As is evident with the current Facebook crisis, third parties pose a significant potential privacy risk to visitors. But Facebook is not the only website using them. The convenience of easy sign-ins with Google or Twitter accounts also results in immediate identification with third parties.
Currently, there is effectively no tracking of where your data goes, and no ability for a consumer to know what is done with their data.
Even before the Facebook data breach, a U.S. Senate report found that visits to online news sites may involve connecting with hundreds of other parties, and the “sheer volume of such activity makes it difficult for even the most vigilant consumer to control the data being collected or protect against its malicious use.”
If simply landing on a website can cause substantial and instantaneous sharing with third parties, this begs the question, “What’s going to limit this privacy intrusion?”
But an overlooked method of limiting this privacy intrusion is through the invisible hand of the market itself. Our work focuses on the possibility that websites dealing with visitors who are more concerned about their privacy will be faced with a market that curbs their behavior.
In a paper published in a recent issue of MIS Quarterly, we found that when visitor privacy concerns for a website are high relative to the competition, the website will have a smaller niche market of customers willing to pay high subscription prices in exchange for privacy protection.
We concentrated on two sources of income for websites: subscriptions and the sale of visitor data to third parties. A website using the subscription model needs a large base of visitors, but it can also sell visitor information in secondary markets through advertising or other third parties. Therefore, the website must strike a balance between subscription and third party monetization in this two-sided market.
An overlooked method of limiting this privacy intrusion is through the invisible hand of the market itself.
At the other extreme, a website facing low visitor privacy concerns can tap into a larger market of customers willing to exchange their personal information to access the website. We found that the website’s profits are highest when visitors have moderate privacy concerns – not too low and not too high – especially when the competition faces very high privacy concerns.
We also analyzed how the third party industry structure is impacted by visitor privacy concerns.
We found that higher visitor privacy concerns will result in the website using fewer third parties, and the result is a higher concentration in the third party market for that industry. Higher industry security requirements result in higher barriers to entry, which also increase the industry concentration of third parties.
These findings about the third party market corroborate the finding that third party concentration is higher in markets with high privacy concerns, such as healthcare. Ironically, in a concentrated market, the fewer – but more powerful – third parties collect data from many websites. These third parties gain a more comprehensive visitor profile, which has greater value, but also greater privacy risk to visitors.
In the wake of the Facebook data breach, it is evident that policymakers and regulatory organizations must monitor the third party market for potential privacy violations.
Additionally, requiring transparency with respect to the exact third parties and the types of data they are receiving would allow consumers to make better decisions regarding their privacy. Adding tracking features for consumers to see where their data goes beyond these third parties would create additional and potentially important transparency.
Currently, there is effectively no tracking of where your data goes, and no ability for a consumer to know what is done with their data.