Hello, ladies and gentlemen. I’m Andrew Tan. In this slidecast, we’ll be taking a look into Privacy Seals.
So, let’s start with a quick introduction and overview of this slidecast.
A privacy seal is an “identifiable symbol or logo, voluntarily displayed on a Web site, which graphically asserts that the site has implemented and complies with specified privacy practices”. Now, there are several components to this definition that are of importance. First, for seals to have any effect on website visitors, the symbol used as the seal must be identifiable. If visitors do not recognize the symbol or do not associate it with stringent privacy requirements, visitors will not know that the seal asserts anything at all. For this reason, the market for privacy seals is controlled by a few major players. The main factor that makes privacy seals attractive to websites is the ability to graphically assert something. The ease with which a website would be able to convey an image of trustworthiness to visitors is something that businesses value. For a seal to not only convey a sense of trustworthiness, but to also represent privacy compliance, there must be regulations with which a website must comply to earn the seal. We’ll be taking a closer look at some of these frameworks later. Finally, in the past, public accountants have attempted to provide privacy seals. We’ll take a look into a bit of the past, and talk about the future of public accountants and web assurance.
Now, let’s take a look at the providers of privacy seals.
Virtually any company or group can provide what they deem to be a privacy seal. However, as mentioned, seals must be identifiable and should provide a website visitor with a level of confidence regarding the privacy practices of the website. For this reason, although any company can provide seals, there are only a few players that are widely entrusted to do so. The three dominant privacy seal programs are TRUSTe, BBBOnLine, and WebTrust.
As of October 2006, we note that the majority of companies using privacy seals use TRUSTe or BBBOnLine, with TRUSTe being dominant. So, why does WebTrust deserve to be mentioned in the same sentence as its competitors?
WebTrust was developed by and is granted by public accountants. This is different from other seals, which were developed by and granted by companies.
The actual meaning of the seal differs between the three providers. Each seal provides a different level of assurance. For example, TRUSTe focuses solely on privacy, whereas WebTrust covers system security, availability, and processing integrity. The process for obtaining each seal differs as well. For TRUSTe, only electronic monitoring of compliance with its requirements and policies is required. Compare this to WebTrust, where a full information systems audit by a public accountant is required to obtain the seal. Due to this stringent requirement, WebTrust seals are more difficult to obtain, as well as more expensive to obtain. As such, website visitors would need to be fully informed as to what each seal offers in order to rightfully obtain confidence over a website’s privacy practices.
Now, let’s take a look at the effectiveness of privacy seals.
A privacy seal is effective if it meets the objectives for obtaining a seal. A visitor’s objective is to obtain comfort over a website’s privacy practices from the seal, so that they can make an accurate assessment about whether to trust the website. On the other hand, a website’s ultimate goal is to make a sale. To do this, they must gain a visitor’s confidence. A website is not concerned about whether the visitor has made an accurate assessment or not. It is only concerned with getting the visitor to perceive the website favourably. So, as far as a website is concerned, a seal does not need to give a visitor the level of comfort they would demand if they were fully informed. Instead, a seal just needs to offer visitors the perception of such.
Now, a hypothetical example. Consider a website visitor who is contemplating making an online purchase. She is concerned about her order being shipped out on the same business day, as promised by the website. A TRUSTe seal provides absolutely no assurance over such matters, but if the visitor is oblivious to this, displaying a TRUSTe seal will boost her perception of the website as much as a WebTrust seal, which does provide assurance over such matters.
Further, recall that a seal must be identifiable for it to be effective. Also recall that there were 2,600 TRUSTe sealholders, as compared to 25 WebTrust sealholders. As such, TRUSTe seals are much more identifiable than WebTrust seals, as visitors are more likely to come across TRUSTe seals in their web browsing. So, if our visitor was not well informed as to the type of assurance that each seal provides, she would incorrectly believe that a TRUSTe seal provides more assurance over the timeliness of order processing than a WebTrust seal.
Consider our example from the perspective of the website. The website wants the visitor to be comfortable with the website’s policies to entice her to place an order. The website will want to achieve this in the most efficient and effective way possible. A TRUSTe seal, though actually not providing the visitor with the correct type of assurance, is both cheaper and creates a better perception of the website for the visitor, meeting all of the website’s objectives.
So, we move on to some recent studies. These studies have focused on three questions. One, <Read question>, Two, <Read question>, and Three, <Read question>.
The first question is: do privacy seals have an effect on consumers? That is, do privacy seals have value?
It was noted that the value added by a Web assurance seal on a company’s website is difficult to quantify. Studies between 2000 and 2006 were largely positive.
Interestingly, studies from 2007 onward were quite the opposite. Conclusions included: Seals had “little influence on trusting beliefs”… and, quite bluntly… “The existence of a privacy seal did not affect individuals’ behaviour”.
The second question is: do privacy seals work as intended? That is, do visitors know the meaning behind the logo?
Conclusions from studies on this question were overwhelmingly one-sided. Studies found that “consumers have inadequate understandings about the seals”. A particularly frightening conclusion from a study was that participants “failed to recognize non-genuine privacy seals”. This really puts into perspective how little consumers actually know about privacy seals.
A third question to investigate, related to the second question, is whether consumers can tell the difference between a “low-assurance” seal, such as TRUSTe, and a “high-assurance” seal, such as WebTrust.
Differing conclusions were drawn with regard to the third question. Two studies, both performed in 2002, reached opposite conclusions.
An interesting trend to note is that earlier studies tended towards finding privacy seals to be effective and more valuable, finding seals to be able to influence visitor perception favourably. However, more recent studies have tended towards the opposite. This could be due to a shift in overall consumer acceptance of ecommerce and changing attitudes about privacy. In the early 2000s, stories about privacy problems were not as prevalent in mainstream news. As such, consumers were more likely to accept a privacy seal as adequate without knowing the meaning behind the seal. In today’s world, privacy concerns are more prevalent and consumers are aware of the level of privacy that they are entitled to. As such, more consumers appear to be demanding explicit privacy policies on websites, and fewer are willing to accept a logo as sufficient assurance over privacy.
Another point of interest is that studies overwhelmingly confirm the belief that visitors do not know the meaning behind privacy seals, and those that are influenced by privacy seals are more influenced by the perception of assurance, rather than any actual assurance offered by the seal. Further, as trends currently lead us to believe, seals are not as influential and effective as once thought. As such, businesses would be well-advised to adopt the cheapest, most well-recognized low-assurance seal, as it would have more influence over consumer trust than a more expensive but less-recognized high-assurance seal.
From the results of the third question, it would appear that studies are inconclusive as to whether consumers place additional reliance on high-assurance seals. However, when analyzed in conjunction with the results of the second question, we can conclude that consumers may place additional reliance on high-assurance seals if they knew that the high-assurance seals provided stronger assurance. But, since the results of the second question indicate that consumers generally cannot differentiate between seals, it would appear that all seals have approximately the same value to the general consumer.
Now, let’s take a look at privacy seal frameworks.
WebTrust was developed based on the Trust Services framework, as developed by the AICPA and CICA. The Trust Services framework includes a set of Generally Accepted Privacy Principles, which must be met by a website in order to earn a WebTrust seal. The GAPP sub-framework was developed based on an objective for websites with regards to their privacy practices. By conforming to GAPP, a website will have met the objective. And, as noted before, an information systems audit is required to obtain the WebTrust seal.
This slide has the ten Generally Accepted Privacy Principles. Review the principles at your leisure.
TRUSTe has developed its own set of requirements for earning a seal. These requirements focus solely on the privacy practices of websites, and are structured around three “core principles”: transparency, choice, and accountability. Unlike WebTrust, which requires a public accountant to physically visit the location of the business and conduct an information systems audit, TRUSTe only requires that the website initially submit proof of its practices. TRUSTe will then monitor compliance over the Internet.
Now, let’s take a look at privacy seals and their impact on the accounting profession.
Currently, the public accounting profession in Canada and the United States is involved with web assurance through Trust Services and its associated seal, WebTrust. As previously mentioned, the framework was developed by the CICA and the AICPA. Only public accountants are licensed to perform WebTrust audits and award WebTrust seals to websites. WebTrust has seen limited success, which raises the question: Should accountants continue to be involved with privacy seals?
Critics note that WebTrust was clearly a failure, with none of the top 500 websites holding the seal, even though a third of those websites had seals. Further, as pointed out before, WebTrust’s market share is negligible. Critics have given three overwhelming reasons for the failure of WebTrust. First, lack of brand awareness, combined with other companies abandoning the seal, has lowered the ability of WebTrust to be identifiable. Second, WebTrust audits are expensive, with no direct benefit associated with the additional investment. Lastly, when compared with TRUSTe, WebTrust has an inefficient process for awarding seals by requiring an audit.
However, some do argue that there should be continuing involvement in web assurance. Instead of regulating WebTrust as a product, it was recommended that the AICPA and CICA only set a minimum level of practice standards, so that individual firms can differentiate their offerings. Also, it was recommended that public accounting firms should seek to provide an “integrated set of services” that includes web assurance, as opposed to making web assurance the core product. Because public accountants are skilled in areas such as tax and internal controls, such a set of services would be more marketable than web assurance alone, and providers of TRUSTe and other non-accountant seals would not be able to match such a product offering. Further to this point, a recent 2009 study recommended that “vendors should design strong controls within ecommerce information systems that support” web assurance. With this argument, the public accounting profession can not only offer web assurance services, but can also provide advisory services on ecommerce controls in order to help vendors support web seals. That is, public accountants should not only offer web assurance services, but also provide advisory work on controls as part of a larger set of integrated services. Such services will be more marketable to businesses that see a potential benefit in having a privacy seal.
Finally, a conclusion and some recommendations.
The trend of decreasing seal effectiveness, coupled with visitors being unable to differentiate a low-assurance seal from a high-assurance one, means that cheaper, low-assurance seals will be more popular. The public accounting profession, which has developed the costlier, high-assurance seal, will eventually be forced out of the market by the market.
It would appear to make sense for public accountants to develop a seal that can be provided at a low cost in order to compete with other seals like TRUSTe. However, such a solution would be problematic, as accountants must maintain a reputation for high quality in assurance. Further, web assurance has never been a core product, and any additional resources committed to fixing this broken product may be misplaced.
Instead, the public accounting profession should attempt to be involved in web assurance through the provision of advisory services. As suggested, accountants can leverage their skill set with controls and other business services to ready websites to meet the requirements set out by another seal, such as TRUSTe. Such a service would be complementary to the market leader in privacy seals, avoiding the competition that the profession has been unable to manage in the past.
We have reached the end of the slidecast. Whether in the capacity of a public accountant or a company’s management, I hope that when the opportunity arises for you to make a decision about privacy seals, you’ll come back to this slidecast to review the facts and recommendations. I’d like to thank you for your continued attention, and I hope that this slidecast has been informative and educational.
Definition of a Privacy Seal
- “Identifiable symbol or logo, voluntarily displayed on a Web site, which graphically asserts that the site has implemented and complies with specified privacy practices”
- The importance of being identifiable
- Displayed on a Web site
- Purpose is to graphically assert something
- What is that “something”?
- Does it work?
- Frameworks governing the seals
- Do public accountants have a future with privacy seals?
What does it take?
- Any company or group can produce a “privacy seal”
- Missing characteristics to be effective?
- Must be identifiable
- Must provide visitors with confidence
- Three dominant privacy seal programs
Popularity of the seals
- Sealholders as of October 2006:
- TRUSTe is clearly dominant
- Why bother mentioning WebTrust?
Why bother mentioning WebTrust?
- Developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)
- Granted only by public accountants
- For example:
- Other seals developed by and granted by companies
Differences between seals
- Each seal has different roots
- Independently developed
- Awarded by organizations with differing goals
- Different process for obtaining seal
- Different “meaning” behind each seal
- TRUSTe
- Focus is on privacy
- WebTrust
- Comprehensive level of assurance
Objectives of a seal
- For a visitor
- Obtain assurance over the privacy practices of a website
- Develop an accurate perception of the website
- For a website
- Give the user the perception of assurance
- Sway a visitor’s perception of the website favourably
- Key difference
- A website only wants a user’s perception to be favourable
- OK for visitor to be misinformed in reaching that conclusion
A hypothetical example
- A visitor contemplates making an online purchase
- She is concerned about the order being shipped out on the same day as the day her order is placed
- Processing integrity
- A seal like TRUSTe provides no assurance over this
- But, what if the visitor doesn’t know this?
A hypothetical example
- A seal must be identifiable to be effective
- TRUSTe has 2,598 sealholders, compared to 25 for WebTrust
- Visitors are more likely to come across TRUSTe seals during web browsing
- Which seal will the visitor trust more?
A hypothetical example
- Have the objectives been met?
- Website wants the visitor to be comfortable
- Comfort (positive perception) increases probability of making a sale
- Wants to achieve this efficiently and effectively
- TRUSTe is cheaper and creates a better perception of the website
- However, TRUSTe hasn’t actually provided the assurance that the visitor was looking for
The purpose of recent studies
- Three questions
- Do privacy seals have an effect on consumers?
- Do privacy seals work as intended?
- Can consumers tell the difference between a “low-assurance” seal, such as TRUSTe, and a “high-assurance” seal, such as WebTrust?
Question 1: Do privacy seals have an effect on consumers?
- Do privacy seals actually influence a visitor to follow through with a purchase, or to create an account on a website?
- Do they build trust between the website and the visitor?
- That is, do privacy seals have value?
Studies on the First Question
- Studies from 2007 onward largely negative
- “The existence of a privacy statement encouraged individuals to provide their personal information, but a privacy seal did not”
- Seals had “little influence on trusting beliefs” and that “accountants’ seals, in particular, were found to be equally ineffective as those issued by other providers”
- “The existence of a privacy seal did not affect individuals’ behaviour”
Question 2: Do privacy seals work as intended?
- Do visitors know the difference between the types of seals and what they represent?
- Do visitors know what is required to obtain the seals, and use this information to make an informed decision about whether to trust the website?
- That is, do visitors know the meaning behind the logo?
Question 3: Can consumers tell the difference?
- Related to Question 2
- Considerable difference in the amount of resources required to obtain a WebTrust seal as compared to a TRUSTe seal
- WebTrust requires a commitment of funds and staff to support a full information systems audit
- TRUSTe only requires monitoring over the Internet
Studies on the Third Question
- Different conclusions drawn from studies in same year
- Lala, Arnold, Sutton, and Guan (2002)
- “The impact of assurance seals varies with the different level of information quality. Individuals had a strong preference for a high information quality seal (i.e., WebTrust) over a low information quality seal (i.e., BBBOnLine)”
- Mauldin and Arunachalam (2002)
- Between WebTrust, TRUSTe, and VISA, “customers perceive no difference between [the] three providers of web assurance”
- “All seals equally impact consumers’ intent to purchase even though each seal addresses different dimensions of information risk”
Points of interest from the studies
- Chronological trends
- Earlier studies found that privacy seals were more valuable
- Able to influence visitor perception favourably
- Linking between positive perception and purchasing behaviour
- Later studies tend to the opposite
- Seals are secondary to privacy policies
- Why is this so?
- Shift in overall consumer acceptance of ecommerce
- Changing attitudes about privacy
Points of interest from the studies
- Form over substance
- Visitors do not know the meaning behind privacy seals
- Overwhelming majority of studies came to this conclusion
- Those that are influenced by privacy seals are more influenced by the perception of assurance, rather than any actual assurance offered by the seal
- As in the hypothetical example, the cheapest and most recognizable seal will provide the highest return on investment
- Obtaining an expensive, yet unrecognizable seal, will certainly result in negative returns, even though more assurance is provided
Points of interest from the studies
- Put two and two together
- Consumers may place additional reliance on high-assurance seals if they knew that the high-assurance seals provided stronger assurance
- But, they don’t know that
- So, as far as a visitor knows, all seals have the same value
- But, not all seals have the same value to a website
- The cheapest, most recognizable seal will do the best in terms of meeting the website’s objectives
Frameworks for WebTrust
- WebTrust developed based on Trust Services
- Includes a set of Generally Accepted Privacy Principles
- By conforming to GAPP, a website will meet the privacy objective developed by the AICPA/CICA:
- “Personal information is collected, used, retained, and disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA/CICA”
- Information systems audit required to obtain seal
Frameworks for WebTrust
- Generally Accepted Privacy Principles
Frameworks for TRUSTe
- TRUSTe has internally-developed requirements
- Focus solely on privacy practices
- “Core principles”: transparency, choice, accountability
- No audit necessary to obtain seal
- Website submits proof of policy compliance
- TRUSTe monitors compliance over the Internet
History
- Public accountants developed WebTrust
- Joint effort between the CICA and the AICPA
- Limited success
- Faced strong criticism and calls for change
- So, should public accountants continue to be involved with privacy seals?
Arguments against involvement
- WebTrust clearly a failure
- 1/3 of top 500 websites had a privacy seal in 2001
- None used WebTrust
- Market share negligible
- Failure of WebTrust due to multiple factors
- Lack of brand awareness; other companies abandoning the seal
- Steep prices for WebTrust audits; no direct benefit for additional investment
- Inefficient method for awarding seals
Arguments for involvement
- Recommendations for continuing
- Practice standards should be at a minimum
- Integrated set of services
- Can provide services on top of web assurance
- Advisory services on ecommerce controls
- Help vendors support web seals
Fate of WebTrust
- Current trends
- Decreasing seal effectiveness
- Visitors unable to differentiate a low-assurance seal from a high-assurance one
- Cheaper, low-assurance seals will be more popular
- The public accounting profession developed and supports the costlier, high-assurance seal
- Will eventually be forced out of the market, by the market
Develop a new seal?
- “WebTrust Lite”
- Provide at low cost
- Damage to reputation
- Worth the effort?
Develop a new service?
- Advisory services
- Leverage skill set with controls and other business services
- Ready websites to meet the requirements set out by another seal
- Complementary to the market leader in privacy seals
- Avoids competition with the market leader
- Profession has proven that it is unable to handle that competition