Uppsala University Department of Business Studies Master Program in Business and Management Strategic Management Master Thesis Spring Semester 2012 Supervisor: Olivia Kang

Personalized Marketing

- An invasion of or an approved phenomenon? An empirical study of how organizations can respond to

consumers’ concern over the threats of online privacy.

Authors: Hiral Amin & Johanna Birgisdottir Abstract The authors of this study analysed the increasing use of personalized marketing and consumer concerns regarding the access to personal information. The purpose was to find out how companies could react to these concerns. Several theoretical concepts were explored, such as Personal Data, Personalized Marketing, Privacy Concerns, Privacy Policies, Consumer Trust and Consumer Behaviour. Facebook Inc. was analysed as an example to address the problem. An online survey was conducted on university students and two interviews were performed with representatives from the Data Inspection Board in Sweden. The main findings were that individuals seem to approve of personalized marketing but are concerned about their privacy. Companies should therefore inform their consumers on how personal data is used for personalized marketing and respect their rights and take governmental regulations into consideration.

Key Words:

Facebook, Trust, Privacy Policies, Personal Data, Privacy Concern, Personalized Marketing.

Uppsala University 1

Table of Contents 1. Introduction ...... 4

1.1 Background ...... 4

1.2 Problem Background ...... 5

1.3 Problem Statement ...... 6

1.4 Outline ...... 6

2. Literature Review ...... 7

2.1 Personal Data ...... 7

2.1.1 Personal Data on Social Networking Sites ...... 7

2.1.2 Government Control on Data Usage ...... 8

2.2 Personalized Marketing ...... 9

2.3 Privacy Concerns ...... 11

2.4 Privacy Policies ...... 12

2.4.1 Facebook Inc. Privacy Policy ...... 13

2.5 Consumer Trust ...... 14

2.6 Consumer Behaviour ...... 16

2.7 Theory Model ...... 17

3. Research Method ...... 18

3.1 Research Approach ...... 18

3.2 Gathering of Data ...... 19

3.2.1 Primary and Secondary Data ...... 19

3.2.2 Choice of Survey Sample ...... 19

3.2.3 The Procedural of the Survey ...... 20

3.2.4 Choice of Interviewees ...... 20

3.3 Social Networking Sites ...... 21

3.4 Facebook Inc...... 22

3.5 Operationalization ...... 23

Uppsala University 2

4. Analysis ...... 24

5. Conclusions ...... 32

5.1 Limitations and Future Research ...... 34

References ...... 35

Appendix 1: The Questionnaire ...... 39

Appendix 2: Results from the Questionnaire ...... 42

Appendix 3: Interview Questions with Catharina Fernquist ...... 49

Appendix 4: Interview Questions with Jonas Agnvall ...... 49

Uppsala University 3

1. Introduction In this first chapter the background to the study is presented where the purpose of the paper is explained, followed by a problem discussion and the problem statement. At the end of the chapter the Research Questions and the Outline of the study are presented.

1.1 Background “Companies definitely can and do use our data for manipulation, for creating desires, creating needs that we don’t have. You can say it is only money but you can also see it as a problem of freedom(Szymielewicz, 2012).”

An user’s every movement is potentially a piece of marketing information. Online marketing is constantly increasing and today many firms stress the use of technology to get closer to their customers and build relationships with them. Access to customer information is a critical success factor and the better the information is gathered, the better the company is able to meet its customers’ needs (Brown &Muchira, 2004).The fast development of information technology and the ability to store and examine great amounts of personal information has paralleled the increased usage of the Internet. Customer data is a major marketing asset through which businesses can improve customer service and build competitive advantage (Dinev& Hart, 2006a). Technologies that require large amounts of data from which consumer patterns can be extracted, have improved the capability of companies to target specific individuals (Dinev& Hart, 2006).

While the technological advances have made it possible for firms to identify consumer preferences, develop better products, and improve customer relationships, the same advances have also increased concerns among consumers about access to their personal information and how it is being used. A lot of the information that websites require from the users is often not needed, but simply desirable for the companies’ marketing purposes (Dinev& Hart, 2006a). Internet users are concerned that without their consent,their personal information is available to a large network of information seekers (Dinev& Hart, 2006). In 1996, Smith et al. published a survey where they revealed several central dimensions of individuals' concerns regarding privacy practices: 1) collection of personal data; 2) internal unauthorized secondary use of personal data; 3) external unauthorized secondary use of personal data; 4) errors in personal data; and 5) improper access to personal data (Smith et al., 1996).

Uppsala University 4

Privacy can be defined in many ways, and has a different meaning in different contexts. It covers three basic expectations: anonymity, confidentiality, and fairness and control over personal information (Brown &Muchira, 2004). The understanding and protection of privacy in information systems is becoming increasingly critical with widespread use of networked systems and the Internet (Antónet al., 2010).

The purpose of this paper is to find out, from an organizational perspective, how companies should react to their consumers concern, about their personal data being used for personalized marketing at the cost of their privacy. The authors will address this issue by analysing one of the largest social networking sites, Facebook Inc. which harbours vast amounts of personal data.

1.2 Problem Background “Facebook was looking at which links I clicked on, and it was noticing that I was clicking more on my liberal friends’ links than on my conservative friends’ links. And without consulting me about it, it had edited them out. They disappeared(Pariser, 2011).”

People believe they have lost control over how their personal information is being collected and used by companies (Dinev& Hart, 2006a). Personal information is seen as a commodity to be traded and profitability has become more important than privacy (Brown &Muchira, 2004). Internet users are becoming more aware of the power of Internet technologies to monitor their activities and gather information about them without their knowledge and permission (Dinev& Hart, 2006a). Yet, individuals are increasingly providing information about themselves online (Antónet al., 2010). In some cases, they put up false information as a negative reaction from threats to privacy. This can have a significant influence on a firm’s marketing performance (Wirtzet al., 2007). Therefore, it is interesting to see whether firms can improve their marketing skills by adopting policies that acquire increased trust from consumers.

Various attempts have been made to regulate online privacy and develop monitoring controls. Brown and Muchira(2004) stated that companies who collect consumer information for their own marketing purposes can build trust with their customers by displaying privacy policies online, and firms have increasingly started to do so. Internet users are aware of the privacy- policy concept and are beginning to pay attention to privacy policies when visiting websites (Earp et al., 2005). However, recent studies have shown that privacy policies are problematic and difficult to comprehend. The consumers think they are too lengthy, too difficult to read, Uppsala University 5 and include too much legalese (Antónet al., 2010). Some observers have criticized these policies as being either too weak, or too detailed. Researchers have noted that if the privacy policies are clearly stated, then the customer perceives the organization as more trustworthy. According to Earp et al., this will assist the companies to attract new customers and keep the existing ones (Earp et al., 2005).

1.3 Problem Statement With the rising concerns regarding individuals’ online privacy and security it is of utter importance to understand to what extent they feel that their confidentiality is being threatened. According to Broom et al. (2002), Internet users want protection in three different areas. The first is email privacy, in which only the intended recipient should read the message. The second is access and security, meaning wanting to surf online anonymously. The third and final is personal information and unsolicited marketing, which includes the consumers concern of how their personal data is being used.Researchers argue that companies should update their privacy policies regularly (Wirtz et al., 2007) and display those clearly on their websites (Earp et al., 2005), but are the policies meeting the consumers concern? In order to achieve the purpose of this paper the authors will strive to answer the following research questions:

1. To what extent can the usage of personal data for personalized marketing be positively related to the consumers’ behaviour on social networking sites? 2. How can organizations implement personalized marketing without jeopardising customers’ trust?

1.4 Outline This paper is divided into six main chapters. The first section introduced the topic and the background of the study. The second part will cover the literature review. This chapter describes the theoretical concepts chosen for the study,whichwere connected to the questionnaire and the interviewsperformed. Thereafter followsthe research methodin which the process of the study is clarified. This section presents Social Networking Sites and Facebook Inc. The data gathering process is explained by introducing the performed interviews and the survey conducted. The next chapter describes the findings from the research and the data is analysed. In the fifth and final section the conclusions are revealed in which the research questionsare answered. Limitations of the study as well as suggestions for future research arepresented in this final part of the paper.

Uppsala University 6

2. Literature Review Following is a presentation of the theoretical concepts chosen for this paper. They have been chosen due to the fact that they are relevant to the study and can be connected to the survey and the interviews performed.

2.1 Personal Data On a daily basis in the online world individuals reveal personal information about themselves. This can include their name, phone number, photographs, as well as their date of birth, anything that can identify who they are (European Commission, 2012). This sensitive information can also include where they go to school, where they work as well as what they purchase (Information Commissioners Office, 2012).All of this can be defined as personal data.This data can be processed in many legitimate ways such as joining clubs and applying for jobs. But due to the immense expansion of technology this private data can travel easily around the world, which can indicate great risks of misuse of personal data (European Commission, 2012).

Although personal information is an intangible good it is very valuable, and individuals need to treat it like they would of their tangible goods. Everyday personal information is given out in one way or another, and people need to make sure that the information is accurate and secure. When organizations collect this personal data they need to state why they are doing so, use it properly, protect it, and make sure that it is up-to-date. To make it clearer for the individual, a privacy notice should be available that fully states why the information is being collected and what it will be used for. It should also state whether or not it would be shared with other organizations. These notices need to be clearly displayed and easy to understand.Sometimes the information can be shared within the organization and it can also be shared without the users consent (Information Commissioners Office, 2012). Sharing and abuse of personal information can create consequences for the users, particularly young individuals. Their rapid adaption of the Internet world and joining social networking sites (SNS) has created social anxiety. They disclose more information that can be misused in cases of harassment and abuse (Mesch&Beker, 2010).

2.1.1 Personal Data on Social Networking Sites “Austrian law student requested all the information that a social networking site kept about him on his profile. The social network sent him 1,224 pages of information. This included photos, messages and postings on his page dating back several years, some of which he Uppsala University 7 thought he had deleted. He realized that information he had deleted was still being processed against his wishes (European Commission, 2011).”

Internet social networking has become one of the biggest phenomenon of the 21st century. Social networking sites such as Facebook, MySpace and LinkedIn have exploded in popularity. In these online social worlds users post information about themselves, comment on others profiles, and join virtual groups that have common interests (Peluchette& Karl, 2010). These sites have become platforms for exchange of vast amounts of personal data (Kostaet al., 2010). Though they are a great way of keeping in touch with family and friends around the world, they present a great risk of private information being viewed more widely than the user realizes (European Commission, 2011). Users reveal personal information with great ease; in particular the student demographic seems to be doing this more than others (Peluchette& Karl, 2010).

Social networking sites allow the distribution of information about other users without their consent. This is problematic, but users do not have the privilege of choosing how they can protect their data. They have to choose from specific privacy options that the social network sites have provide them with. These social sites are taking steps towards revealing more information of their users, rather than protecting it. Also, users either tend to not manage their privacy settings, because they seem to trust the provider, or they are clueless as to what extent their personal data is endangered (Kostaet al., 2010).

2.1.2 Government Control on Data Usage The European Union (EU) has high standards when it comes to the protection of their citizens’ privacy rights and personal data. They impose strict rules and regulations on entities that process personal information (Kostaet al., 2010).On the European Commission’s website it is stated that anyone that collects and manages personal date is called a data controller. They have to respect the EU law when handling information that is fragile. Under European Union regulations the data controllers have to inform the individual when they are collecting their personal data; they have to let them know who they are, what the information is being used for and if it will be transferred. The individual has the right of knowing whether the data was collected directly or indirectly, unless the information is legally protected or impossible to obtain. The individual has the right of asking the data controllers if they are processing personal data about them. The individual has the right of receiving a copy of the data

Uppsala University 8 collected in comprehensible form; and finally the individual has the right of asking to have the data deleted, blocked or erased (European Commission, 2012).

The European Commission is proposing a strengthened right to be forgotten so that if anindividual no longer wants their personal data to be processed, and if there is no legitimate reason for an organization to keep it, it must be deleted from their system. Data controllers have to verify that there is a need to keep the data rather than the individual having to prove that the data collection is not needed. Firms will be obliged to inform the individuals as understandably and transparently as possible about how the data will be used, so that the individuals can decide what data will be shared. The proposals will make it easier for consumers to access their data, which means it will be easier to transfer it from one service provider to another. Also, when users give their permission for companies to collect and use the personal information, the agreements will be given explicitly and with their full awareness. This will give users control over their data, and help foster trust in the online environment (European Commission, 2011).

The Commission considers the new proposal of high importance since a high level of data protection is essential to foster peoples’ trust in online services and in the in general. Privacy concern is among the top reasons for people not buying goods and services online. The Commission argues that individual trust in online services is significant for stimulating economic growth in the EU. With the increasing globalization of data flows there is a risk of consumers losing control of their online data. The new rules will put people in control of their personal data, and will promote trust both in and in online shopping as well as communication in general (European Commission, 2011).

2.2 Personalized Marketing “Every time a person shares a link, listens to a song, clicks on one of Facebook’s ubiquitous “like” buttons, or changes a relationship status to “engaged,” a morsel of data is added to Facebook’s vast library. It is a siren to advertisers hoping to leverage that information to match their ads with the right audience (Sengupta&Rusli, 2012).”

Personalization is the concept of using a combination of customer information and technology to produce electronic commerce interaction between a company and their individual customers. The company uses previously obtained or real-time personal information about the individual to best suit the customers’ needs (Vesanen, 2007). More simply put, it is when a

Uppsala University 9 company decides what marketing mix is best suitable to interact with the individual based on their collected personal data(Aroraet al., 2008).

According to Pepper et al.(1999) there are four main steps ofpersonalization. The first step is to identify your customer. To be able to better target a customer, the company needs to get to know the customers preferences and needs. This information needs to be continuously updated and therefore it cannot be a one-time contact. The customer has to be observed in all of their mediums and locations. The second step is to differentiate the customers, as they are different in two different ways; the first is that they represent diverselevels of value and the second is that their needs are different. In this step the company can identify which customers are of value for them to gain the most advantage. After identifying who the valuable customers are the companies can form appropriate target marketing strategies. The third step in the concept is interacting with your customers. It is critical to improve cost efficiency and effectiveness of interactions with the customers. By now knowing the best way of communicating with ones customer is crucial. The fourth and final step is customizing your enterprises behaviour. The company needs to adapt their behaviour to meet the customers individually expressed needs. The product or service needs to be personalized to each and every customer, in order to give them what theywant(Pepper et al., 1999).

To be able to implement personalized marketing there are eight elements needed: customer, dialogue with customer, customer data, analysis of the customer data, customer profile, customization, marketing output, and delivery of marketing output. The base of personalized marketing is the customer. They have different needs and preferences, which create different customer segments. When interacting with a customer they provide data about themselves. One of the ways of interacting with a customer is through their website behaviour, by viewing their visits and routes in a website. Customer data is collected in three ways: a) through customer interactions, changes, or opportunities in existing customer status; (b) through external data sources that can provide new potential information; or (c) by matching external data with the customers’ internal data. After the data is processed it turns into customer profiles, which helps identifying and differentiating the customers. The customers are then put into different segment groups based on their preferences. Analysing their private data, behaviour, and interests does all this. The customer profiles are then used as input for customization, which is the production of personalized marketing output. Marketing output can be printed material, automated phone service, or a personalized product. Online it can be a personalized web page or email. After the marketing output is delivered to the customer it Uppsala University 10 causes a reaction with the customer. Through this reaction a new interaction is formed, and this in turn provides new data about the customer. By using this new information the marketer can create a more targeted profile. The process is a learning loop, and with each round more information is gained (Vesanen&Raulas, 2006).

The magnitude of personal information that Facebook has about their users for target marketing is undeniably amazing (Andrews, 2012). Though there are advantages such as greater customer satisfaction and higher profits to personalization, there can also be downsides to this practice. One of the main concerns is the invasion of privacy, as personalization requires the collection of personal data (Arora et al., 2008).

2.3Privacy Concerns “If there is information, there is always a risk of misusing it, and that’s just the way it is” (Agnvall, 2012).

The concept privacy can mean different things but many scholars have defined the concept of privacy as the “right to be left alone”(Brown &Muchira, 2004), and it is accepted as one of the basic human needs (Mesch&Beker, 2010).Another aspect is that privacy is the right to control the gathering and usage of information about oneself (Dinev& Hart, 2006a). Privacy concerns are beliefs about who has access to the information that is revealed when using the Internet and how it is being used (Dinev& Hart, 2006). The focus in this thesis will be onthe privacy concerns regarding companies' possession of personal information. With the rapid growth and development of technology, large databases are ever present to collect information online. Thishas led to rebuilding the concept of privacy (Mesch&Beker, 2010).Dwyer et al. (2007) state that privacy within social networking sites is often undefined and the sites record all interactions and keep them for potential use in social data mining. The authors also argue that these sites need clear policies and data protection tools in order to deliver the same level of social privacy found offline (Dwyer et al., 2007).

Internet users are concerned about what the companies know about them, how they gain the information, what they do with the data they collect, and what is the accuracy of the information they use (Brown &Muchira, 2004). There are several factors that users rate highlyimportant when deciding whether or not to provide requested information.These factors include a) whether their information will be shared with otherorganizations, b) whether the information will be used in an identifiable way,c) the kind of information collected, and d) the purpose for which it is collected. Research has shown that people areconcerned about whether Uppsala University 11 a websiteposts a privacy policy, has a privacy seal, and discloses a date of retention policy (Proctor et al., 2008). Phelps et al. (2001) argue that only with an understanding of the factors that underlie privacy concerns that policy and practices can be employed to reduce consumer concerns and enhance consumer trust. Therefore, it is crucial that marketers understand the importance of dealing with consumers’ concerns (Phelps et al., 2001).

2.4Privacy Policies Research from as early as the mid to late 1990s, has suggested that consumers are concerned with how their personal data will be used online. Consumers need to feel trust in the companies they will interact with. One of the main indicators of trustworthiness that was determined from past research was the importance of displaying a privacy policy. These privacy policies should clearly state to their consumers how they will use their personal information that was collected on the site, the third parties to whom this information could be disclosed to, and when or how the disclosure may occur (McRobb, 2006).

A privacy policy is typically defined as “a comprehensive description of the site’s information practices that is found in a single location on the site and may be accessed through a link”. Research has revealed that strong business policies and governmental regulation reduce consumer privacy concerns (Wirtzet al., 2007).Culnan and Armstrong (1999) argued that companies could gain competitive advantage by behaving ethically. The companies have to balance the competing forces of the power of information and privacy when doing business with their customers (Culnan& Armstrong, 1999).

Companies need to pay close attention to their privacy policies to reduce consumer privacy concern and consequent negative reactions. As the usage of Internet increases companies are becoming more aware of posting privacy policies on their websites (Culnan& Armstrong, 1999). However, most privacy policies are too complex, written in confusing language and are full of jargon. Therefore, althoughconsumers are concerned about privacy, only few of them actually read the privacy policies (Proctor et al., 2008).One explanation of the difference between consumers’ privacy values and website’s privacy policy content is that website organizations and users have different ideas. Website organizations, in general, have an objective to be legally protected from potential lawsuits; therefore, their online privacy policies are often written in such a way that protects the organization. This objective interferes with users’ needs by causing the privacy policy to assist the organization rather than the users.

Uppsala University 12

Earp et al. (2005) argue that managers must ensure they establish and maintain the trust of the public who reads the policies on the organization’s websites.

Privacy policies should be easy to understand, allow comparisons and afford action ability. In order to facilitate the ability to understand a privacy notice, the language must be plainly written, as well as being short and easy to read (Timpson &Troutman, 2009).The TRUSTe Privacy Program requires that the policies describe what personal information is being collected, the means by which it is beingcollected, how the information will be used, and whether it will be shared withthird parties. Users must be allowed the option to opt out, and sufficient securityand access measures must be put into place (Proctor et al., 2008).The Federal Trade Commission (FTC) has presented five basic principles that make a privacy policy fair and trustworthy:

1) To give notice - tell customers what information is being collected and what the firm is planning to do with it. 2) Choice - customers are able todecide not to have their information shared with third parties. 3) Security - to assure customers that the information is safe from tampering, theft, misappropriation and misuse. 4) Access and Correction - customers can see what has been collected and can correct errors in the data. 5) Enforcement - a mechanism to ensure compliance by participating companies (Wirtzet al., 2007).

Consumers who perceive that corporations are acting responsibly in terms of their privacy policies, and that sufficient legal regulation is in place to protect their privacy, are expected to have greater trust and confidence towards the organizations and show less concern for internet privacy (Wirtzet al., 2007).

2.4.1 Facebook Inc. Privacy Policy “Facebook has always been committed to being transparent about the information you have stored with us – and we have led the Internet in building tools to give people the ability to see and control what they share, - Mark Zuckerberg (Sengupta, 2011).”

Facebook has become an integral part of peoples’everyday lives. It has become the site where people share an immense amount of personal information such as birthdays, engagement announcements, ultra sound scans, wedding photos and so much more. This type of online activity was unimaginable just a few years ago (Ortutay, 2011). Users can also play games, check horoscopes, stream music, and read newspaper articles online. They reveal intimate Uppsala University 13 information such as who their friends and family members are, as well as their political stand. And Facebook has been collecting all of this data for years (Sengupta&Rusli, 2012). But with such openness comes privacy problems (Ortutay, 2011). The Federal Trade Commission (FTC) had blamed the company of deceiving their users about the privacy settings (Sengupta&Rusli, 2012). They had violated their users’ privacy by getting them to share more personal data than they had agreed to when they first joined the website. Due to this, Facebook came to an agreement of having their privacy practises reviewed every two years for two decades (Ortutay, 2011), and they have to inform their users of how their personal data will be shared with new products and services over the next twenty years. David Vladeck, the director of the bureau of consumer protection at the FTC stated that this has to be done in order to protect peoples’ privacy (Sengupta, 2011).

2.5Consumer Trust Online Trust has been defined as “a set of three beliefs that reflect confidence that personal information submitted to Internet websites will not be used opportunistically; these beliefs include competence, reliability, and safety”(Dinev& Hart, 2006). In other words, online trust is when an individual is willing to disclose personal information because of a confidence belief. Trust is important when building relationships with customers (Dinev& Hart, 2006) and to be an effective competitor a company needs to be a trusted co-operator (Morgan & Hunt, 1994). Many consumers are still fearful of giving out financial information over the Internet and many do not trust companies they do not know (Peter & Olson, 2008). Phelps et al. (2001) argue that only with an understanding of the factors that underlie privacy concerns, that policies and practices can be employed to reduce consumers concern and enhance consumers trust.

The fact that companies are able to track data about Internet users behaviour has made it possible for them to personalize and enrich the users experiences (Earp et al., 2005). However, this makes the consumers worried that the information might be traded or sold to third parties without their knowledge or permission (Earp et al., 2005; Dinev& Hart, 2006). There is a strong relationship between the willingness to provide personal information and perceived online trust where a lack of trust may lead to privacy concerns and unwillingness to disclose personal data (Dinev& Hart, 2006).

Online trust is frequently associated with the success or failure of online ventures. Internet users are often concerned about the safety of their personal information and misuse of private

Uppsala University 14 consumer data. Subjects like hacking, fraud, spam and online scams raise security concerns as well as scepticism and mistrust. The physical distance and lack of personal contact are also factors that increase the consumers’ risk perceptions. According to Constantinides (2004), web providers should give consumers the choice of rejecting possible follow-up activities and always ask the customers clear permission for any further use of data for commercial purposes. Online marketers should know the main factors enhancing or undermining trust among potential customers. For online companies, the question of winning consumer trust should be a central issue when designing their website (Constantinides, 2004).

Consumers find it difficult to trust web providers enough to engage in "relationship exchanges" involving money and personal information. The primary barriers to consumers providing personal data to websites are related to trust and the nature of the exchange relationship (Hoffman et al., 1999). Trust is therefore an important factor for online businesses and companies should work on sustaining and ensuring trust (Dinev& Hart, 2006). When a company displays a privacy policy and adopts fair procedures to protect individual privacy, customers tend to develop trust in the organization. As a result, they are likely to be willing to disclose personal information and have that information used. Such trust is crucial in business because it contributes substantially to customers’ satisfaction and commitment to become a loyal customer of that particular organization (Earp et al., 2005).

The role and growth of social networking sites (SNS) such as Facebook has been enormous, especially among teens and young adults. Marketers increasingly advertise on SNS’s to reach their target groups. As a result, is the primary source of revenue for most SNS’s and is changing in the way marketers reach their consumers. When SNS’s users receive the information (through messages or news feed) from friends that they trust, they are more likely to pay attention to it. Therefore, advertising on SNS is considered highly targeted and relevant. With the increased usage of SNS for advertising it becomes important to develop an understanding of users and their attitudes toward these sites (Gangadharbatla, 2008). In analysing trust on SNS, Dwyer et al., (2007) argued that trust and usage goals might affect what people are willing to share. According to Dinev and Hart (2006), a higher level of perceived privacy risk online is related to a lower level of willingness to provide personal data. On the other hand, a higher level of online trust is related to a higher level of willingness to provide personal data (Dinev& Hart, 2006).

Uppsala University 15

2.6 Consumer Behaviour “Consumer behaviour involves the thoughts and feelings people experience and the actions they perform in the consumption processes” (Peter & Olson, 2008). Organizations must keep in mind that each customer is unique, which makes it difficult to understand the differences of each of their consumers (Szmigin, 2003). However, the advantages of the Internet and online marketing have provided a means for developing one-on-one relationships with consumers and establishing consumer databases (Peter & Olson, 2008).

On social networking sites (SNS), people can have conversations, express their opinions, and influence others. Web providers can reach consumers and gather data about them via the SNS. People's positive attitudes and behaviour towards SNS may stem from their need to belong and therefore they may disclose more personal information. On SNS such as Facebook, individuals post not only contact information but also information like their favourite television show, movies, music, and pictures. Therefore with SNS, companies have greater access to personal information, which may often be sensitive (Gangadharbatla, 2008).

Online consumer behaviour varies depending on factors such as demographics, technology literacy and experience level. Increased technology and lack of security measures at Web providers’ transaction systems has released greater uncertainty regarding access to disclosed personal information and how it is being used (Hamid, 2008; Dinev& Hart, 2006). This has created hesitation among consumers to complete online activities (Hamid, 2008). The greater the uncertainty about the access and use of information, the greater the privacy concerns (Dinev& Hart, 2006).

Privacy concerns are negatively related to purchase behaviour and the purchase decision process. Understanding the antecedents of privacy concerns provides a foundation for developing effective policies and practices to reduce these concerns. If consumers’ privacy concern influence their behaviour, then protecting privacy could actually have a positive impact on the company’s sales and profit (Phelps et al., 2001). However, consumers’ actual behaviours may be not the same as their stated privacy preferences. Their behaviour can either reflect lower privacy concerns than research say or other factors may reduce the privacy concerns (Dinev& Hart, 2006).

There may not be any major differences between the traditional and online buying behaviour but it is argued that a new step has been added to the online buying process - the step of building trust. Usability and trust are the issues more frequently found to influence the Uppsala University 16

Internet consumer’s behaviour (Constantinides, 2004). Perceived risk may influence the attitude and behaviour of consumers towards the Internet services. Hamid (2008) emphasizes the importance of understanding the dimensions that can build and maintain online customer relationships. Traditional marketing principles may be applied to the online environment but there are differences in consumer behaviour that emerge as a result of interaction with “new” technology that must be recognized. Factors like superior service quality, perceived value and trust will still influence the customers’ intention to revisit and to remain loyal (Hamid, 2008).

2.7 Theory Model To answer the purpose and the research questions of the study the authors of this paper have formed the following theory. Companies need access to their consumers’ personal data to be able to use personalized marketing.When companies have the opportunity to access consumers’ personal data, it raises their privacy concerns. Due to a raise in the consumers’ privacy concerns, the companies form privacy policies on how the data will be used and protected. When privacy policies are an integral part of a company’s website it increasesthe consumers trust in the company. Because the consumer’s trust increases it can affect the consumer’s behaviour online. This can be both negative as well as positive. Depending on what the privacy policy states, the consumers might choose to share more information or less information.

Privacy Privacy Consumer Trust Concerns Policies Behaviour

Personalized Marketing

Personal Data

Uppsala University 17

3. Research Method In this section the process of the study is followed in detail to defend the reliability and validity of the paper. Here, the importance of the choice of field is stated with a presentation of Social Networking Sites and Facebook. The information gathering process is explained by introducing the performed interviews and the survey conducted.

This study started with research questions and hypothesis the authors had in the field of online privacy and personalized marketing. After narrowing down the purpose of the study, the process of a thorough examination started on the topic. Detailed observation was performed on following concepts: Personal Data, Personalized Marketing, Privacy Concerns, Privacy Policies, Consumer Trust and Consumer Behaviour. These concepts were connected to Social Networking Sites, Facebook Inc. and Government Control. Next, the authors performed an online survey on university students and conducted interviews with two lawyers from the Data Inspection Board in Sweden. The gathered material was analysed and conclusions presented to test the theory model. Finally, the authors presented their limitations for the study and suggestions for future research.

3.1 Research Approach In this study, both qualitative and quantitative approaches were used. When both qualitative and quantitative approaches are used it means that the research phenomenon is seen from different perspectives. This means in practice that various techniques are used for the data gathering and the analysis. Depending on the outcome of the research it is possible to measure how well the different approaches reach similar results, which strengthens the validity of the research (Christensen et al., 2001). In this paper, the qualitative data consists of findings from the interviews conducted with The Data Inspection Board. The quantitative data consists of results from the online surveys sent out to university students in Sweden. Both approaches were used for this study to examine what the Internet users need, to feel that their privacy is being protected, and compare it to what the government is doing in regards to privacy protection. This in turn, deepens the research and strengthens the validity of the paper.

Uppsala University 18

3.2 Gathering of Data

3.2.1 Primary and Secondary Data For this paper both primary and secondary data was collected. The primary data consists of the results from the survey performed and the findings from the interviews. The secondary data consists of information about Facebook Inc. and the Data Inspection Board in Sweden.

3.2.2 Choice of Survey Sample Data was collected by a survey questionnaire using a convenience sample of one hundred and forty university students in Sweden that had accounts on Facebook. The respondents ranged between the ages of 18 to 34. 50% of the sample were males and the other 50% were females.

Using a student sample can be justified since Facebook’s users fit the demographics of university students between the ages of 18-34. Also,younger people tend to live a large proportion of their lives in the online world and Facebook is the most widely used social networking site (Pernemalm& Lindgren, 2011).Gangadharbatla (2008) performed a study, which gave insight into why college students register with these social networking sites (SNS) and the various factors that influence their adoption. Students join and participate in these sites because of their need to belong and need for awareness. Internet self-efficacy, the need to belong, and collective self-esteem all have positive effects on attitudes towards SNS (Gangadharbatla, 2008).The development of technology and growth of social networks in which people share private information give pleasure to young people but it also raises awareness of privacy issues, many regret posting certain private information online (Pernemalm& Lindgren, 2011).

According to Boyd and Ellison (2007) there is often a disconnection between students’ desire to protect privacy and their behaviours, meaning that they are not always aware of the public nature of the Internet. Therefore, students were considered the optimal sample for this study. The sample is relatively homogenous in terms of demographics and lifestyles but it was considered applicable since the purpose of the study was not to provide point and interval estimates of the variables but to test the relationships amongst them. Furthermore, the relative youth of the sample is not inappropriate as Internet usage is prevalent among younger consumers, with as many as forty per cent of all Internet users falling within the 18 to 34 age category. Also, younger people have been shown to have lesser privacy concerns compared to older people (Brown &Muchira, 2004).

Uppsala University 19

3.2.3 The Procedural of the Survey An e-mail-based survey was designed and used, in which respondents’ perceptions, beliefs, concerns and responses to online privacy were measured on retrospective behaviour to test the theory. The method chosen has high external validity, based on a research performed by Wirtz et al. in 2007. According to them, Internet surveys have shown to provide various benefits and are gradually being used.E-mail-based questionnaires have advantages such as low costs, wide reach, design flexibility, and data control. The negative aspects researchers have pointed out regarding Internet surveysare that they might lead to a “sampling dilemma” which excludes individuals not using the Internet(Wirtz et al., 2007). However for this research, the targeted population was restricted to Internet users, possessing Facebook accounts, which validated the use of an e-survey as an appropriate research method.

All measurement items except the demographics, used seven-point Likert-type scales (Gangadharbatla, 2008; Wirtz et al., 2007), anchored in “strongly disagree” (1) to “strongly agree” (7). The questionnaire consisted of 21 questions (see appendix 1) and was partially based on the survey performed by Wirtx et al. in 2007.

3.2.4 Choice of Interviewees For this study, two interviews with The Data Inspection Board in Sweden (Datainspektionen)were conducted. The first one was an email-based interview with Catharina Fernquist (see appendix 3). For offline electronic interviewing it has been suggested that the relative anonymity of the interview facilitates more open and honest responses. Email interviews are normally conducted over an extended time period. This type of interviewing consists of a series of emails, each containing a small number of questions. For this paper, the authors first made contact with the Data Inspection Board by emailing a small number of questions introducing the topic. After obtaining agreement to participate, the authors responded and asked specific further questions, raising points of clarification and ideas of further interest. Because of the nature of email communication the interview lasted for a few weeks, due to time delay between a question being asked and it being answered. This was in fact advantageous as it allowed both the interviewer and the interviewee to reflect on the questions and responses (Saunders et al., 2009).

The second interview was a semi-structured, face-to-face interview with Jonas Agnvall (see appendix 4). According to Saunders et al. (2009), a semi-structured interview allows for the freedom of asking additional questions and adaptation of the interview as it progresses.In

Uppsala University 20 order for the interview to be as effective as possible and to get a deep understanding of the subject, the questions were sent to the interviewee in advance (Saunders, et al., 2009). For both interviews the questions were all based on the articles chosen for this study.

The Data Inspection Board isSweden's nationalregulatory authority for theprocessing of personal dataunder the Schengen Convention, the Convention on the EU CustomsInformation System andCouncilDecision establishing theEuropean Police Office (Europol).The Board works to prevent violation upon privacy through itsregulatory activities by issuing directives and codes of statutes. By examining government bills the Data Inspection Board ensures that new laws and ordinances protect personal data in an adequate manner. The Data Inspection Board is a governmental agency with about 40 employees, in which two thirds are lawyers (Datainspektionen, 2012).

The Board’s task is to protect the individuals’ privacy in the information society without unnecessarily preventing or complicating the use of new technology. The Board educates and informs those who process personal data, and makes sure that they are following the laws and regulations of protecting privacy. The Data Inspection Board will achieveits objectives by: spreading awareness,stimulating debate,warn of potential risks, communicate knowledge, give advice and help,prevent errorsand abuses, review and ensure. Theycarry out inspectionsandhandle questionsand complaintsfrom individuals.Theymonitor to detect and prevent threats to personal privacy anddescribe developmentsin the IT sectoron issuesrelating toprivacy andnew technologies. They especially focus onsensitive areas such as personal data, new developments, and areas in which the potential for abuse is particularly high (Datainspektionen, 2012).

The Board has handled multiple cases regarding individuals’ online privacy, and due to this, performing an interview with them was fully applicable to the study. They believe that many young people live dangerously on the Internet, knowing that there are lurking risks. The Board carried out a survey, which discovered that young people expose themselves online despite being aware of the privacy risks. The Board’s task is not to act as an Internet police, but rather raising risk awareness (Datainspektionen, 2012).

3.3Social Networking Sites Social networking sites (SNS) are a type of virtual communities that have grown tremendously in popularity over the past few years (Dwyer et al., 2007). The sites have been defined as “web-based services that allow individuals to (1) construct a public or semi-public Uppsala University 21 profile within a bounded system, (2) articulate a list of other users with whom they share a connection, and (3) view and traverse their list of connections and those made by others within the system” (Boyd & Ellison, 2007). These sites act as a platform for people with similar interest, beliefs and ideas to come together. The users connect with each other with the purpose of wanting to find and exchange content. These sites can also be used for self- representation to create and maintain a social and professional identity. The five main uses of SNS are to meet new people, for personal entertainment, to maintain existing relationships, to learn about social events and to share media. One of the main advantages of being active on these sites is to create and manage a diffuse network of weak relations. This can help in establishing new business contacts and developments.

Due to the large and broader groups available on SNS, information exchange is wider and it encourages the addition of as many contacts as possible without having to deepen the relations, but still being able to gain business advantages (Mital&Sarkar, 2011).In recent years there has been an increase in research regarding threats to privacy associated with SNS (Boyd & Ellison, 2007), whichmade this area of study an interesting topic of choice for this paper.

3.4Facebook Inc. Facebook Inc. was founded on February 4th, 2004 and was originally called TheFacebook and its mission was to make the world more open and connected (Carlsson, 2010). People use Facebook to stay connected with friends and family around the world, to discover what is going on globally, and to share and express what matters to them (Facebook, 2012). Facebook Inc. was originally developed for college students, faculty, and staff but has expanded to include high school, corporate, and geographic communities (Kasavanaet al., 2010). Today the social site has over 845 million monthly active users and around 483 million daily users (Facebook, 2012), which makes it the fastest growing, most prominent and widely used social networking service (Kasavanaet al., 2010). Roughly 80% of their monthly active users are outside the U.S. and Canada and it operates in more than 70 languages(Facebook, 2012).

On Facebook, the members reveal a lot of information about themselves but many are not really aware of privacy control options and who can actually view their profile (Acquisti& Gross, 2006).This makes the site a virtual treasure trove of target advertisement (Ortutay, 2011).Facebook is an interesting company to this study since it is the leader within its field, constantly gathering and using vast amounts of personal data. The firm has the largest share of display advertising on the Internet which leads to an increase inprivacy concerns among

Uppsala University 22

Facebook users (Sengupta, 2012). Facebook has dealt with manycontroversiesover the years, one of them being private data collection (Story, 2008;Sengupta, 2012). The company settled FTC (Federal Trade Commission) charges that it deceived its consumers by informing them they could keep their personal data on Facebook private. Facebook failed to keep privacy promises by repeatedly sharing and making the information public (FTC, 2011).

3.5 Operationalization As mentioned above, the survey was based on another research performed in 2007 by Wirtzet al. The questionnaire for this paper was also based upon other theories chosen for the research. Therefore, some additional questions were added to the survey performed by Wirtzet al. (2007), (see appendix 1).

The first questions in the survey were general questions regarding age, gender, usage of Facebook and whether or not the respondents had read Facebook’s Privacy Policy. These questions were asked to see how active the users are on Facebook and to see their awareness about the Privacy Policy.

Questions were asked regarding the users’ trust with Facebook in connection with their Privacy Policy. Theory says that trust increases if privacy policies are available online (Brown &Muchira, 2004). Therefore, further questions were asked regarding the users’ opinion on privacy policies in general and whether they increase their perceived trust in a website. According to Antón et al. (2010), privacy policies are often difficult to comprehend. Thus, the respondents answered if they consider the policies easy to comprehend or not.

The survey included questions regarding consumer’s privacy concerns online and whether or not they would consider using another name or only fill out data partially in order to protect their real identity. These questions were asked to be able to measure consumers’ actual concerns (Broom et al., 2002; Phelps et al., 2001). Respondents filled out what kind of information they share with Facebook and whether they are worried or not that the company would share this personal information with third parties (Facebook, 2012; Proctor et al., 2008; Phelps et al., 2001; Ortutay, 2011; Dwyer et al., 2007; Dinev& Hart, 2006). The survey asked questions regarding users’ concern about Facebook tracking their online history and if they would use software that eliminates their browsing history (Earp et al., 2005).

Theory says that personalized marketing sometimes is considered as an invasion of privacy (Aroraet al., 2008). Therefore the respondents were asked about their opinion on personalized

Uppsala University 23 marketing and personalized search results. Finally, the respondents expressed their opinion on governmental control to protect their online privacy (Wirtzet al., 2007).

The questions in the interviews were based on the six theoretical concepts from the literature review; Personal Data, Personalized Marketing, Privacy Concerns, Privacy Policies, Consumer Trust and Consumer Behaviour (see appendix 3 and 4). The authors asked questions about the main complaints regarding personal data to see what concerns the consumers actually consider of high importance. Also, the board answered questions regarding privacy policies and rules about usage of personal data.

4. Analysis This chapter presents the empirical findings that were collected through the online survey conducted and the performed interviews. The survey generated 140 respondents and the interviews were done through email and face-to-face. The results are analysed in accordance with the authors’ theory model and the most significant data is discussed in connection with the purpose of the paper.

Personal Data and Privacy Concern

According to Proctor et al. (2008) factors such as a) whether consumer’s information will be shared with other organizations, b) whether the information will be used in an identifiable way, c) the kind of information collected, and d) the purpose for which it is collected, are of high importance before providing personal information. 62% of the 140 respondents were concerned that their personal data would be used for other purposes and without their authorization. In Facebook’s personal data section it states the various types of personal information that they receive and collect about their users. This includes all of the personal information such as name, email address, birthday and gender, which is required when one first signs up with the site. Other information such as photos, comments on friends’ profiles, relationship status, adding a friend, and liking pages and websites are also collected and shared (Facebook, 2012). Even though it is clearly stated how the data is being used the users are still concerned how their data is being used. This can be due to that they did not read the privacy policy properly or at all. If they did read the privacy policy and still feel concern, they might not have fully comprehended the policy or they believe that it is too vague.

Uppsala University 24

74% were especially concerned over Facebook tracking their web browsing history and collecting data from that. Even if websites have privacy policies, users do not have full control over their personal data and how it will be used because they have to choose from certain privacy options that are provided to them. Catharina Fernquist (2012) of The Data Inspection Board argued that there is a regulation in 26 § Data Protection Act, that states that one must be informed about the personal data processing that is being performed and also what is about to be communicated.

Jonas Agnvall (2012) of the Data Inspection Board believed that users want the right to control over what information is being shared and to whom it is being shared.Thus, the basic privacy settings should be set at default to only be viewed by the users’ friends. Thereafter they can increase or decrease the security of their accounts themselves. If the users feel that they have more control over their own personal data, their concern on how the website will use it may decrease, which might also lead to them giving out more personal data. This can be positively related to the individuals’ user experience on Facebook’s website. With the vast amount of information they receive about their users from the users themselves or their friends, Facebook puts all of the data together and determines which friends activities should be more highlighted, or by putting together the users current location, they can offer deals in the area that the user might be interested in.

Facebook states that they only keep this information until it is no longer useful to the user (Facebook, 2012). If they feel that giving out more information is enhancing their usage, trust may also increase, because the user feels that the company is catering to their needs. Pepper et al. (1999) pointed out that companies need to get to know the customers preferences and needs in order to give them what they want.

The respondents that have read Facebook’s privacy policy know that it states that the information they receive is used in connection with the services and features the site provides to the user and the user’s friends, the advertisers that purchase ads on the site, and the developers that build the games, applications, and websites the user is consuming. They also state that it is only shared when the users name or any other information that identifies them is removed (Facebook, 2012). Knowing this, the users still feel that their personal privacy is at risk but at the same time they also share a lot of personal data with the website. 96% share more personal data such as photos and interests, than their basic information such as full name and/or date of birth.

Uppsala University 25

According to Pernemalm& Lindgren (2011)many regret posting certain private information afterwards. This can be due to that the information they posted might have been misused by others. Fernquist (2012) stated that she believed that most complaints in regards to misuse of personal data would involve a person violating another person’s privacy on a SNS or a blog by putting up pictures and/or written text that is hurtful.This shows that the users want to share personal data to fulfil the need of belonging, and that they care more about what others say about them rather than how the website will use their personal data.

Government Control

Under the European Union regulations, data controllers have to inform individuals whose personal data is being collected. The controllers have to let the consumers know what the data is being collected for. In general, 65% out of the 140 respondents wanted tougher regulations by the government to protect their personal privacy. 52% were concerned over their personal privacy on Facebook and thus wanted more government control. Out of all of the respondents 31% liked personalized search results but were both concerned with their personal privacy and wanted stronger governmental control.

Brown and Muchira (2004) stated that access to customer information leads to meeting the customers’ needs better. The results demonstrate that users like the idea of personalized search results because it meets their needs, but they want outside control of how their information will be handled to make them feel secure. Even though Facebook’s Privacy Policy states that they will not share their user’s information unless they have received permission, given notice to the user, and removed their name or any other personally identifying information from it, the respondents are concerned. However, Agnvall (2012) stated that if there was more control by the government, people may not put up as much information. What is being written and said online can be drastically changed. This can happen because individuals feel as though they are being watched, which can instil fear. Thus anonymity is important, and therefore it is crucial to find a balance between anonymity and government control to protect the users personal privacy.

Agnvall(2012) also stated that people have more trust in companies than in the government. This can be concluded that people want the security of knowing that if there were to be any discrepancies they can turn to the higher authorities to deal with the problems, but at the same time they do not want the authorities to continuously monitor what is being said or done on social networking sites. For example a teenager feels secure when they know that their parents

Uppsala University 26 are there if something bad were to happen, but they do not want their mother or father to constantly watch over them.

Personalized Marketing and Privacy Concern

43% of the 140 respondents believed that personalized marketing was an invasion of privacy, and 35% did not - the rest were unsure. Personalized marketing can enhance a user’s experience by offering deals and advertisements that are of their interest and appealing to them, but this can also worry the user that others are viewing their information. Agnvall (2012) stated that the Data Inspection Board rarely gets any complaints about personalized marketing. Even with the factor of personal privacy being invaded, 72% of the respondents liked the idea of personalized search results which is based on information from their social networking sites and past searches. Still, 60% were concerned that Facebook was tracking the sites they had visited. Out of the 72% that liked personalized search results, 77% liked the idea of it but had some privacy concern, and 23% had no concern at all. 42% of the respondents that were concerned with their personal privacy on Facebook liked the idea of personalized search results. This shows that users might want the full benefits from having personalized search results but are concerned with giving out too much personal data.

Anonymity is a crucial part of people’s lives. Individuals want to be private when they navigate online from the comfort of their home but at the same time they want to be catered because their needs have to be served. According to Agnvall (2012) everyone has something that they do not want to share with others. Thus individuals want to behave in a certain way online but they do not want everyone to see how they are behaving. They want to be out there but at the same time be private. This concludes that if the users can be reassured that they will stay anonymous but still receive relevant information that are of interest to them, they might be willing to display the type of behaviour the firm wants them to. This will lead to a win-win situation for both parties involved.

48% believed that personalized search results were beneficial to get the most out of their user experience. Facebook states that they might use anonymous or combined data to improve the ads in general. They also say that advertisers do not have direct access to the user’s personal information. For example, if they choose certain demographics for their ads such as women between the ages of 18-25 living in Chicago, then the system will match those ads automatically to the appropriate audience based on location, demographics, likes, and

Uppsala University 27 keywords. In return, the advertisers only receive anonymous reports to let them know how many users saw or clicked on their ads (Facebook, 2012).

Facebook states that they want to show users ads that are interesting and relevant to them. To do this Facebook uses information such as current city, age, sex, relationship status, schools and jobs, interests that are listed in the users profiles, the pages that have been “liked” and groups that have been visited, keywords from posts and status updates. They also encourage users to include more information in their profiles to make the ads more interesting and relevant. To reassure their users they repeatedly inform them that nobody reads their private posts/status updates but that it is passed through an automated system. They also specify that personal information is not shared with advertisers, unless the user gives them permission (Facebook, 2012).

Even though the users believe that personalized search results enhance their experience there is still the core problem of privacy concern. This can be due to that the users have not read Facebook’s Privacy Policy. If the website clearly states how personal data is processed for personalized marketing it should reassure the users’ privacy concern. According to Dinev and Hart (2006a) and Agnvall (2012), users want control on how their information is being used, collected, and shared. Dealing with the users’ privacy concern requires consent from both parties. If the user feels involved in how their data is being used they feel that they are somewhat in control. If they do not want certain ads because they shared certain information on the site that was only meant for one time use, then they should have the right of not receiving these advertisements.

Privacy Concerns

Privacy covers three basic expectations: anonymity, confidentiality, and fairness and control over personal information (Brown &Muchira, 2004). The respondents do not feel that these expectations are met on the Facebook site. 66% out of the 140 respondents were concerned about their personal privacy on Facebook. Out of the 70 respondents that had read the privacy policy of Facebook 40% stated that they were concerned with their personal privacy. This demonstrates that as younger people are including social networking sites a big part of their daily lives, concern over what is said, posted and sent is increasing. Nonetheless 65% of the respondents that were concerned about their online personal privacy on Facebook shared more than the basic information that is needed when signing up with the website. This other personal information being shared includes photos and religious views. Users want the full

Uppsala University 28 benefits of using the site, but are concerned over their personal privacy. Even though Facebook states how the personal data is used the respondents need more factors to support their privacy concern. This goes with Phelps et al. (2001) theory that a thorough understanding of privacy concern is needed in order to respond and reduce them.

Agnvall (2012) stated that the consumer’s right to be forgotten has been suggested. But there are practical problems with it. It is not easy to simply remove information and then the user is forgotten - there are legal issues to be considered. But social networking sites are obligated to remove information that is offensive. There has to be a balance between freedom of expression and integrity. Thus, websites should inform their users in a separate section in detail on how they can protect their personal data. This reveals that websites should educate their users how they can behave online without having to regret with what they posted, so that there are no issues of having information removed, as this process can be very hard. Even if users might not follow the guidelines at all times, they have something to fall back on in situations where they are unsure of how they should go about.

Facebook and Privacy Policies

According to Facebook’s website, 438 million users from around the world log on to their site on a daily basis (Facebook, 2012). Out of the 140 respondents 84% logged on to Facebook on a daily basis, 11% on a weekly basis, and 4% on a monthly basis. The website has become an important part of peoples’ everyday lives, and they share a lot of personal information on the site. According to Proctor et al. (2008) very few consumers actually read privacy policies as they find them too complex to understand. 4% out of the 140 respondents had read Facebook’s privacy policy thoroughly. 46% had read it to some extent and 50% had never read it. Even among the daily users, 50% had never read the privacy policy. This can be due to that the policy is too long and complicated to read, or that it is not clearly displayed.

Recent studies have shown that privacy policies are too lengthy and hard to read (Antón et al., 2010). 61% out of the 140 respondents believe that privacy policies in general are hard to understand. Fernquist (2012) believed that privacy policies are often too inadequate. On the other hand, she also stated that an excessive amount of information makes one not want to fully absorb what is written or simply makes one skip it over. This shows us that privacy policies need to be written in a basic language to facilitate the ability of understanding them. They should be long enough to cover the areas of how the personal data is being collected, used and stored – without unnecessary information being included.

Uppsala University 29

Agnvall (2012) pointed out that even though users want more clear and transparent privacy policies, there are certain procedures the websites have to follow to fulfil governmental requirements. The users want it simple and easy but the data protection authorities want in depth information on how the personal data will be processed and used. This goes against Timpson & Troutman’s (2009) theory that privacy policies should be short and plainly written. He also stated that the users have a responsibility of reading the privacy policies, no matter the toughness; “Of course the websites can make it easier, but you still have a responsibility as a user to read them (Agnvall, 2012).” This implies that websites such as Facebook can make two sets of privacy policies; one that covers the basic idea of the privacy policies for the users to read and understand, making it as clear and transparent as possible. The other one can be more in depth to meet the data protection authorities’ requirements, but can also be read by the users if they want more detailed information.

Trust and Privacy Policies

According to McRobb (2006) websites that display a privacy policy will increase trust in their consumers. 46% of all users agreed on some level that their trust would increase if a website displayed a privacy policy. The Federal Trade Commission (FTC) had presented five principles that make a privacy policy trustworthy; to give notice; choice; security; access & correction; and enforcement(Wirtz et al., 2007).

6% that had read Facebook’s privacy policy thoroughly or to some extent believed that their trust increased with the website, but 24% believed that it did not. 46% of the respondents stated that if other websites had privacy policies their trust would increase with them. This shows that users may not have full trust in a SNS they use extensively. This can be due to the fact that Facebook has been accused in the past of violating their users’ privacy by getting them to share more personal information than they had agreed to when they first signed up. Agnvall (2012) stated that Facebook had been reviewed in Europe with their privacy policy, after users were being mapped on what they were doing and what information they were giving on the website. The users had no idea what was being done and what data was being collected. He pointed out that it is important to have consent from both parties. Both have to agree on the terms of usage of personal data.

In the case of people that had read Facebook’s Privacy Policy and there was no increase of trust, goes against the theory of that trust increases if a website displays a privacy policy (Brown &Muchira, 2004). However, this could also be due to that Facebook’s privacy policy

Uppsala University 30 is either too vague or too hard to understand. Facebook state in their Privacy Policy that the users still own their own data, because trust is important to the company. That is why they will not share the users information unless they have permission from the user, given notice to the user, or removed the users name and other information that could identify them (Facebook, 2012). Even though this is stated, the respondents that read the privacy policy did not feel that their trust increased in the company. This can be due to that further down in their policy Facebook states that the information they receive from the user is given to the people and companies that help Facebook with providing the services that are offered. For example, they might use vendors from outside to help host their website, serve photos and videos, process payments, and provide search results. In certain cases they provide service jointly with another company, such as the Facebook Marketplace.

When Facebook does share information with their partners, the partners have to agree to only use the users’ information consistently with the agreement that they entered into with Facebook, and also with this privacy policy (Facebook, 2012). After reading the first statement the user understands it as though the information will only stay between Facebook and the user, but after reading the second statement it is understood that Facebook shares the information with their partners. This suggests that the respondents that had read the privacy policy, in which trust did not increase, felt that Facebook sharing their personal data with other partners was an invasion of privacy.

Consumer Behaviour and Personal Data

75% of the respondents said that they would only fill in data partially when registering with Facebook. Facebook requires email address, date of birth and gender when users sign up (Facebook, 2012). However the registrar does not have to fill in the correct information. As long as there is a valid email address available, users can type in any date of birth and gender. This shows that users do this when they feel that their privacy is put at risk but they still want to get the most usage of a site that they possibly can. Out of the 75% that would fill in data partially, 71% were concerned with their personal privacy on Facebook. When an individual’s personal privacy is being put on the line, they will give out less personal data.

The most common data Facebook users share on their profile is: full name, date of birth, email address, work experience, education history, interests and photos. Even though 66% stated that they were concerned of their personal privacy on Facebook, they have shared highly personal information such as full name, date of birth, and photos. This goes against the

Uppsala University 31 theory of Dinev and Hart (2006) that states that the higher the trust the more information consumers will reveal. However, the authors also state that the consumers’ actual behaviour might not be the same as their stated privacy preferences. According to Gangadharbatla (2008), peoples’ behaviour on social networking sites change because they have a need to belong, and thus will disclose more information. This demonstrates that the respondents are concerned about their privacy but they do not want the feeling of being left out, and thus will give out other information in order to stay in touch with their friends.

Dinev and Hart’s (2006) theory goes well along with one individual, which was the most basic with only full name, date of birth and email address revealed. As stated above, these three criterion are needed when one registers on Facebook’s website. This person only logs in a few times a month, and has read Facebook’s Privacy Policy thoroughly in which after reading trust did not increase. This person is highly concerned about their own personal privacy on Facebook, concerned that their information will be shared, believes personalized marketing is an invasion of privacy and that there should be tougher regulations by the government.

On the other hand, we have another individual that shares all of their information, which goes with Gangadharbatla’s (2008) theory, as mentioned above. This person reveals their full name, date of birth, home address, telephone number, email address, work experience, education history, relationship status, political views, religion, other website information (, blog etc.), interests, and photos. This individual logs on to Facebook on a daily basis, has read the privacy policy to some extent and has no concern over their personal privacy on the website. They also have no concern over Facebook sharing their personal information; they do not believe that personalized marketing is an invasion of privacy; and thus does not want tougher government regulations.

5. Conclusions This chapter presents the conclusions where the research questions are answered to fulfil the purpose of the paper. Finally, the paper will discuss possible limitations of the study and present recommendations for future research.

The purpose of this paper was to find out how companies could react to consumer concerns regarding online privacy and how their personal data is being used for personalized marketing. Companies’ access to personal data has increased the use of personalized Uppsala University 32 marketing which has in turn increased privacy concerns among Internet users. If companies clearly display privacy policies online they can affect consumers’ trust and behaviour as they become more willing to provide personal information. The theory model for this study is therefore accepted.

A number of implications can be drawn from this study. The findings suggest that consumers who perceive their privacy being threatened still share various amount of personal data on the Internet. Some of the users are not aware, or do not fully understand, how personal data is being used for marketing purposes. This, in turn, challenges trust and at the same time it weakens the benefits for this type of target marketing.

The authors raised the research question to what extent the usage of personal data for personalized marketing could be positively related to the consumers’ behaviour on social networking sites. The results indicate that if companies improve their privacy policies and do their best to inform the customers about how the personal data is being used, it will reduce the negative responses. When customers are assured about their rights, the concerns will in turn be minimized. This can lead to the customers giving out more information, which is positive for both parties, as the firms can more easily meet the customers’ needs, and interests.

The research demonstrates that the respondentsdepend on the privacy policies as a measure for trustworthiness. For companies, the results imply that they should be up to date and comply with the regulations on personal data protection. In the long run this will increase trust among the consumers. Our findings agree with Wirtz et al. (2007), that businesses should implement privacy policies that include basic principles of notice, choice, security, review, and correction. The policies should be highly visible on the companies’ websites and written in a language simple enough to understand, and yet comprehensive enough to be effective.

The authors wanted to find out if Internet users approve of personalized marketing or if they consider it an invasion of privacy. At first sight, people seem to approve of personalized marketing and the majority want to be visible on the Internet. Instead of emphasizing strong barriers they seem to focus on being noticed and presentedpersonally. However, Internet users believe in, and trust governmental control and law enforcement as methods to ensure their online privacy protection. Marketers should respect rules, regulations and individuals’ rights. But in order to continue personalized marketing, there are two important concepts for companies to keep in mind: education and the individuals’ right to object. Web providers need to inform their consumers clearly about their rights, explain how they use personal data and Uppsala University 33 assist people in having their data altered or deleted if permissible.However, this can be difficult to implement in certain situations due to legal issues.

The second research question considered how organizations could implement personalized marketing without jeopardising customers’ trust. The authors have concluded that Internet users like the idea of personalised search results as the companies can better meet the customers’ needs and interests. Therefore, despite everything theory says regarding privacy concerns and what researchers have argued, the conclusion according to this research is that it is time to re-think previous theories. People prefer being noticed than being anonymous, which is a milestone conclusion in the world of online marketing and something scholars and marketers should reflect on. Nevertheless, the risk of information misuse exists.When people start to accept personalized marketing, more personal data will be given out, in which it can be harder to control the web providers’ next steps. Therefore it goes back to that companies should inform and educate their customers on how their personal data is being collected and processed.

5.1 Limitations and Future Research Due to the fact that this is an empirical study of exploratory nature, it has some limitations. First, it relies on a convenience sample of university students, which may limit the validity of the findings. The validity of the study would have increased if focus groups and interviews had been conducted with the sample, in order to get a better understanding for the consumers concern. Also, no interview was conducted with the company analysed in this research, Facebook Inc., due to lack of interest to participate on their behalf.

For future research it would be interesting to conduct the survey on different demographic samples, for example people over the age of 34, instead of focusing on young people/students. Also, the future of personalized marketing is an interesting field to monitor, and in a few years perform a follow up study to see how the results have evolved.

It would be interesting to look at other companies using personalized marketing and see where they stand in comparison to Facebook regarding privacy concerns. In addition, it could be interesting to interview other companies that gather and use vast amounts of personal data to find out what their opinion towards personalized marketing is, and their prediction for the future of online marketing.

Uppsala University 34

References Antón, A. I., Earp, J. B., & Young, J. D., (2010), How Internet Users’ Privacy Concerns Have Evolved Since 2002, IEEE Security & Privacy Magazine, Vol. 8, No. 1, pp. 21-27.

Arora, Neerajet al., (2008),Putting One-To-One Marketing To Work: Personalization, Customization, and Choice, Marketing Letters, Vol. 19, No. 3/4, pp. 305-321.

Boyd, D.,& Ellison, N., (2007), Social Network Sites: Definition, History, and Scholarship. Journal of Computer-Mediated Communication, Vol. 13, pp.210-230.

Broom, R., Forcht, K. A., Gottovi, D., Kruck, S.E., &Moghadami, F., (2002), Protecting Personal Privacy on the Internet, Information Management and Computer Security, Vol. 10, No. 2, pp. 77-84.

Brown, M.,&Muchira, R., (2004), Investigating the Relationship Between Internet Privacy Concerns and Online Purchase Behavior, Journal of Electronic Commerce Research, Vol. 5, No. 1, pp. 62-70.

Christensen, L., Engdahl, N., Carlsson, C., Haglund, L., (2001), Marknadsundersökning – en Handbook, Lund: Student literature. Culnan, M. J., & Armstrong, P. K., (1999), Information Privacy Concerns, Procedural Fairness, and Impersonal Trust: An Empirical Investigation, Organization Science, Vol. 10, No. 1, pp. 104-115.

Dinev, T.,& Hart, P., (2006a), Internet Privacy Concerns and Social Awareness as Determinants of Intention to Transact, International Journal of Electronic Commerce, Vol. 10, No. 2, pp. 7-29.

Dinev, T.,& Hart, P., (2006), An Extended Privacy Calculus Model for E-Commerce Transactions, Information Systems Research, Vol. 17, No. 1, pp. 61-80.

Earp, J. B., Antón, A. I., Aiman-Smith, L., &Stufflebeam, W. H., (2005), Examining Internet Privacy Policies Within the Context of User Privacy Values, IEEE Transactions on Engineering Management, Vol. 52, No. 2, pp. 227-237.

Gangadharbatla, Harsha, (2008), Facebook Me: Collective Self-Esteem, Need to Belong, and Internet Self-Efficacy as Predictors of the iGeneration’s Attitudes Toward Social Networking Sites, Journal of Interactive Advertising, Vol. 8, No. 2, Special section, pp. 1-28. Hamid, Noor R. Ab, (2008), Consumers’ Behaviour Towards Internet Technology and Internet Marketing Tools, International Journal of Communications, Issue 3, Vol. 2, pp. 195- 204. Hoffman, D. L., Novak, T. P., & Peralta, M., (1999), Building Consumer Trust Online, Communications of the ACM, Vol 42, No 4, pp. 80-85.

Kasavana, M., Nusair, K., &Teodosic, K., (2010), Online social networking: redefining the human web, Journal of Hospitality and Tourism Technology, Vol. 1, No. 1, pp. 68-82.

Uppsala University 35

Kosta, E., Kalloniatis, C., Mitrou, L., &Gritzalis, S., (2010), Data Protection Issues Pertaining to Social Networking Under EU Law, Transforming Government: People, Process and Policy, Vol. 4, No. 2, pp. 193-201.

McRobb, Steve, (2006), Let’s Agree to Differ: Varying Interpretations of Online Privacy Policies, Journal of Information, Communication, and Ethics in Society, Vol. 4, No. 4, pp. 15- 28. Mesch, G. S., & Beker, G., (2010). Are Norms of Disclosure of Online and Offline Personal Information Associated with the Disclosure of Personal Information Online? Human Communication Research, Vol. 36 No. 4, pp. 570-592.

Mital, M.,&Sarkar, S., (2011), MultihomingBehavior of Users in Social Networking Websites: A Theoretical Model, Information Technology & People, Vol. 24, No. 4, pp. 378- 392.

Morgan, R. M., & Hunt, S. D., (1994), The Commitment-Trust Theory of , The Journal of Marketing, Vol. 58, No 3, pp. 20-38.

Peluchette, J., &Karl, K., (2010). Examining Students’ Intended Image on Facebook: “What Were They Thinking?!”,Journal of Education for Business, Vol. 85, No. 1, pp. 30-37.

Pepper, D., Rogers, M., &Dorf, B., (1999), Is Your Company Ready For One-To-One Marketing?, Harvard Business Review, Vol. 77, No. 1, pp. 151-160.

Peter, P. J., and Olson, J. C., (2008), Consumer Behaviour and Marketing Strategy, Eighth Edition, Singapore, The McGraw-Hill Companies Inc., International Edition. Phelps, J. E., D’Souza, G., & Nowak, G. J., (2001), Antecedents and Consequences of Consumer Privacy Concerns: An Empirical Investigation, Journal of Interactive Marketing, Vol. 15, No. 4, pp. 2-17.

Proctor, R. W., Ali, A. M., Vu, KP. L., (2008), Examining Usability of Web Privacy Policies, International Journal of Human-Computer Interaction, Vol. 24, No. 3, pp. 307-328.

Saunders, M., Lewis, P. &Thornhill, A. (2009).Research Methods for Business Students (5th ed.). Essex: Prentice Hall. Smith, J., Milberg, S..& Burke, S., (1996), Information Privacy: Measuring Individuals’ Concerns About Organizational Practices, MIS Quarterly, Vol. 20, Issue 2, pp. 167-196.

Szmigin, Isabelle, (2003), Understanding the Consumer, London, SAGE Publication Ltd.

Timpson, S., & Troutman, M., (2009), The Importance of a Layered Privacy Policy on all Mobile Internet Sites and Campaigns, International Journal of Mobile Marketing, Vol. 4, No. 1, pp. 57-61.

Vesanen, J., &Raulas, M., (2006), Building Bridges For Personalization: A Process Model For Marketing, Journal of Interactive Marketing, Vol. 20, No. 1, pp. 5-20.

Vesanen, Jari, (2007), What Is Personalization? A conceptual framework, European Journal of Marketing, Vol. 41, No. 5, pp. 409-418.

Uppsala University 36

Wirtz, J., Lwin, M. O., & Williams, J. D., (2007), Causes and Consequences of Consumer Online Privacy Concern, International Journal of Service Industry Management, Vol. 18, No. 4, pp. 326-348.

Digital Sources

Acquisti, A., and Gross, R., (2006), Imagined Communities: Awareness, Information Sharing and Privacy on The Facebook, Proceedings of the 6th Workshop on Privacy Enhancing Technologies, Cambridge, UK, 2006, http://petworkshop.org/2006/preproc/preproc_03.pdf (Retrieved 3/15/2012).

Andrews, Lori, (2012). How Facebook Uses Your Data. The Times Of India, (online) Available at: http://articles.timesofindia.indiatimes.com/2012-02- 06/internet/31030189_1_facebook-advertising-revenue-myspace (Retrieved 4/8/2012).

Carlson, Nicholas (2010) At Last – The Full Story of How Facebook Was Founded. Business Insider, (online) Available at: http://www.businessinsider.com/how-facebook-was-founded- 2010-3 (Retrieved April 30, 2012). Constantinides, Efthymios, (2004), Influencing the Online Consumer’s Behaviour: The Web Experience, Internet Research, Vol. 14, No. 2 pp. 111-126, Emerald Group Publishing Limited, (online) Permanent link: http://dx.doi.org/10.1108/10662240410530835. Datainspektionen, (2012), About Us, (online) Available at: http://www.datainspektionen.se/in- english/ (Retrieved 3/17/2012). Dwyer, C., Hiltz, S. R., &Passerini, K. (2007). Trust and Privacy Concern Within Social Networking Sites: A Comparison of Facebook and MySpace. Proceedings of the Thirteenth Americas Conference on Information Systems, Keystone, Colorado August 09 - 12 2007, (online) Available at: http://csis.pace.edu/~dwyer/research/DwyerAMCIS2007.pdf (Retrieved 15/3/2012).

European Commission, (2011).New Data Protection Rules for the Digital Age.(online) Available at: http://ec.europa.eu/justice/data-protection/minisite/users3.html (Retrieved 4/10/2012).

European Commission, (2012).Protection of Personal Data.(online) Available at: http://ec.europa.eu/justice/data-protection/index_en.htm (Retrieved 4/10/2012).

Facebook Inc., (2012). Cookies, Pixels, and Similar Technologies, (online) Available at: http://www.facebook.com/help/?page=176591669064814 (Retrieved 4/15/2012).

Facebook Inc., (2012). How Advertising Works, (online) Available at: http://www.facebook.com/about/privacy/advertising (Retrieved 4/15/2012).

Facebook Inc., (2012). Information We Receive and How it is Used, (online). Available at: http://www.facebook.com/about/privacy/your-info (Retrieved 4/1/2012).

Facebook Inc., (2012). Interacting With Ads, (online) Available at: http://www.facebook.com/help/?page=226611954016283 (Retrieved 4/17/2012).

Uppsala University 37

Facebook Inc., (2012). Newsroom, Fact Sheet, (online) Available at: http://newsroom.fb.com/content/default.aspx?NewsAreaId=22 (Retrieved 3/15/2012).

Facebook Inc., (2012). Some Other Things You Need to Know (online) Available at: http://www.facebook.com/about/privacy/other (Retrieved 4/15/2012).

Federal Trade Commission (FTC), (2011). Facebook Settles FTC Charges that it Deceived Consumers by Failing to Keep Privacy Promises. (online) Available at: http://www.ftc.gov/opa/2011/11/privacysettlement.shtm (Retrieved 3/15/2012).

Information Commissioners Office, (2011).How Will The Data Protection Reform Affect Social Networks? (online) Available at: http://ec.europa.eu/justice/data- protection/index_en.htm (Retrieved 4/8/2012).

Information Commissioners Office, (2012).For the Public, Personal Information.(online) Available at: http://www.ico.gov.uk/for_the_public/personal_information.aspx(Retrieved 4/8/2012).

Ortutay, Barbara, (2011). Q and A: Facebook Privacy Changes. USA Today, (online). Available at http://www.usatoday.com/tech/news/story/2011-11-30/facebook-privacy- questions-and-answers/51509888/1 (Retrieved 3/26/2012). Pariser, Eli, (2011).Beware Online “Filter Bubbles”. (online video) Availabe at: http://www.ted.com/talks/eli_pariser_beware_online_filter_bubbles.html (Retrieved 3/20/2012).

Pernemalm, P., & Lindgren, M., (2011).Young People and Privacy 2011, (online) Available at: http://www.datainspektionen.se/in-english/in-focus-youth-and-privacy/ (Retrieved 3/24/2012).

Sengupta, Somini, (2011). F.T.C Settles Privacy Issue At Facebook. The New York Times, (online). Available at: http://www.nytimes.com/2011/11/30/technology/facebook-agrees-to- ftc-settlement-on-privacy.html?_r=1 (Retrieved 3/26/2012).

Sengupta, Somini, (2012). Risk and Riches in User Data for Facebook.The New York Times, (online) Available at: http://www.nytimes.com/2012/02/27/technology/for-facebook-risk-and- riches-in-user-data.html?ref=facebookinc (Retrieved 3/15/2012).

Sengupta, S., & Rusli, E. M., (2012). Personal Data’s Value: Facebook Is Set To Find Out. The New York Times, (online). Available at: http://www.nytimes.com/2012/02/01/technology/riding-personal-data-facebook-is-going- public.html?_r=1&pagewanted=all (Retrieved 3/26/2012). Story, Louise, (2008). To Aim Ads, Web Is Keeping Closer Eye on You. The New York Times, (online) Available at: http://www.nytimes.com/2008/03/10/technology/10privacy.html?_r=1 (Retrieved 3/15/2012).

Szymielewicz, Katarzyna, (2012). e-business: Your Privacy on the Line, Euronews, Right On, (online) Available at: http://www.euronews.com/2012/02/20/e-business-your-privacy-on-the- line-/ (Retrieved 3/15/2012).

Uppsala University 38

Interviews

Fernquist, Catharina, Lawyer at the Data Inspection Board of Sweden, (March 15, 2012).

Agnvall, Jonas, Lawyer at the Data Inspection Board of Sweden, (May 10, 2012).

Appendix 1: The Questionnaire * Required 1. Age * 2. Gender *

Male

Female

3. How often do you log on to Facebook? *

Daily

Few times a week

Few times a month

4. Have you read Facebooks privacy policy? *If the answer is 'Never' move on to question number 6

Never

To some extent

Thoroughly

5. Do you believe that your trust increased with Facebook after reading their privacy policy?

Strongly Disagree Strongly Agree

6. Does your trust in a website increase if you see that they have a privacy policy? *

Strongly Disagree Strongly Agree

7. Do you believe that privacy policies are easy to comprehend? *

Uppsala University 39

Strongly Disagree Strongly Agree

8. I am concerned about my online personal privacy on Facebook. *

Strongly Disagree Strongly Agree

9. I would resort to using another name or web/e-mail address when registering with this website so I can have full access and benefits as a registered user without divulging my real identity. *

Strongly Disagree Strongly Agree

10. When registering with this website, I may only fill in data partially. *

Strongly Disagree Strongly Agree

11. What type of personal data do you share with Facebook? * Fill in all that are applicable.

Full name

Date of birth

Home address

Telephone number

Email address

Work experience

Education history

Relationship status

Political views

Religion

Other website information (Twitter, blog, etc.)

Interests

Photos

Uppsala University 40

12. I am concerned that my personal data may be used for purposes other than the reason I provided the information for? *

Strongly Disagree Strongly Agree

13. I believe that the company would not share my personal information with other external parties unless I authorized it. *

Strongly Disagree Strongly Agree

14. I believe that the company would not use my personal information for purposes other than those initially stated on the site. *

Strongly Disagree Strongly Agree

15. I am concerned about the fact that this website might know/track the sites I have visited? *

Strongly Disagree Strongly Agree

16. I would use software to eliminate cookies that track my web-browsing behavior (e.g. JunkBuster, WRQ AtGuard). *

Strongly Disagree Strongly Agree

17. I would like to make use of software to disguise my identity (e.g. Zero Knowledge, Anonymizer, Freedom). *

Strongly Disagree Strongly Agree

18. I believe that personalized marketing is an invasion of privacy. *

Strongly Disagree Strongly Agree

19. Do you like the idea of personalizing search results based on past searches and information from your social networking sites? *

Yes

Yes, but I do have some concern about privacy

No, it is an invasion of privacy

20. Personalized search results are beneficial for getting the most out of my user experience. *

Strongly Disagree Strongly Agree

Uppsala University 41

21. There should be tougher regulations by the government to protect personal privacy online. *

Strongly Disagree Strongly Agree

Appendix 2:Results from the Questionnaire

1. Age

Age 34 1 1 Age 32 3 2 Age 30 6 4 Age 28 8 12 Age 26 15 40 Age 24 14 10 Age 22 5 8 Age 20 5 3 Age 18 3 0 5 10 15 20 25 30 35 40 45 Number of Students

2. Gender 3. How often do you log on to Facebook?

4%

12% Daily

Female Male Few Times A 50% 50% Week Few Times A 84% Month

Uppsala University 42

4. Have you read Facebooks privacy policy? 4%

Never 50% To Some Extent 46% Thoroughly

5. Do you believe that your trust increased with Facebook after reading their privacy policy?

30 28

25 20 20

15 10 10 7 4 5 0 1 0 1 - 2 3 4 5 6 7 - Strongly Strongly Disagree Agree

6. Does your trust in a website increase if you see that they have a privacy policy?

50 46 46 45 40 35 30 25 20 13 12 15 11 7 10 5 5 0 1 - Strongly 2 3 4 5 6 7 - Strongly Disagree Agree

Uppsala University 43

7. Do you believe that privacy policies are easy to comprehend?

40 36 35 31 30 25 24 25 20 17 15 10 3 4 5 0 1 - 2 3 4 5 6 7 - Strongly Strongly Disagree Agree

8. I am concerned about my online personal privacy on Facebook. 35 33 35

30 25 25 20 17 14 15 12 10 4 5 0 1 - 2 3 4 5 6 7 - Strongly Strongly Disagree Agree

9. I would resort to using another name or web/e-mail address when registering with this web site so I can have full access and benefits as a registered user without divulging my real identity.

28 30 26

23 25

18 20 17 16

15 12

10

5

0 1 - Strongly 2 3 4 5 6 7 - Strongly Disagree Agree

Uppsala University 44

10. When registering with this web site, I may only fill in data partially.

44 45

40 35 35 30 26 25 19 20 15 8 10 5 3 5 0 1 - Strongly 2 3 4 5 6 7 - Strongly Disagree Agree

11. What type of personal data do you share with Facebook?

Photos 123 78 Other Website Information 16 47 Political Views 25 56 Education History 110 69 Email Address 113 33 Home Address 10 118 Full Name 124 0 20 40 60 80 100 120 140

12. I am concerned that my personal data may be used for purposes other than the reason I provided the information for?

30 29 28 30

25 20 19 20

15 12

10

5 2

0 1 - Strongly 2 3 4 5 6 7 - Strongly Disagree Agree

Uppsala University 45

13. I believe that the company would not share my personal information with other external parties unless I authorized it.

30 30 24 23 25 20 20 17 14 15 12

10

5

0 1 - Strongly 2 3 4 5 6 7 - Strongly Disagree Agree

14. I believe that the company would not use my personal information for purposes other than those initially stated on the site.

28 30 26 23 25 22

18 20

13 15 10 10

5

0 1 - Strongly 2 3 4 5 6 7 - Strongly Disagree Agree

15. I am concerned about the fact that this web site might know track the sites I have visited? 40 40 35 30 23 25 21 21 17 20 15 11 7 10 5 0 1 - 2 3 4 5 6 7 - Strongly Strongly Disagree Agree

Uppsala University 46

16. I would use software to eliminate cookies that track my web- browsing behavior (e.g. JunkBuster, WRQ AtGuard).

24 24 25 22 20 20 18 18

14 15

10

5

0 1 - Strongly 2 3 4 5 6 7 - Strongly Disagree Agree

17. I would like to make use of software to disguise my identity (e.g. Zero Knowledge, Anonymizer, Freedom).

23 24 24 25 19 20 20 15 15 15

10

5

0 1 - 2 3 4 5 6 7 - Strongly Strongly Disagree Agree

18. I believe that personalized marketing is an invasion of privacy.

35 31 30 30

25 21 20 20 16 14 15 8 10

5

0 1 - Strongly 2 3 4 5 6 7 - Strongly Disagree Agree

Uppsala University 47

19. Do you like the idea of personalizing search results based on past searches and information from your social networking sites?

16% 28% Yes

Yes, but I do have some concern about privacy No, it is an invasion of privacy

56%

20. Personalized search results are beneficial for getting the most out of my user experience.

50 46 45 40 35 28 30 25 21 20 15 15 15 10 10 5 5 0 1 - Strongly 2 3 4 5 6 7 - Strongly Disagree Agree

21. There should be tougher regulations by the government to protect personal privacy online.

35 35 31 32

30 24 25

20

15 11

10 6

5 1

0 1 - Strongly 2 3 4 5 6 7 - Strongly Disagree Agree

Uppsala University 48

Appendix 3: Interview Questions with Catharina Fernquist 1. What complaints are most common regarding the usage of consumers’ personal data on the Internet? 2. Do you believe that Privacy Policies are too complicated to comprehend? Should the companies make them clearer and shorter for the reader to fully understand?

3. Whatdo you thinkcompaniescan do toincrease trustamongst theircustomers?Do you believeitwouldhelp if thePrivacyPoliceswereclearly displayedon their websites? Shouldcompaniesformcampaigns to promote and to make their policies more accessible? 4. Would it be a positive impact on a companies marketing strategy if theywere to be more honestabout the usage ofpersonaldata(regardless of how they use it)andcould it leadto increasedmarket share? Do the clients actually care about the PrivacyPolicies?

Appendix 4: Interview Questions with Jonas Agnvall 1. Have there been any recent legal issues with individuals’ personal privacy that has created a stir? 2. To avoid conflicts between the users and the website, would it help to make the privacy policies easier? 3. Has the Data Inspection Board ever received complaints about personalized marketing? 4. What will happen with personalized marketing in the future? 5. Do individuals have the right to be forgotten? 7. People put up a lot information on social networking sites, how should it be protected? 8. Should government regulations be increased due to that there are more users online today compared to only a few years back? 12. Should the websites inform on how to protect personal information, or should it just be a part of the privacy policies? 13. Would individuals behave differently if there was more Government control?

Uppsala University 49