Factors Influencing Privacy Fatigue in a Mobile Application Environment
Paula Heuser & Leonie Gehrmann
The smartphone has become an indispensable daily companion and a personal extension of the self. We cannot imagine life without mobile apps anymore, as they provide endless opportunities, including unlimited access to information, round-the-clock connectivity and instantaneous problem solving. User data is thereby the fuel of such apps, whose features and functionalities consider various types of personal and sometimes sensitive information. While most data are often not actively or voluntarily created by consumers, the specific architecture in which apps are embedded allows for large scale data aggregation revealing a fine grained, holistic picture of individual consumers (Buck et al 2014b, p. 27). These highly personalized insights into „real lives” are very valuable to marketers and useful for precise targeting, customer service and relationship management. It is known that freemium business models gain revenue by selling personal data to third parties, so especially free versions of apps require a broad scope of permissions to information that is often unrelated to the apps’ functionality (Barth et al 2019, p. 56). Thus, the vast opportunities of app usage come with certain risks and raise discussions around informational privacy or the gathering, storage, processing, and dissemination of personal data (Kokolakis 2017, p. 123).
With data breaches continuing to rise (De Groot 2019) and consumers expressing a feeling of being „creeped out” by too much personalization (Shklovski et al 2014, p. 2351), surveys show that lack of online privacy is one of the major concerns of citizens (Kokolakis 2017, p. 122). While data disclosure seems to have become a necessary part of modern life, 70% of Europeans are concerned about the potential misuse of personal information and its negative outcomes (Special Eurobarometer 359 2011, p.2). Yet, numerous studies show that even though people claim to be concerned about their online privacy, they tend to disclose personal data anyways (Kokolakis 2017, p. 122). This dichotomy between privacy attitudes and behavior is called the privacy paradox and has been studied extensively across various research areas. In fact, the exploration of the relationship between privacy attitudes, information disclosure, protection behavior and potential influencing variables has revealed some inconsistencies. This highlights the complexity of the paradox and the necessity to understand it, as it has significant implications for e-commerce, online social networking, and governmental regulations (Kokolakis 2017).
One of many interpretations and explanations for the paradox is that people perform a rational calculus of benefits and risks of information disclosure. As granting access to personal data is necessary to benefit from various app features, some researchers conclude that it is reasonable to disclose information despite privacy concerns, if the perceived benefits of app usage exceed the expressed concerns (Barth and de Jong 2017, pp. 1044-1045). Yet, as human decision-making is affected by cognitive biases, a large stream of literature considers people’s limited ability, information, time, and emotional strength to make rational decisions within these situations (Li, Sarathy, and Xu 2010, p. 7). Especially the complexity of the mobile app context makes it hard to grasp the consequences of granting access to personal data, so consumers often lack all necessary information to make informed judgements (Barth and de Jong 2017, p. 1046). Indeed, consumers frequently complain about a feeling of loss of control and being overwhelmed by the amount of information to consider when deciding what data to disclose or how to protect oneself. Information barriers prevent users from knowing the extent of the observation, storage, and processing of their behavior (Buck et al. 2014a, p. 2). Similarly, the unpredictable consequences of data disclosure are complex and difficult to calculate so individuals make judgements based on incomplete information (Acquisti 2004, p. 23). Furthermore, the continuous habit of buying from the same app store and granting access to personal data is accompanied by low levels of involvement and cognitive control, as people want to proceed quickly with the use of an app (Buck et al. 2014b, p. 31).
Taking this into consideration, a few researchers started to explore the phenomenon of privacy fatigue as an alternative explanation for the reduction in decision-making efforts. Fatigue generally arises from situations in which people are faced with high demands, having to deal with more things than they can handle (Choi, Park and Jung 2018, p. 44). As privacy policies have become increasingly complex, people are overwhelmed and eventually give up trying to understand them. Thereby, a state of emotional exhaustion is accompanied by attitudes of frustration and hopelessness, serving as a cognitive coping mechanism and making people choose the easiest way of simply granting access to personal data (Choi, Park and Jung 2018, p. 44).
In their groundbreaking research on cognitive heuristics, Tversky and Kahneman (1974) explain that fatigued individuals can fall back on heuristics and biases in decision-making. With the aim of minimizing effort, they often avoid unnecessary decisions, choose the easiest available option, let immediate motivations drive decisions and behave impulsively (Stanton et al. 2016, p. 29). Several studies show that one of the key outcomes of fatigue is behavioral disengagement, leading to withdrawal and giving up of protective behavior. Additionally, fatigued individuals put in less effort to remove personal information and do not bother to provide intentional fake data, to engage in negative word-of-mouth or to complain to the company (Choi, Park and Jung 2018, p. 44).
Having discussed the consequences of privacy fatigue, some researchers have also considered self-efficacy and privacy literacy as potential drivers of the phenomenon. Highly self-efficacious people tend to feel confident that they possess the skills to protect themselves against online privacy risks (Boehmer et al. 2015; Milne, Labrecque, and Cromer 2009). Looking at the literature, this seems to be an important predictor since people that don’t believe their protection behavior is effective are less likely to protect themselves (Boerman, Kruikemeier, and Zuiderveen Borgesius 2018, p.16).
Alternatively, studies find evidence that consumers across various age groups and countries lack sufficient understanding about marketing surveillance practices and privacy-related functions on mobile phones (Park and Mo Jang 2014, pp. 299-301; Trepte and Masur 2017, p. 6). Therefore, researchers emphasize the importance of online privacy literacy, as skilled individuals are more likely to be aware of threats and are empowered to take “informed control of their digital identities” (Park 2013, p. 217).
To the best of our knowledge, no scientific study has empirically examined the antecedents of privacy fatigue, so our project takes a closer look at this research gap and empirically investigates its potential drivers. Thereby, the focus on a mobile setting is of special interest since, compared to e-commerce websites on a computer for example, the data aggregated via the use of mobile apps is even more sensible, while at the same time the system is less secure (Buck, Kaubisch and Eymann 2016, p. 394). Due to its resource-efficiency and ability to reach a high number of people, an online questionnaire was chosen to empirically investigate the relationship between privacy fatigue, self-efficacy and mobile privacy literacy. The questionnaire ran for one month in the spring of 2020 and used a snowball technique to recruit participants with a focus on those living in Germany or with a German background. In total, the final sample consists of 283 respondents. Thereby, roughly 2/3 of participants are female and while almost 70% are younger than 40, the age of respondents ranges from 16 to 85.
After a brief introduction on the research background, participants first read a hypothetical scenario about a situation in which they download a fitness app and are asked to reveal their location and various types of personal information. Then, with participants given the ability to imagine the setting, the main part consists of the survey questions that measure the three constructs of interest discussed previously. Finally, participants are asked to rate the frequency of use of different mobile apps, before sociodemographic questions about age, gender, education, and occupation, as well as a short thank you conclude the questionnaire.
For self-efficacy, respondents report their level of agreement (on a 5-point Likert scale) with each of four different statements on their confidence in avoiding danger and protecting their personal information online. The items are adapted from Milne, Labrecque, and Cromer (2009, p. 456). As expected, a rather low mean of self-efficacy of 2.48 indicates that overall, participants do not appear to believe in their ability to avoid danger and protect personal information in a mobile app environment. Men tend to be slightly more self-efficacious than women and younger age groups exhibit higher self-efficacy than older ones.
To capture mobile privacy literacy, the objective knowledge of participants is considered, since self-assessment of literacy might additionally address self-efficacy (Trepte et al. 2015, p. 347). Masur, Teutsch, and Trepte (2017) emphasize the multidimensionality of online privacy literacy and develop a scale that refers to users’ knowledge on technical aspects of online data protection, as well as German regulations and institutional practices. This project focuses on respondents’ knowledge about institutional practices and data protection law. Each of these two dimensions consists of five questions. One point is given for each correct answer while no points are given for wrong answers. The points are then summed up to calculate the raw mobile privacy literacy score for each respondent (Masur, Teutsch, and Trepte 2017, p. 267). A mean score of 5.74 out of 10 maximum points in the mobile privacy literacy test confirms that overall participants lack substantial knowledge about practices of institutions and legal aspects of data protection. An average of 4 out of 5 points regarding institutional practices shows that participants appear to be aware of the ways companies and service providers collect data. Yet, a median of 2 correct responses to the 5 questions about data protection law shows that people are not very knowledgeable of their rights. On average men’s scores are about one point higher than women’s, while individuals between the age of 25 and 39 achieve the highest scores and individuals over 70 years the lowest.
Finally, the measurement of Choi, Park, and Jung (2018) is adapted for privacy fatigue. Respondents report their level of agreement (on a 5-point Likert scale) with six statements concerning their extent of emotional exhaustion and cynicism. A mean of 3.31 shows that participants generally feel a sense of weariness towards privacy issues. While women seem to feel more fatigue than men, there are no obvious group differences regarding age or frequency of app usage.
Results and Discussion
As explained in the beginning of this post, the privacy paradox is highly complex with varying explanations developed by different researchers. Findings have indicated that especially self-efficacy plays a role in determining individuals’ sense of weariness towards privacy issues and their motivation to protect themselves. Additionally, studies on awareness and knowledge of online privacy indicate that privacy literacy also influences certain aspects of fatigue and can help to derive a complementary explanation of the phenomenon. The rather low levels of self-efficacy in the empirical analysis indicate that overall, participants are not fully confident they have the skills and abilities to avoid or cope with danger in a mobile app environment. Interestingly, men and younger age groups tend to exhibit comparatively higher levels of self-efficacy. Low scores on mobile privacy literacy show as expected, that participants generally lack substantial knowledge about practices of institutions and especially legal aspects of data protection.
A further regression analysis suggests that self-efficacy has a significant negative relationship with privacy fatigue. While mobile privacy literacy has a significant negative relationship with privacy fatigue when excluding age, gender and frequency of app usage, the relationship is not significant when including these variables as control. Hence, it seems that sociodemographic characteristics and app usage behavior do not have a significant effect on privacy fatigue. However, overall the results indicate that all of these variables together only explain a small portion of the variance in privacy fatigue, meaning there is room for improvement to find another model that is more successful at predicting this variable of interest. Nonetheless, especially the significant findings for the model’s most important predictor, self-efficacy, are meaningful and help understand how privacy fatigue arises.
Results from the statistical analysis provide important implications for marketing management and governmental regulations and show that we need to rethink the public’s relationship with privacy issues. It has been widely criticized that privacy laws and security technologies have not kept pace with how rapidly developing technologies collect, store and process data (Wedel and Kannan 2016, p. 113). Germany is known to be a country with a comparatively stricter view on data protection and just in May 2020, the Federal Court passed a law that requires users to actively accept which cookies are tracked (Bundesgerichtshof 2020). While some might think that this is a step in the right direction, this thesis suggests two issues. Firstly, privacy regulations on mobile apps are more complex and less transparent to consumers. As many popular data-sensitive apps follow a “take-it-or-leave-it” approach and are developed in countries with weaker legal data protection, many consumers exhibit functional confusion and are not able to draw the connection between privacy threats and a mobile environment (Park and Mo Jang 2014, p. 300). Secondly, the phenomenon of fatigue indicates that people fall into their familiar routine of neglect and simply consent whenever they are confronted with a privacy decision. Hence, simply making stricter laws and bombarding consumers with more complicated privacy statements is not the solution but will rather lead to more privacy fatigue.
Instead, it is crucial to recognize the existence of fatigue and users’ lack of effort to make rational decisions regarding information disclosure. Understanding the role of self-efficacy and mobile privacy literacy can certainly help in finding actions that reduce the sense of weariness towards mobile privacy issues. The public should be made aware of the threats of information disclosure, but also learn that protection is not an impossible challenge. Increasing knowledge about institutional practices and data law can offer support in helping users understand the complex threats and realize what is actually being done with their data. Obviously, simply being aware of the dangers will not help if people lack the confidence that they can do something to protect themselves. Therefore, researchers suggest a more transparent app design and framing of messages about privacy can facilitate a feeling of control and personal responsibility, increasing protective behavior (Boehmer et al. 2015, p. 1031). While many individuals think they are not tech-savvy enough, it needs to be stressed that there are easy tools and steps to follow that assist protection (Milne, Labrecque, and Cromer 2009, p. 467).
Marketing managers and app providers face a complicated trade-off between benefiting from vast amounts of customer data, but also keeping customers happy in the long-term. One might argue that privacy fatigue is in marketers’ interest as consumers disclose data without questioning it and thus enable companies to offer personalized services and effectively targeted advertisements. Yet, there are always risks of data breaches or other debacles causing public outcry and especially the dimension of cynicism within privacy fatigue can decrease overall customer satisfaction (Choi, Park and Jung 2018, p. 49). Partial or complete withdrawal of customers is not desired as marketers want to get a clear picture of them. Hence, companies need to find an equilibrium of getting valuable data and maintaining trust. Research suggests that the solution lies within the communication and design of apps. They should have a user-oriented design that decreases information overload and empowers users to make self-determined decisions about privacy protection (Barth and de Jong 2017, p. 1051). Raising privacy awareness on an application-specific level and connecting this with knowledge about essential tools and protection methods can aid marketers in strengthening the relationship with the customer in the long-term and benefiting from an acceptable level of data disclosure (Deuker 2009, p. 281).
To conclude, some remarks on the limitations of this project. Due to the chosen snowball sampling technique, the sample contains respondents from similar backgrounds. While the age range is quite large and represents a considerable number of participants from younger as well as older generations, the sample is not balanced in terms of gender or education. Furthermore, as research emphasizes the importance of technical skills with regard to understanding the privacy threats in the app context (Buck, Kaubisch, and Eymann 2016, p. 393), there is a strong need for the development of a privacy literacy construct in the mobile app context that covers various dimensions and not only institutional practices and data protection law. Especially, no clear definition of the term privacy fatigue in the academic literature makes it hard to define what exactly should be measured. Therefore, a more distinct definition of the term as well as enhanced development of a measurement construct is necessary. Finally, for a comprehensive interpretation of the privacy paradox it is necessary to assess individuals’ actual disclosure behavior and investigate how far privacy fatigue is connected to the paradoxical behavior. This enables a better understanding of the consequences of fatigue and its implications in practice. Nevertheless, the primary goal of this project is to focus on how privacy fatigue arises and how it relates to other research on the privacy paradox. As it is the first to ever investigate the influencing factors of privacy fatigue, it adds fresh insights into a complementary explanation of the privacy paradox. Especially the finding that higher levels of self-efficacy may decrease privacy fatigue has meaningful implications in practice and can help future researchers to further understand the phenomenon.