Online privacy as a corporate social responsibility: an empirical study Irene Pollach
Aarhus School of Business, University of Aarhus, Aarhus, Denmark
Information technology and the Internet have added a new stakeholder concern to the corporate social responsibility (CSR) agenda: online privacy. While theory suggests that online privacy is a CSR, only very few studies in the business ethics literature have connected these two. Based on a study of CSR disclosures, this article contributes to the existing literature by exploring whether and how the largest IT companies embrace online privacy as a CSR. The ﬁndings indicate that only a small proportion of the companies have comprehensive privacy programs, although more than half of them voice moral or relational motives for addressing online privacy. The privacy measures they have taken are primarily compliance measures, while measures that stimulate a stakeholder dialogue are rare. Overall, a wide variety of approaches to addressing privacy was found, which suggests that no institutionalization of privacy practices has taken place as yet. The study therefore indicates that online privacy is rather new on the CSR agenda, currently playing only a minor role.
Since the 1990s, companies striving to be good corporate citizens have had to devise strategies to address issues such as pollution, energy use, waste production, animal testing, child labor, sweatshops, workforce diversity, or advertising to children. It has become a de-facto standard for very large corporations to publish social reports documenting how they address these issues in the marketplace, the workplace, the supply chain, and the community in order to fulﬁll their role as good corporate citizens (Snider et al. 2003). The advent of the Internet has not only revolutionized many business models but has also redeﬁned what it means to be a good corporate citizen (Post 2000), as most of the above issues are of little relevance to companies dealing with data and technology. One issue of public concern that has become highly relevant for IT companies is online privacy (De George 2000, Johnson 2006). doi: 10.1111/j.1467-8608.2010.01611.x
Information privacy denotes an individual’s right to decide what information is made available to others (Westin 1967). Privacy is thus guaranteed only if individuals know that data are collected about them and if they have control over this data collection and the subsequent use of the data (Foxman & Kilcoyne 1993, Caudill & Murphy 2000). In the United States, privacy-related legislation exists only for health care, ﬁnancial services, and children on the Internet (Bowie & Jamal 2006), while many aspects of data collection and user control in electronic commerce are still unregulated (Fernback & Papacharissi 2007). Countries of the European Union, meanwhile, protect privacy more strictly (Baumer et al. 2004), which has proven to be a hurdle for US technology companies operating in Europe. In 2008, for example, technology giant Google encountered problems in several European countries with its data handling practices (O’Brien 2008). Despite legislative efforts in Europe, data privacy violations have occurred in a number of
r 2010 The Author Business Ethics: A European Review r 2010 Blackwell Publishing Ltd., 9600 Garsington Road, Oxford, OX4 2DQ, UK and 350 Main St, Malden, MA 02148, USA
Business Ethics: A European Review Volume 20 Number 1 January 2011
large organizations, including, for example, the largest German bank, DeutscheBank (Neate 2009), or T-Mobile UK (Wray 2009). The problems with privacy legislation are that it is difﬁcult to identify violations of these laws and that the law may lag behind what is technologically feasible. For the above reasons, global companies have some discretion over how much privacy they grant users and how much they reveal about their data...