The effects of voluntary GDPR adoption and the readability of privacy statements on customers’ information disclosure intention and trust
Pages: 145-163
DOI: https://doi.org/10.1108/JIC-05-2019-0113
Published date: 03 March 2020
Authors: Yibo Zhang, Tawei Wang, Carol Hsu
Subject Matter: Information & knowledge management
Yibo Zhang
Miami University, Oxford, Ohio, USA
Tawei Wang
DePaul University, Chicago, Illinois, USA, and
Carol Hsu
Tongji University, Shanghai, China
Abstract
Purpose – The purpose of this paper is to examine the impacts of companies’ voluntary adoption of the
General Data Protection Regulation (GDPR) as well as the readability of privacy statements on US customers’
intention to disclose information and their trust in a company.
Design/methodology/approach – Building on the construal level theory and psychological distance, the
authors conduct a 2 × 2 + 2 between-participants experiment with 255 participants.
Findings – The findings show that a company’s voluntary adoption of the GDPR has positive effects on
customers’ intention to disclose information to and their trust in that company. In addition, the effects of GDPR
adoption are stronger when the adopting company’s privacy statements possess a higher level of readability.
Originality/value – The authors believe this study poses policy implications for the outcomes of GDPR
adoption and the recent debate on both a stricter data breach and privacy regulation.
Keywords Construal level theory, Privacy, Psychological distance, GDPR, Policy readability,
Intention to disclose
Paper type Research paper
Received 26 May 2019
Revised 31 May 2019, 9 August 2019
Accepted 16 September 2019
Journal of Intellectual Capital, Vol. 21 No. 2, 2020, pp. 145-163
© Emerald Publishing Limited, 1469-1930
DOI 10.1108/JIC-05-2019-0113
The current issue and full text archive of this journal is available on Emerald Insight at:
www.emeraldinsight.com/1469-1930.htm
1. Introduction
Three major aspects of intellectual capital have been identified in previous studies: human,
organizational and social capital. Human capital concerns individuals’ knowledge, skills and
abilities (Schultz, 1961); organizational capital is institutionalized knowledge and experience
(Youndt et al., 2004); and social capital is the knowledge embedded within, and utilized for,
interactions among individuals and their networks of people (Nahapiet and Ghoshal, 1998). One
aspect of social capital that has been commonly discussed in prior studies in the context of
consumer–firm relationships is relational social capital (e.g. Jones and Taylor, 2012; Muhammad
et al., 2017; Sussan, 2012), which refers to relationships developed over time in interactions
(Nahapiet and Ghoshal, 1998). High relational social capital involves close, committed or
trusting relationships (e.g. Morgan and Shaver, 1999; Watson and Papamarcos, 2002).
Although consumer relational social capital has been emphasized in the past, advances in
digital technology and the emergence of big data have brought new opportunities for firms to
improve these relationships and to understand consumers in more detail (e.g. Rosenbush and
Totty, 2013). Nevertheless, it is a challenge to manage and protect a variety of data in a way that
enables the creation of different forms of intellectual capital (Secundo et al., 2017). This paper
argues that, while data generated through daily business processes provide new opportunities
for organizations to enhance their decision making and increase organizational performance
(Buluswar et al., 2016; Mills, 2018) via enhanced relational social capital, increasing data
collection and analysis activities have led to major concerns regarding personal privacy[1].
This has become evident through a number of high-profile data breaches and more
stringent regulatory requirements for personal data[2] protection; for instance, in 2018, the
Facebook privacy scandal, which revealed that millions of users’ of Cambridge Analytica had
escalated privacy concerns, resulted in great attention from both regulators and the public
(Forbes Technology Council, 2018). In view of this major data protection issue, the General
Data Protection Regulation (GDPR) was passed in 2017 and implemented in the European
Union (EU) in May 2018 to combat the increasing problems associated with the collection and
management of customers’ personal data[3]. This new regulation was established to change
organizational practices for gathering and handling the information of individuals residing in
the EU, regardless of a company’s physical presence in Europe (Schechner, 2018)[4]. Similarly,
US states, such as Alabama, Arizona, Iowa and Virginia, started proposing new data privacy
laws with the aim of expanding the scope of existing regulations and mirroring several
aspects of the GDPR; for instance, the new California law AB375[5], which was passed in June
2018, is in essence similar to the GDPR in that it requires businesses to delete collected
personal data. In addition, the White House National Economic Council is currently discussing
the possibility of implementing a GDPR-like data privacy law (Romm, 2018).
Although enforced in the EU, the GDPR (2018) has global impact because of the
extraterritoriality requirement in Article 3; for example, if a US company collects personal
data from EU customers, the company is mandated to comply with the GDPR. Compared to
previous agreements between the EU and the US, such as the EU–US Safe Harbor
arrangement and the Privacy Shield agreement[6], the extraterritoriality requirement of the
GDPR is a higher-level protective regulation and requires US companies to take immediate
compliance action. As a result, based on a survey conducted by McDermott–Ponemon
Institute LLC, approximately one month before the enforcement of the GDPR, 90 percent of
US companies expected to be influenced by the GDPR and two-thirds of US companies were
being proactive and taking action to comply with it (McDermott Will Emery LLP and
Ponemon Institute LLC, 2018).
In addition to the extraterritoriality requirement, another important aspect that is
highlighted in the GDPR (2018) is the need for organizations to communicate with individuals
“in a concise, transparent, intelligible and easily accessible form, using clear and plain
language […]” (Article 12 Clause 1)[7] concerning how and why their information is being
collected and processed; for example, Google was fined roughly $57m by the French
Government because the company did not fully disclose how users’ personal information was
collected and used – or obtain users’ informed consent regarding Google’s use of personalized
advertisements (Romm, 2019). To give another example, Facebook agreed to pay $100m in
compensation for misleading disclosures regarding the use of customers’ information (SEC,
2019). Compared to their European counterparts, Stern (2018) argued that most US companies’
consent processes are unnecessarily lengthy and difficult to understand.
Given the background of the GDPR, this research specifically examined two aspects of
the GDPR: voluntary adoption of the GDPR and the readability of privacy statements. The
former aspect is driven by the extraterritoriality requirement, leading to US companies
considering voluntary adoption of the GDPR as a proactive strategic decision. The latter
aspect is driven by the GDPR’s requirement for communication of privacy statements,
encouraging US companies to design more readable privacy statements. Therefore, the
research aimed to answer the following research question:
RQ1. How do US companies’ voluntary adoption of the GDPR and the readability
of their privacy statements affect customers’ trust and willingness to disclose
personal information?