Privacy and trust in e-commerce - digital business and e commerce management strategy implement

1 Variation in organisation characteristics

● Size of company (employees or turnover)

● Industry sector and products

● Organisation type (private, public, government, not- for- profit)

● Division

● Country and region.

2 Individual role

● Role and responsibility from job title, function or number of staff managed

● Role in buying decision (purchasing influence)

● Department

● Product interest

● Demographics: age, sex and possibly social group.

B2B profiles

We can profile business users of the Internet in a similar way to consumers by assessing:

1 The percentage of companies with access. In the business-to-business market, Internet access levels are higher than for business-to-consumer. Understanding access for different members of the organisational buying unit amongst their customers is also important for marketers. Although the Internet seems to be used by many companies, it doesn’t necessarily reach the right people in the buying unit.

2 Influenced online. In B2B marketing, the high level of access is consistent with a high level of using the Internet to identify suppliers. As for consumer e-commerce, the Internet is important in identifying online suppliers rather than completing the transaction online.

This is particularly the case in the larger companies.

3 Purchase online. This shows the importance of understanding differences in the environment for e-commerce in different countries.

In summary, to estimate online revenue contribution to determine the amount of invest- ment in digital business we need to research the number of connected customers, the percentage whose offline purchase is influenced online and the number who buy online.

Adoption of digital business by businesses

The European Commission reviewed adoption of the digital business services across Europe (EuroStat, 2013), shown in Figure 4.6. It can be seen, perhaps surprisingly, that although most companies now have Internet access, other digital business services such as offering a website or using ERP or CRM are not used so widely, particularly in small business. This cer- tainly shows the opportunities remaining from individuals; indeed, the report states a need for more trained ICT specialists to assist businesses.

Figure 4.7 gives a summary of these barriers. You can see that the lack of relevance or need for e-commerce is the largest barrier, but organisational governance issues are also important.

Daniel et al. (2002) researched digital business adoption in UK SMEs and noted four clus- ters: (1) developers, which were actively developing services, but were limited at the time of research; (2) communicators, which use email to communicate internally and with customers and suppliers; (3) web presence; (4) transactors.

The luxury of sufficient resources to focus on planning and implementing an Internet strategy isn’t open to many small businesses and is likely to explain why they have not been such enthusiastic adopters of digital business.

Ethical issues and the associated laws constitute an important consideration of the Internet business environment for marketers. Privacy of consumers is a key ethical issue that affects all types of organisation regardless of whether they have a transactional e-commerce service.

(For example, we saw in Case study 1.1 that Facebook has encountered resistance from its users for its approach to managing their information.)

Figure 4.7 Barriers to adoption of e‑commerce services of European countries Source: European Commission (2010): http://ec.europa.eu/information_society/digital‑

agenda/documents/edcr.pdf. No longer available.

Adverse experiences with electronic sales in the past

Language problems related to international e-commerce Uncertainty about legal framework Security concerns (related to payments or transactions) Problems related to logistics Technical issues implementing e-commerce Need to reorganise business processes for e-commerce Customers do not want to buy via e-commerce Products or services not suitable for e-commerce

10% 20% 30% 40%

% of enterprises (simple average between 14 countries)

50% 60%

Figure 4.6 Enterprises adopting technologies for digital business, by size class, EU27, 2012 Source: EuroStat (2013).

23 39

20 31

18 44

68 49

73 88 68

86 93 95 99 100

Internet access Website Sharing

information electronically within the enterprise

Use of Enterprise Resource

Planning (ERP)

Business processes linked to those of

suppliers/

customers (Supply Chain Management)

Use of Customer Relationship Management (CRM) 0

20 40 60 80 100

EU27 95%

EU27 71%

EU27 53%

EU27 22% EU27 23% EU27 26%

Small Medium Large

A further ethical issue for which laws have been enacted in many countries is providing an accessible level of Internet services for disabled users. Other laws have been developed for managing commerce and distance- selling online. In many cases, the laws governing e-commerce are in their infancy and lag behind the applications of technology.

Privacy legislation

Privacy refers to a moral right of individuals to avoid intrusion into their personal affairs by third parties. Privacy of personal data such as our identities, likes and dislikes is a major concern to consumers, particularly with the dramatic increase in identity theft. This is clearly a major concern for many consumers when using e-commerce services since they believe that their privacy and identity may be compromised. This is not unfounded, as Box 4.2 shows.

While identity theft is traumatic, in the majority of cases the victim will eventually be able to regain any lost funds through their financial services providers.

Why personal data are valuable for digital business

While there is much natural concern amongst consumers about their online privacy, information about these consumers is very useful to marketers. Through understanding their customers’ needs, characteristics and behaviours it is possible to create more personalised,

Privacy A moral right of individuals to avoid intrusion into their personal affairs.

Identity theft The misappropriation of the identity of another person without their knowledge or consent.

Box 4.2 Types of identity fraud

Table 4.3 illustrates different types of identity fraud. The data show that it’s still a grow‑

ing problem with a 20% increase in impersonation between 2009 and 2010.

Fraud Type 2011 2012 % Change

Identity Fraud – Total 113,259 123,589 + 9.1%

Application Fraud – Total 43,263 39,868 -7.8%

False Insurance Claim 396 279 -29.5%

Facility Takeover Fraud 25,070 38,428 + 53.3%

Asset Conversion 532 337 -36.7%

Misuse of Facility 53,996 45,824 -15.1%

Victims of Impersonation 96,611 112,179 + 16.1%

Victims of Takeover 25,250 38,686 + 53.2%

See more at: www.cifas.org.uk/fraudtrendstwentytwelve#sthash.gmmvYOlJ.dpuf Notes:

Identity fraud cases include cases of false identity and identity theft.

Application fraud/false insurance claim relates to applications or claims with material falsehood (lies) or false supporting documentation where the name has not been identified as false.

Facility takeover fraud occurs where a person (the ‘facility hijacker’) unlawfully obtains access to details of the ‘victim of takeover’, namely an existing account holder or policy holder (or of an account or policy of a genuine customer or policy holder) and fraudulently operates the account or policy for their own (or someone else’s) benefit.

Asset conversion relates to the sale of assets subject to a credit agreement where the lender retained ownership of the asset (for example a car or a lorry).

Misuse of facility is where an account, policy or other facility is used fraudulently.

Source: CIFAS (2013).

Table 4.3 Identity fraud categories in the UK

targeted communications, which help increase sales. How should marketers respond to this dilemma? An obvious step is to ensure that marketing activities are consistent with the latest data protection and privacy laws. However, different interpretations of the law are possible and since these are new laws they have not been tested in court. As a result, companies have to take their own business decision based on the business benefits of applying particular marketing practices, against the financial and reputational risks of less strict compliance.

What are the main information types used by the Internet marketer which are governed by ethics and legislation? The information needs are:

1 Contact information. This is the name, postal address, email address and, for B2B companies, website address.

2 Profile information. This is information about a customer’s characteristics that can be used for segmentation. They include age, sex and social group for consumers, and company characteristics and individual role for business customers. (The specific types of information and how they are used is referenced in Chapters 2 and 6.) Research by Ward et al. (2005) found that consumers in Australia were willing to give non- financial data if there is an appropriate incentive.

3 Platform usage information. Through web analytics systems it is possible to collect information on type of computer, browser and screen resolution used by site users (see Chapter 7).

4 Behavioural information (on a single site). This is purchase history, but also includes the whole buying process. Web analytics (Chapter 12) can be used to assess the web and email content accessed by individuals.

5 Behavioural information (across multiple sites). This can show how a user accesses multiple sites and responds to ads across sites. Typically these data are collected and used using an anonymous profile based on cookie or IP addresses which is not related to an individual. Complete Activity 4.3 to find out more about behavioural targeting and form an opinion of whether it should be regulated more.

Activity 4.3 Attitudes to behavioural ad targeting

Imagine you are a web user who has just found out about behavioural targeting.

Use the information sources provided by the industry to form an opinion. Discuss with others studying your course whether you believe behavioural ad targeting should be banned (as has been proposed in some countries) or whether it is acceptable.

Suggested information sources:

● Internet Advertising Bureau guide to behavioural advertising and privacy (www.you‑

ronlinechoices.com/). If you take a look at this page you will see the number of ad networks that users can potentially you can be targeted on. How many are you targeted by and how do you feel about it? See www.youronlinechoices.com/uk/

your‑ad‑choices.

● Digital Analytics Association (www.digitalanalyticsassociation.org/? page= privacy).

A trade association of online tracking vendors.

● Google ‘ Interest‑ based advertising’: How it works (www.google.com/ads/prefer‑

ences/html/about.html), which explains the process and benefits as follows:

Many websites, such as news sites and blogs, use Google’s AdSense program (‘a network of publishers using advertising through Google’) to show ads on their sites.

It’s our goal to make these ads as relevant as possible for you. While we often show you ads based on the content of the page you are viewing, we also developed new

Table 4.4 summarises how these different types of customer information are collected and used. The main issue to be considered by the marketer is disclosure of the types of information collection and tracking data used. The first two types of information in the table are usually readily explained through a privacy statement at the point of data collection, which is usually a legal requirement. However, with the other types of information, users would only know they were being tracked if they have cookie monitoring software installed or if they seek out the privacy statement of a publisher which offers advertising.

Ethical issues concerned with personal information ownership have been summarised by Mason (1986) into four areas:

● Privacy – what information is held about the individual?

● Accuracy – is it correct?

● Property – who owns it and how can ownership be transferred?

● Accessibility – who is allowed to access this information, and under which conditions?

Fletcher (2001) provides an alternative perspective, raising these issues of concern for both the individual and the marketer:

● Transparency – who is collecting what information and how do they disclose the collection of data and how it will be used?

● Security – how is information protected once it has been collected by a company?

● Liability – who is responsible if data are abused?

All of these issues arise in the next section, which reviews actions marketers should take to achieve privacy and trust.

Data protection legislation is enacted to protect the individual, to protect their privacy and to prevent misuse of their personal data. Indeed, the first article of the European Union directive 95/46/EC (see http://ec.europa.eu/justice_home/fsj/privacy/) specifically refers to personal data. It says:

Member states shall protect the fundamental rights and freedoms of natural persons [i.e.

a named individual at home or at work], and in particular their right to privacy with respect to the processing of personal data.

In the UK, the enactment of the European legislation is the Data Protection Act 1984, 1998 (DPA). It is managed by the ‘Information Commissioner’ and summarised at ^www.

ico.gov.uk. This law is typical of what has evolved in many countries to help protect personal information. Any company that holds personal data on computers or on file about customers or employees must be registered with the data protection registrar (although there are some exceptions which may exclude small businesses). This process is known as notification.

Notification The process whereby companies register with the data protection registrar to inform about their data holdings.

technology that shows some ads based on interest categories that you might find useful. The following example explains this new technology step by step:

Mary’s favourite hobby is gardening. With Google’s interest- based advertising technology, Mary will see more relevant gardening ads because she visits many gar- dening websites. Here’s how that works: When Mary visits websites that display ads provided by Google’s AdSense program, Google stores a number in her browser (using a ‘cookie’) to remember her visits. That number could look like this: 114411.

Because many of the websites that Mary visits are related to gardening, Google puts her number (114411) in the ‘gardening enthusiast’ interest category.

As a result, Google will show more gardening ads to Mary (based on her browser) as she browses websites that use AdSense.

Answers to activities can be found at www.pearsoned.co.uk/chaffey

Type of information Approach and technology used to capture and use information

1 Contact information • Online forms – online forms linked to customer database

• Cookies – are used to remember a specific person on subsequent visits

2 Profile information, including personal information • Online registration forms collect data on social networks and retail sites

• Cookies can be used to assign a person to a particular segment by linking the cookie to a customer database record and then offering content consistent with their segment

3 Access platform usage • Web analytics system – identification of computer type, operating system and screen characteristics based on http attributes of visitors

4 Behavioural information on a single site • Purchase histories are stored in the sales order database.

Web analytics store details of IP addresses against clickstreams of the sequence of web pages visited

• Web beacons in email marketing – a single- pixel GIF is used to assess whether a reader had opened an email

• First- party cookies are also used for monitoring visitor behaviour during a site visit and on subsequent visits

• Malware can collect additional information such as passwords

5 Behavioural information across multiple sites • Third- party cookies used for assessing visits from different sources such as online advertising networks or affiliate networks (Chapter 9)

• Search engines such as Google use cookies to track advertising through its AdWords pay‑ per‑ click program

• Services such as Hitwise ( www.experian.com/hitwise/) monitor IP traffic to assess site usage of customer groups within a product category

Table 4.4 Types of information collected online and related technologies

The guidelines on the eight data protection principles are produced by legal requirements of the 1998 UK Data Protection Act. These principles state that personal data should be:

1 Fairly and lawfully processed.

In full: ‘Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless – at least one of the conditions in Schedule 2 is met; and in the case of sensi‑

tive personal data, at least one of the conditions in Schedule 3 is also met.’

The Information Commissioner has produced a ‘fair processing code’ which suggests how an organisation needs to achieve ‘fair and lawful processing’. This requires:

● Appointment of a data controller who has defined responsibility for data protection within a company.

● Clear details in communications such as on a website or direct mail of how a ‘^data subject’ can contact the data controller or a representative.

● Before data processing ‘the data subject has given his consent’ or the processing must be necessary either for a ‘contract to which the data subject is a party’ (for example as part of a sale of a product) or because it is required by other laws.

Personal data Any information about an individual stored by companies concerning their customers or employees.

Data controller Each company must have a defined person responsible for data protection.

Data subject The legal term to refer to the individual whose data are held.

● Sensitive personal data require particular care, – the racial or ethnic origin of the data subject;

– political opinions;

– religious beliefs or other beliefs of a similar nature;

– membership of a trade union;

– physical or mental health or condition;

– sexual life;

– the commission or alleged commission or proceedings of any offence.

● No other laws must be broken in processing the data.

2 Processed for limited purposes.

In full: ‘Personal data shall be obtained only for one or more specified and lawful pur‑

poses, and shall not be further processed in any manner incompatible with that purpose or those purposes.’

This implies that the organisation must make it clear why and how the data will be processed at the point of collection. Figure 4.8 suggests some of the issues that should be considered when a data subject is informed of how the data will be used. Important issues are:

● Whether future communications will be sent to the individual (explicit consent is required for this in online channels).

● Whether the data will be passed on to third parties (again explicit consent is required).

● How long the data will be kept.

3 Adequate, relevant and not excessive.

In full: ‘Personal data shall be adequate, relevant and not excessive in relation to the pur‑

pose or purposes for which they are processed.’

This specifies that the minimum necessary amount of data is requested for processing.

There is difficulty in reconciling this provision between the needs of the individual and the needs of the company. The more details that an organisation has about a customer,

Figure 4.8 Information flows that need to be understood for compliance with data protection legislation

Do I understand?

• the purpose

• likely consequences

• future use

…of my given data

‘Data subject’

i.e. prospect or customer

‘Data controller’

Individual in organisation responsible for

personal data 1 Obtain ‘personal data’

2 Store ‘personal data’

3 Disseminate and use ‘personal data’

4 Modify and delete data

the better they can understand that customer and so develop products and marketing communications specific to that customer.

4 Accurate.

In full: ‘Personal data shall be accurate and, where necessary, kept up to date.’

It is clearly also in the interest of an organisation in an ongoing relationship with a partner that the data are kept accurate and up to date. Inaccurate data are defined in the guidelines as: ‘incorrect or misleading as to any matter of fact’.

The guidelines go on to discuss the importance of keeping information up to date. This is only necessary where there is an ongoing relationship and the rights of the individual may be affected if they are not up to date.

5 Not kept longer than necessary.

In full: ‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.’

The guidelines state: ‘To comply with this Principle, data controllers will need to review their personal data regularly and to delete the information which is no longer required for their purposes.’

It might be in a company’s interests to ‘clean data’ so that records that are not relevant are archived or deleted. However, there is the possibility that the customer may still buy again, in which case the information would be useful. For example, a car manufacturer could justifiably hold data for several years.

If a relationship between the organisation and the data subject ends, then data should be deleted. This will be clear in some instances; for example, when an employee leaves a company their personal data should be deleted.

6 Processed in accordance with the data subject’s rights.

In full: ‘Personal data shall be processed in accordance with the rights of data subjects under this Act.’

One aspect of the data subject’s rights is the option to request a copy of their personal data from an organisation for payment of a small fee such as £10 or £30; this is known as a

‘subject access request’. This includes all information on paper files and on computer.

Other aspects of a data subject’s rights are designed to prevent or control processing which:

● causes damage or distress (for example, repeatedly sending mailshots to someone who has died);

● is used for direct marketing (for example, in the UK consumers can subscribe to the mail, email or telephone preference service to avoid unsolicited mailings, emails or phone calls). This invaluable service is provided by the Direct Marketing Association (www.dmaconsumers.org). Organisations must check against these ‘exclusion lists’

before contacting you.

● is used for automatic decision taking – automated credit checks, for example, may result in unjust decisions on taking a loan.

7 Secure.

In full: ‘Appropriate technical and organisational measures shall be taken against unau‑

thorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

(Techniques for managing data security are discussed in Chapter 11.)

Of course, the cost of security measures will vary according to the level of security required. The Act allows for this through this provision:

(i) Taking into account the state of technological development at any time and the cost of implementing any measures, the measures must ensure a level of security appropriate to:

(a) the harm that might result from a breach of security; and (b) the nature of the data to

Subject access request A request by a data subject to view personal data from an organisation.

Dalam dokumen digital business and e commerce management strategy implementation and practice 6 ed (Halaman 171-184)