Currently, we frame individuals online as in a series of exchanges with specific firms, and privacy, accordingly, is governed to ensure trust within those relationships. However, the focus on the relationship between consumers and specific firms does not capture how the online environment behaves. The aggregation and secondary use of consumer data is performed by market actors behind the scenes without any relationship with consumers. Trusting a single firm is not enough; individuals must trust the online market in general. Such institutional trust has gone under-examined in regards to privacy online. Little has been done to measure how aggregating and using consumer data supports a larger online market and impacts institutional trust online.
This paper explores how privacy governance should also be framed as protecting a larger market to ensure consumers trust being online. In a series of studies, I empirically examine (a) how typical secondary uses are judged along a generalized (for the good of the market) versus reciprocal (for the good of the consumer) exchange and impact institutional and consumer trust, and (b) whether governance mechanisms (limitations on the use of data such as adequate notice, auditing, non-identifiable information, limited storage, etc.) increase consumer trust in companies. I find:
The findings have implications for public policy and practice. Secondary uses of information online need not only be justified in a simple quid-pro-quo exchange with the consumer but could also be justified as appropriate for the online context within a generalized exchange. However, the majority of secondary uses currently popular cannot be justified as within either a general exchange or a reciprocal exchange and are judged inappropriate, violations of privacy, and decrease both interpersonal and institutional trust.
Second, if privacy violations hurt not only interpersonal consumer trust in a firm but also institutional trust online, then privacy would be governed similar to insider trading, fraud, or bribery—to protect the integrity of the market. Punishment for privacy violations would be set to ensure bad behavior is curtailed and institutional trust is maintained rather than to remediate a specific harm to an individual.