years but must be renewed annually – which involves signing an attestation form and paying a renewal fee.

South Korea
Privacy seals are not received the same in all countries. In a comparative study between the United States and South Korea, Kim et al. found privacy seals had a strongly positive effect on customers' intention to purchase and a strongly negative effect on concerns in the United States. The study's two surveys (one based in each country) revealed that privacy seals did not significantly influence South Korean shoppers' intent to purchase or their concerns. Kim et al. suggest this is because of South Korea's collectivist culture which makes them more trusting of their government. Places where governmental influence is welcomed would have less use for privacy seals because users would in theory be satisfied with the measures the government takes to protect their privacy.

Japan
Privacy seals entered the Japanese market because the Japanese government believed privacy assurance to be paramount to ensuring the growth of e-commerce. Starting in April 1998, the Japan Information Processing Development Center (JIPDEC) has been managing the PrivacyMark program. Ten years prior, JIPDEC published their "Guidelines for personal data protection in the private sector". As of 2015, PrivacyMark has certified 19,000 organizations. In 2008, JIPDEC created a mutual recognition program in China in partnership with Dalian Software Industry Association (DSIA).