    Online Customer Trust in the Context of the General Data Protection Regulation (GDPR)

    Background: A recent global survey found that almost half of Internet users who never buy online indicated lack of trust as the main reason. The General Data Protection Regulation (GDPR) is new legislation expected to provide the opportunity for organizations to improve their customer trust through personal data governance. Few studies explore online customer trust from the GDPR perspective. This study aims to fill this gap by drawing on the Technology Acceptance Model (TAM) and Self-Determination Theory (SDT), examining the antecedents of online customer trust from the GDPR perspective. The study also attempts to derive insights about the GDPR that may affect online customer trust, but which to date have little presence in frameworks of the antecedents of online trust. The main research questions are as follows. First, what are the impacts of perceived technology, perceived risks and perceived trustworthiness on online customer trust in the GDPR context? Second, what are the GDPR-specific factors that may affect online customer trust? Method: This positivist study used a survey strategy with a deductive approach to investigate the research questions. A questionnaire was designed for primary data collection as the basis for quantitative data analysis. Results: Data analysis confirmed that several GDPR-related trust antecedents – perceived security, perceived third-party assurance and perceived openness – are positively associated with online customer trust. This study offers new insights into the SDT adaptation that suggest the value of motivation theory for trust research in the GDPR context. This study also generates insights about the GDPR that may affect online customer trust. Conclusions: This study suggests that the GDPR plays a significant role in online customer trust by bringing about stronger rights and more transparency for online customers. Both the confirmation and insights are a contribution that can lead seemingly old-fashioned trust antecedents into a new application. Available at: https://aisel.aisnet.org/pajais/vol12/iss1/4

    How to make privacy policies both GDPR-compliant and usable

    It is important for organisations to ensure that their privacy policies are General Data Protection Regulation (GDPR) compliant, and this has to be done by the May 2018 deadline. However, it is also important for these policies to be designed with the needs of the human recipient in mind. We carried out an investigation to find out how best to achieve this. We commenced by synthesising the GDPR requirements into a checklist-type format. We then derived a list of usability design guidelines for privacy notifications from the research literature. We augmented the recommendations with other findings reported in the research literature, in order to confirm the guidelines. We conclude by providing a usable and GDPR-compliant privacy policy template for the benefit of policy writers.

    Eavesdropping Whilst You're Shopping: Balancing Personalisation and Privacy in Connected Retail Spaces

    Physical retailers, who once led the way in tracking with loyalty cards and `reverse appends', now lag behind online competitors. Yet we might be seeing these tables turn, as many increasingly deploy technologies ranging from simple sensors to advanced emotion detection systems, even enabling them to tailor prices and shopping experiences on a per-customer basis. Here, we examine these in-store tracking technologies in the retail context, and evaluate them from both technical and regulatory standpoints. We first introduce the relevant technologies in context, before considering privacy impacts, the current remedies individuals might seek through technology and the law, and those remedies' limitations. To illustrate challenging tensions in this space we consider the feasibility of technical and legal approaches to both a) the recent `Go' store concept from Amazon, which requires fine-grained, multi-modal tracking to function as a shop, and b) current challenges in opting in or out of increasingly pervasive passive Wi-Fi tracking. The `Go' store presents significant challenges: its legality in Europe is significantly unclear, and unilateral technical measures to avoid biometric tracking are likely ineffective. In the case of MAC addresses, we see a difficult-to-reconcile clash between privacy-as-confidentiality and privacy-as-control, and suggest a technical framework which might help balance the two. Significant challenges exist when seeking to balance personalisation with privacy, and researchers must work together, including across the boundaries of preferred privacy definitions, to come up with solutions that draw on both technology and the legal frameworks to provide effective and proportionate protection. Retailers, simultaneously, must ensure that their tracking is not just legal, but worthy of the trust of concerned data subjects. Comment: 10 pages, 1 figure, Proceedings of the PETRAS/IoTUK/IET Living in the Internet of Things Conference, London, United Kingdom, 28-29 March 201

    Making GDPR Usable: A Model to Support Usability Evaluations of Privacy

    We introduce a new model for evaluating privacy that builds on the criteria proposed by the EuroPriSe certification scheme by adding usability criteria. Our model is visually represented through a cube, called the Usable Privacy Cube (or UP Cube), where each of its three axes of variability captures, respectively: rights of the data subjects, privacy principles, and usable privacy criteria. We slightly reorganize the criteria of EuroPriSe to fit the UP Cube model, i.e., we show how EuroPriSe can be viewed as a combination of only rights and principles, forming the two axes at the base of our UP Cube. In this way we also want to bring out two perspectives on privacy: that of the data subjects and, respectively, that of the controllers/processors. We define usable privacy criteria based on usability goals that we have extracted from the whole text of the General Data Protection Regulation. The criteria are designed to produce measurements of the level of usability with which the goals are reached. Precisely, we measure effectiveness, efficiency, and satisfaction, considering both the objective and the perceived usability outcomes, producing measures of accuracy and completeness, of resource utilization (e.g., time, effort, financial), and measures resulting from satisfaction scales. In the long run, the UP Cube is meant to be the model behind a new certification methodology capable of evaluating the usability of privacy, to the benefit of common users. For industries, considering also the usability of privacy would allow for greater business differentiation, beyond GDPR compliance. Comment: 41 pages, 2 figures, 1 table, and appendixe

    Electronic identity verification: personal data protection challenges and risks

    This work highlights the clash between the GDPR, the eIDAS Regulation and the PSD2 Directive, and tackles the challenges of implementation in practice, specifically the challenges of securing personal data whilst ensuring an electronic identity. A comparative analysis of practical case studies concerned with electronic identity verification, electronic identity establishment and the use of electronic identity verification in the process of providing services is carried out in order to understand how such businesses tackle personal data challenges, how successfully and in what manner. The work concludes with findings of legal uncertainty between all three regulatory acts, as they lack unified definitions and interpretational certainty in terminology, and are in need of revision because some relevant laws were developed prior to the GDPR.

    Data privacy as a business opportunity : leveraging privacy maximizing features to address client privacy concerns

    Data privacy is a critical concern in the era of data-driven businesses. Users are becoming increasingly sensitive about the collection and processing of their personal data. This Master’s thesis examines whether a firm’s data privacy policy can provide an edge over competitors. Primary research was conducted to ascertain user preferences and behavior regarding data privacy in the context of identified business drivers for prioritizing data privacy as well as for mitigating associated risks and benefits. This data supplemented secondary material from the literature review. PESTEL analysis indicated that key drivers for data privacy are legal, ethical, financial, and technical. Moreover, expert interviews and the survey revealed that businesses cannot avoid data privacy and confirmed the above-mentioned key drivers. Furthermore, the drivers can be structured around transparency, trust, capabilities, and holistic processes. Data privacy must be approached holistically as data governance to ensure efficient and responsible data management within an organization. Hence, a concept was developed which proactively leverages user concerns and minimizes the consequences of data breaches and non-compliance with the GDPR. Based on the foregoing, privacy policies can lead to unique positioning and consequently provide a competitive advantage (CA) with the following measures: (1) explicit opt-in choices on a consent management platform, (2) efficient Data Lifecycle Management, (3) measures in the context of privacy by design, and (4) technical best practices, such as differential privacy. These criteria, properly executed with consideration of company-specific use cases and the internal resources and capabilities, leverage privacy maximizing features for CA.

    Data privacy is a critical concern in the era of data-driven companies. Users are becoming increasingly sensitive about the collection of their personal data. This Master’s thesis examines whether a company’s data privacy policy can provide an advantage over competitors. Primary research was carried out to determine users’ preferences and behaviour regarding data privacy in the context of the identified business drivers for prioritising data privacy. These data supplemented the secondary material from the literature review. The PESTEL analysis indicated that the main drivers of data privacy are legal, ethical, financial and technical, as confirmed by interviews and surveys. Moreover, the drivers can be structured around transparency, trust, capabilities and holistic processes. Data privacy must be approached holistically as data governance to ensure efficient data management within an organisation. A concept was developed which shows that privacy policies can lead to unique positioning and consequently provide a competitive advantage with the following measures: (1) explicit opt-in choices on a consent management platform, (2) efficient data lifecycle management, (3) measures in the context of privacy by design, and (4) technical best practices, such as differential privacy. These criteria, properly executed with consideration of the company-specific use cases and the internal resources and capabilities, leverage privacy features into a competitive advantage.

    The Data Breach Dilemma: Proactive Solutions for Protecting Consumers’ Personal Information

    Data breaches are an increasingly common part of consumers’ lives. No institution is immune to the possibility of an attack. Each breach inevitably risks the release of consumers’ personally identifiable information and the strong possibility of identity theft. Unfortunately, current solutions for handling these incidents are woefully inadequate. Private litigation like consumer class actions and shareholder lawsuits each face substantive legal and procedural barriers. States have their own data security and breach notification laws, but there is currently no unifying piece of legislation or strong enforcement mechanism. This Note argues that proactive solutions are required. First, a national data security law—setting minimum data security standards, regulating the use and storage of personal information, and expanding the enforcement role of the Federal Trade Commission—is imperative to protect consumers’ data. Second, a proactive solution requires reconsidering how to minimize the problem by going to its source: the collection of personally identifiable information in the first place. This Note suggests regulating companies’ collection of Social Security numbers, and, eventually, using a system based on distributed ledger technology to replace the ubiquity of Social Security numbers.

    Customer ratings as a vector for discrimination in employment relations? Pathways and pitfalls for legal remedies

    The use of customer ratings to evaluate worker performance is increasingly worrisome because of its widespread use in the gig economy. As scholars in the computer and social sciences have warned, this practice entails the risk of producing discriminatory outcomes by reproducing biases that exist in society. By drawing an analogy with discriminatory practices adopted by an employer to satisfy its customers' preferences, we propose a legal analysis of this phenomenon grounded in EU non-discrimination law. Thus, we first analyse the issues related to the application of non-discrimination law to (alleged) self-employed workers. Then, we address the individual worker's lack of access to the data regarding customers' ratings. We conclude by arguing that the use of customer ratings should be considered a suspect criterion, while current (EU) non-discrimination laws should be modernised through a clearer inclusion of (alleged) self-employed workers. Series: ohne Reih

    Consumer perspectives on information privacy following the implementation of the GDPR

    The General Data Protection Regulation (GDPR) was implemented in the European Union and European Economic Area in May 2018. The GDPR aims to strengthen consumers’ rights to data privacy in the wake of technological developments like big data and artificial intelligence. This was a hot topic for stakeholders, such as lawyers, companies and consumers, prior to the GDPR’s implementation. This paper investigates to what extent consumers are concerned about information privacy issues following the implementation of the GDPR. We present findings from an online survey conducted during spring 2019 among 327 Norwegian consumers, as well as findings from a survey conducted immediately prior to the implementation of the GDPR in spring 2018. We draw the following conclusions: (1) consumers gained significant knowledge about their information privacy from the GDPR, but felt relatively little need to exercise their enhanced rights; (2) about 50% of respondents believed themselves to have control over their data, while almost 40% stated that they had no control over their personal data; and (3) consumers largely trusted companies to manage their personal data. These insights are of interest both to academia and to industries that deal with personal data.