Daniel J. Solove’s Understanding Privacy provides an overview of an elusive concept that has historically proved difficult to understand. The author provides insights into the evolving conception of privacy through the ages and the ongoing struggle of finding a balance between societal and individual norms for privacy. The liberal use of examples; case laws; and viewpoints of philosophers, jurists, sociologists, and scholars in the field adds to the richness and readability of the book. The book is intended to be a resource for crafting laws and policies about surveillance, data mining, identity theft, state involvement in reproductive and marital decisions, and other contemporary matters pertaining to privacy.
The contribution of the book lies in its historical and multidisciplinary perspectives, rather than in offering a theory of privacy. Indeed, given the current state of research in privacy, it would be premature to expect identification of a theory for such a complex construct. Although the author discusses different conceptualizations of privacy in a few countries, he does not directly compare them to the United States with respect to specific laws and their resultant impact on individuals and society, including business. Solove believes that the central point of the book is his process-oriented framework for privacy. I would argue that the contribution of this book lies in (1) the culling together of the privacy literature from a historical and legal standpoint and (2) the potential of his framework being combined in the future with rigorous theoretical thought and privacy insights from other domains, such as marketing and business ethics, to move toward a theory of privacy. This review assesses what the book has to offer and provides a guide to the potential reader.
In Chapter 1, Solove presents the privacy paradox of interest: People express a desire for increased privacy but act contrarily by routinely disclosing information. This disparity between attitudes and actions has social, economic, and legal ramifications. For example, several statutes in the United States protect the privacy of data records, such as government, student, driver, financial, electronic communications, and video rental, but protection of these records may at times be socially detrimental by conflicting with other important societal values, such as freedom of expression, preventing and punishing crime, protecting private property, and conducting government operations efficiently.
Solove declares that he intends to use a bottom-up approach in his quest for a theory of privacy by focusing on privacy infringements rather than looking for a common denominator across different contexts in which privacy is a problem. He discusses many definitions of privacy but finds them all to be incomplete. Although privacy may have multiple related forms, without a clear definition there can be no guidelines for identifying when and under what conditions an informational or physical activity constitutes a privacy problem. The lack of clarity about the key construct, privacy, and related terms, such as “invasion” or “intrusion,” does not reflect well on the proposed taxonomy. (I discuss this in greater detail subsequently in the review.)
Solove devotes Chapter 2 to discussing various “theories” of privacy: (1) the right to be let alone, (2) limited access to the self, (3) secrecy, (4) control over personal information, (5), personhood, and (6) intimacy. He believes that these conceptions of privacy are either too broad or too narrow.
In Chapter 3, Solove advocates building a general framework for privacy based on identifying privacy harms and understanding why they are problematic. He traces the changing face of privacy with respect to family, body, sex, home, and communications as a result of changing attitudes, institutions, living conditions, and technology. He emphasizes that the condition or state of existence of the information (i.e., whether it is being concealed, held in confidence, or being kept secure) is of greater relevance than the nature/type of information. He also argues that societal rather than individual needs should be considered in ascertaining a “reasonable” level of privacy because he believes that individuals’ demands for privacy can become unreasonable, overriding the consideration of society at large. Yet, he does not indicate how to determine what a “reasonable” level of privacy is and who is to make this determination on behalf of society, if not the individuals who constitute society. Thus, Solove chooses not to address the quandary about contextual considerations in privacy issues.
In Chapter 4, Solove points out that regulating firms in their information-related endeavors by protecting individual privacy may hamper decision making, leading to higher prices for products and services. Support for this argument can be found in marketing and business ethics literature (e.g., Beard and Abernathy 2005; Petty 2000). Petty (2000) cautions against “overmarketing” because it creates the temptation in firms to deceive consumers and is also a misallocation of society’s scarce resources. Overmarketing has resulted in 60% of consumers registering for the Do-Not-Call list, which, as Beard and Abernathy (2005) find, has raised firms’ marketing costs. Furthermore, Solove argues that restricting the free flow of information may conflict with societal values for preventing crime and promoting national security. At the same time, the author points out that framing privacy in individualistic terms undervalues privacy because federal policy making does not value the effects of loss of privacy on freedom, culture, creativity, innovation, and public life and fails to provide adequate protection in the form of damages to compensate people for emotional or reputational harm. Throughout Chapters 1–4, Solove attempts to builds his case for presenting his taxonomy of privacy in Chapter 5. However, it is not clear how the privacy issues discussed until now metamorphose into the process-oriented taxonomy that follows.
The taxonomy Solove proposes in Chapter 5 focuses on activities that create privacy problems. The taxonomy comprises four broad groups of activities, each with different related subgroups of harmful activities: (1) information collection (e.g., surveillance, interrogation), (2) information processing (e.g., aggregation, identification, insecurity, secondary use, exclusion), (3) information dissemination (e.g., breach of confidentiality, disclosure, exposure, increased accessibility, blackmail, appropriation, distortion), and (4) invasion (e.g., intrusion, decisional interference). The flexible framework allows for additions and removals of potential privacy harms in the future as required by the rapid evolution of technologies and attitudes related to privacy.
Several issues arise on close examination of this framework, and the questions I raise next are merely illustrative. Is an “invasion” only physical or decision-related in nature? Could an invasion not occur during information collection, processing, or dissemination? For example, repeatedly contacting consumers by telephone to collect information was considered a form of invasive interrogation, which ultimately resulted in a do-not-call registry. Furthermore, what determines the levels at which any of the aforementioned activities turn from harmless to harmful? For example, at what point does “harmless” questioning turn into “harmful” interrogation? Similarly, the level of data aggregation considered unacceptable may differ on the basis of the individual, the benefits accrued as a result of the aggregation, the entity aggregating the data, and so forth. Thus, this framework is incomplete without discussion of contextual moderators, such as the entity (government or business or individual) interacting with the person, the relationship of the person with that entity, and the person’s evaluation of likely outcomes of providing this information to the entity. In essence, Solove’s framework is a description of process rather than a theory that addresses why, when, and under what circumstances a privacy violation occurs. It is also not clear how the proposed taxonomy reflects the author’s concern about individual versus societal needs, because the taxonomy examines a process without defining how and under what conditions the subactivities have been evaluated to be harmful and who (individual or society) has deemed these activities to be harmful. Another question that may be raised is whether this taxonomy can or should be expanded to include positive outcomes of the information process, such as convenience, personalization, and compensation. These have been examined by some researchers (Andrade, Kaltcheva, and Weitz 2002; Nam et al. 2006; Sheehan and Hoy 2000) but with mixed results.
Toward the end of Chapter 5 and in Chapter 6, Solove presents information that would have been more appropriate at the beginning than at the end of this book, such as definitions of critical terms (e.g., “spam,” “junk mail,” “junk faxes,” “telemarketing”). Similarly, only at the end of the book does Solove discuss the specific potential harms due to privacy infringements, such as individual, societal, financial, reputational, emotional, psychological, relationship, power imbalances, inhibition, and vulnerability. Indeed, these insights are of value to privacy-related research in marketing and business ethics, which have not yet explored such wide-ranging outcomes of privacy infringements. Solove also brings out the ineffectiveness of the Gramm-Leach-Bliley Act of 1999 (Pub.L. 106-102, 113 Stat. 1338) and the Privacy Act (1974, 5 U.S.C. § 552a) and the inconsistencies of different laws (e.g., tort laws recognize and redress breaches of confidentiality, while the Fourth Amendment law does not). He provides examples of privacy laws in other countries and specific legal outcomes that could have been effectively used to discuss the effect of privacy restrictions on firms in Europe, a discussion of great relevance to U.S. business. In cross-cultural studies, other researchers have found that a country’s regulatory approach depends on the country’s cultural values and individuals’ privacy concerns (Bellman et al 2004; Milberg et al. 1995; Milberg, Smith, and Burke 2000), which also underscores that when it comes to privacy, both societal and individual needs must be balanced.
Overall, the book is engaging, lucidly written, and offers a well-researched perspective of privacy issues from a legal and historical perspective, but it could have benefitted by drawing on insights from business ethics and marketing. In turn, it has the potential to contribute to privacy research in those areas. Given that the book addresses information activities of the government, companies, and individuals, leaving out a discussion of firms’ self-regulating actions in the United States (see, e.g., Culnan 2000; Culnan and Armstrong 1999) holds this book back from truly advancing knowledge in the field of privacy. For example, in an effort to avoid precisely the kinds of harmful activities that Solove describes in his taxonomy, many firms practice permission marketing (Tezinde, Smith, and Murphy 2002) and have adopted privacy notices and seals (Miyazaki and Fernandez 2000; Miyazaki and Krishnamurthy 2002). Another dimension that Solove acknowledges is that people differ in their preferences for giving away their personal information to others. This willingness to provide information has also been studied (see, e.g., Milne and Boza 1999; Nowak and Phelps 1992, 1995; Phelps, Nowak, and Ferell 2000; Schoenbachler and Gordon 2002) and can add value to Solove’s taxonomy.
Although the intuitively simple and flexible structure itself invites little disagreement, it is unclear how this framework can help frame laws if there are no guidelines on why, when, and under what conditions information collection, processing, and dissemination are perceived as problematic. Thus, to use this taxonomy for theory building, policy making ,and crafting laws, it is important to reflect not only on the conditions under which informational and physical activities result in an invasion of privacy but also reasons for the same. To this end, Understanding Privacy is likely to spark interest in academic research in privacy and contribute to the body of knowledge in this area. The added understanding from further research can inform government and firms interested in understanding why and how to safeguard peoples’ privacy. For all those interested in privacy issues, this book serves as good background reading.
—Mona Srivastava, Harvard Business School India Research Center.
REFERENCES
Andrade, Eduardo B., Velitchka Kaltcheva, and Bart Weitz (2002), “Self-Disclosure on the Web: The Impact of Privacy Policy, Reward, and Company Reputation,” Advances in Consumer Research, Vol. 19, Susan M. Broniarczyk and Kent Nakamoto, eds. Valdosta, GA: Association for Consumer Research, 350–53.
Beard, T. Randolph and Avery M. Abernathy (2005), “Consumer Prices and the Federal Trade Commission’s ‘Do-Not-Call’ Program,” Journal of Public Policy & Marketing, 24 (Fall), 253–59.
Bellman, Steven, Eric J. Johnson, Stephen J. Kobrin, and Gerald L. Lohse (2004), “International Differences in Information Privacy Concerns: A Global Survey of Consumers,” The Information Society, 20 (5), 313–24.
Culnan, Mary J. (2000), “Protecting Privacy Online: Is Self-Regulation Working?” Journal of Public Policy & Marketing, 19 (Spring), 20–26.
——— and Pamela K. Armstrong (1999), “Information Privacy Concerns, Procedural Fairness, and Impersonal Trust: An Empirical Investigation,” Organization Science, 10 (1), 104–115.
Milberg Sandra J., Sandra J. Burke, H. Jeff Smith, and Ernest A. Kallman (1995), “Values, Personal Information Privacy, and Regulatory Approaches,” Communications of the ACM, 38 (12), 65–74.
———, H. Jeff Smith, and Sandra J. Burke (2000), “Information Privacy: Corporate Management and National Regulation,” Organization Science, 11 (1), 35–57.
Milne, George R. and Maria-Eugenia Boza (1999), “Trust and Concern in Consumer’s Perceptions of Marketing Information Management Practices,” Journal of Interactive Marketing, 13 (1), 5–24.
Miyazaki, Anthony D. and Ana Fernandez (2000), “Internet Privacy and Security: An Examination of Online Retailer Disclosures,” Journal of Public Policy & Marketing, 19 (Spring), 54–61.
——— and Sandeep Krishnamurthy (2002), “Internet Seals of Approval: Effects of Online Privacy Policies and Consumer Perceptions,” Journal of Consumer Affairs, 36 (1), 28–49.
Nam, Changi, Chanhoo Song, Euehun Lee, and Chan Ik Park (2006), “Consumers’ Privacy Concerns and Willingness to Provide Marketing-Related Personal Information Online,” Advances in Consumer Research, Vol. 33, eds. Cornelia Pechmann and Linda L. Price Duluth, MN: Association for Consumer Research, 212–17.
Nowak, Glen J. and Joseph E. Phelps (1992), “Understanding Privacy Concerns,” Journal of Direct Marketing, 6 (4), 28–39.
——— and ——— (1995), “Direct Marketing and the Use of Individual-Level Consumer Information: Determining How and When Privacy Matters,” Journal of Direct Marketing, 9 (3), 46–60.
Petty, Ross D. (2000), “Marketing Without Consent: Consumer Choice and Costs, Privacy, and Public Policy,” Journal of Public Policy & Marketing, 19 (Spring), 42–53.
Phelps, Joseph E., Glen Nowak, and Elizabeth Ferell (2000), “Privacy Concerns and Consumer Willingness to Provide Personal Information,” Journal of Public Policy & Marketing, 19 (Spring), 27–41.
Schoenbachler, Denise D. and Geoffrey L. Gordon (2002), “Trust and Consumer Willingness to Provide Information in a Database-Driven Relationship Marketing,” Journal of Interactive Marketing, 16 (3), 2–16.
Sheehan, Kim Bartel and Mariea Grubbs Hoy (2000), “Dimensions of Privacy Concern Among Online Consumers,” Journal of Public Policy & Marketing, 19 (Spring), 62–73.
Tezinde, Tito, Brett Smith, and Jamie Murphy (2002), “Getting Permission: Exploring Factors Affecting Permission Marketing,” Journal of Interactive Marketing, 16 (4), 28–36.